import

README

@@ -0,0 +1,24 @@
+
+Initial setup:
+ 
+  git clone git://github.com/leifj/multiverse.git myproj-cosmos
+  cd myproj-cosmos
+
+  - rename the github upstream
+  
+    git remote rename origin github
+
+  - add a new upstream & ro branch
+
+    git remote add origin git@//yourhost/myproj-cosmos.git
+    git remote add ro git://yourhost/myproj-cosmos.git
+ 
+  - add stuff...
+
+    make bump
+
+To add a new host:
+
+  - Make sure you have root access using an SSH key
+  - ./addhost <fqdn>
+

addhost

@@ -0,0 +1,45 @@
+#!/bin/sh
+
+cmd_hostname=""
+cmd_do_bootstrap="no"
+
+set -- $(getopt b?h? "$@")
+
+while [ $# -gt 0 ]; do
+   case "$1" in
+      (-h) echo "Usage: $0 [-h] [-b] [--] [<host>]"; exit 0;;
+      (-b) cmd_do_bootstrap="yes" ;;
+      (--) shift; break;;
+      (-*) echo "Unknown option $1\nUsage: $0 [-b] [-h] [--] <host>"; exit 1;;
+      (*) break;;
+   esac
+   shift
+done
+
+if [ ! -z "$1" -a -z "$cmd_hostname" ]; then 
+   cmd_hostname="$1"
+fi
+
+if test -z "$cmd_hostname"; then
+    echo "Usage: $0 [-h] [-b] [--] <host>"
+    exit 1
+fi
+
+test -f cosmos.conf && . ./cosmos.conf
+
+defrepo=`git remote -v | grep ${remote:="ro"} | grep fetch | awk '{print $2}'`
+rrepo=${repo:="$defrepo"}
+
+if [ ! -d $cmd_hostname ]; then
+   cp -pr default $cmd_hostname
+   git add $cmd_hostname
+   git commit -m "$cmd_hostname added" $cmd_hostname
+   ./bump-tag
+fi
+
+if [ "$cmd_do_bootstrap" = "yes" ]; then
+   scp apt/cosmos_1.2-2_all.deb apt/bootstrap-cosmos.sh root@$cmd_hostname:
+   ssh root@$cmd_hostname ./bootstrap-cosmos.sh $cmd_hostname $rrepo
+   ssh root@$cmd_hostname cosmos update 
+   ssh root@$cmd_hostname cosmos apply
+fi

apt/bootstrap-cosmos.sh

@@ -0,0 +1,35 @@
+#!/bin/sh
+
+set -e
+
+cmd_hostname="$1"
+if test -z "$cmd_hostname"; then
+    echo "Usage: $0 HOSTNAME REPO"
+    exit 1
+fi
+
+cmd_repo="$2"
+if test -z "$cmd_repo"; then
+   echo "Usage $0 HOSTNAME REPO"
+   exit 2
+fi
+
+set -x
+
+apt-get -y install rsync git-core
+dpkg -i cosmos_1.2-2_all.deb
+
+if ! test -d /var/cache/cosmos/repo; then
+    cosmos clone "$cmd_repo"
+fi
+
+hostname $cmd_hostname
+
+perl -pi -e "s,#COSMOS_REPO_MODELS=.*,COSMOS_REPO_MODELS=\"\\\$COSMOS_REPO/global/:\\\$COSMOS_REPO/$cmd_hostname/\"," /etc/cosmos/cosmos.conf
+perl -pi -e 's,#COSMOS_UPDATE_VERIFY_GIT_TAG_PATTERN=.*,COSMOS_UPDATE_VERIFY_GIT_TAG_PATTERN="eduid-cosmos*",' /etc/cosmos/cosmos.conf
+
+COSMOS_BASE=/var/cache/cosmos /var/cache/cosmos/repo/global/pre-tasks.d/010cosmos-trust
+
+(date; nohup cosmos -v update && nohup cosmos -v apply; date) > /var/log/cosmos.log 2>&1
+
+exit 0

cosmos-rules.yaml

@@ -0,0 +1 @@
+global/overlay/etc/puppet/cosmos-rules.yaml

cosmos.conf

@@ -0,0 +1,2 @@
+tag="eduid-cosmos"
+#repo=git://override-repo-URL

default/README

@@ -0,0 +1 @@
+../README

fabfile/__init__.py

@@ -0,0 +1,53 @@
+from fabric.api import run,env
+from fabric.operations import get
+import os
+import yaml
+import re
+
+def _all_hosts():
+   return filter(lambda fn: '.' in fn and not fn.startswith('.') and os.path.isdir(fn),os.listdir("."))
+
+def _roledefs():
+   rules = dict()
+
+   rules_file = "cosmos-rules.yaml";
+   if os.path.exists(rules_file):
+      with open(rules_file) as fd:
+         rules.update(yaml.load(fd))
+
+   roles = dict() 
+   for node_name in _all_hosts():
+      for reg,cls in rules.iteritems():
+         if re.search(reg,node_name):
+            for cls_name in cls.keys():
+               h = roles.get(cls_name,[])
+               h.append(node_name)
+               roles[cls_name] = h
+   return roles
+
+env.user = 'root'
+env.timeout = 30
+env.connection_attempts = 3
+env.warn_only = True
+env.skip_bad_hosts = True
+env.roledefs = _roledefs()
+
+print repr(env.roledefs)
+
+def all():
+    env.hosts = _all_hosts()
+
+def cosmos():
+    run("cosmos update && cosmos apply");
+
+def upgrade():
+    run("apt-get -qq update && apt-get -y -q dist-upgrade");
+
+def facts():
+    get("/var/run/facts.yaml",local_path="facts/%(host)s.yaml")
+
+def chassis():
+    run("ipmi-chassis --get-chassis-status")
+
+def newvm(fqdn,ip,domain):
+    run("vmbuilder kvm ubuntu --domain %s --dest /var/lib/libvirt/images/%s.img --arch x86_64 --hostname %s --mem 512 --ip %s --addpkg openssh-server" % (domain,fqdn,fqdn,ip))

global/overlay/etc/cron.d/cosmos

@@ -0,0 +1,4 @@
+SHELL=/bin/sh
+PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
+
+*/15 * * * *   root   test -f /etc/no-automatic-cosmos || (cosmos update && cosmos apply)

global/overlay/etc/puppet/cosmos-modules.conf

@@ -0,0 +1,11 @@
+#
+# name source (puppetlabs fq name or git url) upgrade (yes/no)
+#
+concat puppetlabs/concat no
+stdlib puppetlabs/stdlib no
+ufw attachmentgenie/ufw no
+apt puppetlabs/apt no
+vcsrepo puppetlabs/vcsrepo no
+xinetd puppetlabs/xinetd no
+#golang elithrar/golang yes
+#python git://github.com/stankevich/puppet-python.git yes

global/overlay/etc/puppet/cosmos-rules.yaml

@@ -0,0 +1,2 @@
+'ns[0-9]?.mnt.se$':
+   nameserver:

global/overlay/etc/puppet/cosmos_enc.py

@@ -0,0 +1,24 @@
+#!/usr/bin/env python
+
+import sys
+import yaml
+import os
+import re
+
+rules_path = os.environ.get("COSMOS_RULES_PATH","/etc/puppet")
+
+node_name = sys.argv[1]
+
+rules = dict()
+for p in rules_path.split(":"):
+   rules_file = os.path.join(p,"cosmos-rules.yaml")
+   if os.path.exists(rules_file):
+      with open(rules_file) as fd:
+         rules.update(yaml.load(fd))
+
+classes = dict()
+for reg,cls in rules.iteritems():
+   if re.search(reg,node_name):
+      classes.update(cls)
+
+print yaml.dump(dict(classes=classes))

global/overlay/etc/puppet/manifests/cosmos-site.pp

@@ -0,0 +1,52 @@
+# This manifest is managed using cosmos
+
+Exec {
+  path => "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
+}
+
+# include some of this stuff for additional features
+
+#include cosmos::tools
+#include cosmos::motd
+#include cosmos::ntp
+#include cosmos::rngtools
+#include cosmos::preseed
+include ufw
+include apt
+include cosmos
+
+# you need a default node
+
+node default { 
+
+}
+
+# edit and uncomment to manage ssh root keys in a simple way
+
+#class { 'cosmos::access':
+#   keys => [
+#      "ssh-rsa ..."
+#   ]
+#}
+
+# example config for the nameserver class which is matched in cosmos-rules.yaml
+
+#class nameserver {
+#   package {'bind9':
+#      ensure => latest 
+#   } 
+#   service {'bind9':
+#      ensure => running
+#   }
+#   ufw::allow { "allow-dns-udp":
+#      ip   => 'any',
+#      port => 53,
+#      proto => "udp"
+#   }
+#   ufw::allow { "allow-dns-tcp":
+#      ip   => 'any',
+#      port => 53,
+#      proto => "tcp"
+#   }
+#}
+

global/overlay/etc/puppet/puppet.conf

@@ -0,0 +1,14 @@
+[main]
+logdir=/var/log/puppet
+vardir=/var/lib/puppet
+ssldir=/var/lib/puppet/ssl
+rundir=/var/run/puppet
+factpath=$vardir/lib/facter
+templatedir=$confdir/templates
+node_terminus = exec
+external_nodes = /etc/puppet/cosmos_enc.py
+
+[master]
+# These are needed when the puppetmaster is run by passenger
+# and can safely be removed if webrick is used.
+ssl_client_header = SSL_CLIENT_S_DN 

global/post-tasks.d/010fix-ssh-perms

@@ -0,0 +1,23 @@
+#!/bin/sh
+#
+# Re-used example from SJD
+#
+
+if test -d /root/.ssh && \
+    test `stat -t /root/.ssh | cut -d\  -f5` != 0; then
+    chown root.root /root/.ssh
+fi
+
+if test -d /root/.ssh && \
+    test `stat -c %a /root/.ssh` != 700; then
+    chmod 700 /root/.ssh
+fi
+
+if test -f /root/.ssh/authorized_keys; then
+    if test `stat -t /root/.ssh/authorized_keys | cut -d\  -f5` != 0; then
+	chown root.root /root/.ssh/authorized_keys
+    fi
+    if test `stat --printf=%a /root/.ssh/authorized_keys` != 600; then
+	chmod 600 /root/.ssh/authorized_keys
+    fi
+fi

global/post-tasks.d/015cosmos-trust

@@ -0,0 +1,16 @@
+#!/bin/sh
+
+for k in /etc/cosmos/keys/*.pub; do
+   fp=`cosmos gpg --with-colons --with-fingerprint < $k| awk -F: '$1 == "pub" {print $5}'`
+   cosmos gpg --with-colons --fingerprint | grep -q ":$fp:" || cosmos gpg --import < $k
+done
+
+for fp in `cosmos gpg --with-colons --fingerprint | awk -F: '$1 == "pub" {print $5}'`; do
+   seen="no"
+   for k in /etc/cosmos/keys/*.pub; do
+      cosmos gpg --with-colons --with-fingerprint < $k | grep -q ":$fp:" && seen="yes"
+   done
+   if [ "x$seen" = "xno" ]; then
+      cosmos gpg --yes --batch --delete-key $fp || true
+   fi
+done

global/post-tasks.d/020reports

@@ -0,0 +1,4 @@
+#!/bin/sh
+
+rm -f /var/run/facts.json
+facter -p -y > /var/run/facts.yaml

global/post-tasks.d/030puppet

@@ -0,0 +1,13 @@
+#!/bin/sh
+
+if [ "x$COSMOS_VERBOSE" = "xy" ]; then
+   args="--verbose"
+else
+   args="--logdest=syslog"
+fi
+
+if [ -f /usr/bin/puppet -a -d /etc/puppet/manifests ]; then
+   for m in `find /etc/puppet/manifests -name \*.pp`; do
+      puppet apply $args $m
+   done
+fi

global/post-tasks.d/099autoremove

@@ -0,0 +1,4 @@
+#!/bin/sh
+
+apt-get -qq update
+apt-get -qq -y autoremove

global/post-tasks.d/999reboot

@@ -0,0 +1,3 @@
+#!/bin/sh
+
+test -f /var/run/reboot-required -a ! -f /etc/cosmos-manual-reboot && reboot

global/pre-tasks.d/020common-tools

@@ -0,0 +1,16 @@
+#!/bin/sh
+#
+# Re-used example from SJD
+#
+
+set -e
+
+stamp="$COSMOS_BASE/stamps/common-tools-v01.stamp"
+
+if ! test -f $stamp; then
+    apt-get -y install vim traceroute tcpdump molly-guard less rsync git-core unattended-upgrades ntp
+    update-alternatives --set editor /usr/bin/vim.basic
+
+    mkdir -p `dirname $stamp`
+    touch $stamp
+fi

global/pre-tasks.d/030puppet

@@ -0,0 +1,35 @@
+#!/bin/sh
+#
+# Re-used example from SJD
+#
+
+set -e
+
+stamp="$COSMOS_BASE/stamps/puppet-tools-v01.stamp"
+
+if ! test -f $stamp -a -f /usr/bin/puppet; then
+    codename=`lsb_release -c| awk '{print $2}'`
+    wget -c http://apt.puppetlabs.com/puppetlabs-release-${codename}.deb
+    dpkg -i puppetlabs-release-${codename}.deb
+    rm -f puppetlabs-release-${codename}.deb*
+    apt-get update
+    apt-get -y install puppet-common
+
+    mkdir -p `dirname $stamp`
+    touch $stamp
+fi
+
+python -c "import yaml" 2>/dev/null || apt-get -y install python-yaml
+
+if [ -f /etc/puppet/cosmos-modules.conf ]; then
+   grep -E -v "^#" /etc/puppet/cosmos-modules.conf | (
+   cd /etc/puppet/modules && while read module src update; do
+       if [ ! -d /etc/puppet/modules/$module ]; then
+          echo $src | grep -q "://" && git clone $src $module || puppet module install $src
+       else
+          if [ "x$update" = "xyes" ]; then
+             echo $src | grep -q "://" && (cd /etc/puppet/modules/$module && git pull -q) || puppet module upgrade $src
+          fi
+       fi
+   done)
+fi