Mercurial > repos > other > Puppet
view manifests/templates.pp @ 331:f69e2d197302
Separate some certs to make migration easier
LetsEncrypt requires all domains on the cert to be accessible
when renewing. If some migrated and some didn't then it won't
work. Separating sites gives us more options for moving sites
| author | IBBoard <dev@ibboard.co.uk> |
|---|---|
| date | Sun, 08 Mar 2020 19:56:26 +0000 |
| parents | 0cccb75d7639 |
| children | 7198cc4397d8 |
line wrap: on
line source
# Make sure packages come after their repos File<| tag == 'repo-config' |> -> YumRepo<| |> -> Package<| |> # Make sure all files are in place before starting services # FIXME: Title matches are to fix a dependency cycle File<| tag != 'post-service' and title != '/etc/sysconfig/ip6tables' and title != '/etc/sysconfig/iptables' |> -> Service<| |> # Set some shortcut variables #$os = $operatingsystem $osver = $operatingsystemmajrelease $server = '' class basenode { include sudo include defaultusers include logwatch file { '/etc/puppet/hiera.yaml': ensure => present, content => " # Let the system set defaults version: 5 ", } } class basevpsnode ( $primary_ip, $proxy_4to6_ip_prefix = undef, $proxy_upstream = undef, $nat64_ranges = [], $mailserver, $imapserver, $mailrelays = [], $firewall_cmd = 'iptables', ) { if $firewall_cmd == 'iptables' { class { 'vpsfirewall': fw_protocol => $primary_ip =~ Stdlib::IP::Address::V6 ? { true => 'IPv6', default => 'IPv4'}, } } #VPS is a self-mastered Puppet machine, so bodge a Hosts file if $primary_ip =~ Stdlib::IP::Address::V6 { $lo_ip = '::1' } else { $lo_ip = '127.0.0.1' } file { '/etc/hosts': ensure => present, content => "${lo_ip} localhost\n${primary_ip} ${fqdn}", } if $proxy_4to6_ip_prefix != undef { # …:1 to …:9 for websites, …:10 for mail $ipv6_addresses = Integer[1, 10].map |$octet| { "$proxy_4to6_ip_prefix:$octet" } $ipv6_secondaries = join($ipv6_addresses, " ") augeas {'IPv6 secondary addresses': context => "/files/etc/sysconfig/network-scripts/ifcfg-eth0", changes => "set IPV6ADDR_SECONDARIES '\"$ipv6_secondaries\"'", } } require repos include basenode include privat include dnsresolver include ssh::server include vcs::server include vcs::client class { 'webserver': primary_ip => $primary_ip, proxy_4to6_ip_prefix => $proxy_4to6_ip_prefix, proxy_4to6_mask => 124, proxy_upstream => $proxy_upstream, } include cronjobs include logrotate class { 'fail2ban': firewall_cmd => $firewall_cmd, } include tools class { 'email': mailserver => $mailserver, imapserver => $imapserver, mailserver_ip => $primary_ip, proxy_ip => $proxy_4to6_ip_prefix != undef ? { true => "${proxy_4to6_ip_prefix}:10", default => undef }, proxy_upstream => $proxy_upstream, nat64_ranges => $nat64_ranges, mailrelays => $mailrelays, } } ## Classes to allow facet behaviour using preconfigured setups of classes class vpsfirewall ($fw_protocol) { resources { "firewall": purge => false, } class { "my_fw": ip_version => $fw_protocol, } # Control what does and doesn't get pruned in the main filter chain firewallchain { "INPUT:filter:$fw_protocol": purge => true, ignore => [ '-j f2b-[^ ]+$', '^(:|-A )f2b-', '--comment "Great Firewall of China"', '--comment "Do not purge', ], } if ($fw_protocol != "IPv6") { firewall { '010 Whitelist Googlebot': source => '66.249.64.0/19', dport => [80,443], proto => tcp, action => accept, } # Block a spammer hitting our contact forms (also on StopForumSpam list A LOT) firewall { '099 Blacklist spammers 1': source => '107.181.78.172', dport => [80, 443], proto => tcp, action => 'reject', } firewall { '099 Blacklist IODC bot': # IODC bot makes too many bad requests, and contact form is broken # They don't publish a robots.txt name, so firewall it! source => '86.153.145.149', dport => [ 80, 443 ], proto => tcp, action => 'reject', } firewall { '099 Blacklist Baidu Brazil': #Baidu got a Brazilian netblock and are hitting us hard #Baidu doesn't honour "crawl-delay" in robots.txt #Baidu gets firewalled source => '131.161.8.0/22', dport => [ 80, 443 ], proto => tcp, action => 'reject', } } firewallchain { "GREATFIREWALLOFCHINA:filter:$fw_protocol": ensure => present, } firewall { '050 Check our Great Firewall Against China': chain => 'INPUT', jump => 'GREATFIREWALLOFCHINA', } firewallchain { "Fail2Ban:filter:$fw_protocol": ensure => present, } firewall { '060 Check Fail2Ban': chain => 'INPUT', jump => 'Fail2Ban', } } class dnsresolver { package { 'unbound': ensure => present, } package { 'named': ensure => absent, } service { 'named': ensure => stopped, enable => false, } service { 'unbound': ensure => running, enable => true, } file { '/etc/named.conf': ensure => absent, } file { '/etc/unbound/unbound.conf': ensure => present, source => [ "puppet:///common/unbound.conf-${::hostname}", "puppet:///common/unbound.conf", ], group => 'named', require => Package['unbound'], notify => Service['unbound'], } file { '/etc/NetworkManager/conf.d/local-dns-resolver.conf': ensure => present, content => "[main] dns=none", } file { '/etc/sysconfig/named': ensure => absent, } file { '/etc/resolv.conf': ensure => present, # "ipaddress" key only exists for machines with IPv4 addresses content => has_key($facts, 'ipaddress') ? { true => "nameserver 127.0.0.1", default => "nameserver ::1" }, require => Service['unbound'], tag => 'post-service', } } class repos { yumrepo { 'epel': mirrorlist => 'https://mirrors.fedoraproject.org/metalink?repo=epel-$releasever&arch=$basearch', descr => "Extra Packages for Enterprise Linux", enabled => 1, failovermethod => 'priority', gpgcheck => 1, gpgkey => "file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-$osver", } file { "/etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-$osver": ensure => present, source => "puppet:///common/RPM-GPG-KEY-EPEL-$osver", tag => 'repo-config', } yumrepo { 'ibboard': baseurl => 'https://download.opensuse.org/repositories/home:/IBBoard:/server/CentOS_$releasever/', descr => 'Extra packages from IBBoard', enabled => 1, gpgcheck => 1, gpgkey => 'file:///etc/pki/rpm-gpg/RPM-GPG-KEY-ibboard', } file { '/etc/pki/rpm-gpg/RPM-GPG-KEY-ibboard': ensure => present, source => 'puppet:///common/RPM-GPG-KEY-ibboard', tag => 'repo-config', } yumrepo { 'webtatic': ensure => absent, } file { '/etc/pki/rpm-gpg/RPM-GPG-KEY-webtatic-andy': ensure => absent, } file { '/etc/pki/rpm-gpg/RPM-GPG-KEY-webtatic-el7': ensure => absent, } if $operatingsystem == 'CentOS' and versioncmp($operatingsystemrelease, '8') >= 0 { $python_ver = 'python3' } else { $python_ver = 'system' } class { 'python': ensure => 'present', version => $python_ver, pip => 'present', virtualenv => 'present', use_epel => false, } } class tools { $packages = [ 'sqlite', 'bash-completion', 'nano', 'bzip2', 'mlocate', 'patch', 'tmux', 'wget', 'yum-utils', 'rsync' ] package { $packages: ensure => installed; } } class logrotate { package { 'logrotate': ensure => installed; } file { '/etc/logrotate.d/httpd': ensure => present, source => 'puppet:///common/logrotate-httpd', require => Package['logrotate'], } file { '/etc/logrotate.d/trac': ensure => present, source => 'puppet:///common/logrotate-trac', require => Package['logrotate'], } } class logwatch { package { 'logwatch': ensure => installed; } File { ensure => present, require => Package['logwatch'], } file { '/etc/cron.daily/0logwatch': source => 'puppet:///common/0logwatch'; } file { '/etc/logwatch/scripts/shared/': ensure => directory, } file { '/etc/logwatch/scripts/services/fail2ban': source => 'puppet:///common/logwatch/services-fail2ban', } file { '/etc/logwatch/scripts/services/named': source => 'puppet:///common/logwatch/named', } file { '/etc/logwatch/scripts/services/http-error': source => 'puppet:///common/logwatch/http-error', } file { '/etc/logwatch/scripts/services/php': source => 'puppet:///common/logwatch/scripts_php', } file { '/etc/logwatch/scripts/services/mysql': source => 'puppet:///common/logwatch/scripts_mysql', } file { '/etc/logwatch/scripts/services/dovecot': source => 'puppet:///common/logwatch/dovecot', } file { '/etc/logwatch/scripts/services/postfix': source => 'puppet:///common/logwatch/postfix', } file { '/etc/logwatch/scripts/shared/applyhttperrordate': source => 'puppet:///common/logwatch/applyhttperrordate', } file { '/etc/logwatch/conf/logwatch.conf': content => 'Detail = Med', } file { '/etc/logwatch/conf/logfiles/http.conf': content => 'LogFile = apache/access_*.log', } file { '/etc/logwatch/conf/logfiles/http-error-24.conf': source => 'puppet:///common/logwatch/log-http-error.conf', } file { '/etc/logwatch/conf/logfiles/http-error.conf': ensure=> absent, } file { '/etc/logwatch/conf/services/http-error.conf': source => 'puppet:///common/logwatch/services-http-error.conf', } file { '/etc/logwatch/conf/logfiles/php.conf': source => 'puppet:///common/logwatch/logfiles_php.conf', } file { '/etc/logwatch/conf/services/php.conf': source => 'puppet:///common/logwatch/services_php.conf', } file { '/etc/logwatch/conf/logfiles/mysql.conf': source => 'puppet:///common/logwatch/logfiles_mysql.conf', } file { '/etc/logwatch/conf/services/mysql.conf': source => 'puppet:///common/logwatch/services_mysql.conf', } } #Our web server with our configs, not just a stock one class webserver ( $primary_ip, $proxy_4to6_ip_prefix = undef, $proxy_4to6_mask = undef, $proxy_upstream = undef, ) { #Setup base website parameters class { 'website': base_dir => '/srv/sites', primary_ip => $primary_ip, proxy_4to6_ip_prefix => $proxy_4to6_ip_prefix, proxy_4to6_mask => $proxy_4to6_mask, proxy_upstream => $proxy_upstream, default_owner => $defaultusers::default_user, default_group => $defaultusers::default_user, default_tld => 'co.uk', default_extra_tlds => [ 'com' ], } # Use Remi's PHP 7.3 for now - 7.4 is still VERY new $php_suffix = '' if $operatingsystem == 'CentOS' and versioncmp($operatingsystemrelease, '8') >= 0 { yumrepo { 'remirepo-safe': mirrorlist => 'http://cdn.remirepo.net/enterprise/$releasever/safe/$basearch/mirror', descr => "Extra CentOS packages from Remi", enabled => 1, failovermethod => 'priority', gpgcheck => 1, gpgkey => 'file:///etc/pki/rpm-gpg/RPM-GPG-KEY-remi', } yumrepo { 'remirepo-php': mirrorlist => 'http://cdn.remirepo.net/enterprise/8/modular/$basearch/mirror', descr => 'Remi\'s Modular repository for Enterprise Linux 8 - $basearch', enabled => 1, failovermethod => 'priority', gpgcheck => 1, gpgkey => 'file:///etc/pki/rpm-gpg/RPM-GPG-KEY-remi', } file { '/etc/pki/rpm-gpg/RPM-GPG-KEY-remi': ensure => present, source => 'puppet:///common/RPM-GPG-KEY-remi.el8', tag => 'repo-config', } } else { yumrepo { 'remirepo-safe': mirrorlist => 'http://cdn.remirepo.net/enterprise/$releasever/safe/mirror', descr => "Extra CentOS packages from Remi", enabled => 1, failovermethod => 'priority', gpgcheck => 1, gpgkey => 'file:///etc/pki/rpm-gpg/RPM-GPG-KEY-remi', } yumrepo { 'remirepo-php': mirrorlist => 'http://cdn.remirepo.net/enterprise/$releasever/php73/mirror', descr => "PHP7.3 for CentOS from Remi", enabled => 1, failovermethod => 'priority', gpgcheck => 1, gpgkey => 'file:///etc/pki/rpm-gpg/RPM-GPG-KEY-remi', } file { '/etc/pki/rpm-gpg/RPM-GPG-KEY-remi': ensure => present, source => 'puppet:///common/RPM-GPG-KEY-remi', tag => 'repo-config', } } #Configure the PHP version to use class { 'website::php': suffix => $php_suffix, opcache => 'opcache', module => ($operatingsystem == 'CentOS' and versioncmp($operatingsystemrelease, '8') >= 0) ? { true => 'remi-7.3', default => undef }, extras => [ 'process', 'intl', 'pecl-imagick', 'bcmath', 'pecl-zip', 'json' ], } #Setup MySQL, using (private) templates to make sure that we set non-std passwords and a default user if $operatingsystem == 'CentOS' and versioncmp($operatingsystemrelease, '7') >= 0 { $mysqlpackage = 'mariadb' $mysqlsuffix = '' # Required for SELinux rule setting/status checks if versioncmp($operatingsystemrelease, '8') >= 0 { $semanage_package_name = 'policycoreutils-python-utils' } else { $semanage_package_name = 'policycoreutils-python' } package { 'policycoreutils-python': name => $semanage_package_name, ensure => present, } $extra_packages = [ 'perl-Sys-Syslog', #Required for Perl SPF checking ] package { $extra_packages: ensure => installed } } else { $mysqlpackage = 'mysql' $mysqlsuffix = '55w' } class { 'website::mysql': mysqluser => template('defaultusers/mysql-user'), mysqlpassword => template('defaultusers/mysql-password'), mysqlprefix => $mysqlpackage, mysqlsuffix => $mysqlsuffix, phpsuffix => $php_suffix, phpmysqlsuffix => 'nd' } } class ibboardvpsnode ( $primary_ip, $proxy_4to6_ip_prefix = undef, $proxy_upstream = undef, $nat64_ranges = [], $mailserver, $imapserver, $mailrelays = [], $firewall_cmd = 'iptables', ){ class { 'basevpsnode': primary_ip => $primary_ip, proxy_4to6_ip_prefix => $proxy_4to6_ip_prefix, proxy_upstream => $proxy_upstream, nat64_ranges => $nat64_ranges, mailserver => $mailserver, imapserver => $imapserver, mailrelays => $mailrelays, firewall_cmd => $firewall_cmd, } # Set timezone to something sensible file { "/etc/localtime": ensure => 'link', target => '/usr/share/zoneinfo/Europe/London', } # Common modules used by multiple sites (mod_auth_basic is safe because we HTTPS all the things) $mods = [ 'auth_basic', 'authn_file', 'authz_user', 'deflate', 'xsendfile' ] apache::mod { $mods:; } if $operatingsystem == 'CentOS' and versioncmp($operatingsystemrelease, '7') >= 0 { apache::mod { 'authn_core':; } } #Configure our sites, using templates for the custom fragments where the extra content is too long class { "devsite": proxy_4to6_ip => $proxy_4to6_ip_prefix != undef ? { true => "$proxy_4to6_ip_prefix:01", default => undef } } class { "adminsite": proxy_4to6_ip => $proxy_4to6_ip_prefix != undef ? { true => "$proxy_4to6_ip_prefix:02", default => undef } } website::https::multitld { 'www.ibboard': proxy_4to6_ip => $proxy_4to6_ip_prefix != undef ? { true => "$proxy_4to6_ip_prefix:03", default => undef }, custom_fragment => template("privat/apache/ibboard.fragment"), letsencrypt_name => 'ibboard.co.uk', csp_override => { "report-uri" => "https://ibboard.report-uri.com/r/d/csp/enforce", "default-src" => "'none'", "img-src" => "'self' https://live.staticflickr.com/", "script-src" => "'self'", "style-src" => "'self'", "font-src" => "'self'", "form-action" => "'self'", "connect-src" => "'self'", } } class { "hiveworldterrasite": proxy_4to6_ip => $proxy_4to6_ip_prefix != undef ? { true => "$proxy_4to6_ip_prefix:04", default => undef } } class { "bdstrikesite": proxy_4to6_ip => $proxy_4to6_ip_prefix != undef ? { true => "$proxy_4to6_ip_prefix:05", default => undef } } website::https::multitld { 'www.abiknight': proxy_4to6_ip => $proxy_4to6_ip_prefix != undef ? { true => "$proxy_4to6_ip_prefix:06", default => undef }, custom_fragment => "$website::htmlphpfragment ErrorDocument 404 /error.php", letsencrypt_name => 'abiknight.co.uk', } website::https::multitld { 'www.warfoundry': proxy_4to6_ip => $proxy_4to6_ip_prefix != undef ? { true => "$proxy_4to6_ip_prefix:07", default => undef }, letsencrypt_name => 'warfoundry.co.uk', custom_fragment => template("privat/apache/warfoundry.fragment"), } class { "webmailpimsite": proxy_4to6_ip_pim => $proxy_4to6_ip_prefix != undef ? { true => "$proxy_4to6_ip_prefix:08", default => undef }, proxy_4to6_ip_webmail => $proxy_4to6_ip_prefix != undef ? { true => "$proxy_4to6_ip_prefix:09", default => undef }, } } class adminsite ($proxy_4to6_ip) { apache::mod { 'info':; 'status':; 'cgi':; } website::https::multitld { 'admin.ibboard': proxy_4to6_ip => $proxy_4to6_ip, force_no_index => false, ssl_ca_chain => '', custom_fragment => template("privat/apache/admin.fragment"), } cron { 'loadavg': command => '/usr/local/bin/run-loadavg-logger', user => apache, minute => '*/6' } cron { 'awstats': command => '/usr/local/bin/update-awstats > /srv/sites/admin/awstats.log', user => apache, hour => '*/6', minute => '0' } } class hiveworldterrasite ($proxy_4to6_ip) { website::https::multitld { 'www.hiveworldterra': proxy_4to6_ip => $proxy_4to6_ip, force_no_www => false, letsencrypt_name => 'hiveworldterra.co.uk', custom_fragment => template("privat/apache/hwt.fragment"), } website::https::multitld { 'forums.hiveworldterra': proxy_4to6_ip => $proxy_4to6_ip, letsencrypt_name => 'forums.hiveworldterra.co.uk', custom_fragment => template("privat/apache/forums.fragment"), } website::https::multitld { 'skins.hiveworldterra': proxy_4to6_ip => $proxy_4to6_ip, letsencrypt_name => 'hiveworldterra.co.uk', custom_fragment => template("privat/apache/skins.fragment"), } website::https::redir { 'hiveworldterra.ibboard.co.uk': proxy_4to6_ip => $proxy_4to6_ip, redir => 'https://www.hiveworldterra.co.uk/', docroot => "${website::basedir}/hiveworldterra", letsencrypt_name => 'hiveworldterra.co.uk', separate_log => true, } } class bdstrikesite ($proxy_4to6_ip) { website::https::multitld { 'www.bdstrike': proxy_4to6_ip => $proxy_4to6_ip, docroot_owner => $defaultusers::secondary_user, docroot_group => 'editors', letsencrypt_name => 'bdstrike.co.uk', custom_fragment => template("privat/apache/bdstrike.fragment"), csp_override => {"frame-ancestors" => "'self'"}, csp_report_override => { "font-src" => "'self' https://fonts.gstatic.com/", "img-src" => "'self' https://secure.gravatar.com/", "style-src" => "'self' https://fonts.googleapis.com/" }, } $aliases = [ 'strikecreations.co.uk', 'strikecreations.com', 'www.strikecreations.com' ] website::https::redir { 'www.strikecreations.co.uk': proxy_4to6_ip => $proxy_4to6_ip, redir => 'https://bdstrike.co.uk/', serveraliases => $aliases, docroot => "${website::basedir}/bdstrike", docroot_owner => $defaultusers::secondary_user, docroot_group => 'editors', letsencrypt_name => 'strikecreations.com', separate_log => true, } cron { 'wordpress_cron': # Run "php -f wp-cron.php" on a schedule so that we can auto-update # without giving Apache full write access! command => "/usr/local/bin/bdstrike-cron", user => $defaultusers::default_user, minute => '*/15', } } class devsite ($proxy_4to6_ip) { if versioncmp($operatingsystemrelease, '8') >= 0 { # Apache::Mod doesn't map this correctly for CentOS 8 yet $mod_wsgi_lib = 'mod_wsgi_python3.so' } else { $mod_wsgi_lib = undef } apache::mod { # mod_wsgi for Python support 'wsgi': lib => $mod_wsgi_lib, } # Create Python virtualenvs for the dev site apps file { "/srv/rhodecode": ensure => 'directory'; "/srv/trac": ensure => 'directory'; } -> python::virtualenv { # Distribute is described as "simple compatibility layer that installs Setuptools 0.7+" # and leads to 'module "importlib._bootstrap" has no attribute "SourceFileLoader"' "/srv/rhodecode/virtualenv": distribute => false, version => '3'; "/srv/trac/virtualenv": distribute => false, version => '3'; } # Graphviz for Trac "master ticket" graphs package { 'graphviz': ensure => installed, } website::https::multitld { 'dev.ibboard': proxy_4to6_ip => $proxy_4to6_ip, #Make sure we're the first one hit for the tiny fraction of "no support" cases we care about (potentially Python for Mercurial!) # http://en.wikipedia.org/wiki/Server_Name_Indication#No_support priority => 1, letsencrypt_name => 'dev.ibboard.co.uk', custom_fragment => template("privat/apache/dev.fragment"), proxy_fragment => template("privat/apache/dev-proxy.fragment"), force_no_index => false, } } class webmailpimsite ($proxy_4to6_ip_pim, $proxy_4to6_ip_webmail) { # Webmail and Personal Information Management (PIM) sites website::https { 'webmail.ibboard.co.uk': proxy_4to6_ip => $proxy_4to6_ip_webmail, force_no_index => false, ssl_ca_chain => '', custom_fragment => template("privat/apache/webmail.fragment"), } website::https { 'pim.ibboard.co.uk': proxy_4to6_ip => $proxy_4to6_ip_pim, docroot_owner => 'apache', docroot_group => 'editors', force_no_index => false, lockdown_requests => false, ssl_ca_chain => '', csp => false, csp_report => false, custom_fragment => template("privat/apache/pim.fragment"), } cron { 'owncloudcron': command => "/usr/local/bin/owncloud-cron", user => 'apache', minute => '*/15', } } class email ( $mailserver, $imapserver, $mailserver_ip, $proxy_ip = undef, $proxy_upstream = [], $nat64_ranges = [], $mailrelays = [], ){ class { 'postfix': mailserver => $mailserver, mailserver_ip => $mailserver_ip, mailserver_proxy => $proxy_ip, proxy_upstream => $proxy_upstream, mailrelays => $mailrelays, nat64_ranges => $nat64_ranges, protocols => $mailserver_ip =~ Stdlib::IP::Address::V6 ? { true => 'all', default => 'ipv4' }, } class { 'dovecot': imapserver => $imapserver, imapserver_ip => $mailserver_ip, imapserver_proxy => $proxy_ip, proxy_upstream => $proxy_upstream, } # Unspecified SpamAssassin config dependencies that started # showing up as errors in our logs package { ['perl-File-MimeInfo']: ensure => installed, } package { [ 'amavisd-new' ]: ensure => installed, tag => 'av', } service { 'amavisd': ensure => 'running', enable => 'true', } service { 'clamd@amavisd': ensure => 'stopped', enable=> 'mask', } file { '/etc/amavisd/amavisd.conf': ensure => present, source => 'puppet:///private/postfix/amavisd.conf', tag => 'av', } file { '/etc/mail/spamassassin/local.cf': ensure => present, source => 'puppet:///private/postfix/spamassassin-local.cf', tag => 'av', } file { '/etc/mail/spamassassin/ole2macro.cf': ensure => present, source => 'puppet:///common/ole2macro.cf', tag => 'av', } file { '/etc/mail/spamassassin/ole2macro.pm': ensure => present, source => 'puppet:///common/spamassassin-vba-macro-master/ole2macro.pm', tag => 'av', } Package<| tag == 'av' |> -> File<| tag == 'av' |> File<| tag == 'av' |> { notify => Service['amavisd'], } cron { 'Postwhite': command => "/usr/local/bin/postwhite 2>&1| grep -vE '^(Starting|Recursively|Getting|Querying|Removing|Sorting|$)'", user => 'root', weekday => 0, hour => 2, minute => 0, } } class cronjobs { # Add Mutt for scripts that send emails, but stop it clogging the disk by keeping copies of emails package { 'mutt': ensure => installed, } file { '/etc/Muttrc.local': content => 'set copy = no', require => Package['mutt'], } # General server-wide cron jobs Cron { user => 'root' } cron { 'backupalldbs': command => "/usr/local/bin/backupalldbs", monthday => "*/2", hour => "4", minute => "9" } # Only run the Great Firewall Against China on IPv4 (since we don't have an IPv6 list # and the PROXY forwards the IPs to services, but not at the network level) cron { 'greatfirewallofchina': command => '/usr/local/bin/update-great-firewall-of-china', ensure => has_key($facts, 'ipaddress') ? { true => "present", default => "absent" }, hour => 3, minute => 30 } cron { 'permissions': command => '/usr/local/bin/set-permissions', hour => 3, minute => 2 } # Since we're only managing the local server, use our script that wraps "puppet apply" instead of PuppetMaster cron { 'puppet': command => '/usr/local/bin/puppet-apply | grep -v "Compiled catalog for\|Finished catalog run in\|Applied catalog in"', hour => '*/6', minute => 5 } cron { 'purgecaches': command => "/usr/local/bin/purge-caches", hour => '4', minute => '15', weekday => '1', } # Notify of uncommitted files cron { 'check-mercurial-committed': command => "/usr/local/bin/check-hg-status", hour => '4', minute => '20', weekday => '0-6/3', #Sunday, Wednesday and Saturday morning } # Notify of available updates cron { 'check-yum-updates': command => '/usr/bin/yum check-update | tail -2 | grep -Ev "^ \* [[:alnum:]-]+: [[:alnum:]\.]+$"', hour => '4', minute => '30', weekday => '0-6/3', #Sunday, Wednesday and Saturday morning } # And check whether anything needs restarting cron { 'check-needs-restarting': command => '/usr/bin/needs-restarting|grep -v "/usr/lib/systemd\|/usr/sbin/lvmetad\|/usr/lib/polkit-1/polkitd"', hour => '4', minute => '45', weekday => '0-6/3', #Sunday, Wednesday and Saturday morning } }