Basic setup in new manifest

2014-04-01 11:35:14 -04:00 · 2014-04-01 11:35:14 -04:00 · dc5d00d959
commit dc5d00d959
parent 59be174027
3 changed files with 95 additions and 0 deletions
--- a/1
+++ b/1
@ -3,6 +3,7 @@ forge "http://forge.puppetlabs.com"
 mod 'camptocamp/augeas', '0.0.1'
 mod 'hunner/wordpress', '0.6.0'
 mod 'puppetlabs/apache', '0.10.0'
+mod 'puppetlabs/firewall', '1.0.2'
 mod 'puppetlabs/mysql', '2.2.3'
 mod 'saz/ssh', '1.2.0'
 mod 'saz/sudo', '2.4.3'
--- a/Puppetfile.lock
+++ b/Puppetfile.lock
@ -11,6 +11,7 @@ FORGE
      puppetlabs/stdlib (>= 2.4.0)
    puppetlabs/concat (1.1.0-rc1)
      puppetlabs/stdlib (>= 3.0.0)
+    puppetlabs/firewall (1.0.2)
    puppetlabs/mysql (2.2.3)
      puppetlabs/stdlib (>= 3.2.0)
    puppetlabs/stdlib (4.1.0)
@ -22,6 +23,7 @@ DEPENDENCIES
  camptocamp/augeas (= 0.0.1)
  hunner/wordpress (= 0.6.0)
  puppetlabs/apache (= 0.10.0)
+  puppetlabs/firewall (= 1.0.2)
  puppetlabs/mysql (= 2.2.3)
  saz/ssh (= 1.2.0)
  saz/sudo (= 2.4.3)
--- a/manifests/final.pp
+++ b/manifests/final.pp
@ -0,0 +1,92 @@
+# Create a non root user with sudo permissions
+# jeff, with password
+user { 'jeff':
+  ensure     => present,
+  groups     => ['sudo'],
+  managehome => true,
+  shell      => '/bin/bash',
+  password   => '$6$.AURF9sE09Q$..S10CFY7G.AVXzSW//w6GoV6yPzBzdvyUl8a7oyYbW/XzBU.o6AdHxTgTkCSWb64zmN3QoKovoUyLJhE/MFP/',
+}
+
+# Logging in with the root user must be disabled
+include augeas
+class { '::ssh::server':
+  require => Class['augeas'],
+}
+ssh::server::configline { 'PermitRootLogin': value => 'no' }
+
+# SSH must be enabled on a non-standard port
+ssh::server::configline { 'Port': value => '22984' }
+
+# Install a working MySQL server
+class { '::mysql::server': }
+
+# A fully functioning Ruby on Rails installation must be present at your domain
+# name or IP address using the Nginx web server (must show the Rails welcome
+# page)
+# You may use any Rails deployment that works with Nginx
+
+# IN PROGRESS
+
+# A working firewall using iptables or another Linux firewall
+resources { 'firewall':
+  purge => true,
+}
+class { '::firewall': }
+firewall { '000 accept all icmp':
+  proto  => 'icmp',
+  action => 'accept',
+} ->
+firewall { '100 accept ssh (non-default port)':
+  proto  => 'tcp',
+  dport  => '22984',
+  action => 'accept',
+} ->
+firewall { '200 accept http':
+  proto  => 'tcp',
+  dport  => '80',
+  action => 'accept',
+} ->
+firewall { '999 drop all':
+  proto  => 'all',
+  action => 'drop',
+  before => undef,
+}
+
+# STUFF OUTSIDE SCOPE OF ASSIGNMENT
+# convenience stuff
+package { 'mosh': }
+package { 'zsh': }
+
+# atomaka, with SSH key
+user { 'atomaka':
+  ensure     => present,
+  groups     => ['sudo'],
+  managehome => true,
+  shell      => '/bin/zsh',
+  require    => [
+    Package['zsh'],
+  ],
+}
+file { '/home/atomaka/.ssh':
+  ensure  => directory,
+  owner   => 'atomaka',
+  group   => 'atomaka',
+  mode    => '0700',
+  require => User['atomaka'],
+}
+file { '/home/atomaka/.ssh/authorized_keys':
+  ensure  => present,
+  owner   => 'atomaka',
+  group   => 'atomaka',
+  mode    => '0600',
+  content => file('/tmp/puppet/files/keys/atomaka'),
+  require => File['/home/atomaka/.ssh'],
+}
+
+# sudo no password
+include sudo
+sudo::conf { 'sudo':
+  priority => 10,
+  content  => "%sudo ALL=(ALL) NOPASSWD: ALL\n",
+}