provizioning 0.1.2 → 0.4.0

data/puppet/classes/munin/plugins/rails_view_render_time

@@ -0,0 +1,173 @@
+#!/usr/bin/env ruby
+pod=<<-POD
+
+=head1 NAME
+rails_view_render_time - Munin plugin to monitor the minimum, average and maximum view render times.
+
+=head1 APPLICABLE SYSTEMS
+All systems that have a rails application log.
+
+=head1 CONFIGURATION
+The request-log-analyzer gem has to be intalled.
+Also the script has to be able to access the rails log file and tail.
+This configuration section shows the defaults of the plugin:
+
+  [rails_view_render_time]
+  env.log_file '/path/to/production.log'
+  user www-data
+  command /usr/local/bin/ruby %c
+  
+Options
+  env.lines 50000                             # Number of lines to tail
+  env.interval 300                            # Munin interval in seconds (used for graphs and caching)
+  env.request_log_analyzer '/usr/local/bin'   # Path to gem. Use this for Debian.
+  env.graph_category 'App'                    # Graph Category. Defaults to App.
+
+ln -s /usr/share/munin/plugins/rails_view_render_time /etc/munin/plugins/rails_view_render_time
+
+=head1 INTERPRETATION
+Three lines are graphed, showing the minimum, average and maximum view render times.
+
+=head1 MAGIC MARKERS
+  #%# family=auto
+  #%# capabilities=autoconf
+
+=head1 VERSION
+1.5
+
+=head1 BUGS
+None known
+
+=head1 AUTHOR
+Bart ten Brinke - railsdoctors.com
+
+=head1 LICENSE
+MIT
+
+POD
+
+# Globals
+GRAPH_CATEGORY  = ENV['graph_category'] || 'App'
+INTERVAL        = ENV['interval'] ? ENV['interval'].to_i : 300
+NUMBER_OF_LINES = ENV['lines'] || 50000
+LOG_FILE        = ENV['log_file']
+AFTER_TIME      = (Time.now - INTERVAL).strftime('%Y%m%d%H%M%S')
+FLOOR_TIME      = Time.at((Time.now.to_f / INTERVAL).floor * INTERVAL)
+
+TEMP_FOLDER     = '/tmp'
+TEMP_PREFIX     = GRAPH_CATEGORY == 'App' ? 'rla' : GRAPH_CATEGORY.downcase
+TEMP_FILE       = "#{TEMP_PREFIX}_#{FLOOR_TIME.to_i}.yml"
+REQUEST_LOG_ANALYZER = ENV['request_log_analyzer'] || '/usr/bin/request-log-analyzer'
+
+# Check if we can run this plugin on this system
+def autoconf
+  begin
+    require 'rubygems'
+    gem "request-log-analyzer", ">=1.1.6"
+    require "yaml"
+  rescue Exception => e
+    puts "no (Gem not found: #{e})"
+    exit 1
+  end
+
+  unless `echo "test" | tail 2>/dev/null`.include?("test")
+    puts "no (tail command not found)"
+    exit 1
+  end
+  
+  puts "yes"
+  exit 0
+end
+
+# Uptput the config
+def config
+  puts <<-CONFIG
+graph_category #{GRAPH_CATEGORY}
+graph_title View render times
+graph_vlabel Seconds
+graph_args --base 1000 -l 0
+graph_info The minimum, maximum and average view render times - railsdoctors.com
+ 
+min.label min
+max.label max
+average.label avg
+CONFIG
+  exit 0
+end
+
+# Fetch or create yaml cache file using request-log-analyzer
+def fetch_or_create_yaml_file(log_file, debug = false)
+  # Clean up any old temp files left in de temp folder
+  Dir.new(TEMP_FOLDER).entries.each do |file_name|
+    if match = file_name.match(/^#{TEMP_PREFIX}_.*\.yml/)
+      if match[0] != TEMP_FILE
+        puts "Removing old cache file: #{file_name}" if debug
+        File.delete(TEMP_FOLDER + "/" + file_name) 
+      end
+    end
+  end
+  
+  temp_file = TEMP_FOLDER + "/" + TEMP_FILE
+  
+  # Create temp file rla if needed
+  unless File.exists?(temp_file)
+    puts "Processing the last #{NUMBER_OF_LINES} lines of #{log_file} which are less then #{INTERVAL} seconds old." if debug    
+    p "tail -n #{NUMBER_OF_LINES} #{log_file} | #{REQUEST_LOG_ANALYZER} - --format rails3 --after #{AFTER_TIME} -b --dump #{temp_file} 2>/dev/null"
+    status = `tail -n #{NUMBER_OF_LINES} #{log_file} | #{REQUEST_LOG_ANALYZER} - --format rails3 --after #{AFTER_TIME} -b --dump #{temp_file} 2>/dev/null`
+
+    unless $?.success?
+      $stderr.puts "failed executing request-log-analyzer. Is the path to the binary correct?"
+      exit 1
+    end
+  else
+    puts "Processing cached YAML result #{temp_file}" if debug      
+  end
+  
+  return temp_file
+end
+
+# Gather information
+def run(log_file, debug = false)
+
+  if log_file == "" || log_file.nil?
+    $stderr.puts "Filepath unspecified. Exiting"
+    exit 1  
+  end
+
+  # Initialize values
+  max_value = 0
+  min_value = 1.0/0.0
+  cumulative = 0
+  hits = 0
+  
+  # Walk through the
+  require "yaml"
+  rla = YAML::load_file( fetch_or_create_yaml_file(log_file, debug) )
+
+  if rla && rla["View rendering time"]  
+    rla["View rendering time"].each do |item|
+      max_value = item[1][:max] if item[1][:max] > max_value
+      min_value = item[1][:min] if item[1][:min] < min_value
+      hits += item[1][:hits]
+      cumulative += item[1][:sum]
+    end
+  else
+    hits = 1
+    min_value = 0
+  end
+  
+  puts "max.value #{max_value}"
+  puts "min.value #{min_value}"
+  puts "average.value #{cumulative / hits.to_f}"
+end
+
+# Main
+if ARGV[0] == "config"
+  config
+elsif ARGV[0] == "autoconf"
+  autoconf
+elsif ARGV[0] == "debug"
+  run(LOG_FILE || ARGV[1], true)
+else
+  run(LOG_FILE || ARGV[0])
+end

data/puppet/classes/munin/rails-plugin-config

@@ -0,0 +1,4 @@
+env.log_file '<%= log %>'
+env.request_log_analyzer '/usr/local/bin/request-log-analyzer'
+user application
+command /usr/local/bin/ruby %c

data/puppet/classes/munin.pp

@@ -0,0 +1,60 @@
+class munin {
+  package {"munin":
+    ensure => present
+  }
+
+  package {"munin-node":
+    ensure => present,
+    require => Package["munin"]
+  }
+
+  service {"munin-node":
+    require => Package["munin-node"],
+    ensure => running,
+    enable => true
+  }
+
+  package {"request-log-analyzer":
+    ensure => present,
+    provider => gem
+  }
+
+  define rails($log) {
+    munin::plugin {"$name-rails-requests":
+      config => template("munin/rails-plugin-config"),
+      content => template("munin/plugins/rails_requests")
+    }
+
+    munin::plugin {"$name-rails-request-duration":
+      config => template("munin/rails-plugin-config"),
+      content => template("munin/plugins/rails_request_duration")
+    }
+
+    munin::plugin {"$name-rails-request-error":
+      config => template("munin/rails-plugin-config"),
+      content => template("munin/plugins/rails_request_error")
+    }
+
+    munin::plugin {"$name-rails-view-render-time":
+      config => template("munin/rails-plugin-config"),
+      content => template("munin/plugins/rails_view_render_time")
+    }
+  }
+
+  define plugin($config, $content) {
+    include munin
+
+    file {"/etc/munin/plugins/$name":
+      content => $content,
+      mode => 777,
+      require => Package["munin-node"],
+      notify => Service["munin-node"]
+    }
+
+    file {"/etc/munin/plugin-conf.d/$name":
+      content => "[$name]\n$config",
+      require => Package["munin-node"],
+      notify => Service["munin-node"]
+    }
+  }
+}

data/puppet/classes/mysql/password.erb

@@ -0,0 +1 @@
+<%= 16.times.collect{('a'..'z').to_a[rand(26)]}.join %>

data/puppet/classes/mysql.pp

@@ -0,0 +1,71 @@
+class mysql {
+
+  class client {
+    $package_name = $operatingsystem ? {
+      centos => mysql,
+      default => mysql-client
+    }
+
+    $development_package_name = $operatingsystem ? {
+      centos => mysql-devel,
+      default => libmysqlclient-dev
+    }
+
+    package { $package_name:
+      ensure => present
+    }
+
+    package { $development_package_name:
+      ensure => present
+    }
+  }
+
+  class server {
+    include mysql::client
+
+    $mysql_password = template("mysql/password.erb")
+
+    package {"mysql-server":
+      ensure => present
+    }
+
+    $service_name =  $operatingsystem ? {
+      centos => mysqld,
+      default => mysql
+    }
+
+    service {$service_name:
+      require => Package["mysql-server"],
+      ensure => running,
+      alias => mysql-server,
+      enable => true
+    }
+
+    exec { "Initialize MySQL server root password":
+      unless      => "/usr/bin/test -f /root/.my.cnf",
+      command     => "/usr/bin/mysqladmin -uroot password ${mysql_password}",
+      notify      => File["/root/.my.cnf"],
+      require     => [Package["mysql-server"], Service[mysql-server]]
+    }
+
+    file { "/root/.my.cnf":
+      content => "[mysql]\nuser=root\npassword=${mysql_password}\n[mysqladmin]\nuser=root\npassword=${mysql_password}\n[mysqldump]\nuser=root\npassword=${mysql_password}\n[mysqlshow]\nuser=root\npassword=${mysql_password}\n",
+      mode => 600,
+      replace => false
+    }
+
+    define db( $user, $password ) {
+      exec { "create-${name}-db":
+        unless => "/usr/bin/mysql -uroot ${name}",
+        command => "/usr/bin/mysql -uroot -e \"create database ${name};\"",
+        require => Service[mysql-server],
+      }
+
+      exec { "grant-${name}-db":
+        unless => "/usr/bin/mysql -u${user} -p${password} ${name}",
+        command => "/usr/bin/mysql -uroot -e \"grant all on ${name}.* to ${user}@localhost identified by '$password';\"",
+        require => [Service[mysql-server], Exec["create-${name}-db"]]
+      }
+    }
+  }
+}

data/puppet/classes/openswan/ipsec.conf

@@ -0,0 +1,17 @@
+# /etc/ipsec.conf - Openswan IPsec configuration file
+#
+# Manual:     ipsec.conf.5
+#
+# Please place your own config files in /etc/ipsec.d/ ending in .conf
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+# basic configuration
+config setup
+  plutodebug="control parsing"
+  oe=no
+  protostack=auto
+  interfaces=%defaultroute
+
+include /etc/ipsec.d/*.conf
+

data/puppet/classes/openswan/ipsec.secrets

@@ -0,0 +1 @@
+include /etc/ipsec.d/*.secret

data/puppet/classes/openswan/patched_ipsec_initd_script

@@ -0,0 +1,223 @@
+#!/bin/bash
+# IPsec startup and shutdown script
+#
+### BEGIN INIT INFO
+# Provides:          openswan
+# Required-Start:    $network $syslog $named
+# Required-Stop:     $syslog
+# Default-Start:     2 3 4 5
+# Default-Stop:      0 1 6
+# Short-Description: Start Openswan IPsec at boot time
+# Description:       Enable automatic key management for IPsec (KLIPS and NETKEY)
+### END INIT INFO
+#
+# Copyright (C) 1998, 1999, 2001  Henry Spencer.
+# Copyright (C) 2002              Michael Richardson <mcr@freeswan.org>
+# Copyright (C) 2006              Michael Richardson <mcr@xelerance.com>
+# Copyright (C) 2008              Michael Richardson <mcr@sandelman.ca>
+# 
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+# 
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# for more details.
+#
+#
+# ipsec         init.d script for starting and stopping
+#               the IPsec security subsystem (KLIPS and Pluto).
+#
+# This script becomes /etc/rc.d/init.d/ipsec (or possibly /etc/init.d/ipsec)
+# and is also accessible as "ipsec setup" (the preferred route for human
+# invocation).
+#
+# The startup and shutdown times are a difficult compromise (in particular,
+# it is almost impossible to reconcile them with the insanely early/late
+# times of NFS filesystem startup/shutdown).  Startup is after startup of
+# syslog and pcmcia support; shutdown is just before shutdown of syslog.
+#
+# chkconfig: 2345 47 76
+# description: IPsec provides encrypted and authenticated communications; \
+# KLIPS is the kernel half of it, Pluto is the user-level management daemon.
+
+me='ipsec setup'		# for messages
+
+# where the private directory and the config files are
+IPSEC_EXECDIR="${IPSEC_EXECDIR-/usr/lib/ipsec}"
+IPSEC_LIBDIR="${IPSEC_LIBDIR-/usr/lib/ipsec}"
+IPSEC_SBINDIR="${IPSEC_SBINDIR-/usr/sbin}"
+IPSEC_CONFS="${IPSEC_CONFS-/etc}"
+
+if test " $IPSEC_DIR" = " "	# if we were not called by the ipsec command
+then
+    # we must establish a suitable PATH ourselves
+    PATH="${IPSEC_SBINDIR}":/sbin:/usr/sbin:/usr/bin:/bin:/usr/bin
+    export PATH
+
+    IPSEC_DIR="$IPSEC_LIBDIR"
+    export IPSEC_DIR IPSEC_CONFS IPSEC_LIBDIR IPSEC_EXECDIR
+fi
+
+# Check that the ipsec command is available.
+found=
+for dir in `echo $PATH | tr ':' ' '`
+do
+	if test -f $dir/ipsec -a -x $dir/ipsec
+	then
+		found=yes
+		break			# NOTE BREAK OUT
+	fi
+done
+if ! test "$found"
+then
+	echo "cannot find ipsec command -- \`$1' aborted" |
+		logger -s -p daemon.error -t ipsec_setup
+	exit 1
+fi
+
+# accept a few flags
+
+export IPSEC_setupflags
+IPSEC_setupflags=""
+
+config=""
+
+for dummy
+do
+	case "$1" in
+	--showonly|--show)  IPSEC_setupflags="$1" ;;
+	--config)  config="--config $2" ; shift	;;
+	*) break ;;
+	esac
+	shift
+done
+
+
+# Pick up IPsec configuration (until we have done this, successfully, we
+# do not know where errors should go, hence the explicit "daemon.error"s.)
+# Note the "--export", which exports the variables created.
+variables=`ipsec addconn $config --varprefix IPSEC --configsetup`
+
+# Free Range / JGA / JM: the provided version of the script didn't return the actual
+# exit code which meant that puppet didn't know that the service failed to start.
+RETVAL=$?
+
+
+if [ $RETVAL != 0 ]
+then
+    echo "Failed to parse config setup portion of ipsec.conf"
+    exit $RETVAL
+fi
+eval $variables
+
+if test " $IPSEC_confreadstatus" != " "
+then
+    case $1 in 
+    stop|--stop|_autostop) 
+	echo "$IPSEC_confreadstatus -- \`$1' may not work" |
+		logger -s -p daemon.error -t ipsec_setup;;
+		
+    *) echo "$IPSEC_confreadstatus -- \`$1' aborted" |
+	    logger -s -p daemon.error -t ipsec_setup;
+	exit 1;;
+    esac
+fi
+
+IPSEC_confreadsection=${IPSEC_confreadsection:-setup}
+export IPSEC_confreadsection
+
+IPSECsyslog=${IPSECsyslog-daemon.error}
+export IPSECsyslog
+
+# misc setup
+umask 022
+
+mkdir -p /var/run/pluto
+
+RETVAL=0
+
+start_stop() {
+	# remove for: @cygwin_START@ 
+	# portable way for checking for root
+	if test " `id -u`" != " 0"
+	then
+		echo "permission denied (must be superuser)" |
+			logger -s -p $IPSECsyslog -t ipsec_setup 2>&1
+		exit 1
+	fi
+	# remove for: @cygwin_END@
+
+	# Free Range / KS / CR: _realsetup script from ipsec does not correctly create this directory on reboot
+	mkdir -p /var/lock/subsys
+
+	(
+	ipsec _realsetup $1
+	RETVAL="$?" 
+	) 2>&1 | logger -s -p $IPSECsyslog -t ipsec_setup 2>&1  
+
+	return $RETVAL
+}
+
+
+restart_reload() {
+	$0 $IPSEC_setupflags stop
+	$0 $IPSEC_setupflags start
+}
+
+
+autorestart() {
+	$0 $IPSEC_setupflags _autostop
+	$0 $IPSEC_setupflags _autostart
+}
+
+version() {
+	ipsec version
+	RETVAL=$?
+	return $RETVAL
+}
+
+
+show_help() {
+	echo "Usage: $me [ --showonly ] {--start|--stop|--restart}"
+	echo "       $me --status"
+	RETVAL=0
+	return $RETVAL
+}
+
+# do it
+case "$1" in
+  start|--start|stop|--stop|_autostop|_autostart)
+	start_stop $1
+	;;
+
+  restart|--restart|force-reload)
+	restart_reload
+	;;
+
+  _autorestart)			# for internal use only
+	autorestart
+	;;
+
+  status|--status)
+	ipsec _realsetup $1
+	RETVAL=$?
+	;;
+
+  version|--version)
+	version
+	;;
+
+  help|--help)
+	show_help
+	;;
+
+  *)
+	echo "Usage: $me [ --showonly ] {--start|--stop|--restart}"
+	echo "       $me --status"
+	RETVAL=2
+esac
+
+exit $RETVAL

data/puppet/classes/openswan/secret.erb

@@ -0,0 +1 @@
+<%= client_ip %> <%= server_ip %>: PSK "<%= pre_shared_key %>"

data/puppet/classes/openswan.pp

@@ -0,0 +1,71 @@
+class openswan {
+  package { "openswan":
+    ensure => "1:2.6.23+dfsg-1ubuntu1"
+  }
+
+  file { "/etc/init.d/ipsec":
+    content => template("openswan/patched_ipsec_initd_script"),
+    owner => root,
+    group => root,
+    mode => 755,
+    require => Package[openswan]
+  }
+
+  file { "/etc/ipsec.d":
+    ensure => directory,
+    owner => root,
+    group => root,
+    require => Package[openswan]
+  }
+
+  file { "/etc/ipsec.conf":
+    content => template("openswan/ipsec.conf"),
+    owner => root,
+    group => root,
+    require => File["/etc/ipsec.d"]
+  }
+
+  define connection($content) {
+    include openswan
+
+    file { "/etc/ipsec.d/$name.conf":
+      owner => root,
+      group => root,
+      mode => 644,
+      content => $content,
+      notify => Service[ipsec]
+    }
+  }
+
+  file { "/etc/ipsec.secrets":
+    content => template("openswan/ipsec.secrets"),
+    owner => root,
+    group => root,
+    mode => 600,
+    require => File["/etc/ipsec.d"]
+  }
+
+  define psk_secret($client_ip, $server_ip, $pre_shared_key) {
+    include openswan
+
+    file { "/etc/ipsec.d/$name.secret":
+      owner => root,
+      group => root,
+      mode => 600,
+      content => template("openswan/secret.erb"),
+      notify => Service[ipsec]
+    }
+  }
+
+  exec {"fix-runlevel":
+    command => "update-rc.d -f ipsec remove && update-rc.d ipsec defaults",
+    require => Package[openswan]
+  }
+
+  service { "ipsec":
+    require => [Package["openswan"], File["/etc/ipsec.conf"], File["/etc/ipsec.secrets"], File["/etc/init.d/ipsec"], Exec["fix-runlevel"]],
+    ensure => running,
+    subscribe => [File["/etc/ipsec.conf"], File["/etc/ipsec.secrets"], File["/etc/init.d/ipsec"]]
+  }
+
+}

data/puppet/classes/post-flight.pp

@@ -0,0 +1,17 @@
+stage { "post-flight": require => Stage[main] }
+class { "post-flight": stage => "post-flight" }
+
+class post-flight {
+  exec { "application group ownership":
+    command => "chgrp -R application /var/apps",
+    require => File["/var/apps"]
+  }
+  exec { "application sticky bit":
+    command => "chmod -R g+rwxs /var/apps",
+    require => File["/var/apps"]
+  }
+  exec { "application permissions":
+    command => "chmod -R g+rww /var/apps",
+    require => File["/var/apps"]
+  }
+}

data/puppet/classes/postfix/main.cf

@@ -0,0 +1,39 @@
+# See /usr/share/postfix/main.cf.dist for a commented, more complete version
+
+
+# Debian specific:  Specifying a file name will cause the first
+# line of that file to be used as the name.  The Debian default
+# is /etc/mailname.
+#myorigin = /etc/mailname
+
+smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
+biff = no
+
+# appending .domain is the MUA's job.
+append_dot_mydomain = no
+
+# Uncomment the next line to generate "delayed mail" warnings
+#delay_warning_time = 4h
+
+readme_directory = no
+
+# TLS parameters
+smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
+smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
+smtpd_use_tls=no
+smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
+smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+
+# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
+# information on enabling SSL in the smtp client.
+
+#myhostname = localhost
+alias_maps = hash:/etc/aliases
+alias_database = hash:/etc/aliases
+mydestination = localdomain, localhost, localhost.localdomain, localhost
+relayhost =
+mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
+mailbox_size_limit = 0
+recipient_delimiter = +
+inet_interfaces = all
+