author | Ismaël Bouya <ismael.bouya@normalesup.org> | 2018-03-20 13:14:41 +0100 |
---|---|---|
committer | Ismaël Bouya <ismael.bouya@normalesup.org> | 2018-03-20 13:14:41 +0100 |
commit | 9155df0063c42e02fcf989da6b58f7a3d06e428d (patch) | |
tree | d0b8571c0d7d20298f89ca08947ead21cc4abbcf /modules/profile | |
parent | ca4a52d503d433064019e234212fcf7c211761fe (diff) | |
parent | 5a1aab82ab45c14db40026bb7b1f19d0ee8a3cb3 (diff) | |
Merge branch 'dev'
Diffstat (limited to 'modules/profile')
-rw-r--r-- | modules/profile/manifests/apache.pp | 15 | ||||
-rw-r--r-- | modules/profile/manifests/fstab.pp | 18 | ||||
-rw-r--r-- | modules/profile/manifests/known_hosts.pp | 11 | ||||
-rw-r--r-- | modules/profile/manifests/mail.pp | 14 | ||||
-rw-r--r-- | modules/profile/manifests/postgresql.pp | 14 | ||||
-rw-r--r-- | modules/profile/manifests/xmr_stak.pp | 14 | ||||
-rw-r--r-- | modules/profile/templates/mail/ssmtp.conf.erb | 14 | ||||
-rw-r--r-- | modules/profile/templates/xmr_stak/xmr-stak.service.erb (renamed from modules/profile/files/xmr_stak/xmr-stak.service) | 3 |
8 files changed, 85 insertions, 18 deletions
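--- a/modules/profile/manifests/apache.pp
+++ b/modules/profile/manifests/apache.pp
@@ -67,13 +67,12 @@ class profile::apache {
 install_method => "package",
 package_name => "certbot",
 package_command => "certbot",
-# FIXME
-email => 'sites+letsencrypt@mail.immae.eu',
+email => lookup('letsencrypt::email'),
 }
 
-$real_hostname = lookup("base_installation::real_hostname") |$key| { {} }
+$real_hostname = lookup("base_installation::real_hostname", { "default_value" => undef })
 unless empty($real_hostname) {
-if (lookup("ssl::try_letsencrypt_for_real_hostname") |$key| { true }) {
+if (lookup("letsencrypt::try_for_real_hostname", { "default_value" => true })) {
 letsencrypt::certonly { $real_hostname:
 before => Apache::Vhost["default_ssl"];
 default: * => $::profile::apache::letsencrypt_certonly_default;
@@ -110,6 +109,14 @@ class profile::apache {
 }
 }
 
+lookup("letsencrypt::hosts", { "default_value" => [] }).each |$host| {
+if ($host != $real_hostname) { # Done above already
+letsencrypt::certonly { $host: ;
+default: * => $letsencrypt_certonly_default;
+}
+}
+}
+
 apache::vhost { "redirect_no_ssl":
 port => '80',
 error_log => false,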
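Review bot: The per-host loop added at new lines 112-118 reads the defaults as `$letsencrypt_certonly_default`, while the real-hostname block above it (new line 78) spells the same thing `$::profile::apache::letsencrypt_certonly_default`; both presumably resolve to the class variable, but one spelling should be used so the two declarations are visibly the same. The loop also carries no `before => Apache::Vhost[...]` relationship, unlike the real-hostname certificate, so if a vhost outside this hunk references one of these certificates its ordering is not guaranteed — worth confirming against the vhost definitions. A one-line comment on the loop, `# Extra hostnames from hiera; the real hostname is handled above together with its vhost ordering`, would make the split explicit. The enclosing class continues outside both hunks.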
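--- /dev/null
+++ b/modules/profile/manifests/fstab.pp
@@ -0,0 +1,18 @@
+class profile::fstab (
+Optional[Array] $mounts = []
+) {
+$mounts.each |$mount| {
+unless empty($mount) {
+$infos = split($mount, ';')
+
+file { $infos[0]:
+ensure => directory,
+} ->
+mount { $infos[0]:
+ensure => mounted,
+device => "UUID=${infos[1]}",
+fstype => $infos[2]
+}
+}
+}
+}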
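Review bot: A mount entry with fewer than three `;`-separated fields is not rejected after the split at line 6: `$infos[1]` and `$infos[2]` are then undef, and the `mount` resource at lines 11-15 is declared with `device => "UUID="` and no fstype instead of failing the catalog. Add a guard right after the split, `if length($infos) < 3 { fail("profile::fstab: expected 'mountpoint;uuid;fstype', got '${mount}'") }`, or tighten the parameter to an array of structs so the shape is checked when the hiera data is looked up. `Optional[Array]` also admits an explicit undef, on which `.each` errors; `Array[String] $mounts = []` is sufficient. No `options` are set on the mount, so the filesystem defaults apply; for data volumes it is worth deciding explicitly whether `nosuid,nodev` belong there.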
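--- /dev/null
+++ b/modules/profile/manifests/known_hosts.pp
@@ -0,0 +1,11 @@
+class profile::known_hosts (
+Optional[Array] $hosts = []
+) {
+$hosts.each |$host| {
+sshkey { $host["name"]:
+ensure => "present",
+key => $host["key"],
+type => $host["type"],
+}
+}
+}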
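Review bot: The parameter type `Optional[Array] $hosts` at line 2 does not describe what the loop needs: each element must be a hash carrying `name`, `key` and `type` (lines 5-8), and a missing key only surfaces as an undef resource title or attribute when the catalog is built. `Array[Struct[{ name => String, key => String, type => String }]] $hosts = []` rejects a malformed hiera entry at lookup time with a clear message and drops the undef case on which `.each` fails. Because these entries become host trust anchors in the system-wide known_hosts file, a short class comment stating that `key` holds only the key body (the `sshkey` type carries the algorithm in `type` and the host in the title) would help whoever edits the hiera data.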
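--- /dev/null
+++ b/modules/profile/manifests/mail.pp
@@ -0,0 +1,14 @@
+class profile::mail (
+String $mailhub,
+Optional[Integer] $mailhub_port = 25,
+) {
+ensure_packages(["s-nail", "ssmtp"])
+
+$hostname = lookup("base_installation::real_hostname")
+
+file { "/etc/ssmtp/ssmtp.conf":
+ensure => "present",
+content => template("profile/mail/ssmtp.conf.erb"),
+}
+}
+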
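Review bot: The ssmtp.conf resource at lines 9-12 sets no `owner`, `group` or `mode`, unlike the unit file in xmr_stak.pp which pins root/`0644`, so the file's permissions are left unmanaged. The template currently carries no credentials, so `owner => "root", group => "root", mode => "0644"` would be consistent with the rest of the module; if SMTP authentication is added to the template later the mode should be tightened at the same time. `lookup("base_installation::real_hostname")` at line 7 has no default, whereas the same lookup in apache.pp now passes `{ "default_value" => undef }`, so a node without that key fails to compile here; if that is intended, a comment saying so would stop the next reader aligning the two.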
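--- a/modules/profile/manifests/postgresql.pp
+++ b/modules/profile/manifests/postgresql.pp
@@ -1,5 +1,5 @@
 class profile::postgresql {
-$password_seed = lookup("base_installation::puppet_pass_seed") |$key| { {} }
+$password_seed = lookup("base_installation::puppet_pass_seed")
 
 class { '::postgresql::globals':
 encoding => 'UTF-8',
@@ -32,7 +32,7 @@ class profile::postgresql {
 database => 'all',
 user => $pg_user,
 auth_method => 'ident',
-order => "a1",
+order => "00-01",
 }
 postgresql::server::pg_hba_rule { 'localhost access as postgres user':
 description => 'Allow localhost access to postgres user',
@@ -41,7 +41,7 @@ class profile::postgresql {
 user => $pg_user,
 address => "127.0.0.1/32",
 auth_method => 'md5',
-order => "a2",
+order => "00-02",
 }
 postgresql::server::pg_hba_rule { 'localhost ip6 access as postgres user':
 description => 'Allow localhost access to postgres user',
@@ -50,7 +50,7 @@ class profile::postgresql {
 user => $pg_user,
 address => "::1/128",
 auth_method => 'md5',
-order => "a3",
+order => "00-03",
 }
 postgresql::server::pg_hba_rule { 'deny access to postgresql user':
 description => 'Deny remote access to postgres user',
@@ -59,7 +59,7 @@ class profile::postgresql {
 user => $pg_user,
 address => "0.0.0.0/0",
 auth_method => 'reject',
-order => "a4",
+order => "00-04",
 }
 
 postgresql::server::pg_hba_rule { 'local access':
@@ -68,7 +68,7 @@ class profile::postgresql {
 database => 'all',
 user => 'all',
 auth_method => 'md5',
-order => "b1",
+order => "10-01",
 }
 
 postgresql::server::pg_hba_rule { 'local access with same name':
@@ -77,7 +77,7 @@ class profile::postgresql {
 database => 'all',
 user => 'all',
 auth_method => 'ident',
-order => "b2",
+order => "10-02",
 }
 
 }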
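Review bot: The 'deny access to postgresql user' rule at new lines 59-63 rejects only `0.0.0.0/0`; in pg_hba.conf an IPv4 range matches IPv4 connections only, so an IPv6 client connecting as `$pg_user` falls through to whatever rules sort after `00-04`. If that rule's `type` (outside the hunk) is `host` or `hostssl`, a parallel entry with `address => "::/0"`, `auth_method => 'reject'` and `order => "00-05"` closes the gap; the `::1/128` allow at new line 51 already sorts before it. The renumbering itself is sound — the `NN-MM` keys sort lexically in the intended order — and a comment above the first rule, `# order keys: 00-xx = postgres superuser rules, 10-xx = everyone else`, would document the scheme the values now encode.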
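--- a/modules/profile/manifests/xmr_stak.pp
+++ b/modules/profile/manifests/xmr_stak.pp
@@ -1,4 +1,9 @@
-class profile::xmr_stak {
+class profile::xmr_stak (
+String $mining_pool,
+String $wallet,
+Optional[String] $cpulimit = "50",
+Optional[String] $password = "x",
+) {
 ensure_resource('exec', 'systemctl daemon-reload', {
 command => '/usr/bin/systemctl daemon-reload',
 refreshonly => true
@@ -21,15 +26,12 @@ class profile::xmr_stak {
 mode => "0644",
 owner => "root",
 group => "root",
-source => "puppet:///modules/profile/xmr_stak/xmr-stak.service",
+content => template("profile/xmr_stak/xmr-stak.service.erb"),
 require => User["xmr_stak"],
 notify => Exec["systemctl daemon-reload"]
 }
 
-$mining_pool = lookup("xmr_stak::mining_pool") |$key| { {} }
-$wallet = lookup("xmr_stak::wallet") |$key| { {} }
-$password = lookup("xmr_stak::password") |$key| { "x" }
-$instance = regsubst($facts["ec2_metadata"]["hostname"], '\.', "_", "G")
+$instance = regsubst(lookup("base_installation::ldap_cn"), '\.', "_", "G")
 
 file { "/var/lib/xmr_stak/xmr-stak.conf":
 mode => "0644",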
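Review bot: `Optional[String] $cpulimit = "50"` at new line 4 is interpolated unquoted into the unit's `ExecStart` line by the renamed template below (`--limit <%= @cpulimit %>`), where systemd splits on whitespace; nothing restricts the hiera value to a single numeric token, so a malformed value changes the command line instead of failing the catalog. `Pattern[/\A\d+\z/] $cpulimit = "50"` keeps the string type and rejects anything but digits at lookup time; the same point applies to the xmr-stak.service.erb section. `Optional[...]` on a parameter that already has a non-undef default also admits an explicit undef, which would render as an empty `--limit` argument. `$wallet` and `$password` end up in xmr-stak.conf, which the resource at new lines 36-37 creates with `mode => "0644"`; that is fine for the `"x"` default, but if a real pool password is supplied through hiera the file should be `0640` and readable only by the xmr_stak user.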
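--- /dev/null
+++ b/modules/profile/templates/mail/ssmtp.conf.erb
@@ -0,0 +1,14 @@
+#
+# /etc/ssmtp.conf -- a config file for sSMTP sendmail.
+#
+# The person who gets all mail for userids < 1000
+# Make this empty to disable rewriting.
+root=postmaster
+# The place where the mail goes. The actual machine name is required
+# no MX records are consulted. Commonly mailhosts are named mail.domain.com
+# The example will fit if you are in domain.com and you mailhub is so named.
+mailhub=<%= @mailhub %>:<%= @mailhub_port %>
+# Where will the mail seem to come from?
+#rewriteDomain=y
+# The full hostname
+hostname=<%= @hostname %>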
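Review bot: `mailhub=<%= @mailhub %>:<%= @mailhub_port %>` at line 10 renders as `mailhub=host:` when `$mailhub_port` is undef, which the `Optional[Integer]` declaration in mail.pp permits; either drop `Optional` there or emit the `:port` suffix only when the value is set. The file configures no `UseTLS`/`UseSTARTTLS`, so ssmtp delivers to the mailhub in clear text; that is acceptable for a relay on localhost or a trusted segment, but the assumption deserves a comment next to the mailhub line, e.g. `# No TLS here: the mailhub is expected to be a local or trusted-network relay`, so a remote mailhub is not configured without revisiting it.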
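--- a/modules/profile/files/xmr_stak/xmr-stak.service
+++ b/modules/profile/templates/xmr_stak/xmr-stak.service.erb
@@ -8,8 +8,9 @@ WorkingDirectory=/var/lib/xmr_stak
 Type=simple
 User=xmr_stak
 Group=xmr_stak
-ExecStart=/usr/bin/cpulimit --limit 90 /usr/bin/xmr-stak -c /var/lib/xmr_stak/xmr-stak.conf
+ExecStart=/usr/bin/cpulimit --limit <%= @cpulimit %> /usr/bin/xmr-stak -c /var/lib/xmr_stak/xmr-stak.conf
 Nice=19
 
 [Install]
 WantedBy=multi-user.target
+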