Refactor base installation module

author: Ismaël Bouya <ismael.bouya@normalesup.org> 2017-08-24 02:22:17 +0200
committer: Ismaël Bouya <ismael.bouya@normalesup.org> 2017-08-29 22:46:14 +0200
commit: 7fed35a408b9ec37454169425823785b5fc8978b (patch)
tree: 28371d43ac304f99fb0a5305124858db69ef2137 /modules/base_installation/manifests
parent: ba2cf1b5d938810077b0fd73844faf432e8e8f9d (diff)
download: Puppet-7fed35a408b9ec37454169425823785b5fc8978b.tar.gz
Puppet-7fed35a408b9ec37454169425823785b5fc8978b.tar.zst
Puppet-7fed35a408b9ec37454169425823785b5fc8978b.zip
14 files changed, 357 insertions, 0 deletions
diff --git a/modules/base_installation/manifests/cronie.pp b/modules/base_installation/manifests/cronie.pp
new file mode 100644
index 0000000..bcdd9a7
--- /dev/null
+++ b/modules/base_installation/manifests/cronie.pp
@@ -0,0 +1,21 @@
+class base_installation::cronie inherits base_installation {
+  ensure_packages(['cronie'])
+  unless empty($base_installation::puppet_code_path) {
+    file { 'post-hook':
+      ensure  => file,
+      path    => "$base_installation::puppet_code_path/.git/hooks/post-merge",
+      source  => 'puppet:///modules/base_installation/cronie/puppet-post-merge',
+      mode    => '0755',
+      owner   => root,
+      group   => root,
+    }
+    cron { 'puppet-apply':
+      ensure  => present,
+      command => "cd $base_installation::puppet_code_path ; /usr/bin/git pull",
+      user    => root,
+      minute  => '*/30',
+      require => File['post-hook'],
+    }
+  }
+}
diff --git a/modules/base_installation/manifests/firewall.pp b/modules/base_installation/manifests/firewall.pp
new file mode 100644
index 0000000..12eeac2
--- /dev/null
+++ b/modules/base_installation/manifests/firewall.pp
@@ -0,0 +1,20 @@
+class base_installation::firewall inherits base_installation {
+  ensure_packages(["whois"], { 'install_options' => '--asdeps' })
+  class { 'fail2ban':
+    logtarget => 'SYSLOG',
+    backend   => 'systemd'
+  }
+  fail2ban::jail { 'sshd':
+    backend  => 'systemd',
+    port     => 'ssh',
+    filter   => 'sshd',
+    maxretry => 10,
+    bantime  => 86400,
+    logpath  => '',
+    order    => 10
+  }
+  contain "fail2ban"
+}
diff --git a/modules/base_installation/manifests/grub.pp b/modules/base_installation/manifests/grub.pp
new file mode 100644
index 0000000..0a96aa7
--- /dev/null
+++ b/modules/base_installation/manifests/grub.pp
@@ -0,0 +1,21 @@
+class base_installation::grub inherits base_installation {
+  ensure_packages(['grub'])
+  # unless empty($base_installation::grub_device) {
+  #   exec { 'install GRUB':
+  #     command   => "/usr/bin/grub-install --target=i386-pc $base_installation::device",
+  #     subscribe => Package["grub"],
+  #   }
+  # }
+  file_line { "/etc/default/grub#GRUB_CMDLINE_LINUX":
+    path  => "/etc/default/grub",
+    line  => 'GRUB_CMDLINE_LINUX=" console=tty0 console=ttyS0,115200"',
+    match => '^GRUB_CMDLINE_LINUX='
+  }
+  # exec { 'update GRUB config':
+  #   command     => "/usr/bin/grub-mkconfig -o /boot/grub/grub.cfg",
+  #   refreshonly => true
+  # }
+}
diff --git a/modules/base_installation/manifests/init.pp b/modules/base_installation/manifests/init.pp
new file mode 100644
index 0000000..65c5178
--- /dev/null
+++ b/modules/base_installation/manifests/init.pp
@@ -0,0 +1,21 @@
+class base_installation (
+  Optional[String]        $grub_device      = $base_installation::params::grub_device,
+  Optional[String]        $puppet_code_path = $base_installation::params::puppet_code_path,
+  Optional[String]        $system_hostname  = $base_installation::params::system_hostname,
+  Optional[Array[String]] $system_locales   = $base_installation::params::system_locales,
+  Optional[String]        $system_timezone  = $base_installation::params::system_timezone,
+  Optional[Array[Hash]]   $system_users     = $base_installation::params::system_users,
+) inherits base_installation::params {
+  contain ::base_installation::packages
+  contain ::base_installation::locales
+  contain ::base_installation::system_config
+  contain ::base_installation::kernel_modules
+  contain ::base_installation::grub
+  contain ::base_installation::firewall
+  contain ::base_installation::logs
+  contain ::base_installation::cronie
+  contain ::base_installation::ssh
+  contain ::base_installation::services
+  contain ::base_installation::users
+  contain ::base_installation::package_managers
+}
diff --git a/modules/base_installation/manifests/kernel_modules.pp b/modules/base_installation/manifests/kernel_modules.pp
new file mode 100644
index 0000000..afeb30c
--- /dev/null
+++ b/modules/base_installation/manifests/kernel_modules.pp
@@ -0,0 +1,11 @@
+class base_installation::kernel_modules inherits base_installation {
+  file { '/etc/modprobe.d/pcspkr_no_autoload.conf':
+     ensure => "present",
+     path   => "/etc/modprobe.d/pcspkr_no_autoload.conf",
+     source => 'puppet:///modules/base_installation/kernel_modules/pcspkr_no_autoload.conf',
+     mode   => "0644",
+     owner  => "root",
+     group  => "root"
+  }
+}
diff --git a/modules/base_installation/manifests/locales.pp b/modules/base_installation/manifests/locales.pp
new file mode 100644
index 0000000..0f31e0b
--- /dev/null
+++ b/modules/base_installation/manifests/locales.pp
@@ -0,0 +1,37 @@
+class base_installation::locales inherits base_installation {
+  # Note: we don't care about other lines, they are not handled in
+  # Puppet
+  define locale_line ($locale, $charmap = 'UTF-8') {
+    file_line { "/etc/locale.gen#$locale":
+      path   => '/etc/locale.gen',
+      line   => "$locale $charmap  ",
+      match  => "#?$locale $charmap +$",
+      notify => Exec["/usr/bin/locale-gen"],
+    }
+  }
+  unless empty($base_installation::system_locales) {
+    $base_installation::system_locales.each |$locale| {
+      base_installation::locales::locale_line { "/etc/locale.gen#$locale":
+        locale => $locale
+      }
+    }
+    $main_locale = $base_installation::system_locales[0]
+    exec { "set_main_locale":
+      command => "/usr/bin/systemd-firstboot --locale=$main_locale",
+      creates => "/etc/locale.conf",
+    }
+  }
+  exec { '/usr/bin/locale-gen':
+    refreshonly => true,
+  }
+  file { "/etc/vconsole.conf":
+    ensure => "link",
+    target => "/dev/null",
+  }
+}
diff --git a/modules/base_installation/manifests/logs.pp b/modules/base_installation/manifests/logs.pp
new file mode 100644
index 0000000..558182f
--- /dev/null
+++ b/modules/base_installation/manifests/logs.pp
@@ -0,0 +1,36 @@
+class base_installation::logs inherits base_installation {
+  class { '::logrotate':
+    manage_cron_daily => false,
+    config => {
+      rotate_every => 'week',
+      rotate       => 4,
+      create       => true,
+      compress     => true,
+      olddir       => '/var/log/old',
+      tabooext     => "+ .pacorig .pacnew .pacsave",
+    }
+  }
+  logrotate::rule { 'wtmp':
+    path         => '/var/log/wtmp',
+    rotate_every => 'month',
+    create       => true,
+    create_mode  => '0664',
+    create_owner => 'root',
+    create_group => 'utmp',
+    rotate       => 1,
+    minsize      => '1M',
+  }
+  logrotate::rule { 'btmp':
+    path         => '/var/log/btmp',
+    missingok    => true,
+    rotate_every => 'month',
+    create       => true,
+    create_mode  => '0600',
+    create_owner => 'root',
+    create_group => 'utmp',
+    rotate       => 1,
+  }
+  contain "::logrotate"
+}
diff --git a/modules/base_installation/manifests/package_managers.pp b/modules/base_installation/manifests/package_managers.pp
new file mode 100644
index 0000000..c5c8485
--- /dev/null
+++ b/modules/base_installation/manifests/package_managers.pp
@@ -0,0 +1,25 @@
+class base_installation::package_managers inherits base_installation {
+  file { '/etc/pacman.d/mirrorlist':
+     ensure  => "present",
+     path    => "/etc/pacman.d/mirrorlist",
+     source  => 'puppet:///modules/base_installation/package_managers/mirrorlist',
+     mode    => "0644",
+     owner   => "root",
+     group   => "root"
+  }
+  class { 'pacman':
+    color     => true,
+    usesyslog => true,
+  }
+  pacman::repo { 'multilib':
+    order   => 15,
+    include => '/etc/pacman.d/mirrorlist'
+  }
+  class { 'aur': }
+  contain "pacman"
+  contain "aur"
+}
diff --git a/modules/base_installation/manifests/packages.pp b/modules/base_installation/manifests/packages.pp
new file mode 100644
index 0000000..b0824ad
--- /dev/null
+++ b/modules/base_installation/manifests/packages.pp
@@ -0,0 +1,10 @@
+class base_installation::packages inherits base_installation {
+  # Preinstalled
+  ensure_packages(['base'])
+  # Critical packages
+  ensure_packages(['openssh', 'grub', 'sudo'])
+  # Puppet dependencies
+  ensure_packages(['git', 'puppet'])
+}
diff --git a/modules/base_installation/manifests/params.pp b/modules/base_installation/manifests/params.pp
new file mode 100644
index 0000000..5f2e298
--- /dev/null
+++ b/modules/base_installation/manifests/params.pp
@@ -0,0 +1,21 @@
+class base_installation::params {
+  $puppet_code_path = "/etc/puppetlabs/code"
+  $grub_device      = "/dev/sda"
+  $system_hostname  = "new.immae.eu"
+  $system_locales   = ["fr_FR.UTF-8", "en_US.UTF-8"]
+  $system_timezone  = "Europe/Paris"
+  $system_users     = [
+    {
+      userid   => 1000,
+      username => "immae",
+      groups   => ["wheel"],
+      keys     => [
+        {
+          host     => "immae.eu",
+          key      => "AAAAB3NzaC1yc2EAAAADAQABAAABAQDi5PgLBwMRyRwzJPnSgUyRAuB9AAxMijsw1pR/t/wmxQne1O5fIPOleHx+D8dyZbwm+XkzlcJpgT0Qy3qC9J8BPhshJvO/tA/8CI/oS/FE0uWsyACH1DMO2dk4gRRZGSE9IuzDMRPlnfZ3n0tdsPzzv3GH4It/oPIgsvkTowKztGLQ7Xmjr5BxzAhXcIQymqA0U3XWHSdWvnSRDaOFG0PDoVMS85IdwlviVKLnV5Sstb4NC/P28LFfgvW8DO/XrOqujgDomqTmR41dK/AyrGGOb2cQUMO4l8Oa+74aOyKaB61rr/rJkr+wCbEttkTvgFa6zZygSk3edfiWE2rgn4+v",
+          key_type => "ssh-rsa"
+        }
+      ]
+    }
+  ]
+}
diff --git a/modules/base_installation/manifests/services.pp b/modules/base_installation/manifests/services.pp
new file mode 100644
index 0000000..b48c3b5
--- /dev/null
+++ b/modules/base_installation/manifests/services.pp
@@ -0,0 +1,50 @@
+class base_installation::services inherits base_installation {
+  service { "sshd":
+    #ensure => "running",
+    enable => true,
+  }
+  service { "systemd-networkd":
+    #ensure => "running",
+    enable => true,
+  }
+  service { "systemd-resolved":
+    #ensure => "running",
+    enable => true,
+  }
+  service { "cronie":
+    #ensure => "running",
+    enable => true,
+  }
+  file { '/etc/systemd/system/getty@tty1.service.d/':
+    ensure => "directory",
+    path   => "/etc/systemd/system/getty@tty1.service.d/",
+    mode   => "0755",
+    owner  => "root",
+    group  => "root"
+  }
+  file { '/etc/systemd/system/getty@tty1.service.d/noclear.conf':
+     ensure  => "present",
+     path    => "/etc/systemd/system/getty@tty1.service.d/noclear.conf",
+     source  => 'puppet:///modules/base_installation/services/getty_conf_override.conf',
+     recurse =>  true,
+     mode    => "0644",
+     owner   => "root",
+     group   => "root"
+  }
+  file { '/etc/systemd/network/en-dhcp.network':
+     ensure => "present",
+     path   => "/etc/systemd/network/en-dhcp.network",
+     source => 'puppet:///modules/base_installation/services/en-dhcp.network',
+     mode   => "0644",
+     owner  => "root",
+     group  => "root"
+  }
+}
diff --git a/modules/base_installation/manifests/ssh.pp b/modules/base_installation/manifests/ssh.pp
new file mode 100644
index 0000000..43769e9
--- /dev/null
+++ b/modules/base_installation/manifests/ssh.pp
@@ -0,0 +1,14 @@
+class base_installation::ssh inherits base_installation {
+  class { 'ssh::server':
+     storeconfigs_enabled => false,
+     options => {
+        'AcceptEnv'                       => undef,
+        'X11Forwarding'                   => 'yes',
+        'PrintMotd'                       => 'no',
+        'ChallengeResponseAuthentication' => 'no',
+        'Subsystem'                       => 'sftp /usr/lib/openssh/sftp-server',
+     }
+  }
+  contain "ssh::server"
+}
diff --git a/modules/base_installation/manifests/system_config.pp b/modules/base_installation/manifests/system_config.pp
new file mode 100644
index 0000000..f3325f4
--- /dev/null
+++ b/modules/base_installation/manifests/system_config.pp
@@ -0,0 +1,21 @@
+class base_installation::system_config inherits base_installation {
+  unless empty($base_installation::system_timezone) {
+    file { "/etc/localtime":
+      ensure => "link",
+      target => "../usr/share/zoneinfo/$base_installation::system_timezone"
+    }
+  }
+  unless empty($base_installation::system_hostname) {
+    file { '/etc/hostname':
+      content => "$base_installation::system_hostname\n",
+    }
+    # TODO: find a way to ensure that /etc/hostname doesn't change
+    # exec { "set_hostname":
+    #   command     => "/usr/bin/systemd-firstboot --hostname=$base_installation::system_hostname",
+    #   creates     => "/etc/hostname",
+    # }
+  }
+}
diff --git a/modules/base_installation/manifests/users.pp b/modules/base_installation/manifests/users.pp
new file mode 100644
index 0000000..766c0f0
--- /dev/null
+++ b/modules/base_installation/manifests/users.pp
@@ -0,0 +1,49 @@
+class base_installation::users (
+  $users = $base_installation::system_users,
+) inherits base_installation {
+  ensure_packages('ruby-shadow')
+  user { 'root':
+    password => '!'
+  }
+  class { 'sudo':
+    config_file_replace => false,
+    # Missing in the sudo package, should no be mandatory
+    package_ldap        => false
+  }
+  sudo::conf { 'wheel':
+    priority => 10,
+    content  => "%wheel ALL=(ALL) ALL"
+  }
+  contain "sudo"
+  $users.each |$user| {
+    user { "${user[username]}:${user[userid]}":
+      name           => $user[username],
+      uid            => $user[userid],
+      ensure         => "present",
+      groups         => $user[groups],
+      managehome     => true,
+      home           => "/home/${user[username]}",
+      notify         => Exec["remove_password"],
+      purge_ssh_keys => true
+    }
+    exec { "remove_password":
+      command     => "/usr/bin/chage -d 0 ${user[username]} && /usr/bin/passwd -d ${user[username]}",
+      refreshonly => true
+    }
+    $user[keys].each |$key| {
+      ssh_authorized_key { "${user[username]}@${key[host]}":
+        name => "${user[username]}@${key[host]}",
+        user => $user[username],
+        type => $key[key_type],
+        key  => $key[key],
+      }
+    }
+  }
+}
author	Ismaël Bouya <ismael.bouya@normalesup.org>	2017-08-24 02:22:17 +0200
committer	Ismaël Bouya <ismael.bouya@normalesup.org>	2017-08-29 22:46:14 +0200
commit	7fed35a408b9ec37454169425823785b5fc8978b (patch)
tree	28371d43ac304f99fb0a5305124858db69ef2137 /modules/base_installation/manifests
parent	ba2cf1b5d938810077b0fd73844faf432e8e8f9d (diff)
download	Puppet-7fed35a408b9ec37454169425823785b5fc8978b.tar.gz Puppet-7fed35a408b9ec37454169425823785b5fc8978b.tar.zst Puppet-7fed35a408b9ec37454169425823785b5fc8978b.zip

diff --git a/modules/base_installation/manifests/cronie.pp b/modules/base_installation/manifests/cronie.pp new file mode 100644 index 0000000..bcdd9a7 --- /dev/null +++ b/modules/base_installation/manifests/cronie.pp
@@ -0,0 +1,21 @@
	1	class base_installation::cronie inherits base_installation {
	2	ensure_packages(['cronie'])
	3
	4	unless empty($base_installation::puppet_code_path) {
	5	file { 'post-hook':
	6	ensure => file,
	7	path => "$base_installation::puppet_code_path/.git/hooks/post-merge",
	8	source => 'puppet:///modules/base_installation/cronie/puppet-post-merge',
	9	mode => '0755',
	10	owner => root,
	11	group => root,
	12	}
	13	cron { 'puppet-apply':
	14	ensure => present,
	15	command => "cd $base_installation::puppet_code_path ; /usr/bin/git pull",
	16	user => root,
	17	minute => '*/30',
	18	require => File['post-hook'],
	19	}
	20	}
	21	}


diff --git a/modules/base_installation/manifests/firewall.pp b/modules/base_installation/manifests/firewall.pp new file mode 100644 index 0000000..12eeac2 --- /dev/null +++ b/modules/base_installation/manifests/firewall.pp
@@ -0,0 +1,20 @@
	1	class base_installation::firewall inherits base_installation {
	2	ensure_packages(["whois"], { 'install_options' => '--asdeps' })
	3
	4	class { 'fail2ban':
	5	logtarget => 'SYSLOG',
	6	backend => 'systemd'
	7	}
	8
	9	fail2ban::jail { 'sshd':
	10	backend => 'systemd',
	11	port => 'ssh',
	12	filter => 'sshd',
	13	maxretry => 10,
	14	bantime => 86400,
	15	logpath => '',
	16	order => 10
	17	}
	18
	19	contain "fail2ban"
	20	}


diff --git a/modules/base_installation/manifests/grub.pp b/modules/base_installation/manifests/grub.pp new file mode 100644 index 0000000..0a96aa7 --- /dev/null +++ b/modules/base_installation/manifests/grub.pp
@@ -0,0 +1,21 @@
	1	class base_installation::grub inherits base_installation {
	2	ensure_packages(['grub'])
	3
	4	# unless empty($base_installation::grub_device) {
	5	# exec { 'install GRUB':
	6	# command => "/usr/bin/grub-install --target=i386-pc $base_installation::device",
	7	# subscribe => Package["grub"],
	8	# }
	9	# }
	10
	11	file_line { "/etc/default/grub#GRUB_CMDLINE_LINUX":
	12	path => "/etc/default/grub",
	13	line => 'GRUB_CMDLINE_LINUX=" console=tty0 console=ttyS0,115200"',
	14	match => '^GRUB_CMDLINE_LINUX='
	15	}
	16
	17	# exec { 'update GRUB config':
	18	# command => "/usr/bin/grub-mkconfig -o /boot/grub/grub.cfg",
	19	# refreshonly => true
	20	# }
	21	}


diff --git a/modules/base_installation/manifests/init.pp b/modules/base_installation/manifests/init.pp new file mode 100644 index 0000000..65c5178 --- /dev/null +++ b/modules/base_installation/manifests/init.pp
@@ -0,0 +1,21 @@
	1	class base_installation (
	2	Optional[String] $grub_device = $base_installation::params::grub_device,
	3	Optional[String] $puppet_code_path = $base_installation::params::puppet_code_path,
	4	Optional[String] $system_hostname = $base_installation::params::system_hostname,
	5	Optional[Array[String]] $system_locales = $base_installation::params::system_locales,
	6	Optional[String] $system_timezone = $base_installation::params::system_timezone,
	7	Optional[Array[Hash]] $system_users = $base_installation::params::system_users,
	8	) inherits base_installation::params {
	9	contain ::base_installation::packages
	10	contain ::base_installation::locales
	11	contain ::base_installation::system_config
	12	contain ::base_installation::kernel_modules
	13	contain ::base_installation::grub
	14	contain ::base_installation::firewall
	15	contain ::base_installation::logs
	16	contain ::base_installation::cronie
	17	contain ::base_installation::ssh
	18	contain ::base_installation::services
	19	contain ::base_installation::users
	20	contain ::base_installation::package_managers
	21	}


diff --git a/modules/base_installation/manifests/kernel_modules.pp b/modules/base_installation/manifests/kernel_modules.pp new file mode 100644 index 0000000..afeb30c --- /dev/null +++ b/modules/base_installation/manifests/kernel_modules.pp
@@ -0,0 +1,11 @@
	1	class base_installation::kernel_modules inherits base_installation {
	2	file { '/etc/modprobe.d/pcspkr_no_autoload.conf':
	3	ensure => "present",
	4	path => "/etc/modprobe.d/pcspkr_no_autoload.conf",
	5	source => 'puppet:///modules/base_installation/kernel_modules/pcspkr_no_autoload.conf',
	6	mode => "0644",
	7	owner => "root",
	8	group => "root"
	9	}
	10
	11	}


diff --git a/modules/base_installation/manifests/locales.pp b/modules/base_installation/manifests/locales.pp new file mode 100644 index 0000000..0f31e0b --- /dev/null +++ b/modules/base_installation/manifests/locales.pp
@@ -0,0 +1,37 @@
	1	class base_installation::locales inherits base_installation {
	2	# Note: we don't care about other lines, they are not handled in
	3	# Puppet
	4	define locale_line ($locale, $charmap = 'UTF-8') {
	5	file_line { "/etc/locale.gen#$locale":
	6	path => '/etc/locale.gen',
	7	line => "$locale $charmap ",
	8	match => "#?$locale $charmap +$",
	9	notify => Exec["/usr/bin/locale-gen"],
	10	}
	11	}
	12
	13	unless empty($base_installation::system_locales) {
	14	$base_installation::system_locales.each \|$locale\| {
	15	base_installation::locales::locale_line { "/etc/locale.gen#$locale":
	16	locale => $locale
	17	}
	18	}
	19
	20	$main_locale = $base_installation::system_locales[0]
	21	exec { "set_main_locale":
	22	command => "/usr/bin/systemd-firstboot --locale=$main_locale",
	23	creates => "/etc/locale.conf",
	24	}
	25	}
	26
	27	exec { '/usr/bin/locale-gen':
	28	refreshonly => true,
	29	}
	30
	31
	32	file { "/etc/vconsole.conf":
	33	ensure => "link",
	34	target => "/dev/null",
	35	}
	36
	37	}


diff --git a/modules/base_installation/manifests/logs.pp b/modules/base_installation/manifests/logs.pp new file mode 100644 index 0000000..558182f --- /dev/null +++ b/modules/base_installation/manifests/logs.pp
@@ -0,0 +1,36 @@
	1	class base_installation::logs inherits base_installation {
	2	class { '::logrotate':
	3	manage_cron_daily => false,
	4	config => {
	5	rotate_every => 'week',
	6	rotate => 4,
	7	create => true,
	8	compress => true,
	9	olddir => '/var/log/old',
	10	tabooext => "+ .pacorig .pacnew .pacsave",
	11	}
	12	}
	13
	14	logrotate::rule { 'wtmp':
	15	path => '/var/log/wtmp',
	16	rotate_every => 'month',
	17	create => true,
	18	create_mode => '0664',
	19	create_owner => 'root',
	20	create_group => 'utmp',
	21	rotate => 1,
	22	minsize => '1M',
	23	}
	24	logrotate::rule { 'btmp':
	25	path => '/var/log/btmp',
	26	missingok => true,
	27	rotate_every => 'month',
	28	create => true,
	29	create_mode => '0600',
	30	create_owner => 'root',
	31	create_group => 'utmp',
	32	rotate => 1,
	33	}
	34
	35	contain "::logrotate"
	36	}


diff --git a/modules/base_installation/manifests/package_managers.pp b/modules/base_installation/manifests/package_managers.pp new file mode 100644 index 0000000..c5c8485 --- /dev/null +++ b/modules/base_installation/manifests/package_managers.pp
@@ -0,0 +1,25 @@
	1	class base_installation::package_managers inherits base_installation {
	2	file { '/etc/pacman.d/mirrorlist':
	3	ensure => "present",
	4	path => "/etc/pacman.d/mirrorlist",
	5	source => 'puppet:///modules/base_installation/package_managers/mirrorlist',
	6	mode => "0644",
	7	owner => "root",
	8	group => "root"
	9	}
	10
	11	class { 'pacman':
	12	color => true,
	13	usesyslog => true,
	14	}
	15
	16	pacman::repo { 'multilib':
	17	order => 15,
	18	include => '/etc/pacman.d/mirrorlist'
	19	}
	20
	21	class { 'aur': }
	22
	23	contain "pacman"
	24	contain "aur"
	25	}


diff --git a/modules/base_installation/manifests/packages.pp b/modules/base_installation/manifests/packages.pp new file mode 100644 index 0000000..b0824ad --- /dev/null +++ b/modules/base_installation/manifests/packages.pp
@@ -0,0 +1,10 @@
	1	class base_installation::packages inherits base_installation {
	2	# Preinstalled
	3	ensure_packages(['base'])
	4
	5	# Critical packages
	6	ensure_packages(['openssh', 'grub', 'sudo'])
	7
	8	# Puppet dependencies
	9	ensure_packages(['git', 'puppet'])
	10	}


diff --git a/modules/base_installation/manifests/params.pp b/modules/base_installation/manifests/params.pp new file mode 100644 index 0000000..5f2e298 --- /dev/null +++ b/modules/base_installation/manifests/params.pp
@@ -0,0 +1,21 @@
	1	class base_installation::params {
	2	$puppet_code_path = "/etc/puppetlabs/code"
	3	$grub_device = "/dev/sda"
	4	$system_hostname = "new.immae.eu"
	5	$system_locales = ["fr_FR.UTF-8", "en_US.UTF-8"]
	6	$system_timezone = "Europe/Paris"
	7	$system_users = [
	8	{
	9	userid => 1000,
	10	username => "immae",
	11	groups => ["wheel"],
	12	keys => [
	13	{
	14	host => "immae.eu",
	15	key => "AAAAB3NzaC1yc2EAAAADAQABAAABAQDi5PgLBwMRyRwzJPnSgUyRAuB9AAxMijsw1pR/t/wmxQne1O5fIPOleHx+D8dyZbwm+XkzlcJpgT0Qy3qC9J8BPhshJvO/tA/8CI/oS/FE0uWsyACH1DMO2dk4gRRZGSE9IuzDMRPlnfZ3n0tdsPzzv3GH4It/oPIgsvkTowKztGLQ7Xmjr5BxzAhXcIQymqA0U3XWHSdWvnSRDaOFG0PDoVMS85IdwlviVKLnV5Sstb4NC/P28LFfgvW8DO/XrOqujgDomqTmR41dK/AyrGGOb2cQUMO4l8Oa+74aOyKaB61rr/rJkr+wCbEttkTvgFa6zZygSk3edfiWE2rgn4+v",
	16	key_type => "ssh-rsa"
	17	}
	18	]
	19	}
	20	]
	21	}


diff --git a/modules/base_installation/manifests/services.pp b/modules/base_installation/manifests/services.pp new file mode 100644 index 0000000..b48c3b5 --- /dev/null +++ b/modules/base_installation/manifests/services.pp
@@ -0,0 +1,50 @@
	1	class base_installation::services inherits base_installation {
	2
	3	service { "sshd":
	4	#ensure => "running",
	5	enable => true,
	6	}
	7
	8	service { "systemd-networkd":
	9	#ensure => "running",
	10	enable => true,
	11	}
	12
	13	service { "systemd-resolved":
	14	#ensure => "running",
	15	enable => true,
	16	}
	17
	18	service { "cronie":
	19	#ensure => "running",
	20	enable => true,
	21	}
	22
	23	file { '/etc/systemd/system/getty@tty1.service.d/':
	24	ensure => "directory",
	25	path => "/etc/systemd/system/getty@tty1.service.d/",
	26	mode => "0755",
	27	owner => "root",
	28	group => "root"
	29	}
	30
	31	file { '/etc/systemd/system/getty@tty1.service.d/noclear.conf':
	32	ensure => "present",
	33	path => "/etc/systemd/system/getty@tty1.service.d/noclear.conf",
	34	source => 'puppet:///modules/base_installation/services/getty_conf_override.conf',
	35	recurse => true,
	36	mode => "0644",
	37	owner => "root",
	38	group => "root"
	39	}
	40
	41	file { '/etc/systemd/network/en-dhcp.network':
	42	ensure => "present",
	43	path => "/etc/systemd/network/en-dhcp.network",
	44	source => 'puppet:///modules/base_installation/services/en-dhcp.network',
	45	mode => "0644",
	46	owner => "root",
	47	group => "root"
	48	}
	49
	50	}


diff --git a/modules/base_installation/manifests/ssh.pp b/modules/base_installation/manifests/ssh.pp new file mode 100644 index 0000000..43769e9 --- /dev/null +++ b/modules/base_installation/manifests/ssh.pp
@@ -0,0 +1,14 @@
	1	class base_installation::ssh inherits base_installation {
	2	class { 'ssh::server':
	3	storeconfigs_enabled => false,
	4	options => {
	5	'AcceptEnv' => undef,
	6	'X11Forwarding' => 'yes',
	7	'PrintMotd' => 'no',
	8	'ChallengeResponseAuthentication' => 'no',
	9	'Subsystem' => 'sftp /usr/lib/openssh/sftp-server',
	10	}
	11	}
	12
	13	contain "ssh::server"
	14	}


diff --git a/modules/base_installation/manifests/system_config.pp b/modules/base_installation/manifests/system_config.pp new file mode 100644 index 0000000..f3325f4 --- /dev/null +++ b/modules/base_installation/manifests/system_config.pp
@@ -0,0 +1,21 @@
	1	class base_installation::system_config inherits base_installation {
	2	unless empty($base_installation::system_timezone) {
	3	file { "/etc/localtime":
	4	ensure => "link",
	5	target => "../usr/share/zoneinfo/$base_installation::system_timezone"
	6	}
	7	}
	8
	9	unless empty($base_installation::system_hostname) {
	10	file { '/etc/hostname':
	11	content => "$base_installation::system_hostname\n",
	12	}
	13
	14	# TODO: find a way to ensure that /etc/hostname doesn't change
	15	# exec { "set_hostname":
	16	# command => "/usr/bin/systemd-firstboot --hostname=$base_installation::system_hostname",
	17	# creates => "/etc/hostname",
	18	# }
	19	}
	20
	21	}


diff --git a/modules/base_installation/manifests/users.pp b/modules/base_installation/manifests/users.pp new file mode 100644 index 0000000..766c0f0 --- /dev/null +++ b/modules/base_installation/manifests/users.pp
@@ -0,0 +1,49 @@
	1	class base_installation::users (
	2	$users = $base_installation::system_users,
	3	) inherits base_installation {
	4	ensure_packages('ruby-shadow')
	5	user { 'root':
	6	password => '!'
	7	}
	8
	9	class { 'sudo':
	10	config_file_replace => false,
	11	# Missing in the sudo package, should no be mandatory
	12	package_ldap => false
	13	}
	14
	15	sudo::conf { 'wheel':
	16	priority => 10,
	17	content => "%wheel ALL=(ALL) ALL"
	18	}
	19
	20	contain "sudo"
	21
	22	$users.each \|$user\| {
	23	user { "${user[username]}:${user[userid]}":
	24	name => $user[username],
	25	uid => $user[userid],
	26	ensure => "present",
	27	groups => $user[groups],
	28	managehome => true,
	29	home => "/home/${user[username]}",
	30	notify => Exec["remove_password"],
	31	purge_ssh_keys => true
	32	}
	33
	34	exec { "remove_password":
	35	command => "/usr/bin/chage -d 0 ${user[username]} && /usr/bin/passwd -d ${user[username]}",
	36	refreshonly => true
	37	}
	38
	39	$user[keys].each \|$key\| {
	40	ssh_authorized_key { "${user[username]}@${key[host]}":
	41	name => "${user[username]}@${key[host]}",
	42	user => $user[username],
	43	type => $key[key_type],
	44	key => $key[key],
	45	}
	46	}
	47	}
	48
	49	}