Merge branch 'master' of git+ssh://puppet.debian.org/srv/puppet.debian.org/git/dsa...

* 'master' of git+ssh://puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet:
  A comma, a comma, my kingdom for a comma.  (Typo fix)
  Only use bacula on berlioz for now
  Make sure to get rid of any old client configs
  Adjust path for bacula storage
  Whitespace, cargo-cult a ferm rule bit
  Allow all debian hosts access to the bacula storage
  More fqdns
  Use fqdn as the client name, at least for now
  Typo
  Allow some bacula director traffic too
  Add swiss domains
  Autogenerate the largest part of this file
  Make named.conf.debian-zones a template
  Drop using subchains here, since they give me a syntax error
  Ensure we get string interpolation for director address
  Allow traffic from bacula-director to fd
  Back up berlioz using bacula
  Add initial client configuration

diff --git a/manifests/site.pp b/manifests/site.pp
index 07bc8ea..40d9d33 100644 (file)
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -44,6 +44,10 @@ node default {
                include bacula::director
        }
 
+       if $::hostname in [berlioz] {
+               include bacula::client
+       }
+
        if $::hostname == 'beethoven' {
                include bacula::storage
        }

diff --git a/modules/bacula/manifests/bacula.pp b/modules/bacula/manifests/bacula.pp
index 9dde19d..6643e09 100644 (file)
--- a/modules/bacula/manifests/bacula.pp
+++ b/modules/bacula/manifests/bacula.pp
@@ -4,7 +4,7 @@ class bacula {
 
   $bacula_director_name     = "debian-dir"
   $bacula_storage_name      = "debian-sd"
-  $bacula_client_name       = "$hostname-fd"
+  $bacula_client_name       = "$fqdn-fd"
   $bacula_monitor_name      = "debian-mon"
   $bacula_filestor_name     = "File"
   $bacula_filestor_device   = "FileStorage"
@@ -18,12 +18,12 @@ class bacula {
   $bacula_db_address        = "danzi.debian.org"
   $bacula_db_port           = 5433
 
-  $bacula_backup_path       = "/srv/backup.debian.org/bacula"
+  $bacula_backup_path       = "/srv/bacula"
 
   $bacula_director_secret   = hmac("/etc/puppet/secret", "bacula-dir-$hostname")
   $bacula_db_secret         = hmac("/etc/puppet/secret", "bacula-db-$hostname")
   $bacula_storage_secret    = hmac("/etc/puppet/secret", "bacula-sd-$bacula_storage_name")
-  $bacula_client_secret     = hmac("/etc/puppet/secret", "bacula-fd-$hostname")
+  $bacula_client_secret     = hmac("/etc/puppet/secret", "bacula-fd-$fqdn")
   $bacula_monitor_secret    = hmac("/etc/puppet/secret", "bacula-monitor-$bacula_director_name")
 
   package {

diff --git a/modules/bacula/manifests/client.pp b/modules/bacula/manifests/client.pp
new file mode 100644 (file)
index 0000000..879978c
--- /dev/null
+++ b/modules/bacula/manifests/client.pp
@@ -0,0 +1,38 @@
+class bacula::client inherits bacula {
+
+  package {
+    "bacula-client": ensure => installed;
+    "bacula-fd": ensure => installed;
+  }
+
+  service {
+    "bacula-fd":
+      ensure => running,
+      enable => true,
+      hasstatus => true,
+      require => Package["bacula-fd"];
+  }
+
+  file {
+    "/etc/bacula/bacula-fd.conf":
+      content => template("bacula/bacula-fd.conf.erb"),
+      mode => 640,
+      owner => root,
+      group => bacula,
+      require => Package["bacula-fd"],
+      notify  => Exec["bacula-fd restart"]
+      ;
+  }
+
+  exec {
+    "bacula-fd restart":
+      path        => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin",
+      refreshonly => true;
+  }
+
+  @ferm::rule { 'dsa-bacula-fd':
+    domain      => '(ip)',
+    description => 'Allow bacula access from storage and director',
+    rule        => "proto tcp mod state state (NEW) dport (bacula-fd) saddr ($bacula_director_address) ACCEPT",
+  }
+}

diff --git a/modules/bacula/manifests/director.pp b/modules/bacula/manifests/director.pp
index 40720b7..b94a999 100644 (file)
--- a/modules/bacula/manifests/director.pp
+++ b/modules/bacula/manifests/director.pp
@@ -18,6 +18,7 @@ class bacula::director inherits bacula {
       ensure  => directory,
       mode => 755,
       group => bacula,
+      purge => true,
       notify  => Exec["bacula-director restart"]
       ;
     "/etc/bacula/bacula-dir.conf":
@@ -50,7 +51,14 @@ class bacula::director inherits bacula {
       ;
     }
   }
-  $allhosts = keys($site::allnodeinfo)
-
+#  $allhosts = keys($site::allnodeinfo)
+  $allhosts = [ "berlioz.debian.org" ]
   bacula_client { $allhosts: }
+
+  @ferm::rule { 'dsa-bacula-dir':
+    domain      => '(ip ip6)',
+    description => 'Allow bacula access from localhost',
+    rule        => "proto tcp mod state state (NEW) dport (bacula-dir) saddr ($bacula_director_address localhost) ACCEPT",
+  }
+
 }

diff --git a/modules/bacula/manifests/storage.pp b/modules/bacula/manifests/storage.pp
index 5ed32b9..f0a09df 100644 (file)
--- a/modules/bacula/manifests/storage.pp
+++ b/modules/bacula/manifests/storage.pp
@@ -25,4 +25,18 @@ class bacula::storage inherits bacula {
       path        => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin",
       refreshonly => true;
   }
+
+  @ferm::rule { 'dsa-bacula-sd-v4':
+    domain      => '(ip)',
+    description => 'Allow bacula-sd access from director and clients',
+    rule         => 'proto tcp mod state state (NEW) dport (bacula-sd) @subchain \'bacula-sd\' { saddr ($HOST_DEBIAN_V4) ACCEPT; }',
+    notarule        => true,
+  }
+
+  @ferm::rule { 'dsa-bacula-sd-v6':
+    domain      => '(ip6)',
+    description => 'Allow bacula-sd access from director and clients',
+    rule         => 'proto tcp mod state state (NEW) dport (bacula-sd) @subchain \'bacula-sd\' { saddr ($HOST_DEBIAN_V6) ACCEPT; }',
+    notarule        => true,
+  }
 }

diff --git a/modules/bacula/templates/bacula-fd.conf.erb b/modules/bacula/templates/bacula-fd.conf.erb
new file mode 100644 (file)
index 0000000..b222569
--- /dev/null
+++ b/modules/bacula/templates/bacula-fd.conf.erb
@@ -0,0 +1,28 @@
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+##
+#  For Bacula release 5.0.1 (24 February 2010) -- debian 5.0.4
+
+# List Directors who are permitted to contact this File daemon
+Director {
+  Name = <%= bacula_director_name %>
+  Password = "<%= bacula_client_secret %>"
+}
+
+# "Global" File daemon configuration specifications
+FileDaemon {
+  Name = <%= bacula_client_name %>
+  FDport = <%= bacula_client_port %>
+  WorkingDirectory = /var/lib/bacula
+  Pid Directory = /var/run/bacula
+  Maximum Concurrent Jobs = 20
+  FDAddress = <%= fqdn %>
+  Maximum Network Buffer Size =        65536
+}
+
+# Send all messages except skipped files back to Director
+Messages {
+  Name = Standard
+  director = <%=bacula_director_name%> = all, !skipped, !restored
+}

diff --git a/modules/named/files/common/named.conf.debian-zones b/modules/named/files/common/named.conf.debian-zones
deleted file mode 100644 (file)
index 0dd0b1f..0000000
--- a/modules/named/files/common/named.conf.debian-zones
+++ /dev/null
@@ -1,252 +0,0 @@
-//
-// THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
-// USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
-//
-
-// Slave domains, include in bind.conf
-
-zone "debian.org" {
-       type slave;
-       notify no;
-       file "db.debian.org";
-       masters {
-               194.177.211.209; // orff
-               2001:648:2ffc:deb:213:72ff:fe69:e188; // orff
-               82.195.75.106; // draghi (backup master - requires manual reconfiguration on draghi)
-               2001:41b8:202:deb:216:36ff:fe40:3906; // draghi (see above)
-       };
-       allow-query { any; };
-       allow-transfer { };
-};
-
-zone "debian.net" {
-       type slave;
-       notify no;
-       file "db.debian.net";
-       masters {
-               194.177.211.209; // orff
-               2001:648:2ffc:deb:213:72ff:fe69:e188; // orff
-               82.195.75.106; // draghi (backup master - requires manual reconfiguration on draghi)
-               2001:41b8:202:deb:216:36ff:fe40:3906; // draghi (see above
-       };
-       allow-query { any; };
-       allow-transfer { };
-};
-
-zone "mirror.debian.net" {
-       type slave;
-       notify no;
-       file "db.mirror.debian.net";
-       masters {
-               194.177.211.209; // orff
-               2001:648:2ffc:deb:213:72ff:fe69:e188; // orff
-               82.195.75.106; // draghi (backup master - requires manual reconfiguration on draghi)
-               2001:41b8:202:deb:216:36ff:fe40:3906; // draghi (see above
-       };
-       allow-query { any; };
-       allow-transfer { };
-};
-
-zone "debian.com" {
-       type slave;
-       notify no;
-       file "db.debian.com";
-       masters {
-               194.177.211.209; // orff
-               2001:648:2ffc:deb:213:72ff:fe69:e188; // orff
-               82.195.75.106; // draghi (backup master - requires manual reconfiguration on draghi)
-               2001:41b8:202:deb:216:36ff:fe40:3906; // draghi (see above
-       };
-       allow-query { any; };
-       allow-transfer { };
-};
-
-// debian rack with sil.at
-zone "144-28.118.59.86.in-addr.arpa" {
-       type slave;
-       notify no;
-       file "db.86.59.118.144";
-       masters {
-               194.177.211.209; // orff
-               2001:648:2ffc:deb:213:72ff:fe69:e188; // orff
-               82.195.75.106; // draghi (backup master - requires manual reconfiguration on draghi)
-               2001:41b8:202:deb:216:36ff:fe40:3906; // draghi (see above
-       };
-       allow-query { any; };
-       allow-transfer { };
-};
-zone "2.0.0.0.2.0.0.0.8.5.8.0.1.0.0.2.ip6.arpa" {
-       type slave;
-       notify no;
-       file "db.2001:0858:0002:0002";
-       masters {
-               194.177.211.209; // orff
-               2001:648:2ffc:deb:213:72ff:fe69:e188; // orff
-               82.195.75.106; // draghi (backup master - requires manual reconfiguration on draghi)
-               2001:41b8:202:deb:216:36ff:fe40:3906; // draghi (see above
-       };
-       allow-query { any; };
-       allow-transfer { };
-};
-
-// debian rack with grnet
-zone "192-27.211.177.194.in-addr.arpa" {
-       type slave;
-       notify no;
-       file "db.194.177.211.192-27";
-       masters {
-               194.177.211.209; // orff
-               2001:648:2ffc:deb:213:72ff:fe69:e188; // orff
-               82.195.75.106; // draghi (backup master - requires manual reconfiguration on draghi)
-               2001:41b8:202:deb:216:36ff:fe40:3906; // draghi (see above
-       };
-       allow-query { any; };
-       allow-transfer { };
-};
-zone "b.e.d.0.c.f.f.2.8.4.6.0.1.0.0.2.ip6.arpa" {
-       type slave;
-       notify no;
-       file "db.2001:0648:2ffc:0deb";
-       masters {
-               194.177.211.209; // orff
-               2001:648:2ffc:deb:213:72ff:fe69:e188; // orff
-               82.195.75.106; // draghi (backup master - requires manual reconfiguration on draghi)
-               2001:41b8:202:deb:216:36ff:fe40:3906; // draghi (see above
-       };
-       allow-query { any; };
-       allow-transfer { };
-};
-
-
-// ipv6 at 1&1 - powell: 2001:08d8:0081:1520::/60
-zone "2.5.1.1.8.0.0.8.d.8.0.1.0.0.2.ip6.arpa" {
-       type slave;
-       notify no;
-       file "db.2001:08d8:0081:1520";
-       masters {
-               194.177.211.209; // orff
-               2001:648:2ffc:deb:213:72ff:fe69:e188; // orff
-               82.195.75.106; // draghi (backup master - requires manual reconfiguration on draghi)
-               2001:41b8:202:deb:216:36ff:fe40:3906; // draghi (see above
-       };
-       allow-query { any; };
-       allow-transfer { };
-};
-// ipv6 at 1&1 - wieck and schumann  - old range April 2011
-zone "2.6.a.0.4.6.5.6.1.0.0.0.2.0.0.0.8.d.8.0.1.0.0.2.ip6.arpa" {
-       type slave;
-       notify no;
-       file "db.2001:8d8:2:1:6564:0a62";
-       masters {
-               194.177.211.209; // orff
-               2001:648:2ffc:deb:213:72ff:fe69:e188; // orff
-               82.195.75.106; // draghi (backup master - requires manual reconfiguration on draghi)
-               2001:41b8:202:deb:216:36ff:fe40:3906; // draghi (see above
-       };
-       allow-query { any; };
-       allow-transfer { };
-};
-// ipv6 at 1&1 - wieck and schumann  - new range April 2011
-zone "2.6.a.0.4.6.5.6.0.0.4.0.0.8.5.0.8.d.8.0.1.0.0.2.ip6.arpa" {
-       type slave;
-       notify no;
-       file "db.2001:8d8:580:400:6564:a62";
-       masters {
-               194.177.211.209; // orff
-               2001:648:2ffc:deb:213:72ff:fe69:e188; // orff
-               82.195.75.106; // draghi (backup master - requires manual reconfiguration on draghi)
-               2001:41b8:202:deb:216:36ff:fe40:3906; // draghi (see above
-       };
-       allow-query { any; };
-       allow-transfer { };
-};
-
-// 19.12.206.in-addr.arpa zone - reverse zone for 206.12.19/24 - debian at UBC/ECE
-zone "19.12.206.in-addr.arpa" {
-       type slave;
-       notify no;
-       file "db.206.12.19";
-       masters {
-               194.177.211.209; // orff
-               2001:648:2ffc:deb:213:72ff:fe69:e188; // orff
-               82.195.75.106; // draghi (backup master - requires manual reconfiguration on draghi)
-               2001:41b8:202:deb:216:36ff:fe40:3906; // draghi (see above
-       };
-       allow-query { any; };
-       allow-transfer { };
-};
-
-// 0.0.0.4.0.1.6.0.0.f.8.f.7.0.6.2.ip6.arpa - reverse zone for 2607:f8f0:0610:4000::/64 - ubcece6
-zone "0.0.0.4.0.1.6.0.0.f.8.f.7.0.6.2.ip6.arpa" {
-       type slave;
-       notify no;
-       file "db.2607:f8f0:0610:4000";
-       masters {
-               194.177.211.209; // orff
-               2001:648:2ffc:deb:213:72ff:fe69:e188; // orff
-               82.195.75.106; // draghi (backup master - requires manual reconfiguration on draghi)
-               2001:41b8:202:deb:216:36ff:fe40:3906; // draghi (see above
-       };
-       allow-query { any; };
-       allow-transfer { };
-};
-
-// 0.0.0.0.5.0.0.0.8.7.a.0.1.0.0.2.ip6.arpa - reverse for 2001:a78:5:0::/64 (villa)
-zone "0.0.0.0.5.0.0.0.8.7.a.0.1.0.0.2.ip6.arpa" {
-       type slave;
-       notify no;
-       file "db.2001:0a78:0005:0000";
-       masters {
-               194.177.211.209; // orff
-               2001:648:2ffc:deb:213:72ff:fe69:e188; // orff
-               82.195.75.106; // draghi (backup master - requires manual reconfiguration on draghi)
-               2001:41b8:202:deb:216:36ff:fe40:3906; // draghi (see above
-       };
-       allow-query { any; };
-       allow-transfer { };
-};
-
-// 1.0.0.0.5.0.0.0.8.7.a.0.1.0.0.2.ip6.arpa - reverse for 2001:a78:5:1::/64 (lobos)
-zone "1.0.0.0.5.0.0.0.8.7.a.0.1.0.0.2.ip6.arpa" {
-       type slave;
-       notify no;
-       file "db.2001:0a78:0005:0001";
-       masters {
-               194.177.211.209; // orff
-               2001:648:2ffc:deb:213:72ff:fe69:e188; // orff
-               82.195.75.106; // draghi (backup master - requires manual reconfiguration on draghi)
-               2001:41b8:202:deb:216:36ff:fe40:3906; // draghi (see above
-       };
-       allow-query { any; };
-       allow-transfer { };
-};
-
-// 0.0.0.4.6.0.2.0.0.3.6.0.1.0.0.2.ip6.arpa - reverse for 2001:630:206:4000::/64 (sanger)
-zone "0.0.0.4.6.0.2.0.0.3.6.0.1.0.0.2.ip6.arpa" {
-       type slave;
-       notify no;
-       file "db.2001:0630:0206:4000";
-       masters {
-               194.177.211.209; // orff
-               2001:648:2ffc:deb:213:72ff:fe69:e188; // orff
-               82.195.75.106; // draghi (backup master - requires manual reconfiguration on draghi)
-               2001:41b8:202:deb:216:36ff:fe40:3906; // draghi (see above
-       };
-       allow-query { any; };
-       allow-transfer { };
-};
-
-
-zone "alioth.debian.org" {
-       type slave;
-       notify no;
-       file "db.alioth.debian.org";
-       masters {
-               217.196.43.132;
-       };
-       allow-query { any; };
-       allow-transfer { };
-};
-
-
-// vim:set syn=named:

diff --git a/modules/named/manifests/authoritative.pp b/modules/named/manifests/authoritative.pp
index a1024d8..d33e406 100644 (file)
--- a/modules/named/manifests/authoritative.pp
+++ b/modules/named/manifests/authoritative.pp
@@ -1,6 +1,6 @@
 class named::authoritative inherits named {
        file { '/etc/bind/named.conf.debian-zones':
-               source  => 'puppet:///modules/named/common/named.conf.debian-zones',
+               content => template('named/named.conf.debian-zones.erb'),
                notify  => Service['bind9'],
        }
        file { '/etc/bind/named.conf.options':

diff --git a/modules/named/templates/named.conf.debian-zones.erb b/modules/named/templates/named.conf.debian-zones.erb
new file mode 100644 (file)
index 0000000..1f5566d
--- /dev/null
+++ b/modules/named/templates/named.conf.debian-zones.erb
@@ -0,0 +1,83 @@
+//
+// THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+// USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+//
+
+// Slave domains, include in bind.conf
+
+<%
+zones = []
+
+zones << "debian.org"
+zones << "debian.net"
+zones << "mirror.debian.net"
+zones << "debian.com"
+
+zones << "debian.ch"
+zones << "debian.li"
+zones << "debconf13.ch"
+
+# debian rack with sil.at
+zones << "144-28.118.59.86.in-addr.arpa"
+zones << "2.0.0.0.2.0.0.0.8.5.8.0.1.0.0.2.ip6.arpa"
+
+# debian rack with grnet
+zones << "192-27.211.177.194.in-addr.arpa"
+zones << "b.e.d.0.c.f.f.2.8.4.6.0.1.0.0.2.ip6.arpa"
+
+# ipv6 at 1&1 - powell: 2001:08d8:0081:1520::/60
+zones << "2.5.1.1.8.0.0.8.d.8.0.1.0.0.2.ip6.arpa"
+
+# ipv6 at 1&1 - wieck and schumann  - old range April 2011
+zones << "2.6.a.0.4.6.5.6.1.0.0.0.2.0.0.0.8.d.8.0.1.0.0.2.ip6.arpa"
+
+# ipv6 at 1&1 - wieck and schumann  - new range April 2011
+zones << "2.6.a.0.4.6.5.6.0.0.4.0.0.8.5.0.8.d.8.0.1.0.0.2.ip6.arpa"
+
+# 19.12.206.in-addr.arpa zone - reverse zone for 206.12.19/24 - debian at UBC/ECE
+zones << "19.12.206.in-addr.arpa"
+
+# 0.0.0.4.0.1.6.0.0.f.8.f.7.0.6.2.ip6.arpa - reverse zone for 2607:f8f0:0610:4000::/64 - ubcece6
+zones << "0.0.0.4.0.1.6.0.0.f.8.f.7.0.6.2.ip6.arpa"
+
+# 0.0.0.0.5.0.0.0.8.7.a.0.1.0.0.2.ip6.arpa - reverse for 2001:a78:5:0::/64 (villa)
+zones << "0.0.0.0.5.0.0.0.8.7.a.0.1.0.0.2.ip6.arpa"
+
+# 1.0.0.0.5.0.0.0.8.7.a.0.1.0.0.2.ip6.arpa - reverse for 2001:a78:5:1::/64 (lobos)
+zones << "1.0.0.0.5.0.0.0.8.7.a.0.1.0.0.2.ip6.arpa"
+
+# 0.0.0.4.6.0.2.0.0.3.6.0.1.0.0.2.ip6.arpa - reverse for 2001:630:206:4000::/64 (sanger)
+zones << "0.0.0.4.6.0.2.0.0.3.6.0.1.0.0.2.ip6.arpa"
+
+zones.each do |zone|
+-%>
+
+zone "<%= zone %>" {
+       type slave;
+       notify no;
+       file "db.<%= zone %>";
+       masters {
+               194.177.211.209; // orff
+               2001:648:2ffc:deb:213:72ff:fe69:e188; // orff
+               82.195.75.106; // draghi (backup master - requires manual reconfiguration on draghi)
+               2001:41b8:202:deb:216:36ff:fe40:3906; // draghi (see above)
+       };
+       allow-query { any; };
+       allow-transfer { };
+};
+
+<% end -%>
+
+
+
+zone "alioth.debian.org" {
+       type slave;
+       notify no;
+       file "db.alioth.debian.org";
+       masters {
+               217.196.43.132;
+       };
+       allow-query { any; };
+       allow-transfer { };
+};
+