These are my Puppet manifests managing a couple of Ubuntu 12.04 LTS servers. They use librarian-puppet for module setup, puppet-catalog-test for manifest testing, and Travis CI for continuous integration.
I use Hiera because, with the deep_merge gem installed and the deeper merge behavior enabled, Puppet's built-in function create_resources becomes incredibly handy for merging together and creating resources from across multiple YAML files (e.g. per hostname, operating system, or release). I finally figured out an easier way to test the lookups, and it looks like this:
hiera -h -d -c test/hiera.yaml ubuntu::sources ::hostname=krikkit ::operatingsystem=Ubuntu ::operatingsystemrelease=12.04
Additionally, because of HI-118, there is no way to set resolution_type when using data bindings (the automatic lookup of class parameters). That lookup is a plain priority lookup: Puppet does not know the parameter is meant to be a hash (class parameters are untyped), so Hiera silently returns the first matching value instead of a deeper merge (which is only defined for hashes and arrays), and modules that do not account for this end up with unmerged data. The fix I discovered a while ago is to call the function hiera_hash('data::source') explicitly, which fixes the type (hash; hiera_array does the same for arrays) and thus gives proper merging. Example:
create_resources('apt::source', hiera_hash('ubuntu::sources', {}))
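The following is an added example, not code from this repository: it writes a throwaway Hiera 1 hierarchy (hiera.yaml plus host, release and common data files) and runs the same hiera lookup as above against it, so the effect of deeper merging can be seen outside Puppet. The hostname krikkit and the fact names come from the command above; the source names, URLs and directory layout are made up for the example, and the hiera CLI plus the deep_merge gem must be installed for the query function to run.

```sh
#!/bin/sh
# Added example (not from the repository): builds a throwaway Hiera 1
# hierarchy showing why `deeper` merging matters, then runs the same hiera
# lookup as above against it. Source names, hosts and URLs are made up.
set -eu

write_hiera_fixture() {
    dir=$1
    mkdir -p "$dir/data/hosts" "$dir/data/os/Ubuntu"

    # :merge_behavior: deeper (needs the deep_merge gem) is what lets
    # hiera_hash() combine the hash from every matching level; without it
    # the most specific level wins outright and the other sources vanish.
    cat > "$dir/hiera.yaml" <<EOF
---
:backends:
  - yaml
:merge_behavior: deeper
:hierarchy:
  - "hosts/%{::hostname}"
  - "os/%{::operatingsystem}/%{::operatingsystemrelease}"
  - common
:yaml:
  :datadir: $dir/data
EOF

    # Host level: one source only this host gets (constructed data).
    cat > "$dir/data/hosts/krikkit.yaml" <<'EOF'
---
ubuntu::sources:
  internal:
    location: 'http://apt.example.invalid/ubuntu'
    release: 'precise'
    repos: 'main'
EOF

    # Release level: overrides a single sub-key of a source defined in
    # common; with deeper merging the other sub-keys survive (constructed).
    cat > "$dir/data/os/Ubuntu/12.04.yaml" <<'EOF'
---
ubuntu::sources:
  updates:
    repos: 'main universe'
EOF

    # Common level, applies to every node (constructed data).
    cat > "$dir/data/common.yaml" <<'EOF'
---
ubuntu::sources:
  updates:
    location: 'http://archive.ubuntu.com/ubuntu'
    release: 'precise-updates'
    repos: 'main'
EOF
}

# Same query as in the text, minus -d, pointed at the fixture. With deeper
# merging the result has both 'internal' and 'updates', and 'updates'
# carries repos 'main universe' together with location/release from common.
query_sources() {
    hiera -h -c "$1/hiera.yaml" ubuntu::sources \
        ::hostname=krikkit ::operatingsystem=Ubuntu ::operatingsystemrelease=12.04
}

if [ "${1:-}" = "--run" ]; then
    tmp=$(mktemp -d)
    write_hiera_fixture "$tmp"
    query_sources "$tmp"
fi
```

Run it with `--run`; switching `:merge_behavior:` to `native` in the generated hiera.yaml and re-running shows the difference the paragraph above describes: only the krikkit hash comes back, exactly what a class parameter filled by data bindings sees.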
- check status: sudo swapon -s
- create swapfile: sudo dd if=/dev/zero of=/swapfile bs=1024 count=512k ('count' blocks of 'bs' bytes each, so 512 MiB here)
- secure swapfile before it is ever used, since swapped-out pages can hold secrets and swapon warns about a world-readable swap file: sudo chown root:root /swapfile; sudo chmod 0600 /swapfile
- prepare: sudo mkswap /swapfile
- activate: sudo swapon /swapfile
- make it persistent (the redirection has to run as root, which sudo echo ... >> does not do, so use tee): echo "/swapfile none swap sw 0 0" | sudo tee -a /etc/fstab
- set swappiness for the running kernel: echo 0 | sudo tee /proc/sys/vm/swappiness, or sudo sysctl -w vm.swappiness=30
- make swappiness persistent: echo "vm.swappiness = 0" | sudo tee -a /etc/sysctl.conf
- to recreate or resize the swapfile: sudo swapoff -a, then continue from the create step above
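The steps above as one script, added here as an example rather than taken from the repository. It keeps the page's path, size and dd invocation, but is written to be re-run safely: the fstab and sysctl lines are only appended when absent, the swapfile is created root-only before mkswap touches it, and swappiness is validated against the kernel's 0..100 range. SWAP_BLOCKS and SWAPPINESS are assumed environment overrides, not anything from the original notes.

```sh
#!/bin/sh
# Added example (not from the repository): the swapfile procedure from the
# notes as a re-runnable script. Needs root when run with --apply.
set -eu

SWAPFILE=/swapfile
SWAP_BLOCKS=${SWAP_BLOCKS:-512k}   # dd count with bs=1024: 512 MiB by default
SWAPPINESS=${SWAPPINESS:-10}       # assumed default for this example

# Append LINE to FILE only if an identical line is not already there, so
# repeated runs do not duplicate fstab/sysctl entries.
# Returns 0 when the line was added, 1 when it was already present.
append_once() {
    file=$1; line=$2
    if [ -f "$file" ] && grep -qxF -- "$line" "$file"; then
        return 1
    fi
    printf '%s\n' "$line" >> "$file"
    return 0
}

# Accept swappiness only as an integer in the kernel's valid 0..100 range.
valid_swappiness() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -le 100 ]
}

setup_swapfile() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    valid_swappiness "$SWAPPINESS" || { echo "bad swappiness: $SWAPPINESS" >&2; return 1; }

    if swapon -s | grep -q "^$SWAPFILE[[:space:]]"; then
        echo "$SWAPFILE already active" >&2
    else
        # Create the file root-only from the start: swap pages can contain
        # secrets, and swapon warns on a world-readable swap file.
        umask 077
        dd if=/dev/zero of="$SWAPFILE" bs=1024 count="$SWAP_BLOCKS"
        chown root:root "$SWAPFILE"
        chmod 0600 "$SWAPFILE"
        mkswap "$SWAPFILE"
        swapon "$SWAPFILE"
    fi

    # Persist the swapfile and the swappiness setting across reboots.
    append_once /etc/fstab "$SWAPFILE none swap sw 0 0" || true
    sysctl -w "vm.swappiness=$SWAPPINESS"
    append_once /etc/sysctl.conf "vm.swappiness = $SWAPPINESS" || true
}

# Only apply when explicitly asked, so the file can also be sourced.
if [ "${1:-}" = "--apply" ]; then
    setup_swapfile
fi
```

Running `sudo sh swapfile.sh --apply` twice leaves a single fstab line and a single sysctl line, which the plain `>>` in the notes does not guarantee.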
The latest version of GitLab now uses the Redis socket, which meant updating a few GitLab configuration files manually which have not yet been updated in the module (and are templated).
- nginx module
  - without conflicting domain
  - SSL needs CSR; bundle scp'd over
  - usermod -aG git nginx
- redis module
- postgresql module
  - patched into (new) init class with create_resources('server::dbs', $dbs = {})
  - postgresql::server class
  - postgresql::dbs: database with matching user, name, database strings (e.g. 'git')
  - patched into server::db: password can now be passed as string and will get hashed
  - libpq-dev needs manual aptitude dependency downgrading
  - patched into client: postgresql-client package conflicted
- gitlab module
  - patched into (new) init class with git_email, gitlab_(dbtype, dbname, dbuser, dbpwd, domain)
  - possible manual steps, all run in git/gitlab:
    - bundle update (rake 10.1.0)
    - bundle install --without development aws test mysql --deployment
    - yes yes | bundle exec rake gitlab:setup RAILS_ENV=production (this drops and re-seeds the GitLab database, which is why it asks for confirmation; only run it on a fresh install)
  - ufw::allows rules for ports 80, 443
- rbenv module (patches into gitlab)
  - rbenv::install: compile ruby1.9.3-v484 for $git_user
  - rbenv::gem for charlock_holmes instead of gem package
  - ~git/.rbenv/shims in front of exec_path (patches into gitlab)
Manual steps needed to setup virtual users:
- Install
db-util
- Create user/pass alternating list at
/etc/vsftpd/virtual_users
db_load -T -t hash -f virtual_users virtual_users.db
chmod 600 virtual_users.db
chown -R ftp:ftp /var/www/virtual
- Set
/etc/pam.d/vsftpd
to:
auth required pam_userdb.so db=/etc/vsftpd/virtual_users
account required pam_userdb.so db=/etc/vsftpd/virtual_users
session required pam_loginuid.so
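The virtual user setup above as a script, added as an example and not part of the repository. It keeps the page's paths and db_load invocation but checks the list first: db_load -T consumes the file as key, value, key, value, so a blank line or an odd number of lines silently turns a password into the next username. It also creates the .db root-only from the start and points out that pam_userdb stores the passwords exactly as written to the list (plaintext unless the module is given crypt=crypt), so the plaintext virtual_users file needs the same 600 protection as the database. The sample list in the test is constructed.

```sh
#!/bin/sh
# Added example (not from the repository): builds the vsftpd virtual user
# database from the alternating user/password list, after checking the
# list, and keeps both files root-only. Needs root when run with --build.
set -eu

VUSERS_DIR=/etc/vsftpd

# db_load -T reads the list as key, value, key, value ... so a blank line
# or an odd line count silently shifts a password into the username slot.
# Prints the user names on success; returns 1 on a malformed list.
check_virtual_users() {
    list=$1
    if grep -q '^$' "$list"; then
        echo "blank line in $list" >&2; return 1
    fi
    n=$(awk 'END { print NR }' "$list")
    if [ "$n" -eq 0 ] || [ $((n % 2)) -ne 0 ]; then
        echo "$list has $n lines; expected an even, non-zero count" >&2; return 1
    fi
    # Odd-numbered lines are the user names; allow only plain account names.
    if awk 'NR % 2 == 1' "$list" | grep -vqE '^[a-z_][a-z0-9_-]*$'; then
        echo "unexpected user name in $list" >&2; return 1
    fi
    awk 'NR % 2 == 1' "$list"
}

build_virtual_users_db() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    list=$VUSERS_DIR/virtual_users
    db=$VUSERS_DIR/virtual_users.db
    check_virtual_users "$list" >/dev/null
    umask 077                      # create the .db root-only from the start
    db_load -T -t hash -f "$list" "$db"
    # pam_userdb stores the passwords exactly as given (plaintext unless it
    # is configured with crypt=crypt), so the source list needs the same
    # protection as the database.
    chown root:root "$list" "$db"
    chmod 600 "$list" "$db"
}

if [ "${1:-}" = "--build" ]; then
    build_virtual_users_db
fi
```

After `sudo sh vusers.sh --build`, the chown -R ftp:ftp /var/www/virtual step and the PAM configuration from the notes still apply unchanged.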
openssl req -new -newkey rsa:2048 -nodes -keyout domain.key -out domain.csr
cat www_yourdomain_com.crt ComodoHigh-AssuranceSecureServerCA.crt AddTrustExternalCARoot.crt >> ssl-bundle.crt
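An added example, not from the repository, wrapping the two commands above as functions with the check a practitioner wants before scp'ing the bundle: that the key, the CSR and the certificate the CA returned share one RSA modulus (a CSR generated from a stale key is a classic cause of a certificate that nginx refuses to load). It adds -sha256 to the CSR, which CAs now require, passes the subject non-interactively, and verifies that the leaf chains to the intermediates and root placed after it. The CN and file names are placeholders; a real chain from a CA is needed for make_bundle to mean anything beyond the self-signed case exercised in the test.

```sh
#!/bin/sh
# Added example (not from the repository): CSR creation, key/CSR/cert
# consistency check and chain bundling with verification.
set -eu

# Non-interactive version of the openssl req line from the notes.
# $1 = key file to write, $2 = CSR file to write, $3 = domain (CN)
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$3" \
        -keyout "$1" -out "$2" 2>/dev/null
}

# Print the RSA modulus of a .key, .csr or .crt file.
modulus_of() {
    case $1 in
        *.key) openssl rsa  -noout -modulus -in "$1" ;;
        *.csr) openssl req  -noout -modulus -in "$1" ;;
        *.crt) openssl x509 -noout -modulus -in "$1" ;;
        *) echo "unknown file type: $1" >&2; return 1 ;;
    esac
}

# True when the two files were made from the same key pair.
same_modulus() {
    [ "$(modulus_of "$1")" = "$(modulus_of "$2")" ]
}

# Concatenate leaf first, then intermediates, then root (the order of the
# cat line in the notes), and verify the leaf against the CA certs that
# follow it so a missing intermediate is caught before deployment.
# $1 = output bundle, $2 = issued certificate, $3.. = CA certs in order
make_bundle() {
    out=$1; leaf=$2; shift 2
    cat "$leaf" "$@" > "$out"
    chain=$(mktemp)
    cat "$@" > "$chain"
    if openssl verify -CAfile "$chain" "$leaf" >/dev/null 2>&1; then
        rc=0
    else
        echo "$leaf does not verify against the supplied chain" >&2
        rc=1
    fi
    rm -f "$chain"
    return $rc
}
```

Typical use: make_csr domain.key domain.csr www.yourdomain.com, submit domain.csr, then same_modulus domain.key www_yourdomain_com.crt and make_bundle ssl-bundle.crt www_yourdomain_com.crt ComodoHigh-AssuranceSecureServerCA.crt AddTrustExternalCARoot.crt before copying bundle and key to the server.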
These are sane aliases from the DigitalOcean guide, with root being forwarded to my email.
mailer-daemon: postmaster
postmaster: root
nobody: root
hostmaster: root
webmaster: root
www: root
ftp: root
abuse: root
root: andrew
Execute newaliases -oAhash:file (where file is the aliases file, e.g. /etc/aliases) to generate file.db; both files should be owned by root.
Setting up Amavis meant following the included README for Postfix; it is quite detailed and worked perfectly. Michael's modules installed the necessary packages for Amavis with SpamAssassin. SpamAssassin also has its own guide on integrating with Postfix.
Always check that the SpamAssassin configuration parses and the plugins load with spamassassin --lint.
The latest version of Pyzor should be installed from the Python package repositories, as the Ubuntu/Debian package is woefully out of date. This is done by Puppet for my mailhost.
I (sadly) do not have SpamAssassin Puppetized further than installation, so for setup, add the following lines (from the Wiki):
use_pyzor 1
pyzor_path /usr/local/bin/pyzor
pyzor_options --homedir /etc/mail/spamassassin
score PYZOR_CHECK 2.500
Then test with spamassassin -t -D pyzor < /usr/share/doc/spamassassin/examples/sample-spam.txt.
Unfortunately, although DCC is free to use, it is not FOSS (see its license). However, I am still receiving a spam or two a day, so hopefully DCC will help.
I used bits of this guide to install and set it up. It requires that the firewall lets the DCC reply packets back in: the client sends its queries to UDP port 6277 on the DCC servers, so outbound UDP to 6277 must be allowed and the stateful return traffic accepted.
wget http://www.rhyolite.com/dcc/source/dcc.tar.Z
tar xzf dcc.tar.Z
cd dcc
./configure --with-uid=amavis --disable-dccm --without-X
make
make install
chown -R amavis:amavis /var/dcc
ln -s /var/dcc/libexec/dccifd /usr/local/bin/dccifd
DCCM is unnecessary as I do not use sendmail. I am unsure if the final linking is required, but would rather not test and find out.
Add to /etc/mail/spamassassin/local.cf:
use_dcc 1
dcc_home /var/dcc
dcc_path /usr/local/bin/dccproc
dcc_timeout 10
add_header all DCC _DCCB_: _DCCR_
score DCC_CHECK 4.000
Enable the plugin in /etc/mail/spamassassin/v310.pre by uncommenting the relevant loadplugin line (Mail::SpamAssassin::Plugin::DCC).
Test with cdcc info.
Setting up LogWatch is as simple as installing the package. DigitalOcean has a guide for configuration; however, the defaults are practically perfect.
There is a reported bug with the Dovecot service, resulting in many unmatched entries. After backing up /usr/share/logwatch/scripts/services/dovecot, download the patch from https://launchpadlibrarian.net/117816434/dovecot.patch, read it first (it is applied as root, so do not pipe it straight from curl into sudo patch), and then apply it with sudo patch /usr/share/logwatch/scripts/services/dovecot < dovecot.patch.
Tiger is the Unix security audit and intrusion detection tool, and is "set up" by installing the package. The default configuration enables periodic audit emails. I have found that I also needed to add the following lines to /etc/tiger/tiger.ignore:
The process `smtpd' is listening on socket 25 \(TCP on every interface\) is run by postfix\.
The process `imap-login' is listening on socket (143|993) \(TCP on every interface\) is run by dovenull\.
The process `avahi-daemon' is listening on socket \d+ \(UDP on every interface\) is run by avahi\.
This ignores frequently repeated messages about smtpd, imap-login, and avahi-daemon. Each line is a regular expression matching the report text, hence the escaped dots and parentheses; keep the patterns as specific as these so that a new, unexpected listener on another port still gets reported. Whether avahi-daemon should be running on a server at all is worth deciding before silencing the warning.