# == Class: profiles::base
#
# Base profile: baseline configuration declared for a node (accounts, sshd,
# Shorewall firewall, SELinux, time/DNS, logging, patching, sudo, the Puppet
# agent and the Zabbix agent). Every tunable is read from Hiera.
#
class profiles::base {

  ## Hiera lookups
  # Lookups written without a default make catalog compilation fail when the
  # key is absent, so a node cannot silently get this profile with a missing
  # sshd, sudo or firewall setting.
  $selinux_mode                          = hiera('profiles::base::selinux_mode')
  $ntp_servers                           = hiera('profiles::base::ntp_servers')
  $dns_resolvers                         = hiera('profiles::base::dns_resolvers')
  $timezone                              = hiera('profiles::base::timezone')
  $sudo_manage_sudoersd                  = hiera('profiles::base::sudo::manage_sudoersd')
  $sudo_sudoers                          = hiera_hash('profiles::base::sudo::sudoers')
  $accounts                              = hiera_hash('profiles::base::accounts')
  $crontabs                              = hiera('profiles::base::crontabs', undef)
  $network_interfaces                    = hiera_hash('profiles::base::network_interfaces',undef)
  $packages                              = hiera_array('profiles::base::packages')
  $puppet_server                         = hiera('profiles::base::puppet_server')
  $puppet_run_style                      = hiera('profiles::base::puppet_run_style')
  $puppet_configtimeout                  = hiera('profiles::base::puppet_configtimeout')
  $zabbix_server                         = hiera('profiles::base::zabbix_server')
  $zabbix_client_version                 = hiera('profiles::base::zabbix_client_version')
  $zabbix_client_manage_resources        = hiera('profiles::base::zabbix_client_manage_resources')
  $zabbix_client_manage_repo             = hiera('profiles::base::zabbix_client_manage_repo')
  $zabbix_client_manage_firewall         = hiera('profiles::base::zabbix_client_manage_firewall')
  $zabbix_client_host_group              = hiera('profiles::base::zabbix_client_host_group')
  $zabbix_client_host_templates          = hiera('profiles::base::zabbix_client_host_templates')
  $zabbix_client_userparameters          = hiera_hash('profiles::base::zabbix_client_userparameters',{})
  $rsyslog_log_remote                    = hiera('profiles::base::rsyslog_log_remote')
  $rsyslog_log_local                     = hiera('profiles::base::rsyslog_log_local')
  $rsyslog_auth_local                    = hiera('profiles::base::rsyslog_auth_local')
  $fail2ban_mailto                       = hiera('profiles::base::fail2ban_mailto')
  $yum_cron_yum_parameter                = hiera('profiles::base::yum_cron_yum_parameter')
  $yum_cron_check_only                   = hiera('profiles::base::yum_cron_check_only')
  $yum_cron_mailto                       = hiera('profiles::base::yum_cron_mailto')
  $yum_cron_service_ensure               = hiera('profiles::base::yum_cron_service_ensure')
  $sshd_storeconfigs_enabled             = hiera('profiles::base::sshd_storeconfigs_enabled')
  $sshd_port                             = hiera('profiles::base::sshd_port')
  $sshd_protocol                         = hiera('profiles::base::sshd_protocol')
  $sshd_syslogfacility                   = hiera('profiles::base::sshd_syslogfacility')
  $sshd_loglevel                         = hiera('profiles::base::sshd_loglevel')
  $sshd_permit_root_login                = hiera('profiles::base::sshd_permit_root_login')
  $sshd_allowgroups                      = hiera('profiles::base::sshd_allowgroups')
  $sshd_passwordauthentication           = hiera('profiles::base::sshd_passwordauthentication')
  $sshd_challengeresponseauthentication  = hiera('profiles::base::sshd_challengeresponseauthentication')
  $sshd_gssapiauthentication             = hiera('profiles::base::sshd_gssapiauthentication')
  $sshd_gssapicleanupcredentials         = hiera('profiles::base::sshd_gssapicleanupcredentials')
  $sshd_tcpkeepalive                     = hiera('profiles::base::sshd_tcpkeepalive')
  $sshd_allowagentforwarding             = hiera('profiles::base::sshd_allowagentforwarding')
  $sshd_banner                           = hiera('profiles::base::sshd_banner')
  $sshd_x11forwarding                    = hiera('profiles::base::sshd_x11forwarding')
  $sshd_subsystem                        = hiera('profiles::base::sshd_subsystem')
  $sshd_usepam                           = hiera('profiles::base::sshd_usepam')
  $shorewall_startup_enabled             = hiera('profiles::base::shorewall_startup_enabled')
  $shorewall_interfaces                  = hiera_hash('profiles::base::shorewall_interfaces')
  $shorewall_zones                       = hiera_hash('profiles::base::shorewall_zones')
  $shorewall_policy                      = hiera_hash('profiles::base::shorewall_policy')
  $shorewall_rules                       = hiera_hash('profiles::base::shorewall_rules')
  $shorewall_tunnels                     = hiera_hash('profiles::base::shorewall_tunnels',{})
  $shorewall_hosts                       = hiera_hash('profiles::base::shorewall_hosts',{})
  $shorewall_rulesections                = hiera_hash('profiles::base::shorewall_rulesections',{})
  $shorewall_masq                        = hiera_hash('profiles::base::shorewall_masq',{})
  $shorewall_proxyarp                    = hiera_hash('profiles::base::shorewall_proxyarp',{})
  $shorewall_nat                         = hiera_hash('profiles::base::shorewall_nat',{})
  $shorewall_blacklist                   = hiera_hash('profiles::base::shorewall_blacklist',{})
  $shorewall_rfc1918                     = hiera_hash('profiles::base::shorewall_rfc1918',{})
  $shorewall_routestopped                = hiera_hash('profiles::base::shorewall_routestopped',{})
  $shorewall_params                      = hiera_hash('profiles::base::shorewall_params',{})
  $shorewall_tcdevices                   = hiera_hash('profiles::base::shorewall_tcdevices',{})
  $shorewall_tcrules                     = hiera_hash('profiles::base::shorewall_tcrules',{})
  $shorewall_tcclasses                   = hiera_hash('profiles::base::shorewall_tcclasses',{})
  $shorewall_rtrules                     = hiera_hash('profiles::base::shorewall_rtrules',{})

  ## Class declarations
  # Repositories are configured in the 'pre' stage.
  class { '::profiles::base::repos':
    stage => 'pre',
  }

  # Create user accounts from the merged Hiera hash.
  create_resources('account', $accounts)

  # Cron entries are optional: the lookup defaults to undef.
  if $crontabs {
    create_resources('cron', $crontabs)
  }

  # sshd_config options. The access-control settings (PermitRootLogin,
  # AllowGroups, PasswordAuthentication, ChallengeResponseAuthentication) are
  # whatever Hiera supplies; this class imposes no floor of its own.
  # NOTE(review): consider validating the Hiera values here so a data mistake
  # cannot re-enable root or password logins - confirm against site policy.
  class { '::ssh::server':
    storeconfigs_enabled => $sshd_storeconfigs_enabled,
    options              => {
      'Port'                            => $sshd_port,
      'Protocol'                        => $sshd_protocol,
      'SyslogFacility'                  => $sshd_syslogfacility,
      'LogLevel'                        => $sshd_loglevel,
      'PermitRootLogin'                 => $sshd_permit_root_login,
      'AllowGroups'                     => $sshd_allowgroups,
      'PasswordAuthentication'          => $sshd_passwordauthentication,
      'ChallengeResponseAuthentication' => $sshd_challengeresponseauthentication,
      'GSSAPIAuthentication'            => $sshd_gssapiauthentication,
      'GSSAPICleanupCredentials'        => $sshd_gssapicleanupcredentials,
      'TCPKeepAlive'                    => $sshd_tcpkeepalive,
      'AllowAgentForwarding'            => $sshd_allowagentforwarding,
      'banner'                          => $sshd_banner,
      'X11Forwarding'                   => $sshd_x11forwarding,
      'Subsystem'                       => $sshd_subsystem,
      'UsePAM'                          => $sshd_usepam,
    },
  }

  # Host firewall; every table is data-driven from Hiera.
  class { '::shorewall':
    interfaces   => $shorewall_interfaces,
    zones        => $shorewall_zones,
    tunnels      => $shorewall_tunnels,
    policy       => $shorewall_policy,
    hosts        => $shorewall_hosts,
    rules        => $shorewall_rules,
    rulesections => $shorewall_rulesections,
    masq         => $shorewall_masq,
    proxyarp     => $shorewall_proxyarp,
    nat          => $shorewall_nat,
    blacklist    => $shorewall_blacklist,
    rfc1918      => $shorewall_rfc1918,
    routestopped => $shorewall_routestopped,
    params       => $shorewall_params,
    tcdevices    => $shorewall_tcdevices,
    tcrules      => $shorewall_tcrules,
    tcclasses    => $shorewall_tcclasses,
    rtrules      => $shorewall_rtrules,
  }

  ## Manage SSH before Shorewall to prevent lockout
  Class['::ssh::server'] -> Class['::shorewall']

  # Enable shorewall to startup
  augeas { 'enable_shorewall_startup':
    changes => "set /files/etc/shorewall/shorewall.conf/STARTUP_ENABLED ${shorewall_startup_enabled}",
    lens    => 'Shellvars.lns',
    incl    => '/etc/shorewall/shorewall.conf',
    notify  => Service['shorewall'],
    require => Class['::shorewall'],
  }

  # Set BLACKLIST to ALL so that rules added by fail2ban to ban an IP address
  # affect ALL connections, not only new ones.
  augeas { 'enable_shorewall_blacklist':
    changes => 'set /files/etc/shorewall/shorewall.conf/BLACKLIST ALL',
    lens    => 'Shellvars.lns',
    incl    => '/etc/shorewall/shorewall.conf',
    notify  => Service['shorewall'],
    require => Class['::shorewall'],
  }

  # The distribution iptables/ip6tables services are not enabled at boot once
  # Shorewall is in place.
  # NOTE(review): nothing in this class declares an IPv6 firewall; confirm
  # that IPv6 is filtered or disabled elsewhere before relying on this.
  service { ['iptables', 'ip6tables']:
    enable  => false,
    require => Class['::shorewall'],
  }

  # Export shorewall rule to be collected on puppetmaster.
  # NOTE(review): the source address is the top-scope ipaddress value, which
  # is normally reported by the agent itself; the collecting host therefore
  # trusts each node's own claim about which address to allow. Confirm that
  # collection is restricted by tag and that this trust is acceptable.
  @@shorewall::rule { "allow puppet from ${::fqdn}":
    source          => "net:${::ipaddress}",
    destination     => '$FW',
    proto           => 'tcp',
    destinationport => '8140',
    order           => 500,
    tag             => 'allow_puppet',
    action          => 'ACCEPT',
  }

  # Export shorewall rule to be collected on Zabbix server (same trust
  # consideration as the puppet rule: the address is node-supplied).
  @@shorewall::rule { "allow zabbix from ${::fqdn}":
    source          => "net:${::ipaddress}",
    destination     => '$FW',
    proto           => 'tcp',
    destinationport => '10050',
    order           => 510,
    tag             => 'allow_zabbix',
    action          => 'ACCEPT',
  }

  class { '::selinux':
    mode => $selinux_mode,
  }

  # Pre-login banner file, put in place before sshd is configured.
  file { '/etc/issue.net':
    ensure => present,
    mode   => '0644',
    owner  => 'root',
    group  => 'root',
    before => Class['ssh::server'],
    source => 'puppet:///modules/nab/sshd/issue.net',
  }

  # Do not manage Networking on virtualbox
  unless $::virtual == 'virtualbox' {
    class { '::network':
      interfaces_hash => $network_interfaces,
    }
  }

  package { $packages:
    ensure => present,
  }

  class { '::ntp':
    servers => $ntp_servers,
  }

  class { '::resolv_conf':
    nameservers => $dns_resolvers,
  }

  class { '::timezone':
    timezone => $timezone,
  }

  class { 'fail2ban':
    mailto => $fail2ban_mailto,
  }

  # Log shipping; whether logs and auth logs stay local or go remote is set
  # in Hiera.
  class { '::rsyslog::client':
    log_remote     => $rsyslog_log_remote,
    log_local      => $rsyslog_log_local,
    log_auth_local => $rsyslog_auth_local,
  }

  # Unattended update checks/installs, as configured in Hiera.
  class { '::yum_cron':
    yum_parameter  => $yum_cron_yum_parameter,
    check_only     => $yum_cron_check_only,
    mailto         => $yum_cron_mailto,
    service_ensure => $yum_cron_service_ensure,
  }

  # sudoers entries come from a merged Hiera hash, so any hierarchy level can
  # contribute privilege rules.
  class { '::sudo':
    manage_sudoersd => $sudo_manage_sudoersd,
    sudoers         => $sudo_sudoers,
  }

  class { '::puppet::agent':
    puppet_server    => $puppet_server,
    puppet_run_style => $puppet_run_style,
    configtimeout    => $puppet_configtimeout,
  }

  class { '::zabbix::agent':
    zabbix_version   => $zabbix_client_version,
    server           => $zabbix_server,
    manage_resources => $zabbix_client_manage_resources,
    manage_repo      => $zabbix_client_manage_repo,
    manage_firewall  => $zabbix_client_manage_firewall,
    zbx_group        => $zabbix_client_host_group,
    zbx_templates    => $zabbix_client_host_templates,
  }

  # Create directory for Zabbix external scripts
  file { '/etc/zabbix/externalscripts':
    ensure  => directory,
    owner   => 'zabbix',
    group   => 'zabbix',
    mode    => '0755',
    require => Class['::zabbix::agent'],
  }

  # Zabbix user parameters are declared straight from Hiera data.
  create_resources('::zabbix::userparameters', $zabbix_client_userparameters)

  file { '/var/backups/':
    ensure => directory,
    owner  => 'root',
    group  => 'root',
    mode   => '0755',
  }
}
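# == Class: profiles::dovecot
#
# Dovecot IMAP profile: configures Dovecot from Hiera, installs the SQL and
# custom namespace config files, creates the backing MySQL database and the
# vmail user/group, and opens IMAPS/POP3S in Shorewall.
#
class profiles::dovecot {

  ## Hiera lookups
  $dovecot_plugins                    = hiera('profiles::dovecot::plugins')
  $dovecot_protocols                  = hiera('profiles::dovecot::protocols')
  $dovecot_verbose_proctitle          = hiera('profiles::dovecot::verbose_proctitle')
  $dovecot_auth_include               = hiera('profiles::dovecot::auth_include')
  $dovecot_disable_plaintext_auth     = hiera('profiles::dovecot::disable_plaintext_auth')
  $dovecot_auth_mechanisms            = hiera('profiles::dovecot::auth_mechanisms')
  $dovecot_mail_location              = hiera('profiles::dovecot::mail_location')
  $dovecot_auth_listener_userdb_mode  = hiera('profiles::dovecot::auth_listener_userdb_mode')
  $dovecot_auth_listener_userdb_group = hiera('profiles::dovecot::auth_listener_userdb_group')
  $dovecot_auth_listener_postfix      = hiera('profiles::dovecot::auth_listener_postfix')
  $dovecot_ssl                        = hiera('profiles::dovecot::ssl')
  $dovecot_ssl_cert                   = hiera('profiles::dovecot::ssl_cert')
  $dovecot_ssl_key                    = hiera('profiles::dovecot::ssl_key')
  $dovecot_postmaster_address         = hiera('profiles::dovecot::postmaster_address')
  $dovecot_hostname                   = hiera('profiles::dovecot::hostname')
  $dovecot_lda_mail_plugins           = hiera('profiles::dovecot::lda_mail_plugins')
  $dovecot_auth_sql_userdb_static     = hiera('profiles::dovecot::auth_sql_userdb_static')
  $dovecot_log_timestamp              = hiera('profiles::dovecot::log_timestamp')
  $dovecot_dbname                     = hiera('profiles::dovecot::dbname')
  $dovecot_dbuser                     = hiera('profiles::dovecot::dbuser')
  # NOTE(review): the database password is read from Hiera as-is; confirm the
  # backing data is encrypted at rest (for example with an encrypted Hiera
  # backend) rather than stored in plain text.
  $dovecot_dbpassword                 = hiera('profiles::dovecot::dbpassword')
  $dovecot_dbhost                     = hiera('profiles::dovecot::dbhost')
  $dovecot_dbgrants                   = hiera('profiles::dovecot::dbgrants')
  $dovecot_lmtp_socket_path           = hiera('profiles::dovecot::lmtp_socket_path')
  $dovecot_lmtp_socket_user           = hiera('profiles::dovecot::lmtp_socket_user')
  $dovecot_lmtp_socket_group          = hiera('profiles::dovecot::lmtp_socket_group')
  $dovecot_lmtp_socket_mode           = hiera('profiles::dovecot::lmtp_socket_mode')
  $dovecot_lmtp_mail_plugins          = hiera('profiles::dovecot::lmtp_mail_plugins')

  # Authentication hardening (disable_plaintext_auth, auth_mechanisms, ssl)
  # is entirely Hiera-driven; this class sets no minimum.
  class { '::dovecot':
    plugins                    => $dovecot_plugins,
    protocols                  => $dovecot_protocols,
    verbose_proctitle          => $dovecot_verbose_proctitle,
    auth_include               => $dovecot_auth_include,
    disable_plaintext_auth     => $dovecot_disable_plaintext_auth,
    auth_mechanisms            => $dovecot_auth_mechanisms,
    mail_location              => $dovecot_mail_location,
    auth_listener_userdb_mode  => $dovecot_auth_listener_userdb_mode,
    auth_listener_userdb_group => $dovecot_auth_listener_userdb_group,
    auth_listener_postfix      => $dovecot_auth_listener_postfix,
    ssl                        => $dovecot_ssl,
    ssl_cert                   => $dovecot_ssl_cert,
    ssl_key                    => $dovecot_ssl_key,
    postmaster_address         => $dovecot_postmaster_address,
    hostname                   => $dovecot_hostname,
    lda_mail_plugins           => $dovecot_lda_mail_plugins,
    auth_sql_userdb_static     => $dovecot_auth_sql_userdb_static,
    log_timestamp              => $dovecot_log_timestamp,
    lmtp_socket_path           => $dovecot_lmtp_socket_path,
    lmtp_socket_user           => $dovecot_lmtp_socket_user,
    lmtp_socket_group          => $dovecot_lmtp_socket_group,
    lmtp_socket_mode           => $dovecot_lmtp_socket_mode,
    # Must be the variable: without the leading '$' the literal word
    # 'dovecot_lmtp_mail_plugins' is passed instead of the Hiera value.
    lmtp_mail_plugins          => $dovecot_lmtp_mail_plugins,
  }

  # SQL lookup configuration, shipped as a static file.
  # NOTE(review): if this file embeds database credentials, confirm the
  # dovecot::file type installs it with restrictive permissions.
  dovecot::file { 'dovecot-sql.conf.ext':
    source => 'puppet:///modules/nab/dovecot/dovecot-sql.conf.ext',
  }

  # Add custom namespace
  dovecot::file { 'conf.d/95-custom.conf':
    source => 'puppet:///modules/nab/dovecot/95-custom.conf',
  }

  mysql::db { $dovecot_dbname:
    user     => $dovecot_dbuser,
    password => $dovecot_dbpassword,
    host     => $dovecot_dbhost,
    grant    => $dovecot_dbgrants,
  }

  # Mail storage tree, owned by the virtual mail user.
  # NOTE(review): no mode is set, so permissions fall back to defaults;
  # consider an explicit restrictive mode for the mail store.
  file { ['/var/mail/vhosts/', '/var/mail/vhosts/nab.net']:
    ensure  => directory,
    owner   => 'vmail',
    group   => 'vmail',
    require => User['vmail'],
  }

  # Virtual mail owner.
  # NOTE(review): this service account gets an interactive shell (/bin/bash);
  # a non-login shell is the usual choice unless interactive use is required.
  # NOTE(review): 'vmail' is set as a supplementary group (groups) and the
  # group has no fixed gid while the uid is pinned - confirm this is intended.
  user { 'vmail':
    ensure  => present,
    uid     => '5000',
    groups  => 'vmail',
    shell   => '/bin/bash',
    home    => '/home/vmail',
    require => Group['vmail'],
  }

  group { 'vmail':
    ensure => present,
  }

  # IMAPS and POP3S are accepted from the whole 'net' zone.
  shorewall::rule { 'allow secure IMAP':
    source          => 'net',
    destination     => '$FW',
    proto           => 'tcp',
    destinationport => '993',
    order           => '200',
    action          => 'ACCEPT',
  }

  shorewall::rule { 'allow secure POP3':
    source          => 'net',
    destination     => '$FW',
    proto           => 'tcp',
    destinationport => '995',
    order           => '200',
    action          => 'ACCEPT',
  }
}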
# == Class: profiles::confluence
#
# Atlassian Confluence profile: PostgreSQL database, an SELinux policy
# module, an Apache TLS reverse proxy in front of the application, the
# firewall rule for HTTPS and the Confluence installation itself.
#
class profiles::confluence {

  ## Hiera lookups
  $confluence_version        = hiera('profiles::confluence::version')
  $confluence_installdir     = hiera('profiles::confluence::installdir')
  $confluence_homedir        = hiera('profiles::confluence::homedir')
  $confluence_javahome       = hiera('profiles::confluence::javahome')
  $confluence_manage_service = hiera('profiles::confluence::manage_service')
  $confluence_user           = hiera('profiles::confluence::user')
  $confluence_group          = hiera('profiles::confluence::group')
  $confluence_dbuser         = hiera('profiles::confluence::dbuser')
  # NOTE(review): the database password is read from Hiera as-is; confirm the
  # backing data is encrypted at rest rather than stored in plain text.
  $confluence_dbpassword     = hiera('profiles::confluence::dbpassword')
  $confluence_dbname         = hiera('profiles::confluence::dbname')
  $confluence_dbhost         = hiera('profiles::confluence::dbhost')
  $confluence_jvm_xms        = hiera('profiles::confluence::jvm_xms')
  $confluence_jvm_xmx        = hiera('profiles::confluence::jvm_xmx')
  $confluence_java_opts      = hiera('profiles::confluence::java_opts')
  $confluence_format         = hiera('profiles::confluence::format')
  # NOTE(review): the installer is fetched from this URL; confirm it is an
  # HTTPS location and that the downloaded archive is integrity-checked.
  $confluence_downloadURL    = hiera('profiles::confluence::downloadURL')
  $confluence_tomcat_proxy   = hiera_hash('profiles::confluence::tomcat_proxy')

  include profiles::jdk_oracle

  ## Create database for confluence
  include profiles::postgres

  # The role password is stored in hashed form via postgresql_password().
  postgresql::server::db { $confluence_dbname:
    user     => $confluence_dbuser,
    password => postgresql_password($confluence_dbuser, $confluence_dbpassword),
    encoding => 'UTF8',
  }

  # Local SELinux policy module for httpd on this host.
  ::selinux::module { 'NAB_dryad_httpd':
    ensure => 'present',
    source => 'puppet:///modules/nab/selinux/NAB_dryad_httpd.te',
  }

  include apache

  ## Setup Apache reverse proxy to Confluence app server
  # TLS terminates here; the backend is plain HTTP on localhost:8090.
  # NOTE(review): with an http:// backend, ssl_proxyengine looks unnecessary -
  # confirm. TLS protocol and cipher choices are not set on this vhost and so
  # come from the apache module/site defaults; verify they meet policy.
  apache::vhost { 'docs.tamazaki.com-443':
    port                => '443',
    docroot             => '/opt/confluence/',
    ssl                 => true,
    ssl_cert            => '/etc/pki/tls/certs/tamazaki.com.crt',
    ssl_chain           => '/etc/pki/tls/certs/tamazaki.com.bundle',
    ssl_key             => '/etc/pki/tls/private/tamazaki.com.key',
    ssl_proxyengine     => true,
    proxy_preserve_host => true,
    proxy_pass          => [
      { 'path' => '/', 'url' => 'http://localhost:8090/' },
    ],
  }

  # Redirect HTTP to HTTPS
  # NOTE(review): the redirect target is built from the request's Host header
  # (%{HTTP_HOST}); using the fixed site hostname would avoid reflecting a
  # client-chosen host in the Location response.
  # NOTE(review): no firewall rule for port 80 is declared in this class, so
  # this vhost is reachable only if port 80 is opened elsewhere.
  apache::vhost { 'docs.tamazaki.com-80':
    port     => '80',
    docroot  => '/opt/confluence/',
    rewrites => [
      {
        comment      => 'redirect to https',
        rewrite_cond => ['%{HTTPS} off'],
        rewrite_rule => ['(.*) https://%{HTTP_HOST}%{REQUEST_URI}'],
      },
    ],
  }

  # HTTPS is accepted from the whole 'net' zone.
  # NOTE(review): the title 'allow https' is generic; another class declaring
  # a shorewall::rule with the same title on the same node would fail
  # compilation as a duplicate declaration.
  shorewall::rule { 'allow https':
    source          => 'net',
    destination     => '$FW',
    proto           => 'tcp',
    destinationport => '443',
    order           => '200',
    action          => 'ACCEPT',
  }

  # Parent directories that must exist before Confluence is installed.
  # NOTE(review): owner, group and mode are not set on these directories.
  file { ['/var/atlassian/', '/var/atlassian/application-data/']:
    ensure => directory,
    before => Class['::confluence'],
  }

  file { '/opt/atlassian':
    ensure => directory,
    before => Class['::confluence'],
  }

  class { '::confluence':
    version        => $confluence_version,
    installdir     => $confluence_installdir,
    homedir        => $confluence_homedir,
    javahome       => $confluence_javahome,
    manage_service => $confluence_manage_service,
    user           => $confluence_user,
    group          => $confluence_group,
    jvm_xms        => $confluence_jvm_xms,
    jvm_xmx        => $confluence_jvm_xmx,
    java_opts      => $confluence_java_opts,
    format         => $confluence_format,
    downloadURL    => $confluence_downloadURL,
    tomcat_proxy   => $confluence_tomcat_proxy,
  }
}
# == Class: profiles::mysqlserver
#
# MySQL server profile: installs and configures the server from Hiera,
# applies the account_security cleanup and schedules database backups.
#
class profiles::mysqlserver {

  ## Hiera lookups
  # NOTE(review): the root and backup passwords are read from Hiera as-is;
  # confirm the backing data is encrypted at rest rather than plain text.
  $mysql_root_pass        = hiera('profiles::mysqlserver::root_pass')
  $mysql_override_options = hiera_hash('profiles::mysqlserver::override_options')
  $mysql_users            = hiera_hash('profiles::mysqlserver::users',{})
  $mysql_grants           = hiera_hash('profiles::mysqlserver::grants',{})
  $mysql_databases        = hiera_hash('profiles::mysqlserver::databases',{})
  $mysql_backup_ensure    = hiera('profiles::mysqlserver::backup_ensure')
  $mysql_backupuser       = hiera('profiles::mysqlserver::backupuser')
  $mysql_backuppassword   = hiera('profiles::mysqlserver::backuppassword')
  $mysql_backupdir        = hiera('profiles::mysqlserver::backupdir')
  $mysql_backupdirmode    = hiera('profiles::mysqlserver::backupdirmode')
  $mysql_backupdirowner   = hiera('profiles::mysqlserver::backupdirowner')
  $mysql_backupdirgroup   = hiera('profiles::mysqlserver::backupdirgroup')
  $mysql_backup_time      = hiera('profiles::mysqlserver::backup_time')
  $mysql_backupdatabases  = hiera_array('profiles::mysqlserver::backupdatabases')

  # Users and grants are merged from every Hiera level, so any level of the
  # hierarchy can add database accounts or privileges.
  class { '::mysql::server':
    root_password    => $mysql_root_pass,
    override_options => $mysql_override_options,
    users            => $mysql_users,
    grants           => $mysql_grants,
    databases        => $mysql_databases,
  }

  # Create databases
  #create_resources('::mysql::db', $mysql_databases)

  # Delete default MySQL accounts
  include mysql::server::account_security

  # Backup databases
  # The dump directory's mode, owner and group come from Hiera.
  # NOTE(review): dumps hold full database contents; confirm the configured
  # mode keeps the directory unreadable to other local users.
  class { '::backup::mysql':
    ensure          => $mysql_backup_ensure,
    backupuser      => $mysql_backupuser,
    backuppassword  => $mysql_backuppassword,
    backupdir       => $mysql_backupdir,
    backupdirmode   => $mysql_backupdirmode,
    backupdirowner  => $mysql_backupdirowner,
    backupdirgroup  => $mysql_backupdirgroup,
    time            => $mysql_backup_time,
    backupdatabases => $mysql_backupdatabases,
  }
}
# == Class: profiles::piwik
#
# Piwik profile: MySQL database and grants, nginx configuration with vhosts
# and locations from Hiera, PHP from the Remi repository, the web root and
# the firewall rule for HTTPS.
#
class profiles::piwik {

  ## Hiera lookups
  $nginx_mail                  = hiera('profiles::piwik::nginx::mail')
  $nginx_worker_processes      = hiera('profiles::piwik::nginx::worker_processes')
  $nginx_server_tokens         = hiera('profiles::piwik::nginx::server_tokens')
  $nginx_nginx_error_log       = hiera('profiles::piwik::nginx::nginx_error_log')
  $nginx_http_access_log       = hiera('profiles::piwik::nginx::http_access_log')
  $nginx_proxy_cache_path      = hiera('profiles::piwik::nginx::proxy_cache_path')
  $nginx_proxy_cache_levels    = hiera('profiles::piwik::nginx::proxy_cache_levels')
  $nginx_proxy_cache_keys_zone = hiera('profiles::piwik::nginx::proxy_cache_keys_zone')
  $nginx_proxy_cache_max_size  = hiera('profiles::piwik::nginx::proxy_cache_max_size')
  $nginx_vhosts                = hiera('profiles::piwik::nginx::vhosts')
  $nginx_locations             = hiera('profiles::piwik::nginx::locations')
  $php_ensure                  = hiera('profiles::piwik::php::php_ensure')
  $php_manage_repos            = hiera('profiles::piwik::php::php_manage_repos')
  $php_fpm                     = hiera('profiles::piwik::php::php_fpm')
  $php_dev                     = hiera('profiles::piwik::php::php_dev')
  $php_composer                = hiera('profiles::piwik::php::php_composer')
  $php_pear                    = hiera('profiles::piwik::php::php_pear')
  $php_phpunit                 = hiera('profiles::piwik::php::php_phpunit')
  $php_extensions              = hiera_hash('profiles::piwik::php::php_extensions')
  $php_fpm_settings            = hiera_hash('profiles::piwik::php::php_fpm_settings')
  $remi_enabled                = hiera('profiles::piwik::remi::remi_enabled')
  $remi_extras                 = hiera('profiles::piwik::remi::remi_extras')
  $remi_php55_repo             = hiera('profiles::piwik::remi::remi_php55_repo')
  $piwik_dbname                = hiera('profiles::piwik::mysql::piwik_dbname')
  $piwik_dbuser                = hiera('profiles::piwik::mysql::piwik_dbuser')
  # NOTE(review): the database password is read from Hiera as-is; confirm the
  # backing data is encrypted at rest rather than stored in plain text.
  $piwik_dbpassword            = hiera('profiles::piwik::mysql::piwik_dbpassword')
  $piwik_dbhost                = hiera('profiles::piwik::mysql::piwik_dbhost')
  $piwik_dbgrants              = hiera('profiles::piwik::mysql::piwik_dbgrants')

  include profiles::mysqlserver

  mysql::db { $piwik_dbname:
    user     => $piwik_dbuser,
    password => $piwik_dbpassword,
    host     => $piwik_dbhost,
    grant    => $piwik_dbgrants,
  }

  # Server-wide (*.*) FILE privilege for the application account, granted
  # WITH GRANT OPTION. FILE lets the account read and write files on the
  # database host through the server, and the GRANT option lets it pass on
  # privileges it holds to other accounts.
  # NOTE(review): confirm both are required; dropping the 'GRANT' option
  # would narrow this. The grant is fixed to @localhost while the database
  # above uses the Hiera-supplied host - confirm they are meant to match.
  mysql_grant { "${piwik_dbuser}@localhost/*.*":
    ensure     => 'present',
    options    => ['GRANT'],
    privileges => ['FILE'],
    table      => '*.*',
    user       => "${piwik_dbuser}@localhost",
  }

  class { '::nginx::config':
    mail                  => $nginx_mail,
    worker_processes      => $nginx_worker_processes,
    server_tokens         => $nginx_server_tokens,
    nginx_error_log       => $nginx_nginx_error_log,
    http_access_log       => $nginx_http_access_log,
    proxy_cache_path      => $nginx_proxy_cache_path,
    proxy_cache_levels    => $nginx_proxy_cache_levels,
    proxy_cache_keys_zone => $nginx_proxy_cache_keys_zone,
    proxy_cache_max_size  => $nginx_proxy_cache_max_size,
  }

  include nginx

  file { ['/srv', '/srv/www']:
    ensure => directory,
  }

  # Web root, recursively owned by 'apache'.
  # NOTE(review): if the PHP workers also run as 'apache', the application
  # can rewrite its own code; confirm that is intended.
  file { '/srv/www/piwik':
    ensure  => directory,
    group   => 'apache',
    owner   => 'apache',
    recurse => true,
  }

  # Virtual hosts and locations are declared straight from Hiera data.
  create_resources('::nginx::resource::vhost', $nginx_vhosts)
  create_resources('::nginx::resource::location', $nginx_locations)

  # The Remi repository must be configured before PHP is installed from it.
  Class['::remi'] -> Class['::php']

  class { '::remi':
    enabled => $remi_enabled,
    extras  => $remi_extras,
    php55   => $remi_php55_repo,
  }

  # NOTE(review): dev, composer, pear and phpunit are build/test tooling;
  # confirm the Hiera values leave them off on production hosts.
  class { '::php':
    ensure       => $php_ensure,
    manage_repos => $php_manage_repos,
    fpm          => $php_fpm,
    dev          => $php_dev,
    composer     => $php_composer,
    pear         => $php_pear,
    phpunit      => $php_phpunit,
    extensions   => $php_extensions,
    settings     => $php_fpm_settings,
  }

  # HTTPS is accepted from the whole 'net' zone.
  # NOTE(review): the title 'allow https' is generic; another class declaring
  # a shorewall::rule with the same title on the same node would fail
  # compilation as a duplicate declaration.
  shorewall::rule { 'allow https':
    source          => 'net',
    destination     => '$FW',
    proto           => 'tcp',
    destinationport => '443',
    order           => '200',
    action          => 'ACCEPT',
  }
}