Yep! I do that with some profiles:

Base
https://github.com/puppetinabox/controlrepo/blob/production/dist/profile/manifests/base.pp
calls linuxfw and its pre/post subclasses
https://github.com/puppetinabox/controlrepo/blob/production/dist/profile/manifests/linuxfw.pp
https://github.com/puppetinabox/controlrepo/tree/production/dist/profile/manifests/linuxfw
to set up the general rules all nodes have.

Component profiles like Apache allow port 80
https://github.com/puppetinabox/controlrepo/blob/production/dist/profile/manifests/apache.pp

The names of the firewall rule resources are sorted numerically, so you can
have multiple 100 rules in different profiles and it won't cause a problem
unless one of them is a deny, in which case you probably want to start the
name with 99 - or have unique rules across profiles, though that doesn't
scale very well.

On Wednesday, May 25, 2016, Alex Samad <a...@samad.com.au> wrote:

> Hi
>
> Thanks for all the input.
>
> What I have gathered
>
> Start with GIT from the beginning. Okay I can do that
>
> /etc/*puppetwhatever*/environments/{production|stage|etc}/ is good
>
> Look at using / implementing r10k
>
>
> Profiles / roles good.
>
> No need to reinvent modules - wasn't actually planning on that.
>
> From the puppet user group meeting I got that it is good to (example ntp)
>
> 1) reuse forge ntp module
> 2) wrap it up with $job defaults
> 3) use the new ntp profile
>
>
> Something I was looking at doing was managing the server firewall.
>
> I was going to produce some sort of a template with places in it where
> I can add dynamic content - depending on what apps were installed on
> the server.
>
>
> Example
> profile - ABC Firewall
> this would be basic
>
> allow related,connected
> allow ssh
> <Placeholder for access from anywhere>
> reject anything not from company ip address
> <Placeholder for access from inside where>
> drop broadcast
> drop multicast
> allow zabbix monitoring
> log with limit
> reject with limit
> drop
>
>
> so if I applied this profile to server A it would get the basic firewall.
>
> The next step is if I had profile "app A"
> if it had something like
> rules to add to from anywhere
> allow inbound port 80
> allow inbound port 443
>
> rules to add to only from local network
> allow inbound port 8080
>
>
> I would hope to get puppet to update the basic firewall with info from
> app A and other profiles.
>
>
> Is this possible?
>
> A
>
> On 24 May 2016 at 11:22, Rob Nelson <rnels...@gmail.com> wrote:
> > I wrote some articles on using Git with puppet and r10k. It's a little out
> > of date in the referenced versions of puppet and r10k, so check to make sure
> > you're using the modern file locations, but otherwise remains accurate.
> >
> > https://rnelson0.com/2014/05/19/puppet-and-git-201-r10k-setup-installation/
> >
> > There's a link to a Git 100 series I wrote if you need assistance with Git
> > itself.
> >
> >
> > On Monday, May 23, 2016, Alex Samad <a...@samad.com.au> wrote:
> >>
> >> Hi
> >>
> >> Is it really that painful to retrofit git, or is the way you think
> >> about the DB that different?
> >>
> >> Could you point a good starting point to read up on this ?
> >>
> >> Thanks
> >> Alex
> >>
> >> On 24 May 2016 at 07:16, Christopher Wood <christopher_w...@pobox.com>
> >> wrote:
> >> > On Mon, May 23, 2016 at 03:51:58PM +1000, Alex Samad wrote:
> >> >> How hard is it to retro fit SVN / GIT onto a puppet install.
> >> >>
> >> >> I am building from scratch, working through the doco.
> >> >>
> >> >> Was thinking once I have a friendly setup then I would look at putting
> >> >> that into SVN/GIT.
> >> >
> >> > Do yourself a huge favour, use git as the tool you use to construct the
> >> > setup. Use it from the start of the process, not just as what you put
> >> > things into when you're done.
> >> >
> >> >> Thoughts are
> >> >> install puppet
> >> >> install puppetDB
> >> >> install hiera ??
> >> >>
> >> >> setup environments, currently thinking
> >> >> Prod - all prod env
> >> >> SIM - testing for prod
> >> >> INF - inf
> >> >> NON Prod - anything that's not above
> >> >> dev - testing
> >> >> alex - personal
> >> >>
> >> >> Then I was going to create a whole bundle of profiles break up into
> >> >>
> >> >> OS app
> >> >> things like
> >> >> smtp
> >> >> ssh
> >> >> http
> >> >> etc
> >> >>
> >> >> have the default company setup
> >> >>
> >> >> Company Apps
> >> >> things that cover company apps
> >> >>
> >> >>
> >> >> Then build some roles - based solely from profiles.
> >> >>
> >> >> Then somehow dynamically assign nodes to a role / environment.
> >> >>
> >> >>
> >> >> Sounds okay ??
> >> >>
> >> >> A
> >> >>
> >> >> On 23 May 2016 at 10:47, Rilindo Foster <rili...@gmail.com> wrote:
> >> >> > You can use any VCS with Puppet. I know of one shop that uses
> >> >> > Mercurial.
> >> >> >
> >> >> > Most of the tooling and integration are closely coupled with git and
> >> >> > most of the workflows assume that you will be using git. So it would
> >> >> > be a good idea to get up to speed with it.
> >> >> >
> >> >> > Of note that you can use git with svn (which may be helpful if you
> >> >> > are getting started):
> >> >> >
> >> >> > https://git-scm.com/book/en/v1/Git-and-Other-Systems-Git-and-Subversion
> >> >> >
> >> >> > - Rilindo
> >> >> >
> >> >> > -----Original Message-----
> >> >> > From: puppet-users@googlegroups.com
> >> >> > [mailto:puppet-users@googlegroups.com] On Behalf Of Alex Samad
> >> >> > Sent: Sunday, May 22, 2016 7:44 PM
> >> >> > To: puppet-users@googlegroups.com
> >> >> > Subject: Re: [Puppet Users] Puppet and SVN
> >> >> >
> >> >> > Ta
> >> >> >
> >> >> > I was at the last puppet (Sydney) users group. Heard r10k mentioned
> >> >> > a lot.
> >> >> >
> >> >> > Also I got the impression that git was more closely integrated with
> >> >> > puppet.
> >> >> >
> >> >> > Should I be looking at git?
> >> >> >
> >> >> > A
> >> >> >
> >> >> >
> >> >> > On 23 May 2016 at 10:40, Henrik Lindberg <henrik.lindb...@puppet.com>
> >> >> > wrote:
> >> >> >> On 22/05/16 12:41, Alex Samad wrote:
> >> >> >>>
> >> >> >>> Hi
> >> >> >>>
> >> >> >>> just starting out with puppet.
> >> >> >>> I found this
> >> >> >>> http://projects.puppetlabs.com/projects/1/wiki/Puppet_Version_Control
> >> >> >>> old page
> >> >> >>>
> >> >> >>> talks about checking /etc/puppet into svn.
> >> >> >>>
> >> >> >>> But on my centos install I have /etc/puppetlabs/puppet
> >> >> >>>
> >> >> >>> do I add /etc/puppetlabs or /etc/puppetlabs/puppet to svn and if
> >> >> >>> the latter what about my codedir?
> >> >> >>>
> >> >> >>
> >> >> >> You probably want to use the project r10k to manage your
> >> >> >> manifests/configurations that are stored in a source code control
> >> >> >> repository.
> >> >> >>
> >> >> >> Here is the page that explains a bit about r10k and SVN:
> >> >> >>
> >> >> >>
> >> >> >> https://github.com/puppetlabs/r10k/blob/master/doc/dynamic-environments/svn-environments.mkd
> >> >> >>
> >> >> >> There is also lots of material available on r10k itself that is easy
> >> >> >> to find if you google for it.
> >> >> >>
> >> >> >> Regards
> >> >> >> - henrik
> >> >> >>
> >> >> >>> Thanks
> >> >> >>>
> >> >> >>> --
> >> >> >>> You received this message because you are subscribed to the Google
> >> >> >>> Groups "Puppet Users" group.
> >> >> >>> To unsubscribe from this group and stop receiving emails from it,
> >> >> >>> send an email to puppet-users+unsubscr...@googlegroups.com.
> >> >> >>> To view this discussion on the web visit
> >> >> >>> https://groups.google.com/d/msgid/puppet-users/ee63fdad-2d0f-4914-b9ca-0dbdb5044dc3%40googlegroups.com.
> >> >> >>> For more options, visit https://groups.google.com/d/optout.
> >> >> >>
> >> >> >>
> >> >> >>
> >> >> >> --
> >> >> >>
> >> >> >> Visit my Blog "Puppet on the Edge"
> >> >> >> http://puppet-on-the-edge.blogspot.se/
> >> >> >>
> >> >> >
> >> >>
> >> >
> >>
> >
> >
> >
> > --
> >
> > Rob Nelson
> > rnels...@gmail.com
> >
>
>


-- 

Rob Nelson
rnels...@gmail.com
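
The layout described at the top of this message (a base firewall profile with pre/post subclasses, plus component profiles that contribute their own numbered rules), written out with the puppetlabs-firewall module. This is an added example, not the contents of the linked puppetinabox manifests: the class bodies, rule names and every port except 80 are assumptions, and `action` is the parameter name used by module releases of that period.

```puppet
# Added example, not the linked repo's code. site.pp (top scope):
# purge rules Puppet does not manage and order every rule between pre and post.
resources { 'firewall':
  purge => true,
}

Firewall {
  require => Class['profile::linuxfw::pre'],
  before  => Class['profile::linuxfw::post'],
}

# Included from the base profile, so every node gets the general rules.
class profile::linuxfw {
  include firewall
  include profile::linuxfw::pre
  include profile::linuxfw::post
}

class profile::linuxfw::pre {
  Firewall { require => undef }   # avoid a dependency cycle on this class

  firewall { '000 accept related established':
    proto  => 'all',
    state  => ['RELATED', 'ESTABLISHED'],
    action => 'accept',
  }
  firewall { '001 accept ssh':
    proto  => 'tcp',
    dport  => 22,
    action => 'accept',
  }
}

class profile::linuxfw::post {
  # The 9xx prefix sorts this after every 100-range accept from other profiles.
  firewall { '999 drop all':
    proto  => 'all',
    action => 'drop',
    before => undef,
  }
}

# Component profile: contributes its own rule; the name prefix decides its position.
class profile::apache {
  firewall { '100 allow http':
    proto  => 'tcp',
    dport  => 80,
    action => 'accept',
  }
}
```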
