// node.pp
node 'a.valid.hostname' {
    # Not referenced in this node body; presumably read by an included
    # class through dynamic scoping -- confirm before removing.
    $admin = [ "jbooth", "haggin", "hougland" ]
    include local

    samba::client { "dres-kennel":
        description => "DRES Fedora 10 Test VM";
    }

    localuser { "nhoyt":
        ensure => present;
    }

    # Raw Apache configuration appended to both listeners of the "test"
    # vhost (value is a placeholder in this listing).
    $faecustom = 'SNIP'

    apache::vhost { "test":
        host         => "a.valid.hostname",
        serveralias  => "a.valid.hostname",
        provider     => "ip",
        https        => true,
        group        => "a.group",
        http_custom  => $faecustom,
        https_custom => $faecustom;
    }

    package { [ "Django", "ocaml", "python-psycopg2", "python-docutils",
                "python-lxml", "emacs" ]:
        ensure => present;
    }

    # Both trees get the writable httpd script context; /services/test
    # itself comes from apache::vhost { "test": } via services::add.
    file { [ "/services/test/reports", "/services/test/sites" ]:
        ensure  => directory,
        seltype => "httpd_sys_script_rw_t",
        require => File["/services/test"];
    }
}
// apache module
# Base Apache installation: the httpd package, a running and enabled
# service, and removal of the stock welcome page. apache::ssl inherits
# from this class.
class apache {
    # "latest" upgrades httpd on every run that finds a newer package.
    package { "httpd":
        ensure => latest;
    }

    # Resource default: every File declared in this scope -- and, through
    # Puppet's dynamic scoping of defaults, in subclasses such as
    # apache::ssl -- waits for the httpd package unless it says otherwise.
    File { require => Package["httpd"] }

    service { "httpd":
        ensure     => running,
        enable     => true,
        hasstatus  => true,
        hasrestart => true,
        require    => Package["httpd"];
    }

    file { "/etc/httpd/conf.d/welcome.conf":
        ensure => absent;
    }
}
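# TLS support on top of class apache: the mod_ssl package and a managed
# ssl.conf served from the puppet fileserver.
class apache::ssl inherits apache {
    package { "mod_ssl":
        ensure  => latest,
        require => Package["httpd"];
    }

    # mod_ssl ships its own ssl.conf, so the package must be installed
    # before the managed copy is written or the two fight over the file.
    # httpd has to be restarted to pick up a changed ssl.conf; without the
    # notify the new settings only take effect on the next unrelated
    # restart.
    file { "/etc/httpd/conf.d/ssl.conf":
        ensure  => present,
        source  => "puppet://$servername/apache/ssl.conf",
        require => Package["mod_ssl"],
        notify  => Service["httpd"];
    }
}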
# Declare an Apache virtual host named $title, rooted at /services/$title.
# In order: the service tree (services::add), a sudo rule letting members
# of $group restart httpd, iptables openings for the enabled ports, then
# the vhost config, a convenience symlink, the document root with a
# placeholder index, and the log directory.
#
# Parameters:
#   $ensure        present|absent; forwarded to services::add and sudo::add
#                  and, through the File default below, to the file
#                  resources of this define.
#   $host          ServerName; required. Consumed by vhost-site.conf.erb
#                  (template not shown here).
#   $ip            Defaults to the $ipaddress fact. NOTE(review): the
#                  iptables resources below key on $ipaddress, not $ip, so
#                  an explicit ip does not change which address is opened;
#                  whether the template uses $ip could not be confirmed.
#   $provider      "named" (name-based) or "ip" (address-based); anything
#                  else fails compilation.
#   $http, $https  Enable the plain / TLS listener; at least one must be
#                  true. https pulls in apache::ssl.
#   $http_port, $https_port
#                  Listening ports; also used for the iptables openings.
#   $http_custom, $https_custom
#                  Raw config for the respective listener. Presumably
#                  inserted verbatim by the template, so only trusted
#                  manifest values belong here.
#   $serveradmin   ServerAdmin; "generate_in_template" is a sentinel the
#                  template is expected to handle.
#   $serveralias   ServerAlias, empty for none.
#   $owner, $group Ownership of the service tree and generated files.
#   $dirmode, $filemode
#                  Modes for the directories and files declared here.
#   $replace       When false (default), the generated vhost config and
#                  index.html are written once and not overwritten by
#                  later runs.
define apache::vhost (
$ensure = "present",
$host,
$ip = $ipaddress,
$provider = "named",
$http = true,
$http_port = "80",
$http_custom = "",
$https = false,
$https_port = "443",
$https_custom = "",
$serveradmin = "generate_in_template",
$serveralias = "",
$owner = "apache",
$group = "apache",
$dirmode = "2775",
$filemode = "664",
$replace = false
) {
# Guard rails: a vhost must expose at least one listener, and the
# provider must be one of the two values the template knows about.
if ($http == false) and ($https == false) {
fail("apache::vhost: what's the point in a vhost with no http or https access?")
}
if ($provider != "named") and ($provider != "ip") {
fail("apache::vhost: provider $provider unknown!")
}
include apache
include services
# Service tree under /services/$title (services::add is not shown here);
# lib_seltype is forwarded as-is.
services::add {
"$title":
owner => $owner, group => $group, mode => $dirmode,
lib_seltype => "httpd_sys_content_rw_t",
ensure => $ensure;
}
if ($https == true) {
include apache::ssl
}
include sudo
# Every member of $group may restart httpd via sudo.
# NOTE(review): runas_user "ALL" is broader than a service restart needs;
# "root" would be the least-privilege grant -- confirm sudo::add accepts it.
sudo::add {
"vhost-$title":
who => "%$group",
host => "ALL",
command => "/sbin/service httpd restart",
runas_user => "ALL",
ensure => $ensure;
}
include iptables
# Firewall openings keyed on the host's primary address and the port, so
# several vhosts sharing a port declare the rule once. defined() only sees
# resources evaluated earlier; the same title declared elsewhere later in
# the compile would still clash.
# NOTE(review): iptables::add has no ensure parameter; whether the opening
# disappears on ensure => absent hinges on the File default below reaching
# concat_file_chunk's fragment through dynamic scoping -- fragile, confirm.
if ($http == true) and !defined(Iptables::Add["apache $ipaddress $http_port"]) {
iptables::add {
"apache $ipaddress $http_port":
port => $http_port;
}
}
if ($https == true) and !defined(Iptables::Add["apache $ipaddress $https_port"]) {
iptables::add {
"apache $ipaddress $https_port":
port => $https_port;
}
}
# Paths; $configroot/vhost-$title.conf is the real config, $configfile a
# symlink to it inside the service tree.
$configroot = "/etc/httpd/conf.d"
$configfile = "/services/$title/vhost.conf"
$documentroot = "/services/$title/html"
$logroot = "/services/$title/logs"
# Resource default for every File in this scope. Puppet applies resource
# defaults dynamically, so they also reach file resources inside defines
# declared from this scope (services::add, sudo::add, iptables::add ->
# concat_file_chunk) wherever those leave owner/group/ensure/require unset.
# NOTE(review): check that sudo::add and services::add set owner/group
# explicitly; a sudoers fragment falling back to $owner:$group would be
# controlled by the web-server account and rejected by sudo.
File {
owner => $owner, group => $group, require => Package["httpd"],
ensure => $ensure,
}
file {
# The real vhost config; httpd restarts when it changes. With replace
# false it is written only once, so later template changes need a
# manual step.
"$configroot/vhost-$title.conf":
content => template("apache/vhost-site.conf.erb"),
seltype => "httpd_config_t", replace => $replace,
notify => Service["httpd"];
# ensure set to a path makes this a symlink to the config above.
"$configfile":
require => File["/services/$title"],
seltype => "httpd_config_t",
ensure => $ensure ? {
absent => "absent",
default => "$configroot/vhost-$title.conf"
};
"$documentroot":
require => File["/services/$title"], seltype => "httpd_sys_content_t",
mode => $dirmode, ensure => $ensure ? {
absent => "absent",
default => "directory"
};
# Placeholder page, written once (replace false) so site content wins.
"$documentroot/index.html":
require => File["$documentroot"], seltype => "httpd_sys_content_t",
mode => $filemode, replace => $replace,
content => template("apache/index.html.erb");
"$logroot":
require => File["/services/$title"], seltype => "httpd_log_t",
mode => $dirmode, ensure => $ensure ? {
absent => "absent",
default => "directory"
};
}
}
// iptables module
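# Firewall rules assembled from fragments: the header and footer live
# here, individual openings are added with iptables::add.
class iptables {
    package { "iptables":
        ensure => present;
    }

    # A service has no implicit dependency on its package; order it
    # explicitly so a fresh host does not try to start iptables before
    # the package is installed.
    service { "iptables":
        ensure    => running,
        enable    => true,
        hasstatus => true,
        require   => Package["iptables"];
    }

    # Assembled rule file, readable by root only. It is rebuilt from the
    # /tmp/puppet fragments on every run (see concat_file) and the service
    # is refreshed whenever the result changes.
    concat_file { "/etc/sysconfig/iptables":
        mode   => 0400,
        notify => Service["iptables"];
    }

    # Fragments are joined in lexical order of their two-digit priority;
    # iptables::add fragments use the default "50" and land in between.
    concat_file_chunk {
        "iptables-header":
            file     => "/etc/sysconfig/iptables",
            priority => "00",
            content  => template("iptables/iptables-header.erb");
        "iptables-footer":
            file     => "/etc/sysconfig/iptables",
            priority => "99",
            content  => template("iptables/iptables-footer.erb");
    }
}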
# Open one port in the assembled /etc/sysconfig/iptables.
# $title must be unique per rule: it names the fragment file.
# $port is handed to iptables-rule.erb unchecked (template not shown;
# presumably it reads port and title), so callers own its validation.
define iptables::add ($port) {
    # Brings in the target concat_file plus the header/footer fragments.
    include iptables

    concat_file_chunk { "iptables-$title":
        file     => "/etc/sysconfig/iptables",
        priority => "50",
        content  => template("iptables/iptables-rule.erb");
    }
}
// concat module ("custom")
# Scratch area for concat_file: fragments are written under /tmp/puppet,
# concatenated, copied into place, and the whole tree is removed at the
# end of the run.
class custom {
    # NOTE(review): /tmp is shared and world-writable, so this staging
    # tree can be pre-created by another local user before Puppet sets
    # its owner and mode. A root-owned location outside /tmp would be
    # safer; the path is also hard-coded in mkdir, concat_file and
    # concat_file_chunk, so all four would have to change together.
    file { "/tmp/puppet":
        ensure => directory,
        owner  => root,
        group  => root,
        mode   => 700;
    }

    # Runs on every agent run (no refreshonly). concat_file orders its
    # final copy before this exec, so the staged files still exist when
    # they are read.
    exec { "cleanup /tmp/puppet":
        command => "rm -rf puppet",
        cwd     => "/tmp",
        path    => "/bin/",
        require => File["/tmp/puppet"];
    }
}
# Create directory $name and, recursively, its parents, all root:root.
# The parent path comes from custom/mkdir.erb (not shown here; presumably
# the dirname of $name). Recursion stops at /tmp/puppet, which class
# custom manages itself, and at any parent already declared -- note that
# defined() only sees resources evaluated earlier in the compile.
# $ensure is only forwarded to the parent; this directory is always
# ensured to exist.
define mkdir ($ensure = present) {
    $parent = template("custom/mkdir.erb")

    if $parent != "/tmp/puppet" and !defined(Mkdir[$parent]) {
        mkdir { $parent:
            ensure => $ensure;
        }
    }

    # Mode 400 on a directory: nobody but root can list or traverse it.
    file { $name:
        ensure  => directory,
        owner   => root,
        group   => root,
        mode    => 400,
        require => File[$parent];
    }
}
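# Build $name (expected to be an absolute path, e.g. /etc/sysconfig/iptables)
# by concatenating the fragments declared with concat_file_chunk.
# Fragments are staged under /tmp/puppet/<name>.d, joined in lexical order
# (hence the zero-padded priorities), copied into place, and the staging
# tree is removed by class custom at the end of the run.
#
# $ensure/$owner/$group/$mode apply to the final file only; everything
# staged is root-owned, mode 400.
define concat_file (
    $ensure = present,
    $mode = 0644, $owner = root, $group = root
) {
    include custom

    $file   = "/tmp/puppet/${name}"
    $dir    = "/tmp/puppet/${name}.d"
    # From custom/mkdir.erb (not shown; presumably the parent of $name).
    # Only used as the working directory of the exec.
    $parent = template("custom/mkdir.erb")

    mkdir { $dir:
        ensure => present;
    }

    # Guarantees the glob below matches at least one file; being empty it
    # contributes nothing to the output.
    file { "${dir}/__nonempty__":
        ensure  => present,
        content => '',
        owner   => root,
        group   => root,
        mode    => 400,
        require => File[$dir];
    }

    # Paths are single-quoted for the shell so a title containing
    # whitespace or glob characters cannot split or expand the command;
    # ">|" overrides any noclobber setting.
    exec { "concat_file_${title}":
        command => "cat '${dir}'/* >| '${file}'",
        path    => [ "/bin", "/usr/bin" ],
        cwd     => $parent,
        require => File["${dir}/__nonempty__"];
    }

    # Final copy, read from the staged file; must happen before class
    # custom wipes the staging tree.
    file { $name:
        ensure  => $ensure,
        owner   => $owner,
        group   => $group,
        mode    => $mode,
        source  => $file,
        require => Exec["concat_file_${title}"],
        before  => Exec["cleanup /tmp/puppet"];
    }
}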
# One fragment of a concat_file target. $file is the title of that
# concat_file (the destination path); $priority orders fragments
# lexically, so keep it two digits, zero-padded ("00".."99").
# The fragment is root-owned and readable by root only; its ensure is left
# to the resource default of whatever scope declares this define.
define concat_file_chunk (
    $file,
    $priority = "50",
    $content = ""
) {
    $fragment = "/tmp/puppet/${file}.d/${priority}-${title}"

    file { $fragment:
        content => $content,
        owner   => root,
        group   => root,
        mode    => 400,
        before  => Exec["concat_file_${file}"],
        require => File["/tmp/puppet/${file}.d"];
    }
}