changeset 449:4a6ad700cded

Update config for real Raspberry Pi host * Add node config * Change Amavis setup because of Ubuntu differences * Change secondary IP address setup because Ubuntu still uses older networking approach * Make Postfix config more flexible
author IBBoard <dev@ibboard.co.uk>
date Wed, 26 Jul 2023 15:30:19 +0100
parents 460bf6514bd8
children f4ed14153cda
files manifests/nodes.pp manifests/templates.pp modules/privat/templates/eth0.epp modules/privat/templates/postfix
diffstat 4 files changed, 123 insertions(+), 11 deletions(-) [+]
--- a/manifests/nodes.pp	Sat Jul 15 13:31:32 2023 +0100
+++ b/manifests/nodes.pp	Wed Jul 26 15:30:19 2023 +0100
@@ -1,3 +1,22 @@
+node 'ibbpi.hostedpi.com' {
+	class { 'ibboardvpsnode':
+		primary_ip => '2a00:1098:0008:0157::1',
+		gateway_ip => '2a00:1098:0008:0157::2',
+		proxy_4to6_ip_prefix => '2a00:1098:0008:0157::01d4', # ::old4 for IPv4!
+		proxy_upstream => ['2a00:1098::82:1000:3b:1:1', '2a00:1098::80:1000:3b:1:1'],
+		nat64_ranges => ['64:ff9b::/96'],
+		mailserver => 'mail.ibboard.co.uk',
+		imapserver => 'imap.ibboard.co.uk',
+		mailrelays => ['mx.mythic-beasts.com'],
+		firewall_cmd => 'iptables',
+	}
+	firewall { '090 Allow SSH (IPv4-to-IPv6)':
+		dport => 22,
+		source => '2a00:1098:0:82:1000:0:5d5d:826a',
+		proto => 'tcp',
+		action => 'accept',
+	}
+}
 node 'vpsarm.home' {
 	class { 'ibboardvpsnode':
 		primary_ip => '2a00:23c8:a480:3701:5054:ff:fe42:65f9',
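Review bot: The new `firewall { '090 Allow SSH (IPv4-to-IPv6)': ... }` resource in the `ibbpi.hostedpi.com` node gives an IPv6 `source` but names no IPv6 provider; in puppetlabs-firewall the default provider is the IPv4 iptables one, so an IPv6 source is either rejected or silently lands in the wrong table unless a resource default is set elsewhere in the class (not visible here). Adding `provider => 'ip6tables',` (or the equivalent `protocol` parameter in newer module versions) pins the rule to the IPv6 table. The resource title says "IPv4-to-IPv6" while the `source` is a single IPv6 host, so a one-line comment naming what that host is (presumably the 4-to-6 proxy that the `proxy_4to6_ip_prefix` above belongs to) would make the rule self-explaining. The `# ::old4 for IPv4!` remark reads as a hex mnemonic for `::01d4`; spelling that out (`# ::01d4 reads as "old4": the IPv4-proxy address`) avoids it being taken for a typo.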
--- a/manifests/templates.pp	Sat Jul 15 13:31:32 2023 +0100
+++ b/manifests/templates.pp	Wed Jul 26 15:30:19 2023 +0100
@@ -62,6 +62,7 @@
 
 class basevpsnode (
 	$primary_ip,
+	$gateway_ip = undef,
 	$proxy_4to6_ip_prefix = undef,
 	$proxy_upstream = undef,
 	$nat64_ranges = [],
@@ -89,14 +90,44 @@
 	}
 
 	if $proxy_4to6_ip_prefix != undef {
-		# …:1 to …:9 for websites, …:10 for mail
-		$ipv6_addresses = Integer[1, 10].map |$octet| { "$proxy_4to6_ip_prefix:$octet" }
+		if $operatingsystem == 'Ubuntu' {
+			# Ubuntu can't parse the existing file, so we need to brute-force it with a template
+			file { "/etc/network/interfaces.d/eth0":
+				content => epp('privat/eth0.epp',
+					{
+						default_address => $primary_ip,
+						gateway_address => $gateway_ip,
+						prefix_address => $proxy_4to6_ip_prefix,
+					}
+				),
+			}
 
-		$ipv6_secondaries = join($ipv6_addresses, " ")
+#			# …:1 to …:9 for websites, …:10 for mail
+#			Integer[1, 10].each |$octet| {
+#				augeas { "IPv6 secondary address $octet":
+#					context => "/files/etc/network/interfaces.d/eth0",
+#					changes => [
+#						"set auto[child::1 = 'eth0:$octet']/1 eth0:$octet",
+#						"set no-auto-down[child::1 = 'eth0:$octet']/1 eth0:$octet",
+#						"set iface[. = 'eth0:$octet'] eth0:$octet",
+#						"set iface[. = 'eth0:$octet']/family inet6",
+#						"set iface[. = 'eth0:$octet']/method static",
+#						"set iface[. = 'eth0:$octet']/address $proxy_4to6_ip_prefix:$octet",
+#						"set iface[. = 'eth0:$octet']/netmask 64",
+#
+#					],
+#				}
+#			}
+		}
+		else {
+			# …:1 to …:9 for websites, …:10 for mail
+			$ipv6_addresses = Integer[1, 10].map |$octet| { "$proxy_4to6_ip_prefix:$octet" }
+			$ipv6_secondaries = join($ipv6_addresses, " ")
 
-		augeas {'IPv6 secondary addresses':
-			context => "/files/etc/sysconfig/network-scripts/ifcfg-eth0",
-			changes => "set IPV6ADDR_SECONDARIES '\"$ipv6_secondaries\"'",
+			augeas {'IPv6 secondary addresses':
+				context => "/files/etc/sysconfig/network-scripts/ifcfg-eth0",
+				changes => "set IPV6ADDR_SECONDARIES '\"$ipv6_secondaries\"'",
+			}
 		}
 	}
 
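Review bot: `$gateway_ip` is declared with a default of `undef`, but the new Ubuntu branch passes it straight into `epp('privat/eth0.epp', ...)` as `gateway_address`, and the template's signature (added in this changeset) types that parameter as a non-optional `Stdlib::IP::Address::V6`; an Ubuntu node that sets `proxy_4to6_ip_prefix` without `gateway_ip` therefore fails catalog compilation with a type-mismatch error instead of a message naming the missing parameter. A guard at the top of the branch, `if $gateway_ip == undef { fail('gateway_ip is required on Ubuntu hosts that set proxy_4to6_ip_prefix') }`, states the requirement explicitly. The sixteen commented-out `augeas` lines that follow the `file { "/etc/network/interfaces.d/eth0": ... }` resource are dead code that the history already preserves; either delete them or replace them with a one-line comment saying why augeas was abandoned for Ubuntu (the `# Ubuntu can't parse the existing file` remark already gives the reason). That `file` resource also carries no `notify`, so a rewritten interfaces file only takes effect on the next interface bring-up; if nothing elsewhere in `basevpsnode` subscribes to it, say so in a comment or add the dependency.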
@@ -229,7 +260,7 @@
 		require => Package['unbound'],
 		notify => Service['unbound'],
 	}
-	file { '/etc/NetworkManager/conf.d':
+	file { ['/etc/NetworkManager', '/etc/NetworkManager/conf.d']:
 		ensure => directory
 	}
 	file { '/etc/NetworkManager/conf.d/local-dns-resolver.conf':
@@ -344,6 +375,11 @@
 			ensure => installed
 		}
 	}
+	elsif $osfamily == 'Debian' {
+		package { 'dnsutils':
+			ensure => installed
+		}
+	}
 }
 
 class logrotate {
@@ -642,6 +678,7 @@
 
 class ibboardvpsnode (
 	$primary_ip,
+	$gateway_ip = undef,
 	$proxy_4to6_ip_prefix = undef,
 	$proxy_upstream = undef,
 	$nat64_ranges = [],
@@ -652,6 +689,7 @@
 	){
 	class { 'basevpsnode':
 		primary_ip => $primary_ip,
+		gateway_ip => $gateway_ip,
 		proxy_4to6_ip_prefix => $proxy_4to6_ip_prefix,
 		proxy_upstream => $proxy_upstream,
 		nat64_ranges => $nat64_ranges,
@@ -914,7 +952,10 @@
 	if $osfamily == 'RedHat' {
 		$spamassassin_deps = ['perl-File-MimeInfo']
 		$spamassassin_dir = '/etc/mail/spamassassin/'
-		$amavis_dir = '/etc/amavisd/'
+		$amavis_config = '/etc/amavisd/amavisd.conf'
+		$amavis_rundir = '/var/run/amavisd'
+		$amavis_spooldir = '/var/spool/amavisd'
+		$amavis_quarantinedir = '$HOME_DIR/quarantine'
 		$amavis_service = 'amavisd'
 		# CentOS has a Clam service, but we call on demand (Ubuntu doesn't have a service)
 		service { 'clamd@amavisd':
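Review bot: `$amavis_quarantinedir = '$HOME_DIR/quarantine'` is single-quoted, so the literal text `$HOME_DIR` reaches the template rather than being interpolated by Puppet; that looks deliberate (the amavis template or amavis itself presumably expands it) but it reads like a quoting slip, so a trailing comment `# literal: $HOME_DIR is expanded downstream, not by Puppet` on this line and on its Debian counterpart (`'$HOME_DIR/virusmails'` in the next hunk) would stop someone "correcting" it to double quotes. `$amavis_rundir = '/var/run/amavisd'` uses the legacy `/var/run` prefix, which on current distributions is a compatibility symlink to `/run`; it works, but `/run/amavisd` is the canonical path and the same applies to `/var/run/amavis` in the Debian branch. The enclosing `if $osfamily == 'RedHat'` block and the `service { 'clamd@amavisd':` resource continue past the end of the hunk.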
@@ -925,7 +966,10 @@
 	elsif $osfamily == 'Debian' {
 		$spamassassin_deps = ['libfile-mimeinfo-perl']
 		$spamassassin_dir = '/etc/spamassassin/'
-		$amavis_dir = '/etc/amavis/'
+		$amavis_config = '/etc/amavis/conf.d/60-puppeted'
+		$amavis_rundir = '/var/run/amavis'
+		$amavis_spooldir = '/var/lib/amavis'
+		$amavis_quarantinedir = '$HOME_DIR/virusmails'
 		$amavis_service = 'amavis'
 	}
 	package { $spamassassin_deps:
@@ -939,9 +983,16 @@
 		ensure => 'running',
 		enable => 'true',
 	}
-	file { "${amavis_dir}amavisd.conf":
+	file { $amavis_config:
 		ensure => present,
-		source => 'puppet:///private/postfix/amavisd.conf',
+		content => epp('privat/postfix/amavis.conf.epp',
+			{
+				fqdn => $::fqdn,
+				rundir => $amavis_rundir,
+				spooldir => $amavis_spooldir,
+				quarantinedir => $amavis_quarantinedir,
+			}
+		),
 		tag => 'av',
 	}
 	file { "${spamassassin_dir}local.cf":
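Review bot: The switch from `source => 'puppet:///private/postfix/amavisd.conf'` to `content => epp('privat/postfix/amavis.conf.epp', ...)` is resolved through the `modules/privat/templates/postfix` symlink added in this changeset, which points at `../../../private/postfix/templates` outside the modules tree; a one-line comment on the `content` line, `# privat/postfix/ is a symlink into the private repo's templates dir`, saves the next reader a search and explains why a missing private checkout breaks compilation. The resource keeps `tag => 'av'` but has no `notify`; whether the service declared just above subscribes to `File[$amavis_config]` lies outside the hunk, so if it does not, `notify => Service[$amavis_service],` is needed for configuration changes to be picked up. The `fqdn => $::fqdn` argument uses the legacy top-scope fact form; `$facts['networking']['fqdn']` is the current equivalent, though the old form still works.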
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/modules/privat/templates/eth0.epp	Wed Jul 26 15:30:19 2023 +0100
@@ -0,0 +1,41 @@
+<%- |
+	Stdlib::IP::Address::V6 $default_address,
+	Stdlib::IP::Address::V6 $gateway_address,
+	Stdlib::IP::Address::V6 $prefix_address, # Not actually an IP, but looks like one
+| -%>
+auto eth0
+no-auto-down eth0
+iface eth0 inet6 static
+    address <%= $default_address %>
+    netmask 64
+    gateway <%= $gateway_address %>
+iface eth0:1 inet6 static
+   address <%= $prefix_address %>:1
+   netmask 64
+iface eth0:2 inet6 static
+   address <%= $prefix_address %>:2
+   netmask 64
+iface eth0:3 inet6 static
+   address <%= $prefix_address %>:3
+   netmask 64
+iface eth0:4 inet6 static
+   address <%= $prefix_address %>:4
+   netmask 64
+iface eth0:5 inet6 static
+   address <%= $prefix_address %>:5
+   netmask 64
+iface eth0:6 inet6 static
+   address <%= $prefix_address %>:6
+   netmask 64
+iface eth0:7 inet6 static
+   address <%= $prefix_address %>:7
+   netmask 64
+iface eth0:8 inet6 static
+   address <%= $prefix_address %>:8
+   netmask 64
+iface eth0:9 inet6 static
+   address <%= $prefix_address %>:9
+   netmask 64
+iface eth0:10 inet6 static
+   address <%= $prefix_address %>:10
+   netmask 64
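Review bot: The ten `iface eth0:N inet6 static` stanzas are the same three lines repeated with only the octet changed, and their `address`/`netmask` lines are indented three spaces while the `eth0` stanza uses four; an EPP loop over `Integer[1, 10]` produces the identical file, keeps the alias count in one place, and lets the manifest's `# …:1 to …:9 for websites, …:10 for mail` remark sit next to the lines it describes. The signature types `$prefix_address` as `Stdlib::IP::Address::V6` even though its own comment says it is not an address; it only passes today because the configured prefix ends in `::01d4` and so happens to parse as a full address, and a prefix without `::` would be rejected at compile time, so `String` (or a `Pattern`) states the real contract. The template is consumed by the Ubuntu branch in `manifests/templates.pp`, whose `gateway_ip` argument defaults to `undef` and would not satisfy the non-optional `$gateway_address` type here.
```puppet
<%- |
	Stdlib::IP::Address::V6 $default_address,
	Stdlib::IP::Address::V6 $gateway_address,
	String $prefix_address, # Not an address: the first part of one, with a ':N' suffix appended per alias
| -%>
# … unchanged: auto / no-auto-down / iface eth0 stanza …
# …:1 to …:9 for websites, …:10 for mail
<% Integer[1, 10].each |$octet| { -%>
iface eth0:<%= $octet %> inet6 static
    address <%= $prefix_address %>:<%= $octet %>
    netmask 64
<% } -%>
```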
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/modules/privat/templates/postfix	Wed Jul 26 15:30:19 2023 +0100
@@ -0,0 +1,1 @@
+../../../private/postfix/templates
\ No newline at end of file