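# == Class: debian-org
#
# Stuff common to all debian.org servers: baseline packages, apt sources
# and keyring handling, munin checks, molly-guard hooks, puppet/facter
# configuration, the ud-replicated service, a few sysctl/alternatives
# settings and root's dotfiles.
#
class debian-org {
	# Debian mirror: the per-hoster value from nodeinfo when one is
	# configured, otherwise the public ftp.debian.org mirror.
	if getfromhash($site::nodeinfo, 'hoster', 'mirror-debian') {
		$mirror = getfromhash($site::nodeinfo, 'hoster', 'mirror-debian')
	} else {
		$mirror = 'http://ftp.debian.org/debian/'
	}
	# Releases older than 7 fetch backports from the separate
	# backports.debian.org host; newer ones use the main mirror.
	if $::lsbmajdistrelease < 7 {
		$mirror_backports = 'http://backports.debian.org/debian-backports/'
	} else {
		$mirror_backports = $mirror
	}

	# systemd unit files are only deployed where $systemd is set and are
	# removed elsewhere.  ($systemd is looked up unqualified -- presumably
	# a fact; confirm where it is defined.)
	if $systemd {
		$servicefiles = 'present'
	} else {
		$servicefiles = 'absent'
	}

	# Recipients of the samhain-reports mail alias declared further down.
	$debianadmin = [
		'debian-archive-debian-samhain-reports@master.debian.org',
		'debian-admin@ftbfs.de',
		'weasel@debian.org',
		'steve@lobefin.net',
		'paravoid@debian.org',
		'zumbi@kos.to',
	]

	# Packages that must not be present on any debian.org host.
	package { [
			'klogd',
			'sysklogd',
			'rsyslog',
			'os-prober',
			'apt-listchanges',
		]:
		ensure => purged,
	}
	# Packages from the db.debian.org repository; the extra_repo tag makes
	# them wait for the 'apt-get update' exec below.
	package { [
			'debian.org',
			'dsa-munin-plugins',
		]:
		ensure => installed,
		tag    => extra_repo,
	}
	# Seed only: replace => false means an existing file is left untouched,
	# so later changes to the module source do not propagate to hosts that
	# already have one.
	file { '/etc/ssh/ssh_known_hosts':
		ensure  => present,
		replace => false,
		mode    => '0644',
		source  => 'puppet:///modules/debian-org/basic-ssh_known_hosts',
	}

	# Baseline tool set.
	package { [
			'apt-utils',
			'bash-completion',
			'dnsutils',
			'less',
			'lsb-release',
			'libfilesystem-ruby1.8',
			'mtr-tiny',
			'nload',
			'pciutils',
		]:
		ensure => installed,
	}

	# The ruby filesystem binding is packaged under a different name per
	# release.
	if $::lsbmajdistrelease == 7 {
		package { 'libfilesystem-ruby1.9.1':
			ensure => installed,
		}
	} elsif $::lsbmajdistrelease >= 8 {
		package { 'ruby-filesystem':
			ensure => installed,
		}
	}

	# Standard munin plugins enabled everywhere.
	munin::check { [
			'cpu',
			'entropy',
			'forks',
			'interrupts',
			'iostat',
			'irqstats',
			'load',
			'memory',
			'ntp_offset',
			'ntp_states',
			'open_files',
			'open_inodes',
			'processes',
			'swap',
			'uptime',
			'vmstat',
		]:
	}

	# Hosts flagged in nodeinfo as having an unreliable RTC get fake-hwclock.
	if getfromhash($site::nodeinfo, 'broken-rtc') {
		package { 'fake-hwclock':
			ensure => installed,
			tag    => extra_repo,
		}
	}

	# molly-guard plus two local run.d hooks (both need the package's
	# run.d directory to exist first).
	package { 'molly-guard':
		ensure => installed,
	}
	file { '/etc/molly-guard/run.d/10-check-kvm':
		mode    => '0755',
		source  => 'puppet:///modules/debian-org/molly-guard/10-check-kvm',
		require => Package['molly-guard'],
	}
	file { '/etc/molly-guard/run.d/15-acquire-reboot-lock':
		mode    => '0755',
		source  => 'puppet:///modules/debian-org/molly-guard/15-acquire-reboot-lock',
		require => Package['molly-guard'],
	}

	# Remove the old trusted-keys.d directory recursively (force => true is
	# needed for a non-empty directory).
	file { '/etc/apt/trusted-keys.d':
		ensure => absent,
		force  => true,
	}

	# The legacy apt keyring is kept empty (content "") and root-only;
	# presumably so that only keys shipped per-repository (see the 'key'
	# parameter of site::aptrepo) are trusted -- confirm against site::aptrepo.
	file { '/etc/apt/trusted.gpg':
		mode    => '0600',
		content => "",
	}

	# apt sources.  Component lists are the same for all Debian suites.
	site::aptrepo { 'security':
		url        => 'http://security.debian.org/',
		suite      => "${::lsbdistcodename}/updates",
		components => ['main','contrib','non-free'],
	}
	# LTS suite only exists for releases older than 7; drop it elsewhere.
	if $::lsbmajdistrelease < 7 {
		site::aptrepo { 'debian-lts':
			url        => $mirror,
			suite      => "${::lsbdistcodename}-lts",
			components => ['main','contrib','non-free'],
		}
	} else {
		site::aptrepo { 'debian-lts':
			ensure => absent,
		}
	}

	site::aptrepo { 'backports.debian.org':
		url        => $mirror_backports,
		suite      => "${::lsbdistcodename}-backports",
		components => ['main','contrib','non-free'],
	}

	site::aptrepo { 'volatile':
		url        => $mirror,
		suite      => "${::lsbdistcodename}-updates",
		components => ['main','contrib','non-free'],
	}

	# proposed-updates is currently disabled everywhere; the per-host
	# selection below is kept for reference.
	#if ($::hostname in [ball, corelli, eysler, lucatelli, mayer, mayr, pettersson]) or
	#   ($::hoster and ($::hoster in [bytemark, man-da, brown])) {
	#	site::aptrepo { 'proposed-updates':
	#		url        => $mirror,
	#		suite      => "${::lsbdistcodename}-proposed-updates",
	#		components => ['main','contrib','non-free']
	#	}
	#} else {
		site::aptrepo { 'proposed-updates':
			ensure => absent,
		}
	#}

	# Superseded by the two db.debian.org entries below.
	site::aptrepo { 'debian.org':
		ensure => absent,
	}

	# DSA's own repository: a release-independent 'debian-all' suite (which
	# also carries the signing key) and a per-codename suite.
	site::aptrepo { 'db.debian.org':
		url        => 'http://db.debian.org/debian-admin',
		suite      => 'debian-all',
		components => 'main',
		key        => 'puppet:///modules/debian-org/db.debian.org.gpg',
	}
	site::aptrepo { 'db.debian.org-suite':
		url        => 'http://db.debian.org/debian-admin',
		suite      => $::lsbdistcodename,
		components => 'main',
	}

	# sysvinit hosts: run ud-replicated under init's respawn supervision.
	# 'init q' makes init re-read /etc/inittab after a change.
	augeas { 'inittab_replicate':
		context => '/files/etc/inittab',
		changes => [
			'set ud/runlevels 2345',
			'set ud/action respawn',
			'set ud/process "/usr/bin/ud-replicated -d"',
		],
		notify  => Exec['init q'],
	}

	# Main Debian suite from the hoster's mirror, only where nodeinfo
	# names one.
	if getfromhash($site::nodeinfo, 'hoster', 'mirror-debian') {
		site::aptrepo { 'debian':
			url        => getfromhash($site::nodeinfo, 'hoster', 'mirror-debian'),
			suite      => $::lsbdistcodename,
			components => ['main','contrib','non-free'],
		}
	}

	# /etc/facter is fully managed: purge/recurse/force against an empty
	# source removes anything under it that puppet does not declare, so
	# only facts.d/debian_facts.yaml below survives.
	file { '/etc/facter':
		ensure  => directory,
		purge   => true,
		force   => true,
		recurse => true,
		source  => 'puppet:///files/empty/',
	}
	file { '/etc/facter/facts.d':
		ensure => directory,
	}
	file { '/etc/facter/facts.d/debian_facts.yaml':
		content => template('debian-org/debian_facts.yaml.erb'),
	}
	# apt pinning and behaviour tweaks shipped from the module.
	file { '/etc/apt/preferences':
		source => 'puppet:///modules/debian-org/apt.preferences',
	}
	file { '/etc/apt/apt.conf.d/local-compression':
		source => 'puppet:///modules/debian-org/apt.conf.d/local-compression',
	}
	file { '/etc/apt/apt.conf.d/local-recommends':
		source => 'puppet:///modules/debian-org/apt.conf.d/local-recommends',
	}
	file { '/etc/apt/apt.conf.d/local-pdiffs':
		source => 'puppet:///modules/debian-org/apt.conf.d/local-pdiffs',
	}
	# A timezone change must be followed by dpkg-reconfigure to rebuild
	# /etc/localtime.
	file { '/etc/timezone':
		source => 'puppet:///modules/debian-org/timezone',
		notify => Exec['dpkg-reconfigure tzdata -pcritical -fnoninteractive'],
	}
	# Only the puppetmaster (handel) gets the DB password; presumably
	# consumed by puppet.conf.erb below -- verify against the template.
	if $::hostname == 'handel' {
		include puppetmaster::db
		$dbpassword = $puppetmaster::db::password
	}
	file { '/etc/puppet/puppet.conf':
		content => template('debian-org/puppet.conf.erb'),
	}
	file { '/etc/default/puppet':
		source => 'puppet:///modules/debian-org/puppet.default',
	}
	# Modes are quoted strings like every other mode in this file; newer
	# Puppet versions reject a bare numeric mode.
	file { '/etc/systemd':
		ensure => directory,
		mode   => '0755',
	}
	file { '/etc/systemd/system':
		ensure => directory,
		mode   => '0755',
	}
	# ud-replicated unit: present only on systemd hosts ($servicefiles),
	# and enabled there via the multi-user.target.wants symlink.  Any
	# change to unit files triggers a daemon-reload.
	file { '/etc/systemd/system/ud-replicated.service':
		ensure => $servicefiles,
		source => 'puppet:///modules/debian-org/ud-replicated.service',
		notify => Exec['systemctl daemon-reload'],
	}
	if $systemd {
		file { '/etc/systemd/system/multi-user.target.wants/ud-replicated.service':
			ensure => 'link',
			target => '../ud-replicated.service',
			notify => Exec['systemctl daemon-reload'],
		}
	}
	# Symlink to /dev/null masks the packaged puppet agent unit, so the
	# agent is not started as a service by systemd.
	file { '/etc/systemd/system/puppet.service':
		ensure => 'link',
		target => '/dev/null',
		notify => Exec['systemctl daemon-reload'],
	}

	# Files that rely on the debian.org package being installed first.
	file { '/etc/cron.d/dsa-puppet-stuff':
		content => template('debian-org/dsa-puppet-stuff.cron.erb'),
		require => Package['debian.org'],
	}
	file { '/etc/ldap/ldap.conf':
		require => Package['debian.org'],
		source  => 'puppet:///modules/debian-org/ldap.conf',
	}
	file { '/etc/pam.d/common-session':
		require => Package['debian.org'],
		content => template('debian-org/pam.common-session.erb'),
	}
	file { '/etc/pam.d/common-session-noninteractive':
		require => Package['debian.org'],
		content => template('debian-org/pam.common-session-noninteractive.erb'),
	}
	file { '/etc/rc.local':
		mode   => '0755',
		source => 'puppet:///modules/debian-org/rc.local',
		notify => Exec['service rc.local start'],
	}
	file { '/etc/dsa':
		ensure => directory,
		mode   => '0755',
	}
	file { '/etc/dsa/cron.ignore.dsa-puppet-stuff':
		source  => 'puppet:///modules/debian-org/dsa-puppet-stuff.cron.ignore',
		require => Package['debian.org'],
	}
	# NOTE(review): mode 0755 on a plain configuration file looks unintended
	# (the executable bits serve no purpose here); confirm whether 0644 was
	# meant before changing it.
	file { '/etc/nsswitch.conf':
		mode   => '0755',
		source => 'puppet:///modules/debian-org/nsswitch.conf',
	}

	# The mmap_min_addr override is no longer managed here: ensure => absent
	# removes any sysctl entry this class previously set for it.  (An older
	# comment about setting it to 4096 against NULL-pointer dereference
	# exploits predated that change and no longer described the code.)
	site::sysctl { 'mmap_min_addr':
		ensure => absent,
	}
	# kernel.perf_event_paranoid=2 tightens unprivileged access to perf
	# events.
	site::sysctl { 'perf_event_paranoid':
		key   => 'kernel.perf_event_paranoid',
		value => '2',
	}
	site::alternative { 'editor':
		linkto => '/usr/bin/vim.basic',
	}
	site::alternative { 'view':
		linkto => '/usr/bin/vim.basic',
	}
	mailalias { 'samhain-reports':
		ensure    => present,
		recipient => $debianadmin,
		require   => Package['debian.org'],
	}

	# 'apt-get update' runs only when check_for_updates says so, and must
	# precede installation of any package tagged extra_repo.
	file { '/usr/local/bin/check_for_updates':
		source => 'puppet:///modules/debian-org/check_for_updates',
		mode   => '0755',
		owner  => root,
		group  => root,
	}

	exec { 'apt-get update':
		path    => '/usr/bin:/usr/sbin:/bin:/sbin',
		onlyif  => '/usr/local/bin/check_for_updates',
		require => File['/usr/local/bin/check_for_updates'],
	}
	Exec['apt-get update']->Package<| tag == extra_repo |>

	# Refresh-only helpers triggered by notify relationships above.
	exec { 'dpkg-reconfigure tzdata -pcritical -fnoninteractive':
		path        => '/usr/bin:/usr/sbin:/bin:/sbin',
		refreshonly => true,
	}
	exec { 'service puppetmaster restart':
		refreshonly => true,
	}
	exec { 'service rc.local start':
		refreshonly => true,
	}
	exec { 'init q':
		refreshonly => true,
	}

	# Skipped on hosts without systemctl.
	exec { 'systemctl daemon-reload':
		refreshonly => true,
		onlyif      => "test -x /bin/systemctl",
	}

	# Weekly cleanup of puppet's local filebucket: drop entries older than
	# two weeks (by ctime).
	tidy { '/var/lib/puppet/clientbucket/':
		age      => '2w',
		recurse  => 9,
		type     => ctime,
		matches  => [ 'paths', 'contents' ],
		schedule => weekly,
	}

	# root's dotfiles.
	file { '/root/.bashrc':
		source => 'puppet:///modules/debian-org/root-dotfiles/bashrc',
	}
	file { '/root/.profile':
		source => 'puppet:///modules/debian-org/root-dotfiles/profile',
	}
	file { '/root/.screenrc':
		source => 'puppet:///modules/debian-org/root-dotfiles/screenrc',
	}
	file { '/root/.vimrc':
		source => 'puppet:///modules/debian-org/root-dotfiles/vimrc',
	}
}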
379 }