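# profiles::datorhandbok
#
# Builds the "datorhandbok" MediaWiki host: apache2 + mysql serving the
# Debian mediawiki package, TLS from Let's Encrypt (via lyscert::letsencrypt),
# a nightly full mysqldump, and a PAM-backed login path (the AuthPAM
# extension together with a dedicated /etc/pam.d service and squid's
# basic_pam_auth helper; squid itself is installed only for that binary
# and is kept stopped).
#
# Review notes worth keeping in mind when touching this class:
#  * Everything the web server executes (extension PHP, vhost config, the
#    PAM service file) is deployed root-owned and read-only for www-data, so
#    a compromised wiki process cannot rewrite its own authentication hook.
#  * basic_pam_auth lets www-data verify arbitrary username/password pairs
#    against the system account database; without a rate limit in
#    /etc/pam.d/datorhandbok (pam_faillock/pam_tally2 or similar) this is an
#    online brute-force oracle for system credentials. Not verified here.
class profiles::datorhandbok {
  ensure_packages([
    'apache2',
    'mysql-server',
    'mediawiki',
    'imagemagick',
    # squid is needed for the basic_pam_auth helper binary only;
    # the squid service is explicitly kept stopped below.
    'squid3',
    'certbot',
    ],
    # Fix: the original said `ensule`, which is not a package attribute and
    # fails catalog compilation.
    { ensure => installed, })

  service { 'apache2':
    ensure    => running,
    enabled   => true,
    hasstatus => true,
    require   => Package['apache2'],
  }

  service { 'mysql':
    ensure    => running,
    enabled   => true,
    hasstatus => true,
    require   => Package['mysql-server'],
  }

  # Only the helper binary shipped with squid is wanted; never let the
  # proxy itself listen. NOTE(review): the init script for the `squid3`
  # package may be named `squid3` rather than `squid` on older releases —
  # confirm on the target host.
  service { 'squid':
    ensure  => stopped,
    enabled => false,
    require => Package['squid3'],
  }


  #  ┌───────────────────────────────┤ Configuring mariadb-server-10.1 ├───────────────────────────────┐
  #  │                                                                                                 │
  #  │ Important note for NIS/YP users                                                                 │
  #  │                                                                                                 │
  #  │ Using MariaDB under NIS/YP requires a mysql user account to be added on the local system with:  │
  #  │                                                                                                 │
  #  │  adduser --system --group --home /var/lib/mysql mysql                                           │
  #  │                                                                                                 │
  #  │                                                                                                 │
  #  │ You should also check the permissions and ownership of the /var/lib/mysql directory:            │
  #  │                                                                                                 │
  #  │  /var/lib/mysql: drwxr-xr-x   mysql    mysql                                                    │
  #  │                                                                                                 │
  #  │                                             <Ok>                                                │
  #  │                                                                                                 │
  #  └─────────────────────────────────────────────────────────────────────────────────────────────────┘

  # Nightly full dump of every database (including mysql.user password
  # hashes, so the dump is sensitive).
  #
  # Fixes relative to the previous command:
  #  * The redirect target was written as "$      TMPFILE", which the shell
  #    expands to a literal file named `$      TMPFILE` — the dump never
  #    reached the mktemp file and the subsequent mv moved an empty file.
  #  * The temp file is now created in the destination directory instead of
  #    the world-writable /var/tmp: the rename stays on one filesystem (so it
  #    is atomic) and a shared tmp directory is never involved. mktemp
  #    creates the file 0600 and mv preserves that mode.
  #  * A six-character template replaces the three-character one.
  #
  # Assumptions to confirm: /var/lib/mysql-dump exists and is root-owned
  # with mode 0700 (it is not managed here, to avoid a duplicate
  # declaration elsewhere in the catalog), and mysqldump as root
  # authenticates without explicit credentials (root's ~/.my.cnf or
  # unix_socket auth).
  cron { 'backup-mysql':
    command => 'TMPFILE=$(/bin/mktemp /var/lib/mysql-dump/fulldump.sql.XXXXXX) && /usr/bin/mysqldump --all-databases --events > "$TMPFILE" && /bin/mv "$TMPFILE" /var/lib/mysql-dump/fulldump.sql',
    user    => 'root',
    hour    => 3,
    minute  => 11,
  }

  file { '/etc/apache2/mods-enabled/rewrite.load':
      ensure  => symlink,
      target  => '/etc/apache2/mods-available/rewrite.load',
      owner   => root,
      group   => root,
      notify  => Service['apache2'],
      require => Package['apache2'],
  }

  file { '/etc/apache2/mods-enabled/ssl.load':
      ensure  => symlink,
      target  => '/etc/apache2/mods-available/ssl.load',
      owner   => root,
      group   => root,
      notify  => Service['apache2'],
      require => Package['apache2'],
  }

  # Obtains/renews the certificate for this host's FQDN; the vhost below
  # points straight at the live/ paths certbot maintains.
  lyscert::letsencrypt { 'letsencrypt-certonly':
    email     => 'root@lysator.liu.se',
    webserver => 'apache2',
  }

  # The vhost is rendered from the module's EPP template. The certificate
  # paths are keyed on the networking fqdn fact, so this class only works
  # when the host's FQDN is the name certbot was asked to issue for.
  # SSLCertificateChainFile is given the same fullchain.pem as
  # SSLCertificateFile; on Apache >= 2.4.8 the chain directive is
  # deprecated and fullchain.pem alone is sufficient.
  file { '/etc/apache2/sites-available/datorhandbok.lysator.liu.se.conf':
      ensure  => file,
      owner   => root,
      group   => root,
      mode    => '0444',
      notify  => Service['apache2'],
      require => Package['apache2'],
      content  => epp('datorhandbok/datorhandbok.lysator.liu.se',
        {
          # 'SSLCertificateFile'      => '/etc/ssl/certs/datorhandbok.lysator.liu.se/datorhandbok.lysator.liu.se.pem',
          # 'SSLCertificateKeyFile'   => '/etc/ssl/certs/datorhandbok.lysator.liu.se/datorhandbok.lysator.liu.se.key',
          # 'SSLCertificateChainFile' => '/etc/ssl/certs/DigiCertCA.crt',
          'SSLCertificateFile'      => "/etc/letsencrypt/live/${facts['networking']['fqdn']}/fullchain.pem",
          'SSLCertificateKeyFile'   => "/etc/letsencrypt/live/${facts['networking']['fqdn']}/privkey.pem",
          'SSLCertificateChainFile' => "/etc/letsencrypt/live/${facts['networking']['fqdn']}/fullchain.pem",
        }),
  }

  file { '/etc/apache2/sites-enabled/datorhandbok.lysator.liu.se.conf':
    ensure  => symlink,
    target  => '/etc/apache2/sites-available/datorhandbok.lysator.liu.se.conf',
    owner   => root,
    group   => root,
    notify  => Service['apache2'],
    require => File['/etc/apache2/sites-available/datorhandbok.lysator.liu.se.conf'],
  }

  # Disable the distribution's default vhost. This class uses the `.conf`
  # suffix for its own site (the Apache 2.4 convention, where sites-enabled
  # only includes `*.conf`), so the default site to remove is
  # `000-default.conf`; the suffix-less name is kept for older layouts.
  file { '/etc/apache2/sites-enabled/000-default':
    ensure => absent,
    notify => Service['apache2'],
  }

  file { '/etc/apache2/sites-enabled/000-default.conf':
    ensure => absent,
    notify => Service['apache2'],
  }

  # TODO the file requires @pupsecrets.
  # reenable once figured out
  # file { '/etc/mediawiki/LocalSettings.php':
  #   ensure  => file,
  #   owner   => root,
  #   group   => www-data,
  #   mode    => '0440',
  #   content => template("datorhandbok/LocalSettings.php.erb"),
  #   require => Package['mediawiki'],
  # }

  # Static assets shipped from the module. Puppet re-syncs them from
  # `source` on every run, so nothing gains from www-data owning them;
  # they are deployed root-owned and world-readable like favicon.ico.
  file { '/var/lib/mediawiki/skins/lyslogo-liten.png':
    ensure  => file,
    owner   => root,
    group   => root,
    mode    => '0644',
    source  => 'puppet:///modules/datorhandbok/lyslogo-liten.png',
    require => Package['mediawiki'],
  }

  file { '/var/lib/mediawiki/favicon.ico':
    ensure  => file,
    owner   => root,
    group   => root,
    source  => 'puppet:///modules/datorhandbok/favicon.ico',
    require => Package['mediawiki'],
  }

  # Authentication extension executed by the web server. Previously this was
  # owned by www-data, i.e. writable by the very process that runs it: any
  # code-execution bug in the wiki could then rewrite the login hook (for
  # example to log plaintext passwords). Root-owned and read-only for
  # www-data closes that.
  file { '/var/lib/mediawiki/extensions/AuthPAM.php':
    ensure  => file,
    owner   => root,
    group   => root,
    mode    => '0644',
    source  => 'puppet:///modules/datorhandbok/AuthPAM.php',
    require => Package['mediawiki'],
  }

  # PAM service used by the wiki login. Contents come from the module; see
  # the class header regarding brute-force limiting in this stack.
  file { '/etc/pam.d/datorhandbok':
    ensure => file,
    owner  => root,
    group  => root,
    mode   => '0444',
    source => 'puppet:///modules/datorhandbok/pam',
  }

  file { '/etc/mediawiki-extensions/extensions-enabled/RSSReader.php':
    ensure  => symlink,
    target  => '/etc/mediawiki-extensions/extensions-available/RSSReader.php',
    require => Package['mediawiki'],
  }

  # Pins the setgid bit on squid's PAM helper. Only the mode is managed
  # here; the owning group is whatever the package installed. NOTE(review):
  # presumably the package ships this root:shadow so the helper can read
  # /etc/shadow for pam_unix — confirm the group really is `shadow` on the
  # host, because 2755 grants whichever group currently owns the file.
  file { '/usr/lib/squid3/basic_pam_auth':
    ensure  => file,
    mode    => '2755',
    require => Package['squid3'],
  }
}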