# The Puppet server itself. Node definitions are matched on the agent's
# certname, which is taken from its client certificate rather than from a
# fact the node reports about itself.
node 'puppet.example.com' {
  contain 'site::roles::puppet_server'
}
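---
# Hiera data for the 'common' level (lowest in the hierarchy). The nested
# keys below are consumed as hashes by the site profiles (hiera('...::main')
# etc.), so the indentation is structural, not cosmetic.

# Firewall
# Source ranges that site::firewall admits on every port and protocol. Keep
# this list tight: it is the only thing between these hosts and the
# Puppet/CA, PuppetDB and PostgreSQL listeners on the server.
trusted_networks:
  - '192.168.1.0/24'
  - '10.255.0.0/24'

# Puppet
# 'latest' upgrades the agent and server packages unattended on every run,
# so the control plane follows whatever the package repository publishes
# next. Pin explicit versions if upgrades should only happen on purpose.
site::puppet::puppet_package_ensure: 'latest'
site::puppet::server_package_ensure: 'latest'

# puppet.conf settings shared by agent and master (passed to the puppet
# module as main_settings).
site::puppet::settings::main:
  server: 'puppet'
  parser: 'future'
  ordering: 'manifest'
  pluginsync: true
  logdir: '/var/log/puppet'
  vardir: '/var/lib/puppet'
  ssldir: '/var/lib/puppet/ssl'
  rundir: '/var/run/puppet'

# Agent-side settings (passed as agent_settings).
site::puppet::settings::agent:
  certname: "%{::fqdn}"
  # show_diff writes the old and new content of every changed file to the
  # agent log and into reports; a password or key inside a managed file is
  # disclosed there as well. Turn it off globally, or per file resource for
  # anything sensitive.
  show_diff: true
  splay: false
  configtimeout: 360
  usecacheonfailure: true
  report: true
  environment: "%{::environment}"

# JVM/environment settings for the puppetserver process.
site::puppet::settings::server_default:
  JAVA_ARGS: '-Xms1g -Xmx1g -XX:MaxPermSize=256m'

# Master-side settings. ca: true makes this host the certificate authority;
# the CA key under ssldir is the root of trust for every node that enrolls.
site::puppet::settings::master:
  ca: true
  ssldir: '/var/lib/puppet/ssl'

# Do not bounce the master automatically when its PuppetDB wiring changes;
# such changes therefore need a manual restart before they take effect.
puppetdb::master::config::restart_puppet: false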
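---
# Hiera 1 configuration (this format expects symbol keys, hence the
# leading colons). :datadir belongs under :yaml:, so it is nested here.
:backends:
  - yaml

# Lookup order, most specific first. The first three levels are keyed on
# facts, and facts are reported by the agent itself: a node that can set
# its own hostname/location/role facts can select another level's data.
# Where a level carries anything sensitive, key it on trusted data
# (the certname from the client certificate) instead of a plain fact.
:hierarchy:
  - "node/%{::hostname}"
  - "location/%{::location}"
  - "role/%{::role}"
  - common

:yaml:
  :datadir: /etc/puppet/modules/site/data

# 'deeper' merges hashes across levels (this relies on the deep_merge gem
# being available on the master); hiera_array lookups such as
# trusted_networks also combine every matching level.
:merge_behavior: deeper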
# Puppetfile: modules fetched from GitHub into the environment by the
# deploy tool (r10k / librarian-puppet).
#
# Supply-chain note: a module with no :ref, or with a branch name as its
# :ref, resolves to whatever that upstream branch points at when the deploy
# runs, and nothing here verifies the fetched content. A release tag is
# better; a full commit SHA (as used for inifile below) is best, because it
# makes a deploy reproducible and keeps a rewritten or compromised upstream
# branch from silently changing code that runs as root on every node.

mod 'concat',
    git: 'https://github.com/puppetlabs/puppetlabs-concat',
    ref: '1.1.2'

# Unpinned: tracks the upstream default branch.
mod 'firewall',
    git: 'https://github.com/puppetlabs/puppetlabs-firewall'

# Pinned to an exact commit.
mod 'inifile',
    git: 'https://github.com/puppetlabs/puppetlabs-inifile',
    ref: '792d35cdb48fc2cba08ab578c1b7bc42ef3a0ace'

# Unpinned: tracks the upstream default branch.
mod 'ntp',
    git: 'https://github.com/puppetlabs/puppetlabs-ntp'

mod 'postgresql',
    git: 'https://github.com/puppetlabs/puppetlabs-postgresql',
    ref: '4.1.0'

# Branch of a personal fork, not a release: moves whenever its author pushes.
mod 'puppet',
    git: 'https://github.com/jtopjian/puppet-puppet',
    ref: 'puppetserver'

mod 'puppetdb',
    git: 'https://github.com/puppetlabs/puppetlabs-puppetdb',
    ref: '4.1.0'

# '4.4.x' is a maintenance branch, not a tag, so it can move between deploys.
mod 'stdlib',
    git: 'https://github.com/puppetlabs/puppetlabs-stdlib',
    ref: '4.4.x'
# Host firewall for every node: a small allow list followed by a default
# deny. Titles carry a numeric prefix because puppetlabs-firewall orders the
# rules in the chain by title.
#
# NOTE(review): these resources use the module's default provider, which
# manages IPv4 (iptables) only. The '999 drop all' rule therefore does not
# apply to IPv6 traffic; confirm ip6tables is handled elsewhere or that IPv6
# is disabled on these hosts.
class site::firewall {
  firewall { '000 accept all icmp':
    action => 'accept',
    proto  => 'icmp',
  }

  firewall { '001 accept all to lo interface':
    action  => 'accept',
    iniface => 'lo',
    proto   => 'all',
  }

  firewall { '002 accept related established rules':
    action  => 'accept',
    ctstate => ['RELATED', 'ESTABLISHED'],
    proto   => 'all',
  }

  # Every protocol and port is opened to each trusted range (the list is
  # merged across all hiera levels by hiera_array). That is a broad grant
  # for a host that is also the CA and runs PuppetDB/PostgreSQL; restrict it
  # to the served ports if any range contains hosts that should not reach
  # those listeners.
  $allowed_sources = hiera_array('trusted_networks')
  $allowed_sources.each |$cidr| {
    firewall { "003 allow all traffic from ${cidr}":
      action => 'accept',
      proto  => 'all',
      source => $cidr,
    }
  }

  # Default deny for anything not matched above.
  firewall { '999 drop all':
    action => 'drop',
    proto  => 'all',
  }
}
# Baseline for every node: time sync, the host firewall and a couple of
# operator conveniences. Declaration order matters here because puppet.conf
# sets ordering: manifest.
class site::profiles::base {
  class { '::ntp': }

  # The module's own class first (packages/service), then our rule set.
  # Nothing here purges unmanaged rules, so rules added by hand or by other
  # packages appear to survive alongside these.
  class { '::firewall': }
  class { '::site::firewall': }

  # ensure => latest re-checks the repository on every run and upgrades
  # unattended; pin versions if surprise upgrades are unwelcome.
  ['git', 'vim'].each |$tool| {
    package { $tool:
      ensure => latest,
    }
  }
}
# Profile for the Puppet master: puppetserver (acting as CA, per the hiera
# master settings) with PuppetDB and its PostgreSQL on the same host.
class site::profiles::puppet::server {
  # All configuration comes from hiera so the profile itself stays data-free.
  $cfg_main           = hiera('site::puppet::settings::main')
  $cfg_agent          = hiera('site::puppet::settings::agent')
  $cfg_master         = hiera('site::puppet::settings::master')
  $cfg_server_default = hiera('site::puppet::settings::server_default')
  $agent_pkg_ensure   = hiera('site::puppet::puppet_package_ensure')
  $server_pkg_ensure  = hiera('site::puppet::server_package_ensure')

  # NOTE(review): the module's puppet_package_ensure receives the *server*
  # value; $agent_pkg_ensure is looked up and then dropped. Confirm which is
  # intended (both keys are 'latest' in the hiera data today, so nothing
  # differs yet).
  class { '::puppet':
    server                  => true,
    main_settings           => $cfg_main,
    agent_settings          => $cfg_agent,
    master_settings         => $cfg_master,
    server_default_settings => $cfg_server_default,
    puppet_package_ensure   => $server_pkg_ensure,
  }

  # PuppetDB with module defaults: no listen addresses or database
  # credentials are set here, so whatever the module defaults to is what
  # runs. Review those, because site::firewall admits every port from the
  # trusted networks. The master is not restarted automatically when its
  # PuppetDB wiring changes (restart_puppet is false in hiera).
  class { 'puppetdb': }
  class { 'puppetdb::master::config': }
}
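# Puppet agent profile for ordinary (non-master) nodes.
class site::profiles::puppet::agent {
  # Hiera
  $main_settings         = hiera('site::puppet::settings::main')
  $agent_settings        = hiera('site::puppet::settings::agent')
  $puppet_package_ensure = hiera('site::puppet::puppet_package_ensure')

  # Resources
  class { '::puppet':
    main_settings         => $main_settings,
    agent_settings        => $agent_settings,
    # Previously this passed $server_package_ensure, which this class never
    # sets: the module got undef (or a failure under strict_variables) and
    # fell back to its own default instead of the hiera value looked up above.
    puppet_package_ensure => $puppet_package_ensure,
  }
}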
# Role for the Puppet server. Profiles are contained rather than included so
# that anything ordered against this role also waits for both profiles.
class site::roles::puppet_server {
  contain 'site::profiles::base'
  contain 'site::profiles::puppet::server'
}