other/Puppet: manifests/templates.pp comparison

comparison manifests/templates.pp @ 298:61e90445c899

Merge CentOS8 and CentOS7 branches Also includes some fixes to get it working on CentOS7

author	IBBoard <dev@ibboard.co.uk>
date	Mon, 17 Feb 2020 16:08:20 +0000
parents	3e04f35dd0af 9431aec4d998
children	1bfc290270cc

comparison

equal deleted inserted replaced

-:4f7315d7e869
+:61e90445c899
 # Make sure packages come after their repos
 File<| tag == 'repo-config' |> -> YumRepo<| |> -> Package<| |>
 # Make sure all files are in  place before starting services
-File<| tag != 'post-service' |> -> Service<| |>
+# FIXME: Title matches are to fix a dependency cycle
+File<| tag != 'post-service' and title != '/etc/sysconfig/ip6tables' and title != '/etc/sysconfig/iptables' |> -> Service<| |>
 # Set some shortcut variables
 #$os = $operatingsystem
 $osver = $operatingsystemmajrelease
 $server = ''
 	}
 }
 class basevpsnode (
 	$primary_ip,
-	$secondary_ip,
+	$proxy_4to6_ip_prefix = undef,
+	$proxy_upstream = undef,
 	$mailserver,
 	$imapserver,
 	$firewall_cmd = 'iptables',
 	) {
 	if $firewall_cmd == 'iptables' {
-		include vpsfirewall
+		class { 'vpsfirewall':
+			fw_protocol => $primary_ip =~ Stdlib::IP::Address::V6 ? { true => 'IPv6', default => 'IPv4'},
+		}
 	}
 	#VPS is a self-mastered Puppet machine, so bodge a Hosts file
 	file { '/etc/hosts':
 		ensure => present,
 	include ssh::server
 	include vcs::server
 	include vcs::client
 	class { 'webserver':
 		primary_ip => $primary_ip,
-		secondary_ip => $secondary_ip,
+		proxy_4to6_ip_prefix => $proxy_4to6_ip_prefix,
+		proxy_upstream => $proxy_upstream,
 	}
 	include cronjobs
 	include logrotate
 	class { 'fail2ban':
 		firewall_cmd => $firewall_cmd,
 	}
 }
 ## Classes to allow facet behaviour using preconfigured setups of classes
-class vpsfirewall {
+class vpsfirewall ($fw_protocol) {
 	resources { "firewall":
 		purge => false,
 	}
-	firewallchain { 'INPUT:filter:IPv4':
+	class { "my_fw":
-		purge => true,
+		ip_version => $fw_protocol,
+	}
+	# Control what does and doesn't get pruned in the main filter chain
+	firewallchain { "INPUT:filter:$fw_protocol":
+		purge => true,
 		ignore => [
 			'-j f2b-[^ ]+$',
 			'^(:|-A )f2b-',
 			'--comment "Great Firewall of China"',
 			'--comment "Do not purge',
 			],
 	}
-	Firewall {
+	if ($fw_protocol != "IPv6") {
-		before => Class['my_fw::post'],
+		firewall { '010 Whitelist Googlebot':
-		require => Class['my_fw::pre'],
+			source => '66.249.64.0/19',
-	}
+			dport => [80,443],
-	class { ['my_fw::pre', 'my_fw::post']: }
+			proto => tcp,
-	class { 'firewall': }
+			action => accept,
-	firewall { '010 Whitelist Googlebot':
+		}
-		source => '66.249.64.0/19',
+		# Block a spammer hitting our contact forms (also on StopForumSpam list A LOT)
-		dport => [80,443],
+		firewall { '099 Blacklist spammers 1':
-		proto => tcp,
+			source => '107.181.78.172',
-		action => accept,
+			dport => [80, 443],
-	}
+			proto => tcp,
-	# Block a spammer hitting our contact forms (also on StopForumSpam list A LOT)
+			action => 'reject',
-	firewall { '099 Blacklist spammers 1':
+		}
-		source => '107.181.78.172',
+		firewall { '099 Blacklist IODC bot':
-		dport => [80, 443],
+			# IODC bot makes too many bad requests, and contact form is broken
-		proto => tcp,
+			# They don't publish a robots.txt name, so firewall it!
-		action => 'reject',
+			source => '86.153.145.149',
-	}
+			dport => [ 80, 443 ],
-	firewall { '099 Blacklist IODC bot':
+			proto => tcp,
-		# IODC bot makes too many bad requests, and contact form is broken
+			action => 'reject',
-		# They don't publish a robots.txt name, so firewall it!
+		}
-		source => '86.153.145.149',
+		firewall { '099 Blacklist Baidu Brazil':
-		dport => [ 80, 443 ],
+			#Baidu got a Brazilian netblock and are hitting us hard
-		proto => tcp,
+			#Baidu doesn't honour "crawl-delay" in robots.txt
-		action => 'reject',
+			#Baidu gets firewalled
-	}
+			source => '131.161.8.0/22',
-	firewall { '099 Blacklist Baidu Brazil':
+			dport => [ 80, 443 ],
-		#Baidu got a Brazilian netblock and are hitting us hard
+			proto => tcp,
-		#Baidu doesn't honour "crawl-delay" in robots.txt
+			action => 'reject',
-		#Baidu gets firewalled
+		}
-		source => '131.161.8.0/22',
+	}
-		dport => [ 80, 443 ],
+	firewallchain { "GREATFIREWALLOFCHINA:filter:$fw_protocol":
-		proto => tcp,
-		action => 'reject',
-	}
-	firewallchain { 'GREATFIREWALLOFCHINA:filter:IPv4':
 		ensure => present,
 	}
 	firewall { '050 Check our Great Firewall Against China':
 		chain => 'INPUT',
 		jump => 'GREATFIREWALLOFCHINA',
 	}
-	firewallchain { 'Fail2Ban:filter:IPv4':
+	firewallchain { "Fail2Ban:filter:$fw_protocol":
 		ensure => present,
 	}
 	firewall { '060 Check Fail2Ban':
 		chain => 'INPUT',
 		jump => 'Fail2Ban',
-	}
-	firewall { '100 allow https and http':
-		dport => [80, 443],
-		proto => tcp,
-		action => accept,
 	}
 	firewall { '101 allow SMTP':
 		dport => [25, 465],
 		proto => tcp,
 		action => accept,
 	}
 	file { '/etc/pki/rpm-gpg/RPM-GPG-KEY-webtatic-el7':
 		ensure => absent,
 	}
-	# Install Pip and symlink it so we can use it as a package provider
+	if $operatingsystem == 'CentOS' and versioncmp($operatingsystemrelease, '8') >= 0 {
-	package { 'python2-pip':
+		$python_ver = 'python3'
-		ensure => installed;
+	} else {
-	}
+		$python_ver = 'system'
-	->
+	}
-	file { '/usr/bin/pip-python':
-		ensure => link,
+	class { 'python':
-		target => '/usr/bin/pip',
+		ensure => 'present',
-	} -> Package <| provider == 'pip' |>
+		version => $python_ver,
+		pip => 'present',
+		virtualenv => 'present',
+		use_epel => false,
+	}
 }
 class tools {
-	$packages = [ 'sqlite', 'bash-completion', 'nano', 'bzip2', 'mlocate', 'patch', 'tmux' ]
+	$packages = [ 'sqlite', 'bash-completion', 'nano', 'bzip2', 'mlocate', 'patch', 'tmux', 'wget' ]
 	package { $packages:
 		ensure => installed;
 	}
 }
 }
 #Our web server with our configs, not just a stock one
 class webserver (
 	$primary_ip,
-	$secondary_ip,
+	$proxy_4to6_ip_prefix = undef,
+	$proxy_upstream = undef,
 	) {
+	if $proxy_4to6_ip_prefix == undef {
+		$ipv6_addresses = []
+	}
+	else {
+		$ipv6_addresses = [1, 2, 3, 4, 5, 6, 7, 8, 9].map |$octet| { "$proxy_4to6_ip_prefix:$octet" }
+	}
 	#Setup base website parameters
 	class { 'website':
 		base_dir => '/srv/sites',
 		primary_ip => $primary_ip,
-		secondary_ip => $secondary_ip,
+		proxy_4to6_ip_prefix => $proxy_4to6_ip_prefix,
+		proxy_4to6_mask => 124,
+		proxy_4to6_addresses => $ipv6_addresses,
+		proxy_upstream => $proxy_upstream,
 		default_owner => $defaultusers::default_user,
 		default_group => $defaultusers::default_user,
 		default_tld => 'co.uk',
 		default_extra_tlds => [ 'com' ],
 	}
 			name => $semanage_package_name,
 			ensure => present,
 		}
 		$extra_packages = [
-			'subversion-python', #Required for Trac
 			'perl-Sys-Syslog', #Required for Perl SPF checking
 		]
 		package { $extra_packages:
 			 ensure => installed
 	}
 }
 class ibboardvpsnode (
 	$primary_ip,
-	$secondary_ip = $primary_ip,
+	$proxy_4to6_ip_prefix = undef,
+	$proxy_upstream = undef,
 	$mailserver,
 	$imapserver,
 	$firewall_cmd = 'iptables',
 	){
 	class { 'basevpsnode':
 		primary_ip => $primary_ip,
-		secondary_ip => $secondary_ip,
+		proxy_4to6_ip_prefix => $proxy_4to6_ip_prefix,
+		proxy_upstream => $proxy_upstream,
 		mailserver => $mailserver,
 		imapserver => $imapserver,
 		firewall_cmd => $firewall_cmd,
 	}
 			'authn_core':;
 		}
 	}
 	#Configure our sites, using templates for the custom fragments where the extra content is too long
-	include adminsite
+	class { "devsite":
+		proxy_4to6_ip => $proxy_4to6_ip_prefix != undef ? { true => "$proxy_4to6_ip_prefix:01", default => undef }
+	}
+	class { "adminsite":
+		proxy_4to6_ip => $proxy_4to6_ip_prefix != undef ? { true => "$proxy_4to6_ip_prefix:02", default => undef }
+	}
 	website::https::multitld { 'www.ibboard':
+		proxy_4to6_ip => $proxy_4to6_ip_prefix != undef ? { true => "$proxy_4to6_ip_prefix:03", default => undef },
 		custom_fragment => template("privat/apache/ibboard.fragment"),
 		letsencrypt_name => 'ibboard.co.uk',
 		csp_override => {
 			"report-uri" => "https://ibboard.report-uri.com/r/d/csp/enforce",
 			"default-src" => "'none'",
 			"font-src" => "'self'",
 			"form-action" => "'self'",
 			"connect-src" => "'self'",
 		}
 	}
-	include hiveworldterrasite
+	class { "hiveworldterrasite":
-	include bdstrikesite
+		proxy_4to6_ip => $proxy_4to6_ip_prefix != undef ? { true => "$proxy_4to6_ip_prefix:04", default => undef }
-	include devsite
+	}
+	class { "bdstrikesite":
+		proxy_4to6_ip => $proxy_4to6_ip_prefix != undef ? { true => "$proxy_4to6_ip_prefix:05", default => undef }
+	}
 	website::https::multitld { 'www.abiknight':
+		proxy_4to6_ip => $proxy_4to6_ip_prefix != undef ? { true => "$proxy_4to6_ip_prefix:06", default => undef },
 		custom_fragment => "$website::htmlphpfragment
 	ErrorDocument 404 /error.php",
 		letsencrypt_name => 'abiknight.co.uk',
 	}
-	include webmailpimsite
+	website::https::multitld { 'www.warfoundry':
-}
+		proxy_4to6_ip => $proxy_4to6_ip_prefix != undef ? { true => "$proxy_4to6_ip_prefix:07", default => undef },
+		letsencrypt_name => 'warfoundry.co.uk',
-class adminsite{
+		custom_fragment => template("privat/apache/warfoundry.fragment"),
+	}
+	class { "webmailpimsite":
+		proxy_4to6_ip_pim => $proxy_4to6_ip_prefix != undef ? { true => "$proxy_4to6_ip_prefix:08", default => undef },
+		proxy_4to6_ip_webmail => $proxy_4to6_ip_prefix != undef ? { true => "$proxy_4to6_ip_prefix:09", default => undef },
+	}
+}
+class adminsite ($proxy_4to6_ip) {
 	apache::mod { 'info':; 'status':; 'cgi':; }
 	website::https::multitld { 'admin.ibboard':
+		proxy_4to6_ip => $proxy_4to6_ip,
 		force_no_index => false,
 		ssl_ca_chain => '',
 		custom_fragment => template("privat/apache/admin.fragment"),
 	}
 	cron { 'loadavg':
 		hour => '*/6',
 		minute => '0'
 	}
 }
-class hiveworldterrasite {
+class hiveworldterrasite ($proxy_4to6_ip) {
 	website::https::multitld { 'www.hiveworldterra':
+		proxy_4to6_ip => $proxy_4to6_ip,
 		force_no_www => false,
 		letsencrypt_name => 'hiveworldterra.co.uk',
 		custom_fragment => template("privat/apache/hwt.fragment"),
 	}
 	website::https::multitld { 'forums.hiveworldterra':
+		proxy_4to6_ip => $proxy_4to6_ip,
 		letsencrypt_name => 'hiveworldterra.co.uk',
 		custom_fragment => template("privat/apache/forums.fragment"),
 	}
 	website::https::multitld { 'skins.hiveworldterra':
+		proxy_4to6_ip => $proxy_4to6_ip,
 		letsencrypt_name => 'hiveworldterra.co.uk',
 		custom_fragment => template("privat/apache/skins.fragment"),
 	}
 	website::https::redir { 'hiveworldterra.ibboard.co.uk':
+		proxy_4to6_ip => $proxy_4to6_ip,
 		redir => 'https://www.hiveworldterra.co.uk/',
 		docroot => "${website::basedir}/hiveworldterra",
 		letsencrypt_name => 'hiveworldterra.co.uk',
 		separate_log => true,
 	}
 }
-class bdstrikesite {
+class bdstrikesite ($proxy_4to6_ip) {
 	website::https::multitld { 'www.bdstrike':
+		proxy_4to6_ip => $proxy_4to6_ip,
 		docroot_owner => $defaultusers::secondary_user,
 		docroot_group => 'editors',
 		letsencrypt_name => 'bdstrike.co.uk',
 		custom_fragment => template("privat/apache/bdstrike.fragment"),
 		csp_override => {"frame-ancestors" => "'self'"},
 		'strikecreations.co.uk',
 		'strikecreations.com',
 		'www.strikecreations.com' ]
 	website::https::redir { 'www.strikecreations.co.uk':
+		proxy_4to6_ip => $proxy_4to6_ip,
 		redir => 'https://bdstrike.co.uk/',
 		serveraliases => $aliases,
 		docroot => "${website::basedir}/bdstrike",
 		docroot_owner => $defaultusers::secondary_user,
 		docroot_group => 'editors',
 		command => "/usr/local/bin/bdstrike-cron",
 		user => $defaultusers::default_user,
 		minute => '*/15',
 	}
 }
-class devsite {
+class devsite ($proxy_4to6_ip) {
 	if versioncmp($operatingsystemrelease, '8') >= 0 {
 		# Apache::Mod doesn't map this correctly for CentOS 8 yet
 		$mod_wsgi_lib = 'mod_wsgi_python3.so'
 	} else {
 		$mod_wsgi_lib = undef
 		# mod_wsgi for Python support
 		'wsgi':
 		  lib => $mod_wsgi_lib,
 	}
-	include python::venv
 	# Create Python virtualenvs for the dev site apps
-	python::venv::isolate {
+	file {
-		"/srv/rhodecode/virtualenv":;
+		"/srv/rhodecode":
-		"/srv/trac/virtualenv":;
+			ensure => 'directory';
+		"/srv/trac":
+			ensure => 'directory';
+	} ->
+	python::virtualenv {
+		# Distribute is described as "simple compatibility layer that installs Setuptools 0.7+"
+		# and leads to 'module "importlib._bootstrap" has no attribute "SourceFileLoader"'
+		"/srv/rhodecode/virtualenv":
+			distribute => false,
+			version => '3';
+		"/srv/trac/virtualenv":
+			distribute => false,
+			version => '3';
 	}
 	# Graphviz for Trac "master ticket" graphs
 	package { 'graphviz':
 		ensure => installed,
 	}
-	website::https::multitld { 'www.warfoundry':
-		letsencrypt_name => 'warfoundry.co.uk',
-		custom_fragment => template("privat/apache/warfoundry.fragment"),
-	}
 	website::https::multitld { 'dev.ibboard':
+		proxy_4to6_ip => $proxy_4to6_ip,
 		#Make sure we're the first one hit for the tiny fraction of "no support" cases we care about (potentially Python for Mercurial!)
 		# http://en.wikipedia.org/wiki/Server_Name_Indication#No_support
 		priority => 1,
 		letsencrypt_name => 'dev.ibboard.co.uk',
 		custom_fragment => template("privat/apache/dev.fragment"),
+		proxy_fragment => template("privat/apache/dev-proxy.fragment"),
 		force_no_index => false,
 	}
 }
-class webmailpimsite {
+class webmailpimsite ($proxy_4to6_ip_pim, $proxy_4to6_ip_webmail) {
 	# Webmail and Personal Information Management (PIM) sites
 	website::https { 'webmail.ibboard.co.uk':
+		proxy_4to6_ip => $proxy_4to6_ip_webmail,
 		force_no_index => false,
 		ssl_ca_chain => '',
 		custom_fragment => template("privat/apache/webmail.fragment"),
 	}
 	website::https { 'pim.ibboard.co.uk':
+		proxy_4to6_ip => $proxy_4to6_ip_pim,
 		docroot_owner => 'apache',
 		docroot_group => 'editors',
 		force_no_index => false,
 		lockdown_requests => false,
 		ssl_ca_chain => '',
 	class { 'dovecot':
 		imapserver => $imapserver,
 	}
 	# Unspecified SpamAssassin config dependencies that started
 	# showing up as errors in our logs
-	package { ['perl-File-MimeInfo', 'perl-IO-Compress-Lzma']:
+	package { ['perl-File-MimeInfo']:
 		ensure => installed,
 	}
 	package { [ 'amavisd-new' ]:
 		ensure => installed,
 		tag => 'av',
 	}
 	service { 'amavisd':
 		ensure => 'running',
 		enable => 'true',
+	}
+	service { 'clamd@amavisd':
+		ensure => 'stopped',
+		enable=> 'mask',
 	}
 	file { '/etc/amavisd/amavisd.conf':
 		ensure => present,
 		source => 'puppet:///private/postfix/amavisd.conf',
 		tag => 'av',

Mercurial > repos > other > Puppet

comparison manifests/templates.pp @ 298:61e90445c899