table => 'nat',
chain => 'PREROUTING',
} ->
+ firewall {'80 dnatv6':
+ provider => 'ip6tables',
+ proto => 'tcp',
+ dport => '80',
+ jump => 'DNAT',
+ todest => "[${$ipsv6[front-nginx]}]:80",
+ iniface => $internet_iface,
+ table => 'nat',
+ chain => 'PREROUTING'
+ } ->
+ firewall {'80 dnatv6-https':
+ provider => 'ip6tables',
+ proto => 'tcp',
+ dport => '443',
+ jump => 'DNAT',
+ todest => "[${$ipsv6[front-nginx]}]:443",
+ iniface => $internet_iface,
+ table => 'nat',
+ chain => 'PREROUTING'
+ } ->
+ firewall {'80 dnatv6-hop-ssh':
+ provider => 'ip6tables',
+ proto => 'tcp',
+ dport => '2222',
+ jump => 'DNAT',
+ todest => "[${$ipsv6[hop]}]:22",
+ iniface => $internet_iface,
+ table => 'nat',
+ chain => 'PREROUTING'
+ } ->
+ firewall {'80 MASQ-v6':
+ provider => 'ip6tables',
+ chain => 'POSTROUTING',
+ table => 'nat',
+ proto => 'all',
+ jump => 'MASQUERADE',
+ source => "[fc00:1::]/64",
+ outiface => $internet_iface,
+ } ->
+ firewall { '80 dnat-git':
+ proto => 'tcp',
+ dport => '9418',
+ jump => 'DNAT',
+ todest => "${$ips[gitweb]}:9418",
+ iniface => $internet_iface,
+ table => 'nat',
+ chain => 'PREROUTING',
+ } ->
firewall { '80 dnat-htop-ssh':
proto => 'tcp',
dport => '2222',
node host01 {
include my_fw::post
include lxc
- package {'bridge-utils':
- ensure => 'installed'
- } -> file {'/etc/network/interfaces.d/lxcbr0':
- source => 'puppet:///modules/lxc/lxcbr0'
- } -> exec {'ifup lxcbr0':
- command => '/sbin/ifdown lxcbr0; /sbin/ifup lxcbr0',
- refreshonly => true,
- subscribe => File['/etc/network/interfaces.d/lxcbr0']
- } -> exec { "enable forwarding on $hostname":
+ exec { "enable forwarding on $hostname":
user => "root",
command => "/bin/echo 1 > /proc/sys/net/ipv4/ip_forward",
- unless => "/bin/grep -q 1 /proc/sys/net/ipv4/ip_forward";
+ unless => "/bin/grep -q 1 /proc/sys/net/ipv4/ip_forward",
+ require => Class['lxc']
+ } -> exec { "enable v6 forwarding on $hostname":
+ user => "root",
+ command => "/bin/echo 1 > /proc/sys/net/ipv6/conf/all/forwarding",
+ unless => "/bin/grep -q 1 /proc/sys/net/ipv6/conf/all/forwarding"
}->
file_line {"root-resolv1":
path => "/etc/resolv.conf",
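Review bot: The new `enable v6 forwarding` exec only flips the running kernel's `net.ipv6.conf.all/forwarding`, so the value is lost at reboot until the next agent run, during which the v6 DNAT rules from the firewall chain forward nothing; persisting both sysctls through a file such as `file { '/etc/sysctl.d/60-forwarding.conf': content => "net.ipv4.ip_forward = 1\nnet.ipv6.conf.all.forwarding = 1\n" }` would cover the v4 exec above it as well. Enabling `all/forwarding` also makes the kernel stop honouring Router Advertisements on every interface unless `accept_ra` is 2, so if `$internet_iface` obtains its v6 default route from RAs this can silently drop it — worth confirming on this host before merging. The `unless => "/bin/grep -q 1 ..."` guard accepts any line containing a `1`; `grep -qx 1` pins the whole value. The enclosing `node host01` block continues past the end of this hunk.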
lxc::container { 'front-nginx':
contname => 'front-nginx',
ip => $ips[front-nginx],
- dir => ["/data", "/data-crl", '/data-crl-gigi'],
- bind => {
- "/data/nginx" => {target => "data", option => ",ro"},
- "/data/crl" => {target => "data-crl", option => ",ro"},
- "/data/gigi-crl" => {target => "data-crl-gigi", option => ",ro"}
- },
- require => File['/data/nginx', '/data/crl/htdocs', '/data/gigi-crl']
+ require => File['/data/crl/htdocs']
+ }
+ lxc::container_bind{ '/data/nginx':
+ container => 'front-nginx',
+ target => 'data',
+ option => ',ro'
+ }
+ lxc::container_bind{ '/data/crl':
+ container => 'front-nginx',
+ target => 'data-crl',
+ option => ',ro'
+ }
+ lxc::container_bind{ '/data/gigi-crl':
+ container => 'front-nginx',
+ target => 'data-crl-gigi',
+ option => ',ro'
+ }
+ lxc::container_bind{ '/run/gitweb-socket':
+ container => 'front-nginx',
+ target => 'gitweb-socket',
+ }
+ lxc::container_bind{ '/run/git-smart-http-socket':
+ container => 'front-nginx',
+ target => 'git-smart-http-socket',
+ }
+ lxc::container_bind{ '/data/git':
+ container => 'front-nginx',
+ target => 'srv/git',
+ option => ',ro'
}
file { '/data':
ensure => 'directory',
ensure => 'directory',
owner => $administrativeUser
}
+ file { '/data/git':
+ ensure => 'directory',
+ owner => $administrativeUser,
+ }
file { '/data/gigi-crl':
ensure => 'directory',
owner => $administrativeUser
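Review bot: The new `lxc::container_bind` resources carry no `require` on their source directories, while the container's old `require => File['/data/nginx', '/data/crl/htdocs', '/data/gigi-crl']` is cut down to `File['/data/crl/htdocs']`; unless `lxc::container_bind` autorequires its title path (the define is not visible here), a fresh host can now have the bind entries for `/data/nginx`, `/data/gigi-crl` and the new `/data/git` rendered before those `file` resources exist. Adding `require => File['/data/nginx']` (and the matching one to each bind) restores the previous ordering. The `/run/gitweb-socket` and `/run/git-smart-http-socket` binds are presumably left read-write so the container can connect to the sockets; since every other bind is `,ro`, a one-line comment saying so would stop a later reader from "fixing" them. The duplicated `ensure => 'directory'` in the `/data` file resource is pre-existing context but could be removed while this block is being touched.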
"/data/postgres/data" => { target => "var/lib/postgresql"},
"/data/postgres/conf" => { target => "etc/postgresql"}
},
- require => File['/data/postgres']
}
$gigi_serial_conf= $signerLocation ? {
'self' => [],
"/data/gigi-crl" => { target => "var/lib/cassiopeia/ca"}
},
confline => $gigi_serial_conf,
- require => File['/data/gigi', '/data/gigi-crl']
}
if $signerLocation == 'self' {
lxc::container { 'cassiopeia':
contname => 'quiz',
ip => $ips[quiz]
}
+ File <| tag == root |>
+ Lxc::Container <| tag == root |>
+ Lxc::Container_bind <| tag == root |>
+ file{'/run/gitweb-socket':
+ ensure => 'directory'
+ }
+ file{'/run/git-smart-http-socket':
+ ensure => 'directory'
+ }
+ lxc::container { 'gitweb':
+ contname => 'gitweb',
+ dir => ['/gitweb-socket', '/git-smart-http-socket', '/srv/git'],
+ bind => {
+ "/run/gitweb-socket" => { 'target' => "gitweb-socket"},
+ "/run/git-smart-http-socket" => { 'target' => "git-smart-http-socket"},
+ "/data/git" => { 'target' => "srv/git", option => ",ro"}
+ },
+ ip => $ips[gitweb]
+ }
# Required for bootstrap-user
package {'acl':
ensure => 'installed'
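Review bot: The new `gitweb` container still uses the inline `dir`/`bind` form that this same commit replaces with `lxc::container_bind` for `front-nginx`, so the two containers now express equivalent binds in two styles; declaring the gitweb binds as `lxc::container_bind` resources keeps one convention. The bind sources `/run/gitweb-socket` and `/run/git-smart-http-socket` live on tmpfs and only exist once the agent has run after boot, so a container that autostarts before the next Puppet run will fail its bind mounts — creating them through a `/etc/tmpfiles.d/` entry or the container's pre-start hook is more robust than a plain `file` resource. The `File <| tag == root |>`, `Lxc::Container <| tag == root |>` and `Lxc::Container_bind <| tag == root |>` collectors realise every virtual or exported resource of those types carrying the `root` tag, which is inherited from any class or define of that name, so a comment naming the resources they are meant to pick up would help. The `if $signerLocation == 'self' {` opened above does not visibly close before the new collectors, so either its closing brace lies outside the shown context or the gitweb resources are conditional on the signer location — worth confirming.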