@traylenator
Created August 26, 2013 09:03
/*
# whitespace
We need a site.pp to define global class parameters,
basically.
*/
/* Set hostgroup variables in top scope. We need
to set anything that hiera needs very early, in
particular this will win over any facts present
on the box. */
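# Split the hostgroup path into its layers, one array element per
# '/'-separated component. Everything below derives the classes to load
# from this value.
# NOTE(review): $::hostgroup is read as a top-scope variable; confirm it is
# supplied by the ENC and cannot be set by an agent-reported fact, because it
# selects which classes end up in the node's catalog.
$hostarray = split($::hostgroup, '/')

# Indices 0..6 are consumed below, so a path of exactly seven layers is valid.
# Fail only when the path is longer than that; a '>= 7' test would also reject
# a seven-layer hostgroup and contradict the error message.
if size($hostarray) > 7 {
  fail("The length of the hostgroup isn't supported. Only 7 layers are supported.")
}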
# Expose each hostgroup layer as its own top-scope variable, $encgroup_0
# through $encgroup_6. A variable is assigned only when the matching element
# of $hostarray is truthy, so it stays unset otherwise.
# NOTE(review): presumably an index past the end of the array, and an empty
# path component, both evaluate as false here - confirm for the Puppet
# version in use.
if $hostarray[0] {
$encgroup_0 = $hostarray[0]
}
if $hostarray[1] {
$encgroup_1 = $hostarray[1]
}
if $hostarray[2] {
$encgroup_2 = $hostarray[2]
}
if $hostarray[3] {
$encgroup_3 = $hostarray[3]
}
if $hostarray[4] {
$encgroup_4 = $hostarray[4]
}
if $hostarray[5] {
$encgroup_5 = $hostarray[5]
}
if $hostarray[6] {
$encgroup_6 = $hostarray[6]
}
# Prefix placed in front of the first hostgroup layer when class names are
# built further down; looked up in hiera under 'hostgroup_prefix', with 'hg_'
# as the fallback value.
$hostgroup_prefix = hiera('hostgroup_prefix', 'hg_')
# Two extra run stages around the default 'main' stage: 'osrepos' is ordered
# before it and 'late' after it.
stage { 'osrepos':
  before => Stage['main'],
}

stage { 'late':
  require => Stage['main'],
}

# The osrepos class is assigned to the 'osrepos' stage declared above.
class { 'osrepos':
  stage => 'osrepos',
}

# Declared unconditionally at top scope.
class { 'base': }
# Load one class per hostgroup layer, from the shortest class name to the
# longest: <prefix><first layer>, then <prefix><first layer>::<second layer>,
# and so on, each layer guarded by its own $encgroup_N test.
# loadclass_ifexists() is not defined in this file; judging by its name it
# presumably skips class names that do not exist - confirm.
# NOTE(review): the class names are assembled directly from the hostgroup
# path components, so whoever controls $::hostgroup controls which classes
# are applied; verify the components are restricted to valid class-name
# characters at the source.
# NOTE(review): when the first real layer is unset (for example a hostgroup
# of just 'base'), the first call receives only the prefix; verify
# loadclass_ifexists() tolerates that.
# If /base is first hostgroup then we ignore and consider
# the next one the real first hostgroup.
if $encgroup_0 == 'base' {
# 'base' is skipped: layer 1 becomes the root of the class name.
$encgroup_1hg = "${hostgroup_prefix}${encgroup_1}"
loadclass_ifexists($encgroup_1hg)
if $encgroup_2 {
loadclass_ifexists("${encgroup_1hg}::${encgroup_2}")
}
if $encgroup_3 {
loadclass_ifexists("${encgroup_1hg}::${encgroup_2}::${encgroup_3}")
}
if $encgroup_4 {
loadclass_ifexists("${encgroup_1hg}::${encgroup_2}::${encgroup_3}::${encgroup_4}")
}
if $encgroup_5 {
loadclass_ifexists("${encgroup_1hg}::${encgroup_2}::${encgroup_3}::${encgroup_4}::${encgroup_5}")
}
if $encgroup_6 {
loadclass_ifexists("${encgroup_1hg}::${encgroup_2}::${encgroup_3}::${encgroup_4}::${encgroup_5}::${encgroup_6}")
}
} else {
# Layer 0 is the root of the class name.
$encgroup_0hg = "${hostgroup_prefix}${encgroup_0}"
loadclass_ifexists($encgroup_0hg)
if $encgroup_1 {
loadclass_ifexists("${encgroup_0hg}::${encgroup_1}")
}
if $encgroup_2 {
loadclass_ifexists("${encgroup_0hg}::${encgroup_1}::${encgroup_2}")
}
if $encgroup_3 {
loadclass_ifexists("${encgroup_0hg}::${encgroup_1}::${encgroup_2}::${encgroup_3}")
}
if $encgroup_4 {
loadclass_ifexists("${encgroup_0hg}::${encgroup_1}::${encgroup_2}::${encgroup_3}::${encgroup_4}")
}
if $encgroup_5 {
loadclass_ifexists("${encgroup_0hg}::${encgroup_1}::${encgroup_2}::${encgroup_3}::${encgroup_4}::${encgroup_5}")
}
if $encgroup_6 {
loadclass_ifexists("${encgroup_0hg}::${encgroup_1}::${encgroup_2}::${encgroup_3}::${encgroup_4}::${encgroup_5}::${encgroup_6}")
}
}
# can control things globally.
# Purge cron entries that are present on the node but not declared as cron
# resources in the catalog.
resources { 'cron':
  purge => true,
}
###### Beginning of firewall defaults.
# See: https://twiki.cern.ch/twiki/bin/view/AgileInfrastructure/PuppetIptables
# Derive the firewall defaults from the string value of $::writefirewall:
#   'true'  - firewall resources are applied, logged at 'verbose', and
#             firewall resources outside the catalog are purged.
#   'false' - firewall resources run in noop mode (nothing is changed on the
#             node), logged at 'debug', and nothing is purged.
# Any other value aborts catalog compilation, so a node cannot silently end
# up with an undefined firewall policy.
if $::writefirewall == 'true' {
  $firewallnoop     = false
  $firewallloglevel = 'verbose'
  $firewallpurge    = true
} elsif $::writefirewall == 'false' {
  $firewallnoop     = true
  $firewallloglevel = 'debug'
  $firewallpurge    = false
} else {
  fail('Variable $writefirewall must be set to true or false, see site.pp')
}
# fix for AI-1521, temporarily disabled
#exec { "blank_iptables_start":
# path => "/usr/bin:/usr/sbin:/bin",
# unless => "/sbin/service iptables status",
# command => '/sbin/iptables -L',
#}
# Defaults for every Firewall resource collected in the catalog. The same
# defaults apply whether or not $::writefirewall is 'true'; the difference
# between enforcing and dry-run is carried entirely by $firewallnoop.
# Each rule is ordered after cernfw::pre_cernfw and before
# cernfw::post_cernfw.
Firewall {
  noop     => $firewallnoop,
  loglevel => $firewallloglevel,
  before   => Class['cernfw::post_cernfw'],
  require  => Class['cernfw::pre_cernfw'],
}
# Firewall chains get the same noop and loglevel defaults as the rules.
Firewallchain {
  noop     => $firewallnoop,
  loglevel => $firewallloglevel,
}

# Firewall resources that are not declared in the catalog are purged only
# when $firewallpurge is true.
resources { 'firewall':
  purge => $firewallpurge,
}
###### End of firewall defaults.
###### Some defaults for yumrepo type.
if $::osfamily == 'RedHat' {
  # Runs only when notified (refreshonly), i.e. after a Yumrepo change.
  exec { 'yum-clean-all':
    command     => '/usr/bin/yum clean all',
    refreshonly => true,
  }

  # Defaults for every Yumrepo resource: tagged 'kickstart' and notifying
  # the exec above.
  # NOTE(review): the 'setup' stage is not declared in this file - confirm it
  # is provided elsewhere.
  Yumrepo {
    stage  => 'setup',
    tag    => 'kickstart',
    notify => Exec['yum-clean-all'],
  }
}
# Some defaults for sysctl type, in particular reload sysctl
# if entries are changed.
if $::kernel == 'Linux' {
  # Reloads /etc/sysctl.conf; runs only when notified (refreshonly).
  exec { 'load-sysctl':
    command     => '/sbin/sysctl -e -p /etc/sysctl.conf',
    refreshonly => true,
  }

  # Every Sysctl resource notifies the reload exec above, so changed entries
  # are loaded in the same run.
  Sysctl {
    notify => Exec['load-sysctl'],
  }
}
# End of sysctl.
#Windows ACL best practise (Owner: LocalSystem, Group: Administrators):
#https://groups.google.com/d/topic/puppet-users/0mu9E7ttN58/discussion
# Default ownership for File resources. On Windows the well-known SIDs for
# LocalSystem (S-1-5-18) and the Administrators group (S-1-5-32-544) are
# used; every other kernel gets root:root.
if $::kernel == 'windows' {
  $file_owner = 'S-1-5-18'
  $file_group = 'S-1-5-32-544'
} else {
  $file_owner = 'root'
  $file_group = 'root'
}

# Applied to every File resource that does not set owner/group itself.
File {
  owner => $file_owner,
  group => $file_group,
}