Mercurial > repos > other > Puppet
annotate manifests/templates.pp @ 335:aa9f570d6a9c
Switch to PHP 7.4 now that NextCloud has reached v18
7.3 only lasted until December 2020 with active support.
7.4 is good until December 2021 with security until 2022.
| author | IBBoard <dev@ibboard.co.uk> |
|---|---|
| date | Sun, 22 Mar 2020 19:41:50 +0000 |
| parents | ee4760967d2f |
| children | 445aaaf228cc |
| rev | line source |
|---|---|
|
32
6bbc86f6cee5
Tidy up ordering and dependencies (including making sure we have a necessary file for Fail2Ban to start)
IBBoard <dev@ibboard.co.uk>
parents:
25
diff
changeset
|
1 # Make sure packages come after their repos |
| 258 | 2 File<| tag == 'repo-config' |> -> YumRepo<| |> -> Package<| |> |
|
32
6bbc86f6cee5
Tidy up ordering and dependencies (including making sure we have a necessary file for Fail2Ban to start)
IBBoard <dev@ibboard.co.uk>
parents:
25
diff
changeset
|
3 |
|
6bbc86f6cee5
Tidy up ordering and dependencies (including making sure we have a necessary file for Fail2Ban to start)
IBBoard <dev@ibboard.co.uk>
parents:
25
diff
changeset
|
4 # Make sure all files are in place before starting services |
| 298 | 5 # FIXME: Title matches are to fix a dependency cycle |
| 6 File<| tag != 'post-service' and title != '/etc/sysconfig/ip6tables' and title != '/etc/sysconfig/iptables' |> -> Service<| |> | |
| 246 | 7 |
| 8 # Set some shortcut variables | |
| 9 #$os = $operatingsystem | |
|
249
e9323ff8f451
Make EPEL work on multiple versions of CentOS
IBBoard <dev@ibboard.co.uk>
parents:
247
diff
changeset
|
10 $osver = $operatingsystemmajrelease |
| 246 | 11 $server = '' |
|
32
6bbc86f6cee5
Tidy up ordering and dependencies (including making sure we have a necessary file for Fail2Ban to start)
IBBoard <dev@ibboard.co.uk>
parents:
25
diff
changeset
|
12 |
|
6bbc86f6cee5
Tidy up ordering and dependencies (including making sure we have a necessary file for Fail2Ban to start)
IBBoard <dev@ibboard.co.uk>
parents:
25
diff
changeset
|
13 |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
14 class basenode { |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
15 include sudo |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
16 |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
17 include defaultusers |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
18 include logwatch |
|
24
204330fea19a
Use MariaDB on CentOS7 and manage hiera.yaml (to avoid warnings)
IBBoard <dev@ibboard.co.uk>
parents:
18
diff
changeset
|
19 |
|
204330fea19a
Use MariaDB on CentOS7 and manage hiera.yaml (to avoid warnings)
IBBoard <dev@ibboard.co.uk>
parents:
18
diff
changeset
|
20 file { '/etc/puppet/hiera.yaml': |
|
204330fea19a
Use MariaDB on CentOS7 and manage hiera.yaml (to avoid warnings)
IBBoard <dev@ibboard.co.uk>
parents:
18
diff
changeset
|
21 ensure => present, |
| 264 | 22 content => " |
| 23 # Let the system set defaults | |
| 24 version: 5 | |
| 25 ", | |
|
24
204330fea19a
Use MariaDB on CentOS7 and manage hiera.yaml (to avoid warnings)
IBBoard <dev@ibboard.co.uk>
parents:
18
diff
changeset
|
26 } |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
27 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
28 |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
29 class basevpsnode ( |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
30 $primary_ip, |
|
284
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
31 $proxy_4to6_ip_prefix = undef, |
| 279 | 32 $proxy_upstream = undef, |
| 326 | 33 $nat64_ranges = [], |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
34 $mailserver, |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
35 $imapserver, |
| 326 | 36 $mailrelays = [], |
|
35
1bb941522ebf
Handle differences in firewalling between ASO (using APF) and most other hosts (using iptables)
IBBoard <dev@ibboard.co.uk>
parents:
32
diff
changeset
|
37 $firewall_cmd = 'iptables', |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
38 ) { |
|
44
546dfa011f58
Remove "puppet" host name because we don't need it
IBBoard <dev@ibboard.co.uk>
parents:
18
diff
changeset
|
39 |
|
40
222904296578
Add firewall handling when we run without APF
IBBoard <dev@ibboard.co.uk>
parents:
38
diff
changeset
|
40 if $firewall_cmd == 'iptables' { |
| 279 | 41 class { 'vpsfirewall': |
| 42 fw_protocol => $primary_ip =~ Stdlib::IP::Address::V6 ? { true => 'IPv6', default => 'IPv4'}, | |
| 43 } | |
|
40
222904296578
Add firewall handling when we run without APF
IBBoard <dev@ibboard.co.uk>
parents:
38
diff
changeset
|
44 } |
|
222904296578
Add firewall handling when we run without APF
IBBoard <dev@ibboard.co.uk>
parents:
38
diff
changeset
|
45 |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
46 #VPS is a self-mastered Puppet machine, so bodge a Hosts file |
| 302 | 47 if $primary_ip =~ Stdlib::IP::Address::V6 { |
| 48 $lo_ip = '::1' | |
| 49 } else { | |
| 50 $lo_ip = '127.0.0.1' | |
| 51 } | |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
52 file { '/etc/hosts': |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
53 ensure => present, |
| 302 | 54 content => "${lo_ip} localhost\n${primary_ip} ${fqdn}", |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
55 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
56 |
|
313
49e66019faf7
Configure Postfix for IPv6 w/proxy
IBBoard <dev@ibboard.co.uk>
parents:
311
diff
changeset
|
57 if $proxy_4to6_ip_prefix != undef { |
|
49e66019faf7
Configure Postfix for IPv6 w/proxy
IBBoard <dev@ibboard.co.uk>
parents:
311
diff
changeset
|
58 # …:1 to …:9 for websites, …:10 for mail |
|
49e66019faf7
Configure Postfix for IPv6 w/proxy
IBBoard <dev@ibboard.co.uk>
parents:
311
diff
changeset
|
59 $ipv6_addresses = Integer[1, 10].map |$octet| { "$proxy_4to6_ip_prefix:$octet" } |
|
49e66019faf7
Configure Postfix for IPv6 w/proxy
IBBoard <dev@ibboard.co.uk>
parents:
311
diff
changeset
|
60 |
|
49e66019faf7
Configure Postfix for IPv6 w/proxy
IBBoard <dev@ibboard.co.uk>
parents:
311
diff
changeset
|
61 $ipv6_secondaries = join($ipv6_addresses, " ") |
|
49e66019faf7
Configure Postfix for IPv6 w/proxy
IBBoard <dev@ibboard.co.uk>
parents:
311
diff
changeset
|
62 |
|
49e66019faf7
Configure Postfix for IPv6 w/proxy
IBBoard <dev@ibboard.co.uk>
parents:
311
diff
changeset
|
63 augeas {'IPv6 secondary addresses': |
|
49e66019faf7
Configure Postfix for IPv6 w/proxy
IBBoard <dev@ibboard.co.uk>
parents:
311
diff
changeset
|
64 context => "/files/etc/sysconfig/network-scripts/ifcfg-eth0", |
|
49e66019faf7
Configure Postfix for IPv6 w/proxy
IBBoard <dev@ibboard.co.uk>
parents:
311
diff
changeset
|
65 changes => "set IPV6ADDR_SECONDARIES '\"$ipv6_secondaries\"'", |
|
49e66019faf7
Configure Postfix for IPv6 w/proxy
IBBoard <dev@ibboard.co.uk>
parents:
311
diff
changeset
|
66 } |
|
49e66019faf7
Configure Postfix for IPv6 w/proxy
IBBoard <dev@ibboard.co.uk>
parents:
311
diff
changeset
|
67 } |
|
49e66019faf7
Configure Postfix for IPv6 w/proxy
IBBoard <dev@ibboard.co.uk>
parents:
311
diff
changeset
|
68 |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
69 require repos |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
70 include basenode |
| 246 | 71 include privat |
|
100
fd3446c3b7b9
Set up a recursive localhost-only Bind server (assuming RH's safe and sane default configs)
IBBoard <dev@ibboard.co.uk>
parents:
99
diff
changeset
|
72 include dnsresolver |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
73 include ssh::server |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
74 include vcs::server |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
75 include vcs::client |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
76 class { 'webserver': |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
77 primary_ip => $primary_ip, |
|
284
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
78 proxy_4to6_ip_prefix => $proxy_4to6_ip_prefix, |
|
313
49e66019faf7
Configure Postfix for IPv6 w/proxy
IBBoard <dev@ibboard.co.uk>
parents:
311
diff
changeset
|
79 proxy_4to6_mask => 124, |
| 279 | 80 proxy_upstream => $proxy_upstream, |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
81 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
82 include cronjobs |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
83 include logrotate |
|
35
1bb941522ebf
Handle differences in firewalling between ASO (using APF) and most other hosts (using iptables)
IBBoard <dev@ibboard.co.uk>
parents:
32
diff
changeset
|
84 class { 'fail2ban': |
|
1bb941522ebf
Handle differences in firewalling between ASO (using APF) and most other hosts (using iptables)
IBBoard <dev@ibboard.co.uk>
parents:
32
diff
changeset
|
85 firewall_cmd => $firewall_cmd, |
|
1bb941522ebf
Handle differences in firewalling between ASO (using APF) and most other hosts (using iptables)
IBBoard <dev@ibboard.co.uk>
parents:
32
diff
changeset
|
86 } |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
87 include tools |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
88 class { 'email': |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
89 mailserver => $mailserver, |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
90 imapserver => $imapserver, |
|
311
51d3748f8112
Configure Dovecot (IMAP) for PROXY protocol use
IBBoard <dev@ibboard.co.uk>
parents:
310
diff
changeset
|
91 mailserver_ip => $primary_ip, |
|
313
49e66019faf7
Configure Postfix for IPv6 w/proxy
IBBoard <dev@ibboard.co.uk>
parents:
311
diff
changeset
|
92 proxy_ip => $proxy_4to6_ip_prefix != undef ? { true => "${proxy_4to6_ip_prefix}:10", default => undef }, |
|
311
51d3748f8112
Configure Dovecot (IMAP) for PROXY protocol use
IBBoard <dev@ibboard.co.uk>
parents:
310
diff
changeset
|
93 proxy_upstream => $proxy_upstream, |
| 326 | 94 nat64_ranges => $nat64_ranges, |
| 95 mailrelays => $mailrelays, | |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
96 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
97 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
98 |
|
100
fd3446c3b7b9
Set up a recursive localhost-only Bind server (assuming RH's safe and sane default configs)
IBBoard <dev@ibboard.co.uk>
parents:
99
diff
changeset
|
99 ## Classes to allow facet behaviour using preconfigured setups of classes |
|
fd3446c3b7b9
Set up a recursive localhost-only Bind server (assuming RH's safe and sane default configs)
IBBoard <dev@ibboard.co.uk>
parents:
99
diff
changeset
|
100 |
| 279 | 101 class vpsfirewall ($fw_protocol) { |
|
40
222904296578
Add firewall handling when we run without APF
IBBoard <dev@ibboard.co.uk>
parents:
38
diff
changeset
|
102 resources { "firewall": |
|
222904296578
Add firewall handling when we run without APF
IBBoard <dev@ibboard.co.uk>
parents:
38
diff
changeset
|
103 purge => false, |
|
222904296578
Add firewall handling when we run without APF
IBBoard <dev@ibboard.co.uk>
parents:
38
diff
changeset
|
104 } |
| 279 | 105 class { "my_fw": |
| 106 ip_version => $fw_protocol, | |
| 107 } | |
| 108 # Control what does and doesn't get pruned in the main filter chain | |
| 109 firewallchain { "INPUT:filter:$fw_protocol": | |
| 110 purge => true, | |
|
40
222904296578
Add firewall handling when we run without APF
IBBoard <dev@ibboard.co.uk>
parents:
38
diff
changeset
|
111 ignore => [ |
|
222904296578
Add firewall handling when we run without APF
IBBoard <dev@ibboard.co.uk>
parents:
38
diff
changeset
|
112 '-j f2b-[^ ]+$', |
|
222904296578
Add firewall handling when we run without APF
IBBoard <dev@ibboard.co.uk>
parents:
38
diff
changeset
|
113 '^(:|-A )f2b-', |
|
222904296578
Add firewall handling when we run without APF
IBBoard <dev@ibboard.co.uk>
parents:
38
diff
changeset
|
114 '--comment "Great Firewall of China"', |
|
222904296578
Add firewall handling when we run without APF
IBBoard <dev@ibboard.co.uk>
parents:
38
diff
changeset
|
115 '--comment "Do not purge', |
|
222904296578
Add firewall handling when we run without APF
IBBoard <dev@ibboard.co.uk>
parents:
38
diff
changeset
|
116 ], |
|
222904296578
Add firewall handling when we run without APF
IBBoard <dev@ibboard.co.uk>
parents:
38
diff
changeset
|
117 } |
| 279 | 118 if ($fw_protocol != "IPv6") { |
| 119 firewall { '010 Whitelist Googlebot': | |
| 120 source => '66.249.64.0/19', | |
| 121 dport => [80,443], | |
| 122 proto => tcp, | |
| 123 action => accept, | |
| 124 } | |
| 125 # Block a spammer hitting our contact forms (also on StopForumSpam list A LOT) | |
| 126 firewall { '099 Blacklist spammers 1': | |
| 127 source => '107.181.78.172', | |
| 128 dport => [80, 443], | |
| 129 proto => tcp, | |
| 130 action => 'reject', | |
| 131 } | |
| 132 firewall { '099 Blacklist IODC bot': | |
| 133 # IODC bot makes too many bad requests, and contact form is broken | |
| 134 # They don't publish a robots.txt name, so firewall it! | |
| 135 source => '86.153.145.149', | |
| 136 dport => [ 80, 443 ], | |
| 137 proto => tcp, | |
| 138 action => 'reject', | |
| 139 } | |
| 140 firewall { '099 Blacklist Baidu Brazil': | |
| 141 #Baidu got a Brazilian netblock and are hitting us hard | |
| 142 #Baidu doesn't honour "crawl-delay" in robots.txt | |
| 143 #Baidu gets firewalled | |
| 144 source => '131.161.8.0/22', | |
| 145 dport => [ 80, 443 ], | |
| 146 proto => tcp, | |
| 147 action => 'reject', | |
| 148 } | |
|
139
abaf384dc939
Block another annoying IP with a firewall rule
IBBoard <dev@ibboard.co.uk>
parents:
137
diff
changeset
|
149 } |
| 279 | 150 firewallchain { "GREATFIREWALLOFCHINA:filter:$fw_protocol": |
|
40
222904296578
Add firewall handling when we run without APF
IBBoard <dev@ibboard.co.uk>
parents:
38
diff
changeset
|
151 ensure => present, |
|
222904296578
Add firewall handling when we run without APF
IBBoard <dev@ibboard.co.uk>
parents:
38
diff
changeset
|
152 } |
|
222904296578
Add firewall handling when we run without APF
IBBoard <dev@ibboard.co.uk>
parents:
38
diff
changeset
|
153 firewall { '050 Check our Great Firewall Against China': |
|
222904296578
Add firewall handling when we run without APF
IBBoard <dev@ibboard.co.uk>
parents:
38
diff
changeset
|
154 chain => 'INPUT', |
|
222904296578
Add firewall handling when we run without APF
IBBoard <dev@ibboard.co.uk>
parents:
38
diff
changeset
|
155 jump => 'GREATFIREWALLOFCHINA', |
|
222904296578
Add firewall handling when we run without APF
IBBoard <dev@ibboard.co.uk>
parents:
38
diff
changeset
|
156 } |
| 279 | 157 firewallchain { "Fail2Ban:filter:$fw_protocol": |
|
64
3bb824dabaae
Make sure Fail2Ban rules are in right order (using separate chain) and whitelist Googlebot (which keeps hitting Script Kiddy targets for unknown reasons)
IBBoard <dev@ibboard.co.uk>
parents:
61
diff
changeset
|
158 ensure => present, |
|
3bb824dabaae
Make sure Fail2Ban rules are in right order (using separate chain) and whitelist Googlebot (which keeps hitting Script Kiddy targets for unknown reasons)
IBBoard <dev@ibboard.co.uk>
parents:
61
diff
changeset
|
159 } |
|
3bb824dabaae
Make sure Fail2Ban rules are in right order (using separate chain) and whitelist Googlebot (which keeps hitting Script Kiddy targets for unknown reasons)
IBBoard <dev@ibboard.co.uk>
parents:
61
diff
changeset
|
160 firewall { '060 Check Fail2Ban': |
|
3bb824dabaae
Make sure Fail2Ban rules are in right order (using separate chain) and whitelist Googlebot (which keeps hitting Script Kiddy targets for unknown reasons)
IBBoard <dev@ibboard.co.uk>
parents:
61
diff
changeset
|
161 chain => 'INPUT', |
|
3bb824dabaae
Make sure Fail2Ban rules are in right order (using separate chain) and whitelist Googlebot (which keeps hitting Script Kiddy targets for unknown reasons)
IBBoard <dev@ibboard.co.uk>
parents:
61
diff
changeset
|
162 jump => 'Fail2Ban', |
|
3bb824dabaae
Make sure Fail2Ban rules are in right order (using separate chain) and whitelist Googlebot (which keeps hitting Script Kiddy targets for unknown reasons)
IBBoard <dev@ibboard.co.uk>
parents:
61
diff
changeset
|
163 } |
|
40
222904296578
Add firewall handling when we run without APF
IBBoard <dev@ibboard.co.uk>
parents:
38
diff
changeset
|
164 } |
|
222904296578
Add firewall handling when we run without APF
IBBoard <dev@ibboard.co.uk>
parents:
38
diff
changeset
|
165 |
|
100
fd3446c3b7b9
Set up a recursive localhost-only Bind server (assuming RH's safe and sane default configs)
IBBoard <dev@ibboard.co.uk>
parents:
99
diff
changeset
|
166 class dnsresolver { |
|
290
1182a180085d
Swap from Bind to Named for light-weight DNS
IBBoard <dev@ibboard.co.uk>
parents:
268
diff
changeset
|
167 package { 'unbound': |
|
100
fd3446c3b7b9
Set up a recursive localhost-only Bind server (assuming RH's safe and sane default configs)
IBBoard <dev@ibboard.co.uk>
parents:
99
diff
changeset
|
168 ensure => present, |
|
fd3446c3b7b9
Set up a recursive localhost-only Bind server (assuming RH's safe and sane default configs)
IBBoard <dev@ibboard.co.uk>
parents:
99
diff
changeset
|
169 } |
|
290
1182a180085d
Swap from Bind to Named for light-weight DNS
IBBoard <dev@ibboard.co.uk>
parents:
268
diff
changeset
|
170 package { 'named': |
|
1182a180085d
Swap from Bind to Named for light-weight DNS
IBBoard <dev@ibboard.co.uk>
parents:
268
diff
changeset
|
171 ensure => absent, |
|
1182a180085d
Swap from Bind to Named for light-weight DNS
IBBoard <dev@ibboard.co.uk>
parents:
268
diff
changeset
|
172 } |
|
100
fd3446c3b7b9
Set up a recursive localhost-only Bind server (assuming RH's safe and sane default configs)
IBBoard <dev@ibboard.co.uk>
parents:
99
diff
changeset
|
173 |
|
fd3446c3b7b9
Set up a recursive localhost-only Bind server (assuming RH's safe and sane default configs)
IBBoard <dev@ibboard.co.uk>
parents:
99
diff
changeset
|
174 service { 'named': |
|
290
1182a180085d
Swap from Bind to Named for light-weight DNS
IBBoard <dev@ibboard.co.uk>
parents:
268
diff
changeset
|
175 ensure => stopped, |
|
1182a180085d
Swap from Bind to Named for light-weight DNS
IBBoard <dev@ibboard.co.uk>
parents:
268
diff
changeset
|
176 enable => false, |
|
1182a180085d
Swap from Bind to Named for light-weight DNS
IBBoard <dev@ibboard.co.uk>
parents:
268
diff
changeset
|
177 } |
|
1182a180085d
Swap from Bind to Named for light-weight DNS
IBBoard <dev@ibboard.co.uk>
parents:
268
diff
changeset
|
178 service { 'unbound': |
|
100
fd3446c3b7b9
Set up a recursive localhost-only Bind server (assuming RH's safe and sane default configs)
IBBoard <dev@ibboard.co.uk>
parents:
99
diff
changeset
|
179 ensure => running, |
|
fd3446c3b7b9
Set up a recursive localhost-only Bind server (assuming RH's safe and sane default configs)
IBBoard <dev@ibboard.co.uk>
parents:
99
diff
changeset
|
180 enable => true, |
|
194
a08de3153548
Add a named.conf file to control cache/memory size
IBBoard <dev@ibboard.co.uk>
parents:
193
diff
changeset
|
181 } |
|
a08de3153548
Add a named.conf file to control cache/memory size
IBBoard <dev@ibboard.co.uk>
parents:
193
diff
changeset
|
182 |
|
a08de3153548
Add a named.conf file to control cache/memory size
IBBoard <dev@ibboard.co.uk>
parents:
193
diff
changeset
|
183 file { '/etc/named.conf': |
|
290
1182a180085d
Swap from Bind to Named for light-weight DNS
IBBoard <dev@ibboard.co.uk>
parents:
268
diff
changeset
|
184 ensure => absent, |
|
1182a180085d
Swap from Bind to Named for light-weight DNS
IBBoard <dev@ibboard.co.uk>
parents:
268
diff
changeset
|
185 } |
|
1182a180085d
Swap from Bind to Named for light-weight DNS
IBBoard <dev@ibboard.co.uk>
parents:
268
diff
changeset
|
186 file { '/etc/unbound/unbound.conf': |
|
194
a08de3153548
Add a named.conf file to control cache/memory size
IBBoard <dev@ibboard.co.uk>
parents:
193
diff
changeset
|
187 ensure => present, |
| 247 | 188 source => [ |
|
290
1182a180085d
Swap from Bind to Named for light-weight DNS
IBBoard <dev@ibboard.co.uk>
parents:
268
diff
changeset
|
189 "puppet:///common/unbound.conf-${::hostname}", |
|
1182a180085d
Swap from Bind to Named for light-weight DNS
IBBoard <dev@ibboard.co.uk>
parents:
268
diff
changeset
|
190 "puppet:///common/unbound.conf", |
| 247 | 191 ], |
|
194
a08de3153548
Add a named.conf file to control cache/memory size
IBBoard <dev@ibboard.co.uk>
parents:
193
diff
changeset
|
192 group => 'named', |
|
290
1182a180085d
Swap from Bind to Named for light-weight DNS
IBBoard <dev@ibboard.co.uk>
parents:
268
diff
changeset
|
193 require => Package['unbound'], |
|
1182a180085d
Swap from Bind to Named for light-weight DNS
IBBoard <dev@ibboard.co.uk>
parents:
268
diff
changeset
|
194 notify => Service['unbound'], |
|
100
fd3446c3b7b9
Set up a recursive localhost-only Bind server (assuming RH's safe and sane default configs)
IBBoard <dev@ibboard.co.uk>
parents:
99
diff
changeset
|
195 } |
|
fd3446c3b7b9
Set up a recursive localhost-only Bind server (assuming RH's safe and sane default configs)
IBBoard <dev@ibboard.co.uk>
parents:
99
diff
changeset
|
196 |
|
fd3446c3b7b9
Set up a recursive localhost-only Bind server (assuming RH's safe and sane default configs)
IBBoard <dev@ibboard.co.uk>
parents:
99
diff
changeset
|
197 file { '/etc/NetworkManager/conf.d/local-dns-resolver.conf': |
|
fd3446c3b7b9
Set up a recursive localhost-only Bind server (assuming RH's safe and sane default configs)
IBBoard <dev@ibboard.co.uk>
parents:
99
diff
changeset
|
198 ensure => present, |
|
fd3446c3b7b9
Set up a recursive localhost-only Bind server (assuming RH's safe and sane default configs)
IBBoard <dev@ibboard.co.uk>
parents:
99
diff
changeset
|
199 content => "[main] |
|
fd3446c3b7b9
Set up a recursive localhost-only Bind server (assuming RH's safe and sane default configs)
IBBoard <dev@ibboard.co.uk>
parents:
99
diff
changeset
|
200 dns=none", |
|
fd3446c3b7b9
Set up a recursive localhost-only Bind server (assuming RH's safe and sane default configs)
IBBoard <dev@ibboard.co.uk>
parents:
99
diff
changeset
|
201 } |
|
fd3446c3b7b9
Set up a recursive localhost-only Bind server (assuming RH's safe and sane default configs)
IBBoard <dev@ibboard.co.uk>
parents:
99
diff
changeset
|
202 |
|
101
a48b6011a084
Stop Bind trying IPv6, as we only have a link-local IP
IBBoard <dev@ibboard.co.uk>
parents:
100
diff
changeset
|
203 file { '/etc/sysconfig/named': |
|
290
1182a180085d
Swap from Bind to Named for light-weight DNS
IBBoard <dev@ibboard.co.uk>
parents:
268
diff
changeset
|
204 ensure => absent, |
|
101
a48b6011a084
Stop Bind trying IPv6, as we only have a link-local IP
IBBoard <dev@ibboard.co.uk>
parents:
100
diff
changeset
|
205 } |
|
100
fd3446c3b7b9
Set up a recursive localhost-only Bind server (assuming RH's safe and sane default configs)
IBBoard <dev@ibboard.co.uk>
parents:
99
diff
changeset
|
206 file { '/etc/resolv.conf': |
|
fd3446c3b7b9
Set up a recursive localhost-only Bind server (assuming RH's safe and sane default configs)
IBBoard <dev@ibboard.co.uk>
parents:
99
diff
changeset
|
207 ensure => present, |
|
301
1bfc290270cc
Fix sa-update by using IPv6 for local DNS cache
IBBoard <dev@ibboard.co.uk>
parents:
298
diff
changeset
|
208 # "ipaddress" key only exists for machines with IPv4 addresses |
|
1bfc290270cc
Fix sa-update by using IPv6 for local DNS cache
IBBoard <dev@ibboard.co.uk>
parents:
298
diff
changeset
|
209 content => has_key($facts, 'ipaddress') ? { true => "nameserver 127.0.0.1", default => "nameserver ::1" }, |
|
290
1182a180085d
Swap from Bind to Named for light-weight DNS
IBBoard <dev@ibboard.co.uk>
parents:
268
diff
changeset
|
210 require => Service['unbound'], |
| 246 | 211 tag => 'post-service', |
|
100
fd3446c3b7b9
Set up a recursive localhost-only Bind server (assuming RH's safe and sane default configs)
IBBoard <dev@ibboard.co.uk>
parents:
99
diff
changeset
|
212 } |
|
fd3446c3b7b9
Set up a recursive localhost-only Bind server (assuming RH's safe and sane default configs)
IBBoard <dev@ibboard.co.uk>
parents:
99
diff
changeset
|
213 } |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
214 |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
215 class repos { |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
216 yumrepo { 'epel': |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
217 mirrorlist => 'https://mirrors.fedoraproject.org/metalink?repo=epel-$releasever&arch=$basearch', |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
218 descr => "Extra Packages for Enterprise Linux", |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
219 enabled => 1, |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
220 failovermethod => 'priority', |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
221 gpgcheck => 1, |
|
249
e9323ff8f451
Make EPEL work on multiple versions of CentOS
IBBoard <dev@ibboard.co.uk>
parents:
247
diff
changeset
|
222 gpgkey => "file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-$osver", |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
223 } |
|
249
e9323ff8f451
Make EPEL work on multiple versions of CentOS
IBBoard <dev@ibboard.co.uk>
parents:
247
diff
changeset
|
224 file { "/etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-$osver": |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
225 ensure => present, |
| 258 | 226 source => "puppet:///common/RPM-GPG-KEY-EPEL-$osver", |
| 227 tag => 'repo-config', | |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
228 } |
| 258 | 229 yumrepo { 'ibboard': |
| 230 baseurl => 'https://download.opensuse.org/repositories/home:/IBBoard:/server/CentOS_$releasever/', | |
| 231 descr => 'Extra packages from IBBoard', | |
| 232 enabled => 1, | |
| 233 gpgcheck => 1, | |
| 234 gpgkey => 'file:///etc/pki/rpm-gpg/RPM-GPG-KEY-ibboard', | |
| 235 } | |
| 236 file { '/etc/pki/rpm-gpg/RPM-GPG-KEY-ibboard': | |
| 237 ensure => present, | |
| 238 source => 'puppet:///common/RPM-GPG-KEY-ibboard', | |
| 239 tag => 'repo-config', | |
|
160
0d829df9cd39
Make the IBBoard repo config go away, rather than just leaving it undefined
IBBoard <dev@ibboard.co.uk>
parents:
159
diff
changeset
|
240 } |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
241 yumrepo { 'webtatic': |
| 238 | 242 ensure => absent, |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
243 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
244 file { '/etc/pki/rpm-gpg/RPM-GPG-KEY-webtatic-andy': |
| 108 | 245 ensure => absent, |
| 246 } | |
| 247 file { '/etc/pki/rpm-gpg/RPM-GPG-KEY-webtatic-el7': | |
| 238 | 248 ensure => absent, |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
249 } |
| 148 | 250 |
|
272
c42fb28cff86
Update to a newer Python module
IBBoard <dev@ibboard.co.uk>
parents:
271
diff
changeset
|
251 if $operatingsystem == 'CentOS' and versioncmp($operatingsystemrelease, '8') >= 0 { |
|
c42fb28cff86
Update to a newer Python module
IBBoard <dev@ibboard.co.uk>
parents:
271
diff
changeset
|
252 $python_ver = 'python3' |
|
c42fb28cff86
Update to a newer Python module
IBBoard <dev@ibboard.co.uk>
parents:
271
diff
changeset
|
253 } else { |
|
c42fb28cff86
Update to a newer Python module
IBBoard <dev@ibboard.co.uk>
parents:
271
diff
changeset
|
254 $python_ver = 'system' |
| 148 | 255 } |
|
272
c42fb28cff86
Update to a newer Python module
IBBoard <dev@ibboard.co.uk>
parents:
271
diff
changeset
|
256 |
|
c42fb28cff86
Update to a newer Python module
IBBoard <dev@ibboard.co.uk>
parents:
271
diff
changeset
|
257 class { 'python': |
|
c42fb28cff86
Update to a newer Python module
IBBoard <dev@ibboard.co.uk>
parents:
271
diff
changeset
|
258 ensure => 'present', |
|
c42fb28cff86
Update to a newer Python module
IBBoard <dev@ibboard.co.uk>
parents:
271
diff
changeset
|
259 version => $python_ver, |
|
c42fb28cff86
Update to a newer Python module
IBBoard <dev@ibboard.co.uk>
parents:
271
diff
changeset
|
260 pip => 'present', |
|
c42fb28cff86
Update to a newer Python module
IBBoard <dev@ibboard.co.uk>
parents:
271
diff
changeset
|
261 virtualenv => 'present', |
|
c42fb28cff86
Update to a newer Python module
IBBoard <dev@ibboard.co.uk>
parents:
271
diff
changeset
|
262 use_epel => false, |
|
c42fb28cff86
Update to a newer Python module
IBBoard <dev@ibboard.co.uk>
parents:
271
diff
changeset
|
263 } |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
264 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
265 |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
266 class tools { |
|
330
0cccb75d7639
Add rsync to tools so that backups work
IBBoard <dev@ibboard.co.uk>
parents:
326
diff
changeset
|
267 $packages = [ 'sqlite', 'bash-completion', 'nano', 'bzip2', 'mlocate', 'patch', 'tmux', 'wget', 'yum-utils', 'rsync' ] |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
268 package { $packages: |
|
131
0dd899a10ee1
Change all "latest" packages to "installed"
IBBoard <dev@ibboard.co.uk>
parents:
129
diff
changeset
|
269 ensure => installed; |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
270 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
271 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
272 |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
273 class logrotate { |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
274 package { 'logrotate': |
|
131
0dd899a10ee1
Change all "latest" packages to "installed"
IBBoard <dev@ibboard.co.uk>
parents:
129
diff
changeset
|
275 ensure => installed; |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
276 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
277 file { '/etc/logrotate.d/httpd': |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
278 ensure => present, |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
279 source => 'puppet:///common/logrotate-httpd', |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
280 require => Package['logrotate'], |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
281 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
282 file { '/etc/logrotate.d/trac': |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
283 ensure => present, |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
284 source => 'puppet:///common/logrotate-trac', |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
285 require => Package['logrotate'], |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
286 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
287 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
288 |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
289 class logwatch { |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
290 package { 'logwatch': |
|
131
0dd899a10ee1
Change all "latest" packages to "installed"
IBBoard <dev@ibboard.co.uk>
parents:
129
diff
changeset
|
291 ensure => installed; |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
292 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
293 File { |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
294 ensure => present, |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
295 require => Package['logwatch'], |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
296 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
297 file { '/etc/cron.daily/0logwatch': |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
298 source => 'puppet:///common/0logwatch'; |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
299 } |
| 332 | 300 $logwatch_dirs = [ |
| 301 '/etc/logwatch/', | |
| 302 '/etc/logwatch/conf/', | |
| 303 '/etc/logwatch/conf/logfiles/', | |
| 304 '/etc/logwatch/conf/services/', | |
| 305 ] | |
| 306 file { $logwatch_dirs: | |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
307 ensure => directory, |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
308 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
309 file { '/etc/logwatch/conf/logwatch.conf': |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
310 content => 'Detail = Med', |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
311 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
312 file { '/etc/logwatch/conf/logfiles/http.conf': |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
313 content => 'LogFile = apache/access_*.log', |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
314 } |
| 332 | 315 file { '/etc/logwatch/conf/logfiles/http-error.conf': |
| 316 source => 'puppet:///common/logwatch/logfiles_http-error.conf', | |
|
126
8316d4e55e92
Fix Apache 2.4 Logwatch support
IBBoard <dev@ibboard.co.uk>
parents:
125
diff
changeset
|
317 } |
| 332 | 318 file { '/etc/logwatch/conf/logfiles/mysql.conf': |
| 319 source => 'puppet:///common/logwatch/logfiles_mysql.conf', | |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
320 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
321 file { '/etc/logwatch/conf/logfiles/php.conf': |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
322 source => 'puppet:///common/logwatch/logfiles_php.conf', |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
323 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
324 file { '/etc/logwatch/conf/services/php.conf': |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
325 source => 'puppet:///common/logwatch/services_php.conf', |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
326 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
327 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
328 |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
329 #Our web server with our configs, not just a stock one |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
330 class webserver ( |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
331 $primary_ip, |
|
284
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
332 $proxy_4to6_ip_prefix = undef, |
|
313
49e66019faf7
Configure Postfix for IPv6 w/proxy
IBBoard <dev@ibboard.co.uk>
parents:
311
diff
changeset
|
333 $proxy_4to6_mask = undef, |
| 279 | 334 $proxy_upstream = undef, |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
335 ) { |
|
284
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
336 |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
337 #Setup base website parameters |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
338 class { 'website': |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
339 base_dir => '/srv/sites', |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
340 primary_ip => $primary_ip, |
|
284
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
341 proxy_4to6_ip_prefix => $proxy_4to6_ip_prefix, |
|
313
49e66019faf7
Configure Postfix for IPv6 w/proxy
IBBoard <dev@ibboard.co.uk>
parents:
311
diff
changeset
|
342 proxy_4to6_mask => $proxy_4to6_mask, |
| 279 | 343 proxy_upstream => $proxy_upstream, |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
344 default_owner => $defaultusers::default_user, |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
345 default_group => $defaultusers::default_user, |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
346 default_tld => 'co.uk', |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
347 default_extra_tlds => [ 'com' ], |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
348 } |
| 110 | 349 |
| 238 | 350 $php_suffix = '' |
| 247 | 351 if $operatingsystem == 'CentOS' and versioncmp($operatingsystemrelease, '8') >= 0 { |
| 352 yumrepo { 'remirepo-safe': | |
| 353 mirrorlist => 'http://cdn.remirepo.net/enterprise/$releasever/safe/$basearch/mirror', | |
| 354 descr => "Extra CentOS packages from Remi", | |
| 355 enabled => 1, | |
| 356 failovermethod => 'priority', | |
| 357 gpgcheck => 1, | |
| 358 gpgkey => 'file:///etc/pki/rpm-gpg/RPM-GPG-KEY-remi', | |
| 359 } | |
| 360 yumrepo { 'remirepo-php': | |
| 320 | 361 mirrorlist => 'http://cdn.remirepo.net/enterprise/8/modular/$basearch/mirror', |
| 362 descr => 'Remi\'s Modular repository for Enterprise Linux 8 - $basearch', | |
| 247 | 363 enabled => 1, |
| 364 failovermethod => 'priority', | |
| 365 gpgcheck => 1, | |
| 366 gpgkey => 'file:///etc/pki/rpm-gpg/RPM-GPG-KEY-remi', | |
| 367 } | |
| 320 | 368 file { '/etc/pki/rpm-gpg/RPM-GPG-KEY-remi': |
| 369 ensure => present, | |
| 370 source => 'puppet:///common/RPM-GPG-KEY-remi.el8', | |
| 371 tag => 'repo-config', | |
| 372 } | |
| 247 | 373 } else { |
| 374 yumrepo { 'remirepo-safe': | |
| 375 mirrorlist => 'http://cdn.remirepo.net/enterprise/$releasever/safe/mirror', | |
| 376 descr => "Extra CentOS packages from Remi", | |
| 377 enabled => 1, | |
| 378 failovermethod => 'priority', | |
| 379 gpgcheck => 1, | |
| 380 gpgkey => 'file:///etc/pki/rpm-gpg/RPM-GPG-KEY-remi', | |
| 381 } | |
| 382 yumrepo { 'remirepo-php': | |
|
335
aa9f570d6a9c
Switch to PHP 7.4 now that NextCloud has reached v18
IBBoard <dev@ibboard.co.uk>
parents:
334
diff
changeset
|
383 mirrorlist => 'http://cdn.remirepo.net/enterprise/$releasever/php74/mirror', |
|
aa9f570d6a9c
Switch to PHP 7.4 now that NextCloud has reached v18
IBBoard <dev@ibboard.co.uk>
parents:
334
diff
changeset
|
384 descr => "PHP7.4 for CentOS from Remi", |
| 247 | 385 enabled => 1, |
| 386 failovermethod => 'priority', | |
| 387 gpgcheck => 1, | |
| 388 gpgkey => 'file:///etc/pki/rpm-gpg/RPM-GPG-KEY-remi', | |
| 389 } | |
| 320 | 390 file { '/etc/pki/rpm-gpg/RPM-GPG-KEY-remi': |
| 391 ensure => present, | |
| 392 source => 'puppet:///common/RPM-GPG-KEY-remi', | |
| 393 tag => 'repo-config', | |
| 394 } | |
| 238 | 395 } |
| 110 | 396 |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
397 #Configure the PHP version to use |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
398 class { 'website::php': |
| 110 | 399 suffix => $php_suffix, |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
400 opcache => 'opcache', |
|
335
aa9f570d6a9c
Switch to PHP 7.4 now that NextCloud has reached v18
IBBoard <dev@ibboard.co.uk>
parents:
334
diff
changeset
|
401 module => ($operatingsystem == 'CentOS' and versioncmp($operatingsystemrelease, '8') >= 0) ? { true => 'remi-7.4', default => undef }, |
|
322
06a401d3ef45
Add PHP JSON package, which phpMyAdmin requires
IBBoard <dev@ibboard.co.uk>
parents:
320
diff
changeset
|
402 extras => [ 'process', 'intl', 'pecl-imagick', 'bcmath', 'pecl-zip', 'json' ], |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
403 } |
|
24
204330fea19a
Use MariaDB on CentOS7 and manage hiera.yaml (to avoid warnings)
IBBoard <dev@ibboard.co.uk>
parents:
18
diff
changeset
|
404 |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
405 #Setup MySQL, using (private) templates to make sure that we set non-std passwords and a default user |
|
24
204330fea19a
Use MariaDB on CentOS7 and manage hiera.yaml (to avoid warnings)
IBBoard <dev@ibboard.co.uk>
parents:
18
diff
changeset
|
406 |
| 246 | 407 if $operatingsystem == 'CentOS' and versioncmp($operatingsystemrelease, '7') >= 0 { |
|
24
204330fea19a
Use MariaDB on CentOS7 and manage hiera.yaml (to avoid warnings)
IBBoard <dev@ibboard.co.uk>
parents:
18
diff
changeset
|
408 $mysqlpackage = 'mariadb' |
|
204330fea19a
Use MariaDB on CentOS7 and manage hiera.yaml (to avoid warnings)
IBBoard <dev@ibboard.co.uk>
parents:
18
diff
changeset
|
409 $mysqlsuffix = '' |
|
48
5cdc1c96c477
Add SELinux support for website content
IBBoard <dev@ibboard.co.uk>
parents:
45
diff
changeset
|
410 |
|
261
c3ecb1e58713
Fix more CentOS 7 vs 8 differences
IBBoard <dev@ibboard.co.uk>
parents:
258
diff
changeset
|
411 # Required for SELinux rule setting/status checks |
|
c3ecb1e58713
Fix more CentOS 7 vs 8 differences
IBBoard <dev@ibboard.co.uk>
parents:
258
diff
changeset
|
412 if versioncmp($operatingsystemrelease, '8') >= 0 { |
|
c3ecb1e58713
Fix more CentOS 7 vs 8 differences
IBBoard <dev@ibboard.co.uk>
parents:
258
diff
changeset
|
413 $semanage_package_name = 'policycoreutils-python-utils' |
|
c3ecb1e58713
Fix more CentOS 7 vs 8 differences
IBBoard <dev@ibboard.co.uk>
parents:
258
diff
changeset
|
414 } else { |
|
c3ecb1e58713
Fix more CentOS 7 vs 8 differences
IBBoard <dev@ibboard.co.uk>
parents:
258
diff
changeset
|
415 $semanage_package_name = 'policycoreutils-python' |
|
c3ecb1e58713
Fix more CentOS 7 vs 8 differences
IBBoard <dev@ibboard.co.uk>
parents:
258
diff
changeset
|
416 } |
|
c3ecb1e58713
Fix more CentOS 7 vs 8 differences
IBBoard <dev@ibboard.co.uk>
parents:
258
diff
changeset
|
417 |
|
c3ecb1e58713
Fix more CentOS 7 vs 8 differences
IBBoard <dev@ibboard.co.uk>
parents:
258
diff
changeset
|
418 package { 'policycoreutils-python': |
|
c3ecb1e58713
Fix more CentOS 7 vs 8 differences
IBBoard <dev@ibboard.co.uk>
parents:
258
diff
changeset
|
419 name => $semanage_package_name, |
|
c3ecb1e58713
Fix more CentOS 7 vs 8 differences
IBBoard <dev@ibboard.co.uk>
parents:
258
diff
changeset
|
420 ensure => present, |
|
c3ecb1e58713
Fix more CentOS 7 vs 8 differences
IBBoard <dev@ibboard.co.uk>
parents:
258
diff
changeset
|
421 } |
|
c3ecb1e58713
Fix more CentOS 7 vs 8 differences
IBBoard <dev@ibboard.co.uk>
parents:
258
diff
changeset
|
422 |
|
74
c2e5027202e2
Add missing dependency for Trac Subversion support on CentOS 7
IBBoard <dev@ibboard.co.uk>
parents:
72
diff
changeset
|
423 $extra_packages = [ |
| 78 | 424 'perl-Sys-Syslog', #Required for Perl SPF checking |
|
74
c2e5027202e2
Add missing dependency for Trac Subversion support on CentOS 7
IBBoard <dev@ibboard.co.uk>
parents:
72
diff
changeset
|
425 ] |
|
c2e5027202e2
Add missing dependency for Trac Subversion support on CentOS 7
IBBoard <dev@ibboard.co.uk>
parents:
72
diff
changeset
|
426 |
|
c2e5027202e2
Add missing dependency for Trac Subversion support on CentOS 7
IBBoard <dev@ibboard.co.uk>
parents:
72
diff
changeset
|
427 package { $extra_packages: |
|
c2e5027202e2
Add missing dependency for Trac Subversion support on CentOS 7
IBBoard <dev@ibboard.co.uk>
parents:
72
diff
changeset
|
428 ensure => installed |
|
c2e5027202e2
Add missing dependency for Trac Subversion support on CentOS 7
IBBoard <dev@ibboard.co.uk>
parents:
72
diff
changeset
|
429 } |
|
24
204330fea19a
Use MariaDB on CentOS7 and manage hiera.yaml (to avoid warnings)
IBBoard <dev@ibboard.co.uk>
parents:
18
diff
changeset
|
430 } |
|
204330fea19a
Use MariaDB on CentOS7 and manage hiera.yaml (to avoid warnings)
IBBoard <dev@ibboard.co.uk>
parents:
18
diff
changeset
|
431 else { |
|
204330fea19a
Use MariaDB on CentOS7 and manage hiera.yaml (to avoid warnings)
IBBoard <dev@ibboard.co.uk>
parents:
18
diff
changeset
|
432 $mysqlpackage = 'mysql' |
|
204330fea19a
Use MariaDB on CentOS7 and manage hiera.yaml (to avoid warnings)
IBBoard <dev@ibboard.co.uk>
parents:
18
diff
changeset
|
433 $mysqlsuffix = '55w' |
|
204330fea19a
Use MariaDB on CentOS7 and manage hiera.yaml (to avoid warnings)
IBBoard <dev@ibboard.co.uk>
parents:
18
diff
changeset
|
434 } |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
435 class { 'website::mysql': |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
436 mysqluser => template('defaultusers/mysql-user'), |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
437 mysqlpassword => template('defaultusers/mysql-password'), |
|
24
204330fea19a
Use MariaDB on CentOS7 and manage hiera.yaml (to avoid warnings)
IBBoard <dev@ibboard.co.uk>
parents:
18
diff
changeset
|
438 mysqlprefix => $mysqlpackage, |
|
204330fea19a
Use MariaDB on CentOS7 and manage hiera.yaml (to avoid warnings)
IBBoard <dev@ibboard.co.uk>
parents:
18
diff
changeset
|
439 mysqlsuffix => $mysqlsuffix, |
| 110 | 440 phpsuffix => $php_suffix, |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
441 phpmysqlsuffix => 'nd' |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
442 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
443 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
444 |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
445 class ibboardvpsnode ( |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
446 $primary_ip, |
|
284
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
447 $proxy_4to6_ip_prefix = undef, |
| 279 | 448 $proxy_upstream = undef, |
| 326 | 449 $nat64_ranges = [], |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
450 $mailserver, |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
451 $imapserver, |
| 326 | 452 $mailrelays = [], |
|
35
1bb941522ebf
Handle differences in firewalling between ASO (using APF) and most other hosts (using iptables)
IBBoard <dev@ibboard.co.uk>
parents:
32
diff
changeset
|
453 $firewall_cmd = 'iptables', |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
454 ){ |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
455 class { 'basevpsnode': |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
456 primary_ip => $primary_ip, |
|
284
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
457 proxy_4to6_ip_prefix => $proxy_4to6_ip_prefix, |
| 279 | 458 proxy_upstream => $proxy_upstream, |
| 326 | 459 nat64_ranges => $nat64_ranges, |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
460 mailserver => $mailserver, |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
461 imapserver => $imapserver, |
| 326 | 462 mailrelays => $mailrelays, |
|
35
1bb941522ebf
Handle differences in firewalling between ASO (using APF) and most other hosts (using iptables)
IBBoard <dev@ibboard.co.uk>
parents:
32
diff
changeset
|
463 firewall_cmd => $firewall_cmd, |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
464 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
465 |
|
267
edeedd13262c
Set a sensible default timezone for VPS
IBBoard <dev@ibboard.co.uk>
parents:
266
diff
changeset
|
466 # Set timezone to something sensible |
|
edeedd13262c
Set a sensible default timezone for VPS
IBBoard <dev@ibboard.co.uk>
parents:
266
diff
changeset
|
467 file { "/etc/localtime": |
|
edeedd13262c
Set a sensible default timezone for VPS
IBBoard <dev@ibboard.co.uk>
parents:
266
diff
changeset
|
468 ensure => 'link', |
|
edeedd13262c
Set a sensible default timezone for VPS
IBBoard <dev@ibboard.co.uk>
parents:
266
diff
changeset
|
469 target => '/usr/share/zoneinfo/Europe/London', |
|
edeedd13262c
Set a sensible default timezone for VPS
IBBoard <dev@ibboard.co.uk>
parents:
266
diff
changeset
|
470 } |
|
edeedd13262c
Set a sensible default timezone for VPS
IBBoard <dev@ibboard.co.uk>
parents:
266
diff
changeset
|
471 |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
472 # Common modules used by multiple sites (mod_auth_basic is safe because we HTTPS all the things) |
|
146
816e35f86a5d
Remove mod_auth_token and replace with mod_xsendfile
IBBoard <dev@ibboard.co.uk>
parents:
145
diff
changeset
|
473 $mods = [ 'auth_basic', |
|
816e35f86a5d
Remove mod_auth_token and replace with mod_xsendfile
IBBoard <dev@ibboard.co.uk>
parents:
145
diff
changeset
|
474 'authn_file', |
|
816e35f86a5d
Remove mod_auth_token and replace with mod_xsendfile
IBBoard <dev@ibboard.co.uk>
parents:
145
diff
changeset
|
475 'authz_user', |
|
816e35f86a5d
Remove mod_auth_token and replace with mod_xsendfile
IBBoard <dev@ibboard.co.uk>
parents:
145
diff
changeset
|
476 'deflate', |
|
816e35f86a5d
Remove mod_auth_token and replace with mod_xsendfile
IBBoard <dev@ibboard.co.uk>
parents:
145
diff
changeset
|
477 'xsendfile' |
|
816e35f86a5d
Remove mod_auth_token and replace with mod_xsendfile
IBBoard <dev@ibboard.co.uk>
parents:
145
diff
changeset
|
478 ] |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
479 apache::mod { |
|
146
816e35f86a5d
Remove mod_auth_token and replace with mod_xsendfile
IBBoard <dev@ibboard.co.uk>
parents:
145
diff
changeset
|
480 $mods:; |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
481 } |
| 246 | 482 if $operatingsystem == 'CentOS' and versioncmp($operatingsystemrelease, '7') >= 0 { |
| 483 apache::mod { | |
|
25
13adb555a7e2
Use "<IfVersion>" to handle auth differences between 2.2 and 2.4
IBBoard <dev@ibboard.co.uk>
parents:
24
diff
changeset
|
484 'authn_core':; |
|
13adb555a7e2
Use "<IfVersion>" to handle auth differences between 2.2 and 2.4
IBBoard <dev@ibboard.co.uk>
parents:
24
diff
changeset
|
485 } |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
486 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
487 |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
488 #Configure our sites, using templates for the custom fragments where the extra content is too long |
|
284
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
489 class { "devsite": |
|
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
490 proxy_4to6_ip => $proxy_4to6_ip_prefix != undef ? { true => "$proxy_4to6_ip_prefix:01", default => undef } |
|
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
491 } |
|
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
492 class { "adminsite": |
|
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
493 proxy_4to6_ip => $proxy_4to6_ip_prefix != undef ? { true => "$proxy_4to6_ip_prefix:02", default => undef } |
|
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
494 } |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
495 website::https::multitld { 'www.ibboard': |
|
284
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
496 proxy_4to6_ip => $proxy_4to6_ip_prefix != undef ? { true => "$proxy_4to6_ip_prefix:03", default => undef }, |
| 246 | 497 custom_fragment => template("privat/apache/ibboard.fragment"), |
|
157
c6b1b42f3e4b
Move all sites to separate LetsEncrypt certs to make adding future domains easier
IBBoard <dev@ibboard.co.uk>
parents:
154
diff
changeset
|
498 letsencrypt_name => 'ibboard.co.uk', |
|
236
4519b727cc4c
Make Content-Security-Policy cleaner and easier to set
IBBoard <dev@ibboard.co.uk>
parents:
235
diff
changeset
|
499 csp_override => { |
|
4519b727cc4c
Make Content-Security-Policy cleaner and easier to set
IBBoard <dev@ibboard.co.uk>
parents:
235
diff
changeset
|
500 "report-uri" => "https://ibboard.report-uri.com/r/d/csp/enforce", |
|
4519b727cc4c
Make Content-Security-Policy cleaner and easier to set
IBBoard <dev@ibboard.co.uk>
parents:
235
diff
changeset
|
501 "default-src" => "'none'", |
|
4519b727cc4c
Make Content-Security-Policy cleaner and easier to set
IBBoard <dev@ibboard.co.uk>
parents:
235
diff
changeset
|
502 "img-src" => "'self' https://live.staticflickr.com/", |
|
4519b727cc4c
Make Content-Security-Policy cleaner and easier to set
IBBoard <dev@ibboard.co.uk>
parents:
235
diff
changeset
|
503 "script-src" => "'self'", |
|
4519b727cc4c
Make Content-Security-Policy cleaner and easier to set
IBBoard <dev@ibboard.co.uk>
parents:
235
diff
changeset
|
504 "style-src" => "'self'", |
|
4519b727cc4c
Make Content-Security-Policy cleaner and easier to set
IBBoard <dev@ibboard.co.uk>
parents:
235
diff
changeset
|
505 "font-src" => "'self'", |
|
4519b727cc4c
Make Content-Security-Policy cleaner and easier to set
IBBoard <dev@ibboard.co.uk>
parents:
235
diff
changeset
|
506 "form-action" => "'self'", |
|
4519b727cc4c
Make Content-Security-Policy cleaner and easier to set
IBBoard <dev@ibboard.co.uk>
parents:
235
diff
changeset
|
507 "connect-src" => "'self'", |
|
4519b727cc4c
Make Content-Security-Policy cleaner and easier to set
IBBoard <dev@ibboard.co.uk>
parents:
235
diff
changeset
|
508 } |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
509 } |
|
284
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
510 class { "hiveworldterrasite": |
|
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
511 proxy_4to6_ip => $proxy_4to6_ip_prefix != undef ? { true => "$proxy_4to6_ip_prefix:04", default => undef } |
|
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
512 } |
|
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
513 class { "bdstrikesite": |
|
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
514 proxy_4to6_ip => $proxy_4to6_ip_prefix != undef ? { true => "$proxy_4to6_ip_prefix:05", default => undef } |
|
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
515 } |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
516 website::https::multitld { 'www.abiknight': |
|
284
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
517 proxy_4to6_ip => $proxy_4to6_ip_prefix != undef ? { true => "$proxy_4to6_ip_prefix:06", default => undef }, |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
518 custom_fragment => "$website::htmlphpfragment |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
519 ErrorDocument 404 /error.php", |
|
157
c6b1b42f3e4b
Move all sites to separate LetsEncrypt certs to make adding future domains easier
IBBoard <dev@ibboard.co.uk>
parents:
154
diff
changeset
|
520 letsencrypt_name => 'abiknight.co.uk', |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
521 } |
|
284
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
522 website::https::multitld { 'www.warfoundry': |
|
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
523 proxy_4to6_ip => $proxy_4to6_ip_prefix != undef ? { true => "$proxy_4to6_ip_prefix:07", default => undef }, |
|
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
524 letsencrypt_name => 'warfoundry.co.uk', |
|
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
525 custom_fragment => template("privat/apache/warfoundry.fragment"), |
|
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
526 } |
|
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
527 class { "webmailpimsite": |
|
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
528 proxy_4to6_ip_pim => $proxy_4to6_ip_prefix != undef ? { true => "$proxy_4to6_ip_prefix:08", default => undef }, |
|
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
529 proxy_4to6_ip_webmail => $proxy_4to6_ip_prefix != undef ? { true => "$proxy_4to6_ip_prefix:09", default => undef }, |
|
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
530 } |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
531 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
532 |
|
284
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
533 class adminsite ($proxy_4to6_ip) { |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
534 apache::mod { 'info':; 'status':; 'cgi':; } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
535 website::https::multitld { 'admin.ibboard': |
|
284
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
536 proxy_4to6_ip => $proxy_4to6_ip, |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
537 force_no_index => false, |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
538 ssl_ca_chain => '', |
| 246 | 539 custom_fragment => template("privat/apache/admin.fragment"), |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
540 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
541 cron { 'loadavg': |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
542 command => '/usr/local/bin/run-loadavg-logger', |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
543 user => apache, |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
544 minute => '*/6' |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
545 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
546 cron { 'awstats': |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
547 command => '/usr/local/bin/update-awstats > /srv/sites/admin/awstats.log', |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
548 user => apache, |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
549 hour => '*/6', |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
550 minute => '0' |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
551 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
552 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
553 |
|
284
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
554 class hiveworldterrasite ($proxy_4to6_ip) { |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
555 website::https::multitld { 'www.hiveworldterra': |
|
284
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
556 proxy_4to6_ip => $proxy_4to6_ip, |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
557 force_no_www => false, |
|
157
c6b1b42f3e4b
Move all sites to separate LetsEncrypt certs to make adding future domains easier
IBBoard <dev@ibboard.co.uk>
parents:
154
diff
changeset
|
558 letsencrypt_name => 'hiveworldterra.co.uk', |
| 246 | 559 custom_fragment => template("privat/apache/hwt.fragment"), |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
560 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
561 website::https::multitld { 'forums.hiveworldterra': |
|
284
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
562 proxy_4to6_ip => $proxy_4to6_ip, |
|
331
f69e2d197302
Separate some certs to make migration easier
IBBoard <dev@ibboard.co.uk>
parents:
330
diff
changeset
|
563 letsencrypt_name => 'forums.hiveworldterra.co.uk', |
| 246 | 564 custom_fragment => template("privat/apache/forums.fragment"), |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
565 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
566 website::https::multitld { 'skins.hiveworldterra': |
|
284
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
567 proxy_4to6_ip => $proxy_4to6_ip, |
| 334 | 568 letsencrypt_name => 'skins.hiveworldterra.co.uk', |
| 246 | 569 custom_fragment => template("privat/apache/skins.fragment"), |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
570 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
571 website::https::redir { 'hiveworldterra.ibboard.co.uk': |
|
284
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
572 proxy_4to6_ip => $proxy_4to6_ip, |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
573 redir => 'https://www.hiveworldterra.co.uk/', |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
574 docroot => "${website::basedir}/hiveworldterra", |
| 334 | 575 letsencrypt_name => 'hiveworldterra.ibboard.co.uk', |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
576 separate_log => true, |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
577 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
578 } |
|
284
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
579 class bdstrikesite ($proxy_4to6_ip) { |
|
331
f69e2d197302
Separate some certs to make migration easier
IBBoard <dev@ibboard.co.uk>
parents:
330
diff
changeset
|
580 website::https::multitld { 'www.bdstrike': |
|
284
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
581 proxy_4to6_ip => $proxy_4to6_ip, |
| 145 | 582 docroot_owner => $defaultusers::secondary_user, |
| 583 docroot_group => 'editors', | |
|
157
c6b1b42f3e4b
Move all sites to separate LetsEncrypt certs to make adding future domains easier
IBBoard <dev@ibboard.co.uk>
parents:
154
diff
changeset
|
584 letsencrypt_name => 'bdstrike.co.uk', |
| 246 | 585 custom_fragment => template("privat/apache/bdstrike.fragment"), |
|
236
4519b727cc4c
Make Content-Security-Policy cleaner and easier to set
IBBoard <dev@ibboard.co.uk>
parents:
235
diff
changeset
|
586 csp_override => {"frame-ancestors" => "'self'"}, |
|
4519b727cc4c
Make Content-Security-Policy cleaner and easier to set
IBBoard <dev@ibboard.co.uk>
parents:
235
diff
changeset
|
587 csp_report_override => { |
|
4519b727cc4c
Make Content-Security-Policy cleaner and easier to set
IBBoard <dev@ibboard.co.uk>
parents:
235
diff
changeset
|
588 "font-src" => "'self' https://fonts.gstatic.com/", |
|
4519b727cc4c
Make Content-Security-Policy cleaner and easier to set
IBBoard <dev@ibboard.co.uk>
parents:
235
diff
changeset
|
589 "img-src" => "'self' https://secure.gravatar.com/", |
|
4519b727cc4c
Make Content-Security-Policy cleaner and easier to set
IBBoard <dev@ibboard.co.uk>
parents:
235
diff
changeset
|
590 "style-src" => "'self' https://fonts.googleapis.com/" |
|
4519b727cc4c
Make Content-Security-Policy cleaner and easier to set
IBBoard <dev@ibboard.co.uk>
parents:
235
diff
changeset
|
591 }, |
| 145 | 592 } |
|
157
c6b1b42f3e4b
Move all sites to separate LetsEncrypt certs to make adding future domains easier
IBBoard <dev@ibboard.co.uk>
parents:
154
diff
changeset
|
593 $aliases = [ |
|
c6b1b42f3e4b
Move all sites to separate LetsEncrypt certs to make adding future domains easier
IBBoard <dev@ibboard.co.uk>
parents:
154
diff
changeset
|
594 'strikecreations.co.uk', |
|
c6b1b42f3e4b
Move all sites to separate LetsEncrypt certs to make adding future domains easier
IBBoard <dev@ibboard.co.uk>
parents:
154
diff
changeset
|
595 'strikecreations.com', |
|
c6b1b42f3e4b
Move all sites to separate LetsEncrypt certs to make adding future domains easier
IBBoard <dev@ibboard.co.uk>
parents:
154
diff
changeset
|
596 'www.strikecreations.com' ] |
|
c6b1b42f3e4b
Move all sites to separate LetsEncrypt certs to make adding future domains easier
IBBoard <dev@ibboard.co.uk>
parents:
154
diff
changeset
|
597 |
|
c6b1b42f3e4b
Move all sites to separate LetsEncrypt certs to make adding future domains easier
IBBoard <dev@ibboard.co.uk>
parents:
154
diff
changeset
|
598 website::https::redir { 'www.strikecreations.co.uk': |
|
284
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
599 proxy_4to6_ip => $proxy_4to6_ip, |
|
157
c6b1b42f3e4b
Move all sites to separate LetsEncrypt certs to make adding future domains easier
IBBoard <dev@ibboard.co.uk>
parents:
154
diff
changeset
|
600 redir => 'https://bdstrike.co.uk/', |
|
c6b1b42f3e4b
Move all sites to separate LetsEncrypt certs to make adding future domains easier
IBBoard <dev@ibboard.co.uk>
parents:
154
diff
changeset
|
601 serveraliases => $aliases, |
| 145 | 602 docroot => "${website::basedir}/bdstrike", |
| 603 docroot_owner => $defaultusers::secondary_user, | |
| 604 docroot_group => 'editors', | |
|
331
f69e2d197302
Separate some certs to make migration easier
IBBoard <dev@ibboard.co.uk>
parents:
330
diff
changeset
|
605 letsencrypt_name => 'strikecreations.com', |
|
157
c6b1b42f3e4b
Move all sites to separate LetsEncrypt certs to make adding future domains easier
IBBoard <dev@ibboard.co.uk>
parents:
154
diff
changeset
|
606 separate_log => true, |
| 145 | 607 } |
|
235
e602c5f974ac
Make a cron job for updating Wordpress
IBBoard <dev@ibboard.co.uk>
parents:
200
diff
changeset
|
608 cron { 'wordpress_cron': |
|
e602c5f974ac
Make a cron job for updating Wordpress
IBBoard <dev@ibboard.co.uk>
parents:
200
diff
changeset
|
609 # Run "php -f wp-cron.php" on a schedule so that we can auto-update |
|
e602c5f974ac
Make a cron job for updating Wordpress
IBBoard <dev@ibboard.co.uk>
parents:
200
diff
changeset
|
610 # without giving Apache full write access! |
|
e602c5f974ac
Make a cron job for updating Wordpress
IBBoard <dev@ibboard.co.uk>
parents:
200
diff
changeset
|
611 command => "/usr/local/bin/bdstrike-cron", |
|
e602c5f974ac
Make a cron job for updating Wordpress
IBBoard <dev@ibboard.co.uk>
parents:
200
diff
changeset
|
612 user => $defaultusers::default_user, |
|
e602c5f974ac
Make a cron job for updating Wordpress
IBBoard <dev@ibboard.co.uk>
parents:
200
diff
changeset
|
613 minute => '*/15', |
|
e602c5f974ac
Make a cron job for updating Wordpress
IBBoard <dev@ibboard.co.uk>
parents:
200
diff
changeset
|
614 } |
| 145 | 615 } |
|
284
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
616 class devsite ($proxy_4to6_ip) { |
|
261
c3ecb1e58713
Fix more CentOS 7 vs 8 differences
IBBoard <dev@ibboard.co.uk>
parents:
258
diff
changeset
|
617 if versioncmp($operatingsystemrelease, '8') >= 0 { |
|
c3ecb1e58713
Fix more CentOS 7 vs 8 differences
IBBoard <dev@ibboard.co.uk>
parents:
258
diff
changeset
|
618 # Apache::Mod doesn't map this correctly for CentOS 8 yet |
|
c3ecb1e58713
Fix more CentOS 7 vs 8 differences
IBBoard <dev@ibboard.co.uk>
parents:
258
diff
changeset
|
619 $mod_wsgi_lib = 'mod_wsgi_python3.so' |
|
c3ecb1e58713
Fix more CentOS 7 vs 8 differences
IBBoard <dev@ibboard.co.uk>
parents:
258
diff
changeset
|
620 } else { |
|
c3ecb1e58713
Fix more CentOS 7 vs 8 differences
IBBoard <dev@ibboard.co.uk>
parents:
258
diff
changeset
|
621 $mod_wsgi_lib = undef |
|
c3ecb1e58713
Fix more CentOS 7 vs 8 differences
IBBoard <dev@ibboard.co.uk>
parents:
258
diff
changeset
|
622 } |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
623 apache::mod { |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
624 # mod_wsgi for Python support |
|
261
c3ecb1e58713
Fix more CentOS 7 vs 8 differences
IBBoard <dev@ibboard.co.uk>
parents:
258
diff
changeset
|
625 'wsgi': |
|
c3ecb1e58713
Fix more CentOS 7 vs 8 differences
IBBoard <dev@ibboard.co.uk>
parents:
258
diff
changeset
|
626 lib => $mod_wsgi_lib, |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
627 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
628 |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
629 # Create Python virtualenvs for the dev site apps |
|
272
c42fb28cff86
Update to a newer Python module
IBBoard <dev@ibboard.co.uk>
parents:
271
diff
changeset
|
630 file { |
|
c42fb28cff86
Update to a newer Python module
IBBoard <dev@ibboard.co.uk>
parents:
271
diff
changeset
|
631 "/srv/rhodecode": |
|
c42fb28cff86
Update to a newer Python module
IBBoard <dev@ibboard.co.uk>
parents:
271
diff
changeset
|
632 ensure => 'directory'; |
|
c42fb28cff86
Update to a newer Python module
IBBoard <dev@ibboard.co.uk>
parents:
271
diff
changeset
|
633 "/srv/trac": |
|
c42fb28cff86
Update to a newer Python module
IBBoard <dev@ibboard.co.uk>
parents:
271
diff
changeset
|
634 ensure => 'directory'; |
|
c42fb28cff86
Update to a newer Python module
IBBoard <dev@ibboard.co.uk>
parents:
271
diff
changeset
|
635 } -> |
|
c42fb28cff86
Update to a newer Python module
IBBoard <dev@ibboard.co.uk>
parents:
271
diff
changeset
|
636 python::virtualenv { |
|
c42fb28cff86
Update to a newer Python module
IBBoard <dev@ibboard.co.uk>
parents:
271
diff
changeset
|
637 # Distribute is described as "simple compatibility layer that installs Setuptools 0.7+" |
|
c42fb28cff86
Update to a newer Python module
IBBoard <dev@ibboard.co.uk>
parents:
271
diff
changeset
|
638 # and leads to 'module "importlib._bootstrap" has no attribute "SourceFileLoader"' |
|
c42fb28cff86
Update to a newer Python module
IBBoard <dev@ibboard.co.uk>
parents:
271
diff
changeset
|
639 "/srv/rhodecode/virtualenv": |
|
c42fb28cff86
Update to a newer Python module
IBBoard <dev@ibboard.co.uk>
parents:
271
diff
changeset
|
640 distribute => false, |
|
c42fb28cff86
Update to a newer Python module
IBBoard <dev@ibboard.co.uk>
parents:
271
diff
changeset
|
641 version => '3'; |
|
c42fb28cff86
Update to a newer Python module
IBBoard <dev@ibboard.co.uk>
parents:
271
diff
changeset
|
642 "/srv/trac/virtualenv": |
|
c42fb28cff86
Update to a newer Python module
IBBoard <dev@ibboard.co.uk>
parents:
271
diff
changeset
|
643 distribute => false, |
|
c42fb28cff86
Update to a newer Python module
IBBoard <dev@ibboard.co.uk>
parents:
271
diff
changeset
|
644 version => '3'; |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
645 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
646 |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
647 # Graphviz for Trac "master ticket" graphs |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
648 package { 'graphviz': |
|
131
0dd899a10ee1
Change all "latest" packages to "installed"
IBBoard <dev@ibboard.co.uk>
parents:
129
diff
changeset
|
649 ensure => installed, |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
650 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
651 |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
652 website::https::multitld { 'dev.ibboard': |
|
284
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
653 proxy_4to6_ip => $proxy_4to6_ip, |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
654 #Make sure we're the first one hit for the tiny fraction of "no support" cases we care about (potentially Python for Mercurial!) |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
655 # http://en.wikipedia.org/wiki/Server_Name_Indication#No_support |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
656 priority => 1, |
|
157
c6b1b42f3e4b
Move all sites to separate LetsEncrypt certs to make adding future domains easier
IBBoard <dev@ibboard.co.uk>
parents:
154
diff
changeset
|
657 letsencrypt_name => 'dev.ibboard.co.uk', |
| 246 | 658 custom_fragment => template("privat/apache/dev.fragment"), |
|
281
af7df930a670
Add 4-to-6 proxy and mod_remoteip setup
IBBoard <dev@ibboard.co.uk>
parents:
279
diff
changeset
|
659 proxy_fragment => template("privat/apache/dev-proxy.fragment"), |
|
52
be1e9773a12c
Mercurial repo versions index.php files etc, so removing index.php breaks things!
IBBoard <dev@ibboard.co.uk>
parents:
44
diff
changeset
|
660 force_no_index => false, |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
661 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
662 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
663 |
|
284
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
664 class webmailpimsite ($proxy_4to6_ip_pim, $proxy_4to6_ip_webmail) { |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
665 # Webmail and Personal Information Management (PIM) sites |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
666 website::https { 'webmail.ibboard.co.uk': |
|
284
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
667 proxy_4to6_ip => $proxy_4to6_ip_webmail, |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
668 force_no_index => false, |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
669 ssl_ca_chain => '', |
| 246 | 670 custom_fragment => template("privat/apache/webmail.fragment"), |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
671 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
672 website::https { 'pim.ibboard.co.uk': |
|
284
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
673 proxy_4to6_ip => $proxy_4to6_ip_pim, |
|
242
7d8e664ebcc9
Change owner/group on Nextcloud for easy upgrade
IBBoard <dev@ibboard.co.uk>
parents:
241
diff
changeset
|
674 docroot_owner => 'apache', |
|
7d8e664ebcc9
Change owner/group on Nextcloud for easy upgrade
IBBoard <dev@ibboard.co.uk>
parents:
241
diff
changeset
|
675 docroot_group => 'editors', |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
676 force_no_index => false, |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
677 lockdown_requests => false, |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
678 ssl_ca_chain => '', |
|
265
bf2b8912c414
Make PIM site skip CSP headers - NextCloud manages them
IBBoard <dev@ibboard.co.uk>
parents:
264
diff
changeset
|
679 csp => false, |
|
bf2b8912c414
Make PIM site skip CSP headers - NextCloud manages them
IBBoard <dev@ibboard.co.uk>
parents:
264
diff
changeset
|
680 csp_report => false, |
| 246 | 681 custom_fragment => template("privat/apache/pim.fragment"), |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
682 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
683 cron { 'owncloudcron': |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
684 command => "/usr/local/bin/owncloud-cron", |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
685 user => 'apache', |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
686 minute => '*/15', |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
687 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
688 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
689 |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
690 class email ( |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
691 $mailserver, |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
692 $imapserver, |
|
311
51d3748f8112
Configure Dovecot (IMAP) for PROXY protocol use
IBBoard <dev@ibboard.co.uk>
parents:
310
diff
changeset
|
693 $mailserver_ip, |
|
313
49e66019faf7
Configure Postfix for IPv6 w/proxy
IBBoard <dev@ibboard.co.uk>
parents:
311
diff
changeset
|
694 $proxy_ip = undef, |
|
311
51d3748f8112
Configure Dovecot (IMAP) for PROXY protocol use
IBBoard <dev@ibboard.co.uk>
parents:
310
diff
changeset
|
695 $proxy_upstream = [], |
| 326 | 696 $nat64_ranges = [], |
| 697 $mailrelays = [], | |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
698 ){ |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
699 class { 'postfix': |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
700 mailserver => $mailserver, |
|
313
49e66019faf7
Configure Postfix for IPv6 w/proxy
IBBoard <dev@ibboard.co.uk>
parents:
311
diff
changeset
|
701 mailserver_ip => $mailserver_ip, |
|
49e66019faf7
Configure Postfix for IPv6 w/proxy
IBBoard <dev@ibboard.co.uk>
parents:
311
diff
changeset
|
702 mailserver_proxy => $proxy_ip, |
|
49e66019faf7
Configure Postfix for IPv6 w/proxy
IBBoard <dev@ibboard.co.uk>
parents:
311
diff
changeset
|
703 proxy_upstream => $proxy_upstream, |
| 326 | 704 mailrelays => $mailrelays, |
| 705 nat64_ranges => $nat64_ranges, | |
|
317
2a20a5b7f65a
Swap IPv6 Postfix to "all" protocols to support PROXY
IBBoard <dev@ibboard.co.uk>
parents:
313
diff
changeset
|
706 protocols => $mailserver_ip =~ Stdlib::IP::Address::V6 ? { true => 'all', default => 'ipv4' }, |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
707 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
708 class { 'dovecot': |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
709 imapserver => $imapserver, |
|
311
51d3748f8112
Configure Dovecot (IMAP) for PROXY protocol use
IBBoard <dev@ibboard.co.uk>
parents:
310
diff
changeset
|
710 imapserver_ip => $mailserver_ip, |
|
313
49e66019faf7
Configure Postfix for IPv6 w/proxy
IBBoard <dev@ibboard.co.uk>
parents:
311
diff
changeset
|
711 imapserver_proxy => $proxy_ip, |
|
311
51d3748f8112
Configure Dovecot (IMAP) for PROXY protocol use
IBBoard <dev@ibboard.co.uk>
parents:
310
diff
changeset
|
712 proxy_upstream => $proxy_upstream, |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
713 } |
|
177
1b605c38b375
Add missing dependencies for SpamAssassin rules
IBBoard <dev@ibboard.co.uk>
parents:
176
diff
changeset
|
714 # Unspecified SpamAssassin config dependencies that started |
|
1b605c38b375
Add missing dependencies for SpamAssassin rules
IBBoard <dev@ibboard.co.uk>
parents:
176
diff
changeset
|
715 # showing up as errors in our logs |
|
276
165ad12ea8ca
Remove Perl LZMA module because it's in beta
IBBoard <dev@ibboard.co.uk>
parents:
274
diff
changeset
|
716 package { ['perl-File-MimeInfo']: |
|
177
1b605c38b375
Add missing dependencies for SpamAssassin rules
IBBoard <dev@ibboard.co.uk>
parents:
176
diff
changeset
|
717 ensure => installed, |
|
1b605c38b375
Add missing dependencies for SpamAssassin rules
IBBoard <dev@ibboard.co.uk>
parents:
176
diff
changeset
|
718 } |
|
140
6eef7cec8658
Remove ClamAV from server config
IBBoard <dev@ibboard.co.uk>
parents:
139
diff
changeset
|
719 package { [ 'amavisd-new' ]: |
| 85 | 720 ensure => installed, |
| 721 tag => 'av', | |
| 722 } | |
|
86
4f59d2fcd521
Make sure that Amavis daemon is running so mail gets delivered after reboot!
IBBoard <dev@ibboard.co.uk>
parents:
85
diff
changeset
|
723 service { 'amavisd': |
|
4f59d2fcd521
Make sure that Amavis daemon is running so mail gets delivered after reboot!
IBBoard <dev@ibboard.co.uk>
parents:
85
diff
changeset
|
724 ensure => 'running', |
|
4f59d2fcd521
Make sure that Amavis daemon is running so mail gets delivered after reboot!
IBBoard <dev@ibboard.co.uk>
parents:
85
diff
changeset
|
725 enable => 'true', |
|
4f59d2fcd521
Make sure that Amavis daemon is running so mail gets delivered after reboot!
IBBoard <dev@ibboard.co.uk>
parents:
85
diff
changeset
|
726 } |
|
270
481acc395876
Mask "clamav@amavisd" service to save memory
IBBoard <dev@ibboard.co.uk>
parents:
268
diff
changeset
|
727 service { 'clamd@amavisd': |
|
481acc395876
Mask "clamav@amavisd" service to save memory
IBBoard <dev@ibboard.co.uk>
parents:
268
diff
changeset
|
728 ensure => 'stopped', |
|
481acc395876
Mask "clamav@amavisd" service to save memory
IBBoard <dev@ibboard.co.uk>
parents:
268
diff
changeset
|
729 enable=> 'mask', |
|
481acc395876
Mask "clamav@amavisd" service to save memory
IBBoard <dev@ibboard.co.uk>
parents:
268
diff
changeset
|
730 } |
| 85 | 731 file { '/etc/amavisd/amavisd.conf': |
| 732 ensure => present, | |
| 733 source => 'puppet:///private/postfix/amavisd.conf', | |
| 734 tag => 'av', | |
| 735 } | |
|
163
4e53d77fa586
Manage SpamAssassin local config
IBBoard <dev@ibboard.co.uk>
parents:
162
diff
changeset
|
736 file { '/etc/mail/spamassassin/local.cf': |
|
4e53d77fa586
Manage SpamAssassin local config
IBBoard <dev@ibboard.co.uk>
parents:
162
diff
changeset
|
737 ensure => present, |
|
4e53d77fa586
Manage SpamAssassin local config
IBBoard <dev@ibboard.co.uk>
parents:
162
diff
changeset
|
738 source => 'puppet:///private/postfix/spamassassin-local.cf', |
|
4e53d77fa586
Manage SpamAssassin local config
IBBoard <dev@ibboard.co.uk>
parents:
162
diff
changeset
|
739 tag => 'av', |
|
4e53d77fa586
Manage SpamAssassin local config
IBBoard <dev@ibboard.co.uk>
parents:
162
diff
changeset
|
740 } |
|
142
dae1088dd218
Add OLE detection to SpamAssassin without ClamAV
IBBoard <dev@ibboard.co.uk>
parents:
141
diff
changeset
|
741 file { '/etc/mail/spamassassin/ole2macro.cf': |
|
dae1088dd218
Add OLE detection to SpamAssassin without ClamAV
IBBoard <dev@ibboard.co.uk>
parents:
141
diff
changeset
|
742 ensure => present, |
|
dae1088dd218
Add OLE detection to SpamAssassin without ClamAV
IBBoard <dev@ibboard.co.uk>
parents:
141
diff
changeset
|
743 source => 'puppet:///common/ole2macro.cf', |
|
dae1088dd218
Add OLE detection to SpamAssassin without ClamAV
IBBoard <dev@ibboard.co.uk>
parents:
141
diff
changeset
|
744 tag => 'av', |
|
dae1088dd218
Add OLE detection to SpamAssassin without ClamAV
IBBoard <dev@ibboard.co.uk>
parents:
141
diff
changeset
|
745 } |
|
dae1088dd218
Add OLE detection to SpamAssassin without ClamAV
IBBoard <dev@ibboard.co.uk>
parents:
141
diff
changeset
|
746 file { '/etc/mail/spamassassin/ole2macro.pm': |
|
dae1088dd218
Add OLE detection to SpamAssassin without ClamAV
IBBoard <dev@ibboard.co.uk>
parents:
141
diff
changeset
|
747 ensure => present, |
|
dae1088dd218
Add OLE detection to SpamAssassin without ClamAV
IBBoard <dev@ibboard.co.uk>
parents:
141
diff
changeset
|
748 source => 'puppet:///common/spamassassin-vba-macro-master/ole2macro.pm', |
|
dae1088dd218
Add OLE detection to SpamAssassin without ClamAV
IBBoard <dev@ibboard.co.uk>
parents:
141
diff
changeset
|
749 tag => 'av', |
|
dae1088dd218
Add OLE detection to SpamAssassin without ClamAV
IBBoard <dev@ibboard.co.uk>
parents:
141
diff
changeset
|
750 } |
| 85 | 751 Package<| tag == 'av' |> -> File<| tag == 'av' |> |
|
87
6be21a984126
Make sure that config file changes for changes trigger a reload
IBBoard <dev@ibboard.co.uk>
parents:
86
diff
changeset
|
752 File<| tag == 'av' |> { |
|
6be21a984126
Make sure that config file changes for changes trigger a reload
IBBoard <dev@ibboard.co.uk>
parents:
86
diff
changeset
|
753 notify => Service['amavisd'], |
|
6be21a984126
Make sure that config file changes for changes trigger a reload
IBBoard <dev@ibboard.co.uk>
parents:
86
diff
changeset
|
754 } |
|
125
ca711ab45f17
Schedule Postwhite to run regularly
IBBoard <dev@ibboard.co.uk>
parents:
122
diff
changeset
|
755 cron { 'Postwhite': |
|
129
16a931df5fd7
Filter what we see in Postwhite cron output
IBBoard <dev@ibboard.co.uk>
parents:
128
diff
changeset
|
756 command => "/usr/local/bin/postwhite 2>&1| grep -vE '^(Starting|Recursively|Getting|Querying|Removing|Sorting|$)'", |
|
125
ca711ab45f17
Schedule Postwhite to run regularly
IBBoard <dev@ibboard.co.uk>
parents:
122
diff
changeset
|
757 user => 'root', |
|
ca711ab45f17
Schedule Postwhite to run regularly
IBBoard <dev@ibboard.co.uk>
parents:
122
diff
changeset
|
758 weekday => 0, |
|
128
379089631403
Fix rookie cron mistake - don't run Postwhite EVERY MINUTE!
IBBoard <dev@ibboard.co.uk>
parents:
126
diff
changeset
|
759 hour => 2, |
|
379089631403
Fix rookie cron mistake - don't run Postwhite EVERY MINUTE!
IBBoard <dev@ibboard.co.uk>
parents:
126
diff
changeset
|
760 minute => 0, |
|
125
ca711ab45f17
Schedule Postwhite to run regularly
IBBoard <dev@ibboard.co.uk>
parents:
122
diff
changeset
|
761 } |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
762 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
763 |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
764 class cronjobs { |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
765 # Add Mutt for scripts that send emails, but stop it clogging the disk by keeping copies of emails |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
766 package { 'mutt': |
|
131
0dd899a10ee1
Change all "latest" packages to "installed"
IBBoard <dev@ibboard.co.uk>
parents:
129
diff
changeset
|
767 ensure => installed, |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
768 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
769 file { '/etc/Muttrc.local': |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
770 content => 'set copy = no', |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
771 require => Package['mutt'], |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
772 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
773 |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
774 # General server-wide cron jobs |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
775 Cron { user => 'root' } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
776 cron { 'backupalldbs': |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
777 command => "/usr/local/bin/backupalldbs", |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
778 monthday => "*/2", |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
779 hour => "4", |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
780 minute => "9" |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
781 } |
|
323
002203790815
Stop running Great Firewall Against China on IPv6 machines
IBBoard <dev@ibboard.co.uk>
parents:
322
diff
changeset
|
782 # Only run the Great Firewall Against China on IPv4 (since we don't have an IPv6 list |
|
002203790815
Stop running Great Firewall Against China on IPv6 machines
IBBoard <dev@ibboard.co.uk>
parents:
322
diff
changeset
|
783 # and the PROXY forwards the IPs to services, but not at the network level) |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
784 cron { 'greatfirewallofchina': |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
785 command => '/usr/local/bin/update-great-firewall-of-china', |
|
323
002203790815
Stop running Great Firewall Against China on IPv6 machines
IBBoard <dev@ibboard.co.uk>
parents:
322
diff
changeset
|
786 ensure => has_key($facts, 'ipaddress') ? { true => "present", default => "absent" }, |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
787 hour => 3, |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
788 minute => 30 |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
789 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
790 cron { 'permissions': |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
791 command => '/usr/local/bin/set-permissions', |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
792 hour => 3, |
|
14
534e584f21ce
Tweak time on permission setting script so that it is less likely to clash with LoadAVG run every 6 minutes
IBBoard <dev@ibboard.co.uk>
parents:
13
diff
changeset
|
793 minute => 2 |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
794 } |
|
55
ce8eaaca6a34
Update firewalling so that we block the right ports when using iptables directly
IBBoard <dev@ibboard.co.uk>
parents:
54
diff
changeset
|
795 # Since we're only managing the local server, use our script that wraps "puppet apply" instead of PuppetMaster |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
796 cron { 'puppet': |
|
268
9f054191b9db
Filter new log line from puppet-apply output
IBBoard <dev@ibboard.co.uk>
parents:
267
diff
changeset
|
797 command => '/usr/local/bin/puppet-apply | grep -v "Compiled catalog for\|Finished catalog run in\|Applied catalog in"', |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
798 hour => '*/6', |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
799 minute => 5 |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
800 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
801 cron { 'purgecaches': |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
802 command => "/usr/local/bin/purge-caches", |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
803 hour => '4', |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
804 minute => '15', |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
805 weekday => '1', |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
806 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
807 # Notify of uncommitted files |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
808 cron { 'check-mercurial-committed': |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
809 command => "/usr/local/bin/check-hg-status", |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
810 hour => '4', |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
811 minute => '20', |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
812 weekday => '0-6/3', #Sunday, Wednesday and Saturday morning |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
813 } |
|
93
74678cd7a200
Run cron job to notify of available updates
IBBoard <dev@ibboard.co.uk>
parents:
91
diff
changeset
|
814 # Notify of available updates |
|
74678cd7a200
Run cron job to notify of available updates
IBBoard <dev@ibboard.co.uk>
parents:
91
diff
changeset
|
815 cron { 'check-yum-updates': |
|
309
7fa5e230fc94
Fix type in Yum update checking
IBBoard <dev@ibboard.co.uk>
parents:
302
diff
changeset
|
816 command => '/usr/bin/yum check-update | tail -2 | grep -Ev "^ \* [[:alnum:]-]+: [[:alnum:]\.]+$"', |
|
93
74678cd7a200
Run cron job to notify of available updates
IBBoard <dev@ibboard.co.uk>
parents:
91
diff
changeset
|
817 hour => '4', |
|
74678cd7a200
Run cron job to notify of available updates
IBBoard <dev@ibboard.co.uk>
parents:
91
diff
changeset
|
818 minute => '30', |
|
74678cd7a200
Run cron job to notify of available updates
IBBoard <dev@ibboard.co.uk>
parents:
91
diff
changeset
|
819 weekday => '0-6/3', #Sunday, Wednesday and Saturday morning |
|
74678cd7a200
Run cron job to notify of available updates
IBBoard <dev@ibboard.co.uk>
parents:
91
diff
changeset
|
820 } |
|
97
b69e3f6708d6
Add another regular command to check that we've not got services requiring a restart
IBBoard <dev@ibboard.co.uk>
parents:
96
diff
changeset
|
821 # And check whether anything needs restarting |
|
b69e3f6708d6
Add another regular command to check that we've not got services requiring a restart
IBBoard <dev@ibboard.co.uk>
parents:
96
diff
changeset
|
822 cron { 'check-needs-restarting': |
|
b69e3f6708d6
Add another regular command to check that we've not got services requiring a restart
IBBoard <dev@ibboard.co.uk>
parents:
96
diff
changeset
|
823 command => '/usr/bin/needs-restarting|grep -v "/usr/lib/systemd\|/usr/sbin/lvmetad\|/usr/lib/polkit-1/polkitd"', |
|
b69e3f6708d6
Add another regular command to check that we've not got services requiring a restart
IBBoard <dev@ibboard.co.uk>
parents:
96
diff
changeset
|
824 hour => '4', |
|
b69e3f6708d6
Add another regular command to check that we've not got services requiring a restart
IBBoard <dev@ibboard.co.uk>
parents:
96
diff
changeset
|
825 minute => '45', |
|
b69e3f6708d6
Add another regular command to check that we've not got services requiring a restart
IBBoard <dev@ibboard.co.uk>
parents:
96
diff
changeset
|
826 weekday => '0-6/3', #Sunday, Wednesday and Saturday morning |
|
b69e3f6708d6
Add another regular command to check that we've not got services requiring a restart
IBBoard <dev@ibboard.co.uk>
parents:
96
diff
changeset
|
827 } |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
828 } |