From f833a1c122597f80da4d4095cae8d7d5bd852a7a Mon Sep 17 00:00:00 2001 
From: Tollef Fog Heen Date: Wed, 1 Jan 2014 16:12:14 +0100 Subject: [PATCH] Move all roles from local.yaml to hiera Hopefully this won't break anything. --- hieradata/common.yaml | 63 +++++++++ modules/apache2/manifests/init.pp | 10 ++ modules/apache2/templates/resource-limits.erb | 18 +-- modules/debian-org/misc/local.yaml | 40 ------ modules/exim/manifests/mx.pp | 2 +- modules/exim/templates/eximconf.erb | 52 ++++---- modules/exim/templates/manualroute.erb | 2 +- modules/ferm/templates/me.conf.erb | 6 +- .../lib/puppet/parser/functions/has_role.rb | 10 ++ modules/roles/manifests/buildd_master.pp | 5 + modules/roles/manifests/contributors.pp | 5 + modules/roles/manifests/dbmaster.pp | 5 + modules/roles/manifests/init.pp | 121 +++++++----------- modules/roles/manifests/lists.pp | 5 + modules/roles/manifests/nm.pp | 5 + modules/roles/manifests/piuparts.pp | 5 + modules/roles/manifests/release.pp | 5 + modules/roles/manifests/rtmaster.pp | 5 + modules/roles/manifests/security_tracker.pp | 5 + modules/roles/manifests/sso.pp | 5 + modules/roles/manifests/udd.pp | 5 + modules/roles/manifests/vote.pp | 5 + modules/samhain/templates/samhainrc.erb | 14 +- modules/site/manifests/init.pp | 1 + 24 files changed, 230 insertions(+), 169 deletions(-) create mode 100644 modules/puppetmaster/lib/puppet/parser/functions/has_role.rb create mode 100644 modules/roles/manifests/buildd_master.pp create mode 100644 modules/roles/manifests/contributors.pp create mode 100644 modules/roles/manifests/dbmaster.pp create mode 100644 modules/roles/manifests/lists.pp create mode 100644 modules/roles/manifests/nm.pp create mode 100644 modules/roles/manifests/piuparts.pp create mode 100644 modules/roles/manifests/release.pp create mode 100644 modules/roles/manifests/rtmaster.pp create mode 100644 modules/roles/manifests/security_tracker.pp create mode 100644 modules/roles/manifests/sso.pp create mode 100644 modules/roles/manifests/udd.pp create mode 100644 modules/roles/manifests/vote.pp 
diff --git a/hieradata/common.yaml b/hieradata/common.yaml index b6a900576..0196d1715 100644 --- a/hieradata/common.yaml +++ b/hieradata/common.yaml @@ -4,5 +4,68 @@ searchpaths: [] resolvoptions: [] allow_dns_query: [] roles: + bugsmx: + - buxtehude.debian.org + bugs_mirror: + - beach.debian.org + buildd_master: + - wuiet.debian.org + contributors: + - nono.debian.org + dbmaster: + - draghi.debian.org + extranrpeclient: + - orff.debian.org + ftp.d.o: + - klecker.debian.org + ftp_master: + - franck.debian.org + ftp.upload.d.o: + - franck.debian.org + - ravel.debian.org + keyring: + - kaufmann.debian.org + lists: + - bendel.debian.org + mailrelay: + - mailly.debian.org + - muffat.debian.org + muninmaster: + - menotti.debian.org + nagiosmaster: + - tchaikovsky.debian.org + nm: + - nono.debian.org + packagesmaster: + - picconi.debian.org + packagesqamaster: + - quantz.debian.org + piuparts: + - pejacevic.debian.org + pubsub: + - rainier.debian.org + - rapoport.debian.org puppetmaster: - handel.debian.org + release: + - franck.debian.org + rtmaster: + - reger.debian.org + security_master: + - chopin.debian.org + security_tracker: + - soler.debian.org + sso: + - diabelli.debian.org + syncproxy: + - milanollo.debian.org + udd: + - ullmann.debian.org + vote: + - vento.debian.org + weblog_destination: + - ravel.debian.org + wiki: + - wilder.debian.org + www_master: + - wolkenstein.debian.org diff --git a/modules/apache2/manifests/init.pp b/modules/apache2/manifests/init.pp index ae9f89487..b14d408d7 100644 --- a/modules/apache2/manifests/init.pp +++ b/modules/apache2/manifests/init.pp 
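Review bot: Several role names the new has_role() call sites look up have no entry in this map — `bugsmaster` (dropped from local.yaml's services block without a replacement), `static_master`, `static_source`, `static_mirror`, `buildd`, `porterbox`, `dns_primary`, `dns_secondary`, `apache2_www_mirror`, `apache2_security_mirror`, `weblog_provider` — so how has_role treats a missing key decides whether roles/init.pp and the exim, ferm and samhain templates still compile after this lands. Either add the missing keys here (an empty list where no host currently holds the role) or make the lookup tolerate absence, and say which in the commit message. A short header comment above `roles:` would also help the next person, e.g. `# roles: role name -> list of node FQDNs; read by $site::roles and the has_role() parser function. A role absent here is held by nobody.`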
@@ -33,6 +33,16 @@ class apache2 { ensure => absent, } + if $::fqdn in $site::roles['buildd_master'] { + $memlimit = 192 * 1024**2 + } elsif $::fqdn in $site::roles['nagiosmaster']{ + $memlimit = 96 * 1024**2 + } elsif $::fqdn in $site::roles['packagesqamaster']{ + $memlimit = 192 * 1024**2 + } else { + $memlimit = 32 * 1024**2 + } + apache2::config { 'resource-limits': content => template('apache2/resource-limits.erb'), } diff --git a/modules/apache2/templates/resource-limits.erb b/modules/apache2/templates/resource-limits.erb index 185db4e4c..895b93ce4 100644 --- a/modules/apache2/templates/resource-limits.erb +++ b/modules/apache2/templates/resource-limits.erb @@ -4,21 +4,5 @@ ## RLimitCPU 180 -<%= -if scope.lookupvar('site::nodeinfo')['buildd_master'] then - # buildd.debian.org - "RLimitMEM "+(192 * 1024**2).to_s -else - case fqdn - when "berlioz.debian.org" then - "" - when "tchaikovsky.debian.org" then - "RLimitMEM "+(96 * 1024**2).to_s - when "quantz.debian.org" then - "RLimitMEM "+(192 * 1024**2).to_s - else - "RLimitMEM "+(32 * 1024**2).to_s - end -end -%> +RLimitMEM <%= @memlimit %> RLimitNPROC 128 diff --git a/modules/debian-org/misc/local.yaml b/modules/debian-org/misc/local.yaml index 9210978be..b3cc7946a 100644 --- a/modules/debian-org/misc/local.yaml +++ b/modules/debian-org/misc/local.yaml 
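Review bot: `$::fqdn in $site::roles['buildd_master']` only works if class site has already been evaluated when apache2 is; otherwise `$site::roles` is undef and, as far as I recall Puppet 3, `in` against an undef right operand is a compile error rather than a fall-through to the 32 MiB default. Using the new `has_role('buildd_master')` function here, as roles/init.pp does in this same commit, keeps a single lookup path and the same failure mode everywhere. Separately, the template rewrite silently changes behaviour for one host: the old resource-limits.erb emitted no RLimitMEM line at all for berlioz.debian.org, while the new branch gives it the default `$memlimit = 32 * 1024**2`; if that is intended it deserves a sentence in the commit message.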
@@ -151,46 +151,6 @@ footer: dummy: foo #zandonai.debian.org: "Debian s390 buildd system kindly provided by Zentrum fuer Informationsverarbeitung und Informationstechnik [zivit]" #zelenka.debian.org: "Debian s390 porter system kindly provided by Zentrum fuer Informationsverarbeitung und Informationstechnik [zivit]" -services: - bugsmaster: - bugsmx: - - buxtehude.debian.org - bugs_mirror: - - beach.debian.org - dbmaster: - - draghi.debian.org - ftp_master: - - franck.debian.org - ftp.d.o: - - klecker.debian.org - ftp.upload.d.o: - - franck.debian.org - - ravel.debian.org - mailrelay: - - mailly.debian.org - - muffat.debian.org - muninmaster: - - menotti.debian.org - nagiosmaster: tchaikovsky.debian.org - extranrpeclient: - - orff.debian.org - packagesmaster: picconi.debian.org - packagesqamaster: quantz.debian.org - rtmaster: - - reger.debian.org - security_master: - - chopin.debian.org - syncproxy: - - milanollo.debian.org - www_master: - - wolkenstein.debian.org - keyring: - - kaufmann.debian.org - wiki: - - wilder.debian.org - pubsub: - - rainier.debian.org - - rapoport.debian.org host_settings: heavy_exim: - buxtehude.debian.org diff --git a/modules/exim/manifests/mx.pp b/modules/exim/manifests/mx.pp index 8931ec62e..54f1933b3 100644 --- a/modules/exim/manifests/mx.pp +++ b/modules/exim/manifests/mx.pp @@ -33,7 +33,7 @@ class exim::mx inherits exim { ensure => installed, } - if getfromhash($site::nodeinfo, 'mailrelay') { + if has_role('mailrelay') { file { '/etc/cron.d/dsa-email-virtualdomains': source => 'puppet:///modules/exim/dsa-email-virtualdomains.cron', } diff --git a/modules/exim/templates/eximconf.erb b/modules/exim/templates/eximconf.erb index bc847a1a3..b3ef52202 100644 --- a/modules/exim/templates/eximconf.erb +++ b/modules/exim/templates/eximconf.erb 
@@ -32,7 +32,7 @@ # flushing' operations, but should be populated with a list # of trusted machines. Wildcards are not permitted # bsmtp_domains - Domains that we deliver locally via bsmtp -<%- if scope.lookupvar('site::nodeinfo')['mailrelay'] -%> +<%- if scope.function_has_role('mailrelay') -%> # mailhubdomains - Domains for which we are the MX, but the mail is relayed # elsewhere. This is designed for use with small volume or # restricted machines that need to use a smarthost for mail @@ -125,7 +125,7 @@ hostlist debianhosts = <; ; 127.0.0.1 ; ::1 ; /var/lib/misc/thishost/debianhosts hostlist reservedaddrs = 0.0.0.0/8 : 127.0.0.0/8 : 10.0.0.0/8 : 169.254.0.0/16 : 172.16.0.0/12 : 192.0.0.0/24 : 192.168.0.0/16 : 224.0.0.0/4 : 240.0.0.0/5 : 248.0.0.0/5 -<%- if scope.lookupvar('site::nodeinfo')['mailrelay'] -%> +<%- if scope.function_has_role('mailrelay') -%> # Domains we relay for; that is domains that aren't considered local but we # accept mail for them. domainlist mailhubdomains = lsearch;/etc/exim4/manualroute @@ -215,7 +215,7 @@ ports = [] out = "daemon_smtp_ports = " ports << 25 -if scope.lookupvar('site::nodeinfo')['bugsmaster'] or scope.lookupvar('site::nodeinfo')['bugsmx'] +if scope.function_has_role('bugsmaster') or scope.function_has_role('bugsmx') ports << 587 end @@ -223,7 +223,7 @@ if not scope.lookupvar('site::nodeinfo')['mail_port'].to_s.empty? ports << scope.lookupvar('site::nodeinfo')['mail_port'] end -if scope.lookupvar('site::nodeinfo')['mailrelay'] +if scope.function_has_role('mailrelay') ports << scope.lookupvar('site::nodeinfo')['smarthost_port'] end @@ -292,7 +292,7 @@ acl_getprofile: hosts = !+debianhosts set acl_m_rprf = localonly -<%- if scope.lookupvar('site::nodeinfo')['mailrelay'] -%> +<%- if scope.function_has_role('mailrelay') -%> warn local_parts = +local_only_users domains = +mailhubdomains hosts = !+debianhosts 
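Review bot: `scope.function_has_role('mailrelay')` passes a bare string, whereas the Puppet 3 convention for calling a parser function from a template is an argument array, `scope.function_has_role(['mailrelay'])`; my recollection is that 3.x accepts the bare form only through a deprecated compatibility path that logs a warning each time the template is evaluated. The same form is used in every other hunk of this file and in manualroute.erb, me.conf.erb and samhainrc.erb, so whichever convention is chosen should be pinned once, ideally in a header comment on has_role.rb, rather than per call site. Since these conditionals gate the relay, submission and recipient ACLs, a template-render test on a mailrelay host and a non-mailrelay host before deploy would confirm the migrated checks evaluate the same way as the old nodeinfo lookups.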
@@ -301,28 +301,28 @@ acl_getprofile: <%- end -%> accept condition = ${if eq {$acl_m_rprf}{}{no}{yes}} -<%- if scope.lookupvar('site::nodeinfo')['rtmaster'] -%> +<%- if scope.function_has_role('rtmaster') -%> warn domains = rt.debian.org set acl_m_rprf = RTMail accept condition = ${if eq {$acl_m_rprf}{}{no}{yes}} <%- end -%> -<%- if scope.lookupvar('site::nodeinfo')['bugsmaster'] or scope.lookupvar('site::nodeinfo')['bugsmx'] -%> +<%- if scope.function_has_role('bugsmaster') or scope.function_has_role('bugsmx') -%> warn domains = bugs.debian.org set acl_m_rprf = BugsMail accept condition = ${if eq {$acl_m_rprf}{}{no}{yes}} <%- end -%> -<%- if scope.lookupvar('site::nodeinfo')['packagesmaster'] -%> +<%- if scope.function_has_role('packagesmaster') -%> warn domains = packages.debian.org set acl_m_rprf = PackagesMail accept condition = ${if eq {$acl_m_rprf}{}{no}{yes}} <%- end -%> -<%- if scope.lookupvar('site::nodeinfo')['packagesqamaster'] -%> +<%- if scope.function_has_role('packagesqamaster') -%> warn recipients = owner@packages.qa.debian.org : postmaster@packages.qa.debian.org set acl_m_rprf = PTSOwner @@ -394,7 +394,7 @@ check_helo: warn set acl_c_scr = 0 -<%- if scope.lookupvar('site::nodeinfo')['mailrelay'] -%> +<%- if scope.function_has_role('mailrelay') -%> accept verify = certificate <%- end -%> @@ -490,7 +490,7 @@ check_submission: # We do this by testing for an empty sending host field. accept hosts = +debianhosts -<%- if scope.lookupvar('site::nodeinfo')['mailrelay'] -%> +<%- if scope.function_has_role('mailrelay') -%> accept verify = certificate <%- end -%> @@ -511,7 +511,7 @@ check_submission: endpass verify = recipient -<%- if scope.lookupvar('site::nodeinfo')['mailrelay'] -%> +<%- if scope.function_has_role('mailrelay') -%> accept domains = +mailhubdomains endpass verify = recipient/callout=30s,defer_ok,use_sender,no_cache 
@@ -526,7 +526,7 @@ check_submission: #!!# ACL that is used after the RCPT command check_recipient: -<%- if scope.lookupvar('site::nodeinfo')['mailrelay'] -%> +<%- if scope.function_has_role('mailrelay') -%> accept verify = certificate <%- end -%> @@ -639,7 +639,7 @@ check_recipient: warn condition = ${if eq{$acl_m_prf}{localonly}} set acl_m_lrc = ${if eq{$acl_m_lrc}{}{$local_part@$domain}{$acl_m_lrc, $local_part@$domain}} -<%- if scope.lookupvar('site::nodeinfo')['packagesmaster'] -%> +<%- if scope.function_has_role('packagesmaster') -%> warn condition = ${if eq {$acl_m_prf}{PackagesMail}} condition = ${if eq {$sender_address}{$local_part@$domain}} message = X-Packages-FromTo-Same: yes @@ -717,7 +717,7 @@ check_recipient: condition = ${if eq{$acl_m_act}{450}{yes}{no}} <%- end -%> -<%- if scope.lookupvar('site::nodeinfo')['rtmaster'] -%> +<%- if scope.function_has_role('rtmaster') -%> warn condition = ${if eq{$acl_m_prf}{RTMail}} set acl_m12 = ${if def:acl_m12 {$acl_m12} {${if or{{match{$local_part}{\N[^+]+\+\d+\N}}{match{$local_part}{\N[^+]+\+new\N}}{match{$local_part}{3520}}{match{$local_part}{3645}}} {RTMailRecipientHasSubaddress}}}} # temporary hack because weasel screwed up and gave people an rt-3520@ address, which doesn't really work normally. and rt-3645 @@ -840,7 +840,7 @@ check_recipient: message = "Sender verification failed: $acl_verify_message" <%- end -%> -<%- if scope.lookupvar('site::nodeinfo')['mailrelay'] -%> +<%- if scope.function_has_role('mailrelay') -%> accept domains = +mailhubdomains endpass verify = recipient/callout=30s,defer_ok,use_sender,no_cache 
@@ -899,7 +899,7 @@ check_message: # header. Take their crack pipe away. drop condition = ${if match{${lc:$h_From:}}{\Npostmaster@([^.]+\.)?debian\.org\N}} -<%- if scope.lookupvar('site::nodeinfo')['rtmaster'] -%> +<%- if scope.function_has_role('rtmaster') -%> deny condition = ${if eq {$acl_m_prf}{RTMail}} condition = ${if and{{!match {${lc:$rh_Subject:}} {debian rt}} \ {!match {${lc:$rh_Subject:]}} {\N\[rt.debian.org \N}} \ @@ -907,7 +907,7 @@ check_message: message = messages to the Request Tracker system require a subject tag or a subaddress <%- end -%> -<%- if scope.lookupvar('site::nodeinfo')['packagesqamaster'] -%> +<%- if scope.function_has_role('packagesqamaster') -%> deny !hosts = +debianhosts : 5.153.231.21 condition = ${if eq {$acl_m_prf}{PTSMail}} condition = ${if def:h_X-PTS-Approved:{false}{true}} @@ -992,7 +992,7 @@ check_message: !verify = header_sender message = No valid sender found in the From:, Sender: and Reply-to: headers -<%- if scope.lookupvar('site::nodeinfo')['packagesmaster'] -%> +<%- if scope.function_has_role('packagesmaster') -%> deny message = Congratulations, you scored $spam_score points. log_message = spam: $spam_score points. condition = ${if eq {$acl_m_prf}{PackagesMail}} @@ -1040,7 +1040,7 @@ begin routers # An address is passed to each in turn until it is accepted. # ###################################################################### -<%- if scope.lookupvar('site::nodeinfo')['mailrelay'] -%> +<%- if scope.function_has_role('mailrelay') -%> relay_manualroute: driver = manualroute domains = +mailhubdomains @@ -1298,7 +1298,7 @@ localuser: # Everything before here should apply only to the local domains with a # domains= rule -<%- if scope.lookupvar('site::nodeinfo')['packagesmaster'] -%> +<%- if scope.function_has_role('packagesmaster') -%> # This router delivers for packages.d.o packages: debug_print = "R: packages for $local_part@$domain" 
@@ -1316,7 +1316,7 @@ packages: no_more <%- end -%> -<%- if scope.lookupvar('site::nodeinfo')['rtmaster'] -%> +<%- if scope.function_has_role('rtmaster') -%> # This router delivers for rt.d.o rt_force_new_verbose: debug_print = "R: rt for $local_part+new@$domain" @@ -1449,9 +1449,9 @@ virt_users: <%= out = "" -if scope.lookupvar('site::nodeinfo')['bugsmaster'] or scope.lookupvar('site::nodeinfo')['bugsmx'] +if scope.function_has_role('bugsmaster') or scope.function_has_role('bugsmx') domain = 'bugs.debian.org' - if scope.lookupvar('site::nodeinfo')['bugsmaster'] + if scope.function_has_role('bugsmaster') domain = 'bugs-master.debian.org' end out = ' @@ -1603,7 +1603,7 @@ bsmtp: {$value}fail}\ }} -<%- if scope.lookupvar('site::nodeinfo')['bugsmaster'] or scope.lookupvar('site::nodeinfo')['bugsmx'] -%> +<%- if scope.function_has_role('bugsmaster') or scope.function_has_role('bugsmx') -%> bugs_pipe: driver = pipe command = /org/bugs.debian.org/mail/run-procmail @@ -1616,7 +1616,7 @@ bugs_pipe: user = debbugs <%- end -%> -<%- if scope.lookupvar('site::nodeinfo')['rtmaster'] -%> +<%- if scope.function_has_role('rtmaster') -%> rt_pipe: debug_print = "T: rt_pipe for $local_part${local_part_suffix}@$domain" driver = pipe diff --git a/modules/exim/templates/manualroute.erb b/modules/exim/templates/manualroute.erb index 10f246ac6..21a194eda 100644 --- a/modules/exim/templates/manualroute.erb +++ b/modules/exim/templates/manualroute.erb @@ -12,7 +12,7 @@ mxmatches = [ scope.lookupvar('::fqdn') ] routes = [] extraroutes = [] -if scope.lookupvar('site::nodeinfo')['mailrelay'] +if scope.function_has_role('mailrelay') mxmatches << 'mailout.debian.org' mxmatches << 'INCOMING-MX' extraroutes = [ "keyring.debian.org:\t\tkaufmann.debian.org" ] diff --git a/modules/ferm/templates/me.conf.erb b/modules/ferm/templates/me.conf.erb index f3866c2f8..7e84414b0 100644 --- a/modules/ferm/templates/me.conf.erb +++ b/modules/ferm/templates/me.conf.erb 
@@ -5,7 +5,7 @@ <%= nodeinfo = scope.lookupvar('site::nodeinfo') - +has_role = scope.function_has_role out = [] restricted_purposes = ['kvm host', 'central syslog server', 'puppet master', 'jumphost'] @@ -45,10 +45,10 @@ if restrict_ssh.include?(hostname) then ssh6allowed << "2001:41c8:1000:21::21:5" # adayevskaya end - if nodeinfo['static_master'] then + if has_role('static_master') then ssh4allowed << '$HOST_STATIC_V4' ssh6allowed << '$HOST_STATIC_V6' - elsif nodeinfo['static_source'] or nodeinfo['static_mirror'] then + elsif has_role('static_source') or has_role('static_mirror') then ssh4allowed << '$HOST_STATICMASTER_V4' ssh6allowed << '$HOST_STATICMASTER_V6' end diff --git a/modules/puppetmaster/lib/puppet/parser/functions/has_role.rb b/modules/puppetmaster/lib/puppet/parser/functions/has_role.rb new file mode 100644 index 000000000..e5f99d507 --- /dev/null +++ b/modules/puppetmaster/lib/puppet/parser/functions/has_role.rb @@ -0,0 +1,10 @@ +module Puppet::Parser::Functions + newfunction(:has_role, :type => :rvalue) do |args| + begin + role = args.shift + roles = lookupvar('site::roles') + fqdn = lookupvar('fqdn') + return fqdn in roles[role] + end + end +end diff --git a/modules/roles/manifests/buildd_master.pp b/modules/roles/manifests/buildd_master.pp new file mode 100644 index 000000000..d80bfab9a --- /dev/null +++ b/modules/roles/manifests/buildd_master.pp @@ -0,0 +1,5 @@ +class roles::buildd_master { + ssl::service { 'buildd.debian.org': + notify => Service['apache2'], + } +} diff --git a/modules/roles/manifests/contributors.pp b/modules/roles/manifests/contributors.pp new file mode 100644 index 000000000..54863e23c --- /dev/null +++ b/modules/roles/manifests/contributors.pp @@ -0,0 +1,5 @@ +class roles::contributors { + ssl::service { 'contributors.debian.org': + notify => Service['apache2'], + } +} diff --git a/modules/roles/manifests/dbmaster.pp b/modules/roles/manifests/dbmaster.pp new file mode 100644 index 000000000..537588417 --- /dev/null 
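Review bot: `has_role = scope.function_has_role` in the first hunk is not a method reference — Ruby invokes function_has_role with no arguments at that point — and the later `has_role('static_master')` / `has_role('static_source')` / `has_role('static_mirror')` calls in the second hunk are parsed as method calls, not as calls through the local, so the template that builds the SSH allow-list stops rendering. Bind a callable instead, `has_role = lambda { |r| scope.function_has_role([r]) }`, and invoke it as `has_role.call('static_master')` (or `has_role['static_master']`). Because this template produces the sshd allow-list, it deserves a render check on a static_master host and on an ordinary host before the role migration lands.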
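Review bot: `return fqdn in roles[role]` is not valid Ruby — `in` is a keyword only inside `for` — so this new file fails to load and every has_role() call site in manifests and templates errors out. The membership test should be `Array(roles[role]).include?(fqdn)`: `Array()` turns a missing key into an empty list, so roles that callers ask for but hieradata/common.yaml does not define read as "not held" instead of raising, and it also keeps a scalar value from falling into `String#include?`, whose substring match would grant a role to any host whose fqdn is a substring of the listed one. `lookupvar('site::roles')` is nil unless class site has been evaluated first, which needs a guard and a comment; the `begin ... end` with no rescue can go. Rewritten function:
```ruby
module Puppet::Parser::Functions
  # has_role(name) -> true when this node's fqdn appears under roles[name]
  # (hiera 'roles', exposed as $site::roles). A role with no entry is held
  # by nobody. Requires class site to have been evaluated before the call.
  newfunction(:has_role, :type => :rvalue) do |args|
    role = args.shift
    roles = lookupvar('site::roles')
    roles = {} unless roles.is_a?(Hash)
    fqdn = lookupvar('fqdn')
    # Array() maps nil -> [] and a scalar -> [scalar], so the test is always
    # an exact element match rather than String#include? substring matching.
    Array(roles[role]).include?(fqdn)
  end
end
```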
+++ b/modules/roles/manifests/dbmaster.pp @@ -0,0 +1,5 @@ +class roles::dbmaster { + ssl::service { 'db.debian.org': + notify => Service['apache2'], + } +} diff --git a/modules/roles/manifests/init.pp b/modules/roles/manifests/init.pp index 21559a8bc..261f84f84 100644 --- a/modules/roles/manifests/init.pp +++ b/modules/roles/manifests/init.pp @@ -1,12 +1,10 @@ class roles { - $roles = hiera('roles') - - if $::fqdn in $roles['puppetmaster'] { + if has_role('puppetmaster') { include puppetmaster } - if getfromhash($site::nodeinfo, 'muninmaster') { + if has_role('muninmaster') { include munin::master } 
@@ -17,159 +15,134 @@ class roles { } } - if getfromhash($site::nodeinfo, 'buildd') { + if has_role('buildd') { include buildd } - if getfromhash($site::nodeinfo, 'porterbox') { + if has_role('porterbox') { include porterbox } - if getfromhash($site::nodeinfo, 'bugs_mirror') { + if has_role('bugs_mirror') { include roles::bugs_mirror } - if getfromhash($site::nodeinfo, 'ftp_master') { + if has_role('ftp_master') { include roles::ftp_master include roles::dakmaster } - if getfromhash($site::nodeinfo, 'apache2_security_mirror') { + if has_role('apache2_security_mirror') { include roles::security_mirror } - if getfromhash($site::nodeinfo, 'apache2_www_mirror') { + if has_role('apache2_www_mirror') { include roles::www_mirror } - if getfromhash($site::nodeinfo, 'ftp.d.o') { + if has_role('ftp.d.o') { include roles::ftp } - if getfromhash($site::nodeinfo, 'ftp.upload.d.o') { + if has_role('ftp.upload.d.o') { include roles::ftp_upload } - if getfromhash($site::nodeinfo, 'security_master') { + if has_role('security_master') { include roles::security_master include roles::dakmaster } - if getfromhash($site::nodeinfo, 'www_master') { + if has_role('www_master') { include roles::www_master } - if getfromhash($site::nodeinfo, 'keyring') { + if has_role('keyring') { include roles::keyring } - if getfromhash($site::nodeinfo, 'wiki') { + if has_role('wiki') { include roles::wiki } - if getfromhash($site::nodeinfo, 'syncproxy') { + if has_role('syncproxy') { include roles::syncproxy } - if getfromhash($site::nodeinfo, 'static_master') { + if has_role('static_master') { include roles::static_master } - if getfromhash($site::nodeinfo, 'static_mirror') { + if has_role('static_mirror') { include roles::static_mirror - } elsif getfromhash($site::nodeinfo, 'static_source') { + } elsif has_role('static_source') { include roles::static_source } - if getfromhash($site::nodeinfo, 'weblog_provider') { + if has_role('weblog_provider') { include roles::weblog_provider } - if 
getfromhash($site::nodeinfo, 'mailrelay') { + if has_role('mailrelay') { include roles::mailrelay } - if getfromhash($site::nodeinfo, 'pubsub') { + if has_role('pubsub') { include roles::pubsub } - if getfromhash($site::nodeinfo, 'dbmaster') { - ssl::service { 'db.debian.org': - notify => Service['apache2'], - } + if has_role('dbmaster') { + include roles::dbmaster } - if getfromhash($site::nodeinfo, 'dns_primary') { + if has_role('dns_primary') { include named::primary } - if getfromhash($site::nodeinfo, 'dns_secondary') { + if has_role('dns_secondary') { include named::authoritative } - if $::hostname in [ravel] { + if has_role('weblog_destination') { include roles::weblog_destination } - if $::hostname in [vento] { - ssl::service { 'vote.debian.org': - notify => Service['apache2'], - } + if has_role('vote') { + include roles::vote } - if $::hostname in [soler] { - ssl::service { 'security-tracker.debian.org': - notify => Service['apache2'], - } + if has_role('security_tracker') { + include roles::security_tracker } - if $::hostname in [bendel] { - ssl::service { 'lists.debian.org': - notify => Service['apache2'], - } + if has_role('lists') { + include roles::lists } - if $::hostname in [reger] { - ssl::service { 'rt.debian.org': - notify => Service['apache2'], - } + if has_role('rtmaster') { + include roles::rtmaster } - if $::hostname in [diabelli] { - ssl::service { 'sso.debian.org': - notify => Service['apache2'], - } + if has_role('udd') { + include roles::udd } - if $::hostname in [ullmann] { - ssl::service { 'udd.debian.org': - notify => Service['apache2'], - } + if has_role('buildd_master') { + include roles::buildd_master } - - if $::hostname in [wuiet] { - ssl::service { 'buildd.debian.org': - notify => Service['apache2'], - } + + if has_role('piuparts') { + include roles::piuparts } - if $::hostname in [pejacevic] { - ssl::service { 'piuparts.debian.org': - notify => Service['apache2'], - } + if has_role('contributors') { + include roles::contributors 
} - if $::hostname in [nono] { - ssl::service { 'nm.debian.org': - notify => Service['apache2'], - } - ssl::service { 'contributors.debian.org': - notify => Service['apache2'], - } + if has_role('nm') { + include roles::nm } - if $::hostname in [franck] { - ssl::service { 'release.debian.org': - notify => Service['apache2'], - } + if has_role('release') { + include roles::release } } diff --git a/modules/roles/manifests/lists.pp b/modules/roles/manifests/lists.pp new file mode 100644 index 000000000..e429aba95 --- /dev/null +++ b/modules/roles/manifests/lists.pp @@ -0,0 +1,5 @@ +class roles::lists { + ssl::service { 'lists.debian.org': + notify => Service['apache2'], + } +} diff --git a/modules/roles/manifests/nm.pp b/modules/roles/manifests/nm.pp new file mode 100644 index 000000000..4cdc3b379 --- /dev/null +++ b/modules/roles/manifests/nm.pp @@ -0,0 +1,5 @@ +class roles::nm { + ssl::service { 'nm.debian.org': + notify => Service['apache2'], + } +} diff --git a/modules/roles/manifests/piuparts.pp b/modules/roles/manifests/piuparts.pp new file mode 100644 index 000000000..0f3463d8e --- /dev/null +++ b/modules/roles/manifests/piuparts.pp @@ -0,0 +1,5 @@ +class roles::piuparts { + ssl::service { 'piuparts.debian.org': + notify => Service['apache2'], + } +} diff --git a/modules/roles/manifests/release.pp b/modules/roles/manifests/release.pp new file mode 100644 index 000000000..084e80bac --- /dev/null +++ b/modules/roles/manifests/release.pp @@ -0,0 +1,5 @@ +class roles::release { + ssl::service { 'release.debian.org': + notify => Service['apache2'], + } +} diff --git a/modules/roles/manifests/rtmaster.pp b/modules/roles/manifests/rtmaster.pp new file mode 100644 index 000000000..b1c74870a --- /dev/null +++ b/modules/roles/manifests/rtmaster.pp @@ -0,0 +1,5 @@ +class roles::rtmaster { + ssl::service { 'rt.debian.org': + notify => Service['apache2'], + } +} 
diff --git a/modules/roles/manifests/security_tracker.pp b/modules/roles/manifests/security_tracker.pp
new file mode 100644
index 000000000..1210c7ef6
--- /dev/null
+++ b/modules/roles/manifests/security_tracker.pp
@@ -0,0 +1,5 @@
+class roles::security_tracker {
+ ssl::service { 'security-tracker.debian.org':
+ notify => Service['apache2'],
+ }
+}
diff --git a/modules/roles/manifests/sso.pp b/modules/roles/manifests/sso.pp
new file mode 100644
index 000000000..890a0baf9
--- /dev/null
+++ b/modules/roles/manifests/sso.pp
@@ -0,0 +1,5 @@
+class roles::sso {
+ ssl::service { 'sso.debian.org':
+ notify => Service['apache2'],
+ }
+}
diff --git a/modules/roles/manifests/udd.pp b/modules/roles/manifests/udd.pp
new file mode 100644
index 000000000..73fc80464
--- /dev/null
+++ b/modules/roles/manifests/udd.pp
@@ -0,0 +1,5 @@
+class roles::udd {
+ ssl::service { 'udd.debian.org':
+ notify => Service['apache2'],
+ }
+}
diff --git a/modules/roles/manifests/vote.pp b/modules/roles/manifests/vote.pp
new file mode 100644
index 000000000..a2147032f
--- /dev/null
+++ b/modules/roles/manifests/vote.pp
@@ -0,0 +1,5 @@
+class roles::vote {
+ ssl::service { 'vote.debian.org':
+ notify => Service['apache2'],
+ }
+}
diff --git a/modules/samhain/templates/samhainrc.erb b/modules/samhain/templates/samhainrc.erb
index 7cf2709d6..c76164cc0 100644
--- a/modules/samhain/templates/samhainrc.erb
+++ b/modules/samhain/templates/samhainrc.erb
@@ -143,7 +143,7 @@ file=/etc/nagios
 file=/etc/nagios/nrpe.d
 file=/etc/nagios/obsolete-packages-ignore.d
 file=/etc/bind/geodns
-<% if scope.lookupvar('site::nodeinfo')['nagiosmaster'] -%>
+<% if scope.function_has_role('nagiosmaster') -%>
 file=/etc/nagios3/puppetconf.d
 <% end -%>
 file=/etc/puppet
@@ -165,7 +165,7 @@ file=/etc/rc.local file=/etc/unbound file=/etc/dsa file=/etc/rabbitmq -<% if scope.lookupvar('site::nodeinfo')['static_mirror'] or scope.lookupvar('site::nodeinfo')['static_source'] or scope.lookupvar('site::nodeinfo')['static_master'] -%> +<% if scope.function_has_role('static_mirror') or scope.function_has_role('static_source') or scope.function_has_role('static_master') -%> file=/etc/ssh/userkeys file=/etc/ssh/userkeys/staticsync <% end -%> @@ -232,7 +232,7 @@ file=/var/log/syslog ## This file might be created or removed by the system sometimes. ## file=/etc/resolv.conf -<% if scope.lookupvar('site::nodeinfo')['buildd'] -%> +<% if scope.function_has_role('buildd') -%> file=/etc/dupload.conf <% end -%> file=/etc/resolv.conf.pcmcia.save @@ -411,7 +411,7 @@ file=/etc/cron.weekly/stunnel-ekey-restart file=/etc/default/schroot file=/etc/schroot/default/nssdatabases -<% if scope.lookupvar('site::nodeinfo')['nagiosmaster'] -%> +<% if scope.function_has_role('nagiosmaster') -%> file=/etc/nagios3/puppetconf.d/auto-hostgroups.cfg file=/etc/nagios3/puppetconf.d/auto-hosts.cfg file=/etc/nagios3/puppetconf.d/auto-services.cfg @@ -421,10 +421,10 @@ file=/etc/nagios3/puppetconf.d/auto-serviceextinfo.cfg file=/etc/nagios3/puppetconf.d/auto-servicegroups.cfg file=/etc/nagios3/puppetconf.d/contacts.cfg <% end -%> -<% if scope.lookupvar('site::nodeinfo')['muninmaster'] -%> +<% if scope.function_has_role('muninmaster') -%> file=/etc/munin/munin.conf <% end -%> -<% if scope.lookupvar('site::nodeinfo')['puppetmaster'] -%> +<% if scope.function_has_role('puppetmaster') -%> dir=8/etc/puppet <% end -%> <% if classes.include?('named::geodns') -%> @@ -451,7 +451,7 @@ file=/etc/openvpn/deb-mgmt-clients.pool <% end -%> -<% if scope.lookupvar('site::nodeinfo')['puppetmaster'] %> +<% if scope.function_has_role('puppetmaster') %> # Damn you rails apps and your shoddy packaging file=/usr/share/puppet-dashboard/public/stylesheets 
diff --git a/modules/site/manifests/init.pp b/modules/site/manifests/init.pp index 4d09074a9..d40571417 100644 --- a/modules/site/manifests/init.pp +++ b/modules/site/manifests/init.pp @@ -3,6 +3,7 @@ class site { $localinfo = yamlinfo('*', '/etc/puppet/modules/debian-org/misc/local.yaml') $nodeinfo = nodeinfo($::fqdn, '/etc/puppet/modules/debian-org/misc/local.yaml') $allnodeinfo = allnodeinfo('sshRSAHostKey ipHostNumber', 'purpose mXRecord physicalHost purpose') + $roles = hiera('roles') service { 'procps': hasstatus => false, -- 2.20.1
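Review bot: `$roles = hiera('roles')` is added without a comment, yet it is now the single value that the new has_role() parser function and the `$site::roles[...]` tests in apache2 read, so its shape and its consumers should be stated where it is set: `# role name -> list of node FQDNs, from hieradata; read by has_role() and by $site::roles lookups in other classes. Class site must be evaluated before either is used.` Keeping the call without a default is the right choice here — a missing `roles` key then fails the catalog compile instead of quietly yielding a map in which no host holds any role — and the comment could say so.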