From: Ismaƫl Bouya
Date: Mon, 14 Aug 2017 17:02:29 +0000 (+0200)
Subject: Install OVH vps from scratch
X-Git-Url: https://git.immae.eu/?a=commitdiff_plain;h=ba2cf1b5d938810077b0fd73844faf432e8e8f9d;p=perso%2FImmae%2FProjets%2FPuppet.git
Install OVH vps from scratch
---
diff --git a/auth.conf b/auth.conf
deleted file mode 100644
index bf327a2..0000000
--- a/auth.conf
+++ /dev/null
@@ -1,124 +0,0 @@
-# This is the default auth.conf file, which implements the default rules
-# used by the puppet master. (That is, the rules below will still apply
-# even if this file is deleted.)
-#
-# The ACLs are evaluated in top-down order. More specific stanzas should
-# be towards the top of the file and more general ones at the bottom;
-# otherwise, the general rules may "steal" requests that should be
-# governed by the specific rules.
-#
-# See https://docs.puppetlabs.com/puppet/latest/reference/config_file_auth.html
-# for a more complete description of auth.conf's behavior.
-#
-# Supported syntax:
-# Each stanza in auth.conf starts with a path to match, followed
-# by optional modifiers, and finally, a series of allow or deny
-# directives.
-#
-# Example Stanza
-# ---------------------------------
-# path /path/to/resource # simple prefix match
-# # path ~ regex # alternately, regex match
-# [environment envlist]
-# [method methodlist]
-# [auth[enthicated] {yes|no|on|off|any}]
-# allow [host|backreference|*|regex]
-# deny [host|backreference|*|regex]
-# allow_ip [ip|cidr|ip_wildcard|*]
-# deny_ip [ip|cidr|ip_wildcard|*]
-#
-# The path match can either be a simple prefix match or a regular
-# expression. `path /file` would match both `/file_metadata` and
-# `/file_content`. Regex matches allow the use of backreferences
-# in the allow/deny directives.
-#
-# The regex syntax is the same as for Ruby regex, and captures backreferences
-# for use in the `allow` and `deny` lines of that stanza
-#
-# Examples:
-#
-# path ~ ^/puppet/v3/path/to/resource # Equivalent to `path /puppet/v3/path/to/resource`.
-# allow * # Allow all authenticated nodes (since auth
-# # defaults to `yes`).
-#
-# path ~ ^/puppet/v3/catalog/([^/]+)$ # Permit nodes to access their own catalog (by
-# allow $1 # certname), but not any other node's catalog.
-#
-# path ~ ^/puppet/v3/file_(metadata|content)/extra_files/ # Only allow certain nodes to
-# auth yes # access the "extra_files"
-# allow /^(.+)\.example\.com$/ # mount point; note this must
-# allow_ip 192.168.100.0/24 # go ABOVE the "/file" rule,
-# # since it is more specific.
-#
-# environment:: restrict an ACL to a comma-separated list of environments
-# method:: restrict an ACL to a comma-separated list of HTTP methods
-# auth:: restrict an ACL to an authenticated or unauthenticated request
-# the default when unspecified is to restrict the ACL to authenticated requests
-# (ie exactly as if auth yes was present).
-#
-
-### Authenticated ACLs - these rules apply only when the client
-### has a valid certificate and is thus authenticated
-
-path /puppet/v3/environments
-method find
-allow *
-
-# allow nodes to retrieve their own catalog
-path ~ ^/puppet/v3/catalog/([^/]+)$
-method find
-allow $1
-
-# allow nodes to retrieve their own node definition
-path ~ ^/puppet/v3/node/([^/]+)$
-method find
-allow $1
-
-# allow all nodes to store their own reports
-path ~ ^/puppet/v3/report/([^/]+)$
-method save
-allow $1
-
-# Allow all nodes to access all file services; this is necessary for
-# pluginsync, file serving from modules, and file serving from custom
-# mount points (see fileserver.conf). Note that the `/file` prefix matches
-# requests to both the file_metadata and file_content paths. See "Examples"
-# above if you need more granular access control for custom mount points.
-path /puppet/v3/file
-allow *
-
-path /puppet/v3/status
-method find
-allow *
-
-# allow all nodes to access the certificates services
-path /puppet-ca/v1/certificate_revocation_list/ca
-method find
-allow *
-
-### Unauthenticated ACLs, for clients without valid certificates; authenticated
-### clients can also access these paths, though they rarely need to.
-
-# allow access to the CA certificate; unauthenticated nodes need this
-# in order to validate the puppet master's certificate
-path /puppet-ca/v1/certificate/ca
-auth any
-method find
-allow *
-
-# allow nodes to retrieve the certificate they requested earlier
-path /puppet-ca/v1/certificate/
-auth any
-method find
-allow *
-
-# allow nodes to request a new certificate
-path /puppet-ca/v1/certificate_request
-auth any
-method find, save
-allow *
-
-# deny everything else; this ACL is not strictly necessary, but
-# illustrates the default policy.
-path /
-auth any
diff --git a/hiera.yaml b/hiera.yaml
deleted file mode 100644
index e69de29..0000000
diff --git a/manifests/install_ovh_from_scratch.pp b/manifests/install_ovh_from_scratch.pp
new file mode 100644
index 0000000..4888cfc
--- /dev/null
+++ b/manifests/install_ovh_from_scratch.pp
@@ -0,0 +1,20 @@
+node default {
+ include stdlib
+
+ stage { 'base_configuration': }
+ stage { 'base_packages': }
+ Stage["setup"]
+ -> Stage['base_packages']
+ -> Stage['base_configuration']
+ -> Stage['main']
+
+ class { 'base_packages':
+ stage => "base_packages"
+ }
+ class { 'base_configuration':
+ stage => "base_configuration",
+ code_path => "/etc/puppetlabs/code",
+ device => "/dev/sdb",
+ hostname => 'new.immae.eu',
+ }
+}
diff --git a/modules/base_configuration/files/en-dhcp.network b/modules/base_configuration/files/en-dhcp.network
new file mode 100644
index 0000000..6eef0e9
--- /dev/null
+++ b/modules/base_configuration/files/en-dhcp.network
@@ -0,0 +1,8 @@
+[Match]
+Name=en*
+
+[Network]
+DHCP=yes
+
+[DHCP]
+UseMTU=true
diff --git a/modules/base_configuration/files/getty_conf_override.conf b/modules/base_configuration/files/getty_conf_override.conf
new file mode 100644
index 0000000..52671c7
--- /dev/null
+++ b/modules/base_configuration/files/getty_conf_override.conf
@@ -0,0 +1,2 @@
+[Service]
+TTYVTDisallocate=no
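Review bot: `Stage["setup"]` is chained to but never declared in this manifest; Puppet itself only ships the `main` stage, so this compiles only if `include stdlib` still pulls in `stdlib::stages` (which declares `setup`), and I can't see which stdlib version is vendored here. Declaring it explicitly, `include stdlib::stages` (or `stage { 'setup': }`), removes that hidden dependency. Also `device => "/dev/sdb"` is the kind of value that overwrites a boot sector if wrong, yet in this commit the `grub-install` exec in grub_install is commented out, so the parameter currently has no effect — a one-line comment such as `# device: disk grub-install will target once re-enabled in grub_install` would spare the next reader that surprise.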
diff --git a/modules/base_configuration/files/pcspkr_no_autoload.conf b/modules/base_configuration/files/pcspkr_no_autoload.conf
new file mode 100644
index 0000000..b46792e
--- /dev/null
+++ b/modules/base_configuration/files/pcspkr_no_autoload.conf
@@ -0,0 +1 @@
+blacklist pcspkr
diff --git a/modules/base_configuration/manifests/init.pp b/modules/base_configuration/manifests/init.pp
index a46dd8b..8b2ce4c 100644
--- a/modules/base_configuration/manifests/init.pp
+++ b/modules/base_configuration/manifests/init.pp
@@ -1,27 +1,59 @@
 class base_configuration (
- $hostname = undef,
- $username = "immae",
- $userid = 1000
+ $hostname = undef,
+ $username = "immae",
+ $userid = 1000,
+ $code_path = undef,
+ $device = undef,
 ) {
+ unless empty($device) {
+ class { 'grub_install':
+ device => $device,
+ }
+ }
+
+ class { 'locales': }
+
+ unless empty($code_path) {
+ class { 'cron_puppet':
+ code_path => $code_path,
+ }
+ }
+
 service { "sshd":
- ensure => "running",
+ #ensure => "running",
 enable => true,
 }
- service { "systemd-networkd.socket":
- ensure => "running",
+ service { "systemd-networkd":
+ #ensure => "running",
 enable => true,
 }
- service { "systemd-networkd":
- ensure => "running",
+ service { "systemd-resolved":
+ #ensure => "running",
 enable => true,
 }
+ file { "/etc/localtime":
+ ensure => "link",
+ target => "../usr/share/zoneinfo/Europe/Paris"
+ }
+
+ exec { "set_locale":
+ command => "/usr/bin/systemd-firstboot --locale=fr_FR.UTF-8",
+ creates => "/etc/locale.conf",
+ }
+
 unless empty($hostname) {
- class { 'systemd::hostname':
- hostname => $hostname
+ exec { "set_hostname":
+ command => "/usr/bin/systemd-firstboot --hostname=$hostname",
+ creates => "/etc/hostname",
 }
 }
+ file { "/etc/vconsole.conf":
+ ensure => "link",
+ target => "/dev/null",
+ }
+
 user { "${username}:${userid}":
 name => $username,
 uid => $userid,
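Review bot: `exec { "set_hostname" }` is guarded by `creates => "/etc/hostname"`, so once that file exists the exec is skipped forever and a later change to `$hostname` is silently ignored; `set_locale` has the same one-shot behaviour via `/etc/locale.conf`. A converging form is `file { '/etc/hostname': content => "${hostname}\n", owner => 'root', group => 'root', mode => '0644' }`, or keep the exec with `unless => "/usr/bin/test \"$(/usr/bin/cat /etc/hostname)\" = '${hostname}'"`. `$hostname` is also interpolated unquoted into the command string; it comes from the manifest here rather than from a remote source, but `--hostname='${hostname}'` costs nothing and removes the question should the provider ever go through a shell. The commented-out `ensure => "running"` on sshd/networkd/resolved presumably reflects running inside a chroot during the from-scratch install — a short comment saying so would stop it reading as an oversight. The class body continues past the end of this hunk.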
@@ -70,6 +102,42 @@ class base_configuration (
 password => '!'
 }
+ file { '/etc/modprobe.d/pcspkr_no_autoload.conf':
+ ensure => "present",
+ path => "/etc/modprobe.d/pcspkr_no_autoload.conf",
+ source => 'puppet:///modules/base_configuration/pcspkr_no_autoload.conf',
+ mode => "0644",
+ owner => "root",
+ group => "root"
+ }
+
+ file { '/etc/systemd/system/getty@tty1.service.d/':
+ ensure => "directory",
+ path => "/etc/systemd/system/getty@tty1.service.d/",
+ mode => "0755",
+ owner => "root",
+ group => "root"
+ }
+
+ file { '/etc/systemd/system/getty@tty1.service.d/noclear.conf':
+ ensure => "present",
+ path => "/etc/systemd/system/getty@tty1.service.d/noclear.conf",
+ source => 'puppet:///modules/base_configuration/getty_conf_override.conf',
+ recurse => true,
+ mode => "0644",
+ owner => "root",
+ group => "root"
+ }
+
+ file { '/etc/systemd/network/en-dhcp.network':
+ ensure => "present",
+ path => "/etc/systemd/network/en-dhcp.network",
+ source => 'puppet:///modules/base_configuration/en-dhcp.network',
+ mode => "0644",
+ owner => "root",
+ group => "root"
+ }
+
 file { '/etc/pacman.d/mirrorlist':
 ensure => "present",
 path => "/etc/pacman.d/mirrorlist",
@@ -108,7 +176,7 @@ class base_configuration (
 create_mode => '0664',
 create_owner => 'root',
 create_group => 'utmp',
- rotate => '1',
+ rotate => 1,
 minsize => '1M',
 }
 logrotate::rule { 'btmp':
@@ -119,7 +187,7 @@ class base_configuration (
 create_mode => '0600',
 create_owner => 'root',
 create_group => 'utmp',
- rotate => '1',
+ rotate => 1,
 }
 ensure_packages(["whois"], { 'install_options' => '--asdeps' })
@@ -136,4 +204,6 @@ class base_configuration (
 logpath => '',
 order => 10
 }
+
+ class { 'aur': }
 }
diff --git a/modules/base_packages/manifests/init.pp b/modules/base_packages/manifests/init.pp
index 269ca58..c4bbec9 100644
--- a/modules/base_packages/manifests/init.pp
+++ b/modules/base_packages/manifests/init.pp
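Review bot: The `noclear.conf` drop-in and `en-dhcp.network` are written without notifying anything, so systemd never re-reads the getty unit and `systemd-networkd` keeps its old configuration until the next boot; add `notify => Service['systemd-networkd']` on the network file (the service resource appears to be declared earlier in this class, outside this hunk) and a `refreshonly => true` `exec { '/usr/bin/systemctl daemon-reload': }` that the drop-in notifies. `recurse => true` on `noclear.conf` is a directory-only attribute and does nothing on a plain file — drop it. The trailing slash in the `getty@tty1.service.d/` title is, as far as I know, normalised away by the file type, but the slash-free form is the conventional one and avoids relying on that.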
@@ -1,6 +1,9 @@
 class base_packages {
 # Preinstalled
- ensure_packages(['base', 'openssh', 'grub', 'sudo'])
+ ensure_packages(['base'])
+
+ # Critical packages
+ ensure_packages(['openssh', 'grub', 'sudo'])
 # Puppet dependencies
 ensure_packages(['git', 'puppet'])
diff --git a/modules/cron_puppet/files/post-merge b/modules/cron_puppet/files/post-merge
index 1ba08fb..ac5e3ff 100644
--- a/modules/cron_puppet/files/post-merge
+++ b/modules/cron_puppet/files/post-merge
@@ -1,7 +1,7 @@
-#!/bin/bash -e
+#!/bin/bash
 ## Run Puppet locally using puppet apply
 git submodule update --init
-/usr/bin/puppet apply --modulepath=/etc/puppetlabs/puppet/modules /etc/puppetlabs/puppet/manifests/site.pp
+/usr/bin/puppet apply `pwd`/manifests/site.pp
 ## Log status of the Puppet run
 if [ $? -eq 0 ]
diff --git a/modules/cron_puppet/manifests/init.pp b/modules/cron_puppet/manifests/init.pp
index 1756a06..c9d5a51 100644
--- a/modules/cron_puppet/manifests/init.pp
+++ b/modules/cron_puppet/manifests/init.pp
@@ -1,7 +1,9 @@
-class cron_puppet {
+class cron_puppet (
+ $code_path = "/etc/puppetlabs/code"
+) {
 file { 'post-hook':
 ensure => file,
- path => '/etc/puppetlabs/puppet/.git/hooks/post-merge',
+ path => "$code_path/.git/hooks/post-merge",
 source => 'puppet:///modules/cron_puppet/post-merge',
 mode => '0755',
 owner => root,
@@ -12,7 +14,7 @@ class cron_puppet {
 }
 cron { 'puppet-apply':
 ensure => present,
- command => "cd /etc/puppetlabs/puppet ; /usr/bin/git pull",
+ command => "cd $code_path ; /usr/bin/git pull",
 user => root,
 minute => '*/30',
 require => File['post-hook'],
diff --git a/modules/etckeeper/manifests/run.pp b/modules/etckeeper/manifests/run.pp
index ddbb4e1..8ff4bbf 100644
--- a/modules/etckeeper/manifests/run.pp
+++ b/modules/etckeeper/manifests/run.pp
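Review bot: Dropping `-e` from the shebang means a failing `git submodule update --init` no longer aborts the hook, so `puppet apply` runs as root against a checkout with missing or stale submodules, and the `$? -eq 0` test below only ever sees puppet's own exit status. Keep the fail-fast on that one line: `git submodule update --init || exit 1`. Relying on `` `pwd` `` works because git runs hooks from the working-tree root, but `"$(git rev-parse --show-toplevel)"` states that intent and still works when the hook is run by hand from a subdirectory.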
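Review bot: `cd $code_path ; /usr/bin/git pull` joins the two commands with `;`, so if the `cd` fails the `git pull` still runs as root in cron's working directory; use `cd ${code_path} && /usr/bin/git pull`. This job also means root fetches and, via the post-merge hook, applies whatever the remote serves every 30 minutes; the remote and transport are not visible here, so I can't tell whether it is authenticated, but verifying signed commits before apply (`git verify-commit HEAD`) or pinning a read-only deploy key would close the supply-chain gap a compromised remote opens.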
@@ -1,7 +1,10 @@
-define etckeeper::run ($stages = [Stage['main']], $refreshonly = true, $reason = 'puppet run') {
+define etckeeper::run (
+ $refreshonly = true,
+ $reason = 'puppet run'
+) {
+
 exec { "etckeeper::run::${name}":
 refreshonly => $refreshonly,
 command => "/usr/bin/etckeeper commit '${reason}' || true",
- subscribe => $stages
 }
 }
diff --git a/modules/fail2ban b/modules/fail2ban
index c1495a2..c4f816d 160000
--- a/modules/fail2ban
+++ b/modules/fail2ban
@@ -1 +1 @@
-Subproject commit c1495a2c2de075863775e4ad191e0f0407fc259f
+Subproject commit c4f816ded7245641ab70d553dc27f635f07614fa
diff --git a/modules/grub_install/files/config b/modules/grub_install/files/config
new file mode 100644
index 0000000..0a2ef57
--- /dev/null
+++ b/modules/grub_install/files/config
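Review bot: Removing `$stages` together with `subscribe => $stages` leaves the exec with `refreshonly => true` and no trigger at all, so an `etckeeper::run` instance now never commits unless each caller supplies its own `notify`/`subscribe`; any caller still passing `stages =>` will also stop compiling because the parameter is gone. I can't see the callers from here — if they were updated in a separate change, a header comment on the define, `# Callers must notify this exec (refreshonly); there is no default trigger.`, would make the new contract explicit.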
@@ -0,0 +1,47 @@
+GRUB_DEFAULT=0
+GRUB_TIMEOUT=5
+GRUB_DISTRIBUTOR="Arch"
+GRUB_CMDLINE_LINUX_DEFAULT="quiet"
+GRUB_CMDLINE_LINUX=" console=tty0 console=ttyS0,115200"
+
+# Preload both GPT and MBR modules so that they are not missed
+GRUB_PRELOAD_MODULES="part_gpt part_msdos"
+
+# Uncomment to enable Hidden Menu, and optionally hide the timeout count
+#GRUB_HIDDEN_TIMEOUT=5
+#GRUB_HIDDEN_TIMEOUT_QUIET=true
+
+# Uncomment to use basic console
+GRUB_TERMINAL_INPUT=console
+
+# Uncomment to disable graphical terminal
+#GRUB_TERMINAL_OUTPUT=console
+
+# The resolution used on graphical terminal
+# note that you can use only modes which your graphic card supports via VBE
+# you can see them in real GRUB with the command `vbeinfo'
+GRUB_GFXMODE=auto
+
+# Uncomment to allow the kernel use the same resolution used by grub
+GRUB_GFXPAYLOAD_LINUX=keep
+
+# Uncomment if you want GRUB to pass to the Linux kernel the old parameter
+# format "root=/dev/xxx" instead of "root=/dev/disk/by-uuid/xxx"
+#GRUB_DISABLE_LINUX_UUID=true
+
+# Uncomment to disable generation of recovery mode menu entries
+GRUB_DISABLE_RECOVERY=true
+
+# Uncomment and set to the desired menu colors. Used by normal and wallpaper
+# modes only. Entries specified as foreground/background.
+#GRUB_COLOR_NORMAL="light-blue/black"
+#GRUB_COLOR_HIGHLIGHT="light-cyan/blue"
+
+# Uncomment one of them for the gfx desired, a image background or a gfxtheme
+#GRUB_BACKGROUND="/path/to/wallpaper"
+#GRUB_THEME="/path/to/gfxtheme"
+
+# Uncomment to get a beep at GRUB start
+#GRUB_INIT_TUNE="480 440 1"
+
+#GRUB_SAVEDEFAULT="true"
diff --git a/modules/grub_install/manifests/init.pp b/modules/grub_install/manifests/init.pp
new file mode 100644
index 0000000..172cf4b
--- /dev/null
+++ b/modules/grub_install/manifests/init.pp
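Review bot: This file is shipped but nothing in the commit consumes it — the `file { "/etc/default/grub": source => 'puppet:///modules/grub_install/config' }` in grub_install/manifests/init.pp is commented out, so it is dead configuration that will drift from the `file_line` that actually manages `GRUB_CMDLINE_LINUX`; either wire it in or delete it. If it does get used: with a serial console on `ttyS0` and no `superusers`/`password_pbkdf2` anywhere in the GRUB config, anyone with console access to the VPS can edit the kernel command line at the menu (e.g. `init=/bin/sh`), so a password-protected entry in `40_custom` is worth considering alongside `GRUB_TIMEOUT=5`.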
@@ -0,0 +1,32 @@
+class grub_install (
+ $device = undef
+) {
+ ensure_packages(['grub'])
+
+ # unless empty($device) {
+ # exec { 'install GRUB':
+ # command => "/usr/bin/grub-install --target=i386-pc $device",
+ # subscribe => Package["grub"],
+ # }
+ # }
+
+ file_line { "/etc/default/grub#GRUB_CMDLINE_LINUX":
+ path => "/etc/default/grub",
+ line => 'GRUB_CMDLINE_LINUX=" console=tty0 console=ttyS0,115200"',
+ match => '^GRUB_CMDLINE_LINUX='
+ }
+ # file { "/etc/default/grub":
+ # ensure => "present",
+ # path => "/etc/default/grub",
+ # source => 'puppet:///modules/grub_install/config',
+ # mode => "0644",
+ # owner => "root",
+ # group => "root",
+ # # notify => [Exec["install GRUB"], Exec["update GRUB config"]]
+ # }
+
+ # exec { 'update GRUB config':
+ # command => "/usr/bin/grub-mkconfig -o /boot/grub/grub.cfg",
+ # refreshonly => true
+ # }
+}
diff --git a/modules/locales/manifests/init.pp b/modules/locales/manifests/init.pp
index 982b48e..1923f26 100644
--- a/modules/locales/manifests/init.pp
+++ b/modules/locales/manifests/init.pp
@@ -9,8 +9,4 @@ class locales {
 subscribe => File_line['/etc/locale.gen#fr_FR.UTF-8', '/etc/locale.gen#en_US.UTF-8'],
 refreshonly => true,
 }
- exec { '/usr/bin/localectl set-locale LANG=fr_FR.UTF-8':
- subscribe => File_line['/etc/locale.gen#fr_FR.UTF-8'],
- refreshonly => true,
- }
 }
diff --git a/puppet.conf b/puppet.conf
deleted file mode 100644
index bf48823..0000000
--- a/puppet.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-# This file can be used to override the default puppet settings.
-# See the following links for more details on what settings are available:
-# - https://docs.puppetlabs.com/puppet/latest/reference/config_important_settings.html
-# - https://docs.puppetlabs.com/puppet/latest/reference/config_about_settings.html
-# - https://docs.puppetlabs.com/puppet/latest/reference/config_file_main.html
-# - https://docs.puppetlabs.com/puppet/latest/reference/configuration.html
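Review bot: The `file_line` rewrites `GRUB_CMDLINE_LINUX` in `/etc/default/grub`, but the `exec { 'update GRUB config' }` that would run `grub-mkconfig` is commented out, so the serial-console setting never reaches `/boot/grub/grub.cfg` until someone regenerates it by hand; either restore that exec and add `notify => Exec['update GRUB config']` to the `file_line`, or document the manual step. `$device` is accepted but unused while `install GRUB` is commented out, which silently ignores the value callers pass (install_ovh_from_scratch.pp passes `/dev/sdb`). If both execs are intentionally disabled for the from-scratch install, a `# TODO: grub-install/grub-mkconfig disabled because …; re-enable once …` at the top of the class would say so instead of leaving dead code to guess at.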