Commit ae5dbd2d7e04be87c706991d457800bdcda7b782

Authored by root ago
1 parent dee20279c6

firewall policy has been added

Showing 13 changed files with 276 additions and 138 deletions Side-by-side Diff

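--- a/manifests/api-deploy.pp
+++ b/manifests/api-deploy.pp
@@ -1,23 +0,0 @@
-node /^kr-api-\d+$/ {
-
- class { 'java':
- distribution => 'jdk',
- }
-
- class { 'maven::maven':
- version => '3.1.1',
- }
-
- vcsrepo { '/tmp/pikicast-new-api':
- ensure => latest,
- provider => git,
- source => 'ssh://git@gitlab.pikicast.com:2222/piki_devops/pikicast-new-api-v1-1.git',
- revision => 'master',
- }
-
- exec { 'build_pikicast-new-api':
- cwd => '/tmp/pikicast-new-api',
- command => 'mvn -U clean compile package -Dmaven.test.skip=true',
- path => '/usr/local/bin/:/usr/bin:/bin',
- }
-}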
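--- a/manifests/bmt-server.pp
+++ b/manifests/bmt-server.pp
@@ -1,56 +0,0 @@
-node 'BMTPIKI-X-DB1' {
- include nginx
-
- file { '/etc/nginx':
- ensure => directory,
- }
-
- file { '/etc/nginx/conf.d':
- ensure => directory,
- recurse => true,
- purge => true,
- }
-
- file { 'nginx.conf':
- path => '/etc/nginx/nginx.conf',
- ensure => present,
- source => 'puppet:///modules/nginx/nginx.conf.webproxy.dev',
- }
-
- file { 'fastcgi.conf':
- path => '/etc/nginx/fastcgi.conf',
- ensure => present,
- source => 'puppet:///modules/nginx/fastcgi.conf.webproxy.dev',
- }
-
- file { 'http.conf':
- path => '/etc/nginx/conf.d/http.conf',
- ensure => present,
- source => 'puppet:///modules/nginx/http.conf.webproxy.dev',
- }
-
- include php
-
- file { ['/etc/php-fpm.d']:
- ensure => directory,
- }
-
- file { 'www.conf':
- path => '/etc/php-fpm.d/www.conf',
- ensure => present,
- source => 'puppet:///modules/php/www.conf.webserver.dev',
- }
-
- file { 'php.ini':
- path => '/etc/php.ini',
- ensure => present,
- source => 'puppet:///modules/php/php.ini.webserver.dev',
- }
-
- vcsrepo { '/var/www/pikicast-web-ci':
- ensure => latest,
- provider => git,
- source => 'ssh://git@gitlab.pikicast.com:2222/Owen/pikicast-web-ci.git',
- revision => 'master',
- }
-}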
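--- a/manifests/bmt-server/site.pp
+++ b/manifests/bmt-server/site.pp
@@ -0,0 +1,56 @@
+node 'BMTPIKI-X-DB1' {
+ include nginx
+
+ file { '/etc/nginx':
+ ensure => directory,
+ }
+
+ file { '/etc/nginx/conf.d':
+ ensure => directory,
+ recurse => true,
+ purge => true,
+ }
+
+ file { 'nginx.conf':
+ path => '/etc/nginx/nginx.conf',
+ ensure => present,
+ source => 'puppet:///modules/nginx/nginx.conf.webproxy.dev',
+ }
+
+ file { 'fastcgi.conf':
+ path => '/etc/nginx/fastcgi.conf',
+ ensure => present,
+ source => 'puppet:///modules/nginx/fastcgi.conf.webproxy.dev',
+ }
+
+ file { 'http.conf':
+ path => '/etc/nginx/conf.d/http.conf',
+ ensure => present,
+ source => 'puppet:///modules/nginx/http.conf.webproxy.dev',
+ }
+
+ include php
+
+ file { ['/etc/php-fpm.d']:
+ ensure => directory,
+ }
+
+ file { 'www.conf':
+ path => '/etc/php-fpm.d/www.conf',
+ ensure => present,
+ source => 'puppet:///modules/php/www.conf.webserver.dev',
+ }
+
+ file { 'php.ini':
+ path => '/etc/php.ini',
+ ensure => present,
+ source => 'puppet:///modules/php/php.ini.webserver.dev',
+ }
+
+ vcsrepo { '/var/www/pikicast-web-ci':
+ ensure => latest,
+ provider => git,
+ source => 'ssh://git@gitlab.pikicast.com:2222/Owen/pikicast-web-ci.git',
+ revision => 'master',
+ }
+}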
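--- a/manifests/deploy/api-deploy.pp
+++ b/manifests/deploy/api-deploy.pp
@@ -0,0 +1,23 @@
+node /^kr-api-\d+$/ {
+
+ class { 'java':
+ distribution => 'jdk',
+ }
+
+ class { 'maven::maven':
+ version => '3.1.1',
+ }
+
+ vcsrepo { '/tmp/pikicast-new-api':
+ ensure => latest,
+ provider => git,
+ source => 'ssh://git@gitlab.pikicast.com:2222/piki_devops/pikicast-new-api-v1-1.git',
+ revision => 'master',
+ }
+
+ exec { 'build_pikicast-new-api':
+ cwd => '/tmp/pikicast-new-api',
+ command => 'mvn -U clean compile package -Dmaven.test.skip=true',
+ path => '/usr/local/bin/:/usr/bin:/bin',
+ }
+}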
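--- a/manifests/deploy/web-deploy.pp
+++ b/manifests/deploy/web-deploy.pp
@@ -0,0 +1,8 @@
+node /^kr-web-\d+$/, /^kr-web-proxy-\d+$/ {
+ vcsrepo { '/var/www/pikicast-web-ci':
+ ensure => latest,
+ provider => git,
+ source => 'ssh://git@gitlab.pikicast.com:2222/Owen/pikicast-web-ci.git',
+ revision => 'master',
+ }
+}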
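--- a/manifests/web-deploy.pp
+++ b/manifests/web-deploy.pp
@@ -1,8 +0,0 @@
-node /^kr-web-\d+$/, /^kr-web-proxy-\d+$/ {
- vcsrepo { '/var/www/pikicast-web-ci':
- ensure => latest,
- provider => git,
- source => 'ssh://git@gitlab.pikicast.com:2222/Owen/pikicast-web-ci.git',
- revision => 'master',
- }
-}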
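--- a/manifests/web-proxy.pp
+++ b/manifests/web-proxy.pp
@@ -1,32 +0,0 @@
-node /^kr-web-proxy-\d+$/ {
- include nginx
-
- file { '/etc/nginx':
- ensure => directory,
- }
-
- file { 'nginx.conf':
- path => '/etc/nginx/nginx.conf',
- ensure => present,
- source => 'puppet:///modules/nginx/nginx.conf.webproxy.real',
- }
-
- file { 'fastcgi.conf':
- path => '/etc/nginx/fastcgi.conf',
- ensure => present,
- source => 'puppet:///modules/nginx/fastcgi.conf.webproxy.real',
- }
-
- file { '/etc/nginx/conf.d':
- ensure => directory,
- recurse => true,
- purge => true,
- before => File['http.conf'],
- }
-
- file { 'http.conf':
- path => '/etc/nginx/conf.d/http.conf',
- ensure => present,
- source => 'puppet:///modules/nginx/http.conf.webproxy.real',
- }
-}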
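--- a/manifests/web-proxy/post.pp
+++ b/manifests/web-proxy/post.pp
@@ -0,0 +1,7 @@
+class my_fw::post {
+ firewall { '999 drop all':
+ proto => 'all',
+ action => 'drop',
+ before => undef,
+ }
+}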
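Review bot: `my_fw::post` is defined here but declared nowhere in the commit — neither manifests/web-proxy/site.pp nor manifests/web-server/site.pp has a `class { 'my_fw::post': }`, and no `Firewall { before => Class['my_fw::post'] }` default orders the accept rules ahead of it — so the `999 drop all` rule never reaches a node. Without it the per-node accept rules for 22, 80, 443 and 9000 filter nothing unless the INPUT chain policy is set to DROP by some means not visible here. The rule also leaves `chain` to the module default; stating `chain => 'INPUT',` explicitly, as the site manifests do, makes the intent readable. Reachability is a further question: a class named `my_fw::post` is autoloaded from a `my_fw` module's manifests/post.pp, and manifests/web-proxy/post.pp is presumably not on that path, so the file has to be imported explicitly to take effect.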
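--- a/manifests/web-proxy/pre.pp
+++ b/manifests/web-proxy/pre.pp
@@ -0,0 +1,30 @@
+class my_fw::pre {
+ Firewall {
+ require => undef,
+ }
+
+ # Default firewall rules
+ firewall { '000 accept all icmp':
+ proto => 'icmp',
+ action => 'accept',
+ }
+
+ firewall { '001 accept all to lo interface':
+ proto => 'all',
+ iniface => 'lo',
+ action => 'accept',
+ }
+
+ firewall { "002 reject local traffic not on loopback interface":
+ iniface => '! lo',
+ proto => 'all',
+ destination => '127.0.0.1/8',
+ action => 'reject',
+ }
+
+ firewall { '003 accept related established rules':
+ proto => 'all',
+ state => ['RELATED', 'ESTABLISHED'],
+ action => 'accept',
+ }
+}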
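Review bot: `destination => '127.0.0.1/8'` on the `002 reject` rule has host bits set; write `destination => '127.0.0.0/8',` so the intended loopback network is explicit instead of relying on iptables to mask it. The title `"002 reject local traffic not on loopback interface"` is double-quoted without any interpolation while every other title in the file is single-quoted; make it `'002 reject local traffic not on loopback interface'`. A one-line header comment such as `# Rules that must precede every per-node rule; see my_fw::post for the terminating drop.` would explain why `require => undef` is set on the `Firewall` default.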
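--- a/manifests/web-proxy/site.pp
+++ b/manifests/web-proxy/site.pp
@@ -0,0 +1,85 @@
+node /^kr-web-proxy-\d+$/ {
+ include nginx
+
+ file { '/etc/nginx':
+ ensure => directory,
+ }
+
+ file { 'nginx.conf':
+ path => '/etc/nginx/nginx.conf',
+ ensure => present,
+ source => 'puppet:///modules/nginx/nginx.conf.webproxy.real',
+ }
+
+ file { 'fastcgi.conf':
+ path => '/etc/nginx/fastcgi.conf',
+ ensure => present,
+ source => 'puppet:///modules/nginx/fastcgi.conf.webproxy.real',
+ }
+
+ file { '/etc/nginx/conf.d':
+ ensure => directory,
+ recurse => true,
+ purge => true,
+ before => File['http.conf'],
+ }
+
+ file { 'http.conf':
+ path => '/etc/nginx/conf.d/http.conf',
+ ensure => present,
+ source => 'puppet:///modules/nginx/http.conf.webproxy.real',
+ }
+
+ firewall { '00020 ssh on port 22':
+ chain => 'INPUT',
+ proto => 'tcp',
+ state => 'NEW',
+ action => 'accept',
+ dport => 22,
+ }
+
+ firewall { '00080 http on port 80':
+ chain => 'INPUT',
+ proto => 'tcp',
+ state => 'NEW',
+ action => 'accept',
+ dport => 80,
+ }
+
+ firewall { '00443 https on port 443':
+ chain => 'INPUT',
+ proto => 'tcp',
+ state => 'NEW',
+ action => 'accept',
+ dport => 443,
+ }
+}
+
+resources { 'firewall':
+ purge => true,
+}
+
+class { 'my_fw::pre' : }
+class { 'firewall': }
+
+class my_fw::pre {
+ Firewall {
+ require => undef,
+ }
+
+ # Default firewall rules
+ firewall { '00000 accept all icmp':
+ proto => 'icmp',
+ action => 'accept',
+ }
+ firewall { '00001 accept all to lo interface':
+ proto => 'all',
+ iniface => 'lo',
+ action => 'accept',
+ }
+ firewall { '00002 accept related established rules':
+ proto => 'all',
+ state => ['RELATED', 'ESTABLISHED'],
+ action => 'accept',
+ }
+}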
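Review bot: `class my_fw::pre` at the bottom of this file re-defines the class that manifests/web-proxy/pre.pp already defines (manifests/web-server/site.pp does the same); if both files are loaded Puppet aborts with a duplicate class definition, and if only site.pp is applied the inline copy silently wins and drops the `002 reject local traffic not on loopback interface` rule that pre.pp carries. The `resources { 'firewall': purge => true }` and the `class { 'my_fw::pre' : }` / `class { 'firewall': }` declarations sit outside the `node` block, so they apply to every node that evaluates this manifest, not only the web proxies. Nothing declares `my_fw::post`, so after the purge the chain holds accept rules but no terminating drop. I would remove the inline class, move the declarations into the node block, declare post next to pre, and set the resource defaults that order every per-node rule between them; the nginx resources and the three accept rules are untouched.
```puppet
node /^kr-web-proxy-\d+$/ {
  # … unchanged: nginx file resources and the 00020/00080/00443 accept rules …

  resources { 'firewall':
    purge => true,
  }

  # Every rule declared for this node lands between the pre (accept) and post (drop) classes.
  Firewall {
    require => Class['my_fw::pre'],
    before  => Class['my_fw::post'],
  }

  class { ['my_fw::pre', 'my_fw::post']: }
  class { 'firewall': }
}
# the inline 'class my_fw::pre { ... }' that followed is removed; manifests/web-proxy/pre.pp is the single definition
```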
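--- a/manifests/web-server.pp
+++ b/manifests/web-server.pp
@@ -1,19 +0,0 @@
-node /^kr-web-\d+$/ {
- include php
-
- file { '/etc/php-fpm.d':
- ensure => directory,
- }
-
- file { 'www.conf':
- path => '/etc/php-fpm.d/www.conf',
- ensure => present,
- source => 'puppet:///modules/php/www.conf.webserver.real',
- }
-
- file { 'php.ini':
- path => '/etc/php.ini',
- ensure => present,
- source => 'puppet:///modules/php/php.ini.webserver.real',
- }
-}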
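--- a/manifests/web-server/site.pp
+++ b/manifests/web-server/site.pp
@@ -0,0 +1,64 @@
+node /^kr-web-\d+$/ {
+ include php
+
+ file { '/etc/php-fpm.d':
+ ensure => directory,
+ }
+
+ file { 'www.conf':
+ path => '/etc/php-fpm.d/www.conf',
+ ensure => present,
+ source => 'puppet:///modules/php/www.conf.webserver.real',
+ }
+
+ file { 'php.ini':
+ path => '/etc/php.ini',
+ ensure => present,
+ source => 'puppet:///modules/php/php.ini.webserver.real',
+ }
+
+ firewall { '00020 ssh on port 22':
+ chain => 'INPUT',
+ proto => 'tcp',
+ state => 'NEW',
+ action => 'accept',
+ dport => 22,
+ }
+
+ firewall { '09000 fastcgi on port 9000':
+ chain => 'INPUT',
+ proto => 'tcp',
+ state => 'NEW',
+ action => 'accept',
+ dport => 9000,
+ }
+}
+
+resources { 'firewall':
+ purge => true,
+}
+
+class { 'my_fw::pre' : }
+class { 'firewall': }
+
+class my_fw::pre {
+ Firewall {
+ require => undef,
+ }
+
+ # Default firewall rules
+ firewall { '00000 accept all icmp':
+ proto => 'icmp',
+ action => 'accept',
+ }
+ firewall { '00001 accept all to lo interface':
+ proto => 'all',
+ iniface => 'lo',
+ action => 'accept',
+ }
+ firewall { '00002 accept related established rules':
+ proto => 'all',
+ state => ['RELATED', 'ESTABLISHED'],
+ action => 'accept',
+ }
+}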
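Review bot: `'09000 fastcgi on port 9000'` accepts new TCP connections to php-fpm from any source address; FastCGI carries no authentication of its own, so this rule should be limited to the proxy hosts with a `source` parameter next to `dport => 9000,`, e.g. `source => '<PROXY_CIDR — placeholder, fill in the web-proxy network>',`. The same consideration applies, less critically, to `'00020 ssh on port 22'`, which could be limited to the management network. The duplicate `my_fw::pre` definition, the declarations placed outside the `node` block and the undeclared `my_fw::post` are the same issues raised on manifests/web-proxy/site.pp and want the same fix here.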
  1 +#!/bin/sh
  2 +
  3 +puppet apply $1 --modulepath=/root/puppet/modules::/etc/puppet/modules --debug
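Review bot: `$1` is unquoted, so a manifest path containing whitespace or glob characters is split or expanded before it reaches `puppet apply`, and a missing argument presumably leaves puppet reading the manifest from stdin instead of failing; write `puppet apply "$1" --modulepath=/root/puppet/modules:/etc/puppet/modules --debug` and guard the script with `set -eu` and `[ $# -eq 1 ] || { echo "usage: $0 manifest.pp" >&2; exit 2; }` at the top. The `::` in `--modulepath=/root/puppet/modules::/etc/puppet/modules` looks like a typo for a single `:`; an empty path element is presumably ignored, but it reads as an error and should be fixed. The file header for this section is not visible on the page, so the script's name and mode are unknown here.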