comparison manifests/templates.pp @ 0:956e484adc12

Initial public release of Puppet configs
author IBBoard <dev@ibboard.co.uk>
date Sat, 16 Aug 2014 19:47:38 +0000
parents
children b7c30595c97a
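--- a/manifests/templates.pp
+++ b/manifests/templates.pp
@@ -0,0 +1,469 @@
+class basenode {
+$os = $operatingsystem
+$osver = "v${operatingsystemrelease}"
+include sudo
+
+include defaultusers
+include logwatch
+}
+
+class basevpsnode (
+$primary_ip,
+$secondary_ip,
+$mailserver,
+$imapserver,
+) {
+#VPS is a self-mastered Puppet machine, so bodge a Hosts file
+file { '/etc/hosts':
+ensure => present,
+content => "127.0.0.1 localhost puppet
+$primary_ip ${fqdn}",
+}
+
+require repos
+include basenode
+include ssh::server
+include vcs::server
+include vcs::client
+class { 'webserver':
+primary_ip => $primary_ip,
+secondary_ip => $secondary_ip,
+}
+include cronjobs
+include logrotate
+include fail2ban
+include tools
+class { 'email':
+mailserver => $mailserver,
+imapserver => $imapserver,
+}
+}
+
+## Classes to allow facet behaviour using preconfigured setups of classes
+
+class repos {
+yumrepo { 'epel':
+mirrorlist => 'https://mirrors.fedoraproject.org/metalink?repo=epel-$releasever&arch=$basearch',
+descr => "Extra Packages for Enterprise Linux",
+enabled => 1,
+failovermethod => 'priority',
+gpgcheck => 1,
+gpgkey => 'file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6',
+}
+file { '/etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6':
+ensure => present,
+source => 'puppet:///common/RPM-GPG-KEY-EPEL-6'
+}
+yumrepo { 'ibboard':
+baseurl => 'http://download.opensuse.org/repositories/home:/IBBoard:/server/CentOS_CentOS-$releasever/',
+descr => 'IBBoard Server',
+enabled => 1,
+gpgcheck => 1,
+gpgkey => 'file:///etc/pki/rpm-gpg/RPM-GPG-KEY-IBBoard-OBS',
+}
+file { '/etc/pki/rpm-gpg/RPM-GPG-KEY-IBBoard-OBS':
+ensure => present,
+source => 'puppet:///common/RPM-GPG-KEY-IBBoard-OBS'
+}
+yumrepo { 'webtatic':
+mirrorlist => 'http://repo.webtatic.com/yum/el$releasever/$basearch/mirrorlist',
+descr => "Extra Packages for Enterprise Linux",
+enabled => 1,
+failovermethod => 'priority',
+gpgcheck => 1,
+gpgkey => 'file:///etc/pki/rpm-gpg/RPM-GPG-KEY-webtatic-andy',
+}
+file { '/etc/pki/rpm-gpg/RPM-GPG-KEY-webtatic-andy':
+ensure => present,
+source => 'puppet:///common/RPM-GPG-KEY-webtatic-andy'
+}
+}
+
+class tools {
+$packages = [ 'sqlite', 'bash-completion' ]
+package { $packages:
+ensure => latest;
+}
+}
+
+class logrotate {
+package { 'logrotate':
+ensure => latest;
+}
+file { '/etc/logrotate.d/httpd':
+ensure => present,
+source => 'puppet:///common/logrotate-httpd',
+require => Package['logrotate'],
+}
+file { '/etc/logrotate.d/trac':
+ensure => present,
+source => 'puppet:///common/logrotate-trac',
+require => Package['logrotate'],
+}
+}
+
+class logwatch {
+package { 'logwatch':
+ensure => latest;
+}
+File {
+ensure => present,
+require => Package['logwatch'],
+}
+file { '/etc/cron.daily/0logwatch':
+source => 'puppet:///common/0logwatch';
+}
+file { '/etc/logwatch/scripts/shared/':
+ensure => directory,
+}
+file { '/etc/logwatch/scripts/services/http-error':
+source => 'puppet:///common/logwatch/http-error',
+}
+file { '/etc/logwatch/scripts/services/php':
+source => 'puppet:///common/logwatch/scripts_php',
+}
+file { '/etc/logwatch/scripts/services/mysql':
+source => 'puppet:///common/logwatch/scripts_mysql',
+}
+file { '/etc/logwatch/scripts/services/dovecot':
+source => 'puppet:///common/logwatch/dovecot',
+}
+file { '/etc/logwatch/scripts/services/postfix':
+source => 'puppet:///common/logwatch/postfix',
+}
+file { '/etc/logwatch/scripts/shared/applyhttperrordate':
+source => 'puppet:///common/logwatch/applyhttperrordate',
+}
+file { '/etc/logwatch/conf/logwatch.conf':
+content => 'Detail = Med',
+}
+file { '/etc/logwatch/conf/logfiles/http.conf':
+content => 'LogFile = apache/access_*.log',
+}
+file { '/etc/logwatch/conf/logfiles/http-error.conf':
+source => 'puppet:///common/logwatch/log-http-error.conf',
+}
+file { '/etc/logwatch/conf/services/http-error.conf':
+source => 'puppet:///common/logwatch/services-http-error.conf',
+}
+file { '/etc/logwatch/conf/logfiles/php.conf':
+source => 'puppet:///common/logwatch/logfiles_php.conf',
+}
+file { '/etc/logwatch/conf/services/php.conf':
+source => 'puppet:///common/logwatch/services_php.conf',
+}
+file { '/etc/logwatch/conf/logfiles/mysql.conf':
+source => 'puppet:///common/logwatch/logfiles_mysql.conf',
+}
+file { '/etc/logwatch/conf/services/mysql.conf':
+source => 'puppet:///common/logwatch/services_mysql.conf',
+}
+}
+
+class fail2ban {
+package { 'fail2ban':
+ensure => latest,
+}
+service { 'fail2ban':
+ensure => running,
+enable => true
+}
+File {
+ensure => present,
+require => Package['fail2ban'],
+notify => Service['fail2ban'],
+}
+file { '/etc/fail2ban/jail.local':
+source => 'puppet:///common/fail2ban/jail.local',
+}
+file { '/etc/fail2ban/action.d/apf.conf':
+source => 'puppet:///common/fail2ban/apf.conf',
+}
+file { '/etc/fail2ban/filter.d/ibb-apache-exploits-instaban.conf':
+source => 'puppet:///common/fail2ban/ibb-apache-exploits-instaban.conf',
+}
+file { '/etc/fail2ban/filter.d/ibb-repeat-offender.conf':
+source => 'puppet:///common/fail2ban/ibb-repeat-offender.conf',
+}
+file { '/etc/fail2ban/filter.d/ibb-postfix-spammers.conf':
+source => 'puppet:///common/fail2ban/ibb-postfix-spammers.conf',
+}
+file { '/etc/fail2ban/filter.d/ibb-postfix-malicious.conf':
+source => 'puppet:///common/fail2ban/ibb-postfix-malicious.conf',
+}
+file { '/etc/fail2ban/filter.d/ibb-postfix.conf':
+source => 'puppet:///common/fail2ban/ibb-postfix.conf',
+}
+file { '/etc/fail2ban/fail2ban.local':
+content => '[Definition]
+logtarget = /var/log/fail2ban.log'
+}
+}
+
+#Our web server with our configs, not just a stock one
+class webserver (
+$primary_ip,
+$secondary_ip,
+) {
+#Setup base website parameters
+class { 'website':
+base_dir => '/srv/sites',
+primary_ip => $primary_ip,
+secondary_ip => $secondary_ip,
+default_owner => $defaultusers::default_user,
+default_group => $defaultusers::default_user,
+default_tld => 'co.uk',
+default_extra_tlds => [ 'com' ],
+}
+#Configure the PHP version to use
+class { 'website::php':
+suffix => '55w', #Webtatic's PHP 5.5
+opcache => 'opcache',
+}
+#Setup MySQL, using (private) templates to make sure that we set non-std passwords and a default user
+class { 'website::mysql':
+mysqluser => template('defaultusers/mysql-user'),
+mysqlpassword => template('defaultusers/mysql-password'),
+mysqlsuffix => '55w',
+phpsuffix => '55w',
+phpmysqlsuffix => 'nd'
+}
+}
+
+class ibboardvpsnode (
+$primary_ip,
+$secondary_ip,
+$mailserver,
+$imapserver,
+){
+class { 'basevpsnode':
+primary_ip => $primary_ip,
+secondary_ip => $secondary_ip,
+mailserver => $mailserver,
+imapserver => $imapserver,
+}
+
+# Common modules used by multiple sites (mod_auth_basic is safe because we HTTPS all the things)
+apache::mod {
+'auth_basic':; 'authn_file':; 'authz_user':; 'auth_token':;'deflate':;
+}
+$apache_packages = [ 'mod_auth_token' ]
+package { $apache_packages:
+ensure => present;
+}
+
+#Configure our sites, using templates for the custom fragments where the extra content is too long
+include adminsite
+website::https::multitld { 'www.ibboard':
+custom_fragment => template("private/apache/ibboard.fragment"),
+}
+include hiveworldterrasite
+include glittergothsite
+include devsite
+website::https::multitld { 'www.abiknight':
+custom_fragment => "$website::htmlphpfragment
+ErrorDocument 404 /error.php",
+}
+website::https::multitld { 'www.gracebertram':
+main_tld => 'com',
+extra_tlds => [ 'co.uk' ],
+docroot_owner => $defaultusers::secondary_user,
+docroot_group => 'editors',
+custom_fragment => template("private/apache/gracebertram.fragment"),
+}
+website::https { 'www.realmrunner.com':
+docroot => "${website::basedir}/gracebertram", # Don't give it a separate docroot because it is a redirect via the fragment
+docroot_owner => $defaultusers::secondary_user,
+docroot_group => 'editors',
+serveraliases => 'realmrunner.com',
+custom_fragment => template("private/apache/realmrunner.fragment"),
+}
+include webmailpimsite
+}
+
+class adminsite{
+apache::mod { 'info':; 'status':; 'cgi':; }
+website::https::multitld { 'admin.ibboard':
+force_no_index => false,
+ssl_ca_chain => '',
+custom_fragment => template("private/apache/admin.fragment"),
+}
+cron { 'loadavg':
+command => '/usr/local/bin/run-loadavg-logger',
+user => apache,
+minute => '*/6'
+}
+cron { 'awstats':
+command => '/usr/local/bin/update-awstats > /srv/sites/admin/awstats.log',
+user => apache,
+hour => '*/6',
+minute => '0'
+}
+}
+
+class hiveworldterrasite {
+website::https::multitld { 'www.hiveworldterra':
+force_no_www => false,
+custom_fragment => template("private/apache/hwt.fragment"),
+}
+website::https::multitld { 'forums.hiveworldterra':
+custom_fragment => 'ErrorDocument 404 /error.php'
+}
+website::https::multitld { 'skins.hiveworldterra':
+custom_fragment => template("private/apache/skins.fragment"),
+}
+website::https::redir { 'hiveworldterra.ibboard.co.uk':
+redir => 'https://www.hiveworldterra.co.uk/',
+docroot => "${website::basedir}/hiveworldterra",
+separate_log => true,
+}
+}
+
+class devsite {
+apache::mod {
+# mod_wsgi for Python support
+'wsgi':;
+}
+
+include python::venv
+
+# Create Python virtualenvs for the dev site apps
+python::venv::isolate {
+"/srv/rhodecode/virtualenv":;
+"/srv/trac/virtualenv":;
+}
+
+# Graphviz for Trac "master ticket" graphs
+package { 'graphviz':
+ensure => latest,
+}
+
+website::https::multitld { 'www.warfoundry':
+custom_fragment => template("private/apache/warfoundry.fragment"),
+}
+website::https::multitld { 'dev.ibboard':
+#Make sure we're the first one hit for the tiny fraction of "no support" cases we care about (potentially Python for Mercurial!)
+# http://en.wikipedia.org/wiki/Server_Name_Indication#No_support
+priority => 1,
+custom_fragment => template("private/apache/dev.fragment"),
+}
+}
+class glittergothsite {
+website::https::multitld { 'www.glittergoth':
+ip => $website::secondary_ip,
+priority => 1,
+ssl_ca_chain => 'glittergoth.ca-bundle',
+docroot_owner => $defaultusers::secondary_user,
+docroot_group => 'editors',
+force_no_index => false,
+custom_fragment => template("private/apache/glittergoth.fragment"),
+}
+website::https { 'test.glittergoth.co.uk':
+docroot => "${website::basedir}/glittergoth-test",
+docroot_owner => $defaultusers::secondary_user,
+docroot_group => 'editors',
+ip => $website::secondary_ip,
+force_no_index => false,
+custom_fragment => template("private/apache/glittergoth-test.fragment"),
+}
+
+# Website specific cron jobs
+cron { 'backupopencart':
+command => "/usr/local/bin/backupdb opencart",
+user => 'root',
+hour => '*/6',
+minute => '15',
+}
+cron { 'requestreviews':
+command => '/usr/local/bin/request-reviews 2> /srv/sites/admin/request-reviews.log',
+user => 'apache',
+hour => 4,
+minute => 5
+}
+}
+
+class webmailpimsite {
+# Webmail and Personal Information Management (PIM) sites
+website::https { 'webmail.ibboard.co.uk':
+force_no_index => false,
+ssl_ca_chain => '',
+custom_fragment => template("private/apache/webmail.fragment"),
+}
+website::https { 'pim.ibboard.co.uk':
+force_no_index => false,
+lockdown_requests => false,
+ssl_ca_chain => '',
+custom_fragment => template("private/apache/pim.fragment"),
+}
+cron { 'owncloudcron':
+command => "/usr/local/bin/owncloud-cron",
+user => 'apache',
+minute => '*/15',
+}
+}
+
+class email (
+$mailserver,
+$imapserver,
+){
+class { 'postfix':
+mailserver => $mailserver,
+}
+class { 'dovecot':
+imapserver => $imapserver,
+}
+}
+
+class cronjobs {
+# Add Mutt for scripts that send emails, but stop it clogging the disk by keeping copies of emails
+package { 'mutt':
+ensure => latest,
+}
+file { '/etc/Muttrc.local':
+content => 'set copy = no',
+require => Package['mutt'],
+}
+
+# General server-wide cron jobs
+Cron { user => 'root' }
+cron { 'backupalldbs':
+command => "/usr/local/bin/backupalldbs",
+monthday => "*/2",
+hour => "4",
+minute => "9"
+}
+cron { 'greatfirewallofchina':
+command => '/usr/local/bin/update-great-firewall-of-china',
+hour => 3,
+minute => 30
+}
+cron { 'permissions':
+command => '/usr/local/bin/set-permissions',
+hour => 3,
+minute => 5
+}
+cron { 'apf-refresh':
+command => '/etc/apf/apf --refresh >> /dev/null 2>&1 &',
+hour => '*/6',
+minute => '45'
+}
+# Since we're only managing the local server, use "puppet apply" instead of PuppetMaster
+cron { 'puppet':
+command => 'puppet apply /etc/puppet/manifests/site.pp | grep -v "Finished catalog run in"',
+hour => '*/6',
+minute => 5
+}
+cron { 'purgecaches':
+command => "/usr/local/bin/purge-caches",
+hour => '4',
+minute => '15',
+weekday => '1',
+}
+# Notify of uncommitted files
+cron { 'check-mercurial-committed':
+command => "/usr/local/bin/check-hg-status",
+hour => '4',
+minute => '20',
+weekday => '0-6/3', #Sunday, Wednesday and Saturday morning
+}
+}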
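Review bot: The `ibboard` and `webtatic` yumrepos in class `repos` are fetched over plain `http://` (`baseurl` and `mirrorlist`), so although `gpgcheck => 1` verifies the RPM signatures, the repository metadata and mirror list are retrieved with no transport integrity; using `https://` where the mirror offers it, or `repo_gpgcheck => 1` where the repository signs its metadata, closes that gap, and the `epel` entry already uses `https://`. The `webtatic` entry's `descr` is a copy of EPEL's "Extra Packages for Enterprise Linux" and should read something like `descr => 'Webtatic EL Repository'`. The `awstats` and `requestreviews` crons redirect output to `/srv/sites/admin/...`, which, given `base_dir => '/srv/sites'` in class `webserver`, is presumably the admin site's docroot; if so those logs are served by Apache under whatever access control the admin fragment applies, and writing them under `/var/log` instead avoids depending on that. Minor style point: the two `adminsite` crons use the bareword `user => apache` while every other cron quotes `'apache'`; quoting it keeps the file consistent.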