debian_org: remove jessie support
1 # == Class: debian_org
2 #
3 # Stuff common to all debian.org servers
4 #
class debian_org {
        # Base configuration applied to every debian.org host: apt setup,
        # package whitelist/blacklist, munin checks, molly-guard hooks,
        # ud-replicated (userdir-ldap) service, UTC timezone, puppet agent
        # config, systemd unit masking, the dsa-puppet-stuff cron file,
        # LDAP/PAM/NSS config, security sysctls, mail aliases and root's
        # dotfiles.  Resources are applied in manifest order unless an
        # explicit require/notify says otherwise.
        include debian_org::apt

        # $servicefiles drives whether the systemd unit files declared
        # further down exist; on non-systemd hosts they are removed.
        if $systemd {
                include dsa_systemd
                $servicefiles = 'present'
        } else {
                $servicefiles = 'absent'
        }

        # virt-what was only needed on jessie for facter's "virtual" fact;
        # jessie support is gone, so purge it everywhere.
        package { 'virt-what': ensure => purged }

        # Recipients for the samhain-reports and root mail aliases below.
        $samhain_recipients = hiera('samhain_recipients')
        $root_mail_alias = hiera('root_mail_alias')

        # Packages we do not want on any debian.org host (legacy syslog
        # daemons, os-prober, apt-listchanges, mlocate).
        package { [
                        'klogd',
                        'sysklogd',
                        'rsyslog',
                        'os-prober',
                        'apt-listchanges',
                        'mlocate',
                ]:
                ensure => purged,
        }
        # DSA-provided packages; tagged extra_repo, presumably so they are
        # ordered after the extra apt source from debian_org::apt — confirm.
        package { [
                        'debian.org',
                        'debian.org-recommended',
                        'dsa-munin-plugins',
                        'userdir-ldap',
                ]:
                ensure => installed,
                tag    => extra_repo,
        }

        # General admin tooling expected on every host.
        package { [
                        'apt-utils',
                        'bash-completion',
                        'dnsutils',
                        'less',
                        'lsb-release',
                        'ruby-filesystem',
                        'mtr-tiny',
                        'nload',
                        'pciutils',
                        'lldpd',
                        'ncurses-term',
                ]:
                ensure => installed,
        }

        # Standard munin node checks enabled on all hosts.
        munin::check { [
                        'cpu',
                        'entropy',
                        'forks',
                        'interrupts',
                        'iostat',
                        'irqstats',
                        'load',
                        'memory',
                        'open_files',
                        'open_inodes',
                        'processes',
                        'swap',
                        'uptime',
                        'vmstat',
                ]:
        }

        # molly-guard guards against accidental reboots/shutdowns; the
        # run.d hooks below are consulted before a reboot may proceed
        # (see molly-guard(8) for the hook contract).
        package { 'molly-guard':
                ensure => installed,
        }
        file { '/etc/molly-guard/run.d/10-check-kvm':
                mode    => '0755',
                source  => 'puppet:///modules/debian_org/molly-guard/10-check-kvm',
                require => Package['molly-guard'],
        }
        file { '/etc/molly-guard/run.d/15-acquire-reboot-lock':
                mode    => '0755',
                source  => 'puppet:///modules/debian_org/molly-guard/15-acquire-reboot-lock',
                require => Package['molly-guard'],
        }

        # sysvinit path: keep ud-replicated -d respawning from /etc/inittab
        # and tell init to re-read it when the entry changes.  On systemd
        # hosts the unit file below is what actually runs it.
        augeas { 'inittab_replicate':
                context => '/files/etc/inittab',
                changes => [
                        'set ud/runlevels 2345',
                        'set ud/action respawn',
                        'set ud/process "/usr/bin/ud-replicated -d"',
                ],
                notify  => Exec['init q'],
        }


        # /etc/facter is fully puppet-managed: anything not declared here
        # (purge + recurse from an empty source) is removed, so only
        # facts.d/debian_facts.yaml survives.
        file { '/etc/facter':
                ensure  => directory,
                purge   => true,
                force   => true,
                recurse => true,
                source  => 'puppet:///files/empty/',
        }
        file { '/etc/facter/facts.d':
                ensure => directory,
        }
        file { '/etc/facter/facts.d/debian_facts.yaml':
                content => template('debian_org/debian_facts.yaml.erb')
        }
        # All hosts run in UTC; tzdata is reconfigured when either file changes.
        file { '/etc/timezone':
                content => "Etc/UTC\n",
                notify => Exec['dpkg-reconfigure tzdata -pcritical -fnoninteractive'],
        }
        file { '/etc/localtime':
                ensure => 'link',
                target => '/usr/share/zoneinfo/Etc/UTC',
                notify => Exec['dpkg-reconfigure tzdata -pcritical -fnoninteractive'],
        }
        # Agent config is readable only by root and the puppet group.
        file { '/etc/puppet/puppet.conf':
                content => template('debian_org/puppet.conf.erb'),
                mode => '0440',
                group => 'puppet',
        }
        file { '/etc/default/puppet':
                source => 'puppet:///modules/debian_org/puppet.default',
        }
        file { '/etc/systemd':
                ensure  => directory,
                mode => '0755',
        }
        file { '/etc/systemd/system':
                ensure  => directory,
                mode => '0755',
        }
        # ud-replicated unit: present only on systemd hosts (see $servicefiles
        # above); the multi-user.target.wants link enables it at boot.
        file { '/etc/systemd/system/ud-replicated.service':
                ensure => $servicefiles,
                source => 'puppet:///modules/debian_org/ud-replicated.service',
                notify => Exec['systemctl daemon-reload'],
        }
        if $systemd {
                file { '/etc/systemd/system/multi-user.target.wants/ud-replicated.service':
                        ensure => 'link',
                        target => '../ud-replicated.service',
                        notify => Exec['systemctl daemon-reload'],
                }
        }
        # Mask the puppet agent daemon (link to /dev/null).  NOTE(review):
        # presumably agent runs come from the dsa-puppet-stuff cron fragment
        # below instead — confirm against the cron template.
        file { '/etc/systemd/system/puppet.service':
                ensure => 'link',
                target => '/dev/null',
                notify => Exec['systemctl daemon-reload'],
        }
        # Mask the binfmt_misc automount unit.
        file { '/etc/systemd/system/proc-sys-fs-binfmt_misc.automount':
                ensure => 'link',
                target => '/dev/null',
                notify => Exec['systemctl daemon-reload'],
        }

        # /etc/cron.d/dsa-puppet-stuff is assembled from fragments: a fixed
        # header (shell, MAILTO=root, PATH incl. nagios plugins) and the
        # templated job list, which depends on the debian.org package.
        concat { '/etc/cron.d/dsa-puppet-stuff': }
        concat::fragment { 'dsa-puppet-stuff---header':
                target => '/etc/cron.d/dsa-puppet-stuff',
                order  => '000',
                content  => @(EOF)
                        ## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
                        SHELL=/bin/bash
                        MAILTO=root
                        PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/lib/nagios/plugins
                        | EOF
        }
        concat::fragment { 'dsa-puppet-stuff---all':
                target => '/etc/cron.d/dsa-puppet-stuff',
                order  => '010',
                content => template('debian_org/dsa-puppet-stuff.cron.erb'),
                require => Package['debian.org'],
        }
        # LDAP client and PAM session config; both require the debian.org
        # package to be installed first.
        file { '/etc/ldap/ldap.conf':
                require => Package['debian.org'],
                content  => template('debian_org/ldap.conf.erb'),
        }
        file { '/etc/pam.d/common-session':
                require => Package['debian.org'],
                content => template('debian_org/pam.common-session.erb'),
        }
        file { '/etc/pam.d/common-session-noninteractive':
                require => Package['debian.org'],
                content => template('debian_org/pam.common-session-noninteractive.erb'),
        }
        file { '/etc/rc.local':
                mode   => '0755',
                content => template('debian_org/rc.local.erb'),
                notify => Exec['service rc.local restart'],
        }
        file { '/etc/dsa':
                ensure => directory,
                mode   => '0755',
        }
        file { '/etc/dsa/cron.ignore.dsa-puppet-stuff':
                source  => 'puppet:///modules/debian_org/dsa-puppet-stuff.cron.ignore',
                require => Package['debian.org']
        }
        # Name-service switch order is fixed by a static file, world-readable.
        file { '/etc/nsswitch.conf':
                mode   => '0444',
                source => 'puppet:///modules/debian_org/nsswitch.conf',
        }

        # Shell profile snippets for all users.
        file { '/etc/profile.d/timeout.sh':
                mode   => '0555',
                source => 'puppet:///modules/debian_org/etc.profile.d/timeout.sh',
        }
        file { '/etc/zsh':
                ensure => directory,
        }
        file { '/etc/zsh/zprofile':
                mode   => '0444',
                source => 'puppet:///modules/debian_org/etc.zsh/zprofile',
        }
        # Both files are kept deliberately empty so nothing outside puppet
        # can inject environment/locale settings into logins.
        file { '/etc/environment':
                content => "",
                mode => '0440',
        }
        file { '/etc/default/locale':
                content => "",
                mode => '0444',
        }

        # mmap_min_addr is no longer overridden here: ensure => absent drops
        # any entry this module used to manage, so the kernel/distro default
        # applies.  (The old comment about forcing 4096 was stale.)
        base::sysctl { 'mmap_min_addr':
                ensure => absent
        }
        # perf_event_paranoid=2: unprivileged users may only profile their
        # own user-space processes (see Documentation/admin-guide/sysctl/kernel.rst).
        base::sysctl { 'perf_event_paranoid':
                key   => 'kernel.perf_event_paranoid',
                value => '2',
        }
        # Prefer keeping dentry/inode caches over page cache.
        base::sysctl { 'puppet-vfs_cache_pressure':
                key   => 'vm.vfs_cache_pressure',
                value => '10',
        }
        base::alternative { 'editor':
                linkto => '/usr/bin/vim.basic',
        }
        base::alternative { 'view':
                linkto => '/usr/bin/vim.basic',
        }
        # Mail aliases fed from hiera (looked up at the top of the class).
        mailalias { 'samhain-reports':
                ensure    => present,
                recipient => $samhain_recipients,
                require   => Package['debian.org']
        }
        mailalias { 'root':
                ensure    => present,
                recipient => $root_mail_alias,
                require   => Package['debian.org']
        }

        # Helper scripts shipped by this module.
        file { '/usr/local/bin/check_for_updates':
                source => 'puppet:///modules/debian_org/check_for_updates',
                mode   => '0755',
                owner  => root,
                group  => root,
        }
        file { '/usr/local/bin/dsa-is-shutdown-scheduled':
                source  => 'puppet:///modules/debian_org/dsa-is-shutdown-scheduled',
                mode    => '0555',
        }

        # Refresh-only execs that the resources above notify.  Only the
        # tzdata one sets its own path; the others rely on whatever Exec
        # default path is set elsewhere (not visible in this file).
        exec { 'dpkg-reconfigure tzdata -pcritical -fnoninteractive':
                path        => '/usr/bin:/usr/sbin:/bin:/sbin',
                refreshonly => true
        }
        exec { 'service puppetmaster restart':
                refreshonly => true
        }
        exec { 'service rc.local restart':
                refreshonly => true
        }
        exec { 'init q':
                refreshonly => true
        }

        # Guarded so they are no-ops on hosts without systemd binaries.
        exec { 'systemctl daemon-reload':
                refreshonly => true,
                onlyif  => "test -x /bin/systemctl"
        }

        exec { 'systemd-tmpfiles --create --exclude-prefix=/dev':
                refreshonly => true,
                onlyif  => "test -x /bin/systemd-tmpfiles"
        }

        # The clientbucket keeps backup copies of files puppet replaced
        # (which may include sensitive config); prune anything older than
        # two weeks (by ctime), checked weekly.
        tidy { '/var/lib/puppet/clientbucket/':
                age      => '2w',
                recurse  => 9,
                type     => ctime,
                matches  => [ 'paths', 'contents' ],
                schedule => weekly
        }

        # root's dotfiles are fully managed from the module.
        file { '/root/.bashrc':
                source => 'puppet:///modules/debian_org/root-dotfiles/bashrc',
        }
        file { '/root/.profile':
                source => 'puppet:///modules/debian_org/root-dotfiles/profile',
        }
        file { '/root/.selected_editor':
                source => 'puppet:///modules/debian_org/root-dotfiles/selected_editor',
        }
        file { '/root/.screenrc':
                source => 'puppet:///modules/debian_org/root-dotfiles/screenrc',
        }
        file { '/root/.tmux.conf':
                source => 'puppet:///modules/debian_org/root-dotfiles/tmux.conf',
        }
        file { '/root/.vimrc':
                source => 'puppet:///modules/debian_org/root-dotfiles/vimrc',
        }

        # irqbalance: installed on stretch (release 9) multi-CPU hosts only;
        # purged on anything newer, where it is no longer recommended.
        if versioncmp($::lsbmajdistrelease, '9') == 0 { # older puppets do facts as strings.
                if $::processorcount > 1 {
                        package { 'irqbalance': ensure => installed }
                }
        } else {
                # 926967 drops the recommendation on irqbalance in Buster
                package { 'irqbalance': ensure => purged }
        }


        # Disable the unprivileged bpf() syscall; see
        # https://www.decadent.org.uk/ben/blog/bpf-security-issues-in-debian.html
        base::sysctl { 'unprivileged_bpf_disabled':
                key   => 'kernel.unprivileged_bpf_disabled',
                value => '1',
        }

        # Disable kpartx udev rules by shadowing /lib/udev/rules.d/60-kpartx.rules
        # with an empty file in /etc; only done where that file exists (fact).
        file { '/etc/udev/rules.d/60-kpartx.rules':
                ensure => $has_lib_udev_rules_d_60_kpartx_rules ? { true  => 'present', default => 'absent' },
                content => "",
                mode => '0444',
        }

        # this is only to avoid warnings, else puppet will complain that we
        # have a symlink there, even if we're not replacing it anyhow.
        # NOTE(review): inline_template is evaluated on the puppet master, so
        # a client lacking ssh_known_hosts is seeded with the *master's* copy
        # (replace => 'no' means only when the file is missing); ud-replicate
        # is then triggered to regenerate it.  Confirm that is the intent.
        if ! $has_etc_ssh_ssh_known_hosts {
                file { '/etc/ssh/ssh_known_hosts':
                        ensure  => 'present',
                        replace => 'no',
                        content => inline_template('<%= open("/etc/ssh/ssh_known_hosts").read() %>'),
                        notify  => Exec['ud-replicate'],
                }
        }

        # Re-sync from userdir-ldap; refresh-only, triggered by the
        # known_hosts seeding above.
        exec { 'ud-replicate':
                path => '/usr/bin:/usr/sbin:/bin:/sbin',
                command => '/usr/bin/ud-replicate',
                refreshonly => true,
                require => Package['userdir-ldap']
        }

        # some changes require rebuilding the initramfs.  Have the common exec here.
        exec { 'update-initramfs -u':
                path        => '/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin',
                refreshonly => true;
        }
}
365         }
366 }