# NOTE(review): this listing is an excerpt — only the numbered manifest
# lines are shown, so every resource below is missing some attributes
# (ensure, proto, dport, jump, ...). Comments describe only what is visible.
2 package { 'iptables-persistent':
# Declares the firewall resource type as managed as a whole (a purge flag,
# if any, is on an elided line).
5 resources { 'firewall':
# The persistence package is applied before any firewall rule so the rules
# can be saved on the host.
8 Package['iptables-persistent'] ->
# DNAT rules in PREROUTING on the internet-facing interface: traffic that
# arrives on $internet_iface is forwarded to a container address taken from
# $ips. If this is puppetlabs-firewall, the leading number in each title is
# the rule-ordering prefix; '80 dnat-https', '80 dnat-git' and
# '80 dnat-htop-ssh' all reuse "80" although they forward different ports,
# so the prefix does not encode the port.
# NOTE(review): $ips[front-nginx] (and $ips[gitweb], $ips[hop] below) use an
# unquoted key containing '-'; confirm the Puppet version in use parses that
# as a single key — quoting it ('front-nginx') removes the ambiguity.
13 todest => "${$ips[front-nginx]}:80",
14 iniface => $internet_iface,
16 chain => 'PREROUTING',
18 firewall { '80 dnat-https':
22 todest => "${$ips[front-nginx]}:443",
23 iniface => $internet_iface,
25 chain => 'PREROUTING',
# git protocol port 9418 is published to the gitweb container.
27 firewall { '80 dnat-git':
31 todest => "${$ips[gitweb]}:9418",
32 iniface => $internet_iface,
34 chain => 'PREROUTING',
# Publishes port 22 of the 'hop' container on the internet-facing
# interface, i.e. this is the externally reachable SSH entry point. The
# title says 'htop-ssh' while the target is $ips[hop] — presumably a typo
# for 'hop-ssh'.
36 firewall { '80 dnat-htop-ssh':
40 todest => "${$ips[hop]}:22",
41 iniface => $internet_iface,
43 chain => 'PREROUTING',
# POSTROUTING rule for the container subnet 10.0.3.0/24 leaving through
# $internet_iface; its jump target is on an elided line (presumably
# MASQUERADE/SNAT so that containers can reach the internet).
46 chain => 'POSTROUTING',
50 outiface => $internet_iface,
51 source => '10.0.3.0/24',
# Host-side bridge for the containers: install bridge-utils, drop the lxcbr0
# interface definition, bounce the interface whenever that file changes,
# then turn on IPv4 forwarding.
59 package {'bridge-utils':
61 } -> file {'/etc/network/interfaces.d/lxcbr0':
62 source => 'puppet:///modules/lxc/lxcbr0'
# The ';' in the command needs a shell to interpret it; no provider is
# visible on the shown lines — confirm one is set, or split this into two
# execs. The subscribe below already orders this exec after the file, and
# unless a refreshonly => true exists on an elided line the interface is
# bounced on every agent run.
63 } -> exec {'ifup lxcbr0':
64 command => '/sbin/ifdown lxcbr0; /sbin/ifup lxcbr0',
66 subscribe => File['/etc/network/interfaces.d/lxcbr0']
# Enables forwarding immediately through /proc/sys; that setting does not
# survive a reboot unless it is also persisted (e.g. via sysctl), which this
# excerpt does not show. The '>' redirection likewise needs a shell.
67 } -> exec { "enable forwarding on $hostname":
69 command => "/bin/echo 1 > /proc/sys/net/ipv4/ip_forward",
70 unless => "/bin/grep -q 1 /proc/sys/net/ipv4/ip_forward";
# Manages two lines of /etc/resolv.conf (their line/match/ensure attributes
# are on elided lines). match_for_absence is given as the string "true":
# Puppet 4+ treats any non-empty string as truthy, so this works, but the
# string "false" would be truthy as well — prefer the bare boolean true.
72 file_line {"root-resolv1":
73 path => "/etc/resolv.conf",
75 match_for_absence => "true",
79 file_line {"root-resolv2":
80 path => "/etc/resolv.conf",
82 match_for_absence => "true",
# Cassiopeia (signer) client key material. When the signer runs on this
# host, the mkcassiopeia script generates signer_client.crt once (guarded by
# creates). The second exec — presumably the else branch; the closing brace
# and else line are not shown — has the same title and creates guard but
# runs /bin/false, so a missing certificate makes the agent run fail loudly
# instead of silently generating one.
86 if $signerLocation == 'self' {
87 exec {"create cassiopeia-comm-keys":
88 command => '/etc/puppet/code/modules/cassiopeia/mkcassiopeia',
89 creates => '/etc/puppet/code/modules/cassiopeia/files/signer_client.crt'
92 exec {"create cassiopeia-comm-keys":
93 command => '/bin/false',
94 creates => '/etc/puppet/code/modules/cassiopeia/files/signer_client.crt'
# Builds the gigi mail keystore: a random password (15 bytes from
# /dev/urandom, base64-encoded) protects a PKCS#12 export of the gigi client
# certificate and key, and the password is then written to files/keystorepw
# next to the keystore. The password reaches openssl through process
# substitution (-password file:<(...)) rather than as an argument, so it is
# not visible in the process list. The script is a single-quoted Puppet
# string, so $keystorepw is expanded by bash, not by Puppet.
# NOTE(review): neither keystore.pkcs12 nor keystorepw gets an explicit mode
# here — they are created with the agent's umask; confirm their permissions
# are restricted elsewhere.
# NOTE(review): the -CAfile path is /etc/puppet/codemodules/... while every
# other path on this line is /etc/puppet/code/modules/... — this looks like
# a missing '/'; with a wrong CA path the export fails or lacks the chain,
# so verify the path.
97 exec {"gigi keystore.pkcs12":
98 command => '/bin/bash -c \'keystorepw=$(/usr/bin/head -c 15 /dev/urandom | base64); /usr/bin/openssl pkcs12 -export -name "mail" -in /etc/puppet/code/modules/gigi/files/client.crt -inkey /etc/puppet/code/modules/gigi/client.key -CAfile /etc/puppet/codemodules/nre/files/config/ca/root.crt -password file:<(echo $keystorepw) > /etc/puppet/code/modules/gigi/files/keystore.pkcs12; /usr/bin/printf "%s" "$keystorepw" > /etc/puppet/code/modules/gigi/files/keystorepw\'',
# Skip the export when the keystore is already newer than client.crt, or
# when client.crt does not exist at all. The '||' and '!' here need a shell
# as well; the provider is not visible on the shown lines.
99 unless => '/usr/bin/[ /etc/puppet/code/modules/gigi/files/keystore.pkcs12 -nt /etc/puppet/code/modules/gigi/files/client.crt ] || ! /usr/bin/[ -f /etc/puppet/code/modules/gigi/files/client.crt ]'
# Containers and the host directories they bind-mount. For each container
# the mount map is "host path" => { target => path inside the container,
# option => extra mount options }; the lines holding the mount-map attribute
# name itself are elided.
101 lxc::container { 'front-nginx':
102 contname => 'front-nginx',
103 ip => $ips[front-nginx],
104 dir => ["/data", "/data-crl", '/data-crl-gigi', '/gitweb-socket', '/git-smart-http-socket', '/srv/git'],
# Host data directories are mounted read-only (",ro"); the two /run socket
# directories stay writable so nginx can talk to the gitweb backends.
106 "/data/nginx" => {target => "data", option => ",ro"},
107 "/data/crl" => {target => "data-crl", option => ",ro"},
108 "/data/gigi-crl" => {target => "data-crl-gigi", option => ",ro"},
109 "/run/gitweb-socket" => {target => 'gitweb-socket'},
110 "/run/git-smart-http-socket" => {target => 'git-smart-http-socket'},
# Mixed quoting of the 'target' key versus the bare target above — same
# key, style only.
111 "/data/git" => { 'target' => "srv/git", option => ",ro"}
113 require => File['/data/nginx', '/data/crl/htdocs', '/data/gigi-crl']
# Host directories backing the mounts (several titles are on elided lines).
# Those with owner => $administrativeUser are writable by the admin account;
# /data/nginx shows no owner here.
116 ensure => 'directory',
118 file { '/data/nginx':
119 ensure => 'directory',
122 ensure => 'directory',
123 owner => $administrativeUser
126 ensure => 'directory',
127 owner => $administrativeUser,
129 file { '/data/gigi-crl':
130 ensure => 'directory',
131 owner => $administrativeUser
133 file { '/data/crl/htdocs':
134 ensure => 'directory',
135 owner => $administrativeUser
137 file { '/data/postgres/conf':
138 ensure => 'directory',
140 file { '/data/postgres/data':
141 ensure => 'directory',
143 file { '/data/postgres':
144 ensure => 'directory',
147 ensure => 'directory',
# Postgres container: data and config directories are bind-mounted
# read-write from /data/postgres (no ",ro" option).
149 lxc::container { 'postgres-primary':
150 contname => 'postgres-primary',
151 ip => $ips[postgres],
152 dir => ["/var/lib/postgresql", "/etc/postgresql"],
154 "/data/postgres/data" => { target => "var/lib/postgresql"},
155 "/data/postgres/conf" => { target => "etc/postgresql"}
157 require => File['/data/postgres']
# Extra container config for gigi chosen by the signer location: with a
# serial-attached signer on /dev/ttyS0 the container's device cgroup is
# opened for char device 4:64 (the conventional major:minor of ttyS0) so
# the signer link can be passed through. The other selector arms are
# elided.
159 $gigi_serial_conf= $signerLocation ? {
161 '/dev/ttyS0' => ["lxc.cgroup.devices.allow = c 4:64 rwm"]
# gigi container: key material under /data/gigi and the CA/CRL directory
# are mounted read-write (no ",ro"); contname/ip lines are elided.
164 lxc::container { 'gigi':
167 dir => ["/var/lib/wpia-gigi", "/var/lib/wpia-gigi/keys", '/var/lib/cassiopeia', '/var/lib/cassiopeia/ca'],
169 "/data/gigi" => { target => "var/lib/wpia-gigi/keys"},
170 "/data/gigi-crl" => { target => "var/lib/cassiopeia/ca"}
172 confline => $gigi_serial_conf,
173 require => File['/data/gigi', '/data/gigi-crl']
# The signer itself runs as a container only when this host is the signer.
175 if $signerLocation == 'self' {
176 lxc::container { 'cassiopeia':
177 contname => 'cassiopeia',
178 ip => $ips[cassiopeia]
181 lxc::container { 'exim':
185 lxc::container { 'hop':
189 lxc::container { 'quiz':
# Socket directories shared between front-nginx and gitweb; created by
# Puppet because /run is normally volatile.
193 file{'/run/gitweb-socket':
194 ensure => 'directory'
196 file{'/run/git-smart-http-socket':
197 ensure => 'directory'
# gitweb container: the repository tree is read-only (",ro"); only the
# socket directories are writable.
199 lxc::container { 'gitweb':
200 require => File['/data/git', '/run/gitweb-socket', '/run/git-smart-http-socket'],
201 contname => 'gitweb',
202 dir => ['/gitweb-socket', '/git-smart-http-socket', '/srv/git'],
204 "/run/gitweb-socket" => { 'target' => "gitweb-socket"},
205 "/run/git-smart-http-socket" => { 'target' => "git-smart-http-socket"},
206 "/data/git" => { 'target' => "srv/git", option => ",ro"}
210 # Required for bootstrap-user
# NOTE(review): the package title for this resource is on an elided line.
212 ensure => 'installed'