author | Jan Dittberner <jandd@cacert.org> | 2017-08-26 21:40:33 +0200 |
---|---|---|
committer | Jan Dittberner <jandd@cacert.org> | 2017-08-26 21:40:33 +0200 |
commit | e2aec367415aec915c077360625e7aadb082d483 (patch) | |
tree | 6912581f07e33b41176f5a4709b8510afc62e1ea | |
parent | 094c6ff3231a9900c546cebdde146b5663c738e4 (diff) | |
Setup sniproxy and rsyslog
-rw-r--r-- | hieradata/nodes/proxyin.yaml | 2 | ||||
-rw-r--r-- | sitemodules/profiles/files/sniproxy/etc_default_sniproxy | 5 | ||||
-rw-r--r-- | sitemodules/profiles/manifests/rsyslog.pp | 48 | ||||
-rw-r--r-- | sitemodules/profiles/manifests/sniproxy.pp | 7 | ||||
-rw-r--r-- | sitemodules/profiles/templates/rsyslog/rsyslog.conf.epp | 97 | ||||
-rw-r--r-- | sitemodules/profiles/templates/sniproxy/sniproxy.conf.epp | 14 | ||||
-rw-r--r-- | sitemodules/roles/manifests/proxyin.pp | 1 |
7 files changed, 164 insertions, 10 deletions
diff --git a/hieradata/nodes/proxyin.yaml b/hieradata/nodes/proxyin.yaml index 96dd2a3..e5fc006 100644 --- a/hieradata/nodes/proxyin.yaml +++ b/hieradata/nodes/proxyin.yaml @@ -4,4 +4,4 @@ classes: profiles::base::admins: - jandd profiles::sniproxy::https_forwards: - - "motion\.cacert\.org$ 10.0.0.117:8443" + - "motion\\.cacert\\.org$ 10.0.0.117:8443" diff --git a/sitemodules/profiles/files/sniproxy/etc_default_sniproxy b/sitemodules/profiles/files/sniproxy/etc_default_sniproxy index b37b083..a43f34d 100644 --- a/sitemodules/profiles/files/sniproxy/etc_default_sniproxy +++ b/sitemodules/profiles/files/sniproxy/etc_default_sniproxy @@ -1,4 +1,7 @@ # Defaults for sniproxy initscript +# +# THIS FILE IS MANAGED BY PUPPET, MANUAL CHANGES WILL BE OVERWRITTEN AT THE +# NEXT PUPPET RUN. # This file has two functions: # 1) to completely disable starting sniproxy, @@ -9,5 +12,5 @@ #DAEMON_ARGS="-c /etc/sniproxy.conf" # Whether or not to run the sniproxy daemon; set to 0 to disable, 1 to enable. -ENABLED=0 +ENABLED=1 diff --git a/sitemodules/profiles/manifests/rsyslog.pp b/sitemodules/profiles/manifests/rsyslog.pp new file mode 100644 index 0000000..3a92d9d --- /dev/null +++ b/sitemodules/profiles/manifests/rsyslog.pp 
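Review bot: The forward pattern on the new line is anchored only at its end, and the `\.` escaping shows the entry is treated as a regular expression; if sniproxy matches table entries unanchored against the SNI name, any name ending in `motion.cacert.org` (for example `xmotion.cacert.org`) would also be forwarded to 10.0.0.117:8443, so anchoring the start is the safer form: `- "^motion\\.cacert\\.org$ 10.0.0.117:8443"`. A single-quoted YAML scalar, `- '^motion\.cacert\.org$ 10.0.0.117:8443'`, keeps backslashes literal and avoids the double-escaping that this commit had to fix. A short comment above the list, `# one sniproxy table line per entry: <hostname regex> <backend:port>`, would tell the next editor what format the strings must have.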
@@ -0,0 +1,48 @@ +# Class: profiles::rsyslog.pp +# ========================= +# +# This class installs and configures rsyslog +# +# Parameters +# ---------- +# +# @param enable_klog whether to enable kernel logging +# +# Examples +# -------- +# +# @example +# class roles::myhost { +# include profiles::rsyslog +# } +# +# Authors +# ------- +# +# Jan Dittberner <jandd@cacert.org> +# +# Copyright +# --------- +# +# Copyright 2017 Jan Dittberner +class profiles::rsyslog ( + Boolean $enable_klog = false, +) { + package { 'rsyslog': + ensure => present, + } -> + file { '/etc/rsyslog.conf': + ensure => file, + owner => 'root', + group => 'root', + mode => '0644', + content => epp( + 'profiles/rsyslog/rsyslog.conf.epp', + {'enable_klog' => $enable_klog} + ), + } -> + service { 'rsyslog': + ensure => running, + enable => true, + } +} diff --git a/sitemodules/profiles/manifests/sniproxy.pp b/sitemodules/profiles/manifests/sniproxy.pp index 7cba9b1..e34e93f 100644 --- a/sitemodules/profiles/manifests/sniproxy.pp +++ b/sitemodules/profiles/manifests/sniproxy.pp @@ -71,8 +71,9 @@ class profiles::sniproxy ( } service { 'sniproxy': - ensure => running, - enable => true, - require => [Package['sniproxy'], File['/etc/default/sniproxy'], File['/etc/sniproxy.conf']], + ensure => running, + enable => true, + require => [Package['sniproxy'], File['/etc/default/sniproxy'], File['/etc/sniproxy.conf']], + subscribe => [File['/etc/default/sniproxy'], File['/etc/sniproxy.conf']], } } diff --git a/sitemodules/profiles/templates/rsyslog/rsyslog.conf.epp b/sitemodules/profiles/templates/rsyslog/rsyslog.conf.epp new file mode 100644 index 0000000..43fe050 --- /dev/null +++ b/sitemodules/profiles/templates/rsyslog/rsyslog.conf.epp 
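Review bot: `file { '/etc/rsyslog.conf' }` is chained to `service { 'rsyslog' }` with `->`, which only orders the two resources; a change to the rendered config (for instance flipping `enable_klog`) will not restart the daemon, so the running rsyslog keeps its old configuration until something else restarts it. Using the notifying arrow, `} ~>` between the file and the service, or adding `subscribe => File['/etc/rsyslog.conf']` to the service, fixes that and matches the `subscribe` this same commit adds to the sniproxy service. The header comment names the class `profiles::rsyslog.pp`; the class is `profiles::rsyslog`, so the `.pp` suffix should go. The rendered template still includes `/etc/rsyslog.d/*.conf`, and nothing in this class manages that directory, so drop-ins placed there by hand or by packages take effect without passing through Puppet; if that is not intended, managing the directory with `recurse => true, purge => true` would close the gap.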
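Review bot: In the new `subscribe` list both files are also listed in `require`; `subscribe` already establishes the ordering relationship, so the File entries in `require` are redundant and `require => Package['sniproxy'],` together with the new `subscribe` line expresses the same dependencies with less to keep in sync. The enclosing class `profiles::sniproxy` starts outside the hunk.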
@@ -0,0 +1,97 @@
+<%- | Boolean $enable_klog = false | -%>
+# THIS FILE IS MANAGED BY PUPPET, MANUAL CHANGES WILL BE OVERWRITTEN AT THE
+# NEXT PUPPET RUN.
+# /etc/rsyslog.conf Configuration file for rsyslog.
+#
+# For more information see
+# /usr/share/doc/rsyslog-doc/html/rsyslog_conf.html
+
+
+#################
+#### MODULES ####
+#################
+
+module(load="imuxsock") # provides support for local system logging
+<%- if $enable_klog == true { -%>
+module(load="imklog") # provides kernel logging support
+<% } -%>
+#module(load="immark") # provides --MARK-- message capability
+
+# provides UDP syslog reception
+#module(load="imudp")
+#input(type="imudp" port="514")
+
+# provides TCP syslog reception
+#module(load="imtcp")
+#input(type="imtcp" port="514")
+
+
+###########################
+#### GLOBAL DIRECTIVES ####
+###########################
+
+#
+# Use traditional timestamp format.
+# To enable high precision timestamps, comment out the following line.
+#
+$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
+
+#
+# Set the default permissions for all log files.
+#
+$FileOwner root
+$FileGroup adm
+$FileCreateMode 0640
+$DirCreateMode 0755
+$Umask 0022
+
+#
+# Where to place spool and state files
+#
+$WorkDirectory /var/spool/rsyslog
+
+#
+# Include all config files in /etc/rsyslog.d/
+#
+$IncludeConfig /etc/rsyslog.d/*.conf
+
+
+###############
+#### RULES ####
+###############
+
+#
+# First some standard log files. Log by facility.
+#
+auth,authpriv.* /var/log/auth.log
+*.*;auth,authpriv.none -/var/log/syslog
+#cron.* /var/log/cron.log
+daemon.* -/var/log/daemon.log
+kern.* -/var/log/kern.log
+lpr.* -/var/log/lpr.log
+mail.* -/var/log/mail.log
+user.* -/var/log/user.log
+
+#
+# Logging for the mail system. Split it up so that
+# it is easy to write scripts to parse these files.
+#
+mail.info -/var/log/mail.info
+mail.warn -/var/log/mail.warn
+mail.err /var/log/mail.err
+
+#
+# Some "catch-all" log files.
+# +*.=debug;\ + auth,authpriv.none;\ + news.none;mail.none -/var/log/debug +*.=info;*.=notice;*.=warn;\ + auth,authpriv.none;\ + cron,daemon.none;\ + mail,news.none -/var/log/messages + +# +# Emergencies are sent to everybody logged in. +# +*.emerg :omusrmsg:* diff --git a/sitemodules/profiles/templates/sniproxy/sniproxy.conf.epp b/sitemodules/profiles/templates/sniproxy/sniproxy.conf.epp index f22c9e2..38d7138 100644 --- a/sitemodules/profiles/templates/sniproxy/sniproxy.conf.epp +++ b/sitemodules/profiles/templates/sniproxy/sniproxy.conf.epp @@ -1,5 +1,8 @@ <%- | Array[String] $https_forwards = [] | -%> -# sniproxy example configuration file +# THIS FILE IS MANAGED BY PUPPET, MANUAL CHANGES WILL BE OVERWRITTEN AT THE +# NEXT PUPPET RUN. +# +# sniproxy configuration file # lines that start with # are comments # lines with only white space are ignored @@ -70,11 +73,12 @@ table https_hosts { <%- $https_forwards.each |$forward| { %> <%= $forward -%> <% } %> +} # if no table specified the default 'default' table is defined #table { - # if no port is specified default HTTP (80) and HTTPS (443) ports are - # assumed based on the protocol of the listen block using this table - #example.com 192.0.2.10 - #example.net 192.0.2.20 +# # if no port is specified default HTTP (80) and HTTPS (443) ports are +# # assumed based on the protocol of the listen block using this table +# example.com 192.0.2.10 +# example.net 192.0.2.20 #} diff --git a/sitemodules/roles/manifests/proxyin.pp b/sitemodules/roles/manifests/proxyin.pp index d495a41..62f421e 100644 --- a/sitemodules/roles/manifests/proxyin.pp +++ b/sitemodules/roles/manifests/proxyin.pp @@ -22,5 +22,6 @@ # class roles::proxyin { include profiles::base + include profiles::rsyslog include profiles::sniproxy } |
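Review bot: `<%- if $enable_klog == true { -%>` compares a parameter the template already declares as `Boolean` against `true`; `<%- if $enable_klog { -%>` is the plain Puppet form and reads the same. The permission directives (`$FileOwner root`, `$FileGroup adm`, `$FileCreateMode 0640`, `$Umask 0022`) are the part of this template worth a why-comment, since they look like copied defaults; something like `# log files are root:adm and not world-readable so auth.log and friends stay private` above them records that the values are deliberate. With `enable_klog` false the `kern.*` rule stays in place and simply receives nothing, which is harmless but could be noted next to the `<%- if` block.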