# Host firewall. iptables-persistent saves/restores the rule set across reboots; the
# 'resources' declaration presumably purges unmanaged firewall rules (its parameters are
# not visible here). Only a subset of each resource's parameters is shown on this page.
# NOTE(review): hash keys like $ips[front-nginx] are unquoted hyphenated barewords, which
# only the Puppet 3 lexer accepts; on Puppet 4+ this parses as `front - nginx` — quote
# them ('front-nginx') if the manifest is ever moved forward.
2 package { 'iptables-persistent':
5 resources { 'firewall':
8 Package['iptables-persistent'] ->
# IPv4: DNAT inbound 80/443 arriving on the internet-facing interface to front-nginx.
13 todest => "${$ips[front-nginx]}:80",
14 iniface => $internet_iface,
16 chain => 'PREROUTING',
18 firewall { '80 dnat-https':
22 todest => "${$ips[front-nginx]}:443",
23 iniface => $internet_iface,
25 chain => 'PREROUTING',
# IPv6 counterparts (provider => ip6tables). The address is bracketed because ip6tables'
# --to-destination takes "[addr]:port".
27 firewall {'80 dnatv6':
28 provider => 'ip6tables',
32 todest => "[${$ipsv6[front-nginx]}]:80",
33 iniface => $internet_iface,
37 firewall {'80 dnatv6-https':
38 provider => 'ip6tables',
42 todest => "[${$ipsv6[front-nginx]}]:443",
43 iniface => $internet_iface,
# SECURITY: this rule (and its IPv4 twin '80 dnat-htop-ssh' below) publishes the 'hop'
# container's SSH port 22 directly on the internet-facing interface. Nothing on this page
# shows how that container protects itself (key-only auth, rate limiting, auditing) — confirm
# before treating 'hop' as the only internet-reachable shell.
47 firewall {'80 dnatv6-hop-ssh':
48 provider => 'ip6tables',
52 todest => "[${$ipsv6[hop]}]:22",
53 iniface => $internet_iface,
# Masquerade outbound v6 traffic from the containers' ULA prefix via the internet interface.
# NOTE(review): the bracketed "[fc00:1::]/64" form is ip6tables --to-destination syntax;
# `-s` normally takes a bare prefix — confirm the firewall module accepts brackets on 'source'.
57 firewall {'80 MASQ-v6':
58 provider => 'ip6tables',
59 chain => 'POSTROUTING',
63 source => "[fc00:1::]/64",
64 outiface => $internet_iface,
# git:// (9418) is an unauthenticated, unencrypted protocol; it is forwarded to the gitweb
# container, which (see its bind mounts) only has the repositories read-only.
66 firewall { '80 dnat-git':
70 todest => "${$ips[gitweb]}:9418",
71 iniface => $internet_iface,
73 chain => 'PREROUTING',
# IPv4 SSH exposure of 'hop' (see the note on the v6 rule above). The title reads "htop"
# while the target is $ips[hop] — presumably a typo; titles are only identifiers, but
# renaming one removes and re-adds the rule if unmanaged rules are purged.
75 firewall { '80 dnat-htop-ssh':
79 todest => "${$ips[hop]}:22",
80 iniface => $internet_iface,
82 chain => 'PREROUTING',
# IPv4 masquerade for the 10.0.3.0/24 container range (presumably the LXC bridge network;
# the resource title and other parameters are not shown).
85 chain => 'POSTROUTING',
89 outiface => $internet_iface,
90 source => '10.0.3.0/24',
# Turn on IPv4 and IPv6 forwarding so DNAT'd traffic can actually reach the containers.
# These write /proc directly and are NOT persistent: after a reboot forwarding is off again
# until the next agent run, while iptables-persistent has already restored the NAT rules.
# A sysctl.d entry (or a sysctl resource) would make the setting survive reboots.
# The 'unless' guards grep for a '1' in the single-character file, keeping the execs
# idempotent. Forwarding is only enabled once the lxc class has been applied, and the v6
# exec is ordered after the v4 one via the '->' chain.
98 exec { "enable forwarding on $hostname":
100 command => "/bin/echo 1 > /proc/sys/net/ipv4/ip_forward",
101 unless => "/bin/grep -q 1 /proc/sys/net/ipv4/ip_forward",
102 require => Class['lxc']
103 } -> exec { "enable v6 forwarding on $hostname":
105 command => "/bin/echo 1 > /proc/sys/net/ipv6/conf/all/forwarding",
106 unless => "/bin/grep -q 1 /proc/sys/net/ipv6/conf/all/forwarding"
# Two managed lines in the host's /etc/resolv.conf (the 'line'/'match'/'ensure' values are
# not visible on this page).
# NOTE(review): match_for_absence is passed as the string "true"; stdlib's file_line
# documents a bare boolean (match_for_absence => true). Confirm the string form is honoured
# by the stdlib version in use — if it is not, 'match' is ignored for ensure => absent.
108 file_line {"root-resolv1":
109 path => "/etc/resolv.conf",
111 match_for_absence => "true",
115 file_line {"root-resolv2":
116 path => "/etc/resolv.conf",
118 match_for_absence => "true",
# Signer communication keys. When the signer runs on this host ('self'), the module's helper
# script generates them, guarded by 'creates' so it runs once. In every other case the same
# resource title is declared with '/bin/false': if signer_client.crt has not been provisioned
# out of band, the exec runs, exits non-zero and the Puppet run fails — a deliberate guard
# rather than silent generation. What mkcassiopeia writes, and with which file modes, is not
# visible here; the certificate lands under the module's files/ directory, which the Puppet
# fileserver normally serves to agents — confirm no private material is placed next to it.
122 if $signerLocation == 'self' {
123 exec {"create cassiopeia-comm-keys":
124 command => '/etc/puppet/code/modules/cassiopeia/mkcassiopeia',
125 creates => '/etc/puppet/code/modules/cassiopeia/files/signer_client.crt'
128 exec {"create cassiopeia-comm-keys":
129 command => '/bin/false',
130 creates => '/etc/puppet/code/modules/cassiopeia/files/signer_client.crt'
# Builds a PKCS#12 keystore ("mail" alias) for the gigi mail client from the module's client
# certificate and key, with a fresh random password (15 bytes from /dev/urandom, base64).
# SECURITY notes on this command string (fixes belong in the command, not in this comment):
#  - the password is written in clear to .../gigi/files/keystorepw, and both output files are
#    created under the agent's default umask — nothing here pins their mode; the module's
#    files/ directory is normally served by the Puppet fileserver, so confirm who can fetch it.
#  - TODO(review): '-CAfile /etc/puppet/codemodules/...' is missing the '/' after 'code' and
#    points at a path that presumably does not exist. Because no '-chain' option is given,
#    openssl most likely never opens that file, which would explain why this has not failed —
#    and means the exported keystore probably carries no CA chain. Fix the path and decide
#    whether '-chain' is intended.
#  - the private key is read from modules/gigi/client.key (outside files/), the cert and the
#    outputs live under files/.
# 'unless' skips the rebuild when the keystore is already newer than client.crt, or when
# client.crt does not exist at all (a missing cert is therefore not an error at this point).
133 exec {"gigi keystore.pkcs12":
134 command => '/bin/bash -c \'keystorepw=$(/usr/bin/head -c 15 /dev/urandom | base64); /usr/bin/openssl pkcs12 -export -name "mail" -in /etc/puppet/code/modules/gigi/files/client.crt -inkey /etc/puppet/code/modules/gigi/client.key -CAfile /etc/puppet/codemodules/nre/files/config/ca/root.crt -password file:<(echo $keystorepw) > /etc/puppet/code/modules/gigi/files/keystore.pkcs12; /usr/bin/printf "%s" "$keystorepw" > /etc/puppet/code/modules/gigi/files/keystorepw\'',
135 unless => '/usr/bin/[ /etc/puppet/code/modules/gigi/files/keystore.pkcs12 -nt /etc/puppet/code/modules/gigi/files/client.crt ] || ! /usr/bin/[ -f /etc/puppet/code/modules/gigi/files/client.crt ]'
# The public reverse proxy: an LXC container at $ips[front-nginx], the address the DNAT rules
# target. It must not be created before the CRL htdocs directory exists. Host directories are
# bind-mounted in: the nginx data tree, the two CRL publication directories, the gitweb and
# git-smart-http unix sockets, and the git repositories.
# NOTE(review): no mount option is visible for the /data/git bind here, whereas the gitweb
# container binds the same directory with option ',ro'. If the proxy only ever reads these
# repositories, a read-only bind would limit what a compromised nginx could alter.
137 lxc::container { 'front-nginx':
138 contname => 'front-nginx',
139 ip => $ips[front-nginx],
140 require => File['/data/crl/htdocs']
142 lxc::container_bind{ '/data/nginx':
143 container => 'front-nginx',
147 lxc::container_bind{ '/data/crl':
148 container => 'front-nginx',
149 target => 'data-crl',
152 lxc::container_bind{ '/data/gigi-crl':
153 container => 'front-nginx',
154 target => 'data-crl-gigi',
157 lxc::container_bind{ '/run/gitweb-socket':
158 container => 'front-nginx',
159 target => 'gitweb-socket',
161 lxc::container_bind{ '/run/git-smart-http-socket':
162 container => 'front-nginx',
163 target => 'git-smart-http-socket',
165 lxc::container_bind{ '/data/git':
166 container => 'front-nginx',
# Host-side data directories that are later bind-mounted into containers. Several are owned
# by $administrativeUser; no 'mode' is visible for any of them, so they take whatever the
# agent's default yields. Worth pinning explicitly for /data/gigi* — /data/gigi is mounted
# as the gigi container's key directory — and for the postgres data directory.
171 ensure => 'directory',
173 file { '/data/nginx':
174 ensure => 'directory',
177 ensure => 'directory',
178 owner => $administrativeUser
181 ensure => 'directory',
182 owner => $administrativeUser,
184 file { '/data/gigi-crl':
185 ensure => 'directory',
186 owner => $administrativeUser
188 file { '/data/crl/htdocs':
189 ensure => 'directory',
190 owner => $administrativeUser
192 file { '/data/postgres/conf':
193 ensure => 'directory',
195 file { '/data/postgres/data':
196 ensure => 'directory',
198 file { '/data/postgres':
199 ensure => 'directory',
202 ensure => 'directory',
# Database container. Its data and config directories are the host's /data/postgres/*
# trees, so they survive container rebuilds; 'dir' pre-creates the mount points inside the
# container. No firewall rule on this page forwards anything to $ips[postgres], i.e. it is
# reachable only from the container network.
204 lxc::container { 'postgres-primary':
205 contname => 'postgres-primary',
206 ip => $ips[postgres],
207 dir => ["/var/lib/postgresql", "/etc/postgresql"],
209 "/data/postgres/data" => { target => "var/lib/postgresql"},
210 "/data/postgres/conf" => { target => "etc/postgresql"}
# Serial-attached signer: when $signerLocation is '/dev/ttyS0' the container's device cgroup
# is opened for char device 4:64 (ttyS0) with rwm, so gigi can reach the signer over serial.
# The other selector branches are not visible here. Device passthrough widens the container's
# boundary; keep it to exactly this one node.
213 $gigi_serial_conf= $signerLocation ? {
215 '/dev/ttyS0' => ["lxc.cgroup.devices.allow = c 4:64 rwm"]
# The gigi application container: /data/gigi becomes its key directory and /data/gigi-crl the
# cassiopeia CA directory; the serial confline computed above is appended to its LXC config.
218 lxc::container { 'gigi':
221 dir => ["/var/lib/wpia-gigi", "/var/lib/wpia-gigi/keys", '/var/lib/cassiopeia', '/var/lib/cassiopeia/ca'],
223 "/data/gigi" => { target => "var/lib/wpia-gigi/keys"},
224 "/data/gigi-crl" => { target => "var/lib/cassiopeia/ca"}
226 confline => $gigi_serial_conf,
# The cassiopeia (signer) container only exists when the signer runs on this host; otherwise
# it is reached over serial or another transport selected by $signerLocation. The exim, hop
# and quiz containers are declared unconditionally (their parameters are not shown). Of these,
# 'hop' is the one the firewall exposes on port 22 to the internet.
228 if $signerLocation == 'self' {
229 lxc::container { 'cassiopeia':
230 contname => 'cassiopeia',
231 ip => $ips[cassiopeia]
234 lxc::container { 'exim':
238 lxc::container { 'hop':
242 lxc::container { 'quiz':
# Collect (and realize, if virtual) every File, lxc::container and lxc::container_bind
# resource tagged 'root' that was declared elsewhere.
246 File <| tag == root |>
247 Lxc::Container <| tag == root |>
248 Lxc::Container_bind <| tag == root |>
# Socket directories shared between the gitweb container (which creates the sockets) and
# front-nginx (which proxies to them); both containers bind-mount these host paths.
249 file{'/run/gitweb-socket':
250 ensure => 'directory'
252 file{'/run/git-smart-http-socket':
253 ensure => 'directory'
# gitweb / git-smart-http container. The repositories are bound read-only (option ',ro'),
# so the unauthenticated git:// and HTTP services can serve but never modify them.
255 lxc::container { 'gitweb':
256 contname => 'gitweb',
257 dir => ['/gitweb-socket', '/git-smart-http-socket', '/srv/git'],
259 "/run/gitweb-socket" => { 'target' => "gitweb-socket"},
260 "/run/git-smart-http-socket" => { 'target' => "git-smart-http-socket"},
261 "/data/git" => { 'target' => "srv/git", option => ",ro"}
# Package needed by the bootstrap-user setup (the package name is not visible on this page).
265 # Required for bootstrap-user
267 ensure => 'installed'