tmakinen/puppet
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge branch 'master' of bitbucket.org:tmakinen/puppet

Browse source
This commit is contained in:
Ossi Salmi 2013-09-24 13:52:18 +03:00
commit 379ca62a5f
12 changed files with 237 additions and 111 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

94
apache/manifests/debian.pp
View file

@ -88,7 +88,7 @@ class apache::debian::server inherits apache::debian::common {
}
define apache::debian::site($aliases, $root, $redirect) {
define apache::debian::site($aliases, $root, $redirect, $proxy) {
if $name == "default" {
$site_fqdn = $homename
@ -100,7 +100,7 @@ define apache::debian::site($aliases, $root, $redirect) {
$site_confdir = "/etc/apache2/sites-enabled/${site_fqdn}.d"
if !$redirect {
if !$proxy {
if $proxy == "" {
if $root {
file { "/srv/www/http/${site_fqdn}":
ensure => link,
@ -131,8 +131,8 @@ define apache::debian::site($aliases, $root, $redirect) {
file { $site_conf:
ensure => present,
mode => "0644",
owner => root,
group => root,
owner => "root",
group => "root",
notify => Service["apache2"],
}
@ -140,26 +140,24 @@ define apache::debian::site($aliases, $root, $redirect) {
File[$site_conf] {
content => "<VirtualHost *:80>\n ServerName ${site_fqdn}\n Redirect permanent / ${redirect}\n</VirtualHost>\n",
}
} elsif $proxy {
File[$site_conf] {
content => template("apache/proxy.http.conf.erb"),
}
} else {
File[$site_conf] {
content => template("apache/site.http.conf.erb"),
}
file { $site_confdir:
ensure => directory,
mode => "0644",
owner => root,
group => root,
purge => true,
force => true,
recurse => true,
source => [ "puppet:///files/apache/sites/${site_fqdn}",
"puppet:///modules/custom/empty", ],
before => File[$site_conf],
notify => Service["apache2"],
if $proxy == "" {
file { $site_confdir:
ensure => directory,
mode => "0644",
owner => "root",
group => "root",
purge => true,
force => true,
recurse => true,
source => [ "puppet:///files/apache/sites/${site_fqdn}",
"puppet:///modules/custom/empty", ],
before => File[$site_conf],
notify => Service["apache2"],
}
}
}
@ -187,26 +185,28 @@ class apache::debian::sslserver inherits apache::debian::common {
define apache::debian::sslsite($first, $hsts, $ipaddr, $root,
$ssl_cert, $ssl_key, $ssl_chain) {
$ssl_cert, $ssl_key, $ssl_chain, $proxy) {
if $name == "default" {
$site_fqdn = $homename
} else {
$site_fqdn = $name
if $root {
file { "/srv/www/https/${site_fqdn}":
ensure => link,
target => $root,
before => Service["apache2"],
}
} else {
file { "/srv/www/https/${site_fqdn}":
ensure => directory,
mode => "0755",
owner => root,
group => root,
before => Service["apache2"],
if $proxy == "" {
if $root {
file { "/srv/www/https/${site_fqdn}":
ensure => link,
target => $root,
before => Service["apache2"],
}
} else {
file { "/srv/www/https/${site_fqdn}":
ensure => directory,
mode => "0755",
owner => "root",
group => "root",
before => Service["apache2"],
}
}
}
@ -279,18 +279,20 @@ define apache::debian::sslsite($first, $hsts, $ipaddr, $root,
File["/etc/ssl/private/${site_fqdn}.key"], ],
}
file { $site_confdir:
ensure => directory,
mode => "0644",
owner => root,
group => root,
purge => true,
force => true,
recurse => true,
source => [ "puppet:///files/apache/sslsites/${site_fqdn}",
"puppet:///modules/custom/empty", ],
before => File[$site_conf],
notify => Service["apache2"],
if $proxy == "" {
file { $site_confdir:
ensure => directory,
mode => "0644",
owner => "root",
group => "root",
purge => true,
force => true,
recurse => true,
source => [ "puppet:///files/apache/sslsites/${site_fqdn}",
"puppet:///modules/custom/empty", ],
before => File[$site_conf],
notify => Service["apache2"],
}
}
}

12
apache/manifests/init.pp
View file

@ -279,6 +279,8 @@ class apache::sslserver::listen {
# Path to SSL private key. Defaults to puppet client certificate.
# $ssl_chain:
# Path to SSL certificate chain. Defaults to none.
# $proxy:
# Proxy site to given URL.
#
# === Sample usage
#
@ -288,8 +290,14 @@ class apache::sslserver::listen {
# ssl_key => "puppet:///path/to/www.example.com.key",
# }
#
# apache::site { "proxy.example.com":
# ssl_cert => "puppet:///path/to/proxy.example.com.crt",
# ssl_key => "puppet:///path/to/proxy.example.com.key",
# proxy => "http://localhost:8080",
# }
#
define apache::sslsite($first=false, $hsts=false, $ipaddr="_default_", $root="",
$ssl_cert="", $ssl_key="", $ssl_chain="") {
$ssl_cert="", $ssl_key="", $ssl_chain="", $proxy="") {
include apache::sslserver::listen
@ -308,6 +316,7 @@ define apache::sslsite($first=false, $hsts=false, $ipaddr="_default_", $root="",
ssl_cert => $ssl_cert,
ssl_key => $ssl_key,
ssl_chain => $ssl_chain,
proxy => $proxy,
require => Class["apache::sslserver::listen"],
}
}
@ -321,6 +330,7 @@ define apache::sslsite($first=false, $hsts=false, $ipaddr="_default_", $root="",
ssl_cert => $ssl_cert,
ssl_key => $ssl_key,
ssl_chain => $ssl_chain,
proxy => $proxy,
require => Class["apache::sslserver::listen"],
}
}

88
apache/manifests/redhat.pp
View file

@ -57,7 +57,7 @@ define apache::redhat::site($aliases, $root, $redirect, $proxy) {
$site_confdir = "/etc/httpd/site.http.d/${site_fqdn}.d"
if !$redirect {
if !$proxy {
if $proxy == "" {
if $root {
file { "/srv/www/http/${site_fqdn}":
ensure => link,
@ -98,26 +98,24 @@ define apache::redhat::site($aliases, $root, $redirect, $proxy) {
File[$site_conf] {
content => "<VirtualHost *:80>\n ServerName ${site_fqdn}\n Redirect permanent / ${redirect}\n</VirtualHost>\n",
}
} elsif $proxy {
File[$site_conf] {
content => template("apache/proxy.http.conf.erb"),
}
} else {
File[$site_conf] {
content => template("apache/site.http.conf.erb"),
}
file { $site_confdir:
ensure => directory,
mode => "0644",
owner => root,
group => root,
purge => true,
force => true,
recurse => true,
source => [ "puppet:///files/apache/sites/${site_fqdn}",
"puppet:///modules/apache/emptysite", ],
before => File[$site_conf],
notify => Service["httpd"],
if $proxy == "" {
file { $site_confdir:
ensure => directory,
mode => "0644",
owner => "root",
group => "root",
purge => true,
force => true,
recurse => true,
source => [ "puppet:///files/apache/sites/${site_fqdn}",
"puppet:///modules/apache/emptysite", ],
before => File[$site_conf],
notify => Service["httpd"],
}
}
}
@ -226,26 +224,28 @@ class apache::redhat::sslserver {
define apache::redhat::sslsite($first, $hsts, $ipaddr, $root,
$ssl_cert, $ssl_key, $ssl_chain) {
$ssl_cert, $ssl_key, $ssl_chain, $proxy) {
if $name == "default" {
$site_fqdn = $homename
} else {
$site_fqdn = $name
if $root {
file { "/srv/www/https/${site_fqdn}":
ensure => link,
target => $root,
before => Service["httpsd"],
}
} else {
file { "/srv/www/https/${site_fqdn}":
ensure => directory,
mode => "0755",
owner => root,
group => root,
before => Service["httpsd"],
if $proxy == "" {
if $root {
file { "/srv/www/https/${site_fqdn}":
ensure => link,
target => $root,
before => Service["httpsd"],
}
} else {
file { "/srv/www/https/${site_fqdn}":
ensure => directory,
mode => "0755",
owner => "root",
group => "root",
before => Service["httpsd"],
}
}
}
@ -319,18 +319,20 @@ define apache::redhat::sslsite($first, $hsts, $ipaddr, $root,
File["/etc/pki/tls/private/${site_fqdn}.key"], ],
}
file { $site_confdir:
ensure => directory,
mode => "0644",
owner => root,
group => root,
purge => true,
force => true,
recurse => true,
source => [ "puppet:///files/apache/sslsites/${site_fqdn}",
"puppet:///modules/apache/emptysite", ],
before => File[$site_conf],
notify => Service["httpsd"],
if $proxy == "" {
file { $site_confdir:
ensure => directory,
mode => "0644",
owner => "root",
group => "root",
purge => true,
force => true,
recurse => true,
source => [ "puppet:///files/apache/sslsites/${site_fqdn}",
"puppet:///modules/apache/emptysite", ],
before => File[$site_conf],
notify => Service["httpsd"],
}
}
}

10
apache/templates/proxy.http.conf.erb
View file

@ -1,10 +0,0 @@
<VirtualHost *:80>
ServerName <%= @site_fqdn %>
<% if @aliases != "" -%>
ServerAlias <%= @aliases %>
<% end -%>
ErrorLog /srv/www/log/http/<%= @site_fqdn %>/error_log
CustomLog /srv/www/log/http/<%= @site_fqdn %>/access_log combined
ProxyPass / <%= @proxy %>/
ProxyPassReverse / <%= @proxy %>/
</VirtualHost>

5
apache/templates/site.http.conf.erb
View file

@ -5,6 +5,11 @@
<% end -%>
ErrorLog /srv/www/log/http/<%= @site_fqdn %>/error_log
CustomLog /srv/www/log/http/<%= @site_fqdn %>/access_log combined
<% if @proxy != "" -%>
ProxyPass / <%= @proxy %>/
ProxyPassReverse / <%= @proxy %>/
<% else -%>
DocumentRoot /srv/www/http/<%= @site_fqdn %>
Include <%= @site_confdir %>/*.conf
<% end -%>
</VirtualHost>

9
apache/templates/site.https.conf.erb
View file

@ -1,7 +1,6 @@
<VirtualHost <%= @ipaddr %>:443>
# General setup for the virtual host, inherited from global configuration
DocumentRoot "/srv/www/https/<%= @site_fqdn %>"
ServerName <%= @site_fqdn %>:443
# Use separate log files for the SSL virtual host; note that LogLevel
@ -156,6 +155,12 @@ BrowserMatch "MSIE [2-5]" \
</IfModule>
<% end -%>
Include <%= @site_confdir %>/*.conf
<% if @proxy != "" -%>
ProxyPass / <%= @proxy %>/
ProxyPassReverse / <%= @proxy %>/
<% else -%>
DocumentRoot /srv/www/https/<%= @site_fqdn %>
Include <%= @site_confdir %>/*.conf
<% end -%>
</VirtualHost>

2
firewall/manifests/init.pp
View file

@ -111,7 +111,7 @@ class firewall::common::iptables {
}
$ip6states = versioncmp($::kernelversion, "2.6.20")
if $::operatingsystem == "Fedora" and $::operatingsystemrelease > 17 {
if $::operatingsystem == "Fedora" and versioncmp($::operatingsystemrelease, "17") == 1 {
package { "firewall-config":
ensure => absent,
before => Package["firewalld"],

32
ldap/manifests/init.pp
View file

@ -95,14 +95,32 @@ class ldap::auth inherits ldap::client {
}
}
Fedora: {
package { [ "sssd", "pam_ldap", ]:
package { "sssd":
ensure => installed,
}
exec { "authconfig --enableldap --enableldapauth --ldapserver='${ldap_uri}' --ldapbasedn='${ldap_basedn}' --enablesssd --krb5realm='' --update":
path => "/bin:/usr/bin:/sbin:/usr/sbin",
unless => 'cat /etc/sysconfig/authconfig | egrep "^USELDAPAUTH=yes$|^USELDAP=yes$" | wc -l | egrep "^2$"',
before => Augeas["sssd-conf"],
require => Package["authconfig", "sssd", "pam_ldap"],
if versioncmp($::operatingsystemrelease, "18") == 1 {
exec { "authconfig --enableldap --enableldapauth --ldapserver='${ldap_uri}' --ldapbasedn='${ldap_basedn}' --krb5realm='' --update":
path => "/bin:/usr/bin:/sbin:/usr/sbin",
creates => "/etc/sssd/sssd.conf",
require => [ Package["authconfig"], Package["sssd"], ],
notify => Exec["authconfig --enablesssd --update"],
}
exec { "authconfig --enablesssd --update":
path => "/bin:/usr/bin:/sbin:/usr/sbin",
refreshonly => true,
before => Augeas["sssd-conf"],
}
} else {
package { "pam_ldap":
ensure => installed,
before => Package["sssd"],
}
exec { "authconfig --enableldap --enableldapauth --ldapserver='${ldap_uri}' --ldapbasedn='${ldap_basedn}' --enablesssd --krb5realm='' --update":
path => "/bin:/usr/bin:/sbin:/usr/sbin",
unless => 'cat /etc/sysconfig/authconfig | egrep "^USELDAPAUTH=yes$|^USELDAP=yes$" | wc -l | egrep "^2$"',
before => Augeas["sssd-conf"],
require => [ Package["authconfig"], Package["sssd"], ],
}
}
augeas { "sssd-conf":
changes => [
@ -113,7 +131,7 @@ class ldap::auth inherits ldap::client {
],
incl => "/etc/sssd/sssd.conf",
lens => "MySQL.lns",
before => Service["sssd"],
notify => Service["sssd"],
}
service { "sssd":
ensure => running,

24
nagios/manifests/target.pp
View file

@ -111,6 +111,18 @@ class nagios::target::imaps inherits nagios::target {
}
# Configure ipp service target.
#
class nagios::target::ipp inherits nagios::target {
@@nagios::service { "${::homename}_ipp":
command => "check_http!-p 631",
description => "IPP",
}
}
# Configure ldap service target.
#
class nagios::target::ldap inherits nagios::target {
@ -135,6 +147,18 @@ class nagios::target::ldaps inherits nagios::target {
}
# Configure lpd service target.
#
class nagios::target::lpd inherits nagios::target {
@@nagios::service { "${::homename}_lpd":
command => "check_tcp!515",
description => "LPD",
}
}
# Configure pop3 service target.
#
class nagios::target::pop3s inherits nagios::target {

2
network/manifests/init.pp
View file

@ -74,7 +74,7 @@ class network::hostname {
}
}
"fedora": {
if $::operatingsystemrelease > 17 {
if versioncmp($::operatingsystemrelease, "17") == 1 {
file { "/etc/hostname":
ensure => present,
content => "${homename}\n",

64
sendmail/manifests/init.pp
View file

@ -141,8 +141,72 @@ class sendmail::client inherits sendmail::common {
# Configure Sendmail submission using port 587.
#
# === Global variables:
#
# $mail_server:
# Hostname of mail server.
#
# $sendmail_ssl_key:
# Path to SSL key file used for authentication. If not set
# certificate authentication will be disabled.
#
# $sendmail_ssl_cert:
# Path to SSL certificate file used for authentication. If not set
# certificate authentication will be disabled.
#
class sendmail::client::msa inherits sendmail::client {
if $sendmail_ssl_key and $sendmail_ssl_cert {
include ssl
$ssl_key = basename($sendmail_ssl_key)
$ssl_cert = basename($sendmail_ssl_cert)
file { "${ssl::private}/${ssl_key}":
ensure => present,
mode => "0640",
owner => "root",
group => "smmsp",
source => $sendmail_ssl_key,
notify => Service["sendmail"],
}
file { "${ssl::certs}/${ssl_cert}":
ensure => present,
mode => "0644",
owner => "root",
group => "root",
source => $sendmail_ssl_cert,
notify => Service["sendmail"],
}
file { "/etc/mail/authinfo":
ensure => present,
content => "AuthInfo:${mail_server} \"U: \" \"P: \" \"M:EXTERNAL\"\n",
mode => "0640",
owner => "root",
group => $::operatingsystem ? {
"openbsd" => "wheel",
default => "root",
},
notify => Exec["make authinfo.db"],
}
exec { "make authinfo.db":
path => "/bin:/usr/bin:/sbin:/usr/sbin",
command => "makemap hash /etc/mail/authinfo < /etc/mail/authinfo",
refreshonly => true,
notify => Service["sendmail"],
}
file { "/etc/mail/authinfo.db":
ensure => present,
mode => "0640",
owner => "root",
group => "smmsp",
require => Exec["make authinfo.db"],
before => Service["sendmail"],
}
}
File["/etc/mail/submit.mc"] {
content => template("sendmail/submit.mc.erb", "sendmail/submit.mc.msa.erb"),
}

6
sendmail/templates/submit.mc.msa.erb
View file

@ -1 +1,7 @@
<% if @ssl_key and @ssl_cert -%>
define(`confCLIENT_CERT', `<%= scope.lookupvar('ssl::certs') %>/<%= @ssl_cert %>')
define(`confCLIENT_KEY', `<%= scope.lookupvar('ssl::private') %>/<%= @ssl_key %>')
define(`confDONT_BLAME_SENDMAIL', `GroupReadableKeyFile')
FEATURE(`authinfo', `DATABASE_MAP_TYPE /etc/mail/authinfo')dnl
<% end -%>
FEATURE(`msp', `[<%= @mail_server %>]', `MSA')dnl