3 # Stuff common to all debian.org servers
6 include debian_org::apt
10 $servicefiles = 'present'
12 $servicefiles = 'absent'
15 # the virtual facter needs virt-what on jessie to work
16 if versioncmp($::lsbmajdistrelease, '9') < 0 {
17 package { 'virt-what': ensure => installed }
19 package { 'virt-what': ensure => purged }
22 $samhain_recipients = hiera('samhain_recipients')
23 $root_mail_alias = hiera('root_mail_alias')
37 'debian.org-recommended',
44 file { '/etc/ssh/ssh_known_hosts':
48 source => 'puppet:///modules/debian_org/basic-ssh_known_hosts'
51 if versioncmp($::lsbmajdistrelease, '8') >= 0 {
52 $rubyfs_package = 'ruby-filesystem'
54 $rubyfs_package = 'libfilesystem-ruby1.9'
89 if getfromhash($site::nodeinfo, 'broken-rtc') {
90 package { 'fake-hwclock':
96 package { 'molly-guard':
99 file { '/etc/molly-guard/run.d/10-check-kvm':
101 source => 'puppet:///modules/debian_org/molly-guard/10-check-kvm',
102 require => Package['molly-guard'],
104 file { '/etc/molly-guard/run.d/15-acquire-reboot-lock':
106 source => 'puppet:///modules/debian_org/molly-guard/15-acquire-reboot-lock',
107 require => Package['molly-guard'],
110 augeas { 'inittab_replicate':
111 context => '/files/etc/inittab',
113 'set ud/runlevels 2345',
114 'set ud/action respawn',
115 'set ud/process "/usr/bin/ud-replicated -d"',
117 notify => Exec['init q'],
121 file { '/etc/facter':
126 source => 'puppet:///files/empty/',
128 file { '/etc/facter/facts.d':
131 file { '/etc/facter/facts.d/debian_facts.yaml':
132 content => template('debian_org/debian_facts.yaml.erb')
134 file { '/etc/timezone':
135 source => 'puppet:///modules/debian_org/timezone',
136 notify => Exec['dpkg-reconfigure tzdata -pcritical -fnoninteractive'],
138 if $::hostname == handel {
139 include puppetmaster::db
140 $dbpassword = $puppetmaster::db::password
142 file { '/etc/puppet/puppet.conf':
143 content => template('debian_org/puppet.conf.erb'),
147 file { '/etc/default/puppet':
148 source => 'puppet:///modules/debian_org/puppet.default',
150 file { '/etc/systemd':
154 file { '/etc/systemd/system':
158 file { '/etc/systemd/system/ud-replicated.service':
159 ensure => $servicefiles,
160 source => 'puppet:///modules/debian_org/ud-replicated.service',
161 notify => Exec['systemctl daemon-reload'],
164 file { '/etc/systemd/system/multi-user.target.wants/ud-replicated.service':
166 target => '../ud-replicated.service',
167 notify => Exec['systemctl daemon-reload'],
170 file { '/etc/systemd/system/puppet.service':
172 target => '/dev/null',
173 notify => Exec['systemctl daemon-reload'],
175 file { '/etc/systemd/system/proc-sys-fs-binfmt_misc.automount':
177 target => '/dev/null',
178 notify => Exec['systemctl daemon-reload'],
181 concat { '/etc/cron.d/dsa-puppet-stuff': }
182 concat::fragment { 'dsa-puppet-stuff---header':
183 target => '/etc/cron.d/dsa-puppet-stuff',
186 ## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
189 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/lib/nagios/plugins
192 concat::fragment { 'dsa-puppet-stuff---all':
193 target => '/etc/cron.d/dsa-puppet-stuff',
195 content => template('debian_org/dsa-puppet-stuff.cron.erb'),
196 require => Package['debian.org'],
198 file { '/etc/ldap/ldap.conf':
199 require => Package['debian.org'],
200 content => template('debian_org/ldap.conf.erb'),
202 file { '/etc/pam.d/common-session':
203 require => Package['debian.org'],
204 content => template('debian_org/pam.common-session.erb'),
206 file { '/etc/pam.d/common-session-noninteractive':
207 require => Package['debian.org'],
208 content => template('debian_org/pam.common-session-noninteractive.erb'),
210 file { '/etc/rc.local':
212 content => template('debian_org/rc.local.erb'),
213 notify => Exec['service rc.local restart'],
219 file { '/etc/dsa/cron.ignore.dsa-puppet-stuff':
220 source => 'puppet:///modules/debian_org/dsa-puppet-stuff.cron.ignore',
221 require => Package['debian.org']
223 file { '/etc/nsswitch.conf':
225 source => 'puppet:///modules/debian_org/nsswitch.conf',
228 file { '/etc/profile.d/timeout.sh':
230 source => 'puppet:///modules/debian_org/etc.profile.d/timeout.sh',
235 file { '/etc/zsh/zprofile':
237 source => 'puppet:///modules/debian_org/etc.zsh/zprofile',
239 file { '/etc/environment':
243 file { '/etc/default/locale':
248 # set mmap_min_addr to 4096 to mitigate
249 # Linux NULL-pointer dereference exploits
250 site::sysctl { 'mmap_min_addr':
253 site::sysctl { 'perf_event_paranoid':
254 key => 'kernel.perf_event_paranoid',
257 site::sysctl { 'puppet-vfs_cache_pressure':
258 key => 'vm.vfs_cache_pressure',
261 site::alternative { 'editor':
262 linkto => '/usr/bin/vim.basic',
264 site::alternative { 'view':
265 linkto => '/usr/bin/vim.basic',
267 mailalias { 'samhain-reports':
269 recipient => $samhain_recipients,
270 require => Package['debian.org']
274 recipient => $root_mail_alias,
275 require => Package['debian.org']
278 file { '/usr/local/bin/check_for_updates':
279 source => 'puppet:///modules/debian_org/check_for_updates',
284 file { '/usr/local/bin/dsa-is-shutdown-scheduled':
285 source => 'puppet:///modules/debian_org/dsa-is-shutdown-scheduled',
289 exec { 'dpkg-reconfigure tzdata -pcritical -fnoninteractive':
290 path => '/usr/bin:/usr/sbin:/bin:/sbin',
293 exec { 'service puppetmaster restart':
296 exec { 'service rc.local restart':
303 exec { 'systemctl daemon-reload':
305 onlyif => "test -x /bin/systemctl"
308 exec { 'systemd-tmpfiles --create --exclude-prefix=/dev':
310 onlyif => "test -x /bin/systemd-tmpfiles"
313 tidy { '/var/lib/puppet/clientbucket/':
317 matches => [ 'paths', 'contents' ],
321 file { '/root/.bashrc':
322 source => 'puppet:///modules/debian_org/root-dotfiles/bashrc',
324 file { '/root/.profile':
325 source => 'puppet:///modules/debian_org/root-dotfiles/profile',
327 file { '/root/.selected_editor':
328 source => 'puppet:///modules/debian_org/root-dotfiles/selected_editor',
330 file { '/root/.screenrc':
331 source => 'puppet:///modules/debian_org/root-dotfiles/screenrc',
333 file { '/root/.tmux.conf':
334 source => 'puppet:///modules/debian_org/root-dotfiles/tmux.conf',
336 file { '/root/.vimrc':
337 source => 'puppet:///modules/debian_org/root-dotfiles/vimrc',
340 if versioncmp($::lsbmajdistrelease, '9') >= 0 { # older puppets do facts as strings.
341 if $::processorcount > 1 {
342 package { 'irqbalance': ensure => installed }
347 # https://www.decadent.org.uk/ben/blog/bpf-security-issues-in-debian.html
348 site::sysctl { 'unprivileged_bpf_disabled':
349 key => 'kernel.unprivileged_bpf_disabled',
353 # Disable kpartx udev rules
354 file { '/etc/udev/rules.d/60-kpartx.rules':
355 ensure => $has_lib_udev_rules_d_60_kpartx_rules ? { true => 'present', default => 'absent' },
projects / mirror / dsa-puppet.git / blob