diff manifests/templates.pp @ 390:df5ad1612af7
Adapt configs to support Ubuntu
This is prep for running a VPS on a Mythic Beasts Raspberry Pi
* Switch paths where necessary
* Add optional modules that only apply on some OSes
* Change usernames and groups
* Don't do RPM-based stuff in Ubuntu
* Switch to using some of the new modules
author | IBBoard <dev@ibboard.co.uk> |
date | Mon, 03 Jan 2022 18:37:16 +0000 |
parents | d9009f54eb23 |
children | a948419a23b1 |
--- a/manifests/templates.pp Mon Jan 03 17:16:21 2022 +0000 +++ b/manifests/templates.pp Mon Jan 03 18:37:16 2022 +0000 @@ -30,6 +30,30 @@ version: 5 ", } + + if $operatingsystem == 'Ubuntu' { + file { '/etc/locale.gen': + ensure => present, + content => "en_GB.UTF-8 UTF-8", + notify => Exec['Regen locales'] + } + exec { 'Regen locales': + command => 'locale-gen', + refreshonly => true + } + # Don't waste space with Snap and do everything properly with system packages + [ 'lxd', 'core18', 'core20', 'snapd'].each |$snap| { + exec { "remove $snap snap package": + command => "snap remove $snap", + onlyif => "which snap && snap list $snap", + tag => 'snap', + } + } + Exec<| tag == 'snap' |> -> + package { 'snapd': + ensure => purged, + } + } } class basevpsnode ( @@ -198,7 +222,9 @@ require => Package['unbound'], notify => Service['unbound'], } - + file { '/etc/NetworkManager/conf.d': + ensure => directory + } file { '/etc/NetworkManager/conf.d/local-dns-resolver.conf': ensure => present, content => "[main] @@ -209,7 +235,7 @@ ensure => absent, } file { '/etc/resolv.conf': - ensure => present, + ensure => file, # "ipaddress" key only exists for machines with IPv4 addresses content => has_key($facts, 'ipaddress') ? { true => "nameserver 127.0.0.1", default => "nameserver ::1" }, require => Service['unbound'], 
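Review bot: The exec resources added in the Ubuntu block (`'Regen locales'` and the per-snap `"remove $snap snap package"`) declare no `path`, so unless an `Exec { path => ... }` resource default exists elsewhere in this manifest, Puppet will refuse to run the unqualified `locale-gen`, `which` and `snap` commands. The `onlyif => "which snap && snap list $snap"` check also depends on shell `&&`, which the default posix provider does not promise to interpret; adding `provider => shell,` (or a `path => [ '/usr/bin', '/usr/sbin', '/bin', '/sbin' ],` plus a fully qualified check) makes the intent explicit. The `/etc/locale.gen` content `"en_GB.UTF-8 UTF-8"` has no trailing newline, which is worth adding as `"en_GB.UTF-8 UTF-8\n"` so the file ends cleanly. The enclosing class starts outside this hunk.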
@@ -218,39 +244,41 @@ } class repos { - yumrepo { 'epel': - mirrorlist => 'https://mirrors.fedoraproject.org/metalink?repo=epel-$releasever&arch=$basearch', - descr => "Extra Packages for Enterprise Linux", - enabled => 1, - failovermethod => absent, - gpgcheck => 1, - gpgkey => "file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-$osver", - } - file { "/etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-$osver": - ensure => present, - source => "puppet:///common/RPM-GPG-KEY-EPEL-$osver", - tag => 'repo-config', - } - yumrepo { 'ibboard': - baseurl => 'https://download.opensuse.org/repositories/home:/IBBoard:/server/CentOS_$releasever/', - descr => 'Extra packages from IBBoard', - enabled => 1, - gpgcheck => 1, - gpgkey => 'file:///etc/pki/rpm-gpg/RPM-GPG-KEY-ibboard', - } - file { '/etc/pki/rpm-gpg/RPM-GPG-KEY-ibboard': - ensure => present, - source => 'puppet:///common/RPM-GPG-KEY-ibboard', - tag => 'repo-config', - } - yumrepo { 'webtatic': - ensure => absent, - } - file { '/etc/pki/rpm-gpg/RPM-GPG-KEY-webtatic-andy': - ensure => absent, - } - file { '/etc/pki/rpm-gpg/RPM-GPG-KEY-webtatic-el7': - ensure => absent, + if $operatingsystem == 'CentOS' { + yumrepo { 'epel': + mirrorlist => 'https://mirrors.fedoraproject.org/metalink?repo=epel-$releasever&arch=$basearch', + descr => "Extra Packages for Enterprise Linux", + enabled => 1, + failovermethod => absent, + gpgcheck => 1, + gpgkey => "file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-$osver", + } + file { "/etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-$osver": + ensure => present, + source => "puppet:///common/RPM-GPG-KEY-EPEL-$osver", + tag => 'repo-config', + } + yumrepo { 'ibboard': + baseurl => 'https://download.opensuse.org/repositories/home:/IBBoard:/server/CentOS_$releasever/', + descr => 'Extra packages from IBBoard', + enabled => 1, + gpgcheck => 1, + gpgkey => 'file:///etc/pki/rpm-gpg/RPM-GPG-KEY-ibboard', + } + file { '/etc/pki/rpm-gpg/RPM-GPG-KEY-ibboard': + ensure => present, + source => 'puppet:///common/RPM-GPG-KEY-ibboard', + tag => 
'repo-config', + } + yumrepo { 'webtatic': + ensure => absent, + } + file { '/etc/pki/rpm-gpg/RPM-GPG-KEY-webtatic-andy': + ensure => absent, + } + file { '/etc/pki/rpm-gpg/RPM-GPG-KEY-webtatic-el7': + ensure => absent, + } } if $operatingsystem == 'CentOS' and versioncmp($operatingsystemrelease, '8') >= 0 { @@ -276,16 +304,20 @@ ensure => 'present', version => $python_ver, pip => 'present', - virtualenv => 'present', use_epel => false, } } class tools { - $packages = [ 'sqlite', 'bash-completion', 'nano', 'bzip2', 'mlocate', 'patch', 'tmux', 'wget', 'yum-utils', 'rsync' ] + $packages = [ 'sqlite', 'bash-completion', 'nano', 'bzip2', 'mlocate', 'patch', 'tmux', 'wget', 'rsync' ] package { $packages: ensure => installed; } + if $osfamily == 'RedHat' { + package { 'yum-utils': + ensure => installed + } + } } class logrotate { @@ -297,11 +329,6 @@ source => 'puppet:///common/logrotate-httpd', require => Package['logrotate'], } - file { '/etc/logrotate.d/trac': - ensure => present, - source => 'puppet:///common/logrotate-trac', - require => Package['logrotate'], - } } class logwatch { 
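Review bot: The new `if $operatingsystem == 'CentOS' {` wrapper around the yumrepo/file resources is immediately followed by the pre-existing `if $operatingsystem == 'CentOS' and versioncmp($operatingsystemrelease, '8') >= 0 {` block, so the OS test is evaluated twice in the same class; nesting the versioned block inside the new guard as `if versioncmp($operatingsystemrelease, '8') >= 0 {` reads more clearly and keeps all RPM repository handling in one branch. On Ubuntu the `repos` class now declares nothing; if that is deliberate, an `else` branch carrying a comment such as `# No extra apt sources are needed on Ubuntu` would make it clear this is intentional rather than an omission. The class `repos` ends outside this hunk.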
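Review bot: `$packages` in class `tools` is now applied on Ubuntu too, but the list still uses RPM-side names: on Debian-family systems the SQLite CLI is packaged as `sqlite3`, so `'sqlite'` is likely either to fail to resolve or to pull in a legacy package — worth verifying on an Ubuntu host and, if needed, choosing the name per `$osfamily` the same way `yum-utils` is now handled. The `python` change above it (dropping `virtualenv => 'present'`) is only the tail of a class declaration whose start is outside this hunk.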
@@ -385,89 +412,106 @@ default_extra_tlds => [ 'com' ], } - $php_suffix = '' - if $operatingsystem == 'CentOS' and versioncmp($operatingsystemrelease, '8') >= 0 { - yumrepo { 'remirepo-safe': - mirrorlist => 'http://cdn.remirepo.net/enterprise/$releasever/safe/$basearch/mirror', - descr => "Extra CentOS packages from Remi", - enabled => 1, - failovermethod => absent, - gpgcheck => 1, - gpgkey => 'file:///etc/pki/rpm-gpg/RPM-GPG-KEY-remi', - } - yumrepo { 'remirepo-php': - mirrorlist => 'http://cdn.remirepo.net/enterprise/8/modular/$basearch/mirror', - descr => 'Remi\'s Modular repository for Enterprise Linux 8 - $basearch', - enabled => 1, - failovermethod => absent, - gpgcheck => 1, - gpgkey => 'file:///etc/pki/rpm-gpg/RPM-GPG-KEY-remi', - } - file { '/etc/pki/rpm-gpg/RPM-GPG-KEY-remi': - ensure => present, - source => 'puppet:///common/RPM-GPG-KEY-remi.el8', - tag => 'repo-config', + if $operatingsystem == 'CentOS' { + $php_suffix = '' + $extra_prefix = 'pecl-' + $extra_extra = [ 'process' ] + if versioncmp($operatingsystemrelease, '8') >= 0 { + yumrepo { 'remirepo-safe': + mirrorlist => 'http://cdn.remirepo.net/enterprise/$releasever/safe/$basearch/mirror', + descr => "Extra CentOS packages from Remi", + enabled => 1, + failovermethod => absent, + gpgcheck => 1, + gpgkey => 'file:///etc/pki/rpm-gpg/RPM-GPG-KEY-remi', + } + yumrepo { 'remirepo-php': + mirrorlist => 'http://cdn.remirepo.net/enterprise/8/modular/$basearch/mirror', + descr => 'Remi\'s Modular repository for Enterprise Linux 8 - $basearch', + enabled => 1, + failovermethod => absent, + gpgcheck => 1, + gpgkey => 'file:///etc/pki/rpm-gpg/RPM-GPG-KEY-remi', + } + file { '/etc/pki/rpm-gpg/RPM-GPG-KEY-remi': + ensure => present, + source => 'puppet:///common/RPM-GPG-KEY-remi.el8', + tag => 'repo-config', + } + } else { + yumrepo { 'remirepo-safe': + mirrorlist => 'http://cdn.remirepo.net/enterprise/$releasever/safe/mirror', + descr => "Extra CentOS packages from Remi", + enabled => 1, + failovermethod => 
absent, + gpgcheck => 1, + gpgkey => 'file:///etc/pki/rpm-gpg/RPM-GPG-KEY-remi', + } + yumrepo { 'remirepo-php': + mirrorlist => 'http://cdn.remirepo.net/enterprise/$releasever/php74/mirror', + descr => "PHP7.4 for CentOS from Remi", + enabled => 1, + failovermethod => absent, + gpgcheck => 1, + gpgkey => 'file:///etc/pki/rpm-gpg/RPM-GPG-KEY-remi', + } + file { '/etc/pki/rpm-gpg/RPM-GPG-KEY-remi': + ensure => present, + source => 'puppet:///common/RPM-GPG-KEY-remi', + tag => 'repo-config', + } } - } else { - yumrepo { 'remirepo-safe': - mirrorlist => 'http://cdn.remirepo.net/enterprise/$releasever/safe/mirror', - descr => "Extra CentOS packages from Remi", - enabled => 1, - failovermethod => absent, - gpgcheck => 1, - gpgkey => 'file:///etc/pki/rpm-gpg/RPM-GPG-KEY-remi', - } - yumrepo { 'remirepo-php': - mirrorlist => 'http://cdn.remirepo.net/enterprise/$releasever/php74/mirror', - descr => "PHP7.4 for CentOS from Remi", - enabled => 1, - failovermethod => absent, - gpgcheck => 1, - gpgkey => 'file:///etc/pki/rpm-gpg/RPM-GPG-KEY-remi', - } - file { '/etc/pki/rpm-gpg/RPM-GPG-KEY-remi': - ensure => present, - source => 'puppet:///common/RPM-GPG-KEY-remi', - tag => 'repo-config', - } + } + elsif $operatingsystem == 'Ubuntu' { + $php_suffix = '' + $extra_prefix = '' + $extra_extras = [] } #Configure the PHP version to use class { 'website::php': suffix => $php_suffix, module => ($operatingsystem == 'CentOS' and versioncmp($operatingsystemrelease, '8') >= 0) ? 
{ true => 'remi-7.4', default => undef }, - extras => [ 'process', 'intl', 'pecl-imagick', 'bcmath', 'pecl-zip', 'json', 'pecl-apcu', 'gmp', 'enchant' ], + extras => [ 'intl', "${extra_prefix}imagick", 'bcmath', "${extra_prefix}zip", 'json', "${extra_prefix}apcu", 'gmp', 'enchant' ] + $extra_extras, } #Setup MySQL, using (private) templates to make sure that we set non-std passwords and a default user + if $operatingsystem == 'CentOS' { + if versioncmp($operatingsystemrelease, '7') >= 0 { + $mysqlpackage = 'mariadb' + $mysqlsuffix = '' - if $operatingsystem == 'CentOS' and versioncmp($operatingsystemrelease, '7') >= 0 { + # Required for SELinux rule setting/status checks + if versioncmp($operatingsystemrelease, '8') >= 0 { + $semanage_package_name = 'policycoreutils-python-utils' + } else { + $semanage_package_name = 'policycoreutils-python' + } + + package { 'policycoreutils-python': + name => $semanage_package_name, + ensure => present, + } + + $extra_packages = [ + 'perl-Sys-Syslog', #Required for Perl SPF checking + ] + + package { $extra_packages: + ensure => installed + } + } + else { + $mysqlpackage = 'mysql' + $mysqlsuffix = '55w' + } + } + elsif $operatingsystem == 'Ubuntu' { $mysqlpackage = 'mariadb' $mysqlsuffix = '' - - # Required for SELinux rule setting/status checks - if versioncmp($operatingsystemrelease, '8') >= 0 { - $semanage_package_name = 'policycoreutils-python-utils' - } else { - $semanage_package_name = 'policycoreutils-python' - } - - package { 'policycoreutils-python': - name => $semanage_package_name, - ensure => present, - } - - $extra_packages = [ - 'perl-Sys-Syslog', #Required for Perl SPF checking - ] - - package { $extra_packages: - ensure => installed - } } else { - $mysqlpackage = 'mysql' - $mysqlsuffix = '55w' + fail("No MySQL support for ${operatingsystem}") } class { 'website::mysql': mysqluser => template('defaultusers/mysql-user'), 
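Review bot: The CentOS branch assigns `$extra_extra = [ 'process' ]` while the Ubuntu branch and the `extras => [ ... ] + $extra_extras` expression use `$extra_extras`, so on CentOS the `process` extension will not be included (with the default settings the undefined variable evaluates to undef; with `strict_variables` enabled the catalog will not compile at all). Rename the CentOS assignment to `$extra_extras = [ 'process' ]`. The remi `mirrorlist` URLs carried into the re-indented block are still plain `http://`; `gpgcheck => 1` protects the packages themselves, but the mirror list fetch is not integrity-protected, so `https://` is preferable if the CDN supports it. The enclosing class starts outside this hunk.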
@@ -477,6 +521,11 @@ phpsuffix => $php_suffix, phpmysqlsuffix => 'nd' } + + # Additional supporting directories that aren't served as sites + file { [ '/srv/sites/errorhandling', '/srv/sites/private', '/srv/cms' ]: + ensure => directory, + } } class ibboardvpsnode ( @@ -507,7 +556,9 @@ } # Common modules used by multiple sites (mod_auth_basic is safe because we HTTPS all the things) - $mods = [ 'auth_basic', + $mods = [ + 'auth_basic', + 'authn_core', 'authn_file', 'authz_user', 'deflate', @@ -516,11 +567,6 @@ apache::mod { $mods:; } - if $operatingsystem == 'CentOS' and versioncmp($operatingsystemrelease, '7') >= 0 { - apache::mod { - 'authn_core':; - } - } #Configure our sites, using templates for the custom fragments where the extra content is too long class { "devsite": @@ -545,14 +591,14 @@ } } website::https::redir { 'mail.ibboard.co.uk': - proxy_4to6_ip => $proxy_4to6_ip_prefix != undef ? { true => "$proxy_4to6_ip_prefix:03", default => undef }, + proxy_4to6_ip => $proxy_4to6_ip_prefix != undef ? { true => "$proxy_4to6_ip_prefix:03", default => undef }, redir => 'https://ibboard.co.uk/', docroot => "${website::basedir}/ibboard", letsencrypt_name => 'ibboard.co.uk', separate_log => true, } website::https::redir { 'imap.ibboard.co.uk': - proxy_4to6_ip => $proxy_4to6_ip_prefix != undef ? { true => "$proxy_4to6_ip_prefix:03", default => undef }, + proxy_4to6_ip => $proxy_4to6_ip_prefix != undef ? { true => "$proxy_4to6_ip_prefix:03", default => undef }, redir => 'https://ibboard.co.uk/', docroot => "${website::basedir}/ibboard", letsencrypt_name => 'ibboard.co.uk', 
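Review bot: The new `file { [ '/srv/sites/errorhandling', '/srv/sites/private', '/srv/cms' ]: ensure => directory }` declares no `owner`, `group` or `mode`, so the directories get whatever the agent's umask yields; for a directory named `private` sitting next to served docroots it is better to state the intended permissions explicitly, e.g. `owner => 'root', group => 'root', mode => '0755',` (or tighter for `private`). Puppet does not create missing parent directories, so this also assumes `/srv/sites` is managed or already present — if it is managed elsewhere in the manifest the autorequire will order it, otherwise a `file` resource for it is worth adding. The enclosing class starts outside this hunk.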
@@ -589,14 +635,20 @@ ssl_ca_chain => '', custom_fragment => template("privat/apache/admin.fragment"), } + if $osfamily == 'RedHat' { + $cron_user = 'apache' + } + elsif $osfamily == 'Debian' { + $cron_user = 'www-data' + } cron { 'loadavg': command => '/usr/local/bin/run-loadavg-logger', - user => apache, + user => $cron_user, minute => '*/6' } cron { 'awstats': command => '/usr/local/bin/update-awstats > /srv/sites/admin/awstats.log', - user => apache, + user => $cron_user, hour => '*/6', minute => '0' } @@ -665,43 +717,13 @@ } } class devsite ($proxy_4to6_ip) { - if versioncmp($operatingsystemrelease, '8') >= 0 { - # Apache::Mod doesn't map this correctly for CentOS 8 yet - $mod_wsgi_lib = 'mod_wsgi_python3.so' - # And mod_wsgi doesn't exist as a "provides" any more - $mod_wsgi_package = 'python3-mod_wsgi' + if $operatingsystem == 'CentOS' and versioncmp($operatingsystemrelease, '8') >= 0 { + $mod_wsgi_prefix = 'run/wsgi/' } else { - $mod_wsgi_lib = undef - $mod_wsgi_package = undef - } - apache::mod { - # mod_wsgi for Python support - 'wsgi': - lib => $mod_wsgi_lib, - package => $mod_wsgi_package, + $mod_wsgi_prefix = undef } - - # Create Python virtualenvs for the dev site apps - file { - "/srv/rhodecode": - ensure => 'directory'; - "/srv/trac": - ensure => 'directory'; - } -> - python::virtualenv { - # Distribute is described as "simple compatibility layer that installs Setuptools 0.7+" - # and leads to 'module "importlib._bootstrap" has no attribute "SourceFileLoader"' - "/srv/rhodecode/virtualenv": - distribute => false, - version => '3'; - "/srv/trac/virtualenv": - distribute => false, - version => '3'; - } - - # Graphviz for Trac "master ticket" graphs - package { 'graphviz': - ensure => installed, + class { 'apache::mod::wsgi': + wsgi_socket_prefix => $mod_wsgi_prefix, } website::https::multitld { 'dev.ibboard': 
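Review bot: The new `if $osfamily == 'RedHat' { $cron_user = 'apache' } elsif $osfamily == 'Debian' { $cron_user = 'www-data' }` has no `else`, so on any other OS family `$cron_user` is undef and the two `cron` resources that now use `user => $cron_user` silently fall back to Puppet's default cron user, which is the account running the agent — normally root (unless `strict_variables` is enabled, in which case compilation fails instead). Add `else { fail("No web server user known for ${osfamily}") }` so an unsupported platform fails loudly rather than scheduling `run-loadavg-logger` and `update-awstats` as root, matching the `fail()` the MySQL block in this commit already uses. The same unterminated if/elsif appears for `$pim_user` in the @@ -724 hunk and for `$spamassassin_deps`/`$spamassassin_dir`/`$amavis_dir`/`$amavis_service` in the @@ -768 hunk, where an undefined `$amavis_service` would additionally leave `Service[$amavis_service]` pointing at nothing. The enclosing class starts outside this hunk.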
@@ -724,9 +746,15 @@ ssl_ca_chain => '', custom_fragment => template("privat/apache/webmail.fragment"), } + if $osfamily == 'RedHat' { + $pim_user = 'apache' + } + elsif $osfamily == 'Debian' { + $pim_user = 'www-data' + } website::https { 'pim.ibboard.co.uk': proxy_4to6_ip => $proxy_4to6_ip_pim, - docroot_owner => 'apache', + docroot_owner => $pim_user, docroot_group => 'editors', force_no_index => false, lockdown_requests => false, @@ -737,7 +765,7 @@ } cron { 'owncloudcron': command => "/usr/local/bin/owncloud-cron", - user => 'apache', + user => $pim_user, minute => '*/15', } } 
@@ -768,44 +796,57 @@ } # Unspecified SpamAssassin config dependencies that started # showing up as errors in our logs - package { ['perl-File-MimeInfo']: + if $osfamily == 'RedHat' { + $spamassassin_deps = ['perl-File-MimeInfo'] + $spamassassin_dir = '/etc/mail/spamassassin/' + $amavis_dir = '/etc/amavisd/' + $amavis_service = 'amavisd' + # CentOS has a Clam service, but we call on demand (Ubuntu doesn't have a service) + service { 'clamd@amavisd': + ensure => 'stopped', + enable=> 'mask', + } + } + elsif $osfamily == 'Debian' { + $spamassassin_deps = ['libfile-mimeinfo-perl'] + $spamassassin_dir = '/etc/spamassassin/' + $amavis_dir = '/etc/amavis/' + $amavis_service = 'amavis' + } + package { $spamassassin_deps: ensure => installed, } package { [ 'amavisd-new' ]: ensure => installed, tag => 'av', } - service { 'amavisd': + service { $amavis_service: ensure => 'running', enable => 'true', } - service { 'clamd@amavisd': - ensure => 'stopped', - enable=> 'mask', - } - file { '/etc/amavisd/amavisd.conf': + file { "${amavis_dir}amavisd.conf": ensure => present, source => 'puppet:///private/postfix/amavisd.conf', tag => 'av', } - file { '/etc/mail/spamassassin/local.cf': + file { "${spamassassin_dir}local.cf": ensure => present, source => 'puppet:///private/postfix/spamassassin-local.cf', tag => 'av', } - file { '/etc/mail/spamassassin/ole2macro.cf': + file { "${spamassassin_dir}ole2macro.cf": ensure => present, source => 'puppet:///common/ole2macro.cf', tag => 'av', } - file { '/etc/mail/spamassassin/ole2macro.pm': + file { "${spamassassin_dir}ole2macro.pm": ensure => present, source => 'puppet:///common/spamassassin-vba-macro-master/ole2macro.pm', tag => 'av', } Package<| tag == 'av' |> -> File<| tag == 'av' |> File<| tag == 'av' |> { - notify => Service['amavisd'], + notify => Service[$amavis_service], } cron { 'Postwhite': command => "/usr/local/bin/postwhite 2>&1| grep -vE '^(Starting|Recursively|Getting|Querying|Removing|Sorting|$)'",
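Review bot: In the Debian branch the main configuration is written to `"${amavis_dir}amavisd.conf"`, i.e. `/etc/amavis/amavisd.conf`, but Debian's amavisd-new packaging conventionally loads its configuration from `/etc/amavis/conf.d/*` rather than a single `amavisd.conf`; worth confirming on an Ubuntu host that the `amavis` service actually reads this file, otherwise the sourced private config (and the spam/AV policy it carries) would be ignored without any error. If it is not read, the Debian branch should point `$amavis_dir` (or a separate variable) at the `conf.d` file the service does load. The enclosing class starts outside this hunk, and the `cron { 'Postwhite': ... }` resource at the end continues beyond it.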