Nothing cares about the $dbpassword variable we set on handel. Remove it
[mirror/dsa-puppet.git] / modules / debian_org / manifests / init.pp
index 30f0be5..6e0ea31 100644 (file)
@@ -6,7 +6,7 @@ class debian_org {
        include debian_org::apt
 
        if $systemd {
-               include systemd
+               include dsa_systemd
                $servicefiles = 'present'
        } else {
                $servicefiles = 'absent'
@@ -41,29 +41,19 @@ class debian_org {
                ensure => installed,
                tag    => extra_repo,
        }
-       file { '/etc/ssh/ssh_known_hosts':
-               ensure  => present,
-               replace => false,
-               mode    => '0644',
-               source  => 'puppet:///modules/debian_org/basic-ssh_known_hosts'
-       }
 
-       if versioncmp($::lsbmajdistrelease, '8') >= 0 {
-               $rubyfs_package = 'ruby-filesystem'
-       } else {
-               $rubyfs_package = 'libfilesystem-ruby1.9'
-       }
        package { [
                        'apt-utils',
                        'bash-completion',
                        'dnsutils',
                        'less',
                        'lsb-release',
-                       $rubyfs_package,
+                       'ruby-filesystem',
                        'mtr-tiny',
                        'nload',
                        'pciutils',
                        'lldpd',
+                       'ncurses-term',
                ]:
                ensure => installed,
        }
@@ -132,12 +122,15 @@ class debian_org {
                content => template('debian_org/debian_facts.yaml.erb')
        }
        file { '/etc/timezone':
-               source => 'puppet:///modules/debian_org/timezone',
+               content => "Etc/UTC\n",
                notify => Exec['dpkg-reconfigure tzdata -pcritical -fnoninteractive'],
        }
-       if $::hostname == handel {
-               include puppetmaster::db
-               $dbpassword = $puppetmaster::db::password
+       if versioncmp($::lsbmajdistrelease, '9') >= 0 { # jessie has a regular file there, for instance
+               file { '/etc/localtime':
+                       ensure => 'link',
+                       target => '/usr/share/zoneinfo/Etc/UTC',
+                       notify => Exec['dpkg-reconfigure tzdata -pcritical -fnoninteractive'],
+               }
        }
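Review bot: The `/etc/localtime` file resource on lines 57–61 and the `dpkg-reconfigure tzdata` exec it notifies both end up writing `/etc/localtime`, so this is only stable as long as tzdata's postinst on stretch and later leaves a symlink in place; if it ever writes a regular file, the two will alternate on every agent run and the exec will fire each time. That dependency is worth recording next to the version check, since the comment on line 56 only explains the jessie exclusion; something like `# stretch+: manage the link ourselves; the tzdata reconfigure must keep it a symlink or the two will flip-flop` (adjust to what tzdata actually does on those releases). The enclosing class continues outside this hunk.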
        file { '/etc/puppet/puppet.conf':
                content => template('debian_org/puppet.conf.erb'),
@@ -178,7 +171,20 @@ class debian_org {
                notify => Exec['systemctl daemon-reload'],
        }
 
-       file { '/etc/cron.d/dsa-puppet-stuff':
+       concat { '/etc/cron.d/dsa-puppet-stuff': }
+       concat::fragment { 'dsa-puppet-stuff---header':
+               target => '/etc/cron.d/dsa-puppet-stuff',
+               order  => '000',
+               content  => @(EOF)
+                       ## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+                       SHELL=/bin/bash
+                       MAILTO=root
+                       PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/lib/nagios/plugins
+                       | EOF
+       }
+       concat::fragment { 'dsa-puppet-stuff---all':
+               target => '/etc/cron.d/dsa-puppet-stuff',
+               order  => '010',
                content => template('debian_org/dsa-puppet-stuff.cron.erb'),
                require => Package['debian.org'],
        }
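Review bot: The `concat { '/etc/cron.d/dsa-puppet-stuff': }` target on line 70 declares no `owner`, `group` or `mode`, so the permissions of the generated cron file depend entirely on the concat module's defaults, whereas the other files touched by this commit pin `mode => '0444'`; cron ignores files in /etc/cron.d that are not root-owned or are writable by group/other, so a change in those defaults would silently stop the jobs. Pinning them keeps that explicit: `concat { '/etc/cron.d/dsa-puppet-stuff': owner => 'root', group => 'root', mode => '0444', }`. Separately, `content  => @(EOF)` on line 74 carries an extra space that breaks the alignment with `target =>` and `order  =>` on lines 72–73. If `dsa-puppet-stuff.cron.erb` still begins with its own SHELL/MAILTO/PATH lines (not visible here), they will now appear twice in the assembled file.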
@@ -208,7 +214,7 @@ class debian_org {
                require => Package['debian.org']
        }
        file { '/etc/nsswitch.conf':
-               mode   => '0755',
+               mode   => '0444',
                source => 'puppet:///modules/debian_org/nsswitch.conf',
        }
 
@@ -229,7 +235,7 @@ class debian_org {
        }
        file { '/etc/default/locale':
                content => "",
-               mode => '0440',
+               mode => '0444',
        }
 
        # set mmap_min_addr to 4096 to mitigate
@@ -329,4 +335,42 @@ class debian_org {
                        package { 'irqbalance': ensure => installed }
                }
        }
+
+
+       # https://www.decadent.org.uk/ben/blog/bpf-security-issues-in-debian.html
+       site::sysctl { 'unprivileged_bpf_disabled':
+               key   => 'kernel.unprivileged_bpf_disabled',
+               value => '1',
+       }
+
+       # Disable kpartx udev rules
+       file { '/etc/udev/rules.d/60-kpartx.rules':
+               ensure => $has_lib_udev_rules_d_60_kpartx_rules ? { true  => 'present', default => 'absent' },
+               content => "",
+               mode => '0444',
+       }
+
+       # this is only to avoid warnings, else puppet will complain that we
+       # have a symlink there, even if we're not replacing it anyhow.
+       if ! $has_etc_ssh_ssh_known_hosts {
+               file { '/etc/ssh/ssh_known_hosts':
+                       ensure  => 'present',
+                       replace => 'no',
+                       content => inline_template('<%= open("/etc/ssh/ssh_known_hosts").read() %>'),
+                       notify  => Exec['ud-replicate'],
+               }
+       }
+
+       exec { 'ud-replicate':
+               path => '/usr/bin:/usr/sbin:/bin:/sbin',
+               command => '/usr/bin/ud-replicate',
+               refreshonly => true,
+               require => Package['userdir-ldap']
+       }
+
+       # some changes require rebuilding the initramfs.  Have the common exec here.
+       exec { 'update-initramfs -u':
+               path        => '/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin',
+               refreshonly => true;
+       }
 }
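Review bot: The `inline_template('<%= open("/etc/ssh/ssh_known_hosts").read() %>')` on line 130 is evaluated during catalog compilation, so it reads the puppetmaster's own `/etc/ssh/ssh_known_hosts`, not the agent's, and embeds that whole file in the catalog of every host whose `$has_etc_ssh_ssh_known_hosts` fact is false; if the master lacks that file, compilation for such hosts will fail with an ENOENT from Ruby. That is presumably intended, but the comment on lines 124–125 only says why the resource is conditional, so `# seeded from the puppetmaster's copy at compile time; ud-replicate then regenerates it on the host` would make the data flow obvious to the next reader. The resource this replaces (removed in the second hunk) carried `mode => '0644'`; the new one sets no mode, so a freshly seeded file's permissions fall back to Puppet's default, and restoring `mode => '0644',` keeps the old behaviour explicit. Finally, `refreshonly => true;` on line 145 ends the attribute list with a semicolon where every other resource in this file uses a comma or nothing; `refreshonly => true,` matches the file's style.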