RubyGems - provizioning - Versions diffs - 0.1.2 → 0.4.0 - Mend

provizioning 0.1.2 → 0.4.0

Files changed (223) hide show

data/.gitignore +17 -0
data/Gemfile +4 -0
data/README.md +29 -0
data/Rakefile +2 -0
data/bootstrap/bootstrap.sh +71 -0
data/{lib/templates/sources.list → bootstrap/lucid.sources.list} +2 -1
data/bootstrap/natty.sources.list +14 -0
data/lib/provizioning/puppet.rb +94 -0
data/lib/provizioning/version.rb +3 -0
data/lib/provizioning.rb +1 -3
data/provizioning.gemspec +20 -0
data/puppet/classes/apache/centos.conf +978 -0
data/puppet/classes/apache/ssl.conf +75 -0
data/puppet/classes/apache.pp +152 -0
data/puppet/classes/apt.pp +5 -0
data/puppet/classes/base/ntp/ntpd-sysconfig +13 -0
data/puppet/classes/base.pp +79 -0
data/puppet/classes/freerange.pp +53 -0
data/puppet/classes/gemrc/gemrc +9 -0
data/puppet/classes/gemrc.pp +10 -0
data/puppet/classes/imagemagick.pp +19 -0
data/puppet/classes/iptables/load-iptables +3 -0
data/puppet/classes/iptables/post-iptables +2 -0
data/puppet/classes/iptables/pre-iptables +2 -0
data/puppet/classes/iptables.pp +59 -0
data/puppet/classes/logrotate/logrotate.erb +15 -0
data/puppet/classes/logrotate.pp +37 -0
data/puppet/classes/mongo/mongodb.conf +89 -0
data/puppet/classes/mongo.pp +86 -0
data/puppet/classes/monit/monit.conf +242 -0
data/puppet/classes/monit.pp +39 -0
data/puppet/classes/munin/plugins/passenger_memory_stats +123 -0
data/puppet/classes/munin/plugins/passenger_status +130 -0
data/puppet/classes/munin/plugins/rails_database_time +174 -0
data/puppet/classes/munin/plugins/rails_request_duration +173 -0
data/puppet/classes/munin/plugins/rails_request_error +169 -0
data/puppet/classes/munin/plugins/rails_requests +175 -0
data/puppet/classes/munin/plugins/rails_view_render_time +173 -0
data/puppet/classes/munin/rails-plugin-config +4 -0
data/puppet/classes/munin.pp +60 -0
data/puppet/classes/mysql/password.erb +1 -0
data/puppet/classes/mysql.pp +71 -0
data/puppet/classes/openswan/ipsec.conf +17 -0
data/puppet/classes/openswan/ipsec.secrets +1 -0
data/puppet/classes/openswan/patched_ipsec_initd_script +223 -0
data/puppet/classes/openswan/secret.erb +1 -0
data/puppet/classes/openswan.pp +71 -0
data/puppet/classes/post-flight.pp +17 -0
data/puppet/classes/postfix/main.cf +39 -0
data/puppet/classes/postfix.pp +16 -0
data/puppet/classes/rack/centos/passenger.load.erb +5 -0
data/puppet/classes/rack/ubuntu/passenger.conf.erb +6 -0
data/puppet/classes/rack.pp +66 -0
data/puppet/classes/redis/redis.conf.erb +187 -0
data/puppet/classes/redis.pp +20 -0
data/puppet/classes/sudo/sudoers +6 -0
data/puppet/classes/sudo.pp +24 -0
data/puppet/classes/syslogng/CentOS.cnf +61 -0
data/puppet/classes/syslogng/Ubuntu.cnf +347 -0
data/puppet/classes/syslogng.pp +146 -0
data/puppet/classes/xml.pp +23 -0
data/puppet/classes/yum.pp +6 -0
data/puppet/classes/zsh.pp +5 -0
data/puppet/modules/README +74 -0
data/puppet/modules/cron/README +4 -0
data/puppet/modules/cron/manifests/base.pp +26 -0
data/puppet/modules/cron/manifests/crontabs.pp +11 -0
data/puppet/modules/cron/manifests/init.pp +18 -0
data/puppet/modules/drupal/Modulefile +7 -0
data/puppet/modules/drupal/README +110 -0
data/puppet/modules/drupal/manifests/absent.pp +25 -0
data/puppet/modules/drupal/manifests/backup/absent.pp +23 -0
data/puppet/modules/drupal/manifests/backup.pp +49 -0
data/puppet/modules/drupal/manifests/conf.pp +23 -0
data/puppet/modules/drupal/manifests/debug.pp +26 -0
data/puppet/modules/drupal/manifests/disable.pp +22 -0
data/puppet/modules/drupal/manifests/disableboot.pp +13 -0
data/puppet/modules/drupal/manifests/drush.pp +20 -0
data/puppet/modules/drupal/manifests/example42/backup.pp +8 -0
data/puppet/modules/drupal/manifests/example42/monitor.pp +8 -0
data/puppet/modules/drupal/manifests/example42.pp +25 -0
data/puppet/modules/drupal/manifests/extra.pp +30 -0
data/puppet/modules/drupal/manifests/firewall/absent.pp +19 -0
data/puppet/modules/drupal/manifests/firewall.pp +24 -0
data/puppet/modules/drupal/manifests/init.pp +54 -0
data/puppet/modules/drupal/manifests/install.pp +20 -0
data/puppet/modules/drupal/manifests/module.pp +37 -0
data/puppet/modules/drupal/manifests/monitor/absent.pp +42 -0
data/puppet/modules/drupal/manifests/monitor.pp +77 -0
data/puppet/modules/drupal/manifests/package.pp +20 -0
data/puppet/modules/drupal/manifests/params.pp +277 -0
data/puppet/modules/drupal/manifests/site.pp +63 -0
data/puppet/modules/drupal/manifests/theme.pp +33 -0
data/puppet/modules/drupal/templates/variables_drupal.erb +62 -0
data/puppet/modules/drupal/tests/absent.pp +1 -0
data/puppet/modules/drupal/tests/backup.pp +1 -0
data/puppet/modules/drupal/tests/debug.pp +1 -0
data/puppet/modules/drupal/tests/disable.pp +1 -0
data/puppet/modules/drupal/tests/disableboot.pp +1 -0
data/puppet/modules/drupal/tests/firewall.pp +1 -0
data/puppet/modules/drupal/tests/init.pp +1 -0
data/puppet/modules/drupal/tests/monitor.pp +1 -0
data/puppet/modules/hosts/README +0 -0
data/puppet/modules/hosts/manifests/example42.pp +5 -0
data/puppet/modules/hosts/manifests/init.pp +16 -0
data/puppet/modules/hosts/templates/hosts.erb +11 -0
data/puppet/modules/iptables/README +4 -0
data/puppet/modules/iptables/files/iptables +19 -0
data/puppet/modules/iptables/manifests/disable.pp +15 -0
data/puppet/modules/iptables/manifests/init.pp +9 -0
data/puppet/modules/iptables/manifests/redhat.pp +24 -0
data/puppet/modules/mysql/Modulefile +7 -0
data/puppet/modules/mysql/README +56 -0
data/puppet/modules/mysql/manifests/absent.pp +12 -0
data/puppet/modules/mysql/manifests/backup/example42.pp +8 -0
data/puppet/modules/mysql/manifests/backup.pp +49 -0
data/puppet/modules/mysql/manifests/client.pp +18 -0
data/puppet/modules/mysql/manifests/conf.pp +23 -0
data/puppet/modules/mysql/manifests/debug.pp +25 -0
data/puppet/modules/mysql/manifests/disable.pp +13 -0
data/puppet/modules/mysql/manifests/disableboot.pp +13 -0
data/puppet/modules/mysql/manifests/example42.pp +25 -0
data/puppet/modules/mysql/manifests/firewall.pp +23 -0
data/puppet/modules/mysql/manifests/grant.pp +29 -0
data/puppet/modules/mysql/manifests/init.pp +67 -0
data/puppet/modules/mysql/manifests/monitor/example42.pp +8 -0
data/puppet/modules/mysql/manifests/monitor.pp +77 -0
data/puppet/modules/mysql/manifests/params.pp +240 -0
data/puppet/modules/mysql/manifests/query.pp +30 -0
data/puppet/modules/mysql/templates/grant.erb +6 -0
data/puppet/modules/mysql/templates/query.erb +5 -0
data/puppet/modules/mysql/templates/variables_mysql.erb +42 -0
data/puppet/modules/network/README +4 -0
data/puppet/modules/network/manifests/init.pp +13 -0
data/puppet/modules/nginx/manifests/fcgi.pp +87 -0
data/puppet/modules/nginx/manifests/init.pp +205 -0
data/puppet/modules/nginx/templates/fcgi_site.erb +38 -0
data/puppet/modules/nginx/templates/includes/fastcgi_params.erb +23 -0
data/puppet/modules/nginx/templates/nginx.conf.erb +31 -0
data/puppet/modules/passenger/manifests/init.pp +12 -0
data/puppet/modules/passenger/templates/myapp +39 -0
data/puppet/modules/php/README +26 -0
data/puppet/modules/php/manifests/init.pp +42 -0
data/puppet/modules/php/manifests/module.pp +22 -0
data/puppet/modules/php/manifests/pear/module.pp +21 -0
data/puppet/modules/php/manifests/pear.pp +20 -0
data/puppet/modules/php/manifests/pecl/config.pp +19 -0
data/puppet/modules/php/manifests/pecl/module.pp +44 -0
data/puppet/modules/php/manifests/pecl.pp +8 -0
data/puppet/modules/php/manifests/soap.pp +20 -0
data/puppet/modules/postgres/Copyright +13 -0
data/puppet/modules/postgres/manifests/database.pp +40 -0
data/puppet/modules/postgres/manifests/init.pp +25 -0
data/puppet/modules/postgres/manifests/role.pp +40 -0
data/puppet/modules/ruby/files/install-ruby-stow +43 -0
data/puppet/modules/ruby/manifests/init.pp +18 -0
data/puppet/modules/rvm/files/install-system-rvm +2 -0
data/puppet/modules/rvm/manifests/classes/dependencies.pp +24 -0
data/puppet/modules/rvm/manifests/classes/passenger.pp +166 -0
data/puppet/modules/rvm/manifests/classes/system.pp +33 -0
data/puppet/modules/rvm/manifests/definitions/system_user.pp +13 -0
data/puppet/modules/rvm/manifests/init.pp +2 -0
data/puppet/modules/rvm/templates/passenger-apache.conf.erb +9 -0
data/puppet/modules/ssh/README +4 -0
data/puppet/modules/ssh/manifests/auth.pp +39 -0
data/puppet/modules/ssh/manifests/auth.pp.good +340 -0
data/puppet/modules/ssh/manifests/eal4.pp +69 -0
data/puppet/modules/ssh/manifests/init.pp +74 -0
data/puppet/modules/stow/manifests/init.pp +5 -0
data/puppet/modules/sudo/files/sudoers +25 -0
data/puppet/modules/sudo/manifests/init.pp +1 -0
data/puppet/modules/sudo/manifests/install.pp +5 -0
data/puppet/modules/sudo/manifests/sudoers.pp +14 -0
data/puppet/modules/ufw/manifests/init.pp +12 -0
data/puppet/modules/users/README +28 -0
data/puppet/modules/users/manifests/adduser.pp +16 -0
data/puppet/modules/users/manifests/admin.pp +11 -0
data/puppet/modules/users/manifests/automount.pp +34 -0
data/puppet/modules/users/manifests/deluser.pp +8 -0
data/puppet/modules/users/manifests/example42.pp +16 -0
data/puppet/modules/users/manifests/init.pp +31 -0
data/puppet/modules/users/manifests/ldap.pp +114 -0
data/puppet/modules/users/manifests/params.pp +84 -0
data/puppet/modules/users/templates/ldap/ldap.conf.erb +13 -0
data/puppet/modules/users/templates/ldap/nsswitch.conf.erb +23 -0
data/puppet/modules/users/templates/ldap/openldap-ldap.conf.erb +8 -0
data/puppet/modules/webmin/manifests/init.pp +31 -0
data/puppet/roles/blank.pp +1 -0
data/puppet/site.pp +8 -0
metadata +235 -81
data/README +0 -3
data/bin/provizion +0 -52
data/lib/policies/chef-client.rb +0 -37
data/lib/policies/lamp.rb +0 -42
data/lib/policies/passenger.rb +0 -44
data/lib/recipes/apache.rb +0 -70
data/lib/recipes/apache_conf.rb +0 -3
data/lib/recipes/bundler.rb +0 -4
data/lib/recipes/chef_client.rb +0 -11
data/lib/recipes/curl.rb +0 -8
data/lib/recipes/essential.rb +0 -4
data/lib/recipes/git.rb +0 -15
data/lib/recipes/imagemagick.rb +0 -8
data/lib/recipes/mailserver.rb +0 -9
data/lib/recipes/memcached.rb +0 -16
data/lib/recipes/mysql.rb +0 -21
data/lib/recipes/nginx/init.d +0 -63
data/lib/recipes/nginx.rb +0 -25
data/lib/recipes/passenger.rb +0 -67
data/lib/recipes/php.rb +0 -8
data/lib/recipes/postgresql.rb +0 -21
data/lib/recipes/ruby_enterprise.rb +0 -24
data/lib/recipes/rvm.rb +0 -25
data/lib/recipes/sources.rb +0 -5
data/lib/recipes/subversion.rb +0 -8
data/lib/recipes/syslog.rb +0 -7
data/lib/recipes/ufw.rb +0 -12
data/lib/recipes/vim.rb +0 -8
data/lib/recipes/webmin.rb +0 -17
data/lib/templates/apache.conf.erb +0 -12
data/lib/templates/my.cnf +0 -132
data/lib/templates/passenger.conf +0 -11
data/lib/templates/passenger.load +0 -1

data/puppet/modules/rvm/manifests/classes/passenger.pp ADDED Viewed

@@ -0,0 +1,166 @@
+class rvm::ruby($ruby_version, $rvm_prefix) {
+    $binpath = "${rvm_prefix}bin/"
+    exec {
+        "rvm-install-ruby":
+            command => "${binpath}rvm install ${ruby_version}",
+            creates => "${rvm_prefix}rvm/rubies/${ruby_version}",
+            logoutput => 'on_failure',
+            timeout => "-1",
+            require => [Class["rvm::system"], Exec["system-rvm"]];
+    }
+}
+class rvm::passenger($ruby_version, $version, $rvm_prefix) {
+    $gempath = "${rvm_prefix}rvm/gems/${ruby_version}/gems"
+    $binpath = "${rvm_prefix}rvm/rubies/${ruby_version}/bin"
+    exec {
+        "passenger-gem":
+            command => "${rvm_prefix}rvm/rubies/${ruby_version}/bin/gem install passenger --no-ri --no-rdoc",
+            creates => "${binpath}/passenger",
+            require => Exec["rvm-install-ruby"];
+    }
+}
+class rvm::passenger::apache(
+    $ruby_version = 'ruby-1.9.2-p290',
+    $version = '3.0.8',
+    $rvm_prefix = '/usr/local/',
+    $mininstances = '1',
+    $maxpoolsize = '6',
+    $poolidletime = '300',
+    $maxinstancesperapp = '0',
+    $spawnmethod = 'smart-lv2'
+) {
+    # TODO: How can we get the gempath automatically using the ruby version
+    # Can we read the output of a command into a variable?
+    # e.g. $gempath = `usr/local/bin/rvm ${ruby_version} exec rvm gemdir`
+    $gempath = "${rvm_prefix}rvm/gems/${ruby_version}/gems"
+    $binpath = $rvm_prefix ? {
+        '/usr/local/' => '/usr/local/bin/',
+        default => "${rvm_prefix}rvm/bin/"
+    }
+    # TODO: How to inherit this from above?
+    class { 'rvm::ruby': ruby_version => $ruby_version, rvm_prefix => $rvm_prefix }
+    class { 'rvm::passenger': ruby_version => $ruby_version, version => $version, rvm_prefix => $rvm_prefix }
+    include apache
+    # Dependencies
+    if ! defined(Package['build-essential'])      { package { build-essential:      ensure => installed } }
+    if ! defined(Package['apache2-prefork-dev'])  { package { apache2-prefork-dev:  ensure => installed } }
+    if ! defined(Package['libapr1-dev'])          { package { libapr1-dev:          ensure => installed, alias => 'libapr-dev' } }
+    if ! defined(Package['libaprutil1-dev'])      { package { libaprutil1-dev:      ensure => installed, alias => 'libaprutil-dev' } }
+    if ! defined(Package['libcurl4-openssl-dev']) { package { libcurl4-openssl-dev: ensure => installed } }
+    exec {
+        'passenger-install-apache2-module':
+            command => "${binpath}rvm ${ruby_version} exec passenger-install-apache2-module -a",
+            creates => "${gempath}/passenger-${version}/ext/apache2/mod_passenger.so",
+            logoutput => 'on_failure',
+            require => [
+                Class['rvm::system'],
+                Exec['system-rvm'],
+                Exec['rvm-install-ruby'],
+                Exec['passenger-gem'],
+                Package[
+                    'apache2',
+                    'build-essential',
+                    'apache2-prefork-dev',
+                    'libapr-dev',
+                    'libaprutil-dev',
+                    'libcurl4-openssl-dev'
+                ]
+            ];
+    }
+    file {
+        '/etc/apache2/mods-available/passenger.load':
+            content => "LoadModule passenger_module ${gempath}/passenger-${version}/ext/apache2/mod_passenger.so",
+            ensure => file,
+            require => Exec['passenger-install-apache2-module'];
+        '/etc/apache2/mods-available/passenger.conf':
+            content => template('rvm/passenger-apache.conf.erb'),
+            ensure => file,
+            require => Exec['passenger-install-apache2-module'];
+        '/etc/apache2/mods-enabled/passenger.load':
+            ensure => 'link',
+            target => '../mods-available/passenger.load',
+            require => File['/etc/apache2/mods-available/passenger.load'];
+        '/etc/apache2/mods-enabled/passenger.conf':
+            ensure => 'link',
+            target => '../mods-available/passenger.conf',
+            require => File['/etc/apache2/mods-available/passenger.conf'];
+    }
+    # Add Apache restart hooks
+    File['/etc/apache2/mods-available/passenger.load'] ~> Service['apache']
+    File['/etc/apache2/mods-available/passenger.conf'] ~> Service['apache']
+    File['/etc/apache2/mods-enabled/passenger.load']   ~> Service['apache']
+    File['/etc/apache2/mods-enabled/passenger.conf']   ~> Service['apache']
+}
+class ruby::passenger::apache::disable {
+    file {
+        '/etc/apache2/mods-enabled/passenger.load':
+            ensure => 'absent';
+        '/etc/apache2/mods-enabled/passenger.conf':
+            ensure => 'absent';
+    }
+    # Add Apache restart hooks
+    if defined(Service['apache']) { File['/etc/apache2/mods-enabled/passenger.load']   ~> Service['apache'] }
+    if defined(Service['apache']) { File['/etc/apache2/mods-enabled/passenger.conf']   ~> Service['apache'] }
+}
+class rvm::passenger::nginx(
+    $ruby_version = 'ruby-1.9.2-p290',
+    $version = '3.0.8',
+    $rvm_prefix = '/usr/local/',
+    $mininstances = '1',
+    $maxpoolsize = '6',
+    $poolidletime = '300',
+    $maxinstancesperapp = '0',
+    $spawnmethod = 'smart-lv2'
+) {
+    # TODO: How can we get the gempath automatically using the ruby version
+    # Can we read the output of a command into a variable?
+    # e.g. $gempath = `usr/local/bin/rvm ${ruby_version} exec rvm gemdir`
+    $gempath = "${rvm_prefix}rvm/gems/${ruby_version}/gems"
+    $binpath = $rvm_prefix ? {
+        '/usr/local/' => '/usr/local/bin/',
+        default => "${rvm_prefix}rvm/bin/"
+    }
+    # TODO: How to inherit this from above?
+    class { 'rvm::ruby': ruby_version => $ruby_version, rvm_prefix => $rvm_prefix }
+    class { 'rvm::passenger': ruby_version => $ruby_version, version => $version, rvm_prefix => $rvm_prefix }
+    # Dependencies
+    if ! defined(Package['build-essential'])      { package { build-essential:      ensure => installed } }
+    if ! defined(Package['libcurl4-openssl-dev']) { package { libcurl4-openssl-dev: ensure => installed } }
+    exec {
+        'passenger-install-nginx-module':
+            command => "${binpath}rvm ${ruby_version} exec passenger-install-nginx-module --auto --auto-download",
+            creates => "${gempath}/passenger-${version}/ext/nginx/mod_passenger.so",
+            logoutput => 'on_failure',
+            require => [
+                Class['rvm::system'],
+                Exec['system-rvm'],
+                Exec['rvm-install-ruby'],
+                Exec['passenger-gem'],
+                Package[
+                    'build-essential',
+                    'libcurl4-openssl-dev'
+                ]
+            ];
+    }
+}

data/puppet/modules/rvm/manifests/classes/system.pp ADDED Viewed

@@ -0,0 +1,33 @@
+class rvm::system {
+  include rvm::dependencies
+  file {'install-system-rvm':
+    ensure => 'present',
+    path => '/root/install-system-rvm',
+    owner => 'root', group => 'root', mode => '0774',
+    source => 'puppet:///modules/rvm/install-system-rvm';
+  }
+  exec { 'system-rvm':
+    command => '/root/install-system-rvm',
+    require => [
+      File['install-system-rvm'],
+      Package['curl', 'git-core'],
+      Class['rvm::dependencies'],
+    ],
+    creates => '/usr/local/rvm';
+  }
+  exec { 'rvm-get-head':
+    command => '/usr/local/rvm/bin/rvm get head',
+    require => [
+      Exec['system-rvm'],
+      File['install-system-rvm'],
+      Package['curl', 'git-core'],
+      Class['rvm::dependencies'],
+    ],
+    creates => '/usr/local/bin/rvm';
+  }
+}

data/puppet/modules/rvm/manifests/definitions/system_user.pp ADDED Viewed

@@ -0,0 +1,13 @@
+define rvm::system_user () {
+    $username = $title
+    $group = $operatingsystem ? {
+        default => 'rvm',
+    }
+    exec { "/usr/sbin/usermod -a -G $group $username":
+        unless => "cat /etc/group | grep $group | grep $username",
+        require => [User[$username], Exec['system-rvm']];
+    }
+}

data/puppet/modules/rvm/manifests/init.pp ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ import "classes/*.pp"
2	+ import "definitions/*.pp"

data/puppet/modules/rvm/templates/passenger-apache.conf.erb ADDED Viewed

@@ -0,0 +1,9 @@
+<IfModule passenger_module>
+    PassengerRoot <%= gempath %>/passenger-<%= version %>
+    PassengerRuby <%= rvm_prefix %>rvm/wrappers/<%= ruby_version %>/ruby
+    PassengerMaxPoolSize <%= maxpoolsize %>
+    PassengerPoolIdleTime <%= poolidletime %>
+    PassengerMinInstances <%= mininstances %>
+    PassengerMaxInstancesPerApp <%= maxinstancesperapp %>
+    PassengerSpawnMethod <%= spawnmethod %>
+</IfModule>

data/puppet/modules/ssh/README ADDED Viewed

@@ -0,0 +1,4 @@
+# Lab42 Puppet Infrastructure #
+# PROVIDED 'AS IS'

data/puppet/modules/ssh/manifests/auth.pp ADDED Viewed

@@ -0,0 +1,39 @@
+# Fake null class
+class ssh::auth {
+define key ($ensure = "present", $filename = "", $force = false, $group = "puppet", $home = "", $keytype = "rsa", $length = 2048, $maxdays = "", $mindate = "", $options = "", $user = "") {
+}
+class keymaster {
+} # class keymaster
+define client ($ensure = "", $filename = "", $group = "", $home = "", $user = "") {
+} # define client
+define server ($ensure = "", $group = "", $home = "", $options = "", $user = "") {
+} # define server
+} # class ssh::auth
+define ssh_auth_key_master ($ensure, $force, $keytype, $length, $maxdays, $mindate) {
+} # define ssh_auth_key_master
+define ssh_auth_key_client ($ensure, $filename, $group, $home, $user) {
+} # define ssh_auth_key_client
+define ssh_auth_key_server ($ensure, $group, $home, $options, $user) {
+} # define ssh_auth_key_server
+define ssh_auth_key_namecheck ($parm, $value) {
+} # define namecheck

data/puppet/modules/ssh/manifests/auth.pp.good ADDED Viewed

@@ -0,0 +1,340 @@
+# This class has been written by Andrew E. Schulman
+# It has been imported in Example42 under the terms of GPL3
+#
+# =========
+# ssh::auth
+# =========
+#
+# The latest official release and documentation for ssh::auth can always
+# be found at http://reductivelabs.com/trac/puppet/wiki/Recipes/ModuleSSHAuth .
+#
+# Version:          0.3.2
+# Release date:     2009-12-29
+class ssh::auth {
+$keymaster_storage = "/var/lib/keys"
+Exec { path => "/usr/bin:/usr/sbin:/bin:/sbin" }
+Notify { withpath => false }
+##########################################################################
+# ssh::auth::key
+# Declare keys.  The approach here is just to define a bunch of
+# virtual resources, representing key files on the keymaster, client,
+# and server.  The virtual keys are then realized by
+# ssh::auth::{keymaster,client,server}, respectively.  The reason for
+# doing things that way is that it makes ssh::auth::key into a "one
+# stop shop" where users can declare their keys with all of their
+# parameters, whether those parameters apply to the keymaster, server,
+# or client.  The real work of creating, installing, and removing keys
+# is done in the private definitions called by the virtual resources:
+# ssh_auth_key_{master,server,client}.
+define key ($ensure = "present", $filename = "", $force = false, $group = "puppet", $home = "", $keytype = "rsa", $length = 2048, $maxdays = "", $mindate = "", $options = "", $user = "") {
+  ssh_auth_key_namecheck { "${title}-title": parm => "title", value => $title }
+  # apply defaults
+  $_filename = $filename ? { "" => "id_${keytype}", default => $filename }
+  $_length = $keytype ? { "rsa" => $length, "dsa" => 1024 }
+  $_user = $user ? {
+    ""      => regsubst($title, '^([^@]*)@?.*$', '\1'),
+    default => $user,
+  }
+  $_home = $home ? { "" => "/home/$_user",  default => $home }
+  ssh_auth_key_namecheck { "${title}-filename": parm => "filename", value => $_filename }
+  @ssh_auth_key_master { $title:
+    ensure  => $ensure,
+    force   => $force,
+    keytype => $keytype,
+    length  => $_length,
+    maxdays => $maxdays,
+    mindate => $mindate,
+  }
+  @ssh_auth_key_client { $title:
+    ensure   => $ensure,
+    filename => $_filename,
+    group    => $group,
+    home     => $_home,
+    user     => $_user,
+  }
+  @ssh_auth_key_server { $title:
+    ensure  => $ensure,
+    group   => $group,
+    home    => $_home,
+    options => $options,
+    user    => $_user,
+  }
+}
+##########################################################################
+# ssh::auth::keymaster
+#
+# Keymaster host:
+# Create key storage; create, regenerate, and remove key pairs
+class keymaster {
+  # Set up key storage
+  file { $ssh::auth::keymaster_storage:
+    ensure => directory,
+    owner  => puppet,
+    group  => puppet,
+    mode   => 644,
+  }
+  # Realize all virtual master keys
+  Ssh_auth_key_master <| |>
+} # class keymaster
+##########################################################################
+# ssh::auth::client
+#
+# Install generated key pairs onto clients
+define client ($ensure = "", $filename = "", $group = "", $home = "", $user = "") {
+  # Realize the virtual client keys.
+  # Override the defaults set in ssh::auth::key, as needed.
+  if $ensure   { Ssh_auth_key_client <| title == $title |> { ensure   => $ensure   } }
+  if $filename { Ssh_auth_key_client <| title == $title |> { filename => $filename } }
+  if $group    { Ssh_auth_key_client <| title == $title |> { group    => $group    } }
+  if $user { Ssh_auth_key_client <| title == $title |> { user => $user, home => "/home/$user" } }
+  if $home { Ssh_auth_key_client <| title == $title |> { home => $home } }
+  realize Ssh_auth_key_client[$title]
+} # define client
+##########################################################################
+# ssh::auth::server
+#
+# Install public keys onto clients
+define server ($ensure = "", $group = "", $home = "", $options = "", $user = "") {
+  # Realize the virtual server keys.
+  # Override the defaults set in ssh::auth::key, as needed.
+  if $ensure  { Ssh_auth_key_server <| title == $title |> { ensure  => $ensure  } }
+  if $group   { Ssh_auth_key_server <| title == $title |> { group   => $group   } }
+  if $options { Ssh_auth_key_server <| title == $title |> { options => $options } }
+  if $user { Ssh_auth_key_server <| title == $title |> { user => $user, home => "/home/$user" } }
+  if $home { Ssh_auth_key_server <| title == $title |> { home => $home } }
+  realize Ssh_auth_key_server[$title]
+} # define server
+} # class ssh::auth
+##########################################################################
+# ssh_auth_key_master
+#
+# Create/regenerate/remove a key pair on the keymaster.
+# This definition is private, i.e. it is not intended to be called directly by users.
+# ssh::auth::key calls it to create virtual keys, which are realized in ssh::auth::keymaster.
+define ssh_auth_key_master ($ensure, $force, $keytype, $length, $maxdays, $mindate) {
+  Exec { path => "/usr/bin:/usr/sbin:/bin:/sbin" }
+  File {
+    owner => puppet,
+    group => puppet,
+    mode  => 600,
+  }
+  $keydir = "${ssh::auth::keymaster_storage}/${title}"
+  $keyfile = "${keydir}/key"
+  file {
+    "$keydir":
+      ensure => directory,
+      mode   => 644;
+    "$keyfile":
+      ensure => $ensure;
+    "${keyfile}.pub":
+      ensure => $ensure,
+      mode   => 644;
+  }
+  if $ensure == "present" {
+    # Remove the existing key pair, if
+    # * $force is true, or
+    # * $maxdays or $mindate criteria aren't met, or
+    # * $keytype or $length have changed
+    $keycontent = file("${keyfile}.pub", "/dev/null")
+    if $keycontent {
+      if $force {
+        $reason = "force=true"
+      }
+      if !$reason and $mindate and generate("/usr/bin/find", $keyfile, "!", "-newermt", "${mindate}") {
+        $reason = "created before ${mindate}"
+      }
+      if !$reason and $maxdays and generate("/usr/bin/find", $keyfile, "-mtime", "+${maxdays}") {
+        $reason = "older than ${maxdays} days"
+      }
+      if !$reason and $keycontent =~ /^ssh-... [^ ]+ (...) (\d+)$/ {
+        if       $keytype != $1 { $reason = "keytype changed: $1 -> $keytype" }
+        else { if $length != $2 { $reason = "length changed: $2 -> $length" } }
+      }
+      if $reason {
+        exec { "Revoke previous key ${title}: ${reason}":
+          command => "rm $keyfile ${keyfile}.pub",
+          before  => Exec["Create key $title: $keytype, $length bits"],
+        }
+      }
+    }
+    # Create the key pair.
+    # We "repurpose" the comment field in public keys on the keymaster to
+    # store data about the key, i.e. $keytype and $length.  This avoids
+    # having to rerun ssh-keygen -l on every key at every run to determine
+    # the key length.
+    exec { "Create key $title: $keytype, $length bits":
+      command => "ssh-keygen -t ${keytype} -b ${length} -f ${keyfile} -C \"${keytype} ${length}\" -N \"\"",
+      user    => "puppet",
+      group   => "puppet",
+      creates => $keyfile,
+      require => File[$keydir],
+      before  => File[$keyfile, "${keyfile}.pub"],
+    }
+  } # if $ensure  == "present"
+} # define ssh_auth_key_master
+##########################################################################
+# ssh_auth_key_client
+#
+# Install a key pair into a user's account.
+# This definition is private, i.e. it is not intended to be called directly by users.
+define ssh_auth_key_client ($ensure, $filename, $group, $home, $user) {
+  File {
+    owner   => $user,
+    group   => $group,
+    mode    => 600,
+    require => User[$user],
+  }
+  $key_src_file = "${ssh::auth::keymaster_storage}/${title}/key" # on the keymaster
+  $key_tgt_file = "${home}/.ssh/${filename}" # on the client
+  $key_src_content_pub = file("${key_src_file}.pub", "/dev/null")
+  if $ensure == "absent" or $key_src_content_pub =~ /^(ssh-...) ([^ ]+)/ {
+    $keytype = $1
+    $modulus = $2
+    file {
+      $key_tgt_file:
+        ensure  => $ensure,
+        content => file($key_src_file, "/dev/null");
+      "${key_tgt_file}.pub":
+        ensure  => $ensure,
+        content => "$keytype $modulus $title\n",
+        mode    => 644;
+    }
+  } else {
+    notify { "Private key file $key_src_file for key $title not found on keymaster; skipping ensure => present": }
+  }
+} # define ssh_auth_key_client
+##########################################################################
+# ssh_auth_key_server
+#
+# Install a public key into a server user's authorized_keys(5) file.
+# This definition is private, i.e. it is not intended to be called directly by users.
+define ssh_auth_key_server ($ensure, $group, $home, $options, $user) {
+  # on the keymaster:
+  $key_src_dir = "${ssh::auth::keymaster_storage}/${title}"
+  $key_src_file = "${key_src_dir}/key.pub"
+  # on the server:
+  $key_tgt_file = "${home}/.ssh/authorized_keys"
+  File {
+    owner   => $user,
+    group   => $group,
+    require => User[$user],
+    mode    => 600,
+  }
+  Ssh_authorized_key {
+    user   => $user,
+    target => $key_tgt_file,
+  }
+  if $ensure == "absent" {
+    ssh_authorized_key { $title: ensure => "absent" }
+  }
+  else {
+    $key_src_content = file($key_src_file, "/dev/null")
+    if ! $key_src_content {
+      notify { "Public key file $key_src_file for key $title not found on keymaster; skipping ensure => present": }
+    } else { if $ensure == "present" and $key_src_content !~ /^(ssh-...) ([^ ]*)/ {
+      err("Can't parse public key file $key_src_file")
+      notify { "Can't parse public key file $key_src_file for key $title on the keymaster: skipping ensure => $ensure": }
+    } else {
+      $keytype = $1
+      $modulus = $2
+      ssh_authorized_key { $title:
+        ensure  => "present",
+        type    => $keytype,
+        key     => $modulus,
+        options => $options ? { "" => undef, default => $options },
+      }
+    }} # if ... else ... else
+  } # if ... else
+} # define ssh_auth_key_server
+##########################################################################
+# ssh_auth_key_namecheck
+#
+# Check a name (e.g. key title or filename) for the allowed form
+define ssh_auth_key_namecheck ($parm, $value) {
+  if $value !~ /^[A-Za-z0-9]/ {
+    fail("ssh::auth::key: $parm '$value' not allowed: must begin with a letter or digit")
+  }
+  if $value !~ /^[A-Za-z0-9_.:@-]+$/ {
+    fail("ssh::auth::key: $parm '$value' not allowed: may only contain the characters A-Za-z0-9_.:@-")
+  }
+} # define namecheck

data/puppet/modules/ssh/manifests/eal4.pp ADDED Viewed

@@ -0,0 +1,69 @@
+class ssh::eal4 {
+    # Cripto settings
+    ssh::config { Protocol:
+        value => "2",
+    }
+    ssh::config { Ciphers:
+        value => "3des-cbc",
+    }
+    # X11 forwarding (You MAY allow)
+    ssh::config { X11Forwarding:
+        value => "no",
+    }
+    # Login settings
+    ssh::config { UsePAM:
+        value => "yes",
+    }
+    ssh::config { PermitRootLogin:
+        value => "no",
+    }
+    ssh::config { PermitEmptyPasswords:
+        value => "no",
+    }
+    ssh::config { PasswordAuthentication:
+        value => "no",
+    }
+    ssh::config { ChallengeResponseAuthentication:
+        value => "yes",
+    }
+    # Disables other authentication methods (you MAY want to change some of these settings)
+    ssh::config { IgnoreRhosts:
+        value => "yes",
+    }
+    ssh::config { HostbasedAuthentication:
+        value => "no",
+    }
+    ssh::config { PubkeyAuthentication:
+        value => "no",
+    }
+    ssh::config { RhostsRSAAuthentication:
+        value => "no",
+    }
+    ssh::config { RSAAuthentication:
+        value => "no",
+    }
+    ssh::config { KerberosAuthentication:
+        value => "no",
+    }
+    ssh::config { GSSAPIAuthentication:
+        value => "no",
+    }
+}