]> WPIA git - infra.git/blobdiff - environments/production/manifests/root.pp
projects / infra.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
fix: accept dp to work with current gigi and others
[infra.git] / environments / production / manifests / root.pp
diff --git a/environments/production/manifests/root.pp b/environments/production/manifests/root.pp
index e2b5d6b11417c6023ad656dd3158f0d46548c49e..c193f9a9dcb04e92dea3a17be01b7816830c66ef 100644 (file)
--- a/environments/production/manifests/root.pp
+++ b/environments/production/manifests/root.pp
@@ -24,6 +24,45 @@ class my_fw::post {
     table    => 'nat',
     chain    => 'PREROUTING',
   } ->
+  firewall {'80 dnatv6':
+    provider => 'ip6tables',
+    proto  => 'tcp',
+    dport => '80',
+    jump => 'DNAT',
+    todest => "[${$ipsv6[front-nginx]}]:80",
+    iniface => $internet_iface,
+    table => 'nat',
+    chain => 'PREROUTING'
+  } ->
+  firewall {'80 dnatv6-https':
+    provider => 'ip6tables',
+    proto  => 'tcp',
+    dport => '443',
+    jump => 'DNAT',
+    todest => "[${$ipsv6[front-nginx]}]:443",
+    iniface => $internet_iface,
+    table => 'nat',
+    chain => 'PREROUTING'
+  } ->
+  firewall {'80 dnatv6-hop-ssh':
+    provider => 'ip6tables',
+    proto  => 'tcp',
+    dport => '2222',
+    jump => 'DNAT',
+    todest => "[${$ipsv6[hop]}]:22",
+    iniface => $internet_iface,
+    table => 'nat',
+    chain => 'PREROUTING'
+  } ->
+  firewall {'80 MASQ-v6':
+    provider => 'ip6tables',
+    chain => 'POSTROUTING',
+    table => 'nat',
+    proto  => 'all',
+    jump => 'MASQUERADE',
+    source => "[fc00:1::]/64",
+    outiface => $internet_iface,
+  } ->
   firewall { '80 dnat-git':
     proto  => 'tcp',
     dport  => '9418',
@@ -56,18 +95,15 @@ class my_fw::post {
 node host01 {
     include my_fw::post
     include lxc
-    package {'bridge-utils':
-        ensure => 'installed'
-    } -> file {'/etc/network/interfaces.d/lxcbr0':
-        source => 'puppet:///modules/lxc/lxcbr0'
-    } -> exec {'ifup lxcbr0':
-      command => '/sbin/ifdown lxcbr0; /sbin/ifup lxcbr0',
-      refreshonly => true,
-      subscribe => File['/etc/network/interfaces.d/lxcbr0']
-    } -> exec { "enable forwarding on $hostname":
+    exec { "enable forwarding on $hostname":
       user    => "root",
       command => "/bin/echo 1 > /proc/sys/net/ipv4/ip_forward",
-      unless  => "/bin/grep -q 1 /proc/sys/net/ipv4/ip_forward";
+      unless  => "/bin/grep -q 1 /proc/sys/net/ipv4/ip_forward",
+      require => Class['lxc']
+    } -> exec { "enable v6 forwarding on $hostname":
+      user    => "root",
+      command => "/bin/echo 1 > /proc/sys/net/ipv6/conf/all/forwarding",
+      unless  => "/bin/grep -q 1 /proc/sys/net/ipv6/conf/all/forwarding"
     }->
       file_line {"root-resolv1":
       path   => "/etc/resolv.conf",
@@ -101,15 +137,35 @@ if $signerLocation == 'self' {
     lxc::container { 'front-nginx':
         contname => 'front-nginx',
         ip => $ips[front-nginx],
-        dir => ["/data", "/data-crl", '/data-crl-gigi', '/gitweb-socket', '/srv/git'],
-        bind => {
-          "/data/nginx" => {target => "data", option => ",ro"},
-          "/data/crl" => {target => "data-crl", option => ",ro"},
-          "/data/gigi-crl" => {target => "data-crl-gigi", option => ",ro"},
-          "/run/gitweb-socket" => {target => 'gitweb-socket'},
-          "/data/git" => { 'target' => "srv/git", option => ",ro"}
-        },
-        require => File['/data/nginx', '/data/crl/htdocs', '/data/gigi-crl']
+        require => File['/data/crl/htdocs']
+    }
+    lxc::container_bind{ '/data/nginx':
+      container => 'front-nginx',
+      target => 'data',
+      option => ',ro'
+    }
+    lxc::container_bind{ '/data/crl':
+      container => 'front-nginx',
+      target => 'data-crl',
+      option => ',ro'
+    }
+    lxc::container_bind{ '/data/gigi-crl':
+      container => 'front-nginx',
+      target => 'data-crl-gigi',
+      option => ',ro'
+    }
+    lxc::container_bind{ '/run/gitweb-socket':
+      container => 'front-nginx',
+      target => 'gitweb-socket',
+    }
+    lxc::container_bind{ '/run/git-smart-http-socket':
+      container => 'front-nginx',
+      target => 'git-smart-http-socket',
+    }
+    lxc::container_bind{ '/data/git':
+      container => 'front-nginx',
+      target => 'srv/git',
+      option => ',ro'
     }
     file { '/data':
        ensure => 'directory',
@@ -153,7 +209,6 @@ if $signerLocation == 'self' {
           "/data/postgres/data" => { target => "var/lib/postgresql"},
           "/data/postgres/conf" => { target => "etc/postgresql"}
         },
-        require => File['/data/postgres']
     }
     $gigi_serial_conf= $signerLocation ? {
       'self'          => [],
@@ -169,7 +224,6 @@ if $signerLocation == 'self' {
           "/data/gigi-crl" => { target => "var/lib/cassiopeia/ca"}
         },
         confline => $gigi_serial_conf,
-        require => File['/data/gigi', '/data/gigi-crl']
     }
     if $signerLocation == 'self' {
       lxc::container { 'cassiopeia':
@@ -189,15 +243,21 @@ if $signerLocation == 'self' {
         contname => 'quiz',
         ip => $ips[quiz]
     }
+    File <| tag == root |>
+    Lxc::Container <| tag == root |>
+    Lxc::Container_bind <| tag == root |>
     file{'/run/gitweb-socket':
         ensure => 'directory'
     }
+    file{'/run/git-smart-http-socket':
+        ensure => 'directory'
+    }
     lxc::container { 'gitweb':
-        require => File['/data/git', '/run/gitweb-socket'],
         contname => 'gitweb',
-        dir => ['/gitweb-socket', '/srv/git'],
+        dir => ['/gitweb-socket', '/git-smart-http-socket', '/srv/git'],
         bind => {
           "/run/gitweb-socket" => { 'target' => "gitweb-socket"},
+          "/run/git-smart-http-socket" => { 'target' => "git-smart-http-socket"},
           "/data/git" => { 'target' => "srv/git", option => ",ro"}
         },
         ip => $ips[gitweb]
WPIA Technical Infrastructure