traylenator · August 26, 2013 09:03
diff --git a/gistfile1.pp b/gistfile1.pp
 /*
 # whitespace
 We need a site.pp to define global class paramerters
 basically.
 */

 /* Set hostgroup variables in top scope. We need
   to set anything that hiera needs very early, in
   particular this will win over any facts present
   on the box. */

 $hostarray = split($::hostgroup,'/')

 #Check if the hostarray has more than 7 members
 if size($hostarray) >= 7 {
  fail("The length of the hostgroup isn't supported. Only 7 layers are supported.")
 }





 if $hostarray[0] {
  $encgroup_0 = $hostarray[0]
 }
 if $hostarray[1] {
  $encgroup_1 = $hostarray[1]
 }
 if $hostarray[2] {
  $encgroup_2 = $hostarray[2]
 }
 if $hostarray[3] {
  $encgroup_3 = $hostarray[3]
 }
 if $hostarray[4] {
  $encgroup_4 = $hostarray[4]
 }
 if $hostarray[5] {
  $encgroup_5 = $hostarray[5]
 }
 if $hostarray[6] {
  $encgroup_6 = $hostarray[6]
 }

 $hostgroup_prefix = hiera('hostgroup_prefix', 'hg_')

 stage { 'osrepos':
      before => Stage['main'],
 }

 stage { 'late':
      require => Stage['main'],
 }

 class { 'osrepos':
    stage => osrepos
 }

 class{ 'base': }

 # If /base is first hostgroup then we ignore and consider
 # the next one the real first hostgroup.

 if $encgroup_0 == 'base' {
   $encgroup_1hg = "${hostgroup_prefix}${encgroup_1}"
   loadclass_ifexists($encgroup_1hg)
   if $encgroup_2 {
     loadclass_ifexists("${encgroup_1hg}::${encgroup_2}")
   }
   if $encgroup_3 {
     loadclass_ifexists("${encgroup_1hg}::${encgroup_2}::${encgroup_3}")
   }
   if $encgroup_4 {
     loadclass_ifexists("${encgroup_1hg}::${encgroup_2}::${encgroup_3}::${encgroup_4}")
   }
   if $encgroup_5 {
     loadclass_ifexists("${encgroup_1hg}::${encgroup_2}::${encgroup_3}::${encgroup_4}::${encgroup_5}")
   }
   if $encgroup_6 {
     loadclass_ifexists("${encgroup_1hg}::${encgroup_2}::${encgroup_3}::${encgroup_4}::${encgroup_5}::${encgroup_6}")
   }

 } else {
   $encgroup_0hg = "${hostgroup_prefix}${encgroup_0}"
   loadclass_ifexists($encgroup_0hg)
   if $encgroup_1 {
     loadclass_ifexists("${encgroup_0hg}::${encgroup_1}")
   }
   if $encgroup_2 {
     loadclass_ifexists("${encgroup_0hg}::${encgroup_1}::${encgroup_2}")
   }
   if $encgroup_3 {
     loadclass_ifexists("${encgroup_0hg}::${encgroup_1}::${encgroup_2}::${encgroup_3}")
   }
   if $encgroup_4 {
     loadclass_ifexists("${encgroup_0hg}::${encgroup_1}::${encgroup_2}::${encgroup_3}::${encgroup_4}")
   }
   if $encgroup_5 {
     loadclass_ifexists("${encgroup_0hg}::${encgroup_1}::${encgroup_2}::${encgroup_3}::${encgroup_4}::${encgroup_5}")
   }
   if $encgroup_6 {
     loadclass_ifexists("${encgroup_0hg}::${encgroup_1}::${encgroup_2}::${encgroup_3}::${encgroup_4}::${encgroup_5}::${encgroup_6}")
   }
 }


 # can control things globally.
 # Purge non existing cron jobs.
 resources{'cron':
    purge => true
 }




 ###### Beginning if firewall defaults.
 # See: https://twiki.cern.ch/twiki/bin/view/AgileInfrastructure/PuppetIptables
 case $::writefirewall {
   'false': {
      $firewallnoop     = true
      $firewallloglevel = 'debug'
      $firewallpurge    = false
   }
   'true': {
      $firewallnoop     = false
      $firewallloglevel = 'verbose'
      $firewallpurge    = true
   }
   default:  {
      fail('Variable $writefirewall must be set to true or false, see site.pp')
   }
 }
 # fix for AI-1521, temporarily disabled
 #exec { "blank_iptables_start":
 #    path        => "/usr/bin:/usr/sbin:/bin",
 #    unless      => "/sbin/service iptables status",
 #    command     => '/sbin/iptables -L',
 #}

 # What to do with the collection of firewall instances everywhere.
 if $::writefirewall == 'true' {
  Firewall {
    noop      =>  $firewallnoop,
    loglevel  =>  $firewallloglevel,
    before    => Class['cernfw::post_cernfw'],
    require   => Class['cernfw::pre_cernfw'],
  }
 } else {
  Firewall {
    noop      =>  $firewallnoop,
    loglevel  =>  $firewallloglevel,
    before    => Class['cernfw::post_cernfw'],
    require   => Class['cernfw::pre_cernfw'],
  }
 }

 Firewallchain {
   noop      => $firewallnoop,
   loglevel  => $firewallloglevel
 }
 resources { 'firewall':
    purge    => $firewallpurge
 }
 ###### End of firewall defaults.

 ###### Some defaults for yumrepo typo.
 if $::osfamily == 'RedHat' {
  Yumrepo{
      stage     => 'setup',
      tag       => 'kickstart',
      notify    => Exec[yum-clean-all],
  }
  exec { yum-clean-all:
            command => '/usr/bin/yum clean all',
            refreshonly => true
  }
 }

 # Some defaults for sysctl type, in particular reload sysctl
 # if entries are changed.
 if $::kernel == 'Linux' {
  Sysctl{
    notify => Exec[load-sysctl]
  }
  exec { load-sysctl:
         command => '/sbin/sysctl -e -p /etc/sysctl.conf',
         refreshonly => true
  }
 }

 # End of sysctl.

 #Windows ACL best practise (Owner: LocalSystem, Group: Administrators):
 #https://groups.google.com/d/topic/puppet-users/0mu9E7ttN58/discussion
 $file_owner = $::kernel ? {
  windows => 'S-1-5-18',
  default => 'root'
 }

 $file_group = $::kernel ? {
  windows => 'S-1-5-32-544',
  default => 'root'
 }

 File{
   owner => $file_owner,
   group => $file_group,
 }
	/*
	# whitespace
	We need a site.pp to define global class paramerters
	basically.
	*/

	/* Set hostgroup variables in top scope. We need
	to set anything that hiera needs very early, in
	particular this will win over any facts present
	on the box. */

	$hostarray = split($::hostgroup,'/')

	#Check if the hostarray has more than 7 members
	if size($hostarray) >= 7 {
	fail("The length of the hostgroup isn't supported. Only 7 layers are supported.")
	}





	if $hostarray[0] {
	$encgroup_0 = $hostarray[0]
	}
	if $hostarray[1] {
	$encgroup_1 = $hostarray[1]
	}
	if $hostarray[2] {
	$encgroup_2 = $hostarray[2]
	}
	if $hostarray[3] {
	$encgroup_3 = $hostarray[3]
	}
	if $hostarray[4] {
	$encgroup_4 = $hostarray[4]
	}
	if $hostarray[5] {
	$encgroup_5 = $hostarray[5]
	}
	if $hostarray[6] {
	$encgroup_6 = $hostarray[6]
	}

	$hostgroup_prefix = hiera('hostgroup_prefix', 'hg_')

	stage { 'osrepos':
	before => Stage['main'],
	}

	stage { 'late':
	require => Stage['main'],
	}

	class { 'osrepos':
	stage => osrepos
	}

	class{ 'base': }

	# If /base is first hostgroup then we ignore and consider
	# the next one the real first hostgroup.

	if $encgroup_0 == 'base' {
	$encgroup_1hg = "${hostgroup_prefix}${encgroup_1}"
	loadclass_ifexists($encgroup_1hg)
	if $encgroup_2 {
	loadclass_ifexists("${encgroup_1hg}::${encgroup_2}")
	}
	if $encgroup_3 {
	loadclass_ifexists("${encgroup_1hg}::${encgroup_2}::${encgroup_3}")
	}
	if $encgroup_4 {
	loadclass_ifexists("${encgroup_1hg}::${encgroup_2}::${encgroup_3}::${encgroup_4}")
	}
	if $encgroup_5 {
	loadclass_ifexists("${encgroup_1hg}::${encgroup_2}::${encgroup_3}::${encgroup_4}::${encgroup_5}")
	}
	if $encgroup_6 {
	loadclass_ifexists("${encgroup_1hg}::${encgroup_2}::${encgroup_3}::${encgroup_4}::${encgroup_5}::${encgroup_6}")
	}

	} else {
	$encgroup_0hg = "${hostgroup_prefix}${encgroup_0}"
	loadclass_ifexists($encgroup_0hg)
	if $encgroup_1 {
	loadclass_ifexists("${encgroup_0hg}::${encgroup_1}")
	}
	if $encgroup_2 {
	loadclass_ifexists("${encgroup_0hg}::${encgroup_1}::${encgroup_2}")
	}
	if $encgroup_3 {
	loadclass_ifexists("${encgroup_0hg}::${encgroup_1}::${encgroup_2}::${encgroup_3}")
	}
	if $encgroup_4 {
	loadclass_ifexists("${encgroup_0hg}::${encgroup_1}::${encgroup_2}::${encgroup_3}::${encgroup_4}")
	}
	if $encgroup_5 {
	loadclass_ifexists("${encgroup_0hg}::${encgroup_1}::${encgroup_2}::${encgroup_3}::${encgroup_4}::${encgroup_5}")
	}
	if $encgroup_6 {
	loadclass_ifexists("${encgroup_0hg}::${encgroup_1}::${encgroup_2}::${encgroup_3}::${encgroup_4}::${encgroup_5}::${encgroup_6}")
	}
	}


	# can control things globally.
	# Purge non existing cron jobs.
	resources{'cron':
	purge => true
	}




	###### Beginning if firewall defaults.
	# See: https://twiki.cern.ch/twiki/bin/view/AgileInfrastructure/PuppetIptables
	case $::writefirewall {
	'false': {
	$firewallnoop = true
	$firewallloglevel = 'debug'
	$firewallpurge = false
	}
	'true': {
	$firewallnoop = false
	$firewallloglevel = 'verbose'
	$firewallpurge = true
	}
	default: {
	fail('Variable $writefirewall must be set to true or false, see site.pp')
	}
	}
	# fix for AI-1521, temporarily disabled
	#exec { "blank_iptables_start":
	# path => "/usr/bin:/usr/sbin:/bin",
	# unless => "/sbin/service iptables status",
	# command => '/sbin/iptables -L',
	#}

	# What to do with the collection of firewall instances everywhere.
	if $::writefirewall == 'true' {
	Firewall {
	noop => $firewallnoop,
	loglevel => $firewallloglevel,
	before => Class['cernfw::post_cernfw'],
	require => Class['cernfw::pre_cernfw'],
	}
	} else {
	Firewall {
	noop => $firewallnoop,
	loglevel => $firewallloglevel,
	before => Class['cernfw::post_cernfw'],
	require => Class['cernfw::pre_cernfw'],
	}
	}

	Firewallchain {
	noop => $firewallnoop,
	loglevel => $firewallloglevel
	}
	resources { 'firewall':
	purge => $firewallpurge
	}
	###### End of firewall defaults.

	###### Some defaults for yumrepo typo.
	if $::osfamily == 'RedHat' {
	Yumrepo{
	stage => 'setup',
	tag => 'kickstart',
	notify => Exec[yum-clean-all],
	}
	exec { yum-clean-all:
	command => '/usr/bin/yum clean all',
	refreshonly => true
	}
	}

	# Some defaults for sysctl type, in particular reload sysctl
	# if entries are changed.
	if $::kernel == 'Linux' {
	Sysctl{
	notify => Exec[load-sysctl]
	}
	exec { load-sysctl:
	command => '/sbin/sysctl -e -p /etc/sysctl.conf',
	refreshonly => true
	}
	}

	# End of sysctl.

	#Windows ACL best practise (Owner: LocalSystem, Group: Administrators):
	#https://groups.google.com/d/topic/puppet-users/0mu9E7ttN58/discussion
	$file_owner = $::kernel ? {
	windows => 'S-1-5-18',
	default => 'root'
	}

	$file_group = $::kernel ? {
	windows => 'S-1-5-32-544',
	default => 'root'
	}

	File{
	owner => $file_owner,
	group => $file_group,
	}