Remove wheezy-supporting cruft
[mirror/dsa-puppet.git] / modules / debian_org / manifests / init.pp
index 416d3d0..151dd57 100644 (file)
@@ -12,13 +12,15 @@ class debian_org {
                $servicefiles = 'absent'
        }
 
-       $debianadmin = [
-               'debian-archive-debian-samhain-reports@master.debian.org',
-               'debian-admin@ftbfs.de',
-               'weasel@debian.org',
-               'steve@lobefin.net',
-               'zumbi@oron.es'
-       ]
+       # the virtual facter needs virt-what on jessie to work
+       if versioncmp($::lsbmajdistrelease, '9') < 0 {
+               package { 'virt-what': ensure => installed }
+       } else {
+               package { 'virt-what': ensure => purged }
+       }
+
+       $samhain_recipients = hiera('samhain_recipients')
+       $root_mail_alias = hiera('root_mail_alias')
 
        package { [
                        'klogd',
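Review bot: The two `hiera()` lookups accept whatever shape the data has, and both values become recipients of security-relevant mail (the `samhain-reports` and `root` aliases in the `@@ -241` hunk). A missing key aborts compilation, which is the safe outcome, but an empty or mistyped value would presumably still compile and leave integrity reports or root mail without a reader. If the data is meant to be a list, as the removed array was, pin that at the lookup: `$samhain_recipients = assert_type(Array[String[1], 1], hiera('samhain_recipients'))`. Do the same for `root_mail_alias` with whatever type it is meant to hold.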
@@ -32,30 +34,21 @@ class debian_org {
        }
        package { [
                        'debian.org',
+                       'debian.org-recommended',
                        'dsa-munin-plugins',
+                       'userdir-ldap',
                ]:
                ensure => installed,
                tag    => extra_repo,
        }
-       file { '/etc/ssh/ssh_known_hosts':
-               ensure  => present,
-               replace => false,
-               mode    => '0644',
-               source  => 'puppet:///modules/debian_org/basic-ssh_known_hosts'
-       }
 
-       if versioncmp($::lsbmajdistrelease, '8') >= 0 {
-               $rubyfs_package = 'ruby-filesystem'
-       } else {
-               $rubyfs_package = 'libfilesystem-ruby1.9'
-       }
        package { [
                        'apt-utils',
                        'bash-completion',
                        'dnsutils',
                        'less',
                        'lsb-release',
-                       $rubyfs_package,
+                       'ruby-filesystem',
                        'mtr-tiny',
                        'nload',
                        'pciutils',
@@ -174,7 +167,20 @@ class debian_org {
                notify => Exec['systemctl daemon-reload'],
        }
 
-       file { '/etc/cron.d/dsa-puppet-stuff':
+       concat { '/etc/cron.d/dsa-puppet-stuff': }
+       concat::fragment { 'dsa-puppet-stuff---header':
+               target => '/etc/cron.d/dsa-puppet-stuff',
+               order  => '000',
+               content  => @(EOF)
+                       ## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+                       SHELL=/bin/bash
+                       MAILTO=root
+                       PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/lib/nagios/plugins
+                       | EOF
+       }
+       concat::fragment { 'dsa-puppet-stuff---all':
+               target => '/etc/cron.d/dsa-puppet-stuff',
+               order  => '010',
                content => template('debian_org/dsa-puppet-stuff.cron.erb'),
                require => Package['debian.org'],
        }
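Review bot: The new `concat { '/etc/cron.d/dsa-puppet-stuff': }` declares no owner, group or mode, so the permissions of a cron file now depend on the concat module's defaults. Debian's cron skips files in /etc/cron.d that are not root-owned or are writable by group or other, so state them explicitly: `concat { '/etc/cron.d/dsa-puppet-stuff': owner => 'root', group => 'root', mode => '0444' }`. The header fragment also puts `/usr/lib/nagios/plugins` on PATH for every job in the file, so a short comment saying why it is needed, and that the directory must stay writable by root only, would help the next reader. As a style point, `content  =>` in the header fragment has one space too many before the arrow.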
@@ -219,6 +225,14 @@ class debian_org {
                mode   => '0444',
                source => 'puppet:///modules/debian_org/etc.zsh/zprofile',
        }
+       file { '/etc/environment':
+               content => "",
+               mode => '0440',
+       }
+       file { '/etc/default/locale':
+               content => "",
+               mode => '0444',
+       }
 
        # set mmap_min_addr to 4096 to mitigate
        # Linux NULL-pointer dereference exploits
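Review bot: `/etc/environment` gets mode `'0440'` while `/etc/default/locale` right below it gets `'0444'`. With empty content there is nothing to protect, and a file that is not world-readable can make non-root readers fail, so this looks like a typo for `'0444'`. Neither resource sets `owner` or `group`, and nothing explains why the files are forced empty. A comment such as `# keep these empty so no host-wide environment or locale is injected into sessions` (if that is the intent) would stop someone from undoing it later.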
@@ -241,7 +255,12 @@ class debian_org {
        }
        mailalias { 'samhain-reports':
                ensure    => present,
-               recipient => $debianadmin,
+               recipient => $samhain_recipients,
+               require   => Package['debian.org']
+       }
+       mailalias { 'root':
+               ensure    => present,
+               recipient => $root_mail_alias,
                require   => Package['debian.org']
        }
 
@@ -306,4 +325,42 @@ class debian_org {
        file { '/root/.vimrc':
                source => 'puppet:///modules/debian_org/root-dotfiles/vimrc',
        }
+
+       if versioncmp($::lsbmajdistrelease, '9') >= 0 { # older puppets do facts as strings.
+               if $::processorcount > 1 {
+                       package { 'irqbalance': ensure => installed }
+               }
+       }
+
+
+       # https://www.decadent.org.uk/ben/blog/bpf-security-issues-in-debian.html
+       site::sysctl { 'unprivileged_bpf_disabled':
+               key   => 'kernel.unprivileged_bpf_disabled',
+               value => '1',
+       }
+
+       # Disable kpartx udev rules
+       file { '/etc/udev/rules.d/60-kpartx.rules':
+               ensure => $has_lib_udev_rules_d_60_kpartx_rules ? { true  => 'present', default => 'absent' },
+               content => "",
+               mode => '0444',
+       }
+
+       # this is only to avoid warnings, else puppet will complain that we
+       # have a symlink there, even if we're not replacing it anyhow.
+       if ! $has_etc_ssh_ssh_known_hosts {
+               file { '/etc/ssh/ssh_known_hosts':
+                       ensure  => 'present',
+                       replace => 'no',
+                       content => inline_template('<%= open("/etc/ssh/ssh_known_hosts").read() %>'),
+                       notify  => Exec['ud-replicate'],
+               }
+       }
+
+       exec { 'ud-replicate':
+               path => '/usr/bin:/usr/sbin:/bin:/sbin',
+               command => '/usr/bin/ud-replicate',
+               refreshonly => true,
+               require => Package['userdir-ldap']
+       }
 }
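Review bot: In a master/agent setup the `inline_template` for `/etc/ssh/ssh_known_hosts` is evaluated during catalog compilation, so `open(...).read()` reads the compiling master's file, not the node's. The comment above it should say that the seed content is the master's copy. Ruby's `Kernel#open` also treats a leading `|` as a command and leaves the handle open until garbage collection; the path is a constant here so that is not exploitable, but `content => file('/etc/ssh/ssh_known_hosts')` (or `File.read` inside the template) avoids both concerns. The resource removed earlier in this commit set `mode => '0644'`, whereas the replacement sets no mode or owner on a file that anchors SSH host verification. `$has_etc_ssh_ssh_known_hosts` and `$has_lib_udev_rules_d_60_kpartx_rules`, presumably custom facts, are unqualified while the rest of the hunk uses `$::`.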