]> git.immae.eu Git - perso/Immae/Projets/Puppet.git/blob - modules/base_configuration/manifests/init.pp
projects / perso / Immae / Projets / Puppet.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Install OVH vps from scratch
[perso/Immae/Projets/Puppet.git] / modules / base_configuration / manifests / init.pp
1 class base_configuration (
2 $hostname = undef,
3 $username = "immae",
4 $userid = 1000,
5 $code_path = undef,
6 $device = undef,
7 ) {
8 unless empty($device) {
9 class { 'grub_install':
10 device => $device,
11 }
12 }
13
14 class { 'locales': }
15
16 unless empty($code_path) {
17 class { 'cron_puppet':
18 code_path => $code_path,
19 }
20 }
21
22 service { "sshd":
23 #ensure => "running",
24 enable => true,
25 }
26 service { "systemd-networkd":
27 #ensure => "running",
28 enable => true,
29 }
30 service { "systemd-resolved":
31 #ensure => "running",
32 enable => true,
33 }
34
35 file { "/etc/localtime":
36 ensure => "link",
37 target => "../usr/share/zoneinfo/Europe/Paris"
38 }
39
40 exec { "set_locale":
41 command => "/usr/bin/systemd-firstboot --locale=fr_FR.UTF-8",
42 creates => "/etc/locale.conf",
43 }
44
45 unless empty($hostname) {
46 exec { "set_hostname":
47 command => "/usr/bin/systemd-firstboot --hostname=$hostname",
48 creates => "/etc/hostname",
49 }
50 }
51
52 file { "/etc/vconsole.conf":
53 ensure => "link",
54 target => "/dev/null",
55 }
56
57 user { "${username}:${userid}":
58 name => $username,
59 uid => $userid,
60 ensure => "present",
61 groups => "wheel",
62 managehome => true,
63 notify => Exec["remove_password"]
64 }
65
66 exec { "remove_password":
67 command => "/usr/bin/chage -d 0 $username && /usr/bin/passwd -d $username",
68 refreshonly => true
69 }
70
71 ssh_authorized_key { $username:
72 name => "immae@immae.eu",
73 user => $username,
74 type => "ssh-rsa",
75 key => "AAAAB3NzaC1yc2EAAAADAQABAAABAQDi5PgLBwMRyRwzJPnSgUyRAuB9AAxMijsw1pR/t/wmxQne1O5fIPOleHx+D8dyZbwm+XkzlcJpgT0Qy3qC9J8BPhshJvO/tA/8CI/oS/FE0uWsyACH1DMO2dk4gRRZGSE9IuzDMRPlnfZ3n0tdsPzzv3GH4It/oPIgsvkTowKztGLQ7Xmjr5BxzAhXcIQymqA0U3XWHSdWvnSRDaOFG0PDoVMS85IdwlviVKLnV5Sstb4NC/P28LFfgvW8DO/XrOqujgDomqTmR41dK/AyrGGOb2cQUMO4l8Oa+74aOyKaB61rr/rJkr+wCbEttkTvgFa6zZygSk3edfiWE2rgn4+v"
76 }
77
78 class { 'sudo':
79 config_file_replace => false,
80 # Missing in the sudo package, should no be mandatory
81 package_ldap => false
82 }
83
84 sudo::conf { 'wheel':
85 priority => 10,
86 content => "%wheel ALL=(ALL) ALL"
87 }
88
89 class { 'ssh::server':
90 storeconfigs_enabled => false,
91 options => {
92 'AcceptEnv' => undef,
93 'X11Forwarding' => 'yes',
94 'PrintMotd' => 'no',
95 'ChallengeResponseAuthentication' => 'no',
96 'Subsystem' => 'sftp /usr/lib/openssh/sftp-server',
97 }
98 }
99
100 ensure_packages('ruby-shadow')
101 user { 'root':
102 password => '!'
103 }
104
105 file { '/etc/modprobe.d/pcspkr_no_autoload.conf':
106 ensure => "present",
107 path => "/etc/modprobe.d/pcspkr_no_autoload.conf",
108 source => 'puppet:///modules/base_configuration/pcspkr_no_autoload.conf',
109 mode => "0644",
110 owner => "root",
111 group => "root"
112 }
113
114 file { '/etc/systemd/system/getty@tty1.service.d/':
115 ensure => "directory",
116 path => "/etc/systemd/system/getty@tty1.service.d/",
117 mode => "0755",
118 owner => "root",
119 group => "root"
120 }
121
122 file { '/etc/systemd/system/getty@tty1.service.d/noclear.conf':
123 ensure => "present",
124 path => "/etc/systemd/system/getty@tty1.service.d/noclear.conf",
125 source => 'puppet:///modules/base_configuration/getty_conf_override.conf',
126 recurse => true,
127 mode => "0644",
128 owner => "root",
129 group => "root"
130 }
131
132 file { '/etc/systemd/network/en-dhcp.network':
133 ensure => "present",
134 path => "/etc/systemd/network/en-dhcp.network",
135 source => 'puppet:///modules/base_configuration/en-dhcp.network',
136 mode => "0644",
137 owner => "root",
138 group => "root"
139 }
140
141 file { '/etc/pacman.d/mirrorlist':
142 ensure => "present",
143 path => "/etc/pacman.d/mirrorlist",
144 source => 'puppet:///modules/base_configuration/mirrorlist',
145 mode => "0644",
146 owner => "root",
147 group => "root"
148 }
149
150 class { 'pacman':
151 color => true,
152 usesyslog => true,
153 }
154
155 pacman::repo { 'multilib':
156 order => 15,
157 include => '/etc/pacman.d/mirrorlist'
158 }
159
160 class { '::logrotate':
161 manage_cron_daily => false,
162 config => {
163 rotate_every => 'week',
164 rotate => 4,
165 create => true,
166 compress => true,
167 olddir => '/var/log/old',
168 tabooext => "+ .pacorig .pacnew .pacsave",
169 }
170 }
171
172 logrotate::rule { 'wtmp':
173 path => '/var/log/wtmp',
174 rotate_every => 'month',
175 create => true,
176 create_mode => '0664',
177 create_owner => 'root',
178 create_group => 'utmp',
179 rotate => 1,
180 minsize => '1M',
181 }
182 logrotate::rule { 'btmp':
183 path => '/var/log/btmp',
184 missingok => true,
185 rotate_every => 'month',
186 create => true,
187 create_mode => '0600',
188 create_owner => 'root',
189 create_group => 'utmp',
190 rotate => 1,
191 }
192
193 ensure_packages(["whois"], { 'install_options' => '--asdeps' })
194 class { 'fail2ban':
195 logtarget => 'SYSLOG',
196 backend => 'systemd'
197 }
198 fail2ban::jail { 'sshd':
199 backend => 'systemd',
200 port => 'ssh',
201 filter => 'sshd',
202 maxretry => 10,
203 bantime => 86400,
204 logpath => '',
205 order => 10
206 }
207
208 class { 'aur': }
209 }
My infrastructure configuration - Deprecated, replaced with Nix