g-server

Bits and pieces to configure base of your servers in opinionated way with power of Puppet.

When submodule codebase size exceeds common sense it will be moved to its own puppet module.

Features

Interface Sides

You can specify which interfaces are external and which internal.

Other modules/classes can use this information to eg. listen on only some interfaces or create firewall rules.

Configurable as g_server parameters.

Usage:

g_server::get_interfaces($side).each | $iface | { }
g_server::get_side($iface) # => one of G_server::Side

Classes

Accounts

• Handles root account password and its ssh keys
• Marks admin users to allow sudo usage
• Creates user accounts and sets ssh keys

Hiera usage

g_server::accounts::root_password_hash: "$6$9OBVSpVQDgHsldz8$BmiwDh3XGC4qgDL/Qdh5DQPhJ4haNqBvB1KV0BqZwA4w8ZEr3ljcE9YmcVvtkxXqb4uMtl4V3Gk7n0vI2T2NH0"

g_server::accounts::users:
  glorpen:
    ssh_authorized_keys:
      "example.glorpen": "<ssh pub key>"
    admin: true

Cron

Simple cron job wrapper.

• Setting environment variables
• Uses ::cron::job
• Allows using templates with custom variables

Hiera usage

g_server::cron::jobs:
  "example-job":
    minute: "0"
    hour: "10" # "*/5", "1-5", ...
    template_source: "example/job-example.sh.epp"
    #template_content: "puppet://..."
    vars:
      var1: "example"

Firewall

Setups base rules for firewall.

See glorpen/g_firewall for more.

Network

• Supports differnating between external and internal facing interfaces
• Sets internal host names
• Supports creating macvlan interfaces
• Sets hostname
• Allows setting routes, dns, dhcp, gateway, mac per interface
• Supports IPv6

Hiera usage

g_server::network::interfaces:
  eth0:
    ipv4addr: "192.168.1.12"
    ipv4netmask: "255.255.255.0"
    ipv4gw: "192.168.1.1"
    nameservers:
      - "8.8.8.8"

Repos

Configures package manager and installs Puppet repository.

Base Services

Setups base services.

SSH

• sets up to date ciphers
• creates ssh users group
• sets host keys
• configures firewall (supports _[Interface Sides]{.title-ref})

Fail2Ban

Basic fail2ban configuration.

Volumes

Manages LVM volumes, mountpoints and filesystems.

Supports managing:

• volume groups
• logical volumes
• thin pools
• thin provisioned volumes
• filesystems with options
• mountpoints (with chmod/chown)
• lvm raids

Hiera usage

g_server::volumes::groups:
  "example0":
    devices:
      - /dev/sda2
    volumes:
      root:
        mountpoint: /
        size: 10G
        mount_options: errors=remount-ro,noatime,nodiratime
        pass: 1
      other:
        mountpoint: /example
        size: 1G

Reference

Table of Contents

Classes

• g_server: Setups server in opinionated way.
• g_server::accounts:
• g_server::cron:
• g_server::firewall:
• g_server::network: Setups network interfaces and hosts.
• g_server::network::gentoo::iface:
• g_server::network::gentoo::network:
• g_server::network::hostname:
• g_server::repos:
• g_server::repos::glorpen:
• g_server::repos::puppet:
• g_server::services::fail2ban:
• g_server::services::ntp:
• g_server::services::ssh:
• g_server::sudo:
• g_server::volumes:

Defined types

• g_server::accounts::user:
• g_server::cron::job:
• g_server::network::iface:
• g_server::network::tuntap:
• g_server::volumes::group: Manages LVM volume group.
• g_server::volumes::mountpoint:
• g_server::volumes::raid:
• g_server::volumes::thinpool:
• g_server::volumes::vol:

Functions

• g_server::get_interfaces:
• g_server::get_side:
• g_server::params:
• g_server_cidr2netmask:

Data types

• G_server::Side:

Classes

g_server

Setups server in opinionated way.

Parameters

The following parameters are available in the g_server class.

external_ifaces

Data type: Array

Default value: []

internal_ifaces

Data type: Array

Default value: []

hostname

Data type: Optional[String]

Default value: $::trusted['certname']

manage_ssh

Data type: Variant[Boolean, Hash, Undef]

Default value: undef

manage_network

Data type: Variant[Boolean, Hash, Undef]

Default value: undef

manage_firewall

Data type: Boolean

Default value: true

manage_repos

Data type: Boolean

Default value: true

manage_sudo

Data type: Boolean

Default value: true

manage_cron

Data type: Boolean

Default value: true

manage_accounts

Data type: Variant[Boolean, Hash, Undef]

Default value: undef

manage_volumes

Data type: Variant[Boolean, Hash, Undef]

Default value: undef

manage_ntp

Data type: Variant[Boolean, Hash, Undef]

Default value: undef

default_packages

Data type: Boolean

Default value: true

g_server::accounts

The g_server::accounts class.

Parameters

The following parameters are available in the g_server::accounts class.

root_password_hash

Data type: Optional[String]

Default value: undef

root_ssh_keys

Data type: Hash

Default value: {}

root_ssh_authorized_keys

Data type: Hash

Default value: {}

admin_groups

Data type: Any

Default value: ['wheel']

users

Data type: Hash

Default value: {}

root_selinux_role

Data type: Variant[Boolean, String]

Default value: 'sysadm_r'

root_selinux_type

Data type: Variant[Boolean, String]

Default value: 'sysadm_t'

g_server::cron

The g_server::cron class.

Parameters

The following parameters are available in the g_server::cron class.

jobs

Data type: Hash[String, Hash]

Default value: {}

service_name

Data type: Optional[String]

Default value: undef

g_server::firewall

The g_server::firewall class.

g_server::network

Setups network interfaces and hosts.

Parameters

The following parameters are available in the g_server::network class.

internal_tld

Data type: String

Domain used for hostname on internal interfaces

Default value: 'internal'

additional_hosts

Data type: Array

Additional hosts passed to ::hosts

Default value: []

interfaces

Data type: Hash[String, Optional[Hash]]

Sets interfaces using g_server::network::iface

Default value: {}

enable_macvlan

Data type: Boolean

Enables or disables installing scripts for macvlan interfaces support

Default value: false

g_server::network::gentoo::iface

The g_server::network::gentoo::iface class.

Parameters

The following parameters are available in the g_server::network::gentoo::iface class.

config

Data type: String

modules

Data type: Optional[String]

Default value: undef

g_server::network::gentoo::network

The g_server::network::gentoo::network class.

g_server::network::hostname

The g_server::network::hostname class.

Parameters

The following parameters are available in the g_server::network::hostname class.

hostname

Data type: Any

g_server::repos

The g_server::repos class.

g_server::repos::glorpen

The g_server::repos::glorpen class.

Parameters

The following parameters are available in the g_server::repos::glorpen class.

ensure

Data type: Any

Default value: present

priority

Data type: Any

Default value: 99

g_server::repos::puppet

The g_server::repos::puppet class.

Parameters

The following parameters are available in the g_server::repos::puppet class.

ensure

Data type: Any

Default value: present

version

Data type: Any

Default value: 5

priority

Data type: Any

Default value: 99

g_server::services::fail2ban

The g_server::services::fail2ban class.

Parameters

The following parameters are available in the g_server::services::fail2ban class.

sshd

Data type: Boolean

Default value: false

g_server::services::ntp

The g_server::services::ntp class.

Parameters

The following parameters are available in the g_server::services::ntp class.

side

Data type: G_server::Side

Default value: 'none'

servers

Data type: Array[String]

Default value: ['pool.ntp.org']

g_server::services::ssh

The g_server::services::ssh class.

Parameters

The following parameters are available in the g_server::services::ssh class.

side

Data type: G_server::Side

Default value: 'both'

group

Data type: Any

Default value: 'ssh-users'

ports

Data type: Any

Default value: [22]

host_keys

Data type: Hash

Default value: {}

ciphers

Data type: Array[String]

Default value: [ 'chacha20-poly1305@openssh.com', 'aes256-gcm@openssh.com', 'aes128-gcm@openssh.com', 'aes256-ctr', 'aes192-ctr', 'aes128-ctr' ]

macs

Data type: Array[String]

Default value: [ 'hmac-sha2-512-etm@openssh.com', 'hmac-sha2-256-etm@openssh.com', 'umac-128-etm@openssh.com', 'hmac-sha2-512', 'hmac-sha2-256', 'umac-128@openssh.com' ]

kex_algorithms

Data type: Array[String]

Default value: [ 'curve25519-sha256@libssh.org', 'ecdh-sha2-nistp521', 'ecdh-sha2-nistp384', 'ecdh-sha2-nistp256', 'diffie-hellman-group-exchange-sha256' ]

accept_env

Data type: Array[String]

Default value: [ 'LANG', 'LC_CTYPE', 'LC_NUMERIC', 'LC_TIME', 'LC_COLLATE', 'LC_MONETARY', 'LC_MESSAGES', 'LC_PAPER', 'LC_NAME', 'LC_ADDRESS', 'LC_TELEPHONE', 'LC_MEASUREMENT', 'LC_IDENTIFICATION', 'LC_ALL LANGUAGE', 'XMODIFIERS' ]

password_authentication

Data type: Boolean

Default value: true

x11_forwarding

Data type: Boolean

Default value: false

server_options

Data type: Hash

Default value: {}

g_server::sudo

The g_server::sudo class.

g_server::volumes

The g_server::volumes class.

Parameters

The following parameters are available in the g_server::volumes class.

groups

Data type: Hash

Default value: {}

Defined types

g_server::accounts::user

The g_server::accounts::user class.

Parameters

The following parameters are available in the g_server::accounts::user defined type.

username

Data type: String

Default value: $title

ssh_authorized_keys

Data type: Hash

Default value: {}

ssh_keys

Data type: Hash

Default value: {}

admin

Data type: Boolean

Default value: false

groups

Data type: Array

Default value: []

home

Data type: Optional[String]

Default value: undef

password_hash

Data type: Optional[String]

Default value: undef

shell

Data type: String

Default value: '/bin/bash'

ssh_login

Data type: Boolean

Default value: true

g_server::cron::job

The g_server::cron::job class.

Parameters

The following parameters are available in the g_server::cron::job defined type.

ensure

Data type: String

Default value: 'present'

minute

Data type: String

Default value: '*'

hour

Data type: String

Default value: '*'

date

Data type: String

Default value: '*'

month

Data type: String

Default value: '*'

weekday

Data type: String

Default value: '*'

special

Data type: Optional[String]

Default value: undef

user

Data type: String

Default value: 'root'

environment

Data type: Hash[String, String]

Default value: {}

description

Data type: Optional[String]

Default value: undef

vars

Data type: Hash[String, Any]

Default value: {}

source

Data type: Optional[String]

Default value: undef

template_content

Data type: Optional[String]

Default value: undef

template_source

Data type: Optional[String]

Default value: undef

g_server::network::iface

The g_server::network::iface class.

Parameters

The following parameters are available in the g_server::network::iface defined type.

ipv4addr

Data type: Any

Default value: undef

ipv4netmask

Data type: Any

Default value: undef

ipv4gw

Data type: Any

Default value: undef

ipv4dhcp

Data type: Any

Default value: true

ipv6addr

Data type: Any

Default value: undef

ipv6gw

Data type: Any

Default value: undef

scope

Data type: String

Default value: 'internal'

macvlan_parent

Data type: Optional[String]

Default value: undef

mac_addr

Data type: Optional[String]

Default value: undef

dns

Data type: Boolean

Default value: true

routes

Data type: Array[Struct[{ ipaddress => Stdlib::IP::Address::Nosubnet, cidr => Variant[Integer, Stdlib::IP::Address::Nosubnet], gateway => Optional[Stdlib::IP::Address::Nosubnet], metric => Optional[Integer], scope => Optional[String], source => Optional[Stdlib::IP::Address::Nosubnet], table => Optional[String] }]]

Default value: []

nameservers

Data type: Array[String, 0, 2]

Default value: []

g_server::network::tuntap

The g_server::network::tuntap class.

Parameters

The following parameters are available in the g_server::network::tuntap defined type.

ensure

Data type: Enum['present', 'absent']

Default value: 'present'

ipv4addr

Data type: Any

Default value: undef

ipv4netmask

Data type: Any

Default value: undef

ipv6addr

Data type: Any

Default value: undef

ipv6gw

Data type: Any

Default value: undef

g_server::volumes::group

Manages LVM volume group.

Parameters

The following parameters are available in the g_server::volumes::group defined type.

devices

Data type: Array[String]

Block devices to use for this VG.

vg_name

Data type: String

Name of LVM VG to use.

Default value: $title

volumes

Data type: Hash

Creates volumes with g_server::volumes::vol type.

Default value: {}

thin_pools

Data type: Hash

Creates thinly provisioned pools (not volumes) with g_server::volumes::thinpool type.

Default value: {}

raids

Data type: Hash

Creates lvm raids with g_server::volumes::raid type.

Default value: {}

g_server::volumes::mountpoint

The g_server::volumes::mountpoint class.

Parameters

The following parameters are available in the g_server::volumes::mountpoint defined type.

ensure

Data type: String

mountpoint

Data type: String

Default value: $name

user

Data type: Variant[String,Integer,Undef]

Default value: undef

group

Data type: Variant[String,Integer,Undef]

Default value: undef

mode

Data type: Optional[String]

Default value: undef

manage

Data type: Boolean

Default value: true

g_server::volumes::raid

The g_server::volumes::raid class.

Parameters

The following parameters are available in the g_server::volumes::raid defined type.

vg_name

Data type: String

mountpoint

Data type: String

size

Data type: String

lv_name

Data type: String

Default value: $title

mirrors

Data type: Optional[Integer]

Default value: undef

stripes

Data type: Optional[Integer]

Default value: undef

level

Data type: Integer

Default value: 1

ensure

Data type: Enum['present','absent']

Default value: 'present'

fs

Data type: String

Default value: 'ext4'

fs_options

Data type: String

Default value: ''

mount_options

Data type: String

Default value: 'noatime,nodiratime'

pass

Data type: Integer

Default value: 0

mountpoint_user

Data type: Variant[String,Integer,Undef]

Default value: undef

mountpoint_group

Data type: Variant[String,Integer,Undef]

Default value: undef

mountpoint_mode

Data type: Optional[String]

Default value: undef

manage_mountpoint

Data type: Boolean

Default value: true

g_server::volumes::thinpool

The g_server::volumes::thinpool class.

Parameters

The following parameters are available in the g_server::volumes::thinpool defined type.

vg_name

Data type: String

size

Data type: String

lv_name

Data type: String

Default value: $title

ensure

Data type: Enum['present','absent']

Default value: 'present'

metadata_size

Data type: Optional[String]

Default value: undef

g_server::volumes::vol

The g_server::volumes::vol class.

Parameters

The following parameters are available in the g_server::volumes::vol defined type.

vg_name

Data type: String

mountpoint

Data type: String

size

Data type: String

lv_name

Data type: String

Default value: $title

ensure

Data type: Enum['present','absent']

Default value: 'present'

fs

Data type: String

Default value: 'ext4'

fs_options

Data type: String

Default value: ''

mount_options

Data type: String

Default value: 'noatime,nodiratime'

pass

Data type: Integer

Default value: 0

thinpool

Data type: Optional[String]

Default value: undef

mountpoint_user

Data type: Variant[String,Integer,Undef]

Default value: undef

mountpoint_group

Data type: Variant[String,Integer,Undef]

Default value: undef

mountpoint_mode

Data type: Optional[String]

Default value: undef

manage_mountpoint

Data type: Boolean

Default value: true

Functions

g_server::get_interfaces

Type: Puppet Language

The g_server::get_interfaces function.

g_server::get_interfaces(G_server::Side $side)

The g_server::get_interfaces function.

Returns: Array

side

Data type: G_server::Side

g_server::get_side

Type: Puppet Language

The g_server::get_side function.

g_server::get_side(String $interface)

The g_server::get_side function.

Returns: G_server::Side

interface

Data type: String

g_server::params

Type: Puppet Language

The g_server::params function.

g_server::params(Hash $options, Puppet::LookupContext $context)

The g_server::params function.

Returns: Any

options

Data type: Hash

context

Data type: Puppet::LookupContext

g_server_cidr2netmask

Type: Ruby 3.x API

The g_server_cidr2netmask function.

g_server_cidr2netmask()

The g_server_cidr2netmask function.

Returns: Any

Data types

G_server::Side

The G_server::Side data type.

Alias of Enum['internal', 'external', 'both', 'none']