Setup sniproxy and rsyslog

author: Jan Dittberner <jandd@cacert.org> 2017-08-26 21:40:33 +0200
committer: Jan Dittberner <jandd@cacert.org> 2017-08-26 21:40:33 +0200
commit: e2aec367415aec915c077360625e7aadb082d483 (patch)
tree: 6912581f07e33b41176f5a4709b8510afc62e1ea
parent: 094c6ff3231a9900c546cebdde146b5663c738e4 (diff)
download: cacert-puppet-e2aec367415aec915c077360625e7aadb082d483.tar.gz
cacert-puppet-e2aec367415aec915c077360625e7aadb082d483.tar.xz
cacert-puppet-e2aec367415aec915c077360625e7aadb082d483.zip
7 files changed, 164 insertions, 10 deletions
diff --git a/hieradata/nodes/proxyin.yaml b/hieradata/nodes/proxyin.yaml
index 96dd2a3..e5fc006 100644
--- a/hieradata/nodes/proxyin.yaml
+++ b/hieradata/nodes/proxyin.yaml
@@ -4,4 +4,4 @@ classes:
 profiles::base::admins:
   - jandd
 profiles::sniproxy::https_forwards:
-  - "motion\.cacert\.org$ 10.0.0.117:8443"
+  - "motion\\.cacert\\.org$ 10.0.0.117:8443"
diff --git a/sitemodules/profiles/files/sniproxy/etc_default_sniproxy b/sitemodules/profiles/files/sniproxy/etc_default_sniproxy
index b37b083..a43f34d 100644
--- a/sitemodules/profiles/files/sniproxy/etc_default_sniproxy
+++ b/sitemodules/profiles/files/sniproxy/etc_default_sniproxy
@@ -1,4 +1,7 @@
 # Defaults for sniproxy initscript
+#
+# THIS FILE IS MANAGED BY PUPPET, MANUAL CHANGES WILL BE OVERWRITTEN AT THE
+# NEXT PUPPET RUN.
 
 # This file has two functions:
 # 1) to completely disable starting sniproxy,
@@ -9,5 +12,5 @@
 #DAEMON_ARGS="-c /etc/sniproxy.conf"
 
 # Whether or not to run the sniproxy daemon; set to 0 to disable, 1 to enable.
-ENABLED=0
+ENABLED=1
 
diff --git a/sitemodules/profiles/manifests/rsyslog.pp b/sitemodules/profiles/manifests/rsyslog.pp
new file mode 100644
index 0000000..3a92d9d
--- /dev/null
+++ b/sitemodules/profiles/manifests/rsyslog.pp
@@ -0,0 +1,48 @@
+# Class: profiles::rsyslog.pp
+# =========================
+#
+# This class installs and configures rsyslog
+#
+# Parameters
+# ----------
+#
+# @param enable_klog whether to enable kernel logging
+#
+# Examples
+# --------
+#
+# @example
+#   class roles::myhost {
+#     include profiles::rsyslog
+#   }
+#
+# Authors
+# -------
+#
+# Jan Dittberner <jandd@cacert.org>
+#
+# Copyright
+# ---------
+#
+# Copyright 2017 Jan Dittberner
+class profiles::rsyslog (
+  Boolean $enable_klog = false,
+) {
+  package { 'rsyslog':
+    ensure => present,
+  } ->
+  file { '/etc/rsyslog.conf':
+    ensure  => file,
+    owner   => 'root',
+    group   => 'root',
+    mode    => '0644',
+    content => epp(
+      'profiles/rsyslog/rsyslog.conf.epp',
+      {'enable_klog' => $enable_klog}
+    ),
+  } ->
+  service { 'rsyslog':
+    ensure => running,
+    enable => true,
+  }
+}
diff --git a/sitemodules/profiles/manifests/sniproxy.pp b/sitemodules/profiles/manifests/sniproxy.pp
index 7cba9b1..e34e93f 100644
--- a/sitemodules/profiles/manifests/sniproxy.pp
+++ b/sitemodules/profiles/manifests/sniproxy.pp
@@ -71,8 +71,9 @@ class profiles::sniproxy (
   }
 
   service { 'sniproxy':
-    ensure  => running,
-    enable  => true,
-    require => [Package['sniproxy'], File['/etc/default/sniproxy'], File['/etc/sniproxy.conf']],
+    ensure    => running,
+    enable    => true,
+    require   => [Package['sniproxy'], File['/etc/default/sniproxy'], File['/etc/sniproxy.conf']],
+    subscribe => [File['/etc/default/sniproxy'], File['/etc/sniproxy.conf']],
   }
 }
diff --git a/sitemodules/profiles/templates/rsyslog/rsyslog.conf.epp b/sitemodules/profiles/templates/rsyslog/rsyslog.conf.epp
new file mode 100644
index 0000000..43fe050
--- /dev/null
+++ b/sitemodules/profiles/templates/rsyslog/rsyslog.conf.epp
@@ -0,0 +1,97 @@
+<%- | Boolean $enable_klog = false | -%>
+# THIS FILE IS MANAGED BY PUPPET, MANUAL CHANGES WILL BE OVERWRITTEN AT THE
+# NEXT PUPPET RUN.
+#  /etc/rsyslog.conf	Configuration file for rsyslog.
+#
+#			For more information see
+#			/usr/share/doc/rsyslog-doc/html/rsyslog_conf.html
+
+
+#################
+#### MODULES ####
+#################
+
+module(load="imuxsock") # provides support for local system logging
+<%- if $enable_klog == true { -%>
+module(load="imklog") # provides kernel logging support
+<% } -%>
+#module(load="immark")  # provides --MARK-- message capability
+
+# provides UDP syslog reception
+#module(load="imudp")
+#input(type="imudp" port="514")
+
+# provides TCP syslog reception
+#module(load="imtcp")
+#input(type="imtcp" port="514")
+
+
+###########################
+#### GLOBAL DIRECTIVES ####
+###########################
+
+#
+# Use traditional timestamp format.
+# To enable high precision timestamps, comment out the following line.
+#
+$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
+
+#
+# Set the default permissions for all log files.
+#
+$FileOwner root
+$FileGroup adm
+$FileCreateMode 0640
+$DirCreateMode 0755
+$Umask 0022
+
+#
+# Where to place spool and state files
+#
+$WorkDirectory /var/spool/rsyslog
+
+#
+# Include all config files in /etc/rsyslog.d/
+#
+$IncludeConfig /etc/rsyslog.d/*.conf
+
+
+###############
+#### RULES ####
+###############
+
+#
+# First some standard log files.  Log by facility.
+#
+auth,authpriv.*			/var/log/auth.log
+*.*;auth,authpriv.none		-/var/log/syslog
+#cron.*				/var/log/cron.log
+daemon.*			-/var/log/daemon.log
+kern.*				-/var/log/kern.log
+lpr.*				-/var/log/lpr.log
+mail.*				-/var/log/mail.log
+user.*				-/var/log/user.log
+
+#
+# Logging for the mail system.  Split it up so that
+# it is easy to write scripts to parse these files.
+#
+mail.info			-/var/log/mail.info
+mail.warn			-/var/log/mail.warn
+mail.err			/var/log/mail.err
+
+#
+# Some "catch-all" log files.
+#
+*.=debug;\
+	auth,authpriv.none;\
+	news.none;mail.none	-/var/log/debug
+*.=info;*.=notice;*.=warn;\
+	auth,authpriv.none;\
+	cron,daemon.none;\
+	mail,news.none		-/var/log/messages
+
+#
+# Emergencies are sent to everybody logged in.
+#
+*.emerg				:omusrmsg:*
diff --git a/sitemodules/profiles/templates/sniproxy/sniproxy.conf.epp b/sitemodules/profiles/templates/sniproxy/sniproxy.conf.epp
index f22c9e2..38d7138 100644
--- a/sitemodules/profiles/templates/sniproxy/sniproxy.conf.epp
+++ b/sitemodules/profiles/templates/sniproxy/sniproxy.conf.epp
@@ -1,5 +1,8 @@
 <%- | Array[String] $https_forwards = [] | -%>
-# sniproxy example configuration file
+# THIS FILE IS MANAGED BY PUPPET, MANUAL CHANGES WILL BE OVERWRITTEN AT THE
+# NEXT PUPPET RUN.
+#
+# sniproxy configuration file
 # lines that start with # are comments
 # lines with only white space are ignored
 
@@ -70,11 +73,12 @@ table https_hosts {
 <%- $https_forwards.each |$forward| { %>
     <%= $forward -%>
 <% } %>
+}
 
 # if no table specified the default 'default' table is defined
 #table {
-    # if no port is specified default HTTP (80) and HTTPS (443) ports are
-    # assumed based on the protocol of the listen block using this table
-    #example.com 192.0.2.10
-    #example.net 192.0.2.20
+#    # if no port is specified default HTTP (80) and HTTPS (443) ports are
+#    # assumed based on the protocol of the listen block using this table
+#    example.com 192.0.2.10
+#    example.net 192.0.2.20
 #}
diff --git a/sitemodules/roles/manifests/proxyin.pp b/sitemodules/roles/manifests/proxyin.pp
index d495a41..62f421e 100644
--- a/sitemodules/roles/manifests/proxyin.pp
+++ b/sitemodules/roles/manifests/proxyin.pp
@@ -22,5 +22,6 @@
 #
 class roles::proxyin {
   include profiles::base
+  include profiles::rsyslog
   include profiles::sniproxy
 }
author	Jan Dittberner <jandd@cacert.org>	2017-08-26 21:40:33 +0200
committer	Jan Dittberner <jandd@cacert.org>	2017-08-26 21:40:33 +0200
commit	e2aec367415aec915c077360625e7aadb082d483 (patch)
tree	6912581f07e33b41176f5a4709b8510afc62e1ea
parent	094c6ff3231a9900c546cebdde146b5663c738e4 (diff)
download	cacert-puppet-e2aec367415aec915c077360625e7aadb082d483.tar.gz cacert-puppet-e2aec367415aec915c077360625e7aadb082d483.tar.xz cacert-puppet-e2aec367415aec915c077360625e7aadb082d483.zip