From: gustavo panizzo Date: Thu, 13 Jun 2019 08:30:27 +0000 (+0800) Subject: manage prosody using puppet X-Git-Url: https://git.adam-barratt.org.uk/?p=mirror%2Fdsa-puppet.git;a=commitdiff_plain;h=a7d417cca7d5ad27c47c2c4627dae06c74b20222 manage prosody using puppet at this stage, just replicate the current configuration using puppet replace tabs by two spaces fix lint warnings and errors in the rtc role --- diff --git a/modules/profile/manifests/prosody.pp b/modules/profile/manifests/prosody.pp new file mode 100644 index 000000000..65ec2debd --- /dev/null +++ b/modules/profile/manifests/prosody.pp @@ -0,0 +1,78 @@ +# Please contact the RTC team about this service at debian-rtc-team@alioth-lists.debian.net +# + +class profile::prosody { + + class { 'prosody': + user => 'prosody', + group => 'prosody', + use_libevent => false, + daemonize => true, + s2s_secure_auth => false, + package_name => 'prosody-modules', + ssl_custom_config => false, + log_sinks => [], + log_advanced => { + 'error' => 'syslog', + }, + authentication => 'ha1', + custom_options => { + 'auth_ha1_file' => '/var/local/rtc-passwords.prosody', + 'auth_ha1_use_ha1b' => true, + 'auth_ha1_realm' => 'rtc.debian.org', + }, + # we override whatever the module decides as a base + modules_base => [ + 'roster', 'saslauth', 'tls', 'dialback', 'disco', 'posix', 'private', + 'vcard', 'version', 'uptime', 'time', 'ping', 'pep', 'register', + ], + # and add the modules we want on top + modules => [ + 'admin_adhoc', 'blocking', 'carbons', 'carbons_adhoc', + 'cloud_notify', 'csi', 'filter_chatstates', 'http', + 'http_upload', 'mam', 'smacks', 'smaks', 'throttle_presence', + ], + } + + -> prosody::virtualhost { + 'debian.org': + ensure => present, + ssl_key => '/etc/ssl/private/debian.org.key', + ssl_cert => '/etc/ssl/debian/certs/debian.org.crt-chained', + ssl_copy => false, + components => { + 'conference.debian.org' => { + 'type' => 'muc', + } + } + } + + -> posix_acl { '/etc/prosody/prosody.cfg.lua': + action => exact, + recursive => false, + provider => posixacl, + permission => [ + 'user::rw', + 'group::r', + 'group:debvoip:rw', + 'group:prosody:r', + 'mask::r', + 'other::', + ], + } + + -> posix_acl { '/etc/prosody/conf.avail/debian.org.cfg.lua': + action => exact, + recursive => false, + provider => posixacl, + permission => [ + 'user::rw', + 'group::r', + 'group:debvoip:rw', + 'group:prosody:r', + 'mask::r', + 'other::', + ], + } + +} diff --git a/modules/roles/manifests/rtc.pp b/modules/roles/manifests/rtc.pp index 26a6e52fd..ee4b1885c 100644 --- a/modules/roles/manifests/rtc.pp +++ b/modules/roles/manifests/rtc.pp @@ -1,144 +1,154 @@ +# = Class: roles::rtc +# +# Setup for machines used by the RTC Team +# +# == Sample Usage: +# +# include roles::rtc +# class roles::rtc { - ssl::service { 'debian.org': - tlsaport => [], - notify => Service['repro'], - key => true, - } + include profile::prosody - ssl::service { 'sip-ws.debian.org': - notify => Service['repro'], - key => true, - } + ssl::service { 'debian.org': + tlsaport => [], + notify => Service['repro'], + key => true, + } - dnsextras::tlsa_record{ 'tlsa-xmpp': - zone => 'debian.org', - certfile => "/etc/puppet/modules/ssl/files/servicecerts/www.debian.org.crt", - port => [5061, 5222, 5269], - hostname => $::fqdn, - } + ssl::service { 'sip-ws.debian.org': + notify => Service['repro'], + key => true, + } - ferm::rule { 'dsa-xmpp-client-ip4': - domain => 'ip', - description => 'XMPP connections (client to server)', - rule => 'proto tcp dport (5222) ACCEPT' - } - ferm::rule { 'dsa-xmpp-client-ip6': - domain => 'ip6', - description => 'XMPP connections (client to server)', - rule => 'proto tcp dport (5222) ACCEPT' - } - ferm::rule { 'dsa-xmpp-server-ip4': - domain => 'ip', - description => 'XMPP connections (server to server)', - rule => 'proto tcp dport (5269) ACCEPT' - } - ferm::rule { 'dsa-xmpp-server-ip6': - domain => 'ip6', - description => 'XMPP connections (server to server)', - rule => 'proto tcp dport (5269) ACCEPT' - } + dnsextras::tlsa_record{ 'tlsa-xmpp': + zone => 'debian.org', + certfile => '/etc/puppet/modules/ssl/files/servicecerts/www.debian.org.crt', + port => [5061, 5222, 5269], + hostname => $::fqdn, + } - ferm::rule { 'dsa-sip-ws-ip4': - domain => 'ip', - description => 'SIP connections (WebSocket; for WebRTC)', - rule => 'proto tcp dport (443) ACCEPT' - } - ferm::rule { 'dsa-sip-ws-ip6': - domain => 'ip6', - description => 'SIP connections (WebSocket; for WebRTC)', - rule => 'proto tcp dport (443) ACCEPT' - } - ferm::rule { 'dsa-sip-tls-ip4': - domain => 'ip', - description => 'SIP connections (TLS)', - rule => 'proto tcp dport (5061) ACCEPT' - } - ferm::rule { 'dsa-sip-tls-ip6': - domain => 'ip6', - description => 'SIP connections (TLS)', - rule => 'proto tcp dport (5061) ACCEPT' - } - ferm::rule { 'dsa-turn-ip4': - domain => 'ip', - description => 'TURN connections', - rule => 'proto udp dport (3478) ACCEPT' - } - ferm::rule { 'dsa-turn-ip6': - domain => 'ip6', - description => 'TURN connections', - rule => 'proto udp dport (3478) ACCEPT' - } - ferm::rule { 'dsa-turn-tls-ip4': - domain => 'ip', - description => 'TURN connections (TLS)', - rule => 'proto tcp dport (5349) ACCEPT' - } - ferm::rule { 'dsa-turn-tls-ip6': - domain => 'ip6', - description => 'TURN connections (TLS)', - rule => 'proto tcp dport (5349) ACCEPT' - } - ferm::rule { 'dsa-rtp-ip4': - domain => 'ip', - description => 'RTP streams', - rule => 'proto udp dport (49152:65535) ACCEPT' - } - ferm::rule { 'dsa-rtp-ip6': - domain => 'ip6', - description => 'RTP streams', - rule => 'proto udp dport (49152:65535) ACCEPT' - } + ferm::rule { 'dsa-xmpp-client-ip4': + domain => 'ip', + description => 'XMPP connections (client to server)', + rule => 'proto tcp dport (5222) ACCEPT' + } + ferm::rule { 'dsa-xmpp-client-ip6': + domain => 'ip6', + description => 'XMPP connections (client to server)', + rule => 'proto tcp dport (5222) ACCEPT' + } + ferm::rule { 'dsa-xmpp-server-ip4': + domain => 'ip', + description => 'XMPP connections (server to server)', + rule => 'proto tcp dport (5269) ACCEPT' + } + ferm::rule { 'dsa-xmpp-server-ip6': + domain => 'ip6', + description => 'XMPP connections (server to server)', + rule => 'proto tcp dport (5269) ACCEPT' + } - file { '/etc/monit/monit.d/50rtc': - ensure => absent, - } + ferm::rule { 'dsa-sip-ws-ip4': + domain => 'ip', + description => 'SIP connections (WebSocket; for WebRTC)', + rule => 'proto tcp dport (443) ACCEPT' + } + ferm::rule { 'dsa-sip-ws-ip6': + domain => 'ip6', + description => 'SIP connections (WebSocket; for WebRTC)', + rule => 'proto tcp dport (443) ACCEPT' + } + ferm::rule { 'dsa-sip-tls-ip4': + domain => 'ip', + description => 'SIP connections (TLS)', + rule => 'proto tcp dport (5061) ACCEPT' + } + ferm::rule { 'dsa-sip-tls-ip6': + domain => 'ip6', + description => 'SIP connections (TLS)', + rule => 'proto tcp dport (5061) ACCEPT' + } + ferm::rule { 'dsa-turn-ip4': + domain => 'ip', + description => 'TURN connections', + rule => 'proto udp dport (3478) ACCEPT' + } + ferm::rule { 'dsa-turn-ip6': + domain => 'ip6', + description => 'TURN connections', + rule => 'proto udp dport (3478) ACCEPT' + } + ferm::rule { 'dsa-turn-tls-ip4': + domain => 'ip', + description => 'TURN connections (TLS)', + rule => 'proto tcp dport (5349) ACCEPT' + } + ferm::rule { 'dsa-turn-tls-ip6': + domain => 'ip6', + description => 'TURN connections (TLS)', + rule => 'proto tcp dport (5349) ACCEPT' + } + ferm::rule { 'dsa-rtp-ip4': + domain => 'ip', + description => 'RTP streams', + rule => 'proto udp dport (49152:65535) ACCEPT' + } + ferm::rule { 'dsa-rtp-ip6': + domain => 'ip6', + description => 'RTP streams', + rule => 'proto udp dport (49152:65535) ACCEPT' + } - service { 'repro': - ensure => running, - } - dsa_systemd::override { 'repro': - content => @("EOF"), + file { '/etc/monit/monit.d/50rtc': + ensure => absent, + } + + service { 'repro': + ensure => running, + } + dsa_systemd::override { 'repro': + content => @("EOF"), [Unit] After=network-online.target | EOF - } + } - package { 'freeradius': - ensure => installed, - } - service { 'freeradius': - ensure => running, - } - $radius_password = hkdf('/etc/puppet/secret', "rtc-${::hostname}-radius-password") - file { '/etc/freeradius/3.0/sites-available/rtc.debian.org': - content => template('roles/rtc/freeradius-rtc.erb'), - mode => '0440', - group => freerad, - } - file { '/etc/freeradius/3.0/sites-enabled/rtc.debian.org': - ensure => link, - target => '../sites-available/rtc.debian.org', - } - file { '/etc/freeradius/3.0/mods-available/passwd_rtc': - source => 'puppet:///modules/roles/rtc/freeradius-mod-passwd-rtc', - mode => '0440', - group => freerad, - } - file { '/etc/freeradius/3.0/mods-enabled/passwd_rtc': - ensure => link, - target => '../mods-available/passwd_rtc', - } - file { '/etc/repro/radius-servers': - content => inline_template('localhost/localhost <%= @radius_password %>'), - mode => '0440', - group => repro, - notify => Service['repro'], - } - file { '/etc/freeradius/3.0/sites-enabled/default': - ensure => absent, - } - file { '/etc/freeradius/3.0/sites-enabled/inner-tunnel': - ensure => absent, - } + package { 'freeradius': + ensure => installed, + } + service { 'freeradius': + ensure => running, + } + $radius_password = hkdf('/etc/puppet/secret', "rtc-${::hostname}-radius-password") + file { '/etc/freeradius/3.0/sites-available/rtc.debian.org': + content => template('roles/rtc/freeradius-rtc.erb'), + mode => '0440', + group => freerad, + } + file { '/etc/freeradius/3.0/sites-enabled/rtc.debian.org': + ensure => link, + target => '../sites-available/rtc.debian.org', + } + file { '/etc/freeradius/3.0/mods-available/passwd_rtc': + source => 'puppet:///modules/roles/rtc/freeradius-mod-passwd-rtc', + mode => '0440', + group => freerad, + } + file { '/etc/freeradius/3.0/mods-enabled/passwd_rtc': + ensure => link, + target => '../mods-available/passwd_rtc', + } + file { '/etc/repro/radius-servers': + content => inline_template('localhost/localhost <%= @radius_password %>'), + mode => '0440', + group => repro, + notify => Service['repro'], + } + file { '/etc/freeradius/3.0/sites-enabled/default': + ensure => absent, + } + file { '/etc/freeradius/3.0/sites-enabled/inner-tunnel': + ensure => absent, + } }