Merge tmakinen/puppet

Conflicts:
	dovecot/manifests/init.pp
	libvirt/manifests/init.pp
	munin/manifests/init.pp
	puppet/manifests/init.pp
	tftp/manifests/init.pp
Ossi Salmi 2012-11-16 19:40:31 +02:00
commit 98767cfb2a
45 changed files with 5517 additions and 156 deletions


@ -30,14 +30,14 @@ SSLCipherSuite RC4-SHA:HIGH:!ADH
# the certificate is encrypted, then you will be prompted for a # the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A new # pass phrase. Note that a kill -HUP will prompt again. A new
# certificate can be generated using the genkey(1) command. # certificate can be generated using the genkey(1) command.
SSLCertificateFile <%= apache_ssldir %>/certs/<%= site_fqdn %>.crt SSLCertificateFile <%= @apache_ssldir %>/certs/<%= site_fqdn %>.crt
# Server Private Key: # Server Private Key:
# If the key is not combined with the certificate, use this # If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if # directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure # you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.) # both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile <%= apache_ssldir %>/private/<%= site_fqdn %>.key SSLCertificateKeyFile <%= @apache_ssldir %>/private/<%= site_fqdn %>.key
# Server Certificate Chain: # Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the # Point SSLCertificateChainFile at a file containing the
@ -47,7 +47,7 @@ SSLCertificateKeyFile <%= apache_ssldir %>/private/<%= site_fqdn %>.key
# when the CA certificates are directly appended to the server # when the CA certificates are directly appended to the server
# certificate for convinience. # certificate for convinience.
<% if ssl_chain != "" -%> <% if ssl_chain != "" -%>
SSLCertificateChainFile <%= apache_ssldir %>/certs/<%= site_fqdn %>.chain.crt SSLCertificateChainFile <%= @apache_ssldir %>/certs/<%= site_fqdn %>.chain.crt
<% end -%> <% end -%>
# Certificate Authority (CA): # Certificate Authority (CA):
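Review bot: The variable lookup style on the changed lines is now mixed: `apache_ssldir` was moved to the `@apache_ssldir` instance-variable form, but `site_fqdn` on the same lines and `ssl_chain` in the second hunk are still looked up as bare method-style names, which is the form Puppet warns about as deprecated. Converting them in the same pass, e.g. `SSLCertificateFile <%= @apache_ssldir %>/certs/<%= @site_fqdn %>.crt` and `<% if @ssl_chain != "" -%>`, keeps the template on one lookup style and avoids a second round of edits when the bare form stops working.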


@ -70,7 +70,10 @@ class backuppc::server {
group => "root", group => "root",
require => Package["BackupPC"], require => Package["BackupPC"],
} }
selinux::manage_fcontext { "${backuppc_datadir}(/.*)?":
type => "var_lib_t",
before => File[$backuppc_datadir],
}
file { "/var/lib/BackupPC": file { "/var/lib/BackupPC":
ensure => $backuppc_datadir, ensure => $backuppc_datadir,
force => true, force => true,
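Review bot: The new `selinux::manage_fcontext` title interpolates `$backuppc_datadir` straight into a regular expression, so the pattern is only correct when the value has no trailing slash and no regex metacharacters; a value of `/srv/backup/` would yield `/srv/backup/(/.*)?`, which no longer matches the directory itself. Since the same variable is also used as the symlink target on the following lines, normalising it once before both uses (for example stripping a trailing `/` with `regsubst`) or stating the expected form in the class comment would make the resource robust. The enclosing `backuppc::server` class starts and ends outside the hunk.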


@ -4,7 +4,7 @@ Puppet::Type.type(:service).provide :openbsd, :parent => :base do
desc "OpenBSD service management." desc "OpenBSD service management."
version = ["4.9", "5.0", "5.1"] version = ["4.9", "5.0", "5.1", "5.2"]
confine :operatingsystem => :openbsd confine :operatingsystem => :openbsd
confine :operatingsystemrelease => version confine :operatingsystemrelease => version
defaultfor :operatingsystem => :openbsd defaultfor :operatingsystem => :openbsd

41
dell/manifests/init.pp Normal file

@ -0,0 +1,41 @@
class dell::common {
case $::operatingsystem {
"centos", "redhat": {
include yum::repo::dell
}
default: {
fail("Dell modules not supported in ${operatingsystem}")
}
}
}
# Tools and services for Dell iDRAC7 management
#
class dell::idrac7 {
include dell::common
package { 'srvadmin-idrac7':
ensure => installed,
require => Class["yum::repo::dell"],
}
# Enable OpenManage System services
exec { "srvadmin-service-enable":
command => "/opt/dell/srvadmin/sbin/srvadmin-services.sh enable",
creates => "/etc/rc2.d/S97dataeng",
user => "root",
group => "root",
require => Exec["srvadmin-service-start"],
}
# Start OpenManage System services
exec { "srvadmin-service-start":
command => "/opt/dell/srvadmin/sbin/srvadmin-services.sh start",
unless => "/usr/bin/pgrep -f /opt/dell/srvadmin/sbin/dsm_sa_datamgrd",
user => "root",
group => "root",
require => Package["srvadmin-idrac7"],
}
}
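Review bot: The `fail` message in `dell::common` interpolates the unscoped `${operatingsystem}` while the `case` two lines above tests the top-scope `$::operatingsystem`; use `fail("Dell modules not supported in ${::operatingsystem}")` so the message reports the value that was actually tested. In `dell::idrac7` the `srvadmin-service-enable` exec `require`s `srvadmin-service-start`, so a failed start also blocks the boot-time enable; if that ordering is deliberate, a one-line comment saying so would save the next reader from "fixing" it. The `unless => "/usr/bin/pgrep -f ..."` guard matches any process whose command line contains that path, which is fine for a daemon but worth noting is not a status check.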

0
dovecot/files/empty Normal file


@ -0,0 +1,73 @@
class dovecot::server::v1 {
case $operatingsystem {
centos,fedora: {
$dovecot_ssl_dir = "/etc/pki/tls"
}
default: {
fail("Dovecot module not supported in ${operatingsystem}.")
}
}
service { "dovecot":
ensure => running,
enable => true,
require => File["/etc/dovecot.conf"],
}
if $dovecot_ssl_csr {
file { "$dovecot_ssl_dir/private/dovecot.csr":
ensure => present,
source => $dovecot_ssl_csr,
mode => "0640",
owner => "root",
group => "root",
notify => Service["dovecot"],
}
}
if $dovecot_ssl_ca {
file { "$dovecot_ssl_dir/certs/dovecot.ca.crt":
ensure => present,
source => $dovecot_ssl_ca,
mode => "0644",
owner => "root",
group => "root",
notify => Service["dovecot"],
}
}
if $dovecot_ssl_cert {
file { "$dovecot_ssl_dir/certs/dovecot.crt":
ensure => present,
source => $dovecot_ssl_cert,
mode => "0644",
owner => "root",
group => "root",
notify => Service["dovecot"],
}
} else {
fail("You need to define an ssl_cert in your node manifest.")
}
if $dovecot_ssl_key {
file { "$dovecot_ssl_dir/private/dovecot.key":
ensure => present,
source => $dovecot_ssl_key,
mode => "0600",
owner => "root",
group => "root",
notify => Service["dovecot"],
}
} else {
fail("You need to define an ssl_key in your node manifest.")
}
file { "/etc/dovecot.conf":
ensure => present,
content => template("dovecot/dovecot.conf.erb"),
mode => "0644",
owner => "root",
group => "root",
notify => Service["dovecot"],
}
}
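Review bot: `dovecot::server::v1` only accepts `centos,fedora` in its `case $operatingsystem`, but `dovecot::server` in this same commit includes it for `"centos","redhat","fedora"`, so on a RedHat node the include lands in the `default` branch and the catalog fails with "Dovecot module not supported"; `dovecot::server::v2` (the dovecot2.pp hunk) has the identical mismatch. Align the lists, e.g. `"centos","redhat","fedora": {`, and use the top-scope `$::operatingsystem` in the `case` and the `fail` message as the parent class does. Since the parent already sets `$dovecot_ssl_dir` for those systems, the duplicated `case` could arguably be dropped, but with the scoping rules in use here I would confirm the variable is visible from the included class before relying on that.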


@ -0,0 +1,89 @@
class dovecot::server::v2 {
case $operatingsystem {
centos,fedora: {
$dovecot_ssl_dir = "/etc/pki/tls"
}
default: {
fail("Dovecot module not supported in ${operatingsystem}.")
}
}
service { "dovecot":
ensure => running,
enable => true,
require => File["/etc/dovecot/conf.d/98-puppet.conf",
"/etc/dovecot/conf.d/99-local.conf"],
}
file { "/etc/dovecot/conf.d/98-puppet.conf":
ensure => present,
content => template("dovecot/puppet.conf.erb"),
mode => "0644",
owner => "root",
group => "root",
notify => Service["dovecot"],
require => Package["dovecot"],
}
file { "/etc/dovecot/conf.d/99-local.conf":
ensure => present,
source => [
"puppet:///files/dovecot/local.conf",
"puppet:///modules/dovecot/empty",
],
mode => "0644",
owner => "root",
group => "root",
notify => Service["dovecot"],
require => Package["dovecot"],
}
if $dovecot_ssl_csr {
file { "$dovecot_ssl_dir/private/dovecot.csr":
ensure => present,
source => $dovecot_ssl_csr,
mode => "0640",
owner => "root",
group => "root",
notify => Service["dovecot"],
}
}
if $dovecot_ssl_ca {
file { "$dovecot_ssl_dir/certs/dovecot.ca.crt":
ensure => present,
source => $dovecot_ssl_ca,
mode => "0644",
owner => "root",
group => "root",
notify => Service["dovecot"],
}
}
if $dovecot_ssl_cert {
file { "$dovecot_ssl_dir/certs/dovecot.crt":
ensure => present,
source => $dovecot_ssl_cert,
mode => "0644",
owner => "root",
group => "root",
notify => Service["dovecot"],
}
} else {
fail("You need to define an ssl_cert in your node manifest.")
}
if $dovecot_ssl_key {
file { "$dovecot_ssl_dir/private/dovecot.key":
ensure => present,
source => $dovecot_ssl_key,
mode => "0600",
owner => "root",
group => "root",
notify => Service["dovecot"],
}
} else {
fail("You need to define an ssl_key in your node manifest.")
}
}


@ -1,3 +1,6 @@
import "dovecot1.pp" # Dovecot v1.x
import "dovecot2.pp" # Dovecot v2.x
class dovecot::common { class dovecot::common {
case $::operatingsystem { case $::operatingsystem {
@ -24,79 +27,33 @@ class dovecot::common {
# Puppet source for the X.509 key. # Puppet source for the X.509 key.
# $dovecot_ssl_ca: # $dovecot_ssl_ca:
# Puppet source for the optional X.509 ca certificate. # Puppet source for the optional X.509 ca certificate.
# $dovecot_mailbox_format:
# Mailbox format to use in user's homedir ["mbox" | "mdbox"]
# $dovecot_zlib:
# Compress mailboxes with zlib ["yes" | "no"]
class dovecot::server inherits dovecot::common { class dovecot::server inherits dovecot::common {
if ! $dovecot_mailbox_format {
$dovecot_mailbox_format = "mbox"
}
case $::operatingsystem { case $::operatingsystem {
"centos","redhat","fedora": { "centos","redhat","fedora": {
$dovecot_ssl_dir = "/etc/pki/tls" $dovecot_ssl_dir = "/etc/pki/tls"
case $operatingsystemrelease {
/^6\./: {
include dovecot::server::v2
}
default: {
include dovecot::server::v1
}
}
} }
default: { default: {
fail("Dovecot module not supported in ${::operatingsystem}.") fail("Dovecot module not supported in ${::operatingsystem}.")
} }
} }
service { "dovecot":
ensure => running,
enable => true,
require => File["/etc/dovecot.conf"],
}
if $dovecot_ssl_csr {
file { "$dovecot_ssl_dir/private/dovecot.csr":
ensure => present,
source => $dovecot_ssl_csr,
mode => "0640",
owner => "root",
group => "root",
notify => Service["dovecot"],
}
}
if $dovecot_ssl_ca {
file { "$dovecot_ssl_dir/certs/dovecot.ca.crt":
ensure => present,
source => $dovecot_ssl_ca,
mode => "0644",
owner => "root",
group => "root",
notify => Service["dovecot"],
}
}
if $dovecot_ssl_cert {
file { "$dovecot_ssl_dir/certs/dovecot.crt":
ensure => present,
source => $dovecot_ssl_cert,
mode => "0644",
owner => "root",
group => "root",
notify => Service["dovecot"],
}
} else {
fail("You need to define an ssl_cert in your node manifest.")
}
if $dovecot_ssl_key {
file { "$dovecot_ssl_dir/private/dovecot.key":
ensure => present,
source => $dovecot_ssl_key,
mode => "0600",
owner => "root",
group => "root",
notify => Service["dovecot"],
}
} else {
fail("You need to define an ssl_key in your node manifest.")
}
file { "/etc/dovecot.conf":
ensure => present,
content => template("dovecot/dovecot.conf.erb"),
mode => "0644",
owner => "root",
group => "root",
notify => Service["dovecot"],
}
} }
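Review bot: The new version selection `case $operatingsystemrelease {` uses an unscoped variable while the surrounding code uses `$::operatingsystem`; change it to `case $::operatingsystemrelease {`. The `/^6\./` test also only identifies EL6: Fedora is accepted by the outer `case` as well, and Fedora releases of this period ship Dovecot 2.x as far as I recall, so those hosts would receive the v1 configuration that manages `/etc/dovecot.conf`; selecting v2 when `$::operatingsystem` is fedora, or documenting that Fedora is v1-only, would avoid that. `$dovecot_mailbox_format` gets a default but is never validated against the documented `["mbox" | "mdbox"]` values, and the template emits it directly into `mail_location`; a `case` that `fail`s on anything else would catch typos at compile time.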


@ -0,0 +1,38 @@
ssl=required
ssl_cert = <<%= dovecot_ssl_dir %>/certs/dovecot.crt
ssl_key = <<%= dovecot_ssl_dir %>/private/dovecot.key
<% if has_variable?('dovecot_ssl_ca') -%>
ssl_ca = <<%= dovecot_ssl_dir %>/certs/dovecot.ca.crt
<% end -%>
<% if has_variable=('dovecot_mailbox_format') && dovecot_mailbox_format == "mdbox" -%>
# mdbox settings
mdbox_rotate_size = 10M
mdbox_rotate_interval = 10d
<% end -%>
# zlib
<% if has_variable?('dovecot_zlib') && dovecot_zlib == "yes" -%>
mail_plugins = $mail_plugins zlib
plugin {
zlib_save_level = 1 # 1..9
zlib_save = gz # or bz2
}
<% end -%>
mail_location = <%= dovecot_mailbox_format %>:~/imapmail/
namespace {
separator = /
list = yes
}
namespace {
separator = /
prefix = "#mbox/"
location = mbox:~/imapinbox/:INBOX=/var/mail/%u
inbox = yes
hidden = yes
list = no
}
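Review bot: The line `<% if has_variable=('dovecot_mailbox_format') && dovecot_mailbox_format == "mdbox" -%>` has a typo: Ruby parses `has_variable=(...)` as an assignment to a local variable named `has_variable`, which is always truthy, so the guard silently degrades to `dovecot_mailbox_format == "mdbox"` and would raise a NameError if that variable were ever unset. It should read `<% if has_variable?('dovecot_mailbox_format') && dovecot_mailbox_format == "mdbox" -%>`, matching the `has_variable?` form used for `dovecot_ssl_ca` a few lines earlier. Separately, `mail_location = <%= dovecot_mailbox_format %>:~/imapmail/` is emitted unconditionally, so the template relies on `dovecot::server` always having set a default; a short comment saying so would help the next reader.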


@ -17,6 +17,11 @@
# #
# $firewall_custom = [ "pass in quick carp", ] # $firewall_custom = [ "pass in quick carp", ]
# #
# Loading of extra modules is supported on centos. For example FTP
# support for iptables:
#
# $firewall_modules = [ "nf_conntrack_ftp", ]
class firewall { class firewall {
if ! $firewall_custom { if ! $firewall_custom {
@ -117,6 +122,14 @@ class firewall::common::iptables {
hasrestart => true, hasrestart => true,
require => Package["iptables"], require => Package["iptables"],
} }
if $firewall_modules {
$firewall_modules_str = inline_template('<%= @firewall_modules.join(" ") -%>')
augeas { "iptables-config":
context => "/files/etc/sysconfig/iptables-config",
changes => [ "set IPTABLES_MODULES '${firewall_modules_str}'" ],
notify => Service["iptables"],
}
}
} }
} }
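Review bot: The module list built at `$firewall_modules_str` is written into `/etc/sysconfig/iptables-config`, a file the iptables init script sources as shell, and nothing checks the entries before they go in: an element containing a quote or shell metacharacter would break or alter what that script executes, and `.join` raises a compile error if `$firewall_modules` is supplied as a plain string rather than an array. Since the value comes from node manifests the exposure is limited, but validating each entry against a kernel-module name pattern such as `^[A-Za-z0-9_]+$` and failing otherwise (stdlib's `validate_re`, if that module is in use here, or a `case` with a regex) before the `augeas` resource turns a bad value into an explicit error. The enclosing `firewall::common::iptables` class starts outside the hunk.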


@ -14,7 +14,7 @@
<% end -%> <% end -%>
-A INPUT -p ipv6-icmp -j ACCEPT -A INPUT -p ipv6-icmp -j ACCEPT
<% <%
firewall_rules.each do |rule| @firewall_rules.each do |rule|
rule = /(tcp|udp)\/([\d:]+)( .+)?/.match(rule) rule = /(tcp|udp)\/([\d:]+)( .+)?/.match(rule)
if not rule[3] or IPAddr.new(rule[3].strip()).ipv6? if not rule[3] or IPAddr.new(rule[3].strip()).ipv6?
-%> -%>
@ -22,7 +22,7 @@
<% <%
end end
end end
firewall_custom.each do |rule| @firewall_custom.each do |rule|
-%> -%>
<%= rule %> <%= rule %>
<% end -%> <% end -%>
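Review bot: The `@firewall_rules.each` loop still dereferences `rule[3]` on the line after `rule = /(tcp|udp)\/([\d:]+)( .+)?/.match(rule)`, so a rule string that does not match the pattern turns `rule` into `nil` and the whole catalog compile aborts with a bare NoMethodError; the same pattern is in the iptables.erb hunk and, via `rule[1]`, in the pf.conf.erb hunk. A guard before the match, e.g. `raise "unparsable firewall rule: #{rule}" unless rule =~ %r{\A(tcp|udp)/[\d:]+( .+)?\z}`, produces an error that names the offending value; `IPAddr.new(rule[3].strip())` likewise raises on anything that is not a literal address and deserves the same treatment. Reusing `rule` for both the string and the MatchData also makes a useful error message impossible afterwards; a separate name such as `m` for the match would read better.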


@ -8,7 +8,7 @@
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp --icmp-type any -j ACCEPT -A INPUT -p icmp --icmp-type any -j ACCEPT
<% <%
firewall_rules.each do |rule| @firewall_rules.each do |rule|
rule = /(tcp|udp)\/([\d:]+)( .+)?/.match(rule) rule = /(tcp|udp)\/([\d:]+)( .+)?/.match(rule)
if not rule[3] or IPAddr.new(rule[3].strip()).ipv4? if not rule[3] or IPAddr.new(rule[3].strip()).ipv4?
-%> -%>
@ -16,7 +16,7 @@
<% <%
end end
end end
firewall_custom.each do |rule| @firewall_custom.each do |rule|
-%> -%>
<%= rule %> <%= rule %>
<% end -%> <% end -%>


@ -8,10 +8,10 @@ pass out all
pass in quick inet proto icmp all pass in quick inet proto icmp all
pass in quick inet6 proto icmp6 all pass in quick inet6 proto icmp6 all
<% firewall_rules.each do |rule| -%> <% @firewall_rules.each do |rule| -%>
<% rule = /(tcp|udp)\/([\d:]+)( .+)?/.match(rule) -%> <% rule = /(tcp|udp)\/([\d:]+)( .+)?/.match(rule) -%>
pass in quick proto <%= rule[1] %><% if rule[3] %> from<%= rule[3] %><% end %> to port <%= rule[2] %> pass in quick proto <%= rule[1] %><% if rule[3] %> from<%= rule[3] %><% end %> to port <%= rule[2] %>
<% end -%> <% end -%>
<% firewall_custom.each do |rule| -%> <% @firewall_custom.each do |rule| -%>
<%= rule %> <%= rule %>
<% end -%> <% end -%>


@ -50,7 +50,7 @@ class inetd::server::inetd {
service { "inetd": service { "inetd":
ensure => running, ensure => running,
start => "inetd", start => "/usr/sbin/inetd",
enable => true, enable => true,
} }


@ -58,9 +58,9 @@ include <%= scope.lookupvar('ldap::server::config') %>/slapd.conf.d/acl.<%= nam
include <%= scope.lookupvar('ldap::server::config') %>/slapd.conf.d/index.<%= name %>.conf include <%= scope.lookupvar('ldap::server::config') %>/slapd.conf.d/index.<%= name %>.conf
# map local users connecting via ldapi:/// # map local users connecting via ldapi:///
sasl-regexp "gidNumber=([\d]+)+uidNumber=0,cn=peercred,cn=external,cn=auth" sasl-regexp "gidNumber=([^,]+)+uidNumber=0,cn=peercred,cn=external,cn=auth"
"cn=manager,<%= name %>" "cn=manager,<%= name %>"
sasl-regexp "gidNumber=([\d]+)+uidNumber=([\d]+),cn=peercred,cn=external,cn=auth" sasl-regexp "gidNumber=([^,]+)+uidNumber=([^,]+),cn=peercred,cn=external,cn=auth"
ldap:///<%= name %>??sub?(&(uidNumber=$2)(objectClass=posixAccount)) ldap:///<%= name %>??sub?(&(uidNumber=$2)(objectClass=posixAccount))
# map sasl authenticated users # map sasl authenticated users
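Review bot: Relaxing the `sasl-regexp` captures from `([\d]+)` to `([^,]+)` widens what `$2` can contain before it is substituted unescaped into the `ldap:///...??sub?(&(uidNumber=$2)(objectClass=posixAccount))` search filter: the old class guaranteed a numeric value, the new one also admits filter metacharacters such as `(`, `)` or `*`. The DN comes from the peercred/EXTERNAL mechanism using kernel-supplied credentials, so in practice the value is numeric and the exposure is small, but `[0-9]+` would keep the invariant for free. I suspect the relaxation was needed because the old pattern could not match the `gidNumber=N+uidNumber=M` DN form at all: its `+` is a regex quantifier, not the RDN separator, so `uidNumber=` could never follow the digits; escaping it, as in `sasl-regexp "gidNumber=([0-9]+)\+uidNumber=([0-9]+),cn=peercred,cn=external,cn=auth"`, would fix the match on both changed lines without loosening the classes.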


@ -35,8 +35,33 @@ class libvirt::client {
# $libvirt_admingroup: # $libvirt_admingroup:
# Group which has access to system libvirtd. # Group which has access to system libvirtd.
# #
# $libvirt_guest_on_boot
# Action to taken on host boot [start, ignore] (default: start)
#
# $libvirt_guest_on_shutdown
# Action to taken on host shutdown [suspend, shutdown] (default: suspend)
#
# $libvirt_parallel_shutdown
# If set to non-zero, shutdown will suspend guests concurrently. (default: 0)
#
class libvirt::kvm inherits libvirt::client { class libvirt::kvm inherits libvirt::client {
if !$libvirt_admingroup {
$libvirt_admingroup = "root"
}
if !$libvirt_guest_on_boot {
$libvirt_guest_on_boot = "start"
}
if !$libvirt_guest_on_shutdown {
$libvirt_guest_on_shutdown = "suspend"
}
if !$libvirt_parallel_shutdown {
$libvirt_parallel_shutdown = 0
}
case $::operatingsystem { case $::operatingsystem {
"centos","redhat": { "centos","redhat": {
case $::operatingsystemrelease { case $::operatingsystemrelease {
@ -58,6 +83,14 @@ class libvirt::kvm inherits libvirt::client {
} }
} }
} }
file { "/etc/sysconfig/libvirt-guests":
ensure => present,
mode => "0644",
owner => "root",
group => "root",
content => template("libvirt/sysconfig-libvirt-guests.erb"),
require => Package["libvirt"],
}
} }
"fedora": { "fedora": {
package { "qemu-kvm": package { "qemu-kvm":
@ -74,10 +107,6 @@ class libvirt::kvm inherits libvirt::client {
} }
} }
if !$libvirt_admingroup {
$libvirt_admingroup = "root"
}
file { "/etc/libvirt/libvirtd.conf": file { "/etc/libvirt/libvirtd.conf":
ensure => present, ensure => present,
mode => "0644", mode => "0644",
@ -92,6 +121,5 @@ class libvirt::kvm inherits libvirt::client {
ensure => running, ensure => running,
enable => true, enable => true,
} }
} }
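Review bot: The three new doc entries `# $libvirt_guest_on_boot`, `# $libvirt_guest_on_shutdown` and `# $libvirt_parallel_shutdown` omit the trailing colon that the existing entries such as `# $libvirt_admingroup:` carry, so the parameter list no longer scans uniformly; write them as `# $libvirt_guest_on_boot:` etc. The phrase "Action to taken" on the two description lines should be "Action taken". The defaults block moved above the `case` documents the accepted values only in the comment; since those values are later written into a sysconfig file that is sourced as shell, a `case` that `fail`s on anything other than `start`/`ignore` and `suspend`/`shutdown` would turn a typo into a compile error rather than a silently broken init script.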


@ -0,0 +1,41 @@
# URIs to check for running guests
# example: URIS='default xen:/// vbox+tcp://host/system lxc:///'
#URIS=default
# action taken on host boot
# - start all guests which were running on shutdown are started on boot
# regardless on their autostart settings
# - ignore libvirt-guests init script won't start any guest on boot, however,
# guests marked as autostart will still be automatically started by
# libvirtd
ON_BOOT=<%= libvirt_guest_on_boot %>
# Number of seconds to wait between each guest start. Set to 0 to allow
# parallel startup.
#START_DELAY=0
# action taken on host shutdown
# - suspend all running guests are suspended using virsh managedsave
# - shutdown all running guests are asked to shutdown. Please be careful with
# this settings since there is no way to distinguish between a
# guest which is stuck or ignores shutdown requests and a guest
# which just needs a long time to shutdown. When setting
# ON_SHUTDOWN=shutdown, you must also set SHUTDOWN_TIMEOUT to a
# value suitable for your guests.
ON_SHUTDOWN=<%= libvirt_guest_on_shutdown %>
# If set to non-zero, shutdown will suspend guests concurrently. Number of
# guests on shutdown at any time will not exceed number set in this variable.
PARALLEL_SHUTDOWN=<%= libvirt_parallel_shutdown %>
# Number of seconds we're willing to wait for a guest to shut down. If parallel
# shutdown is enabled, this timeout applies as a timeout for shutting down all
# guests on a single URI defined in the variable URIS. If this is 0, then there
# is no time out (use with caution, as guests might not respond to a shutdown
# request). The default value is 300 seconds (5 minutes).
#SHUTDOWN_TIMEOUT=300
# If non-zero, try to bypass the file system cache when saving and
# restoring guests, even though this may give slower operation for
# some file systems.
#BYPASS_CACHE=0
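Review bot: `ON_BOOT=<%= libvirt_guest_on_boot %>`, `ON_SHUTDOWN=<%= libvirt_guest_on_shutdown %>` and `PARALLEL_SHUTDOWN=<%= libvirt_parallel_shutdown %>` are written unquoted into a file the libvirt-guests init script sources as shell, and neither this template nor the defaults in `libvirt::kvm` check the values against the `start|ignore`, `suspend|shutdown` and integer forms the comments describe. A value containing whitespace or shell metacharacters therefore changes what the init script executes instead of being rejected; validating in the manifest, or at minimum quoting the values here (`ON_BOOT="<%= libvirt_guest_on_boot %>"`), closes that gap. The template also uses bare variable lookups while other templates in this commit were moved to the `@var` form; starting with `@libvirt_guest_on_boot` avoids a later deprecation pass.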


@ -239,11 +239,11 @@ class munin::server {
mode => "0775", mode => "0775",
owner => "munin", owner => "munin",
group => $apache::sslserver::group, group => $apache::sslserver::group,
seltype => "httpd_munin_content_t", seltype => "httpd_munin_rw_content_t",
require => Package["munin"], require => Package["munin"],
} }
selinux::manage_fcontext { "/var/cache/munin": selinux::manage_fcontext { "/var/cache/munin(/.*)?":
type => "munin_var_lib_t", type => "httpd_munin_rw_content_t",
before => File["/var/cache/munin"], before => File["/var/cache/munin"],
} }
mount { "/var/cache/munin": mount { "/var/cache/munin":

294
mythtv/files/myth.find_orphans.pl Executable file

@ -0,0 +1,294 @@
#!/usr/bin/perl
# check for recording anomalies -
# based somewhat on greg froese's "myth.rebuilddatabase.pl"
# -- Lincoln Dale <ltd@interlink.com.au>, September 2006
# 2007-03-11: Added pretty print of unknown files vs. orphaned thumbnails.
# (Robert Kulagowski) 2008-02-15: Added dryrun and rerecord options (David
# George)
# The intent of this script is to be able to find orphaned rows in the
# 'recorded' table (entries which don't have matching media files) and
# orphaned media files (potentially taking up gigabytes of otherwise usable
# disk space) which have no matching row in the 'recorded' db table.
#
# By default, running the script will simply return a list of problems it
# finds. Running with --dodbdelete will remove db recorded rows for which
# there is no matching media file. Running with --dodelete will delete
# media files for which there is no matching db record.
#
# This script may be useful to fix up some orphaned db entries (causes
# mythweb to run very slowly) as well as reclaim some disk space from some
# orphaned media files. (in an ideal world, neither of these would ever
# happen, but I've seen both happen in reality). This script makes it easy
# to keep track of whether it has or hasn't happened, even if you have
# thousands of recordings and terabytes of stored media.
#
# no warranties expressed or implied. if you run this and it deletes all
# your recordings and sets mythtv to fill up all your disk space with The
# Home Shopping Network, its entirely your fault.
#
# The dryrun option will allow you to see the db entries/files that will be
# deleted without actually executing them.
# The rerecord option is useful if you lose a hard drive in your storage
# group to tell the scheduler to re-record the lost programs (if they happen
# to be shown again).
my $progname = "myth.find_orphans.pl";
my $revision = "0.21";
use DBI;
use Sys::Hostname;
use Getopt::Long;
#
# options
#
my $opt_host = hostname;
my $opt_dbhost = $opt_host;
my $opt_database = "mythconverg";
my $opt_user = "mythtv";
my $opt_pass = "mythtv";
my $opt_ext = "{nuv,mpg,mpeg,avi}";
my $opt_dir = "";
my $opt_dodelete = 0;
my $opt_dodbdelete = 0;
my $debug = 0;
my $opt_help = 0;
my $opt_dryrun = 0;
my $opt_rerecord = 0;
GetOptions(
'host=s' => \$opt_host,
'dbhost=s' => \$opt_dbhost,
'database=s' => \$opt_database,
'user=s' => \$opt_user,
'pass=s' => \$opt_pass,
'dir=s' => \$opt_dir,
'dodelete' => \$opt_dodelete,
'dodbdelete' => \$opt_dodbdelete,
'dryrun' => \$opt_dryrun,
'rerecord' => \$opt_rerecord,
'debug+' => \$debug,
'help' => \$opt_help,
'h' => \$opt_help,
'v' => \$opt_help);
if ($opt_help) {
print<<EOF
$progname (rev $revision)
(checks MythTV recording directories for orphaned files)
options:
--host=(host) MythTV backend host ($opt_host)
--dbhost=(host) host where MySQL database for backend is ($opt_dbhost)
--database=(dbname) MythTV database ($opt_database)
--user=(user) MySQL MythTV database user ($opt_user)
--pass=(pass) MySQL MythTV database password ($opt_pass)
--dir=directories manually specify recording directories (otherwise setting is from database)
--debug increase debug level
--dodbdelete remove recorded db entries with no matching file (default: don't)
--dodelete delete files with no record (default: don't)
--dryrun display delete actions without doing them
--rerecord set db entries to re-record missing files (requires --dodbdelete)
EOF
;
exit(0);
}
#
# go go go!
#
my $valid_recordings = 0;
my $missing_recordings = 0;
my $errors = 0;
my $unknown_files = 0;
my $known_files = 0;
my $unknown_size = 0;
my $known_size = 0;
my $unknown_thumbnail = 0;
if (!($dbh = DBI->connect("dbi:mysql:database=$opt_database:host=$opt_dbhost","$opt_user","$opt_pass"))) {
die "Cannot connect to database $opt_database on host $opt_dbhost: $!\n";
}
if ($opt_dir eq "") {
&dir_lookup("SELECT dirname FROM storagegroup WHERE hostname=(?) AND groupname != 'DB Backups'");
&dir_lookup("SELECT data FROM settings WHERE value='RecordFilePrefix' AND hostname=(?)");
printf STDERR "Recording directories ($opt_host): $opt_dir\n" if $debug;
}
if ($opt_dir eq "") {
printf "ERROR: no directory found or specified\n";
exit 1;
}
foreach $d (split(/,/,$opt_dir)) {
$d =~ s/\/$//g; # strip trailing /
$dirs{$d}++;
}
#
# look in recorded table, make sure we can find every file ..
#
my $q = "SELECT title, subtitle, description, starttime, endtime, chanid, basename FROM recorded WHERE hostname=(?) ORDER BY starttime";
$sth = $dbh->prepare($q);
$sth->execute($opt_host) || die "Could not execute ($q): $!\n";
while (my @row=$sth->fetchrow_array) {
($title, $subtitle, $description ,$starttime, $endtime, $channel, $basename) = @row;
# see if we can find it...
$loc = find_file($basename);
if ($loc eq "") {
printf "Missing media: %s (title:%s, start:%s)\n",$basename,$title,$starttime;
$missing_recordings++;
if ($opt_dodbdelete) {
$title =~ s/"/\\"/g;
$subtitle =~ s/"/\\"/g;
$description =~ s/"/\\"/g;
my $sql = sprintf "DELETE FROM oldrecorded WHERE title LIKE \"%s\" AND subtitle LIKE \"%s\" AND description LIKE \"%s\" LIMIT 1", $title, $subtitle, $description;
printf "unmarking program as recorded: %s\n",$sql;
$dbh->do($sql) || die "Could not execute $sql: $!\n";
my $sql = sprintf "DELETE FROM recorded WHERE basename LIKE \"%s\" LIMIT 1",$basename;
printf "performing database delete: %s\n",$sql;
if (!$opt_dryrun) {
$dbh->do($sql) || die "Could not execute $sql: $!\n";
}
if ($opt_rerecord) {
my $sql = sprintf "UPDATE oldrecorded SET duplicate = 0 where title = \"%s\" and starttime = \"%s\" and chanid = \"%s\"",
$title, $starttime, $channel;
printf "updating oldrecorded: %s\n", $sql;
if (!$opt_dryrun) {
$dbh->do($sql) || die "Could not execute $sql: $!\n";
}
}
}
} else {
$valid_recordings++;
$seen_basename{$basename}++;
$seen_basename{$basename.".png"}++; # thumbnail
}
}
#
# look in recording directories, see if there are extra files not in database
#
foreach my $this_dir (keys %dirs) {
opendir(DIR, $this_dir) || die "cannot open directory $this_dir: $!\n";
foreach $this_file (readdir(DIR)) {
if (-f "$this_dir/$this_file") {
next if ($this_file eq "nfslockfile.lock");
my $this_filesize = -s "$this_dir/$this_file";
if ($seen_basename{$this_file} == 0) {
$sorted_filesizes{$this_filesize} .= sprintf "unknown file [%s]: %s/%s\n",pretty_filesize($this_filesize),$this_dir,$this_file;
$unknown_size += $this_filesize;
if (substr($this_file,-4) eq ".png") {
$unknown_thumbnail++;
}
else {
$unknown_files++;
}
if ($opt_dodelete) {
printf STDERR "deleting [%s]: %s/%s\n",pretty_filesize($this_filesize),$this_dir,$this_file;
if (!$opt_dryrun) {
unlink "$this_dir/$this_file";
if (-f "$this_dir/$this_file") {
$errors++;
printf "ERROR: could not delete $this_dir/$this_file\n";
}
}
}
} else {
$known_files++;
$known_size += $this_filesize;
printf "KNOWN file [%s]: %s/%s\n",pretty_filesize($this_filesize),$this_dir,$this_file if $debug;
}
} else {
printf "NOT A FILE: %s/%s\n",$this_dir,$this_file if $debug;
}
}
closedir DIR;
}
#
# finished, report results
#
foreach my $key (sort { $a <=> $b } keys %sorted_filesizes) {
printf $sorted_filesizes{$key};
}
printf "Summary:\n";
printf " Host: %s, Directories: %s\n", $opt_host, join(" ",keys %dirs);
printf " %d ERRORS ENCOUNTERED (see above for details)\n",$errors if ($errors > 0);
printf " %d valid recording%s, %d missing recording%s %s\n",
$valid_recordings, ($valid_recordings != 1 ? "s" : ""),
$missing_recordings, ($missing_recordings != 1 ? "s" : ""),
($missing_recordings > 0 ? ($opt_dodbdelete ? "were fixed" : "not fixed, check above is valid and use --dodbdelete to fix") : "");
printf " %d known media files using %s\n %d orphaned thumbnails with no corresponding recording\n %d unknown files using %s %s\n",
$known_files, pretty_filesize($known_size),
$unknown_thumbnail,$unknown_files, pretty_filesize($unknown_size),
($unknown_files > 0 ? ($opt_dodelete ? "were fixed" : "not fixed, check above and use --dodelete to clean up if the above output is accurate") : "");
exit(0);
###########################################################################
# filesize bling
sub pretty_filesize
{
local($fsize) = @_;
return sprintf "%0.1fGB",($fsize / 1000000000) if ($fsize >= 1000000000);
return sprintf "%0.1fMB",($fsize / 1000000) if ($fsize >= 1000000);
return sprintf "%0.1fKB",($fsize / 1000) if ($fsize >= 1000);
return sprintf "%0.0fB",$fsize;
}
###########################################################################
# find a file in directories without globbing
sub find_file
{
local($fname) = @_;
foreach my $d (keys %dirs) {
my $f = $d."/".$fname;
if (-e $f) {
return $f;
}
}
return;
}
###########################################################################
sub dir_lookup
{
my $query = shift;
$sth = $dbh->prepare($query);
$sth->execute($opt_host) || die "Could not execute ($dir_query)";
while (my @row = $sth->fetchrow_array) {
$opt_dir .= "," if ($opt_dir ne "");
$opt_dir .= $row[0];
}
}
###########################################################################


@ -19,7 +19,7 @@ mysql -h "${DBHostName}" -u"${DBUserName}" -p"${DBPassword}" -s \
"${DBName}" | egrep -q "^[1-9][0-9]*\$" || exit 0 "${DBName}" | egrep -q "^[1-9][0-9]*\$" || exit 0
# find orphans and print stats if found # find orphans and print stats if found
perl /usr/share/doc/mythtv-docs-${MYTHVERSION}/contrib/maintenance/myth.find_orphans.pl \ perl /usr/local/bin/myth.find_orphans.pl \
--dbhost="${DBHostName}" \ --dbhost="${DBHostName}" \
--database="${DBName}" \ --database="${DBName}" \
--user="${DBUserName}" \ --user="${DBUserName}" \
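Review bot: The changed `perl` line now executes the copy of `myth.find_orphans.pl` that this commit vendors under `mythtv/files/` instead of the distribution's contrib script, which makes that copy this repository's responsibility to review. It builds its `DELETE FROM recorded WHERE basename LIKE "..."` and `DELETE FROM oldrecorded ... LIKE` statements with `sprintf`, escaping only double quotes, so a title or basename containing `\`, `%` or `_` can match a different row than intended and, with `--dodbdelete`, remove it; DBI placeholders such as `$dbh->do("DELETE FROM recorded WHERE basename = ? LIMIT 1", undef, $basename)` avoid both the escaping and the wildcard problem. If the wrapper also passes `--pass` on the command line (the lines after this hunk are not shown), the database password is visible to every local user in the process list while the script runs; reading it from a credentials file (DBD::mysql supports `mysql_read_default_file`) would be preferable. I would track these as a follow-up rather than block the path change.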


@ -121,8 +121,16 @@ class mythtv::backend {
ensure => present, ensure => present,
source => "puppet:///modules/mythtv/mythorphans", source => "puppet:///modules/mythtv/mythorphans",
mode => "0755", mode => "0755",
owner => root, owner => "root",
group => root, group => "root",
require => File["/usr/local/bin/myth.find_orphans.pl"],
}
file { "/usr/local/bin/myth.find_orphans.pl":
ensure => present,
source => "puppet:///modules/mythtv/myth.find_orphans.pl",
mode => "0755",
owner => "root",
group => "root",
} }
} }


@ -10,4 +10,11 @@
</DefaultBackend> </DefaultBackend>
</MythFrontend> </MythFrontend>
</UPnP> </UPnP>
<Database>
<Host><%= mythtv_dbhost %></Host>
<UserName><%= mythtv_dbuser %></UserName>
<Password><%= mythtv_dbpass %></Password>
<DatabaseName><%= mythtv_dbname %></DatabaseName>
<Port>3306</Port>
</Database>
</Configuration> </Configuration>
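Review bot: The new `<Password><%= mythtv_dbpass %></Password>` element places the database password in the rendered config.xml, so the `file` resource that renders this template (not in this hunk) needs a restrictive mode and the mythtv user as owner rather than a world-readable default; please confirm that in the manifest. None of the four values is XML-escaped before interpolation, so a password or host containing `&`, `<` or `>` yields a malformed document that the frontend will reject; escaping at the point of use (e.g. `<%= CGI.escapeHTML(mythtv_dbpass) %>` after a `require 'cgi'`) keeps the file well-formed. The hard-coded `<Port>3306</Port>` could follow the same variable pattern as the other fields if a non-default port is ever needed.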

256
nagios/files/commands.cfg Normal file

@ -0,0 +1,256 @@
###############################################################################
# COMMANDS.CFG - SAMPLE COMMAND DEFINITIONS FOR NAGIOS 3.4.1
#
# Last Modified: 05-31-2007
#
# NOTES: This config file provides you with some example command definitions
# that you can reference in host, service, and contact definitions.
#
# You don't need to keep commands in a separate file from your other
# object definitions. This has been done just to make things easier to
# understand.
#
###############################################################################
################################################################################
#
# SAMPLE NOTIFICATION COMMANDS
#
# These are some example notification commands. They may or may not work on
# your system without modification. As an example, some systems will require
# you to use "/usr/bin/mailx" instead of "/usr/bin/mail" in the commands below.
#
################################################################################
# 'notify-host-by-email' command definition
define command{
command_name notify-host-by-email
command_line /usr/bin/printf "%b" "***** Nagios *****\n\nNotification Type: $NOTIFICATIONTYPE$\nHost: $HOSTNAME$\nState: $HOSTSTATE$\nAddress: $HOSTADDRESS$\nInfo: $HOSTOUTPUT$\n\nDate/Time: $LONGDATETIME$\n" | /bin/mail -s "** $NOTIFICATIONTYPE$ Host Alert: $HOSTNAME$ is $HOSTSTATE$ **" $CONTACTEMAIL$
}
# 'notify-service-by-email' command definition
define command{
command_name notify-service-by-email
command_line /usr/bin/printf "%b" "***** Nagios *****\n\nNotification Type: $NOTIFICATIONTYPE$\n\nService: $SERVICEDESC$\nHost: $HOSTALIAS$\nAddress: $HOSTADDRESS$\nState: $SERVICESTATE$\n\nDate/Time: $LONGDATETIME$\n\nAdditional Info:\n\n$SERVICEOUTPUT$\n" | /bin/mail -s "** $NOTIFICATIONTYPE$ Service Alert: $HOSTALIAS$/$SERVICEDESC$ is $SERVICESTATE$ **" $CONTACTEMAIL$
}
################################################################################
#
# SAMPLE HOST CHECK COMMANDS
#
################################################################################
# This command checks to see if a host is "alive" by pinging it
# The check must result in a 100% packet loss or 5 second (5000ms) round trip
# average time to produce a critical error.
# Note: Five ICMP echo packets are sent (determined by the '-p 5' argument)
# 'check-host-alive' command definition
define command{
command_name check-host-alive
command_line $USER1$/check_ping -H $HOSTADDRESS$ -w 3000.0,80% -c 5000.0,100% -p 5
}
################################################################################
#
# SAMPLE SERVICE CHECK COMMANDS
#
# These are some example service check commands. They may or may not work on
# your system, as they must be modified for your plugins. See the HTML
# documentation on the plugins for examples of how to configure command definitions.
#
# NOTE: The following 'check_local_...' functions are designed to monitor
# various metrics on the host that Nagios is running on (i.e. this one).
################################################################################
# 'check_local_disk' command definition
define command{
command_name check_local_disk
command_line $USER1$/check_disk -w $ARG1$ -c $ARG2$ -p $ARG3$
}
# 'check_local_load' command definition
define command{
command_name check_local_load
command_line $USER1$/check_load -w $ARG1$ -c $ARG2$
}
# 'check_local_procs' command definition
define command{
command_name check_local_procs
command_line $USER1$/check_procs -w $ARG1$ -c $ARG2$ -s $ARG3$
}
# 'check_local_users' command definition
define command{
command_name check_local_users
command_line $USER1$/check_users -w $ARG1$ -c $ARG2$
}
# 'check_local_swap' command definition
define command{
command_name check_local_swap
command_line $USER1$/check_swap -w $ARG1$ -c $ARG2$
}
# 'check_local_mrtgtraf' command definition
define command{
command_name check_local_mrtgtraf
command_line $USER1$/check_mrtgtraf -F $ARG1$ -a $ARG2$ -w $ARG3$ -c $ARG4$ -e $ARG5$
}
################################################################################
# NOTE: The following 'check_...' commands are used to monitor services on
# both local and remote hosts.
################################################################################
# 'check_ftp' command definition
define command{
command_name check_ftp
command_line $USER1$/check_ftp -H $HOSTADDRESS$ $ARG1$
}
# 'check_hpjd' command definition
define command{
command_name check_hpjd
command_line $USER1$/check_hpjd -H $HOSTADDRESS$ $ARG1$
}
# 'check_snmp' command definition
define command{
command_name check_snmp
command_line $USER1$/check_snmp -H $HOSTADDRESS$ $ARG1$
}
# 'check_http' command definition
define command{
command_name check_http
command_line $USER1$/check_http -I $HOSTADDRESS$ $ARG1$
}
# 'check_ssh' command definition
define command{
command_name check_ssh
command_line $USER1$/check_ssh $ARG1$ $HOSTADDRESS$
}
# 'check_dhcp' command definition
define command{
command_name check_dhcp
command_line $USER1$/check_dhcp $ARG1$
}
# 'check_ping' command definition
define command{
command_name check_ping
command_line $USER1$/check_ping -H $HOSTADDRESS$ -w $ARG1$ -c $ARG2$ -p 5
}
# 'check_pop' command definition
define command{
command_name check_pop
command_line $USER1$/check_pop -H $HOSTADDRESS$ $ARG1$
}
# 'check_imap' command definition
define command{
command_name check_imap
command_line $USER1$/check_imap -H $HOSTADDRESS$ $ARG1$
}
# 'check_smtp' command definition
define command{
command_name check_smtp
command_line $USER1$/check_smtp -H $HOSTADDRESS$ $ARG1$
}
# 'check_tcp' command definition
define command{
command_name check_tcp
command_line $USER1$/check_tcp -H $HOSTADDRESS$ -p $ARG1$ $ARG2$
}
# 'check_udp' command definition
define command{
command_name check_udp
command_line $USER1$/check_udp -H $HOSTADDRESS$ -p $ARG1$ $ARG2$
}
# 'check_nt' command definition
define command{
command_name check_nt
command_line $USER1$/check_nt -H $HOSTADDRESS$ -p 12489 -v $ARG1$ $ARG2$
}
# 'check_nrpe' command definition
define command{
command_name check_nrpe
command_line $USER1$/check_nrpe -H $HOSTADDRESS$ -c $ARG1$
}
################################################################################
#
# SAMPLE PERFORMANCE DATA COMMANDS
#
# These are sample performance data commands that can be used to send performance
# data output to two text files (one for hosts, another for services). If you
# plan on simply writing performance data out to a file, consider using the
# host_perfdata_file and service_perfdata_file options in the main config file.
#
################################################################################
# 'process-host-perfdata' command definition
define command{
command_name process-host-perfdata
command_line /usr/bin/printf "%b" "$LASTHOSTCHECK$\t$HOSTNAME$\t$HOSTSTATE$\t$HOSTATTEMPT$\t$HOSTSTATETYPE$\t$HOSTEXECUTIONTIME$\t$HOSTOUTPUT$\t$HOSTPERFDATA$\n" >> /var/log/nagios/host-perfdata.out
}
# 'process-service-perfdata' command definition
define command{
command_name process-service-perfdata
command_line /usr/bin/printf "%b" "$LASTSERVICECHECK$\t$HOSTNAME$\t$SERVICEDESC$\t$SERVICESTATE$\t$SERVICEATTEMPT$\t$SERVICESTATETYPE$\t$SERVICEEXECUTIONTIME$\t$SERVICELATENCY$\t$SERVICEOUTPUT$\t$SERVICEPERFDATA$\n" >> /var/log/nagios/service-perfdata.out
}
define command{
command_name notify-host-by-prowl
command_line /usr/bin/curl -s -o /dev/null -F apikey="$CONTACTADDRESS1$" -F application="Nagios" -F event="$NOTIFICATIONTYPE$ Host Alert" -F description="$HOSTNAME$ is $HOSTSTATE$ '$HOSTOUTPUT$'" "https://prowl.weks.net/publicapi/add"
}
define command{
command_name notify-service-by-prowl
command_line /usr/bin/curl -s -o /dev/null -F apikey="$CONTACTADDRESS1$" -F application="Nagios" -F event="$NOTIFICATIONTYPE$ Service Alert" -F description="$HOSTALIAS$/$SERVICEDESC$ is $SERVICESTATE$ '$SERVICEOUTPUT$'" "https://prowl.weks.net/publicapi/add"
}
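Review bot: The two Prowl commands appended to the upstream sample (`notify-host-by-prowl`, `notify-service-by-prowl`) pass the Prowl API key on the curl command line through `-F apikey="$CONTACTADDRESS1$"`, so every local user can read it from the process list for the duration of the HTTPS request, and it lands in any shell/audit logging of child commands. curl can take a form field from a file instead: keep one root/nagios-readable 0600 file per contact and use `-F "apikey=</etc/nagios/private/prowl/$CONTACTNAME$"`, leaving only a path on argv. Note also that `$HOSTOUTPUT$`/`$SERVICEOUTPUT$` are spliced into a double-quoted shell argument here; that is only safe because Nagios strips the characters listed in `illegal_macro_output_chars` first, and that setting lives in the nagios.cfg files this commit adds but the page does not show — worth confirming they still list `` ` `` `$` `"` `|` `&`.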


@ -0,0 +1,5 @@
AuthType Basic
AuthName "Nagios"
AuthUserFile /etc/nagios3/htpasswd.users
require valid-user
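Review bot: Nothing in the `nagios::server` class added by this commit creates or manages `/etc/nagios3/htpasswd.users` (nor `/etc/nagios/passwd` named by the RedHat twin of this file), so the Basic-auth gate these `.htaccess` files establish depends on a credential file provisioned by hand; on a freshly built host either every request is denied until someone runs htpasswd, or whatever the package left there (possibly a default account) is what protects the CGIs. Either manage the file, e.g. `file { "${etcdir}/htpasswd.users": source => "puppet:///files/nagios/htpasswd", mode => "0640", owner => "root", group => "www-data" }`, or add a comment here naming where it comes from: `# htpasswd.users is maintained outside Puppet; see the ops runbook`.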


@ -0,0 +1,5 @@
AuthType Basic
AuthName "Nagios"
AuthUserFile /etc/nagios/passwd
require valid-user



440
nagios/manifests/init.pp Normal file

@ -0,0 +1,440 @@
class nagios::server {
case $operatingsystem {
"centos","redhat","fedora": {
$etcdir = "/etc/nagios"
$confdir = "${etcdir}/conf.d"
$package = "nagios"
$service = "nagios"
$scriptalias = "/nagios/cgi-bin/"
$cgibin = $architecture ? {
"x86_64" => "/usr/lib64/nagios/cgi-bin",
default => "/usr/lib/nagios/cgi-bin",
}
$htdocs = "/usr/share/nagios/html"
}
"ubuntu","debian": {
$etcdir = "/etc/nagios3"
$confdir = "${etcdir}/conf.d"
$package = "nagios3"
$service = "nagios3"
$scriptalias = "/cgi-bin/nagios3/"
$cgibin = "/usr/lib/cgi-bin/nagios3"
$htdocs = "/usr/share/nagios3/htdocs"
}
default: {
fail("nagios::server not supported on ${::operatingsystem}")
}
}
package { "nagios":
name => $package,
ensure => installed,
}
case $operatingsystem {
"centos","redhat","fedora": {
package { [ "nagios-plugins-all",
"nagios-plugins-nrpe", ]:
ensure => installed,
}
}
"ubuntu","debian": {
package { [ "nagios-plugins",
"nagios-nrpe-plugin", ]:
ensure => installed,
}
}
}
service { "nagios":
name => $service,
ensure => running,
enable => true,
}
apache::configfile { "nagios.conf":
content => template("nagios/nagios-httpd.conf.erb"),
}
file { [ "${htdocs}/.htaccess", "${cgibin}/.htaccess" ]:
ensure => present,
mode => "0644",
owner => "root",
group => "root",
source => [ "puppet:///files/nagios/htaccess",
"puppet:///modules/nagios/htaccess.${osfamily}", ],
require => Package["nagios"],
}
file { "/etc/nagios/nagios.cfg":
name => "${etcdir}/nagios.cfg",
ensure => present,
mode => "0644",
owner => "root",
group => "root",
source => "puppet:///modules/nagios/nagios.cfg.${osfamily}",
require => Package["nagios"],
notify => Service["nagios"],
}
file { "/etc/nagios/cgi.cfg":
name => "${etcdir}/cgi.cfg",
ensure => present,
mode => "0644",
owner => "root",
group => "root",
content => template("nagios/cgi.cfg.erb"),
require => Package["nagios"],
notify => Service["nagios"],
}
file { "/etc/nagios/commands.cfg":
name => "${etcdir}/commands.cfg",
ensure => present,
mode => "0644",
owner => "root",
group => "root",
source => "puppet:///modules/nagios/commands.cfg",
require => Package["nagios"],
notify => Service["nagios"],
}
file { "/etc/nagios/conf.d":
name => $confdir,
ensure => directory,
mode => "0640",
owner => "root",
group => "nagios",
purge => true,
force => true,
recurse => true,
source => "puppet:///modules/custom/empty",
require => Package["nagios"],
}
file { "${confdir}/contactgroup_all.cfg":
ensure => present,
mode => "0640",
owner => "root",
group => "nagios",
before => Nagios_Contactgroup["all"],
require => File["/etc/nagios/conf.d"],
}
nagios_contactgroup { "all":
target => "${confdir}/contactgroup_all.cfg",
members => "*",
notify => Service["nagios"],
}
file { "${confdir}/host_default.cfg":
ensure => present,
mode => "0640",
owner => "root",
group => "nagios",
before => Nagios_Host["default"],
require => File["/etc/nagios/conf.d"],
}
nagios_host { "default":
target => "${confdir}/host_default.cfg",
register => "0",
notifications_enabled => "1",
event_handler_enabled => "1",
flap_detection_enabled => "1",
failure_prediction_enabled => "1",
process_perf_data => "1",
retain_status_information => "1",
retain_nonstatus_information => "1",
check_command => "check-host-alive",
max_check_attempts => "5",
notification_interval => "0",
notification_period => "24x7",
notification_options => "d,u,r",
contact_groups => "all",
notify => Service["nagios"],
}
file { "${confdir}/service_default.cfg":
ensure => present,
mode => "0640",
owner => "root",
group => "nagios",
before => Nagios_Service["default"],
require => File["/etc/nagios/conf.d"],
}
nagios_service { "default":
target => "${confdir}/service_default.cfg",
register => "0",
active_checks_enabled => "1",
passive_checks_enabled => "1",
parallelize_check => "1",
obsess_over_service => "1",
check_freshness => "0",
notifications_enabled => "1",
event_handler_enabled => "1",
flap_detection_enabled => "1",
failure_prediction_enabled => "1",
process_perf_data => "1",
retain_status_information => "1",
retain_nonstatus_information => "1",
notification_interval => "0",
is_volatile => "0",
check_period => "24x7",
normal_check_interval => "5",
retry_check_interval => "1",
max_check_attempts => "2",
notification_period => "24x7",
notification_options => "w,u,c,r",
contact_groups => "all",
notify => Service["nagios"],
}
file { "${confdir}/timeperiod_24x7.cfg":
ensure => present,
mode => "0640",
owner => "root",
group => "nagios",
before => Nagios_Timeperiod["24x7"],
require => File["/etc/nagios/conf.d"],
}
nagios_timeperiod { "24x7":
target => "${confdir}/timeperiod_24x7.cfg",
alias => "24x7",
monday => "00:00-24:00",
tuesday => "00:00-24:00",
wednesday => "00:00-24:00",
thursday => "00:00-24:00",
friday => "00:00-24:00",
saturday => "00:00-24:00",
sunday => "00:00-24:00",
notify => Service["nagios"],
}
Nagios::Host <<||>> {
confdir => $confdir,
notify => Service["nagios"],
}
Nagios::Service <<||>> {
confdir => $confdir,
notify => Service["nagios"],
}
}
define nagios::contact::email($confdir=$nagios::server::confdir) {
file { "${confdir}/contact_${name}.cfg":
ensure => present,
mode => "0640",
owner => "root",
group => "nagios",
before => Nagios_Contact[$name],
require => File["/etc/nagios/conf.d"],
}
nagios_contact { $name:
target => "${confdir}/contact_${name}.cfg",
host_notification_commands => "notify-host-by-email",
host_notification_options => "d,r",
host_notification_period => "24x7",
service_notification_commands => "notify-service-by-email",
service_notification_options => "w,u,c,r",
service_notification_period => "24x7",
email => $name,
notify => Service["nagios"],
}
}
define nagios::contact::prowl($confdir=$nagios::server::confdir) {
file { "${confdir}/contact_${name}.cfg":
ensure => present,
mode => "0640",
owner => "root",
group => "nagios",
before => Nagios_Contact[$name],
require => File["/etc/nagios/conf.d"],
}
nagios_contact { $name:
target => "${confdir}/contact_${name}.cfg",
host_notification_commands => "notify-host-by-prowl",
host_notification_options => "d,r",
host_notification_period => "24x7",
service_notification_commands => "notify-service-by-prowl",
service_notification_options => "w,u,c,r",
service_notification_period => "24x7",
address1 => $name,
notify => Service["nagios"],
}
}
define nagios::host($confdir, $operatingsystem) {
file { "${confdir}/host_${name}.cfg":
ensure => present,
mode => "0640",
owner => "root",
group => "nagios",
before => Nagios_Host[$name],
require => File["/etc/nagios/conf.d"],
}
nagios_host { $name:
ensure => present,
use => "default",
target => "${confdir}/host_${name}.cfg"
}
# file { "${confdir}/hostextinfo_${name}.cfg":
# ensure => present,
# mode => "0640",
# owner => "root",
# group => "nagios",
# before => Nagios_Hostextinfo[$name],
# require => File["/etc/nagios/conf.d"],
# }
# nagios_hostextinfo { $name:
# ensure => present,
# icon_image_alt => $operatingsystem,
# icon_image => "base/${operatingsystem}.png",
# statusmap_image => "base/${operatingsystem}.gd2",
# target => "${confdir}/hostextinfo_${name}.cfg"
# }
}
define nagios::service($confdir, $host, $command, $description) {
file { "${confdir}/service_${name}.cfg":
ensure => present,
mode => "0640",
owner => "root",
group => "nagios",
before => Nagios_Service[$name],
require => File["/etc/nagios/conf.d"],
}
nagios_service { $name:
host_name => $host,
check_command => $command,
service_description => $description,
use => "default",
target => "${confdir}/service_${name}.cfg"
}
}
class nagios::target {
@@nagios::host { $fqdn:
operatingsystem => inline_template("<%= operatingsystem.downcase %>")
}
}
class nagios::target::nrpe {
if !$nagios_allow {
$nagios_allow = "127.0.0.1"
}
include nagios::target
case $operatingsystem {
"centos","redhat","fedora": {
package { [ "nrpe",
"nagios-plugins-disk",
"nagios-plugins-load",
"nagios-plugins-procs",
"nagios-plugins-users", ]:
ensure => installed,
before => [ Augeas["nrpe-allow"], Service["nrpe"] ],
}
$service = "nrpe"
}
"ubuntu","debian": {
package { [ "nagios-nrpe-server",
"nagios-plugins-basic", ]:
ensure => installed,
before => [ Augeas["nrpe-allow"], Service["nrpe"] ],
}
$service = "nagios-nrpe-server"
}
}
service { "nrpe":
name => $service,
ensure => running,
enable => true,
}
augeas { "nrpe-allow":
context => "/files/etc/nagios/nrpe.cfg",
changes => "set allowed_hosts '${nagios_allow}'",
notify => Service["nrpe"],
}
@@nagios::service { "${fqdn}_load":
host => $fqdn,
command => "check_nrpe!check_load",
description => "Load",
}
}
class nagios::target::ssh {
include nagios::target
@@nagios::service { "${fqdn}_ssh":
host => $fqdn,
command => "check_ssh",
description => "SSH",
}
}
class nagios::target::http {
include nagios::target
@@nagios::service { "${fqdn}_http":
host => $fqdn,
command => "check_http",
description => "HTTP",
}
}
class nagios::target::https {
include nagios::target
@@nagios::service { "${fqdn}_https":
host => $fqdn,
command => "check_http!--ssl",
description => "HTTPS",
}
}
class nagios::target::smtp {
include nagios::target
@@nagios::service { "${fqdn}_smtp":
host => $fqdn,
command => "check_smtp",
description => "SMTP",
}
}
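Review bot: The collectors `Nagios::Host <<||>>` and `Nagios::Service <<||>>` in `nagios::server` take every exported host and service in the Puppet database with no tag or environment filter, and `define nagios::service` passes the exporting node's `$command` straight into `check_command`; any agent holding a valid Puppet certificate — a test box or a compromised node — can therefore add entries to this server's configuration and choose which plugin and arguments (`check_nrpe!…`, `check_http!--ssl`, …) the Nagios server runs against whatever `host_name` it names. Tag the exports (`tag => "nagios"` on each `@@nagios::host` / `@@nagios::service` declaration, or a per-environment tag) and collect with `Nagios::Host <<| tag == "nagios" |>>` / `Nagios::Service <<| tag == "nagios" |>>`, and state in a comment that exported objects are trusted as-is. Separately, `nagios::target::nrpe` defaults `$nagios_allow` to `127.0.0.1` before writing it into `allowed_hosts`, so the `check_nrpe!check_load` service it exports is rejected by the agent until the server's address is supplied; a comment on that default (`# must include the Nagios server's address or NRPE refuses the check`) would save the next person a debugging round.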


@ -0,0 +1,387 @@
#################################################################
#
# CGI.CFG - Sample CGI Configuration File for Nagios 3.4.1
#
# Last Modified: 06-17-2009
#
#################################################################
# MAIN CONFIGURATION FILE
# This tells the CGIs where to find your main configuration file.
# The CGIs will read the main and host config files for any other
# data they might need.
main_config_file=<%= etcdir %>/nagios.cfg
# PHYSICAL HTML PATH
# This is the path where the HTML files for Nagios reside. This
# value is used to locate the logo images needed by the statusmap
# and statuswrl CGIs.
physical_html_path=<%= htdocs %>
# URL HTML PATH
# This is the path portion of the URL that corresponds to the
# physical location of the Nagios HTML files (as defined above).
# This value is used by the CGIs to locate the online documentation
# and graphics. If you access the Nagios pages with an URL like
# http://www.myhost.com/nagios, this value should be '/nagios'
# (without the quotes).
url_html_path=/nagios
# CONTEXT-SENSITIVE HELP
# This option determines whether or not a context-sensitive
# help icon will be displayed for most of the CGIs.
# Values: 0 = disables context-sensitive help
# 1 = enables context-sensitive help
show_context_help=0
# PENDING STATES OPTION
# This option determines what states should be displayed in the web
# interface for hosts/services that have not yet been checked.
# Values: 0 = leave hosts/services that have not been check yet in their original state
# 1 = mark hosts/services that have not been checked yet as PENDING
use_pending_states=1
# NAGIOS PROCESS CHECK COMMAND
# This is the full path and filename of the program used to check
# the status of the Nagios process. It is used only by the CGIs
# and is completely optional. However, if you don't use it, you'll
# see warning messages in the CGIs about the Nagios process
# not running and you won't be able to execute any commands from
# the web interface. The program should follow the same rules
# as plugins; the return codes are the same as for the plugins,
# it should have timeout protection, it should output something
# to STDIO, etc.
#
# Note: The command line for the check_nagios plugin below may
# have to be tweaked a bit, as different versions of the plugin
# use different command line arguments/syntaxes.
<% if osfamily == 'Debian' -%>
nagios_check_command=/usr/lib/nagios/plugins/check_nagios /var/cache/nagios3/status.dat 5 '/usr/sbin/nagios3'
<% else -%>
<% if architecture == 'x86_64' %>
nagios_check_command=/usr/lib64/nagios/plugins/check_nagios /var/log/nagios/status.dat 5 '/usr/sbin/nagios'
<% else -%>
nagios_check_command=/usr/lib/nagios/plugins/check_nagios /var/log/nagios/status.dat 5 '/usr/sbin/nagios'
<% end -%>
<% end -%>
# AUTHENTICATION USAGE
# This option controls whether or not the CGIs will use any
# authentication when displaying host and service information, as
# well as committing commands to Nagios for processing.
#
# Read the HTML documentation to learn how the authorization works!
#
# NOTE: It is a really *bad* idea to disable authorization, unless
# you plan on removing the command CGI (cmd.cgi)! Failure to do
# so will leave you wide open to kiddies messing with Nagios and
# possibly hitting you with a denial of service attack by filling up
# your drive by continuously writing to your command file!
#
# Setting this value to 0 will cause the CGIs to *not* use
# authentication (bad idea), while any other value will make them
# use the authentication functions (the default).
use_authentication=1
# x509 CERT AUTHENTICATION
# When enabled, this option allows you to use x509 cert (SSL)
# authentication in the CGIs. This is an advanced option and should
# not be enabled unless you know what you're doing.
use_ssl_authentication=0
# DEFAULT USER
# Setting this variable will define a default user name that can
# access pages without authentication. This allows people within a
# secure domain (i.e., behind a firewall) to see the current status
# without authenticating. You may want to use this to avoid basic
# authentication if you are not using a secure server since basic
# authentication transmits passwords in the clear.
#
# Important: Do not define a default username unless you are
# running a secure web server and are sure that everyone who has
# access to the CGIs has been authenticated in some manner! If you
# define this variable, anyone who has not authenticated to the web
# server will inherit all rights you assign to this user!
#default_user_name=guest
# SYSTEM/PROCESS INFORMATION ACCESS
# This option is a comma-delimited list of all usernames that
# have access to viewing the Nagios process information as
# provided by the Extended Information CGI (extinfo.cgi). By
# default, *no one* has access to this unless you choose to
# not use authorization. You may use an asterisk (*) to
# authorize any user who has authenticated to the web server.
authorized_for_system_information=*
# CONFIGURATION INFORMATION ACCESS
# This option is a comma-delimited list of all usernames that
# can view ALL configuration information (hosts, commands, etc).
# By default, users can only view configuration information
# for the hosts and services they are contacts for. You may use
# an asterisk (*) to authorize any user who has authenticated
# to the web server.
authorized_for_configuration_information=*
# SYSTEM/PROCESS COMMAND ACCESS
# This option is a comma-delimited list of all usernames that
# can issue shutdown and restart commands to Nagios via the
# command CGI (cmd.cgi). Users in this list can also change
# the program mode to active or standby. By default, *no one*
# has access to this unless you choose to not use authorization.
# You may use an asterisk (*) to authorize any user who has
# authenticated to the web server.
authorized_for_system_commands=
# GLOBAL HOST/SERVICE VIEW ACCESS
# These two options are comma-delimited lists of all usernames that
# can view information for all hosts and services that are being
# monitored. By default, users can only view information
# for hosts or services that they are contacts for (unless you
# you choose to not use authorization). You may use an asterisk (*)
# to authorize any user who has authenticated to the web server.
authorized_for_all_services=*
authorized_for_all_hosts=*
# GLOBAL HOST/SERVICE COMMAND ACCESS
# These two options are comma-delimited lists of all usernames that
# can issue host or service related commands via the command
# CGI (cmd.cgi) for all hosts and services that are being monitored.
# By default, users can only issue commands for hosts or services
# that they are contacts for (unless you you choose to not use
# authorization). You may use an asterisk (*) to authorize any
# user who has authenticated to the web server.
authorized_for_all_service_commands=
authorized_for_all_host_commands=
# READ-ONLY USERS
# A comma-delimited list of usernames that have read-only rights in
# the CGIs. This will block any service or host commands normally shown
# on the extinfo CGI pages. It will also block comments from being shown
# to read-only users.
#authorized_for_read_only=user1,user2
# STATUSMAP BACKGROUND IMAGE
# This option allows you to specify an image to be used as a
# background in the statusmap CGI. It is assumed that the image
# resides in the HTML images path (i.e. /usr/local/nagios/share/images).
# This path is automatically determined by appending "/images"
# to the path specified by the 'physical_html_path' directive.
# Note: The image file may be in GIF, PNG, JPEG, or GD2 format.
# However, I recommend that you convert your image to GD2 format
# (uncompressed), as this will cause less CPU load when the CGI
# generates the image.
#statusmap_background_image=smbackground.gd2
# STATUSMAP TRANSPARENCY INDEX COLOR
# These options set the r,g,b values of the background color used the statusmap CGI,
# so normal browsers that can't show real png transparency set the desired color as
# a background color instead (to make it look pretty).
# Defaults to white: (R,G,B) = (255,255,255).
#color_transparency_index_r=255
#color_transparency_index_g=255
#color_transparency_index_b=255
# DEFAULT STATUSMAP LAYOUT METHOD
# This option allows you to specify the default layout method
# the statusmap CGI should use for drawing hosts. If you do
# not use this option, the default is to use user-defined
# coordinates. Valid options are as follows:
# 0 = User-defined coordinates
# 1 = Depth layers
# 2 = Collapsed tree
# 3 = Balanced tree
# 4 = Circular
# 5 = Circular (Marked Up)
default_statusmap_layout=5
# DEFAULT STATUSWRL LAYOUT METHOD
# This option allows you to specify the default layout method
# the statuswrl (VRML) CGI should use for drawing hosts. If you
# do not use this option, the default is to use user-defined
# coordinates. Valid options are as follows:
# 0 = User-defined coordinates
# 2 = Collapsed tree
# 3 = Balanced tree
# 4 = Circular
default_statuswrl_layout=4
# STATUSWRL INCLUDE
# This option allows you to include your own objects in the
# generated VRML world. It is assumed that the file
# resides in the HTML path (i.e. /usr/local/nagios/share).
#statuswrl_include=myworld.wrl
# PING SYNTAX
# This option determines what syntax should be used when
# attempting to ping a host from the WAP interface (using
# the statuswml CGI. You must include the full path to
# the ping binary, along with all required options. The
# $HOSTADDRESS$ macro is substituted with the address of
# the host before the command is executed.
# Please note that the syntax for the ping binary is
# notorious for being different on virtually ever *NIX
# OS and distribution, so you may have to tweak this to
# work on your system.
ping_syntax=/bin/ping -n -U -c 5 $HOSTADDRESS$
# REFRESH RATE
# This option allows you to specify the refresh rate in seconds
# of various CGIs (status, statusmap, extinfo, and outages).
refresh_rate=90
# DEFAULT PAGE LIMIT
# This option allows you to specify the default number of results
# displayed on the status.cgi. This number can be adjusted from
# within the UI after the initial page load. Setting this to 0
# will show all results.
result_limit=100
# ESCAPE HTML TAGS
# This option determines whether HTML tags in host and service
# status output is escaped in the web interface. If enabled,
# your plugin output will not be able to contain clickable links.
escape_html_tags=1
# SOUND OPTIONS
# These options allow you to specify an optional audio file
# that should be played in your browser window when there are
# problems on the network. The audio files are used only in
# the status CGI. Only the sound for the most critical problem
# will be played. Order of importance (higher to lower) is as
# follows: unreachable hosts, down hosts, critical services,
# warning services, and unknown services. If there are no
# visible problems, the sound file optionally specified by
# 'normal_sound' variable will be played.
#
#
# <varname>=<sound_file>
#
# Note: All audio files must be placed in the /media subdirectory
# under the HTML path (i.e. /usr/local/nagios/share/media/).
#host_unreachable_sound=hostdown.wav
#host_down_sound=hostdown.wav
#service_critical_sound=critical.wav
#service_warning_sound=warning.wav
#service_unknown_sound=warning.wav
#normal_sound=noproblem.wav
# URL TARGET FRAMES
# These options determine the target frames in which notes and
# action URLs will open.
action_url_target=_blank
notes_url_target=_blank
# LOCK AUTHOR NAMES OPTION
# This option determines whether users can change the author name
# when submitting comments, scheduling downtime. If disabled, the
# author names will be locked into their contact name, as defined in Nagios.
# Values: 0 = allow editing author names
# 1 = lock author names (disallow editing)
lock_author_names=1
# SPLUNK INTEGRATION OPTIONS
# These options allow you to enable integration with Splunk
# in the web interface. If enabled, you'll be presented with
# "Splunk It" links in various places in the CGIs (log file,
# alert history, host/service detail, etc). Useful if you're
# trying to research why a particular problem occurred.
# For more information on Splunk, visit http://www.splunk.com/
# This option determines whether the Splunk integration is enabled
# Values: 0 = disable Splunk integration
# 1 = enable Splunk integration
#enable_splunk_integration=1
# This option should be the URL used to access your instance of Splunk
#splunk_url=http://127.0.0.1:8000/
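Review bot: `authorized_for_configuration_information=*` hands every account in the htpasswd file the full object-configuration view (config.cgi): all command lines, contacts and notification setup, including the Prowl notification path this commit adds — far more than a status viewer needs — and together with `authorized_for_system_information=*`, `authorized_for_all_services=*` and `authorized_for_all_hosts=*` it turns Basic auth into a single read-everything role. Restrict the configuration view to named administrators (`authorized_for_configuration_information=nagiosadmin`) and keep the `authorized_for_system_commands=` and `authorized_for_all_*_commands=` lines empty, as they are here, unless a command user is intended. The template also reads `etcdir`, `htdocs`, `osfamily` and `architecture` as bare names; Puppet 3 warns on that and `@etcdir` etc. is the forward-compatible form.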


@ -0,0 +1,12 @@
ScriptAlias <%= scriptalias %> <%= cgibin %>/
Alias /nagios <%= htdocs %>
<Directory "<%= cgibin %>">
Options ExecCGI
AllowOverride AuthConfig
</Directory>
<Directory "<%= htdocs %>">
Options FollowSymLinks
AllowOverride AuthConfig
</Directory>
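Review bot: The `.htaccess` files this commit places in `<%= cgibin %>` and `<%= htdocs %>` rely on Basic authentication, and nothing in this include binds `/nagios` to a TLS vhost, so the htpasswd credentials travel in clear text whenever the site is reachable over plain HTTP. Add `SSLRequireSSL` inside both `<Directory>` blocks (if an SSL vhost serves this include) or redirect `/nagios` to https, and say so in a comment at the top of the file. `Options FollowSymLinks` on the htdocs directory is more than static pages need; `Options None` suffices unless the package ships symlinks there. If any target runs Apache 2.4, these 2.2-style blocks will also need `Require all granted` before the `.htaccess` auth is even consulted.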

19
postfix/files/aliases Normal file

@ -0,0 +1,19 @@
#
# Aliases in this file will NOT be expanded in the header from
# Mail, but WILL be visible over networks or from /bin/mail.
#
# >>>>>>>>>> The program "newaliases" must be run after
# >> NOTE >> this file is updated for any changes to
# >>>>>>>>>> show through to sendmail.
#
# Basic system aliases -- these MUST be present.
mailer-daemon: postmaster
postmaster: root
# General redirections for important pseudo accounts
daemon: root
# RFC 2142: NETWORK OPERATIONS MAILBOX NAMES
abuse: root
security: root

0
postfix/files/empty Normal file

105
postfix/manifests/init.pp Normal file

@ -0,0 +1,105 @@
# Install Postfix packages.
#
class postfix {
include ssl
if !$postfix_key {
$postfix_key = "${puppet_ssldir}/private_keys/${homename}.pem"
}
if !$postfix_cert {
$postfix_cert = "${puppet_ssldir}/certs/${homename}.pem"
}
if !$mail_domain {
if $domain {
$mail_domain = $domain
} else {
fail("Failed to set \$mail_domain, missing \$domain")
}
}
if !$postfix_hostname {
if $fqdn {
$postfix_hostname = $fqdn
} else {
fail("Failed to set \$postfix_hostname, missing \$fqdn")
}
}
if !$postfix_interfaces {
$postfix_interfaces = "localhost"
}
package { "postfix":
ensure => installed,
}
service { "postfix":
ensure => running,
enable => true,
require => Package["postfix"],
}
file { "${ssl::certs}/postfix.crt":
ensure => present,
source => $postfix_cert,
mode => "0644",
owner => "root",
group => "root",
notify => Service["postfix"],
}
file { "${ssl::private}/postfix.key":
ensure => present,
source => $postfix_key,
mode => "0600",
owner => "root",
group => "root",
notify => Service["postfix"],
}
file { "/etc/postfix/main.cf":
ensure => present,
mode => "0644",
owner => "root",
group => "root",
content => template("postfix/main.cf.erb"),
notify => Service["postfix"],
require => Package["postfix"],
}
file { "/etc/aliases":
ensure => present,
source => [
"puppet:///files/mail/aliases.${homename}",
"puppet:///files/mail/aliases",
"puppet:///modules/postfix/aliases",
],
mode => "0644",
owner => "root",
group => "root",
notify => Exec["newaliases"],
}
exec { "newaliases":
path => "/bin:/usr/bin:/sbin:/usr/sbin",
refreshonly => true,
}
file { "/etc/postfix/virtual":
ensure => present,
source => [
"puppet:///files/mail/virtual.${homename}",
"puppet:///files/mail/virtual",
"puppet:///modules/postfix/empty",
],
mode => "0644",
owner => "root",
group => "root",
notify => Exec["postmap /etc/postfix/virtual"],
}
exec { "postmap /etc/postfix/virtual":
path => "/bin:/usr/bin:/sbin:/usr/sbin",
refreshonly => true,
}
}
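Review bot: `file { "/etc/postfix/virtual": ... }` and the two `exec` resources (`newaliases`, `postmap /etc/postfix/virtual`) carry no `require => Package["postfix"]`, so on a first run the file can be applied before `/etc/postfix` exists and the execs can be refreshed before the binaries are installed; `/etc/postfix/main.cf` already has that dependency, so add `require => Package["postfix"],` to the virtual file and to both execs. The defaults `$postfix_key = "${puppet_ssldir}/private_keys/${homename}.pem"` and the matching `$postfix_cert` appear to reuse the node's own Puppet agent key pair as the SMTP TLS identity, copied to `${ssl::private}/postfix.key`; that ties a leak of the mail server's TLS key to impersonation of the node towards the puppet master and deserves a comment at the top of the class, e.g. `# Defaults reuse the agent's Puppet certificate; set $postfix_key/$postfix_cert to use a dedicated one.` The `if !$postfix_key { ... }` blocks read and assign unqualified variables that are meant to come from top scope; writing the lookups as `$::postfix_key` (and likewise for the others) makes the intended scope explicit under Puppet 3's scoping rules.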


@ -0,0 +1,727 @@
# Global Postfix configuration file. This file lists only a subset
# of all parameters. For the syntax, and for a complete parameter
# list, see the postconf(5) manual page (command: "man 5 postconf").
#
# For common configuration examples, see BASIC_CONFIGURATION_README
# and STANDARD_CONFIGURATION_README. To find these documents, use
# the command "postconf html_directory readme_directory", or go to
# http://www.postfix.org/.
#
# For best results, change no more than 2-3 parameters at a time,
# and test if Postfix still works after every change.
# SOFT BOUNCE
#
# The soft_bounce parameter provides a limited safety net for
# testing. When soft_bounce is enabled, mail will remain queued that
# would otherwise bounce. This parameter disables locally-generated
# bounces, and prevents the SMTP server from rejecting mail permanently
# (by changing 5xx replies into 4xx replies). However, soft_bounce
# is no cure for address rewriting mistakes or mail routing mistakes.
#
#soft_bounce = no
# LOCAL PATHNAME INFORMATION
#
# The queue_directory specifies the location of the Postfix queue.
# This is also the root directory of Postfix daemons that run chrooted.
# See the files in examples/chroot-setup for setting up Postfix chroot
# environments on different UNIX systems.
#
queue_directory = /var/spool/postfix
# The command_directory parameter specifies the location of all
# postXXX commands.
#
command_directory = /usr/sbin
# The daemon_directory parameter specifies the location of all Postfix
# daemon programs (i.e. programs listed in the master.cf file). This
# directory must be owned by root.
#
<% if ['Debian','Ubuntu'].index(operatingsystem) -%>
daemon_directory = /usr/lib/postfix
<% else -%>
daemon_directory = /usr/libexec/postfix
<% end -%>
# The data_directory parameter specifies the location of Postfix-writable
# data files (caches, random numbers). This directory must be owned
# by the mail_owner account (see below).
#
data_directory = /var/lib/postfix
# QUEUE AND PROCESS OWNERSHIP
#
# The mail_owner parameter specifies the owner of the Postfix queue
# and of most Postfix daemon processes. Specify the name of a user
# account THAT DOES NOT SHARE ITS USER OR GROUP ID WITH OTHER ACCOUNTS
# AND THAT OWNS NO OTHER FILES OR PROCESSES ON THE SYSTEM. In
# particular, don't specify nobody or daemon. PLEASE USE A DEDICATED
# USER.
#
mail_owner = postfix
# The default_privs parameter specifies the default rights used by
# the local delivery agent for delivery to external file or command.
# These rights are used in the absence of a recipient user context.
# DO NOT SPECIFY A PRIVILEGED USER OR THE POSTFIX OWNER.
#
#default_privs = nobody
# INTERNET HOST AND DOMAIN NAMES
#
# The myhostname parameter specifies the internet hostname of this
# mail system. The default is to use the fully-qualified domain name
# from gethostname(). $myhostname is used as a default value for many
# other configuration parameters.
#
#myhostname = host.domain.tld
#myhostname = virtual.domain.tld
myhostname = <%= postfix_hostname %>
# The mydomain parameter specifies the local internet domain name.
# The default is to use $myhostname minus the first component.
# $mydomain is used as a default value for many other configuration
# parameters.
#
#mydomain = domain.tld
mydomain = <%= mail_domain %>
# SENDING MAIL
#
# The myorigin parameter specifies the domain that locally-posted
# mail appears to come from. The default is to append $myhostname,
# which is fine for small sites. If you run a domain with multiple
# machines, you should (1) change this to $mydomain and (2) set up
# a domain-wide alias database that aliases each user to
# user@that.users.mailhost.
#
# For the sake of consistency between sender and recipient addresses,
# myorigin also specifies the default domain name that is appended
# to recipient addresses that have no @domain part.
#
#myorigin = $myhostname
myorigin = $mydomain
# RECEIVING MAIL
# The inet_interfaces parameter specifies the network interface
# addresses that this mail system receives mail on. By default,
# the software claims all active interfaces on the machine. The
# parameter also controls delivery of mail to user@[ip.address].
#
# See also the proxy_interfaces parameter, for network addresses that
# are forwarded to us via a proxy or network address translator.
#
# Note: you need to stop/start Postfix when this parameter changes.
#
#inet_interfaces = all
#inet_interfaces = $myhostname
#inet_interfaces = $myhostname, localhost
inet_interfaces = <%= postfix_interfaces %>
# Enable IPv4, and IPv6 if supported
inet_protocols = all
# The proxy_interfaces parameter specifies the network interface
# addresses that this mail system receives mail on by way of a
# proxy or network address translation unit. This setting extends
# the address list specified with the inet_interfaces parameter.
#
# You must specify your proxy/NAT addresses when your system is a
# backup MX host for other domains, otherwise mail delivery loops
# will happen when the primary MX host is down.
#
#proxy_interfaces =
#proxy_interfaces = 1.2.3.4
# The mydestination parameter specifies the list of domains that this
# machine considers itself the final destination for.
#
# These domains are routed to the delivery agent specified with the
# local_transport parameter setting. By default, that is the UNIX
# compatible delivery agent that lookups all recipients in /etc/passwd
# and /etc/aliases or their equivalent.
#
# The default is $myhostname + localhost.$mydomain. On a mail domain
# gateway, you should also include $mydomain.
#
# Do not specify the names of virtual domains - those domains are
# specified elsewhere (see VIRTUAL_README).
#
# Do not specify the names of domains that this machine is backup MX
# host for. Specify those names via the relay_domains settings for
# the SMTP server, or use permit_mx_backup if you are lazy (see
# STANDARD_CONFIGURATION_README).
#
# The local machine is always the final destination for mail addressed
# to user@[the.net.work.address] of an interface that the mail system
# receives mail on (see the inet_interfaces parameter).
#
# Specify a list of host or domain names, /file/name or type:table
# patterns, separated by commas and/or whitespace. A /file/name
# pattern is replaced by its contents; a type:table is matched when
# a name matches a lookup key (the right-hand side is ignored).
# Continue long lines by starting the next line with whitespace.
#
# See also below, section "REJECTING MAIL FOR UNKNOWN LOCAL USERS".
#
mydestination = $myhostname, localhost.$mydomain, localhost
#mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
#mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain,
# mail.$mydomain, www.$mydomain, ftp.$mydomain
# REJECTING MAIL FOR UNKNOWN LOCAL USERS
#
# The local_recipient_maps parameter specifies optional lookup tables
# with all names or addresses of users that are local with respect
# to $mydestination, $inet_interfaces or $proxy_interfaces.
#
# If this parameter is defined, then the SMTP server will reject
# mail for unknown local users. This parameter is defined by default.
#
# To turn off local recipient checking in the SMTP server, specify
# local_recipient_maps = (i.e. empty).
#
# The default setting assumes that you use the default Postfix local
# delivery agent for local delivery. You need to update the
# local_recipient_maps setting if:
#
# - You define $mydestination domain recipients in files other than
# /etc/passwd, /etc/aliases, or the $virtual_alias_maps files.
# For example, you define $mydestination domain recipients in
# the $virtual_mailbox_maps files.
#
# - You redefine the local delivery agent in master.cf.
#
# - You redefine the "local_transport" setting in main.cf.
#
# - You use the "luser_relay", "mailbox_transport", or "fallback_transport"
# feature of the Postfix local delivery agent (see local(8)).
#
# Details are described in the LOCAL_RECIPIENT_README file.
#
# Beware: if the Postfix SMTP server runs chrooted, you probably have
# to access the passwd file via the proxymap service, in order to
# overcome chroot restrictions. The alternative, having a copy of
# the system passwd file in the chroot jail is just not practical.
#
# The right-hand side of the lookup tables is conveniently ignored.
# In the left-hand side, specify a bare username, an @domain.tld
# wild-card, or specify a user@domain.tld address.
#
#local_recipient_maps = unix:passwd.byname $alias_maps
#local_recipient_maps = proxy:unix:passwd.byname $alias_maps
#local_recipient_maps =
# The unknown_local_recipient_reject_code specifies the SMTP server
# response code when a recipient domain matches $mydestination or
# ${proxy,inet}_interfaces, while $local_recipient_maps is non-empty
# and the recipient address or address local-part is not found.
#
# The default setting is 550 (reject mail) but it is safer to start
# with 450 (try again later) until you are certain that your
# local_recipient_maps settings are OK.
#
unknown_local_recipient_reject_code = 550
# TRUST AND RELAY CONTROL
# The mynetworks parameter specifies the list of "trusted" SMTP
# clients that have more privileges than "strangers".
#
# In particular, "trusted" SMTP clients are allowed to relay mail
# through Postfix. See the smtpd_recipient_restrictions parameter
# in postconf(5).
#
# You can specify the list of "trusted" network addresses by hand
# or you can let Postfix do it for you (which is the default).
#
# By default (mynetworks_style = subnet), Postfix "trusts" SMTP
# clients in the same IP subnetworks as the local machine.
# On Linux, this does works correctly only with interfaces specified
# with the "ifconfig" command.
#
# Specify "mynetworks_style = class" when Postfix should "trust" SMTP
# clients in the same IP class A/B/C networks as the local machine.
# Don't do this with a dialup site - it would cause Postfix to "trust"
# your entire provider's network. Instead, specify an explicit
# mynetworks list by hand, as described below.
#
# Specify "mynetworks_style = host" when Postfix should "trust"
# only the local machine.
#
#mynetworks_style = class
mynetworks_style = subnet
#mynetworks_style = host
# Alternatively, you can specify the mynetworks list by hand, in
# which case Postfix ignores the mynetworks_style setting.
#
# Specify an explicit list of network/netmask patterns, where the
# mask specifies the number of bits in the network part of a host
# address.
#
# You can also specify the absolute pathname of a pattern file instead
# of listing the patterns here. Specify type:table for table-based lookups
# (the value on the table right-hand side is not used).
#
#mynetworks = 168.100.189.0/28, 127.0.0.0/8
#mynetworks = $config_directory/mynetworks
#mynetworks = hash:/etc/postfix/network_table
# The relay_domains parameter restricts what destinations this system will
# relay mail to. See the smtpd_recipient_restrictions description in
# postconf(5) for detailed information.
#
# By default, Postfix relays mail
# - from "trusted" clients (IP address matches $mynetworks) to any destination,
# - from "untrusted" clients to destinations that match $relay_domains or
# subdomains thereof, except addresses with sender-specified routing.
# The default relay_domains value is $mydestination.
#
# In addition to the above, the Postfix SMTP server by default accepts mail
# that Postfix is final destination for:
# - destinations that match $inet_interfaces or $proxy_interfaces,
# - destinations that match $mydestination
# - destinations that match $virtual_alias_domains,
# - destinations that match $virtual_mailbox_domains.
# These destinations do not need to be listed in $relay_domains.
#
# Specify a list of hosts or domains, /file/name patterns or type:name
# lookup tables, separated by commas and/or whitespace. Continue
# long lines by starting the next line with whitespace. A file name
# is replaced by its contents; a type:name table is matched when a
# (parent) domain appears as lookup key.
#
# NOTE: Postfix will not automatically forward mail for domains that
# list this system as their primary or backup MX host. See the
# permit_mx_backup restriction description in postconf(5).
#
relay_domains = $mydestination
# INTERNET OR INTRANET
# The relayhost parameter specifies the default host to send mail to
# when no entry is matched in the optional transport(5) table. When
# no relayhost is given, mail is routed directly to the destination.
#
# On an intranet, specify the organizational domain name. If your
# internal DNS uses no MX records, specify the name of the intranet
# gateway host instead.
#
# In the case of SMTP, specify a domain, host, host:port, [host]:port,
# [address] or [address]:port; the form [host] turns off MX lookups.
#
# If you're connected via UUCP, see also the default_transport parameter.
#
#relayhost = $mydomain
#relayhost = [gateway.my.domain]
#relayhost = [mailserver.isp.tld]
#relayhost = uucphost
#relayhost = [an.ip.add.ress]
<% if postfix_interfaces == "localhost" and has_variable?("mail_server") -%>
relayhost = [<%= mail_server %>]
<% end -%>
# REJECTING UNKNOWN RELAY USERS
#
# The relay_recipient_maps parameter specifies optional lookup tables
# with all addresses in the domains that match $relay_domains.
#
# If this parameter is defined, then the SMTP server will reject
# mail for unknown relay users. This feature is off by default.
#
# The right-hand side of the lookup tables is conveniently ignored.
# In the left-hand side, specify an @domain.tld wild-card, or specify
# a user@domain.tld address.
#
#relay_recipient_maps = hash:/etc/postfix/relay_recipients
# INPUT RATE CONTROL
#
# The in_flow_delay configuration parameter implements mail input
# flow control. This feature is turned on by default, although it
# still needs further development (it's disabled on SCO UNIX due
# to an SCO bug).
#
# A Postfix process will pause for $in_flow_delay seconds before
# accepting a new message, when the message arrival rate exceeds the
# message delivery rate. With the default 100 SMTP server process
# limit, this limits the mail inflow to 100 messages a second more
# than the number of messages delivered per second.
#
# Specify 0 to disable the feature. Valid delays are 0..10.
#
in_flow_delay = 1s
# ADDRESS REWRITING
#
# The ADDRESS_REWRITING_README document gives information about
# address masquerading or other forms of address rewriting including
# username->Firstname.Lastname mapping.
# ADDRESS REDIRECTION (VIRTUAL DOMAIN)
#
# The VIRTUAL_README document gives information about the many forms
# of domain hosting that Postfix supports.
#
virtual_alias_maps = hash:/etc/postfix/virtual
# "USER HAS MOVED" BOUNCE MESSAGES
#
# See the discussion in the ADDRESS_REWRITING_README document.
# TRANSPORT MAP
#
# See the discussion in the ADDRESS_REWRITING_README document.
# ALIAS DATABASE
#
# The alias_maps parameter specifies the list of alias databases used
# by the local delivery agent. The default list is system dependent.
#
# On systems with NIS, the default is to search the local alias
# database, then the NIS alias database. See aliases(5) for syntax
# details.
#
# If you change the alias database, run "postalias /etc/aliases" (or
# wherever your system stores the mail alias file), or simply run
# "newaliases" to build the necessary DBM or DB file.
#
# It will take a minute or so before changes become visible. Use
# "postfix reload" to eliminate the delay.
#
#alias_maps = dbm:/etc/aliases
alias_maps = hash:/etc/aliases
#alias_maps = hash:/etc/aliases, nis:mail.aliases
#alias_maps = netinfo:/aliases
# The alias_database parameter specifies the alias database(s) that
# are built with "newaliases" or "sendmail -bi". This is a separate
# configuration parameter, because alias_maps (see above) may specify
# tables that are not necessarily all under control by Postfix.
#
#alias_database = dbm:/etc/aliases
#alias_database = dbm:/etc/mail/aliases
alias_database = hash:/etc/aliases
#alias_database = hash:/etc/aliases, hash:/opt/majordomo/aliases
# ADDRESS EXTENSIONS (e.g., user+foo)
#
# The recipient_delimiter parameter specifies the separator between
# user names and address extensions (user+foo). See canonical(5),
# local(8), relocated(5) and virtual(5) for the effects this has on
# aliases, canonical, virtual, relocated and .forward file lookups.
# Basically, the software tries user+foo and .forward+foo before
# trying user and .forward.
#
#recipient_delimiter = +
# DELIVERY TO MAILBOX
#
# The home_mailbox parameter specifies the optional pathname of a
# mailbox file relative to a user's home directory. The default
# mailbox file is /var/spool/mail/user or /var/mail/user. Specify
# "Maildir/" for qmail-style delivery (the / is required).
#
#home_mailbox = Mailbox
#home_mailbox = Maildir/
<% if has_variable?("postfix_home_mailbox") -%>
home_mailbox <%= postfix_home_mailbox %>
<% end -%>
# The mail_spool_directory parameter specifies the directory where
# UNIX-style mailboxes are kept. The default setting depends on the
# system type.
#
mail_spool_directory = /var/mail
#mail_spool_directory = /var/spool/mail
# The mailbox_command parameter specifies the optional external
# command to use instead of mailbox delivery. The command is run as
# the recipient with proper HOME, SHELL and LOGNAME environment settings.
# Exception: delivery for root is done as $default_user.
#
# Other environment variables of interest: USER (recipient username),
# EXTENSION (address extension), DOMAIN (domain part of address),
# and LOCAL (the address localpart).
#
# Unlike other Postfix configuration parameters, the mailbox_command
# parameter is not subjected to $parameter substitutions. This is to
# make it easier to specify shell syntax (see example below).
#
# Avoid shell meta characters because they will force Postfix to run
# an expensive shell process. Procmail alone is expensive enough.
#
# IF YOU USE THIS TO DELIVER MAIL SYSTEM-WIDE, YOU MUST SET UP AN
# ALIAS THAT FORWARDS MAIL FOR ROOT TO A REAL USER.
#
#mailbox_command = /some/where/procmail
#mailbox_command = /some/where/procmail -a "$EXTENSION"
# The mailbox_transport specifies the optional transport in master.cf
# to use after processing aliases and .forward files. This parameter
# has precedence over the mailbox_command, fallback_transport and
# luser_relay parameters.
#
# Specify a string of the form transport:nexthop, where transport is
# the name of a mail delivery transport defined in master.cf. The
# :nexthop part is optional. For more details see the sample transport
# configuration file.
#
# NOTE: if you use this feature for accounts not in the UNIX password
# file, then you must update the "local_recipient_maps" setting in
# the main.cf file, otherwise the SMTP server will reject mail for
# non-UNIX accounts with "User unknown in local recipient table".
#
#mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp
# If using the cyrus-imapd IMAP server deliver local mail to the IMAP
# server using LMTP (Local Mail Transport Protocol), this is prefered
# over the older cyrus deliver program by setting the
# mailbox_transport as below:
#
# mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp
#
# The efficiency of LMTP delivery for cyrus-imapd can be enhanced via
# these settings.
#
# local_destination_recipient_limit = 300
# local_destination_concurrency_limit = 5
#
# Of course you should adjust these settings as appropriate for the
# capacity of the hardware you are using. The recipient limit setting
# can be used to take advantage of the single instance message store
# capability of Cyrus. The concurrency limit can be used to control
# how many simultaneous LMTP sessions will be permitted to the Cyrus
# message store.
#
# To use the old cyrus deliver program you have to set:
#mailbox_transport = cyrus
# The fallback_transport specifies the optional transport in master.cf
# to use for recipients that are not found in the UNIX passwd database.
# This parameter has precedence over the luser_relay parameter.
#
# Specify a string of the form transport:nexthop, where transport is
# the name of a mail delivery transport defined in master.cf. The
# :nexthop part is optional. For more details see the sample transport
# configuration file.
#
# NOTE: if you use this feature for accounts not in the UNIX password
# file, then you must update the "local_recipient_maps" setting in
# the main.cf file, otherwise the SMTP server will reject mail for
# non-UNIX accounts with "User unknown in local recipient table".
#
#fallback_transport = lmtp:unix:/var/lib/imap/socket/lmtp
#fallback_transport =
# The luser_relay parameter specifies an optional destination address
# for unknown recipients. By default, mail for unknown@$mydestination,
# unknown@[$inet_interfaces] or unknown@[$proxy_interfaces] is returned
# as undeliverable.
#
# The following expansions are done on luser_relay: $user (recipient
# username), $shell (recipient shell), $home (recipient home directory),
# $recipient (full recipient address), $extension (recipient address
# extension), $domain (recipient domain), $local (entire recipient
# localpart), $recipient_delimiter. Specify ${name?value} or
# ${name:value} to expand value only when $name does (does not) exist.
#
# luser_relay works only for the default Postfix local delivery agent.
#
# NOTE: if you use this feature for accounts not in the UNIX password
# file, then you must specify "local_recipient_maps =" (i.e. empty) in
# the main.cf file, otherwise the SMTP server will reject mail for
# non-UNIX accounts with "User unknown in local recipient table".
#
#luser_relay = $user@other.host
#luser_relay = $local@other.host
#luser_relay = admin+$local
# JUNK MAIL CONTROLS
#
# The controls listed here are only a very small subset. The file
# SMTPD_ACCESS_README provides an overview.
#
smtpd_helo_required = yes
smtpd_client_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_unknown_client,
<% if has_variable?("postfix_rbl") -%>
<% postfix_rbl.each do |rbl| -%>
reject_rbl_client <%= rbl %>,
<% end -%>
<% end -%>
permit
smtpd_recipient_restrictions =
permit_sasl_authenticated,
permit_mynetworks,
reject_unauth_destination,
check_relay_domains
# The header_checks parameter specifies an optional table with patterns
# that each logical message header is matched against, including
# headers that span multiple physical lines.
#
# By default, these patterns also apply to MIME headers and to the
# headers of attached messages. With older Postfix versions, MIME and
# attached message headers were treated as body text.
#
# For details, see "man header_checks".
#
#header_checks = regexp:/etc/postfix/header_checks
# FAST ETRN SERVICE
#
# Postfix maintains per-destination logfiles with information about
# deferred mail, so that mail can be flushed quickly with the SMTP
# "ETRN domain.tld" command, or by executing "sendmail -qRdomain.tld".
# See the ETRN_README document for a detailed description.
#
# The fast_flush_domains parameter controls what destinations are
# eligible for this service. By default, they are all domains that
# this server is willing to relay mail to.
#
#fast_flush_domains = $relay_domains
# SHOW SOFTWARE VERSION OR NOT
#
# The smtpd_banner parameter specifies the text that follows the 220
# code in the SMTP server's greeting banner. Some people like to see
# the mail version advertised. By default, Postfix shows no version.
#
# You MUST specify $myhostname at the start of the text. That is an
# RFC requirement. Postfix itself does not care.
#
#smtpd_banner = $myhostname ESMTP $mail_name
#smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
# PARALLEL DELIVERY TO THE SAME DESTINATION
#
# How many parallel deliveries to the same user or domain? With local
# delivery, it does not make sense to do massively parallel delivery
# to the same user, because mailbox updates must happen sequentially,
# and expensive pipelines in .forward files can cause disasters when
# too many are run at the same time. With SMTP deliveries, 10
# simultaneous connections to the same domain could be sufficient to
# raise eyebrows.
#
# Each message delivery transport has its XXX_destination_concurrency_limit
# parameter. The default is $default_destination_concurrency_limit for
# most delivery transports. For the local delivery agent the default is 2.
#local_destination_concurrency_limit = 2
#default_destination_concurrency_limit = 20
# DEBUGGING CONTROL
#
# The debug_peer_level parameter specifies the increment in verbose
# logging level when an SMTP client or server host name or address
# matches a pattern in the debug_peer_list parameter.
#
debug_peer_level = 2
# The debug_peer_list parameter specifies an optional list of domain
# or network patterns, /file/name patterns or type:name tables. When
# an SMTP client or server host name or address matches a pattern,
# increase the verbose logging level by the amount specified in the
# debug_peer_level parameter.
#
#debug_peer_list = 127.0.0.1
#debug_peer_list = some.domain
# The debugger_command specifies the external command that is executed
# when a Postfix daemon program is run with the -D option.
#
# Use "command .. & sleep 5" so that the debugger can attach before
# the process marches on. If you use an X-based debugger, be sure to
# set up your XAUTHORITY environment variable before starting Postfix.
#
debugger_command =
PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
ddd $daemon_directory/$process_name $process_id & sleep 5
# If you can't use X, use this to capture the call stack when a
# daemon crashes. The result is in a file in the configuration
# directory, and is named after the process name and the process ID.
#
# debugger_command =
# PATH=/bin:/usr/bin:/usr/local/bin; export PATH; (echo cont;
# echo where) | gdb $daemon_directory/$process_name $process_id 2>&1
# >$config_directory/$process_name.$process_id.log & sleep 5
#
# Another possibility is to run gdb under a detached screen session.
# To attach to the screen sesssion, su root and run "screen -r
# <id_string>" where <id_string> uniquely matches one of the detached
# sessions (from "screen -list").
#
# debugger_command =
# PATH=/bin:/usr/bin:/sbin:/usr/sbin; export PATH; screen
# -dmS $process_name gdb $daemon_directory/$process_name
# $process_id & sleep 1
# INSTALL-TIME CONFIGURATION INFORMATION
#
# The following parameters are used when installing a new Postfix version.
#
# sendmail_path: The full pathname of the Postfix sendmail command.
# This is the Sendmail-compatible mail posting interface.
#
sendmail_path = /usr/sbin/sendmail.postfix
# newaliases_path: The full pathname of the Postfix newaliases command.
# This is the Sendmail-compatible command to build alias databases.
#
newaliases_path = /usr/bin/newaliases.postfix
# mailq_path: The full pathname of the Postfix mailq command. This
# is the Sendmail-compatible mail queue listing command.
#
mailq_path = /usr/bin/mailq.postfix
# setgid_group: The group for mail submission and queue management
# commands. This must be a group name with a numerical group ID that
# is not shared with other accounts, not even with the Postfix account.
#
setgid_group = postdrop
# html_directory: The location of the Postfix HTML documentation.
#
html_directory = no
# manpage_directory: The location of the Postfix on-line manual pages.
#
manpage_directory = /usr/share/man
# sample_directory: The location of the Postfix sample configuration files.
# This parameter is obsolete as of Postfix 2.1.
#
#sample_directory = /usr/share/doc/postfix-2.6.6/samples
# readme_directory: The location of the Postfix README files.
#
#readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
<% if postfix_interfaces != "localhost" -%>
# SASL
#
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = smtpd
smtpd_sasl_security_options = noanonymous
# TLS
#
smtpd_use_tls=yes
smtpd_tls_cert_file=<%= scope.lookupvar('ssl::certs') %>/postfix.crt
smtpd_tls_key_file=<%= scope.lookupvar('ssl::private') %>/postfix.key
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
<% end -%>
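Review bot: `home_mailbox <%= postfix_home_mailbox %>` is missing the `=`, so whenever `$postfix_home_mailbox` is set the rendered main.cf contains a line Postfix cannot parse; it should read `home_mailbox = <%= postfix_home_mailbox %>`. In the `postfix_interfaces != "localhost"` block, `smtpd_sasl_auth_enable = yes` is combined with `smtpd_tls_security_level = may` but not with `smtpd_tls_auth_only = yes`, so a client may offer SASL credentials over a plaintext session; adding `smtpd_tls_auth_only = yes` beside the other `smtpd_sasl_*` settings closes that gap. `check_relay_domains` at the tail of `smtpd_recipient_restrictions` is the deprecated predecessor of `reject_unauth_destination`, which already precedes it, and can be dropped. The session caches use `btree:${queue_directory}/smtpd_scache`; current Postfix documentation places them under `$data_directory`, which this template already sets to `/var/lib/postfix`.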


@ -3,15 +3,15 @@
# #
class psacct { class psacct {
case $kernel { case $::kernel {
linux: { "linux": {
include psacct::linux include psacct::linux
} }
openbsd: { "openbsd": {
include psacct::openbsd include psacct::openbsd
} }
default: { default: {
fail("psacct module not supported in ${kernel}") fail("psacct module not supported in ${::kernel}")
} }
} }
@ -24,7 +24,7 @@ class psacct::linux {
package { "psacct": package { "psacct":
name => $::operatingsystem ? { name => $::operatingsystem ? {
ubuntu => "acct", "ubuntu" => "acct",
default => "psacct", default => "psacct",
}, },
ensure => installed, ensure => installed,
@ -67,7 +67,7 @@ class psacct::openbsd {
exec { "accton": exec { "accton":
command => "accton /var/account/acct", command => "accton /var/account/acct",
path => "/bin:/usr/bin:/sbin:/usr/sbin", path => "/bin:/usr/bin:/sbin:/usr/sbin",
user => root, user => "root",
refreshonly => true, refreshonly => true,
} }


@ -194,9 +194,11 @@ class puppet::server {
class puppet::server::common inherits puppet::client { class puppet::server::common inherits puppet::client {
if $::operatingsystem in ["CentOS","RedHat"] and $::operatingsystemrelease =~ /^[1-5]\..*/ { if $::operatingsystem in ["CentOS","RedHat"] and $::operatingsystemrelease =~ /^[1-5]\..*/ {
$seltype = "var_lib_t" $seltype_readonly = "var_lib_t"
$seltype_writable = "var_lib_t"
} else { } else {
$seltype = "puppet_var_lib_t" $seltype_readonly = "puppetmaster_t"
$seltype_writable = "puppet_var_lib_t"
} }
case $::operatingsystem { case $::operatingsystem {
@ -294,17 +296,25 @@ class puppet::server::common inherits puppet::client {
"openbsd" => "wheel", "openbsd" => "wheel",
default => "root", default => "root",
}, },
seltype => $seltype, seltype => $seltype_readonly,
require => Package["puppetmaster"], require => Package["puppetmaster"],
} }
selinux::manage_fcontext { "${puppet_datadir}(/.*)?": selinux::manage_fcontext { "${puppet_datadir}(/.*)?":
type => $seltype, type => $seltype_readonly,
before => File[$puppet_datadir], before => File[$puppet_datadir],
} }
selinux::manage_fcontext { [
"${puppet_datadir}/bucket(/.*)?",
"${puppet_datadir}/reports(/.*)?",
"${puppet_datadir}/rrd(/.*)?",
]:
type => $seltype_writable,
before => File["/srv/puppet/reports"],
}
file { "/srv/puppet": file { "/srv/puppet":
ensure => link, ensure => link,
target => $puppet_datadir, target => $puppet_datadir,
seltype => $seltype, seltype => $seltype_readonly,
require => File[$puppet_datadir], require => File[$puppet_datadir],
} }
} else { } else {
@ -316,14 +326,22 @@ class puppet::server::common inherits puppet::client {
"openbsd" => "wheel", "openbsd" => "wheel",
default => "root", default => "root",
}, },
seltype => $seltype, seltype => $seltype_readonly,
require => Package["puppetmaster"], require => Package["puppetmaster"],
} }
} }
selinux::manage_fcontext { "/srv/puppet(/.*)?": selinux::manage_fcontext { "/srv/puppet(/.*)?":
type => $seltype, type => $seltype_readonly,
before => File["/srv/puppet"], before => File["/srv/puppet"],
} }
selinux::manage_fcontext { [
"/srv/puppet/bucket(/.*)?",
"/srv/puppet/reports(/.*)?",
"/srv/puppet/rrd(/.*)?",
]:
type => $seltype_writable,
before => File["/srv/puppet/reports"],
}
if $puppet_storeconfigs != "none" { if $puppet_storeconfigs != "none" {
file { "/srv/puppet/storeconfigs": file { "/srv/puppet/storeconfigs":
@ -331,7 +349,7 @@ class puppet::server::common inherits puppet::client {
mode => "0750", mode => "0750",
owner => $user, owner => $user,
group => $group, group => $group,
seltype => $seltype, seltype => $seltype_readonly,
require => File["/srv/puppet"], require => File["/srv/puppet"],
} }
} }
@ -342,7 +360,7 @@ class puppet::server::common inherits puppet::client {
mode => "0750", mode => "0750",
owner => $user, owner => $user,
group => $group, group => $group,
seltype => $seltype, seltype => $seltype_writable,
require => File["/srv/puppet"], require => File["/srv/puppet"],
} }
file { [ "/srv/puppet/files", file { [ "/srv/puppet/files",
@ -354,7 +372,7 @@ class puppet::server::common inherits puppet::client {
"openbsd" => "wheel", "openbsd" => "wheel",
default => "root", default => "root",
}, },
seltype => $seltype, seltype => $seltype_readonly,
require => File["/srv/puppet"], require => File["/srv/puppet"],
} }
file { "/srv/puppet/files/common": file { "/srv/puppet/files/common":
@ -365,7 +383,7 @@ class puppet::server::common inherits puppet::client {
"openbsd" => "wheel", "openbsd" => "wheel",
default => "root", default => "root",
}, },
seltype => $seltype, seltype => $seltype_readonly,
require => File["/srv/puppet/files"], require => File["/srv/puppet/files"],
} }
file { "/srv/puppet/files/private": file { "/srv/puppet/files/private":
@ -373,7 +391,7 @@ class puppet::server::common inherits puppet::client {
mode => "0750", mode => "0750",
owner => "root", owner => "root",
group => $group, group => $group,
seltype => $seltype, seltype => $seltype_readonly,
require => File["/srv/puppet/files"], require => File["/srv/puppet/files"],
} }
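Review bot: The `$seltype_readonly = "puppetmaster_t"` assignment in the else branch looks like a process domain type rather than a file context type, so `seltype => $seltype_readonly` on the data directories and the `selinux::manage_fcontext` rules that use it would likely be refused by chcon/semanage on hosts carrying the puppet policy; confirm with `seinfo -t puppetmaster_t` and, if it is a domain, pick a file type the puppetmaster domain can read (the policy's puppet_etc_t is the usual candidate), keeping `puppet_var_lib_t` for bucket/reports/rrd. Because the same value is applied to `/srv/puppet/files/private` (mode 0750, root-owned), a wrong label there either fails the run or leaves the default context, and neither is visible in the report unless someone looks. A short comment on the assignment, `# read-only tree: must be a file type, not the puppetmaster process domain -- verify on target policy`, would stop the next reader from assuming the value was checked. puppet::server::common continues outside these hunks.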

View file

@ -50,12 +50,7 @@ Listen 8140
# Proxy settings # Proxy settings
<IfModule mod_rewrite.c> <IfModule mod_rewrite.c>
<LocationMatch ^/production/file_content/.*>
ForceType application/x-raw
</LocationMatch>
RewriteEngine On RewriteEngine On
RewriteRule ^/production/file_content/files/(.+)$ /srv/puppet/files/common/$1 [L]
RewriteRule ^/production/file_content/modules/([^/]+)/files/(.+)$ /etc/puppet/modules/$1/files/$2 [L]
RewriteRule ^/(.*)$ balancer://puppetmaster%{REQUEST_URI} [P,QSA,L] RewriteRule ^/(.*)$ balancer://puppetmaster%{REQUEST_URI} [P,QSA,L]
</Ifmodule> </Ifmodule>
<IfModule !mod_rewrite.c> <IfModule !mod_rewrite.c>
@ -67,4 +62,3 @@ Listen 8140
SetEnv proxy-nokeepalive 1 SetEnv proxy-nokeepalive 1
</VirtualHost> </VirtualHost>
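Review bot: The rewrite rules removed above mapped `/production/file_content/files/...` and `/production/file_content/modules/.../files/...` directly onto `/srv/puppet/files/common` and `/etc/puppet/modules`, so Apache served those files itself instead of the puppetmaster, outside whatever authorization the master applies (auth.conf) and outside its per-node source selection; dropping them is the safer shape, but nothing left in the vhost records why, and the rules are exactly the kind of shortcut a later performance tweak reintroduces. Suggest a comment directly above `RewriteEngine On`: `# Do not map file_content onto the filesystem here; serving it from Apache bypasses the puppetmaster's access control.` Whether the SSL client-verification settings of this vhost, which sit outside the hunk, would have limited that exposure to certificate-holding agents is not visible here.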


@ -20,7 +20,10 @@ class sasl::client {
# === Global variables # === Global variables
# #
# $saslauthd_mech: # $saslauthd_mech:
# Authentication mechanism to use. Defaults to system default. # Authentication mechanism to use. Defaults to system
# default. Supported mechanisms include pam, ldap and kerberos5.
#
# For ldap authentication, see ldap::client for required global variables.
# #
class sasl::saslauthd { class sasl::saslauthd {
@ -28,6 +31,24 @@ class sasl::saslauthd {
case $saslauthd_mech { case $saslauthd_mech {
"","pam": { } "","pam": { }
"ldap": {
include ldap::client
augeas { "set-saslauthd-mech":
context => "/files/etc/sysconfig/saslauthd",
changes => "set MECH ldap",
notify => Service["saslauthd"],
}
file { "/etc/saslauthd.conf":
ensure => present,
mode => 0644,
owner => "root",
group => "root",
content => template("sasl/saslauthd.conf.ldap.erb"),
notify => Service["saslauthd"],
}
}
"kerberos5": { "kerberos5": {
augeas { "set-saslauthd-mech": augeas { "set-saslauthd-mech":
context => "/files/etc/sysconfig/saslauthd", context => "/files/etc/sysconfig/saslauthd",
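Review bot: The new `ldap` branch writes `/etc/saslauthd.conf` with `mode => 0644`; the template currently carries only `ldap_servers` and `ldap_search_base`, but this same file is where a service `ldap_bind_dn`/`ldap_bind_pw` would go if anyone later adds one, and a world-readable file would then hand that password to every local account. saslauthd reads the file as root, so `mode => "0640"` costs nothing now and removes the trap. The literal is also unquoted while the rest of the module quotes modes (`"0750"`), and later Puppet releases expect a quoted string, so `"0640"` fixes both at once. Whether the LDAP transport itself is protected (ldaps URIs or STARTTLS) is decided in `ldap::client`, outside this hunk.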


@ -0,0 +1,2 @@
ldap_servers: <% ldap_server.each do |uri| %><%= uri %> <% end %>
ldap_search_base: <%= ldap_basedn %>
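Review bot: The template sets only `ldap_servers` and `ldap_search_base`, so transport security for the bind that saslauthd performs with the user's password rests entirely on the scheme of each URI in `ldap_server`; with plain `ldap://` and no STARTTLS directive the password crosses the network in clear. If the site relies on STARTTLS rather than `ldaps://`, this is the file that has to say so (`ldap_start_tls: yes` together with `ldap_tls_cacert_file`), ideally behind a variable the ldap module already exposes rather than hard-coded. A header line, `# saslauthd LDAP backend, managed by puppet (sasl::saslauthd); TLS is governed by the ldap_server URI scheme`, would make the dependency explicit to whoever edits `ldap_server`. The bare `ldap_server`/`ldap_basedn` names also rely on dynamic-scope lookup; the `@ldap_server` form is what newer Puppet expects, assuming these are class-scope variables.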


@ -1,18 +1,21 @@
#!/bin/sh #!/bin/sh
ARCHIVEFILES="all.log"
LOGDIR="/srv/log" LOGDIR="/srv/log"
DATE=`date +%Y-%m-%d` ARCHIVE="${LOGDIR}/archive"
YEAR=`date +%Y`
ARCHIVEDIR="/srv/log/archive/" #archivedlogs will be in this DATE="`date +%Y-%m-%d`"
#directory + $YEAR YEAR="`date +%Y`"
umask 027 umask 027
myerror(){ myerror()
{
echo "Error: $*" 1>&2 echo "Error: $*" 1>&2
exit 1 exit 1
} }
archive_log(){ archive_log()
{
FILE="${1}" FILE="${1}"
DEST="${2}" DEST="${2}"
@ -21,12 +24,13 @@ archive_log(){
else else
echo "Archiving file ${FILE} to ${DEST}" echo "Archiving file ${FILE} to ${DEST}"
mv "${FILE}" "${DEST}" mv "${FILE}" "${DEST}"
touch ${FILE} touch "${FILE}"
LOGS="${LOGS} ${DEST}" LOGS="${LOGS} ${DEST}"
fi fi
} }
restart_syslog(){ restart_syslog()
{
for i in syslog.pid rsyslogd.pid syslogd.pid ; do for i in syslog.pid rsyslogd.pid syslogd.pid ; do
if [ -f "/var/run/$i" ]; then if [ -f "/var/run/$i" ]; then
PIDFILE="/var/run/$i" PIDFILE="/var/run/$i"
@ -34,31 +38,40 @@ restart_syslog(){
fi fi
done done
if [ "blah${PIDFILE}" = "blah" ]; then if [ "blah${PIDFILE}" = "blah" ]; then
myerror "Cannot find syslog pid file" 1>&2 myerror "Cannot find syslog pid file"
fi fi
kill -HUP `cat ${PIDFILE}` kill -HUP `cat ${PIDFILE}`
} }
archive(){
[ -d ${LOGDIR} ] || myerror "No such direcroty: ${LOGDIR}"
[ -d "${ARCHIVEDIR}" ] || myerror "No such archive directory: ${ARCHIVEDIR}"
[ -d "${ARCHIVEDIR}/${YEAR}" ] || mkdir ${ARCHIVEDIR}/${YEAR}
ARCHIVEDIR="${ARCHIVEDIR}/${YEAR}"
for logfile in ${ARCHIVEFILES} ; do [ $# -gt 0 ] || myerror "Usage: `basename $0` <file|dir> [file|dir] ..."
[ -f "${LOGDIR}/${logfile}" ] || myerror "File not found: ${logfile}"
archive_log "${LOGDIR}/${logfile}" "${ARCHIVEDIR}/${logfile}.${DATE}"
done
restart_syslog
for zipfile in ${ARCHIVEFILES} ; do
gzip -f "${ARCHIVEDIR}/${zipfile}.${DATE}" || myerror "Error while gzipping ${ARCHIVEDIR}/${zipfile}"
done
}
case "x$1" in [ -d ${LOGDIR} ] || myerror "Not a directory: ${LOGDIR}"
"x-v"|"x--verbose")
archive while [ "$*" ]; do
;; if [ -f "${LOGDIR}/${1}" ]; then
*) dstdir=${ARCHIVE}/${YEAR}
archive >> /dev/null dstfile=${dstdir}/`basename ${1}`.${DATE}
;; [ -d "${dstdir}" ] || mkdir -p ${dstdir}
esac archive_log ${LOGDIR}/${1} ${dstfile}
elif [ -d "${LOGDIR}/${1}" ]; then
for f in ${LOGDIR}/${1}/*.log; do
if [ -f "${f}" ]; then
dstdir=${ARCHIVE}/${1}/${YEAR}
dstfile=${dstdir}/`basename ${f}`.${DATE}
[ -d "${dstdir}" ] || mkdir -p ${dstdir}
archive_log ${f} ${dstfile}
else
echo "Skipping ${f}: not a file" 1>&2
fi
done
else
echo "Skipping ${1}: not a file or directory" 1>&2
fi
shift
done
restart_syslog
for log in ${LOGS}; do
gzip -f ${log} || myerror "Error while gzipping ${log}"
done
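Review bot: The new argument loop hands `${1}`, `${f}` and `${dstfile}` to `archive_log`, `mkdir -p` and `gzip` unquoted (`archive_log ${LOGDIR}/${1} ${dstfile}`, `archive_log ${f} ${dstfile}`, `gzip -f ${log}`), so whitespace or a glob character in an argument or log name splits into extra paths, even though `archive_log` itself quotes carefully; quoting those three calls is the minimal fix, and `${LOGS}` would need a different accumulator than a space-joined string to be fully safe. The script runs as root from cron and builds paths from its arguments without rejecting `/` or `..`, so an argument such as `../etc` walks `mv` outside `${LOGDIR}`; a guard at the top of the loop, `case "${1}" in ""|*/*|.|..) myerror "Bad log name: ${1}";; esac`, keeps everything under `${LOGDIR}`. `restart_syslog` still HUPs whatever `cat ${PIDFILE}` returns without checking it is a number, and it runs even when nothing was archived.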


@ -212,8 +212,15 @@ class syslog::client::rsyslog {
# $syslog_datadir: # $syslog_datadir:
# Directory where to store logs. Defaults to /srv/log. # Directory where to store logs. Defaults to /srv/log.
# #
# $syslog_rotate:
# Array of log files to rotate. Defaults to 'all.log'.
#
class syslog::common::standalone inherits syslog::common { class syslog::common::standalone inherits syslog::common {
if !$syslog_rotate {
$syslog_rotate = [ "all.log" ]
}
if $syslog_datadir { if $syslog_datadir {
file { $syslog_datadir: file { $syslog_datadir:
ensure => directory, ensure => directory,
@ -277,8 +284,9 @@ class syslog::common::standalone inherits syslog::common {
default => "root", default => "root",
}, },
} }
$syslog_rotate_files = inline_template('<%= syslog_rotate.join(" ") -%>')
cron { "logarchiver.sh": cron { "logarchiver.sh":
command => "/usr/local/sbin/logarchiver.sh", command => "/usr/local/sbin/logarchiver.sh ${syslog_rotate_files} >/dev/null",
user => "root", user => "root",
hour => 0, hour => 0,
minute => 0, minute => 0,
@ -370,3 +378,31 @@ class syslog::server::rsyslog inherits syslog::client::rsyslog {
} }
} }
# Install syslog server with custom configuration.
#
class syslog::custom inherits syslog::common::standalone {
case $syslog_type {
"syslogd": { fail("Server for \$syslog_type '$syslog_type' not yet supported.") }
"rsyslog": { include syslog::custom::rsyslog }
default: { fail("Unknown \$syslog_type '$syslog_type'") }
}
}
# Install syslog server using rsyslog with custom configuration.
#
class syslog::custom::rsyslog inherits syslog::client::rsyslog {
File["/etc/rsyslog.conf"] {
content => undef,
source => [ "puppet:///files/syslog/rsyslog.conf.${homename}",
"puppet:///files/syslog/rsyslog.conf", ],
require => [ File["/srv/log"],
File["/var/log/all.log"], ],
}
}
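Review bot: The `$syslog_rotate` doc says "Array of log files", but the entries are space-joined by `inline_template` and spliced unquoted into the cron command (`logarchiver.sh ${syslog_rotate_files} >/dev/null`), where cron's shell word-splits and glob-expands them and the archiver then treats each one as a file or directory name under its hard-coded `/srv/log`; the comment should state that contract, e.g. `# Array of file or directory names relative to /srv/log, passed to logarchiver.sh as separate shell arguments; no whitespace or shell metacharacters. Defaults to 'all.log'.` This is site-manifest data rather than user input, so the risk is misconfiguration, not injection, but a value like `*.log` behaves very differently from what the current wording suggests, and the hard-coded `/srv/log` only lines up with `$syslog_datadir` if that path is a link to it, which is not visible here. In `syslog::custom::rsyslog` the source path uses bare `${homename}` while the rest of the file qualifies facts as `$::operatingsystem`; `${::homename}` would be consistent if homename is a fact. The `cron` resource and `syslog::common::standalone` continue outside these hunks.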


@ -82,7 +82,7 @@ class tftp::server {
} }
case $::operatingsystem { case $::operatingsystem {
debian,ubuntu: { "debian","ubuntu": {
service { "tftpd-hpa": service { "tftpd-hpa":
ensure => running, ensure => running,
hasstatus => true, hasstatus => true,
@ -91,14 +91,35 @@ class tftp::server {
Package["tftp-server"], ], Package["tftp-server"], ],
} }
} }
"openbsd": {
if versioncmp($::operatingsystemrelease, '5.2') < 0 {
include inetd::server
inetd::service { "tftp":
ensure => present,
require => File["/tftpboot"],
}
} else {
service { "tftpd":
ensure => running,
hasstatus => true,
enable => true,
start => "/usr/sbin/tftpd /tftpboot",
require => File["/tftpboot"],
}
}
}
default: { default: {
include inetd::server include inetd::server
inetd::service { "tftp": inetd::service { "tftp":
ensure => present, ensure => present,
<<<<<<< HEAD
require => $::operatingsystem ? { require => $::operatingsystem ? {
"openbsd" => undef, "openbsd" => undef,
default => Package["tftp-server"], default => Package["tftp-server"],
}, },
=======
require => Package["tftp-server"],
>>>>>>> 7c4f9e6b94793caf3c9369cc0519eefddc54f7d0
} }
} }
} }
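Review bot: The lines from `<<<<<<< HEAD` to `>>>>>>> 7c4f9e6b94793caf3c9369cc0519eefddc54f7d0` are unresolved conflict markers committed inside the `default` branch of `tftp::server`, so the manifest will not parse and any catalog that loads this file fails to compile until they are removed. The correct resolution is the lower side: OpenBSD now has its own case branch above, so the selector that sets `require` to `undef` for openbsd is dead code in `default`, and `require => Package["tftp-server"],` on its own is right. Drop the four marker lines and the three-line selector, leaving the single `require`. Separately, `versioncmp($::operatingsystemrelease, '5.2')` is the only single-quoted string in the module; harmless, but `"5.2"` matches the surrounding style.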


@ -451,7 +451,7 @@ define wiki::collab::package($source, $config="/srv/wikis/collab/wikis/collab/co
user => "collab", user => "collab",
path => "/bin:/usr/bin:/sbin:/usr/sbin", path => "/bin:/usr/bin:/sbin:/usr/sbin",
environment => "PYTHONPATH=${config}", environment => "PYTHONPATH=${config}",
command => "/bin/sh -c 'umask 007; python ${::pythonsitedir}/MoinMoin/packages.py i /usr/local/src/${name}'", command => "/bin/sh -c 'umask 007; python ${::pythonsitedir}/MoinMoin/packages.py -u collab i /usr/local/src/${name}'",
refreshonly => true, refreshonly => true,
require => Exec["collab-account-create -f -r collab"] require => Exec["collab-account-create -f -r collab"]
} }


@ -0,0 +1,27 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
mQGiBDrbVQQRBACfyqmXDmXKLS/1TUpxb7KMVKqzk3XqiHidQWmRzquo26FReyvR
2PnGKHVtiBtZcgb+e2rPR/MNyfAGh5Xkjfzq+gPxVAJUbwbM81yo54b8oYGlqogv
wq0Y6a3H5t9nHENifLbX2HEVH/+eFKcp4gVJqRiUctf8xreUOU/HXuVXvwCgg2HG
Bm2PAjhRXxchtuyPK7SggaUD/3HsxqqCw97JAnZtMXzL/9gNDuzAB/8SZTtiw+eU
NbIAieyPydoLyoZKvbaMIHchkSQgZJ8QX6cvaME3xYpSeiUwT3WVztbDy/naEyq5
VoMMc1thtPt+Z0Bx7lwefZ1HsXmKtUen9X/wrNOjKhOJrInn4RaBw8eE1w8Uh/oj
SxhbA/0b2xxmmOh1GJxdEKRDMabXu9cJNgTuR8pDG2aGH32bNniLC69Lr34daaJn
kl0lL5JH2ivqvUB83jTGir0pqf/rWOBgVJ8sfvzhpf4w0QXSuwQsk+UdvlcsalI8
m5nah+9bRnFsibYX7Y04odE5rzRg6Vv2wqQo9eELnPXdt3JiVLRJRGVsbCBDb21w
dXRlciBDb3Jwb3JhdGlvbiAoTGludXggU3lzdGVtcyBHcm91cCkgPGxpbnV4LXNl
Y3VyaXR5QGRlbGwuY29tPohXBBMRAgAXBQI621UEBQsHCgMEAxUDAgMWAgECF4AA
CgkQyneVHSO2ap2nqACeJKS/llA45VuDrtzUnxPPiWknKtcAniG6aD7ELAM2+SzD
lG7n1cHZSqyXiEYEEBECAAYFAjujySgACgkQIavu95Lw/AluzACgluS3dEQh4iw3
t80nI+oZ2ssphEQAnjMXCjnRlkohpMgdJuvHSBuVUPjJuQENBDrbVQUQBAC2h3kC
wV0pPn44jL7kdeujexYm9hy0ImggCzMHHqplpq1vh0vK2DtZLjM3ZUs68ypCZfDt
ejvxm+m/e708ZmGxveIk0FbvC9dfuUvn5dmj9gQcXOWxqfjkOgZ2CXXY1fX9Fe4a
QLI8QuQ5sTn6GreeFQCcJXCGWiNi1Hpyi8k1ZwADBQP+KVolSCJG2KR0qScJN+2O
MRS6IowNIwLY93GlDekrqxBxVOv0FxRHH8lV0xZWMTWfsIBEZU+Iov6ns3ky4m6J
ImKZ+xaFHehgCPBy3u2pbrSbHGhMzqa40sU3mI9SA0sOJQ18oX6blNDIwnyveKXw
ZrXZC6mO7PkRnoa+J/4cvSmIRgQYEQIABgUCOttVBQAKCRDKd5UdI7ZqnYmZAJ97
LhXpWlSlrm5XCNSfO8BwJGVNGgCfR0hFclor3HLNl28ZVENT1SvbjNQ=
=sYOa
-----END PGP PUBLIC KEY BLOCK-----


@ -129,7 +129,7 @@ class yum::exclude {
augeas { "yum-exclude": augeas { "yum-exclude":
context => "/files/etc/yum.conf/main", context => "/files/etc/yum.conf/main",
changes => "set exclude ${yum_exclude_real}", changes => "set exclude '${yum_exclude_real}'",
} }
} }
@ -257,6 +257,44 @@ class yum::repo::centos-cr {
} }
class yum::repo::dell {
case $::operatingsystem {
"centos", "redhat": { }
default: {
fail("Dell OMSA repository not supported in ${operatingsystem}")
}
}
# Required for detecting the correct system hardware via
# yum. Dell's repo then provide their own yum-dellsysid after
# installing the repos.
package { "yum-dellsysid":
ensure => installed,
require => Class["yum::repo::epel"],
}
case $operatingsystemrelease {
/^6\.[0-9]+/: {
yum::repo { "dell-omsa-indep":
descr => "Dell OMSA repository - Hardware independent",
mirrorlist => "http://linux.dell.com/repo/hardware/latest/mirrors.cgi?osname=el\$releasever&ve&basearch=\$basearch&native=1&dellsysidpluginver=\$dellsysidpluginver",
gpgkey => "puppet:///modules/yum/keys/dell-omsa.key",
require => Package["yum-dellsysid"],
}
yum::repo { "dell-omsa-specific":
descr => "Dell OMSA repository - Hardware specific",
mirrorlist => "http://linux.dell.com/repo/hardware/latest/mirrors.cgi?osname=el\$releasever&basearch=\$basearch&native=1&sys_ven_id=\$sys_ven_id&sys_dev_id=\$sys_dev_id&dellsysidpluginver=\$dellsysidpluginver",
gpgkey => "puppet:///modules/yum/keys/dell-omsa.key",
require => Package["yum-dellsysid"],
}
}
default: {
fail("Dell OMSA repository not supported in ${operatingsystem} ${operatingsystemrelease}")
}
}
}
class yum::repo::elrepo { class yum::repo::elrepo {