tmakinen/puppet
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge tmakinen/puppet

Browse source 
Conflicts:
	dovecot/manifests/init.pp
	libvirt/manifests/init.pp
	munin/manifests/init.pp
	puppet/manifests/init.pp
	tftp/manifests/init.pp
This commit is contained in:
Ossi Salmi 2012-11-16 19:40:31 +02:00
commit 98767cfb2a
45 changed files with 5517 additions and 156 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
apache/templates/site.https.conf.erb
View file

@ -30,14 +30,14 @@ SSLCipherSuite RC4-SHA:HIGH:!ADH
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A new
# certificate can be generated using the genkey(1) command.
SSLCertificateFile <%= apache_ssldir %>/certs/<%= site_fqdn %>.crt
SSLCertificateFile <%= @apache_ssldir %>/certs/<%= site_fqdn %>.crt
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile <%= apache_ssldir %>/private/<%= site_fqdn %>.key
SSLCertificateKeyFile <%= @apache_ssldir %>/private/<%= site_fqdn %>.key
# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
@ -47,7 +47,7 @@ SSLCertificateKeyFile <%= apache_ssldir %>/private/<%= site_fqdn %>.key
# when the CA certificates are directly appended to the server
# certificate for convinience.
<% if ssl_chain != "" -%>
SSLCertificateChainFile <%= apache_ssldir %>/certs/<%= site_fqdn %>.chain.crt
SSLCertificateChainFile <%= @apache_ssldir %>/certs/<%= site_fqdn %>.chain.crt
<% end -%>
# Certificate Authority (CA):

5
backuppc/manifests/init.pp
View file

@ -70,7 +70,10 @@ class backuppc::server {
group => "root",
require => Package["BackupPC"],
}
selinux::manage_fcontext { "${backuppc_datadir}(/.*)?":
type => "var_lib_t",
before => File[$backuppc_datadir],
}
file { "/var/lib/BackupPC":
ensure => $backuppc_datadir,
force => true,

2
custom/lib/puppet/provider/service/openbsd.rb
View file

@ -4,7 +4,7 @@ Puppet::Type.type(:service).provide :openbsd, :parent => :base do
desc "OpenBSD service management."
version = ["4.9", "5.0", "5.1"]
version = ["4.9", "5.0", "5.1", "5.2"]
confine :operatingsystem => :openbsd
confine :operatingsystemrelease => version
defaultfor :operatingsystem => :openbsd

41
dell/manifests/init.pp Normal file
View file

@ -0,0 +1,41 @@
class dell::common {
case $::operatingsystem {
"centos", "redhat": {
include yum::repo::dell
}
default: {
fail("Dell modules not supported in ${operatingsystem}")
}
}
}
# Tools and services for Dell iDRAC7 management
#
class dell::idrac7 {
include dell::common
package { 'srvadmin-idrac7':
ensure => installed,
require => Class["yum::repo::dell"],
}
# Enable OpenManage System services
exec { "srvadmin-service-enable":
command => "/opt/dell/srvadmin/sbin/srvadmin-services.sh enable",
creates => "/etc/rc2.d/S97dataeng",
user => "root",
group => "root",
require => Exec["srvadmin-service-start"],
}
# Start OpenManage System services
exec { "srvadmin-service-start":
command => "/opt/dell/srvadmin/sbin/srvadmin-services.sh start",
unless => "/usr/bin/pgrep -f /opt/dell/srvadmin/sbin/dsm_sa_datamgrd",
user => "root",
group => "root",
require => Package["srvadmin-idrac7"],
}
}

0
dovecot/files/empty Normal file
View file

73
dovecot/manifests/dovecot1.pp Normal file
View file

@ -0,0 +1,73 @@
class dovecot::server::v1 {
case $operatingsystem {
centos,fedora: {
$dovecot_ssl_dir = "/etc/pki/tls"
}
default: {
fail("Dovecot module not supported in ${operatingsystem}.")
}
}
service { "dovecot":
ensure => running,
enable => true,
require => File["/etc/dovecot.conf"],
}
if $dovecot_ssl_csr {
file { "$dovecot_ssl_dir/private/dovecot.csr":
ensure => present,
source => $dovecot_ssl_csr,
mode => "0640",
owner => "root",
group => "root",
notify => Service["dovecot"],
}
}
if $dovecot_ssl_ca {
file { "$dovecot_ssl_dir/certs/dovecot.ca.crt":
ensure => present,
source => $dovecot_ssl_ca,
mode => "0644",
owner => "root",
group => "root",
notify => Service["dovecot"],
}
}
if $dovecot_ssl_cert {
file { "$dovecot_ssl_dir/certs/dovecot.crt":
ensure => present,
source => $dovecot_ssl_cert,
mode => "0644",
owner => "root",
group => "root",
notify => Service["dovecot"],
}
} else {
fail("You need to define an ssl_cert in your node manifest.")
}
if $dovecot_ssl_key {
file { "$dovecot_ssl_dir/private/dovecot.key":
ensure => present,
source => $dovecot_ssl_key,
mode => "0600",
owner => "root",
group => "root",
notify => Service["dovecot"],
}
} else {
fail("You need to define an ssl_key in your node manifest.")
}
file { "/etc/dovecot.conf":
ensure => present,
content => template("dovecot/dovecot.conf.erb"),
mode => "0644",
owner => "root",
group => "root",
notify => Service["dovecot"],
}
}

89
dovecot/manifests/dovecot2.pp Normal file
View file

@ -0,0 +1,89 @@
class dovecot::server::v2 {
case $operatingsystem {
centos,fedora: {
$dovecot_ssl_dir = "/etc/pki/tls"
}
default: {
fail("Dovecot module not supported in ${operatingsystem}.")
}
}
service { "dovecot":
ensure => running,
enable => true,
require => File["/etc/dovecot/conf.d/98-puppet.conf",
"/etc/dovecot/conf.d/99-local.conf"],
}
file { "/etc/dovecot/conf.d/98-puppet.conf":
ensure => present,
content => template("dovecot/puppet.conf.erb"),
mode => "0644",
owner => "root",
group => "root",
notify => Service["dovecot"],
require => Package["dovecot"],
}
file { "/etc/dovecot/conf.d/99-local.conf":
ensure => present,
source => [
"puppet:///files/dovecot/local.conf",
"puppet:///modules/dovecot/empty",
],
mode => "0644",
owner => "root",
group => "root",
notify => Service["dovecot"],
require => Package["dovecot"],
}
if $dovecot_ssl_csr {
file { "$dovecot_ssl_dir/private/dovecot.csr":
ensure => present,
source => $dovecot_ssl_csr,
mode => "0640",
owner => "root",
group => "root",
notify => Service["dovecot"],
}
}
if $dovecot_ssl_ca {
file { "$dovecot_ssl_dir/certs/dovecot.ca.crt":
ensure => present,
source => $dovecot_ssl_ca,
mode => "0644",
owner => "root",
group => "root",
notify => Service["dovecot"],
}
}
if $dovecot_ssl_cert {
file { "$dovecot_ssl_dir/certs/dovecot.crt":
ensure => present,
source => $dovecot_ssl_cert,
mode => "0644",
owner => "root",
group => "root",
notify => Service["dovecot"],
}
} else {
fail("You need to define an ssl_cert in your node manifest.")
}
if $dovecot_ssl_key {
file { "$dovecot_ssl_dir/private/dovecot.key":
ensure => present,
source => $dovecot_ssl_key,
mode => "0600",
owner => "root",
group => "root",
notify => Service["dovecot"],
}
} else {
fail("You need to define an ssl_key in your node manifest.")
}
}

83
dovecot/manifests/init.pp
View file

@ -1,3 +1,6 @@
import "dovecot1.pp" # Dovecot v1.x
import "dovecot2.pp" # Dovecot v2.x
class dovecot::common {
case $::operatingsystem {
@ -24,79 +27,33 @@ class dovecot::common {
# Puppet source for the X.509 key.
# $dovecot_ssl_ca:
# Puppet source for the optional X.509 ca certificate.
# $dovecot_mailbox_format:
# Mailbox format to use in user's homedir ["mbox" | "mdbox"]
# $dovecot_zlib:
# Compress mailboxes with zlib ["yes" | "no"]
class dovecot::server inherits dovecot::common {
if ! $dovecot_mailbox_format {
$dovecot_mailbox_format = "mbox"
}
case $::operatingsystem {
"centos","redhat","fedora": {
$dovecot_ssl_dir = "/etc/pki/tls"
case $operatingsystemrelease {
/^6\./: {
include dovecot::server::v2
}
default: {
include dovecot::server::v1
}
}
}
default: {
fail("Dovecot module not supported in ${::operatingsystem}.")
}
}
service { "dovecot":
ensure => running,
enable => true,
require => File["/etc/dovecot.conf"],
}
if $dovecot_ssl_csr {
file { "$dovecot_ssl_dir/private/dovecot.csr":
ensure => present,
source => $dovecot_ssl_csr,
mode => "0640",
owner => "root",
group => "root",
notify => Service["dovecot"],
}
}
if $dovecot_ssl_ca {
file { "$dovecot_ssl_dir/certs/dovecot.ca.crt":
ensure => present,
source => $dovecot_ssl_ca,
mode => "0644",
owner => "root",
group => "root",
notify => Service["dovecot"],
}
}
if $dovecot_ssl_cert {
file { "$dovecot_ssl_dir/certs/dovecot.crt":
ensure => present,
source => $dovecot_ssl_cert,
mode => "0644",
owner => "root",
group => "root",
notify => Service["dovecot"],
}
} else {
fail("You need to define an ssl_cert in your node manifest.")
}
if $dovecot_ssl_key {
file { "$dovecot_ssl_dir/private/dovecot.key":
ensure => present,
source => $dovecot_ssl_key,
mode => "0600",
owner => "root",
group => "root",
notify => Service["dovecot"],
}
} else {
fail("You need to define an ssl_key in your node manifest.")
}
file { "/etc/dovecot.conf":
ensure => present,
content => template("dovecot/dovecot.conf.erb"),
mode => "0644",
owner => "root",
group => "root",
notify => Service["dovecot"],
}
}

38
dovecot/templates/puppet.conf.erb Normal file
View file

@ -0,0 +1,38 @@
ssl=required
ssl_cert = <<%= dovecot_ssl_dir %>/certs/dovecot.crt
ssl_key = <<%= dovecot_ssl_dir %>/private/dovecot.key
<% if has_variable?('dovecot_ssl_ca') -%>
ssl_ca = <<%= dovecot_ssl_dir %>/certs/dovecot.ca.crt
<% end -%>
<% if has_variable=('dovecot_mailbox_format') && dovecot_mailbox_format == "mdbox" -%>
# mdbox settings
mdbox_rotate_size = 10M
mdbox_rotate_interval = 10d
<% end -%>
# zlib
<% if has_variable?('dovecot_zlib') && dovecot_zlib == "yes" -%>
mail_plugins = $mail_plugins zlib
plugin {
zlib_save_level = 1 # 1..9
zlib_save = gz # or bz2
}
<% end -%>
mail_location = <%= dovecot_mailbox_format %>:~/imapmail/
namespace {
separator = /
list = yes
}
namespace {
separator = /
prefix = "#mbox/"
location = mbox:~/imapinbox/:INBOX=/var/mail/%u
inbox = yes
hidden = yes
list = no
}

13
firewall/manifests/init.pp
View file

@ -17,6 +17,11 @@
#
# $firewall_custom = [ "pass in quick carp", ]
#
# Loading of extra modules is supported on centos. For example FTP
# support for iptables:
#
# $firewall_modules = [ "nf_conntrack_ftp", ]
class firewall {
if ! $firewall_custom {
@ -117,6 +122,14 @@ class firewall::common::iptables {
hasrestart => true,
require => Package["iptables"],
}
if $firewall_modules {
$firewall_modules_str = inline_template('<%= @firewall_modules.join(" ") -%>')
augeas { "iptables-config":
context => "/files/etc/sysconfig/iptables-config",
changes => [ "set IPTABLES_MODULES '${firewall_modules_str}'" ],
notify => Service["iptables"],
}
}
}
}

4
firewall/templates/ip6tables.erb
View file

@ -14,7 +14,7 @@
<% end -%>
-A INPUT -p ipv6-icmp -j ACCEPT
<%
firewall_rules.each do |rule|
@firewall_rules.each do |rule|
rule = /(tcp|udp)\/([\d:]+)( .+)?/.match(rule)
if not rule[3] or IPAddr.new(rule[3].strip()).ipv6?
-%>
@ -22,7 +22,7 @@
<%
end
end
firewall_custom.each do |rule|
@firewall_custom.each do |rule|
-%>
<%= rule %>
<% end -%>

4
firewall/templates/iptables.erb
View file

@ -8,7 +8,7 @@
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp --icmp-type any -j ACCEPT
<%
firewall_rules.each do |rule|
@firewall_rules.each do |rule|
rule = /(tcp|udp)\/([\d:]+)( .+)?/.match(rule)
if not rule[3] or IPAddr.new(rule[3].strip()).ipv4?
-%>
@ -16,7 +16,7 @@
<%
end
end
firewall_custom.each do |rule|
@firewall_custom.each do |rule|
-%>
<%= rule %>
<% end -%>

4
firewall/templates/pf.conf.erb
View file

@ -8,10 +8,10 @@ pass out all
pass in quick inet proto icmp all
pass in quick inet6 proto icmp6 all
<% firewall_rules.each do |rule| -%>
<% @firewall_rules.each do |rule| -%>
<% rule = /(tcp|udp)\/([\d:]+)( .+)?/.match(rule) -%>
pass in quick proto <%= rule[1] %><% if rule[3] %> from<%= rule[3] %><% end %> to port <%= rule[2] %>
<% end -%>
<% firewall_custom.each do |rule| -%>
<% @firewall_custom.each do |rule| -%>
<%= rule %>
<% end -%>

2
inetd/manifests/init.pp
View file

@ -50,7 +50,7 @@ class inetd::server::inetd {
service { "inetd":
ensure => running,
start => "inetd",
start => "/usr/sbin/inetd",
enable => true,
}

4
ldap/templates/slapd-database.conf.erb
View file

@ -58,9 +58,9 @@ include <%= scope.lookupvar('ldap::server::config') %>/slapd.conf.d/acl.<%= nam
include <%= scope.lookupvar('ldap::server::config') %>/slapd.conf.d/index.<%= name %>.conf
# map local users connecting via ldapi:///
sasl-regexp "gidNumber=([\d]+)+uidNumber=0,cn=peercred,cn=external,cn=auth"
sasl-regexp "gidNumber=([^,]+)+uidNumber=0,cn=peercred,cn=external,cn=auth"
"cn=manager,<%= name %>"
sasl-regexp "gidNumber=([\d]+)+uidNumber=([\d]+),cn=peercred,cn=external,cn=auth"
sasl-regexp "gidNumber=([^,]+)+uidNumber=([^,]+),cn=peercred,cn=external,cn=auth"
ldap:///<%= name %>??sub?(&(uidNumber=$2)(objectClass=posixAccount))
# map sasl authenticated users

38
libvirt/manifests/init.pp
View file

@ -35,8 +35,33 @@ class libvirt::client {
# $libvirt_admingroup:
# Group which has access to system libvirtd.
#
# $libvirt_guest_on_boot
# Action to taken on host boot [start, ignore] (default: start)
#
# $libvirt_guest_on_shutdown
# Action to taken on host shutdown [suspend, shutdown] (default: suspend)
#
# $libvirt_parallel_shutdown
# If set to non-zero, shutdown will suspend guests concurrently. (default: 0)
#
class libvirt::kvm inherits libvirt::client {
if !$libvirt_admingroup {
$libvirt_admingroup = "root"
}
if !$libvirt_guest_on_boot {
$libvirt_guest_on_boot = "start"
}
if !$libvirt_guest_on_shutdown {
$libvirt_guest_on_shutdown = "suspend"
}
if !$libvirt_parallel_shutdown {
$libvirt_parallel_shutdown = 0
}
case $::operatingsystem {
"centos","redhat": {
case $::operatingsystemrelease {
@ -58,6 +83,14 @@ class libvirt::kvm inherits libvirt::client {
}
}
}
file { "/etc/sysconfig/libvirt-guests":
ensure => present,
mode => "0644",
owner => "root",
group => "root",
content => template("libvirt/sysconfig-libvirt-guests.erb"),
require => Package["libvirt"],
}
}
"fedora": {
package { "qemu-kvm":
@ -74,10 +107,6 @@ class libvirt::kvm inherits libvirt::client {
}
}
if !$libvirt_admingroup {
$libvirt_admingroup = "root"
}
file { "/etc/libvirt/libvirtd.conf":
ensure => present,
mode => "0644",
@ -92,6 +121,5 @@ class libvirt::kvm inherits libvirt::client {
ensure => running,
enable => true,
}
}

41
libvirt/templates/sysconfig-libvirt-guests.erb Normal file
View file

@ -0,0 +1,41 @@
# URIs to check for running guests
# example: URIS='default xen:/// vbox+tcp://host/system lxc:///'
#URIS=default
# action taken on host boot
# - start all guests which were running on shutdown are started on boot
# regardless on their autostart settings
# - ignore libvirt-guests init script won't start any guest on boot, however,
# guests marked as autostart will still be automatically started by
# libvirtd
ON_BOOT=<%= libvirt_guest_on_boot %>
# Number of seconds to wait between each guest start. Set to 0 to allow
# parallel startup.
#START_DELAY=0
# action taken on host shutdown
# - suspend all running guests are suspended using virsh managedsave
# - shutdown all running guests are asked to shutdown. Please be careful with
# this settings since there is no way to distinguish between a
# guest which is stuck or ignores shutdown requests and a guest
# which just needs a long time to shutdown. When setting
# ON_SHUTDOWN=shutdown, you must also set SHUTDOWN_TIMEOUT to a
# value suitable for your guests.
ON_SHUTDOWN=<%= libvirt_guest_on_shutdown %>
# If set to non-zero, shutdown will suspend guests concurrently. Number of
# guests on shutdown at any time will not exceed number set in this variable.
PARALLEL_SHUTDOWN=<%= libvirt_parallel_shutdown %>
# Number of seconds we're willing to wait for a guest to shut down. If parallel
# shutdown is enabled, this timeout applies as a timeout for shutting down all
# guests on a single URI defined in the variable URIS. If this is 0, then there
# is no time out (use with caution, as guests might not respond to a shutdown
# request). The default value is 300 seconds (5 minutes).
#SHUTDOWN_TIMEOUT=300
# If non-zero, try to bypass the file system cache when saving and
# restoring guests, even though this may give slower operation for
# some file systems.
#BYPASS_CACHE=0

6
munin/manifests/init.pp
View file

@ -239,11 +239,11 @@ class munin::server {
mode => "0775",
owner => "munin",
group => $apache::sslserver::group,
seltype => "httpd_munin_content_t",
seltype => "httpd_munin_rw_content_t",
require => Package["munin"],
}
selinux::manage_fcontext { "/var/cache/munin":
type => "munin_var_lib_t",
selinux::manage_fcontext { "/var/cache/munin(/.*)?":
type => "httpd_munin_rw_content_t",
before => File["/var/cache/munin"],
}
mount { "/var/cache/munin":

294
mythtv/files/myth.find_orphans.pl Executable file
View file

@ -0,0 +1,294 @@
#!/usr/bin/perl
# check for recording anomalies -
# based somewhat on greg froese's "myth.rebuilddatabase.pl"
# -- Lincoln Dale <ltd@interlink.com.au>, September 2006
# 2007-03-11: Added pretty print of unknown files vs. orphaned thumbnails.
# (Robert Kulagowski) 2008-02-15: Added dryrun and rerecord options (David
# George)
# The intent of this script is to be able to find orphaned rows in the
# 'recorded' table (entries which don't have matching media files) and
# orphaned media files (potentially taking up gigabytes of otherwise usable
# disk space) which have no matching row in the 'recorded' db table.
#
# By default, running the script will simply return a list of problems it
# finds. Running with --dodbdelete will remove db recorded rows for which
# there is no matching media file. Running with --dodelete will delete
# media files for which there is no matching db record.
#
# This script may be useful to fix up some orphaned db entries (causes
# mythweb to run very slowly) as well as reclaim some disk space from some
# orphaned media files. (in an ideal world, neither of these would ever
# happen, but I've seen both happen in reality). This script makes it easy
# to keep track of whether it has or hasn't happened, even if you have
# thousands of recordings and terabytes of stored media.
#
# no warranties expressed or implied. if you run this and it deletes all
# your recordings and sets mythtv to fill up all your disk space with The
# Home Shopping Network, its entirely your fault.
#
# The dryrun option will allow you to see the db entries/files that will be
# deleted without actually executing them.
# The rerecord option is useful if you lose a hard drive in your storage
# group to tell the scheduler to re-record the lost programs (if they happen
# to be shown again).
my $progname = "myth.find_orphans.pl";
my $revision = "0.21";
use DBI;
use Sys::Hostname;
use Getopt::Long;
#
# options
#
my $opt_host = hostname;
my $opt_dbhost = $opt_host;
my $opt_database = "mythconverg";
my $opt_user = "mythtv";
my $opt_pass = "mythtv";
my $opt_ext = "{nuv,mpg,mpeg,avi}";
my $opt_dir = "";
my $opt_dodelete = 0;
my $opt_dodbdelete = 0;
my $debug = 0;
my $opt_help = 0;
my $opt_dryrun = 0;
my $opt_rerecord = 0;
GetOptions(
'host=s' => \$opt_host,
'dbhost=s' => \$opt_dbhost,
'database=s' => \$opt_database,
'user=s' => \$opt_user,
'pass=s' => \$opt_pass,
'dir=s' => \$opt_dir,
'dodelete' => \$opt_dodelete,
'dodbdelete' => \$opt_dodbdelete,
'dryrun' => \$opt_dryrun,
'rerecord' => \$opt_rerecord,
'debug+' => \$debug,
'help' => \$opt_help,
'h' => \$opt_help,
'v' => \$opt_help);
if ($opt_help) {
print<<EOF
$progname (rev $revision)
(checks MythTV recording directories for orphaned files)
options:
--host=(host) MythTV backend host ($opt_host)
--dbhost=(host) host where MySQL database for backend is ($opt_dbhost)
--database=(dbname) MythTV database ($opt_database)
--user=(user) MySQL MythTV database user ($opt_user)
--pass=(pass) MySQL MythTV database password ($opt_pass)
--dir=directories manually specify recording directories (otherwise setting is from database)
--debug increase debug level
--dodbdelete remove recorded db entries with no matching file (default: don't)
--dodelete delete files with no record (default: don't)
--dryrun display delete actions without doing them
--rerecord set db entries to re-record missing files (requires --dodbdelete)
EOF
;
exit(0);
}
#
# go go go!
#
my $valid_recordings = 0;
my $missing_recordings = 0;
my $errors = 0;
my $unknown_files = 0;
my $known_files = 0;
my $unknown_size = 0;
my $known_size = 0;
my $unknown_thumbnail = 0;
if (!($dbh = DBI->connect("dbi:mysql:database=$opt_database:host=$opt_dbhost","$opt_user","$opt_pass"))) {
die "Cannot connect to database $opt_database on host $opt_dbhost: $!\n";
}
if ($opt_dir eq "") {
&dir_lookup("SELECT dirname FROM storagegroup WHERE hostname=(?) AND groupname != 'DB Backups'");
&dir_lookup("SELECT data FROM settings WHERE value='RecordFilePrefix' AND hostname=(?)");
printf STDERR "Recording directories ($opt_host): $opt_dir\n" if $debug;
}
if ($opt_dir eq "") {
printf "ERROR: no directory found or specified\n";
exit 1;
}
foreach $d (split(/,/,$opt_dir)) {
$d =~ s/\/$//g; # strip trailing /
$dirs{$d}++;
}
#
# look in recorded table, make sure we can find every file ..
#
my $q = "SELECT title, subtitle, description, starttime, endtime, chanid, basename FROM recorded WHERE hostname=(?) ORDER BY starttime";
$sth = $dbh->prepare($q);
$sth->execute($opt_host) || die "Could not execute ($q): $!\n";
while (my @row=$sth->fetchrow_array) {
($title, $subtitle, $description ,$starttime, $endtime, $channel, $basename) = @row;
# see if we can find it...
$loc = find_file($basename);
if ($loc eq "") {
printf "Missing media: %s (title:%s, start:%s)\n",$basename,$title,$starttime;
$missing_recordings++;
if ($opt_dodbdelete) {
$title =~ s/"/\\"/g;
$subtitle =~ s/"/\\"/g;
$description =~ s/"/\\"/g;
my $sql = sprintf "DELETE FROM oldrecorded WHERE title LIKE \"%s\" AND subtitle LIKE \"%s\" AND description LIKE \"%s\" LIMIT 1", $title, $subtitle, $description;
printf "unmarking program as recorded: %s\n",$sql;
$dbh->do($sql) || die "Could not execute $sql: $!\n";
my $sql = sprintf "DELETE FROM recorded WHERE basename LIKE \"%s\" LIMIT 1",$basename;
printf "performing database delete: %s\n",$sql;
if (!$opt_dryrun) {
$dbh->do($sql) || die "Could not execute $sql: $!\n";
}
if ($opt_rerecord) {
my $sql = sprintf "UPDATE oldrecorded SET duplicate = 0 where title = \"%s\" and starttime = \"%s\" and chanid = \"%s\"",
$title, $starttime, $channel;
printf "updating oldrecorded: %s\n", $sql;
if (!$opt_dryrun) {
$dbh->do($sql) || die "Could not execute $sql: $!\n";
}
}
}
} else {
$valid_recordings++;
$seen_basename{$basename}++;
$seen_basename{$basename.".png"}++; # thumbnail
}
}
#
# look in recording directories, see if there are extra files not in database
#
foreach my $this_dir (keys %dirs) {
opendir(DIR, $this_dir) || die "cannot open directory $this_dir: $!\n";
foreach $this_file (readdir(DIR)) {
if (-f "$this_dir/$this_file") {
next if ($this_file eq "nfslockfile.lock");
my $this_filesize = -s "$this_dir/$this_file";
if ($seen_basename{$this_file} == 0) {
$sorted_filesizes{$this_filesize} .= sprintf "unknown file [%s]: %s/%s\n",pretty_filesize($this_filesize),$this_dir,$this_file;
$unknown_size += $this_filesize;
if (substr($this_file,-4) eq ".png") {
$unknown_thumbnail++;
}
else {
$unknown_files++;
}
if ($opt_dodelete) {
printf STDERR "deleting [%s]: %s/%s\n",pretty_filesize($this_filesize),$this_dir,$this_file;
if (!$opt_dryrun) {
unlink "$this_dir/$this_file";
if (-f "$this_dir/$this_file") {
$errors++;
printf "ERROR: could not delete $this_dir/$this_file\n";
}
}
}
} else {
$known_files++;
$known_size += $this_filesize;
printf "KNOWN file [%s]: %s/%s\n",pretty_filesize($this_filesize),$this_dir,$this_file if $debug;
}
} else {
printf "NOT A FILE: %s/%s\n",$this_dir,$this_file if $debug;
}
}
closedir DIR;
}
#
# finished, report results
#
foreach my $key (sort { $a <=> $b } keys %sorted_filesizes) {
printf $sorted_filesizes{$key};
}
printf "Summary:\n";
printf " Host: %s, Directories: %s\n", $opt_host, join(" ",keys %dirs);
printf " %d ERRORS ENCOUNTERED (see above for details)\n",$errors if ($errors > 0);
printf " %d valid recording%s, %d missing recording%s %s\n",
$valid_recordings, ($valid_recordings != 1 ? "s" : ""),
$missing_recordings, ($missing_recordings != 1 ? "s" : ""),
($missing_recordings > 0 ? ($opt_dodbdelete ? "were fixed" : "not fixed, check above is valid and use --dodbdelete to fix") : "");
printf " %d known media files using %s\n %d orphaned thumbnails with no corresponding recording\n %d unknown files using %s %s\n",
$known_files, pretty_filesize($known_size),
$unknown_thumbnail,$unknown_files, pretty_filesize($unknown_size),
($unknown_files > 0 ? ($opt_dodelete ? "were fixed" : "not fixed, check above and use --dodelete to clean up if the above output is accurate") : "");
exit(0);
###########################################################################
# filesize bling
sub pretty_filesize
{
local($fsize) = @_;
return sprintf "%0.1fGB",($fsize / 1000000000) if ($fsize >= 1000000000);
return sprintf "%0.1fMB",($fsize / 1000000) if ($fsize >= 1000000);
return sprintf "%0.1fKB",($fsize / 1000) if ($fsize >= 1000);
return sprintf "%0.0fB",$fsize;
}
###########################################################################
# find a file in directories without globbing
sub find_file
{
local($fname) = @_;
foreach my $d (keys %dirs) {
my $f = $d."/".$fname;
if (-e $f) {
return $f;
}
}
return;
}
###########################################################################
sub dir_lookup
{
my $query = shift;
$sth = $dbh->prepare($query);
$sth->execute($opt_host) || die "Could not execute ($dir_query)";
while (my @row = $sth->fetchrow_array) {
$opt_dir .= "," if ($opt_dir ne "");
$opt_dir .= $row[0];
}
}
###########################################################################

2
mythtv/files/mythorphans
View file

@ -19,7 +19,7 @@ mysql -h "${DBHostName}" -u"${DBUserName}" -p"${DBPassword}" -s \
"${DBName}" | egrep -q "^[1-9][0-9]*\$" || exit 0
# find orphans and print stats if found
perl /usr/share/doc/mythtv-docs-${MYTHVERSION}/contrib/maintenance/myth.find_orphans.pl \
perl /usr/local/bin/myth.find_orphans.pl \
--dbhost="${DBHostName}" \
--database="${DBName}" \
--user="${DBUserName}" \

14
mythtv/manifests/init.pp
View file

@ -118,11 +118,19 @@ class mythtv::backend {
}
file { "/etc/cron.daily/mythorphans":
ensure => present,
source => "puppet:///modules/mythtv/mythorphans",
mode => "0755",
owner => "root",
group => "root",
require => File["/usr/local/bin/myth.find_orphans.pl"],
}
file { "/usr/local/bin/myth.find_orphans.pl":
ensure => present,
source => "puppet:///modules/mythtv/mythorphans",
source => "puppet:///modules/mythtv/myth.find_orphans.pl",
mode => "0755",
owner => root,
group => root,
owner => "root",
group => "root",
}
}

7
mythtv/templates/config.xml.erb
View file

@ -10,4 +10,11 @@
</DefaultBackend>
</MythFrontend>
</UPnP>
<Database>
<Host><%= mythtv_dbhost %></Host>
<UserName><%= mythtv_dbuser %></UserName>
<Password><%= mythtv_dbpass %></Password>
<DatabaseName><%= mythtv_dbname %></DatabaseName>
<Port>3306</Port>
</Database>
</Configuration>

256
nagios/files/commands.cfg Normal file
View file

@ -0,0 +1,256 @@
###############################################################################
# COMMANDS.CFG - SAMPLE COMMAND DEFINITIONS FOR NAGIOS 3.4.1
#
# Last Modified: 05-31-2007
#
# NOTES: This config file provides you with some example command definitions
# that you can reference in host, service, and contact definitions.
#
# You don't need to keep commands in a separate file from your other
# object definitions. This has been done just to make things easier to
# understand.
#
###############################################################################
################################################################################
#
# SAMPLE NOTIFICATION COMMANDS
#
# These are some example notification commands. They may or may not work on
# your system without modification. As an example, some systems will require
# you to use "/usr/bin/mailx" instead of "/usr/bin/mail" in the commands below.
#
################################################################################
# 'notify-host-by-email' command definition
define command{
command_name notify-host-by-email
command_line /usr/bin/printf "%b" "***** Nagios *****\n\nNotification Type: $NOTIFICATIONTYPE$\nHost: $HOSTNAME$\nState: $HOSTSTATE$\nAddress: $HOSTADDRESS$\nInfo: $HOSTOUTPUT$\n\nDate/Time: $LONGDATETIME$\n" | /bin/mail -s "** $NOTIFICATIONTYPE$ Host Alert: $HOSTNAME$ is $HOSTSTATE$ **" $CONTACTEMAIL$
}
# 'notify-service-by-email' command definition
define command{
command_name notify-service-by-email
command_line /usr/bin/printf "%b" "***** Nagios *****\n\nNotification Type: $NOTIFICATIONTYPE$\n\nService: $SERVICEDESC$\nHost: $HOSTALIAS$\nAddress: $HOSTADDRESS$\nState: $SERVICESTATE$\n\nDate/Time: $LONGDATETIME$\n\nAdditional Info:\n\n$SERVICEOUTPUT$\n" | /bin/mail -s "** $NOTIFICATIONTYPE$ Service Alert: $HOSTALIAS$/$SERVICEDESC$ is $SERVICESTATE$ **" $CONTACTEMAIL$
}
################################################################################
#
# SAMPLE HOST CHECK COMMANDS
#
################################################################################
# This command checks to see if a host is "alive" by pinging it
# The check must result in a 100% packet loss or 5 second (5000ms) round trip
# average time to produce a critical error.
# Note: Five ICMP echo packets are sent (determined by the '-p 5' argument)
# 'check-host-alive' command definition
define command{
command_name check-host-alive
command_line $USER1$/check_ping -H $HOSTADDRESS$ -w 3000.0,80% -c 5000.0,100% -p 5
}
################################################################################
#
# SAMPLE SERVICE CHECK COMMANDS
#
# These are some example service check commands. They may or may not work on
# your system, as they must be modified for your plugins. See the HTML
# documentation on the plugins for examples of how to configure command definitions.
#
# NOTE: The following 'check_local_...' functions are designed to monitor
# various metrics on the host that Nagios is running on (i.e. this one).
################################################################################
# 'check_local_disk' command definition
define command{
command_name check_local_disk
command_line $USER1$/check_disk -w $ARG1$ -c $ARG2$ -p $ARG3$
}
# 'check_local_load' command definition
define command{
command_name check_local_load
command_line $USER1$/check_load -w $ARG1$ -c $ARG2$
}
# 'check_local_procs' command definition
define command{
command_name check_local_procs
command_line $USER1$/check_procs -w $ARG1$ -c $ARG2$ -s $ARG3$
}
# 'check_local_users' command definition
define command{
command_name check_local_users
command_line $USER1$/check_users -w $ARG1$ -c $ARG2$
}
# 'check_local_swap' command definition
define command{
command_name check_local_swap
command_line $USER1$/check_swap -w $ARG1$ -c $ARG2$
}
# 'check_local_mrtgtraf' command definition
define command{
command_name check_local_mrtgtraf
command_line $USER1$/check_mrtgtraf -F $ARG1$ -a $ARG2$ -w $ARG3$ -c $ARG4$ -e $ARG5$
}
################################################################################
# NOTE: The following 'check_...' commands are used to monitor services on
# both local and remote hosts.
################################################################################
# 'check_ftp' command definition
define command{
command_name check_ftp
command_line $USER1$/check_ftp -H $HOSTADDRESS$ $ARG1$
}
# 'check_hpjd' command definition
define command{
command_name check_hpjd
command_line $USER1$/check_hpjd -H $HOSTADDRESS$ $ARG1$
}
# 'check_snmp' command definition
define command{
command_name check_snmp
command_line $USER1$/check_snmp -H $HOSTADDRESS$ $ARG1$
}
# 'check_http' command definition
define command{
command_name check_http
command_line $USER1$/check_http -I $HOSTADDRESS$ $ARG1$
}
# 'check_ssh' command definition
define command{
command_name check_ssh
command_line $USER1$/check_ssh $ARG1$ $HOSTADDRESS$
}
# 'check_dhcp' command definition
define command{
command_name check_dhcp
command_line $USER1$/check_dhcp $ARG1$
}
# 'check_ping' command definition
define command{
command_name check_ping
command_line $USER1$/check_ping -H $HOSTADDRESS$ -w $ARG1$ -c $ARG2$ -p 5
}
# 'check_pop' command definition
define command{
command_name check_pop
command_line $USER1$/check_pop -H $HOSTADDRESS$ $ARG1$
}
# 'check_imap' command definition
define command{
command_name check_imap
command_line $USER1$/check_imap -H $HOSTADDRESS$ $ARG1$
}
# 'check_smtp' command definition
define command{
command_name check_smtp
command_line $USER1$/check_smtp -H $HOSTADDRESS$ $ARG1$
}
# 'check_tcp' command definition
define command{
command_name check_tcp
command_line $USER1$/check_tcp -H $HOSTADDRESS$ -p $ARG1$ $ARG2$
}
# 'check_udp' command definition
define command{
command_name check_udp
command_line $USER1$/check_udp -H $HOSTADDRESS$ -p $ARG1$ $ARG2$
}
# 'check_nt' command definition
define command{
command_name check_nt
command_line $USER1$/check_nt -H $HOSTADDRESS$ -p 12489 -v $ARG1$ $ARG2$
}
# 'check_nrpe' command definition
define command{
command_name check_nrpe
command_line $USER1$/check_nrpe -H $HOSTADDRESS$ -c $ARG1$
}
################################################################################
#
# SAMPLE PERFORMANCE DATA COMMANDS
#
# These are sample performance data commands that can be used to send performance
# data output to two text files (one for hosts, another for services). If you
# plan on simply writing performance data out to a file, consider using the
# host_perfdata_file and service_perfdata_file options in the main config file.
#
################################################################################
# 'process-host-perfdata' command definition
define command{
command_name process-host-perfdata
command_line /usr/bin/printf "%b" "$LASTHOSTCHECK$\t$HOSTNAME$\t$HOSTSTATE$\t$HOSTATTEMPT$\t$HOSTSTATETYPE$\t$HOSTEXECUTIONTIME$\t$HOSTOUTPUT$\t$HOSTPERFDATA$\n" >> /var/log/nagios/host-perfdata.out
}
# 'process-service-perfdata' command definition
define command{
command_name process-service-perfdata
command_line /usr/bin/printf "%b" "$LASTSERVICECHECK$\t$HOSTNAME$\t$SERVICEDESC$\t$SERVICESTATE$\t$SERVICEATTEMPT$\t$SERVICESTATETYPE$\t$SERVICEEXECUTIONTIME$\t$SERVICELATENCY$\t$SERVICEOUTPUT$\t$SERVICEPERFDATA$\n" >> /var/log/nagios/service-perfdata.out
}
define command{
command_name notify-host-by-prowl
command_line /usr/bin/curl -s -o /dev/null -F apikey="$CONTACTADDRESS1$" -F application="Nagios" -F event="$NOTIFICATIONTYPE$ Host Alert" -F description="$HOSTNAME$ is $HOSTSTATE$ '$HOSTOUTPUT$'" "https://prowl.weks.net/publicapi/add"
}
define command{
command_name notify-service-by-prowl
command_line /usr/bin/curl -s -o /dev/null -F apikey="$CONTACTADDRESS1$" -F application="Nagios" -F event="$NOTIFICATIONTYPE$ Service Alert" -F description="$HOSTALIAS$/$SERVICEDESC$ is $SERVICESTATE$ '$SERVICEOUTPUT$'" "https://prowl.weks.net/publicapi/add"
}

5
nagios/files/htaccess.Debian Normal file
View file

@ -0,0 +1,5 @@
AuthType Basic
AuthName "Nagios"
AuthUserFile /etc/nagios3/htpasswd.users
require valid-user

5
nagios/files/htaccess.RedHat Normal file
View file

@ -0,0 +1,5 @@
AuthType Basic
AuthName "Nagios"
AuthUserFile /etc/nagios/passwd
require valid-user

1313
nagios/files/nagios.cfg.Debian Normal file
View file

File diff suppressed because it is too large Load diff

1330
nagios/files/nagios.cfg.RedHat Normal file
View file

File diff suppressed because it is too large Load diff

440
nagios/manifests/init.pp Normal file
View file

@ -0,0 +1,440 @@
class nagios::server {
case $operatingsystem {
"centos","redhat","fedora": {
$etcdir = "/etc/nagios"
$confdir = "${etcdir}/conf.d"
$package = "nagios"
$service = "nagios"
$scriptalias = "/nagios/cgi-bin/"
$cgibin = $architecture ? {
"x86_64" => "/usr/lib64/nagios/cgi-bin",
default => "/usr/lib/nagios/cgi-bin",
}
$htdocs = "/usr/share/nagios/html"
}
"ubuntu","debian": {
$etcdir = "/etc/nagios3"
$confdir = "${etcdir}/conf.d"
$package = "nagios3"
$service = "nagios3"
$scriptalias = "/cgi-bin/nagios3/"
$cgibin = "/usr/lib/cgi-bin/nagios3"
$htdocs = "/usr/share/nagios3/htdocs"
}
default: {
fail("nagios::server not supported on ${::operatingsystem}")
}
}
package { "nagios":
name => $package,
ensure => installed,
}
case $operatingsystem {
"centos","redhat","fedora": {
package { [ "nagios-plugins-all",
"nagios-plugins-nrpe", ]:
ensure => installed,
}
}
"ubuntu","debian": {
package { [ "nagios-plugins",
"nagios-nrpe-plugin", ]:
ensure => installed,
}
}
}
service { "nagios":
name => $service,
ensure => running,
enable => true,
}
apache::configfile { "nagios.conf":
content => template("nagios/nagios-httpd.conf.erb"),
}
file { [ "${htdocs}/.htaccess", "${cgibin}/.htaccess" ]:
ensure => present,
mode => "0644",
owner => "root",
group => "root",
source => [ "puppet:///files/nagios/htaccess",
"puppet:///modules/nagios/htaccess.${osfamily}", ],
require => Package["nagios"],
}
file { "/etc/nagios/nagios.cfg":
name => "${etcdir}/nagios.cfg",
ensure => present,
mode => "0644",
owner => "root",
group => "root",
source => "puppet:///modules/nagios/nagios.cfg.${osfamily}",
require => Package["nagios"],
notify => Service["nagios"],
}
file { "/etc/nagios/cgi.cfg":
name => "${etcdir}/cgi.cfg",
ensure => present,
mode => "0644",
owner => "root",
group => "root",
content => template("nagios/cgi.cfg.erb"),
require => Package["nagios"],
notify => Service["nagios"],
}
file { "/etc/nagios/commands.cfg":
name => "${etcdir}/commands.cfg",
ensure => present,
mode => "0644",
owner => "root",
group => "root",
source => "puppet:///modules/nagios/commands.cfg",
require => Package["nagios"],
notify => Service["nagios"],
}
file { "/etc/nagios/conf.d":
name => $confdir,
ensure => directory,
mode => "0640",
owner => "root",
group => "nagios",
purge => true,
force => true,
recurse => true,
source => "puppet:///modules/custom/empty",
require => Package["nagios"],
}
file { "${confdir}/contactgroup_all.cfg":
ensure => present,
mode => "0640",
owner => "root",
group => "nagios",
before => Nagios_Contactgroup["all"],
require => File["/etc/nagios/conf.d"],
}
nagios_contactgroup { "all":
target => "${confdir}/contactgroup_all.cfg",
members => "*",
notify => Service["nagios"],
}
file { "${confdir}/host_default.cfg":
ensure => present,
mode => "0640",
owner => "root",
group => "nagios",
before => Nagios_Host["default"],
require => File["/etc/nagios/conf.d"],
}
nagios_host { "default":
target => "${confdir}/host_default.cfg",
register => "0",
notifications_enabled => "1",
event_handler_enabled => "1",
flap_detection_enabled => "1",
failure_prediction_enabled => "1",
process_perf_data => "1",
retain_status_information => "1",
retain_nonstatus_information => "1",
check_command => "check-host-alive",
max_check_attempts => "5",
notification_interval => "0",
notification_period => "24x7",
notification_options => "d,u,r",
contact_groups => "all",
notify => Service["nagios"],
}
file { "${confdir}/service_default.cfg":
ensure => present,
mode => "0640",
owner => "root",
group => "nagios",
before => Nagios_Service["default"],
require => File["/etc/nagios/conf.d"],
}
nagios_service { "default":
target => "${confdir}/service_default.cfg",
register => "0",
active_checks_enabled => "1",
passive_checks_enabled => "1",
parallelize_check => "1",
obsess_over_service => "1",
check_freshness => "0",
notifications_enabled => "1",
event_handler_enabled => "1",
flap_detection_enabled => "1",
failure_prediction_enabled => "1",
process_perf_data => "1",
retain_status_information => "1",
retain_nonstatus_information => "1",
notification_interval => "0",
is_volatile => "0",
check_period => "24x7",
normal_check_interval => "5",
retry_check_interval => "1",
max_check_attempts => "2",
notification_period => "24x7",
notification_options => "w,u,c,r",
contact_groups => "all",
notify => Service["nagios"],
}
file { "${confdir}/timeperiod_24x7.cfg":
ensure => present,
mode => "0640",
owner => "root",
group => "nagios",
before => Nagios_Timeperiod["24x7"],
require => File["/etc/nagios/conf.d"],
}
nagios_timeperiod { "24x7":
target => "${confdir}/timeperiod_24x7.cfg",
alias => "24x7",
monday => "00:00-24:00",
tuesday => "00:00-24:00",
wednesday => "00:00-24:00",
thursday => "00:00-24:00",
friday => "00:00-24:00",
saturday => "00:00-24:00",
sunday => "00:00-24:00",
notify => Service["nagios"],
}
Nagios::Host <<||>> {
confdir => $confdir,
notify => Service["nagios"],
}
Nagios::Service <<||>> {
confdir => $confdir,
notify => Service["nagios"],
}
}
define nagios::contact::email($confdir=$nagios::server::confdir) {
file { "${confdir}/contact_${name}.cfg":
ensure => present,
mode => "0640",
owner => "root",
group => "nagios",
before => Nagios_Contact[$name],
require => File["/etc/nagios/conf.d"],
}
nagios_contact { $name:
target => "${confdir}/contact_${name}.cfg",
host_notification_commands => "notify-host-by-email",
host_notification_options => "d,r",
host_notification_period => "24x7",
service_notification_commands => "notify-service-by-email",
service_notification_options => "w,u,c,r",
service_notification_period => "24x7",
email => $name,
notify => Service["nagios"],
}
}
define nagios::contact::prowl($confdir=$nagios::server::confdir) {
file { "${confdir}/contact_${name}.cfg":
ensure => present,
mode => "0640",
owner => "root",
group => "nagios",
before => Nagios_Contact[$name],
require => File["/etc/nagios/conf.d"],
}
nagios_contact { $name:
target => "${confdir}/contact_${name}.cfg",
host_notification_commands => "notify-host-by-prowl",
host_notification_options => "d,r",
host_notification_period => "24x7",
service_notification_commands => "notify-service-by-prowl",
service_notification_options => "w,u,c,r",
service_notification_period => "24x7",
address1 => $name,
notify => Service["nagios"],
}
}
define nagios::host($confdir, $operatingsystem) {
file { "${confdir}/host_${name}.cfg":
ensure => present,
mode => "0640",
owner => "root",
group => "nagios",
before => Nagios_Host[$name],
require => File["/etc/nagios/conf.d"],
}
nagios_host { $name:
ensure => present,
use => "default",
target => "${confdir}/host_${name}.cfg"
}
# file { "${confdir}/hostextinfo_${name}.cfg":
# ensure => present,
# mode => "0640",
# owner => "root",
# group => "nagios",
# before => Nagios_Hostextinfo[$name],
# require => File["/etc/nagios/conf.d"],
# }
# nagios_hostextinfo { $name:
# ensure => present,
# icon_image_alt => $operatingsystem,
# icon_image => "base/${operatingsystem}.png",
# statusmap_image => "base/${operatingsystem}.gd2",
# target => "${confdir}/hostextinfo_${name}.cfg"
# }
}
define nagios::service($confdir, $host, $command, $description) {
file { "${confdir}/service_${name}.cfg":
ensure => present,
mode => "0640",
owner => "root",
group => "nagios",
before => Nagios_Service[$name],
require => File["/etc/nagios/conf.d"],
}
nagios_service { $name:
host_name => $host,
check_command => $command,
service_description => $description,
use => "default",
target => "${confdir}/service_${name}.cfg"
}
}
class nagios::target {
@@nagios::host { $fqdn:
operatingsystem => inline_template("<%= operatingsystem.downcase %>")
}
}
class nagios::target::nrpe {
if !$nagios_allow {
$nagios_allow = "127.0.0.1"
}
include nagios::target
case $operatingsystem {
"centos","redhat","fedora": {
package { [ "nrpe",
"nagios-plugins-disk",
"nagios-plugins-load",
"nagios-plugins-procs",
"nagios-plugins-users", ]:
ensure => installed,
before => [ Augeas["nrpe-allow"], Service["nrpe"] ],
}
$service = "nrpe"
}
"ubuntu","debian": {
package { [ "nagios-nrpe-server",
"nagios-plugins-basic", ]:
ensure => installed,
before => [ Augeas["nrpe-allow"], Service["nrpe"] ],
}
$service = "nagios-nrpe-server"
}
}
service { "nrpe":
name => $service,
ensure => running,
enable => true,
}
augeas { "nrpe-allow":
context => "/files/etc/nagios/nrpe.cfg",
changes => "set allowed_hosts '${nagios_allow}'",
notify => Service["nrpe"],
}
@@nagios::service { "${fqdn}_load":
host => $fqdn,
command => "check_nrpe!check_load",
description => "Load",
}
}
class nagios::target::ssh {
include nagios::target
@@nagios::service { "${fqdn}_ssh":
host => $fqdn,
command => "check_ssh",
description => "SSH",
}
}
class nagios::target::http {
include nagios::target
@@nagios::service { "${fqdn}_http":
host => $fqdn,
command => "check_http",
description => "HTTP",
}
}
class nagios::target::https {
include nagios::target
@@nagios::service { "${fqdn}_https":
host => $fqdn,
command => "check_http!--ssl",
description => "HTTPS",
}
}
class nagios::target::smtp {
include nagios::target
@@nagios::service { "${fqdn}_smtp":
host => $fqdn,
command => "check_smtp",
description => "SMTP",
}
}

387
nagios/templates/cgi.cfg.erb Normal file
View file

@ -0,0 +1,387 @@
#################################################################
#
# CGI.CFG - Sample CGI Configuration File for Nagios 3.4.1
#
# Last Modified: 06-17-2009
#
#################################################################
# MAIN CONFIGURATION FILE
# This tells the CGIs where to find your main configuration file.
# The CGIs will read the main and host config files for any other
# data they might need.
main_config_file=<%= etcdir %>/nagios.cfg
# PHYSICAL HTML PATH
# This is the path where the HTML files for Nagios reside. This
# value is used to locate the logo images needed by the statusmap
# and statuswrl CGIs.
physical_html_path=<%= htdocs %>
# URL HTML PATH
# This is the path portion of the URL that corresponds to the
# physical location of the Nagios HTML files (as defined above).
# This value is used by the CGIs to locate the online documentation
# and graphics. If you access the Nagios pages with an URL like
# http://www.myhost.com/nagios, this value should be '/nagios'
# (without the quotes).
url_html_path=/nagios
# CONTEXT-SENSITIVE HELP
# This option determines whether or not a context-sensitive
# help icon will be displayed for most of the CGIs.
# Values: 0 = disables context-sensitive help
# 1 = enables context-sensitive help
show_context_help=0
# PENDING STATES OPTION
# This option determines what states should be displayed in the web
# interface for hosts/services that have not yet been checked.
# Values: 0 = leave hosts/services that have not been check yet in their original state
# 1 = mark hosts/services that have not been checked yet as PENDING
use_pending_states=1
# NAGIOS PROCESS CHECK COMMAND
# This is the full path and filename of the program used to check
# the status of the Nagios process. It is used only by the CGIs
# and is completely optional. However, if you don't use it, you'll
# see warning messages in the CGIs about the Nagios process
# not running and you won't be able to execute any commands from
# the web interface. The program should follow the same rules
# as plugins; the return codes are the same as for the plugins,
# it should have timeout protection, it should output something
# to STDIO, etc.
#
# Note: The command line for the check_nagios plugin below may
# have to be tweaked a bit, as different versions of the plugin
# use different command line arguments/syntaxes.
<% if osfamily == 'Debian' -%>
nagios_check_command=/usr/lib/nagios/plugins/check_nagios /var/cache/nagios3/status.dat 5 '/usr/sbin/nagios3'
<% else -%>
<% if architecture == 'x86_64' %>
nagios_check_command=/usr/lib64/nagios/plugins/check_nagios /var/log/nagios/status.dat 5 '/usr/sbin/nagios'
<% else -%>
nagios_check_command=/usr/lib/nagios/plugins/check_nagios /var/log/nagios/status.dat 5 '/usr/sbin/nagios'
<% end -%>
<% end -%>
# AUTHENTICATION USAGE
# This option controls whether or not the CGIs will use any
# authentication when displaying host and service information, as
# well as committing commands to Nagios for processing.
#
# Read the HTML documentation to learn how the authorization works!
#
# NOTE: It is a really *bad* idea to disable authorization, unless
# you plan on removing the command CGI (cmd.cgi)! Failure to do
# so will leave you wide open to kiddies messing with Nagios and
# possibly hitting you with a denial of service attack by filling up
# your drive by continuously writing to your command file!
#
# Setting this value to 0 will cause the CGIs to *not* use
# authentication (bad idea), while any other value will make them
# use the authentication functions (the default).
use_authentication=1
# x509 CERT AUTHENTICATION
# When enabled, this option allows you to use x509 cert (SSL)
# authentication in the CGIs. This is an advanced option and should
# not be enabled unless you know what you're doing.
use_ssl_authentication=0
# DEFAULT USER
# Setting this variable will define a default user name that can
# access pages without authentication. This allows people within a
# secure domain (i.e., behind a firewall) to see the current status
# without authenticating. You may want to use this to avoid basic
# authentication if you are not using a secure server since basic
# authentication transmits passwords in the clear.
#
# Important: Do not define a default username unless you are
# running a secure web server and are sure that everyone who has
# access to the CGIs has been authenticated in some manner! If you
# define this variable, anyone who has not authenticated to the web
# server will inherit all rights you assign to this user!
#default_user_name=guest
# SYSTEM/PROCESS INFORMATION ACCESS
# This option is a comma-delimited list of all usernames that
# have access to viewing the Nagios process information as
# provided by the Extended Information CGI (extinfo.cgi). By
# default, *no one* has access to this unless you choose to
# not use authorization. You may use an asterisk (*) to
# authorize any user who has authenticated to the web server.
authorized_for_system_information=*
# CONFIGURATION INFORMATION ACCESS
# This option is a comma-delimited list of all usernames that
# can view ALL configuration information (hosts, commands, etc).
# By default, users can only view configuration information
# for the hosts and services they are contacts for. You may use
# an asterisk (*) to authorize any user who has authenticated
# to the web server.
authorized_for_configuration_information=*
# SYSTEM/PROCESS COMMAND ACCESS
# This option is a comma-delimited list of all usernames that
# can issue shutdown and restart commands to Nagios via the
# command CGI (cmd.cgi). Users in this list can also change
# the program mode to active or standby. By default, *no one*
# has access to this unless you choose to not use authorization.
# You may use an asterisk (*) to authorize any user who has
# authenticated to the web server.
authorized_for_system_commands=
# GLOBAL HOST/SERVICE VIEW ACCESS
# These two options are comma-delimited lists of all usernames that
# can view information for all hosts and services that are being
# monitored. By default, users can only view information
# for hosts or services that they are contacts for (unless you
# you choose to not use authorization). You may use an asterisk (*)
# to authorize any user who has authenticated to the web server.
authorized_for_all_services=*
authorized_for_all_hosts=*
# GLOBAL HOST/SERVICE COMMAND ACCESS
# These two options are comma-delimited lists of all usernames that
# can issue host or service related commands via the command
# CGI (cmd.cgi) for all hosts and services that are being monitored.
# By default, users can only issue commands for hosts or services
# that they are contacts for (unless you you choose to not use
# authorization). You may use an asterisk (*) to authorize any
# user who has authenticated to the web server.
authorized_for_all_service_commands=
authorized_for_all_host_commands=
# READ-ONLY USERS
# A comma-delimited list of usernames that have read-only rights in
# the CGIs. This will block any service or host commands normally shown
# on the extinfo CGI pages. It will also block comments from being shown
# to read-only users.
#authorized_for_read_only=user1,user2
# STATUSMAP BACKGROUND IMAGE
# This option allows you to specify an image to be used as a
# background in the statusmap CGI. It is assumed that the image
# resides in the HTML images path (i.e. /usr/local/nagios/share/images).
# This path is automatically determined by appending "/images"
# to the path specified by the 'physical_html_path' directive.
# Note: The image file may be in GIF, PNG, JPEG, or GD2 format.
# However, I recommend that you convert your image to GD2 format
# (uncompressed), as this will cause less CPU load when the CGI
# generates the image.
#statusmap_background_image=smbackground.gd2
# STATUSMAP TRANSPARENCY INDEX COLOR
# These options set the r,g,b values of the background color used the statusmap CGI,
# so normal browsers that can't show real png transparency set the desired color as
# a background color instead (to make it look pretty).
# Defaults to white: (R,G,B) = (255,255,255).
#color_transparency_index_r=255
#color_transparency_index_g=255
#color_transparency_index_b=255
# DEFAULT STATUSMAP LAYOUT METHOD
# This option allows you to specify the default layout method
# the statusmap CGI should use for drawing hosts. If you do
# not use this option, the default is to use user-defined
# coordinates. Valid options are as follows:
# 0 = User-defined coordinates
# 1 = Depth layers
# 2 = Collapsed tree
# 3 = Balanced tree
# 4 = Circular
# 5 = Circular (Marked Up)
default_statusmap_layout=5
# DEFAULT STATUSWRL LAYOUT METHOD
# This option allows you to specify the default layout method
# the statuswrl (VRML) CGI should use for drawing hosts. If you
# do not use this option, the default is to use user-defined
# coordinates. Valid options are as follows:
# 0 = User-defined coordinates
# 2 = Collapsed tree
# 3 = Balanced tree
# 4 = Circular
default_statuswrl_layout=4
# STATUSWRL INCLUDE
# This option allows you to include your own objects in the
# generated VRML world. It is assumed that the file
# resides in the HTML path (i.e. /usr/local/nagios/share).
#statuswrl_include=myworld.wrl
# PING SYNTAX
# This option determines what syntax should be used when
# attempting to ping a host from the WAP interface (using
# the statuswml CGI. You must include the full path to
# the ping binary, along with all required options. The
# $HOSTADDRESS$ macro is substituted with the address of
# the host before the command is executed.
# Please note that the syntax for the ping binary is
# notorious for being different on virtually ever *NIX
# OS and distribution, so you may have to tweak this to
# work on your system.
ping_syntax=/bin/ping -n -U -c 5 $HOSTADDRESS$
# REFRESH RATE
# This option allows you to specify the refresh rate in seconds
# of various CGIs (status, statusmap, extinfo, and outages).
refresh_rate=90
# DEFAULT PAGE LIMIT
# This option allows you to specify the default number of results
# displayed on the status.cgi. This number can be adjusted from
# within the UI after the initial page load. Setting this to 0
# will show all results.
result_limit=100
# ESCAPE HTML TAGS
# This option determines whether HTML tags in host and service
# status output is escaped in the web interface. If enabled,
# your plugin output will not be able to contain clickable links.
escape_html_tags=1
# SOUND OPTIONS
# These options allow you to specify an optional audio file
# that should be played in your browser window when there are
# problems on the network. The audio files are used only in
# the status CGI. Only the sound for the most critical problem
# will be played. Order of importance (higher to lower) is as
# follows: unreachable hosts, down hosts, critical services,
# warning services, and unknown services. If there are no
# visible problems, the sound file optionally specified by
# 'normal_sound' variable will be played.
#
#
# <varname>=<sound_file>
#
# Note: All audio files must be placed in the /media subdirectory
# under the HTML path (i.e. /usr/local/nagios/share/media/).
#host_unreachable_sound=hostdown.wav
#host_down_sound=hostdown.wav
#service_critical_sound=critical.wav
#service_warning_sound=warning.wav
#service_unknown_sound=warning.wav
#normal_sound=noproblem.wav
# URL TARGET FRAMES
# These options determine the target frames in which notes and
# action URLs will open.
action_url_target=_blank
notes_url_target=_blank
# LOCK AUTHOR NAMES OPTION
# This option determines whether users can change the author name
# when submitting comments, scheduling downtime. If disabled, the
# author names will be locked into their contact name, as defined in Nagios.
# Values: 0 = allow editing author names
# 1 = lock author names (disallow editing)
lock_author_names=1
# SPLUNK INTEGRATION OPTIONS
# These options allow you to enable integration with Splunk
# in the web interface. If enabled, you'll be presented with
# "Splunk It" links in various places in the CGIs (log file,
# alert history, host/service detail, etc). Useful if you're
# trying to research why a particular problem occurred.
# For more information on Splunk, visit http://www.splunk.com/
# This option determines whether the Splunk integration is enabled
# Values: 0 = disable Splunk integration
# 1 = enable Splunk integration
#enable_splunk_integration=1
# This option should be the URL used to access your instance of Splunk
#splunk_url=http://127.0.0.1:8000/

12
nagios/templates/nagios-httpd.conf.erb Normal file
View file

@ -0,0 +1,12 @@
ScriptAlias <%= scriptalias %> <%= cgibin %>/
Alias /nagios <%= htdocs %>
<Directory "<%= cgibin %>">
Options ExecCGI
AllowOverride AuthConfig
</Directory>
<Directory "<%= htdocs %>">
Options FollowSymLinks
AllowOverride AuthConfig
</Directory>

19
postfix/files/aliases Normal file
View file

@ -0,0 +1,19 @@
#
# Aliases in this file will NOT be expanded in the header from
# Mail, but WILL be visible over networks or from /bin/mail.
#
# >>>>>>>>>> The program "newaliases" must be run after
# >> NOTE >> this file is updated for any changes to
# >>>>>>>>>> show through to sendmail.
#
# Basic system aliases -- these MUST be present.
mailer-daemon: postmaster
postmaster: root
# General redirections for important pseudo accounts
daemon: root
# RFC 2142: NETWORK OPERATIONS MAILBOX NAMES
abuse: root
security: root

0
postfix/files/empty Normal file
View file

105
postfix/manifests/init.pp Normal file
View file

@ -0,0 +1,105 @@
# Install Postfix packages.
#
class postfix {
include ssl
if !$postfix_key {
$postfix_key = "${puppet_ssldir}/private_keys/${homename}.pem"
}
if !$postfix_cert {
$postfix_cert = "${puppet_ssldir}/certs/${homename}.pem"
}
if !$mail_domain {
if $domain {
$mail_domain = $domain
} else {
fail("Failed to set \$mail_domain, missing \$domain")
}
}
if !$postfix_hostname {
if $fqdn {
$postfix_hostname = $fqdn
} else {
fail("Failed to set \$postfix_hostname, missing \$fqdn")
}
}
if !$postfix_interfaces {
$postfix_interfaces = "localhost"
}
package { "postfix":
ensure => installed,
}
service { "postfix":
ensure => running,
enable => true,
require => Package["postfix"],
}
file { "${ssl::certs}/postfix.crt":
ensure => present,
source => $postfix_cert,
mode => "0644",
owner => "root",
group => "root",
notify => Service["postfix"],
}
file { "${ssl::private}/postfix.key":
ensure => present,
source => $postfix_key,
mode => "0600",
owner => "root",
group => "root",
notify => Service["postfix"],
}
file { "/etc/postfix/main.cf":
ensure => present,
mode => "0644",
owner => "root",
group => "root",
content => template("postfix/main.cf.erb"),
notify => Service["postfix"],
require => Package["postfix"],
}
file { "/etc/aliases":
ensure => present,
source => [
"puppet:///files/mail/aliases.${homename}",
"puppet:///files/mail/aliases",
"puppet:///modules/postfix/aliases",
],
mode => "0644",
owner => "root",
group => "root",
notify => Exec["newaliases"],
}
exec { "newaliases":
path => "/bin:/usr/bin:/sbin:/usr/sbin",
refreshonly => true,
}
file { "/etc/postfix/virtual":
ensure => present,
source => [
"puppet:///files/mail/virtual.${homename}",
"puppet:///files/mail/virtual",
"puppet:///modules/postfix/empty",
],
mode => "0644",
owner => "root",
group => "root",
notify => Exec["postmap /etc/postfix/virtual"],
}
exec { "postmap /etc/postfix/virtual":
path => "/bin:/usr/bin:/sbin:/usr/sbin",
refreshonly => true,
}
}

727
postfix/templates/main.cf.erb Normal file
View file

@ -0,0 +1,727 @@
# Global Postfix configuration file. This file lists only a subset
# of all parameters. For the syntax, and for a complete parameter
# list, see the postconf(5) manual page (command: "man 5 postconf").
#
# For common configuration examples, see BASIC_CONFIGURATION_README
# and STANDARD_CONFIGURATION_README. To find these documents, use
# the command "postconf html_directory readme_directory", or go to
# http://www.postfix.org/.
#
# For best results, change no more than 2-3 parameters at a time,
# and test if Postfix still works after every change.
# SOFT BOUNCE
#
# The soft_bounce parameter provides a limited safety net for
# testing. When soft_bounce is enabled, mail will remain queued that
# would otherwise bounce. This parameter disables locally-generated
# bounces, and prevents the SMTP server from rejecting mail permanently
# (by changing 5xx replies into 4xx replies). However, soft_bounce
# is no cure for address rewriting mistakes or mail routing mistakes.
#
#soft_bounce = no
# LOCAL PATHNAME INFORMATION
#
# The queue_directory specifies the location of the Postfix queue.
# This is also the root directory of Postfix daemons that run chrooted.
# See the files in examples/chroot-setup for setting up Postfix chroot
# environments on different UNIX systems.
#
queue_directory = /var/spool/postfix
# The command_directory parameter specifies the location of all
# postXXX commands.
#
command_directory = /usr/sbin
# The daemon_directory parameter specifies the location of all Postfix
# daemon programs (i.e. programs listed in the master.cf file). This
# directory must be owned by root.
#
<% if ['Debian','Ubuntu'].index(operatingsystem) -%>
daemon_directory = /usr/lib/postfix
<% else -%>
daemon_directory = /usr/libexec/postfix
<% end -%>
# The data_directory parameter specifies the location of Postfix-writable
# data files (caches, random numbers). This directory must be owned
# by the mail_owner account (see below).
#
data_directory = /var/lib/postfix
# QUEUE AND PROCESS OWNERSHIP
#
# The mail_owner parameter specifies the owner of the Postfix queue
# and of most Postfix daemon processes. Specify the name of a user
# account THAT DOES NOT SHARE ITS USER OR GROUP ID WITH OTHER ACCOUNTS
# AND THAT OWNS NO OTHER FILES OR PROCESSES ON THE SYSTEM. In
# particular, don't specify nobody or daemon. PLEASE USE A DEDICATED
# USER.
#
mail_owner = postfix
# The default_privs parameter specifies the default rights used by
# the local delivery agent for delivery to external file or command.
# These rights are used in the absence of a recipient user context.
# DO NOT SPECIFY A PRIVILEGED USER OR THE POSTFIX OWNER.
#
#default_privs = nobody
# INTERNET HOST AND DOMAIN NAMES
#
# The myhostname parameter specifies the internet hostname of this
# mail system. The default is to use the fully-qualified domain name
# from gethostname(). $myhostname is used as a default value for many
# other configuration parameters.
#
#myhostname = host.domain.tld
#myhostname = virtual.domain.tld
myhostname = <%= postfix_hostname %>
# The mydomain parameter specifies the local internet domain name.
# The default is to use $myhostname minus the first component.
# $mydomain is used as a default value for many other configuration
# parameters.
#
#mydomain = domain.tld
mydomain = <%= mail_domain %>
# SENDING MAIL
#
# The myorigin parameter specifies the domain that locally-posted
# mail appears to come from. The default is to append $myhostname,
# which is fine for small sites. If you run a domain with multiple
# machines, you should (1) change this to $mydomain and (2) set up
# a domain-wide alias database that aliases each user to
# user@that.users.mailhost.
#
# For the sake of consistency between sender and recipient addresses,
# myorigin also specifies the default domain name that is appended
# to recipient addresses that have no @domain part.
#
#myorigin = $myhostname
myorigin = $mydomain
# RECEIVING MAIL
# The inet_interfaces parameter specifies the network interface
# addresses that this mail system receives mail on. By default,
# the software claims all active interfaces on the machine. The
# parameter also controls delivery of mail to user@[ip.address].
#
# See also the proxy_interfaces parameter, for network addresses that
# are forwarded to us via a proxy or network address translator.
#
# Note: you need to stop/start Postfix when this parameter changes.
#
#inet_interfaces = all
#inet_interfaces = $myhostname
#inet_interfaces = $myhostname, localhost
inet_interfaces = <%= postfix_interfaces %>
# Enable IPv4, and IPv6 if supported
inet_protocols = all
# The proxy_interfaces parameter specifies the network interface
# addresses that this mail system receives mail on by way of a
# proxy or network address translation unit. This setting extends
# the address list specified with the inet_interfaces parameter.
#
# You must specify your proxy/NAT addresses when your system is a
# backup MX host for other domains, otherwise mail delivery loops
# will happen when the primary MX host is down.
#
#proxy_interfaces =
#proxy_interfaces = 1.2.3.4
# The mydestination parameter specifies the list of domains that this
# machine considers itself the final destination for.
#
# These domains are routed to the delivery agent specified with the
# local_transport parameter setting. By default, that is the UNIX
# compatible delivery agent that lookups all recipients in /etc/passwd
# and /etc/aliases or their equivalent.
#
# The default is $myhostname + localhost.$mydomain. On a mail domain
# gateway, you should also include $mydomain.
#
# Do not specify the names of virtual domains - those domains are
# specified elsewhere (see VIRTUAL_README).
#
# Do not specify the names of domains that this machine is backup MX
# host for. Specify those names via the relay_domains settings for
# the SMTP server, or use permit_mx_backup if you are lazy (see
# STANDARD_CONFIGURATION_README).
#
# The local machine is always the final destination for mail addressed
# to user@[the.net.work.address] of an interface that the mail system
# receives mail on (see the inet_interfaces parameter).
#
# Specify a list of host or domain names, /file/name or type:table
# patterns, separated by commas and/or whitespace. A /file/name
# pattern is replaced by its contents; a type:table is matched when
# a name matches a lookup key (the right-hand side is ignored).
# Continue long lines by starting the next line with whitespace.
#
# See also below, section "REJECTING MAIL FOR UNKNOWN LOCAL USERS".
#
mydestination = $myhostname, localhost.$mydomain, localhost
#mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
#mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain,
# mail.$mydomain, www.$mydomain, ftp.$mydomain
# REJECTING MAIL FOR UNKNOWN LOCAL USERS
#
# The local_recipient_maps parameter specifies optional lookup tables
# with all names or addresses of users that are local with respect
# to $mydestination, $inet_interfaces or $proxy_interfaces.
#
# If this parameter is defined, then the SMTP server will reject
# mail for unknown local users. This parameter is defined by default.
#
# To turn off local recipient checking in the SMTP server, specify
# local_recipient_maps = (i.e. empty).
#
# The default setting assumes that you use the default Postfix local
# delivery agent for local delivery. You need to update the
# local_recipient_maps setting if:
#
# - You define $mydestination domain recipients in files other than
# /etc/passwd, /etc/aliases, or the $virtual_alias_maps files.
# For example, you define $mydestination domain recipients in
# the $virtual_mailbox_maps files.
#
# - You redefine the local delivery agent in master.cf.
#
# - You redefine the "local_transport" setting in main.cf.
#
# - You use the "luser_relay", "mailbox_transport", or "fallback_transport"
# feature of the Postfix local delivery agent (see local(8)).
#
# Details are described in the LOCAL_RECIPIENT_README file.
#
# Beware: if the Postfix SMTP server runs chrooted, you probably have
# to access the passwd file via the proxymap service, in order to
# overcome chroot restrictions. The alternative, having a copy of
# the system passwd file in the chroot jail is just not practical.
#
# The right-hand side of the lookup tables is conveniently ignored.
# In the left-hand side, specify a bare username, an @domain.tld
# wild-card, or specify a user@domain.tld address.
#
#local_recipient_maps = unix:passwd.byname $alias_maps
#local_recipient_maps = proxy:unix:passwd.byname $alias_maps
#local_recipient_maps =
# The unknown_local_recipient_reject_code specifies the SMTP server
# response code when a recipient domain matches $mydestination or
# ${proxy,inet}_interfaces, while $local_recipient_maps is non-empty
# and the recipient address or address local-part is not found.
#
# The default setting is 550 (reject mail) but it is safer to start
# with 450 (try again later) until you are certain that your
# local_recipient_maps settings are OK.
#
unknown_local_recipient_reject_code = 550
# TRUST AND RELAY CONTROL
# The mynetworks parameter specifies the list of "trusted" SMTP
# clients that have more privileges than "strangers".
#
# In particular, "trusted" SMTP clients are allowed to relay mail
# through Postfix. See the smtpd_recipient_restrictions parameter
# in postconf(5).
#
# You can specify the list of "trusted" network addresses by hand
# or you can let Postfix do it for you (which is the default).
#
# By default (mynetworks_style = subnet), Postfix "trusts" SMTP
# clients in the same IP subnetworks as the local machine.
# On Linux, this does works correctly only with interfaces specified
# with the "ifconfig" command.
#
# Specify "mynetworks_style = class" when Postfix should "trust" SMTP
# clients in the same IP class A/B/C networks as the local machine.
# Don't do this with a dialup site - it would cause Postfix to "trust"
# your entire provider's network. Instead, specify an explicit
# mynetworks list by hand, as described below.
#
# Specify "mynetworks_style = host" when Postfix should "trust"
# only the local machine.
#
#mynetworks_style = class
mynetworks_style = subnet
#mynetworks_style = host
# Alternatively, you can specify the mynetworks list by hand, in
# which case Postfix ignores the mynetworks_style setting.
#
# Specify an explicit list of network/netmask patterns, where the
# mask specifies the number of bits in the network part of a host
# address.
#
# You can also specify the absolute pathname of a pattern file instead
# of listing the patterns here. Specify type:table for table-based lookups
# (the value on the table right-hand side is not used).
#
#mynetworks = 168.100.189.0/28, 127.0.0.0/8
#mynetworks = $config_directory/mynetworks
#mynetworks = hash:/etc/postfix/network_table
# The relay_domains parameter restricts what destinations this system will
# relay mail to. See the smtpd_recipient_restrictions description in
# postconf(5) for detailed information.
#
# By default, Postfix relays mail
# - from "trusted" clients (IP address matches $mynetworks) to any destination,
# - from "untrusted" clients to destinations that match $relay_domains or
# subdomains thereof, except addresses with sender-specified routing.
# The default relay_domains value is $mydestination.
#
# In addition to the above, the Postfix SMTP server by default accepts mail
# that Postfix is final destination for:
# - destinations that match $inet_interfaces or $proxy_interfaces,
# - destinations that match $mydestination
# - destinations that match $virtual_alias_domains,
# - destinations that match $virtual_mailbox_domains.
# These destinations do not need to be listed in $relay_domains.
#
# Specify a list of hosts or domains, /file/name patterns or type:name
# lookup tables, separated by commas and/or whitespace. Continue
# long lines by starting the next line with whitespace. A file name
# is replaced by its contents; a type:name table is matched when a
# (parent) domain appears as lookup key.
#
# NOTE: Postfix will not automatically forward mail for domains that
# list this system as their primary or backup MX host. See the
# permit_mx_backup restriction description in postconf(5).
#
relay_domains = $mydestination
# INTERNET OR INTRANET
# The relayhost parameter specifies the default host to send mail to
# when no entry is matched in the optional transport(5) table. When
# no relayhost is given, mail is routed directly to the destination.
#
# On an intranet, specify the organizational domain name. If your
# internal DNS uses no MX records, specify the name of the intranet
# gateway host instead.
#
# In the case of SMTP, specify a domain, host, host:port, [host]:port,
# [address] or [address]:port; the form [host] turns off MX lookups.
#
# If you're connected via UUCP, see also the default_transport parameter.
#
#relayhost = $mydomain
#relayhost = [gateway.my.domain]
#relayhost = [mailserver.isp.tld]
#relayhost = uucphost
#relayhost = [an.ip.add.ress]
<% if postfix_interfaces == "localhost" and has_variable?("mail_server") -%>
relayhost = [<%= mail_server %>]
<% end -%>
# REJECTING UNKNOWN RELAY USERS
#
# The relay_recipient_maps parameter specifies optional lookup tables
# with all addresses in the domains that match $relay_domains.
#
# If this parameter is defined, then the SMTP server will reject
# mail for unknown relay users. This feature is off by default.
#
# The right-hand side of the lookup tables is conveniently ignored.
# In the left-hand side, specify an @domain.tld wild-card, or specify
# a user@domain.tld address.
#
#relay_recipient_maps = hash:/etc/postfix/relay_recipients
# INPUT RATE CONTROL
#
# The in_flow_delay configuration parameter implements mail input
# flow control. This feature is turned on by default, although it
# still needs further development (it's disabled on SCO UNIX due
# to an SCO bug).
#
# A Postfix process will pause for $in_flow_delay seconds before
# accepting a new message, when the message arrival rate exceeds the
# message delivery rate. With the default 100 SMTP server process
# limit, this limits the mail inflow to 100 messages a second more
# than the number of messages delivered per second.
#
# Specify 0 to disable the feature. Valid delays are 0..10.
#
in_flow_delay = 1s
# ADDRESS REWRITING
#
# The ADDRESS_REWRITING_README document gives information about
# address masquerading or other forms of address rewriting including
# username->Firstname.Lastname mapping.
# ADDRESS REDIRECTION (VIRTUAL DOMAIN)
#
# The VIRTUAL_README document gives information about the many forms
# of domain hosting that Postfix supports.
#
virtual_alias_maps = hash:/etc/postfix/virtual
# "USER HAS MOVED" BOUNCE MESSAGES
#
# See the discussion in the ADDRESS_REWRITING_README document.
# TRANSPORT MAP
#
# See the discussion in the ADDRESS_REWRITING_README document.
# ALIAS DATABASE
#
# The alias_maps parameter specifies the list of alias databases used
# by the local delivery agent. The default list is system dependent.
#
# On systems with NIS, the default is to search the local alias
# database, then the NIS alias database. See aliases(5) for syntax
# details.
#
# If you change the alias database, run "postalias /etc/aliases" (or
# wherever your system stores the mail alias file), or simply run
# "newaliases" to build the necessary DBM or DB file.
#
# It will take a minute or so before changes become visible. Use
# "postfix reload" to eliminate the delay.
#
#alias_maps = dbm:/etc/aliases
alias_maps = hash:/etc/aliases
#alias_maps = hash:/etc/aliases, nis:mail.aliases
#alias_maps = netinfo:/aliases
# The alias_database parameter specifies the alias database(s) that
# are built with "newaliases" or "sendmail -bi". This is a separate
# configuration parameter, because alias_maps (see above) may specify
# tables that are not necessarily all under control by Postfix.
#
#alias_database = dbm:/etc/aliases
#alias_database = dbm:/etc/mail/aliases
alias_database = hash:/etc/aliases
#alias_database = hash:/etc/aliases, hash:/opt/majordomo/aliases
# ADDRESS EXTENSIONS (e.g., user+foo)
#
# The recipient_delimiter parameter specifies the separator between
# user names and address extensions (user+foo). See canonical(5),
# local(8), relocated(5) and virtual(5) for the effects this has on
# aliases, canonical, virtual, relocated and .forward file lookups.
# Basically, the software tries user+foo and .forward+foo before
# trying user and .forward.
#
#recipient_delimiter = +
# DELIVERY TO MAILBOX
#
# The home_mailbox parameter specifies the optional pathname of a
# mailbox file relative to a user's home directory. The default
# mailbox file is /var/spool/mail/user or /var/mail/user. Specify
# "Maildir/" for qmail-style delivery (the / is required).
#
#home_mailbox = Mailbox
#home_mailbox = Maildir/
<% if has_variable?("postfix_home_mailbox") -%>
home_mailbox <%= postfix_home_mailbox %>
<% end -%>
# The mail_spool_directory parameter specifies the directory where
# UNIX-style mailboxes are kept. The default setting depends on the
# system type.
#
mail_spool_directory = /var/mail
#mail_spool_directory = /var/spool/mail
# The mailbox_command parameter specifies the optional external
# command to use instead of mailbox delivery. The command is run as
# the recipient with proper HOME, SHELL and LOGNAME environment settings.
# Exception: delivery for root is done as $default_user.
#
# Other environment variables of interest: USER (recipient username),
# EXTENSION (address extension), DOMAIN (domain part of address),
# and LOCAL (the address localpart).
#
# Unlike other Postfix configuration parameters, the mailbox_command
# parameter is not subjected to $parameter substitutions. This is to
# make it easier to specify shell syntax (see example below).
#
# Avoid shell meta characters because they will force Postfix to run
# an expensive shell process. Procmail alone is expensive enough.
#
# IF YOU USE THIS TO DELIVER MAIL SYSTEM-WIDE, YOU MUST SET UP AN
# ALIAS THAT FORWARDS MAIL FOR ROOT TO A REAL USER.
#
#mailbox_command = /some/where/procmail
#mailbox_command = /some/where/procmail -a "$EXTENSION"
# The mailbox_transport specifies the optional transport in master.cf
# to use after processing aliases and .forward files. This parameter
# has precedence over the mailbox_command, fallback_transport and
# luser_relay parameters.
#
# Specify a string of the form transport:nexthop, where transport is
# the name of a mail delivery transport defined in master.cf. The
# :nexthop part is optional. For more details see the sample transport
# configuration file.
#
# NOTE: if you use this feature for accounts not in the UNIX password
# file, then you must update the "local_recipient_maps" setting in
# the main.cf file, otherwise the SMTP server will reject mail for
# non-UNIX accounts with "User unknown in local recipient table".
#
#mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp
# If using the cyrus-imapd IMAP server deliver local mail to the IMAP
# server using LMTP (Local Mail Transport Protocol), this is prefered
# over the older cyrus deliver program by setting the
# mailbox_transport as below:
#
# mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp
#
# The efficiency of LMTP delivery for cyrus-imapd can be enhanced via
# these settings.
#
# local_destination_recipient_limit = 300
# local_destination_concurrency_limit = 5
#
# Of course you should adjust these settings as appropriate for the
# capacity of the hardware you are using. The recipient limit setting
# can be used to take advantage of the single instance message store
# capability of Cyrus. The concurrency limit can be used to control
# how many simultaneous LMTP sessions will be permitted to the Cyrus
# message store.
#
# To use the old cyrus deliver program you have to set:
#mailbox_transport = cyrus
# The fallback_transport specifies the optional transport in master.cf
# to use for recipients that are not found in the UNIX passwd database.
# This parameter has precedence over the luser_relay parameter.
#
# Specify a string of the form transport:nexthop, where transport is
# the name of a mail delivery transport defined in master.cf. The
# :nexthop part is optional. For more details see the sample transport
# configuration file.
#
# NOTE: if you use this feature for accounts not in the UNIX password
# file, then you must update the "local_recipient_maps" setting in
# the main.cf file, otherwise the SMTP server will reject mail for
# non-UNIX accounts with "User unknown in local recipient table".
#
#fallback_transport = lmtp:unix:/var/lib/imap/socket/lmtp
#fallback_transport =
# The luser_relay parameter specifies an optional destination address
# for unknown recipients. By default, mail for unknown@$mydestination,
# unknown@[$inet_interfaces] or unknown@[$proxy_interfaces] is returned
# as undeliverable.
#
# The following expansions are done on luser_relay: $user (recipient
# username), $shell (recipient shell), $home (recipient home directory),
# $recipient (full recipient address), $extension (recipient address
# extension), $domain (recipient domain), $local (entire recipient
# localpart), $recipient_delimiter. Specify ${name?value} or
# ${name:value} to expand value only when $name does (does not) exist.
#
# luser_relay works only for the default Postfix local delivery agent.
#
# NOTE: if you use this feature for accounts not in the UNIX password
# file, then you must specify "local_recipient_maps =" (i.e. empty) in
# the main.cf file, otherwise the SMTP server will reject mail for
# non-UNIX accounts with "User unknown in local recipient table".
#
#luser_relay = $user@other.host
#luser_relay = $local@other.host
#luser_relay = admin+$local
# JUNK MAIL CONTROLS
#
# The controls listed here are only a very small subset. The file
# SMTPD_ACCESS_README provides an overview.
#
smtpd_helo_required = yes
smtpd_client_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_unknown_client,
<% if has_variable?("postfix_rbl") -%>
<% postfix_rbl.each do |rbl| -%>
reject_rbl_client <%= rbl %>,
<% end -%>
<% end -%>
permit
smtpd_recipient_restrictions =
permit_sasl_authenticated,
permit_mynetworks,
reject_unauth_destination,
check_relay_domains
# The header_checks parameter specifies an optional table with patterns
# that each logical message header is matched against, including
# headers that span multiple physical lines.
#
# By default, these patterns also apply to MIME headers and to the
# headers of attached messages. With older Postfix versions, MIME and
# attached message headers were treated as body text.
#
# For details, see "man header_checks".
#
#header_checks = regexp:/etc/postfix/header_checks
# FAST ETRN SERVICE
#
# Postfix maintains per-destination logfiles with information about
# deferred mail, so that mail can be flushed quickly with the SMTP
# "ETRN domain.tld" command, or by executing "sendmail -qRdomain.tld".
# See the ETRN_README document for a detailed description.
#
# The fast_flush_domains parameter controls what destinations are
# eligible for this service. By default, they are all domains that
# this server is willing to relay mail to.
#
#fast_flush_domains = $relay_domains
# SHOW SOFTWARE VERSION OR NOT
#
# The smtpd_banner parameter specifies the text that follows the 220
# code in the SMTP server's greeting banner. Some people like to see
# the mail version advertised. By default, Postfix shows no version.
#
# You MUST specify $myhostname at the start of the text. That is an
# RFC requirement. Postfix itself does not care.
#
#smtpd_banner = $myhostname ESMTP $mail_name
#smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
# PARALLEL DELIVERY TO THE SAME DESTINATION
#
# How many parallel deliveries to the same user or domain? With local
# delivery, it does not make sense to do massively parallel delivery
# to the same user, because mailbox updates must happen sequentially,
# and expensive pipelines in .forward files can cause disasters when
# too many are run at the same time. With SMTP deliveries, 10
# simultaneous connections to the same domain could be sufficient to
# raise eyebrows.
#
# Each message delivery transport has its XXX_destination_concurrency_limit
# parameter. The default is $default_destination_concurrency_limit for
# most delivery transports. For the local delivery agent the default is 2.
#local_destination_concurrency_limit = 2
#default_destination_concurrency_limit = 20
# DEBUGGING CONTROL
#
# The debug_peer_level parameter specifies the increment in verbose
# logging level when an SMTP client or server host name or address
# matches a pattern in the debug_peer_list parameter.
#
debug_peer_level = 2
# The debug_peer_list parameter specifies an optional list of domain
# or network patterns, /file/name patterns or type:name tables. When
# an SMTP client or server host name or address matches a pattern,
# increase the verbose logging level by the amount specified in the
# debug_peer_level parameter.
#
#debug_peer_list = 127.0.0.1
#debug_peer_list = some.domain
# The debugger_command specifies the external command that is executed
# when a Postfix daemon program is run with the -D option.
#
# Use "command .. & sleep 5" so that the debugger can attach before
# the process marches on. If you use an X-based debugger, be sure to
# set up your XAUTHORITY environment variable before starting Postfix.
#
debugger_command =
PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
ddd $daemon_directory/$process_name $process_id & sleep 5
# If you can't use X, use this to capture the call stack when a
# daemon crashes. The result is in a file in the configuration
# directory, and is named after the process name and the process ID.
#
# debugger_command =
# PATH=/bin:/usr/bin:/usr/local/bin; export PATH; (echo cont;
# echo where) | gdb $daemon_directory/$process_name $process_id 2>&1
# >$config_directory/$process_name.$process_id.log & sleep 5
#
# Another possibility is to run gdb under a detached screen session.
# To attach to the screen sesssion, su root and run "screen -r
# <id_string>" where <id_string> uniquely matches one of the detached
# sessions (from "screen -list").
#
# debugger_command =
# PATH=/bin:/usr/bin:/sbin:/usr/sbin; export PATH; screen
# -dmS $process_name gdb $daemon_directory/$process_name
# $process_id & sleep 1
# INSTALL-TIME CONFIGURATION INFORMATION
#
# The following parameters are used when installing a new Postfix version.
#
# sendmail_path: The full pathname of the Postfix sendmail command.
# This is the Sendmail-compatible mail posting interface.
#
sendmail_path = /usr/sbin/sendmail.postfix
# newaliases_path: The full pathname of the Postfix newaliases command.
# This is the Sendmail-compatible command to build alias databases.
#
newaliases_path = /usr/bin/newaliases.postfix
# mailq_path: The full pathname of the Postfix mailq command. This
# is the Sendmail-compatible mail queue listing command.
#
mailq_path = /usr/bin/mailq.postfix
# setgid_group: The group for mail submission and queue management
# commands. This must be a group name with a numerical group ID that
# is not shared with other accounts, not even with the Postfix account.
#
setgid_group = postdrop
# html_directory: The location of the Postfix HTML documentation.
#
html_directory = no
# manpage_directory: The location of the Postfix on-line manual pages.
#
manpage_directory = /usr/share/man
# sample_directory: The location of the Postfix sample configuration files.
# This parameter is obsolete as of Postfix 2.1.
#
#sample_directory = /usr/share/doc/postfix-2.6.6/samples
# readme_directory: The location of the Postfix README files.
#
#readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
<% if postfix_interfaces != "localhost" -%>
# SASL
#
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = smtpd
smtpd_sasl_security_options = noanonymous
# TLS
#
smtpd_use_tls=yes
smtpd_tls_cert_file=<%= scope.lookupvar('ssl::certs') %>/postfix.crt
smtpd_tls_key_file=<%= scope.lookupvar('ssl::private') %>/postfix.key
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
<% end -%>

14
psacct/manifests/init.pp
View file

@ -3,15 +3,15 @@
#
class psacct {
case $kernel {
linux: {
case $::kernel {
"linux": {
include psacct::linux
}
openbsd: {
"openbsd": {
include psacct::openbsd
}
default: {
fail("psacct module not supported in ${kernel}")
fail("psacct module not supported in ${::kernel}")
}
}
@ -24,8 +24,8 @@ class psacct::linux {
package { "psacct":
name => $::operatingsystem ? {
ubuntu => "acct",
default => "psacct",
"ubuntu" => "acct",
default => "psacct",
},
ensure => installed,
}
@ -67,7 +67,7 @@ class psacct::openbsd {
exec { "accton":
command => "accton /var/account/acct",
path => "/bin:/usr/bin:/sbin:/usr/sbin",
user => root,
user => "root",
refreshonly => true,
}

42
puppet/manifests/init.pp
View file

@ -194,9 +194,11 @@ class puppet::server {
class puppet::server::common inherits puppet::client {
if $::operatingsystem in ["CentOS","RedHat"] and $::operatingsystemrelease =~ /^[1-5]\..*/ {
$seltype = "var_lib_t"
$seltype_readonly = "var_lib_t"
$seltype_writable = "var_lib_t"
} else {
$seltype = "puppet_var_lib_t"
$seltype_readonly = "puppetmaster_t"
$seltype_writable = "puppet_var_lib_t"
}
case $::operatingsystem {
@ -294,17 +296,25 @@ class puppet::server::common inherits puppet::client {
"openbsd" => "wheel",
default => "root",
},
seltype => $seltype,
seltype => $seltype_readonly,
require => Package["puppetmaster"],
}
selinux::manage_fcontext { "${puppet_datadir}(/.*)?":
type => $seltype,
type => $seltype_readonly,
before => File[$puppet_datadir],
}
selinux::manage_fcontext { [
"${puppet_datadir}/bucket(/.*)?",
"${puppet_datadir}/reports(/.*)?",
"${puppet_datadir}/rrd(/.*)?",
]:
type => $seltype_writable,
before => File["/srv/puppet/reports"],
}
file { "/srv/puppet":
ensure => link,
target => $puppet_datadir,
seltype => $seltype,
seltype => $seltype_readonly,
require => File[$puppet_datadir],
}
} else {
@ -316,14 +326,22 @@ class puppet::server::common inherits puppet::client {
"openbsd" => "wheel",
default => "root",
},
seltype => $seltype,
seltype => $seltype_readonly,
require => Package["puppetmaster"],
}
}
selinux::manage_fcontext { "/srv/puppet(/.*)?":
type => $seltype,
type => $seltype_readonly,
before => File["/srv/puppet"],
}
selinux::manage_fcontext { [
"/srv/puppet/bucket(/.*)?",
"/srv/puppet/reports(/.*)?",
"/srv/puppet/rrd(/.*)?",
]:
type => $seltype_writable,
before => File["/srv/puppet/reports"],
}
if $puppet_storeconfigs != "none" {
file { "/srv/puppet/storeconfigs":
@ -331,7 +349,7 @@ class puppet::server::common inherits puppet::client {
mode => "0750",
owner => $user,
group => $group,
seltype => $seltype,
seltype => $seltype_readonly,
require => File["/srv/puppet"],
}
}
@ -342,7 +360,7 @@ class puppet::server::common inherits puppet::client {
mode => "0750",
owner => $user,
group => $group,
seltype => $seltype,
seltype => $seltype_writable,
require => File["/srv/puppet"],
}
file { [ "/srv/puppet/files",
@ -354,7 +372,7 @@ class puppet::server::common inherits puppet::client {
"openbsd" => "wheel",
default => "root",
},
seltype => $seltype,
seltype => $seltype_readonly,
require => File["/srv/puppet"],
}
file { "/srv/puppet/files/common":
@ -365,7 +383,7 @@ class puppet::server::common inherits puppet::client {
"openbsd" => "wheel",
default => "root",
},
seltype => $seltype,
seltype => $seltype_readonly,
require => File["/srv/puppet/files"],
}
file { "/srv/puppet/files/private":
@ -373,7 +391,7 @@ class puppet::server::common inherits puppet::client {
mode => "0750",
owner => "root",
group => $group,
seltype => $seltype,
seltype => $seltype_readonly,
require => File["/srv/puppet/files"],
}

6
puppet/templates/puppet-httpd.conf.erb
View file

@ -50,12 +50,7 @@ Listen 8140
# Proxy settings
<IfModule mod_rewrite.c>
<LocationMatch ^/production/file_content/.*>
ForceType application/x-raw
</LocationMatch>
RewriteEngine On
RewriteRule ^/production/file_content/files/(.+)$ /srv/puppet/files/common/$1 [L]
RewriteRule ^/production/file_content/modules/([^/]+)/files/(.+)$ /etc/puppet/modules/$1/files/$2 [L]
RewriteRule ^/(.*)$ balancer://puppetmaster%{REQUEST_URI} [P,QSA,L]
</Ifmodule>
<IfModule !mod_rewrite.c>
@ -67,4 +62,3 @@ Listen 8140
SetEnv proxy-nokeepalive 1
</VirtualHost>

23
sasl/manifests/init.pp
View file

@ -20,14 +20,35 @@ class sasl::client {
# === Global variables
#
# $saslauthd_mech:
# Authentication mechanism to use. Defaults to system default.
# Authentication mechanism to use. Defaults to system
# default. Supported mechanisms include pam, ldap and kerberos5.
#
# For ldap authentication, see ldap::client for required global variables.
#
class sasl::saslauthd {
require sasl::client
case $saslauthd_mech {
"","pam": { }
"ldap": {
include ldap::client
augeas { "set-saslauthd-mech":
context => "/files/etc/sysconfig/saslauthd",
changes => "set MECH ldap",
notify => Service["saslauthd"],
}
file { "/etc/saslauthd.conf":
ensure => present,
mode => 0644,
owner => "root",
group => "root",
content => template("sasl/saslauthd.conf.ldap.erb"),
notify => Service["saslauthd"],
}
}
"kerberos5": {
augeas { "set-saslauthd-mech":
context => "/files/etc/sysconfig/saslauthd",

2
sasl/templates/saslauthd.conf.ldap.erb Normal file
View file

@ -0,0 +1,2 @@
ldap_servers: <% ldap_server.each do |uri| %><%= uri %> <% end %>
ldap_search_base: <%= ldap_basedn %>

87
syslog/files/logarchiver.sh
View file

@ -1,18 +1,21 @@
#!/bin/sh
ARCHIVEFILES="all.log"
LOGDIR="/srv/log"
DATE=`date +%Y-%m-%d`
YEAR=`date +%Y`
ARCHIVEDIR="/srv/log/archive/" #archivedlogs will be in this
#directory + $YEAR
ARCHIVE="${LOGDIR}/archive"
DATE="`date +%Y-%m-%d`"
YEAR="`date +%Y`"
umask 027
myerror(){
myerror()
{
echo "Error: $*" 1>&2
exit 1
}
archive_log(){
archive_log()
{
FILE="${1}"
DEST="${2}"
@ -21,44 +24,54 @@ archive_log(){
else
echo "Archiving file ${FILE} to ${DEST}"
mv "${FILE}" "${DEST}"
touch ${FILE}
touch "${FILE}"
LOGS="${LOGS} ${DEST}"
fi
}
restart_syslog(){
restart_syslog()
{
for i in syslog.pid rsyslogd.pid syslogd.pid ; do
if [ -f "/var/run/$i" ]; then
PIDFILE="/var/run/$i"
break
fi
if [ -f "/var/run/$i" ]; then
PIDFILE="/var/run/$i"
break
fi
done
if [ "blah${PIDFILE}" = "blah" ]; then
myerror "Cannot find syslog pid file" 1>&2
myerror "Cannot find syslog pid file"
fi
kill -HUP `cat ${PIDFILE}`
}
archive(){
[ -d ${LOGDIR} ] || myerror "No such direcroty: ${LOGDIR}"
[ -d "${ARCHIVEDIR}" ] || myerror "No such archive directory: ${ARCHIVEDIR}"
[ -d "${ARCHIVEDIR}/${YEAR}" ] || mkdir ${ARCHIVEDIR}/${YEAR}
ARCHIVEDIR="${ARCHIVEDIR}/${YEAR}"
for logfile in ${ARCHIVEFILES} ; do
[ -f "${LOGDIR}/${logfile}" ] || myerror "File not found: ${logfile}"
archive_log "${LOGDIR}/${logfile}" "${ARCHIVEDIR}/${logfile}.${DATE}"
done
restart_syslog
for zipfile in ${ARCHIVEFILES} ; do
gzip -f "${ARCHIVEDIR}/${zipfile}.${DATE}" || myerror "Error while gzipping ${ARCHIVEDIR}/${zipfile}"
done
}
case "x$1" in
"x-v"|"x--verbose")
archive
;;
*)
archive >> /dev/null
;;
esac
[ $# -gt 0 ] || myerror "Usage: `basename $0` <file|dir> [file|dir] ..."
[ -d ${LOGDIR} ] || myerror "Not a directory: ${LOGDIR}"
while [ "$*" ]; do
if [ -f "${LOGDIR}/${1}" ]; then
dstdir=${ARCHIVE}/${YEAR}
dstfile=${dstdir}/`basename ${1}`.${DATE}
[ -d "${dstdir}" ] || mkdir -p ${dstdir}
archive_log ${LOGDIR}/${1} ${dstfile}
elif [ -d "${LOGDIR}/${1}" ]; then
for f in ${LOGDIR}/${1}/*.log; do
if [ -f "${f}" ]; then
dstdir=${ARCHIVE}/${1}/${YEAR}
dstfile=${dstdir}/`basename ${f}`.${DATE}
[ -d "${dstdir}" ] || mkdir -p ${dstdir}
archive_log ${f} ${dstfile}
else
echo "Skipping ${f}: not a file" 1>&2
fi
done
else
echo "Skipping ${1}: not a file or directory" 1>&2
fi
shift
done
restart_syslog
for log in ${LOGS}; do
gzip -f ${log} || myerror "Error while gzipping ${log}"
done

38
syslog/manifests/init.pp
View file

@ -212,8 +212,15 @@ class syslog::client::rsyslog {
# $syslog_datadir:
# Directory where to store logs. Defaults to /srv/log.
#
# $syslog_rotate:
# Array of log files to rotate. Defaults to 'all.log'.
#
class syslog::common::standalone inherits syslog::common {
if !$syslog_rotate {
$syslog_rotate = [ "all.log" ]
}
if $syslog_datadir {
file { $syslog_datadir:
ensure => directory,
@ -277,8 +284,9 @@ class syslog::common::standalone inherits syslog::common {
default => "root",
},
}
$syslog_rotate_files = inline_template('<%= syslog_rotate.join(" ") -%>')
cron { "logarchiver.sh":
command => "/usr/local/sbin/logarchiver.sh",
command => "/usr/local/sbin/logarchiver.sh ${syslog_rotate_files} >/dev/null",
user => "root",
hour => 0,
minute => 0,
@ -370,3 +378,31 @@ class syslog::server::rsyslog inherits syslog::client::rsyslog {
}
}
# Install syslog server with custom configuration.
#
class syslog::custom inherits syslog::common::standalone {
case $syslog_type {
"syslogd": { fail("Server for \$syslog_type '$syslog_type' not yet supported.") }
"rsyslog": { include syslog::custom::rsyslog }
default: { fail("Unknown \$syslog_type '$syslog_type'") }
}
}
# Install syslog server using rsyslog with custom configuration.
#
class syslog::custom::rsyslog inherits syslog::client::rsyslog {
File["/etc/rsyslog.conf"] {
content => undef,
source => [ "puppet:///files/syslog/rsyslog.conf.${homename}",
"puppet:///files/syslog/rsyslog.conf", ],
require => [ File["/srv/log"],
File["/var/log/all.log"], ],
}
}

23
tftp/manifests/init.pp
View file

@ -82,7 +82,7 @@ class tftp::server {
}
case $::operatingsystem {
debian,ubuntu: {
"debian","ubuntu": {
service { "tftpd-hpa":
ensure => running,
hasstatus => true,
@ -91,14 +91,35 @@ class tftp::server {
Package["tftp-server"], ],
}
}
"openbsd": {
if versioncmp($::operatingsystemrelease, '5.2') < 0 {
include inetd::server
inetd::service { "tftp":
ensure => present,
require => File["/tftpboot"],
}
} else {
service { "tftpd":
ensure => running,
hasstatus => true,
enable => true,
start => "/usr/sbin/tftpd /tftpboot",
require => File["/tftpboot"],
}
}
}
default: {
include inetd::server
inetd::service { "tftp":
ensure => present,
<<<<<<< HEAD
require => $::operatingsystem ? {
"openbsd" => undef,
default => Package["tftp-server"],
},
=======
require => Package["tftp-server"],
>>>>>>> 7c4f9e6b94793caf3c9369cc0519eefddc54f7d0
}
}
}

2
wiki/manifests/init.pp
View file

@ -451,7 +451,7 @@ define wiki::collab::package($source, $config="/srv/wikis/collab/wikis/collab/co
user => "collab",
path => "/bin:/usr/bin:/sbin:/usr/sbin",
environment => "PYTHONPATH=${config}",
command => "/bin/sh -c 'umask 007; python ${::pythonsitedir}/MoinMoin/packages.py i /usr/local/src/${name}'",
command => "/bin/sh -c 'umask 007; python ${::pythonsitedir}/MoinMoin/packages.py -u collab i /usr/local/src/${name}'",
refreshonly => true,
require => Exec["collab-account-create -f -r collab"]
}

27
yum/files/keys/dell-omsa.key Normal file
View file

@ -0,0 +1,27 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
mQGiBDrbVQQRBACfyqmXDmXKLS/1TUpxb7KMVKqzk3XqiHidQWmRzquo26FReyvR
2PnGKHVtiBtZcgb+e2rPR/MNyfAGh5Xkjfzq+gPxVAJUbwbM81yo54b8oYGlqogv
wq0Y6a3H5t9nHENifLbX2HEVH/+eFKcp4gVJqRiUctf8xreUOU/HXuVXvwCgg2HG
Bm2PAjhRXxchtuyPK7SggaUD/3HsxqqCw97JAnZtMXzL/9gNDuzAB/8SZTtiw+eU
NbIAieyPydoLyoZKvbaMIHchkSQgZJ8QX6cvaME3xYpSeiUwT3WVztbDy/naEyq5
VoMMc1thtPt+Z0Bx7lwefZ1HsXmKtUen9X/wrNOjKhOJrInn4RaBw8eE1w8Uh/oj
SxhbA/0b2xxmmOh1GJxdEKRDMabXu9cJNgTuR8pDG2aGH32bNniLC69Lr34daaJn
kl0lL5JH2ivqvUB83jTGir0pqf/rWOBgVJ8sfvzhpf4w0QXSuwQsk+UdvlcsalI8
m5nah+9bRnFsibYX7Y04odE5rzRg6Vv2wqQo9eELnPXdt3JiVLRJRGVsbCBDb21w
dXRlciBDb3Jwb3JhdGlvbiAoTGludXggU3lzdGVtcyBHcm91cCkgPGxpbnV4LXNl
Y3VyaXR5QGRlbGwuY29tPohXBBMRAgAXBQI621UEBQsHCgMEAxUDAgMWAgECF4AA
CgkQyneVHSO2ap2nqACeJKS/llA45VuDrtzUnxPPiWknKtcAniG6aD7ELAM2+SzD
lG7n1cHZSqyXiEYEEBECAAYFAjujySgACgkQIavu95Lw/AluzACgluS3dEQh4iw3
t80nI+oZ2ssphEQAnjMXCjnRlkohpMgdJuvHSBuVUPjJuQENBDrbVQUQBAC2h3kC
wV0pPn44jL7kdeujexYm9hy0ImggCzMHHqplpq1vh0vK2DtZLjM3ZUs68ypCZfDt
ejvxm+m/e708ZmGxveIk0FbvC9dfuUvn5dmj9gQcXOWxqfjkOgZ2CXXY1fX9Fe4a
QLI8QuQ5sTn6GreeFQCcJXCGWiNi1Hpyi8k1ZwADBQP+KVolSCJG2KR0qScJN+2O
MRS6IowNIwLY93GlDekrqxBxVOv0FxRHH8lV0xZWMTWfsIBEZU+Iov6ns3ky4m6J
ImKZ+xaFHehgCPBy3u2pbrSbHGhMzqa40sU3mI9SA0sOJQ18oX6blNDIwnyveKXw
ZrXZC6mO7PkRnoa+J/4cvSmIRgQYEQIABgUCOttVBQAKCRDKd5UdI7ZqnYmZAJ97
LhXpWlSlrm5XCNSfO8BwJGVNGgCfR0hFclor3HLNl28ZVENT1SvbjNQ=
=sYOa
-----END PGP PUBLIC KEY BLOCK-----

40
yum/manifests/init.pp
View file

@ -129,7 +129,7 @@ class yum::exclude {
augeas { "yum-exclude":
context => "/files/etc/yum.conf/main",
changes => "set exclude ${yum_exclude_real}",
changes => "set exclude '${yum_exclude_real}'",
}
}
@ -257,6 +257,44 @@ class yum::repo::centos-cr {
}
class yum::repo::dell {
case $::operatingsystem {
"centos", "redhat": { }
default: {
fail("Dell OMSA repository not supported in ${operatingsystem}")
}
}
# Required for detecting the correct system hardware via
# yum. Dell's repo then provide their own yum-dellsysid after
# installing the repos.
package { "yum-dellsysid":
ensure => installed,
require => Class["yum::repo::epel"],
}
case $operatingsystemrelease {
/^6\.[0-9]+/: {
yum::repo { "dell-omsa-indep":
descr => "Dell OMSA repository - Hardware independent",
mirrorlist => "http://linux.dell.com/repo/hardware/latest/mirrors.cgi?osname=el\$releasever&ve&basearch=\$basearch&native=1&dellsysidpluginver=\$dellsysidpluginver",
gpgkey => "puppet:///modules/yum/keys/dell-omsa.key",
require => Package["yum-dellsysid"],
}
yum::repo { "dell-omsa-specific":
descr => "Dell OMSA repository - Hardware specific",
mirrorlist => "http://linux.dell.com/repo/hardware/latest/mirrors.cgi?osname=el\$releasever&basearch=\$basearch&native=1&sys_ven_id=\$sys_ven_id&sys_dev_id=\$sys_dev_id&dellsysidpluginver=\$dellsysidpluginver",
gpgkey => "puppet:///modules/yum/keys/dell-omsa.key",
require => Package["yum-dellsysid"],
}
}
default: {
fail("Dell OMSA repository not supported in ${operatingsystem} ${operatingsystemrelease}")
}
}
}
class yum::repo::elrepo {