First commit

LICENSE.txt

@@ -0,0 +1,27 @@
+Freeware License, some rights reserved
+
+Copyright (c) 2011 James Turnbull and Jeffrey  McCune
+
+Permission is hereby granted, free of charge, to anyone obtaining a copy 
+of this software and associated documentation files (the "Software"), 
+to work with the Software within the limits of freeware distribution and fair use. 
+This includes the rights to use, copy, and modify the Software for personal use. 
+Users are also allowed and encouraged to submit corrections and modifications 
+to the Software for the benefit of other users.
+
+It is not allowed to reuse,  modify, or redistribute the Software for 
+commercial use in any way, or for a user�s educational materials such as books 
+or blog articles without prior permission from the copyright holder. 
+
+The above copyright notice and this permission notice need to be included 
+in all copies or substantial portions of the software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS OR APRESS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+
+

Pro Puppet/03_load_balanced_apache_configuration_with_centralized_ca/40_puppetmaster_worker_18140.conf

@@ -0,0 +1,15 @@
+Listen 18140
+<VirtualHost 127.0.0.1:18140>
+  SSLEngine off
+  # Obtain Authentication Information from Client Request Headers
+  SetEnvIf X-Client-Verify "(.*)" SSL_CLIENT_VERIFY=$1
+  SetEnvIf X-SSL-Client-DN "(.*)" SSL_CLIENT_S_DN=$1
+  RackAutoDetect On
+  DocumentRoot /etc/puppet/rack/puppetmaster_18140/public/
+  <Directory /etc/puppet/rack/puppetmaster_18140/>
+    Options None
+    AllowOverride None
+    Order allow,deny
+    allow from all
+  </Directory>
+</VirtualHost>

Pro Puppet/03_load_balanced_apache_configuration_with_centralized_ca/41_puppetmaster_worker_18141.conf

@@ -0,0 +1,15 @@
+Listen 18141
+<VirtualHost 127.0.0.1:18141>
+  SSLEngine off
+  # Obtain Authentication Information from Client Request Headers
+  SetEnvIf X-Client-Verify "(.*)" SSL_CLIENT_VERIFY=$1
+  SetEnvIf X-SSL-Client-DN "(.*)" SSL_CLIENT_S_DN=$1
+  RackAutoDetect On
+  DocumentRoot /etc/puppet/rack/puppetmaster_18141/public/
+  <Directory /etc/puppet/rack/puppetmaster_18141/>
+    Options None
+    AllowOverride None
+    Order allow,deny
+    allow from all
+  </Directory>
+</VirtualHost>

Pro Puppet/03_load_balanced_apache_configuration_with_centralized_ca/42_puppetmasterca_primary_18142.conf

@@ -0,0 +1,15 @@
+Listen 18142
+<VirtualHost 127.0.0.1:18142>
+  SSLEngine off
+  # Obtain Authentication Information from Client Request Headers
+  SetEnvIf X-Client-Verify "(.*)" SSL_CLIENT_VERIFY=$1
+  SetEnvIf X-SSL-Client-DN "(.*)" SSL_CLIENT_S_DN=$1
+  RackAutoDetect On
+  DocumentRoot /etc/puppet/rack/puppetmaster_18142/public/
+  <Directory /etc/puppet/rack/puppetmaster_18142/>
+    Options None
+    AllowOverride None
+    Order allow,deny
+    allow from all
+  </Directory>
+</VirtualHost>

Pro Puppet/03_load_balanced_apache_configuration_with_centralized_ca/43_puppetmasterca_standby_18143.conf

@@ -0,0 +1,15 @@
+Listen 18143
+<VirtualHost 127.0.0.1:18143>
+  SSLEngine off
+  # Obtain Authentication Information from Client Request Headers
+  SetEnvIf X-Client-Verify "(.*)" SSL_CLIENT_VERIFY=$1
+  SetEnvIf X-SSL-Client-DN "(.*)" SSL_CLIENT_S_DN=$1
+  RackAutoDetect On
+  DocumentRoot /etc/puppet/rack/puppetmaster_18143/public/
+  <Directory /etc/puppet/rack/puppetmaster_18143/>
+    Options None
+    AllowOverride None
+    Order allow,deny
+    allow from all
+  </Directory>
+</VirtualHost>

Pro Puppet/chapter04/03_load_balanced_apache_configuration_with_centralized_ca/30_puppetmaster_frontend.conf

@@ -0,0 +1,56 @@
+# Available back-end worker virtual hosts
+# NOTE the use of cleartext unencrypted HTTP.
+
+# vim 30_puppetmaster_frontend_8140.conf
+<Proxy balancer://puppetmaster>
+  BalancerMember http://127.0.0.1:18140
+  BalancerMember http://127.0.0.1:18141
+</Proxy>
+
+<Proxy balancer://puppetmasterca>
+  # Puppet CA Active Worker
+  BalancerMember http://127.0.0.1:18142
+  # Puppet CA Hot Standby
+  BalancerMember http://127.0.0.1:18143 status=+H
+</Proxy>
+
+Listen 8140
+<VirtualHost *:8140>
+  SSLEngine on
+  # SSLCipherSuite SSLv2:-LOW:-EXPORT:RC4+RSA
+  SSLProtocol -ALL +SSLv3 +TLSv1
+  SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
+  # Puppet master should generate initial CA certificate.
+  # ensure certs are located in /var/lib/puppet/ssl
+  SSLCertificateFile /var/lib/puppet/ssl/certs/puppet.example.com.pem
+  SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/puppet.example.com.pem
+  SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem
+  SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem
+  # CRL checking should be enabled
+  # disable next line if Apache complains about CRL
+  SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
+  # This is optional to allow CSR request, required if certificates distributed to client during provisioning.
+  SSLVerifyClient optional
+  SSLVerifyDepth 1
+  SSLOptions +StdEnvVars
+  # The following client headers record authentication information for down stream workers.
+  RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
+  RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
+  RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
+  <Location />
+    SetHandler balancer-manager
+    Order allow,deny
+    Allow from all
+  </Location>
+
+  # Ordering of ProxyPass directives is important
+  # Direct all Puppet agent CA requests to a specific set of workers.
+  ProxyPassMatch ^(/.*?)/(certificate.*?)/(.*)$ balancer://puppetmasterca
+  ProxyPassReverse ^(/.*?)/(certificate.*?)/(.*)$ balancer://puppetmasterca
+  # Direct all other Puppet agent requests to the default set of workers.
+  ProxyPass / balancer://puppetmaster/
+  ProxyPassReverse / balancer://puppetmaster/
+  ProxyPreserveHost On
+
+</VirtualHost>
+

Pro Puppet/source/chapter02/apache/manifests/init.pp

@@ -0,0 +1,3 @@
+class apache {
+  include apache::install, apache::service
+}

Pro Puppet/source/chapter02/apache/manifests/install.pp

@@ -0,0 +1,5 @@
+class apache::install {
+  package { [ "apache2" ]:
+    ensure => present,
+  }
+}

Pro Puppet/source/chapter02/apache/manifests/service.pp

@@ -0,0 +1,9 @@
+class apache::service {
+  service { "apache2":
+    ensure => running,
+    hasstatus => true,
+    hasrestart => true,
+    enable => true,
+    require => Class["apache::install"],
+  }
+}

Pro Puppet/source/chapter02/apache/manifests/vhost.pp

@@ -0,0 +1,13 @@
+define apache::vhost( $port, $docroot, $ssl=true, $template='apache/vhost.conf.erb', $priority, $serveraliases = '' ) {
+
+  include apache
+
+  file {"/etc/apache2/sites-enabled/${priority}-${name}":
+    content => template($template),
+    owner => 'root',
+    group => 'root',
+    mode => '777',
+    require => Class["apache::install"],
+    notify => Class["apache::service"],
+  }
+}

Pro Puppet/source/chapter02/apache/templates/vhost.conf.erb

@@ -0,0 +1,20 @@
+NameVirtualHost *:<%= port %>
+<VirtualHost *:<%= port %>>
+  ServerName <%= name %>
+<%if serveraliases.is_a? Array -%>
+<% serveraliases.each do |name| -%><%= "  ServerAlias #{name}\n" %><% end -%>
+<% elsif serveraliases != '' -%>
+<%= "  ServerAlias #{serveraliases}" -%>
+<% end -%>
+  DocumentRoot <%= docroot %>
+  <Directory <%= docroot %>>
+    Options Indexes FollowSymLinks MultiViews
+    AllowOverride None
+    Order allow,deny
+    allow from all
+  </Directory>
+  ErrorLog /var/log/apache2/<%= name %>_error.log
+  LogLevel warn
+  CustomLog /var/log/apache2/<%= name %>_access.log combined
+  ServerSignature On
+</VirtualHost>

Pro Puppet/source/chapter02/mysql/manifests/config.pp

@@ -0,0 +1,17 @@
+class mysql::config {
+  file { "/opt/csw/mysql5/my.cnf":
+    ensure = > present,
+    source => "puppet:///modules/mysql/my.cnf",
+    owner => "mysql",
+    group => "mysql",
+    require => Class["mysql::install"],
+    notify => Class["mysql::service"],
+  }
+
+  file { "/opt/csw/mysql5/var":
+    group => "mysql",
+    owner => "mysql",
+    recurse => true,
+    require => File["/opt/csw/mysql5/my.cnf"],
+  }
+}

Pro Puppet/source/chapter02/mysql/manifests/init.pp

@@ -0,0 +1,3 @@
+class mysql {
+  include mysql::install, mysql::config, mysql::service
+}

Pro Puppet/source/chapter02/mysql/manifests/install.pp

@@ -0,0 +1,18 @@
+class mysql::install {
+  package { [ "mysql5", "mysql5client", "mysql5rt", "mysql5test", "mysql5devel" ]:
+    ensure => present,
+    require => User["mysql"],  
+}
+
+  user { "mysql":
+    ensure => present,
+    comment => "MySQL user",
+    gid => "mysql",
+    shell => "/bin/false",
+    require => Group["mysql"],
+}
+
+  group { "mysql":
+    ensure => present,
+  }
+}

Pro Puppet/source/chapter02/mysql/manifests/service.pp

@@ -0,0 +1,9 @@
+class mysql::service {
+  service { "cswmysql5":
+    ensure => running,
+    hasstatus => true,
+    hasrestart => true,
+    enabled => true,
+    require => Class["mysql::config"],
+  }
+}

Pro Puppet/source/chapter02/nodes.pp

@@ -0,0 +1,28 @@
+class base {
+  include sudo, ssh, puppet
+}
+
+node puppet.example.com {
+  include base
+  include puppet::master
+}
+
+node web.example.com {
+  include base, apache
+
+  apache::vhost { 'www.example.com':
+    port => 80,
+    docroot => '/var/www/www.example.com',
+    ssl => false,
+    priority => 10,
+    serveraliases => 'home.example.com',
+  }    
+}
+
+node db.example.com {
+  include base, mysql
+}
+
+node mail.example.com {
+  include base, postfix
+}

Pro Puppet/source/chapter02/postfix/files/master.cf

@@ -0,0 +1,89 @@
+#
+# Postfix master process configuration file.  For details on the format
+# of the file, see the master(5) manual page (command: "man 5 master").
+#
+# ==========================================================================
+# service type  private unpriv  chroot  wakeup  maxproc command + args
+#               (yes)   (yes)   (yes)   (never) (100)
+# ==========================================================================
+smtp      inet  n       -       n       -       -       smtpd
+submission inet n       -       n       -       -       smtpd
+  -o smtpd_enforce_tls=yes
+  -o smtpd_sasl_auth_enable=yes
+  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
+smtps     inet  n       -       n       -       -       smtpd
+  -o smtpd_tls_wrappermode=yes
+  -o smtpd_sasl_auth_enable=yes
+  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
+#628      inet  n       -       n       -       -       qmqpd
+pickup    fifo  n       -       n       60      1       pickup
+cleanup   unix  n       -       n       -       0       cleanup
+qmgr      fifo  n       -       n       300     1       qmgr
+#qmgr     fifo  n       -       n       300     1       oqmgr
+tlsmgr    unix  -       -       n       1000?   1       tlsmgr
+rewrite   unix  -       -       n       -       -       trivial-rewrite
+bounce    unix  -       -       n       -       0       bounce
+defer     unix  -       -       n       -       0       bounce
+trace     unix  -       -       n       -       0       bounce
+verify    unix  -       -       n       -       1       verify
+flush     unix  n       -       n       1000?   0       flush
+proxymap  unix  -       -       n       -       -       proxymap
+smtp      unix  -       -       n       -       -       smtp
+# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
+relay     unix  -       -       n       -       -       smtp
+	-o fallback_relay=
+#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
+showq     unix  n       -       n       -       -       showq
+error     unix  -       -       n       -       -       error
+retry     unix  -       -       n       -       -       error
+discard   unix  -       -       n       -       -       discard
+local     unix  -       n       n       -       -       local
+virtual   unix  -       n       n       -       -       virtual
+lmtp      unix  -       -       n       -       -       lmtp
+anvil     unix  -       -       n       -       1       anvil
+scache	  unix	-	-	n	-	1	scache
+#
+# ====================================================================
+# Interfaces to non-Postfix software. Be sure to examine the manual
+# pages of the non-Postfix software to find out what options it wants.
+#
+# Many of the following services use the Postfix pipe(8) delivery
+# agent.  See the pipe(8) man page for information about ${recipient}
+# and other message envelope options.
+# ====================================================================
+#
+# maildrop. See the Postfix MAILDROP_README file for details.
+# Also specify in main.cf: maildrop_destination_recipient_limit=1
+#
+#maildrop  unix  -       n       n       -       -       pipe
+#  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
+#
+# The Cyrus deliver program has changed incompatibly, multiple times.
+#
+#old-cyrus unix  -       n       n       -       -       pipe
+#  flags=R user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -m ${extension} ${user}
+# Cyrus 2.1.5 (Amos Gouaux)
+# Also specify in main.cf: cyrus_destination_recipient_limit=1
+#cyrus     unix  -       n       n       -       -       pipe
+#  user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -r ${sender} -m ${extension} ${user}
+#
+# See the Postfix UUCP_README file for configuration details.
+#
+#uucp      unix  -       n       n       -       -       pipe
+#  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
+#
+# Other external delivery methods.
+#
+#ifmail    unix  -       n       n       -       -       pipe
+#  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
+#bsmtp     unix  -       n       n       -       -       pipe
+#  flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
+#
+#scalemail-backend unix -       n       n       -       2       pipe
+#  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store
+#  ${nexthop} ${user} ${extension}
+#
+#mailman   unix  -       n       n       -       -       pipe
+#  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
+#  ${nexthop} ${user}
+proxywrite unix -       -       n       -       1       proxymap

Pro Puppet/source/chapter02/postfix/manifests/config.pp

@@ -0,0 +1,21 @@
+class postfix::config {
+  File {
+    owner => "postfix",
+    group => "postfix",
+    mode => 0644,
+  }
+
+  file { "/etc/postfix/master.cf":
+    ensure = > present,
+    source => "puppet:///modules/postfix/master.cf",
+    require => Class["postfix::install"],
+    notify => Class["postfix::service"],
+  }
+
+  file { "/etc/postfix/main.cf":
+    ensure = > present,
+    content => template("postfix/main.cf.erb"),
+    require => Class["postfix::install"],
+    notify => Class["postfix::service"],
+  }
+}