path: root/modules/base_configuration/manifests/init.pp
blob: 8b2ce4ccb6ebba10eaa7526b802ddacab87bca49 (plain) (tree)
# Baseline host configuration: optional bootloader install and puppet cron job,
# core services enabled at boot, timezone/locale/hostname, one admin account
# with an SSH key and wheel-based sudo, sshd options, a disabled root password,
# pacman mirrorlist/repo, logrotate rules and a fail2ban jail for sshd.
#
# Parameters:
#   $hostname  - when non-empty, set once through systemd-firstboot.
#   $username  - login name of the admin account (default "immae").
#   $userid    - uid of that account (default 1000).
#   $code_path - when non-empty, handed to the cron_puppet class.
#   $device    - when non-empty, handed to the grub_install class.
class base_configuration (
  $hostname  = undef,
  $username  = "immae",
  $userid    = 1000,
  $code_path = undef,
  $device    = undef,
) {
  # Bootloader installation is opt-in: only declared when a device is given.
  unless empty($device) {
    class { 'grub_install':
      device => $device,
    }
  }

  class { 'locales': }

  # The periodic puppet run is opt-in as well.
  unless empty($code_path) {
    class { 'cron_puppet':
      code_path => $code_path,
    }
  }

  # Only `enable` is managed for these three services: they are enabled at
  # boot, but with `ensure` commented out Puppet does not start or stop them
  # during a run.
  service { "sshd":
    #ensure => "running",
    enable => true,
  }
  service { "systemd-networkd":
    #ensure => "running",
    enable => true,
  }
  service { "systemd-resolved":
    #ensure => "running",
    enable => true,
  }

  # Timezone: relative symlink from /etc into the zoneinfo database.
  file { "/etc/localtime":
    ensure => "link",
    target => "../usr/share/zoneinfo/Europe/Paris"
  }

  # `creates` makes this a one-shot: skipped once /etc/locale.conf exists.
  exec { "set_locale":
    command     => "/usr/bin/systemd-firstboot --locale=fr_FR.UTF-8",
    creates     => "/etc/locale.conf",
  }

  # One-shot as above, guarded by /etc/hostname.
  # NOTE(review): $hostname is interpolated into the command line without
  # quoting or validation. Constrain the class parameter to a plain hostname
  # (data type or regex check) so whitespace or shell metacharacters in the
  # value cannot alter the command that runs as root.
  unless empty($hostname) {
    exec { "set_hostname":
      command     => "/usr/bin/systemd-firstboot --hostname=$hostname",
      creates     => "/etc/hostname",
    }
  }

  # Points vconsole.conf at /dev/null, i.e. no console keymap/font settings.
  file { "/etc/vconsole.conf":
    ensure => "link",
    target => "/dev/null",
  }

  # Admin account. The resource title combines name and uid; the real login
  # name comes from `name`. Membership in wheel is what grants sudo below.
  # Changes to this resource (including creation) trigger "remove_password".
  user { "${username}:${userid}":
    name       => $username,
    uid        => $userid,
    ensure     => "present",
    groups     => "wheel",
    managehome => true,
    notify     => Exec["remove_password"]
  }

  # Runs only when notified by the user resource (refreshonly).
  # `chage -d 0` forces a password change at next login and `passwd -d`
  # deletes the password, so the account has an EMPTY password until its
  # owner sets one.
  # NOTE(review): during that window a wheel member with full sudo has no
  # password. sshd's PermitEmptyPasswords is not set in this class, so its
  # default applies; confirm that PAM on the target hosts (console, su, sudo)
  # also refuses empty passwords, or lock the account instead and rely on the
  # SSH key for first login.
  # NOTE(review): the command relies on `&&` but no `provider => shell` is
  # declared, and $username is interpolated unquoted - confirm the command is
  # actually run through a shell and validate the username parameter.
  exec { "remove_password":
    command     => "/usr/bin/chage -d 0 $username && /usr/bin/passwd -d $username",
    refreshonly => true
  }

  # Authorises one hard-coded public key for $username.
  # NOTE(review): the key and its comment (`name`) are fixed while the account
  # name is a parameter, so the holder of the matching private key gets SSH
  # access to whatever account this class creates, on every host applying it.
  # Consider passing the key as a parameter / from hiera so it can be rotated
  # or revoked without editing the module.
  ssh_authorized_key { $username:
    name => "immae@immae.eu",
    user => $username,
    type => "ssh-rsa",
    key  => "AAAAB3NzaC1yc2EAAAADAQABAAABAQDi5PgLBwMRyRwzJPnSgUyRAuB9AAxMijsw1pR/t/wmxQne1O5fIPOleHx+D8dyZbwm+XkzlcJpgT0Qy3qC9J8BPhshJvO/tA/8CI/oS/FE0uWsyACH1DMO2dk4gRRZGSE9IuzDMRPlnfZ3n0tdsPzzv3GH4It/oPIgsvkTowKztGLQ7Xmjr5BxzAhXcIQymqA0U3XWHSdWvnSRDaOFG0PDoVMS85IdwlviVKLnV5Sstb4NC/P28LFfgvW8DO/XrOqujgDomqTmR41dK/AyrGGOb2cQUMO4l8Oa+74aOyKaB61rr/rJkr+wCbEttkTvgFa6zZygSk3edfiWE2rgn4+v"
  }

  class { 'sudo':
    config_file_replace => false,
    # Missing in the sudo package, should not be mandatory
    package_ldap        => false
  }

  # sudoers drop-in: every member of wheel may run any command as any user.
  # There is no NOPASSWD tag, so sudo asks for the caller's own password.
  sudo::conf { 'wheel':
    priority => 10,
    content  => "%wheel ALL=(ALL) ALL"
  }

  # sshd_config options handed to the ssh::server class.
  # NOTE(review): X11Forwarding is switched on; on a host without graphical
  # use it only adds attack surface and could be set to 'no'.
  # NOTE(review): PasswordAuthentication and PermitRootLogin are not set here,
  # so the module's / sshd's defaults apply. Since a public key is provisioned
  # above, consider pinning both explicitly rather than inheriting defaults.
  # `AcceptEnv => undef` presumably drops a default supplied by the module -
  # verify against the ssh module's documentation.
  class { 'ssh::server':
     storeconfigs_enabled => false,
     options => {
        'AcceptEnv'                       => undef,
        'X11Forwarding'                   => 'yes',
        'PrintMotd'                       => 'no',
        'ChallengeResponseAuthentication' => 'no',
        'Subsystem'                       => 'sftp /usr/lib/openssh/sftp-server',
     }
  }

  # ruby-shadow is what lets Puppet manage the shadow password field.
  # '!' is not a valid password hash, so password login as root is disabled;
  # root stays reachable through sudo from the wheel account.
  ensure_packages('ruby-shadow')
  user { 'root':
    password => '!'
  }

  # Static files shipped from this module's files/ directory. In each of the
  # file resources below `path` simply repeats the resource title.
  file { '/etc/modprobe.d/pcspkr_no_autoload.conf':
     ensure => "present",
     path   => "/etc/modprobe.d/pcspkr_no_autoload.conf",
     source => 'puppet:///modules/base_configuration/pcspkr_no_autoload.conf',
     mode   => "0644",
     owner  => "root",
     group  => "root"
  }

  # Drop-in directory for the getty@tty1 unit override that follows.
  file { '/etc/systemd/system/getty@tty1.service.d/':
    ensure => "directory",
    path   => "/etc/systemd/system/getty@tty1.service.d/",
    mode   => "0755",
    owner  => "root",
    group  => "root"
  }

  # NOTE(review): `recurse => true` on a resource whose source looks like a
  # single file appears to have no effect - confirm and drop it if so.
  file { '/etc/systemd/system/getty@tty1.service.d/noclear.conf':
     ensure  => "present",
     path    => "/etc/systemd/system/getty@tty1.service.d/noclear.conf",
     source  => 'puppet:///modules/base_configuration/getty_conf_override.conf',
     recurse =>  true,
     mode    => "0644",
     owner   => "root",
     group   => "root"
  }

  file { '/etc/systemd/network/en-dhcp.network':
     ensure => "present",
     path   => "/etc/systemd/network/en-dhcp.network",
     source => 'puppet:///modules/base_configuration/en-dhcp.network',
     mode   => "0644",
     owner  => "root",
     group  => "root"
  }

  # The package mirror list is pinned to the copy stored in this module.
  file { '/etc/pacman.d/mirrorlist':
     ensure  => "present",
     path    => "/etc/pacman.d/mirrorlist",
     source  => 'puppet:///modules/base_configuration/mirrorlist',
     mode    => "0644",
     owner   => "root",
     group   => "root"
  }

  class { 'pacman':
    color     => true,
    usesyslog => true,
  }

  # multilib repository, served from the same mirrorlist.
  pacman::repo { 'multilib':
    order   => 15,
    include => '/etc/pacman.d/mirrorlist'
  }

  # Global logrotate defaults: weekly rotation, 4 generations kept, compressed,
  # rotated files moved to /var/log/old; pacman leftovers are added to tabooext.
  class { '::logrotate':
    manage_cron_daily => false,
    config => {
      rotate_every => 'week',
      rotate       => 4,
      create       => true,
      compress     => true,
      olddir       => '/var/log/old',
      tabooext     => "+ .pacorig .pacnew .pacsave",
    }
  }

  # Login records. wtmp is recreated 0664 root:utmp; btmp (failed logins) is
  # recreated 0600 so that only root can read it. Both keep a single monthly
  # generation, which bounds how far back login history is available for an
  # investigation unless logs are also shipped elsewhere.
  logrotate::rule { 'wtmp':
    path         => '/var/log/wtmp',
    rotate_every => 'month',
    create       => true,
    create_mode  => '0664',
    create_owner => 'root',
    create_group => 'utmp',
    rotate       => 1,
    minsize      => '1M',
  }
  logrotate::rule { 'btmp':
    path         => '/var/log/btmp',
    missingok    => true,
    rotate_every => 'month',
    create       => true,
    create_mode  => '0600',
    create_owner => 'root',
    create_group => 'utmp',
    rotate       => 1,
  }

  # whois is installed as a dependency package (--asdeps); presumably it is
  # wanted by fail2ban actions - confirm.
  ensure_packages(["whois"], { 'install_options' => '--asdeps' })
  class { 'fail2ban':
    logtarget => 'SYSLOG',
    backend   => 'systemd'
  }
  # sshd jail: maxretry 10 and bantime 86400 (seconds, i.e. 24 hours). The
  # empty logpath goes with the systemd backend, which reads the journal
  # instead of a log file.
  fail2ban::jail { 'sshd':
    backend  => 'systemd',
    port     => 'ssh',
    filter   => 'sshd',
    maxretry => 10,
    bantime  => 86400,
    logpath  => '',
    order    => 10
  }

  class { 'aur': }
}