Add "Shellshock" exploit Fail2ban rule
author | IBBoard <dev@ibboard.co.uk> |
date | Sun, 28 Sep 2014 08:03:46 +0000 |
parents | 956e484adc12 |
children | ca6ce30c0bfc |
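# Base profile shared by every node: OS facts for other classes plus the
# always-on classes (sudo, default users, logwatch).
class basenode {
  # Top-scope facts are referenced with the explicit "::" qualifier so the
  # lookup never falls through dynamic scoping to a same-named local.
  $os    = $::operatingsystem
  $osver = "v${::operatingsystemrelease}"

  include sudo
  include defaultusers
  include logwatch
}

# Base profile for a self-managed VPS.  Parameters are the node's two public
# IPs and the mail/IMAP hostnames handed on to the 'webserver' and 'email'
# classes.
class basevpsnode (
  $primary_ip,
  $secondary_ip,
  $mailserver,
  $imapserver,
) {
  # VPS is a self-mastered Puppet machine, so bodge a hosts file: "puppet"
  # must resolve to the box itself, and the FQDN to its primary IP, without
  # relying on external DNS.
  file { '/etc/hosts':
    ensure  => present,
    content => "127.0.0.1 localhost puppet\n${primary_ip} ${::fqdn}\n",
  }

  # Repositories (and their GPG keys) must be in place before any package
  # resource below is evaluated.
  require repos

  include basenode
  include ssh::server
  include vcs::server
  include vcs::client

  class { 'webserver':
    primary_ip   => $primary_ip,
    secondary_ip => $secondary_ip,
  }

  include cronjobs
  include logrotate
  include fail2ban
  include tools

  class { 'email':
    mailserver => $mailserver,
    imapserver => $imapserver,
  }
}

## Classes to allow facet behaviour using preconfigured setups of classes

# Third-party Yum repositories.  Every repo has gpgcheck => 1 with a signing
# key shipped from the Puppet fileserver, so package integrity rests on the
# GPG signature rather than on the (partly plain-HTTP) mirror transport.
class repos {
  yumrepo { 'epel':
    mirrorlist     => 'https://mirrors.fedoraproject.org/metalink?repo=epel-$releasever&arch=$basearch',
    descr          => 'Extra Packages for Enterprise Linux',
    enabled        => 1,
    failovermethod => 'priority',
    gpgcheck       => 1,
    gpgkey         => 'file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6',
  }

  file { '/etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6':
    ensure => present,
    source => 'puppet:///common/RPM-GPG-KEY-EPEL-6',
  }

  yumrepo { 'ibboard':
    baseurl  => 'http://download.opensuse.org/repositories/home:/IBBoard:/server/CentOS_CentOS-$releasever/',
    descr    => 'IBBoard Server',
    enabled  => 1,
    gpgcheck => 1,
    gpgkey   => 'file:///etc/pki/rpm-gpg/RPM-GPG-KEY-IBBoard-OBS',
  }

  file { '/etc/pki/rpm-gpg/RPM-GPG-KEY-IBBoard-OBS':
    ensure => present,
    source => 'puppet:///common/RPM-GPG-KEY-IBBoard-OBS',
  }

  yumrepo { 'webtatic':
    mirrorlist     => 'http://repo.webtatic.com/yum/el$releasever/$basearch/mirrorlist',
    # Was a copy-paste of the EPEL description; label the repo by its name.
    descr          => 'Webtatic',
    enabled        => 1,
    failovermethod => 'priority',
    gpgcheck       => 1,
    gpgkey         => 'file:///etc/pki/rpm-gpg/RPM-GPG-KEY-webtatic-andy',
  }

  file { '/etc/pki/rpm-gpg/RPM-GPG-KEY-webtatic-andy':
    ensure => present,
    source => 'puppet:///common/RPM-GPG-KEY-webtatic-andy',
  }
}

# Small utility packages wanted on every node.
class tools {
  $packages = [
    'sqlite',
    'bash-completion',
  ]

  package { $packages:
    ensure => latest;
  }
}

# logrotate plus the per-service rotation policies we ship ourselves.
class logrotate {
  package { 'logrotate':
    ensure => latest;
  }

  file { '/etc/logrotate.d/httpd':
    ensure  => present,
    source  => 'puppet:///common/logrotate-httpd',
    require => Package['logrotate'],
  }

  file { '/etc/logrotate.d/trac':
    ensure  => present,
    source  => 'puppet:///common/logrotate-trac',
    require => Package['logrotate'],
  }
}

# Logwatch with our custom service scripts and their logfile/service configs.
class logwatch {
  package { 'logwatch':
    ensure => latest;
  }

  # Defaults for every file resource in this class; the shared/ directory
  # below overrides ensure to 'directory'.
  File {
    ensure  => present,
    require => Package['logwatch'],
  }

  file { '/etc/cron.daily/0logwatch':
    source => 'puppet:///common/0logwatch';
  }

  file { '/etc/logwatch/scripts/shared/':
    ensure => directory,
  }

  # Service scripts
  file { '/etc/logwatch/scripts/services/http-error':
    source => 'puppet:///common/logwatch/http-error',
  }

  file { '/etc/logwatch/scripts/services/php':
    source => 'puppet:///common/logwatch/scripts_php',
  }

  file { '/etc/logwatch/scripts/services/mysql':
    source => 'puppet:///common/logwatch/scripts_mysql',
  }

  file { '/etc/logwatch/scripts/services/dovecot':
    source => 'puppet:///common/logwatch/dovecot',
  }

  file { '/etc/logwatch/scripts/services/postfix':
    source => 'puppet:///common/logwatch/postfix',
  }

  file { '/etc/logwatch/scripts/shared/applyhttperrordate':
    source => 'puppet:///common/logwatch/applyhttperrordate',
  }

  # Global and per-service configuration
  file { '/etc/logwatch/conf/logwatch.conf':
    content => 'Detail = Med',
  }

  file { '/etc/logwatch/conf/logfiles/http.conf':
    content => 'LogFile = apache/access_*.log',
  }

  file { '/etc/logwatch/conf/logfiles/http-error.conf':
    source => 'puppet:///common/logwatch/log-http-error.conf',
  }

  file { '/etc/logwatch/conf/services/http-error.conf':
    source => 'puppet:///common/logwatch/services-http-error.conf',
  }

  file { '/etc/logwatch/conf/logfiles/php.conf':
    source => 'puppet:///common/logwatch/logfiles_php.conf',
  }

  file { '/etc/logwatch/conf/services/php.conf':
    source => 'puppet:///common/logwatch/services_php.conf',
  }

  file { '/etc/logwatch/conf/logfiles/mysql.conf':
    source => 'puppet:///common/logwatch/logfiles_mysql.conf',
  }

  file { '/etc/logwatch/conf/services/mysql.conf':
    source => 'puppet:///common/logwatch/services_mysql.conf',
  }
}

# Fail2ban with our own jails, the APF ban action and custom filters for
# Apache exploit probes (including the Shellshock User-Agent/header pattern),
# repeat offenders and Postfix abuse.  Every config file change restarts the
# service via the File default below.
class fail2ban {
  package { 'fail2ban':
    ensure => latest,
  }

  service { 'fail2ban':
    ensure => running,
    enable => true,
  }

  File {
    ensure  => present,
    require => Package['fail2ban'],
    notify  => Service['fail2ban'],
  }

  file { '/etc/fail2ban/jail.local':
    source => 'puppet:///common/fail2ban/jail.local',
  }

  file { '/etc/fail2ban/action.d/apf.conf':
    source => 'puppet:///common/fail2ban/apf.conf',
  }

  # NOTE(review): the filters below are only active if jail.local (not
  # visible here) defines a jail that references each one — confirm.
  file { '/etc/fail2ban/filter.d/ibb-apache-exploits-instaban.conf':
    source => 'puppet:///common/fail2ban/ibb-apache-exploits-instaban.conf',
  }

  file { '/etc/fail2ban/filter.d/ibb-apache-shellshock.conf':
    source => 'puppet:///common/fail2ban/ibb-apache-shellshock.conf',
  }

  file { '/etc/fail2ban/filter.d/ibb-repeat-offender.conf':
    source => 'puppet:///common/fail2ban/ibb-repeat-offender.conf',
  }

  file { '/etc/fail2ban/filter.d/ibb-postfix-spammers.conf':
    source => 'puppet:///common/fail2ban/ibb-postfix-spammers.conf',
  }

  file { '/etc/fail2ban/filter.d/ibb-postfix-malicious.conf':
    source => 'puppet:///common/fail2ban/ibb-postfix-malicious.conf',
  }

  file { '/etc/fail2ban/filter.d/ibb-postfix.conf':
    source => 'puppet:///common/fail2ban/ibb-postfix.conf',
  }

  # Log to a dedicated file so bans are auditable (and rotatable) separately
  # from syslog.
  file { '/etc/fail2ban/fail2ban.local':
    content => "[Definition]\nlogtarget = /var/log/fail2ban.log\n",
  }
}

# Our web server with our configs, not just a stock one
class webserver (
  $primary_ip,
  $secondary_ip,
) {
  # Setup base website parameters
  class { 'website':
    base_dir           => '/srv/sites',
    primary_ip         => $primary_ip,
    secondary_ip       => $secondary_ip,
    default_owner      => $defaultusers::default_user,
    default_group      => $defaultusers::default_user,
    default_tld        => 'co.uk',
    default_extra_tlds => [ 'com' ],
  }

  # Configure the PHP version to use
  class { 'website::php':
    suffix  => '55w',  # Webtatic's PHP 5.5
    opcache => 'opcache',
  }

  # Setup MySQL, using (private) templates to make sure that we set non-std
  # passwords and a default user.  The credentials never appear in this
  # (public) manifest; they live only in the private template directory.
  class { 'website::mysql':
    mysqluser      => template('defaultusers/mysql-user'),
    mysqlpassword  => template('defaultusers/mysql-password'),
    mysqlsuffix    => '55w',
    phpsuffix      => '55w',
    phpmysqlsuffix => 'nd',
  }
}

# The concrete IBBoard VPS: the base VPS profile plus every hosted site.
class ibboardvpsnode (
  $primary_ip,
  $secondary_ip,
  $mailserver,
  $imapserver,
) {
  class { 'basevpsnode':
    primary_ip   => $primary_ip,
    secondary_ip => $secondary_ip,
    mailserver   => $mailserver,
    imapserver   => $imapserver,
  }

  # Common modules used by multiple sites (mod_auth_basic is safe because we
  # HTTPS all the things)
  apache::mod {
    'auth_basic':;
    'authn_file':;
    'authz_user':;
    'auth_token':;
    'deflate':;
  }

  $apache_packages = [ 'mod_auth_token' ]

  package { $apache_packages:
    ensure => present;
  }

  # Configure our sites, using templates for the custom fragments where the
  # extra content is too long
  include adminsite

  website::https::multitld { 'www.ibboard':
    custom_fragment => template("private/apache/ibboard.fragment"),
  }

  include hiveworldterrasite
  include glittergothsite
  include devsite

  website::https::multitld { 'www.abiknight':
    custom_fragment => "${website::htmlphpfragment}\nErrorDocument 404 /error.php",
  }

  website::https::multitld { 'www.gracebertram':
    main_tld        => 'com',
    extra_tlds      => [ 'co.uk' ],
    docroot_owner   => $defaultusers::secondary_user,
    docroot_group   => 'editors',
    custom_fragment => template("private/apache/gracebertram.fragment"),
  }

  website::https { 'www.realmrunner.com':
    # Don't give it a separate docroot because it is a redirect via the
    # fragment
    docroot         => "${website::basedir}/gracebertram",
    docroot_owner   => $defaultusers::secondary_user,
    docroot_group   => 'editors',
    serveraliases   => 'realmrunner.com',
    custom_fragment => template("private/apache/realmrunner.fragment"),
  }

  include webmailpimsite
}

# Admin site: server-status/info/CGI modules plus the stats cron jobs.
class adminsite {
  apache::mod {
    'info':;
    'status':;
    'cgi':;
  }

  website::https::multitld { 'admin.ibboard':
    force_no_index  => false,
    ssl_ca_chain    => '',
    custom_fragment => template("private/apache/admin.fragment"),
  }

  # Both jobs run as the web server user (quoted, matching the other cron
  # resources in this file) so they can only touch the site's own files.
  cron { 'loadavg':
    command => '/usr/local/bin/run-loadavg-logger',
    user    => 'apache',
    minute  => '*/6',
  }

  cron { 'awstats':
    command => '/usr/local/bin/update-awstats > /srv/sites/admin/awstats.log',
    user    => 'apache',
    hour    => '*/6',
    minute  => '0',
  }
}

# Hive World Terra sites and the legacy hostname redirect.
class hiveworldterrasite {
  website::https::multitld { 'www.hiveworldterra':
    force_no_www    => false,
    custom_fragment => template("private/apache/hwt.fragment"),
  }

  website::https::multitld { 'forums.hiveworldterra':
    custom_fragment => 'ErrorDocument 404 /error.php',
  }

  website::https::multitld { 'skins.hiveworldterra':
    custom_fragment => template("private/apache/skins.fragment"),
  }

  website::https::redir { 'hiveworldterra.ibboard.co.uk':
    redir        => 'https://www.hiveworldterra.co.uk/',
    docroot      => "${website::basedir}/hiveworldterra",
    separate_log => true,
  }
}

# Development site: Python (WSGI) apps in their own virtualenvs plus Trac.
class devsite {
  apache::mod {
    # mod_wsgi for Python support
    'wsgi':;
  }

  include python::venv

  # Create Python virtualenvs for the dev site apps
  python::venv::isolate {
    "/srv/rhodecode/virtualenv":;
    "/srv/trac/virtualenv":;
  }

  # Graphviz for Trac "master ticket" graphs
  package { 'graphviz':
    ensure => latest,
  }

  website::https::multitld { 'www.warfoundry':
    custom_fragment => template("private/apache/warfoundry.fragment"),
  }

  website::https::multitld { 'dev.ibboard':
    # Make sure we're the first one hit for the tiny fraction of "no support"
    # cases we care about (potentially Python for Mercurial!)
    # http://en.wikipedia.org/wiki/Server_Name_Indication#No_support
    priority        => 1,
    custom_fragment => template("private/apache/dev.fragment"),
  }
}

# Glittergoth shop (live and test) on the secondary IP, plus its cron jobs.
class glittergothsite {
  website::https::multitld { 'www.glittergoth':
    ip              => $website::secondary_ip,
    priority        => 1,
    ssl_ca_chain    => 'glittergoth.ca-bundle',
    docroot_owner   => $defaultusers::secondary_user,
    docroot_group   => 'editors',
    force_no_index  => false,
    custom_fragment => template("private/apache/glittergoth.fragment"),
  }

  website::https { 'test.glittergoth.co.uk':
    docroot         => "${website::basedir}/glittergoth-test",
    docroot_owner   => $defaultusers::secondary_user,
    docroot_group   => 'editors',
    ip              => $website::secondary_ip,
    force_no_index  => false,
    custom_fragment => template("private/apache/glittergoth-test.fragment"),
  }

  # Website specific cron jobs
  cron { 'backupopencart':
    command => "/usr/local/bin/backupdb opencart",
    user    => 'root',
    hour    => '*/6',
    minute  => '15',
  }

  cron { 'requestreviews':
    command => '/usr/local/bin/request-reviews 2> /srv/sites/admin/request-reviews.log',
    user    => 'apache',
    hour    => 4,
    minute  => 5,
  }
}

# Webmail and Personal Information Management (PIM) sites
class webmailpimsite {
  website::https { 'webmail.ibboard.co.uk':
    force_no_index  => false,
    ssl_ca_chain    => '',
    custom_fragment => template("private/apache/webmail.fragment"),
  }

  website::https { 'pim.ibboard.co.uk':
    force_no_index    => false,
    lockdown_requests => false,
    ssl_ca_chain      => '',
    custom_fragment   => template("private/apache/pim.fragment"),
  }

  cron { 'owncloudcron':
    command => "/usr/local/bin/owncloud-cron",
    user    => 'apache',
    minute  => '*/15',
  }
}

# Mail stack: Postfix for the given mail host, Dovecot for the IMAP host.
class email (
  $mailserver,
  $imapserver,
) {
  class { 'postfix':
    mailserver => $mailserver,
  }

  class { 'dovecot':
    imapserver => $imapserver,
  }
}

# Server-wide maintenance cron jobs (all run as root unless stated).
class cronjobs {
  # Add Mutt for scripts that send emails, but stop it clogging the disk by
  # keeping copies of emails
  package { 'mutt':
    ensure => latest,
  }

  file { '/etc/Muttrc.local':
    content => 'set copy = no',
    require => Package['mutt'],
  }

  # General server-wide cron jobs
  Cron {
    user => 'root',
  }

  cron { 'backupalldbs':
    command  => "/usr/local/bin/backupalldbs",
    monthday => "*/2",
    hour     => "4",
    minute   => "9",
  }

  cron { 'greatfirewallofchina':
    command => '/usr/local/bin/update-great-firewall-of-china',
    hour    => 3,
    minute  => 30,
  }

  cron { 'permissions':
    command => '/usr/local/bin/set-permissions',
    hour    => 3,
    minute  => 5,
  }

  cron { 'apf-refresh':
    command => '/etc/apf/apf --refresh >> /dev/null 2>&1 &',
    hour    => '*/6',
    minute  => '45',
  }

  # Since we're only managing the local server, use "puppet apply" instead of
  # PuppetMaster.  The grep only trims the routine "Finished catalog run"
  # line so that cron mail is sent only when something else was reported.
  cron { 'puppet':
    command => 'puppet apply /etc/puppet/manifests/site.pp | grep -v "Finished catalog run in"',
    hour    => '*/6',
    minute  => 5,
  }

  cron { 'purgecaches':
    command => "/usr/local/bin/purge-caches",
    hour    => '4',
    minute  => '15',
    weekday => '1',
  }

  # Notify of uncommitted files
  cron { 'check-mercurial-committed':
    command => "/usr/local/bin/check-hg-status",
    hour    => '4',
    minute  => '20',
    weekday => '0-6/3',  # Sunday, Wednesday and Saturday morning
  }
}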