X-Git-Url: https://code.wpia.club/?a=blobdiff_plain;f=environments%2Fproduction%2Fmanifests%2Froot.pp;h=9adaee13767d6152e3f55e235247cfb506bb779d;hb=95266f6237df2334741f3ce60050618259452ed4;hp=e0411584bf14701b408088e95e8a60134408fc39;hpb=8f38a27c5d1514d7f17f859655e5e62ba38f7242;p=infra.git
diff --git a/environments/production/manifests/root.pp b/environments/production/manifests/root.pp
index e041158..9adaee1 100644
--- a/environments/production/manifests/root.pp
+++ b/environments/production/manifests/root.pp
@@ -24,6 +24,35 @@ class my_fw::post {
 table => 'nat',
 chain => 'PREROUTING',
 } ->
+ firewall {'80 dnatv6':
+ provider => 'ip6tables',
+ proto => 'tcp',
+ dport => '80',
+ jump => 'DNAT',
+ todest => "[${$ipsv6[front-nginx]}]:80",
+ iniface => $internet_iface,
+ table => 'nat',
+ chain => 'PREROUTING'
+ } ->
+ firewall {'80 dnatv6-https':
+ provider => 'ip6tables',
+ proto => 'tcp',
+ dport => '443',
+ jump => 'DNAT',
+ todest => "[${$ipsv6[front-nginx]}]:443",
+ iniface => $internet_iface,
+ table => 'nat',
+ chain => 'PREROUTING'
+ } ->
+ firewall {'80 MASQ-v6':
+ provider => 'ip6tables',
+ chain => 'POSTROUTING',
+ table => 'nat',
+ proto => 'all',
+ jump => 'MASQUERADE',
+ source => "[fc00:1::]/64",
+ outiface => $internet_iface,
+ } ->
 firewall { '80 dnat-git':
 proto => 'tcp',
 dport => '9418',
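Review bot: The `source => "[fc00:1::]/64"` on the `'80 MASQ-v6'` rule uses bracket notation, which as far as I know ip6tables' `-s` does not accept; brackets are only needed in `--to-destination` where a port follows, so unless the firewall module is known to normalize the value this should read `source => 'fc00:1::/64'`. The two DNAT rules steer inbound IPv6 80/443 to front-nginx in the nat table, but no matching FORWARD-chain accept for that destination is visible in this hunk, so confirm one exists elsewhere in `my_fw` or the translated packets are dropped by the filter table. Minor style point: `chain => 'PREROUTING'` in both DNAT rules lacks the trailing comma the sibling rules carry. The enclosing `my_fw::post` class begins before the hunk.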
@@ -56,18 +85,15 @@ class my_fw::post {
 node host01 {
 include my_fw::post
 include lxc
- package {'bridge-utils':
- ensure => 'installed'
- } -> file {'/etc/network/interfaces.d/lxcbr0':
- source => 'puppet:///modules/lxc/lxcbr0'
- } -> exec {'ifup lxcbr0':
- command => '/sbin/ifdown lxcbr0; /sbin/ifup lxcbr0',
- refreshonly => true,
- subscribe => File['/etc/network/interfaces.d/lxcbr0']
- } -> exec { "enable forwarding on $hostname":
+ exec { "enable forwarding on $hostname":
 user => "root",
 command => "/bin/echo 1 > /proc/sys/net/ipv4/ip_forward",
- unless => "/bin/grep -q 1 /proc/sys/net/ipv4/ip_forward";
+ unless => "/bin/grep -q 1 /proc/sys/net/ipv4/ip_forward",
+ require => Class['lxc']
+ } -> exec { "enable v6 forwarding on $hostname":
+ user => "root",
+ command => "/bin/echo 1 > /proc/sys/net/ipv6/conf/all/forwarding",
+ unless => "/bin/grep -q 1 /proc/sys/net/ipv6/conf/all/forwarding"
 }->
 file_line {"root-resolv1":
 path => "/etc/resolv.conf",
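Review bot: The new `enable v6 forwarding` exec only writes to `/proc`, so after a reboot the host forwards no IPv6 until the next agent run and the DNAT'd 80/443 traffic added in the first hunk is dropped in the meantime; the v4 exec has the same gap, and a persistent setting (a `sysctl` resource or a file under `/etc/sysctl.d`) would close it for both. Setting `net.ipv6.conf.all.forwarding=1` also makes the kernel stop honouring router advertisements by default, so if the address on `$internet_iface` is SLAAC-assigned the uplink can lose its address when the RA lifetime expires; in that case `accept_ra=2` is needed on that interface. The `unless` grep matches any line containing a `1`, which works for a single-digit file but `/bin/grep -qx 1 ...` states the intent. `node host01` continues past the hunk.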
@@ -101,17 +127,36 @@ if $signerLocation == 'self' {
 lxc::container { 'front-nginx':
 contname => 'front-nginx',
 ip => $ips[front-nginx],
- dir => ["/data", "/data-crl", '/data-crl-gigi', '/gitweb-socket', '/git-smart-http-socket', '/srv/git'],
- bind => {
- "/data/nginx" => {target => "data", option => ",ro"},
- "/data/crl" => {target => "data-crl", option => ",ro"},
- "/data/gigi-crl" => {target => "data-crl-gigi", option => ",ro"},
- "/run/gitweb-socket" => {target => 'gitweb-socket'},
- "/run/git-smart-http-socket" => {target => 'git-smart-http-socket'},
- "/data/git" => { 'target' => "srv/git", option => ",ro"}
- },
 require => File['/data/crl/htdocs']
 }
+ lxc::container_bind{ '/data/nginx':
+ container => 'front-nginx',
+ target => 'data',
+ option => ',ro'
+ }
+ lxc::container_bind{ '/data/crl':
+ container => 'front-nginx',
+ target => 'data-crl',
+ option => ',ro'
+ }
+ lxc::container_bind{ '/data/gigi-crl':
+ container => 'front-nginx',
+ target => 'data-crl-gigi',
+ option => ',ro'
+ }
+ lxc::container_bind{ '/run/gitweb-socket':
+ container => 'front-nginx',
+ target => 'gitweb-socket',
+ }
+ lxc::container_bind{ '/run/git-smart-http-socket':
+ container => 'front-nginx',
+ target => 'git-smart-http-socket',
+ }
+ lxc::container_bind{ '/data/git':
+ container => 'front-nginx',
+ target => 'srv/git',
+ option => ',ro'
+ }
 file { '/data':
 ensure => 'directory',
 }
@@ -188,6 +233,9 @@ if $signerLocation == 'self' {
 contname => 'quiz',
 ip => $ips[quiz]
 }
+ File <| tag == root |>
+ Lxc::Container <| tag == root |>
+ Lxc::Container_bind <| tag == root |>
 file{'/run/gitweb-socket':
 ensure => 'directory'
 }
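Review bot: Moving the bind mounts out of the container's `bind` hash into standalone `lxc::container_bind` resources drops the ordering they inherited from the container's `require => File['/data/crl/htdocs']`; nothing in this hunk orders the `/data/crl` bind after that directory exists, so unless the define itself depends on the `File` resource, add `require => File['/data/crl/htdocs']` to the `'/data/crl'` bind. The leading comma in `option => ',ro'` exposes how the define assembles the mount line; if the define accepts a plain `ro` that would read better, but that cannot be confirmed from here. A one-line comment on the first bind would record the intent that every data path is exported read-only into the internet-facing container and only the two sockets are writable, e.g. `# data paths are ro in front-nginx; only the sockets need rw`. The enclosing `if $signerLocation == 'self'` block starts and ends outside the hunk.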
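Review bot: The three collectors `File <| tag == root |>`, `Lxc::Container <| tag == root |>` and `Lxc::Container_bind <| tag == root |>` realize every virtual resource carrying the `root` tag anywhere in the catalog, and nothing here says where those virtual resources are declared or why the tag is `root`; a comment such as `# realize the virtual File/Lxc::Container/Lxc::Container_bind resources tagged 'root' (declared in <MODULE_PLACEHOLDER>)` would make that dependency visible. Because these lines sit inside the `if $signerLocation == 'self'` branch (per the hunk header), the resources are realized only on self-signing hosts, which is worth confirming is intended. Puppet auto-tags resources with the names of the classes and defines that declare them, so a tag as generic as `root` can pick up unrelated resources; a more specific tag name would narrow the collection. The enclosing block starts before the hunk.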