[puppet] Add port-knocking on koji01
by Xavier Lamien
commit 906f8c084f5be343fd8a601325352d22a5c87e89
Author: Xavier Lamien <laxathom(a)lxtnow.net>
Date: Sat Sep 7 03:45:45 2013 +0200
Add port-knocking on koji01
manifests/nodes/buildserver.rpmfusion.org.pp | 6 ++++++
1 files changed, 6 insertions(+), 0 deletions(-)
---
diff --git a/manifests/nodes/buildserver.rpmfusion.org.pp b/manifests/nodes/buildserver.rpmfusion.org.pp
index e894123..8191463 100644
--- a/manifests/nodes/buildserver.rpmfusion.org.pp
+++ b/manifests/nodes/buildserver.rpmfusion.org.pp
@@ -10,6 +10,12 @@ node 'koji01.rpmfusion.org' {
puppet_server => 'puppet.rpmfusion.org',
}
+ Iptables {
+ knock => true,
+ knockone => '666',
+ knocktwo => '3682',
+ }
+
class { 'koji::hub':
koji_db_host => 'koji01.rpmfusion.org',
koji_db_pass => 'admin',
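Review bot: The knock sequence in the new `Iptables` defaults is committed in clear text, so anyone who can read this repository or its commit mail knows it, and `knockone => '666'` is the same first port the shared defaults use. Port knocking only hides the SSH port, so the sequence should be handled like a secret and kept out of the manifest, for example `knocktwo => hiera('KNOCK_TWO_KEY'),` (placeholder key name, assuming Hiera or an equivalent private lookup is available here). Unlike the shared defaults, this block sets no `hosts_ssh`, so it is worth confirming that is intended. The node body continues outside the hunk.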
11 years, 4 months
[puppet] Might be good to add the module dir to the git tree, no?! :/
by Xavier Lamien
commit d28248b55862f1d709c81b9e743804d4b2bb1feb
Author: Xavier Lamien <laxathom(a)lxtnow.net>
Date: Sat Sep 7 02:40:49 2013 +0200
Might be good to add the module dir to the git tree, no?! :/
modules/default-setup/manifests/init.pp | 76 +++++++++++++++++++++++++++++++
1 files changed, 76 insertions(+), 0 deletions(-)
---
diff --git a/modules/default-setup/manifests/init.pp b/modules/default-setup/manifests/init.pp
new file mode 100644
index 0000000..5a00a7a
--- /dev/null
+++ b/modules/default-setup/manifests/init.pp
@@ -0,0 +1,76 @@
+# This is default post-setup for non-yet managed fas hosts.
+
+class default::setup {
+ # I'm not sure this need to be installed on all hosts.
+ Apache_Httpd {
+ welcome => false,
+ serversignature => 'Off',
+ }
+
+ Iptables {
+ # matthias (ovh + office)
+ hosts_ssh => [ '94.23.230.197', '80.169.244.43' ],
+ knock => true,
+ knockone => '666',
+ knocktwo => '3615',
+ }
+ Ip6tables {
+ # matthias (ovh)
+ hosts_ssh => [ '2001:41d0:2:69c5::bb1e' ],
+ knock => true,
+ knockone => '666',
+ knocktwo => '3615',
+ }
+
+ # Non privileged user we want on all nodes, for various things
+ user { 'rpmfusion':
+ comment => 'RPM Fusion User',
+ managehome => true,
+ }
+ file { '/home/rpmfusion/.ssh':
+ require => User['rpmfusion'],
+ ensure => directory,
+ owner => 'rpmfusion', group => 'rpmfusion', mode => '0700',
+ }
+ file { '/home/rpmfusion/.ssh/authorized_keys':
+ owner => 'rpmfusion', group => 'rpmfusion', mode => '0600',
+ content => '# WARNING: This file is managed by puppet (from site.pp).
+ # WARNING: Do not manually edit it here, all changes will be discarded.
+ ssh-rsa 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 matthias
+ ssh-dss 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 xavier
+ ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDnYiQsnoAJpqmZXzlq5Vv8TbfIQnV8IEYMyWZs0eU2Otec7QbCBJPchDKHVezEIPt+nHgSOg9QSE3OlVA4rhNrkxDnuxO9jwiSQmz8ayvlvig1hjp3C/GJmpM2sjljPA33YVTcOjFSab0GC7EIWF6mWQyDWHTvbdy9R4VRRy5jX4R6Hs3hLtNZs15UYAScLsmFitZKoW3TeIW1fTTuAM2p8h/KaMjMyQSiRrGQ97HTxipahLU2hjYiLMzgg3Xcfnnvi8I2Af8+c11Uy4bxQnMP4Ya40LbTc70oSYdb+VXjCBRXSAw+8K1vvX02ex/Wq5MsDdmQy7JzEb3M8vIMGU7E3I7UI3zRkXmwOKN9Vv8Jn7LxM/sgtixzC6qmwU420r6hRxmXT6H9uZRRX0UteCTxSdu0af+hTdjLd7fxm4L5EVYbm8btqfCpQuXPBesRCNvzvuMsIjdM9PvcTTNO1Sr8Zce+lAZLlddmPguCLIMcNrHl3HO0C+QnGWwQWWijViWsBBkuQs6QyxxKbEOt3RHhSa418te1GthcSzLF1xBoJ2KO8FrWeLQKL6HSq5HlbSQmhymlyRWCnfXhecjqrW+v1poowXPxlcPTRiK5ZCJ0s126IC70ANPQYwMTj5L+gLWGsn/sz0fHEC5b78Dbbuj9LkD2N6KmbqJgM7afx7zDjQ== nchauvet
+ ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAp9/HaNnRFXbIM83lRhZjAed9TNrK9yKMc+WxeKbJygIW4k4R57VJg0E5hTDEdnNa2tIJI06dQf4LWpu5SoovMHOoLymKXoSLQmuacklEbjvG712JcqV8JVkdFqNYBBxvD5nqjE0stEHSG4YeFvKID8e66tjAb15gy0SDmq/e8/WK6BTQcR239qtHdsnkLnWvKHmPJFtitVjceMUqAWB7ZBx5Q8dn2b6b/bZHBwK4yxOSTCM15AWpv/c+PYpEakcB8GFDAkOl4IsFFngG2LAVRhM5kdFhiLztNN+T0T7Apd+DZYLgwGbJ5zEFLMwIt2xa82ZdNbaIE30ky46q3eKl4Q== nchauvet-old
+ ',
+ }
+
+ # Let's avoid an internal DNS server for now
+ host { 'puppet.ovh.rpmfusion.lan':
+ ip => '192.168.230.11',
+ host_aliases => 'puppet',
+ }
+ host { 'bugzilla.ovh.rpmfusion.lan':
+ ip => '192.168.230.12',
+ host_aliases => 'bugzilla',
+ }
+ host { 'builder1.ovh.rpmfusion.lan':
+ ip => '192.168.230.13',
+ host_aliases => [ 'builder1', 'builder1.rpmfusion.org' ],
+ }
+ host { 'old02.ovh.rpmfusion.lan':
+ ip => '192.168.230.14',
+ host_aliases => 'old02',
+ }
+ host { 'old03.ovh.rpmfusion.lan':
+ ip => '192.168.230.15',
+ host_aliases => [ 'old03', 'buildsys.rpmfusion.org' ],
+ }
+
+ # Common puppet client configuration for all nodes
+ class { 'puppet::agent':
+ forcenoop => true,
+ service => false,
+ cron_enable => true,
+ cron_silent => false,
+ puppet_server => 'puppet.ovh.rpmfusion.lan',
+ }
+}
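Review bot: The `authorized_keys` content for the shared `rpmfusion` account still carries an `ssh-dss` key and a key labelled `nchauvet-old`. OpenSSH limits DSA keys to 1024 bits and later releases disable them by default, and a key marked old has presumably been superseded. Moving the file is a good moment to drop both, or to add a comment saying why they must stay. The header line inside the file still reads `(from site.pp)`, which is no longer where it is managed. The same content appears in the `manifests/default-setup.pp` hunk elsewhere on this page.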
11 years, 4 months
[puppet] Actually, make a module of default-setup to avoid import conflict in between nodes.
by Xavier Lamien
commit 7cc5f2f04a6bfd343527d87de0fbaa16cd252a9b
Author: Xavier Lamien <laxathom(a)lxtnow.net>
Date: Sat Sep 7 02:38:39 2013 +0200
Actually, make a module of default-setup to avoid import conflict in between nodes.
manifests/default-setup.pp | 73 --------------------------------------------
manifests/nodes.pp | 8 ++++-
2 files changed, 7 insertions(+), 74 deletions(-)
---
diff --git a/manifests/nodes.pp b/manifests/nodes.pp
index 8d0b752..d438373 100644
--- a/manifests/nodes.pp
+++ b/manifests/nodes.pp
@@ -1,8 +1,8 @@
# Nodes, alphabetically
-import 'default-setup.pp'
node 'builder1.ovh.rpmfusion.lan' {
+ class { 'default::setup': }
$arch = 'i386'
class { 'plague::builder':
build_hostname => 'builder1.rpmfusion.org',
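Review bot: `class { 'default::setup': }` names a class that the module autoloader would look up in a module called `default`, under `manifests/setup.pp` or that module's `init.pp`. The `import` that previously pulled the definitions in is removed here, so unless such a module exists the declaration presumably fails to resolve, and these nodes lose the firewall and SSH defaults it carries. A class name that matches its module directory would avoid this; `default` is also a Puppet keyword and best avoided as a namespace. The same line is added in the other six node hunks of this file.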
@@ -14,6 +14,7 @@ node 'builder1.ovh.rpmfusion.lan' {
}
node 'bugzilla.ovh.rpmfusion.lan' {
+ class { 'default::setup': }
# Bugzilla
package { 'bugzilla': ensure => installed }
file { '/etc/bugzilla/localconfig':
@@ -64,6 +65,7 @@ node 'scm1.rpmfusion.org' {
}
node 'hv02.ovh.rpmfusion.net' {
+ class { 'default::setup': }
# Manually installed before the puppetmaster
# Web server
class { 'nginx': }
@@ -160,6 +162,7 @@ node 'hv02.ovh.rpmfusion.net' {
}
node 'puppet.ovh.rpmfusion.lan' {
+ class { 'default::setup': }
class { 'puppet::master': }
iptables { '/etc/sysconfig/iptables':
# Open "globally", since private only
@@ -180,6 +183,7 @@ node 'puppet.ovh.rpmfusion.lan' {
}
node 'se01.ovh.rpmfusion.net' {
+ class { 'default::setup': }
# The chroot is a big bind-mount mess with RHEL6...
class { 'bind::server': chroot => false }
# Bind config : Authoritative-only name server for RPM Fusion zones
@@ -319,6 +323,7 @@ node 'se01.ovh.rpmfusion.net' {
}
node 'se02.ovh.rpmfusion.net' {
+ class { 'default::setup': }
# Main web server
# Apache httpd config
apache_httpd { 'worker':
@@ -359,6 +364,7 @@ node 'se02.ovh.rpmfusion.net' {
}
node 'se03.ovh.rpmfusion.net' {
+ class { 'default::setup': }
# Reverse proxying to old02
class { 'nginx': }
nginx::file { 'se03.conf':
11 years, 4 months
[puppet] Moved default configs there.
by Xavier Lamien
commit 931c6215c8b9c76b47425fe299a559205e3432bb
Author: Xavier Lamien <laxathom(a)lxtnow.net>
Date: Sat Sep 7 01:47:55 2013 +0200
Moved default configs there.
manifests/default-setup.pp | 73 ++++++++++++++++++++++++++++++++++++++++++++
1 files changed, 73 insertions(+), 0 deletions(-)
---
diff --git a/manifests/default-setup.pp b/manifests/default-setup.pp
new file mode 100644
index 0000000..403b54f
--- /dev/null
+++ b/manifests/default-setup.pp
@@ -0,0 +1,73 @@
+# This is default post-setup for non-yet managed fas hosts.
+
+Apache_Httpd {
+ welcome => false,
+ serversignature => 'Off',
+}
+
+Iptables {
+ # matthias (ovh + office)
+ hosts_ssh => [ '94.23.230.197', '80.169.244.43' ],
+ knock => true,
+ knockone => '666',
+ knocktwo => '3615',
+}
+Ip6tables {
+ # matthias (ovh)
+ hosts_ssh => [ '2001:41d0:2:69c5::bb1e' ],
+ knock => true,
+ knockone => '666',
+ knocktwo => '3615',
+}
+
+# Non privileged user we want on all nodes, for various things
+user { 'rpmfusion':
+ comment => 'RPM Fusion User',
+ managehome => true,
+}
+file { '/home/rpmfusion/.ssh':
+ require => User['rpmfusion'],
+ ensure => directory,
+ owner => 'rpmfusion', group => 'rpmfusion', mode => '0700',
+}
+file { '/home/rpmfusion/.ssh/authorized_keys':
+ owner => 'rpmfusion', group => 'rpmfusion', mode => '0600',
+ content => '# WARNING: This file is managed by puppet (from site.pp).
+# WARNING: Do not manually edit it here, all changes will be discarded.
+ssh-rsa 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 matthias
+ssh-dss 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 xavier
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDnYiQsnoAJpqmZXzlq5Vv8TbfIQnV8IEYMyWZs0eU2Otec7QbCBJPchDKHVezEIPt+nHgSOg9QSE3OlVA4rhNrkxDnuxO9jwiSQmz8ayvlvig1hjp3C/GJmpM2sjljPA33YVTcOjFSab0GC7EIWF6mWQyDWHTvbdy9R4VRRy5jX4R6Hs3hLtNZs15UYAScLsmFitZKoW3TeIW1fTTuAM2p8h/KaMjMyQSiRrGQ97HTxipahLU2hjYiLMzgg3Xcfnnvi8I2Af8+c11Uy4bxQnMP4Ya40LbTc70oSYdb+VXjCBRXSAw+8K1vvX02ex/Wq5MsDdmQy7JzEb3M8vIMGU7E3I7UI3zRkXmwOKN9Vv8Jn7LxM/sgtixzC6qmwU420r6hRxmXT6H9uZRRX0UteCTxSdu0af+hTdjLd7fxm4L5EVYbm8btqfCpQuXPBesRCNvzvuMsIjdM9PvcTTNO1Sr8Zce+lAZLlddmPguCLIMcNrHl3HO0C+QnGWwQWWijViWsBBkuQs6QyxxKbEOt3RHhSa418te1GthcSzLF1xBoJ2KO8FrWeLQKL6HSq5HlbSQmhymlyRWCnfXhecjqrW+v1poowXPxlcPTRiK5ZCJ0s126IC70ANPQYwMTj5L+gLWGsn/sz0fHEC5b78Dbbuj9LkD2N6KmbqJgM7afx7zDjQ== nchauvet
+ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAp9/HaNnRFXbIM83lRhZjAed9TNrK9yKMc+WxeKbJygIW4k4R57VJg0E5hTDEdnNa2tIJI06dQf4LWpu5SoovMHOoLymKXoSLQmuacklEbjvG712JcqV8JVkdFqNYBBxvD5nqjE0stEHSG4YeFvKID8e66tjAb15gy0SDmq/e8/WK6BTQcR239qtHdsnkLnWvKHmPJFtitVjceMUqAWB7ZBx5Q8dn2b6b/bZHBwK4yxOSTCM15AWpv/c+PYpEakcB8GFDAkOl4IsFFngG2LAVRhM5kdFhiLztNN+T0T7Apd+DZYLgwGbJ5zEFLMwIt2xa82ZdNbaIE30ky46q3eKl4Q== nchauvet-old
+',
+}
+
+# Let's avoid an internal DNS server for now
+host { 'puppet.ovh.rpmfusion.lan':
+ ip => '192.168.230.11',
+ host_aliases => 'puppet',
+}
+host { 'bugzilla.ovh.rpmfusion.lan':
+ ip => '192.168.230.12',
+ host_aliases => 'bugzilla',
+}
+host { 'builder1.ovh.rpmfusion.lan':
+ ip => '192.168.230.13',
+ host_aliases => [ 'builder1', 'builder1.rpmfusion.org' ],
+}
+host { 'old02.ovh.rpmfusion.lan':
+ ip => '192.168.230.14',
+ host_aliases => 'old02',
+}
+host { 'old03.ovh.rpmfusion.lan':
+ ip => '192.168.230.15',
+ host_aliases => [ 'old03', 'buildsys.rpmfusion.org' ],
+}
+
+# Common puppet client configuration for all nodes
+class { 'puppet::agent':
+ forcenoop => true,
+ service => false,
+ cron_enable => true,
+ cron_silent => false,
+ puppet_server => 'puppet.ovh.rpmfusion.lan',
+}
11 years, 4 months
[puppet] Move default iptables & port-knocking as well.
by Xavier Lamien
commit 41f45d8bedc40e32852fbf6fcb7a2ed709cdc858
Author: Xavier Lamien <laxathom(a)lxtnow.net>
Date: Sat Sep 7 01:47:23 2013 +0200
Move default iptables & port-knocking as well.
manifests/site.pp | 19 -------------------
1 files changed, 0 insertions(+), 19 deletions(-)
---
diff --git a/manifests/site.pp b/manifests/site.pp
index e0765a4..3ba72b2 100644
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -2,25 +2,6 @@
# puppet agent --onetime --no-daemonize --logdest=syslog --logdest=console --server=puppet.ovh.rpmfusion.lan
# Useful defaults
-Apache_Httpd {
- welcome => false,
- serversignature => 'Off',
-}
-Iptables {
- # matthias (ovh + office)
- hosts_ssh => [ '94.23.230.197', '80.169.244.43' ],
- knock => true,
- knockone => '666',
- knocktwo => '3615',
-}
-Ip6tables {
- # matthias (ovh)
- hosts_ssh => [ '2001:41d0:2:69c5::bb1e' ],
- knock => true,
- knockone => '666',
- knocktwo => '3615',
-}
-
# Make sure global account emails are sent out to be read
mailalias { [ 'root', 'rpmfusion' ]: recipient => 'root(a)rpmfusion.org' }
11 years, 4 months
[puppet] Make site.pp less intrusive by spliting out some default configs deployments.
by Xavier Lamien
commit 522ed16877e78f46689e7c02afa7704cc464737d
Author: Xavier Lamien <laxathom(a)lxtnow.net>
Date: Sat Sep 7 01:43:39 2013 +0200
Make site.pp less intrusive by spliting out some default configs deployments.
manifests/nodes.pp | 1 +
manifests/nodes/buildserver.rpmfusion.org.pp | 9 ++++
manifests/site.pp | 52 --------------------------
3 files changed, 10 insertions(+), 52 deletions(-)
---
diff --git a/manifests/nodes.pp b/manifests/nodes.pp
index e56b6c0..8d0b752 100644
--- a/manifests/nodes.pp
+++ b/manifests/nodes.pp
@@ -1,5 +1,6 @@
# Nodes, alphabetically
+import 'default-setup.pp'
node 'builder1.ovh.rpmfusion.lan' {
$arch = 'i386'
diff --git a/manifests/nodes/buildserver.rpmfusion.org.pp b/manifests/nodes/buildserver.rpmfusion.org.pp
index b79d788..e894123 100644
--- a/manifests/nodes/buildserver.rpmfusion.org.pp
+++ b/manifests/nodes/buildserver.rpmfusion.org.pp
@@ -1,6 +1,15 @@
# All Build Server related nodes
node 'koji01.rpmfusion.org' {
+
+ class { 'puppet::agent':
+ forcenoop => false,
+ service => false,
+ cron_enable => true,
+ cron_silent => false,
+ puppet_server => 'puppet.rpmfusion.org',
+ }
+
class { 'koji::hub':
koji_db_host => 'koji01.rpmfusion.org',
koji_db_pass => 'admin',
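Review bot: Nothing in this block says why koji01 departs from the shared agent settings, which this same commit shows with `forcenoop => true` and the internal `puppet.ovh.rpmfusion.lan` master. Here the agent enforces changes and talks to `puppet.rpmfusion.org`. A one-line comment above the declaration, such as `# koji01 is outside the OVH LAN: enforce mode, public puppetmaster`, would make the difference deliberate rather than accidental. Please adjust the wording to the real reason.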
diff --git a/manifests/site.pp b/manifests/site.pp
index 8755897..e0765a4 100644
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -44,58 +44,6 @@ ssh-dss AAAAB3NzaC1kc3MAAACBAOM9F9gGUw/E9vhoW7a/yfgVdKjEnkp6M7DVjl+SDjoDZgfjTY1R
',
}
-# Non privileged user we want on all nodes, for various things
-user { 'rpmfusion':
- comment => 'RPM Fusion User',
- managehome => true,
-}
-file { '/home/rpmfusion/.ssh':
- require => User['rpmfusion'],
- ensure => directory,
- owner => 'rpmfusion', group => 'rpmfusion', mode => '0700',
-}
-file { '/home/rpmfusion/.ssh/authorized_keys':
- owner => 'rpmfusion', group => 'rpmfusion', mode => '0600',
- content => '# WARNING: This file is managed by puppet (from site.pp).
-# WARNING: Do not manually edit it here, all changes will be discarded.
-ssh-rsa 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 matthias
-ssh-dss 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 xavier
-ssh-rsa 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 nchauvet
-ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAp9/HaNnRFXbIM83lRhZjAed9TNrK9yKMc+WxeKbJygIW4k4R57VJg0E5hTDEdnNa2tIJI06dQf4LWpu5SoovMHOoLymKXoSLQmuacklEbjvG712JcqV8JVkdFqNYBBxvD5nqjE0stEHSG4YeFvKID8e66tjAb15gy0SDmq/e8/WK6BTQcR239qtHdsnkLnWvKHmPJFtitVjceMUqAWB7ZBx5Q8dn2b6b/bZHBwK4yxOSTCM15AWpv/c+PYpEakcB8GFDAkOl4IsFFngG2LAVRhM5kdFhiLztNN+T0T7Apd+DZYLgwGbJ5zEFLMwIt2xa82ZdNbaIE30ky46q3eKl4Q== nchauvet-old
-',
-}
-
-# Let's avoid an internal DNS server for now
-host { 'puppet.ovh.rpmfusion.lan':
- ip => '192.168.230.11',
- host_aliases => 'puppet',
-}
-host { 'bugzilla.ovh.rpmfusion.lan':
- ip => '192.168.230.12',
- host_aliases => 'bugzilla',
-}
-host { 'builder1.ovh.rpmfusion.lan':
- ip => '192.168.230.13',
- host_aliases => [ 'builder1', 'builder1.rpmfusion.org' ],
-}
-host { 'old02.ovh.rpmfusion.lan':
- ip => '192.168.230.14',
- host_aliases => 'old02',
-}
-host { 'old03.ovh.rpmfusion.lan':
- ip => '192.168.230.15',
- host_aliases => [ 'old03', 'buildsys.rpmfusion.org' ],
-}
-
-# Common puppet client configuration for all nodes
-class { 'puppet::agent':
- forcenoop => true,
- service => false,
- cron_enable => true,
- cron_silent => false,
- puppet_server => 'puppet.ovh.rpmfusion.lan',
-}
-
# Minimal installs don't have restorecond running by default
include selinux
11 years, 4 months
[puppet] Fix path typo.
by Xavier Lamien
commit 6c8656ad9e38c76e0ce7d5bad70a1fa6c952b0b9
Author: Xavier Lamien <laxathom(a)lxtnow.net>
Date: Sat Sep 7 00:29:11 2013 +0200
Fix path typo.
modules/koji/manifests/init.pp | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
---
diff --git a/modules/koji/manifests/init.pp b/modules/koji/manifests/init.pp
index 83d2cf5..59d5e1f 100644
--- a/modules/koji/manifests/init.pp
+++ b/modules/koji/manifests/init.pp
@@ -62,7 +62,7 @@ class koji {
}
file { '/etc/kojiweb/web.conf':
- content => template('koji/web/web/conf.erb'),
+ content => template('koji/web/web.conf.erb'),
mode => 640,
owner => 'root',
group => 'root',
11 years, 4 months
[puppet] Update kojihub as well.
by Xavier Lamien
commit 2755feb451106330447241fd1eaf7158b4c46f33
Author: Xavier Lamien <laxathom(a)lxtnow.net>
Date: Sat Sep 7 00:27:52 2013 +0200
Update kojihub as well.
manifests/nodes/buildserver.rpmfusion.org.pp | 6 +++-
modules/koji/files/hub/kojihub.conf | 28 +++++++++++++------------
modules/koji/manifests/init.pp | 2 +-
3 files changed, 20 insertions(+), 16 deletions(-)
---
diff --git a/manifests/nodes/buildserver.rpmfusion.org.pp b/manifests/nodes/buildserver.rpmfusion.org.pp
index 6a53ab3..b79d788 100644
--- a/manifests/nodes/buildserver.rpmfusion.org.pp
+++ b/manifests/nodes/buildserver.rpmfusion.org.pp
@@ -18,7 +18,9 @@ node 'koji01.rpmfusion.org' {
],
}
- class { 'koji::web': }
+ class { 'koji::web':
+ kojiSecret => '04321114'
+ }
class { 'koji::kojira': }
$tcpports = [ '80', '443' ]
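Review bot: `kojiSecret => '04321114'` puts the value that ends up as koji-web's `Secret` into the node manifest in clear text, and it is short and digits only. Once committed and mailed it should be considered disclosed: rotate it, generate a long random value, and supply it from a private data source, e.g. `kojiSecret => hiera('KOJI_WEB_SECRET_KEY'),` (placeholder key name). The node body continues outside the hunk.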
@@ -27,5 +29,5 @@ node 'koji01.rpmfusion.org' {
}
class { 'fas::client':
- $fas_groups = [ 'sysadmin-main', 'sysadmin-build' ] }
+ group => [ 'sysadmin-main', 'sysadmin-build' ] }
}
diff --git a/modules/koji/files/hub/kojihub.conf b/modules/koji/files/hub/kojihub.conf
index 3f1911c..b86df22 100644
--- a/modules/koji/files/hub/kojihub.conf
+++ b/modules/koji/files/hub/kojihub.conf
@@ -2,23 +2,25 @@
# koji-hub is an xmlrpc interface to the Koji database
#
-Alias /kojihub "/usr/share/koji-hub/XMLRPC"
+Alias /kojihub /usr/share/koji-hub/kojixmlrpc.py
-<Directory /usr/share/koji-hub>
- SetHandler mod_python
- PythonHandler kojixmlrpc
-
- PythonOption ConfigFile /etc/koji-hub/hub.conf
-
- PythonDebug Off
- # autoreload is mostly useless to us (it would only reload kojixmlrpc.py)
- PythonAutoReload Off
+<Directory "/usr/share/koji-hub">
+ Options ExecCGI
+ SetHandler wsgi-script
+ Order allow,deny
+ Allow from all
</Directory>
-# uncomment this to enable authentication via SSL client certificates
-<Location /kojihub>
- SSLOptions +StdEnvVars
+<Location /kojihub/ssllogin>
+ SSLVerifyClient require
+ SSLVerifyDepth 10
+ SSLOptions +StdEnvVars
</Location>
+
+# uncomment this to enable authentication via SSL client certificates
+#<Location /kojihub>
+# SSLOptions +StdEnvVars
+#</Location>
# these options must be enabled globally (in ssl.conf)
# SSLVerifyClient require
# SSLVerifyDepth 10
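Review bot: The comments left around the new `<Location /kojihub/ssllogin>` block now contradict it. `# uncomment this to enable authentication via SSL client certificates` sits above a block that is commented out, while client-certificate verification is already active just above it. The trailing `# these options must be enabled globally (in ssl.conf)` no longer matches the per-location `SSLVerifyClient require`. I would delete the dead `<Location /kojihub>` block and replace both comments with one line stating that certificate login is enforced only on `/kojihub/ssllogin` and requires the TLS virtual host.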
diff --git a/modules/koji/manifests/init.pp b/modules/koji/manifests/init.pp
index ef221e0..83d2cf5 100644
--- a/modules/koji/manifests/init.pp
+++ b/modules/koji/manifests/init.pp
@@ -41,7 +41,7 @@ class koji {
}
}
- class web ( $koji_secret = $kojiSecret ) inherits koji {
+ class web ( $kojiSecret = $koji_secret ) inherits koji {
include apache_httpd::service::ssl
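Review bot: The default `$koji_secret` is not defined anywhere in the visible code, so declaring `koji::web` without the parameter would presumably render an empty `Secret` instead of failing the catalog. A secret should have no fallback; make the parameter mandatory with `class web ( $kojiSecret ) inherits koji {`. The class body continues outside the hunk.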
11 years, 4 months
[puppet] User WSGI for koji-web.
by Xavier Lamien
commit b57686b28d9253f122b15167490f04e72d6db4eb
Author: Xavier Lamien <laxathom(a)lxtnow.net>
Date: Fri Sep 6 23:46:24 2013 +0200
User WSGI for koji-web.
manifests/nodes/buildserver.rpmfusion.org.pp | 5 +-
modules/koji/files/web/kojiweb.conf | 71 ++++++++++++--------------
modules/koji/manifests/init.pp | 16 +++++-
modules/koji/templates/web/web.conf.erb | 20 +++++++
4 files changed, 68 insertions(+), 44 deletions(-)
---
diff --git a/manifests/nodes/buildserver.rpmfusion.org.pp b/manifests/nodes/buildserver.rpmfusion.org.pp
index bba213a..6a53ab3 100644
--- a/manifests/nodes/buildserver.rpmfusion.org.pp
+++ b/manifests/nodes/buildserver.rpmfusion.org.pp
@@ -13,9 +13,8 @@ node 'koji01.rpmfusion.org' {
'alias',
'rewrite',
'cgi',
- 'python',
- 'authz_host',
- 'include'
+ 'wsgi',
+ 'authz_host'
],
}
diff --git a/modules/koji/files/web/kojiweb.conf b/modules/koji/files/web/kojiweb.conf
index e44bca3..2059d1e 100644
--- a/modules/koji/files/web/kojiweb.conf
+++ b/modules/koji/files/web/kojiweb.conf
@@ -1,44 +1,20 @@
-Alias /koji "/usr/share/koji-web/scripts/"
-Alias /koji-packages /srv/koji/packages/
-Alias /koji-repos /srv/koji/repos/
+RewriteEngine On
+RewriteRule ^/$ /koji/ [R,L]
+
+Alias /koji "/usr/share/koji-web/scripts/wsgi_publisher.py"
<Directory "/usr/share/koji-web/scripts/">
- # Config for the publisher handler
- SetHandler mod_python
- # Use kojiweb's publisher (which handles errors more gracefully)
- # You can also use mod_python.publisher, but you will lose the pretty tracebacks
- PythonHandler kojiweb.publisher
-
- # General settings
- PythonDebug On
- PythonOption SiteName "RPM Fusion Build System"
- PythonOption KojiHubURL http://koji01.rpmfusion.org/kojihub
- PythonOption KojiPackagesURL http://koji01.rpmfusion.org/koji-packages
- PythonOption KojiImagesURL http://koji01.rpmfusion.org/koji/images
- PythonOption DNUsernameComponent CN
- PythonOption ProxyDNs "/C=ES/ST=Barcelona/O=RPM Fusion/CN=kojiweb"
-
-# PythonOption WebPrincipal koji/web(a)EXAMPLE.COM
-# PythonOption WebKeytab /etc/httpd.keytab
- PythonOption WebCCache /var/tmp/kojiweb.ccache
- PythonOption WebCert /etc/pki/koji/kojiweb.pem
- PythonOption ClientCA /etc/pki/koji/rpmfusion_ca_cert.crt
- PythonOption KojiHubCA /etc/pki/koji/rpmfusion_ca_cert.crt
- PythonOption LoginTimeout 72
- # This must be changed before deployment
- PythonOption Secret CHANGE_ME123
- PythonPath "sys.path + ['/usr/share/koji-web/lib']"
- PythonCleanupHandler kojiweb.handlers::cleanup
- PythonAutoReload Off
+ Options ExecCGI
+ SetHandler wsgi-script
+ Order allow,deny
+ Allow from all
</Directory>
-# uncomment this to enable authentication via SSL client certificates
<Location /koji/login>
+ SSLVerifyClient require
+ SSLVerifyDepth 10
SSLOptions +StdEnvVars
</Location>
-# these options must be enabled globally (in ssl.conf)
-# SSLVerifyClient require
-# SSLVerifyDepth 10
Alias /koji-static/ "/usr/share/koji-web/static/"
@@ -49,9 +25,28 @@ Alias /koji-static/ "/usr/share/koji-web/static/"
Allow from all
</Directory>
+Alias /repos "/srv/koji/repos/"
+
<Directory "/srv/koji/repos/">
- Options +Indexes
- AllowOverride None
- Order Allow,Deny
- Allow from All
+ Options Indexes FollowSymLinks
+</Directory>
+
+Alias /scratch "/srv/koji/scratch/"
+
+<Directory "/srv/koji/scratch/">
+ Options Indexes
</Directory>
+
+Alias /work "/srv/koji/work/"
+
+<Directory "/srv/koji/work/">
+ Options Indexes
+</Directory>
+
+Alias /buildgroups "/srv/koji/buildgroups/"
+
+<Directory "/srv/koji/buildgroups/">
+ Options Indexes FollowSymLinks
+</Directory>
+
+RewriteRule ^/packages(.+) http://kojipkgs.rpmfusion.org/packages$1 [R=301,L]
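Review bot: The new `/srv/koji/scratch/` and `/srv/koji/work/` blocks publish directory listings of build working areas, and the rewritten `/srv/koji/repos/` block loses the `AllowOverride None` and explicit `Order`/`Allow` lines it had. Access now depends on whatever the enclosing server configuration inherits, which is not visible here. I would keep `AllowOverride None` in every block and prefer `Options Indexes SymLinksIfOwnerMatch` over `FollowSymLinks` for trees that build jobs can write to, so a symlink cannot expose files outside the tree. The closing `RewriteRule` redirects package downloads to plain `http://`, which is worth confirming as intended.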
diff --git a/modules/koji/manifests/init.pp b/modules/koji/manifests/init.pp
index 0b5b6aa..ef221e0 100644
--- a/modules/koji/manifests/init.pp
+++ b/modules/koji/manifests/init.pp
@@ -35,13 +35,13 @@ class koji {
owner => apache, #TODO: move this to variable if we manage more than one webserver app.
group => apache,
mode => 600,
- require => Package[koji-hub],
+ require => Package['koji-hub'],
content => template('koji/hub-server/hub.conf.erb'),
notify => Service['httpd'] #TODO: same as above.
}
}
- class web inherits koji {
+ class web ( $koji_secret = $kojiSecret ) inherits koji {
include apache_httpd::service::ssl
@@ -61,6 +61,16 @@ class koji {
require => Package['httpd']
}
+ file { '/etc/kojiweb/web.conf':
+ content => template('koji/web/web/conf.erb'),
+ mode => 640,
+ owner => 'root',
+ group => 'root',
+ ensure => file,
+ notify => Service['httpd'],
+ require => Package['koji-web']
+ }
+
file { "/etc/pki/koji":
replace => false,
ensure => directory
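Review bot: `/etc/kojiweb/web.conf` holds the templated `Secret`, yet it is created `root:root` with `mode => 640`, so the account running the WSGI application presumably cannot read it. The hub config earlier in this file is owned by `apache`, which suggests that is the account. Granting read access through the group keeps the file away from other local users: `group => 'apache',` and `mode => '0640',`. Quoting the mode with a leading zero also keeps it from being parsed as a number. The enclosing class starts and ends outside the hunk.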
@@ -101,7 +111,7 @@ class koji {
owner => root,
group => root,
mode => 644,
- require => Package[koji-builder],
+ require => Package['koji-builder'],
notify => Service['kojid']
}
diff --git a/modules/koji/templates/web/web.conf.erb b/modules/koji/templates/web/web.conf.erb
new file mode 100644
index 0000000..a81147a
--- /dev/null
+++ b/modules/koji/templates/web/web.conf.erb
@@ -0,0 +1,20 @@
+[web]
+SiteName = koji
+#KojiTheme = mytheme
+
+# Key urls
+KojiHubURL = http://koji01.rpmfusion.org/kojihub
+KojiFilesURL = http://kojipkgs.rpmfusion.org/
+
+# SSL authentication options
+WebCert = /etc/pki/koji/kojiweb.pem
+ClientCA = /etc/pki/koji/rpmfusion_ca_cert.crt
+KojiHubCA = /etc/pki/koji/rpmfusion_ca_cert.crt
+
+
+LoginTimeout = 72
+
+# This must be changed and uncommented before deployment
+Secret = <%= kojiSecret %>
+
+LibPath = /usr/share/koji-web/lib
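Review bot: The comment above `Secret` still says the value "must be changed and uncommented before deployment", but the line is now live and filled from Puppet, so the comment misleads whoever reads the deployed file. I would replace it with `# Set from the kojiSecret class parameter; do not edit here`. The template should also reference the variable as `<%= @kojiSecret %>`, since bare variable names in ERB are deprecated in later Puppet releases. An empty or undefined value would be written out silently.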
11 years, 4 months
[puppet] Add allowed fas group to koji01. Fix path on python-fedora hotfix.
by Xavier Lamien
commit 1e30715ecaedb3f9ae83a642e6f59ddc9bb13a4d
Author: Xavier Lamien <laxathom(a)scm1.rpmfusion.org>
Date: Fri Sep 6 01:33:17 2013 +0200
Add allowed fas group to koji01.
Fix path on python-fedora hotfix.
manifests/nodes/buildserver.rpmfusion.org.pp | 14 ++++++++++++--
modules/fas/manifests/init.pp | 2 +-
2 files changed, 13 insertions(+), 3 deletions(-)
---
diff --git a/manifests/nodes/buildserver.rpmfusion.org.pp b/manifests/nodes/buildserver.rpmfusion.org.pp
index 8ac67eb..bba213a 100644
--- a/manifests/nodes/buildserver.rpmfusion.org.pp
+++ b/manifests/nodes/buildserver.rpmfusion.org.pp
@@ -7,7 +7,16 @@ node 'koji01.rpmfusion.org' {
}
apache_httpd { 'worker':
- modules => [ 'dir', 'mime', 'alias', 'rewrite', 'cgi', 'python' ],
+ modules => [
+ 'dir',
+ 'mime',
+ 'alias',
+ 'rewrite',
+ 'cgi',
+ 'python',
+ 'authz_host',
+ 'include'
+ ],
}
class { 'koji::web': }
@@ -18,5 +27,6 @@ node 'koji01.rpmfusion.org' {
tcpports => $tcpports,
}
- class { 'fas::client': }
+ class { 'fas::client':
+ $fas_groups = [ 'sysadmin-main', 'sysadmin-build' ] }
}
diff --git a/modules/fas/manifests/init.pp b/modules/fas/manifests/init.pp
index 81af6af..0ab9097 100644
--- a/modules/fas/manifests/init.pp
+++ b/modules/fas/manifests/init.pp
@@ -54,7 +54,7 @@ class fas {
source => "puppet:///fas/hotfix/fasClient",
require => Package["python-fedora"],
}
- file { "/usr/lib/python-2.6/site-packages/fedora/client/fas2.py":
+ file { "/usr/lib/python2.6/site-packages/fedora/client/fas2.py":
owner => "root",
group => "root",
source => "puppet:///fas/hotfix/python-fedora_fas2.py",
11 years, 4 months