diff --git a/apache/templates/site.https.conf.erb b/apache/templates/site.https.conf.erb index 9cdf161..8ba1343 100644 --- a/apache/templates/site.https.conf.erb +++ b/apache/templates/site.https.conf.erb @@ -22,8 +22,8 @@ SSLProtocol all -SSLv2 # SSL Cipher Suite: # List the ciphers that the client is permitted to negotiate. # See the mod_ssl documentation for a complete list. - -SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:!LOW +SSLHonorCipherOrder On +SSLCipherSuite RC4-SHA:HIGH:!ADH # Server Certificate: # Point SSLCertificateFile at a PEM encoded certificate. If diff --git a/apt/manifests/init.pp b/apt/manifests/init.pp index 644d8ba..ec9ab18 100644 --- a/apt/manifests/init.pp +++ b/apt/manifests/init.pp @@ -362,3 +362,17 @@ class apt::repo::partner { } } + + +# Add Puppetlabs repository +# +class apt::repo::puppetlabs { + + apt::repo { "puppetlabs": + ensure => present, + source => "http://apt.puppetlabs.com/", + key => "4BD6EC30", + keyserver => "hkp://keys.gnupg.net", + } + +} diff --git a/custom/lib/puppet/provider/service/openbsd.rb b/custom/lib/puppet/provider/service/openbsd.rb index 0e0947c..9a08d29 100644 --- a/custom/lib/puppet/provider/service/openbsd.rb +++ b/custom/lib/puppet/provider/service/openbsd.rb @@ -4,7 +4,7 @@ Puppet::Type.type(:service).provide :openbsd, :parent => :base do desc "OpenBSD service management." - version = ["4.9", "5.0"] + version = ["4.9", "5.0", "5.1"] confine :operatingsystem => :openbsd confine :operatingsystemrelease => version defaultfor :operatingsystem => :openbsd diff --git a/dhcp/manifests/init.pp b/dhcp/manifests/init.pp index 1c31758..9323270 100644 --- a/dhcp/manifests/init.pp +++ b/dhcp/manifests/init.pp 
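Review bot: Listing `RC4-SHA` first with `SSLHonorCipherOrder On` makes the server choose RC4 for every client that offers it, so the ordered list actively prefers a cipher that is considered broken rather than tolerating it as a last resort (RFC 7465 prohibits RC4 in TLS). If RC4 was placed first as a BEAST workaround, the trade is a known-weak stream cipher against an attack that is mitigated client-side; `SSLCipherSuite HIGH:!aNULL:!ADH:!MD5:!RC4` keeps the server-side ordering benefit without it, or put `RC4-SHA` at the end if one legacy client still needs it. The rewrite also dropped the explicit `!EXPORT` and `!LOW` exclusions; `HIGH` excludes them today, but an explicit `!aNULL:!EXPORT:!LOW` does not depend on how OpenSSL defines the `HIGH` alias in a later release. The `SSLProtocol all -SSLv2` context line still admits SSLv3, which is the natural companion change (`SSLProtocol all -SSLv2 -SSLv3`) when the suite is being tightened.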
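Review bot: `key => "4BD6EC30"` pins the Puppet Labs repository by a 32-bit short key ID fetched over plain `hkp://`, and short IDs are cheap to collide while the HKP transport is unauthenticated, so the only thing anchoring the trust in this repository is the ID string itself. Prefer the full 40-hex-digit fingerprint, `key => "<FULL_FINGERPRINT_PLACEHOLDER>"`, together with `keyserver => "hkps://keys.gnupg.net"` or another TLS keyserver, or ship the public key from the fileserver if `apt::repo` accepts a key source (its interface is not visible in this diff, so confirm). `source => "http://apt.puppetlabs.com/"` is also plain HTTP; apt verifies the signed Release file, so that is acceptable once the key is pinned by fingerprint, but it is worth a one-line comment stating that the signature check is what protects the download.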
@@ -1,6 +1,28 @@ class dhcp::server::common { + case $::operatingsystem { + "centos": { + case $::operatingsystemrelease { + /[45]\.[0-9]/: { + $confdir = "/etc" + } + default: { + $confdir = "/etc/dhcp" + } + } + } + "debian","ubuntu": { + $confdir = "/etc/dhcp3" + } + "fedora": { + $confdir = "/etc/dhcp" + } + default: { + $confdir = "/etc" + } + } + package { "dhcp": name => $operatingsystem ? { Debian => "dhcp3-server", @@ -73,12 +95,8 @@ class dhcp::server::common { class dhcp::server inherits dhcp::server::common { - file { "/etc/dhcpd.conf": - name => $operatingsystem ? { - debian => "/etc/dhcp3/dhcpd.conf", - ubuntu => "/etc/dhcp3/dhcpd.conf", - default => "/etc/dhcpd.conf", - }, + file { "dhcpd.conf": + name => "${confdir}/dhcpd.conf", ensure => present, source => [ "puppet:///files/dhcp/dhcpd.conf.${fqdn}", "puppet:///files/dhcp/dhcpd.conf", ], @@ -110,8 +128,9 @@ class dhcp::server::ldap inherits dhcp::server::common { }, } - file { "/etc/dhcpd.conf.in": + file { "dhcpd.conf.in": ensure => present, + name => "${confdir}/dhcpd.conf.in", source => [ "puppet:///files/dhcp/dhcpd.conf.in.${hostname}", "puppet:///files/dhcp/dhcpd.conf.in", ], mode => "0644", @@ -125,10 +144,10 @@ class dhcp::server::ldap inherits dhcp::server::common { exec { "generate-dhcp-conf": path => "/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin", - command => "dhcpdump.py /etc/dhcpd.conf.in* > /etc/dhcpd.conf", - unless => "dhcpdump.py /etc/dhcpd.conf.in* | diff /etc/dhcpd.conf -", + command => "dhcpdump.py ${confdir}/dhcpd.conf.in* > ${confdir}/dhcpd.conf", + unless => "dhcpdump.py ${confdir}/dhcpd.conf.in* | diff ${confdir}/dhcpd.conf -", require => [ - File["/etc/dhcpd.conf.in"], + File["dhcpd.conf.in"], File["/usr/local/sbin/dhcpdump.py"], Class["python"], Class["ldap::client"], diff --git a/dns/manifests/init.pp b/dns/manifests/init.pp index ee3ec43..b2ad76a 100644 --- a/dns/manifests/init.pp +++ b/dns/manifests/init.pp 
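Review bot: The CentOS release match `/[45]\.[0-9]/` in the new `case $::operatingsystemrelease` is unanchored, so it tests for the digit pair anywhere in the string rather than for a 4.x/5.x release; `/^[45]\./` states the intent and cannot be satisfied by an unrelated substring. The new arms also mix `$::operatingsystem` with the `$operatingsystem ? {` selector left as context a few lines below; picking one form (the explicit top-scope `$::` is the safer one) keeps the class consistent. The `dhcp::server::common` class continues past the hunk.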
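Review bot: `command => "dhcpdump.py ${confdir}/dhcpd.conf.in* > ${confdir}/dhcpd.conf"` truncates the live dhcpd.conf before dhcpdump.py has written anything, so a failure part-way through (LDAP unreachable, Python error) leaves the DHCP server with an empty or partial configuration until the next successful run. Generate into a temporary file and move it into place only on success: `command => "dhcpdump.py ${confdir}/dhcpd.conf.in* > ${confdir}/dhcpd.conf.tmp && mv ${confdir}/dhcpd.conf.tmp ${confdir}/dhcpd.conf"`. The `unless` line is unaffected by this change. The `generate-dhcp-conf` exec's `require` list continues past the hunk.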
@@ -233,18 +233,25 @@ class dns::server::ldap inherits dns::server { # define dns::zone($role = "master", $master = "", $slaves = [], $source = "AUTO") { - $zone = $name + $tmpname = regsubst($name, '([^/]+/)?([0-9]+)/([0-9\.]+\.in-addr\.arpa)', '\1\2-\3') + case dirname($tmpname) { + ".": { $view = "" } + "default": { $view = "" } + default: { $view = regsubst(dirname($tmpname), '^(.*)', '\1/') } + } + $zone = basename($tmpname) + case $role { "master": { case $operatingsystem { "openbsd": { - $zonedir = "/master" + $zonedir = "/master/${view}" } "fedora","centos": { - $zonedir = "/var/named" + $zonedir = "/var/named/${view}" } "ubuntu": { - $zonedir = "/etc/bind" + $zonedir = "/etc/bind/${view}" } } } @@ -254,13 +261,13 @@ define dns::zone($role = "master", $master = "", $slaves = [], $source = "AUTO") } case $operatingsystem { "openbsd": { - $zonedir = "/slave" + $zonedir = "/slave/${view}" } "fedora","centos": { - $zonedir = "/var/named/slaves" + $zonedir = "/var/named/slaves/${view}" } "ubuntu": { - $zonedir = "/var/cache/bind" + $zonedir = "/var/cache/bind/${view}" } } } 
@@ -269,8 +276,28 @@ define dns::zone($role = "master", $master = "", $slaves = [], $source = "AUTO") } } - $zonefile = regsubst($zone, '\/', '-') - file { "${dns::server::chroot}${dns::server::confdir}/zone.${zonefile}": + if $view != "" { + if !defined(File["${dns::server::chroot}${dns::server::confdir}/${view}"]) { + file { "${dns::server::chroot}${dns::server::confdir}/${view}": + ensure => directory, + mode => "0750", + owner => "root", + group => $dns::server::group, + before => File["${dns::server::chroot}${dns::server::confdir}/${view}zone.${zone}"], + } + } + if !defined(File["${dns::server::chroot}${zonedir}"]) { + file { "${dns::server::chroot}${zonedir}": + ensure => directory, + mode => "0750", + owner => "root", + group => $dns::server::group, + before => File["${dns::server::chroot}${zonedir}db.${zone}"], + } + } + } + + file { "${dns::server::chroot}${dns::server::confdir}/${view}zone.${zone}": ensure => present, content => template("dns/zone.$role.erb"), mode => "0640", @@ -285,7 +312,7 @@ define dns::zone($role = "master", $master = "", $slaves = [], $source = "AUTO") if $role == "master" and $zone != "." { if $source != "AUTO" { - file { "${dns::server::chroot}${zonedir}/db.${zonefile}": + file { "${dns::server::chroot}${zonedir}db.${zone}": ensure => present, source => $source, mode => "0640", @@ -298,7 +325,7 @@ define dns::zone($role = "master", $master = "", $slaves = [], $source = "AUTO") notify => Exec["generate-named-conf"], } } else { - file { "${dns::server::chroot}${zonedir}/db.${zonefile}": + file { "${dns::server::chroot}${zonedir}/db.${zone}": ensure => present, content => template("dns/db.erb"), mode => "0640", 
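Review bot: The zone directory's `before => File["${dns::server::chroot}${zonedir}db.${zone}"]` names the zone file without a separator, matching only the `$source != "AUTO"` branch in the `@@ -285` hunk; the `AUTO` branch in the `@@ -298` hunk (and the `-dynamic`/`-static` files in the following hunks) declares `"${dns::server::chroot}${zonedir}/db.${zone}"` with a slash, so for an AUTO-sourced zone in a view the relationship targets a resource that is never declared and Puppet rejects it as a missing dependency, while the slashed form also produces a `//` in the path since `$zonedir` already ends in `/`. For `$role == "slave"` no `db.${zone}` file is declared at all (the `if $role == "master" and $zone != "."` guard is context in the next hunk), so the `before` dangles there too. Settle on one composition — since `$zonedir` always ends in `/`, drop the extra slash from the AUTO-branch title, `file { "${dns::server::chroot}${zonedir}db.${zone}":`, and from the `-dynamic`/`-static` titles — and guard the `before` with the same `$role == "master"` condition, or express the ordering via `require` on the zone files instead. Titles ending in `/` (the confdir view directory) also depend on the file type normalizing trailing slashes; confirm on the Puppet version in use. The `dns::zone` define continues outside the hunk.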
@@ -310,10 +337,12 @@ define dns::zone($role = "master", $master = "", $slaves = [], $source = "AUTO") }, notify => Service["named"], } - file { "${dns::server::chroot}${zonedir}/db.${zonefile}-dynamic": + file { "${dns::server::chroot}${zonedir}/db.${zone}-dynamic": ensure => present, - source => [ "puppet:///files/dns/db.${zonefile}-dynamic.${homename}", - "puppet:///modules/dns/empty", ], + source => [ + "puppet:///files/dns/db.${zone}-dynamic.${homename}", + "puppet:///modules/dns/empty", + ], mode => "0640", owner => "root", group => $dns::server::group, @@ -323,10 +352,12 @@ define dns::zone($role = "master", $master = "", $slaves = [], $source = "AUTO") }, notify => Service["named"], } - file { "${dns::server::chroot}${zonedir}/db.${zonefile}-static": + file { "${dns::server::chroot}${zonedir}/db.${zone}-static": ensure => present, - source => [ "puppet:///files/dns/db.${zonefile}-static.${homename}", - "puppet:///modules/dns/empty", ], + source => [ + "puppet:///files/dns/db.${zone}-static.${homename}", + "puppet:///modules/dns/empty", + ], mode => "0640", owner => "root", group => $dns::server::group, diff --git a/dns/templates/generate-named-conf.sh.erb b/dns/templates/generate-named-conf.sh.erb index 53daf33..4d5107a 100644 --- a/dns/templates/generate-named-conf.sh.erb +++ b/dns/templates/generate-named-conf.sh.erb 
@@ -4,21 +4,25 @@ chroot="<%= chroot %>" confdir="<%= confdir %>" operatingsystem="<%= operatingsystem %>" -cat < $apache::sslserver::group, require => File["/etc/hastymail2"], } - exec { "rm /etc/hastymail2/hastymail2.rc && php /usr/local/share/hastymail/install_scripts/install_config.php /etc/hastymail2/hastymail2.conf /etc/hastymail2/hastymail2.rc": + exec { "rm -f /etc/hastymail2/hastymail2.rc && php /usr/local/share/hastymail/install_scripts/install_config.php /etc/hastymail2/hastymail2.conf /etc/hastymail2/hastymail2.rc": path => "/bin:/usr/bin:/sbin:/usr/sbin", refreshonly => true, require => Util::Extract::Tar["/usr/local/share/hastymail"], diff --git a/kerberos/templates/kadm5.acl.erb b/kerberos/templates/kadm5.acl.erb index 1c4d269..bf48058 100644 --- a/kerberos/templates/kadm5.acl.erb +++ b/kerberos/templates/kadm5.acl.erb @@ -1 +1,2 @@ puppet/admin@<%= kerberos_realm %> ci */*@<%= kerberos_realm %> +smbkrb5pwd/<%= homename %>@<%= kerberos_realm %> ac *@<%= kerberos_realm %> diff --git a/ldap/files/ldap.sysconfig b/ldap/files/ldap.sysconfig index 633a48d..a9f59e2 100644 --- a/ldap/files/ldap.sysconfig +++ b/ldap/files/ldap.sysconfig @@ -14,3 +14,6 @@ SLAPD_LDAPI=yes # Run slapd with -h "... ldaps:/// ..." # yes/no, default: no SLAPD_LDAPS=yes + +# Kerberos keytab path +KRB5_KTNAME="/etc/openldap/slapd.keytab" diff --git a/ldap/manifests/init.pp b/ldap/manifests/init.pp index 79492c2..edfb52e 100644 --- a/ldap/manifests/init.pp +++ b/ldap/manifests/init.pp @@ -416,6 +416,7 @@ class ldap::server { recurse => true, force => true, require => Package["openldap-server"], + notify => Exec["generate-slapd-database-config"], } if $operatingsystem == "CentOS" and $operatinsystemrelease !~ /^5\./ { @@ -493,6 +494,7 @@ class ldap::server { recurse => true, force => true, require => Package["openldap-server"], + notify => Exec["generate-slapd-schema-config"], } file { "${config}/slapd.conf.d/schema.conf": ensure => present, 
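Review bot: The added ACL line `smbkrb5pwd/<%= homename %>@<%= kerberos_realm %> ac *@<%= kerberos_realm %>` grants add and change-password rights over every single-component principal in the realm, i.e. every user account (the `*/admin` instances fall outside the `*@` pattern, which is right), so whoever holds slapd's keytab can reset any user's password. That is the overlay's job, but the keytab named in the ldap.sysconfig hunk on this line, `KRB5_KTNAME="/etc/openldap/slapd.keytab"`, is not managed anywhere in the diff; a `file` resource pinning it to `mode => "0600"` and the slapd service user, plus a comment above the ACL entry such as `# smbkrb5pwd overlay: creates user principals and sets their passwords; scope is all single-component principals`, would document and contain the exposure. If the principal only ever needs to change passwords of principals it created, consider whether the `a` permission can be granted more narrowly.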
@@ -502,9 +504,10 @@ class ldap::server { require => Exec["generate-slapd-schema-config"], } exec { "generate-slapd-schema-config": - command => "find ${config}/schema/*.schema -exec echo 'include {}' \; | sort -n > ${config}/slapd.conf.d/schema.conf", + command => "find ${config}/schema/*.schema -exec echo 'include {}' \\; | sort -n > ${config}/slapd.conf.d/schema.conf", path => "/bin:/usr/bin:/sbin:/usr/sbin", refreshonly => true, + require => File["${config}/slapd.conf.d"], notify => Service["slapd"], } ldap::server::schema { [ "core", "cosine", "ppolicy", ]: @@ -520,7 +523,7 @@ class ldap::server { notify => Service["slapd"], } exec { "generate-slapd-database-config": - command => "find ${config}/slapd.conf.d/db.*.conf -exec echo 'include {}' \; > ${config}/slapd.conf.d/database.conf", + command => "find ${config}/slapd.conf.d/db.*.conf -exec echo 'include {}' \\; > ${config}/slapd.conf.d/database.conf", path => "/bin:/usr/bin:/sbin:/usr/sbin", refreshonly => true, notify => Service["slapd"], @@ -546,11 +549,16 @@ class ldap::server { # Password for uid=replicator,cn=config,${name} user on master. # Only needed for slave databases. # +# $moduleoptions: +# Options for overlay modules. +# # === Sample usage # -# ldap::server::database { "dc=example,dc=com": } +# ldap::server::database { "dc=example,dc=com": +# moduleoptions => [ "smbkrb5pwd-enable=samba", ] +# } # -define ldap::server::database($aclsource = "", $master = "", $syncpw = "") { +define ldap::server::database($aclsource = "", $master = "", $syncpw = "", $moduleoptions = []) { include ldap::server diff --git a/ldap/templates/slapd-database.conf.erb b/ldap/templates/slapd-database.conf.erb index ebc524b..b5b2bb7 100644 --- a/ldap/templates/slapd-database.conf.erb +++ b/ldap/templates/slapd-database.conf.erb 
@@ -8,6 +8,16 @@ suffix "<%= name %>" checkpoint 1024 15 rootdn "cn=manager,<%= name %>" +<% if has_variable?("ldap_server_modules") -%> +<% ldap_server_modules.each do |name| -%> +overlay <%= name %> +<% end -%> +<% end -%> + +<% moduleoptions.each do |name| -%> +<%= name.split("=")[0] %> <%= name.split("=")[1] %> +<% end -%> + overlay ppolicy ppolicy_default cn=pwdPolicy,cn=config,<%= name %> ppolicy_hash_cleartext diff --git a/ldap/templates/slapd.conf.erb b/ldap/templates/slapd.conf.erb index 23fac27..75aadc5 100644 --- a/ldap/templates/slapd.conf.erb +++ b/ldap/templates/slapd.conf.erb @@ -28,7 +28,7 @@ moduleload ppolicy.la moduleload syncprov.la <% if has_variable?('ldap_server_modules') -%> <% ldap_server_modules.each do |name| -%> -moduleload <%= name %> +moduleload <%= name %>.la <% end -%> <% end -%> diff --git a/munin/manifests/init.pp b/munin/manifests/init.pp index 9de5885..444dc32 100644 --- a/munin/manifests/init.pp +++ b/munin/manifests/init.pp @@ -44,6 +44,17 @@ class munin::node { notify => Exec["munin-node-configure"], } + if $kernel == "Linux" { + file { "/var/lib/munin/plugin-state": + ensure => directory, + mode => "0775", + owner => "munin", + group => "munin", + before => Service["munin-node"], + require => Package["munin-node"], + } + } + @@file { "/etc/munin/nodes.d/${homename}.conf": ensure => present, content => "[${homename}]\n address ${ipaddress}\n use_node_name yes\n", diff --git a/puppet/bootstrap-server.sh b/puppet/bootstrap-server.sh index 35e720c..ca2e3b3 100755 --- a/puppet/bootstrap-server.sh +++ b/puppet/bootstrap-server.sh @@ -74,5 +74,5 @@ EOF fi puppet cert --keylength 4096 --list -puppet apply --no-report --tags bootstrap /etc/puppet/manifests/site.pp +puppet apply --no-report --tags apt,yum,ruby /etc/puppet/manifests/site.pp puppet apply --no-report /etc/puppet/manifests/site.pp diff --git a/puppet/manifests/init.pp b/puppet/manifests/init.pp index 5849d70..34182f8 100644 --- a/puppet/manifests/init.pp 
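Review bot: `<%= name.split("=")[0] %> <%= name.split("=")[1] %>` drops everything after a second `=` and renders an empty value with a trailing space when an option has none, so `foo=bar=baz` is silently truncated to `foo bar`. A two-part split keeps the remainder intact: `<%= name.split("=", 2).join(" ") %>`. The block variable `name` in both new `each` loops also shadows the template's `name` (the database suffix used in `suffix` and `rootdn` just above), which invites confusion; `|opt|` and `|mod|` would read unambiguously.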
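Review bot: Replacing `--tags bootstrap` with `--tags apt,yum,ruby` leaves the `tag("bootstrap")` calls in the manifests without a consumer: `puppet::client` still carries one (context in the next hunk) and the ssh hunk further down newly adds one to `ssh::hostkeys`. Either the tag is now dead and the additions should go, or the first pass should keep selecting it: `puppet apply --no-report --tags bootstrap,apt,yum,ruby /etc/puppet/manifests/site.pp`. This is inferred from the hunks visible here; there may be other users of the tag outside the diff.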
+++ b/puppet/manifests/init.pp @@ -1,6 +1,17 @@ # Install and configure Puppet client. # +# === Global variables +# +# $puppet_server: +# Hostname of puppet server. Defaults to 'puppet'. +# +# $puppet_keylength: +# Length of client keys. Defaults to 2048. +# +# $puppet_diffargs: +# Arguments for puppet's use of diff. Unset by default. +# class puppet::client { tag("bootstrap") @@ -13,10 +24,6 @@ class puppet::client { $puppet_keylength = "2048" } - if ! $puppet_diffargs { - $puppet_diffargs = "-u" - } - case $operatingsystem { openbsd: { $vardir = "/var/puppet" } default: { $vardir = "/var/lib/puppet" } diff --git a/puppet/templates/puppet.conf.erb b/puppet/templates/puppet.conf.erb index 8670b0b..1e5a08c 100644 --- a/puppet/templates/puppet.conf.erb +++ b/puppet/templates/puppet.conf.erb @@ -39,9 +39,11 @@ # The bit length of keys. keylength = <%= puppet_keylength %> +<% if has_variable?("puppet_diffargs") -%> # Arguments for puppet's use of diff diff_args = <%= puppet_diffargs %> +<% end -%> <% if puppetversion[/\d+/].to_i >= 2 -%> [agent] # Ignore site manifest when run as agent. Fixes warnings about diff --git a/samba/manifests/init.pp b/samba/manifests/init.pp index 2d23b2d..06fb6ac 100644 --- a/samba/manifests/init.pp +++ b/samba/manifests/init.pp @@ -25,6 +25,30 @@ class samba::server { subscribe => File["/etc/samba/smb.conf"], } } + centos: { + case $operatingsystemrelease { + /^[1-5]\./: { + service { "smb": + ensure => running, + enable => true, + hasstatus => true, + hasrestart => true, + require => File["/etc/samba/smb.conf"], + subscribe => File["/etc/samba/smb.conf"], + } + } + default: { + service { [ "smb", "nmb" ]: + ensure => running, + enable => true, + hasstatus => true, + hasrestart => true, + require => File["/etc/samba/smb.conf"], + subscribe => File["/etc/samba/smb.conf"], + } + } + } + } fedora: { service { [ "smb", "nmb" ]: ensure => running, 
@@ -46,14 +70,7 @@ class samba::server { } } default: { - service { "smb": - ensure => running, - enable => true, - hasstatus => true, - hasrestart => true, - require => File["/etc/samba/smb.conf"], - subscribe => File["/etc/samba/smb.conf"], - } + fail("samba::server not supported in '${operatingsystem}'") } } @@ -145,7 +162,7 @@ class samba::ldap { environment => "SECRET=${samba_ldap_pass}", path => "/bin:/usr/bin:/sbin:/usr/sbin", unless => "tdbtool /etc/samba/secrets.tdb keys | fgrep 'SECRETS/LDAP_BIND_PW/'", - require => Package["samba"], + require => File["/etc/samba/smb.conf"], notify => Service["smb"], } diff --git a/selinux/manifests/init.pp b/selinux/manifests/init.pp index aa33a80..7c43d13 100644 --- a/selinux/manifests/init.pp +++ b/selinux/manifests/init.pp 
@@ -189,3 +189,99 @@ define selinux::manage_port($type, $proto) { } } + + +# Install new SELinux module +# +# === Parameters +# +# $name: +# Module name +# $source: +# Module source (.te) or compiled file (.pp). +# +# === Sample usage +# +# selinux::module { "munin-local": +# source => "puppet:///files/common/selinux/munin-local.te", +# } +# +define selinux::module($source) { + + $ext = regsubst($source, '.*\.(te|pp)', '\1') + case $ext { + "te": { + include selinux::module::devel + file { "/usr/local/src/selinux/${name}.te": + ensure => present, + source => $source, + mode => "0644", + owner => "root", + group => "root", + require => File["/usr/local/src/selinux"], + notify => Exec["selinux-module-compile"], + } + $module = "/usr/local/src/selinux/${name}.pp" + } + "pp": { + $module = $source + } + default: { + fail("Invalid source '${source}' for selinux::module") + } + } + + file { "/usr/share/selinux/targeted/${name}.pp": + ensure => present, + source => $module, + mode => "0644", + owner => "root", + group => "root", + require => $ext ? 
{ + "te" => Exec["selinux-module-compile"], + default => undef, + }, + } + + selmodule { $name: + ensure => present, + require => File["/usr/share/selinux/targeted/${name}.pp"], + syncversion => true, + } + +} + + +# Prequisites for compiling SELinux modules +# +class selinux::module::devel { + + include selinux::tools + + if $::operatingsystem == "CentOS" { + if $::operatingsystemrelease =~ /^5\.[0-9]/ { + package { "selinux-policy-devel": + ensure => installed, + before => File["/usr/local/src/selinux"], + } + } + } + + file { "/usr/local/src/selinux": + ensure => directory, + mode => "0755", + owner => "root", + group => "root", + require => Class["selinux::tools"], + } + + exec { "selinux-module-compile": + path => "/bin:/usr/bin:/sbin:/usr/sbin", + command => "make -f /usr/share/selinux/devel/Makefile", + cwd => "/usr/local/src/selinux", + user => "root", + refreshonly => true, + require => Class["selinux::tools"], + } + +} diff --git a/sendmail/files/aliases b/sendmail/files/aliases new file mode 100644 index 0000000..42a6b60 --- /dev/null +++ b/sendmail/files/aliases @@ -0,0 +1,19 @@ +# +# Aliases in this file will NOT be expanded in the header from +# Mail, but WILL be visible over networks or from /bin/mail. +# +# >>>>>>>>>> The program "newaliases" must be run after +# >> NOTE >> this file is updated for any changes to +# >>>>>>>>>> show through to sendmail. +# + +# Basic system aliases -- these MUST be present. +mailer-daemon: postmaster +postmaster: root + +# General redirections for important pseudo accounts +daemon: root + +# RFC 2142: NETWORK OPERATIONS MAILBOX NAMES +abuse: root +security: root diff --git a/sendmail/files/empty b/sendmail/files/empty new file mode 100644 index 0000000..e69de29 diff --git a/sendmail/manifests/init.pp b/sendmail/manifests/init.pp index 4edba7b..53ad628 100644 --- a/sendmail/manifests/init.pp +++ b/sendmail/manifests/init.pp 
@@ -112,24 +112,65 @@ class sendmail::client::msa inherits sendmail::client { # Configure Sendmail server. # -# $sendmail_domain: +# $mail_domain: # SMTP domain name. +# +# $sendmail_auth_mech: +# List of authentication mechanisms to use. Defaults to PLAIN and LOGIN. +# +# $sendmail_ssl_key: +# +# $sendmail_ssl_cert: +# class sendmail::server inherits sendmail::common { include procmail + if !$sendmail_auth_mech { + $sendmail_auth_mech = [ "PLAIN", "LOGIN", ] + } + + $ssl_key = basename($sendmail_ssl_key) + $ssl_cert = basename($sendmail_ssl_cert) + if $sendmail_ssl_chain { + $ssl_chain = basename($sendmail_ssl_chain) + } + case $operatingsystem { - centos,redhat: { - $sendmail_ostype = "linux" - $group = "root" + "centos","fedora": { File["/etc/sysconfig/sendmail"] { content => "DAEMON=yes\nQUEUE=1h\n", } - } ubuntu: { - fail("Operating system not supported.") - } openbsd: { - $sendmail_ostype = "openbsd" - $group = "wheel" + } + default: { + fail("sendmail::server not supported in '${::operatingsystem}'") + } + } + + file { "/etc/pki/tls/private/${ssl_key}": + ensure => present, + source => $sendmail_ssl_key, + mode => "0600", + owner => "root", + group => "root", + notify => Service["sendmail"], + } + file { "/etc/pki/tls/certs/${ssl_cert}": + ensure => present, + source => $sendmail_ssl_cert, + mode => "0644", + owner => "root", + group => "root", + notify => Service["sendmail"], + } + if $ssl_chain { + file { "/etc/pki/tls/certs/${ssl_chain}": + ensure => present, + source => $sendmail_ssl_chain, + mode => "0644", + owner => "root", + group => "root", + notify => Service["sendmail"], } } 
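Review bot: `$ssl_key = basename($sendmail_ssl_key)` and `$ssl_cert = basename($sendmail_ssl_cert)` run without the guard that `$sendmail_auth_mech` gets a few lines above; with either global unset the result is, at best, a compile error from `basename`, and at worst a resource titled `/etc/pki/tls/private/` or `/etc/pki/tls/certs/` with `ensure => present` and an empty `source`, while the generated sendmail.mc points TLS at files that do not exist. Fail early and explicitly: `if !$sendmail_ssl_key or !$sendmail_ssl_cert { fail("sendmail::server requires \$sendmail_ssl_key and \$sendmail_ssl_cert") }`. The header comment leaves `$sendmail_ssl_key:` and `$sendmail_ssl_cert:` without a description and omits `$sendmail_ssl_chain` entirely; `Puppet source URL of the server TLS private key; installed as mode 0600 under /etc/pki/tls/private.`, the certificate equivalent, and `Optional CA chain, installed under /etc/pki/tls/certs.` would complete it. The class continues past the hunk.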
@@ -140,47 +181,151 @@ class sendmail::server inherits sendmail::common { }, content => template("sendmail/sendmail.mc.erb"), owner => "root", - group => $group, + group => "root", mode => "0644", notify => Exec["make sendmail.cf"], } - - file { "/etc/aliases": - ensure => present, - notify => Exec["newaliases"], - owner => "root", - group => $group, - mode => "0644", - } - exec { "make sendmail.cf": - path => "/bin:/usr/bin:/sbin:/usr/sbin", + path => "/bin:/usr/bin:/sbin:/usr/sbin:/etc/mail", cwd => $operatingsystem ? { - openbsd => "/usr/share/sendmail/cf", - default => "/etc/mail", + "openbsd" => "/usr/share/sendmail/cf", + default => "/etc/mail", }, require => $operatingsystem ? { - openbsd => undef, - default => Package["sendmail"], + "openbsd" => undef, + default => Package["sendmail"], }, refreshonly => true, } - file { "/etc/mail/sendmail.cf": ensure => present, - owner => "root", - group => $group, mode => "0644", + owner => "root", + group => "root", source => $operatingsystem ? { - openbsd => "/usr/share/sendmail/cf/sendmail.cf", - default => undef, + "openbsd" => "/usr/share/sendmail/cf/sendmail.cf", + default => undef, }, require => Exec["make sendmail.cf"], notify => Service["sendmail"], } + file { "/etc/mail/certs": + ensure => directory, + mode => "0755", + owner => "root", + group => "root", + } + exec { "populate-etc-mail-certs": + path => "/bin:/usr/bin:/sbin:/usr/sbin", + command => "csplit /etc/pki/tls/certs/ca-bundle.crt '/BEGIN/' '{*}' ; sh -c 'for i in x* ; do name=`openssl x509 -hash -noout -in \$i`.0 ; openssl x509 -hash -in \$i -out \$name ; done' && rm -f x* .0", + cwd => "/etc/mail/certs", + onlyif => "find /etc/mail/certs ! -newer /etc/pki/tls/certs/ca-bundle.crt | egrep '.*' || [ -z \"`ls /etc/mail/certs`\" ]", + require => File["/etc/mail/certs"], + before => Service["sendmail"], + } + + file { "/etc/aliases": + ensure => present, + name => $operatingsystem ? 
{ + "openbsd" => "/etc/mail/aliases", + default => "/etc/aliases", + }, + source => [ + "puppet:///files/mail/aliases", + "puppet:///modules/sendmail/aliases", + ], + mode => "0644", + owner => "root", + group => "root", + notify => Exec["newaliases"], + } exec { "newaliases": path => "/bin:/usr/bin:/sbin:/usr/sbin", refreshonly => true, } + + file { "/etc/mail/access": + ensure => present, + source => [ + "puppet:///files/mail/access", + "puppet:///modules/sendmail/empty", + ], + mode => "0644", + owner => "root", + group => "root", + notify => Exec["make access.db"], + } + exec { "make access.db": + path => "/bin:/usr/bin:/sbin:/usr/sbin", + command => "makemap hash /etc/mail/access < /etc/mail/access", + refreshonly => true, + notify => Service["sendmail"], + } + + file { "/etc/mail/genericstable": + ensure => present, + source => [ + "puppet:///files/mail/genericstable", + "puppet:///modules/sendmail/empty", + ], + mode => "0644", + owner => "root", + group => "root", + notify => Exec["make genericstable.db"], + } + exec { "make genericstable.db": + path => "/bin:/usr/bin:/sbin:/usr/sbin", + command => "makemap hash /etc/mail/genericstable < /etc/mail/genericstable", + refreshonly => true, + notify => Service["sendmail"], + } + + file { "/etc/mail/mailertable": + ensure => present, + source => [ + "puppet:///files/mail/mailertable", + "puppet:///modules/sendmail/empty", + ], + mode => "0644", + owner => "root", + group => "root", + notify => Exec["make mailertable.db"], + } + exec { "make mailertable.db": + path => "/bin:/usr/bin:/sbin:/usr/sbin", + command => "makemap hash /etc/mail/mailertable < /etc/mail/mailertable", + refreshonly => true, + notify => Service["sendmail"], + } + + file { "/etc/mail/virtusertable": + ensure => present, + source => [ + "puppet:///files/mail/virtusertable", + "puppet:///modules/sendmail/empty", + ], + mode => "0644", + owner => "root", + group => "root", + notify => Exec["make virtusertable.db"], + } + exec { "make 
virtusertable.db": + path => "/bin:/usr/bin:/sbin:/usr/sbin", + command => "makemap hash /etc/mail/virtusertable < /etc/mail/virtusertable", + refreshonly => true, + notify => Service["sendmail"], + } + + file { "/etc/mail/local-host-names": + ensure => present, + source => [ + "puppet:///files/mail/local-host-names", + "puppet:///modules/sendmail/local-host-names", + ], + mode => "0644", + owner => "root", + group => "root", + } + } diff --git a/sendmail/templates/sendmail.mc.erb b/sendmail/templates/sendmail.mc.erb index c063bd5..05ec740 100644 --- a/sendmail/templates/sendmail.mc.erb +++ b/sendmail/templates/sendmail.mc.erb @@ -1,7 +1,14 @@ divert(-1)dnl +dnl # +dnl # This file is managed by puppet so hand editing is not recommended. +dnl # +<% if ['CentOS','Fedora'].index(operatingsystem) -%> include(`/usr/share/sendmail-cf/m4/cf.m4')dnl -VERSIONID(`setup for <%= sendmail_ostype %>')dnl -OSTYPE(`<%= sendmail_ostype %>')dnl +<% elsif operatingsystem == 'Ubuntu' -%> +include(`/usr/share/sendmail/cf/m4/cf.m4')dnl +<% end -%> +VERSIONID(`puppet sendmail::server')dnl +dnl # define(`confDEF_USER_ID', ``8:12'')dnl define(`confTO_CONNECT', `1m')dnl define(`confTRY_NULL_MX_LIST', `True')dnl 
@@ -13,6 +20,20 @@ define(`UUCP_MAILER_MAX', `2000000')dnl define(`confUSERDB_SPEC', `/etc/mail/userdb.db')dnl define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl define(`confTO_IDENT', `0')dnl +dnl # +define(`confAUTH_OPTIONS', `A p y')dnl +TRUST_AUTH_MECH(`<%= sendmail_auth_mech.join(' ') %>')dnl +define(`confAUTH_MECHANISMS', `<%= sendmail_auth_mech.join(' ') %>')dnl +dnl # +define(`confCACERT_PATH', `/etc/mail/certs') +<% if has_variable?('ssl_chain') -%> +define(`confCACERT', `/etc/pki/tls/certs/<%= ssl_chain %>') +<% end -%> +define(`confSERVER_CERT', `/etc/pki/tls/certs/<%= ssl_cert %>') +define(`confSERVER_KEY', `/etc/pki/tls/private/<%= ssl_key %>') +define(`confCLIENT_CERT', `/etc/pki/tls/certs/<%= ssl_cert %>') +define(`confCLIENT_KEY', `/etc/pki/tls/private/<%= ssl_key %>') +dnl # FEATURE(`no_default_msa', `dnl')dnl FEATURE(`smrsh', `/usr/sbin/smrsh')dnl FEATURE(`mailertable', `hash -o /etc/mail/mailertable.db')dnl 
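Review bot: The six new TLS lines from ``define(`confCACERT_PATH', `/etc/mail/certs')`` through ``define(`confCLIENT_KEY', `/etc/pki/tls/private/<%= ssl_key %>')`` omit the trailing `dnl` that every other `define` in the file carries, so m4 emits an empty line into sendmail.cf for each; harmless, but inconsistent, so append `dnl` to each of them. The `p` flag in ``define(`confAUTH_OPTIONS', `A p y')dnl`` is what keeps the PLAIN and LOGIN mechanisms listed in `TRUST_AUTH_MECH`/`confAUTH_MECHANISMS` off cleartext connections; a comment above it, `dnl # 'p' refuses plaintext-susceptible mechanisms (PLAIN, LOGIN) unless STARTTLS is active`, records why it must not be dropped when the mechanism list is edited.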
@@ -23,19 +44,25 @@ FEATURE(redirect)dnl FEATURE(always_add_domain)dnl FEATURE(use_cw_file)dnl FEATURE(use_ct_file)dnl +dnl # FEATURE(local_procmail, `', `procmail -t -Y -a $h -d $u')dnl FEATURE(`access_db', `hash -T -o /etc/mail/access.db')dnl FEATURE(`blacklist_recipients')dnl EXPOSED_USER(`root')dnl +dnl # DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl -FEATURE(`accept_unresolvable_domains')dnl -LOCAL_DOMAIN(`localhost.localdomain')dnl -MASQUERADE_AS(`<%= sendmail_domain %>')dnl +DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl +dnl # +LOCAL_DOMAIN`localhost.localdomain')dnl +MASQUERADE_AS(`<%= mail_domain %>')dnl FEATURE(masquerade_envelope)dnl FEATURE(allmasquerade)dnl -define(`confMATCH_GECOS')dnl -define(`confDOMAIN_NAME', `<%= sendmail_domain %>')dnl -define(`confDONT_BLAME_SENDMAIL', `GroupWritableDirpathSafe,GroupWritableIncludeFileSafe,GroupWritableForwardFile,ForwardFileInGroupWritableDirPath')dnl FEATURE(masquerade_entire_domain)dnl +FEATURE(`accept_unresolvable_domains')dnl +dnl # +define(`confMATCH_GECOS')dnl +define(`confDOMAIN_NAME', `<%= mail_domain %>')dnl +define(`confDONT_BLAME_SENDMAIL', `GroupWritableDirpathSafe,GroupWritableIncludeFileSafe,GroupWritableForwardFile,ForwardFileInGroupWritableDirPath')dnl +dnl # MAILER(smtp)dnl MAILER(procmail)dnl diff --git a/ssh/manifests/init.pp b/ssh/manifests/init.pp index 8bacbf3..cd38647 100644 --- a/ssh/manifests/init.pp +++ b/ssh/manifests/init.pp @@ -29,6 +29,8 @@ class ssh::known_hosts { # class ssh::hostkeys { + tag("bootstrap") + file { "/etc/ssh/ssh_host_dsa_key": ensure => present, source => "puppet:///private/ssh_host_dsa_key", diff --git a/syslog/files/rsyslogd.rc b/syslog/files/rsyslogd.rc index f918953..a50f795 100755 --- a/syslog/files/rsyslogd.rc +++ b/syslog/files/rsyslogd.rc @@ -6,7 +6,7 @@ daemon_flags="-x -c 4 -i /var/run/syslog.pid" . /etc/rc.d/rc.subr rc_pre() { - pkill -f /usr/sbin/syslogd + pkill -U _syslogd return 0 } 
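Review bot: ``LOCAL_DOMAIN`localhost.localdomain')dnl`` lost the opening parenthesis that the removed line had, so m4 sees the bare macro name followed by a quoted string instead of a macro call with an argument, and the generated sendmail.cf either loses the local-domain entry or picks up garbage at that point. Restore it: ``LOCAL_DOMAIN(`localhost.localdomain')dnl``. The rest of the hunk is a reorder plus the new ``DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl``, whose `a` modifier requires authentication on the submission port — worth a `dnl #` comment beside it so the flag is not trimmed later as noise.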
diff --git a/syslog/manifests/init.pp b/syslog/manifests/init.pp index 76d75f0..36c8331 100644 --- a/syslog/manifests/init.pp +++ b/syslog/manifests/init.pp @@ -55,6 +55,13 @@ class syslog::common { } } + file { "/var/log/all.log": + ensure => present, + mode => "0640", + owner => "root", + group => $group, + } + } # Install syslog client @@ -90,14 +97,6 @@ class syslog::client::syslogd { } } - file { "/var/log/all.log": - ensure => present, - mode => "0640", - owner => "root", - group => $group, - notify => Service["syslogd"], - } - file { "/etc/syslog.conf": ensure => present, content => template("syslog/syslog.conf.$operatingsystem.erb", @@ -126,6 +125,7 @@ class syslog::client::syslogd { "openbsd" => "pkill -HUP -u _syslogd", default => undef, }, + require => File["/var/log/all.log"], } } @@ -162,15 +162,16 @@ class syslog::client::rsyslog { } service { "rsyslog": - ensure => running, - enable => true, - start => $operatingsystem ? { + ensure => running, + enable => true, + start => $operatingsystem ? { "openbsd" => $operatingsystemrelease ? { /4\.[1-8]/ => "pkill syslogd; /usr/local/sbin/rsyslogd -c 4 -x -i /var/run/syslog.pid", default => undef, }, default => undef, }, + require => File["/var/log/all.log"], } if $operatingsystem == "OpenBSD" and $operatingsystemrelease !~ /4\.[1-8]/ { @@ -234,7 +235,7 @@ class syslog::common::standalone inherits syslog::common { require => File["/srv/log"], } - file { "/var/log/all.log": + File["/var/log/all.log"] { ensure => link, target => "/srv/log/all.log", }
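Review bot: The `/var/log/all.log` resource moved into `syslog::common` still uses `group => $group`, but nothing in the hunk defines `$group` in `syslog::common`; if it was set in `syslog::client::syslogd`, where the resource lived before, it is undefined at this point and the file is created with an empty group — confirm, and if so either define `$group` in `syslog::common` or pass it explicitly. The removed `notify => Service["syslogd"]` became `require => File["/var/log/all.log"]` on both services in the `@@ -126` and `@@ -162` hunks, which orders creation but no longer restarts a running daemon when the file's mode or ownership is corrected; that is likely intended for a plain 0640 file, and a one-line comment on the moved resource, `# shared by syslogd and rsyslog; services only require it, no restart on permission fixes`, saves the next reader the archaeology. The class bodies continue outside the hunks.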