| author | Silvio Rhatto <rhatto@riseup.net> | 2013-04-12 17:09:03 -0300 | 
|---|---|---|
| committer | Silvio Rhatto <rhatto@riseup.net> | 2013-04-12 17:09:03 -0300 | 
| commit | fe1c86b8f938283e9dd8196a8b11a9648f4b49e6 (patch) | |
| tree | c2d999eca03862a3e4af57e0885397adf6bbc6ec /manifests/role | |
| parent | ec5c750d12bdc7948bb3c04f0c72817718a0bf47 (diff) | |
Major refactor
Diffstat (limited to 'manifests/role')
| -rw-r--r-- | manifests/role/dns.pp | 3 | ||||
| -rw-r--r-- | manifests/role/jabber.pp | 36 | ||||
| -rw-r--r-- | manifests/role/mail.pp | 3 | ||||
| -rw-r--r-- | manifests/role/master.pp | 60 | ||||
| -rw-r--r-- | manifests/role/mumble.pp | 3 | ||||
| -rw-r--r-- | manifests/role/nas.pp | 233 | ||||
| -rw-r--r-- | manifests/role/personal.pp | 43 | ||||
| -rw-r--r-- | manifests/role/proxy.pp | 3 | ||||
| -rw-r--r-- | manifests/role/router.pp | 25 | ||||
| -rw-r--r-- | manifests/role/storage.pp | 3 | ||||
| -rw-r--r-- | manifests/role/test.pp | 3 | ||||
| -rw-r--r-- | manifests/role/tor.pp | 4 | ||||
| -rw-r--r-- | manifests/role/web.pp | 49 | ||||
| -rw-r--r-- | manifests/role/webdev.pp | 5 | ||||
| -rw-r--r-- | manifests/role/webdev/desktop.pp | 3 | ||||
| -rw-r--r-- | manifests/role/webdev/laptop.pp | 3 | ||||
| -rw-r--r-- | manifests/role/yacy.pp | 34 | 
17 files changed, 513 insertions, 0 deletions
diff --git a/manifests/role/dns.pp b/manifests/role/dns.pp
new file mode 100644
index 0000000..2faa69b
--- /dev/null
+++ b/manifests/role/dns.pp
@@ -0,0 +1,3 @@
+class nodo::role::dns inherits nodo::vserver {
+  include bind
+}
diff --git a/manifests/role/jabber.pp b/manifests/role/jabber.pp
new file mode 100644
index 0000000..b510ccd
--- /dev/null
+++ b/manifests/role/jabber.pp
@@ -0,0 +1,36 @@
+class nodo::role::jabber inherits nodo::vserver {
+  include ssl
+  include ejabberd
+
+  # We can offer jabber web access in a web node, so
+  # we leave this out.
+  #
+  #include websites::setup
+  #
+  #package { 'jwchat':
+  #  ensure => present,
+  #}
+
+  host { "chat":
+    ensure       => present,
+    ip           => "127.0.0.1",
+    host_aliases => [ "chat.${domain}" ],
+  }
+
+  file { [ "/etc/ejabberd/ssl", "/etc/ejabberd/ssl/certs", "/etc/ejabberd/ssl/private" ]:
+    ensure  => directory,
+    owner   => "root",
+    group   => "ejabberd",
+    mode    => 0750,
+  }
+
+  # We use a concatenated cert file
+  # http://site4fast.blogspot.com.br/2011/10/ejabberd-ssl-how-to.html
+  ssl::cert { "cert-concat":
+    owner   => 'ejabberd',
+    group   => 'ejabberd',
+    base    => '/etc/ejabberd/ssl',
+    notify  => Service['ejabberd'],
+    require => File['/etc/ejabberd/ssl/private'],
+  }
+}
diff --git a/manifests/role/mail.pp b/manifests/role/mail.pp
new file mode 100644
index 0000000..4c33ed4
--- /dev/null
+++ b/manifests/role/mail.pp
@@ -0,0 +1,3 @@
+class nodo::role::mail {
+  class { [ 'nodo::vserver', 'mail::system' ]: }
+}
diff --git a/manifests/role/master.pp b/manifests/role/master.pp
new file mode 100644
index 0000000..2adb8a5
--- /dev/null
+++ b/manifests/role/master.pp
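Review bot: In jabber.pp, `host_aliases => [ "chat.${domain}" ]` interpolates an unqualified `$domain`, whereas master.pp in this same commit writes `${::domain}`; the unqualified form is resolved through dynamic scoping and can pick up a different `$domain` from an enclosing class, so it should read `host_aliases => [ "chat.${::domain}" ],`. The `/etc/ejabberd/ssl` tree being `0750` root:ejabberd with `ssl::cert` requiring the `private` directory is a sensible layout; a one-line comment such as `# private/ must stay group-readable only: ejabberd reads the key, nobody else` would record why the mode is not 0755. The dns.pp and mail.pp hunks on this line are trivial includes.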
@@ -0,0 +1,60 @@
+class nodo::role::master {
+  $main        = hiera('nodo::role::master::main',        false)
+  $db_password = hiera('nodo::role::master::db_password', '')
+
+  case $db_password {
+    '': { fail("Please set nodo::master::db_password in your config") }
+  }
+
+  if $main == true {
+    # Puppetmaster should be included before nodo::vserver
+    class { 'puppet::master':
+      main => true,
+    }
+
+    include munin::host
+    include munin::plugins::muninhost
+
+    # The main master has a host entry pointing to itself, other
+    # masters still retrieve catalogs from the main master.
+    host { "puppet":
+      ensure => present,
+      ip     => "127.0.0.1",
+      alias  => ["puppet.${::domain}"],
+    }
+  } else {
+    class { 'puppet::master':
+      main => false,
+    }
+
+    host { "puppet":
+      ensure => absent,
+    }
+  }
+
+  # These should be included after puppetmaster
+  include nodo::vserver
+  include database
+  include git::daemon
+  include websites::admin
+  include nagios::headless
+  include nagios::defaults
+
+  # Nagios apache workaround
+  file { "/etc/apache2/conf.d/nagios3.conf":
+    ensure => absent,
+  }
+
+  # Update master's puppet.conf if you change here
+  database::instance { "puppet":
+    password => "${db_password}",
+  }
+
+  # Used for trac dependency graphs
+  package { "graphviz":
+    ensure => present,
+  }
+
+  # Check domain registration
+  domain_check::instance { $::domain: }
+}
diff --git a/manifests/role/mumble.pp b/manifests/role/mumble.pp
new file mode 100644
index 0000000..764c0d8
--- /dev/null
+++ b/manifests/role/mumble.pp
@@ -0,0 +1,3 @@
+class nodo::role::mumble inherits nodo::vserver {
+  include mumble::ssl
+}
diff --git a/manifests/role/nas.pp b/manifests/role/nas.pp
new file mode 100644
index 0000000..134216e
--- /dev/null
+++ b/manifests/role/nas.pp
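Review bot: `alias => ["puppet.${::domain}"]` on the `host { "puppet": }` resource sets Puppet's `alias` metaparameter (an alternate catalog reference for the resource), not an /etc/hosts alias, so the main master's hosts entry will carry no `puppet.<domain>` name; the property meant here is the one jabber.pp uses, `host_aliases => ["puppet.${::domain}"],`. Separately, the guard reads `nodo::role::master::db_password` from hiera but the failure text tells the operator to set `nodo::master::db_password`, a key that is never read; change it to `fail("Please set nodo::role::master::db_password in your config")`. `password => "${db_password}"` can also be simply `password => $db_password,`, since the quoting adds nothing.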
@@ -0,0 +1,233 @@
+class nodo::role::nas {
+  # Firewall rules
+  include firewall::nas
+
+  # DLNA
+  class { 'minidlna': }
+
+  #
+  # NFS
+  #
+  # References
+  # https://github.com/arioch/puppet-nfs
+  # https://github.com/stankevich/puppet-nfs
+  # https://github.com/camptocamp/puppet-nfs
+  # https://github.com/haraldsk/puppet-module-nfs/
+  # http://git.puppet.immerda.ch/?p=module-nfsd.git;a=summary
+  # http://wiki.debian.org/NFSServerSetup
+  # http://www.tldp.org/HOWTO/NFS-HOWTO/
+
+  # Main class
+  class { 'nfs':
+    server => true;
+  }
+
+  #
+  # FTP
+  #
+
+  # References
+  # https://forge.puppetlabs.com/tags/ftp
+  # https://forum.openwrt.org/viewtopic.php?id=12976
+  # http://download.pureftpd.org/pub/pure-ftpd/doc/FAQ
+  # http://www.massimilianomarini.com/04/02/2012/how-follow-symbolic-links-pure-ftpd
+
+  # Main class
+  class { 'pureftpd':
+    virtualchroot => true,
+  }
+
+  # Enable anonymous ftp
+  file { '/etc/pure-ftpd/conf/NoAnonymous':
+    ensure  => present,
+    owner   => root,
+    group   => root,
+    mode    => 0644,
+    content => "no\n",
+    notify  => Service[$pureftpd::params::service_name],
+  }
+
+  #   
+  # Samba
+  #
+
+  # References
+  # https://github.com/ajjahn/puppet-samba
+  # https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/NetworkBrowsing.html#id2583364
+  # http://serverfault.com/questions/240217/dd-wrt-bonjour-netbios-etc-on-two-subnets
+  # http://www.linuxplanet.com/linuxplanet/tutorials/6600/2
+  # http://forums.fedoraforum.org/showthread.php?t=260519
+  # http://randombio.com/linuxsetup38.html
+
+  # Main class
+  class { 'samba::server':
+    workgroup     => hiera('nodo::samba::workgroup',     'WORKGROUP'),
+    server_string => hiera('nodo::samba::server_string', 'Samba Server'),
+    interfaces    => hiera('nodo::samba::interfaces',    'lo eth0'),
+    security      => hiera('nodo::samba::security',      'share'),
+  }
+
+  # We are avoiding multicast
+  # http://bda.ath.cx/blog/2009/01/24/multicast-routing-upnp-traffic-with-linux/
+  # http://linux-igd.sourceforge.net/documentation.php
+  set_samba_option {
+   # Remote announce won't work since routers don't forward broadcast traffic
+   #'remote announce': value => hiera('nodo::samba::remote_announce', '');
+   'wins support':     value => 'yes';
+   'preferred master': value => 'yes';
+   'domain master':    value => 'yes';
+   'printing':         value => 'cups';
+   'printcap name':    value => 'cups';
+  }
+
+  # Disable browsing of printer drivers
+  samba::server::share { 'print$':
+    comment   => 'Printer Drivers',
+    path      => '/var/lib/samba/printers',
+    browsable => 'no',
+    read_only => 'yes',
+    guest_ok  => 'no',
+  }
+
+  #
+  # HTTP
+  #
+
+  # References
+  # https://github.com/camptocamp/puppet-lighttpd
+  # https://github.com/example42/puppet-lighttpd
+  # http://git.puppet.immerda.ch/?p=module-lighttpd.git;a=summary
+
+  # Main class
+  class { 'lighttpd': }
+
+  # Document root
+  file { '/var/www/data':
+    ensure => present,
+    owner  => root,
+    group  => root,
+    mode   => 0755,
+  }
+
+  #
+  # TFTP
+  #
+
+  # Main class
+  class { 'tftp':
+    directory => '/srv/tftp',
+    address   => $::ipaddress,
+    options   => '--ipv4 --timeout 60',
+    inetd     => false,
+  }
+
+  # Rsync
+  include rsync::server
+
+  # MPD
+  include mpd
+  include mpd::client
+
+  #
+  # CUPS
+  #
+
+  # References
+  # https://github.com/mosen/puppet-cups
+  # https://github.com/camptocamp/puppet-cups
+
+  # Package
+  package { [ 'cups', 'cups-client' ]:
+    ensure => installed,
+  }
+
+  #
+  # Avahi
+  #
+
+  # References
+  # http://nfs-lan.sevka.info/
+  # http://en.gentoo-wiki.com/wiki/Avahi
+  # https://wiki.archlinux.org/index.php/Avahi
+  # http://packages.debian.org/wheezy/libnss-mdns
+  # http://packages.debian.org/wheezy/mdns-scan
+  # http://packages.debian.org/wheezy/avahi-discover
+  # http://askubuntu.com/questions/19590/how-do-i-share-nfs-mounts-over-zeroconf
+  # http://sophie.zarb.org/distrib/Mandriva/current/x86_64/rpms/pure-ftpd/files/1
+  # https://github.com/stahnma/puppet-module-avahi
+  # https://github.com/tjfontaine/airprint-generate
+  # http://mryoung.soundbomb.net/index.php/apple-airprint-with-linux-avahi
+  # http://lists.freedesktop.org/archives/avahi/2006-July/000824.html
+  # http://cups.org/documentation.php/doc-1.6/ref-cupsd-conf.html#BrowseLocalProtocols
+  # http://www.dns-sd.org/ServiceTypes.html
+
+  # Main class
+  include avahi
+
+  file { '/etc/avahi/services/rsync.service':
+    ensure => present,
+    owner  => root,
+    group  => root,
+    mode   => 0644,
+    source => 'puppet:///modules/site_avahi/services/rsync.service',
+    notify => Service['avahi-daemon'],
+  }
+
+  file { '/etc/avahi/services/http.service':
+    ensure => present,
+    owner  => root,
+    group  => root,
+    mode   => 0644,
+    source => 'puppet:///modules/site_avahi/services/http.service',
+    notify => Service['avahi-daemon'],
+  }
+
+  file { '/etc/avahi/services/samba.service':
+    ensure => present,
+    owner  => root,
+    group  => root,
+    mode   => 0644,
+    source => 'puppet:///modules/site_avahi/services/samba.service',
+    notify => Service['avahi-daemon'],
+  }
+
+  file { '/etc/avahi/services/ftp.service':
+    ensure => present,
+    owner  => root,
+    group  => root,
+    mode   => 0644,
+    source => 'puppet:///modules/site_avahi/services/ftp.service',
+    notify => Service['avahi-daemon'],
+  }
+
+  #
+  # DAAP
+  #
+
+  # References
+  # http://packages.debian.org/stable/forked-daapd
+  # http://packages.debian.org/squeeze/mt-daapd
+  # https://github.com/stahnma/puppet-module-daap_server
+   
+  # Main class, but package not available on wheezy
+  #class { 'daap_server':
+  #  collection_name => 'Noise - DAAP',
+  #  music_dir       => '/var/cache/media/noise',
+  #}
+
+  #
+  # Media folders
+  #
+
+  # Main classes
+  class { [ 'nodo::subsystem::media::folders', 'nodo::subsystem::media::groups' ]: }
+   
+  # Make sure basic media exist, no matter if there is an external disk attached
+  $cache = hiera('nodo::media::folders', '')
+
+  if $cache != '' {
+    file { "${cache}":
+      ensure => directory,
+    }
+  }
+}
diff --git a/manifests/role/personal.pp b/manifests/role/personal.pp
new file mode 100644
index 0000000..f7afdc0
--- /dev/null
+++ b/manifests/role/personal.pp
@@ -0,0 +1,43 @@
+# Personal computer
+class nodo::role::personal {
+  include nodo::physical
+  include nodo::utils::personal
+  include autossh
+
+  class { 'nodo::subsystem::pam': }
+  class { 'nodo::subsystem::xorg': }
+
+  if $::lsbdistcodename == 'squeeze' {
+    include nodo::subsystem::gdm
+  }
+  else {
+    include nodo::subsystem::gdm3
+  }
+
+  # Monitoring
+  class { 'monitor':
+    type       => 'personal',
+    use_nagios => hiera('nodo::personal::use_nagios', false),
+  }
+
+  # Media folders and groups
+  class { [ 'nodo::subsystem::media::folders', 'nodo::subsystem::media::groups' ]: }
+
+  # Mountpoint for encrypted home folders
+  file { [ '/mnt/crypt/', '/mnt/crypt/home' ]:
+    ensure => directory,
+  }
+
+  # Misc user data
+  file { [ "/var/data/code", "/var/data/crypt", "/var/data/crypt/home", "/var/data/load" ]:
+    ensure  => directory,
+    mode    => 0755,
+    require => File['/var/cache/media'],
+  }
+
+  # Development
+  file { [ "/var/cache/vagrant", "/var/cache/virtualbox" ]:
+    ensure => directory,
+    mode   => 0755,
+  }
+}
diff --git a/manifests/role/proxy.pp b/manifests/role/proxy.pp
new file mode 100644
index 0000000..821e975
--- /dev/null
+++ b/manifests/role/proxy.pp
@@ -0,0 +1,3 @@
+class nodo::role::proxy inherits nodo::vserver {
+  include nginx
+}
diff --git a/manifests/role/router.pp b/manifests/role/router.pp
new file mode 100644
index 0000000..068837d
--- /dev/null
+++ b/manifests/role/router.pp
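Review bot: The `# Document root` resource `file { '/var/www/data': ensure => present, ... mode => 0755 }` only guarantees that *some* file exists at the path, so on a fresh node it creates an empty regular file rather than a directory lighttpd can serve from; it should be `ensure => directory,`, as the other directory resources in this hunk already use. The role also deliberately enables anonymous FTP (`NoAnonymous` written as `no`) and defaults samba `security` to `'share'`, which together make every exposed share reachable without credentials; the only stated boundary is `include firewall::nas`, so a comment such as `# Exposure note: anonymous FTP and share-level samba assume a trusted LAN behind firewall::nas` would record that assumption where the next maintainer will see it, and `'user'` would be the safer hiera fallback for `security` if a NAS ever sits on a shared segment. The personal.pp and proxy.pp hunks on this line raise nothing beyond `require => File['/var/cache/media']` referencing a resource declared outside this file, presumably in the media subsystem classes.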
@@ -0,0 +1,25 @@
+class nodo::role::router inherits nodo::appliance {
+  # We use monitor class on the router as the DNS server might by
+  # inside a vserver and thus cannot access the network devices directly
+  include nodo::utils::dns
+
+  # Network auditing
+  include nodo::utils::network::analyzer
+
+  # Enable IP forwarding
+  augeas { 'enable_ip_forwarding':
+    changes => 'set /files/etc/shorewall/shorewall.conf/IP_FORWARDING On',
+    lens    => 'Shellvars.lns',
+    incl    => '/etc/shorewall/shorewall.conf',
+    notify  => Service[shorewall];
+  }
+
+  # Make sure shorewall is reloaded after dhcp renew
+  file { '/etc/dhcp/dhclient-exit-hooks.d/shorewall':
+    ensure => present,
+    owner  => root,
+    group  => root,
+    mode   => 0644,
+    source => 'puppet:///modules/site_nodo/dhclient-exit-hooks.d/shorewall'
+  }
+}
diff --git a/manifests/role/storage.pp b/manifests/role/storage.pp
new file mode 100644
index 0000000..0cf7f60
--- /dev/null
+++ b/manifests/role/storage.pp
@@ -0,0 +1,3 @@
+class nodo::role::storage inherits nodo::vserver {
+  include nodo::utils::storage
+}
diff --git a/manifests/role/test.pp b/manifests/role/test.pp
new file mode 100644
index 0000000..330a5ee
--- /dev/null
+++ b/manifests/role/test.pp
@@ -0,0 +1,3 @@
+class nodo::role::test inherits nodo::web {
+  # Class for test nodes
+}
diff --git a/manifests/role/tor.pp b/manifests/role/tor.pp
new file mode 100644
index 0000000..2d5ff58
--- /dev/null
+++ b/manifests/role/tor.pp
@@ -0,0 +1,4 @@
+class nodo::role::tor inherits nodo::vserver {
+  include tor::daemon
+  include nodo::utils::tor
+}
diff --git a/manifests/role/web.pp b/manifests/role/web.pp
new file mode 100644
index 0000000..7cdd93f
--- /dev/null
+++ b/manifests/role/web.pp
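Review bot: The comment above `include nodo::utils::dns` in router.pp says "We use monitor class on the router", but the line includes the DNS utilities, and "might by" should be "might be"; suggested wording: `# We include the DNS utils on the router because the DNS server might be` followed by `# inside a vserver and thus cannot access the network devices directly`. The `augeas` resource notifies `Service[shorewall]` and the exit hook is sourced from `site_nodo`, both declared outside this file, so the hunk cannot show that the service resource exists; a short `# Service[shorewall] comes from <module>` comment would help, with the module name filled in by the author. Since dhclient exit hooks are sourced by dhclient as root, the 0644 root-owned mode here is correct and worth keeping. The storage.pp, test.pp and tor.pp hunks on this line are trivial includes.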
@@ -0,0 +1,49 @@
+class nodo::role::web inherits nodo::vserver {
+  # Hidden services
+  $hidden = hiera('apache::site::hidden', false)
+  if $hidden == true {
+    include onion
+  }
+
+  # Classes for web nodes
+  include websites
+  include database
+  include users::virtual
+  include nodo::utils::web
+
+  # Reprepro configuration
+  $reprepro         = hiera('nodo::web::reprepro', false)
+  $reprepro_basedir = '/var/reprepro'
+
+  case $reprepro {
+    true,'enabled': {
+      class { 'reprepro':
+        basedir   => '/var/reprepro',
+        uploaders => hiera('nodo::web::reprepro_uploaders', [ ]),
+      }
+
+      include reprepro::cron
+    }
+    'disabled': {
+      class { 'reprepro::disabled':
+        basedir => '/var/reprepro',
+      }
+    }
+    'purged': {
+      class { 'reprepro::purged':
+        basedir => '/var/reprepro',
+      }
+    }
+    false,default: { }
+  }
+
+  $git_daemon = hiera('nodo::web::git_daemon', True)
+
+  if $git_daemon != false {
+    class { 'git::daemon': }
+  }
+
+  backupninja::svn { "svn":
+    src => "/var/svn",
+  }
+}
diff --git a/manifests/role/webdev.pp b/manifests/role/webdev.pp
new file mode 100644
index 0000000..6154cc0
--- /dev/null
+++ b/manifests/role/webdev.pp
@@ -0,0 +1,5 @@
+class nodo::role::webdev {
+  include websites::dev
+  include database
+  include utils::web
+}
diff --git a/manifests/role/webdev/desktop.pp b/manifests/role/webdev/desktop.pp
new file mode 100644
index 0000000..063140a
--- /dev/null
+++ b/manifests/role/webdev/desktop.pp
@@ -0,0 +1,3 @@
+class nodo::role::webdev::desktop inherits nodo::desktop {
+  include nodo::role::webdev
+}
diff --git a/manifests/role/webdev/laptop.pp b/manifests/role/webdev/laptop.pp
new file mode 100644
index 0000000..e9c1aab
--- /dev/null
+++ b/manifests/role/webdev/laptop.pp
@@ -0,0 +1,3 @@
+class nodo::role::webdev::laptop inherits nodo::laptop {
+  include nodo::role::webdev
+}
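Review bot: `hiera('nodo::web::git_daemon', True)` uses a capitalised `True`, which is not Puppet's boolean literal (those are lowercase) and is lexed as a capitalised bareword; the default only behaves as intended because the following `!= false` test is satisfied by any non-false value, so it should be `hiera('nodo::web::git_daemon', true)`. In the same hunk `$reprepro_basedir` is assigned but never read, while `'/var/reprepro'` is repeated in all three `basedir =>` arguments; replacing each with `basedir => $reprepro_basedir,` gives the path one source of truth. The webdev.pp, desktop.pp and laptop.pp hunks on this line are trivial includes.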
diff --git a/manifests/role/yacy.pp b/manifests/role/yacy.pp
new file mode 100644
index 0000000..379297c
--- /dev/null
+++ b/manifests/role/yacy.pp
@@ -0,0 +1,34 @@
+class nodo::role::yacy inherits nodo::vserver {
+  class { 'onion': }
+
+  package { 'yacy':
+    ensure => installed,
+  }
+
+  service { 'yacy':
+    ensure  => running,
+    require => Package['yacy'],
+  }
+
+  # Gracefully restart yacy everyday
+  cron { "yacy-restart":
+    command  => "/etc/init.d/yacy restart > /dev/null 2>&1",
+    user     => root,
+    hour     => "*/4",
+    minute   => "0",
+    ensure   => present,
+    require  => Service['yacy'],
+  }
+
+  tor::daemon::hidden_service { 'yacy':
+    ports    => [ '8090 127.0.0.1:8090', '80 127.0.0.1:8090' ],
+    data_dir => "$tor::daemon::data_dir/hidden",
+    ensure   => present,
+  }
+
+  # Why they don't sign their releases?
+  apt::sources_list { "yacy.net.list":
+    content => "deb http://debian.yacy.net ./\n",
+    ensure  => absent,
+  }
+}
|
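Review bot: The comment `# Gracefully restart yacy everyday` does not match the schedule below it: `hour => "*/4"` with `minute => "0"` fires every four hours, not once a day, so either the comment should become `# Gracefully restart yacy every four hours` or the schedule should be `hour => "0"`. `data_dir => "$tor::daemon::data_dir/hidden"` interpolates a qualified variable without braces; `"${tor::daemon::data_dir}/hidden"` is the unambiguous form and matches how `${::domain}` is written elsewhere in this commit. The `apt::sources_list` kept at `ensure => absent` with the "don't sign their releases" remark is a reasonable choice, but the comment would be clearer as `# Kept absent: the upstream repository does not sign its releases, so install the package another way`.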
