Mercurial > repos > other > Puppet

comparison manifests/templates.pp @ 256:0ebd8efeef04

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Merge Puppet divergences and fix SSL chain issues it caused
author IBBoard <dev@ibboard.co.uk>
date Sun, 29 Dec 2019 15:31:28 +0000
parents d4b2bdfe47a6 2d119b462c83
children 241fbf45e6f3
comparison
equal deleted inserted replaced
255:d4b2bdfe47a6 256:0ebd8efeef04
1 # Make sure packages come after their repos 1 # Make sure packages come after their repos
2 YumRepo<| |> -> Package<| |> 2 YumRepo<| |> -> Package<| |>
3 3
4 # Make sure all files are in place before starting services 4 # Make sure all files are in place before starting services
5 File<| |> -> Service<| |> 5 File<| tag != 'post-service' |> -> Service<| |>
6
7 # Set some shortcut variables
8 #$os = $operatingsystem
9 $osver = $operatingsystemmajrelease
10 $server = ''
6 11
7 12
8 class basenode { 13 class basenode {
9 $os = $operatingsystem
10 $osver = "v${operatingsystemrelease}"
11 include sudo 14 include sudo
12 15
13 include defaultusers 16 include defaultusers
14 include logwatch 17 include logwatch
15 18
43 $primary_ip ${fqdn}", 46 $primary_ip ${fqdn}",
44 } 47 }
45 48
46 require repos 49 require repos
47 include basenode 50 include basenode
48 include private 51 include privat
49 include dnsresolver 52 include dnsresolver
50 include ssh::server 53 include ssh::server
51 include vcs::server 54 include vcs::server
52 include vcs::client 55 include vcs::client
53 class { 'webserver': 56 class { 'webserver':
161 require => Package['bind'], 164 require => Package['bind'],
162 } 165 }
163 166
164 file { '/etc/named.conf': 167 file { '/etc/named.conf':
165 ensure => present, 168 ensure => present,
166 source => 'puppet:///common/named.conf', 169 source => [
170 "puppet:///common/named.conf-${::hostname}",
171 "puppet:///common/named.conf",
172 ],
167 group => 'named', 173 group => 'named',
168 require => Package['bind'], 174 require => Package['bind'],
169 notify => Service['named'], 175 notify => Service['named'],
170 } 176 }
171 177
175 dns=none", 181 dns=none",
176 } 182 }
177 183
178 file { '/etc/sysconfig/named': 184 file { '/etc/sysconfig/named':
179 ensure => present, 185 ensure => present,
180 content => 'OPTIONS="-4"', 186 source => [
187 "puppet:///common/sysconfig-named-${::hostname}",
188 "puppet:///common/sysconfig-named",
189 ],
181 require => Package['bind'], 190 require => Package['bind'],
182 } 191 }
183 192
184 file { '/etc/resolv.conf': 193 file { '/etc/resolv.conf':
185 ensure => present, 194 ensure => present,
186 content => "nameserver 127.0.0.1" 195 content => "nameserver 127.0.0.1",
196 require => Service['named'],
197 tag => 'post-service',
187 } 198 }
188 } 199 }
189 200
190 class repos { 201 class repos {
191 yumrepo { 'epel': 202 yumrepo { 'epel':
192 mirrorlist => 'https://mirrors.fedoraproject.org/metalink?repo=epel-$releasever&arch=$basearch', 203 mirrorlist => 'https://mirrors.fedoraproject.org/metalink?repo=epel-$releasever&arch=$basearch',
193 descr => "Extra Packages for Enterprise Linux", 204 descr => "Extra Packages for Enterprise Linux",
194 enabled => 1, 205 enabled => 1,
195 failovermethod => 'priority', 206 failovermethod => 'priority',
196 gpgcheck => 1, 207 gpgcheck => 1,
197 gpgkey => 'file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6', 208 gpgkey => "file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-$osver",
198 } 209 }
199 file { '/etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6': 210 file { "/etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-$osver":
200 ensure => present, 211 ensure => present,
201 source => 'puppet:///common/RPM-GPG-KEY-EPEL-6' 212 source => "puppet:///common/RPM-GPG-KEY-EPEL-$osver"
202 } 213 }
203 yumrepo { 'ibboard': 214 if $operatingsystem == 'CentOS' and versioncmp($operatingsystemrelease, '7') >= 0 and versioncmp($operatingsystemrelease, '8') < 0 {
204 baseurl => 'https://download.opensuse.org/repositories/home:/IBBoard:/server/CentOS_$releasever/', 215 # We only have extra packages for CentOS 7
205 descr => 'Extra packages from IBBoard', 216 yumrepo { 'ibboard':
206 enabled => 1, 217 baseurl => 'https://download.opensuse.org/repositories/home:/IBBoard:/server/CentOS_$releasever/',
207 gpgcheck => 1, 218 descr => 'Extra packages from IBBoard',
208 gpgkey => 'file:///etc/pki/rpm-gpg/RPM-GPG-KEY-ibboard', 219 enabled => 1,
209 } 220 gpgcheck => 1,
210 file { '/etc/pki/rpm-gpg/RPM-GPG-KEY-ibboard': 221 gpgkey => 'file:///etc/pki/rpm-gpg/RPM-GPG-KEY-ibboard',
211 ensure => present, 222 }
212 source => 'puppet:///common/RPM-GPG-KEY-ibboard' 223 file { '/etc/pki/rpm-gpg/RPM-GPG-KEY-ibboard':
224 ensure => present,
225 source => 'puppet:///common/RPM-GPG-KEY-ibboard'
226 }
213 } 227 }
214 yumrepo { 'webtatic': 228 yumrepo { 'webtatic':
215 ensure => absent, 229 ensure => absent,
216 } 230 }
217 file { '/etc/pki/rpm-gpg/RPM-GPG-KEY-webtatic-andy': 231 file { '/etc/pki/rpm-gpg/RPM-GPG-KEY-webtatic-andy':
231 target => '/usr/bin/pip', 245 target => '/usr/bin/pip',
232 } -> Package <| provider == 'pip' |> 246 } -> Package <| provider == 'pip' |>
233 } 247 }
234 248
235 class tools { 249 class tools {
236 $packages = [ 'sqlite', 'bash-completion', 'nano', 'bzip2', 'mlocate', 'patch' ] 250 $packages = [ 'sqlite', 'bash-completion', 'nano', 'bzip2', 'mlocate', 'patch', 'tmux' ]
237 package { $packages: 251 package { $packages:
238 ensure => installed; 252 ensure => installed;
239 } 253 }
240 } 254 }
241 255
409 default_extra_tlds => [ 'com' ], 423 default_extra_tlds => [ 'com' ],
410 } 424 }
411 425
412 # Use Remi's PHP 7.3 for now - 7.4 is still VERY new 426 # Use Remi's PHP 7.3 for now - 7.4 is still VERY new
413 $php_suffix = '' 427 $php_suffix = ''
414 yumrepo { 'remirepo-safe': 428 if $operatingsystem == 'CentOS' and versioncmp($operatingsystemrelease, '8') >= 0 {
415 mirrorlist => 'http://cdn.remirepo.net/enterprise/$releasever/safe/mirror', 429 yumrepo { 'remirepo-safe':
416 descr => "Extra CentOS packages from Remi", 430 mirrorlist => 'http://cdn.remirepo.net/enterprise/$releasever/safe/$basearch/mirror',
417 enabled => 1, 431 descr => "Extra CentOS packages from Remi",
418 failovermethod => 'priority', 432 enabled => 1,
419 gpgcheck => 1, 433 failovermethod => 'priority',
420 gpgkey => 'file:///etc/pki/rpm-gpg/RPM-GPG-KEY-remi', 434 gpgcheck => 1,
421 } 435 gpgkey => 'file:///etc/pki/rpm-gpg/RPM-GPG-KEY-remi',
422 yumrepo { 'remirepo-php': 436 }
423 mirrorlist => 'http://cdn.remirepo.net/enterprise/$releasever/php73/mirror', 437 yumrepo { 'remirepo-php':
424 descr => "PHP7.3 for CentOS from Remi", 438 mirrorlist => 'http://cdn.remirepo.net/enterprise/$releasever/php73/$basearch/mirror',
425 enabled => 1, 439 descr => "PHP7.3 for CentOS from Remi",
426 failovermethod => 'priority', 440 enabled => 1,
427 gpgcheck => 1, 441 failovermethod => 'priority',
428 gpgkey => 'file:///etc/pki/rpm-gpg/RPM-GPG-KEY-remi', 442 gpgcheck => 1,
443 gpgkey => 'file:///etc/pki/rpm-gpg/RPM-GPG-KEY-remi',
444 }
445 } else {
446 yumrepo { 'remirepo-safe':
447 mirrorlist => 'http://cdn.remirepo.net/enterprise/$releasever/safe/mirror',
448 descr => "Extra CentOS packages from Remi",
449 enabled => 1,
450 failovermethod => 'priority',
451 gpgcheck => 1,
452 gpgkey => 'file:///etc/pki/rpm-gpg/RPM-GPG-KEY-remi',
453 }
454 yumrepo { 'remirepo-php':
455 mirrorlist => 'http://cdn.remirepo.net/enterprise/$releasever/php73/mirror',
456 descr => "PHP7.3 for CentOS from Remi",
457 enabled => 1,
458 failovermethod => 'priority',
459 gpgcheck => 1,
460 gpgkey => 'file:///etc/pki/rpm-gpg/RPM-GPG-KEY-remi',
461 }
429 } 462 }
430 file { '/etc/pki/rpm-gpg/RPM-GPG-KEY-remi': 463 file { '/etc/pki/rpm-gpg/RPM-GPG-KEY-remi':
431 ensure => present, 464 ensure => present,
432 source => 'puppet:///common/RPM-GPG-KEY-remi', 465 source => 'puppet:///common/RPM-GPG-KEY-remi',
433 before => YumRepo['remirepo-php'], 466 before => YumRepo['remirepo-php'],
440 extras => [ 'process', 'intl', 'pecl-imagick', 'bcmath', 'pecl-zip' ], 473 extras => [ 'process', 'intl', 'pecl-imagick', 'bcmath', 'pecl-zip' ],
441 } 474 }
442 475
443 #Setup MySQL, using (private) templates to make sure that we set non-std passwords and a default user 476 #Setup MySQL, using (private) templates to make sure that we set non-std passwords and a default user
444 477
445 if $operatingsystem == 'CentOS' and versioncmp($operatingsystemrelease, 7) >= 0 { 478 if $operatingsystem == 'CentOS' and versioncmp($operatingsystemrelease, '7') >= 0 {
446 $mysqlpackage = 'mariadb' 479 $mysqlpackage = 'mariadb'
447 $mysqlsuffix = '' 480 $mysqlsuffix = ''
448 481
449 $extra_packages = [ 482 $extra_packages = [
450 'policycoreutils-python', # Required for SELinux 483 'policycoreutils-python', # Required for SELinux
470 } 503 }
471 } 504 }
472 505
473 class ibboardvpsnode ( 506 class ibboardvpsnode (
474 $primary_ip, 507 $primary_ip,
475 $secondary_ip, 508 $secondary_ip = $primary_ip,
476 $mailserver, 509 $mailserver,
477 $imapserver, 510 $imapserver,
478 $firewall_cmd = 'iptables', 511 $firewall_cmd = 'iptables',
479 ){ 512 ){
480 class { 'basevpsnode': 513 class { 'basevpsnode':
493 'xsendfile' 526 'xsendfile'
494 ] 527 ]
495 apache::mod { 528 apache::mod {
496 $mods:; 529 $mods:;
497 } 530 }
498 if $operatingsystem == 'CentOS' and versioncmp($operatingsystemrelease, 7) >= 0 { 531 if $operatingsystem == 'CentOS' and versioncmp($operatingsystemrelease, '7') >= 0 {
499 apache::mod { 532 apache::mod {
500 'authn_core':; 533 'authn_core':;
501 } 534 }
502 } 535 }
503 $apache_packages = [ 'mod_xsendfile' ] 536 $apache_packages = [ 'mod_xsendfile' ]
504 package { $apache_packages: 537 package { $apache_packages:
506 } 539 }
507 540
508 #Configure our sites, using templates for the custom fragments where the extra content is too long 541 #Configure our sites, using templates for the custom fragments where the extra content is too long
509 include adminsite 542 include adminsite
510 website::https::multitld { 'www.ibboard': 543 website::https::multitld { 'www.ibboard':
511 custom_fragment => template("private/apache/ibboard.fragment"), 544 custom_fragment => template("privat/apache/ibboard.fragment"),
512 letsencrypt_name => 'ibboard.co.uk', 545 letsencrypt_name => 'ibboard.co.uk',
513 csp_override => { 546 csp_override => {
514 "report-uri" => "https://ibboard.report-uri.com/r/d/csp/enforce", 547 "report-uri" => "https://ibboard.report-uri.com/r/d/csp/enforce",
515 "default-src" => "'none'", 548 "default-src" => "'none'",
516 "img-src" => "'self' https://live.staticflickr.com/", 549 "img-src" => "'self' https://live.staticflickr.com/",
535 class adminsite{ 568 class adminsite{
536 apache::mod { 'info':; 'status':; 'cgi':; } 569 apache::mod { 'info':; 'status':; 'cgi':; }
537 website::https::multitld { 'admin.ibboard': 570 website::https::multitld { 'admin.ibboard':
538 force_no_index => false, 571 force_no_index => false,
539 ssl_ca_chain => '', 572 ssl_ca_chain => '',
540 custom_fragment => template("private/apache/admin.fragment"), 573 custom_fragment => template("privat/apache/admin.fragment"),
541 } 574 }
542 cron { 'loadavg': 575 cron { 'loadavg':
543 command => '/usr/local/bin/run-loadavg-logger', 576 command => '/usr/local/bin/run-loadavg-logger',
544 user => apache, 577 user => apache,
545 minute => '*/6' 578 minute => '*/6'
554 587
555 class hiveworldterrasite { 588 class hiveworldterrasite {
556 website::https::multitld { 'www.hiveworldterra': 589 website::https::multitld { 'www.hiveworldterra':
557 force_no_www => false, 590 force_no_www => false,
558 letsencrypt_name => 'hiveworldterra.co.uk', 591 letsencrypt_name => 'hiveworldterra.co.uk',
559 custom_fragment => template("private/apache/hwt.fragment"), 592 custom_fragment => template("privat/apache/hwt.fragment"),
560 } 593 }
561 website::https::multitld { 'forums.hiveworldterra': 594 website::https::multitld { 'forums.hiveworldterra':
562 letsencrypt_name => 'hiveworldterra.co.uk', 595 letsencrypt_name => 'hiveworldterra.co.uk',
563 custom_fragment => template("private/apache/forums.fragment"), 596 custom_fragment => template("privat/apache/forums.fragment"),
564 } 597 }
565 website::https::multitld { 'skins.hiveworldterra': 598 website::https::multitld { 'skins.hiveworldterra':
566 letsencrypt_name => 'hiveworldterra.co.uk', 599 letsencrypt_name => 'hiveworldterra.co.uk',
567 custom_fragment => template("private/apache/skins.fragment"), 600 custom_fragment => template("privat/apache/skins.fragment"),
568 } 601 }
569 website::https::redir { 'hiveworldterra.ibboard.co.uk': 602 website::https::redir { 'hiveworldterra.ibboard.co.uk':
570 redir => 'https://www.hiveworldterra.co.uk/', 603 redir => 'https://www.hiveworldterra.co.uk/',
571 docroot => "${website::basedir}/hiveworldterra", 604 docroot => "${website::basedir}/hiveworldterra",
572 letsencrypt_name => 'hiveworldterra.co.uk', 605 letsencrypt_name => 'hiveworldterra.co.uk',
576 class bdstrikesite { 609 class bdstrikesite {
577 website::https::multitld { 'www.bdstrike': 610 website::https::multitld { 'www.bdstrike':
578 docroot_owner => $defaultusers::secondary_user, 611 docroot_owner => $defaultusers::secondary_user,
579 docroot_group => 'editors', 612 docroot_group => 'editors',
580 letsencrypt_name => 'bdstrike.co.uk', 613 letsencrypt_name => 'bdstrike.co.uk',
581 custom_fragment => template("private/apache/bdstrike.fragment"), 614 custom_fragment => template("privat/apache/bdstrike.fragment"),
582 csp_override => {"frame-ancestors" => "'self'"}, 615 csp_override => {"frame-ancestors" => "'self'"},
583 csp_report_override => { 616 csp_report_override => {
584 "font-src" => "'self' https://fonts.gstatic.com/", 617 "font-src" => "'self' https://fonts.gstatic.com/",
585 "img-src" => "'self' https://secure.gravatar.com/", 618 "img-src" => "'self' https://secure.gravatar.com/",
586 "style-src" => "'self' https://fonts.googleapis.com/" 619 "style-src" => "'self' https://fonts.googleapis.com/"
627 ensure => installed, 660 ensure => installed,
628 } 661 }
629 662
630 website::https::multitld { 'www.warfoundry': 663 website::https::multitld { 'www.warfoundry':
631 letsencrypt_name => 'warfoundry.co.uk', 664 letsencrypt_name => 'warfoundry.co.uk',
632 custom_fragment => template("private/apache/warfoundry.fragment"), 665 custom_fragment => template("privat/apache/warfoundry.fragment"),
633 } 666 }
634 website::https::multitld { 'dev.ibboard': 667 website::https::multitld { 'dev.ibboard':
635 #Make sure we're the first one hit for the tiny fraction of "no support" cases we care about (potentially Python for Mercurial!) 668 #Make sure we're the first one hit for the tiny fraction of "no support" cases we care about (potentially Python for Mercurial!)
636 # http://en.wikipedia.org/wiki/Server_Name_Indication#No_support 669 # http://en.wikipedia.org/wiki/Server_Name_Indication#No_support
637 priority => 1, 670 priority => 1,
638 letsencrypt_name => 'dev.ibboard.co.uk', 671 letsencrypt_name => 'dev.ibboard.co.uk',
639 custom_fragment => template("private/apache/dev.fragment"), 672 custom_fragment => template("privat/apache/dev.fragment"),
640 force_no_index => false, 673 force_no_index => false,
641 } 674 }
642 } 675 }
643 676
644 class webmailpimsite { 677 class webmailpimsite {
645 # Webmail and Personal Information Management (PIM) sites 678 # Webmail and Personal Information Management (PIM) sites
646 website::https { 'webmail.ibboard.co.uk': 679 website::https { 'webmail.ibboard.co.uk':
647 force_no_index => false, 680 force_no_index => false,
648 ssl_ca_chain => '', 681 ssl_ca_chain => '',
649 custom_fragment => template("private/apache/webmail.fragment"), 682 custom_fragment => template("privat/apache/webmail.fragment"),
650 } 683 }
651 website::https { 'pim.ibboard.co.uk': 684 website::https { 'pim.ibboard.co.uk':
652 docroot_owner => 'apache', 685 docroot_owner => 'apache',
653 docroot_group => 'editors', 686 docroot_group => 'editors',
654 force_no_index => false, 687 force_no_index => false,
655 lockdown_requests => false, 688 lockdown_requests => false,
656 ssl_ca_chain => '', 689 ssl_ca_chain => '',
657 custom_fragment => template("private/apache/pim.fragment"), 690 custom_fragment => template("privat/apache/pim.fragment"),
658 } 691 }
659 cron { 'owncloudcron': 692 cron { 'owncloudcron':
660 command => "/usr/local/bin/owncloud-cron", 693 command => "/usr/local/bin/owncloud-cron",
661 user => 'apache', 694 user => 'apache',
662 minute => '*/15', 695 minute => '*/15',