# Puppet manifest excerpt (not Perl): host-level firewall/NAT rules, forwarding
# sysctls, resolv.conf lines, key/keystore bootstrap execs and LXC container
# definitions. Only selected lines are shown, so most resources are partial.
# Packaging: iptables-persistent must be present before firewall resources are
# applied (ordering arrow below; its right-hand side is not shown).
2 package { 'iptables-persistent':
5 resources { 'firewall':
8 Package['iptables-persistent'] ->
# IPv4 DNAT on the PREROUTING chain: traffic entering on $internet_iface is
# redirected to the front-nginx container (port 80 here, 443 in the next rule).
# The matching proto/dport lines of each rule are not shown.
13 todest => "${$ips[front-nginx]}:80",
14 iniface => $internet_iface,
16 chain => 'PREROUTING',
18 firewall { '80 dnat-https':
22 todest => "${$ips[front-nginx]}:443",
23 iniface => $internet_iface,
25 chain => 'PREROUTING',
# IPv6 counterparts of the two rules above, via the ip6tables provider; the
# destination address is bracketed because it is an IPv6 literal with a port.
27 firewall {'80 dnatv6':
28 provider => 'ip6tables',
32 todest => "[${$ipsv6[front-nginx]}]:80",
33 iniface => $internet_iface,
37 firewall {'80 dnatv6-https':
38 provider => 'ip6tables',
42 todest => "[${$ipsv6[front-nginx]}]:443",
43 iniface => $internet_iface,
# IPv6 POSTROUTING rule for the fc00:1::/64 (ULA) container prefix leaving via
# $internet_iface. NOTE(review): the prefix is written with brackets around the
# address part — confirm the ip6tables provider accepts that form for `source`.
47 firewall {'80 MASQ-v6':
48 provider => 'ip6tables',
49 chain => 'POSTROUTING',
53 source => "[fc00:1::]/64",
54 outiface => $internet_iface,
# IPv4 DNAT for the git daemon port (9418) to the gitweb container.
56 firewall { '80 dnat-git':
60 todest => "${$ips[gitweb]}:9418",
61 iniface => $internet_iface,
63 chain => 'PREROUTING',
# IPv4 DNAT of inbound SSH (22) to the 'hop' container. The resource title says
# "htop" while the target is $ips[hop] — presumably a typo in the title only.
65 firewall { '80 dnat-htop-ssh':
69 todest => "${$ips[hop]}:22",
70 iniface => $internet_iface,
72 chain => 'PREROUTING',
# POSTROUTING rule for the 10.0.3.0/24 container network leaving via
# $internet_iface (the jump/action line is not shown; presumably MASQUERADE).
75 chain => 'POSTROUTING',
79 outiface => $internet_iface,
80 source => '10.0.3.0/24',
# Enable IPv4 and IPv6 forwarding by writing to /proc/sys at apply time; the
# `unless` guards make the execs idempotent. Writing /proc/sys only changes the
# running kernel — unless persisted elsewhere (e.g. a sysctl.d file, not shown
# here) the setting is lost on reboot until the next Puppet run.
88 exec { "enable forwarding on $hostname":
90 command => "/bin/echo 1 > /proc/sys/net/ipv4/ip_forward",
91 unless => "/bin/grep -q 1 /proc/sys/net/ipv4/ip_forward",
92 require => Class['lxc']
93 } -> exec { "enable v6 forwarding on $hostname":
95 command => "/bin/echo 1 > /proc/sys/net/ipv6/conf/all/forwarding",
96 unless => "/bin/grep -q 1 /proc/sys/net/ipv6/conf/all/forwarding"
# Managed lines in the host's /etc/resolv.conf (line/match params not shown).
# NOTE(review): match_for_absence is given as the string "true" rather than the
# bare boolean — confirm the stdlib version in use coerces it as intended.
98 file_line {"root-resolv1":
99 path => "/etc/resolv.conf",
101 match_for_absence => "true",
105 file_line {"root-resolv2":
106 path => "/etc/resolv.conf",
108 match_for_absence => "true",
# Cassiopeia communication keys: generated locally only when this host is the
# signer. In the other branch the same title runs /bin/false, so a Puppet run
# fails loudly if signer_client.crt has not been provisioned by other means
# (`creates` skips the exec once the file exists).
112 if $signerLocation == 'self' {
113 exec {"create cassiopeia-comm-keys":
114 command => '/etc/puppet/code/modules/cassiopeia/mkcassiopeia',
115 creates => '/etc/puppet/code/modules/cassiopeia/files/signer_client.crt'
118 exec {"create cassiopeia-comm-keys":
119 command => '/bin/false',
120 creates => '/etc/puppet/code/modules/cassiopeia/files/signer_client.crt'
# Build the gigi mail keystore: a random password (15 bytes from /dev/urandom,
# base64) protects the exported PKCS#12 and is then written in clear to the
# keystorepw file. NOTE(review): the -CAfile path uses '/etc/puppet/codemodules/'
# whereas every other path on this page uses '/etc/puppet/code/modules/' — this
# looks like a missing slash; verify against the module layout. The mode/owner
# of keystore.pkcs12 and keystorepw are not set here, so they depend on the
# exec's umask — consider managing them with file resources. The `unless` skips
# regeneration while the keystore is newer than client.crt, or when client.crt
# does not exist yet.
123 exec {"gigi keystore.pkcs12":
124 command => '/bin/bash -c \'keystorepw=$(/usr/bin/head -c 15 /dev/urandom | base64); /usr/bin/openssl pkcs12 -export -name "mail" -in /etc/puppet/code/modules/gigi/files/client.crt -inkey /etc/puppet/code/modules/gigi/client.key -CAfile /etc/puppet/codemodules/nre/files/config/ca/root.crt -password file:<(echo $keystorepw) > /etc/puppet/code/modules/gigi/files/keystore.pkcs12; /usr/bin/printf "%s" "$keystorepw" > /etc/puppet/code/modules/gigi/files/keystorepw\'',
125 unless => '/usr/bin/[ /etc/puppet/code/modules/gigi/files/keystore.pkcs12 -nt /etc/puppet/code/modules/gigi/files/client.crt ] || ! /usr/bin/[ -f /etc/puppet/code/modules/gigi/files/client.crt ]'
# front-nginx container: host directories bind-mounted into the container; the
# data, CRL and git trees are mounted read-only (",ro"), the two socket
# directories read-write. Requires the CRL htdocs directory to exist first.
127 lxc::container { 'front-nginx':
128 contname => 'front-nginx',
129 ip => $ips[front-nginx],
130 dir => ["/data", "/data-crl", '/data-crl-gigi', '/gitweb-socket', '/git-smart-http-socket', '/srv/git'],
132 "/data/nginx" => {target => "data", option => ",ro"},
133 "/data/crl" => {target => "data-crl", option => ",ro"},
134 "/data/gigi-crl" => {target => "data-crl-gigi", option => ",ro"},
135 "/run/gitweb-socket" => {target => 'gitweb-socket'},
136 "/run/git-smart-http-socket" => {target => 'git-smart-http-socket'},
137 "/data/git" => { 'target' => "srv/git", option => ",ro"}
139 require => File['/data/crl/htdocs']
# Host-side data directories backing the bind mounts above and below. Several
# are owned by $administrativeUser; modes are not shown on this page.
142 ensure => 'directory',
144 file { '/data/nginx':
145 ensure => 'directory',
148 ensure => 'directory',
149 owner => $administrativeUser
152 ensure => 'directory',
153 owner => $administrativeUser,
155 file { '/data/gigi-crl':
156 ensure => 'directory',
157 owner => $administrativeUser
159 file { '/data/crl/htdocs':
160 ensure => 'directory',
161 owner => $administrativeUser
163 file { '/data/postgres/conf':
164 ensure => 'directory',
166 file { '/data/postgres/data':
167 ensure => 'directory',
169 file { '/data/postgres':
170 ensure => 'directory',
173 ensure => 'directory',
# postgres-primary container: data and config directories live on the host.
175 lxc::container { 'postgres-primary':
176 contname => 'postgres-primary',
177 ip => $ips[postgres],
178 dir => ["/var/lib/postgresql", "/etc/postgresql"],
180 "/data/postgres/data" => { target => "var/lib/postgresql"},
181 "/data/postgres/conf" => { target => "etc/postgresql"}
# Extra LXC config for gigi, selected on $signerLocation (the other selector
# arms are not shown): when the signer is reached over the serial line, allow
# the container access to char device 4:64 (the usual number of ttyS0).
184 $gigi_serial_conf= $signerLocation ? {
186 '/dev/ttyS0' => ["lxc.cgroup.devices.allow = c 4:64 rwm"]
# gigi container: key material and the cassiopeia CA directory are bind-mounted
# from the host (read-write — no ",ro" option here).
189 lxc::container { 'gigi':
192 dir => ["/var/lib/wpia-gigi", "/var/lib/wpia-gigi/keys", '/var/lib/cassiopeia', '/var/lib/cassiopeia/ca'],
194 "/data/gigi" => { target => "var/lib/wpia-gigi/keys"},
195 "/data/gigi-crl" => { target => "var/lib/cassiopeia/ca"}
197 confline => $gigi_serial_conf,
# The signer container itself only exists on the host that is the signer.
199 if $signerLocation == 'self' {
200 lxc::container { 'cassiopeia':
201 contname => 'cassiopeia',
202 ip => $ips[cassiopeia]
# Remaining containers (parameters mostly not shown).
205 lxc::container { 'exim':
209 lxc::container { 'hop':
213 lxc::container { 'quiz':
# Socket directories shared between front-nginx and gitweb via bind mounts.
217 file{'/run/gitweb-socket':
218 ensure => 'directory'
220 file{'/run/git-smart-http-socket':
221 ensure => 'directory'
# gitweb container: shares the socket directories with front-nginx and gets a
# read-only view of the git repositories.
223 lxc::container { 'gitweb':
224 contname => 'gitweb',
225 dir => ['/gitweb-socket', '/git-smart-http-socket', '/srv/git'],
227 "/run/gitweb-socket" => { 'target' => "gitweb-socket"},
228 "/run/git-smart-http-socket" => { 'target' => "git-smart-http-socket"},
229 "/data/git" => { 'target' => "srv/git", option => ",ro"}
# Package needed by the bootstrap user (package title not shown).
233 # Required for bootstrap-user
235 ensure => 'installed'