Mercurial > repos > other > Puppet
annotate manifests/templates.pp @ 284:9431aec4d998
Switch to using IPv6 prefix and IP per site
This is because the proxy seems to break SNI, so we need an IP
per SSL cert. We're not short of IPv6 addresses, though!
Also corrected to "4to6" naming, because we're letting IPv4 access
an IPv6 site
| author | IBBoard <dev@ibboard.co.uk> |
|---|---|
| date | Sun, 16 Feb 2020 12:07:35 +0000 |
| parents | af7df930a670 |
| children | 61e90445c899 |
| rev | line source |
|---|---|
|
32
6bbc86f6cee5
Tidy up ordering and dependencies (including making sure we have a necessary file for Fail2Ban to start)
IBBoard <dev@ibboard.co.uk>
parents:
25
diff
changeset
|
1 # Make sure packages come after their repos |
| 258 | 2 File<| tag == 'repo-config' |> -> YumRepo<| |> -> Package<| |> |
|
32
6bbc86f6cee5
Tidy up ordering and dependencies (including making sure we have a necessary file for Fail2Ban to start)
IBBoard <dev@ibboard.co.uk>
parents:
25
diff
changeset
|
3 |
|
6bbc86f6cee5
Tidy up ordering and dependencies (including making sure we have a necessary file for Fail2Ban to start)
IBBoard <dev@ibboard.co.uk>
parents:
25
diff
changeset
|
4 # Make sure all files are in place before starting services |
| 246 | 5 File<| tag != 'post-service' |> -> Service<| |> |
| 6 | |
| 7 # Set some shortcut variables | |
| 8 #$os = $operatingsystem | |
|
249
e9323ff8f451
Make EPEL work on multiple versions of CentOS
IBBoard <dev@ibboard.co.uk>
parents:
247
diff
changeset
|
9 $osver = $operatingsystemmajrelease |
| 246 | 10 $server = '' |
|
32
6bbc86f6cee5
Tidy up ordering and dependencies (including making sure we have a necessary file for Fail2Ban to start)
IBBoard <dev@ibboard.co.uk>
parents:
25
diff
changeset
|
11 |
|
6bbc86f6cee5
Tidy up ordering and dependencies (including making sure we have a necessary file for Fail2Ban to start)
IBBoard <dev@ibboard.co.uk>
parents:
25
diff
changeset
|
12 |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
13 class basenode { |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
14 include sudo |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
15 |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
16 include defaultusers |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
17 include logwatch |
|
24
204330fea19a
Use MariaDB on CentOS7 and manage hiera.yaml (to avoid warnings)
IBBoard <dev@ibboard.co.uk>
parents:
18
diff
changeset
|
18 |
|
204330fea19a
Use MariaDB on CentOS7 and manage hiera.yaml (to avoid warnings)
IBBoard <dev@ibboard.co.uk>
parents:
18
diff
changeset
|
19 file { '/etc/puppet/hiera.yaml': |
|
204330fea19a
Use MariaDB on CentOS7 and manage hiera.yaml (to avoid warnings)
IBBoard <dev@ibboard.co.uk>
parents:
18
diff
changeset
|
20 ensure => present, |
| 264 | 21 content => " |
| 22 # Let the system set defaults | |
| 23 version: 5 | |
| 24 ", | |
|
24
204330fea19a
Use MariaDB on CentOS7 and manage hiera.yaml (to avoid warnings)
IBBoard <dev@ibboard.co.uk>
parents:
18
diff
changeset
|
25 } |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
26 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
27 |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
28 class basevpsnode ( |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
29 $primary_ip, |
|
284
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
30 $proxy_4to6_ip_prefix = undef, |
| 279 | 31 $proxy_upstream = undef, |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
32 $mailserver, |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
33 $imapserver, |
|
35
1bb941522ebf
Handle differences in firewalling between ASO (using APF) and most other hosts (using iptables)
IBBoard <dev@ibboard.co.uk>
parents:
32
diff
changeset
|
34 $firewall_cmd = 'iptables', |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
35 ) { |
|
44
546dfa011f58
Remove "puppet" host name because we don't need it
IBBoard <dev@ibboard.co.uk>
parents:
18
diff
changeset
|
36 |
|
40
222904296578
Add firewall handling when we run without APF
IBBoard <dev@ibboard.co.uk>
parents:
38
diff
changeset
|
37 if $firewall_cmd == 'iptables' { |
| 279 | 38 class { 'vpsfirewall': |
| 39 fw_protocol => $primary_ip =~ Stdlib::IP::Address::V6 ? { true => 'IPv6', default => 'IPv4'}, | |
| 40 } | |
|
40
222904296578
Add firewall handling when we run without APF
IBBoard <dev@ibboard.co.uk>
parents:
38
diff
changeset
|
41 } |
|
222904296578
Add firewall handling when we run without APF
IBBoard <dev@ibboard.co.uk>
parents:
38
diff
changeset
|
42 |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
43 #VPS is a self-mastered Puppet machine, so bodge a Hosts file |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
44 file { '/etc/hosts': |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
45 ensure => present, |
|
44
546dfa011f58
Remove "puppet" host name because we don't need it
IBBoard <dev@ibboard.co.uk>
parents:
18
diff
changeset
|
46 content => "127.0.0.1 localhost |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
47 $primary_ip ${fqdn}", |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
48 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
49 |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
50 require repos |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
51 include basenode |
| 246 | 52 include privat |
|
100
fd3446c3b7b9
Set up a recursive localhost-only Bind server (assuming RH's safe and sane default configs)
IBBoard <dev@ibboard.co.uk>
parents:
99
diff
changeset
|
53 include dnsresolver |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
54 include ssh::server |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
55 include vcs::server |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
56 include vcs::client |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
57 class { 'webserver': |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
58 primary_ip => $primary_ip, |
|
284
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
59 proxy_4to6_ip_prefix => $proxy_4to6_ip_prefix, |
| 279 | 60 proxy_upstream => $proxy_upstream, |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
61 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
62 include cronjobs |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
63 include logrotate |
|
35
1bb941522ebf
Handle differences in firewalling between ASO (using APF) and most other hosts (using iptables)
IBBoard <dev@ibboard.co.uk>
parents:
32
diff
changeset
|
64 class { 'fail2ban': |
|
1bb941522ebf
Handle differences in firewalling between ASO (using APF) and most other hosts (using iptables)
IBBoard <dev@ibboard.co.uk>
parents:
32
diff
changeset
|
65 firewall_cmd => $firewall_cmd, |
|
1bb941522ebf
Handle differences in firewalling between ASO (using APF) and most other hosts (using iptables)
IBBoard <dev@ibboard.co.uk>
parents:
32
diff
changeset
|
66 } |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
67 include tools |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
68 class { 'email': |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
69 mailserver => $mailserver, |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
70 imapserver => $imapserver, |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
71 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
72 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
73 |
|
100
fd3446c3b7b9
Set up a recursive localhost-only Bind server (assuming RH's safe and sane default configs)
IBBoard <dev@ibboard.co.uk>
parents:
99
diff
changeset
|
74 ## Classes to allow facet behaviour using preconfigured setups of classes |
|
fd3446c3b7b9
Set up a recursive localhost-only Bind server (assuming RH's safe and sane default configs)
IBBoard <dev@ibboard.co.uk>
parents:
99
diff
changeset
|
75 |
| 279 | 76 class vpsfirewall ($fw_protocol) { |
|
40
222904296578
Add firewall handling when we run without APF
IBBoard <dev@ibboard.co.uk>
parents:
38
diff
changeset
|
77 resources { "firewall": |
|
222904296578
Add firewall handling when we run without APF
IBBoard <dev@ibboard.co.uk>
parents:
38
diff
changeset
|
78 purge => false, |
|
222904296578
Add firewall handling when we run without APF
IBBoard <dev@ibboard.co.uk>
parents:
38
diff
changeset
|
79 } |
| 279 | 80 class { "my_fw": |
| 81 ip_version => $fw_protocol, | |
| 82 } | |
| 83 # Control what does and doesn't get pruned in the main filter chain | |
| 84 firewallchain { "INPUT:filter:$fw_protocol": | |
| 85 purge => true, | |
|
40
222904296578
Add firewall handling when we run without APF
IBBoard <dev@ibboard.co.uk>
parents:
38
diff
changeset
|
86 ignore => [ |
|
222904296578
Add firewall handling when we run without APF
IBBoard <dev@ibboard.co.uk>
parents:
38
diff
changeset
|
87 '-j f2b-[^ ]+$', |
|
222904296578
Add firewall handling when we run without APF
IBBoard <dev@ibboard.co.uk>
parents:
38
diff
changeset
|
88 '^(:|-A )f2b-', |
|
222904296578
Add firewall handling when we run without APF
IBBoard <dev@ibboard.co.uk>
parents:
38
diff
changeset
|
89 '--comment "Great Firewall of China"', |
|
222904296578
Add firewall handling when we run without APF
IBBoard <dev@ibboard.co.uk>
parents:
38
diff
changeset
|
90 '--comment "Do not purge', |
|
222904296578
Add firewall handling when we run without APF
IBBoard <dev@ibboard.co.uk>
parents:
38
diff
changeset
|
91 ], |
|
222904296578
Add firewall handling when we run without APF
IBBoard <dev@ibboard.co.uk>
parents:
38
diff
changeset
|
92 } |
| 279 | 93 if ($fw_protocol != "IPv6") { |
| 94 firewall { '010 Whitelist Googlebot': | |
| 95 source => '66.249.64.0/19', | |
| 96 dport => [80,443], | |
| 97 proto => tcp, | |
| 98 action => accept, | |
| 99 } | |
| 100 # Block a spammer hitting our contact forms (also on StopForumSpam list A LOT) | |
| 101 firewall { '099 Blacklist spammers 1': | |
| 102 source => '107.181.78.172', | |
| 103 dport => [80, 443], | |
| 104 proto => tcp, | |
| 105 action => 'reject', | |
| 106 } | |
| 107 firewall { '099 Blacklist IODC bot': | |
| 108 # IODC bot makes too many bad requests, and contact form is broken | |
| 109 # They don't publish a robots.txt name, so firewall it! | |
| 110 source => '86.153.145.149', | |
| 111 dport => [ 80, 443 ], | |
| 112 proto => tcp, | |
| 113 action => 'reject', | |
| 114 } | |
| 115 firewall { '099 Blacklist Baidu Brazil': | |
| 116 #Baidu got a Brazilian netblock and are hitting us hard | |
| 117 #Baidu doesn't honour "crawl-delay" in robots.txt | |
| 118 #Baidu gets firewalled | |
| 119 source => '131.161.8.0/22', | |
| 120 dport => [ 80, 443 ], | |
| 121 proto => tcp, | |
| 122 action => 'reject', | |
| 123 } | |
|
139
abaf384dc939
Block another annoying IP with a firewall rule
IBBoard <dev@ibboard.co.uk>
parents:
137
diff
changeset
|
124 } |
| 279 | 125 firewallchain { "GREATFIREWALLOFCHINA:filter:$fw_protocol": |
|
40
222904296578
Add firewall handling when we run without APF
IBBoard <dev@ibboard.co.uk>
parents:
38
diff
changeset
|
126 ensure => present, |
|
222904296578
Add firewall handling when we run without APF
IBBoard <dev@ibboard.co.uk>
parents:
38
diff
changeset
|
127 } |
|
222904296578
Add firewall handling when we run without APF
IBBoard <dev@ibboard.co.uk>
parents:
38
diff
changeset
|
128 firewall { '050 Check our Great Firewall Against China': |
|
222904296578
Add firewall handling when we run without APF
IBBoard <dev@ibboard.co.uk>
parents:
38
diff
changeset
|
129 chain => 'INPUT', |
|
222904296578
Add firewall handling when we run without APF
IBBoard <dev@ibboard.co.uk>
parents:
38
diff
changeset
|
130 jump => 'GREATFIREWALLOFCHINA', |
|
222904296578
Add firewall handling when we run without APF
IBBoard <dev@ibboard.co.uk>
parents:
38
diff
changeset
|
131 } |
| 279 | 132 firewallchain { "Fail2Ban:filter:$fw_protocol": |
|
64
3bb824dabaae
Make sure Fail2Ban rules are in right order (using separate chain) and whitelist Googlebot (which keeps hitting Script Kiddy targets for unknown reasons)
IBBoard <dev@ibboard.co.uk>
parents:
61
diff
changeset
|
133 ensure => present, |
|
3bb824dabaae
Make sure Fail2Ban rules are in right order (using separate chain) and whitelist Googlebot (which keeps hitting Script Kiddy targets for unknown reasons)
IBBoard <dev@ibboard.co.uk>
parents:
61
diff
changeset
|
134 } |
|
3bb824dabaae
Make sure Fail2Ban rules are in right order (using separate chain) and whitelist Googlebot (which keeps hitting Script Kiddy targets for unknown reasons)
IBBoard <dev@ibboard.co.uk>
parents:
61
diff
changeset
|
135 firewall { '060 Check Fail2Ban': |
|
3bb824dabaae
Make sure Fail2Ban rules are in right order (using separate chain) and whitelist Googlebot (which keeps hitting Script Kiddy targets for unknown reasons)
IBBoard <dev@ibboard.co.uk>
parents:
61
diff
changeset
|
136 chain => 'INPUT', |
|
3bb824dabaae
Make sure Fail2Ban rules are in right order (using separate chain) and whitelist Googlebot (which keeps hitting Script Kiddy targets for unknown reasons)
IBBoard <dev@ibboard.co.uk>
parents:
61
diff
changeset
|
137 jump => 'Fail2Ban', |
|
3bb824dabaae
Make sure Fail2Ban rules are in right order (using separate chain) and whitelist Googlebot (which keeps hitting Script Kiddy targets for unknown reasons)
IBBoard <dev@ibboard.co.uk>
parents:
61
diff
changeset
|
138 } |
|
40
222904296578
Add firewall handling when we run without APF
IBBoard <dev@ibboard.co.uk>
parents:
38
diff
changeset
|
139 firewall { '101 allow SMTP': |
|
91
61a79ae833cb
Follow the documentation properly and specify dport, not just port
IBBoard <dev@ibboard.co.uk>
parents:
87
diff
changeset
|
140 dport => [25, 465], |
|
40
222904296578
Add firewall handling when we run without APF
IBBoard <dev@ibboard.co.uk>
parents:
38
diff
changeset
|
141 proto => tcp, |
|
222904296578
Add firewall handling when we run without APF
IBBoard <dev@ibboard.co.uk>
parents:
38
diff
changeset
|
142 action => accept, |
|
222904296578
Add firewall handling when we run without APF
IBBoard <dev@ibboard.co.uk>
parents:
38
diff
changeset
|
143 } |
|
222904296578
Add firewall handling when we run without APF
IBBoard <dev@ibboard.co.uk>
parents:
38
diff
changeset
|
144 firewall { '102 allow IMAPS': |
|
91
61a79ae833cb
Follow the documentation properly and specify dport, not just port
IBBoard <dev@ibboard.co.uk>
parents:
87
diff
changeset
|
145 dport => 993, |
|
40
222904296578
Add firewall handling when we run without APF
IBBoard <dev@ibboard.co.uk>
parents:
38
diff
changeset
|
146 proto => tcp, |
|
222904296578
Add firewall handling when we run without APF
IBBoard <dev@ibboard.co.uk>
parents:
38
diff
changeset
|
147 action => accept, |
|
222904296578
Add firewall handling when we run without APF
IBBoard <dev@ibboard.co.uk>
parents:
38
diff
changeset
|
148 } |
| 45 | 149 # Note: SSH port will be managed separately as we |
|
40
222904296578
Add firewall handling when we run without APF
IBBoard <dev@ibboard.co.uk>
parents:
38
diff
changeset
|
150 # put it on a different port to hide from script kiddy noise |
|
222904296578
Add firewall handling when we run without APF
IBBoard <dev@ibboard.co.uk>
parents:
38
diff
changeset
|
151 } |
|
222904296578
Add firewall handling when we run without APF
IBBoard <dev@ibboard.co.uk>
parents:
38
diff
changeset
|
152 |
|
100
fd3446c3b7b9
Set up a recursive localhost-only Bind server (assuming RH's safe and sane default configs)
IBBoard <dev@ibboard.co.uk>
parents:
99
diff
changeset
|
153 class dnsresolver { |
|
fd3446c3b7b9
Set up a recursive localhost-only Bind server (assuming RH's safe and sane default configs)
IBBoard <dev@ibboard.co.uk>
parents:
99
diff
changeset
|
154 package { 'bind': |
|
fd3446c3b7b9
Set up a recursive localhost-only Bind server (assuming RH's safe and sane default configs)
IBBoard <dev@ibboard.co.uk>
parents:
99
diff
changeset
|
155 ensure => present, |
|
fd3446c3b7b9
Set up a recursive localhost-only Bind server (assuming RH's safe and sane default configs)
IBBoard <dev@ibboard.co.uk>
parents:
99
diff
changeset
|
156 } |
|
fd3446c3b7b9
Set up a recursive localhost-only Bind server (assuming RH's safe and sane default configs)
IBBoard <dev@ibboard.co.uk>
parents:
99
diff
changeset
|
157 |
|
fd3446c3b7b9
Set up a recursive localhost-only Bind server (assuming RH's safe and sane default configs)
IBBoard <dev@ibboard.co.uk>
parents:
99
diff
changeset
|
158 service { 'named': |
|
fd3446c3b7b9
Set up a recursive localhost-only Bind server (assuming RH's safe and sane default configs)
IBBoard <dev@ibboard.co.uk>
parents:
99
diff
changeset
|
159 ensure => running, |
|
fd3446c3b7b9
Set up a recursive localhost-only Bind server (assuming RH's safe and sane default configs)
IBBoard <dev@ibboard.co.uk>
parents:
99
diff
changeset
|
160 enable => true, |
|
194
a08de3153548
Add a named.conf file to control cache/memory size
IBBoard <dev@ibboard.co.uk>
parents:
193
diff
changeset
|
161 require => Package['bind'], |
|
a08de3153548
Add a named.conf file to control cache/memory size
IBBoard <dev@ibboard.co.uk>
parents:
193
diff
changeset
|
162 } |
|
a08de3153548
Add a named.conf file to control cache/memory size
IBBoard <dev@ibboard.co.uk>
parents:
193
diff
changeset
|
163 |
|
a08de3153548
Add a named.conf file to control cache/memory size
IBBoard <dev@ibboard.co.uk>
parents:
193
diff
changeset
|
164 file { '/etc/named.conf': |
|
a08de3153548
Add a named.conf file to control cache/memory size
IBBoard <dev@ibboard.co.uk>
parents:
193
diff
changeset
|
165 ensure => present, |
| 247 | 166 source => [ |
| 167 "puppet:///common/named.conf-${::hostname}", | |
| 168 "puppet:///common/named.conf", | |
| 169 ], | |
|
194
a08de3153548
Add a named.conf file to control cache/memory size
IBBoard <dev@ibboard.co.uk>
parents:
193
diff
changeset
|
170 group => 'named', |
|
a08de3153548
Add a named.conf file to control cache/memory size
IBBoard <dev@ibboard.co.uk>
parents:
193
diff
changeset
|
171 require => Package['bind'], |
|
a08de3153548
Add a named.conf file to control cache/memory size
IBBoard <dev@ibboard.co.uk>
parents:
193
diff
changeset
|
172 notify => Service['named'], |
|
100
fd3446c3b7b9
Set up a recursive localhost-only Bind server (assuming RH's safe and sane default configs)
IBBoard <dev@ibboard.co.uk>
parents:
99
diff
changeset
|
173 } |
|
fd3446c3b7b9
Set up a recursive localhost-only Bind server (assuming RH's safe and sane default configs)
IBBoard <dev@ibboard.co.uk>
parents:
99
diff
changeset
|
174 |
|
fd3446c3b7b9
Set up a recursive localhost-only Bind server (assuming RH's safe and sane default configs)
IBBoard <dev@ibboard.co.uk>
parents:
99
diff
changeset
|
175 file { '/etc/NetworkManager/conf.d/local-dns-resolver.conf': |
|
fd3446c3b7b9
Set up a recursive localhost-only Bind server (assuming RH's safe and sane default configs)
IBBoard <dev@ibboard.co.uk>
parents:
99
diff
changeset
|
176 ensure => present, |
|
fd3446c3b7b9
Set up a recursive localhost-only Bind server (assuming RH's safe and sane default configs)
IBBoard <dev@ibboard.co.uk>
parents:
99
diff
changeset
|
177 content => "[main] |
|
fd3446c3b7b9
Set up a recursive localhost-only Bind server (assuming RH's safe and sane default configs)
IBBoard <dev@ibboard.co.uk>
parents:
99
diff
changeset
|
178 dns=none", |
|
fd3446c3b7b9
Set up a recursive localhost-only Bind server (assuming RH's safe and sane default configs)
IBBoard <dev@ibboard.co.uk>
parents:
99
diff
changeset
|
179 } |
|
fd3446c3b7b9
Set up a recursive localhost-only Bind server (assuming RH's safe and sane default configs)
IBBoard <dev@ibboard.co.uk>
parents:
99
diff
changeset
|
180 |
|
101
a48b6011a084
Stop Bind trying IPv6, as we only have a link-local IP
IBBoard <dev@ibboard.co.uk>
parents:
100
diff
changeset
|
181 file { '/etc/sysconfig/named': |
|
a48b6011a084
Stop Bind trying IPv6, as we only have a link-local IP
IBBoard <dev@ibboard.co.uk>
parents:
100
diff
changeset
|
182 ensure => present, |
| 247 | 183 source => [ |
| 184 "puppet:///common/sysconfig-named-${::hostname}", | |
| 185 "puppet:///common/sysconfig-named", | |
| 186 ], | |
|
194
a08de3153548
Add a named.conf file to control cache/memory size
IBBoard <dev@ibboard.co.uk>
parents:
193
diff
changeset
|
187 require => Package['bind'], |
|
101
a48b6011a084
Stop Bind trying IPv6, as we only have a link-local IP
IBBoard <dev@ibboard.co.uk>
parents:
100
diff
changeset
|
188 } |
|
a48b6011a084
Stop Bind trying IPv6, as we only have a link-local IP
IBBoard <dev@ibboard.co.uk>
parents:
100
diff
changeset
|
189 |
|
100
fd3446c3b7b9
Set up a recursive localhost-only Bind server (assuming RH's safe and sane default configs)
IBBoard <dev@ibboard.co.uk>
parents:
99
diff
changeset
|
190 file { '/etc/resolv.conf': |
|
fd3446c3b7b9
Set up a recursive localhost-only Bind server (assuming RH's safe and sane default configs)
IBBoard <dev@ibboard.co.uk>
parents:
99
diff
changeset
|
191 ensure => present, |
| 246 | 192 content => "nameserver 127.0.0.1", |
| 193 require => Service['named'], | |
| 194 tag => 'post-service', | |
|
100
fd3446c3b7b9
Set up a recursive localhost-only Bind server (assuming RH's safe and sane default configs)
IBBoard <dev@ibboard.co.uk>
parents:
99
diff
changeset
|
195 } |
|
fd3446c3b7b9
Set up a recursive localhost-only Bind server (assuming RH's safe and sane default configs)
IBBoard <dev@ibboard.co.uk>
parents:
99
diff
changeset
|
196 } |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
197 |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
198 class repos { |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
199 yumrepo { 'epel': |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
200 mirrorlist => 'https://mirrors.fedoraproject.org/metalink?repo=epel-$releasever&arch=$basearch', |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
201 descr => "Extra Packages for Enterprise Linux", |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
202 enabled => 1, |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
203 failovermethod => 'priority', |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
204 gpgcheck => 1, |
|
249
e9323ff8f451
Make EPEL work on multiple versions of CentOS
IBBoard <dev@ibboard.co.uk>
parents:
247
diff
changeset
|
205 gpgkey => "file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-$osver", |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
206 } |
|
249
e9323ff8f451
Make EPEL work on multiple versions of CentOS
IBBoard <dev@ibboard.co.uk>
parents:
247
diff
changeset
|
207 file { "/etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-$osver": |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
208 ensure => present, |
| 258 | 209 source => "puppet:///common/RPM-GPG-KEY-EPEL-$osver", |
| 210 tag => 'repo-config', | |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
211 } |
| 258 | 212 yumrepo { 'ibboard': |
| 213 baseurl => 'https://download.opensuse.org/repositories/home:/IBBoard:/server/CentOS_$releasever/', | |
| 214 descr => 'Extra packages from IBBoard', | |
| 215 enabled => 1, | |
| 216 gpgcheck => 1, | |
| 217 gpgkey => 'file:///etc/pki/rpm-gpg/RPM-GPG-KEY-ibboard', | |
| 218 } | |
| 219 file { '/etc/pki/rpm-gpg/RPM-GPG-KEY-ibboard': | |
| 220 ensure => present, | |
| 221 source => 'puppet:///common/RPM-GPG-KEY-ibboard', | |
| 222 tag => 'repo-config', | |
|
160
0d829df9cd39
Make the IBBoard repo config go away, rather than just leaving it undefined
IBBoard <dev@ibboard.co.uk>
parents:
159
diff
changeset
|
223 } |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
224 yumrepo { 'webtatic': |
| 238 | 225 ensure => absent, |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
226 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
227 file { '/etc/pki/rpm-gpg/RPM-GPG-KEY-webtatic-andy': |
| 108 | 228 ensure => absent, |
| 229 } | |
| 230 file { '/etc/pki/rpm-gpg/RPM-GPG-KEY-webtatic-el7': | |
| 238 | 231 ensure => absent, |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
232 } |
| 148 | 233 |
|
272
c42fb28cff86
Update to a newer Python module
IBBoard <dev@ibboard.co.uk>
parents:
271
diff
changeset
|
234 if $operatingsystem == 'CentOS' and versioncmp($operatingsystemrelease, '8') >= 0 { |
|
c42fb28cff86
Update to a newer Python module
IBBoard <dev@ibboard.co.uk>
parents:
271
diff
changeset
|
235 $python_ver = 'python3' |
|
c42fb28cff86
Update to a newer Python module
IBBoard <dev@ibboard.co.uk>
parents:
271
diff
changeset
|
236 } else { |
|
c42fb28cff86
Update to a newer Python module
IBBoard <dev@ibboard.co.uk>
parents:
271
diff
changeset
|
237 $python_ver = 'system' |
| 148 | 238 } |
|
272
c42fb28cff86
Update to a newer Python module
IBBoard <dev@ibboard.co.uk>
parents:
271
diff
changeset
|
239 |
|
c42fb28cff86
Update to a newer Python module
IBBoard <dev@ibboard.co.uk>
parents:
271
diff
changeset
|
240 class { 'python': |
|
c42fb28cff86
Update to a newer Python module
IBBoard <dev@ibboard.co.uk>
parents:
271
diff
changeset
|
241 ensure => 'present', |
|
c42fb28cff86
Update to a newer Python module
IBBoard <dev@ibboard.co.uk>
parents:
271
diff
changeset
|
242 version => $python_ver, |
|
c42fb28cff86
Update to a newer Python module
IBBoard <dev@ibboard.co.uk>
parents:
271
diff
changeset
|
243 pip => 'present', |
|
c42fb28cff86
Update to a newer Python module
IBBoard <dev@ibboard.co.uk>
parents:
271
diff
changeset
|
244 virtualenv => 'present', |
|
c42fb28cff86
Update to a newer Python module
IBBoard <dev@ibboard.co.uk>
parents:
271
diff
changeset
|
245 use_epel => false, |
|
c42fb28cff86
Update to a newer Python module
IBBoard <dev@ibboard.co.uk>
parents:
271
diff
changeset
|
246 } |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
247 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
248 |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
249 class tools { |
|
271
c62728474654
Add wget so that we can download files like a normal person
IBBoard <dev@ibboard.co.uk>
parents:
270
diff
changeset
|
250 $packages = [ 'sqlite', 'bash-completion', 'nano', 'bzip2', 'mlocate', 'patch', 'tmux', 'wget' ] |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
251 package { $packages: |
|
131
0dd899a10ee1
Change all "latest" packages to "installed"
IBBoard <dev@ibboard.co.uk>
parents:
129
diff
changeset
|
252 ensure => installed; |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
253 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
254 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
255 |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
256 class logrotate { |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
257 package { 'logrotate': |
|
131
0dd899a10ee1
Change all "latest" packages to "installed"
IBBoard <dev@ibboard.co.uk>
parents:
129
diff
changeset
|
258 ensure => installed; |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
259 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
260 file { '/etc/logrotate.d/httpd': |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
261 ensure => present, |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
262 source => 'puppet:///common/logrotate-httpd', |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
263 require => Package['logrotate'], |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
264 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
265 file { '/etc/logrotate.d/trac': |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
266 ensure => present, |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
267 source => 'puppet:///common/logrotate-trac', |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
268 require => Package['logrotate'], |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
269 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
270 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
271 |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
272 class logwatch { |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
273 package { 'logwatch': |
|
131
0dd899a10ee1
Change all "latest" packages to "installed"
IBBoard <dev@ibboard.co.uk>
parents:
129
diff
changeset
|
274 ensure => installed; |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
275 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
276 File { |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
277 ensure => present, |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
278 require => Package['logwatch'], |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
279 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
280 file { '/etc/cron.daily/0logwatch': |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
281 source => 'puppet:///common/0logwatch'; |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
282 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
283 file { '/etc/logwatch/scripts/shared/': |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
284 ensure => directory, |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
285 } |
|
66
e424cd208b99
Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
59
diff
changeset
|
286 file { '/etc/logwatch/scripts/services/fail2ban': |
|
e424cd208b99
Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
59
diff
changeset
|
287 source => 'puppet:///common/logwatch/services-fail2ban', |
|
e424cd208b99
Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
59
diff
changeset
|
288 } |
|
185
78dc899775b7
Add latest Logwatch "named" script to handle DNS log changes
IBBoard <dev@ibboard.co.uk>
parents:
181
diff
changeset
|
289 file { '/etc/logwatch/scripts/services/named': |
|
78dc899775b7
Add latest Logwatch "named" script to handle DNS log changes
IBBoard <dev@ibboard.co.uk>
parents:
181
diff
changeset
|
290 source => 'puppet:///common/logwatch/named', |
|
78dc899775b7
Add latest Logwatch "named" script to handle DNS log changes
IBBoard <dev@ibboard.co.uk>
parents:
181
diff
changeset
|
291 } |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
292 file { '/etc/logwatch/scripts/services/http-error': |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
293 source => 'puppet:///common/logwatch/http-error', |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
294 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
295 file { '/etc/logwatch/scripts/services/php': |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
296 source => 'puppet:///common/logwatch/scripts_php', |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
297 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
298 file { '/etc/logwatch/scripts/services/mysql': |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
299 source => 'puppet:///common/logwatch/scripts_mysql', |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
300 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
301 file { '/etc/logwatch/scripts/services/dovecot': |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
302 source => 'puppet:///common/logwatch/dovecot', |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
303 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
304 file { '/etc/logwatch/scripts/services/postfix': |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
305 source => 'puppet:///common/logwatch/postfix', |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
306 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
307 file { '/etc/logwatch/scripts/shared/applyhttperrordate': |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
308 source => 'puppet:///common/logwatch/applyhttperrordate', |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
309 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
310 file { '/etc/logwatch/conf/logwatch.conf': |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
311 content => 'Detail = Med', |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
312 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
313 file { '/etc/logwatch/conf/logfiles/http.conf': |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
314 content => 'LogFile = apache/access_*.log', |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
315 } |
|
126
8316d4e55e92
Fix Apache 2.4 Logwatch support
IBBoard <dev@ibboard.co.uk>
parents:
125
diff
changeset
|
316 file { '/etc/logwatch/conf/logfiles/http-error-24.conf': |
|
8316d4e55e92
Fix Apache 2.4 Logwatch support
IBBoard <dev@ibboard.co.uk>
parents:
125
diff
changeset
|
317 source => 'puppet:///common/logwatch/log-http-error.conf', |
|
8316d4e55e92
Fix Apache 2.4 Logwatch support
IBBoard <dev@ibboard.co.uk>
parents:
125
diff
changeset
|
318 } |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
319 file { '/etc/logwatch/conf/logfiles/http-error.conf': |
|
126
8316d4e55e92
Fix Apache 2.4 Logwatch support
IBBoard <dev@ibboard.co.uk>
parents:
125
diff
changeset
|
320 ensure=> absent, |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
321 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
322 file { '/etc/logwatch/conf/services/http-error.conf': |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
323 source => 'puppet:///common/logwatch/services-http-error.conf', |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
324 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
325 file { '/etc/logwatch/conf/logfiles/php.conf': |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
326 source => 'puppet:///common/logwatch/logfiles_php.conf', |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
327 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
328 file { '/etc/logwatch/conf/services/php.conf': |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
329 source => 'puppet:///common/logwatch/services_php.conf', |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
330 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
331 file { '/etc/logwatch/conf/logfiles/mysql.conf': |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
332 source => 'puppet:///common/logwatch/logfiles_mysql.conf', |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
333 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
334 file { '/etc/logwatch/conf/services/mysql.conf': |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
335 source => 'puppet:///common/logwatch/services_mysql.conf', |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
336 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
337 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
338 |
|
35
1bb941522ebf
Handle differences in firewalling between ASO (using APF) and most other hosts (using iptables)
IBBoard <dev@ibboard.co.uk>
parents:
32
diff
changeset
|
339 class fail2ban ( |
|
1bb941522ebf
Handle differences in firewalling between ASO (using APF) and most other hosts (using iptables)
IBBoard <dev@ibboard.co.uk>
parents:
32
diff
changeset
|
340 $firewall_cmd, |
|
1bb941522ebf
Handle differences in firewalling between ASO (using APF) and most other hosts (using iptables)
IBBoard <dev@ibboard.co.uk>
parents:
32
diff
changeset
|
341 ) { |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
342 package { 'fail2ban': |
|
131
0dd899a10ee1
Change all "latest" packages to "installed"
IBBoard <dev@ibboard.co.uk>
parents:
129
diff
changeset
|
343 ensure => installed, |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
344 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
345 service { 'fail2ban': |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
346 ensure => running, |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
347 enable => true |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
348 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
349 File { |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
350 ensure => present, |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
351 require => Package['fail2ban'], |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
352 notify => Service['fail2ban'], |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
353 } |
|
67
4be7f49debc2
"Already Banned" is actually at NOTICE
IBBoard <dev@ibboard.co.uk>
parents:
66
diff
changeset
|
354 file { '/etc/fail2ban/fail2ban.local': |
|
4be7f49debc2
"Already Banned" is actually at NOTICE
IBBoard <dev@ibboard.co.uk>
parents:
66
diff
changeset
|
355 source => 'puppet:///common/fail2ban/fail2ban.local', |
|
4be7f49debc2
"Already Banned" is actually at NOTICE
IBBoard <dev@ibboard.co.uk>
parents:
66
diff
changeset
|
356 } |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
357 file { '/etc/fail2ban/jail.local': |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
358 source => 'puppet:///common/fail2ban/jail.local', |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
359 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
360 file { '/etc/fail2ban/action.d/apf.conf': |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
361 source => 'puppet:///common/fail2ban/apf.conf', |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
362 } |
|
55
ce8eaaca6a34
Update firewalling so that we block the right ports when using iptables directly
IBBoard <dev@ibboard.co.uk>
parents:
54
diff
changeset
|
363 |
|
ce8eaaca6a34
Update firewalling so that we block the right ports when using iptables directly
IBBoard <dev@ibboard.co.uk>
parents:
54
diff
changeset
|
364 if $firewall_cmd == 'iptables' { |
|
ce8eaaca6a34
Update firewalling so that we block the right ports when using iptables directly
IBBoard <dev@ibboard.co.uk>
parents:
54
diff
changeset
|
365 $firewall_ban_cmd = 'iptables-multiport' |
|
ce8eaaca6a34
Update firewalling so that we block the right ports when using iptables directly
IBBoard <dev@ibboard.co.uk>
parents:
54
diff
changeset
|
366 } else { |
|
ce8eaaca6a34
Update firewalling so that we block the right ports when using iptables directly
IBBoard <dev@ibboard.co.uk>
parents:
54
diff
changeset
|
367 $firewall_ban_cmd = $firewall_cmd |
|
ce8eaaca6a34
Update firewalling so that we block the right ports when using iptables directly
IBBoard <dev@ibboard.co.uk>
parents:
54
diff
changeset
|
368 } |
|
ce8eaaca6a34
Update firewalling so that we block the right ports when using iptables directly
IBBoard <dev@ibboard.co.uk>
parents:
54
diff
changeset
|
369 |
|
35
1bb941522ebf
Handle differences in firewalling between ASO (using APF) and most other hosts (using iptables)
IBBoard <dev@ibboard.co.uk>
parents:
32
diff
changeset
|
370 file { '/etc/fail2ban/action.d/firewall-ban.conf': |
|
1bb941522ebf
Handle differences in firewalling between ASO (using APF) and most other hosts (using iptables)
IBBoard <dev@ibboard.co.uk>
parents:
32
diff
changeset
|
371 ensure => link, |
|
55
ce8eaaca6a34
Update firewalling so that we block the right ports when using iptables directly
IBBoard <dev@ibboard.co.uk>
parents:
54
diff
changeset
|
372 target => "/etc/fail2ban/action.d/${firewall_ban_cmd}.conf", |
|
35
1bb941522ebf
Handle differences in firewalling between ASO (using APF) and most other hosts (using iptables)
IBBoard <dev@ibboard.co.uk>
parents:
32
diff
changeset
|
373 } |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
374 file { '/etc/fail2ban/filter.d/ibb-apache-exploits-instaban.conf': |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
375 source => 'puppet:///common/fail2ban/ibb-apache-exploits-instaban.conf', |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
376 } |
|
6
b7c30595c97a
Add "Shellshock" exploit Fail2ban rule
IBBoard <dev@ibboard.co.uk>
parents:
0
diff
changeset
|
377 file { '/etc/fail2ban/filter.d/ibb-apache-shellshock.conf': |
|
b7c30595c97a
Add "Shellshock" exploit Fail2ban rule
IBBoard <dev@ibboard.co.uk>
parents:
0
diff
changeset
|
378 source => 'puppet:///common/fail2ban/ibb-apache-shellshock.conf', |
|
b7c30595c97a
Add "Shellshock" exploit Fail2ban rule
IBBoard <dev@ibboard.co.uk>
parents:
0
diff
changeset
|
379 } |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
380 file { '/etc/fail2ban/filter.d/ibb-repeat-offender.conf': |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
381 source => 'puppet:///common/fail2ban/ibb-repeat-offender.conf', |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
382 } |
|
195
f70831cc2864
Separate out SSH repeats from web/email repeats
IBBoard <dev@ibboard.co.uk>
parents:
194
diff
changeset
|
383 file { '/etc/fail2ban/filter.d/ibb-repeat-offender-ssh.conf': |
|
f70831cc2864
Separate out SSH repeats from web/email repeats
IBBoard <dev@ibboard.co.uk>
parents:
194
diff
changeset
|
384 source => 'puppet:///common/fail2ban/ibb-repeat-offender-ssh.conf', |
|
f70831cc2864
Separate out SSH repeats from web/email repeats
IBBoard <dev@ibboard.co.uk>
parents:
194
diff
changeset
|
385 } |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
386 file { '/etc/fail2ban/filter.d/ibb-postfix-spammers.conf': |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
387 source => 'puppet:///common/fail2ban/ibb-postfix-spammers.conf', |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
388 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
389 file { '/etc/fail2ban/filter.d/ibb-postfix-malicious.conf': |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
390 source => 'puppet:///common/fail2ban/ibb-postfix-malicious.conf', |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
391 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
392 file { '/etc/fail2ban/filter.d/ibb-postfix.conf': |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
393 source => 'puppet:///common/fail2ban/ibb-postfix.conf', |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
394 } |
|
171
103a3630e9b2
Tighten up some Fail2Ban rules (including SSH probes with only insecure keys)
IBBoard <dev@ibboard.co.uk>
parents:
170
diff
changeset
|
395 file { '/etc/fail2ban/filter.d/ibb-sshd.conf': |
|
103a3630e9b2
Tighten up some Fail2Ban rules (including SSH probes with only insecure keys)
IBBoard <dev@ibboard.co.uk>
parents:
170
diff
changeset
|
396 source => 'puppet:///common/fail2ban/ibb-sshd.conf', |
|
103a3630e9b2
Tighten up some Fail2Ban rules (including SSH probes with only insecure keys)
IBBoard <dev@ibboard.co.uk>
parents:
170
diff
changeset
|
397 } |
|
197
23c4f6a38b57
Make Fail2Ban SSH rules more agressive
IBBoard <dev@ibboard.co.uk>
parents:
195
diff
changeset
|
398 file { '/etc/fail2ban/filter.d/ibb-sshd-bad-user.conf': |
|
23c4f6a38b57
Make Fail2Ban SSH rules more agressive
IBBoard <dev@ibboard.co.uk>
parents:
195
diff
changeset
|
399 source => 'puppet:///common/fail2ban/ibb-sshd-bad-user.conf', |
|
23c4f6a38b57
Make Fail2Ban SSH rules more agressive
IBBoard <dev@ibboard.co.uk>
parents:
195
diff
changeset
|
400 } |
|
32
6bbc86f6cee5
Tidy up ordering and dependencies (including making sure we have a necessary file for Fail2Ban to start)
IBBoard <dev@ibboard.co.uk>
parents:
25
diff
changeset
|
401 # Because one of our rules checks fail2ban's log, but the service dies without the file |
|
6bbc86f6cee5
Tidy up ordering and dependencies (including making sure we have a necessary file for Fail2Ban to start)
IBBoard <dev@ibboard.co.uk>
parents:
25
diff
changeset
|
402 file { '/var/log/fail2ban.log': |
|
6bbc86f6cee5
Tidy up ordering and dependencies (including making sure we have a necessary file for Fail2Ban to start)
IBBoard <dev@ibboard.co.uk>
parents:
25
diff
changeset
|
403 ensure => present, |
|
6bbc86f6cee5
Tidy up ordering and dependencies (including making sure we have a necessary file for Fail2Ban to start)
IBBoard <dev@ibboard.co.uk>
parents:
25
diff
changeset
|
404 owner => 'root', |
|
6bbc86f6cee5
Tidy up ordering and dependencies (including making sure we have a necessary file for Fail2Ban to start)
IBBoard <dev@ibboard.co.uk>
parents:
25
diff
changeset
|
405 group => 'root', |
|
6bbc86f6cee5
Tidy up ordering and dependencies (including making sure we have a necessary file for Fail2Ban to start)
IBBoard <dev@ibboard.co.uk>
parents:
25
diff
changeset
|
406 mode => '0600', |
|
6bbc86f6cee5
Tidy up ordering and dependencies (including making sure we have a necessary file for Fail2Ban to start)
IBBoard <dev@ibboard.co.uk>
parents:
25
diff
changeset
|
407 } |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
408 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
409 |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
410 #Our web server with our configs, not just a stock one |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
411 class webserver ( |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
412 $primary_ip, |
|
284
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
413 $proxy_4to6_ip_prefix = undef, |
| 279 | 414 $proxy_upstream = undef, |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
415 ) { |
|
284
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
416 |
|
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
417 if $proxy_4to6_ip_prefix == undef { |
|
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
418 $ipv6_addresses = [] |
|
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
419 } |
|
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
420 else { |
|
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
421 $ipv6_addresses = [1, 2, 3, 4, 5, 6, 7, 8, 9].map |$octet| { "$proxy_4to6_ip_prefix:$octet" } |
|
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
422 } |
|
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
423 |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
424 #Setup base website parameters |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
425 class { 'website': |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
426 base_dir => '/srv/sites', |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
427 primary_ip => $primary_ip, |
|
284
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
428 proxy_4to6_ip_prefix => $proxy_4to6_ip_prefix, |
|
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
429 proxy_4to6_mask => 124, |
|
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
430 proxy_4to6_addresses => $ipv6_addresses, |
| 279 | 431 proxy_upstream => $proxy_upstream, |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
432 default_owner => $defaultusers::default_user, |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
433 default_group => $defaultusers::default_user, |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
434 default_tld => 'co.uk', |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
435 default_extra_tlds => [ 'com' ], |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
436 } |
| 110 | 437 |
| 241 | 438 # Use Remi's PHP 7.3 for now - 7.4 is still VERY new |
| 238 | 439 $php_suffix = '' |
| 247 | 440 if $operatingsystem == 'CentOS' and versioncmp($operatingsystemrelease, '8') >= 0 { |
| 441 yumrepo { 'remirepo-safe': | |
| 442 mirrorlist => 'http://cdn.remirepo.net/enterprise/$releasever/safe/$basearch/mirror', | |
| 443 descr => "Extra CentOS packages from Remi", | |
| 444 enabled => 1, | |
| 445 failovermethod => 'priority', | |
| 446 gpgcheck => 1, | |
| 447 gpgkey => 'file:///etc/pki/rpm-gpg/RPM-GPG-KEY-remi', | |
| 448 } | |
| 449 yumrepo { 'remirepo-php': | |
| 450 mirrorlist => 'http://cdn.remirepo.net/enterprise/$releasever/php73/$basearch/mirror', | |
| 451 descr => "PHP7.3 for CentOS from Remi", | |
| 452 enabled => 1, | |
| 453 failovermethod => 'priority', | |
| 454 gpgcheck => 1, | |
| 455 gpgkey => 'file:///etc/pki/rpm-gpg/RPM-GPG-KEY-remi', | |
| 456 } | |
| 457 } else { | |
| 458 yumrepo { 'remirepo-safe': | |
| 459 mirrorlist => 'http://cdn.remirepo.net/enterprise/$releasever/safe/mirror', | |
| 460 descr => "Extra CentOS packages from Remi", | |
| 461 enabled => 1, | |
| 462 failovermethod => 'priority', | |
| 463 gpgcheck => 1, | |
| 464 gpgkey => 'file:///etc/pki/rpm-gpg/RPM-GPG-KEY-remi', | |
| 465 } | |
| 466 yumrepo { 'remirepo-php': | |
| 467 mirrorlist => 'http://cdn.remirepo.net/enterprise/$releasever/php73/mirror', | |
| 468 descr => "PHP7.3 for CentOS from Remi", | |
| 469 enabled => 1, | |
| 470 failovermethod => 'priority', | |
| 471 gpgcheck => 1, | |
| 472 gpgkey => 'file:///etc/pki/rpm-gpg/RPM-GPG-KEY-remi', | |
| 473 } | |
| 238 | 474 } |
| 475 file { '/etc/pki/rpm-gpg/RPM-GPG-KEY-remi': | |
| 476 ensure => present, | |
| 477 source => 'puppet:///common/RPM-GPG-KEY-remi', | |
| 241 | 478 before => YumRepo['remirepo-php'], |
| 238 | 479 } |
| 110 | 480 |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
481 #Configure the PHP version to use |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
482 class { 'website::php': |
| 110 | 483 suffix => $php_suffix, |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
484 opcache => 'opcache', |
|
239
001e2f446837
Add the Zip module to make Wordpress happy
IBBoard <dev@ibboard.co.uk>
parents:
238
diff
changeset
|
485 extras => [ 'process', 'intl', 'pecl-imagick', 'bcmath', 'pecl-zip' ], |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
486 } |
|
24
204330fea19a
Use MariaDB on CentOS7 and manage hiera.yaml (to avoid warnings)
IBBoard <dev@ibboard.co.uk>
parents:
18
diff
changeset
|
487 |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
488 #Setup MySQL, using (private) templates to make sure that we set non-std passwords and a default user |
|
24
204330fea19a
Use MariaDB on CentOS7 and manage hiera.yaml (to avoid warnings)
IBBoard <dev@ibboard.co.uk>
parents:
18
diff
changeset
|
489 |
| 246 | 490 if $operatingsystem == 'CentOS' and versioncmp($operatingsystemrelease, '7') >= 0 { |
|
24
204330fea19a
Use MariaDB on CentOS7 and manage hiera.yaml (to avoid warnings)
IBBoard <dev@ibboard.co.uk>
parents:
18
diff
changeset
|
491 $mysqlpackage = 'mariadb' |
|
204330fea19a
Use MariaDB on CentOS7 and manage hiera.yaml (to avoid warnings)
IBBoard <dev@ibboard.co.uk>
parents:
18
diff
changeset
|
492 $mysqlsuffix = '' |
|
48
5cdc1c96c477
Add SELinux support for website content
IBBoard <dev@ibboard.co.uk>
parents:
45
diff
changeset
|
493 |
|
261
c3ecb1e58713
Fix more CentOS 7 vs 8 differences
IBBoard <dev@ibboard.co.uk>
parents:
258
diff
changeset
|
494 # Required for SELinux rule setting/status checks |
|
c3ecb1e58713
Fix more CentOS 7 vs 8 differences
IBBoard <dev@ibboard.co.uk>
parents:
258
diff
changeset
|
495 if versioncmp($operatingsystemrelease, '8') >= 0 { |
|
c3ecb1e58713
Fix more CentOS 7 vs 8 differences
IBBoard <dev@ibboard.co.uk>
parents:
258
diff
changeset
|
496 $semanage_package_name = 'policycoreutils-python-utils' |
|
c3ecb1e58713
Fix more CentOS 7 vs 8 differences
IBBoard <dev@ibboard.co.uk>
parents:
258
diff
changeset
|
497 } else { |
|
c3ecb1e58713
Fix more CentOS 7 vs 8 differences
IBBoard <dev@ibboard.co.uk>
parents:
258
diff
changeset
|
498 $semanage_package_name = 'policycoreutils-python' |
|
c3ecb1e58713
Fix more CentOS 7 vs 8 differences
IBBoard <dev@ibboard.co.uk>
parents:
258
diff
changeset
|
499 } |
|
c3ecb1e58713
Fix more CentOS 7 vs 8 differences
IBBoard <dev@ibboard.co.uk>
parents:
258
diff
changeset
|
500 |
|
c3ecb1e58713
Fix more CentOS 7 vs 8 differences
IBBoard <dev@ibboard.co.uk>
parents:
258
diff
changeset
|
501 package { 'policycoreutils-python': |
|
c3ecb1e58713
Fix more CentOS 7 vs 8 differences
IBBoard <dev@ibboard.co.uk>
parents:
258
diff
changeset
|
502 name => $semanage_package_name, |
|
c3ecb1e58713
Fix more CentOS 7 vs 8 differences
IBBoard <dev@ibboard.co.uk>
parents:
258
diff
changeset
|
503 ensure => present, |
|
c3ecb1e58713
Fix more CentOS 7 vs 8 differences
IBBoard <dev@ibboard.co.uk>
parents:
258
diff
changeset
|
504 } |
|
c3ecb1e58713
Fix more CentOS 7 vs 8 differences
IBBoard <dev@ibboard.co.uk>
parents:
258
diff
changeset
|
505 |
|
74
c2e5027202e2
Add missing dependency for Trac Subversion support on CentOS 7
IBBoard <dev@ibboard.co.uk>
parents:
72
diff
changeset
|
506 $extra_packages = [ |
| 78 | 507 'perl-Sys-Syslog', #Required for Perl SPF checking |
|
74
c2e5027202e2
Add missing dependency for Trac Subversion support on CentOS 7
IBBoard <dev@ibboard.co.uk>
parents:
72
diff
changeset
|
508 ] |
|
c2e5027202e2
Add missing dependency for Trac Subversion support on CentOS 7
IBBoard <dev@ibboard.co.uk>
parents:
72
diff
changeset
|
509 |
|
c2e5027202e2
Add missing dependency for Trac Subversion support on CentOS 7
IBBoard <dev@ibboard.co.uk>
parents:
72
diff
changeset
|
510 package { $extra_packages: |
|
c2e5027202e2
Add missing dependency for Trac Subversion support on CentOS 7
IBBoard <dev@ibboard.co.uk>
parents:
72
diff
changeset
|
511 ensure => installed |
|
c2e5027202e2
Add missing dependency for Trac Subversion support on CentOS 7
IBBoard <dev@ibboard.co.uk>
parents:
72
diff
changeset
|
512 } |
|
24
204330fea19a
Use MariaDB on CentOS7 and manage hiera.yaml (to avoid warnings)
IBBoard <dev@ibboard.co.uk>
parents:
18
diff
changeset
|
513 } |
|
204330fea19a
Use MariaDB on CentOS7 and manage hiera.yaml (to avoid warnings)
IBBoard <dev@ibboard.co.uk>
parents:
18
diff
changeset
|
514 else { |
|
204330fea19a
Use MariaDB on CentOS7 and manage hiera.yaml (to avoid warnings)
IBBoard <dev@ibboard.co.uk>
parents:
18
diff
changeset
|
515 $mysqlpackage = 'mysql' |
|
204330fea19a
Use MariaDB on CentOS7 and manage hiera.yaml (to avoid warnings)
IBBoard <dev@ibboard.co.uk>
parents:
18
diff
changeset
|
516 $mysqlsuffix = '55w' |
|
204330fea19a
Use MariaDB on CentOS7 and manage hiera.yaml (to avoid warnings)
IBBoard <dev@ibboard.co.uk>
parents:
18
diff
changeset
|
517 } |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
518 class { 'website::mysql': |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
519 mysqluser => template('defaultusers/mysql-user'), |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
520 mysqlpassword => template('defaultusers/mysql-password'), |
|
24
204330fea19a
Use MariaDB on CentOS7 and manage hiera.yaml (to avoid warnings)
IBBoard <dev@ibboard.co.uk>
parents:
18
diff
changeset
|
521 mysqlprefix => $mysqlpackage, |
|
204330fea19a
Use MariaDB on CentOS7 and manage hiera.yaml (to avoid warnings)
IBBoard <dev@ibboard.co.uk>
parents:
18
diff
changeset
|
522 mysqlsuffix => $mysqlsuffix, |
| 110 | 523 phpsuffix => $php_suffix, |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
524 phpmysqlsuffix => 'nd' |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
525 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
526 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
527 |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
528 class ibboardvpsnode ( |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
529 $primary_ip, |
|
284
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
530 $proxy_4to6_ip_prefix = undef, |
| 279 | 531 $proxy_upstream = undef, |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
532 $mailserver, |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
533 $imapserver, |
|
35
1bb941522ebf
Handle differences in firewalling between ASO (using APF) and most other hosts (using iptables)
IBBoard <dev@ibboard.co.uk>
parents:
32
diff
changeset
|
534 $firewall_cmd = 'iptables', |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
535 ){ |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
536 class { 'basevpsnode': |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
537 primary_ip => $primary_ip, |
|
284
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
538 proxy_4to6_ip_prefix => $proxy_4to6_ip_prefix, |
| 279 | 539 proxy_upstream => $proxy_upstream, |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
540 mailserver => $mailserver, |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
541 imapserver => $imapserver, |
|
35
1bb941522ebf
Handle differences in firewalling between ASO (using APF) and most other hosts (using iptables)
IBBoard <dev@ibboard.co.uk>
parents:
32
diff
changeset
|
542 firewall_cmd => $firewall_cmd, |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
543 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
544 |
|
267
edeedd13262c
Set a sensible default timezone for VPS
IBBoard <dev@ibboard.co.uk>
parents:
266
diff
changeset
|
545 # Set timezone to something sensible |
|
edeedd13262c
Set a sensible default timezone for VPS
IBBoard <dev@ibboard.co.uk>
parents:
266
diff
changeset
|
546 file { "/etc/localtime": |
|
edeedd13262c
Set a sensible default timezone for VPS
IBBoard <dev@ibboard.co.uk>
parents:
266
diff
changeset
|
547 ensure => 'link', |
|
edeedd13262c
Set a sensible default timezone for VPS
IBBoard <dev@ibboard.co.uk>
parents:
266
diff
changeset
|
548 target => '/usr/share/zoneinfo/Europe/London', |
|
edeedd13262c
Set a sensible default timezone for VPS
IBBoard <dev@ibboard.co.uk>
parents:
266
diff
changeset
|
549 } |
|
edeedd13262c
Set a sensible default timezone for VPS
IBBoard <dev@ibboard.co.uk>
parents:
266
diff
changeset
|
550 |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
551 # Common modules used by multiple sites (mod_auth_basic is safe because we HTTPS all the things) |
|
146
816e35f86a5d
Remove mod_auth_token and replace with mod_xsendfile
IBBoard <dev@ibboard.co.uk>
parents:
145
diff
changeset
|
552 $mods = [ 'auth_basic', |
|
816e35f86a5d
Remove mod_auth_token and replace with mod_xsendfile
IBBoard <dev@ibboard.co.uk>
parents:
145
diff
changeset
|
553 'authn_file', |
|
816e35f86a5d
Remove mod_auth_token and replace with mod_xsendfile
IBBoard <dev@ibboard.co.uk>
parents:
145
diff
changeset
|
554 'authz_user', |
|
816e35f86a5d
Remove mod_auth_token and replace with mod_xsendfile
IBBoard <dev@ibboard.co.uk>
parents:
145
diff
changeset
|
555 'deflate', |
|
816e35f86a5d
Remove mod_auth_token and replace with mod_xsendfile
IBBoard <dev@ibboard.co.uk>
parents:
145
diff
changeset
|
556 'xsendfile' |
|
816e35f86a5d
Remove mod_auth_token and replace with mod_xsendfile
IBBoard <dev@ibboard.co.uk>
parents:
145
diff
changeset
|
557 ] |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
558 apache::mod { |
|
146
816e35f86a5d
Remove mod_auth_token and replace with mod_xsendfile
IBBoard <dev@ibboard.co.uk>
parents:
145
diff
changeset
|
559 $mods:; |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
560 } |
| 246 | 561 if $operatingsystem == 'CentOS' and versioncmp($operatingsystemrelease, '7') >= 0 { |
| 562 apache::mod { | |
|
25
13adb555a7e2
Use "<IfVersion>" to handle auth differences between 2.2 and 2.4
IBBoard <dev@ibboard.co.uk>
parents:
24
diff
changeset
|
563 'authn_core':; |
|
13adb555a7e2
Use "<IfVersion>" to handle auth differences between 2.2 and 2.4
IBBoard <dev@ibboard.co.uk>
parents:
24
diff
changeset
|
564 } |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
565 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
566 |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
567 #Configure our sites, using templates for the custom fragments where the extra content is too long |
|
284
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
568 class { "devsite": |
|
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
569 proxy_4to6_ip => $proxy_4to6_ip_prefix != undef ? { true => "$proxy_4to6_ip_prefix:01", default => undef } |
|
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
570 } |
|
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
571 class { "adminsite": |
|
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
572 proxy_4to6_ip => $proxy_4to6_ip_prefix != undef ? { true => "$proxy_4to6_ip_prefix:02", default => undef } |
|
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
573 } |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
574 website::https::multitld { 'www.ibboard': |
|
284
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
575 proxy_4to6_ip => $proxy_4to6_ip_prefix != undef ? { true => "$proxy_4to6_ip_prefix:03", default => undef }, |
| 246 | 576 custom_fragment => template("privat/apache/ibboard.fragment"), |
|
157
c6b1b42f3e4b
Move all sites to separate LetsEncrypt certs to make adding future domains easier
IBBoard <dev@ibboard.co.uk>
parents:
154
diff
changeset
|
577 letsencrypt_name => 'ibboard.co.uk', |
|
236
4519b727cc4c
Make Content-Security-Policy cleaner and easier to set
IBBoard <dev@ibboard.co.uk>
parents:
235
diff
changeset
|
578 csp_override => { |
|
4519b727cc4c
Make Content-Security-Policy cleaner and easier to set
IBBoard <dev@ibboard.co.uk>
parents:
235
diff
changeset
|
579 "report-uri" => "https://ibboard.report-uri.com/r/d/csp/enforce", |
|
4519b727cc4c
Make Content-Security-Policy cleaner and easier to set
IBBoard <dev@ibboard.co.uk>
parents:
235
diff
changeset
|
580 "default-src" => "'none'", |
|
4519b727cc4c
Make Content-Security-Policy cleaner and easier to set
IBBoard <dev@ibboard.co.uk>
parents:
235
diff
changeset
|
581 "img-src" => "'self' https://live.staticflickr.com/", |
|
4519b727cc4c
Make Content-Security-Policy cleaner and easier to set
IBBoard <dev@ibboard.co.uk>
parents:
235
diff
changeset
|
582 "script-src" => "'self'", |
|
4519b727cc4c
Make Content-Security-Policy cleaner and easier to set
IBBoard <dev@ibboard.co.uk>
parents:
235
diff
changeset
|
583 "style-src" => "'self'", |
|
4519b727cc4c
Make Content-Security-Policy cleaner and easier to set
IBBoard <dev@ibboard.co.uk>
parents:
235
diff
changeset
|
584 "font-src" => "'self'", |
|
4519b727cc4c
Make Content-Security-Policy cleaner and easier to set
IBBoard <dev@ibboard.co.uk>
parents:
235
diff
changeset
|
585 "form-action" => "'self'", |
|
4519b727cc4c
Make Content-Security-Policy cleaner and easier to set
IBBoard <dev@ibboard.co.uk>
parents:
235
diff
changeset
|
586 "connect-src" => "'self'", |
|
4519b727cc4c
Make Content-Security-Policy cleaner and easier to set
IBBoard <dev@ibboard.co.uk>
parents:
235
diff
changeset
|
587 } |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
588 } |
|
284
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
589 class { "hiveworldterrasite": |
|
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
590 proxy_4to6_ip => $proxy_4to6_ip_prefix != undef ? { true => "$proxy_4to6_ip_prefix:04", default => undef } |
|
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
591 } |
|
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
592 class { "bdstrikesite": |
|
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
593 proxy_4to6_ip => $proxy_4to6_ip_prefix != undef ? { true => "$proxy_4to6_ip_prefix:05", default => undef } |
|
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
594 } |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
595 website::https::multitld { 'www.abiknight': |
|
284
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
596 proxy_4to6_ip => $proxy_4to6_ip_prefix != undef ? { true => "$proxy_4to6_ip_prefix:06", default => undef }, |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
597 custom_fragment => "$website::htmlphpfragment |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
598 ErrorDocument 404 /error.php", |
|
157
c6b1b42f3e4b
Move all sites to separate LetsEncrypt certs to make adding future domains easier
IBBoard <dev@ibboard.co.uk>
parents:
154
diff
changeset
|
599 letsencrypt_name => 'abiknight.co.uk', |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
600 } |
|
284
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
601 website::https::multitld { 'www.warfoundry': |
|
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
602 proxy_4to6_ip => $proxy_4to6_ip_prefix != undef ? { true => "$proxy_4to6_ip_prefix:07", default => undef }, |
|
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
603 letsencrypt_name => 'warfoundry.co.uk', |
|
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
604 custom_fragment => template("privat/apache/warfoundry.fragment"), |
|
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
605 } |
|
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
606 class { "webmailpimsite": |
|
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
607 proxy_4to6_ip_pim => $proxy_4to6_ip_prefix != undef ? { true => "$proxy_4to6_ip_prefix:08", default => undef }, |
|
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
608 proxy_4to6_ip_webmail => $proxy_4to6_ip_prefix != undef ? { true => "$proxy_4to6_ip_prefix:09", default => undef }, |
|
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
609 } |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
610 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
611 |
|
284
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
612 class adminsite ($proxy_4to6_ip) { |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
613 apache::mod { 'info':; 'status':; 'cgi':; } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
614 website::https::multitld { 'admin.ibboard': |
|
284
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
615 proxy_4to6_ip => $proxy_4to6_ip, |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
616 force_no_index => false, |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
617 ssl_ca_chain => '', |
| 246 | 618 custom_fragment => template("privat/apache/admin.fragment"), |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
619 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
620 cron { 'loadavg': |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
621 command => '/usr/local/bin/run-loadavg-logger', |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
622 user => apache, |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
623 minute => '*/6' |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
624 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
625 cron { 'awstats': |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
626 command => '/usr/local/bin/update-awstats > /srv/sites/admin/awstats.log', |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
627 user => apache, |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
628 hour => '*/6', |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
629 minute => '0' |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
630 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
631 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
632 |
|
284
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
633 class hiveworldterrasite ($proxy_4to6_ip) { |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
634 website::https::multitld { 'www.hiveworldterra': |
|
284
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
635 proxy_4to6_ip => $proxy_4to6_ip, |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
636 force_no_www => false, |
|
157
c6b1b42f3e4b
Move all sites to separate LetsEncrypt certs to make adding future domains easier
IBBoard <dev@ibboard.co.uk>
parents:
154
diff
changeset
|
637 letsencrypt_name => 'hiveworldterra.co.uk', |
| 246 | 638 custom_fragment => template("privat/apache/hwt.fragment"), |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
639 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
640 website::https::multitld { 'forums.hiveworldterra': |
|
284
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
641 proxy_4to6_ip => $proxy_4to6_ip, |
|
157
c6b1b42f3e4b
Move all sites to separate LetsEncrypt certs to make adding future domains easier
IBBoard <dev@ibboard.co.uk>
parents:
154
diff
changeset
|
642 letsencrypt_name => 'hiveworldterra.co.uk', |
| 246 | 643 custom_fragment => template("privat/apache/forums.fragment"), |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
644 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
645 website::https::multitld { 'skins.hiveworldterra': |
|
284
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
646 proxy_4to6_ip => $proxy_4to6_ip, |
|
157
c6b1b42f3e4b
Move all sites to separate LetsEncrypt certs to make adding future domains easier
IBBoard <dev@ibboard.co.uk>
parents:
154
diff
changeset
|
647 letsencrypt_name => 'hiveworldterra.co.uk', |
| 246 | 648 custom_fragment => template("privat/apache/skins.fragment"), |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
649 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
650 website::https::redir { 'hiveworldterra.ibboard.co.uk': |
|
284
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
651 proxy_4to6_ip => $proxy_4to6_ip, |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
652 redir => 'https://www.hiveworldterra.co.uk/', |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
653 docroot => "${website::basedir}/hiveworldterra", |
|
157
c6b1b42f3e4b
Move all sites to separate LetsEncrypt certs to make adding future domains easier
IBBoard <dev@ibboard.co.uk>
parents:
154
diff
changeset
|
654 letsencrypt_name => 'hiveworldterra.co.uk', |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
655 separate_log => true, |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
656 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
657 } |
|
284
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
658 class bdstrikesite ($proxy_4to6_ip) { |
| 145 | 659 website::https::multitld { 'www.bdstrike': |
|
284
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
660 proxy_4to6_ip => $proxy_4to6_ip, |
| 145 | 661 docroot_owner => $defaultusers::secondary_user, |
| 662 docroot_group => 'editors', | |
|
157
c6b1b42f3e4b
Move all sites to separate LetsEncrypt certs to make adding future domains easier
IBBoard <dev@ibboard.co.uk>
parents:
154
diff
changeset
|
663 letsencrypt_name => 'bdstrike.co.uk', |
| 246 | 664 custom_fragment => template("privat/apache/bdstrike.fragment"), |
|
236
4519b727cc4c
Make Content-Security-Policy cleaner and easier to set
IBBoard <dev@ibboard.co.uk>
parents:
235
diff
changeset
|
665 csp_override => {"frame-ancestors" => "'self'"}, |
|
4519b727cc4c
Make Content-Security-Policy cleaner and easier to set
IBBoard <dev@ibboard.co.uk>
parents:
235
diff
changeset
|
666 csp_report_override => { |
|
4519b727cc4c
Make Content-Security-Policy cleaner and easier to set
IBBoard <dev@ibboard.co.uk>
parents:
235
diff
changeset
|
667 "font-src" => "'self' https://fonts.gstatic.com/", |
|
4519b727cc4c
Make Content-Security-Policy cleaner and easier to set
IBBoard <dev@ibboard.co.uk>
parents:
235
diff
changeset
|
668 "img-src" => "'self' https://secure.gravatar.com/", |
|
4519b727cc4c
Make Content-Security-Policy cleaner and easier to set
IBBoard <dev@ibboard.co.uk>
parents:
235
diff
changeset
|
669 "style-src" => "'self' https://fonts.googleapis.com/" |
|
4519b727cc4c
Make Content-Security-Policy cleaner and easier to set
IBBoard <dev@ibboard.co.uk>
parents:
235
diff
changeset
|
670 }, |
| 145 | 671 } |
|
157
c6b1b42f3e4b
Move all sites to separate LetsEncrypt certs to make adding future domains easier
IBBoard <dev@ibboard.co.uk>
parents:
154
diff
changeset
|
672 $aliases = [ |
|
c6b1b42f3e4b
Move all sites to separate LetsEncrypt certs to make adding future domains easier
IBBoard <dev@ibboard.co.uk>
parents:
154
diff
changeset
|
673 'strikecreations.co.uk', |
|
c6b1b42f3e4b
Move all sites to separate LetsEncrypt certs to make adding future domains easier
IBBoard <dev@ibboard.co.uk>
parents:
154
diff
changeset
|
674 'strikecreations.com', |
|
c6b1b42f3e4b
Move all sites to separate LetsEncrypt certs to make adding future domains easier
IBBoard <dev@ibboard.co.uk>
parents:
154
diff
changeset
|
675 'www.strikecreations.com' ] |
|
c6b1b42f3e4b
Move all sites to separate LetsEncrypt certs to make adding future domains easier
IBBoard <dev@ibboard.co.uk>
parents:
154
diff
changeset
|
676 |
|
c6b1b42f3e4b
Move all sites to separate LetsEncrypt certs to make adding future domains easier
IBBoard <dev@ibboard.co.uk>
parents:
154
diff
changeset
|
677 website::https::redir { 'www.strikecreations.co.uk': |
|
284
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
678 proxy_4to6_ip => $proxy_4to6_ip, |
|
157
c6b1b42f3e4b
Move all sites to separate LetsEncrypt certs to make adding future domains easier
IBBoard <dev@ibboard.co.uk>
parents:
154
diff
changeset
|
679 redir => 'https://bdstrike.co.uk/', |
|
c6b1b42f3e4b
Move all sites to separate LetsEncrypt certs to make adding future domains easier
IBBoard <dev@ibboard.co.uk>
parents:
154
diff
changeset
|
680 serveraliases => $aliases, |
| 145 | 681 docroot => "${website::basedir}/bdstrike", |
| 682 docroot_owner => $defaultusers::secondary_user, | |
| 683 docroot_group => 'editors', | |
|
157
c6b1b42f3e4b
Move all sites to separate LetsEncrypt certs to make adding future domains easier
IBBoard <dev@ibboard.co.uk>
parents:
154
diff
changeset
|
684 letsencrypt_name => 'bdstrike.co.uk', |
|
c6b1b42f3e4b
Move all sites to separate LetsEncrypt certs to make adding future domains easier
IBBoard <dev@ibboard.co.uk>
parents:
154
diff
changeset
|
685 separate_log => true, |
| 145 | 686 } |
|
235
e602c5f974ac
Make a cron job for updating Wordpress
IBBoard <dev@ibboard.co.uk>
parents:
200
diff
changeset
|
687 cron { 'wordpress_cron': |
|
e602c5f974ac
Make a cron job for updating Wordpress
IBBoard <dev@ibboard.co.uk>
parents:
200
diff
changeset
|
688 # Run "php -f wp-cron.php" on a schedule so that we can auto-update |
|
e602c5f974ac
Make a cron job for updating Wordpress
IBBoard <dev@ibboard.co.uk>
parents:
200
diff
changeset
|
689 # without giving Apache full write access! |
|
e602c5f974ac
Make a cron job for updating Wordpress
IBBoard <dev@ibboard.co.uk>
parents:
200
diff
changeset
|
690 command => "/usr/local/bin/bdstrike-cron", |
|
e602c5f974ac
Make a cron job for updating Wordpress
IBBoard <dev@ibboard.co.uk>
parents:
200
diff
changeset
|
691 user => $defaultusers::default_user, |
|
e602c5f974ac
Make a cron job for updating Wordpress
IBBoard <dev@ibboard.co.uk>
parents:
200
diff
changeset
|
692 minute => '*/15', |
|
e602c5f974ac
Make a cron job for updating Wordpress
IBBoard <dev@ibboard.co.uk>
parents:
200
diff
changeset
|
693 } |
| 145 | 694 } |
|
284
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
695 class devsite ($proxy_4to6_ip) { |
|
261
c3ecb1e58713
Fix more CentOS 7 vs 8 differences
IBBoard <dev@ibboard.co.uk>
parents:
258
diff
changeset
|
696 if versioncmp($operatingsystemrelease, '8') >= 0 { |
|
c3ecb1e58713
Fix more CentOS 7 vs 8 differences
IBBoard <dev@ibboard.co.uk>
parents:
258
diff
changeset
|
697 # Apache::Mod doesn't map this correctly for CentOS 8 yet |
|
c3ecb1e58713
Fix more CentOS 7 vs 8 differences
IBBoard <dev@ibboard.co.uk>
parents:
258
diff
changeset
|
698 $mod_wsgi_lib = 'mod_wsgi_python3.so' |
|
c3ecb1e58713
Fix more CentOS 7 vs 8 differences
IBBoard <dev@ibboard.co.uk>
parents:
258
diff
changeset
|
699 } else { |
|
c3ecb1e58713
Fix more CentOS 7 vs 8 differences
IBBoard <dev@ibboard.co.uk>
parents:
258
diff
changeset
|
700 $mod_wsgi_lib = undef |
|
c3ecb1e58713
Fix more CentOS 7 vs 8 differences
IBBoard <dev@ibboard.co.uk>
parents:
258
diff
changeset
|
701 } |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
702 apache::mod { |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
703 # mod_wsgi for Python support |
|
261
c3ecb1e58713
Fix more CentOS 7 vs 8 differences
IBBoard <dev@ibboard.co.uk>
parents:
258
diff
changeset
|
704 'wsgi': |
|
c3ecb1e58713
Fix more CentOS 7 vs 8 differences
IBBoard <dev@ibboard.co.uk>
parents:
258
diff
changeset
|
705 lib => $mod_wsgi_lib, |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
706 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
707 |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
708 # Create Python virtualenvs for the dev site apps |
|
272
c42fb28cff86
Update to a newer Python module
IBBoard <dev@ibboard.co.uk>
parents:
271
diff
changeset
|
709 file { |
|
c42fb28cff86
Update to a newer Python module
IBBoard <dev@ibboard.co.uk>
parents:
271
diff
changeset
|
710 "/srv/rhodecode": |
|
c42fb28cff86
Update to a newer Python module
IBBoard <dev@ibboard.co.uk>
parents:
271
diff
changeset
|
711 ensure => 'directory'; |
|
c42fb28cff86
Update to a newer Python module
IBBoard <dev@ibboard.co.uk>
parents:
271
diff
changeset
|
712 "/srv/trac": |
|
c42fb28cff86
Update to a newer Python module
IBBoard <dev@ibboard.co.uk>
parents:
271
diff
changeset
|
713 ensure => 'directory'; |
|
c42fb28cff86
Update to a newer Python module
IBBoard <dev@ibboard.co.uk>
parents:
271
diff
changeset
|
714 } -> |
|
c42fb28cff86
Update to a newer Python module
IBBoard <dev@ibboard.co.uk>
parents:
271
diff
changeset
|
715 python::virtualenv { |
|
c42fb28cff86
Update to a newer Python module
IBBoard <dev@ibboard.co.uk>
parents:
271
diff
changeset
|
716 # Distribute is described as "simple compatibility layer that installs Setuptools 0.7+" |
|
c42fb28cff86
Update to a newer Python module
IBBoard <dev@ibboard.co.uk>
parents:
271
diff
changeset
|
717 # and leads to 'module "importlib._bootstrap" has no attribute "SourceFileLoader"' |
|
c42fb28cff86
Update to a newer Python module
IBBoard <dev@ibboard.co.uk>
parents:
271
diff
changeset
|
718 "/srv/rhodecode/virtualenv": |
|
c42fb28cff86
Update to a newer Python module
IBBoard <dev@ibboard.co.uk>
parents:
271
diff
changeset
|
719 distribute => false, |
|
c42fb28cff86
Update to a newer Python module
IBBoard <dev@ibboard.co.uk>
parents:
271
diff
changeset
|
720 version => '3'; |
|
c42fb28cff86
Update to a newer Python module
IBBoard <dev@ibboard.co.uk>
parents:
271
diff
changeset
|
721 "/srv/trac/virtualenv": |
|
c42fb28cff86
Update to a newer Python module
IBBoard <dev@ibboard.co.uk>
parents:
271
diff
changeset
|
722 distribute => false, |
|
c42fb28cff86
Update to a newer Python module
IBBoard <dev@ibboard.co.uk>
parents:
271
diff
changeset
|
723 version => '3'; |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
724 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
725 |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
726 # Graphviz for Trac "master ticket" graphs |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
727 package { 'graphviz': |
|
131
0dd899a10ee1
Change all "latest" packages to "installed"
IBBoard <dev@ibboard.co.uk>
parents:
129
diff
changeset
|
728 ensure => installed, |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
729 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
730 |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
731 website::https::multitld { 'dev.ibboard': |
|
284
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
732 proxy_4to6_ip => $proxy_4to6_ip, |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
733 #Make sure we're the first one hit for the tiny fraction of "no support" cases we care about (potentially Python for Mercurial!) |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
734 # http://en.wikipedia.org/wiki/Server_Name_Indication#No_support |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
735 priority => 1, |
|
157
c6b1b42f3e4b
Move all sites to separate LetsEncrypt certs to make adding future domains easier
IBBoard <dev@ibboard.co.uk>
parents:
154
diff
changeset
|
736 letsencrypt_name => 'dev.ibboard.co.uk', |
| 246 | 737 custom_fragment => template("privat/apache/dev.fragment"), |
|
281
af7df930a670
Add 4-to-6 proxy and mod_remoteip setup
IBBoard <dev@ibboard.co.uk>
parents:
279
diff
changeset
|
738 proxy_fragment => template("privat/apache/dev-proxy.fragment"), |
|
52
be1e9773a12c
Mercurial repo versions index.php files etc, so removing index.php breaks things!
IBBoard <dev@ibboard.co.uk>
parents:
44
diff
changeset
|
739 force_no_index => false, |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
740 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
741 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
742 |
|
284
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
743 class webmailpimsite ($proxy_4to6_ip_pim, $proxy_4to6_ip_webmail) { |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
744 # Webmail and Personal Information Management (PIM) sites |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
745 website::https { 'webmail.ibboard.co.uk': |
|
284
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
746 proxy_4to6_ip => $proxy_4to6_ip_webmail, |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
747 force_no_index => false, |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
748 ssl_ca_chain => '', |
| 246 | 749 custom_fragment => template("privat/apache/webmail.fragment"), |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
750 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
751 website::https { 'pim.ibboard.co.uk': |
|
284
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
752 proxy_4to6_ip => $proxy_4to6_ip_pim, |
|
242
7d8e664ebcc9
Change owner/group on Nextcloud for easy upgrade
IBBoard <dev@ibboard.co.uk>
parents:
241
diff
changeset
|
753 docroot_owner => 'apache', |
|
7d8e664ebcc9
Change owner/group on Nextcloud for easy upgrade
IBBoard <dev@ibboard.co.uk>
parents:
241
diff
changeset
|
754 docroot_group => 'editors', |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
755 force_no_index => false, |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
756 lockdown_requests => false, |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
757 ssl_ca_chain => '', |
|
265
bf2b8912c414
Make PIM site skip CSP headers - NextCloud manages them
IBBoard <dev@ibboard.co.uk>
parents:
264
diff
changeset
|
758 csp => false, |
|
bf2b8912c414
Make PIM site skip CSP headers - NextCloud manages them
IBBoard <dev@ibboard.co.uk>
parents:
264
diff
changeset
|
759 csp_report => false, |
| 246 | 760 custom_fragment => template("privat/apache/pim.fragment"), |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
761 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
762 cron { 'owncloudcron': |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
763 command => "/usr/local/bin/owncloud-cron", |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
764 user => 'apache', |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
765 minute => '*/15', |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
766 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
767 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
768 |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
769 class email ( |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
770 $mailserver, |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
771 $imapserver, |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
772 ){ |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
773 class { 'postfix': |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
774 mailserver => $mailserver, |
| 176 | 775 protocols => 'ipv4', |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
776 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
777 class { 'dovecot': |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
778 imapserver => $imapserver, |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
779 } |
|
177
1b605c38b375
Add missing dependencies for SpamAssassin rules
IBBoard <dev@ibboard.co.uk>
parents:
176
diff
changeset
|
780 # Unspecified SpamAssassin config dependencies that started |
|
1b605c38b375
Add missing dependencies for SpamAssassin rules
IBBoard <dev@ibboard.co.uk>
parents:
176
diff
changeset
|
781 # showing up as errors in our logs |
|
276
165ad12ea8ca
Remove Perl LZMA module because it's in beta
IBBoard <dev@ibboard.co.uk>
parents:
274
diff
changeset
|
782 package { ['perl-File-MimeInfo']: |
|
177
1b605c38b375
Add missing dependencies for SpamAssassin rules
IBBoard <dev@ibboard.co.uk>
parents:
176
diff
changeset
|
783 ensure => installed, |
|
1b605c38b375
Add missing dependencies for SpamAssassin rules
IBBoard <dev@ibboard.co.uk>
parents:
176
diff
changeset
|
784 } |
|
140
6eef7cec8658
Remove ClamAV from server config
IBBoard <dev@ibboard.co.uk>
parents:
139
diff
changeset
|
785 package { [ 'amavisd-new' ]: |
| 85 | 786 ensure => installed, |
| 787 tag => 'av', | |
| 788 } | |
|
86
4f59d2fcd521
Make sure that Amavis daemon is running so mail gets delivered after reboot!
IBBoard <dev@ibboard.co.uk>
parents:
85
diff
changeset
|
789 service { 'amavisd': |
|
4f59d2fcd521
Make sure that Amavis daemon is running so mail gets delivered after reboot!
IBBoard <dev@ibboard.co.uk>
parents:
85
diff
changeset
|
790 ensure => 'running', |
|
4f59d2fcd521
Make sure that Amavis daemon is running so mail gets delivered after reboot!
IBBoard <dev@ibboard.co.uk>
parents:
85
diff
changeset
|
791 enable => 'true', |
|
4f59d2fcd521
Make sure that Amavis daemon is running so mail gets delivered after reboot!
IBBoard <dev@ibboard.co.uk>
parents:
85
diff
changeset
|
792 } |
|
270
481acc395876
Mask "clamav@amavisd" service to save memory
IBBoard <dev@ibboard.co.uk>
parents:
268
diff
changeset
|
793 service { 'clamd@amavisd': |
|
481acc395876
Mask "clamav@amavisd" service to save memory
IBBoard <dev@ibboard.co.uk>
parents:
268
diff
changeset
|
794 ensure => 'stopped', |
|
481acc395876
Mask "clamav@amavisd" service to save memory
IBBoard <dev@ibboard.co.uk>
parents:
268
diff
changeset
|
795 enable=> 'mask', |
|
481acc395876
Mask "clamav@amavisd" service to save memory
IBBoard <dev@ibboard.co.uk>
parents:
268
diff
changeset
|
796 } |
| 85 | 797 file { '/etc/amavisd/amavisd.conf': |
| 798 ensure => present, | |
| 799 source => 'puppet:///private/postfix/amavisd.conf', | |
| 800 tag => 'av', | |
| 801 } | |
|
163
4e53d77fa586
Manage SpamAssassin local config
IBBoard <dev@ibboard.co.uk>
parents:
162
diff
changeset
|
802 file { '/etc/mail/spamassassin/local.cf': |
|
4e53d77fa586
Manage SpamAssassin local config
IBBoard <dev@ibboard.co.uk>
parents:
162
diff
changeset
|
803 ensure => present, |
|
4e53d77fa586
Manage SpamAssassin local config
IBBoard <dev@ibboard.co.uk>
parents:
162
diff
changeset
|
804 source => 'puppet:///private/postfix/spamassassin-local.cf', |
|
4e53d77fa586
Manage SpamAssassin local config
IBBoard <dev@ibboard.co.uk>
parents:
162
diff
changeset
|
805 tag => 'av', |
|
4e53d77fa586
Manage SpamAssassin local config
IBBoard <dev@ibboard.co.uk>
parents:
162
diff
changeset
|
806 } |
|
142
dae1088dd218
Add OLE detection to SpamAssassin without ClamAV
IBBoard <dev@ibboard.co.uk>
parents:
141
diff
changeset
|
807 file { '/etc/mail/spamassassin/ole2macro.cf': |
|
dae1088dd218
Add OLE detection to SpamAssassin without ClamAV
IBBoard <dev@ibboard.co.uk>
parents:
141
diff
changeset
|
808 ensure => present, |
|
dae1088dd218
Add OLE detection to SpamAssassin without ClamAV
IBBoard <dev@ibboard.co.uk>
parents:
141
diff
changeset
|
809 source => 'puppet:///common/ole2macro.cf', |
|
dae1088dd218
Add OLE detection to SpamAssassin without ClamAV
IBBoard <dev@ibboard.co.uk>
parents:
141
diff
changeset
|
810 tag => 'av', |
|
dae1088dd218
Add OLE detection to SpamAssassin without ClamAV
IBBoard <dev@ibboard.co.uk>
parents:
141
diff
changeset
|
811 } |
|
dae1088dd218
Add OLE detection to SpamAssassin without ClamAV
IBBoard <dev@ibboard.co.uk>
parents:
141
diff
changeset
|
812 file { '/etc/mail/spamassassin/ole2macro.pm': |
|
dae1088dd218
Add OLE detection to SpamAssassin without ClamAV
IBBoard <dev@ibboard.co.uk>
parents:
141
diff
changeset
|
813 ensure => present, |
|
dae1088dd218
Add OLE detection to SpamAssassin without ClamAV
IBBoard <dev@ibboard.co.uk>
parents:
141
diff
changeset
|
814 source => 'puppet:///common/spamassassin-vba-macro-master/ole2macro.pm', |
|
dae1088dd218
Add OLE detection to SpamAssassin without ClamAV
IBBoard <dev@ibboard.co.uk>
parents:
141
diff
changeset
|
815 tag => 'av', |
|
dae1088dd218
Add OLE detection to SpamAssassin without ClamAV
IBBoard <dev@ibboard.co.uk>
parents:
141
diff
changeset
|
816 } |
| 85 | 817 Package<| tag == 'av' |> -> File<| tag == 'av' |> |
|
87
6be21a984126
Make sure that config file changes for changes trigger a reload
IBBoard <dev@ibboard.co.uk>
parents:
86
diff
changeset
|
818 File<| tag == 'av' |> { |
|
6be21a984126
Make sure that config file changes for changes trigger a reload
IBBoard <dev@ibboard.co.uk>
parents:
86
diff
changeset
|
819 notify => Service['amavisd'], |
|
6be21a984126
Make sure that config file changes for changes trigger a reload
IBBoard <dev@ibboard.co.uk>
parents:
86
diff
changeset
|
820 } |
|
125
ca711ab45f17
Schedule Postwhite to run regularly
IBBoard <dev@ibboard.co.uk>
parents:
122
diff
changeset
|
821 cron { 'Postwhite': |
|
129
16a931df5fd7
Filter what we see in Postwhite cron output
IBBoard <dev@ibboard.co.uk>
parents:
128
diff
changeset
|
822 command => "/usr/local/bin/postwhite 2>&1| grep -vE '^(Starting|Recursively|Getting|Querying|Removing|Sorting|$)'", |
|
125
ca711ab45f17
Schedule Postwhite to run regularly
IBBoard <dev@ibboard.co.uk>
parents:
122
diff
changeset
|
823 user => 'root', |
|
ca711ab45f17
Schedule Postwhite to run regularly
IBBoard <dev@ibboard.co.uk>
parents:
122
diff
changeset
|
824 weekday => 0, |
|
128
379089631403
Fix rookie cron mistake - don't run Postwhite EVERY MINUTE!
IBBoard <dev@ibboard.co.uk>
parents:
126
diff
changeset
|
825 hour => 2, |
|
379089631403
Fix rookie cron mistake - don't run Postwhite EVERY MINUTE!
IBBoard <dev@ibboard.co.uk>
parents:
126
diff
changeset
|
826 minute => 0, |
|
125
ca711ab45f17
Schedule Postwhite to run regularly
IBBoard <dev@ibboard.co.uk>
parents:
122
diff
changeset
|
827 } |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
828 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
829 |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
830 class cronjobs { |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
831 # Add Mutt for scripts that send emails, but stop it clogging the disk by keeping copies of emails |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
832 package { 'mutt': |
|
131
0dd899a10ee1
Change all "latest" packages to "installed"
IBBoard <dev@ibboard.co.uk>
parents:
129
diff
changeset
|
833 ensure => installed, |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
834 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
835 file { '/etc/Muttrc.local': |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
836 content => 'set copy = no', |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
837 require => Package['mutt'], |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
838 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
839 |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
840 # General server-wide cron jobs |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
841 Cron { user => 'root' } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
842 cron { 'backupalldbs': |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
843 command => "/usr/local/bin/backupalldbs", |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
844 monthday => "*/2", |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
845 hour => "4", |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
846 minute => "9" |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
847 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
848 cron { 'greatfirewallofchina': |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
849 command => '/usr/local/bin/update-great-firewall-of-china', |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
850 hour => 3, |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
851 minute => 30 |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
852 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
853 cron { 'permissions': |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
854 command => '/usr/local/bin/set-permissions', |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
855 hour => 3, |
|
14
534e584f21ce
Tweak time on permission setting script so that it is less likely to clash with LoadAVG run every 6 minutes
IBBoard <dev@ibboard.co.uk>
parents:
13
diff
changeset
|
856 minute => 2 |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
857 } |
|
55
ce8eaaca6a34
Update firewalling so that we block the right ports when using iptables directly
IBBoard <dev@ibboard.co.uk>
parents:
54
diff
changeset
|
858 # Since we're only managing the local server, use our script that wraps "puppet apply" instead of PuppetMaster |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
859 cron { 'puppet': |
|
268
9f054191b9db
Filter new log line from puppet-apply output
IBBoard <dev@ibboard.co.uk>
parents:
267
diff
changeset
|
860 command => '/usr/local/bin/puppet-apply | grep -v "Compiled catalog for\|Finished catalog run in\|Applied catalog in"', |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
861 hour => '*/6', |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
862 minute => 5 |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
863 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
864 cron { 'purgecaches': |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
865 command => "/usr/local/bin/purge-caches", |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
866 hour => '4', |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
867 minute => '15', |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
868 weekday => '1', |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
869 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
870 # Notify of uncommitted files |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
871 cron { 'check-mercurial-committed': |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
872 command => "/usr/local/bin/check-hg-status", |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
873 hour => '4', |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
874 minute => '20', |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
875 weekday => '0-6/3', #Sunday, Wednesday and Saturday morning |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
876 } |
|
93
74678cd7a200
Run cron job to notify of available updates
IBBoard <dev@ibboard.co.uk>
parents:
91
diff
changeset
|
877 # Notify of available updates |
|
74678cd7a200
Run cron job to notify of available updates
IBBoard <dev@ibboard.co.uk>
parents:
91
diff
changeset
|
878 cron { 'check-yum-updates': |
|
255
d4b2bdfe47a6
Fix Yum update check to handle hyphenated aliases
IBBoard <dev@ibboard.co.uk>
parents:
242
diff
changeset
|
879 command => '/usr/bin/yum check-updates | tail -2 | grep -Ev "^ \* [[:alnum:]-]+: [[:alnum:]\.]+$"', |
|
93
74678cd7a200
Run cron job to notify of available updates
IBBoard <dev@ibboard.co.uk>
parents:
91
diff
changeset
|
880 hour => '4', |
|
74678cd7a200
Run cron job to notify of available updates
IBBoard <dev@ibboard.co.uk>
parents:
91
diff
changeset
|
881 minute => '30', |
|
74678cd7a200
Run cron job to notify of available updates
IBBoard <dev@ibboard.co.uk>
parents:
91
diff
changeset
|
882 weekday => '0-6/3', #Sunday, Wednesday and Saturday morning |
|
74678cd7a200
Run cron job to notify of available updates
IBBoard <dev@ibboard.co.uk>
parents:
91
diff
changeset
|
883 } |
|
97
b69e3f6708d6
Add another regular command to check that we've not got services requiring a restart
IBBoard <dev@ibboard.co.uk>
parents:
96
diff
changeset
|
884 # And check whether anything needs restarting |
|
b69e3f6708d6
Add another regular command to check that we've not got services requiring a restart
IBBoard <dev@ibboard.co.uk>
parents:
96
diff
changeset
|
885 cron { 'check-needs-restarting': |
|
b69e3f6708d6
Add another regular command to check that we've not got services requiring a restart
IBBoard <dev@ibboard.co.uk>
parents:
96
diff
changeset
|
886 command => '/usr/bin/needs-restarting|grep -v "/usr/lib/systemd\|/usr/sbin/lvmetad\|/usr/lib/polkit-1/polkitd"', |
|
b69e3f6708d6
Add another regular command to check that we've not got services requiring a restart
IBBoard <dev@ibboard.co.uk>
parents:
96
diff
changeset
|
887 hour => '4', |
|
b69e3f6708d6
Add another regular command to check that we've not got services requiring a restart
IBBoard <dev@ibboard.co.uk>
parents:
96
diff
changeset
|
888 minute => '45', |
|
b69e3f6708d6
Add another regular command to check that we've not got services requiring a restart
IBBoard <dev@ibboard.co.uk>
parents:
96
diff
changeset
|
889 weekday => '0-6/3', #Sunday, Wednesday and Saturday morning |
|
b69e3f6708d6
Add another regular command to check that we've not got services requiring a restart
IBBoard <dev@ibboard.co.uk>
parents:
96
diff
changeset
|
890 } |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
891 } |