2 package { 'iptables-persistent':
5 resources { 'firewall':
8 Package['iptables-persistent'] ->
13 todest => "${$ips[front-nginx]}:80",
14 iniface => $internet_iface,
16 chain => 'PREROUTING',
18 firewall { '80 dnat-https':
22 todest => "${$ips[front-nginx]}:443",
23 iniface => $internet_iface,
25 chain => 'PREROUTING',
27 firewall {'80 dnatv6':
28 provider => 'ip6tables',
32 todest => "[${$ipsv6[front-nginx]}]:80",
33 iniface => $internet_iface,
37 firewall {'80 dnatv6-https':
38 provider => 'ip6tables',
42 todest => "[${$ipsv6[front-nginx]}]:443",
43 iniface => $internet_iface,
47 firewall {'80 MASQ-v6':
48 provider => 'ip6tables',
49 chain => 'POSTROUTING',
53 source => "[fc00:1::]/64",
54 outiface => $internet_iface,
56 firewall { '80 dnat-git':
60 todest => "${$ips[gitweb]}:9418",
61 iniface => $internet_iface,
63 chain => 'PREROUTING',
# Forward SSH from the internet-facing interface into the 'hop' container
# (the only SSH DNAT visible in this section).  NOTE(review): the dport
# line of this rule is not shown here; confirm it is a port other than 22,
# or that the host's own sshd is not bound on $internet_iface, otherwise
# this PREROUTING rule silently steals the host's SSH port.
65 firewall { '80 dnat-htop-ssh':
69 todest => "${$ips[hop]}:22",
70 iniface => $internet_iface,
72 chain => 'PREROUTING',
75 chain => 'POSTROUTING',
79 outiface => $internet_iface,
80 source => '10.0.3.0/24',
# Turn on IPv4 and IPv6 forwarding so the DNAT/MASQUERADE rules above can
# route traffic into the containers.  Writing /proc/sys directly is not
# persisted across a reboot: the next agent run re-applies it, but there is
# a window after boot with forwarding off.  NOTE(review): a sysctl.conf
# entry would close that window.  The command also relies on the exec
# provider's implicit /bin/sh fallback for the ">" redirection;
# provider => shell would make that explicit.
88 exec { "enable forwarding on $hostname":
# The file holds a single 0 or 1, so matching a literal "1" is sufficient.
90 command => "/bin/echo 1 > /proc/sys/net/ipv4/ip_forward",
91 unless => "/bin/grep -q 1 /proc/sys/net/ipv4/ip_forward",
# Ordered after the lxc class - presumably so the container bridge exists
# before forwarding is switched on.
92 require => Class['lxc']
93 } -> exec { "enable v6 forwarding on $hostname":
95 command => "/bin/echo 1 > /proc/sys/net/ipv6/conf/all/forwarding",
96 unless => "/bin/grep -q 1 /proc/sys/net/ipv6/conf/all/forwarding"
98 file_line {"root-resolv1":
99 path => "/etc/resolv.conf",
101 match_for_absence => "true",
105 file_line {"root-resolv2":
106 path => "/etc/resolv.conf",
108 match_for_absence => "true",
# Key material for the cassiopeia signer link is generated on this host only
# when the signer runs locally ('self').  In the other branch (its surrounding
# lines are not shown here) the same resource deliberately runs /bin/false
# until signer_client.crt has been placed by hand, so the resource - and
# anything depending on it - fails rather than proceeding without the
# certificate.
112 if $signerLocation == 'self' {
113 exec {"create cassiopeia-comm-keys":
114 command => '/etc/puppet/code/modules/cassiopeia/mkcassiopeia',
# `creates` makes this a one-shot.  NOTE(review): if mkcassiopeia fails
# after writing signer_client.crt, the rest of the material is never
# regenerated - confirm the script writes the .crt last.
115 creates => '/etc/puppet/code/modules/cassiopeia/files/signer_client.crt'
118 exec {"create cassiopeia-comm-keys":
119 command => '/bin/false',
120 creates => '/etc/puppet/code/modules/cassiopeia/files/signer_client.crt'
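# Build the PKCS#12 keystore used by gigi's "mail" identity, protected by a
# fresh random password, whenever the client certificate is (re)issued.
#
# The keystore wraps client.key, so neither it nor the password file may be
# readable by anyone but root: umask 077 is set before either file is
# created (the agent's default umask would otherwise leave them
# world-readable).  The keystore is written to a temporary name and moved
# into place last, so a failed openssl run cannot leave a truncated
# keystore.pkcs12 that is newer than client.crt and therefore never retried.
#
# The -CAfile path previously read /etc/puppet/codemodules/... (missing
# slash); openssl pkcs12 only consults -CAfile together with -chain, which is
# presumably why the typo went unnoticed.  client.key is kept outside files/,
# presumably so the puppet file server does not expose it - keep it there.
exec {"gigi keystore.pkcs12":
  command => '/bin/bash -c \'set -e -o pipefail; umask 077; keystorepw=$(/usr/bin/head -c 15 /dev/urandom | base64); /usr/bin/openssl pkcs12 -export -name "mail" -in /etc/puppet/code/modules/gigi/files/client.crt -inkey /etc/puppet/code/modules/gigi/client.key -CAfile /etc/puppet/code/modules/nre/files/config/ca/root.crt -password file:<(echo "$keystorepw") -out /etc/puppet/code/modules/gigi/files/keystore.pkcs12.tmp; /usr/bin/printf "%s" "$keystorepw" > /etc/puppet/code/modules/gigi/files/keystorepw; /bin/mv /etc/puppet/code/modules/gigi/files/keystore.pkcs12.tmp /etc/puppet/code/modules/gigi/files/keystore.pkcs12\'',
  # Regenerate only when client.crt is newer than the keystore; the second
  # clause turns the exec into a no-op while no client.crt exists yet.
  # NOTE(review): a rotated client.key with an unchanged client.crt is not
  # detected by this check.
  unless  => '/usr/bin/[ /etc/puppet/code/modules/gigi/files/keystore.pkcs12 -nt /etc/puppet/code/modules/gigi/files/client.crt ] || ! /usr/bin/[ -f /etc/puppet/code/modules/gigi/files/client.crt ]'
}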
127 lxc::container { 'front-nginx':
128 contname => 'front-nginx',
129 ip => $ips[front-nginx],
130 require => File['/data/crl/htdocs']
132 lxc::container_bind{ '/data/nginx':
133 container => 'front-nginx',
137 lxc::container_bind{ '/data/crl':
138 container => 'front-nginx',
139 target => 'data-crl',
142 lxc::container_bind{ '/data/gigi-crl':
143 container => 'front-nginx',
144 target => 'data-crl-gigi',
147 lxc::container_bind{ '/run/gitweb-socket':
148 container => 'front-nginx',
149 target => 'gitweb-socket',
151 lxc::container_bind{ '/run/git-smart-http-socket':
152 container => 'front-nginx',
153 target => 'git-smart-http-socket',
# /data/git is also handed to front-nginx.  nginx presumably only reads from
# it, so it should be bind-mounted read-only the way the gitweb container
# gets it (option => ",ro" below) - the option line of this bind is not
# visible here, confirm it is set.
155 lxc::container_bind{ '/data/git':
156 container => 'front-nginx',
161 ensure => 'directory',
163 file { '/data/nginx':
164 ensure => 'directory',
167 ensure => 'directory',
168 owner => $administrativeUser
171 ensure => 'directory',
172 owner => $administrativeUser,
174 file { '/data/gigi-crl':
175 ensure => 'directory',
176 owner => $administrativeUser
178 file { '/data/crl/htdocs':
179 ensure => 'directory',
180 owner => $administrativeUser
182 file { '/data/postgres/conf':
183 ensure => 'directory',
185 file { '/data/postgres/data':
186 ensure => 'directory',
188 file { '/data/postgres':
189 ensure => 'directory',
192 ensure => 'directory',
194 lxc::container { 'postgres-primary':
195 contname => 'postgres-primary',
196 ip => $ips[postgres],
197 dir => ["/var/lib/postgresql", "/etc/postgresql"],
199 "/data/postgres/data" => { target => "var/lib/postgresql"},
200 "/data/postgres/conf" => { target => "etc/postgresql"}
# When the signer is reached over the serial line, the gigi container is
# granted the ttyS0 character device (major 4, minor 64, read/write/mknod)
# through its cgroup device whitelist.  The other selector arms are not
# shown here.
203 $gigi_serial_conf= $signerLocation ? {
205 '/dev/ttyS0' => ["lxc.cgroup.devices.allow = c 4:64 rwm"]
208 lxc::container { 'gigi':
211 dir => ["/var/lib/wpia-gigi", "/var/lib/wpia-gigi/keys", '/var/lib/cassiopeia', '/var/lib/cassiopeia/ca'],
# Keys and the CA tree are bind-mounted from the host's /data, presumably so
# they outlive container rebuilds; /data/gigi-crl is additionally mounted
# into front-nginx (as data-crl-gigi) above, i.e. whatever lands in
# var/lib/cassiopeia/ca is web-served - keep private key material elsewhere.
213 "/data/gigi" => { target => "var/lib/wpia-gigi/keys"},
214 "/data/gigi-crl" => { target => "var/lib/cassiopeia/ca"}
216 confline => $gigi_serial_conf,
218 if $signerLocation == 'self' {
219 lxc::container { 'cassiopeia':
220 contname => 'cassiopeia',
221 ip => $ips[cassiopeia]
224 lxc::container { 'exim':
228 lxc::container { 'hop':
232 lxc::container { 'quiz':
236 File <| tag == root |>
237 Lxc::Container <| tag == root |>
238 Lxc::Container_bind <| tag == root |>
239 file{'/run/gitweb-socket':
240 ensure => 'directory'
242 file{'/run/git-smart-http-socket':
243 ensure => 'directory'
245 lxc::container { 'gitweb':
246 contname => 'gitweb',
247 dir => ['/gitweb-socket', '/git-smart-http-socket', '/srv/git'],
249 "/run/gitweb-socket" => { 'target' => "gitweb-socket"},
250 "/run/git-smart-http-socket" => { 'target' => "git-smart-http-socket"},
251 "/data/git" => { 'target' => "srv/git", option => ",ro"}
255 # Required for bootstrap-user
257 ensure => 'installed'