diff --git a/apache/manifests/debian.pp b/apache/manifests/debian.pp
index 98c96cb..8313714 100644
--- a/apache/manifests/debian.pp
+++ b/apache/manifests/debian.pp
@@ -88,7 +88,7 @@ class apache::debian::server inherits apache::debian::common {
}
-define apache::debian::site($aliases, $root, $redirect) {
+define apache::debian::site($aliases, $root, $redirect, $proxy) {
if $name == "default" {
$site_fqdn = $homename
@@ -100,7 +100,7 @@ define apache::debian::site($aliases, $root, $redirect) {
$site_confdir = "/etc/apache2/sites-enabled/${site_fqdn}.d"
if !$redirect {
- if !$proxy {
+ if $proxy == "" {
if $root {
file { "/srv/www/http/${site_fqdn}":
ensure => link,
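Review bot: The new `$proxy == ""` test treats only the empty string as "no proxy", whereas the replaced `!$proxy` accepted any false value. `apache::debian::site` declares `$proxy` without a default, so a caller passing `proxy => false` would, as far as I can tell, skip the document-root and site-confdir resources and have the template emit `ProxyPass / false/`. The same comparison appears in the later hunks of this file, in redhat.pp, and as `@proxy != ""` in both site templates. I would document the contract next to the define, e.g. `# $proxy must be a string; "" disables proxying (false is not treated as empty)`. The define's body continues outside this hunk.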
@@ -131,8 +131,8 @@ define apache::debian::site($aliases, $root, $redirect) {
file { $site_conf:
ensure => present,
mode => "0644",
- owner => root,
- group => root,
+ owner => "root",
+ group => "root",
notify => Service["apache2"],
}
@@ -140,26 +140,24 @@ define apache::debian::site($aliases, $root, $redirect) {
File[$site_conf] {
content => "\n ServerName ${site_fqdn}\n Redirect permanent / ${redirect}\n\n",
}
- } elsif $proxy {
- File[$site_conf] {
- content => template("apache/proxy.http.conf.erb"),
- }
} else {
File[$site_conf] {
content => template("apache/site.http.conf.erb"),
}
- file { $site_confdir:
- ensure => directory,
- mode => "0644",
- owner => root,
- group => root,
- purge => true,
- force => true,
- recurse => true,
- source => [ "puppet:///files/apache/sites/${site_fqdn}",
- "puppet:///modules/custom/empty", ],
- before => File[$site_conf],
- notify => Service["apache2"],
+ if $proxy == "" {
+ file { $site_confdir:
+ ensure => directory,
+ mode => "0644",
+ owner => "root",
+ group => "root",
+ purge => true,
+ force => true,
+ recurse => true,
+ source => [ "puppet:///files/apache/sites/${site_fqdn}",
+ "puppet:///modules/custom/empty", ],
+ before => File[$site_conf],
+ notify => Service["apache2"],
+ }
}
}
@@ -187,26 +185,28 @@ class apache::debian::sslserver inherits apache::debian::common {
define apache::debian::sslsite($first, $hsts, $ipaddr, $root,
- $ssl_cert, $ssl_key, $ssl_chain) {
+ $ssl_cert, $ssl_key, $ssl_chain, $proxy) {
if $name == "default" {
$site_fqdn = $homename
} else {
$site_fqdn = $name
- if $root {
- file { "/srv/www/https/${site_fqdn}":
- ensure => link,
- target => $root,
- before => Service["apache2"],
- }
- } else {
- file { "/srv/www/https/${site_fqdn}":
- ensure => directory,
- mode => "0755",
- owner => root,
- group => root,
- before => Service["apache2"],
+ if $proxy == "" {
+ if $root {
+ file { "/srv/www/https/${site_fqdn}":
+ ensure => link,
+ target => $root,
+ before => Service["apache2"],
+ }
+ } else {
+ file { "/srv/www/https/${site_fqdn}":
+ ensure => directory,
+ mode => "0755",
+ owner => "root",
+ group => "root",
+ before => Service["apache2"],
+ }
}
}
@@ -279,18 +279,20 @@ define apache::debian::sslsite($first, $hsts, $ipaddr, $root,
File["/etc/ssl/private/${site_fqdn}.key"], ],
}
- file { $site_confdir:
- ensure => directory,
- mode => "0644",
- owner => root,
- group => root,
- purge => true,
- force => true,
- recurse => true,
- source => [ "puppet:///files/apache/sslsites/${site_fqdn}",
- "puppet:///modules/custom/empty", ],
- before => File[$site_conf],
- notify => Service["apache2"],
+ if $proxy == "" {
+ file { $site_confdir:
+ ensure => directory,
+ mode => "0644",
+ owner => "root",
+ group => "root",
+ purge => true,
+ force => true,
+ recurse => true,
+ source => [ "puppet:///files/apache/sslsites/${site_fqdn}",
+ "puppet:///modules/custom/empty", ],
+ before => File[$site_conf],
+ notify => Service["apache2"],
+ }
}
}
diff --git a/apache/manifests/init.pp b/apache/manifests/init.pp
index f0d350d..384d578 100644
--- a/apache/manifests/init.pp
+++ b/apache/manifests/init.pp
@@ -279,6 +279,8 @@ class apache::sslserver::listen {
# Path to SSL private key. Defaults to puppet client certificate.
# $ssl_chain:
# Path to SSL certificate chain. Defaults to none.
+# $proxy:
+# Proxy site to given URL.
#
# === Sample usage
#
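Review bot: The `$proxy` entry does not say what the setting switches off. Going by the manifest and template changes in this commit, a non-empty value replaces `DocumentRoot` and the `Include` of the per-site conf directory and skips creating the document root, so `$root` and any per-site files are ignored. I would extend the comment to something like `#   Proxy site to given URL (no trailing slash). When set, $root and the per-site *.conf directory are not used.`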
@@ -288,8 +290,14 @@ class apache::sslserver::listen {
# ssl_key => "puppet:///path/to/www.example.com.key",
# }
#
+# apache::site { "proxy.example.com":
+# ssl_cert => "puppet:///path/to/proxy.example.com.crt",
+# ssl_key => "puppet:///path/to/proxy.example.com.key",
+# proxy => "http://localhost:8080",
+# }
+#
define apache::sslsite($first=false, $hsts=false, $ipaddr="_default_", $root="",
- $ssl_cert="", $ssl_key="", $ssl_chain="") {
+ $ssl_cert="", $ssl_key="", $ssl_chain="", $proxy="") {
include apache::sslserver::listen
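Review bot: The added sample declares `apache::site` but passes `ssl_cert` and `ssl_key`, which are parameters of the `apache::sslsite` define documented here. The site defines shown elsewhere in this commit take only `$aliases, $root, $redirect, $proxy`, so the sample would presumably fail as written. The first line should most likely read `# apache::sslsite { "proxy.example.com":`.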
@@ -308,6 +316,7 @@ define apache::sslsite($first=false, $hsts=false, $ipaddr="_default_", $root="",
ssl_cert => $ssl_cert,
ssl_key => $ssl_key,
ssl_chain => $ssl_chain,
+ proxy => $proxy,
require => Class["apache::sslserver::listen"],
}
}
@@ -321,6 +330,7 @@ define apache::sslsite($first=false, $hsts=false, $ipaddr="_default_", $root="",
ssl_cert => $ssl_cert,
ssl_key => $ssl_key,
ssl_chain => $ssl_chain,
+ proxy => $proxy,
require => Class["apache::sslserver::listen"],
}
}
diff --git a/apache/manifests/redhat.pp b/apache/manifests/redhat.pp
index f72ce64..e2fd7a3 100644
--- a/apache/manifests/redhat.pp
+++ b/apache/manifests/redhat.pp
@@ -57,7 +57,7 @@ define apache::redhat::site($aliases, $root, $redirect, $proxy) {
$site_confdir = "/etc/httpd/site.http.d/${site_fqdn}.d"
if !$redirect {
- if !$proxy {
+ if $proxy == "" {
if $root {
file { "/srv/www/http/${site_fqdn}":
ensure => link,
@@ -98,26 +98,24 @@ define apache::redhat::site($aliases, $root, $redirect, $proxy) {
File[$site_conf] {
content => "\n ServerName ${site_fqdn}\n Redirect permanent / ${redirect}\n\n",
}
- } elsif $proxy {
- File[$site_conf] {
- content => template("apache/proxy.http.conf.erb"),
- }
} else {
File[$site_conf] {
content => template("apache/site.http.conf.erb"),
}
- file { $site_confdir:
- ensure => directory,
- mode => "0644",
- owner => root,
- group => root,
- purge => true,
- force => true,
- recurse => true,
- source => [ "puppet:///files/apache/sites/${site_fqdn}",
- "puppet:///modules/apache/emptysite", ],
- before => File[$site_conf],
- notify => Service["httpd"],
+ if $proxy == "" {
+ file { $site_confdir:
+ ensure => directory,
+ mode => "0644",
+ owner => "root",
+ group => "root",
+ purge => true,
+ force => true,
+ recurse => true,
+ source => [ "puppet:///files/apache/sites/${site_fqdn}",
+ "puppet:///modules/apache/emptysite", ],
+ before => File[$site_conf],
+ notify => Service["httpd"],
+ }
}
}
@@ -226,26 +224,28 @@ class apache::redhat::sslserver {
define apache::redhat::sslsite($first, $hsts, $ipaddr, $root,
- $ssl_cert, $ssl_key, $ssl_chain) {
+ $ssl_cert, $ssl_key, $ssl_chain, $proxy) {
if $name == "default" {
$site_fqdn = $homename
} else {
$site_fqdn = $name
- if $root {
- file { "/srv/www/https/${site_fqdn}":
- ensure => link,
- target => $root,
- before => Service["httpsd"],
- }
- } else {
- file { "/srv/www/https/${site_fqdn}":
- ensure => directory,
- mode => "0755",
- owner => root,
- group => root,
- before => Service["httpsd"],
+ if $proxy == "" {
+ if $root {
+ file { "/srv/www/https/${site_fqdn}":
+ ensure => link,
+ target => $root,
+ before => Service["httpsd"],
+ }
+ } else {
+ file { "/srv/www/https/${site_fqdn}":
+ ensure => directory,
+ mode => "0755",
+ owner => "root",
+ group => "root",
+ before => Service["httpsd"],
+ }
}
}
@@ -319,18 +319,20 @@ define apache::redhat::sslsite($first, $hsts, $ipaddr, $root,
File["/etc/pki/tls/private/${site_fqdn}.key"], ],
}
- file { $site_confdir:
- ensure => directory,
- mode => "0644",
- owner => root,
- group => root,
- purge => true,
- force => true,
- recurse => true,
- source => [ "puppet:///files/apache/sslsites/${site_fqdn}",
- "puppet:///modules/apache/emptysite", ],
- before => File[$site_conf],
- notify => Service["httpsd"],
+ if $proxy == "" {
+ file { $site_confdir:
+ ensure => directory,
+ mode => "0644",
+ owner => "root",
+ group => "root",
+ purge => true,
+ force => true,
+ recurse => true,
+ source => [ "puppet:///files/apache/sslsites/${site_fqdn}",
+ "puppet:///modules/apache/emptysite", ],
+ before => File[$site_conf],
+ notify => Service["httpsd"],
+ }
}
}
diff --git a/apache/templates/proxy.http.conf.erb b/apache/templates/proxy.http.conf.erb
deleted file mode 100644
index 06b4c83..0000000
--- a/apache/templates/proxy.http.conf.erb
+++ /dev/null
@@ -1,10 +0,0 @@
-
- ServerName <%= @site_fqdn %>
-<% if @aliases != "" -%>
- ServerAlias <%= @aliases %>
-<% end -%>
- ErrorLog /srv/www/log/http/<%= @site_fqdn %>/error_log
- CustomLog /srv/www/log/http/<%= @site_fqdn %>/access_log combined
- ProxyPass / <%= @proxy %>/
- ProxyPassReverse / <%= @proxy %>/
-
diff --git a/apache/templates/site.http.conf.erb b/apache/templates/site.http.conf.erb
index 866939d..8624adb 100644
--- a/apache/templates/site.http.conf.erb
+++ b/apache/templates/site.http.conf.erb
@@ -5,6 +5,11 @@
<% end -%>
ErrorLog /srv/www/log/http/<%= @site_fqdn %>/error_log
CustomLog /srv/www/log/http/<%= @site_fqdn %>/access_log combined
+<% if @proxy != "" -%>
+ ProxyPass / <%= @proxy %>/
+ ProxyPassReverse / <%= @proxy %>/
+<% else -%>
DocumentRoot /srv/www/http/<%= @site_fqdn %>
Include <%= @site_confdir %>/*.conf
+<% end -%>
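Review bot: `<%= @proxy %>` is written into the vhost verbatim on both `ProxyPass` lines, so the value's shape decides what Apache parses. A URL that already ends in `/` produces `//`, and embedded whitespace would be read as extra `ProxyPass` arguments, since the directive accepts key=value parameters after the URL. The defines that pass `$proxy` could reject anything that is not a single http(s) URL before the template runs, e.g. `if $proxy != "" and $proxy !~ /^https?:\/\/[^\s\/]+(\/\S*[^\s\/])?$/ { fail("invalid proxy URL: ${proxy}") }`. The same applies to the site.https.conf.erb hunk.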
diff --git a/apache/templates/site.https.conf.erb b/apache/templates/site.https.conf.erb
index 4545bf6..df199b6 100644
--- a/apache/templates/site.https.conf.erb
+++ b/apache/templates/site.https.conf.erb
@@ -1,7 +1,6 @@
:443>
# General setup for the virtual host, inherited from global configuration
-DocumentRoot "/srv/www/https/<%= @site_fqdn %>"
ServerName <%= @site_fqdn %>:443
# Use separate log files for the SSL virtual host; note that LogLevel
@@ -156,6 +155,12 @@ BrowserMatch "MSIE [2-5]" \
<% end -%>
-Include <%= @site_confdir %>/*.conf
+<% if @proxy != "" -%>
+ ProxyPass / <%= @proxy %>/
+ ProxyPassReverse / <%= @proxy %>/
+<% else -%>
+ DocumentRoot /srv/www/https/<%= @site_fqdn %>
+ Include <%= @site_confdir %>/*.conf
+<% end -%>
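Review bot: When `@proxy` is an `https://` backend, mod_proxy cannot connect unless `SSLProxyEngine on` is set, and nothing in this hunk adds it; the rest of the template is outside the hunk, so it may be set elsewhere. If only plain-HTTP backends are intended, as in the `http://localhost:8080` sample, a comment above the `ProxyPass` lines would record that: `# backend must be http://; an https:// backend also needs SSLProxyEngine on`. Because this vhost terminates TLS and the backend hop is cleartext, the sample is safe only because it targets loopback, which is worth stating in the same comment. The site.http.conf.erb hunk has the same gap.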
diff --git a/firewall/manifests/init.pp b/firewall/manifests/init.pp
index 42aaaad..225285f 100644
--- a/firewall/manifests/init.pp
+++ b/firewall/manifests/init.pp
@@ -111,7 +111,7 @@ class firewall::common::iptables {
}
$ip6states = versioncmp($::kernelversion, "2.6.20")
- if $::operatingsystem == "Fedora" and $::operatingsystemrelease > 17 {
+ if $::operatingsystem == "Fedora" and versioncmp($::operatingsystemrelease, "17") == 1 {
package { "firewall-config":
ensure => absent,
before => Package["firewalld"],
diff --git a/ldap/manifests/init.pp b/ldap/manifests/init.pp
index 7e9efac..23be41d 100644
--- a/ldap/manifests/init.pp
+++ b/ldap/manifests/init.pp
@@ -95,14 +95,32 @@ class ldap::auth inherits ldap::client {
}
}
Fedora: {
- package { [ "sssd", "pam_ldap", ]:
+ package { "sssd":
ensure => installed,
}
- exec { "authconfig --enableldap --enableldapauth --ldapserver='${ldap_uri}' --ldapbasedn='${ldap_basedn}' --enablesssd --krb5realm='' --update":
- path => "/bin:/usr/bin:/sbin:/usr/sbin",
- unless => 'cat /etc/sysconfig/authconfig | egrep "^USELDAPAUTH=yes$|^USELDAP=yes$" | wc -l | egrep "^2$"',
- before => Augeas["sssd-conf"],
- require => Package["authconfig", "sssd", "pam_ldap"],
+ if versioncmp($::operatingsystemrelease, "18") == 1 {
+ exec { "authconfig --enableldap --enableldapauth --ldapserver='${ldap_uri}' --ldapbasedn='${ldap_basedn}' --krb5realm='' --update":
+ path => "/bin:/usr/bin:/sbin:/usr/sbin",
+ creates => "/etc/sssd/sssd.conf",
+ require => [ Package["authconfig"], Package["sssd"], ],
+ notify => Exec["authconfig --enablesssd --update"],
+ }
+ exec { "authconfig --enablesssd --update":
+ path => "/bin:/usr/bin:/sbin:/usr/sbin",
+ refreshonly => true,
+ before => Augeas["sssd-conf"],
+ }
+ } else {
+ package { "pam_ldap":
+ ensure => installed,
+ before => Package["sssd"],
+ }
+ exec { "authconfig --enableldap --enableldapauth --ldapserver='${ldap_uri}' --ldapbasedn='${ldap_basedn}' --enablesssd --krb5realm='' --update":
+ path => "/bin:/usr/bin:/sbin:/usr/sbin",
+ unless => 'cat /etc/sysconfig/authconfig | egrep "^USELDAPAUTH=yes$|^USELDAP=yes$" | wc -l | egrep "^2$"',
+ before => Augeas["sssd-conf"],
+ require => [ Package["authconfig"], Package["sssd"], ],
+ }
}
augeas { "sssd-conf":
changes => [
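Review bot: In the new branch for releases above 18, the first `authconfig` exec is guarded by `creates => "/etc/sssd/sssd.conf"`, which tests for a file rather than for LDAP actually being enabled. On a host where sssd.conf already exists (from an earlier configuration or a hand edit), neither that exec nor the `--enablesssd` refresh ever runs, and the `sssd-conf` Augeas resource then edits a file that authconfig never set up. Reusing the state check from the else branch, `unless => 'cat /etc/sysconfig/authconfig | egrep "^USELDAPAUTH=yes$|^USELDAP=yes$" | wc -l | egrep "^2$"'`, would re-assert the setting if it is reverted, assuming authconfig still records those keys on these releases. It is also worth confirming that `"18") == 1` (release 19 and later) is the intended cut-off, since the other version checks in this commit compare against "17".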
@@ -113,7 +131,7 @@ class ldap::auth inherits ldap::client {
],
incl => "/etc/sssd/sssd.conf",
lens => "MySQL.lns",
- before => Service["sssd"],
+ notify => Service["sssd"],
}
service { "sssd":
ensure => running,
diff --git a/nagios/manifests/target.pp b/nagios/manifests/target.pp
index d47d8cf..99f4cbd 100644
--- a/nagios/manifests/target.pp
+++ b/nagios/manifests/target.pp
@@ -111,6 +111,18 @@ class nagios::target::imaps inherits nagios::target {
}
+# Configure ipp service target.
+#
+class nagios::target::ipp inherits nagios::target {
+
+ @@nagios::service { "${::homename}_ipp":
+ command => "check_http!-p 631",
+ description => "IPP",
+ }
+
+}
+
+
# Configure ldap service target.
#
class nagios::target::ldap inherits nagios::target {
@@ -135,6 +147,18 @@ class nagios::target::ldaps inherits nagios::target {
}
+# Configure lpd service target.
+#
+class nagios::target::lpd inherits nagios::target {
+
+ @@nagios::service { "${::homename}_lpd":
+ command => "check_tcp!515",
+ description => "LPD",
+ }
+
+}
+
+
# Configure pop3 service target.
#
class nagios::target::pop3s inherits nagios::target {
diff --git a/network/manifests/init.pp b/network/manifests/init.pp
index ac7f374..05bf243 100644
--- a/network/manifests/init.pp
+++ b/network/manifests/init.pp
@@ -74,7 +74,7 @@ class network::hostname {
}
}
"fedora": {
- if $::operatingsystemrelease > 17 {
+ if versioncmp($::operatingsystemrelease, "17") == 1 {
file { "/etc/hostname":
ensure => present,
content => "${homename}\n",
diff --git a/sendmail/manifests/init.pp b/sendmail/manifests/init.pp
index 9dcad6b..c965108 100644
--- a/sendmail/manifests/init.pp
+++ b/sendmail/manifests/init.pp
@@ -141,8 +141,72 @@ class sendmail::client inherits sendmail::common {
# Configure Sendmail submission using port 587.
#
+# === Global variables:
+#
+# $mail_server:
+# Hostname of mail server.
+#
+# $sendmail_ssl_key:
+# Path to SSL key file used for authentication. If not set
+# certificate authentication will be disabled.
+#
+# $sendmail_ssl_cert:
+# Path to SSL certificate file used for authentication. If not set
+# certificate authentication will be disabled.
+#
class sendmail::client::msa inherits sendmail::client {
+ if $sendmail_ssl_key and $sendmail_ssl_cert {
+
+ include ssl
+
+ $ssl_key = basename($sendmail_ssl_key)
+ $ssl_cert = basename($sendmail_ssl_cert)
+ file { "${ssl::private}/${ssl_key}":
+ ensure => present,
+ mode => "0640",
+ owner => "root",
+ group => "smmsp",
+ source => $sendmail_ssl_key,
+ notify => Service["sendmail"],
+ }
+ file { "${ssl::certs}/${ssl_cert}":
+ ensure => present,
+ mode => "0644",
+ owner => "root",
+ group => "root",
+ source => $sendmail_ssl_cert,
+ notify => Service["sendmail"],
+ }
+
+ file { "/etc/mail/authinfo":
+ ensure => present,
+ content => "AuthInfo:${mail_server} \"U: \" \"P: \" \"M:EXTERNAL\"\n",
+ mode => "0640",
+ owner => "root",
+ group => $::operatingsystem ? {
+ "openbsd" => "wheel",
+ default => "root",
+ },
+ notify => Exec["make authinfo.db"],
+ }
+ exec { "make authinfo.db":
+ path => "/bin:/usr/bin:/sbin:/usr/sbin",
+ command => "makemap hash /etc/mail/authinfo < /etc/mail/authinfo",
+ refreshonly => true,
+ notify => Service["sendmail"],
+ }
+ file { "/etc/mail/authinfo.db":
+ ensure => present,
+ mode => "0640",
+ owner => "root",
+ group => "smmsp",
+ require => Exec["make authinfo.db"],
+ before => Service["sendmail"],
+ }
+
+ }
+
File["/etc/mail/submit.mc"] {
content => template("sendmail/submit.mc.erb", "sendmail/submit.mc.msa.erb"),
}
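Review bot: `File["/etc/mail/authinfo.db"]` uses `ensure => present` with no content, while the exec that builds the map is `refreshonly`. If the .db file is ever missing while /etc/mail/authinfo is unchanged, the exec is not refreshed and Puppet creates an empty authinfo.db, which is not a valid hash map. Making the exec state-based, e.g. replacing `refreshonly => true` with `unless => "test /etc/mail/authinfo.db -nt /etc/mail/authinfo"`, rebuilds the map whenever it is missing or stale. `makemap` also writes the file under the agent's umask before the File resource applies 0640 root:smmsp; the entry here carries no password, but that ordering deserves a comment in case credentials are ever added.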
diff --git a/sendmail/templates/submit.mc.msa.erb b/sendmail/templates/submit.mc.msa.erb
index 24261a7..ff777f2 100644
--- a/sendmail/templates/submit.mc.msa.erb
+++ b/sendmail/templates/submit.mc.msa.erb
@@ -1 +1,7 @@
+<% if @ssl_key and @ssl_cert -%>
+define(`confCLIENT_CERT', `<%= scope.lookupvar('ssl::certs') %>/<%= @ssl_cert %>')
+define(`confCLIENT_KEY', `<%= scope.lookupvar('ssl::private') %>/<%= @ssl_key %>')
+define(`confDONT_BLAME_SENDMAIL', `GroupReadableKeyFile')
+FEATURE(`authinfo', `DATABASE_MAP_TYPE /etc/mail/authinfo')dnl
+<% end -%>
FEATURE(`msp', `[<%= @mail_server %>]', `MSA')dnl
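Review bot: `confDONT_BLAME_SENDMAIL` with `GroupReadableKeyFile` relaxes sendmail's key-file permission check and deserves a comment, because the reason for it lives in another file. The manifest installs the client key as 0640 root:smmsp, so every process running with group smmsp can read it. A line such as `dnl Key is 0640 root:smmsp so the MSP can read it; GroupReadableKeyFile makes sendmail accept that mode.` above the define records the trade-off. The three `define(...)` lines also lack the trailing `dnl` that the `FEATURE` lines use.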