tmakinen/puppet
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge branch 'master' of https://bitbucket.org/tmakinen/puppet

Browse source
This commit is contained in:
Ossi Herrala 2012-05-18 10:02:25 +00:00
commit 32a2ad7855
25 changed files with 559 additions and 125 deletions
Download patch file Download diff file Expand all files Collapse all files

4
apache/templates/site.https.conf.erb
View file

@ -22,8 +22,8 @@ SSLProtocol all -SSLv2
# SSL Cipher Suite: # SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate. # List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list. # See the mod_ssl documentation for a complete list.
SSLHonorCipherOrder On
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:!LOW SSLCipherSuite RC4-SHA:HIGH:!ADH
# Server Certificate: # Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If # Point SSLCertificateFile at a PEM encoded certificate. If

14
apt/manifests/init.pp
View file

@ -362,3 +362,17 @@ class apt::repo::partner {
} }
} }
# Add Puppetlabs repository
#
class apt::repo::puppetlabs {
apt::repo { "puppetlabs":
ensure => present,
source => "http://apt.puppetlabs.com/",
key => "4BD6EC30",
keyserver => "hkp://keys.gnupg.net",
}
}

2
custom/lib/puppet/provider/service/openbsd.rb
View file

@ -4,7 +4,7 @@ Puppet::Type.type(:service).provide :openbsd, :parent => :base do
desc "OpenBSD service management." desc "OpenBSD service management."
version = ["4.9", "5.0"] version = ["4.9", "5.0", "5.1"]
confine :operatingsystem => :openbsd confine :operatingsystem => :openbsd
confine :operatingsystemrelease => version confine :operatingsystemrelease => version
defaultfor :operatingsystem => :openbsd defaultfor :operatingsystem => :openbsd

39
dhcp/manifests/init.pp
View file

@ -1,6 +1,28 @@
class dhcp::server::common { class dhcp::server::common {
case $::operatingsystem {
"centos": {
case $::operatingsystemrelease {
/[45]\.[0-9]/: {
$confdir = "/etc"
}
default: {
$confdir = "/etc/dhcp"
}
}
}
"debian","ubuntu": {
$confdir = "/etc/dhcp3"
}
"fedora": {
$confdir = "/etc/dhcp"
}
default: {
$confdir = "/etc"
}
}
package { "dhcp": package { "dhcp":
name => $operatingsystem ? { name => $operatingsystem ? {
Debian => "dhcp3-server", Debian => "dhcp3-server",
@ -73,12 +95,8 @@ class dhcp::server::common {
class dhcp::server inherits dhcp::server::common { class dhcp::server inherits dhcp::server::common {
file { "/etc/dhcpd.conf": file { "dhcpd.conf":
name => $operatingsystem ? { name => "${confdir}/dhcpd.conf",
debian => "/etc/dhcp3/dhcpd.conf",
ubuntu => "/etc/dhcp3/dhcpd.conf",
default => "/etc/dhcpd.conf",
},
ensure => present, ensure => present,
source => [ "puppet:///files/dhcp/dhcpd.conf.${fqdn}", source => [ "puppet:///files/dhcp/dhcpd.conf.${fqdn}",
"puppet:///files/dhcp/dhcpd.conf", ], "puppet:///files/dhcp/dhcpd.conf", ],
@ -110,8 +128,9 @@ class dhcp::server::ldap inherits dhcp::server::common {
}, },
} }
file { "/etc/dhcpd.conf.in": file { "dhcpd.conf.in":
ensure => present, ensure => present,
name => "${confdir}/dhcpd.conf.in",
source => [ "puppet:///files/dhcp/dhcpd.conf.in.${hostname}", source => [ "puppet:///files/dhcp/dhcpd.conf.in.${hostname}",
"puppet:///files/dhcp/dhcpd.conf.in", ], "puppet:///files/dhcp/dhcpd.conf.in", ],
mode => "0644", mode => "0644",
@ -125,10 +144,10 @@ class dhcp::server::ldap inherits dhcp::server::common {
exec { "generate-dhcp-conf": exec { "generate-dhcp-conf":
path => "/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin", path => "/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin",
command => "dhcpdump.py /etc/dhcpd.conf.in* > /etc/dhcpd.conf", command => "dhcpdump.py ${confdir}/dhcpd.conf.in* > ${confdir}/dhcpd.conf",
unless => "dhcpdump.py /etc/dhcpd.conf.in* | diff /etc/dhcpd.conf -", unless => "dhcpdump.py ${confdir}/dhcpd.conf.in* | diff ${confdir}/dhcpd.conf -",
require => [ require => [
File["/etc/dhcpd.conf.in"], File["dhcpd.conf.in"],
File["/usr/local/sbin/dhcpdump.py"], File["/usr/local/sbin/dhcpdump.py"],
Class["python"], Class["python"],
Class["ldap::client"], Class["ldap::client"],

65
dns/manifests/init.pp
View file

@ -233,18 +233,25 @@ class dns::server::ldap inherits dns::server {
# #
define dns::zone($role = "master", $master = "", $slaves = [], $source = "AUTO") { define dns::zone($role = "master", $master = "", $slaves = [], $source = "AUTO") {
$zone = $name $tmpname = regsubst($name, '([^/]+/)?([0-9]+)/([0-9\.]+\.in-addr\.arpa)', '\1\2-\3')
case dirname($tmpname) {
".": { $view = "" }
"default": { $view = "" }
default: { $view = regsubst(dirname($tmpname), '^(.*)', '\1/') }
}
$zone = basename($tmpname)
case $role { case $role {
"master": { "master": {
case $operatingsystem { case $operatingsystem {
"openbsd": { "openbsd": {
$zonedir = "/master" $zonedir = "/master/${view}"
} }
"fedora","centos": { "fedora","centos": {
$zonedir = "/var/named" $zonedir = "/var/named/${view}"
} }
"ubuntu": { "ubuntu": {
$zonedir = "/etc/bind" $zonedir = "/etc/bind/${view}"
} }
} }
} }
@ -254,13 +261,13 @@ define dns::zone($role = "master", $master = "", $slaves = [], $source = "AUTO")
} }
case $operatingsystem { case $operatingsystem {
"openbsd": { "openbsd": {
$zonedir = "/slave" $zonedir = "/slave/${view}"
} }
"fedora","centos": { "fedora","centos": {
$zonedir = "/var/named/slaves" $zonedir = "/var/named/slaves/${view}"
} }
"ubuntu": { "ubuntu": {
$zonedir = "/var/cache/bind" $zonedir = "/var/cache/bind/${view}"
} }
} }
} }
@ -269,8 +276,28 @@ define dns::zone($role = "master", $master = "", $slaves = [], $source = "AUTO")
} }
} }
$zonefile = regsubst($zone, '\/', '-') if $view != "" {
file { "${dns::server::chroot}${dns::server::confdir}/zone.${zonefile}": if !defined(File["${dns::server::chroot}${dns::server::confdir}/${view}"]) {
file { "${dns::server::chroot}${dns::server::confdir}/${view}":
ensure => directory,
mode => "0750",
owner => "root",
group => $dns::server::group,
before => File["${dns::server::chroot}${dns::server::confdir}/${view}zone.${zone}"],
}
}
if !defined(File["${dns::server::chroot}${zonedir}"]) {
file { "${dns::server::chroot}${zonedir}":
ensure => directory,
mode => "0750",
owner => "root",
group => $dns::server::group,
before => File["${dns::server::chroot}${zonedir}db.${zone}"],
}
}
}
file { "${dns::server::chroot}${dns::server::confdir}/${view}zone.${zone}":
ensure => present, ensure => present,
content => template("dns/zone.$role.erb"), content => template("dns/zone.$role.erb"),
mode => "0640", mode => "0640",
@ -285,7 +312,7 @@ define dns::zone($role = "master", $master = "", $slaves = [], $source = "AUTO")
if $role == "master" and $zone != "." { if $role == "master" and $zone != "." {
if $source != "AUTO" { if $source != "AUTO" {
file { "${dns::server::chroot}${zonedir}/db.${zonefile}": file { "${dns::server::chroot}${zonedir}db.${zone}":
ensure => present, ensure => present,
source => $source, source => $source,
mode => "0640", mode => "0640",
@ -298,7 +325,7 @@ define dns::zone($role = "master", $master = "", $slaves = [], $source = "AUTO")
notify => Exec["generate-named-conf"], notify => Exec["generate-named-conf"],
} }
} else { } else {
file { "${dns::server::chroot}${zonedir}/db.${zonefile}": file { "${dns::server::chroot}${zonedir}/db.${zone}":
ensure => present, ensure => present,
content => template("dns/db.erb"), content => template("dns/db.erb"),
mode => "0640", mode => "0640",
@ -310,10 +337,12 @@ define dns::zone($role = "master", $master = "", $slaves = [], $source = "AUTO")
}, },
notify => Service["named"], notify => Service["named"],
} }
file { "${dns::server::chroot}${zonedir}/db.${zonefile}-dynamic": file { "${dns::server::chroot}${zonedir}/db.${zone}-dynamic":
ensure => present, ensure => present,
source => [ "puppet:///files/dns/db.${zonefile}-dynamic.${homename}", source => [
"puppet:///modules/dns/empty", ], "puppet:///files/dns/db.${zone}-dynamic.${homename}",
"puppet:///modules/dns/empty",
],
mode => "0640", mode => "0640",
owner => "root", owner => "root",
group => $dns::server::group, group => $dns::server::group,
@ -323,10 +352,12 @@ define dns::zone($role = "master", $master = "", $slaves = [], $source = "AUTO")
}, },
notify => Service["named"], notify => Service["named"],
} }
file { "${dns::server::chroot}${zonedir}/db.${zonefile}-static": file { "${dns::server::chroot}${zonedir}/db.${zone}-static":
ensure => present, ensure => present,
source => [ "puppet:///files/dns/db.${zonefile}-static.${homename}", source => [
"puppet:///modules/dns/empty", ], "puppet:///files/dns/db.${zone}-static.${homename}",
"puppet:///modules/dns/empty",
],
mode => "0640", mode => "0640",
owner => "root", owner => "root",
group => $dns::server::group, group => $dns::server::group,

49
dns/templates/generate-named-conf.sh.erb
View file

@ -4,19 +4,23 @@ chroot="<%= chroot %>"
confdir="<%= confdir %>" confdir="<%= confdir %>"
operatingsystem="<%= operatingsystem %>" operatingsystem="<%= operatingsystem %>"
cat <<EOF function printview {
include "${confdir}/named.conf.local"; view=$1
include "${confdir}/named.conf.options"; case $view in
default)
viewdir="${confdir}"
acl="any"
;;
*)
viewdir="${confdir}/${view}"
acl="${view}"
;;
esac
view default { echo "view ${view} {"
match-clients { any; }; echo " match-clients { ${acl}; };"
EOF
for name in ${chroot}${confdir}/zone.* ; do case $operatingsystem in
echo " include \"${confdir}/`basename ${name}`\";"
done
case $operatingsystem in
OpenBSD) OpenBSD)
cat <<EOF cat <<EOF
zone "." { zone "." {
@ -52,7 +56,24 @@ EOF
cat ${chroot}/etc/named.rfc1912.zones | \ cat ${chroot}/etc/named.rfc1912.zones | \
sed -e 's%file "%file "/var/named/%' -e 's/^/ /' sed -e 's%file "%file "/var/named/%' -e 's/^/ /'
;; ;;
esac esac
echo "};" for name in ${chroot}${viewdir}/zone.* ; do
echo "" echo " include \"${viewdir}/`basename ${name}`\";"
done
echo "};"
echo ""
}
cat <<EOF
include "${confdir}/named.conf.local";
include "${confdir}/named.conf.options";
EOF
for name in ${chroot}/${confdir}/* ; do
[ -d ${name} ] || continue
printview `basename ${name}`
done
printview default

2
hastymail/manifests/init.pp
View file

@ -39,7 +39,7 @@ class hastymail {
group => $apache::sslserver::group, group => $apache::sslserver::group,
require => File["/etc/hastymail2"], require => File["/etc/hastymail2"],
} }
exec { "rm /etc/hastymail2/hastymail2.rc && php /usr/local/share/hastymail/install_scripts/install_config.php /etc/hastymail2/hastymail2.conf /etc/hastymail2/hastymail2.rc": exec { "rm -f /etc/hastymail2/hastymail2.rc && php /usr/local/share/hastymail/install_scripts/install_config.php /etc/hastymail2/hastymail2.conf /etc/hastymail2/hastymail2.rc":
path => "/bin:/usr/bin:/sbin:/usr/sbin", path => "/bin:/usr/bin:/sbin:/usr/sbin",
refreshonly => true, refreshonly => true,
require => Util::Extract::Tar["/usr/local/share/hastymail"], require => Util::Extract::Tar["/usr/local/share/hastymail"],

1
kerberos/templates/kadm5.acl.erb
View file

@ -1 +1,2 @@
puppet/admin@<%= kerberos_realm %> ci */*@<%= kerberos_realm %> puppet/admin@<%= kerberos_realm %> ci */*@<%= kerberos_realm %>
smbkrb5pwd/<%= homename %>@<%= kerberos_realm %> ac *@<%= kerberos_realm %>

3
ldap/files/ldap.sysconfig
View file

@ -14,3 +14,6 @@ SLAPD_LDAPI=yes
# Run slapd with -h "... ldaps:/// ..." # Run slapd with -h "... ldaps:/// ..."
# yes/no, default: no # yes/no, default: no
SLAPD_LDAPS=yes SLAPD_LDAPS=yes
# Kerberos keytab path
KRB5_KTNAME="/etc/openldap/slapd.keytab"

16
ldap/manifests/init.pp
View file

@ -416,6 +416,7 @@ class ldap::server {
recurse => true, recurse => true,
force => true, force => true,
require => Package["openldap-server"], require => Package["openldap-server"],
notify => Exec["generate-slapd-database-config"],
} }
if $operatingsystem == "CentOS" and $operatinsystemrelease !~ /^5\./ { if $operatingsystem == "CentOS" and $operatinsystemrelease !~ /^5\./ {
@ -493,6 +494,7 @@ class ldap::server {
recurse => true, recurse => true,
force => true, force => true,
require => Package["openldap-server"], require => Package["openldap-server"],
notify => Exec["generate-slapd-schema-config"],
} }
file { "${config}/slapd.conf.d/schema.conf": file { "${config}/slapd.conf.d/schema.conf":
ensure => present, ensure => present,
@ -502,9 +504,10 @@ class ldap::server {
require => Exec["generate-slapd-schema-config"], require => Exec["generate-slapd-schema-config"],
} }
exec { "generate-slapd-schema-config": exec { "generate-slapd-schema-config":
command => "find ${config}/schema/*.schema -exec echo 'include {}' \; | sort -n > ${config}/slapd.conf.d/schema.conf", command => "find ${config}/schema/*.schema -exec echo 'include {}' \\; | sort -n > ${config}/slapd.conf.d/schema.conf",
path => "/bin:/usr/bin:/sbin:/usr/sbin", path => "/bin:/usr/bin:/sbin:/usr/sbin",
refreshonly => true, refreshonly => true,
require => File["${config}/slapd.conf.d"],
notify => Service["slapd"], notify => Service["slapd"],
} }
ldap::server::schema { [ "core", "cosine", "ppolicy", ]: ldap::server::schema { [ "core", "cosine", "ppolicy", ]:
@ -520,7 +523,7 @@ class ldap::server {
notify => Service["slapd"], notify => Service["slapd"],
} }
exec { "generate-slapd-database-config": exec { "generate-slapd-database-config":
command => "find ${config}/slapd.conf.d/db.*.conf -exec echo 'include {}' \; > ${config}/slapd.conf.d/database.conf", command => "find ${config}/slapd.conf.d/db.*.conf -exec echo 'include {}' \\; > ${config}/slapd.conf.d/database.conf",
path => "/bin:/usr/bin:/sbin:/usr/sbin", path => "/bin:/usr/bin:/sbin:/usr/sbin",
refreshonly => true, refreshonly => true,
notify => Service["slapd"], notify => Service["slapd"],
@ -546,11 +549,16 @@ class ldap::server {
# Password for uid=replicator,cn=config,${name} user on master. # Password for uid=replicator,cn=config,${name} user on master.
# Only needed for slave databases. # Only needed for slave databases.
# #
# $moduleoptions:
# Options for overlay modules.
#
# === Sample usage # === Sample usage
# #
# ldap::server::database { "dc=example,dc=com": } # ldap::server::database { "dc=example,dc=com":
# moduleoptions => [ "smbkrb5pwd-enable=samba", ]
# }
# #
define ldap::server::database($aclsource = "", $master = "", $syncpw = "") { define ldap::server::database($aclsource = "", $master = "", $syncpw = "", $moduleoptions = []) {
include ldap::server include ldap::server

10
ldap/templates/slapd-database.conf.erb
View file

@ -8,6 +8,16 @@ suffix "<%= name %>"
checkpoint 1024 15 checkpoint 1024 15
rootdn "cn=manager,<%= name %>" rootdn "cn=manager,<%= name %>"
<% if has_variable?("ldap_server_modules") -%>
<% ldap_server_modules.each do |name| -%>
overlay <%= name %>
<% end -%>
<% end -%>
<% moduleoptions.each do |name| -%>
<%= name.split("=")[0] %> <%= name.split("=")[1] %>
<% end -%>
overlay ppolicy overlay ppolicy
ppolicy_default cn=pwdPolicy,cn=config,<%= name %> ppolicy_default cn=pwdPolicy,cn=config,<%= name %>
ppolicy_hash_cleartext ppolicy_hash_cleartext

2
ldap/templates/slapd.conf.erb
View file

@ -28,7 +28,7 @@ moduleload ppolicy.la
moduleload syncprov.la moduleload syncprov.la
<% if has_variable?('ldap_server_modules') -%> <% if has_variable?('ldap_server_modules') -%>
<% ldap_server_modules.each do |name| -%> <% ldap_server_modules.each do |name| -%>
moduleload <%= name %> moduleload <%= name %>.la
<% end -%> <% end -%>
<% end -%> <% end -%>

11
munin/manifests/init.pp
View file

@ -44,6 +44,17 @@ class munin::node {
notify => Exec["munin-node-configure"], notify => Exec["munin-node-configure"],
} }
if $kernel == "Linux" {
file { "/var/lib/munin/plugin-state":
ensure => directory,
mode => "0775",
owner => "munin",
group => "munin",
before => Service["munin-node"],
require => Package["munin-node"],
}
}
@@file { "/etc/munin/nodes.d/${homename}.conf": @@file { "/etc/munin/nodes.d/${homename}.conf":
ensure => present, ensure => present,
content => "[${homename}]\n address ${ipaddress}\n use_node_name yes\n", content => "[${homename}]\n address ${ipaddress}\n use_node_name yes\n",

2
puppet/bootstrap-server.sh
View file

@ -74,5 +74,5 @@ EOF
fi fi
puppet cert --keylength 4096 --list puppet cert --keylength 4096 --list
puppet apply --no-report --tags bootstrap /etc/puppet/manifests/site.pp puppet apply --no-report --tags apt,yum,ruby /etc/puppet/manifests/site.pp
puppet apply --no-report /etc/puppet/manifests/site.pp puppet apply --no-report /etc/puppet/manifests/site.pp

15
puppet/manifests/init.pp
View file

@ -1,6 +1,17 @@
# Install and configure Puppet client. # Install and configure Puppet client.
# #
# === Global variables
#
# $puppet_server:
# Hostname of puppet server. Defaults to 'puppet'.
#
# $puppet_keylength:
# Length of client keys. Defaults to 2048.
#
# $puppet_diffargs:
# Arguments for puppet's use of diff. Unset by default.
#
class puppet::client { class puppet::client {
tag("bootstrap") tag("bootstrap")
@ -13,10 +24,6 @@ class puppet::client {
$puppet_keylength = "2048" $puppet_keylength = "2048"
} }
if ! $puppet_diffargs {
$puppet_diffargs = "-u"
}
case $operatingsystem { case $operatingsystem {
openbsd: { $vardir = "/var/puppet" } openbsd: { $vardir = "/var/puppet" }
default: { $vardir = "/var/lib/puppet" } default: { $vardir = "/var/lib/puppet" }

2
puppet/templates/puppet.conf.erb
View file

@ -39,9 +39,11 @@
# The bit length of keys. # The bit length of keys.
keylength = <%= puppet_keylength %> keylength = <%= puppet_keylength %>
<% if has_variable?("puppet_diffargs") -%>
# Arguments for puppet's use of diff # Arguments for puppet's use of diff
diff_args = <%= puppet_diffargs %> diff_args = <%= puppet_diffargs %>
<% end -%>
<% if puppetversion[/\d+/].to_i >= 2 -%> <% if puppetversion[/\d+/].to_i >= 2 -%>
[agent] [agent]
# Ignore site manifest when run as agent. Fixes warnings about # Ignore site manifest when run as agent. Fixes warnings about

35
samba/manifests/init.pp
View file

@ -25,6 +25,30 @@ class samba::server {
subscribe => File["/etc/samba/smb.conf"], subscribe => File["/etc/samba/smb.conf"],
} }
} }
centos: {
case $operatingsystemrelease {
/^[1-5]\./: {
service { "smb":
ensure => running,
enable => true,
hasstatus => true,
hasrestart => true,
require => File["/etc/samba/smb.conf"],
subscribe => File["/etc/samba/smb.conf"],
}
}
default: {
service { [ "smb", "nmb" ]:
ensure => running,
enable => true,
hasstatus => true,
hasrestart => true,
require => File["/etc/samba/smb.conf"],
subscribe => File["/etc/samba/smb.conf"],
}
}
}
}
fedora: { fedora: {
service { [ "smb", "nmb" ]: service { [ "smb", "nmb" ]:
ensure => running, ensure => running,
@ -46,14 +70,7 @@ class samba::server {
} }
} }
default: { default: {
service { "smb": fail("samba::server not supported in '${operatingsystem}'")
ensure => running,
enable => true,
hasstatus => true,
hasrestart => true,
require => File["/etc/samba/smb.conf"],
subscribe => File["/etc/samba/smb.conf"],
}
} }
} }
@ -145,7 +162,7 @@ class samba::ldap {
environment => "SECRET=${samba_ldap_pass}", environment => "SECRET=${samba_ldap_pass}",
path => "/bin:/usr/bin:/sbin:/usr/sbin", path => "/bin:/usr/bin:/sbin:/usr/sbin",
unless => "tdbtool /etc/samba/secrets.tdb keys | fgrep 'SECRETS/LDAP_BIND_PW/'", unless => "tdbtool /etc/samba/secrets.tdb keys | fgrep 'SECRETS/LDAP_BIND_PW/'",
require => Package["samba"], require => File["/etc/samba/smb.conf"],
notify => Service["smb"], notify => Service["smb"],
} }

96
selinux/manifests/init.pp
View file

@ -189,3 +189,99 @@ define selinux::manage_port($type, $proto) {
} }
} }
# Install new SELinux module
#
# === Parameters
#
# $name:
# Module name
# $source:
# Module source (.te) or compiled file (.pp).
#
# === Sample usage
#
# selinux::module { "munin-local":
# source => "puppet:///files/common/selinux/munin-local.te",
# }
#
define selinux::module($source) {
$ext = regsubst($source, '.*\.(te|pp)', '\1')
case $ext {
"te": {
include selinux::module::devel
file { "/usr/local/src/selinux/${name}.te":
ensure => present,
source => $source,
mode => "0644",
owner => "root",
group => "root",
require => File["/usr/local/src/selinux"],
notify => Exec["selinux-module-compile"],
}
$module = "/usr/local/src/selinux/${name}.pp"
}
"pp": {
$module = $source
}
default: {
fail("Invalid source '${source}' for selinux::module")
}
}
file { "/usr/share/selinux/targeted/${name}.pp":
ensure => present,
source => $module,
mode => "0644",
owner => "root",
group => "root",
require => $ext ? {
"te" => Exec["selinux-module-compile"],
default => undef,
},
}
selmodule { $name:
ensure => present,
require => File["/usr/share/selinux/targeted/${name}.pp"],
syncversion => true,
}
}
# Prequisites for compiling SELinux modules
#
class selinux::module::devel {
include selinux::tools
if $::operatingsystem == "CentOS" {
if $::operatingsystemrelease =~ /^5\.[0-9]/ {
package { "selinux-policy-devel":
ensure => installed,
before => File["/usr/local/src/selinux"],
}
}
}
file { "/usr/local/src/selinux":
ensure => directory,
mode => "0755",
owner => "root",
group => "root",
require => Class["selinux::tools"],
}
exec { "selinux-module-compile":
path => "/bin:/usr/bin:/sbin:/usr/sbin",
command => "make -f /usr/share/selinux/devel/Makefile",
cwd => "/usr/local/src/selinux",
user => "root",
refreshonly => true,
require => Class["selinux::tools"],
}
}

19
sendmail/files/aliases Normal file
View file

@ -0,0 +1,19 @@
#
# Aliases in this file will NOT be expanded in the header from
# Mail, but WILL be visible over networks or from /bin/mail.
#
# >>>>>>>>>> The program "newaliases" must be run after
# >> NOTE >> this file is updated for any changes to
# >>>>>>>>>> show through to sendmail.
#
# Basic system aliases -- these MUST be present.
mailer-daemon: postmaster
postmaster: root
# General redirections for important pseudo accounts
daemon: root
# RFC 2142: NETWORK OPERATIONS MAILBOX NAMES
abuse: root
security: root

0
sendmail/files/empty Normal file
View file

197
sendmail/manifests/init.pp
View file

@ -112,24 +112,65 @@ class sendmail::client::msa inherits sendmail::client {
# Configure Sendmail server. # Configure Sendmail server.
# #
# $sendmail_domain: # $mail_domain:
# SMTP domain name. # SMTP domain name.
#
# $sendmail_auth_mech:
# List of authentication mechanisms to use. Defaults to PLAIN and LOGIN.
#
# $sendmail_ssl_key:
#
# $sendmail_ssl_cert:
#
class sendmail::server inherits sendmail::common { class sendmail::server inherits sendmail::common {
include procmail include procmail
if !$sendmail_auth_mech {
$sendmail_auth_mech = [ "PLAIN", "LOGIN", ]
}
$ssl_key = basename($sendmail_ssl_key)
$ssl_cert = basename($sendmail_ssl_cert)
if $sendmail_ssl_chain {
$ssl_chain = basename($sendmail_ssl_chain)
}
case $operatingsystem { case $operatingsystem {
centos,redhat: { "centos","fedora": {
$sendmail_ostype = "linux"
$group = "root"
File["/etc/sysconfig/sendmail"] { File["/etc/sysconfig/sendmail"] {
content => "DAEMON=yes\nQUEUE=1h\n", content => "DAEMON=yes\nQUEUE=1h\n",
} }
} ubuntu: { }
fail("Operating system not supported.") default: {
} openbsd: { fail("sendmail::server not supported in '${::operatingsystem}'")
$sendmail_ostype = "openbsd" }
$group = "wheel" }
file { "/etc/pki/tls/private/${ssl_key}":
ensure => present,
source => $sendmail_ssl_key,
mode => "0600",
owner => "root",
group => "root",
notify => Service["sendmail"],
}
file { "/etc/pki/tls/certs/${ssl_cert}":
ensure => present,
source => $sendmail_ssl_cert,
mode => "0644",
owner => "root",
group => "root",
notify => Service["sendmail"],
}
if $ssl_chain {
file { "/etc/pki/tls/certs/${ssl_chain}":
ensure => present,
source => $sendmail_ssl_chain,
mode => "0644",
owner => "root",
group => "root",
notify => Service["sendmail"],
} }
} }
@ -140,47 +181,151 @@ class sendmail::server inherits sendmail::common {
}, },
content => template("sendmail/sendmail.mc.erb"), content => template("sendmail/sendmail.mc.erb"),
owner => "root", owner => "root",
group => $group, group => "root",
mode => "0644", mode => "0644",
notify => Exec["make sendmail.cf"], notify => Exec["make sendmail.cf"],
} }
file { "/etc/aliases":
ensure => present,
notify => Exec["newaliases"],
owner => "root",
group => $group,
mode => "0644",
}
exec { "make sendmail.cf": exec { "make sendmail.cf":
path => "/bin:/usr/bin:/sbin:/usr/sbin", path => "/bin:/usr/bin:/sbin:/usr/sbin:/etc/mail",
cwd => $operatingsystem ? { cwd => $operatingsystem ? {
openbsd => "/usr/share/sendmail/cf", "openbsd" => "/usr/share/sendmail/cf",
default => "/etc/mail", default => "/etc/mail",
}, },
require => $operatingsystem ? { require => $operatingsystem ? {
openbsd => undef, "openbsd" => undef,
default => Package["sendmail"], default => Package["sendmail"],
}, },
refreshonly => true, refreshonly => true,
} }
file { "/etc/mail/sendmail.cf": file { "/etc/mail/sendmail.cf":
ensure => present, ensure => present,
owner => "root",
group => $group,
mode => "0644", mode => "0644",
owner => "root",
group => "root",
source => $operatingsystem ? { source => $operatingsystem ? {
openbsd => "/usr/share/sendmail/cf/sendmail.cf", "openbsd" => "/usr/share/sendmail/cf/sendmail.cf",
default => undef, default => undef,
}, },
require => Exec["make sendmail.cf"], require => Exec["make sendmail.cf"],
notify => Service["sendmail"], notify => Service["sendmail"],
} }
file { "/etc/mail/certs":
ensure => directory,
mode => "0755",
owner => "root",
group => "root",
}
exec { "populate-etc-mail-certs":
path => "/bin:/usr/bin:/sbin:/usr/sbin",
command => "csplit /etc/pki/tls/certs/ca-bundle.crt '/BEGIN/' '{*}' ; sh -c 'for i in x* ; do name=`openssl x509 -hash -noout -in \$i`.0 ; openssl x509 -hash -in \$i -out \$name ; done' && rm -f x* .0",
cwd => "/etc/mail/certs",
onlyif => "find /etc/mail/certs ! -newer /etc/pki/tls/certs/ca-bundle.crt | egrep '.*' || [ -z \"`ls /etc/mail/certs`\" ]",
require => File["/etc/mail/certs"],
before => Service["sendmail"],
}
file { "/etc/aliases":
ensure => present,
name => $operatingsystem ? {
"openbsd" => "/etc/mail/aliases",
default => "/etc/aliases",
},
source => [
"puppet:///files/mail/aliases",
"puppet:///modules/sendmail/aliases",
],
mode => "0644",
owner => "root",
group => "root",
notify => Exec["newaliases"],
}
exec { "newaliases": exec { "newaliases":
path => "/bin:/usr/bin:/sbin:/usr/sbin", path => "/bin:/usr/bin:/sbin:/usr/sbin",
refreshonly => true, refreshonly => true,
} }
file { "/etc/mail/access":
ensure => present,
source => [
"puppet:///files/mail/access",
"puppet:///modules/sendmail/empty",
],
mode => "0644",
owner => "root",
group => "root",
notify => Exec["make access.db"],
}
exec { "make access.db":
path => "/bin:/usr/bin:/sbin:/usr/sbin",
command => "makemap hash /etc/mail/access < /etc/mail/access",
refreshonly => true,
notify => Service["sendmail"],
}
file { "/etc/mail/genericstable":
ensure => present,
source => [
"puppet:///files/mail/genericstable",
"puppet:///modules/sendmail/empty",
],
mode => "0644",
owner => "root",
group => "root",
notify => Exec["make genericstable.db"],
}
exec { "make genericstable.db":
path => "/bin:/usr/bin:/sbin:/usr/sbin",
command => "makemap hash /etc/mail/genericstable < /etc/mail/genericstable",
refreshonly => true,
notify => Service["sendmail"],
}
file { "/etc/mail/mailertable":
ensure => present,
source => [
"puppet:///files/mail/mailertable",
"puppet:///modules/sendmail/empty",
],
mode => "0644",
owner => "root",
group => "root",
notify => Exec["make mailertable.db"],
}
exec { "make mailertable.db":
path => "/bin:/usr/bin:/sbin:/usr/sbin",
command => "makemap hash /etc/mail/mailertable < /etc/mail/mailertable",
refreshonly => true,
notify => Service["sendmail"],
}
file { "/etc/mail/virtusertable":
ensure => present,
source => [
"puppet:///files/mail/virtusertable",
"puppet:///modules/sendmail/empty",
],
mode => "0644",
owner => "root",
group => "root",
notify => Exec["make virtusertable.db"],
}
exec { "make virtusertable.db":
path => "/bin:/usr/bin:/sbin:/usr/sbin",
command => "makemap hash /etc/mail/virtusertable < /etc/mail/virtusertable",
refreshonly => true,
notify => Service["sendmail"],
}
file { "/etc/mail/local-host-names":
ensure => present,
source => [
"puppet:///files/mail/local-host-names",
"puppet:///modules/sendmail/local-host-names",
],
mode => "0644",
owner => "root",
group => "root",
}
} }

43
sendmail/templates/sendmail.mc.erb
View file

@ -1,7 +1,14 @@
divert(-1)dnl divert(-1)dnl
dnl #
dnl # This file is managed by puppet so hand editing is not recommended.
dnl #
<% if ['CentOS','Fedora'].index(operatingsystem) -%>
include(`/usr/share/sendmail-cf/m4/cf.m4')dnl include(`/usr/share/sendmail-cf/m4/cf.m4')dnl
VERSIONID(`setup for <%= sendmail_ostype %>')dnl <% elsif operatingsystem == 'Ubuntu' -%>
OSTYPE(`<%= sendmail_ostype %>')dnl include(`/usr/share/sendmail/cf/m4/cf.m4')dnl
<% end -%>
VERSIONID(`puppet sendmail::server')dnl
dnl #
define(`confDEF_USER_ID', ``8:12'')dnl define(`confDEF_USER_ID', ``8:12'')dnl
define(`confTO_CONNECT', `1m')dnl define(`confTO_CONNECT', `1m')dnl
define(`confTRY_NULL_MX_LIST', `True')dnl define(`confTRY_NULL_MX_LIST', `True')dnl
@ -13,6 +20,20 @@ define(`UUCP_MAILER_MAX', `2000000')dnl
define(`confUSERDB_SPEC', `/etc/mail/userdb.db')dnl define(`confUSERDB_SPEC', `/etc/mail/userdb.db')dnl
define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl
define(`confTO_IDENT', `0')dnl define(`confTO_IDENT', `0')dnl
dnl #
define(`confAUTH_OPTIONS', `A p y')dnl
TRUST_AUTH_MECH(`<%= sendmail_auth_mech.join(' ') %>')dnl
define(`confAUTH_MECHANISMS', `<%= sendmail_auth_mech.join(' ') %>')dnl
dnl #
define(`confCACERT_PATH', `/etc/mail/certs')
<% if has_variable?('ssl_chain') -%>
define(`confCACERT', `/etc/pki/tls/certs/<%= ssl_chain %>')
<% end -%>
define(`confSERVER_CERT', `/etc/pki/tls/certs/<%= ssl_cert %>')
define(`confSERVER_KEY', `/etc/pki/tls/private/<%= ssl_key %>')
define(`confCLIENT_CERT', `/etc/pki/tls/certs/<%= ssl_cert %>')
define(`confCLIENT_KEY', `/etc/pki/tls/private/<%= ssl_key %>')
dnl #
FEATURE(`no_default_msa', `dnl')dnl FEATURE(`no_default_msa', `dnl')dnl
FEATURE(`smrsh', `/usr/sbin/smrsh')dnl FEATURE(`smrsh', `/usr/sbin/smrsh')dnl
FEATURE(`mailertable', `hash -o /etc/mail/mailertable.db')dnl FEATURE(`mailertable', `hash -o /etc/mail/mailertable.db')dnl
@ -23,19 +44,25 @@ FEATURE(redirect)dnl
FEATURE(always_add_domain)dnl FEATURE(always_add_domain)dnl
FEATURE(use_cw_file)dnl FEATURE(use_cw_file)dnl
FEATURE(use_ct_file)dnl FEATURE(use_ct_file)dnl
dnl #
FEATURE(local_procmail, `', `procmail -t -Y -a $h -d $u')dnl FEATURE(local_procmail, `', `procmail -t -Y -a $h -d $u')dnl
FEATURE(`access_db', `hash -T<TMPF> -o /etc/mail/access.db')dnl FEATURE(`access_db', `hash -T<TMPF> -o /etc/mail/access.db')dnl
FEATURE(`blacklist_recipients')dnl FEATURE(`blacklist_recipients')dnl
EXPOSED_USER(`root')dnl EXPOSED_USER(`root')dnl
dnl #
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
FEATURE(`accept_unresolvable_domains')dnl DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
LOCAL_DOMAIN(`localhost.localdomain')dnl dnl #
MASQUERADE_AS(`<%= sendmail_domain %>')dnl LOCAL_DOMAIN`localhost.localdomain')dnl
MASQUERADE_AS(`<%= mail_domain %>')dnl
FEATURE(masquerade_envelope)dnl FEATURE(masquerade_envelope)dnl
FEATURE(allmasquerade)dnl FEATURE(allmasquerade)dnl
define(`confMATCH_GECOS')dnl
define(`confDOMAIN_NAME', `<%= sendmail_domain %>')dnl
define(`confDONT_BLAME_SENDMAIL', `GroupWritableDirpathSafe,GroupWritableIncludeFileSafe,GroupWritableForwardFile,ForwardFileInGroupWritableDirPath')dnl
FEATURE(masquerade_entire_domain)dnl FEATURE(masquerade_entire_domain)dnl
FEATURE(`accept_unresolvable_domains')dnl
dnl #
define(`confMATCH_GECOS')dnl
define(`confDOMAIN_NAME', `<%= mail_domain %>')dnl
define(`confDONT_BLAME_SENDMAIL', `GroupWritableDirpathSafe,GroupWritableIncludeFileSafe,GroupWritableForwardFile,ForwardFileInGroupWritableDirPath')dnl
dnl #
MAILER(smtp)dnl MAILER(smtp)dnl
MAILER(procmail)dnl MAILER(procmail)dnl

2
ssh/manifests/init.pp
View file

@ -29,6 +29,8 @@ class ssh::known_hosts {
# #
class ssh::hostkeys { class ssh::hostkeys {
tag("bootstrap")
file { "/etc/ssh/ssh_host_dsa_key": file { "/etc/ssh/ssh_host_dsa_key":
ensure => present, ensure => present,
source => "puppet:///private/ssh_host_dsa_key", source => "puppet:///private/ssh_host_dsa_key",

2
syslog/files/rsyslogd.rc
View file

@ -6,7 +6,7 @@ daemon_flags="-x -c 4 -i /var/run/syslog.pid"
. /etc/rc.d/rc.subr . /etc/rc.d/rc.subr
rc_pre() { rc_pre() {
pkill -f /usr/sbin/syslogd pkill -U _syslogd
return 0 return 0
} }

19
syslog/manifests/init.pp
View file

@ -55,6 +55,13 @@ class syslog::common {
} }
} }
file { "/var/log/all.log":
ensure => present,
mode => "0640",
owner => "root",
group => $group,
}
} }
# Install syslog client # Install syslog client
@ -90,14 +97,6 @@ class syslog::client::syslogd {
} }
} }
file { "/var/log/all.log":
ensure => present,
mode => "0640",
owner => "root",
group => $group,
notify => Service["syslogd"],
}
file { "/etc/syslog.conf": file { "/etc/syslog.conf":
ensure => present, ensure => present,
content => template("syslog/syslog.conf.$operatingsystem.erb", content => template("syslog/syslog.conf.$operatingsystem.erb",
@ -126,6 +125,7 @@ class syslog::client::syslogd {
"openbsd" => "pkill -HUP -u _syslogd", "openbsd" => "pkill -HUP -u _syslogd",
default => undef, default => undef,
}, },
require => File["/var/log/all.log"],
} }
} }
@ -171,6 +171,7 @@ class syslog::client::rsyslog {
}, },
default => undef, default => undef,
}, },
require => File["/var/log/all.log"],
} }
if $operatingsystem == "OpenBSD" and $operatingsystemrelease !~ /4\.[1-8]/ { if $operatingsystem == "OpenBSD" and $operatingsystemrelease !~ /4\.[1-8]/ {
@ -234,7 +235,7 @@ class syslog::common::standalone inherits syslog::common {
require => File["/srv/log"], require => File["/srv/log"],
} }
file { "/var/log/all.log": File["/var/log/all.log"] {
ensure => link, ensure => link,
target => "/srv/log/all.log", target => "/srv/log/all.log",
} }