# == Class: debian-org
#
# Stuff common to all debian.org servers: apt sources and archive-keyring
# hygiene, the base package set, munin checks, puppet/systemd/ud-replicated
# wiring and a couple of kernel hardening sysctls.
#
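class debian-org {
	# Pick the Debian mirror: a hoster-specific one when nodeinfo provides it,
	# otherwise the canonical ftp.debian.org.  Every archive URL in this class
	# is plain http, so archive integrity rests entirely on apt's signature
	# checks -- which is why the keyring handling further down matters.
	if getfromhash($site::nodeinfo, 'hoster', 'mirror-debian') {
		$mirror = getfromhash($site::nodeinfo, 'hoster', 'mirror-debian')
	} else {
		$mirror = 'http://ftp.debian.org/debian/'
	}
	# Before wheezy (7) backports were served from their own host; since then
	# they are part of the main archive and thus available from $mirror.
	if $::lsbmajdistrelease < 7 {
		$mirror_backports = 'http://backports.debian.org/debian-backports/'
	} else {
		$mirror_backports = $mirror
	}

	# $systemd is not defined in this class (presumably a fact or a site-level
	# variable); it decides whether the unit files below are present or absent.
	if $systemd {
		include systemd
		$servicefiles = 'present'
	} else {
		$servicefiles = 'absent'
	}

	# Recipients of the samhain (host integrity checker) reports, see the
	# 'samhain-reports' mailalias near the end of this class.
	$debianadmin = [
		'debian-archive-debian-samhain-reports@master.debian.org',
		'debian-admin@ftbfs.de',
		'weasel@debian.org',
		'steve@lobefin.net',
		'paravoid@debian.org',
		'zumbi@kos.to'
	]

	# Packages that must not be on a debian.org host.  The classic syslog
	# daemons are purged; logging is presumably provided by another module
	# (verify before relying on this).
	package { [
			'klogd',
			'sysklogd',
			'rsyslog',
			'os-prober',
			'apt-listchanges',
		]:
		ensure => purged,
	}
	# DSA's own packages.  They come from the db.debian.org repository declared
	# below, hence the extra_repo tag: installation is ordered after
	# Exec['apt-get update'] (see the chain at the bottom of this class).
	package { [
			'debian.org',
			'dsa-munin-plugins',
		]:
		ensure => installed,
		tag    => extra_repo,
	}
	# Seed a system-wide known_hosts file once.  replace => false means puppet
	# only creates it; host keys added locally later are never overwritten.
	file { '/etc/ssh/ssh_known_hosts':
		ensure  => present,
		replace => false,
		mode    => '0644',
		source  => 'puppet:///modules/debian-org/basic-ssh_known_hosts'
	}

	# Baseline tooling present on every host.
	package { [
			'apt-utils',
			'bash-completion',
			'dnsutils',
			'less',
			'lsb-release',
			'libfilesystem-ruby1.8',
			'mtr-tiny',
			'nload',
			'pciutils',
		]:
		ensure => installed,
	}

	# The ruby filesystem binding was renamed across releases; pick the one
	# that exists for this host's Debian major version.
	if $::lsbmajdistrelease == 7 {
		package { 'libfilesystem-ruby1.9.1':
			ensure => installed,
		}
	} elsif $::lsbmajdistrelease >= 8 {
		package { 'ruby-filesystem':
			ensure => installed,
		}
	}

	# Standard munin plugins enabled on every host.
	munin::check { [
			'cpu',
			'entropy',
			'forks',
			'interrupts',
			'iostat',
			'irqstats',
			'load',
			'memory',
			'ntp_offset',
			'ntp_states',
			'open_files',
			'open_inodes',
			'processes',
			'swap',
			'uptime',
			'vmstat',
		]:
	}

	# Hosts flagged in nodeinfo as having a broken RTC get fake-hwclock so
	# the clock does not go backwards across reboots.
	if getfromhash($site::nodeinfo, 'broken-rtc') {
		package { 'fake-hwclock':
			ensure => installed,
			tag    => extra_repo,
		}
	}

	# molly-guard asks for confirmation before reboot/halt over ssh; the two
	# run.d hooks add DSA-specific checks.
	package { 'molly-guard':
		ensure => installed,
	}
	file { '/etc/molly-guard/run.d/10-check-kvm':
		mode    => '0755',
		source  => 'puppet:///modules/debian-org/molly-guard/10-check-kvm',
		require => Package['molly-guard'],
	}
	file { '/etc/molly-guard/run.d/15-acquire-reboot-lock':
		mode    => '0755',
		source  => 'puppet:///modules/debian-org/molly-guard/15-acquire-reboot-lock',
		require => Package['molly-guard'],
	}

	# Archive keyring hygiene.  The old per-key directory is removed outright,
	# and the legacy combined keyring /etc/apt/trusted.gpg is kept empty (and
	# mode 0600) so no stray or leftover key in it can vouch for a repository.
	# Trusted keys are expected to come only from /etc/apt/trusted.gpg.d/
	# (the distribution keyring and the 'key' parameter of site::aptrepo) --
	# verify against the site::aptrepo definition.
	file { '/etc/apt/trusted-keys.d':
		ensure => absent,
		force  => true,
	}

	file { '/etc/apt/trusted.gpg':
		mode    => '0600',
		content => "",
	}

	# apt sources.  'security' and 'volatile' (-updates) are unconditional;
	# the LTS suite only exists for releases before wheezy and is removed
	# elsewhere so a host does not keep a stale sources entry after upgrade.
	site::aptrepo { 'security':
		url        => 'http://security.debian.org/',
		suite      => "${::lsbdistcodename}/updates",
		components => ['main','contrib','non-free']
	}
	if $::lsbmajdistrelease < 7 {
		site::aptrepo { 'debian-lts':
			url        => $mirror,
			suite      => "${::lsbdistcodename}-lts",
			components => ['main','contrib','non-free']
		}
	} else {
		site::aptrepo { 'debian-lts':
			ensure => absent,
		}
	}

	site::aptrepo { 'backports.debian.org':
		url        => $mirror_backports,
		suite      => "${::lsbdistcodename}-backports",
		components => ['main','contrib','non-free']
	}

	site::aptrepo { 'volatile':
		url        => $mirror,
		suite      => "${::lsbdistcodename}-updates",
		components => ['main','contrib','non-free']
	}

	# proposed-updates used to be enabled on a hand-picked set of hosts; the
	# selection is kept commented out for reference and the entry is now
	# removed everywhere.
	#if ($::hostname in [ball, corelli, eysler, lucatelli, mayer, mayr, pettersson]) or
	#   ($::hoster and ($::hoster in [bytemark, man-da, brown])) {
	#	site::aptrepo { 'proposed-updates':
	#		url        => $mirror,
	#		suite      => "${::lsbdistcodename}-proposed-updates",
	#		components => ['main','contrib','non-free']
	#	}
	#} else {
		site::aptrepo { 'proposed-updates':
			ensure => absent,
		}
	#}

	# Old repository name, superseded by the two db.debian.org entries below.
	site::aptrepo { 'debian.org':
		ensure => absent,
	}

	# DSA's own package repository (source of the extra_repo packages above).
	# Its signing key is shipped explicitly rather than relying on whatever
	# happens to be in the system keyring; the per-suite entry reuses it.
	site::aptrepo { 'db.debian.org':
		url        => 'http://db.debian.org/debian-admin',
		suite      => 'debian-all',
		components => 'main',
		key        => 'puppet:///modules/debian-org/db.debian.org.gpg',
	}
	site::aptrepo { 'db.debian.org-suite':
		url        => 'http://db.debian.org/debian-admin',
		suite      => $::lsbdistcodename,
		components => 'main',
	}

	# Keep ud-replicated (the LDAP replication daemon) respawning from inittab
	# on sysvinit hosts; 'init q' makes init re-read the file.  systemd hosts
	# ignore inittab and get the unit file managed below instead.
	augeas { 'inittab_replicate':
		context => '/files/etc/inittab',
		changes => [
			'set ud/runlevels 2345',
			'set ud/action respawn',
			'set ud/process "/usr/bin/ud-replicated -d"',
		],
		notify  => Exec['init q'],
	}

	# Main archive entry, only when a hoster-local mirror is configured.
	if getfromhash($site::nodeinfo, 'hoster', 'mirror-debian') {
		site::aptrepo { 'debian':
			url        => getfromhash($site::nodeinfo, 'hoster', 'mirror-debian'),
			suite      => $::lsbdistcodename,
			components => ['main','contrib','non-free']
		}
	}

	# /etc/facter is purged of anything puppet does not manage, so the only
	# external facts on a host are the ones written to facts.d below.
	file { '/etc/facter':
		ensure  => directory,
		purge   => true,
		force   => true,
		recurse => true,
		source  => 'puppet:///files/empty/',
	}
	file { '/etc/facter/facts.d':
		ensure => directory,
	}
	file { '/etc/facter/facts.d/debian_facts.yaml':
		content => template('debian-org/debian_facts.yaml.erb')
	}
	# apt policy and behaviour tweaks.
	file { '/etc/apt/preferences':
		source => 'puppet:///modules/debian-org/apt.preferences',
	}
	file { '/etc/apt/apt.conf.d/local-compression':
		source => 'puppet:///modules/debian-org/apt.conf.d/local-compression',
	}
	file { '/etc/apt/apt.conf.d/local-recommends':
		source => 'puppet:///modules/debian-org/apt.conf.d/local-recommends',
	}
	file { '/etc/apt/apt.conf.d/local-pdiffs':
		source => 'puppet:///modules/debian-org/apt.conf.d/local-pdiffs',
	}
	file { '/etc/timezone':
		source => 'puppet:///modules/debian-org/timezone',
		notify => Exec['dpkg-reconfigure tzdata -pcritical -fnoninteractive'],
	}
	# Only the puppetmaster (handel) gets the database password; the
	# puppet.conf template presumably consumes $dbpassword when it is set.
	if $::hostname == handel {
		include puppetmaster::db
		$dbpassword = $puppetmaster::db::password
	}
	file { '/etc/puppet/puppet.conf':
		content => template('debian-org/puppet.conf.erb'),
	}
	file { '/etc/default/puppet':
		source => 'puppet:///modules/debian-org/puppet.default',
	}
	# systemd unit handling.  Modes are quoted strings: unquoted numeric
	# modes are ambiguous in puppet and rejected by newer versions.
	file { '/etc/systemd':
		ensure  => directory,
		mode    => '0755',
	}
	file { '/etc/systemd/system':
		ensure  => directory,
		mode    => '0755',
	}
	file { '/etc/systemd/system/ud-replicated.service':
		ensure => $servicefiles,
		source => 'puppet:///modules/debian-org/ud-replicated.service',
		notify => Exec['systemctl daemon-reload'],
	}
	if $systemd {
		file { '/etc/systemd/system/multi-user.target.wants/ud-replicated.service':
			ensure => 'link',
			target => '../ud-replicated.service',
			notify => Exec['systemctl daemon-reload'],
		}
	}
	# Mask the puppet agent service (link to /dev/null): puppet is not run as
	# a long-lived daemon here, presumably being driven from the
	# dsa-puppet-stuff cron job below instead.
	file { '/etc/systemd/system/puppet.service':
		ensure => 'link',
		target => '/dev/null',
		notify => Exec['systemctl daemon-reload'],
	}

	# Files shipped on top of the debian.org package (hence the require).
	file { '/etc/cron.d/dsa-puppet-stuff':
		content => template('debian-org/dsa-puppet-stuff.cron.erb'),
		require => Package['debian.org'],
	}
	file { '/etc/ldap/ldap.conf':
		require => Package['debian.org'],
		source  => 'puppet:///modules/debian-org/ldap.conf',
	}
	# PAM session stacks are templated; they govern what happens at login, so
	# review the templates together with any change to the LDAP config above.
	file { '/etc/pam.d/common-session':
		require => Package['debian.org'],
		content => template('debian-org/pam.common-session.erb'),
	}
	file { '/etc/pam.d/common-session-noninteractive':
		require => Package['debian.org'],
		content => template('debian-org/pam.common-session-noninteractive.erb'),
	}
	# rc.local is executed, so it really needs 0755; a changed file is run
	# immediately via the rc.local service.
	file { '/etc/rc.local':
		mode    => '0755',
		content => template('debian-org/rc.local.erb'),
		notify  => Exec['service rc.local start'],
	}
	file { '/etc/dsa':
		ensure => directory,
		mode   => '0755',
	}
	file { '/etc/dsa/cron.ignore.dsa-puppet-stuff':
		source  => 'puppet:///modules/debian-org/dsa-puppet-stuff.cron.ignore',
		require => Package['debian.org']
	}
	# nsswitch.conf is a plain configuration file: world-readable but not
	# executable (it used to be shipped as 0755, which was simply wrong).
	file { '/etc/nsswitch.conf':
		mode   => '0644',
		source => 'puppet:///modules/debian-org/nsswitch.conf',
	}

	# Kernel hardening.
	# The site-level vm.mmap_min_addr override is deliberately *removed*
	# (ensure => absent): the NULL-pointer-dereference mitigation it used to
	# provide is left to the distribution's default value.  Do not read this
	# as "we set mmap_min_addr" -- we stopped doing so.
	site::sysctl { 'mmap_min_addr':
		ensure => absent
	}
	# kernel.perf_event_paranoid=2: per the kernel documentation, unprivileged
	# users may neither profile the kernel nor use CPU performance events,
	# closing off a well-known information leak / exploit primitive.
	site::sysctl { 'perf_event_paranoid':
		key   => 'kernel.perf_event_paranoid',
		value => '2',
	}
	site::alternative { 'editor':
		linkto => '/usr/bin/vim.basic',
	}
	site::alternative { 'view':
		linkto => '/usr/bin/vim.basic',
	}
	mailalias { 'samhain-reports':
		ensure    => present,
		recipient => $debianadmin,
		require   => Package['debian.org']
	}

	# Helper script that decides whether an 'apt-get update' is due; the exec
	# below runs only when the script exits 0.
	file { '/usr/local/bin/check_for_updates':
		source => 'puppet:///modules/debian-org/check_for_updates',
		mode   => '0755',
		owner  => root,
		group  => root,
	}

	exec { 'apt-get update':
		path    => '/usr/bin:/usr/sbin:/bin:/sbin',
		onlyif  => '/usr/local/bin/check_for_updates',
		require => File['/usr/local/bin/check_for_updates']
	}
	# Anything tagged extra_repo lives in a repository declared in this class,
	# so make sure the package index is refreshed before installing it.
	Exec['apt-get update']->Package<| tag == extra_repo |>

	# refreshonly execs triggered by the resources above.  Each carries an
	# explicit path, like 'apt-get update', so none of them depends on a
	# site-wide Exec default being in effect (an unqualified command with no
	# path is otherwise a catalog failure).
	exec { 'dpkg-reconfigure tzdata -pcritical -fnoninteractive':
		path        => '/usr/bin:/usr/sbin:/bin:/sbin',
		refreshonly => true
	}
	exec { 'service puppetmaster restart':
		path        => '/usr/bin:/usr/sbin:/bin:/sbin',
		refreshonly => true
	}
	exec { 'service rc.local start':
		path        => '/usr/bin:/usr/sbin:/bin:/sbin',
		refreshonly => true
	}
	exec { 'init q':
		path        => '/usr/bin:/usr/sbin:/bin:/sbin',
		refreshonly => true
	}

	# Guarded so it is a no-op on sysvinit hosts.
	exec { 'systemctl daemon-reload':
		path        => '/usr/bin:/usr/sbin:/bin:/sbin',
		refreshonly => true,
		onlyif      => "test -x /bin/systemctl"
	}

	# Expire puppet's backup copies of replaced files after two weeks (by
	# ctime); the clientbucket can otherwise hold old credentials indefinitely.
	tidy { '/var/lib/puppet/clientbucket/':
		age      => '2w',
		recurse  => 9,
		type     => ctime,
		matches  => [ 'paths', 'contents' ],
		schedule => weekly
	}

	# Shared root dotfiles.
	file { '/root/.bashrc':
		source => 'puppet:///modules/debian-org/root-dotfiles/bashrc',
	}
	file { '/root/.profile':
		source => 'puppet:///modules/debian-org/root-dotfiles/profile',
	}
	file { '/root/.screenrc':
		source => 'puppet:///modules/debian-org/root-dotfiles/screenrc',
	}
	file { '/root/.vimrc':
		source => 'puppet:///modules/debian-org/root-dotfiles/vimrc',
	}
}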
378                 source => 'puppet:///modules/debian-org/root-dotfiles/vimrc',
379         }
380 }