tc362/manifests/final.pp

# Create a non root user with sudo permissions
# jeff, with password
user { 'jeff':
  ensure     => present,
  groups     => ['sudo'],
  managehome => true,
  shell      => '/bin/bash',
  password   => '$6$.AURF9sE09Q$..S10CFY7G.AVXzSW//w6GoV6yPzBzdvyUl8a7oyYbW/XzBU.o6AdHxTgTkCSWb64zmN3QoKovoUyLJhE/MFP/',
}

class { '::ssh::server':
  storeconfigs_enabled => false,
  options              => {
    # Logging in with the root user must be disabled
    'PermitRootLogin'  => 'no',
    # SSH must be enabled on a non-standard port
    'Port'             => [22984],
  },
}

# Install a working MySQL server
class { '::mysql::server': }

# A fully functioning Ruby on Rails installation must be present at your domain
# name or IP address using the Nginx web server (must show the Rails welcome
# page)
# You may use any Rails deployment that works with Nginx

# install nginx
class { 'nginx': }

# install rails
package { 'rails':
  provider => 'gem',
}

# add rails depends
package { ['libsqlite3-dev', 'build-essential', 'nodejs']:
  before => Exec['install rails app']
}

# add rails user and application
user { 'rails':
  ensure     => present,
  groups     => ['sudo'],
  managehome => true,
  shell      => '/bin/bash',
}
exec { 'create rails app':
  command     => 'rails new welcome',
  user        => 'rails',
  environment => ['HOME=/home/rails'],
  path        => '/usr/bin:/usr/local/bin',
  cwd         => '/home/rails',
  creates     => '/home/rails/welcome',
  require     => [
    Package['rails'],
    User['rails'],
  ],
}
exec { 'install rails app':
  command     => 'bundle install --path vendor/bundle',
  user        => 'rails',
  environment => ['HOME=/home/rails'],
  path        => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
  cwd         => '/home/rails/welcome',
  unless      => 'bundle check',
  require     => Exec['create rails app'],
  notify      => Exec['start rails app'],
}
exec { 'start rails app':
  command     => 'rails server -d',
  user        => 'rails',
  environment => ['HOME=/home/rails'],
  path        => '/usr/bin:/usr/local/bin',
  cwd         => '/home/rails/welcome',
  refreshonly => true,
}

# A working firewall using iptables or another Linux firewall
resources { 'firewall':
  purge => true,
}
class { '::firewall': }
firewall { '000 accept all icmp':
  proto  => 'icmp',
  action => 'accept',
} ->
firewall { '100 accept ssh (non-default port)':
  proto  => 'tcp',
  dport  => '22984',
  action => 'accept',
} ->
firewall { '200 accept http':
  proto  => 'tcp',
  dport  => '80',
  action => 'accept',
} ->
firewall { '999 drop all':
  proto  => 'all',
  action => 'drop',
  before => undef,
}

# STUFF OUTSIDE SCOPE OF ASSIGNMENT
# convenience stuff
package { 'mosh': }
package { 'zsh': }

# atomaka, with SSH key
user { 'atomaka':
  ensure     => present,
  groups     => ['sudo'],
  managehome => true,
  shell      => '/bin/zsh',
  require    => [
    Package['zsh'],
  ],
}
file { '/home/atomaka/.ssh':
  ensure  => directory,
  owner   => 'atomaka',
  group   => 'atomaka',
  mode    => '0700',
  require => User['atomaka'],
}
file { '/home/atomaka/.ssh/authorized_keys':
  ensure  => present,
  owner   => 'atomaka',
  group   => 'atomaka',
  mode    => '0600',
  content => file('/tmp/puppet/files/keys/atomaka'),
  require => File['/home/atomaka/.ssh'],
}

# sudo no password
include sudo
sudo::conf { 'sudo':
  priority => 10,
  content  => "%sudo ALL=(ALL) NOPASSWD: ALL\n",
}
Basic setup in new manifest 2014-04-01 11:35:14 -04:00			`# Create a non root user with sudo permissions`
			`# jeff, with password`
			`user { 'jeff':`
			`ensure => present,`
			`groups => ['sudo'],`
			`managehome => true,`
			`shell => '/bin/bash',`
			`password => '$6$.AURF9sE09Q$..S10CFY7G.AVXzSW//w6GoV6yPzBzdvyUl8a7oyYbW/XzBU.o6AdHxTgTkCSWb64zmN3QoKovoUyLJhE/MFP/',`
			`}`

			`class { '::ssh::server':`
Update saz/ssh 2014-04-01 17:14:44 -04:00			`storeconfigs_enabled => false,`
			`options => {`
			`# Logging in with the root user must be disabled`
			`'PermitRootLogin' => 'no',`
			`# SSH must be enabled on a non-standard port`
			`'Port' => [22984],`
			`},`
Basic setup in new manifest 2014-04-01 11:35:14 -04:00			`}`

			`# Install a working MySQL server`
			`class { '::mysql::server': }`

			`# A fully functioning Ruby on Rails installation must be present at your domain`
			`# name or IP address using the Nginx web server (must show the Rails welcome`
			`# page)`
			`# You may use any Rails deployment that works with Nginx`

Install nginx 2014-04-01 11:48:30 -04:00			`# install nginx`
			`class { 'nginx': }`
Basic setup in new manifest 2014-04-01 11:35:14 -04:00
Create, install, and start basic rails app 2014-04-01 12:02:45 -04:00			`# install rails`
			`package { 'rails':`
			`provider => 'gem',`
			`}`

			`# add rails depends`
			`package { ['libsqlite3-dev', 'build-essential', 'nodejs']:`
			`before => Exec['install rails app']`
			`}`

			`# add rails user and application`
			`user { 'rails':`
			`ensure => present,`
			`groups => ['sudo'],`
			`managehome => true,`
			`shell => '/bin/bash',`
			`}`
			`exec { 'create rails app':`
			`command => 'rails new welcome',`
			`user => 'rails',`
			`environment => ['HOME=/home/rails'],`
			`path => '/usr/bin:/usr/local/bin',`
			`cwd => '/home/rails',`
			`creates => '/home/rails/welcome',`
			`require => [`
			`Package['rails'],`
			`User['rails'],`
			`],`
			`}`
			`exec { 'install rails app':`
			`command => 'bundle install --path vendor/bundle',`
			`user => 'rails',`
			`environment => ['HOME=/home/rails'],`
			`path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',`
			`cwd => '/home/rails/welcome',`
			`unless => 'bundle check',`
			`require => Exec['create rails app'],`
			`notify => Exec['start rails app'],`
			`}`
			`exec { 'start rails app':`
			`command => 'rails server -d',`
			`user => 'rails',`
			`environment => ['HOME=/home/rails'],`
			`path => '/usr/bin:/usr/local/bin',`
			`cwd => '/home/rails/welcome',`
			`refreshonly => true,`
			`}`

Basic setup in new manifest 2014-04-01 11:35:14 -04:00			`# A working firewall using iptables or another Linux firewall`
			`resources { 'firewall':`
			`purge => true,`
			`}`
			`class { '::firewall': }`
			`firewall { '000 accept all icmp':`
			`proto => 'icmp',`
			`action => 'accept',`
			`} ->`
			`firewall { '100 accept ssh (non-default port)':`
			`proto => 'tcp',`
			`dport => '22984',`
			`action => 'accept',`
			`} ->`
			`firewall { '200 accept http':`
			`proto => 'tcp',`
			`dport => '80',`
			`action => 'accept',`
			`} ->`
			`firewall { '999 drop all':`
			`proto => 'all',`
			`action => 'drop',`
			`before => undef,`
			`}`

			`# STUFF OUTSIDE SCOPE OF ASSIGNMENT`
			`# convenience stuff`
			`package { 'mosh': }`
			`package { 'zsh': }`

			`# atomaka, with SSH key`
			`user { 'atomaka':`
			`ensure => present,`
			`groups => ['sudo'],`
			`managehome => true,`
			`shell => '/bin/zsh',`
			`require => [`
			`Package['zsh'],`
			`],`
			`}`
			`file { '/home/atomaka/.ssh':`
			`ensure => directory,`
			`owner => 'atomaka',`
			`group => 'atomaka',`
			`mode => '0700',`
			`require => User['atomaka'],`
			`}`
			`file { '/home/atomaka/.ssh/authorized_keys':`
			`ensure => present,`
			`owner => 'atomaka',`
			`group => 'atomaka',`
			`mode => '0600',`
			`content => file('/tmp/puppet/files/keys/atomaka'),`
			`require => File['/home/atomaka/.ssh'],`
			`}`

			`# sudo no password`
			`include sudo`
			`sudo::conf { 'sudo':`
			`priority => 10,`
			`content => "%sudo ALL=(ALL) NOPASSWD: ALL\n",`
			`}`