zulip/puppet/kandra/manifests/profile/zmirror_personals.pp

class kandra::profile::zmirror_personals inherits kandra::profile::base {

  include zulip::supervisor

  Kandra::User_Dotfiles['zulip'] {
    authorized_keys => [
      'common',
      'production-write-ccache',
    ],
  }

  $zmirror_packages = [ # Packages needed to run the mirror
    'libzephyr4-krb5',
    'zephyr-clients',
    'krb5-config',
    'krb5-user',
    # Packages needed to for ctypes access to Zephyr
    'python3-dev',
    'python3-typing-extensions',
    'restricted-ssh-commands',
  ]
  package { $zmirror_packages:
    ensure => installed,
  }

  # The production-write-ccache key uses
  # `command="/usr/lib/restricted-ssh-commands"` which allows us to
  # limit the commands it can run.
  file { '/etc/restricted-ssh-commands':
    ensure => directory,
    owner  => 'root',
    group  => 'root',
    mode   => '0755',
  }
  file { '/etc/restricted-ssh-commands/zulip':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    content => join([
      '^/home/zulip/python-zulip-api/zulip/integrations/zephyr/process_ccache ',
      '[a-z0-9_.-]+ ',
      '[A-Za-z0-9]{32} ',
      '[-A-Za-z0-9+/]*={0,3}$',
      "\n",
    ], ''),
  }

  file { '/etc/krb5.conf':
    ensure => file,
    owner  => 'root',
    group  => 'root',
    mode   => '0644',
    source => 'puppet:///modules/kandra/krb5.conf',
  }

  concat::fragment { '01-supervisor-zmirror':
    order   => '10',
    target  => $zulip::common::supervisor_conf_file,
    content => " ${zulip::common::supervisor_system_conf_dir}/zmirror/*.conf",
  }

  file { ['/home/zulip/api-keys', '/home/zulip/zephyr_sessions', '/home/zulip/ccache',
          '/home/zulip/mirror_status', "${zulip::common::supervisor_system_conf_dir}/zmirror"]:
    ensure => directory,
    mode   => '0755',
    owner  => 'zulip',
    group  => 'zulip',
  }

  file { '/etc/cron.d/test_zephyr_personal_mirrors':
    ensure => file,
    owner  => 'root',
    group  => 'root',
    mode   => '0644',
    source => 'puppet:///modules/kandra/cron.d/test_zephyr_personal_mirrors',
  }

  file { '/usr/lib/nagios/plugins/zulip_zephyr_mirror':
    require => Package[$zulip::common::nagios_plugins],
    recurse => true,
    purge   => true,
    owner   => 'root',
    group   => 'root',
    mode    => '0755',
    source  => 'puppet:///modules/kandra/nagios_plugins/zulip_zephyr_mirror',
  }

  # Allow the relevant UDP ports
  concat::fragment { 'iptables-zmirror.v4':
    target => '/etc/iptables/rules.v4',
    source => 'puppet:///modules/kandra/iptables/zmirror.v4',
    order  => '20',
  }
  concat::fragment { 'iptables-zmirror.v6':
    target => '/etc/iptables/rules.v6',
    source => 'puppet:///modules/kandra/iptables/zmirror.v6',
    order  => '20',
  }
}
puppet: Rename puppet/zulip_ops to puppet/kandra. This makes for easier tab-completion, and also is a bit more explicit about the expected consumer. 2024-02-06 21:40:19 +01:00			`class kandra::profile::zmirror_personals inherits kandra::profile::base {`
puppet: Allow profiles to override zulip_ops::profile::base. 2024-02-02 15:08:49 +01:00
puppet: Switch puppet to using include-style class declarations This allows us to declare classes more than once, which we need as we're making our class dependency graph more complicated. See http://docs.puppetlabs.com/puppet/2.7/reference/lang_classes.html#aside-history-the-future-and-best-practices (imported from commit d4199b0df0d92d166fbc3559957f67ee9cf2ecdc) 2013-11-01 20:28:03 +01:00			`include zulip::supervisor`
puppet: Add zmirror_personals machine type. (imported from commit 3712d4ac1c2faa53cd9211441cc52da98de19e9b) 2013-08-23 23:38:39 +02:00
puppet: Rename puppet/zulip_ops to puppet/kandra. This makes for easier tab-completion, and also is a bit more explicit about the expected consumer. 2024-02-06 21:40:19 +01:00			`Kandra::User_Dotfiles['zulip'] {`
puppet: Add key to allow prod to write ccache on zmirrorp. 2024-02-02 19:39:26 +01:00			`authorized_keys => [`
			`'common',`
			`'production-write-ccache',`
			`],`
			`}`

			`$zmirror_packages = [ # Packages needed to run the mirror`
puppet-lint: Enforce double_quoted_strings check. This makes our puppet codebase more consistent by using single-quoted strings consistently. 2018-08-13 21:29:40 +02:00			`'libzephyr4-krb5',`
			`'zephyr-clients',`
			`'krb5-config',`
			`'krb5-user',`
puppet: Update declared zmirror dependencies. Following zulip/python-zulip-api/pull/758/, we're no longer using python-zephyr, and don't need to build it from source. Additionally, we no longer need to build a forked Zephyr package, since ZLoadSession and ZDumpSession were merged in https://github.com/zephyr-im/zephyr/commit/e6a545e75963456834f120cfc62983eb4d001490. 2022-09-14 00:56:55 +02:00			`# Packages needed to for ctypes access to Zephyr`
puppet-lint: Enforce double_quoted_strings check. This makes our puppet codebase more consistent by using single-quoted strings consistently. 2018-08-13 21:29:40 +02:00			`'python3-dev',`
puppet: Update declared zmirror dependencies. Following zulip/python-zulip-api/pull/758/, we're no longer using python-zephyr, and don't need to build it from source. Additionally, we no longer need to build a forked Zephyr package, since ZLoadSession and ZDumpSession were merged in https://github.com/zephyr-im/zephyr/commit/e6a545e75963456834f120cfc62983eb4d001490. 2022-09-14 00:56:55 +02:00			`'python3-typing-extensions',`
puppet: Add key to allow prod to write ccache on zmirrorp. 2024-02-02 19:39:26 +01:00			`'restricted-ssh-commands',`
puppet-lint: Enforce 2sp_soft_tables puppet-lint check. This cleans up the puppet codebase's whitespace formatting to be more consistent. 2018-08-13 21:27:41 +02:00			`]`
puppet/zulip_ops: Replace apt::source with setup-apt-repo-debathena. Tweaked by tabbott to use a clearer name. 2018-12-06 02:56:46 +01:00			`package { $zmirror_packages:`
puppet: Fix arrow alignment. 2024-04-05 05:37:10 +02:00			`ensure => installed,`
puppet: Add zmirror_personals machine type. (imported from commit 3712d4ac1c2faa53cd9211441cc52da98de19e9b) 2013-08-23 23:38:39 +02:00			`}`
puppet/zulip_ops: Replace apt::source with setup-apt-repo-debathena. Tweaked by tabbott to use a clearer name. 2018-12-06 02:56:46 +01:00
puppet: Add key to allow prod to write ccache on zmirrorp. 2024-02-02 19:39:26 +01:00			`# The production-write-ccache key uses`
			# `command="/usr/lib/restricted-ssh-commands"` which allows us to
			`# limit the commands it can run.`
			`file { '/etc/restricted-ssh-commands':`
			`ensure => directory,`
			`owner => 'root',`
			`group => 'root',`
			`mode => '0755',`
			`}`
			`file { '/etc/restricted-ssh-commands/zulip':`
			`ensure => file,`
			`owner => 'root',`
			`group => 'root',`
			`mode => '0644',`
			`content => join([`
			`'^/home/zulip/python-zulip-api/zulip/integrations/zephyr/process_ccache ',`
			`'[a-z0-9_.-]+ ',`
			`'[A-Za-z0-9]{32} ',`
			`'[-A-Za-z0-9+/]*={0,3}$',`
			`"\n",`
			`], ''),`
			`}`

puppet: Replace debathena krb5 package with equivalent puppet file. 2022-01-13 02:27:30 +01:00			`file { '/etc/krb5.conf':`
			`ensure => file,`
			`owner => 'root',`
			`group => 'root',`
			`mode => '0644',`
puppet: Rename puppet/zulip_ops to puppet/kandra. This makes for easier tab-completion, and also is a bit more explicit about the expected consumer. 2024-02-06 21:40:19 +01:00			`source => 'puppet:///modules/kandra/krb5.conf',`
puppet: Replace debathena krb5 package with equivalent puppet file. 2022-01-13 02:27:30 +01:00			`}`

puppet: Create zmirror supervisor subdirectory. To not change the `supervisor.conf` file, which requires a restart of supervisor (and thus all services running under it, which is extremely disruptive) we carefully leave the contents unchanged for most installs, and append a new piece to the file, only for the zmirror configuration, using `concat`. 2023-04-05 23:26:40 +02:00			`concat::fragment { '01-supervisor-zmirror':`
			`order => '10',`
			`target => $zulip::common::supervisor_conf_file,`
			`content => " ${zulip::common::supervisor_system_conf_dir}/zmirror/*.conf",`
			`}`

[manual] Rename /home/humbug to /home/zulip. This may require just doing an mv on the home directory, plus changing the home directory in /etc/passwd. It should of course be done carefully. (imported from commit 660997d897ee6d33563af74f0fc5d4267a911755) 2013-10-04 19:19:57 +02:00			`file { ['/home/zulip/api-keys', '/home/zulip/zephyr_sessions', '/home/zulip/ccache',`
puppet: Create zmirror supervisor subdirectory. To not change the `supervisor.conf` file, which requires a restart of supervisor (and thus all services running under it, which is extremely disruptive) we carefully leave the contents unchanged for most installs, and append a new piece to the file, only for the zmirror configuration, using `concat`. 2023-04-05 23:26:40 +02:00			`'/home/zulip/mirror_status', "${zulip::common::supervisor_system_conf_dir}/zmirror"]:`
puppet-lint: Enforce arrow_alignment check. This fixes all exceptions in our puppet codebase to this lint rule. 2018-08-13 21:20:34 +02:00			`ensure => directory,`
puppet: Match the `x` bits on directories to what puppet actually does. Puppet _always_ sets the `+x` bit on directories if they have the `r` bit set for that slot[^1]: > When specifying numeric permissions for directories, Puppet sets the > search permission wherever the read permission is set. As such, for instance, `0640` is actually applied as `0750`. Fix what we "want" to match what puppet is applying, by adding the `x` bit. In none of these cases did we actually intend the directory to not be executable. [1] https://www.puppet.com/docs/puppet/5.5/types/file.html#file-attribute-mode 2023-01-26 23:26:51 +01:00			`mode => '0755',`
puppet-lint: Enforce double_quoted_strings check. This makes our puppet codebase more consistent by using single-quoted strings consistently. 2018-08-13 21:29:40 +02:00			`owner => 'zulip',`
			`group => 'zulip',`
puppet: Add zmirror_personals machine type. (imported from commit 3712d4ac1c2faa53cd9211441cc52da98de19e9b) 2013-08-23 23:38:39 +02:00			`}`

puppet-lint: Enforce double_quoted_strings check. This makes our puppet codebase more consistent by using single-quoted strings consistently. 2018-08-13 21:29:40 +02:00			`file { '/etc/cron.d/test_zephyr_personal_mirrors':`
zmirror: Add monitoring for personals mirrors. (imported from commit acb7f2222076d2f3884a2e52c7032cb48fde1757) 2013-08-26 21:43:29 +02:00			`ensure => file,`
puppet-lint: Enforce double_quoted_strings check. This makes our puppet codebase more consistent by using single-quoted strings consistently. 2018-08-13 21:29:40 +02:00			`owner => 'root',`
			`group => 'root',`
puppet-lint: Enforce arrow_alignment check. This fixes all exceptions in our puppet codebase to this lint rule. 2018-08-13 21:20:34 +02:00			`mode => '0644',`
puppet: Rename puppet/zulip_ops to puppet/kandra. This makes for easier tab-completion, and also is a bit more explicit about the expected consumer. 2024-02-06 21:40:19 +01:00			`source => 'puppet:///modules/kandra/cron.d/test_zephyr_personal_mirrors',`
zmirror: Add monitoring for personals mirrors. (imported from commit acb7f2222076d2f3884a2e52c7032cb48fde1757) 2013-08-26 21:43:29 +02:00			`}`

puppet-lint: Enforce double_quoted_strings check. This makes our puppet codebase more consistent by using single-quoted strings consistently. 2018-08-13 21:29:40 +02:00			`file { '/usr/lib/nagios/plugins/zulip_zephyr_mirror':`
puppet: nagios-plugins-basic is replaced by monitoring-plugins-basic. In Bionic, nagios-plugins-basic is a transitional package which depends on monitoring-plugins-basic. In Focal, it is a virtual package, which means that every time puppet runs, it tries to re-install the nagios-plugins-basic package. Switch all instances to referring to `$zulip::common::nagios_plugins`, and repoint that to monitoring-plugins-basic. 2020-06-29 23:15:37 +02:00			`require => Package[$zulip::common::nagios_plugins],`
Migrate Zephyr mirror Nagios plugins to subdirectory. 2016-04-04 04:23:57 +02:00			`recurse => true,`
puppet-lint: Enforce arrow_alignment check. This fixes all exceptions in our puppet codebase to this lint rule. 2018-08-13 21:20:34 +02:00			`purge => true,`
puppet-lint: Enforce double_quoted_strings check. This makes our puppet codebase more consistent by using single-quoted strings consistently. 2018-08-13 21:29:40 +02:00			`owner => 'root',`
			`group => 'root',`
puppet-lint: Enforce arrow_alignment check. This fixes all exceptions in our puppet codebase to this lint rule. 2018-08-13 21:20:34 +02:00			`mode => '0755',`
puppet: Rename puppet/zulip_ops to puppet/kandra. This makes for easier tab-completion, and also is a bit more explicit about the expected consumer. 2024-02-06 21:40:19 +01:00			`source => 'puppet:///modules/kandra/nagios_plugins/zulip_zephyr_mirror',`
Migrate Zephyr mirror Nagios plugins to subdirectory. 2016-04-04 04:23:57 +02:00			`}`

puppet: Use concat fragments to place port allows next to services. This means that services will only open their ports if they are actually run, without having to clutter rules.v4 with a log of `if` statements. This does not go as far as using `puppetlabs/firewall`[1] because that would represent an additional DSL to learn; raw IPtables sections can easily be inserted into the generated iptables file via `concat::fragment` (either inline, or as a separate file), but config can be centralized next to the appropriate service. [1] https://forge.puppet.com/modules/puppetlabs/firewall 2021-05-25 04:12:28 +02:00			`# Allow the relevant UDP ports`
puppet: Be explicit that existing iptables are only ipv4. 2021-08-24 20:43:23 +02:00			`concat::fragment { 'iptables-zmirror.v4':`
puppet: Use concat fragments to place port allows next to services. This means that services will only open their ports if they are actually run, without having to clutter rules.v4 with a log of `if` statements. This does not go as far as using `puppetlabs/firewall`[1] because that would represent an additional DSL to learn; raw IPtables sections can easily be inserted into the generated iptables file via `concat::fragment` (either inline, or as a separate file), but config can be centralized next to the appropriate service. [1] https://forge.puppet.com/modules/puppetlabs/firewall 2021-05-25 04:12:28 +02:00			`target => '/etc/iptables/rules.v4',`
puppet: Rename puppet/zulip_ops to puppet/kandra. This makes for easier tab-completion, and also is a bit more explicit about the expected consumer. 2024-02-06 21:40:19 +01:00			`source => 'puppet:///modules/kandra/iptables/zmirror.v4',`
puppet: Use concat fragments to place port allows next to services. This means that services will only open their ports if they are actually run, without having to clutter rules.v4 with a log of `if` statements. This does not go as far as using `puppetlabs/firewall`[1] because that would represent an additional DSL to learn; raw IPtables sections can easily be inserted into the generated iptables file via `concat::fragment` (either inline, or as a separate file), but config can be centralized next to the appropriate service. [1] https://forge.puppet.com/modules/puppetlabs/firewall 2021-05-25 04:12:28 +02:00			`order => '20',`
			`}`
puppet: Configure ip6tables in parallel to ipv4. Previously, IPv6 firewalls were left at the default all-open. Configure IPv6 equivalently to IPv4. 2021-08-24 23:11:36 +02:00			`concat::fragment { 'iptables-zmirror.v6':`
			`target => '/etc/iptables/rules.v6',`
puppet: Rename puppet/zulip_ops to puppet/kandra. This makes for easier tab-completion, and also is a bit more explicit about the expected consumer. 2024-02-06 21:40:19 +01:00			`source => 'puppet:///modules/kandra/iptables/zmirror.v6',`
puppet: Configure ip6tables in parallel to ipv4. Previously, IPv6 firewalls were left at the default all-open. Configure IPv6 equivalently to IPv4. 2021-08-24 23:11:36 +02:00			`order => '20',`
			`}`
puppet: Add zmirror_personals machine type. (imported from commit 3712d4ac1c2faa53cd9211441cc52da98de19e9b) 2013-08-23 23:38:39 +02:00			`}`