# Host firewall / NAT layer.  Rules are managed with the puppetlabs firewall
# type and persisted by iptables-persistent; the arrow ordering below makes sure
# the package is installed before any rule is written.
# NOTE(review): the `resources { 'firewall': }` declaration presumably purges
# unmanaged rules (its attributes are not visible in this excerpt) -- confirm,
# since purge is what guarantees stray hand-added rules do not survive a run.
2 package { 'iptables-persistent':
5 resources { 'firewall':
8 Package['iptables-persistent'] ->
# Internet-facing DNAT on $internet_iface: 80 and 443 go to the front-nginx
# container, 22 goes to the hop container.  Everything DNATed here is reachable
# from the Internet, so those two containers are the exposed perimeter.
13 todest => "${$ips[front-nginx]}:80",
14 iniface => $internet_iface,
16 chain => 'PREROUTING',
18 firewall { '80 dnat-https':
22 todest => "${$ips[front-nginx]}:443",
23 iniface => $internet_iface,
25 chain => 'PREROUTING',
# NOTE(review): the title reads "htop" but the target is the hop container; the
# title is only an ordering key, so this is cosmetic.  Nothing in this rule
# restricts the source address, i.e. sshd on hop is directly Internet-facing --
# confirm its hardening (key-only auth, no root login) is managed elsewhere.
27 firewall { '80 dnat-htop-ssh':
31 todest => "${$ips[hop]}:22",
32 iniface => $internet_iface,
34 chain => 'PREROUTING',
# Source NAT for the whole container network (10.0.3.0/24) leaving via
# $internet_iface.  NOTE(review): this grants outbound Internet access to every
# container on the bridge, not only the DNAT targets above; egress filtering,
# if wanted, has to live in the FORWARD chain (not visible here).
37 chain => 'POSTROUTING',
41 outiface => $internet_iface,
42 source => '10.0.3.0/24',
# LXC bridge (lxcbr0) and IPv4 forwarding on the host, chained so the bridge
# configuration is in place before the interface is (re)started.
50 package {'bridge-utils':
52 } -> file {'/etc/network/interfaces.d/lxcbr0':
53 source => 'puppet:///modules/lxc/lxcbr0'
# ifdown;ifup re-applies the bridge config whenever the file changes
# (subscribe).  The ';' is deliberate: a failing ifdown (interface not up yet)
# must not prevent the ifup.
54 } -> exec {'ifup lxcbr0':
55 command => '/sbin/ifdown lxcbr0; /sbin/ifup lxcbr0',
57 subscribe => File['/etc/network/interfaces.d/lxcbr0']
# NOTE(review): writing /proc/sys directly is not persistent across reboots and
# no sysctl.d entry is visible here, so after a reboot forwarding -- and with it
# every DNAT/NAT rule above -- stays off until the next Puppet run.  A sysctl
# resource or an /etc/sysctl.d drop-in would make it durable.  Also, once
# forwarding is on, the FORWARD chain policy becomes security-relevant: confirm
# it is DROP with explicit accepts for the DNAT targets.
58 } -> exec { "enable forwarding on $hostname":
60 command => "/bin/echo 1 > /proc/sys/net/ipv4/ip_forward",
61 unless => "/bin/grep -q 1 /proc/sys/net/ipv4/ip_forward";
# Host resolver configuration.  match_for_absence only has an effect together
# with ensure => absent (drop any line matching `match` even when `line`
# differs); the ensure/match/line attributes are outside this excerpt -- confirm
# they are set, otherwise the parameter is a no-op.  The value is given as the
# string "true"; stdlib's file_line accepts that form, but the bare boolean
# `true` is the documented one.
63 file_line {"root-resolv1":
64 path => "/etc/resolv.conf",
66 match_for_absence => "true",
70 file_line {"root-resolv2":
71 path => "/etc/resolv.conf",
73 match_for_absence => "true",
# Signer/communication key material for cassiopeia.  When the signer lives on
# this host the helper script generates it; otherwise the exec is a deliberate
# tripwire: /bin/false fails the run unless signer_client.crt has already been
# placed in the module's files/ directory out of band, so a host with a remote
# signer cannot silently come up without a signer identity.
77 if $signerLocation == 'self' {
78 exec {"create cassiopeia-comm-keys":
79 command => '/etc/puppet/code/modules/cassiopeia/mkcassiopeia',
80 creates => '/etc/puppet/code/modules/cassiopeia/files/signer_client.crt'
# NOTE(review): only the certificate is used as the "done" marker; what
# mkcassiopeia does with the matching private key is not visible here.  Confirm
# the key is written outside files/ (the fileserver-exported tree), as gigi's
# client.key is below.
83 exec {"create cassiopeia-comm-keys":
84 command => '/bin/false',
85 creates => '/etc/puppet/code/modules/cassiopeia/files/signer_client.crt'
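# Build the PKCS#12 keystore gigi uses for mail from the client cert/key and the
# nre root CA, protected by a freshly generated random password (15 random
# bytes, base64) that is stored next to it.
# Security note: keystore.pkcs12 and keystorepw both land in the module's files/
# directory, i.e. the fileserver-exported tree, and together they yield the
# private key.  The fileserver's access rules for modules/gigi must therefore be
# limited to the node(s) that need them.  File modes are deliberately left at
# the exec's default umask: puppetserver must still be able to read the files
# to serve them.
# Failure handling: the script runs with `set -e -o pipefail`, so an openssl
# failure fails the Puppet run instead of being masked by the trailing printf.
# The keystore is written to a temp file and moved into place only after the
# password file exists; with the original `> keystore.pkcs12` redirect a failed
# export left an empty keystore whose mtime satisfied the -nt check below, so
# the failure was never retried.  The CAfile path now matches every other path
# here (/etc/puppet/code/modules/...; the original said "codemodules" -- openssl
# ignores -CAfile without -chain, which is why the typo was silent).
88 exec {"gigi keystore.pkcs12":
89 command => '/bin/bash -c \'set -e -o pipefail; ks=/etc/puppet/code/modules/gigi/files/keystore.pkcs12; trap "/bin/rm -f $ks.tmp" EXIT; keystorepw=$(/usr/bin/head -c 15 /dev/urandom | /usr/bin/base64); /usr/bin/openssl pkcs12 -export -name "mail" -in /etc/puppet/code/modules/gigi/files/client.crt -inkey /etc/puppet/code/modules/gigi/client.key -CAfile /etc/puppet/code/modules/nre/files/config/ca/root.crt -password file:<(echo $keystorepw) -out $ks.tmp; /usr/bin/printf "%s" "$keystorepw" > /etc/puppet/code/modules/gigi/files/keystorepw; /bin/mv $ks.tmp $ks\'',
# Re-run only when client.crt exists and is newer than the keystore (i.e. the
# client certificate was rotated).
90 unless => '/usr/bin/[ /etc/puppet/code/modules/gigi/files/keystore.pkcs12 -nt /etc/puppet/code/modules/gigi/files/client.crt ] || ! /usr/bin/[ -f /etc/puppet/code/modules/gigi/files/client.crt ]'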
# Public web front-end.  This container is the DNAT target for 80/443 from the
# Internet (see the firewall rules above), i.e. the exposed edge.  All of its
# data is bind-mounted read-only (",ro"), so a compromised nginx cannot alter
# the served content or the published CRLs from inside the container (assuming
# the container cannot remount -- true for unprivileged containers; confirm).
92 lxc::container { 'front-nginx':
93 contname => 'front-nginx',
94 ip => $ips[front-nginx],
95 dir => ["/data", "/data-crl", '/data-crl-gigi'],
97 "/data/nginx" => {target => "data", option => ",ro"},
98 "/data/crl" => {target => "data-crl", option => ",ro"},
99 "/data/gigi-crl" => {target => "data-crl-gigi", option => ",ro"}
101 require => File['/data/nginx', '/data/crl/htdocs', '/data/gigi-crl']
# Host-side directories backing the container bind mounts.  The nginx, CRL and
# gigi-crl trees are owned by $administrativeUser (the account that publishes
# into them); no mode is set, so they get the file type's default.
104 ensure => 'directory',
106 file { '/data/nginx':
107 ensure => 'directory',
110 ensure => 'directory',
111 owner => $administrativeUser
113 file { '/data/gigi-crl':
114 ensure => 'directory',
115 owner => $administrativeUser
117 file { '/data/crl/htdocs':
118 ensure => 'directory',
119 owner => $administrativeUser
# NOTE(review): the postgres directories set neither owner nor mode.  They are
# mounted read-write into postgres-primary (see below); whether the in-container
# postgres uid can write them depends on the container's uid mapping, which is
# not visible here -- confirm.
121 file { '/data/postgres/conf':
122 ensure => 'directory',
124 file { '/data/postgres/data':
125 ensure => 'directory',
127 file { '/data/postgres':
128 ensure => 'directory',
131 ensure => 'directory',
# Database container.  Data and config live on the host as read-write bind
# mounts (no ",ro": postgres has to write both) so they survive container
# rebuilds.  It has no DNAT rule above, so it is not Internet-facing.
133 lxc::container { 'postgres-primary':
134 contname => 'postgres-primary',
135 ip => $ips[postgres],
136 dir => ["/var/lib/postgresql", "/etc/postgresql"],
138 "/data/postgres/data" => { target => "var/lib/postgresql"},
139 "/data/postgres/conf" => { target => "etc/postgresql"}
141 require => File['/data/postgres']
# When the signer is attached over a serial line, the gigi container is granted
# the ttyS0 character device (major 4, minor 64) with read/write/mknod.
# NOTE(review): "m" lets the container create the device node itself; if the
# node is instead bind-mounted in, "rw" would be the least-privilege form --
# confirm how /dev/ttyS0 reaches the container.  The other selector arms are
# outside this excerpt.
143 $gigi_serial_conf= $signerLocation ? {
145 '/dev/ttyS0' => ["lxc.cgroup.devices.allow = c 4:64 rwm"]
# gigi holds the signing-related key material (wpia-gigi/keys and the
# cassiopeia ca/ directory).  /data/gigi-crl is the same host path that
# front-nginx serves read-only above, so gigi is the writer of the CRLs.
148 lxc::container { 'gigi':
151 dir => ["/var/lib/wpia-gigi", "/var/lib/wpia-gigi/keys", '/var/lib/cassiopeia', '/var/lib/cassiopeia/ca'],
153 "/data/gigi" => { target => "var/lib/wpia-gigi/keys"},
154 "/data/gigi-crl" => { target => "var/lib/cassiopeia/ca"}
156 confline => $gigi_serial_conf,
157 require => File['/data/gigi', '/data/gigi-crl']
# The local signer (cassiopeia) is only instantiated when the signer is this
# host; with any other $signerLocation it is presumably reached through the
# serial device granted to gigi above.
159 if $signerLocation == 'self' {
160 lxc::container { 'cassiopeia':
161 contname => 'cassiopeia',
162 ip => $ips[cassiopeia]
# Remaining containers.  'hop' is the SSH DNAT target from the Internet (see
# the firewall rules above), i.e. the bastion -- treat it as exposed.
165 lxc::container { 'exim':
169 lxc::container { 'hop':
173 lxc::container { 'quiz':
177 # Required for bootstrap-user
179 ensure => 'installed'