From: Peter Palfrader
Date: Sat, 7 Sep 2019 17:15:46 +0000 (+0200)
Subject: Try to retire the site module: move sysctl to base
X-Git-Url: https://git.adam-barratt.org.uk/?a=commitdiff_plain;h=83a1f108c2b7df3e8c3bc5c7918e2a8612e83d0b;p=mirror%2Fdsa-puppet.git
Try to retire the site module: move sysctl to base
---
diff --git a/modules/base/manifests/procps.pp b/modules/base/manifests/procps.pp
new file mode 100644
index 000000000..748c76d33
--- /dev/null
+++ b/modules/base/manifests/procps.pp
@@ -0,0 +1,7 @@
+# This class defines the procps service which is notified by base::sysctl
+class base::procps {
+ service { 'procps':
+ hasstatus => false,
+ status => '/bin/true',
+ }
+}
diff --git a/modules/base/manifests/sysctl.pp b/modules/base/manifests/sysctl.pp
new file mode 100644
index 000000000..3cee048a1
--- /dev/null
+++ b/modules/base/manifests/sysctl.pp
@@ -0,0 +1,21 @@
+define base::sysctl ($key='', $value='', $target='Linux', $ensure = present) {
+ include base::procps
+
+ case $ensure {
+ present: { if ($key == "" or $value == "") { fail ( "Need to provide key and value" )} }
+ absent: {}
+ default: { fail ( "Unknown ensure value: '$ensure'" ) }
+ }
+
+ if $::kernel == $target {
+ file {
+ "/etc/sysctl.d/${name}.conf":
+ ensure => $ensure,
+ owner => root,
+ group => root,
+ mode => '0644',
+ content => "${key} = ${value}\n",
+ notify => Service['procps']
+ }
+ }
+}
diff --git a/modules/debian_org/manifests/init.pp b/modules/debian_org/manifests/init.pp
index 6e0ea3193..02c8c7ace 100644
--- a/modules/debian_org/manifests/init.pp
+++ b/modules/debian_org/manifests/init.pp
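Review bot: The header comment on base::procps should also say that the resource carries no `ensure`, so with `hasstatus => false` and `status => '/bin/true'` Puppet should always see procps as running and never try to start or stop it; the class exists purely as a refresh target for `notify => Service['procps']`. A reader who expects it to manage service state otherwise has to infer that from the two attributes. Suggested wording: `# Refresh-only hook: no ensure, and status => /bin/true makes Puppet treat the service as always running, so it is only ever restarted when notified.`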
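Review bot: With `ensure => absent` the define removes the drop-in and refreshes procps, but as far as this hunk shows nothing resets the kernel parameter the file used to set, so a caller such as the `mmap_min_addr` resource in debian_org keeps the old value until reboot or until another sysctl.d file overrides it; that deserves a header comment on base::sysctl, which has none while procps.pp has one. Something like `# Writes /etc/sysctl.d/<name>.conf as "key = value" and restarts procps; absent removes the file but does not restore the previous kernel value.` would do. The same comment should note that key/value are only validated for present, that the define is a no-op unless $::kernel equals $target, and that the file name is built straight from the resource title, so titles are expected to be plain file-name stems.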
@@ -240,14 +240,14 @@ class debian_org {
 # set mmap_min_addr to 4096 to mitigate # Linux NULL-pointer dereference exploits
- site::sysctl { 'mmap_min_addr':
+ base::sysctl { 'mmap_min_addr':
 ensure => absent }
- site::sysctl { 'perf_event_paranoid':
+ base::sysctl { 'perf_event_paranoid':
 key => 'kernel.perf_event_paranoid', value => '2', }
- site::sysctl { 'puppet-vfs_cache_pressure':
+ base::sysctl { 'puppet-vfs_cache_pressure':
 key => 'vm.vfs_cache_pressure', value => '10', }
@@ -338,7 +338,7 @@ class debian_org {
 # https://www.decadent.org.uk/ben/blog/bpf-security-issues-in-debian.html
- site::sysctl { 'unprivileged_bpf_disabled':
+ base::sysctl { 'unprivileged_bpf_disabled':
 key => 'kernel.unprivileged_bpf_disabled', value => '1', }
diff --git a/modules/debian_org/manifests/radvd.pp b/modules/debian_org/manifests/radvd.pp
index 29be0ed86..d783b705c 100644
--- a/modules/debian_org/manifests/radvd.pp
+++ b/modules/debian_org/manifests/radvd.pp
@@ -1,9 +1,9 @@
 class debian_org::radvd {
- site::sysctl { 'dsa-accept-ra-default':
+ base::sysctl { 'dsa-accept-ra-default':
 key => 'net.ipv6.conf.default.accept_ra', value => 0, }
- site::sysctl { 'dsa-accept-ra-all':
+ base::sysctl { 'dsa-accept-ra-all':
 key => 'net.ipv6.conf.all.accept_ra', value => 0, }
diff --git a/modules/huge_mem/manifests/init.pp b/modules/huge_mem/manifests/init.pp
index 2cbfc1852..938303492 100644
--- a/modules/huge_mem/manifests/init.pp
+++ b/modules/huge_mem/manifests/init.pp
@@ -3,11 +3,11 @@ class huge_mem {
 # so filtering needs to happen here. if $::hostname in [grnet-node01,grnet-node02] {
- site::sysctl { 'puppet-vm_dirty_bytes':
+ base::sysctl { 'puppet-vm_dirty_bytes':
 key => 'vm.dirty_bytes', value => '1073741824', }
- site::sysctl { 'puppet-vm_dirty_background_bytes':
+ base::sysctl { 'puppet-vm_dirty_background_bytes':
 key => 'vm.dirty_background_bytes', value => '268435456', }
diff --git a/modules/site/manifests/init.pp b/modules/site/manifests/init.pp
index 2f9dc6941..dc9b9479b 100644
--- a/modules/site/manifests/init.pp
+++ b/modules/site/manifests/init.pp
@@ -4,10 +4,4 @@ class site {
 $nodeinfo = nodeinfo($::fqdn) $allnodeinfo = allnodeinfo('sshRSAHostKey ipHostNumber', 'purpose mXRecord physicalHost purpose') $roles = hiera('roles')
-
- service { 'procps':
- hasstatus => false,
- status => '/bin/true',
- }
-
 }
diff --git a/modules/site/manifests/sysctl.pp b/modules/site/manifests/sysctl.pp
deleted file mode 100644
index b9e343479..000000000
--- a/modules/site/manifests/sysctl.pp
+++ /dev/null
@@ -1,20 +0,0 @@
-define site::sysctl ($key='', $value='', $target='Linux', $ensure = present) {
- include site
- case $ensure {
- present: { if ($key == "" or $value == "") { fail ( "Need to provide key and value" )} }
- absent: {}
- default: { fail ( "Unknown ensure value: '$ensure'" ) }
- }
-
- if $::kernel == $target {
- file {
- "/etc/sysctl.d/${name}.conf":
- ensure => $ensure,
- owner => root,
- group => root,
- mode => '0644',
- content => "${key} = ${value}\n",
- notify => Service['procps']
- }
- }
-}