# == Class: debian_org
#
# Resources common to all debian.org servers.
#
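class debian_org {
        include debian_org::apt

        # systemd hosts get the unit files declared below; on sysvinit hosts
        # the same resources are ensured absent so nothing stale is left over.
        if $systemd {
                include dsa_systemd
                $servicefiles = 'present'
        } else {
                $servicefiles = 'absent'
        }

        # the virtual facter needs virt-what on jessie to work; clean up.
        package { 'virt-what': ensure => purged }

        # Mail routing for samhain reports and root's mail is looked up from
        # hiera and applied by the mailalias resources further down.
        $samhain_recipients = hiera('samhain_recipients')
        $root_mail_alias = hiera('root_mail_alias')

        # Packages that must not be present on any debian.org host.
        package { [
                        'klogd',
                        'sysklogd',
                        'rsyslog',
                        'os-prober',
                        'apt-listchanges',
                        'mlocate',
                ]:
                ensure => purged,
        }
        # DSA-specific packages; tagged so they are installed only after the
        # extra repository (debian_org::apt) is available.
        package { [
                        'debian.org',
                        'debian.org-recommended',
                        'dsa-munin-plugins',
                        'userdir-ldap',
                ]:
                ensure => installed,
                tag    => extra_repo,
        }

        # Baseline tooling from the regular Debian archive.
        package { [
                        'apt-utils',
                        'bash-completion',
                        'dnsutils',
                        'less',
                        'lsb-release',
                        'ruby-filesystem',
                        'mtr-tiny',
                        'nload',
                        'pciutils',
                        'lldpd',
                        'ncurses-term',
                ]:
                ensure => installed,
        }

        munin::check { [
                        'cpu',
                        'entropy',
                        'forks',
                        'interrupts',
                        'iostat',
                        'irqstats',
                        'load',
                        'memory',
                        'open_files',
                        'open_inodes',
                        'processes',
                        'swap',
                        'uptime',
                        'vmstat',
                ]:
        }

        # molly-guard hooks: both scripts run before a reboot/halt is allowed.
        package { 'molly-guard':
                ensure => installed,
        }
        file { '/etc/molly-guard/run.d/10-check-kvm':
                mode    => '0755',
                source  => 'puppet:///modules/debian_org/molly-guard/10-check-kvm',
                require => Package['molly-guard'],
        }
        file { '/etc/molly-guard/run.d/15-acquire-reboot-lock':
                mode    => '0755',
                source  => 'puppet:///modules/debian_org/molly-guard/15-acquire-reboot-lock',
                require => Package['molly-guard'],
        }

        # sysvinit: keep ud-replicated running via inittab; 'init q' makes
        # init re-read the file after a change.
        augeas { 'inittab_replicate':
                context => '/files/etc/inittab',
                changes => [
                        'set ud/runlevels 2345',
                        'set ud/action respawn',
                        'set ud/process "/usr/bin/ud-replicated -d"',
                ],
                notify  => Exec['init q'],
        }

        # /etc/facter is fully managed: anything not declared below is purged,
        # so only the facts.d file we template ends up there.
        file { '/etc/facter':
                ensure  => directory,
                purge   => true,
                force   => true,
                recurse => true,
                source  => 'puppet:///files/empty/',
        }
        file { '/etc/facter/facts.d':
                ensure => directory,
        }
        file { '/etc/facter/facts.d/debian_facts.yaml':
                content => template('debian_org/debian_facts.yaml.erb'),
        }

        # All hosts run on UTC; tzdata is reconfigured whenever either file changes.
        file { '/etc/timezone':
                content => "Etc/UTC\n",
                notify  => Exec['dpkg-reconfigure tzdata -pcritical -fnoninteractive'],
        }
        file { '/etc/localtime':
                ensure => 'link',
                target => '/usr/share/zoneinfo/Etc/UTC',
                notify => Exec['dpkg-reconfigure tzdata -pcritical -fnoninteractive'],
        }

        # puppet.conf is readable only by root and the puppet group.
        file { '/etc/puppet/puppet.conf':
                content => template('debian_org/puppet.conf.erb'),
                mode    => '0440',
                group   => 'puppet',
        }
        file { '/etc/default/puppet':
                source => 'puppet:///modules/debian_org/puppet.default',
        }

        # systemd unit handling.  Every unit change triggers a daemon-reload.
        file { '/etc/systemd':
                ensure => directory,
                mode   => '0755',
        }
        file { '/etc/systemd/system':
                ensure => directory,
                mode   => '0755',
        }
        file { '/etc/systemd/system/ud-replicated.service':
                ensure => $servicefiles,
                source => 'puppet:///modules/debian_org/ud-replicated.service',
                notify => Exec['systemctl daemon-reload'],
        }
        if $systemd {
                file { '/etc/systemd/system/multi-user.target.wants/ud-replicated.service':
                        ensure => 'link',
                        target => '../ud-replicated.service',
                        notify => Exec['systemctl daemon-reload'],
                }
        }
        # Linking a unit to /dev/null masks it: the puppet agent is run from
        # cron (see the crontab below), not as a service, and the binfmt_misc
        # automount is not wanted.
        file { '/etc/systemd/system/puppet.service':
                ensure => 'link',
                target => '/dev/null',
                notify => Exec['systemctl daemon-reload'],
        }
        file { '/etc/systemd/system/proc-sys-fs-binfmt_misc.automount':
                ensure => 'link',
                target => '/dev/null',
                notify => Exec['systemctl daemon-reload'],
        }

        # Leftovers from the previous crontab layout.
        file { '/etc/cron.d/dsa-puppet-stuff':
                ensure => 'absent',
        }
        file { '/etc/dsa/cron.ignore.dsa-puppet-stuff':
                ensure => 'absent',
        }

        # The puppet crontab is assembled from fragments so other classes can
        # contribute entries; this class supplies the header and the common jobs.
        concat { '/etc/cron.d/puppet-crontab': }
        concat::fragment { 'puppet-crontab---header':
                target  => '/etc/cron.d/puppet-crontab',
                order   => '000',
                content => @(EOF)
                        ## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
                        SHELL=/bin/bash
                        MAILTO=root
                        PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/lib/nagios/plugins
                        | EOF
        }
        concat::fragment { 'puppet-crontab---all':
                target  => '/etc/cron.d/puppet-crontab',
                order   => '010',
                content => template('debian_org/puppet-crontab.cron.erb'),
                require => Package['debian.org'],
        }

        # LDAP client and PAM session configuration; these templates depend on
        # files shipped by the debian.org package.
        file { '/etc/ldap/ldap.conf':
                require => Package['debian.org'],
                content => template('debian_org/ldap.conf.erb'),
        }
        file { '/etc/pam.d/common-session':
                require => Package['debian.org'],
                content => template('debian_org/pam.common-session.erb'),
        }
        file { '/etc/pam.d/common-session-noninteractive':
                require => Package['debian.org'],
                content => template('debian_org/pam.common-session-noninteractive.erb'),
        }
        file { '/etc/rc.local':
                mode    => '0755',
                content => template('debian_org/rc.local.erb'),
                notify  => Exec['service rc.local restart'],
        }
        file { '/etc/dsa':
                ensure => directory,
                mode   => '0755',
        }
        file { '/etc/dsa/cron.ignore.puppet-crontab':
                source  => 'puppet:///modules/debian_org/puppet-crontab.cron.ignore',
                require => Package['debian.org'],
        }
        file { '/etc/nsswitch.conf':
                mode   => '0444',
                source => 'puppet:///modules/debian_org/nsswitch.conf',
        }

        # Shell environment: idle-session timeout for every login shell, a
        # shared zsh profile, and deliberately empty /etc/environment and
        # /etc/default/locale so no host-local settings leak into sessions.
        file { '/etc/profile.d/timeout.sh':
                mode   => '0555',
                source => 'puppet:///modules/debian_org/etc.profile.d/timeout.sh',
        }
        file { '/etc/zsh':
                ensure => directory,
        }
        file { '/etc/zsh/zprofile':
                mode   => '0444',
                source => 'puppet:///modules/debian_org/etc.zsh/zprofile',
        }
        file { '/etc/environment':
                content => "",
                mode    => '0440',
        }
        file { '/etc/default/locale':
                content => "",
                mode    => '0444',
        }

        # Kernel hardening sysctls.
        #
        # mmap_min_addr used to be pinned to 4096 here to mitigate
        # NULL-pointer-dereference exploits; the entry is now ensured absent,
        # so whatever the kernel/distribution ships as default applies.
        base::sysctl { 'mmap_min_addr':
                ensure => absent,
        }
        # 2: unprivileged users may only profile their own user-space processes.
        base::sysctl { 'perf_event_paranoid':
                key   => 'kernel.perf_event_paranoid',
                value => '2',
        }
        base::sysctl { 'puppet-vfs_cache_pressure':
                key   => 'vm.vfs_cache_pressure',
                value => '10',
        }
        base::alternative { 'editor':
                linkto => '/usr/bin/vim.basic',
        }
        base::alternative { 'view':
                linkto => '/usr/bin/vim.basic',
        }
        mailalias { 'samhain-reports':
                ensure    => present,
                recipient => $samhain_recipients,
                require   => Package['debian.org'],
        }
        mailalias { 'root':
                ensure    => present,
                recipient => $root_mail_alias,
                require   => Package['debian.org'],
        }

        file { '/usr/local/bin/check_for_updates':
                source => 'puppet:///modules/debian_org/check_for_updates',
                mode   => '0755',
                owner  => root,
                group  => root,
        }
        file { '/usr/local/bin/dsa-is-shutdown-scheduled':
                source => 'puppet:///modules/debian_org/dsa-is-shutdown-scheduled',
                mode   => '0555',
        }

        # Refresh-only execs that other resources in this class (and in other
        # classes) notify.  Each one carries an explicit search path so the
        # unqualified commands do not rely on an Exec resource default being
        # declared elsewhere.
        exec { 'dpkg-reconfigure tzdata -pcritical -fnoninteractive':
                path        => '/usr/bin:/usr/sbin:/bin:/sbin',
                refreshonly => true,
        }
        exec { 'service puppetmaster restart':
                path        => '/usr/bin:/usr/sbin:/bin:/sbin',
                refreshonly => true,
        }
        exec { 'service rc.local restart':
                path        => '/usr/bin:/usr/sbin:/bin:/sbin',
                refreshonly => true,
        }
        exec { 'init q':
                path        => '/usr/bin:/usr/sbin:/bin:/sbin',
                refreshonly => true,
        }

        # Guarded by onlyif so sysvinit hosts simply skip them.
        exec { 'systemctl daemon-reload':
                path        => '/usr/bin:/usr/sbin:/bin:/sbin',
                refreshonly => true,
                onlyif      => 'test -x /bin/systemctl',
        }

        exec { 'systemd-tmpfiles --create --exclude-prefix=/dev':
                path        => '/usr/bin:/usr/sbin:/bin:/sbin',
                refreshonly => true,
                onlyif      => 'test -x /bin/systemd-tmpfiles',
        }

        # Keep the agent's filebucket from growing without bound.
        tidy { '/var/lib/puppet/clientbucket/':
                age      => '2w',
                recurse  => 9,
                type     => ctime,
                matches  => [ 'paths', 'contents' ],
                schedule => weekly,
        }

        # root's dotfiles are identical on every host.
        file { '/root/.bashrc':
                source => 'puppet:///modules/debian_org/root-dotfiles/bashrc',
        }
        file { '/root/.profile':
                source => 'puppet:///modules/debian_org/root-dotfiles/profile',
        }
        file { '/root/.selected_editor':
                source => 'puppet:///modules/debian_org/root-dotfiles/selected_editor',
        }
        file { '/root/.screenrc':
                source => 'puppet:///modules/debian_org/root-dotfiles/screenrc',
        }
        file { '/root/.tmux.conf':
                source => 'puppet:///modules/debian_org/root-dotfiles/tmux.conf',
        }
        file { '/root/.vimrc':
                source => 'puppet:///modules/debian_org/root-dotfiles/vimrc',
        }

        # irqbalance: installed on stretch multi-core hosts, purged from buster on.
        if versioncmp($::lsbmajdistrelease, '9') == 0 { # older puppets do facts as strings.
                if $::processorcount > 1 {
                        package { 'irqbalance': ensure => installed }
                }
        } else {
                # 926967 drops the recommendation on irqbalance in Buster
                package { 'irqbalance': ensure => purged }
        }


        # https://www.decadent.org.uk/ben/blog/bpf-security-issues-in-debian.html
        base::sysctl { 'unprivileged_bpf_disabled':
                key   => 'kernel.unprivileged_bpf_disabled',
                value => '1',
        }

        # our ipv6 addresses and routes are statically configured.
        base::sysctl { 'dsa-accept-ra-default':
                key   => 'net.ipv6.conf.default.accept_ra',
                value => 0,
        }
        base::sysctl { 'dsa-accept-ra-all':
                key   => 'net.ipv6.conf.all.accept_ra',
                value => 0,
        }

        # Disable kpartx udev rules: an empty file in rules.d overrides the
        # packaged rules, but only where the package actually ships them.
        file { '/etc/udev/rules.d/60-kpartx.rules':
                ensure  => $has_lib_udev_rules_d_60_kpartx_rules ? { true  => 'present', default => 'absent' },
                content => "",
                mode    => '0444',
        }

        # this is only to avoid warnings, else puppet will complain that we
        # have a symlink there, even if we're not replacing it anyhow.
        # NOTE(review): inline_template() is evaluated on the puppet master, so
        # the seed content is the master's own /etc/ssh/ssh_known_hosts; with
        # replace => 'no' it is only used to create a missing file, and the
        # notify then hands over to ud-replicate.
        if ! $has_etc_ssh_ssh_known_hosts {
                file { '/etc/ssh/ssh_known_hosts':
                        ensure  => 'present',
                        replace => 'no',
                        content => inline_template('<%= open("/etc/ssh/ssh_known_hosts").read() %>'),
                        notify  => Exec['ud-replicate'],
                }
        }

        exec { 'ud-replicate':
                path        => '/usr/bin:/usr/sbin:/bin:/sbin',
                command     => '/usr/bin/ud-replicate',
                refreshonly => true,
                require     => Package['userdir-ldap'],
        }

        # some changes require rebuilding the initramfs.  Have the common exec here.
        exec { 'update-initramfs -u':
                path        => '/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin',
                refreshonly => true,
        }
}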
383 }