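# @summary Receiving end of the SUNET Drive script server.
#
# Creates the unprivileged 'script' user, opens SSH (port 22) to the script
# server and the extra shell hosts in $kano_shell, installs the script server's
# ed25519 key for that user, and deploys one wrapper per entry in $tasks plus a
# matching sudoers drop-in so the task can be run as root without a password.
# Also installs the safer_reboot, rotatefiles and ini2json helpers and the
# every-minute log rotation cron job (wrapped by scriptherder).
#
# Keys read from the hiera hash of the current environment
# (sunetdrive::get_environment):
#   script_server  - name of the script server; used to label the authorized key
#   script         - IPv4 source address(es) of the script server (ufw)
#   script_v6      - IPv6 source address(es) of the script server (ufw)
#   script_pub_key - ed25519 public key material for the 'script' user
class sunetdrive::scriptreceiver()
{
  sunet::system_user {'script': username => 'script', group => 'script', managehome => true, shell => '/bin/bash' }

  # These tasks correspond to a ${task}.erb.sh template
  $tasks = ['list_users', 'list_files_for_user', 'create_bucket', 'backup_db', 'purge_backups', 'maintenancemode', 'restart_sunet_service', 'start_sentinel', 'stop_sentinel', 'makeswap', 'backup_multinode_db']

  $environment    = sunetdrive::get_environment()
  $config         = hiera_hash($environment)
  $script_server  = $config['script_server']
  $script_ipv4    = $config['script']
  $script_ipv6    = $config['script_v6']
  $script_pub_key = $config['script_pub_key']

  # Legacy catch-all sudo rule; the per-task drop-ins below replace it.
  file { '/etc/sudoers.d/99-script-user':
    ensure => absent,
  }

  # The task scripts are sudo targets executed as root, so neither the scripts
  # nor their directory may be writable by the 'script' user: root-owned,
  # group 'script', 0750 lets the user read and execute but not replace them.
  # NOTE(review): /home/script itself is still user-owned (managehome), so the
  # sudo target path is not fully root-controlled; moving the scripts outside
  # the home directory would close that, but it would change the paths the
  # script server invokes, so it is left as-is here.
  file { '/home/script/bin':
    ensure  => directory,
    mode    => '0750',
    owner   => 'root',
    group   => 'script',
    require => Sunet::System_user['script'],
  }

  # Additional shell hosts allowed to reach port 22 besides the script server.
  $kano_shell = ['89.46.21.246','2001:6b0:6c::1bc']
  # '+' is array concatenation here; the hiera values for 'script' and
  # 'script_v6' are assumed to be arrays (a plain string would not compile)
  # — TODO confirm against the hiera data.
  sunet::misc::ufw_allow { 'script_port':
    from => $script_ipv4 + $script_ipv6 + $kano_shell,
    port => 22,
  }

  ssh_authorized_key { "script@${script_server}":
    ensure => present,
    user   => 'script',
    type   => 'ssh-ed25519',
    key    => $script_pub_key,
  }

  file { '/opt/rotate':
    ensure => directory,
    mode   => '0750',
    owner  => 'root',
    group  => 'root',
  }
  -> file { '/opt/rotate/conf.d':
    ensure => directory,
    mode   => '0750',
    owner  => 'root',
    group  => 'root',
  }

  # Root-only helper; the 'script' user may only run it through sudo.
  file { '/usr/local/bin/safer_reboot':
    ensure  => file,
    content => template('sunetdrive/scriptreceiver/safer_reboot.erb'),
    mode    => '0740',
    owner   => 'root',
    group   => 'root',
  }
  file { '/etc/sudoers.d/99-safer_reboot':
    ensure  => file,
    content => "script ALL=(root) NOPASSWD: /usr/local/bin/safer_reboot\n",
    mode    => '0440',
    owner   => 'root',
    group   => 'root',
  }

  file { '/usr/local/bin/rotatefiles':
    ensure  => file,
    content => template('sunetdrive/scriptreceiver/rotatefiles.erb'),
    mode    => '0740',
    owner   => 'root',
    group   => 'root',
  }
  file { '/usr/local/bin/ini2json':
    ensure  => file,
    content => template('sunetdrive/scriptreceiver/ini2json.py'),
    mode    => '0740',
    owner   => 'root',
    group   => 'root',
  }
  # scriptherder check thresholds for the rotatefiles job (runs every minute).
  -> file { '/etc/scriptherder/check/rotatefiles.ini':
    ensure  => file,
    content => "[check]\nok = exit_status=0, max_age=35m\nwarning = exit_status=0, max_age=1h\n",
    mode    => '0644',
    owner   => 'root',
    group   => 'root',
  }

  cron { 'rotate_logs':
    command => ' /usr/local/bin/scriptherder --mode wrap --syslog --name rotatefiles -- /usr/local/bin/rotatefiles',
    require => File['/usr/local/bin/rotatefiles'],
    user    => 'root',
    minute  => '*',
    hour    => '*',
  }

  # One wrapper script and one sudoers drop-in per task. The wrapper is
  # root-owned so the 'script' user cannot alter what sudo runs as root.
  $tasks.each |String $task| {
    file { "/home/script/bin/${task}.sh":
      ensure  => file,
      content => template("sunetdrive/scriptreceiver/${task}.erb.sh"),
      mode    => '0750',
      owner   => 'root',
      group   => 'script',
    }
    file { "/etc/sudoers.d/99-${task}":
      ensure  => file,
      content => "script ALL=(root) NOPASSWD: /home/script/bin/${task}.sh\n",
      mode    => '0440',
      owner   => 'root',
      group   => 'root',
    }
  }
}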