debian_org: remove jessie support
[mirror/dsa-puppet.git] / modules / debian_org / manifests / init.pp
index 6e1c5da..01cff6e 100644 (file)
@@ -6,18 +6,14 @@ class debian_org {
        include debian_org::apt
 
        if $systemd {
-               include systemd
+               include dsa_systemd
                $servicefiles = 'present'
        } else {
                $servicefiles = 'absent'
        }
 
-       # the virtual facter needs virt-what on jessie to work
-       if versioncmp($::lsbmajdistrelease, '9') < 0 {
-               package { 'virt-what': ensure => installed }
-       } else {
-               package { 'virt-what': ensure => purged }
-       }
+       # the virtual facter needs virt-what on jessie to work; clean up.
+       package { 'virt-what': ensure => purged }
 
        $samhain_recipients = hiera('samhain_recipients')
        $root_mail_alias = hiera('root_mail_alias')
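Review bot: The rewritten comment above `package { 'virt-what': ensure => purged }` still reads as if virt-what were required, which contradicts the purge that follows it. Something like `# virt-what was only needed by the virtual fact on jessie; purge it everywhere` states the intent directly. The switch from `include systemd` to `include dsa_systemd` in the same hunk is not covered by the commit title and would be worth a line in the message. The class body continues outside this hunk.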
@@ -53,6 +49,7 @@ class debian_org {
                        'nload',
                        'pciutils',
                        'lldpd',
+                       'ncurses-term',
                ]:
                ensure => installed,
        }
@@ -75,13 +72,6 @@ class debian_org {
                ]:
        }
 
-       if getfromhash($site::nodeinfo, 'broken-rtc') {
-               package { 'fake-hwclock':
-                       ensure => installed,
-                       tag    => extra_repo,
-               }
-       }
-
        package { 'molly-guard':
                ensure => installed,
        }
@@ -124,16 +114,10 @@ class debian_org {
                content => "Etc/UTC\n",
                notify => Exec['dpkg-reconfigure tzdata -pcritical -fnoninteractive'],
        }
-       if versioncmp($::lsbmajdistrelease, '9') >= 0 { # jessie has a regular file there, for instance
-               file { '/etc/localtime':
-                       ensure => 'link',
-                       target => '/usr/share/zoneinfo/Etc/UTC',
-                       notify => Exec['dpkg-reconfigure tzdata -pcritical -fnoninteractive'],
-               }
-       }
-       if $::hostname == handel {
-               include puppetmaster::db
-               $dbpassword = $puppetmaster::db::password
+       file { '/etc/localtime':
+               ensure => 'link',
+               target => '/usr/share/zoneinfo/Etc/UTC',
+               notify => Exec['dpkg-reconfigure tzdata -pcritical -fnoninteractive'],
        }
        file { '/etc/puppet/puppet.conf':
                content => template('debian_org/puppet.conf.erb'),
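Review bot: `template('debian_org/puppet.conf.erb')` is now evaluated without the `$dbpassword` that the removed `if $::hostname == handel` block assigned, and the template itself is not visible here. If it still references `dbpassword`, the rendered `puppet.conf` on that host would lose the value or fail to compile, so the template should be checked as part of this change. Dropping `include puppetmaster::db` is also unrelated to jessie removal; a comment such as `# puppet.conf.erb no longer takes a database password` (if that is the case) or a line in the commit message would make it traceable. The `file { '/etc/puppet/puppet.conf':` resource continues outside this hunk.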
@@ -217,7 +201,7 @@ class debian_org {
                require => Package['debian.org']
        }
        file { '/etc/nsswitch.conf':
-               mode   => '0755',
+               mode   => '0444',
                source => 'puppet:///modules/debian_org/nsswitch.conf',
        }
 
@@ -243,21 +227,21 @@ class debian_org {
 
        # set mmap_min_addr to 4096 to mitigate
        # Linux NULL-pointer dereference exploits
-       site::sysctl { 'mmap_min_addr':
+       base::sysctl { 'mmap_min_addr':
                ensure => absent
        }
-       site::sysctl { 'perf_event_paranoid':
+       base::sysctl { 'perf_event_paranoid':
                key   => 'kernel.perf_event_paranoid',
                value => '2',
        }
-       site::sysctl { 'puppet-vfs_cache_pressure':
+       base::sysctl { 'puppet-vfs_cache_pressure':
                key   => 'vm.vfs_cache_pressure',
                value => '10',
        }
-       site::alternative { 'editor':
+       base::alternative { 'editor':
                linkto => '/usr/bin/vim.basic',
        }
-       site::alternative { 'view':
+       base::alternative { 'view':
                linkto => '/usr/bin/vim.basic',
        }
        mailalias { 'samhain-reports':
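Review bot: The comment `set mmap_min_addr to 4096 to mitigate Linux NULL-pointer dereference exploits` sits above `base::sysctl { 'mmap_min_addr': ensure => absent }`, which removes the setting rather than applying it. Anyone auditing the kernel hardening would take the comment at face value, so it should say what is actually enforced, for example `# drop our old mmap_min_addr override; the kernel's built-in default applies`. Relying on the built-in default is presumably intentional, but nothing visible here confirms it. The `mailalias` resource at the end continues outside the hunk.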
@@ -333,15 +317,18 @@ class debian_org {
                source => 'puppet:///modules/debian_org/root-dotfiles/vimrc',
        }
 
-       if versioncmp($::lsbmajdistrelease, '9') >= 0 { # older puppets do facts as strings.
+       if versioncmp($::lsbmajdistrelease, '9') == 0 { # older puppets do facts as strings.
                if $::processorcount > 1 {
                        package { 'irqbalance': ensure => installed }
                }
+       } else {
+               # 926967 drops the recommendation on irqbalance in Buster
+               package { 'irqbalance': ensure => purged }
        }
 
 
        # https://www.decadent.org.uk/ben/blog/bpf-security-issues-in-debian.html
-       site::sysctl { 'unprivileged_bpf_disabled':
+       base::sysctl { 'unprivileged_bpf_disabled':
                key   => 'kernel.unprivileged_bpf_disabled',
                value => '1',
        }
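Review bot: With `versioncmp($::lsbmajdistrelease, '9') == 0`, the new `else` branch purges irqbalance on every host that is not exactly release 9, which would include any host where the fact is missing or non-numeric. If that is intended, the comment should say so, and the bare `926967` should name its tracker, e.g. `# bug #926967 (if that is a Debian bug number) dropped the irqbalance recommendation in buster; purge everywhere except stretch`. The trailing `# older puppets do facts as strings.` explains the `versioncmp` call but not `$::processorcount > 1` on the next line, which compares the fact numerically. That comparison is worth checking under the same assumption.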
@@ -370,4 +357,10 @@ class debian_org {
                refreshonly => true,
                require => Package['userdir-ldap']
        }
+
+       # some changes require rebuilding the initramfs.  Have the common exec here.
+       exec { 'update-initramfs -u':
+               path        => '/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin',
+               refreshonly => true;
+       }
 }
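Review bot: The new `exec { 'update-initramfs -u': ... }` runs as root with a relative command resolved through `path`, and that path starts with `/etc/init.d`, which is not where the tool lives. Keeping the title for `notify` references while pinning the binary with `command => '/usr/sbin/update-initramfs -u',`, or trimming `path` to `'/usr/sbin:/usr/bin:/sbin:/bin'`, removes the dependency on search order. The trailing `;` after `refreshonly => true` is valid but inconsistent with the other resources in the class.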