Merge branch 'master' of git.nordu.net:eid-ops
This commit is contained in:
commit
39ef574eb7
16 changed files with 308 additions and 118 deletions
3
fe-fre-3.komreg.net/README
Normal file
3
fe-fre-3.komreg.net/README
Normal file
|
|
@ -0,0 +1,3 @@
|
|||
|
||||
The system documentation is in the docs directory of the multiverse repository.
|
||||
|
||||
|
|
@ -10,3 +10,18 @@ nrpe_clients:
|
|||
- 109.105.111.111
|
||||
- 2001:948:4:6::111
|
||||
- 89.45.233.197
|
||||
|
||||
ssh_authorized_keys:
|
||||
|
||||
'mariah+CA747E57':
|
||||
ensure: 'present'
|
||||
name: 'mariah+CA747E57@nordu.net'
|
||||
key: "AAAAB3NzaC1yc2EAAAADAQABAAABAQDLQfL3uYsqjzkKOxn9nhjDHeWdWQ5SRwcPz\
|
||||
q7gINcwJ7omA5c7wJ4RKDqBPihJ9tp2rgM6DKKGxtSyjO6LFhkGNa86uub2PLS0ar+aRobPZ\
|
||||
6sOeASqHbO3S1mmvZZWTQ30AFjtY98jjlvfKEI5Xu1+UKyQJqK+/UBVKlPaW6GMSYLr9Z5Uu\
|
||||
4XS/sBPdL/ZtR95zDO9OKY8OtTufQi8Zy3pl4Q3xcOsSLZrKiEKMYDCLPlxytHD8FDDYLsgi\
|
||||
uPlbF8/uVYYrt/LHHMkD552xC+EjA7Qde1jDU6iHTpttn7j/3FKoxvM8BXUG+QpbqGUESjAl\
|
||||
Az/PMNCUZ0kVYh9eeXr"
|
||||
type: 'ssh-rsa'
|
||||
user: 'root'
|
||||
|
||||
|
|
|
|||
|
|
@ -36,6 +36,14 @@ classes:
|
|||
sunet::rsyslog: null
|
||||
sunet_iaas_cloud: null
|
||||
sunetops: null
|
||||
fe-fre-3.komreg.net:
|
||||
common: null
|
||||
entropyclient: null
|
||||
infra_ca_rp: null
|
||||
mailclient: *id001
|
||||
nrpe: null
|
||||
sunet::rsyslog: null
|
||||
sunetops: null
|
||||
jmp.komreg.net:
|
||||
autoupdate: null
|
||||
common: null
|
||||
|
|
@ -87,6 +95,11 @@ classes:
|
|||
sunetops: null
|
||||
kvmfe-fre-3.komreg.net:
|
||||
common: null
|
||||
eid::kvm_vms:
|
||||
vms:
|
||||
fe-fre-3.komreg.net: {bridge: br-fe, cpus: '4', description: eid fre frontend,
|
||||
gateway: 94.176.224.161, ip: 94.176.224.165, mac: '52:54:20:01:00:01', memory: '4096',
|
||||
netmask: 255.255.255.240}
|
||||
eid::kvmhost: null
|
||||
entropyclient: null
|
||||
infra_ca_rp: null
|
||||
|
|
@ -234,52 +247,59 @@ classes:
|
|||
sunet_iaas_cloud: null
|
||||
sunetops: null
|
||||
members:
|
||||
all: [eidas-node-1.qa.sveidas.se, eidas-proxy-1.qa.sveidas.se, jmp.komreg.net, jump-fre-3.komreg.net,
|
||||
jump-tug-3.komreg.net, kvmeidas-fre-3.komreg.net, kvmeidas-tug-3.komreg.net, kvmfe-fre-3.komreg.net,
|
||||
kvmfe-tug-3.komreg.net, kvminfra-fre-3.komreg.net, kvminfra-tug-3.komreg.net,
|
||||
kvmmeta-fre-3.komreg.net, kvmmeta-tug-3.komreg.net, md-eu1.qa.komreg.net, md1.komreg.net,
|
||||
nic.komreg.net, p1.komreg.net, p2.qa.komreg.net, prid-1.qa.sveidas.se, r1.komreg.net]
|
||||
all: [eidas-node-1.qa.sveidas.se, eidas-proxy-1.qa.sveidas.se, fe-fre-3.komreg.net,
|
||||
jmp.komreg.net, jump-fre-3.komreg.net, jump-tug-3.komreg.net, kvmeidas-fre-3.komreg.net,
|
||||
kvmeidas-tug-3.komreg.net, kvmfe-fre-3.komreg.net, kvmfe-tug-3.komreg.net, kvminfra-fre-3.komreg.net,
|
||||
kvminfra-tug-3.komreg.net, kvmmeta-fre-3.komreg.net, kvmmeta-tug-3.komreg.net,
|
||||
md-eu1.qa.komreg.net, md1.komreg.net, nic.komreg.net, p1.komreg.net, p2.qa.komreg.net,
|
||||
prid-1.qa.sveidas.se, r1.komreg.net]
|
||||
autoupdate: [eidas-node-1.qa.sveidas.se, eidas-proxy-1.qa.sveidas.se, jmp.komreg.net,
|
||||
jump-fre-3.komreg.net, jump-tug-3.komreg.net, md-eu1.qa.komreg.net, nic.komreg.net,
|
||||
p1.komreg.net, p2.qa.komreg.net, prid-1.qa.sveidas.se, r1.komreg.net]
|
||||
common: [eidas-node-1.qa.sveidas.se, eidas-proxy-1.qa.sveidas.se, jmp.komreg.net,
|
||||
jump-fre-3.komreg.net, jump-tug-3.komreg.net, kvmeidas-fre-3.komreg.net, kvmeidas-tug-3.komreg.net,
|
||||
kvmfe-fre-3.komreg.net, kvmfe-tug-3.komreg.net, kvminfra-fre-3.komreg.net, kvminfra-tug-3.komreg.net,
|
||||
kvmmeta-fre-3.komreg.net, kvmmeta-tug-3.komreg.net, md-eu1.qa.komreg.net, md1.komreg.net,
|
||||
nic.komreg.net, p1.komreg.net, p2.qa.komreg.net, prid-1.qa.sveidas.se, r1.komreg.net]
|
||||
common: [eidas-node-1.qa.sveidas.se, eidas-proxy-1.qa.sveidas.se, fe-fre-3.komreg.net,
|
||||
jmp.komreg.net, jump-fre-3.komreg.net, jump-tug-3.komreg.net, kvmeidas-fre-3.komreg.net,
|
||||
kvmeidas-tug-3.komreg.net, kvmfe-fre-3.komreg.net, kvmfe-tug-3.komreg.net, kvminfra-fre-3.komreg.net,
|
||||
kvminfra-tug-3.komreg.net, kvmmeta-fre-3.komreg.net, kvmmeta-tug-3.komreg.net,
|
||||
md-eu1.qa.komreg.net, md1.komreg.net, nic.komreg.net, p1.komreg.net, p2.qa.komreg.net,
|
||||
prid-1.qa.sveidas.se, r1.komreg.net]
|
||||
eid::kvm_vms: [kvmfe-fre-3.komreg.net]
|
||||
eid::kvmhost: [kvmeidas-fre-3.komreg.net, kvmeidas-tug-3.komreg.net, kvmfe-fre-3.komreg.net,
|
||||
kvmfe-tug-3.komreg.net, kvminfra-fre-3.komreg.net, kvminfra-tug-3.komreg.net,
|
||||
kvmmeta-fre-3.komreg.net, kvmmeta-tug-3.komreg.net]
|
||||
eidas_connector: [eidas-node-1.qa.sveidas.se]
|
||||
eidas_proxy: [eidas-proxy-1.qa.sveidas.se]
|
||||
entropyclient: [eidas-node-1.qa.sveidas.se, eidas-proxy-1.qa.sveidas.se, jmp.komreg.net,
|
||||
jump-fre-3.komreg.net, jump-tug-3.komreg.net, kvmeidas-fre-3.komreg.net, kvmeidas-tug-3.komreg.net,
|
||||
kvmfe-fre-3.komreg.net, kvmfe-tug-3.komreg.net, kvminfra-fre-3.komreg.net, kvminfra-tug-3.komreg.net,
|
||||
kvmmeta-fre-3.komreg.net, kvmmeta-tug-3.komreg.net, md-eu1.qa.komreg.net, md1.komreg.net,
|
||||
nic.komreg.net, p1.komreg.net, p2.qa.komreg.net, prid-1.qa.sveidas.se, r1.komreg.net]
|
||||
infra_ca_rp: [eidas-node-1.qa.sveidas.se, eidas-proxy-1.qa.sveidas.se, jmp.komreg.net,
|
||||
jump-fre-3.komreg.net, jump-tug-3.komreg.net, kvmeidas-fre-3.komreg.net, kvmeidas-tug-3.komreg.net,
|
||||
kvmfe-fre-3.komreg.net, kvmfe-tug-3.komreg.net, kvminfra-fre-3.komreg.net, kvminfra-tug-3.komreg.net,
|
||||
kvmmeta-fre-3.komreg.net, kvmmeta-tug-3.komreg.net, md-eu1.qa.komreg.net, md1.komreg.net,
|
||||
nic.komreg.net, p1.komreg.net, p2.qa.komreg.net, prid-1.qa.sveidas.se, r1.komreg.net]
|
||||
entropyclient: [eidas-node-1.qa.sveidas.se, eidas-proxy-1.qa.sveidas.se, fe-fre-3.komreg.net,
|
||||
jmp.komreg.net, jump-fre-3.komreg.net, jump-tug-3.komreg.net, kvmeidas-fre-3.komreg.net,
|
||||
kvmeidas-tug-3.komreg.net, kvmfe-fre-3.komreg.net, kvmfe-tug-3.komreg.net, kvminfra-fre-3.komreg.net,
|
||||
kvminfra-tug-3.komreg.net, kvmmeta-fre-3.komreg.net, kvmmeta-tug-3.komreg.net,
|
||||
md-eu1.qa.komreg.net, md1.komreg.net, nic.komreg.net, p1.komreg.net, p2.qa.komreg.net,
|
||||
prid-1.qa.sveidas.se, r1.komreg.net]
|
||||
infra_ca_rp: [eidas-node-1.qa.sveidas.se, eidas-proxy-1.qa.sveidas.se, fe-fre-3.komreg.net,
|
||||
jmp.komreg.net, jump-fre-3.komreg.net, jump-tug-3.komreg.net, kvmeidas-fre-3.komreg.net,
|
||||
kvmeidas-tug-3.komreg.net, kvmfe-fre-3.komreg.net, kvmfe-tug-3.komreg.net, kvminfra-fre-3.komreg.net,
|
||||
kvminfra-tug-3.komreg.net, kvmmeta-fre-3.komreg.net, kvmmeta-tug-3.komreg.net,
|
||||
md-eu1.qa.komreg.net, md1.komreg.net, nic.komreg.net, p1.komreg.net, p2.qa.komreg.net,
|
||||
prid-1.qa.sveidas.se, r1.komreg.net]
|
||||
konsulter: [eidas-node-1.qa.sveidas.se, eidas-proxy-1.qa.sveidas.se, jmp.komreg.net,
|
||||
jump-fre-3.komreg.net, jump-tug-3.komreg.net, md-eu1.qa.komreg.net, nic.komreg.net,
|
||||
prid-1.qa.sveidas.se]
|
||||
mailclient: [eidas-node-1.qa.sveidas.se, eidas-proxy-1.qa.sveidas.se, jmp.komreg.net,
|
||||
jump-fre-3.komreg.net, jump-tug-3.komreg.net, kvmeidas-fre-3.komreg.net, kvmeidas-tug-3.komreg.net,
|
||||
kvmfe-fre-3.komreg.net, kvmfe-tug-3.komreg.net, kvminfra-fre-3.komreg.net, kvminfra-tug-3.komreg.net,
|
||||
kvmmeta-fre-3.komreg.net, kvmmeta-tug-3.komreg.net, md-eu1.qa.komreg.net, md1.komreg.net,
|
||||
nic.komreg.net, p1.komreg.net, p2.qa.komreg.net, prid-1.qa.sveidas.se, r1.komreg.net]
|
||||
mailclient: [eidas-node-1.qa.sveidas.se, eidas-proxy-1.qa.sveidas.se, fe-fre-3.komreg.net,
|
||||
jmp.komreg.net, jump-fre-3.komreg.net, jump-tug-3.komreg.net, kvmeidas-fre-3.komreg.net,
|
||||
kvmeidas-tug-3.komreg.net, kvmfe-fre-3.komreg.net, kvmfe-tug-3.komreg.net, kvminfra-fre-3.komreg.net,
|
||||
kvminfra-tug-3.komreg.net, kvmmeta-fre-3.komreg.net, kvmmeta-tug-3.komreg.net,
|
||||
md-eu1.qa.komreg.net, md1.komreg.net, nic.komreg.net, p1.komreg.net, p2.qa.komreg.net,
|
||||
prid-1.qa.sveidas.se, r1.komreg.net]
|
||||
md_publisher: [p1.komreg.net, p2.qa.komreg.net]
|
||||
md_repo_client: [md-eu1.qa.komreg.net]
|
||||
md_repo_server: [r1.komreg.net]
|
||||
md_signer: [md-eu1.qa.komreg.net, md1.komreg.net]
|
||||
nagios_monitor: [nic.komreg.net]
|
||||
nrpe: [eidas-node-1.qa.sveidas.se, eidas-proxy-1.qa.sveidas.se, jmp.komreg.net,
|
||||
jump-fre-3.komreg.net, jump-tug-3.komreg.net, kvmeidas-fre-3.komreg.net, kvmeidas-tug-3.komreg.net,
|
||||
kvmfe-fre-3.komreg.net, kvmfe-tug-3.komreg.net, kvminfra-fre-3.komreg.net, kvminfra-tug-3.komreg.net,
|
||||
kvmmeta-fre-3.komreg.net, kvmmeta-tug-3.komreg.net, md-eu1.qa.komreg.net, md1.komreg.net,
|
||||
nic.komreg.net, p1.komreg.net, p2.qa.komreg.net, prid-1.qa.sveidas.se, r1.komreg.net]
|
||||
nrpe: [eidas-node-1.qa.sveidas.se, eidas-proxy-1.qa.sveidas.se, fe-fre-3.komreg.net,
|
||||
jmp.komreg.net, jump-fre-3.komreg.net, jump-tug-3.komreg.net, kvmeidas-fre-3.komreg.net,
|
||||
kvmeidas-tug-3.komreg.net, kvmfe-fre-3.komreg.net, kvmfe-tug-3.komreg.net, kvminfra-fre-3.komreg.net,
|
||||
kvminfra-tug-3.komreg.net, kvmmeta-fre-3.komreg.net, kvmmeta-tug-3.komreg.net,
|
||||
md-eu1.qa.komreg.net, md1.komreg.net, nic.komreg.net, p1.komreg.net, p2.qa.komreg.net,
|
||||
prid-1.qa.sveidas.se, r1.komreg.net]
|
||||
openstack_dockerhost: [eidas-node-1.qa.sveidas.se, eidas-proxy-1.qa.sveidas.se,
|
||||
md-eu1.qa.komreg.net, prid-1.qa.sveidas.se, r1.komreg.net]
|
||||
prid: [prid-1.qa.sveidas.se]
|
||||
|
|
@ -287,17 +307,19 @@ members:
|
|||
sunet::dehydrated: [r1.komreg.net]
|
||||
sunet::frontend::register_sites: [eidas-node-1.qa.sveidas.se, eidas-proxy-1.qa.sveidas.se,
|
||||
p1.komreg.net, p2.qa.komreg.net]
|
||||
sunet::rsyslog: [eidas-node-1.qa.sveidas.se, eidas-proxy-1.qa.sveidas.se, jmp.komreg.net,
|
||||
jump-fre-3.komreg.net, jump-tug-3.komreg.net, kvmeidas-fre-3.komreg.net, kvmeidas-tug-3.komreg.net,
|
||||
kvmfe-fre-3.komreg.net, kvmfe-tug-3.komreg.net, kvminfra-fre-3.komreg.net, kvminfra-tug-3.komreg.net,
|
||||
kvmmeta-fre-3.komreg.net, kvmmeta-tug-3.komreg.net, md-eu1.qa.komreg.net, md1.komreg.net,
|
||||
nic.komreg.net, p1.komreg.net, p2.qa.komreg.net, prid-1.qa.sveidas.se, r1.komreg.net]
|
||||
sunet::rsyslog: [eidas-node-1.qa.sveidas.se, eidas-proxy-1.qa.sveidas.se, fe-fre-3.komreg.net,
|
||||
jmp.komreg.net, jump-fre-3.komreg.net, jump-tug-3.komreg.net, kvmeidas-fre-3.komreg.net,
|
||||
kvmeidas-tug-3.komreg.net, kvmfe-fre-3.komreg.net, kvmfe-tug-3.komreg.net, kvminfra-fre-3.komreg.net,
|
||||
kvminfra-tug-3.komreg.net, kvmmeta-fre-3.komreg.net, kvmmeta-tug-3.komreg.net,
|
||||
md-eu1.qa.komreg.net, md1.komreg.net, nic.komreg.net, p1.komreg.net, p2.qa.komreg.net,
|
||||
prid-1.qa.sveidas.se, r1.komreg.net]
|
||||
sunet_iaas_cloud: [eidas-node-1.qa.sveidas.se, eidas-proxy-1.qa.sveidas.se, jmp.komreg.net,
|
||||
md-eu1.qa.komreg.net, nic.komreg.net, p1.komreg.net, p2.qa.komreg.net, prid-1.qa.sveidas.se,
|
||||
r1.komreg.net]
|
||||
sunetops: [eidas-node-1.qa.sveidas.se, eidas-proxy-1.qa.sveidas.se, jmp.komreg.net,
|
||||
jump-fre-3.komreg.net, jump-tug-3.komreg.net, kvmeidas-fre-3.komreg.net, kvmeidas-tug-3.komreg.net,
|
||||
kvmfe-fre-3.komreg.net, kvmfe-tug-3.komreg.net, kvminfra-fre-3.komreg.net, kvminfra-tug-3.komreg.net,
|
||||
kvmmeta-fre-3.komreg.net, kvmmeta-tug-3.komreg.net, md-eu1.qa.komreg.net, md1.komreg.net,
|
||||
nic.komreg.net, p1.komreg.net, p2.qa.komreg.net, prid-1.qa.sveidas.se, r1.komreg.net]
|
||||
sunetops: [eidas-node-1.qa.sveidas.se, eidas-proxy-1.qa.sveidas.se, fe-fre-3.komreg.net,
|
||||
jmp.komreg.net, jump-fre-3.komreg.net, jump-tug-3.komreg.net, kvmeidas-fre-3.komreg.net,
|
||||
kvmeidas-tug-3.komreg.net, kvmfe-fre-3.komreg.net, kvmfe-tug-3.komreg.net, kvminfra-fre-3.komreg.net,
|
||||
kvminfra-tug-3.komreg.net, kvmmeta-fre-3.komreg.net, kvmmeta-tug-3.komreg.net,
|
||||
md-eu1.qa.komreg.net, md1.komreg.net, nic.komreg.net, p1.komreg.net, p2.qa.komreg.net,
|
||||
prid-1.qa.sveidas.se, r1.komreg.net]
|
||||
|
||||
|
|
|
|||
|
|
@ -20,6 +20,19 @@ jmp.komreg.net:
|
|||
konsulter:
|
||||
autoupdate:
|
||||
|
||||
kvmfe-fre-3.komreg.net:
|
||||
eid::kvm_vms:
|
||||
vms:
|
||||
fe-fre-3.komreg.net:
|
||||
mac: '52:54:20:01:00:01'
|
||||
ip: '94.176.224.165'
|
||||
netmask: '255.255.255.240'
|
||||
gateway: '94.176.224.161'
|
||||
bridge: 'br-fe'
|
||||
description: 'eid fre frontend'
|
||||
cpus: '4'
|
||||
memory: '4096'
|
||||
|
||||
nic.komreg.net:
|
||||
sunet_iaas_cloud:
|
||||
autoupdate:
|
||||
|
|
|
|||
|
|
@ -30,6 +30,14 @@ class common {
|
|||
include apt
|
||||
include apparmor
|
||||
package {'jq': ensure => 'latest'}
|
||||
|
||||
if $::is_virtual == true {
|
||||
file { '/usr/local/bin/sunet-reinstall':
|
||||
ensure => file,
|
||||
mode => '0755',
|
||||
content => template('sunet/cloudimage/sunet-reinstall.erb'),
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
class dhcp6_client {
|
||||
|
|
@ -327,6 +335,12 @@ class sunetops {
|
|||
sshd_config => $sshd_config,
|
||||
}
|
||||
|
||||
# SSH config, create SSH authorized keys from Hiera
|
||||
$ssh_authorized_keys = hiera_hash('ssh_authorized_keys', undef)
|
||||
if is_hash($ssh_authorized_keys) {
|
||||
create_resources('ssh_authorized_key', $ssh_authorized_keys)
|
||||
}
|
||||
|
||||
ssh_authorized_key {'leifj+neo':
|
||||
ensure => present,
|
||||
name => 'leifj+neo@mnt.se',
|
||||
|
|
@ -479,14 +493,6 @@ class sunetops {
|
|||
user => 'root'
|
||||
}
|
||||
|
||||
ssh_authorized_key {'mariah+CA747E57':
|
||||
ensure => present,
|
||||
name => 'mariah+CA747E57@nordu.net',
|
||||
key => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDLQfL3uYsqjzkKOxn9nhjDHeWdWQ5SRwcPzq7gINcwJ7omA5c7wJ4RKDqBPihJ9tp2rgM6DKKGxtSyjO6LFhkGNa86uub2PLS0ar+aRobPZ6sOeASqHbO3S1mmvZZWTQ30AFjtY98jjlvfKEI5Xu1+UKyQJqK+/UBVKlPaW6GMSYLr9Z5Uu4XS/sBPdL/ZtR95zDO9OKY8OtTufQi8Zy3pl4Q3xcOsSLZrKiEKMYDCLPlxytHD8FDDYLsgiuPlbF8/uVYYrt/LHHMkD552xC+EjA7Qde1jDU6iHTpttn7j/3FKoxvM8BXUG+QpbqGUESjAlAz/PMNCUZ0kVYh9eeXr',
|
||||
type => 'ssh-rsa',
|
||||
user => 'root'
|
||||
}
|
||||
|
||||
# OS hardening
|
||||
if $::hostname =~ /kvm/ {
|
||||
class {'bastion':
|
||||
|
|
|
|||
|
|
@ -0,0 +1,49 @@
|
|||
# Wrapper with eid common settings for sunet::cloudimage
|
||||
define eid::cloudimage(
|
||||
String $mac,
|
||||
String $cpus = '1',
|
||||
String $memory = '1024',
|
||||
String $description = undef,
|
||||
Optional[String] $ip = undef,
|
||||
Optional[String] $netmask = undef,
|
||||
Optional[String] $gateway = undef,
|
||||
Optional[String] $ip6 = undef,
|
||||
Optional[String] $netmask6 = '64',
|
||||
Optional[String] $gateway6 = undef,
|
||||
String $bridge = 'br0',
|
||||
String $size = '40G',
|
||||
String $local_size = '0',
|
||||
String $image_url = 'https://cloud-images.ubuntu.com/bionic/current/bionic-server-cloudimg-amd64.img',
|
||||
) {
|
||||
# This is a hack, use SSH keys from KVM host?
|
||||
$_ssh_key = hiera('ssh_authorized_keys')['mariah+CA747E57']
|
||||
$cloudimage_ssh_keys = [sprintf('%s %s %s', $_ssh_key['type'], $_ssh_key['key'], $_ssh_key['name'])]
|
||||
|
||||
sunet::cloudimage { $name:
|
||||
image_url => $image_url,
|
||||
ssh_keys => $cloudimage_ssh_keys,
|
||||
apt_dir => '/etc/cosmos/apt',
|
||||
disable_ec2 => true,
|
||||
#
|
||||
bridge => $bridge,
|
||||
dhcp => false,
|
||||
mac => $mac,
|
||||
ip => $ip,
|
||||
netmask => $netmask,
|
||||
gateway => $gateway,
|
||||
ip6 => $ip6,
|
||||
netmask6 => $netmask6,
|
||||
gateway6 => $gateway6,
|
||||
resolver => ['130.242.80.14', '130.242.80.99'],
|
||||
search => ['komreg.net'],
|
||||
#
|
||||
repo => $::cosmos_repo_origin_url,
|
||||
tagpattern => $::cosmos_tag_pattern,
|
||||
#
|
||||
cpus => $cpus,
|
||||
memory => $memory,
|
||||
description => $description,
|
||||
size => $size,
|
||||
local_size => $local_size,
|
||||
}
|
||||
}
|
||||
|
|
@ -0,0 +1,5 @@
|
|||
class eid::kvm_vms(
|
||||
Hash $vms
|
||||
) {
|
||||
create_resources('eid::cloudimage', $vms)
|
||||
}
|
||||
|
|
@ -55,14 +55,16 @@ if ! test -d /var/cache/cosmos/repo; then
|
|||
cosmos clone "$cmd_repo"
|
||||
fi
|
||||
|
||||
# re-run cosmos at reboot until it succeeds - use bash -l to get working proxy settings
|
||||
grep -v "^exit 0" /etc/rc.local > /etc/rc.local.new
|
||||
(echo ""
|
||||
echo "test -f /etc/run-cosmos-at-boot && (bash -l cosmos -v update; bash -l cosmos -v apply && rm /etc/run-cosmos-at-boot)"
|
||||
echo ""
|
||||
echo "exit 0"
|
||||
) >> /etc/rc.local.new
|
||||
mv -f /etc/rc.local.new /etc/rc.local
|
||||
if [ -f /etc/rc.local ]; then
|
||||
# re-run cosmos at reboot until it succeeds - use bash -l to get working proxy settings
|
||||
grep -v "^exit 0" /etc/rc.local > /etc/rc.local.new
|
||||
(echo ""
|
||||
echo "test -f /etc/run-cosmos-at-boot && (bash -l cosmos -v update; bash -l cosmos -v apply && rm /etc/run-cosmos-at-boot)"
|
||||
echo ""
|
||||
echo "exit 0"
|
||||
) >> /etc/rc.local.new
|
||||
mv -f /etc/rc.local.new /etc/rc.local
|
||||
fi
|
||||
|
||||
touch /etc/run-cosmos-at-boot
|
||||
|
||||
|
|
|
|||
|
|
@ -12,6 +12,12 @@ basemodulepath = /etc/puppet/modules:/etc/puppet/cosmos-modules:/usr/share/puppe
|
|||
parser = future
|
||||
disable_warnings = deprecations
|
||||
|
||||
# Recommended New Features settings from
|
||||
# https://docs.puppet.com/puppet/3.8/config_important_settings.html#recommended-and-safe
|
||||
stringify_facts = false
|
||||
trusted_node_data = true
|
||||
ordering = manifest
|
||||
|
||||
[master]
|
||||
# These are needed when the puppetmaster is run by passenger
|
||||
# and can safely be removed if webrick is used.
|
||||
|
|
|
|||
|
|
@ -1,28 +1,63 @@
|
|||
#!/bin/sh
|
||||
#!/bin/bash
|
||||
|
||||
if [ -z "$COSMOS_KEYS" ]; then
|
||||
COSMOS_KEYS=/etc/cosmos/keys
|
||||
fi
|
||||
|
||||
# Install new keys discovered in the $COSMOS_KEYS directory
|
||||
for k in $COSMOS_KEYS/*.pub; do
|
||||
fp=`cosmos gpg --with-colons --with-fingerprint < $k | awk -F: '$1 == "pub" {print $5}'`
|
||||
fp_in_db=`cosmos gpg --with-colons --fingerprint | grep ":$fp:"`
|
||||
if [ "x`echo $fp_in_db | grep '^pub:e:'`" != "x" ]; then
|
||||
echo "$0: Key expired, will re-import it from $k"
|
||||
cosmos gpg --fingerprint $fp
|
||||
fi
|
||||
# The removal of any ^pub:e: entrys means to ignore expired keys - thereby importing them again.
|
||||
echo $fp_in_db | grep -v "^pub:e:" | grep -q ":$fp:" || cosmos gpg --import < $k
|
||||
bold='\e[1m'
|
||||
reset='\e[0m'
|
||||
red='\033[01;31m'
|
||||
|
||||
# Associative array of fingerprints in the GPG keyring
|
||||
declare -A KEYRING
|
||||
|
||||
# Associative array with expired keys in the GPG keyring
|
||||
declare -A EXPIRED
|
||||
|
||||
# associative array with non-expired keys found in $COSMOS_KEYS directory
|
||||
declare -A SEEN
|
||||
|
||||
# Load information about all keys present in the GPG keyring
|
||||
for line in $(cosmos gpg --with-colons --fingerprint | awk -F: '$1 == "pub" { print $2 ":" $5 }'); do
|
||||
IFS=':' read -r expired fp <<< $line
|
||||
KEYRING[$fp]='1'
|
||||
if [[ $expired == 'e' ]]; then
|
||||
EXPIRED[$fp]=1
|
||||
fi
|
||||
done
|
||||
|
||||
# Delete keys no longer present in $COSMOS_KEYS directory
|
||||
for fp in `cosmos gpg --with-colons --fingerprint | awk -F: '$1 == "pub" {print $5}'`; do
|
||||
seen="no"
|
||||
for k in $COSMOS_KEYS/*.pub; do
|
||||
cosmos gpg --with-colons --with-fingerprint < $k | grep -q ":$fp:" && seen="yes"
|
||||
done
|
||||
if [ "x$seen" = "xno" ]; then
|
||||
cosmos gpg --yes --batch --delete-key $fp || true
|
||||
fi
|
||||
# Install new keys discovered in the $COSMOS_KEYS directory
|
||||
for k in $COSMOS_KEYS/*.pub; do
|
||||
if [[ ! -s $k ]]; then
|
||||
# Silently ignore empty files
|
||||
continue
|
||||
fi
|
||||
pubkeys_in_file=$(cosmos gpg --with-colons --with-fingerprint < $k | grep "^pub:")
|
||||
non_expired_pubkeys_in_file=$(echo ${pubkeys_in_file} | awk -F: '$2 != "e" { print $0 }')
|
||||
if [[ ! $non_expired_pubkeys_in_file ]]; then
|
||||
echo -e "$0: ${red}Ignoring file with expired pubkey: ${k}${reset}"
|
||||
continue
|
||||
fi
|
||||
|
||||
fp=$(echo ${pubkeys_in_file} | awk -F: '{print $5}')
|
||||
|
||||
# Remember that we saw fingerprint $fp in file $k
|
||||
SEEN[$fp]=$k
|
||||
|
||||
if [[ ! ${KEYRING[$fp]} ]]; then
|
||||
echo -e "$0: ${bold}Importing new key ${fp}${reset} from ${k}"
|
||||
cosmos gpg --import < $k
|
||||
elif [[ ${EXPIRED[$fp]} ]]; then
|
||||
echo -e "$0: ${bold}Re-importing expired key ${fp}${reset} from ${k}"
|
||||
cosmos gpg --import < $k
|
||||
fi
|
||||
done
|
||||
|
||||
# Delete keys no longer present (or expired) in $COSMOS_KEYS directory
|
||||
for fp in ${!KEYRING[@]}; do
|
||||
if [[ ! ${SEEN[$fp]} ]]; then
|
||||
echo -e "$0: ${bold}Deleting key${reset} ${fp} not present (or expired) in ${COSMOS_KEYS}"
|
||||
cosmos gpg --fingerprint $fp
|
||||
cosmos gpg --yes --batch --delete-key $fp || true
|
||||
fi
|
||||
done
|
||||
|
|
|
|||
|
|
@ -1,19 +1,23 @@
|
|||
#!/bin/bash
|
||||
|
||||
CONFIG=${CONFIG:=/etc/puppet/cosmos-modules.conf}
|
||||
LOCALCONFIG=${LOCALCONFIG:=/etc/puppet/cosmos-modules_local.conf}
|
||||
CACHE_DIR=/var/cache/puppet-modules
|
||||
MODULES_DIR=${MODULES_DIR:=/etc/puppet/cosmos-modules}
|
||||
export GNUPGHOME=/etc/cosmos/gnupg
|
||||
|
||||
python -c "import yaml" 2>/dev/null || apt-get -y install python-yaml
|
||||
|
||||
bold='\e[1m'
|
||||
reset='\e[0m'
|
||||
red='\033[01;31m'
|
||||
|
||||
stage_module() {
|
||||
rm -rf $CACHE_DIR/staging/$1
|
||||
git archive --format=tar --prefix=$1/ $2 | (cd $CACHE_DIR/staging/ && tar xf -)
|
||||
}
|
||||
|
||||
if [ -f $CONFIG ]; then
|
||||
if [ -f $CONFIG -o $LOCALCONFIG ]; then
|
||||
if [ ! -d $MODULES_DIR ]; then
|
||||
mkdir -p $MODULES_DIR
|
||||
fi
|
||||
|
|
@ -21,11 +25,14 @@ if [ -f $CONFIG ]; then
|
|||
mkdir -p $CACHE_DIR/{scm,staging}
|
||||
fi
|
||||
|
||||
test -f $CONFIG || CONFIG=''
|
||||
test -f $LOCALCONFIG || LOCALCONFIG=''
|
||||
|
||||
# First pass to clone any new modules, and update those marked for updating.
|
||||
grep -E -v "^#" $CONFIG | (
|
||||
grep -h -E -v "^#" $CONFIG $LOCALCONFIG | sort | (
|
||||
while read module src update pattern; do
|
||||
# We only support git:// urls and https:// urls atm
|
||||
if [ "${src:0:6}" = "git://" -o "${src:0:8}" = "https://" ]; then
|
||||
# We only support git://, file:/// and https:// urls at the moment
|
||||
if [ "${src:0:6}" = "git://" -o "${src:0:8}" = "file:///" -o "${src:0:8}" = "https://" ]; then
|
||||
if [ ! -d $CACHE_DIR/scm/$module ]; then
|
||||
git clone -q $src $CACHE_DIR/scm/$module
|
||||
elif [ -d $CACHE_DIR/scm/$module/.git ]; then
|
||||
|
|
@ -39,16 +46,14 @@ if [ -f $CONFIG ]; then
|
|||
continue
|
||||
fi
|
||||
else
|
||||
echo "ERROR: Ignoring non-git repository"
|
||||
echo -e "${red}ERROR: Ignoring non-git repository${reset}"
|
||||
continue
|
||||
fi
|
||||
elif [[ "$src" =~ .*:// ]]; then
|
||||
echo "ERROR: Don't know how to install '$src'"
|
||||
echo -e "${red}ERROR: Don't know how to install '${src}'${reset}"
|
||||
continue
|
||||
else
|
||||
echo "WARNING"
|
||||
echo "WARNING - attempting UNSAFE installation/upgrade of puppet-module $module from $src"
|
||||
echo "WARNING"
|
||||
echo -e "${bold}WARNING - attempting UNSAFE installation/upgrade of puppet-module ${module} from ${src}${reset}"
|
||||
if [ ! -d /etc/puppet/modules/$module ]; then
|
||||
puppet module install $src
|
||||
elif [ "$update" = "yes" ]; then
|
||||
|
|
@ -60,34 +65,32 @@ if [ -f $CONFIG ]; then
|
|||
|
||||
# Second pass to verify the signatures on all modules and stage those that
|
||||
# have good signatures.
|
||||
grep -E -v "^#" $CONFIG | (
|
||||
grep -h -E -v "^#" $CONFIG $LOCALCONFIG | sort | (
|
||||
while read module src update pattern; do
|
||||
# We only support git:// urls atm
|
||||
if [ "${src:0:6}" = "git://" -o "${src:0:8}" = "https://" ]; then
|
||||
# We only support git://, file:/// and https:// urls at the moment
|
||||
if [ "${src:0:6}" = "git://" -o "${src:0:8}" = "file:///" -o "${src:0:8}" = "https://" ]; then
|
||||
# Verify git tag
|
||||
cd $CACHE_DIR/scm/$module
|
||||
TAG=$(git tag -l "${pattern:-*}" | sort | tail -1)
|
||||
if [ "$COSMOS_VERBOSE" = "y" ]; then
|
||||
echo ""
|
||||
echo "Checking signature on tag ${TAG} for puppet-module $module"
|
||||
echo -e "Checking signature on puppet-module:tag ${bold}${module}:${TAG}${reset}"
|
||||
fi
|
||||
if [ -z "$TAG" ]; then
|
||||
echo "ERROR: No git tag found for pattern '${pattern:-*}' on puppet-module $module"
|
||||
echo -e "${red}ERROR: No git tag found for pattern '${pattern:-*}' on puppet-module ${module}${reset}"
|
||||
continue
|
||||
fi
|
||||
git tag -v $TAG &> /dev/null
|
||||
if [ $? == 0 ]; then
|
||||
if [ "$COSMOS_VERBOSE" = "y" ]; then
|
||||
# short output on good signature
|
||||
git tag -v $TAG 2>&1 | grep "gpg: Good signature"
|
||||
fi
|
||||
#if [ "$COSMOS_VERBOSE" = "y" ]; then
|
||||
# # short output on good signature
|
||||
# git tag -v $TAG 2>&1 | grep "gpg: Good signature"
|
||||
#fi
|
||||
# Put archive in staging since tag verified OK
|
||||
stage_module $module $TAG
|
||||
else
|
||||
echo "################################################################"
|
||||
echo "FAILED signature check on puppet-module $module"
|
||||
echo "################################################################"
|
||||
echo -e "${red}FAILED signature check on puppet-module ${module}${reset}"
|
||||
git tag -v $TAG
|
||||
echo ''
|
||||
fi
|
||||
fi
|
||||
done
|
||||
|
|
@ -95,9 +98,9 @@ if [ -f $CONFIG ]; then
|
|||
|
||||
# Cleanup removed puppet modules from CACHE_DIR
|
||||
for MODULE in $(ls -1 $CACHE_DIR/staging/); do
|
||||
if ! grep -E -q "^$MODULE\s+" $CONFIG; then
|
||||
rm -rf $CACHE_DIR/{scm,staging}/$MODULE
|
||||
fi
|
||||
if ! grep -h -E -q "^$MODULE\s+" $CONFIG $LOCALCONFIG; then
|
||||
rm -rf $CACHE_DIR/{scm,staging}/$MODULE
|
||||
fi
|
||||
done
|
||||
|
||||
# Installing verified puppet modules
|
||||
|
|
|
|||
|
|
@ -1,13 +1,14 @@
|
|||
#!/bin/sh
|
||||
|
||||
if [ "x$COSMOS_VERBOSE" = "xy" ]; then
|
||||
args="--verbose"
|
||||
args="--verbose --show_diff"
|
||||
else
|
||||
args="--logdest=syslog"
|
||||
fi
|
||||
|
||||
if [ -f /usr/bin/puppet -a -d /etc/puppet/manifests ]; then
|
||||
for m in `find /etc/puppet/manifests -name \*.pp`; do
|
||||
puppet apply $args < $m
|
||||
test "x$COSMOS_VERBOSE" = "xy" && echo "$0: Applying Puppet manifest $m"
|
||||
puppet apply $args $m
|
||||
done
|
||||
fi
|
||||
|
|
|
|||
|
|
@ -1,4 +1,6 @@
|
|||
#!/bin/sh
|
||||
#!/bin/bash
|
||||
|
||||
apt-get -qq update
|
||||
apt-get -qq -y autoremove
|
||||
if (( $RANDOM % 20 == 0)); then
|
||||
apt-get -qq update
|
||||
apt-get -qq -y autoremove
|
||||
fi
|
||||
|
|
|
|||
|
|
@ -1,5 +1,26 @@
|
|||
#!/bin/sh
|
||||
#!/bin/bash
|
||||
|
||||
if [ -f /var/run/reboot-required -a -f /etc/cosmos-automatic-reboot ]; then
|
||||
reboot
|
||||
if [[ -f /var/run/reboot-required && -f /etc/cosmos-automatic-reboot ]]; then
|
||||
|
||||
if [[ $HOSTNAME =~ -tug- ]]; then
|
||||
# Reboot hosts in site TUG with 15 seconds delay (enough to manually
|
||||
# cancel the reboot if logged in and seeind the 'emerg' message broadcasted to console)
|
||||
sleep=15
|
||||
elif [[ $HOSTNAME =~ -fre- ]]; then
|
||||
# reboot hosts in site FRE with 15+180 to 15+180+180 seconds delay
|
||||
sleep=$(( 180 + ($RANDOM % 180)))
|
||||
elif [[ $HOSTNAME =~ -lla- ]]; then
|
||||
# reboot hosts in site LLA with 15+180+180 to 15+180+180+180 seconds delay
|
||||
sleep=$(( 375 + ($RANDOM % 180)))
|
||||
else
|
||||
# reboot hosts in any other site with 15 to 315 seconds delay
|
||||
sleep=$(( 15 + ($RANDOM % 300)))
|
||||
fi
|
||||
|
||||
logger -p local0.emerg -i -t cosmos-automatic-reboot "Rebooting automatically in $sleep seconds (if /var/run/reboot-required still exists)"
|
||||
sleep $sleep
|
||||
if [ -f /var/run/reboot-required ]; then
|
||||
logger -p local0.crit -i -t cosmos-automatic-reboot "Rebooting automatically"
|
||||
reboot
|
||||
fi
|
||||
fi
|
||||
|
|
|
|||
|
|
@ -8,14 +8,16 @@ set -e
|
|||
stamp="$COSMOS_BASE/stamps/puppet-tools-v01.stamp"
|
||||
|
||||
if ! test -f $stamp -a -f /usr/bin/puppet; then
|
||||
codename=`lsb_release -c| awk '{print $2}'`
|
||||
puppetdeb="$COSMOS_REPO/apt/puppetlabs-release-${codename}.deb"
|
||||
if [ ! -f $puppetdeb ]; then
|
||||
echo "$0: Puppet deb for release $codename not found in $COSMOS_REPO/apt/"
|
||||
echo " Get it from https://apt.puppetlabs.com/ and put it in the Cosmos repo."
|
||||
exit 1
|
||||
fi
|
||||
dpkg -i $puppetdeb
|
||||
#codename=`lsb_release -c| awk '{print $2}'`
|
||||
#puppetdeb="$COSMOS_REPO/apt/puppetlabs-release-${codename}.deb"
|
||||
#if [ ! -f $puppetdeb ]; then
|
||||
# echo "$0: Puppet deb for release $codename not found in $COSMOS_REPO/apt/"
|
||||
# echo " Get it from https://apt.puppetlabs.com/ and put it in the Cosmos repo."
|
||||
# exit 1
|
||||
#fi
|
||||
## The key currently in use does not appear to actually be installed with $puppetdeb
|
||||
#test -f apt-key add $COSMOS_REPO/apt/keys/puppetlabs-EF8D349F.pub && apt-key add $COSMOS_REPO/apt/keys/puppetlabs-EF8D349F.pub
|
||||
#dpkg -i $puppetdeb
|
||||
apt-get update
|
||||
apt-get -y install puppet-common
|
||||
|
||||
|
|
|
|||
|
|
@ -19,7 +19,12 @@ if [ -f /etc/hiera/data/secrets.yaml.asc -a ! -f /etc/hiera/data/secrets.yaml.gp
|
|||
(cd /etc/hiera/data && ln -s secrets.yaml.asc secrets.yaml.gpg)
|
||||
fi
|
||||
|
||||
if [ ! -s $GNUPGHOME/secring.gpg -a ! -s /etc/hiera/gpg/pubring.kbx ]; then
|
||||
if [ ! -f /usr/bin/eyaml ]; then
|
||||
apt-get update
|
||||
apt-get -y install hiera-eyaml
|
||||
fi
|
||||
|
||||
if [ ! -s $GNUPGHOME/secring.gpg -a ! -s $GNUPGHOME/pubring.kbx ]; then
|
||||
|
||||
if [ "x$1" != "x--force" ]; then
|
||||
echo ""
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue