init

puppet/src/README.md

@@ -0,0 +1,4 @@
+This `src` directory contains Puppet modules only available in this
+Vagrant project. Because Puppet librarian can clean out the `modules`
+directory, we put local modules here, out of librarian's scope, and
+reference them for in the Puppetfile for installation to `modules`.

puppet/src/profiles/files/ssl/apidb-ca-rsa.crt

@@ -0,0 +1,38 @@
+-----BEGIN CERTIFICATE-----
+MIIGujCCBKKgAwIBAgIJAJ88X2Ge/QNVMA0GCSqGSIb3DQEBBQUAMIGZMQswCQYD
+VQQGEwJVUzEVMBMGA1UECBMMUGVubnN5bHZhbmlhMRUwEwYDVQQHEwxQaGlsYWRl
+bHBoaWExLTArBgNVBAoTJEFwaURCIEJpb2luZm9ybWF0aWNzIFJlc291cmNlIENl
+bnRlcjEOMAwGA1UEAxMFQXBpREIxHTAbBgkqhkiG9w0BCQEWDmhlbHBAYXBpZGIu
+b3JnMB4XDTEyMDgzMTE5MTMyNFoXDTIyMDgyOTE5MTMyNFowgZkxCzAJBgNVBAYT
+AlVTMRUwEwYDVQQIEwxQZW5uc3lsdmFuaWExFTATBgNVBAcTDFBoaWxhZGVscGhp
+YTEtMCsGA1UEChMkQXBpREIgQmlvaW5mb3JtYXRpY3MgUmVzb3VyY2UgQ2VudGVy
+MQ4wDAYDVQQDEwVBcGlEQjEdMBsGCSqGSIb3DQEJARYOaGVscEBhcGlkYi5vcmcw
+ggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDWjz2aYcFph78mYHXI92QG
+RetOwW8Sp8bSaI3j3/MsG/+0zAesAub3qAldizZSnPGT62Ok9CwloKno8xl5k08D
+tdK1PBy1KTcOhpVGDpGpQIWC5cZ3WmLkT9VciE25MSsmBsShqP7jmDy9tBAOQ5mJ
+YeFxnnkiZfNMkeW+fMv/SUIutebUVMi+ZnRqj5DDlgLbcNUzH533SauYXTkehbyY
+Awwx2BtPhjINWn4PFv11NGM8P5mri6+M0l8twCIUKFi9SoCjYAM0uOd3AS3EJxxK
+M3QBYJVrykbqxHF/MaD3z/hbXCrhmIQm96ApnVnmxpc1DtkPKkkfhbnkDbOJqVfe
+6IOHxxzRN1a1Igb12dR+nRAf6vZNCMZ1YFzC01rw1bkKlYrcaX+ZM1El1n1mgHtP
+OrQZLeNzCCl0LACBAC1Ky4/2OdyAP7A3Hrlo4dT8rTC+5ZWn+vuhwZV6KMk7rElf
+n1HpBvKwypSJqc5jHq7f9hTQyktWdg1rfvn+TPPfZHehKsYQrR1oEGJVynouvQMG
+YrDnGTbg12xpMv+zWDpRsuTx6zpSwbS/S3/PnEndhQBx8eRrHbHkV/9zP1qPt7Xl
+mX5XLQz+zJV801rx00Jadfta8SZBohV6uhhwFdBuc1z7+VOhKjKVG5EzfhINY4a/
+3CaoTF51sAHuLl6q67T9FQIDAQABo4IBATCB/jAdBgNVHQ4EFgQUasR0PhZJaGRx
+tVXJleUI6PJXEvUwgc4GA1UdIwSBxjCBw4AUasR0PhZJaGRxtVXJleUI6PJXEvWh
+gZ+kgZwwgZkxCzAJBgNVBAYTAlVTMRUwEwYDVQQIEwxQZW5uc3lsdmFuaWExFTAT
+BgNVBAcTDFBoaWxhZGVscGhpYTEtMCsGA1UEChMkQXBpREIgQmlvaW5mb3JtYXRp
+Y3MgUmVzb3VyY2UgQ2VudGVyMQ4wDAYDVQQDEwVBcGlEQjEdMBsGCSqGSIb3DQEJ
+ARYOaGVscEBhcGlkYi5vcmeCCQCfPF9hnv0DVTAMBgNVHRMEBTADAQH/MA0GCSqG
+SIb3DQEBBQUAA4ICAQAgiSwGDZvC9GVErm8m7DNdLU17lP8V1aUXMLbwAm2hwp6C
+snUR3TzJ0MOPSPy67NIMYMWwkRKDILKUXOvfsnE295ZmqmTaUZk+Uv3DoU3xcaIw
+LbAOhlIrgPvGQyWXUwAdGacBTrJM4dzQ+pAPnt9ZVu5X9+BYD7ic0H0WNimurjtk
+4l+X+wxibJB8Mj3zMnkBRm3wNS1teeU3HRjByEX3HoHuxMYWhWX6tOosBIXiV/9c
+12jVPseogPROziiMxqpkyDqUXWiZhzvL/MK0NGYGPlevAodvTWh4CG8Ld1ErFy07
+Sk6YVxBQhz5+HAyHQNLjySh8UeX4EdF9Y1Fpmmy7M2afV+YEjB0ahIGmYfUqt4rj
+KbeRdmqobpzjQ7iH53xBS8JMUw1EOP4Evjsi7/62XqB4MgRQ9EM85T0W3zhiwFF2
+6h7BJ11ElhPjmTzzz12p/MBnnYmrMNwYKzDobfdlDoC4dAz1U5RDI1D7w8RyZbOk
+5FOxGCS2/8Hk8vBL6/ZF5sTD3iqb7YDdEgvkrnAnPk3UAQ6FHPzp7tfC3IBQr7Jf
+BmkZhG9oGg8WIkGPKxUqMJuoQAb5UB6GwE6nz2dCnAM62qUVLljs0XNWK1lgRpYy
+JM0ZtsohoVcerth4vUVwrxATaSJ5N+9e9uitABWEOdkiT6l0Fv8aLrjv/ZkLCA==
+-----END CERTIFICATE-----

puppet/src/profiles/manifests/ebrc_ca_bundle.pp

@@ -0,0 +1,26 @@
+# install EuPathDB BRC's Certificate Authority to filesystem and add to
+# system CA bundle using ca-certificates utilities.
+# Hiera
+#
+#  The following hiera data should be set for use by the underlying
+#  modules. Defaults are set in common.yaml
+#  - ebrc_ca::cacert - filename of certificate
+class profiles::ebrc_ca_bundle {
+
+  include ::trusted_ca
+
+  $ca_name = hiera('ebrc_ca::cacert')
+
+  trusted_ca::ca { $ca_name:
+    source => "puppet:///modules/profiles/ssl/${ca_name}",
+  }
+
+  file { "/etc/pki/tls/certs/${ca_name}":
+    ensure => file,
+    source => "puppet:///modules/profiles/ssl/${ca_name}",
+    owner  => 'root',
+    group  => 'root',
+    mode   => '0644',
+  }
+
+}

puppet/src/profiles/manifests/ebrc_ca_keystore.pp

@@ -0,0 +1,40 @@
+# install EuPathDB BRC's Certificate Authority to java keystore.
+# Leverages puppetlabs/java_ks
+#
+# Requirements
+#   - EuPathDB's CA must already be on the file system 
+#     (see profile::ebrc_ca_bundle).
+#   - keytool command must be available (provided by modern Java packages)
+# Hiera
+#
+#  The following hiera data should be set for use by the underlying
+#  modules. Defaults are set in common.yaml
+#  - ebrc_ca::cacert - filename for certificate
+#  - ebrc_java::java_home - java base directory
+#  - java_keystore_target - path for keystore
+#  - java_keystore_passwd - password for keystore
+class profiles::ebrc_ca_keystore {
+
+  $alias = 'eupathdbinternalca'
+  $cacert = hiera('ebrc_ca::cacert')
+  $java_home = hiera('ebrc_java::java_home')
+  $java_ks_target = hiera('java_keystore_target')
+  $java_ks_passwd = hiera('java_keystore_passwd')
+
+  if $::osfamily == 'redhat' {
+    $certdir = '/etc/pki/tls/certs'
+  } else {
+    fail("profiles::ebrc_ca_keystore: Unsupported osfamily: ${::osfamily}")
+  }
+
+  java_ks { $alias:
+    ensure       => latest,
+    path         => ["${java_home}/bin", '/usr/bin'],
+    certificate  => "${certdir}/${cacert}",
+    target       => $java_ks_target,
+    password     => $java_ks_passwd,
+    trustcacerts => true,
+  }
+
+
+}

puppet/src/profiles/manifests/ebrc_java_stack.pp

@@ -0,0 +1,48 @@
+# Full java deployment for EuPathDB BRC servers
+# Includes
+#  - installing one or more Java packages from EuPathDB YUM repo
+#  - adds EuPathDB's certificate authority to cacerts keystore.
+#
+# Hiera
+#
+#  The following hiera data should be set for use by the underlying
+#  modules.
+#
+#  Used by ebrc_java
+#    ebrc_java::packages - an array of Java packages to install, e.g
+#        ebrc_java::packages:
+#          - jdk-1.7.0_80
+#          - jdk-1.8.0_01
+#    ebrc_java::java_home - the full path to $JAVA_HOME, e.g.
+#         ebrc_java::java_home: /usr/java/jdk1.7.0_80
+#
+#  Used by ::profiles::ebrc_ca_keystore
+#   java_keystore_target - the full path to the Java keystore file, e.g.
+#         java_keystore_target: /etc/pki/tls/certs/cacerts
+#   java_keystore_passwd - the keystore password
+#         java_keystore_passwd: graeo5locza
+#
+#  Used by ::profiles::ebrc_ca_bundle
+#    ebrc_ca::cacert - the file name of EBRC's CA
+#       ebrc_ca::cacert: apidb-ca-rsa.crt
+#
+class profiles::ebrc_java_stack {
+
+  include ::ebrc_yum_repo
+  include ::profiles::ebrc_ca_bundle
+  include ::profiles::ebrc_ca_keystore
+
+  $java_home     = hiera('ebrc_java::java_home')
+  $java_packages = hiera('ebrc_java::packages')
+
+  class { '::ebrc_java':
+    packages  => $java_packages,
+    java_home => $java_home,
+  }
+
+  Class['::ebrc_yum_repo'] ->
+  Class['::ebrc_java'] ->
+  Class['::profiles::ebrc_ca_bundle'] ->
+  Class['::profiles::ebrc_ca_keystore']
+
+}

puppet/src/profiles/manifests/ebrc_jenkins.pp

@@ -0,0 +1,44 @@
+# manage requirements for Jenkins server instances
+# for EuPathDB
+class profiles::ebrc_jenkins {
+
+    include ::profiles::ebrc_java_stack
+    include ::profiles::local_home
+    include ::ebrc_jenkins
+
+    Class['::profiles::ebrc_java_stack'] ->
+    Class['::profiles::local_home'] ->
+    Class['::ebrc_jenkins']
+    
+    firewalld::custom_service{ 'Allow jenkins in public zone':
+      short  => 'jenkins',
+      port   => [
+        {
+          'port'     => 9191,
+          'protocol' => 'tcp'
+        },
+        {
+          'port'     => 9181,
+          'protocol' => 'tcp'
+        },
+        {
+          'port'     => 9130,
+          'protocol' => 'tcp'
+        },
+        {
+          'port'     => 9120,
+          'protocol' => 'tcp'
+        },
+      ],
+      before => Firewalld_service['Allow jenkins in public zone'],
+    }
+
+    firewalld_service {'Allow jenkins in public zone':
+        ensure  => 'present',
+        zone    => 'public',
+        service => 'jenkins',
+    }
+
+
+
+}

puppet/src/profiles/manifests/local_home.pp

@@ -0,0 +1,10 @@
+# manage a home that is on a local filesystem
+# as opposed to NFS
+class profiles::local_home {
+
+    $local_home = hiera('local_home')
+
+    file{ [$local_home]:
+      ensure => directory,
+    }
+}

puppet/src/profiles/metadata.json

@@ -0,0 +1,15 @@
+{
+  "name": "local/profiles",
+  "version": "0.0.0",
+  "author": "ebrc",
+  "summary": "Local profiles to install Jenkins master",
+  "license": "Apache-2.0",
+  "source": "",
+  "project_page": null,
+  "issues_url": null,
+  "dependencies": [
+    {"name":"ebrc/ebrc_jenkins"},
+    {"name":"crayfishx/firewalld"}
+  ]
+}
+