diff manifests/templates.pp @ 0:956e484adc12

Initial public release of Puppet configs
author IBBoard <dev@ibboard.co.uk>
date Sat, 16 Aug 2014 19:47:38 +0000
parents
children b7c30595c97a
line wrap: on
line diff
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/manifests/templates.pp	Sat Aug 16 19:47:38 2014 +0000
@@ -0,0 +1,469 @@
+class basenode {
+	$os = $operatingsystem
+	$osver = "v${operatingsystemrelease}"
+	include sudo
+
+	include defaultusers
+	include logwatch
+}
+
+class basevpsnode (
+	$primary_ip,
+	$secondary_ip,
+	$mailserver,
+	$imapserver,
+	) {
+	#VPS is a self-mastered Puppet machine, so bodge a Hosts file
+	file { '/etc/hosts':
+		ensure => present,
+		content => "127.0.0.1   localhost puppet
+$primary_ip ${fqdn}",
+	}
+
+	require repos
+	include basenode
+	include ssh::server
+	include vcs::server
+	include vcs::client
+	class { 'webserver':
+		primary_ip => $primary_ip,
+		secondary_ip => $secondary_ip,
+	}
+	include cronjobs
+	include logrotate
+	include fail2ban
+	include tools
+	class { 'email':
+		mailserver => $mailserver,
+		imapserver => $imapserver,
+	}
+}
+
+## Classes to allow facet behaviour using preconfigured setups of classes
+
+class repos {
+	yumrepo { 'epel':
+		mirrorlist => 'https://mirrors.fedoraproject.org/metalink?repo=epel-$releasever&arch=$basearch',
+		descr => "Extra Packages for Enterprise Linux",
+		enabled => 1,
+		failovermethod => 'priority',
+		gpgcheck => 1,
+		gpgkey => 'file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6',
+	}
+	file { '/etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6':
+		ensure => present,
+		source => 'puppet:///common/RPM-GPG-KEY-EPEL-6'
+	}
+	yumrepo { 'ibboard':
+		baseurl => 'http://download.opensuse.org/repositories/home:/IBBoard:/server/CentOS_CentOS-$releasever/',
+		descr => 'IBBoard Server',
+		enabled => 1,
+		gpgcheck => 1,
+		gpgkey => 'file:///etc/pki/rpm-gpg/RPM-GPG-KEY-IBBoard-OBS',
+	}
+	file { '/etc/pki/rpm-gpg/RPM-GPG-KEY-IBBoard-OBS':
+		ensure => present,
+		source => 'puppet:///common/RPM-GPG-KEY-IBBoard-OBS'
+	}
+	yumrepo { 'webtatic':
+		mirrorlist => 'http://repo.webtatic.com/yum/el$releasever/$basearch/mirrorlist',
+		descr => "Extra Packages for Enterprise Linux",
+		enabled => 1,
+		failovermethod => 'priority',
+		gpgcheck => 1,
+		gpgkey => 'file:///etc/pki/rpm-gpg/RPM-GPG-KEY-webtatic-andy',
+	}
+	file { '/etc/pki/rpm-gpg/RPM-GPG-KEY-webtatic-andy':
+		ensure => present,
+		source => 'puppet:///common/RPM-GPG-KEY-webtatic-andy'
+	}
+}
+
+class tools {
+	$packages = [ 'sqlite', 'bash-completion' ]
+	package { $packages:
+		ensure => latest;
+	}
+}
+
+class logrotate {
+	package { 'logrotate':
+		ensure => latest;
+	}
+	file { '/etc/logrotate.d/httpd':
+		ensure => present,
+		source => 'puppet:///common/logrotate-httpd',
+		require => Package['logrotate'],
+	}
+	file { '/etc/logrotate.d/trac':
+		ensure => present,
+		source => 'puppet:///common/logrotate-trac',
+		require => Package['logrotate'],
+	}
+}
+
+class logwatch {
+	package { 'logwatch':
+		ensure => latest;
+	}
+	File {
+		ensure => present,
+		require => Package['logwatch'],
+	}
+	file { '/etc/cron.daily/0logwatch':
+		source => 'puppet:///common/0logwatch';
+	}
+	file { '/etc/logwatch/scripts/shared/':
+		ensure => directory,
+	}
+	file { '/etc/logwatch/scripts/services/http-error':
+		source => 'puppet:///common/logwatch/http-error',
+	}
+	file { '/etc/logwatch/scripts/services/php':
+		source => 'puppet:///common/logwatch/scripts_php',
+	}
+	file { '/etc/logwatch/scripts/services/mysql':
+		source => 'puppet:///common/logwatch/scripts_mysql',
+	}
+	file { '/etc/logwatch/scripts/services/dovecot':
+		source => 'puppet:///common/logwatch/dovecot',
+	}
+	file { '/etc/logwatch/scripts/services/postfix':
+		source => 'puppet:///common/logwatch/postfix',
+	}
+	file { '/etc/logwatch/scripts/shared/applyhttperrordate':
+		source => 'puppet:///common/logwatch/applyhttperrordate',
+	}
+	file { '/etc/logwatch/conf/logwatch.conf':
+		content => 'Detail = Med',
+	}
+	file { '/etc/logwatch/conf/logfiles/http.conf':
+		content => 'LogFile = apache/access_*.log',
+	}
+	file { '/etc/logwatch/conf/logfiles/http-error.conf':
+		source => 'puppet:///common/logwatch/log-http-error.conf',
+	}
+	file { '/etc/logwatch/conf/services/http-error.conf':
+		source => 'puppet:///common/logwatch/services-http-error.conf',
+	}
+	file { '/etc/logwatch/conf/logfiles/php.conf':
+		source => 'puppet:///common/logwatch/logfiles_php.conf',
+	}
+	file { '/etc/logwatch/conf/services/php.conf':
+		source => 'puppet:///common/logwatch/services_php.conf',
+	}
+	file { '/etc/logwatch/conf/logfiles/mysql.conf':
+		source => 'puppet:///common/logwatch/logfiles_mysql.conf',
+	}
+	file { '/etc/logwatch/conf/services/mysql.conf':
+		source => 'puppet:///common/logwatch/services_mysql.conf',
+	}
+}
+
+class fail2ban {
+	package { 'fail2ban':
+		ensure => latest,
+	}
+	service { 'fail2ban':
+		ensure => running,
+		enable => true
+	}
+	File {
+		ensure => present,
+		require => Package['fail2ban'],
+		notify => Service['fail2ban'],
+	}
+	file { '/etc/fail2ban/jail.local':
+		source => 'puppet:///common/fail2ban/jail.local',
+	}
+	file { '/etc/fail2ban/action.d/apf.conf':
+		source => 'puppet:///common/fail2ban/apf.conf',
+	}
+	file { '/etc/fail2ban/filter.d/ibb-apache-exploits-instaban.conf':
+		source => 'puppet:///common/fail2ban/ibb-apache-exploits-instaban.conf',
+	}
+	file { '/etc/fail2ban/filter.d/ibb-repeat-offender.conf':
+		source => 'puppet:///common/fail2ban/ibb-repeat-offender.conf',
+	}
+	file { '/etc/fail2ban/filter.d/ibb-postfix-spammers.conf':
+		source => 'puppet:///common/fail2ban/ibb-postfix-spammers.conf',
+	}
+	file { '/etc/fail2ban/filter.d/ibb-postfix-malicious.conf':
+		source => 'puppet:///common/fail2ban/ibb-postfix-malicious.conf',
+	}
+	file { '/etc/fail2ban/filter.d/ibb-postfix.conf':
+		source => 'puppet:///common/fail2ban/ibb-postfix.conf',
+	}
+	file { '/etc/fail2ban/fail2ban.local':
+		content => '[Definition]
+logtarget = /var/log/fail2ban.log'
+	}
+}
+
+#Our web server with our configs, not just a stock one
+class webserver (
+	$primary_ip,
+	$secondary_ip,
+	) {
+	#Setup base website parameters
+	class { 'website':
+		base_dir => '/srv/sites',
+		primary_ip => $primary_ip,
+		secondary_ip => $secondary_ip,
+		default_owner => $defaultusers::default_user,
+		default_group => $defaultusers::default_user,
+		default_tld => 'co.uk',
+		default_extra_tlds => [ 'com' ],
+	}
+	#Configure the PHP version to use
+	class { 'website::php':
+		suffix => '55w', #Webtatic's PHP 5.5
+		opcache => 'opcache',
+	}
+	#Setup MySQL, using (private) templates to make sure that we set non-std passwords and a default user
+	class { 'website::mysql':
+		mysqluser => template('defaultusers/mysql-user'),
+		mysqlpassword => template('defaultusers/mysql-password'),
+		mysqlsuffix => '55w',
+		phpsuffix => '55w',
+		phpmysqlsuffix => 'nd'
+	}
+}
+
+class ibboardvpsnode (
+	$primary_ip,
+	$secondary_ip,
+	$mailserver,
+	$imapserver,
+	){
+	class { 'basevpsnode':
+		primary_ip => $primary_ip,
+		secondary_ip => $secondary_ip,
+		mailserver => $mailserver,
+		imapserver => $imapserver,
+	}
+
+	# Common modules used by multiple sites (mod_auth_basic is safe because we HTTPS all the things)
+	apache::mod {
+		'auth_basic':; 'authn_file':; 'authz_user':; 'auth_token':;'deflate':;
+	}
+	$apache_packages = [ 'mod_auth_token' ]
+	package { $apache_packages:
+		ensure => present;
+	}
+
+	#Configure our sites, using templates for the custom fragments where the extra content is too long
+	include adminsite
+	website::https::multitld { 'www.ibboard':
+		custom_fragment => template("private/apache/ibboard.fragment"),
+	}
+	include hiveworldterrasite
+	include glittergothsite
+	include devsite
+	website::https::multitld { 'www.abiknight':
+		custom_fragment => "$website::htmlphpfragment
+	ErrorDocument 404 /error.php",
+	}
+	website::https::multitld { 'www.gracebertram':
+		main_tld => 'com',
+		extra_tlds => [ 'co.uk' ],
+		docroot_owner => $defaultusers::secondary_user,
+		docroot_group => 'editors',
+		custom_fragment => template("private/apache/gracebertram.fragment"),
+	}
+	website::https { 'www.realmrunner.com':
+		docroot => "${website::basedir}/gracebertram", # Don't give it a separate docroot because it is a redirect via the fragment
+		docroot_owner => $defaultusers::secondary_user,
+		docroot_group => 'editors',
+		serveraliases => 'realmrunner.com',
+		custom_fragment => template("private/apache/realmrunner.fragment"),
+	}
+	include webmailpimsite
+}
+
+class adminsite{
+	apache::mod { 'info':; 'status':; 'cgi':; }
+	website::https::multitld { 'admin.ibboard':
+		force_no_index => false,
+		ssl_ca_chain => '',
+		custom_fragment => template("private/apache/admin.fragment"),
+	}
+	cron { 'loadavg':
+		command => '/usr/local/bin/run-loadavg-logger',
+		user => apache,
+		minute => '*/6'
+	}
+	cron { 'awstats':
+		command => '/usr/local/bin/update-awstats > /srv/sites/admin/awstats.log',
+		user => apache,
+		hour => '*/6',
+		minute => '0'
+	}
+}
+
+class hiveworldterrasite {
+	website::https::multitld { 'www.hiveworldterra':
+		force_no_www => false,
+		custom_fragment => template("private/apache/hwt.fragment"),
+	}
+	website::https::multitld { 'forums.hiveworldterra': 
+		custom_fragment => 'ErrorDocument 404 /error.php'
+	}
+	website::https::multitld { 'skins.hiveworldterra':
+		custom_fragment => template("private/apache/skins.fragment"),
+	}
+	website::https::redir { 'hiveworldterra.ibboard.co.uk':
+		redir => 'https://www.hiveworldterra.co.uk/',
+		docroot => "${website::basedir}/hiveworldterra",
+		separate_log => true,
+	}
+}
+
+class devsite {
+	apache::mod {
+		# mod_wsgi for Python support
+		'wsgi':;
+	}
+
+	include python::venv
+
+	# Create Python virtualenvs for the dev site apps
+	python::venv::isolate {
+		"/srv/rhodecode/virtualenv":;
+		"/srv/trac/virtualenv":;
+	}
+
+	# Graphviz for Trac "master ticket" graphs
+	package { 'graphviz':
+		ensure => latest,
+	}
+
+	website::https::multitld { 'www.warfoundry':
+		custom_fragment => template("private/apache/warfoundry.fragment"),
+	}
+	website::https::multitld { 'dev.ibboard':
+		#Make sure we're the first one hit for the tiny fraction of "no support" cases we care about (potentially Python for Mercurial!)
+		# http://en.wikipedia.org/wiki/Server_Name_Indication#No_support
+		priority => 1,
+		custom_fragment => template("private/apache/dev.fragment"),
+	}
+}
+class glittergothsite {
+	website::https::multitld { 'www.glittergoth':
+		ip => $website::secondary_ip,
+		priority => 1,
+		ssl_ca_chain => 'glittergoth.ca-bundle',
+		docroot_owner => $defaultusers::secondary_user,
+		docroot_group => 'editors',
+		force_no_index => false,
+		custom_fragment => template("private/apache/glittergoth.fragment"),
+	}
+	website::https { 'test.glittergoth.co.uk':
+		docroot => "${website::basedir}/glittergoth-test",
+		docroot_owner => $defaultusers::secondary_user,
+		docroot_group => 'editors',
+		ip => $website::secondary_ip,
+		force_no_index => false,
+		custom_fragment => template("private/apache/glittergoth-test.fragment"),
+	}
+
+	# Website specific cron jobs
+	cron { 'backupopencart':
+		command => "/usr/local/bin/backupdb opencart",
+		user => 'root',
+		hour => '*/6',
+		minute => '15',
+	}
+	cron { 'requestreviews':
+		command => '/usr/local/bin/request-reviews 2> /srv/sites/admin/request-reviews.log',
+		user => 'apache',
+		hour => 4,
+		minute => 5
+	}
+}
+
+class webmailpimsite {
+	# Webmail and Personal Information Management (PIM) sites
+	website::https { 'webmail.ibboard.co.uk':
+		force_no_index => false,
+		ssl_ca_chain => '',
+		custom_fragment => template("private/apache/webmail.fragment"),
+	}
+	website::https { 'pim.ibboard.co.uk':
+		force_no_index => false,
+		lockdown_requests => false,
+		ssl_ca_chain => '',
+		custom_fragment => template("private/apache/pim.fragment"),
+	}
+	cron { 'owncloudcron':
+		command => "/usr/local/bin/owncloud-cron",
+		user => 'apache',
+		minute => '*/15',
+	}
+}
+
+class email (
+	$mailserver,
+	$imapserver,
+	){
+	class { 'postfix':
+		mailserver => $mailserver,
+	}
+	class { 'dovecot':
+		imapserver => $imapserver,
+	}
+}
+
+class cronjobs {
+	# Add Mutt for scripts that send emails, but stop it clogging the disk by keeping copies of emails
+	package { 'mutt':
+		ensure => latest,
+	}
+	file { '/etc/Muttrc.local':
+		content => 'set copy = no',
+		require => Package['mutt'],
+	}
+
+	# General server-wide cron jobs
+	Cron { user => 'root' }
+	cron { 'backupalldbs':
+		command => "/usr/local/bin/backupalldbs",
+		monthday => "*/2",
+		hour => "4",
+		minute => "9"
+	}
+	cron { 'greatfirewallofchina':
+		command => '/usr/local/bin/update-great-firewall-of-china',
+		hour => 3,
+		minute => 30
+	}
+	cron { 'permissions':
+		command => '/usr/local/bin/set-permissions',
+		hour => 3,
+		minute => 5
+	}
+	cron { 'apf-refresh':
+		command => '/etc/apf/apf --refresh >> /dev/null 2>&1 &',
+		hour => '*/6',
+		minute => '45'
+	}
+	# Since we're only managing the local server, use "puppet apply" instead of PuppetMaster
+	cron { 'puppet':
+		command => 'puppet apply /etc/puppet/manifests/site.pp | grep -v "Finished catalog run in"',
+		hour => '*/6',
+		minute => 5
+	}
+	cron { 'purgecaches':
+		command => "/usr/local/bin/purge-caches",
+		hour => '4',
+		minute => '15',
+		weekday => '1',
+	}
+	# Notify of uncommitted files
+	cron { 'check-mercurial-committed':
+		command => "/usr/local/bin/check-hg-status",
+		hour => '4',
+		minute => '20',
+		weekday => '0-6/3', #Sunday, Wednesday and Saturday morning
+	}
+}