swedenconnect/eid-ops
0
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

initial sync with nunoc-ops

Browse source
This commit is contained in:
Leif Johansson 2017-08-15 11:37:45 +02:00
parent 544fde0797
commit 41eeccd9cb
26 changed files with 1555 additions and 103 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
addhost
View file

@ -37,6 +37,11 @@ defrepo=`git remote -v | grep ${remote:="ro"} | grep fetch | awk '{print $2}'`
rrepo=${repo:="$defrepo"}
rtag=${tag:="changeme"}
if [ "x$rrepo" = "x" ]; then
echo "$0: repo not set in cosmos.conf and no git remote named 'ro' found"
exit 1
fi
if [ ! -d $cmd_hostname ]; then
cp -pr default $cmd_fqdn
git add $cmd_fqdn
@ -45,7 +50,7 @@ if [ ! -d $cmd_hostname ]; then
fi
if [ "$cmd_do_bootstrap" = "yes" ]; then
scp apt/cosmos_1.2-2_all.deb apt/bootstrap-cosmos.sh root@$cmd_hostname:
scp apt/cosmos_1.5-1_all.deb apt/bootstrap-cosmos.sh root@$cmd_hostname:
ssh root@$cmd_hostname ./bootstrap-cosmos.sh $cmd_fqdn $rrepo $rtag
ssh root@$cmd_hostname cosmos update
ssh root@$cmd_hostname cosmos apply

10
bump-tag
View file

@ -11,8 +11,13 @@ tagpfx=${tag:="$deftag"}
last_tag=`git tag -l "${tagpfx}-*"|sort|tail -1`
git tag -v $last_tag
echo "Verifying last tag $last_tag:"
(git tag -v $last_tag | grep ^gpg:) || true
# again to not mask exit status of git with grep
git tag -v $last_tag > /dev/null 2>&1
echo ""
echo "Differences between tag $last_tag and what you are about to sign:"
PAGER=cat git diff $last_tag..master
iter=1
@ -29,7 +34,8 @@ while test -z "$ok"; do
esac
done
echo using new tag $this_tag
echo ""
echo "Using new tag $this_tag"
echo ONLY SIGN IF YOU APPROVE OF VERIFICATION AND DIFF ABOVE
# GITTAGEXTRA is for putting things like "-u 2117364A"

1
cosmos-site.pp Symbolic link
View file

@ -0,0 +1 @@
global/overlay/etc/puppet/manifests/cosmos-site.pp

3
cosmos.conf
View file

@ -1,2 +1 @@
tag="eduid-cosmos"
#repo=git://override-repo-URL
tag="eid-ops"

19
edit-secrets
View file

@ -11,7 +11,7 @@ if [ "x$1" = "x" ]; then
fi
if [ "x$1" != "x-l" ]; then
host=$1
host=$(echo $1 | sed -e 's!/*$!!') # remove trailing slashes
if [ ! -d $host ]; then
echo "$0: No host-directory for '$host' found - execute in top-level cosmos dir"
@ -19,12 +19,12 @@ if [ "x$1" != "x-l" ]; then
fi
# Execute this very script, on a remote host
TMPFILE=$(mktemp)
TMPFILE=$(mktemp edit-secrets.$$.XXXXXXX)
if [ ! -f $TMPFILE ]; then
echo "$0: Failed creating temporary file"
exit 1
fi
TMPFILE2=$(mktemp)
TMPFILE2=$(mktemp edit-secrets.$$.XXXXXXX)
if [ ! -f $TMPFILE2 ]; then
echo "$0: Failed creating temporary file"
exit 1
@ -98,8 +98,11 @@ fi
trap "rm -f $TMPFILE $TMPFILE2" EXIT
if [ ! -f "$GNUPGHOME/secring.gpg" ]; then
echo "$0: Secret keyring $GNUPGHOME/secring.gpg does not exist."
if ! $GPG --list-secret-keys | grep -q ^"sec\s"; then
echo "$0: Secret key does not exist (in $GNUPGHOME)."
echo ""
echo "Generate it with /var/cache/cosmos/model/pre-tasks.d/040hiera-gpg"
echo ""
exit 1
fi
@ -126,10 +129,16 @@ else
# figure out this hosts gpg key id
recipient=$($GPG --list-secret-key | grep ^sec | head -1 | awk '{print $2}' | cut -d / -f 2)
save_to="`hostname --fqdn`/overlay${SECRETFILE}"
echo ""
(
echo "STATUS=UPDATED"
echo ""
) > $LAST_OUTPUT_FILENAME
$GPG --output - --armor --recipient $recipient --sign --encrypt $TMPFILE >> $LAST_OUTPUT_FILENAME
echo ""
echo "GPG output saved in $LAST_OUTPUT_FILENAME - save it in Cosmos as"
echo ""
echo " $save_to"
echo ""
fi

44
fabfile/__init__.py
View file

@ -5,6 +5,7 @@ import yaml
import re
import sys
from fabfile.db import cosmos_db
from fabric.api import task
env.user = 'root'
env.timeout = 30
@ -12,24 +13,67 @@ env.connection_attempts = 3
env.warn_only = True
env.skip_bad_hosts = True
env.roledefs = cosmos_db()['members']
env.use_ssh_config = True
def _lookup(node_name):
if os.path.exists(os.path.join(node_name,".hostname")):
with open(os.path.join(node_name,".hostname"),"r") as fd:
return fd.readline().strip()
return node_name
@task
def all():
env.hosts = cosmos_db()['members']['all']
@task
def h(key=None):
db = cosmos_db()
env.roledefs = db['members']
if key is None:
key = 'all'
_hosts = [key]
if key in env.roledefs:
_hosts = env.roledefs[key]
env.hosts = [ _lookup(h) for h in _hosts ]
@task
def cosmos():
run("/usr/local/bin/run-cosmos");
@task
def set_no_automatic_cosmos():
run("touch /etc/no-automatic-cosmos")
@task
def remove_no_automatic_cosmos():
run("rm /etc/no-automatic-cosmos")
@task
def upgrade():
run("apt-get -qq update && apt-get -y -q upgrade");
@task
def distupgrade():
run("apt-get -qq update && apt-get -y -q dist-upgrade");
@task
def facts():
get("/var/run/facts.yaml",local_path="facts/%(host)s.yaml")
@task
def chassis():
run("ipmi-chassis --get-chassis-status")
def newvm(fqdn,ip,domain):
run("vmbuilder kvm ubuntu --domain %s --dest /var/lib/libvirt/images/%s.img --arch x86_64 --hostname %s --mem 512 --ip %s --addpkg openssh-server" % (domain,fqdn,fqdn,ip))
@task
def cp(local,remote):
put(local,remote)
@task
def synci():
get("/etc/network/interfaces",local_path="%(host)s/global/overlay/etc/interfaces")

BIN
fabfile/__init__.pyc
View file

Binary file not shown.

4
fabfile/db.py
View file

@ -32,6 +32,10 @@ def _load_db():
node_classes.update(cls)
classes[node_name] = node_classes
# Sort member lists for a more easy to read diff
for cls in members.keys():
members[cls].sort()
return dict(classes=classes,members=members)
_db = None

15
global/overlay/etc/cosmos/apt/bootstrap-cosmos.sh
View file

@ -1,6 +1,7 @@
#!/bin/sh
set -e
#set -e
# not all breakage is un-recoverable...
cmd_hostname="$1"
if test -z "$cmd_hostname"; then
@ -20,16 +21,20 @@ if test -z "$cmd_tags"; then
exit 3
fi
set -x
apt-get -y install rsync git-core wget
dpkg -i cosmos_1.2-2_all.deb
apt-get -y update
apt-get -y upgrade
for pkg in rsync git git-core wget; do
apt-get -y install $pkg
done
dpkg -i cosmos_1.5-1_all.deb
if ! test -d /var/cache/cosmos/repo; then
cosmos clone "$cmd_repo"
fi
hostname $cmd_hostname
short=`echo ${cmd_hostname} | awk -F. '{print $1}'`
echo "127.0.1.1 ${cmd_hostname} ${short}" >> /etc/hosts
perl -pi -e "s,#COSMOS_REPO_MODELS=.*,COSMOS_REPO_MODELS=\"\\\$COSMOS_REPO/global/:\\\$COSMOS_REPO/$cmd_hostname/\"," /etc/cosmos/cosmos.conf
perl -pi -e "s,#COSMOS_UPDATE_VERIFY_GIT_TAG_PATTERN=.*,COSMOS_UPDATE_VERIFY_GIT_TAG_PATTERN=\"${cmd_tags}*\"," /etc/cosmos/cosmos.conf

BIN
global/overlay/etc/cosmos/apt/cosmos_1.5-1_all.deb Normal file
View file

Binary file not shown.

BIN
global/overlay/etc/cosmos/apt/puppetlabs-release-trusty.deb Normal file
View file

Binary file not shown.

BIN
global/overlay/etc/cosmos/apt/puppetlabs-release-xenial.deb Normal file
View file

Binary file not shown.

790
global/overlay/etc/puppet/cosmos-db.yaml Normal file
View file

@ -0,0 +1,790 @@
classes:
acme-c.sunet.se:
autoupdate: null
entropyclient: null
infra_ca_rp: null
mailclient: &id001 {domain: sunet.se}
nrpe: null
nunoc: null
sunet_iaas_cloud: null
sunetops: null
artisan-saas-idp-proxy.sunet.se:
autoupdate: null
dhcp6_client: null
entropyclient: null
https_server: null
infra_ca_rp: null
mailclient: *id001
nrpe: null
nunoc: null
openstack_ubuntu_16_04_dockerhost: null
saml_metadata: {filename: /etc/satosa/metadata/artisan.xml, url: 'https://idp1.artologik.net/federationmetadata/2007-06/federationmetadata.xml'}
sunet::dehydrated::client: {domain: artisan-saas-idp-proxy.sunet.se}
sunet::satosa: {dehydrated_name: artisan-saas-idp-proxy.sunet.se, image: docker.sunet.se/satosa,
tag: artisan}
sunet_iaas_cloud: null
sunetops: null
swamid_metadata: {filename: /etc/satosa/metadata/swamid-2.0.xml}
ca.sunet.se:
entropyclient: null
infra_ca_rp: null
mailclient: *id001
nrpe: null
nunoc: null
sunetops: null
cdr1.sunet.se:
entropyclient: null
infra_ca_rp: null
mailclient: *id001
nrpe: null
nunoc: null
sunet_cdr: null
sunetops: null
cdr2.sunet.se:
entropyclient: null
infra_ca_rp: null
mailclient: *id001
nrpe: null
nunoc: null
sunet_cdr: null
sunetops: null
ci.nordu.net:
entropyclient: null
infra_ca_rp: null
mailclient: &id002 {domain: nordu.net}
nrpe: null
nunoc: null
sunetops: null
ci.sunet.se:
entropyclient: null
https_server: null
infra_ca_rp: null
mailclient: *id001
nrpe: null
nunoc: null
sunetops: null
code.nordu.net:
entropyclient: null
infra_ca_rp: null
mailclient: *id002
nrpe: null
nunoc: null
sunetops: null
comanage.sunet.se:
entropyclient: null
infra_ca_rp: null
mailclient: *id001
nrpe: null
nunoc: null
sunetops: null
crowd.sunet.se:
autoupdate: null
eduix: null
entropyclient: null
infra_ca_rp: null
mailclient: *id001
nrpe: null
nunoc: null
openstack_ubuntu_16_04_dockerhost_eduix: null
sunet::dehydrated::client: {domain: crowd.sunet.se}
sunet_iaas_cloud: null
sunetops: null
webserver: null
datasets.sunet.se:
entropyclient: null
infra_ca_rp: null
mailclient: *id001
nrpe: null
nunoc: null
sunetops: null
docker.sunet.se:
entropyclient: null
https_server: null
infra_ca_rp: null
mailclient: *id001
nrpe: null
nunoc: null
sunetops: null
ds-legacy.sunet.se:
autoupdate: null
ds_legacy: null
entropyclient: null
infra_ca_rp: null
mailclient: *id001
nrpe: null
nunoc: null
openstack_ubuntu_16_04_dockerhost: null
sunet::dehydrated::client: {domain: ds-legacy.sunet.se, ssl_links: true}
sunet_iaas_cloud: null
sunetops: null
ds-test.swamid.se:
autoupdate: null
dhcp6_client: null
ds_test: null
entropyclient: null
infra_ca_rp: null
mailclient: &id003 {domain: sunet.se}
nrpe: null
nunoc: null
openstack_ubuntu_16_04_dockerhost: null
sunet::dehydrated::client: {domain: ds-test.swamid.se}
sunet_iaas_cloud: null
sunetops: null
swamidops: null
webserver: null
flog.sunet.se:
entropyclient: null
infra_ca_rp: null
mailclient: *id001
nrpe: null
nunoc: null
sunetops: null
git.swamid.se:
autoupdate: null
entropyclient: null
infra_ca_rp: null
mailclient: *id003
nrpe: null
nunoc: null
sunet::dehydrated::client: {domain: git.swamid.se}
sunetops: null
swamid_md_master: {hostname: git.swamid.se}
swamidops: null
gitlab.sunet.se:
entropyclient: null
infra_ca_rp: null
mailclient: *id001
nrpe: null
nunoc: null
sunetops: null
idp-test.swamid.se:
entropyclient: null
infra_ca_rp: null
mailclient: *id003
nrpe: null
nunoc: null
sunetops: null
swamidops: null
idp.sunet.se:
autoupdate: null
entropyclient: null
https_server: null
infra_ca_rp: null
mailclient: *id001
nrpe: null
nunoc: null
openstack_ubuntu_16_04_dockerhost: null
sunet::dehydrated::client: {domain: idp.sunet.se}
sunet::frontend::register_sites:
sites:
idp.sunet.se:
frontends: [se-fre-lb-1.sunet.se, se-tug-lb-1.sunet.se]
port: '443'
sunet::satosa: {dehydrated_name: idp.sunet.se, tag: sunet-idp}
sunet_iaas_cloud: null
sunetops: null
swamid_metadata: {filename: /etc/satosa/metadata/swamid-2.0.xml}
imap2.sunet.se:
autoupdate: null
entropyclient: null
infra_ca_rp: null
mailclient: *id001
nrpe: null
nunoc: null
sunet::dovecot: null
sunet_iaas_cloud: null
sunetops: null
lobo2.lab.sunet.se:
entropyclient: null
infra_ca_rp: null
mailclient: *id001
nrpe: null
nunoc: null
sunetops: null
loke.sunet.se:
autoupdate: null
entropyclient: null
infra_ca_rp: null
mailclient: *id001
nrpe: null
nunoc: null
sunet::frontend::route_reflector: null
sunetops: null
md-master.reep.refeds.org: {entropyclient: null, infra_ca_rp: null, nrpe: null,
nunoc: null, swamidops: null}
mds1.swamid.se:
entropyclient: null
infra_ca_rp: null
mailclient: *id003
nrpe: null
nunoc: null
sunet::dehydrated::client: {domain: mds.swamid.se}
sunetops: null
swamid_static_signer: null
swamidops: null
mds2.swamid.se:
entropyclient: null
infra_ca_rp: null
mailclient: *id003
nrpe: null
nunoc: null
sunet::dehydrated::client: {domain: mds.swamid.se}
sunetops: null
swamid_static_signer: null
swamidops: null
mdx1.swamid.se:
entropyclient: null
infra_ca_rp: null
mailclient: *id003
nrpe: null
nunoc: null
sunet::dehydrated::client: {domain: mdx.swamid.se}
sunetops: null
swamid_pyff_signer: null
swamidops: null
mdx2.swamid.se:
entropyclient: null
infra_ca_rp: null
mailclient: *id003
nrpe: null
nunoc: null
sunet::dehydrated::client: {domain: mdx.swamid.se}
sunetops: null
swamid_pyff_signer: null
swamidops: null
meta.swamid.se:
entropyclient: null
infra_ca_rp: null
mailclient: *id003
nrpe: null
nunoc: null
sunetops: null
swamidops: null
monitor.sunet.se:
entropyclient: null
infra_ca_rp: null
mailclient: *id001
nrpe: null
nunoc: null
sunetops: null
nagiosxi-kvm-lab.nordu.net:
entropyclient: null
infra_ca_rp: null
mailclient: *id002
nrpe: null
nunoc: null
sunetops: null
nidev-consumer2.nordu.net:
entropyclient: null
infra_ca_rp: null
mailclient: *id002
nrpe: null
nunoc: null
sunetops: null
webserver: null
people.sunet.se:
entropyclient: null
infra_ca_rp: null
mailclient: *id001
nrpe: null
nunoc: null
sunetops: null
pypi.sunet.se:
autoupdate: null
entropyclient: null
infra_ca_rp: null
mailclient: *id001
nrpe: null
nunoc: null
openstack_ubuntu_16_04_dockerhost: null
sunet::dehydrated::client: {domain: pypi.sunet.se}
sunet::pypi: null
sunet_iaas_cloud: null
sunetops: null
webserver: null
random1.nordu.net:
entropyserver: null
infra_ca_rp: null
mailclient: *id002
nrpe: null
nunoc: null
sunetops: null
random2.nordu.net:
entropyserver: null
infra_ca_rp: null
mailclient: *id002
nrpe: null
nunoc: null
sunetops: null
redis-fe-1.sunet.se:
autoupdate: null
entropyclient: null
infra_ca_rp: null
mailclient: *id001
nrpe: null
nunoc: null
openstack_ubuntu_16_04_dockerhost: null
redis_frontend_node: &id004 {hostname: jsub.sunet.se}
sunet_iaas_cloud: null
sunetops: null
redis-fe-2.sunet.se:
autoupdate: null
entropyclient: null
infra_ca_rp: null
mailclient: *id001
nrpe: null
nunoc: null
openstack_ubuntu_16_04_dockerhost: null
redis_frontend_node: *id004
sunet_iaas_cloud: null
sunetops: null
registry-test.swamid.se:
autoupdate: null
emergya: null
entropyclient: null
infra_ca_rp: null
mailclient: *id003
nrpe: null
nunoc: null
openstack_ubuntu_16_04_dockerhost: null
sunet_iaas_cloud: null
sunetops: null
swamidops: null
registry.swamid.se:
entropyclient: null
infra_ca_rp: null
mailclient: *id003
nrpe: null
nunoc: null
sunetops: null
swamidops: null
rt.sunet.se:
entropyclient: null
infra_ca_rp: null
mailclient: *id001
nrpe: null
nunoc: null
sunetops: null
saas-idp-test.swamid.se:
entropyclient: null
infra_ca_rp: null
mailclient: *id003
nrpe: null
nunoc: null
sunetops: null
swamidops: null
ubuntu_dockerhost: null
samltest.swamid.se:
entropyclient: null
infra_ca_rp: null
mailclient: *id003
nrpe: null
nunoc: null
sunetops: null
swamidops: null
se-east-1-infra-rs-1.sunet.se:
autoupdate: null
entropyclient: null
infra_ca_rp: null
mailclient: *id001
nrpe: null
nunoc: null
sunet::frontend::route_reflector: {router_id: 89.45.232.186}
sunet_iaas_cloud: null
sunetops: null
se-east-1-jsub-1.sunet.se:
autoupdate: null
entropyclient: null
infra_ca_rp: null
mailclient: *id001
nrpe: null
nunoc: null
openstack_ubuntu_16_04_dockerhost_net_host: null
redis_cluster_node: null
sunet_iaas_cloud: null
sunetops: null
se-east-1-jsub-2.sunet.se:
autoupdate: null
entropyclient: null
infra_ca_rp: null
mailclient: *id001
nrpe: null
nunoc: null
openstack_ubuntu_16_04_dockerhost_net_host: null
redis_cluster_node: null
sunet_iaas_cloud: null
sunetops: null
se-east-1-jsub-3.sunet.se:
autoupdate: null
entropyclient: null
infra_ca_rp: null
mailclient: *id001
nrpe: null
nunoc: null
openstack_ubuntu_16_04_dockerhost_net_host: null
redis_cluster_node: null
sunet_iaas_cloud: null
sunetops: null
se-fre-lb-1.sunet.se:
entropyclient: null
infra_ca_rp: null
mailclient: *id001
nrpe: null
nunoc: null
sunet::dockerhost: {docker_version: 17.03.1~ce-0~ubuntu-xenial, manage_dockerhost_unbound: true}
sunet::frontend::load_balancer: null
sunetops: null
se-tug-lb-1.sunet.se:
entropyclient: null
infra_ca_rp: null
mailclient: *id001
nrpe: null
nunoc: null
sunet::dockerhost: {docker_version: 17.05.0~ce-0~ubuntu-xenial, manage_dockerhost_unbound: true}
sunet::frontend::load_balancer: null
sunetops: null
sp.swamid.se:
autoupdate: null
entropyclient: null
infra_ca_rp: null
mailclient: *id003
nrpe: null
nunoc: null
openstack_ubuntu_16_04_dockerhost: null
sunet::dehydrated::client: {domain: sp.swamid.se, ssl_links: true}
sunet_iaas_cloud: null
sunetops: null
swamid_sp_test: null
swamidops: null
sto-fre-kvm1.swamid.se:
entropyclient: null
infra_ca_rp: null
mailclient: *id003
nrpe: null
nunoc: null
sunetops: null
swamidops: null
sto-tug-kvm-lab1.swamid.se:
entropyclient: null
infra_ca_rp: null
mailclient: *id003
nrpe: null
nunoc: null
sunetops: null
swamidops: null
sto-tug-kvm-lab2.swamid.se:
entropyclient: null
infra_ca_rp: null
mailclient: *id003
nrpe: null
nunoc: null
sunetops: null
swamidops: null
sto-tug-kvm1.swamid.se:
entropyclient: null
infra_ca_rp: null
mailclient: *id003
nrpe: null
nunoc: null
sunetops: null
swamidops: null
web-a1.sunet.se:
api_sunet_se_kalturabilling: null
entropyclient: null
infra_ca_rp: null
mailclient: *id001
nrpe: null
nunoc: null
static_sunet_se: null
sunetops: null
webappserver: null
webcommon: null
www_sunet_se: null
web-a2.sunet.se:
entropyclient: null
infra_ca_rp: null
mailclient: *id001
nrpe: null
nunoc: null
static_sunet_se: null
sunetops: null
webappserver: null
webcommon: null
www_sunet_se_master: null
web-a3.sunet.se:
entropyclient: null
infra_ca_rp: null
mailclient: *id001
nrpe: null
nunoc: null
static_sunet_se: null
sunetops: null
webappserver: null
webcommon: null
www_sunet_se: null
web-archive.sunet.se:
entropyclient: null
infra_ca_rp: null
mailclient: *id001
nrpe: null
nunoc: null
sunetops: null
webserver: null
web-db1.sunet.se:
entropyclient: null
infra_ca_rp: null
mailclient: *id001
nrpe: null
nunoc: null
sunetops: null
webbackend: null
webcommon: null
web-db2.sunet.se:
entropyclient: null
infra_ca_rp: null
mailclient: *id001
nrpe: null
nunoc: null
sunetops: null
webbackend: null
webcommon: null
web-db3.sunet.se:
entropyclient: null
infra_ca_rp: null
mailclient: *id001
nrpe: null
nunoc: null
sunetops: null
webbackend: null
webcommon: null
web-f1.sunet.se:
entropyclient: null
infra_ca_rp: null
mailclient: *id001
nrpe: null
nunoc: null
sunetops: null
webcommon: null
webfrontend: null
webserver: null
web-f2.sunet.se:
entropyclient: null
infra_ca_rp: null
mailclient: *id001
nrpe: null
nunoc: null
sunetops: null
webcommon: null
webfrontend: null
webserver: null
web.nordu.net:
entropyclient: null
https_server: null
infra_ca_rp: null
mailclient: *id002
nrpe: null
nunoc: null
sunetops: null
wifiprobe.sunet.se:
entropyclient: null
infra_ca_rp: null
mailclient: *id001
nrpe: null
nunoc: null
openstack_ubuntu_16_04_dockerhost: null
sunet::wifiprobe: null
sunetops: null
wiki.sunet.se:
autoupdate: null
eduix: null
entropyclient: null
infra_ca_rp: null
mailclient: *id001
nrpe: null
nunoc: null
openstack_ubuntu_16_04_dockerhost_eduix: null
sunet::dehydrated::client: {domain: wiki.sunet.se}
sunet_iaas_cloud: null
sunetops: null
webserver: null
members:
all: [acme-c.sunet.se, artisan-saas-idp-proxy.sunet.se, ca.sunet.se, cdr1.sunet.se,
cdr2.sunet.se, ci.nordu.net, ci.sunet.se, code.nordu.net, comanage.sunet.se, crowd.sunet.se,
datasets.sunet.se, docker.sunet.se, ds-legacy.sunet.se, ds-test.swamid.se, flog.sunet.se,
git.swamid.se, gitlab.sunet.se, idp-test.swamid.se, idp.sunet.se, imap2.sunet.se,
lobo2.lab.sunet.se, loke.sunet.se, md-master.reep.refeds.org, mds1.swamid.se,
mds2.swamid.se, mdx1.swamid.se, mdx2.swamid.se, meta.swamid.se, monitor.sunet.se,
nagiosxi-kvm-lab.nordu.net, nidev-consumer2.nordu.net, people.sunet.se, pypi.sunet.se,
random1.nordu.net, random2.nordu.net, redis-fe-1.sunet.se, redis-fe-2.sunet.se,
registry-test.swamid.se, registry.swamid.se, rt.sunet.se, saas-idp-test.swamid.se,
samltest.swamid.se, se-east-1-infra-rs-1.sunet.se, se-east-1-jsub-1.sunet.se,
se-east-1-jsub-2.sunet.se, se-east-1-jsub-3.sunet.se, se-fre-lb-1.sunet.se, se-tug-lb-1.sunet.se,
sp.swamid.se, sto-fre-kvm1.swamid.se, sto-tug-kvm-lab1.swamid.se, sto-tug-kvm-lab2.swamid.se,
sto-tug-kvm1.swamid.se, web-a1.sunet.se, web-a2.sunet.se, web-a3.sunet.se, web-archive.sunet.se,
web-db1.sunet.se, web-db2.sunet.se, web-db3.sunet.se, web-f1.sunet.se, web-f2.sunet.se,
web.nordu.net, wifiprobe.sunet.se, wiki.sunet.se]
api_sunet_se_kalturabilling: [web-a1.sunet.se]
autoupdate: [acme-c.sunet.se, artisan-saas-idp-proxy.sunet.se, crowd.sunet.se, ds-legacy.sunet.se,
ds-test.swamid.se, git.swamid.se, idp.sunet.se, imap2.sunet.se, loke.sunet.se,
pypi.sunet.se, redis-fe-1.sunet.se, redis-fe-2.sunet.se, registry-test.swamid.se,
se-east-1-infra-rs-1.sunet.se, se-east-1-jsub-1.sunet.se, se-east-1-jsub-2.sunet.se,
se-east-1-jsub-3.sunet.se, sp.swamid.se, wiki.sunet.se]
dhcp6_client: [artisan-saas-idp-proxy.sunet.se, ds-test.swamid.se]
ds_legacy: [ds-legacy.sunet.se]
ds_test: [ds-test.swamid.se]
eduix: [crowd.sunet.se, wiki.sunet.se]
emergya: [registry-test.swamid.se]
entropyclient: [acme-c.sunet.se, artisan-saas-idp-proxy.sunet.se, ca.sunet.se, cdr1.sunet.se,
cdr2.sunet.se, ci.nordu.net, ci.sunet.se, code.nordu.net, comanage.sunet.se, crowd.sunet.se,
datasets.sunet.se, docker.sunet.se, ds-legacy.sunet.se, ds-test.swamid.se, flog.sunet.se,
git.swamid.se, gitlab.sunet.se, idp-test.swamid.se, idp.sunet.se, imap2.sunet.se,
lobo2.lab.sunet.se, loke.sunet.se, md-master.reep.refeds.org, mds1.swamid.se,
mds2.swamid.se, mdx1.swamid.se, mdx2.swamid.se, meta.swamid.se, monitor.sunet.se,
nagiosxi-kvm-lab.nordu.net, nidev-consumer2.nordu.net, people.sunet.se, pypi.sunet.se,
redis-fe-1.sunet.se, redis-fe-2.sunet.se, registry-test.swamid.se, registry.swamid.se,
rt.sunet.se, saas-idp-test.swamid.se, samltest.swamid.se, se-east-1-infra-rs-1.sunet.se,
se-east-1-jsub-1.sunet.se, se-east-1-jsub-2.sunet.se, se-east-1-jsub-3.sunet.se,
se-fre-lb-1.sunet.se, se-tug-lb-1.sunet.se, sp.swamid.se, sto-fre-kvm1.swamid.se,
sto-tug-kvm-lab1.swamid.se, sto-tug-kvm-lab2.swamid.se, sto-tug-kvm1.swamid.se,
web-a1.sunet.se, web-a2.sunet.se, web-a3.sunet.se, web-archive.sunet.se, web-db1.sunet.se,
web-db2.sunet.se, web-db3.sunet.se, web-f1.sunet.se, web-f2.sunet.se, web.nordu.net,
wifiprobe.sunet.se, wiki.sunet.se]
entropyserver: [random1.nordu.net, random2.nordu.net]
https_server: [artisan-saas-idp-proxy.sunet.se, ci.sunet.se, docker.sunet.se, idp.sunet.se,
web.nordu.net]
infra_ca_rp: [acme-c.sunet.se, artisan-saas-idp-proxy.sunet.se, ca.sunet.se, cdr1.sunet.se,
cdr2.sunet.se, ci.nordu.net, ci.sunet.se, code.nordu.net, comanage.sunet.se, crowd.sunet.se,
datasets.sunet.se, docker.sunet.se, ds-legacy.sunet.se, ds-test.swamid.se, flog.sunet.se,
git.swamid.se, gitlab.sunet.se, idp-test.swamid.se, idp.sunet.se, imap2.sunet.se,
lobo2.lab.sunet.se, loke.sunet.se, md-master.reep.refeds.org, mds1.swamid.se,
mds2.swamid.se, mdx1.swamid.se, mdx2.swamid.se, meta.swamid.se, monitor.sunet.se,
nagiosxi-kvm-lab.nordu.net, nidev-consumer2.nordu.net, people.sunet.se, pypi.sunet.se,
random1.nordu.net, random2.nordu.net, redis-fe-1.sunet.se, redis-fe-2.sunet.se,
registry-test.swamid.se, registry.swamid.se, rt.sunet.se, saas-idp-test.swamid.se,
samltest.swamid.se, se-east-1-infra-rs-1.sunet.se, se-east-1-jsub-1.sunet.se,
se-east-1-jsub-2.sunet.se, se-east-1-jsub-3.sunet.se, se-fre-lb-1.sunet.se, se-tug-lb-1.sunet.se,
sp.swamid.se, sto-fre-kvm1.swamid.se, sto-tug-kvm-lab1.swamid.se, sto-tug-kvm-lab2.swamid.se,
sto-tug-kvm1.swamid.se, web-a1.sunet.se, web-a2.sunet.se, web-a3.sunet.se, web-archive.sunet.se,
web-db1.sunet.se, web-db2.sunet.se, web-db3.sunet.se, web-f1.sunet.se, web-f2.sunet.se,
web.nordu.net, wifiprobe.sunet.se, wiki.sunet.se]
mailclient: [acme-c.sunet.se, artisan-saas-idp-proxy.sunet.se, ca.sunet.se, cdr1.sunet.se,
cdr2.sunet.se, ci.nordu.net, ci.sunet.se, code.nordu.net, comanage.sunet.se, crowd.sunet.se,
datasets.sunet.se, docker.sunet.se, ds-legacy.sunet.se, ds-test.swamid.se, flog.sunet.se,
git.swamid.se, gitlab.sunet.se, idp-test.swamid.se, idp.sunet.se, imap2.sunet.se,
lobo2.lab.sunet.se, loke.sunet.se, mds1.swamid.se, mds2.swamid.se, mdx1.swamid.se,
mdx2.swamid.se, meta.swamid.se, monitor.sunet.se, nagiosxi-kvm-lab.nordu.net,
nidev-consumer2.nordu.net, people.sunet.se, pypi.sunet.se, random1.nordu.net,
random2.nordu.net, redis-fe-1.sunet.se, redis-fe-2.sunet.se, registry-test.swamid.se,
registry.swamid.se, rt.sunet.se, saas-idp-test.swamid.se, samltest.swamid.se,
se-east-1-infra-rs-1.sunet.se, se-east-1-jsub-1.sunet.se, se-east-1-jsub-2.sunet.se,
se-east-1-jsub-3.sunet.se, se-fre-lb-1.sunet.se, se-tug-lb-1.sunet.se, sp.swamid.se,
sto-fre-kvm1.swamid.se, sto-tug-kvm-lab1.swamid.se, sto-tug-kvm-lab2.swamid.se,
sto-tug-kvm1.swamid.se, web-a1.sunet.se, web-a2.sunet.se, web-a3.sunet.se, web-archive.sunet.se,
web-db1.sunet.se, web-db2.sunet.se, web-db3.sunet.se, web-f1.sunet.se, web-f2.sunet.se,
web.nordu.net, wifiprobe.sunet.se, wiki.sunet.se]
nrpe: [acme-c.sunet.se, artisan-saas-idp-proxy.sunet.se, ca.sunet.se, cdr1.sunet.se,
cdr2.sunet.se, ci.nordu.net, ci.sunet.se, code.nordu.net, comanage.sunet.se, crowd.sunet.se,
datasets.sunet.se, docker.sunet.se, ds-legacy.sunet.se, ds-test.swamid.se, flog.sunet.se,
git.swamid.se, gitlab.sunet.se, idp-test.swamid.se, idp.sunet.se, imap2.sunet.se,
lobo2.lab.sunet.se, loke.sunet.se, md-master.reep.refeds.org, mds1.swamid.se,
mds2.swamid.se, mdx1.swamid.se, mdx2.swamid.se, meta.swamid.se, monitor.sunet.se,
nagiosxi-kvm-lab.nordu.net, nidev-consumer2.nordu.net, people.sunet.se, pypi.sunet.se,
random1.nordu.net, random2.nordu.net, redis-fe-1.sunet.se, redis-fe-2.sunet.se,
registry-test.swamid.se, registry.swamid.se, rt.sunet.se, saas-idp-test.swamid.se,
samltest.swamid.se, se-east-1-infra-rs-1.sunet.se, se-east-1-jsub-1.sunet.se,
se-east-1-jsub-2.sunet.se, se-east-1-jsub-3.sunet.se, se-fre-lb-1.sunet.se, se-tug-lb-1.sunet.se,
sp.swamid.se, sto-fre-kvm1.swamid.se, sto-tug-kvm-lab1.swamid.se, sto-tug-kvm-lab2.swamid.se,
sto-tug-kvm1.swamid.se, web-a1.sunet.se, web-a2.sunet.se, web-a3.sunet.se, web-archive.sunet.se,
web-db1.sunet.se, web-db2.sunet.se, web-db3.sunet.se, web-f1.sunet.se, web-f2.sunet.se,
web.nordu.net, wifiprobe.sunet.se, wiki.sunet.se]
nunoc: [acme-c.sunet.se, acme-c.sunet.se, artisan-saas-idp-proxy.sunet.se, artisan-saas-idp-proxy.sunet.se,
ca.sunet.se, ca.sunet.se, cdr1.sunet.se, cdr1.sunet.se, cdr1.sunet.se, cdr2.sunet.se,
cdr2.sunet.se, cdr2.sunet.se, ci.nordu.net, ci.sunet.se, ci.sunet.se, code.nordu.net,
comanage.sunet.se, comanage.sunet.se, crowd.sunet.se, crowd.sunet.se, datasets.sunet.se,
datasets.sunet.se, docker.sunet.se, docker.sunet.se, ds-legacy.sunet.se, ds-legacy.sunet.se,
ds-test.swamid.se, ds-test.swamid.se, flog.sunet.se, flog.sunet.se, git.swamid.se,
git.swamid.se, gitlab.sunet.se, gitlab.sunet.se, idp-test.swamid.se, idp-test.swamid.se,
idp.sunet.se, idp.sunet.se, imap2.sunet.se, imap2.sunet.se, lobo2.lab.sunet.se,
lobo2.lab.sunet.se, loke.sunet.se, loke.sunet.se, md-master.reep.refeds.org, mds1.swamid.se,
mds1.swamid.se, mds2.swamid.se, mds2.swamid.se, mdx1.swamid.se, mdx1.swamid.se,
mdx2.swamid.se, mdx2.swamid.se, meta.swamid.se, meta.swamid.se, monitor.sunet.se,
monitor.sunet.se, nagiosxi-kvm-lab.nordu.net, nidev-consumer2.nordu.net, people.sunet.se,
people.sunet.se, pypi.sunet.se, pypi.sunet.se, random1.nordu.net, random2.nordu.net,
redis-fe-1.sunet.se, redis-fe-1.sunet.se, redis-fe-2.sunet.se, redis-fe-2.sunet.se,
registry-test.swamid.se, registry-test.swamid.se, registry.swamid.se, registry.swamid.se,
rt.sunet.se, rt.sunet.se, saas-idp-test.swamid.se, saas-idp-test.swamid.se, samltest.swamid.se,
samltest.swamid.se, se-east-1-infra-rs-1.sunet.se, se-east-1-infra-rs-1.sunet.se,
se-east-1-jsub-1.sunet.se, se-east-1-jsub-1.sunet.se, se-east-1-jsub-2.sunet.se,
se-east-1-jsub-2.sunet.se, se-east-1-jsub-3.sunet.se, se-east-1-jsub-3.sunet.se,
se-fre-lb-1.sunet.se, se-fre-lb-1.sunet.se, se-tug-lb-1.sunet.se, se-tug-lb-1.sunet.se,
sp.swamid.se, sp.swamid.se, sto-fre-kvm1.swamid.se, sto-fre-kvm1.swamid.se, sto-tug-kvm-lab1.swamid.se,
sto-tug-kvm-lab1.swamid.se, sto-tug-kvm-lab2.swamid.se, sto-tug-kvm-lab2.swamid.se,
sto-tug-kvm1.swamid.se, sto-tug-kvm1.swamid.se, web-a1.sunet.se, web-a1.sunet.se,
web-a2.sunet.se, web-a2.sunet.se, web-a3.sunet.se, web-a3.sunet.se, web-archive.sunet.se,
web-archive.sunet.se, web-db1.sunet.se, web-db1.sunet.se, web-db2.sunet.se, web-db2.sunet.se,
web-db3.sunet.se, web-db3.sunet.se, web-f1.sunet.se, web-f1.sunet.se, web-f2.sunet.se,
web-f2.sunet.se, web.nordu.net, wifiprobe.sunet.se, wifiprobe.sunet.se, wiki.sunet.se,
wiki.sunet.se]
openstack_ubuntu_16_04_dockerhost: [artisan-saas-idp-proxy.sunet.se, ds-legacy.sunet.se,
ds-test.swamid.se, idp.sunet.se, pypi.sunet.se, redis-fe-1.sunet.se, redis-fe-2.sunet.se,
registry-test.swamid.se, sp.swamid.se, wifiprobe.sunet.se]
openstack_ubuntu_16_04_dockerhost_eduix: [crowd.sunet.se, wiki.sunet.se]
openstack_ubuntu_16_04_dockerhost_net_host: [se-east-1-jsub-1.sunet.se, se-east-1-jsub-2.sunet.se,
se-east-1-jsub-3.sunet.se]
redis_cluster_node: [se-east-1-jsub-1.sunet.se, se-east-1-jsub-2.sunet.se, se-east-1-jsub-3.sunet.se]
redis_frontend_node: [redis-fe-1.sunet.se, redis-fe-2.sunet.se]
saml_metadata: [artisan-saas-idp-proxy.sunet.se]
static_sunet_se: [web-a1.sunet.se, web-a2.sunet.se, web-a3.sunet.se]
sunet::dehydrated::client: [artisan-saas-idp-proxy.sunet.se, crowd.sunet.se, ds-legacy.sunet.se,
ds-test.swamid.se, git.swamid.se, idp.sunet.se, mds1.swamid.se, mds2.swamid.se,
mdx1.swamid.se, mdx2.swamid.se, pypi.sunet.se, sp.swamid.se, wiki.sunet.se]
sunet::dockerhost: [se-fre-lb-1.sunet.se, se-tug-lb-1.sunet.se]
sunet::dovecot: [imap2.sunet.se]
sunet::frontend::load_balancer: [se-fre-lb-1.sunet.se, se-tug-lb-1.sunet.se]
sunet::frontend::register_sites: [idp.sunet.se]
sunet::frontend::route_reflector: [loke.sunet.se, se-east-1-infra-rs-1.sunet.se]
sunet::pypi: [pypi.sunet.se]
sunet::satosa: [artisan-saas-idp-proxy.sunet.se, idp.sunet.se]
sunet::wifiprobe: [wifiprobe.sunet.se]
sunet_cdr: [cdr1.sunet.se, cdr2.sunet.se]
sunet_iaas_cloud: [acme-c.sunet.se, artisan-saas-idp-proxy.sunet.se, crowd.sunet.se,
ds-legacy.sunet.se, ds-test.swamid.se, idp.sunet.se, imap2.sunet.se, pypi.sunet.se,
redis-fe-1.sunet.se, redis-fe-2.sunet.se, registry-test.swamid.se, se-east-1-infra-rs-1.sunet.se,
se-east-1-jsub-1.sunet.se, se-east-1-jsub-2.sunet.se, se-east-1-jsub-3.sunet.se,
sp.swamid.se, wiki.sunet.se]
sunetops: [acme-c.sunet.se, artisan-saas-idp-proxy.sunet.se, ca.sunet.se, cdr1.sunet.se,
cdr1.sunet.se, cdr2.sunet.se, cdr2.sunet.se, ci.nordu.net, ci.sunet.se, code.nordu.net,
comanage.sunet.se, crowd.sunet.se, datasets.sunet.se, docker.sunet.se, ds-legacy.sunet.se,
ds-test.swamid.se, flog.sunet.se, git.swamid.se, gitlab.sunet.se, idp-test.swamid.se,
idp.sunet.se, imap2.sunet.se, lobo2.lab.sunet.se, loke.sunet.se, mds1.swamid.se,
mds2.swamid.se, mdx1.swamid.se, mdx2.swamid.se, meta.swamid.se, monitor.sunet.se,
nagiosxi-kvm-lab.nordu.net, nidev-consumer2.nordu.net, people.sunet.se, pypi.sunet.se,
random1.nordu.net, random2.nordu.net, redis-fe-1.sunet.se, redis-fe-2.sunet.se,
registry-test.swamid.se, registry.swamid.se, rt.sunet.se, saas-idp-test.swamid.se,
samltest.swamid.se, se-east-1-infra-rs-1.sunet.se, se-east-1-jsub-1.sunet.se,
se-east-1-jsub-2.sunet.se, se-east-1-jsub-3.sunet.se, se-fre-lb-1.sunet.se, se-tug-lb-1.sunet.se,
sp.swamid.se, sto-fre-kvm1.swamid.se, sto-tug-kvm-lab1.swamid.se, sto-tug-kvm-lab2.swamid.se,
sto-tug-kvm1.swamid.se, web-a1.sunet.se, web-a2.sunet.se, web-a3.sunet.se, web-archive.sunet.se,
web-db1.sunet.se, web-db2.sunet.se, web-db3.sunet.se, web-f1.sunet.se, web-f2.sunet.se,
web.nordu.net, wifiprobe.sunet.se, wiki.sunet.se]
swamid_md_master: [git.swamid.se]
swamid_metadata: [artisan-saas-idp-proxy.sunet.se, idp.sunet.se]
swamid_pyff_signer: [mdx1.swamid.se, mdx2.swamid.se]
swamid_sp_test: [sp.swamid.se]
swamid_static_signer: [mds1.swamid.se, mds2.swamid.se]
swamidops: [ds-test.swamid.se, git.swamid.se, idp-test.swamid.se, md-master.reep.refeds.org,
mds1.swamid.se, mds2.swamid.se, mdx1.swamid.se, mdx2.swamid.se, meta.swamid.se,
registry-test.swamid.se, registry.swamid.se, saas-idp-test.swamid.se, samltest.swamid.se,
sp.swamid.se, sto-fre-kvm1.swamid.se, sto-tug-kvm-lab1.swamid.se, sto-tug-kvm-lab2.swamid.se,
sto-tug-kvm1.swamid.se]
ubuntu_dockerhost: [saas-idp-test.swamid.se]
webappserver: [web-a1.sunet.se, web-a2.sunet.se, web-a3.sunet.se]
webbackend: [web-db1.sunet.se, web-db2.sunet.se, web-db3.sunet.se]
webcommon: [web-a1.sunet.se, web-a2.sunet.se, web-a3.sunet.se, web-db1.sunet.se,
web-db2.sunet.se, web-db3.sunet.se, web-f1.sunet.se, web-f2.sunet.se]
webfrontend: [web-f1.sunet.se, web-f2.sunet.se]
webserver: [crowd.sunet.se, ds-test.swamid.se, nidev-consumer2.nordu.net, pypi.sunet.se,
web-archive.sunet.se, web-f1.sunet.se, web-f2.sunet.se, wiki.sunet.se]
www_sunet_se: [web-a1.sunet.se, web-a3.sunet.se]
www_sunet_se_master: [web-a2.sunet.se]

57
global/overlay/etc/puppet/cosmos-modules.conf
View file

@ -1,36 +1,23 @@
# name source (puppetlabs fq name or git url) upgrade (yes/no)
#
# name source (puppetlabs fq name or git url) upgrade (yes/no) tag-pattern
#
# NOTE that Git packages MUST be tagged with signatures by someone
# in the Cosmos trust list. That is why all the URLs point to forked
# versions in the SUNET github organization.
#
concat git://github.com/SUNET/puppetlabs-concat.git yes sunet-*
stdlib git://github.com/SUNET/puppetlabs-stdlib.git yes sunet-*
cosmos git://github.com/SUNET/puppet-cosmos.git yes sunet-*
ufw git://github.com/SUNET/puppet-module-ufw.git yes sunet_dev-*
apt git://github.com/SUNET/puppetlabs-apt.git yes sunet_dev-*
vcsrepo git://github.com/SUNET/puppetlabs-vcsrepo.git yes sunet-*
xinetd git://github.com/SUNET/puppetlabs-xinetd.git yes sunet-*
hiera-gpg git://github.com/SUNET/hiera-gpg.git yes sunet-*
#
# Alternate sources you might or might not want to use:
#concat puppetlabs/concat no
#stdlib puppetlabs/stdlib no
#ufw attachmentgenie/ufw no
#apt puppetlabs/apt no
#vcsrepo puppetlabs/vcsrepo no
#xinetd puppetlabs/xinetd no
#cosmos git://github.com/leifj/puppet-cosmos.git yes
#python git://github.com/SUNET/puppet-python.git yes sunet-*
#erlang git://github.com/SUNET/garethr-erlang.git yes sunet-*
#rabbitmq git://github.com/SUNET/puppetlabs-rabbitmq.git yes sunet_dev-*
#pound git://github.com/SUNET/puppet-pound.git yes sunet_dev-*
#augeas git://github.com/SUNET/puppet-augeas.git yes sunet-*
#bastion git://github.com/SUNET/puppet-bastion.git yes sunet-*
#postgresql git://github.com/SUNET/puppetlabs-postgresql.git yes sunet_dev-*
#munin git://github.com/SUNET/ssm-munin.git yes sunet-*
#nagios git://github.com/SUNET/puppet-nagios.git yes sunet-*
#staging git://github.com/SUNET/puppet-staging.git yes sunet-*
#apparmor git://github.com/SUNET/puppet-apparmor.git yes sunet-*
#docker git://github.com/SUNET/garethr-docker.git yes sunet_dev-*
concat git://github.com/SUNET/puppetlabs-concat.git yes sunet_dev-*
stdlib git://github.com/SUNET/puppetlabs-stdlib.git yes sunet-*
cosmos git://github.com/SUNET/puppet-cosmos.git yes sunet-*
ufw git://github.com/SUNET/puppet-module-ufw.git yes sunet-*
apt git://github.com/SUNET/puppetlabs-apt.git yes sunet-*
vcsrepo git://github.com/SUNET/puppetlabs-vcsrepo.git yes sunet-*
xinetd git://github.com/SUNET/puppetlabs-xinetd.git yes sunet-*
python git://github.com/SUNET/puppet-python.git yes sunet-*
hiera-gpg git://github.com/SUNET/hiera-gpg.git yes sunet-*
pound git://github.com/SUNET/puppet-pound.git yes sunet-*
augeas git://github.com/SUNET/puppet-augeas.git yes sunet-*
bastion git://github.com/SUNET/puppet-bastion.git yes sunet-*
pyff git://github.com/samlbits/puppet-pyff.git yes puppet-pyff-*
dhcp git://github.com/SUNET/puppetlabs-dhcp.git yes sunet_dev-*
varnish git://github.com/samlbits/puppet-varnish.git yes puppet-varnish-*
apparmor https://github.com/SUNET/puppet-apparmor.git yes sunet-*
docker git://github.com/SUNET/garethr-docker.git yes sunet-*
network git://github.com/SUNET/attachmentgenie-network.git yes sunet-*
sunet git://github.com/SUNET/puppet-sunet.git yes sunet-*
sysctl git://github.com/SUNET/puppet-sysctl.git yes sunet-*
nagioscfg git://github.com/SUNET/puppet-nagioscfg.git yes sunet-*

9
global/overlay/etc/puppet/cosmos-rules.yaml
View file

@ -1,2 +1,7 @@
'ns[0-9]?.mnt.se$':
nameserver:
'.+':
common:
sunetops:
nrpe:
infra_ca_rp:
mailclient:
domain: sunet.se

11
global/overlay/etc/puppet/cosmos_config_version Executable file
View file

@ -0,0 +1,11 @@
#!/bin/sh
set -e
set -a
COSMOS_CONF_DIR="/etc/cosmos"
. /etc/cosmos/cosmos.conf
COSMOS_VERBOSE="yes"
set +a
/etc/cosmos/update.d/25verify-git 2>/dev/null | grep ^"tag " | head -1 | cut -b 5-

22
global/overlay/etc/puppet/facter/cosmos.rb Normal file
View file

@ -0,0 +1,22 @@
#
# Extract local Cosmos configuration
#
require 'facter'
Facter.add(:cosmos_repo) do
setcode do
Facter::Util::Resolution.exec("sh -c '. /etc/cosmos/cosmos.conf && echo $COSMOS_REPO'")
end
end
Facter.add(:cosmos_tag_pattern) do
setcode do
Facter::Util::Resolution.exec("sh -c '. /etc/cosmos/cosmos.conf && echo $COSMOS_UPDATE_VERIFY_GIT_TAG_PATTERN'")
end
end
Facter.add(:cosmos_repo_origin_url) do
setcode do
Facter::Util::Resolution.exec("sh -c '. /etc/cosmos/cosmos.conf && cd $COSMOS_REPO && git remote show -n origin | grep \"Fetch URL\" | awk \"{print \\$NF }\"'")
end
end

573
global/overlay/etc/puppet/manifests/cosmos-site.pp
View file

@ -4,49 +4,550 @@ Exec {
path => "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
}
# include some of this stuff for additional features
include sunet
#include cosmos::tools
#include cosmos::motd
#include cosmos::ntp
#include cosmos::rngtools
#include cosmos::preseed
include ufw
include apt
include cosmos
class mailclient ($domain) {
sunet::preseed_package {"postfix": ensure => present, options => {domain => $domain}}
}
# you need a default node
class autoupdate {
class { 'sunet::updater': cron => true, cosmos_automatic_reboot => true }
}
node default {
class infra_ca_rp {
sunet::ici_ca::rp { 'infra': }
}
# you need a default node, all nodes need ssh + ufw
node default {
}
class common {
include sunet::tools
include sunet::motd
include sunet::ntp
include ufw
include apt
include apparmor
}
class dhcp6_client {
ufw::allow { "allow-dhcp6-546":
ip => 'any',
port => '546',
proto => 'udp',
}
ufw::allow { "allow-dhcp6-547":
ip => 'any',
port => '547',
proto => 'udp'
}
}
class entropyclient {
include sunet::simple_entropy
sunet::ucrandom {'random.nordu.net': }
sunet::nagios::nrpe_check_process { 'haveged': }
}
class dockerhost {
class { 'sunet::dockerhost':
run_docker_cleanup => true,
manage_dockerhost_unbound => true
}
}
class ubuntu_dockerhost {
class { 'sunet::dockerhost':
docker_version => "17.03.0~ce-0~ubuntu-${::lsbdistcodename}",
storage_driver => "aufs",
run_docker_cleanup => true,
manage_dockerhost_unbound => true,
docker_dns => '172.17.0.1'
}
}
class openstack_ubuntu_16_04_dockerhost {
class { 'sunet::dockerhost':
docker_version => "17.03.0~ce-0~ubuntu-${::lsbdistcodename}",
storage_driver => "aufs",
run_docker_cleanup => true,
manage_dockerhost_unbound => true,
docker_dns => '172.17.0.1'
}
}
# ONLY to be used for those that start containers with --net host.
# The only difference from openstack_ubuntu_16_04_dockerhost is that
# this class has docker_dns set to 127.0.0.1
class openstack_ubuntu_16_04_dockerhost_net_host {
class { 'sunet::dockerhost':
docker_version => "17.03.0~ce-0~ubuntu-${::lsbdistcodename}",
storage_driver => "aufs",
run_docker_cleanup => true,
manage_dockerhost_unbound => true,
docker_dns => '127.0.0.1'
}
}
# The only difference from openstack_ubuntu_16_04_dockerhost is that
# this class uses a eduix specific registry.
class openstack_ubuntu_16_04_dockerhost_eduix {
class { 'sunet::dockerhost':
docker_version => "17.03.0~ce-0~ubuntu-${::lsbdistcodename}",
storage_driver => "aufs",
run_docker_cleanup => true,
manage_dockerhost_unbound => true,
docker_dns => '172.17.0.1',
docker_extra_parameters => '--insecure-registry registry.lab.eduix.fi'
}
}
class sunet_iaas_cloud {
sunet::cloud_init::config { 'disable_datasources':
config => { datasource_list => [ 'None' ] }
}
sunet::cloud_init::config { 'keep_root_enabled':
config => { disable_root => 'false' }
}
# rdrand is exposed to VMs and can therefore be used.
package {'rng-tools': } ->
service {'rng-tools':
ensure => 'running'
}
}
# edit and uncomment to manage ssh root keys in a simple way
class webserver {
ufw::allow { "allow-http":
ip => 'any',
port => '80'
}
ufw::allow { "allow-https":
ip => 'any',
port => '443'
}
}
#class { 'cosmos::access':
# keys => [
# "ssh-rsa ..."
# ]
#}
class swamid_metadata($filename=undef) {
sunet::metadata::swamid { "$filename": }
}
# example config for the nameserver class which is matched in cosmos-rules.yaml
class saml_metadata($filename=undef, $cert=undef, $url=undef) {
sunet::metadata { "$filename": url => $url, cert => $cert }
}
#class nameserver {
# package {'bind9':
# ensure => latest
# }
# service {'bind9':
# ensure => running
# }
# ufw::allow { "allow-dns-udp":
# ip => 'any',
# port => 53,
# proto => "udp"
# }
# ufw::allow { "allow-dns-tcp":
# ip => 'any',
# port => 53,
# proto => "tcp"
# }
#}
class swamid_metadata_repo($hostname=undef) {
$host = $hostname ? {
undef => $title,
default => $hostname
}
sunet::ssh_keyscan::host {$host: } ->
vcsrepo { '/opt/swamid-metadata':
ensure => present,
provider => git,
source => "git@$host:swamid-metadata.git"
}
}
class swamid_md_master($hostname) {
class {'openstack_ubuntu_16_04_dockerhost': } ->
class {'sunet::gitolite': } ->
sunet::docker_run {'gitweb':
image => 'docker.sunet.se/gitweb',
imagetag => 'latest',
volumes => ['/etc/dehydrated:/etc/dehydrated','/home/git:/home/git'],
ports => ['443:443','80:80'],
env => ["HOSTNAME=$hostname","KEYDIR=/etc/dehydrated"]
} ->
class {'webserver': } ->
class {'https_server': }
}
class swamid_pyff_signer {
class {'ubuntu_dockerhost': }
class { 'swamid_metadata_repo': hostname => 'git.swamid.se'} ->
cron {'update-swamid-metadata':
command => "cd /opt/swamid-metadata && git pull -q",
user => root,
minute => '*/5'
} ->
sunet::pyff {'swamid':
ssl_dir => '/etc/dehydrated',
dir => '/opt/swamid-metadata',
acme_tool_uri => "http://acme-c.sunet.se/.well-known/acme-challenge/"
}
#sunet::exabgp::config {'swamid':
# local_as => "65433",
# local_address => "${::ipaddress_eth0}",
# remote_as => "1653",
# remote_address => hiera("1653-peer-address"),
# route => "130.242.125.192/32 next-hop self"
#} ->
#sunet::exabgp::monitor::url {'check-for-sp-swamid':
# url => "localhost/metadata/%7Bsha1%7D152713cd66ffc27ec9ef42cc43c85df399f6a85e.json",
# match => "https://sp.swamid.se/shibboleth"
#} ->
sunet::exabgp { 'swamid': }
}
class sunetops {
# Allow hosts to configure sshd as needed
$sshd_config = $hostname ? {
'pypi' => false,
default => true,
}
class { 'sunet::server':
sshd_config => $sshd_config,
}
ssh_authorized_key {'leifj+neo':
ensure => present,
name => 'leifj+neo@mnt.se',
key => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDVvB4gdJ6EWRmx8xUSxrhoUNnWxEf8ZwAqhzC1+7XBY/hSd/cbEotLB9gxgqt0CLW56VU4FPLTw8snD8tgsyZN6KH1Da7UXno8oMk8tJdwLQM0Ggx3aWuztItkDfBc3Lfvq5T07YfphqJO7rcSGbS4QQdflXuOM9JLi6NStVao0ia4aE6Tj68pVVb3++XYvqvbU6NtEICvkTxEY93YpnRSfeAi64hsbaqSTN4kpeltzoSD1Rikz2aQFtFXE03ZC48HtGGhdMFA/Ade6KWBDaXxHGARVQ9/UccfhaR2XSjVxSZ8FBNOzNsH4k9cQIb2ndkEOXZXnjF5ZjdI4ZU0F+t7',
type => 'ssh-rsa',
user => 'root'
}
ssh_authorized_key {'ft+505152DD':
ensure => present,
name => 'fredrik+505152DD@thulin.net',
key => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQCnskRpNxWJE/YgDR3o6sMWwwmbUJ8f2SJa0gHfHM+fcxxC2zQN9/9mqJSxS1E9QdeuRbbHpYxEUtHoX0vSrmia/VALDiQAMps51RBqq6YlrYqvP/Rb0hZ0Z4/YgjTosLdu1PeTzih6mwbyNNF0+gY987Ig31qXQytNF+9G1oSY9dgBAq52lu170QXTRwum4B6Gh4/pCnM6xx+7nY2oqlgvl2wYHVAOJ39W9r4y9kBhcVs51XvJqYehjaoyKYf1+PzA0FsvhJkZuG6ws5eEGSB90lAzKGyFZXedvOLmnFmqAraoLeuKajHIFJDfKNfHHbYpn8ERIfVW66nbqlXFO2g3',
type => 'ssh-rsa',
user => 'root'
}
ssh_authorized_key {'ft+4030CCAD':
ensure => present,
name => 'fredrik+4030CCAD@thulin.net',
key => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDCb2Nkstl2A2Av34oAeugSFAUZisR44EiN3+QHCfNiv2UtMvGQsz2uVRGS0zA7j2PjcrEA1AcstriONBZF/TodARbirX7u7ibJo4gfFJctSMHMBncwSKt5BR6cuCZpW9E7f05tVc3Z1SU1XlAn0OUuAt6UwluEehEKLKXDIHWfsGejlOTpy6x+++6/o1gfMoXpxYDRK70z8jWPfN6i/tt2q+Y0gjZWQP4CHGzFEUtTpOlFoqN4TzXaJushBhdMsiKllOm9wzHFuxlU/hNbDfn00vdOTPYpHkUluQUE7NtNznpeTWpl5qYL+n4uIChxjeZRBmUgD9t8YU4t3UZNksD/',
type => 'ssh-rsa',
user => 'root'
}
ssh_authorized_key {'lundberg+9303C5DB':
type => 'ssh-rsa',
key => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDAHMfn9PSWjGGAkMY6rh1yffdYgnlhoIC5E5NWdc5XUlY9oNYW2zhMpyhepfoh1YYv5V1QNTuO3f0zhD+ZeqPvnnA74fBM4yvWU4Qttwv2drsFOsU7nRbGSwQdww9IDidtxRuAjW5HJ9mTOJuYrIFAEHgg1Pv8sZKzHNWuZiz4I34CN2NbaZOu4eYG6pdzvB6kfYl5iL/esfhBZfegA+7x4qXvMLHEKb7wCRBABCfWu6Yy1E0jUdRWBFdqp5zsjuQlk8minh892m2C1tFcyub5dCWgLYtiQRpIjz16lMk1cM+fgS9YM7Ev62bBpRynU2wCfg1QpYMpxIq54q/XLlYv',
ensure => present,
user => 'root',
name => 'lundberg+9303C5DB'
}
ssh_authorized_key {'lundberg+8D03C7D1':
type => 'ssh-rsa',
key => 'AAAAB3NzaC1yc2EAAAADAQABAAACAQDPjXvKEL2vAngTdVu3MguEE6gfPH2UigGDPgPV5SBYm0UZ/gZBbB0CuoQjkKEIpq3gzcbLH8kG/00r8hkeBeMa+tfWBDvUXk3wQRw5fKw5StBJFC3C04atJBGlusx6C8stgdmj5SwFhHN86uzVWpqbqJ9TKId18UABgq1hEBMRRVymSXE5zAJ6nCOh2PLtRI8GAkd+Lye0MMh2zEtOIFeHZDd1AiocaLfKBKDUlTSe1+suktyzgQsxJynLlwLA8BXmOZe0/LcE6Nint1beNq/DoKNySxdFN8ebGAC/F7w+JX7hB/DZH7aZevwdDp8cuchoFDUvu3uAXwH5eulXLt+VUJbn3MzFn/rSGqbfdYRlRhAOyo5qSJ3E6DO8WVKCLpwrUXjc4fQT7FwA7JPElunuU8jKxL/PiE5cJlt2cgC6v9qn3C47n0yc7c/078a+34w1mWf2Mp/lqBIJJnOUvKzisKmpEW/t3D1iAFr2z14omPDS9Vnoo1/FrAwGPYGKCeirBDe0FwNzMpC/wC1sglTU236/13zrUzyyQSJoXmn1MkS3aPOusqEYSo65tMoB5qOB7h2/lWLSQ7kHAMVtuMEoCGx/2Aa86EvuWYd1iMPelodEQlNIjCbKz9HX7c1b640FAvU8smefwfk52msqmKvHMbjm86WAPpXThhiN/eAuxQ==',
ensure => present,
user => 'root',
name => 'lundberg+8D03C7D1'
}
ssh_authorized_key {'salu+7B44FE7C':
ensure => present,
name => 'salu+7B44FE7C@sunet.se',
key => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDepp02t6/oNnO/qKJtB+U2yLWUa+dYo4ECsbX/DGOgr1MYzhtIbP18gUAX0PN9Hj40XdmY5EtAJZamMWCLi0EijanhOLDCzw5s0hzi/gYysmEReLRxhqq4ppjZhSj2HF09a6Rq1TTkndG9mYzTYTkdOyOqmdNcmIZRRvJD0BE1UBkERrURGhA+8YPnHoxEVUqdEDMFX7nHmNl4Q5brj7pNXaBv35PsVIlzDSfltgN7yENF6dv8Fu7nxjKZ+r9Anrb5rCEiBnOkNAbwEMfMvjRRehbY9Nvz1CEn0cP8SstbLYQfBQuCeJW3w9PygLN/a0asva0ttmVhprbnSeZtKmm3',
type => 'ssh-rsa',
user => 'root'
}
ssh_authorized_key {'dennis+3EE4E6C7':
ensure => present,
name => 'dennis+3EE4E6C7@nordu.net',
key => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQC314jSJ575zgXl2xzwzLRLwoNaP7eXN6NlWOPq47qmoUfR1uZPPbZhvKDmMMc4WQhNPzWDFkX29tcHJar0KXVYM0zNV/hkXlh3Z9suAVFJgzdQ+VW3GsNDffYt4GHM8gUtYxdiQKhA78rIIvcvjy/e0c87lQ0zwDQjruLRw2t1mP1roVsadGnRn4H2rHnlmYqsyJrd2L/MQeKxFh0t3zKu3Hp2mGoSFpFe/5uMaHE//ZOO3tVf3fBWX3p19f6sK6kqYsSR4vMAP08cWf32xFEeNHf4ljbanQ/NIo3iPybpzGXVsPpTHXylLS+vYzDf9mOcxovhsKnJrJ3gdkqEfQyd',
type => 'ssh-rsa',
user => 'root'
}
ssh_authorized_key {'patrik+soft':
ensure => present,
name => 'patrik@nordu.net',
key => 'AAAAB3NzaC1yc2EAAAABIwAAAQEAs0nFlZmXga5A789gFwmRVYREPNuaGvZBNAkN+fHpfzNfxSDQNlu1v4OWlU2QAs4XBMVIo5O14EuqqunSgFnX1gh9++AM1cQ8pBUeTi0l99MTl7qxc9MIHCyvHhbzra7o3MHEUuNQzbAjEUsuGV5/ymNJv4ysbncX+BiZplkydq2H/MuDQD8dzghfq6HUgf/BZDVxM3K4Ak8ll65PPPA6xnWJA4a2abgHvoBf40R6xF2dgOK3wq4xQRQSUWdw0olRSyXXZ68mt45m9fvwLnpY3xIFWEWJ6ZbEW+K8BsVT7zqbCBdpnfT8Rc2myz3cjgf7WpTHd8JXEcKk2BaEGD4y+w==',
type => 'ssh-rsa',
user => 'root'
}
ssh_authorized_key {'mikott+BEBCB9C0':
ensure => present,
name => 'mikott+BEBCB9C0@nordu.net',
key => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQC36l/Qxb+sByKKZwBOPLiqScqWg6Q9elraB4vj13MjkoGsNoCmzWDEcAE9hUVwnlprYnWNyaJZ3OliEawFJlRDF8MxgVN+jHYUCUhPoHCE4ChS9Y0EayLb+AQ2JbfI1KAADga161P+/P1ofALMnZHW2NpK1p+2eiE891c1sc+NfLCNySX/hcvkkP6zNrCmZxgFcqIBbYNNxDjU33G3StypFe/7YgmVvd/ZfY22fhWb4gm1fX/3HelxCU6FirDJHujhDm79btjR221emlqTMH3WQvgGBKhLGOoQTKTHEadBmPa16nxv01mTtHVH6tnqGrWXhSrn6WEw3qQSzKrBnHIV',
type => 'ssh-rsa',
user => 'root'
}
ssh_authorized_key {'john+B3337B77':
ensure => present,
name => 'john+B3337B77@nordu.net',
key => 'AAAAB3NzaC1yc2EAAAADAQABAAACAQCv+QT4hyxx7m89a+PkdBXAlBuNVoufNoNWpZ6uhDWSKYf7+Ic/M/R1tnsHpSihNAVnaDOLpmC8H1JWaKpuLHrvTolKwFi+imekqzUZ4ajUBuFIbieeHZMTdmv946fpOpB8FpWSFC/TQWyZwq3iVFfm8r/GYGIVSH8MtNBVmfRolH6aZgmZHl67xII59RI20nUm4gzs2yDfReUGRPB/nDWIJ1CuzvzVUFOeJTi3M31TNuxnqUHH0ol0t0bX6MOlDkPGRznOFbr2LhoxvuIIHkjZkZEvAYnQ6fmhExlqge5Trwud/jeZZUhdt7qx+FfgNaTdooUgbCVszgv9CK+rNOOrHD+qIi277j36loPcb0zymb6bnBmZPTo1RJNfaOVC/uuoSTKuFjNQ2UURsu5UepOhSRvLmA1fw+69n6tj0fwd627qxG0jmYmUmzW8U7mSypEXPKLDCbcR+hvWUDaYim1UAKi4ji5AGoOWBSsPuFLtfNYtmpBii+gaglGR6YrDDkQW7Pj/12asga9TrJSqGM1MMTLwuQal1+gtchF+9leKwVf5NOXDMw8SIG0xtqNDfWzk6BMEBcwl7wMObjEwmxxnuHzk8Q7922kvvsgK1VRiO20hmDtOxW2+oBk1yY1F072AjuuXNaZpBxD3c2Iug8GWK8R5pF9fIxAmeeLeFvQCSw==',
type => 'ssh-rsa',
user => 'root'
}
ssh_authorized_key {'el-sunet':
ensure => present,
name => 'el@sunet.se',
key => 'AAAAB3NzaC1yc2EAAAADAQABAAACAQC4BWg9cW5fmx8C7K0UN8zzp//NWDcZosrDBl7mEf3MGNBGwrX1orEWFjTWoUZivFoC1TUlEpRP92e3kB3oayMQQz6ZfvYh4ztZBmkDOPIOMykLVsQtvWbWJ1iQuvqCC/s9bVDJmkxkH/Mw/7OyN7Jyb0vPv6JGsSJmbEFkPpzsKUEuXUOFleN7oD59YQVbzDs0ukuAsc3FQ7GSv8q28p/GbFd0ZnfAMjBz2nVJcIkAM9q4OrR90P0gLsW8QqZyVl/uTs5/8iXlkYSe26T4uM697UnD8jFM4yyOTTlS5LHKo8pwNZjqYHdIhkSWscApRqfOVPSm3diQ1nNrm/x2Io4k9GnPmho67YacTA6EisTK4mwnEeCT3tVoHPSfLlGrKOGuug5MnQd5ds+7OlfRPHUua1/sgSiDGjIVQDyktqujrcaI1eK+pT4jmJa0c7HTGSB+dZwmswDsxry3JMdZ75iqYAJGFTIbmWAQAVnRJkzjmge+qIW7joM74I5LBfb20EOVU4rh35bFTsAsK1c/Z08Zut5IgNsg8DyVhVS2PSuvirR4/+OWYZpiO6R4M2nDgtRVPq/nl1iRsZEtiLP9xSyza8TSHm842MfPUbzWPV+JNGjA46QxGprI4OSoqAI//dfBFtpta130U/mvOJsF2xq0NYTyrGqx9qy7iJb8YolFsw==',
type => 'ssh-rsa',
user => 'root'
}
ssh_authorized_key {'jac+3438F957':
ensure => present,
name => 'jac+3438F957@nordu.net',
key => 'AAAAB3NzaC1yc2EAAAADAQABAAACAQC7cQCp8MJ4VX1UWb6PW4wnkQfbV8g4WB1vLO2MBUycjoXG3t9xXziy+VAxBmsMIFtpysddsU2Sz6d6Y3vlvXr9DHLvZ7Fqn2Cnyn3q+kDG677zPjGFV4DBZVnmH7dHpkTN1mYKfgV2vnKGwRJE651gwqbR0zkbQxRakLM5/Sh0bm9VtQw8iQvLrAOZGbUdSPx2u1p6XZjwkHGxRdEb06bhLDSr1DlXyVk8bfVVj5JXy+/o/6VbYQUlvotxlZnFr0k5Q84t7mkbaoQwE3gZQTBQLmxpguGKnIN9IiC1hmJGOXcMFpFvxsbJd+lg+DkM7Cl7OByPVTe+EflXctVacyg62s2WZbyH7SyUGNR3GUDQRjEXnDF4eKfk3pniMcTIRGt0eIo88hUV2Ep/EW6i06kTiPV5luAht8hVAayTfoNW+MQbKsLuRJEqEjMADZVY0PMYcLv0TWzjh6xkx/Y7Qth/DeBQYk24DqoOkLFB2HOwTN/qy5Xc0GJmu0pwiUXImSJto6Abh8S8nw95+TnFymybLfJCqm4buUGeJsG3Ej9Bo5KajW6/FDcaj4LlJV9Hq6kNdtXCFxe/DV+WpL1JEvuwyXfjBVoX9GpiquKvUiLJOpeT4Gmc7tsoAISrcZ2LOwq2JPSZUtOO5m+dd1OncGg7zMllTsjZnpebhczqODprZQ==',
type => 'ssh-rsa',
user => 'root'
}
ssh_authorized_key {'jbr+55F5842C@nordu.net':
ensure => present,
name => 'jbr+55F5842C@nordu.net',
key => 'AAAAB3NzaC1yc2EAAAADAQABAAACAQCb88AZ1OPH62tCbkY0Iqu4kS0iRD/HwiQU+UDoosWPMuaIrULz0FOGidEHdhGhoxiUOCj0Uu8B8PwC2sztprBqpgDm2F8lKRd86Pw1BgblnnFA6m3+N8LbVhm8ux93xLqW04TKrxfCQtVGYKdOvva4+7b1Xf3R7UsnJQJoJwW1TCiZaHSNK1e6t2iofXTInhKzh9OVdmczyczjxsJVg9EnNGSf6/B26vIJPDs0pS7t9gUZ4SN6fLdrCG+tLqx76Obvzi1TZ441ZVnRKEUF/+oWsUv7he6ZGO/b4XGVhfb/c8P9pmioet6rxo3EyEsw2978V85vJmg3DA+gqQQXj3Pa0PXn7lrY62niiIQvSm/4fCCcWPVaeTlAS0wc4r2hsVlgYQJjAXDSab2K5ZHWUux2bMZkdJKXK2wC8Q0hf9OTVCfeMgcF8HRU7PPni1vymuurLgS67Ny1ucrOwbWsWjqrOfnT03huRdOhhdik8cRX5qz6PleBiq5Jly/KcjsyahiNDE2uTLDn7+z59HaHd2qp1NDVWtxTDjP46LqGF4VYnPTOooVv+4EFF9AAjqJRVTr1WdJjWtG3R7aDnWqFKRI912stlOXRvblOvF5iJjQHCecPWcE06ZrkUSa91i2ylf16q82tdEv3Hj3hvh873aAE8YnMHAnkSbnE+7VjF9jsZQ==',
type => 'ssh-rsa',
user => 'root'
}
ssh_authorized_key {'markus+FA2CC191':
ensure => present,
name => 'markus+FA2CC191@nordu.net',
key => 'AAAAB3NzaC1yc2EAAAADAQABAAACAQDjBx/TbLSK9Ocf8Vefrddy62xH/gwPwT4/23xN8+ZEo7YG+0rKxFVRDFchnS9lMx+1UFubyZEui1CjRMwwFcFN/uOQ94oEPnFjyVZZ4jwXmmQu/xY1oiWg25h1WfwR9xTkOfe2CvPXjmtUwqYy+AO82YpXKpLTi/J7y3CVOxS2kRZzfe99CaB0nSzX7lSYmaq9KoThJ7VAsoyObJ2vcpuliIhNUsYL2RWHYdnSOdJoNftZkegN87so62fY7YcYWJkET9Rvydm9Qn1fDiUvGuMCitvS4OeWgJ97g3yAwdmhXExcQEzePxcx4LgR0DndzU/MqXYw2KqAVeRsjct2HFAqo0uL1jj8mb7tWYVpQTq8KNgUuA4o2wTvmKuNtWzhfb+J6TMCLrCXx9/3nH0NbO3JqUvxQxblnh3cZYIiphdIDxpXUGPXxVOtHjd2M0KaTrrhd+4ntnf0c9A0kcMCvSv/pEjy2saVpuNSjz13iO8Db7IOan4oC9ACheKAoDyBVLpmZFVMc4t2scLPqqeJjzwu/BozxPVQy8nhKdKznGmg3QGnPcrvNfGoO4huBPxlJZsLSmaPenImK4tHYDmFTjjQWSJ+gFkTlkJzDCqsDB/H+SZQEuAH/JIpzULApouVUi42dJq/MUN4SUvfuij7Zsx+jyWqOnxAkx0gpUnu8UsF5Q==',
type => 'ssh-rsa',
user => 'root'
}
ssh_authorized_key {'htj+key-from-ldap':
ensure => present,
name => 'htj+key-from-ldap@nordu.net',
key => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDeME6LuIRZzHh8f7wTBE1RRX8fX4DftnZambVOoGOzg5ujtVnmwBZiFFcumqRGs7o/iradUY0IB5K2tbooHJkTYh+B0sIR/5jOPJJZ+bS45bngcGq1vz++z1VSXlTGH13H8OFXHZPnjwvFzO5eauHnen4uKVKrN9A/lNhTfbjpiHRN1yfXuunlvar4Go6OLAm6tgWe93scdXiAdxd3LoZ/I91w7djfAi0SpMiTDbYchrtt9wC3l4U42wehcANU4EhEJfMrwcMcRXRSZ/3IejXp2I1PueQhiHjknAkVX/r4Y23RKT77B1OEbVXg8VizFVnHrhkGWW1JZzQWrvb/MruT',
type => 'ssh-rsa',
user => 'root'
}
ssh_authorized_key {'pettai+BD795A53':
ensure => present,
name => 'pettai+BD795A53@nordu.net',
key => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDcvRAnhdoty3OpQnC3zYEUQijkhlg9eiU7y6EVR/rdy+HID4aRZU57EuEB17wmoP6OliXZc02R5oHwoTT42cugUPgwPyxfgofwMRhl9zHUDumvnI9apiW6TMTz8F/zg26eLHhrB9k3tmviPhPV3PQKqEOvfKMwM47aEieGRcUTRLqOAJnrfoE+JRLtql/eaFFYKnVNtMscpNnBcvl77cAG3ciGqe4FLo21Sxo5WieoKElBswZzNKt+vQSZMI8yIA/DU1XGg6Yn5hhbqhgMJLhye3JXM9qSlzXo+T5SrBF8T8uZ3LpkPoA06T7k2DBjaj3iXueJVmoibdRG3t53YfE7',
type => 'ssh-rsa',
user => 'root'
}
ssh_authorized_key {'berra+DA7C099B':
ensure => present,
name => 'berra+DA7C099B@nordu.net',
key => 'AAAAB3NzaC1yc2EAAAADAQABAAACAQDoUEUPOtw5ZUBblnDlf03EfA8xmoOMVnoxV6nrAwPWsNOWCY39+OO5ckfv8B/n/i/JRIvokPp+YrPpOXi8fLkchiu5AFDBwN4cqS8NETLMwJhImfObIM6M1P9a4re4WuAZ4u2BQ2/Nin7WRewJfAfbvbSx6o5zRp95IotiQiXIH8LyYC7whDUjT7OKvESUwLRnK6wQ4kQRgxpgUbAZxAgPZxRzTL0jPKx5dW2pald5WWXcu9ki4uiPg5fDjHVwAJ3MFNzFfDUrJX0bKSln/ocAJFBuAKTCUHEMXo9arD6LBcj7JoXZP6ZiXlcIUG6hd93vAmL+1fxOWu3Adbtz31hxzfmTHGLwF5HyfBIpdygNBZILwICjKimocD0oevrNcJ0KmgBWnw6ZlZJjKIcxN77wEbmskQ19kj+nTHQIgDeocISfio3iJIKdAGsLo+L+d8x4vMoPgIhJUJf8vT2piTa532mumfH2buWt841Yq3fsP98AQJTPDdsXRUGkIVTIIRIqFN1thV9FaMX5wIErq3oEYNJNDhJ6g+5z6N3Zq4AivXzQnmUOeqIttP0jryO85BBGjAz6LIBTCnirKwdsKv7Bq3g3Y5QARUgL42DQ9ddMyMWud5OKrVSwhPf1tqeQEyhgctA0Ve007h9nfovKFhDyUA24HFfDHlIqIWxuOnk1sw==',
type => 'ssh-rsa',
user => 'root'
}
# OS hardening
if $::hostname =~ /kvm/ {
class {'bastion':
fstab_fix_shm => false,
sysctl_net_hardening => false,
}
} elsif $::hostname =~ /random/ { # pollen requires exec on /tmp
class {'bastion':
fixperms_enable => false,
fixperms_paranoia => false,
}
} else {
class {'bastion':
fstab_fix_shm => false,
fixperms_paranoia => true,
}
}
}
class nrpe {
require apt
class {'sunet::nagios': }
if ($::operatingsystem == 'Ubuntu' and $::operatingsystemrelease == '12.04') {
class {'apt::backports': }
}
package {'nagios-plugins-contrib': ensure => latest}
package {'nagios-plugins-extra': ensure => latest}
sunet::nagios::nrpe_command {'check_memory':
command_line => '/usr/lib/nagios/plugins/check_memory -w 10% -c 5%'
}
sunet::nagios::nrpe_command {'check_mem':
command_line => '/usr/lib/nagios/plugins/check_memory -w 10% -c 5%'
}
sunet::nagios::nrpe_command {'check_boot_15_5':
command_line => '/usr/lib/nagios/plugins/check_disk -w 15% -c 5% -p /boot'
}
sunet::nagios::nrpe_command {'check_entropy':
command_line => '/usr/lib/nagios/plugins/check_entropy'
}
sunet::nagios::nrpe_command {'check_ntp_time':
command_line => '/usr/lib/nagios/plugins/check_ntp_time -H localhost'
}
sunet::nagios::nrpe_command {'check_scriptherder':
command_line => '/usr/local/bin/scriptherder --mode check'
}
sunet::nagios::nrpe_command {'check_apt':
command_line => '/usr/lib/nagios/plugins/check_apt'
}
}
node 'monitor.sunet.se' {
$nrpe_clients = hiera_array('nrpe_clients',[]);
$allowed_hosts = join($nrpe_clients," ");
class { 'ubuntu_dockerhost': }
class { 'webserver': }
class { 'nagioscfg':
hostgroups => $::roles,
config => 'nunoc'
}
file { "/var/www/nagios_config":
ensure => directory,
owner => "www-data",
group => "www-data"
} ->
class {'nagioscfg::slack': domain => 'sunet.slack.com', token => safe_hiera('slack_token','') } ->
package { 'pynag': ensure => installed } ->
cron { "publish_nagios_config":
command => "/usr/bin/nagios-export.py > /var/www/nagios_config/export.cfg && chown -R www-data:www-data /var/www/nagios_config",
user => root,
minute => "*/5"
} ->
file { "/etc/apache2/conf-available/nagios_config.conf":
content => "Alias /nagios-config /var/www/nagios_config\n<Directory /var/www/nagios_config>\n\tDeny from all\n\tAllow from $allowed_hosts\n</Directory>",
} ->
exec { "enable-nagios-config-publish":
command => "a2enconf nagios_config",
refreshonly => true
}
class {'nagioscfg::passive': enable_notifications => '1'}
nagioscfg::slack::channel {'nagios': } ->
nagioscfg::contactgroup {'alerts': } ->
nagioscfg::contact {'slack-alerts':
host_notification_commands => ['notify-host-to-slack-nagios'],
service_notification_commands => ['notify-service-to-slack-nagios'],
contact_groups => ['alerts']
}
nagioscfg::slack::channel {'swamidops': } ->
nagioscfg::contactgroup {'swamid': } ->
nagioscfg::contact {'slack-swamid':
host_notification_commands => ['notify-host-to-slack-swamidops'],
service_notification_commands => ['notify-service-to-slack-swamidops'],
contact_groups => ['swamid']
}
nagioscfg::service {'service_ping':
hostgroup_name => ['all'],
description => 'PING',
check_command => 'check_ping!400.0,1%!500.0,2%',
contact_groups => ['alerts']
}
nagioscfg::service {'service_ssh':
hostgroup_name => ['all'],
description => 'SSH',
check_command => 'check_ssh_4_hostname',
contact_groups => ['alerts']
}
nagioscfg::service {'check_load':
hostgroup_name => ['nrpe'],
check_command => 'check_nrpe_1arg!check_load',
description => 'System Load',
contact_groups => ['alerts']
}
nagioscfg::service {'check_users':
hostgroup_name => ['nrpe'],
check_command => 'check_nrpe_1arg!check_users',
description => 'Active Users',
contact_groups => ['alerts']
}
nagioscfg::service {'check_zombie_procs':
hostgroup_name => ['nrpe'],
check_command => 'check_nrpe_1arg!check_zombie_procs',
description => 'Zombie Processes',
contact_groups => ['alerts']
}
nagioscfg::service {'check_total_procs':
hostgroup_name => ['nrpe'],
check_command => 'check_nrpe_1arg!check_total_procs_lax',
description => 'Total Processes',
contact_groups => ['alerts']
}
nagioscfg::service {'check_root':
hostgroup_name => ['nrpe'],
check_command => 'check_nrpe_1arg!check_root',
description => 'Root Disk',
contact_groups => ['alerts']
}
nagioscfg::service {'check_boot':
hostgroup_name => ['nrpe'],
check_command => 'check_nrpe_1arg!check_boot_15_5',
description => 'Boot Disk',
contact_groups => ['alerts']
}
nagioscfg::service {'check_var':
hostgroup_name => ['nrpe'],
check_command => 'check_nrpe_1arg!check_var',
description => 'Var Disk',
contact_groups => ['alerts']
}
nagioscfg::service {'check_uptime':
hostgroup_name => ['nrpe'],
check_command => 'check_nrpe_1arg!check_uptime',
description => 'Uptime',
contact_groups => ['alerts']
}
nagioscfg::service {'check_reboot':
hostgroup_name => ['nrpe'],
check_command => 'check_nrpe_1arg!check_reboot',
description => 'Reboot Needed',
contact_groups => ['alerts']
}
nagioscfg::service {'check_memory':
hostgroup_name => ['nrpe'],
check_command => 'check_nrpe_1arg!check_memory',
description => 'System Memory',
contact_groups => ['alerts']
}
nagioscfg::service {'check_entropy':
hostgroup_name => ['nrpe'],
check_command => 'check_nrpe_1arg!check_entropy',
description => 'System Entropy',
contact_groups => ['alerts']
}
nagioscfg::service {'check_ntp_time':
hostgroup_name => ['nrpe'],
check_command => 'check_nrpe_1arg!check_ntp_time',
description => 'System NTP Time',
contact_groups => ['alerts']
}
nagioscfg::service {'check_process_haveged':
hostgroup_name => ['entropyclient'],
check_command => 'check_nrpe_1arg!check_process_haveged',
description => 'haveged running',
contact_groups => ['alerts']
}
nagioscfg::service {'check_scriptherder':
hostgroup_name => ['nrpe'],
check_command => 'check_nrpe_1arg!check_scriptherder',
description => 'Scriptherder Status',
contact_groups => ['alerts']
}
nagioscfg::service {'etcd_cluster_health':
hostgroup_name => ['webcommon'],
check_command => 'check_nrpe_1arg!etcd_cluster_health',
description => 'etcd cluster health',
contact_groups => ['alerts']
}
nagioscfg::service {'swamid-2.0-2-age':
hostgroup_name => ['swamid_static_signer'],
check_command => 'check_nrpe_1arg!check_fileage_swamid-2.0-2',
description => 'swamid 2.0 2016 metadata age',
contact_groups => ['alerts']
}
nagioscfg::command {'check_ssl_cert_3':
command_line => "/usr/lib/nagios/plugins/check_ssl_cert -A -H '\$HOSTADDRESS\$' -c '\$ARG2\$' -w '\$ARG1\$' -p '\$ARG3\$'"
}
nagioscfg::service {'check_ssl_cert':
hostgroup_name => ['swamid_static_signer','swamid_pyff_signer','ds_legacy','swamid_sp_test','webfrontend','entropyserver','https_server'],
check_command => 'check_ssl_cert_3!30!14!443',
description => 'check https certificate validity on port 443',
contact_groups => ['alerts']
}
}

7
global/overlay/etc/puppet/puppet.conf
View file

@ -3,11 +3,14 @@ logdir=/var/log/puppet
vardir=/var/lib/puppet
ssldir=/var/lib/puppet/ssl
rundir=/var/run/puppet
factpath=$vardir/lib/facter
templatedir=$confdir/templates
# factpath is supposed to be colon-delimeted, but that does not appear to work
# (tested with 'strace -f facter --puppet something' - does not split on colon in Puppet 3.4.2).
factpath=/etc/puppet/facter
node_terminus = exec
external_nodes = /etc/puppet/cosmos_enc.py
basemodulepath = /etc/puppet/modules:/etc/puppet/cosmos-modules:/usr/share/puppet/modules
parser = future
disable_warnings = deprecations
[master]
# These are needed when the puppetmaster is run by passenger

12
global/post-tasks.d/015cosmos-trust
View file

@ -4,11 +4,19 @@ if [ -z "$COSMOS_KEYS" ]; then
COSMOS_KEYS=/etc/cosmos/keys
fi
# Install new keys discovered in the $COSMOS_KEYS directory
for k in $COSMOS_KEYS/*.pub; do
fp=`cosmos gpg --with-colons --with-fingerprint < $k| awk -F: '$1 == "pub" {print $5}'`
cosmos gpg --with-colons --fingerprint | grep -q ":$fp:" || cosmos gpg --import < $k
fp=`cosmos gpg --with-colons --with-fingerprint < $k | awk -F: '$1 == "pub" {print $5}'`
fp_in_db=`cosmos gpg --with-colons --fingerprint | grep ":$fp:"`
if [ "x`echo $fp_in_db | grep '^pub:e:'`" != "x" ]; then
echo "$0: Key expired, will re-import it from $k"
cosmos gpg --fingerprint $fp
fi
# The removal of any ^pub:e: entrys means to ignore expired keys - thereby importing them again.
echo $fp_in_db | grep -v "^pub:e:" | grep -q ":$fp:" || cosmos gpg --import < $k
done
# Delete keys no longer present in $COSMOS_KEYS directory
for fp in `cosmos gpg --with-colons --fingerprint | awk -F: '$1 == "pub" {print $5}'`; do
seen="no"
for k in $COSMOS_KEYS/*.pub; do

6
global/post-tasks.d/018packages
View file

@ -24,8 +24,8 @@ if [ -f $CONFIG ]; then
# First pass to clone any new modules, and update those marked for updating.
grep -E -v "^#" $CONFIG | (
while read module src update pattern; do
# We only support git:// urls atm
if [ "${src:0:6}" = "git://" ]; then
# We only support git:// urls and https:// urls atm
if [ "${src:0:6}" = "git://" -o "${src:0:8}" = "https://" ]; then
if [ ! -d $CACHE_DIR/scm/$module ]; then
git clone -q $src $CACHE_DIR/scm/$module
elif [ -d $CACHE_DIR/scm/$module/.git ]; then
@ -63,7 +63,7 @@ if [ -f $CONFIG ]; then
grep -E -v "^#" $CONFIG | (
while read module src update pattern; do
# We only support git:// urls atm
if [ "${src:0:6}" = "git://" ]; then
if [ "${src:0:6}" = "git://" -o "${src:0:8}" = "https://" ]; then
# Verify git tag
cd $CACHE_DIR/scm/$module
TAG=$(git tag -l "${pattern:-*}" | sort | tail -1)

4
global/post-tasks.d/020reports
View file

@ -1,4 +1,4 @@
#!/bin/sh
rm -f /var/run/facts.json
facter -p -y > /var/run/facts.yaml
#rm -f /var/run/facts.json
#facter -p -y > /var/run/facts.yaml

4
global/pre-tasks.d/020common-tools
View file

@ -5,10 +5,10 @@
set -e
stamp="$COSMOS_BASE/stamps/common-tools-v01.stamp"
stamp="$COSMOS_BASE/stamps/common-tools-v02.stamp"
if ! test -f $stamp; then
apt-get -y install vim traceroute tcpdump molly-guard less rsync git-core unattended-upgrades ntp
apt-get -y update && apt-get -y upgrade && apt-get -y install vim traceroute tcpdump molly-guard less rsync git-core unattended-upgrades ntp wget
update-alternatives --set editor /usr/bin/vim.basic
mkdir -p `dirname $stamp`

10
global/pre-tasks.d/030puppet
View file

@ -9,9 +9,13 @@ stamp="$COSMOS_BASE/stamps/puppet-tools-v01.stamp"
if ! test -f $stamp -a -f /usr/bin/puppet; then
codename=`lsb_release -c| awk '{print $2}'`
wget -c http://apt.puppetlabs.com/puppetlabs-release-${codename}.deb
dpkg -i puppetlabs-release-${codename}.deb
rm -f puppetlabs-release-${codename}.deb*
puppetdeb="$COSMOS_REPO/apt/puppetlabs-release-${codename}.deb"
if [ ! -f $puppetdeb ]; then
echo "$0: Puppet deb for release $codename not found in $COSMOS_REPO/apt/"
echo " Get it from https://apt.puppetlabs.com/ and put it in the Cosmos repo."
exit 1
fi
dpkg -i $puppetdeb
apt-get update
apt-get -y install puppet-common

7
global/pre-tasks.d/040hiera-gpg
View file

@ -14,8 +14,12 @@ if [ ! -f /usr/lib/ruby/vendor_ruby/gpgme.rb ]; then
apt-get -y install ruby-gpgme
fi
# this is useful to make the cmdline hiera tool work
if [ -f /etc/hiera/data/secrets.yaml.asc -a ! -f /etc/hiera/data/secrets.yaml.gpg ]; then
(cd /etc/hiera/data && ln -s secrets.yaml.asc secrets.yaml.gpg)
fi
if [ ! -s $GNUPGHOME/secring.gpg ]; then
if [ ! -s $GNUPGHOME/secring.gpg -a ! -s /etc/hiera/gpg/pubring.kbx ]; then
if [ "x$1" != "x--force" ]; then
echo ""
@ -44,6 +48,7 @@ Name-Comment: Hiera GPG key
Name-Email: root@`hostname --fqdn`
Expire-Date: 0
# Do a commit here, so that we can later print "done" :-)
%no-protection
%commit
%echo done
EOF

43
host-puppet-conf-test Executable file
View file

@ -0,0 +1,43 @@
#!/bin/bash
set +x
HOSTNAME=$1
PUPPET_ARGS=$2
if [ -z "$HOSTNAME" ]; then
echo "Usage: $0 fqdn"
exit 1
fi
if [ ! -d $host ]; then
echo "$0: No host-directory for '$HOSTNAME' found - execute in top-level cosmos dir"
exit 1
fi
PUPPET_ARGS=${PUPPET_ARGS-"--verbose"}
# Check if cosmos or puppet is already running on host
echo "Checking if puppet or cosmos is already running..."
ssh root@$HOSTNAME ps aux | grep -ve grep -e edit-secrets | egrep -q "cosmos|puppet"
if [ $? -eq 1 ]
then
echo "Copying files to host..."
rsync -av --exclude '*~' global/overlay/etc/puppet/cosmos-rules.yaml root@$HOSTNAME:/etc/puppet/cosmos-rules.yaml
rsync -av --exclude '*~' global/overlay/etc/puppet/manifests/cosmos-site.pp root@$HOSTNAME:/etc/puppet/manifests/cosmos-site.pp
rsync -av --exclude '*~' global/overlay/etc/puppet/cosmos-db.yaml root@$HOSTNAME:/etc/puppet/cosmos-db.yaml
# Test if the user has symlinked puppet-sunet correctly
# by first checking if the link exits and then whether
# or not the directory contains any files.
if [ -L global/overlay/etc/puppet/cosmos-modules/sunet ] && \
[ -n "$(ls -A global/overlay/etc/puppet/cosmos-modules/sunet/*)" ]
then
rsync -av --delete --exclude '*~' global/overlay/etc/puppet/cosmos-modules/sunet/* root@$HOSTNAME:/etc/puppet/cosmos-modules/sunet/.
fi
echo "Running puppet apply..."
ssh root@$HOSTNAME /usr/bin/puppet apply $PUPPET_ARGS /etc/puppet/manifests/cosmos-site.pp
else
echo "Cosmos or puppet already running. Exiting."
exit 1
fi