support an array of mirrors for site::aptrepo
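# == Class: debian-org
#
# Stuff common to all debian.org servers: apt sources and apt keyring
# hygiene, the base package set, munin checks, puppet/systemd glue, root
# dotfiles, and a few sysctl and login-environment tweaks.
#
# Inputs are facts ($::lsbmajdistrelease, $::lsbdistcodename,
# $::debarchitecture, $::hostname, $systemd) plus per-host data read from
# $site::nodeinfo through getfromhash().  Resource titles referenced from
# other manifests (Package['debian.org'], Exec['init q'],
# Exec['systemctl daemon-reload'], ...) are kept stable.
#
class debian-org {
        # Mirror used when the hoster does not provide one, and as the
        # second entry after the hoster mirror when it does.  Releases up to
        # 8 keep the explicit CDN hostname.
        if $::lsbmajdistrelease <= 8 {
                $fallbackmirror = 'http://cdn-fastly.deb.debian.org/debian/'
        } else {
                $fallbackmirror = 'http://deb.debian.org/debian/'
        }

        # Look the hoster mirror up once; it is needed both for the mirror
        # list here and for the 'debian' aptrepo further down.
        $hostermirror = getfromhash($site::nodeinfo, 'hoster', 'mirror-debian')
        if $hostermirror {
                $mirror = [ $hostermirror, $fallbackmirror ]
        } else {
                $mirror = [ $fallbackmirror ]
        }

        # kFreeBSD hosts on release 8 or newer use a "<codename>-kfreebsd"
        # suite; everybody else uses the plain codename.
        if ($::lsbmajdistrelease > 7) and ($::debarchitecture in ['kfreebsd-amd64', 'kfreebsd-i386']) {
                $mungedcodename = "${::lsbdistcodename}-kfreebsd"
        } else {
                $mungedcodename = $::lsbdistcodename
        }

        # NOTE(review): $systemd is unqualified and not a core fact --
        # presumably a site-local custom fact; confirm where it is defined.
        if $systemd {
                include systemd
                $servicefiles = 'present'
        } else {
                $servicefiles = 'absent'
        }

        # Recipients of the samhain-reports alias (see mailalias below).
        $debianadmin = [
                'debian-archive-debian-samhain-reports@master.debian.org',
                'debian-admin@ftbfs.de',
                'weasel@debian.org',
                'steve@lobefin.net',
                'zumbi@oron.es'
        ]

        # Packages that must not be present on any debian.org host.
        package { [
                        'klogd',
                        'sysklogd',
                        'rsyslog',
                        'os-prober',
                        'apt-listchanges',
                ]:
                ensure => purged,
        }
        # Installed from the db.debian.org repo; the extra_repo tag orders
        # them after Exec['apt-get update'] (see the collector below).
        package { [
                        'debian.org',
                        'dsa-munin-plugins',
                ]:
                ensure => installed,
                tag    => extra_repo,
        }
        # Seed the global known_hosts once; replace => false keeps any
        # locally grown content afterwards.
        file { '/etc/ssh/ssh_known_hosts':
                ensure  => present,
                replace => false,
                mode    => '0644',
                source  => 'puppet:///modules/debian-org/basic-ssh_known_hosts'
        }

        if ($::lsbmajdistrelease >= 8) {
                $rubyfs_package = 'ruby-filesystem'
        } else {
                $rubyfs_package = 'libfilesystem-ruby1.9'
        }
        package { [
                        'apt-utils',
                        'bash-completion',
                        'dnsutils',
                        'less',
                        'lsb-release',
                        $rubyfs_package,
                        'mtr-tiny',
                        'nload',
                        'pciutils',
                ]:
                ensure => installed,
        }

        munin::check { [
                        'cpu',
                        'entropy',
                        'forks',
                        'interrupts',
                        'iostat',
                        'irqstats',
                        'load',
                        'memory',
                        'ntp_offset',
                        'ntp_states',
                        'open_files',
                        'open_inodes',
                        'processes',
                        'swap',
                        'uptime',
                        'vmstat',
                ]:
        }

        if getfromhash($site::nodeinfo, 'broken-rtc') {
                package { 'fake-hwclock':
                        ensure => installed,
                        tag    => extra_repo,
                }
        }

        package { 'molly-guard':
                ensure => installed,
        }
        file { '/etc/molly-guard/run.d/10-check-kvm':
                mode    => '0755',
                source  => 'puppet:///modules/debian-org/molly-guard/10-check-kvm',
                require => Package['molly-guard'],
        }
        file { '/etc/molly-guard/run.d/15-acquire-reboot-lock':
                mode    => '0755',
                source  => 'puppet:///modules/debian-org/molly-guard/15-acquire-reboot-lock',
                require => Package['molly-guard'],
        }

        # Old keyring location; remove it and anything left inside.
        file { '/etc/apt/trusted-keys.d':
                ensure => absent,
                force  => true,
        }

        # Keep the legacy monolithic keyring empty so that only the per-repo
        # keys (site::aptrepo's key parameter) are trusted by apt.
        file { '/etc/apt/trusted.gpg':
                mode    => '0600',
                content => '',
        }

        # Transport is plain http; integrity of the indices relies on apt's
        # signature verification against the per-repo keys.
        if ($::lsbmajdistrelease >= 8) {
                site::aptrepo { 'security':
                        url        => 'http://security-cdn.debian.org/',
                        suite      => "${mungedcodename}/updates",
                        components => ['main','contrib','non-free']
                }
        } else {
                site::aptrepo { 'security':
                        ensure => absent,
                }
        }

        site::aptrepo { 'debian-lts':
                ensure => absent,
        }

        site::aptrepo { 'backports.debian.org':
                url        => $mirror,
                suite      => "${::lsbdistcodename}-backports",
                components => ['main','contrib','non-free']
        }

        site::aptrepo { 'volatile':
                url        => $mirror,
                suite      => "${::lsbdistcodename}-updates",
                components => ['main','contrib','non-free']
        }

        # The empty host list is a hook for opting single hosts in; right
        # now only the kFreeBSD ports get proposed-updates.
        if ($::hostname in [] or $::debarchitecture in ['kfreebsd-amd64', 'kfreebsd-i386']) {
                site::aptrepo { 'proposed-updates':
                        url        => $mirror,
                        suite      => "${mungedcodename}-proposed-updates",
                        components => ['main','contrib','non-free']
                }
        } else {
                site::aptrepo { 'proposed-updates':
                        ensure => absent,
                }
        }

        # DSA's own package repository, shared suite plus a per-release one.
        site::aptrepo { 'db.debian.org':
                url        => 'http://db.debian.org/debian-admin',
                suite      => 'debian-all',
                components => 'main',
                key        => 'puppet:///modules/debian-org/db.debian.org.gpg',
        }
        site::aptrepo { 'db.debian.org-suite':
                url        => 'http://db.debian.org/debian-admin',
                suite      => $::lsbdistcodename,
                components => 'main',
        }

        # Keep ud-replicated running from inittab on sysvinit hosts; the
        # systemd unit for it is managed further down.
        augeas { 'inittab_replicate':
                context => '/files/etc/inittab',
                changes => [
                        'set ud/runlevels 2345',
                        'set ud/action respawn',
                        'set ud/process "/usr/bin/ud-replicated -d"',
                ],
                notify  => Exec['init q'],
        }

        # Main archive from the hoster mirror, only where one is configured.
        if $hostermirror {
                site::aptrepo { 'debian':
                        url        => $hostermirror,
                        suite      => $mungedcodename,
                        components => ['main','contrib','non-free']
                }
        }

        # Superseded repo names, cleaned up on every host.
        site::aptrepo { 'debian-cdn':
                ensure => absent,
        }
        site::aptrepo { 'debian.org':
                ensure => absent,
        }
        site::aptrepo { 'debian2':
                url    => 'http://cdn-fastly.deb.debian.org/debian',
                ensure => absent,
        }
        site::aptrepo { 'backports2.debian.org':
                ensure => absent,
        }

        # Purge everything under /etc/facter that is not managed below, so
        # stray external facts cannot linger.
        file { '/etc/facter':
                ensure  => directory,
                purge   => true,
                force   => true,
                recurse => true,
                source  => 'puppet:///files/empty/',
        }
        file { '/etc/facter/facts.d':
                ensure => directory,
        }
        file { '/etc/facter/facts.d/debian_facts.yaml':
                content => template('debian-org/debian_facts.yaml.erb')
        }
        file { '/etc/apt/preferences':
                source => 'puppet:///modules/debian-org/apt.preferences',
        }
        file { '/etc/apt/apt.conf.d/local-compression':
                source => 'puppet:///modules/debian-org/apt.conf.d/local-compression',
        }
        file { '/etc/apt/apt.conf.d/local-recommends':
                source => 'puppet:///modules/debian-org/apt.conf.d/local-recommends',
        }
        file { '/etc/apt/apt.conf.d/local-pdiffs':
                source => 'puppet:///modules/debian-org/apt.conf.d/local-pdiffs',
        }
        file { '/etc/apt/apt.conf.d/local-langs':
                source => 'puppet:///modules/debian-org/apt.conf.d/local-langs',
        }
        file { '/etc/timezone':
                source => 'puppet:///modules/debian-org/timezone',
                notify => Exec['dpkg-reconfigure tzdata -pcritical -fnoninteractive'],
        }
        # The puppetmaster host additionally gets the DB class; $dbpassword
        # is presumably consumed by puppet.conf.erb -- confirm in the template.
        if $::hostname == 'handel' {
                include puppetmaster::db
                $dbpassword = $puppetmaster::db::password
        }
        file { '/etc/puppet/puppet.conf':
                content => template('debian-org/puppet.conf.erb'),
        }
        file { '/etc/default/puppet':
                source => 'puppet:///modules/debian-org/puppet.default',
        }
        # Modes are quoted strings like everywhere else in this file; a bare
        # 0755 is parsed as a number and rejected by newer Puppet releases.
        file { '/etc/systemd':
                ensure => directory,
                mode   => '0755',
        }
        file { '/etc/systemd/system':
                ensure => directory,
                mode   => '0755',
        }
        file { '/etc/systemd/system/ud-replicated.service':
                ensure => $servicefiles,
                source => 'puppet:///modules/debian-org/ud-replicated.service',
                notify => Exec['systemctl daemon-reload'],
        }
        if $systemd {
                file { '/etc/systemd/system/multi-user.target.wants/ud-replicated.service':
                        ensure => 'link',
                        target => '../ud-replicated.service',
                        notify => Exec['systemctl daemon-reload'],
                }
        }
        # Symlinks to /dev/null mask these units: the agent is driven from
        # cron (see dsa-puppet-stuff below), not as a daemon.
        file { '/etc/systemd/system/puppet.service':
                ensure => 'link',
                target => '/dev/null',
                notify => Exec['systemctl daemon-reload'],
        }
        file { '/etc/systemd/system/proc-sys-fs-binfmt_misc.automount':
                ensure => 'link',
                target => '/dev/null',
                notify => Exec['systemctl daemon-reload'],
        }

        file { '/etc/cron.d/dsa-puppet-stuff':
                content => template('debian-org/dsa-puppet-stuff.cron.erb'),
                require => Package['debian.org'],
        }
        file { '/etc/ldap/ldap.conf':
                require => Package['debian.org'],
                content => template('debian-org/ldap.conf.erb'),
        }
        file { '/etc/pam.d/common-session':
                require => Package['debian.org'],
                content => template('debian-org/pam.common-session.erb'),
        }
        file { '/etc/pam.d/common-session-noninteractive':
                require => Package['debian.org'],
                content => template('debian-org/pam.common-session-noninteractive.erb'),
        }
        file { '/etc/rc.local':
                mode    => '0755',
                content => template('debian-org/rc.local.erb'),
                notify  => Exec['service rc.local start'],
        }
        file { '/etc/dsa':
                ensure => directory,
                mode   => '0755',
        }
        file { '/etc/dsa/cron.ignore.dsa-puppet-stuff':
                source  => 'puppet:///modules/debian-org/dsa-puppet-stuff.cron.ignore',
                require => Package['debian.org']
        }
        # NOTE(review): 0755 on a plain config file looks unintended ('0644'
        # would be the usual mode); kept as-is pending confirmation.
        file { '/etc/nsswitch.conf':
                mode   => '0755',
                source => 'puppet:///modules/debian-org/nsswitch.conf',
        }

        file { '/etc/profile.d/timeout.sh':
                mode   => '0555',
                source => 'puppet:///modules/debian-org/etc.profile.d/timeout.sh',
        }
        file { '/etc/zsh':
                ensure => directory,
        }
        file { '/etc/zsh/zprofile':
                mode   => '0444',
                source => 'puppet:///modules/debian-org/etc.zsh/zprofile',
        }

        # The mmap_min_addr override (historically raised to 4096 against
        # NULL-pointer dereference exploits) is no longer managed here and is
        # removed; presumably the kernel default is considered sufficient.
        site::sysctl { 'mmap_min_addr':
                ensure => absent
        }
        # Restrict unprivileged use of perf events.
        site::sysctl { 'perf_event_paranoid':
                key   => 'kernel.perf_event_paranoid',
                value => '2',
        }
        site::alternative { 'editor':
                linkto => '/usr/bin/vim.basic',
        }
        site::alternative { 'view':
                linkto => '/usr/bin/vim.basic',
        }
        mailalias { 'samhain-reports':
                ensure    => present,
                recipient => $debianadmin,
                require   => Package['debian.org']
        }

        file { '/usr/local/bin/check_for_updates':
                source => 'puppet:///modules/debian-org/check_for_updates',
                mode   => '0755',
                owner  => root,
                group  => root,
        }

        # Refresh apt indices only when check_for_updates says they are
        # stale, and before any package coming from the extra repos.
        exec { 'apt-get update':
                path    => '/usr/bin:/usr/sbin:/bin:/sbin',
                onlyif  => '/usr/local/bin/check_for_updates',
                require => File['/usr/local/bin/check_for_updates']
        }
        Exec['apt-get update']->Package<| tag == extra_repo |>

        # Refresh-only execs, triggered via notify from the resources above.
        exec { 'dpkg-reconfigure tzdata -pcritical -fnoninteractive':
                path        => '/usr/bin:/usr/sbin:/bin:/sbin',
                refreshonly => true
        }
        exec { 'service puppetmaster restart':
                refreshonly => true
        }
        exec { 'service rc.local start':
                refreshonly => true
        }
        exec { 'init q':
                refreshonly => true
        }

        exec { 'systemctl daemon-reload':
                refreshonly => true,
                onlyif      => 'test -x /bin/systemctl'
        }

        exec { 'systemd-tmpfiles --create --exclude-prefix=/dev':
                refreshonly => true,
                onlyif      => 'test -x /bin/systemd-tmpfiles'
        }

        # Expire filebucket copies older than two weeks.
        tidy { '/var/lib/puppet/clientbucket/':
                age      => '2w',
                recurse  => 9,
                type     => ctime,
                matches  => [ 'paths', 'contents' ],
                schedule => weekly
        }

        file { '/root/.bashrc':
                source => 'puppet:///modules/debian-org/root-dotfiles/bashrc',
        }
        file { '/root/.profile':
                source => 'puppet:///modules/debian-org/root-dotfiles/profile',
        }
        file { '/root/.selected_editor':
                source => 'puppet:///modules/debian-org/root-dotfiles/selected_editor',
        }
        file { '/root/.screenrc':
                source => 'puppet:///modules/debian-org/root-dotfiles/screenrc',
        }
        file { '/root/.vimrc':
                source => 'puppet:///modules/debian-org/root-dotfiles/vimrc',
        }
}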