Diffstat (limited to 'modules/profile')
-rw-r--r--modules/profile/manifests/apache.pp15
-rw-r--r--modules/profile/manifests/fstab.pp18
-rw-r--r--modules/profile/manifests/known_hosts.pp11
-rw-r--r--modules/profile/manifests/mail.pp14
-rw-r--r--modules/profile/manifests/postgresql.pp14
-rw-r--r--modules/profile/manifests/xmr_stak.pp14
-rw-r--r--modules/profile/templates/mail/ssmtp.conf.erb14
-rw-r--r--modules/profile/templates/xmr_stak/xmr-stak.service.erb (renamed from modules/profile/files/xmr_stak/xmr-stak.service)3
8 files changed, 85 insertions, 18 deletions
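diff --git a/modules/profile/manifests/apache.pp b/modules/profile/manifests/apache.pp
index 8db58da..382633b 100644
--- a/modules/profile/manifests/apache.pp
+++ b/modules/profile/manifests/apache.pp
@@ -67,13 +67,12 @@ class profile::apache {
  install_method => "package",
  package_name => "certbot",
  package_command => "certbot",
- # FIXME
- email => 'sites+letsencrypt@mail.immae.eu',
+ email => lookup('letsencrypt::email'),
  }
 
- $real_hostname = lookup("base_installation::real_hostname") |$key| { {} }
+ $real_hostname = lookup("base_installation::real_hostname", { "default_value" => undef })
  unless empty($real_hostname) {
- if (lookup("ssl::try_letsencrypt_for_real_hostname") |$key| { true }) {
+ if (lookup("letsencrypt::try_for_real_hostname", { "default_value" => true })) {
  letsencrypt::certonly { $real_hostname:
  before => Apache::Vhost["default_ssl"];
  default: * => $::profile::apache::letsencrypt_certonly_default;
@@ -110,6 +109,14 @@ class profile::apache {
  }
  }
 
+ lookup("letsencrypt::hosts", { "default_value" => [] }).each |$host| {
+ if ($host != $real_hostname) { # Done above already
+ letsencrypt::certonly { $host: ;
+ default: * => $letsencrypt_certonly_default;
+ }
+ }
+ }
+
  apache::vhost { "redirect_no_ssl":
  port => '80',
  error_log => false,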
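Review bot: The new `letsencrypt::hosts` loop declares one `letsencrypt::certonly` per entry of whatever Hiera returns, with no type check and no de-duplication. A host listed twice would abort compilation as a duplicate resource declaration, and a wrongly shaped value would surface as a confusing error far from the data that caused it. Consider `lookup("letsencrypt::hosts", { "value_type" => Array[String], "default_value" => [] }).unique.each |$host| {`, assuming the Puppet version in use provides `unique`. The loop also uses the unqualified `$letsencrypt_certonly_default` while the block above spells it `$::profile::apache::letsencrypt_certonly_default`; one spelling throughout would read better.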
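diff --git a/modules/profile/manifests/fstab.pp b/modules/profile/manifests/fstab.pp
new file mode 100644
index 0000000..5f2e58e
--- /dev/null
+++ b/modules/profile/manifests/fstab.pp
@@ -0,0 +1,18 @@
+class profile::fstab (
+ Optional[Array] $mounts = []
+) {
+ $mounts.each |$mount| {
+ unless empty($mount) {
+ $infos = split($mount, ';')
+
+ file { $infos[0]:
+ ensure => directory,
+ } ->
+ mount { $infos[0]:
+ ensure => mounted,
+ device => "UUID=${infos[1]}",
+ fstype => $infos[2]
+ }
+ }
+ }
+}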
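Review bot: Each entry of `$mounts` is split on `;` and used without checking that it yields three fields, so a short entry produces `device => "UUID="` or an undefined `fstype`, and `$infos[0]` reaches both `file` and `mount` as a path with no shape check. Tighten the parameter to `Array[String] $mounts = []` (`Optional` only adds `undef`, which the `.each` call cannot handle) and fail early, for example `unless $infos.length == 3 { fail("profile::fstab: expected 'mountpoint;uuid;fstype', got '${mount}'") }`. The `mount` resource also sets no `options`, so flags such as `nodev` or `nosuid` cannot be applied to these filesystems from data. An optional fourth field would cover that.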
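diff --git a/modules/profile/manifests/known_hosts.pp b/modules/profile/manifests/known_hosts.pp
new file mode 100644
index 0000000..ed9ec8e
--- /dev/null
+++ b/modules/profile/manifests/known_hosts.pp
@@ -0,0 +1,11 @@
+class profile::known_hosts (
+ Optional[Array] $hosts = []
+) {
+ $hosts.each |$host| {
+ sshkey { $host["name"]:
+ ensure => "present",
+ key => $host["key"],
+ type => $host["type"],
+ }
+ }
+}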
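Review bot: `$hosts` is typed `Optional[Array]`, yet every entry is dereferenced as `$host["name"]`, `$host["key"]` and `$host["type"]` with no check that it is a hash carrying those keys. These resources pin the SSH host keys that clients on the node will trust, so a malformed or partial entry should stop compilation rather than yield a half-defined `sshkey`. I would declare the parameter as `Array[Struct[{"name" => String[1], "key" => String[1], "type" => String[1]}]] $hosts = []`. A class-level comment stating where the key material comes from and how it was verified would also help the next reader.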
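diff --git a/modules/profile/manifests/mail.pp b/modules/profile/manifests/mail.pp
new file mode 100644
index 0000000..cc47b77
--- /dev/null
+++ b/modules/profile/manifests/mail.pp
@@ -0,0 +1,14 @@
+class profile::mail (
+ String $mailhub,
+ Optional[Integer] $mailhub_port = 25,
+) {
+ ensure_packages(["s-nail", "ssmtp"])
+
+ $hostname = lookup("base_installation::real_hostname")
+
+ file { "/etc/ssmtp/ssmtp.conf":
+ ensure => "present",
+ content => template("profile/mail/ssmtp.conf.erb"),
+ }
+}
+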
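Review bot: The `file { "/etc/ssmtp/ssmtp.conf": }` resource sets no `owner`, `group` or `mode`, and has no explicit dependency on the `ssmtp` package that presumably creates `/etc/ssmtp`. Permissions are therefore left to whatever already exists on disk, which matters as soon as credentials such as `AuthPass` are added to this file. Ordering against the package install also rests on declaration order alone. Suggest adding `owner => "root", group => "root", mode => "0644",` (tighter once secrets are added) and `require => Package["ssmtp"],`. `$mailhub_port` could also be narrowed to `Integer[1, 65535]`, since the template renders it straight into `mailhub=`.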
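diff --git a/modules/profile/manifests/postgresql.pp b/modules/profile/manifests/postgresql.pp
index 1024c66..2cd1bcc 100644
--- a/modules/profile/manifests/postgresql.pp
+++ b/modules/profile/manifests/postgresql.pp
@@ -1,5 +1,5 @@
 class profile::postgresql {
- $password_seed = lookup("base_installation::puppet_pass_seed") |$key| { {} }
+ $password_seed = lookup("base_installation::puppet_pass_seed")
 
  class { '::postgresql::globals':
  encoding => 'UTF-8',
@@ -32,7 +32,7 @@ class profile::postgresql {
  database => 'all',
  user => $pg_user,
  auth_method => 'ident',
- order => "a1",
+ order => "00-01",
  }
  postgresql::server::pg_hba_rule { 'localhost access as postgres user':
  description => 'Allow localhost access to postgres user',
@@ -41,7 +41,7 @@ class profile::postgresql {
  user => $pg_user,
  address => "127.0.0.1/32",
  auth_method => 'md5',
- order => "a2",
+ order => "00-02",
  }
  postgresql::server::pg_hba_rule { 'localhost ip6 access as postgres user':
  description => 'Allow localhost access to postgres user',
@@ -50,7 +50,7 @@ class profile::postgresql {
  user => $pg_user,
  address => "::1/128",
  auth_method => 'md5',
- order => "a3",
+ order => "00-03",
  }
  postgresql::server::pg_hba_rule { 'deny access to postgresql user':
  description => 'Deny remote access to postgres user',
@@ -59,7 +59,7 @@ class profile::postgresql {
  user => $pg_user,
  address => "0.0.0.0/0",
  auth_method => 'reject',
- order => "a4",
+ order => "00-04",
  }
 
  postgresql::server::pg_hba_rule { 'local access':
@@ -68,7 +68,7 @@ class profile::postgresql {
  database => 'all',
  user => 'all',
  auth_method => 'md5',
- order => "b1",
+ order => "10-01",
  }
 
  postgresql::server::pg_hba_rule { 'local access with same name':
@@ -77,7 +77,7 @@ class profile::postgresql {
  database => 'all',
  user => 'all',
  auth_method => 'ident',
- order => "b2",
+ order => "10-02",
  }
 
 }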
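Review bot: The new `order` values (`00-01` to `00-04`, then `10-01` and `10-02`) encode a two-level scheme that is not explained anywhere in the visible hunks. pg_hba.conf is matched first-rule-wins, so the `reject` rule at `00-04` only protects the postgres user if it sorts ahead of the `user => 'all'` rules at `10-xx` and ahead of anything another profile adds; the values are presumably compared as strings. I would add a comment above the first rule, along the lines of `# order is "GG-NN": group 00 = postgres-user rules, must sort first; group 10 = generic local access`, adjusted to the intended convention. The hunks show only the tail of each resource, so this rests on the visible attributes alone. Separately, the visible reject rule covers `0.0.0.0/0` only, and whether a `::/0` counterpart exists is outside the hunks.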
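diff --git a/modules/profile/manifests/xmr_stak.pp b/modules/profile/manifests/xmr_stak.pp
index e5582eb..ccb6baa 100644
--- a/modules/profile/manifests/xmr_stak.pp
+++ b/modules/profile/manifests/xmr_stak.pp
@@ -1,4 +1,9 @@
-class profile::xmr_stak {
+class profile::xmr_stak (
+ String $mining_pool,
+ String $wallet,
+ Optional[String] $cpulimit = "50",
+ Optional[String] $password = "x",
+) {
  ensure_resource('exec', 'systemctl daemon-reload', {
  command => '/usr/bin/systemctl daemon-reload',
  refreshonly => true
@@ -21,15 +26,12 @@ class profile::xmr_stak {
  mode => "0644",
  owner => "root",
  group => "root",
- source => "puppet:///modules/profile/xmr_stak/xmr-stak.service",
+ content => template("profile/xmr_stak/xmr-stak.service.erb"),
  require => User["xmr_stak"],
  notify => Exec["systemctl daemon-reload"]
  }
 
- $mining_pool = lookup("xmr_stak::mining_pool") |$key| { {} }
- $wallet = lookup("xmr_stak::wallet") |$key| { {} }
- $password = lookup("xmr_stak::password") |$key| { "x" }
- $instance = regsubst($facts["ec2_metadata"]["hostname"], '\.', "_", "G")
+ $instance = regsubst(lookup("base_installation::ldap_cn"), '\.', "_", "G")
 
  file { "/var/lib/xmr_stak/xmr-stak.conf":
  mode => "0644",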
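Review bot: `$cpulimit` is declared `Optional[String]` and the renamed unit template renders it verbatim into `ExecStart=` (`--limit <%= @cpulimit %>` in xmr-stak.service.erb), so any string from Hiera, including one with spaces or extra options, becomes part of the service command line. Constrain it at the class boundary, for example `Pattern[/\A\d+\z/] $cpulimit = "50",`. The default also lowers the effective limit from the previously hard-coded 90 to 50, which deserves a comment or a line in the commit message. `$wallet`, `$mining_pool` and `$password` could be `String[1]` so an empty value fails at compile time. The `file { "/var/lib/xmr_stak/xmr-stak.conf": }` resource continues outside the hunk; it is `mode => "0644"` in the visible context and presumably carries the pool password.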
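diff --git a/modules/profile/templates/mail/ssmtp.conf.erb b/modules/profile/templates/mail/ssmtp.conf.erb
new file mode 100644
index 0000000..e7a0410
--- /dev/null
+++ b/modules/profile/templates/mail/ssmtp.conf.erb
@@ -0,0 +1,14 @@
+#
+# /etc/ssmtp.conf -- a config file for sSMTP sendmail.
+#
+# The person who gets all mail for userids < 1000
+# Make this empty to disable rewriting.
+root=postmaster
+# The place where the mail goes. The actual machine name is required
+# no MX records are consulted. Commonly mailhosts are named mail.domain.com
+# The example will fit if you are in domain.com and you mailhub is so named.
+mailhub=<%= @mailhub %>:<%= @mailhub_port %>
+# Where will the mail seem to come from?
+#rewriteDomain=y
+# The full hostname
+hostname=<%= @hostname %>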
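Review bot: The generated ssmtp.conf carries no TLS settings, so mail handed to `<%= @mailhub %>` on the default port 25 travels in clear text unless the relay is reached over a trusted path. If the mailhub supports it, add `UseSTARTTLS=YES` (or `UseTLS=YES` for an implicit-TLS port) behind a class parameter, so a host that really needs plaintext has to opt out explicitly. The header comment still names `/etc/ssmtp.conf` while the manifest installs the file at `/etc/ssmtp/ssmtp.conf`. A first line such as `# Managed by Puppet (profile::mail) - local changes will be overwritten` would serve readers better.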
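diff --git a/modules/profile/files/xmr_stak/xmr-stak.service b/modules/profile/templates/xmr_stak/xmr-stak.service.erb
index 93ee383..d63103b 100644
--- a/modules/profile/files/xmr_stak/xmr-stak.service
+++ b/modules/profile/templates/xmr_stak/xmr-stak.service.erb
@@ -8,8 +8,9 @@ WorkingDirectory=/var/lib/xmr_stak
 Type=simple
 User=xmr_stak
 Group=xmr_stak
-ExecStart=/usr/bin/cpulimit --limit 90 /usr/bin/xmr-stak -c /var/lib/xmr_stak/xmr-stak.conf
+ExecStart=/usr/bin/cpulimit --limit <%= @cpulimit %> /usr/bin/xmr-stak -c /var/lib/xmr_stak/xmr-stak.conf
 Nice=19
 
 [Install]
 WantedBy=multi-user.target
+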