diff options
author | Ismaël Bouya <ismael.bouya@normalesup.org> | 2017-08-24 02:22:17 +0200 |
---|---|---|
committer | Ismaël Bouya <ismael.bouya@normalesup.org> | 2017-08-29 22:46:14 +0200 |
commit | 7fed35a408b9ec37454169425823785b5fc8978b (patch) | |
tree | 28371d43ac304f99fb0a5305124858db69ef2137 /modules/base_installation | |
parent | ba2cf1b5d938810077b0fd73844faf432e8e8f9d (diff) | |
download | Puppet-7fed35a408b9ec37454169425823785b5fc8978b.tar.gz Puppet-7fed35a408b9ec37454169425823785b5fc8978b.tar.zst Puppet-7fed35a408b9ec37454169425823785b5fc8978b.zip |
Refactor base installation module
Diffstat (limited to 'modules/base_installation')
19 files changed, 385 insertions, 0 deletions
diff --git a/modules/base_installation/files/cronie/puppet-post-merge b/modules/base_installation/files/cronie/puppet-post-merge new file mode 100644 index 0000000..ac5e3ff --- /dev/null +++ b/modules/base_installation/files/cronie/puppet-post-merge | |||
@@ -0,0 +1,15 @@ | |||
1 | #!/bin/bash | ||
2 | ## Run Puppet locally using puppet apply | ||
3 | git submodule update --init | ||
4 | /usr/bin/puppet apply `pwd`/manifests/site.pp | ||
5 | |||
6 | ## Log status of the Puppet run | ||
7 | if [ $? -eq 0 ] | ||
8 | then | ||
9 | /usr/bin/logger -i "Puppet has run successfully" -t "puppet-run" | ||
10 | exit 0 | ||
11 | else | ||
12 | /usr/bin/logger -i "Puppet has ran into an error, please run Puppet manually" -t "puppet-run" | ||
13 | exit 1 | ||
14 | fi | ||
15 | |||
diff --git a/modules/base_installation/files/kernel_modules/pcspkr_no_autoload.conf b/modules/base_installation/files/kernel_modules/pcspkr_no_autoload.conf new file mode 100644 index 0000000..b46792e --- /dev/null +++ b/modules/base_installation/files/kernel_modules/pcspkr_no_autoload.conf | |||
@@ -0,0 +1 @@ | |||
blacklist pcspkr | |||
diff --git a/modules/base_installation/files/package_managers/mirrorlist b/modules/base_installation/files/package_managers/mirrorlist new file mode 100644 index 0000000..2ffca7c --- /dev/null +++ b/modules/base_installation/files/package_managers/mirrorlist | |||
@@ -0,0 +1,2 @@ | |||
1 | Server = http://archlinux.mirrors.ovh.net/archlinux/$repo/os/$arch | ||
2 | Server = http://mir.archlinux.fr/$repo/os/$arch | ||
diff --git a/modules/base_installation/files/services/en-dhcp.network b/modules/base_installation/files/services/en-dhcp.network new file mode 100644 index 0000000..6eef0e9 --- /dev/null +++ b/modules/base_installation/files/services/en-dhcp.network | |||
@@ -0,0 +1,8 @@ | |||
1 | [Match] | ||
2 | Name=en* | ||
3 | |||
4 | [Network] | ||
5 | DHCP=yes | ||
6 | |||
7 | [DHCP] | ||
8 | UseMTU=true | ||
diff --git a/modules/base_installation/files/services/getty_conf_override.conf b/modules/base_installation/files/services/getty_conf_override.conf new file mode 100644 index 0000000..52671c7 --- /dev/null +++ b/modules/base_installation/files/services/getty_conf_override.conf | |||
@@ -0,0 +1,2 @@ | |||
1 | [Service] | ||
2 | TTYVTDisallocate=no | ||
diff --git a/modules/base_installation/manifests/cronie.pp b/modules/base_installation/manifests/cronie.pp new file mode 100644 index 0000000..bcdd9a7 --- /dev/null +++ b/modules/base_installation/manifests/cronie.pp | |||
@@ -0,0 +1,21 @@ | |||
1 | class base_installation::cronie inherits base_installation { | ||
2 | ensure_packages(['cronie']) | ||
3 | |||
4 | unless empty($base_installation::puppet_code_path) { | ||
5 | file { 'post-hook': | ||
6 | ensure => file, | ||
7 | path => "$base_installation::puppet_code_path/.git/hooks/post-merge", | ||
8 | source => 'puppet:///modules/base_installation/cronie/puppet-post-merge', | ||
9 | mode => '0755', | ||
10 | owner => root, | ||
11 | group => root, | ||
12 | } | ||
13 | cron { 'puppet-apply': | ||
14 | ensure => present, | ||
15 | command => "cd $base_installation::puppet_code_path ; /usr/bin/git pull", | ||
16 | user => root, | ||
17 | minute => '*/30', | ||
18 | require => File['post-hook'], | ||
19 | } | ||
20 | } | ||
21 | } | ||
diff --git a/modules/base_installation/manifests/firewall.pp b/modules/base_installation/manifests/firewall.pp new file mode 100644 index 0000000..12eeac2 --- /dev/null +++ b/modules/base_installation/manifests/firewall.pp | |||
@@ -0,0 +1,20 @@ | |||
1 | class base_installation::firewall inherits base_installation { | ||
2 | ensure_packages(["whois"], { 'install_options' => '--asdeps' }) | ||
3 | |||
4 | class { 'fail2ban': | ||
5 | logtarget => 'SYSLOG', | ||
6 | backend => 'systemd' | ||
7 | } | ||
8 | |||
9 | fail2ban::jail { 'sshd': | ||
10 | backend => 'systemd', | ||
11 | port => 'ssh', | ||
12 | filter => 'sshd', | ||
13 | maxretry => 10, | ||
14 | bantime => 86400, | ||
15 | logpath => '', | ||
16 | order => 10 | ||
17 | } | ||
18 | |||
19 | contain "fail2ban" | ||
20 | } | ||
diff --git a/modules/base_installation/manifests/grub.pp b/modules/base_installation/manifests/grub.pp new file mode 100644 index 0000000..0a96aa7 --- /dev/null +++ b/modules/base_installation/manifests/grub.pp | |||
@@ -0,0 +1,21 @@ | |||
1 | class base_installation::grub inherits base_installation { | ||
2 | ensure_packages(['grub']) | ||
3 | |||
4 | # unless empty($base_installation::grub_device) { | ||
5 | # exec { 'install GRUB': | ||
6 | # command => "/usr/bin/grub-install --target=i386-pc $base_installation::device", | ||
7 | # subscribe => Package["grub"], | ||
8 | # } | ||
9 | # } | ||
10 | |||
11 | file_line { "/etc/default/grub#GRUB_CMDLINE_LINUX": | ||
12 | path => "/etc/default/grub", | ||
13 | line => 'GRUB_CMDLINE_LINUX=" console=tty0 console=ttyS0,115200"', | ||
14 | match => '^GRUB_CMDLINE_LINUX=' | ||
15 | } | ||
16 | |||
17 | # exec { 'update GRUB config': | ||
18 | # command => "/usr/bin/grub-mkconfig -o /boot/grub/grub.cfg", | ||
19 | # refreshonly => true | ||
20 | # } | ||
21 | } | ||
diff --git a/modules/base_installation/manifests/init.pp b/modules/base_installation/manifests/init.pp new file mode 100644 index 0000000..65c5178 --- /dev/null +++ b/modules/base_installation/manifests/init.pp | |||
@@ -0,0 +1,21 @@ | |||
1 | class base_installation ( | ||
2 | Optional[String] $grub_device = $base_installation::params::grub_device, | ||
3 | Optional[String] $puppet_code_path = $base_installation::params::puppet_code_path, | ||
4 | Optional[String] $system_hostname = $base_installation::params::system_hostname, | ||
5 | Optional[Array[String]] $system_locales = $base_installation::params::system_locales, | ||
6 | Optional[String] $system_timezone = $base_installation::params::system_timezone, | ||
7 | Optional[Array[Hash]] $system_users = $base_installation::params::system_users, | ||
8 | ) inherits base_installation::params { | ||
9 | contain ::base_installation::packages | ||
10 | contain ::base_installation::locales | ||
11 | contain ::base_installation::system_config | ||
12 | contain ::base_installation::kernel_modules | ||
13 | contain ::base_installation::grub | ||
14 | contain ::base_installation::firewall | ||
15 | contain ::base_installation::logs | ||
16 | contain ::base_installation::cronie | ||
17 | contain ::base_installation::ssh | ||
18 | contain ::base_installation::services | ||
19 | contain ::base_installation::users | ||
20 | contain ::base_installation::package_managers | ||
21 | } | ||
diff --git a/modules/base_installation/manifests/kernel_modules.pp b/modules/base_installation/manifests/kernel_modules.pp new file mode 100644 index 0000000..afeb30c --- /dev/null +++ b/modules/base_installation/manifests/kernel_modules.pp | |||
@@ -0,0 +1,11 @@ | |||
1 | class base_installation::kernel_modules inherits base_installation { | ||
2 | file { '/etc/modprobe.d/pcspkr_no_autoload.conf': | ||
3 | ensure => "present", | ||
4 | path => "/etc/modprobe.d/pcspkr_no_autoload.conf", | ||
5 | source => 'puppet:///modules/base_installation/kernel_modules/pcspkr_no_autoload.conf', | ||
6 | mode => "0644", | ||
7 | owner => "root", | ||
8 | group => "root" | ||
9 | } | ||
10 | |||
11 | } | ||
diff --git a/modules/base_installation/manifests/locales.pp b/modules/base_installation/manifests/locales.pp new file mode 100644 index 0000000..0f31e0b --- /dev/null +++ b/modules/base_installation/manifests/locales.pp | |||
@@ -0,0 +1,37 @@ | |||
1 | class base_installation::locales inherits base_installation { | ||
2 | # Note: we don't care about other lines, they are not handled in | ||
3 | # Puppet | ||
4 | define locale_line ($locale, $charmap = 'UTF-8') { | ||
5 | file_line { "/etc/locale.gen#$locale": | ||
6 | path => '/etc/locale.gen', | ||
7 | line => "$locale $charmap ", | ||
8 | match => "#?$locale $charmap +$", | ||
9 | notify => Exec["/usr/bin/locale-gen"], | ||
10 | } | ||
11 | } | ||
12 | |||
13 | unless empty($base_installation::system_locales) { | ||
14 | $base_installation::system_locales.each |$locale| { | ||
15 | base_installation::locales::locale_line { "/etc/locale.gen#$locale": | ||
16 | locale => $locale | ||
17 | } | ||
18 | } | ||
19 | |||
20 | $main_locale = $base_installation::system_locales[0] | ||
21 | exec { "set_main_locale": | ||
22 | command => "/usr/bin/systemd-firstboot --locale=$main_locale", | ||
23 | creates => "/etc/locale.conf", | ||
24 | } | ||
25 | } | ||
26 | |||
27 | exec { '/usr/bin/locale-gen': | ||
28 | refreshonly => true, | ||
29 | } | ||
30 | |||
31 | |||
32 | file { "/etc/vconsole.conf": | ||
33 | ensure => "link", | ||
34 | target => "/dev/null", | ||
35 | } | ||
36 | |||
37 | } | ||
diff --git a/modules/base_installation/manifests/logs.pp b/modules/base_installation/manifests/logs.pp new file mode 100644 index 0000000..558182f --- /dev/null +++ b/modules/base_installation/manifests/logs.pp | |||
@@ -0,0 +1,36 @@ | |||
1 | class base_installation::logs inherits base_installation { | ||
2 | class { '::logrotate': | ||
3 | manage_cron_daily => false, | ||
4 | config => { | ||
5 | rotate_every => 'week', | ||
6 | rotate => 4, | ||
7 | create => true, | ||
8 | compress => true, | ||
9 | olddir => '/var/log/old', | ||
10 | tabooext => "+ .pacorig .pacnew .pacsave", | ||
11 | } | ||
12 | } | ||
13 | |||
14 | logrotate::rule { 'wtmp': | ||
15 | path => '/var/log/wtmp', | ||
16 | rotate_every => 'month', | ||
17 | create => true, | ||
18 | create_mode => '0664', | ||
19 | create_owner => 'root', | ||
20 | create_group => 'utmp', | ||
21 | rotate => 1, | ||
22 | minsize => '1M', | ||
23 | } | ||
24 | logrotate::rule { 'btmp': | ||
25 | path => '/var/log/btmp', | ||
26 | missingok => true, | ||
27 | rotate_every => 'month', | ||
28 | create => true, | ||
29 | create_mode => '0600', | ||
30 | create_owner => 'root', | ||
31 | create_group => 'utmp', | ||
32 | rotate => 1, | ||
33 | } | ||
34 | |||
35 | contain "::logrotate" | ||
36 | } | ||
diff --git a/modules/base_installation/manifests/package_managers.pp b/modules/base_installation/manifests/package_managers.pp new file mode 100644 index 0000000..c5c8485 --- /dev/null +++ b/modules/base_installation/manifests/package_managers.pp | |||
@@ -0,0 +1,25 @@ | |||
1 | class base_installation::package_managers inherits base_installation { | ||
2 | file { '/etc/pacman.d/mirrorlist': | ||
3 | ensure => "present", | ||
4 | path => "/etc/pacman.d/mirrorlist", | ||
5 | source => 'puppet:///modules/base_installation/package_managers/mirrorlist', | ||
6 | mode => "0644", | ||
7 | owner => "root", | ||
8 | group => "root" | ||
9 | } | ||
10 | |||
11 | class { 'pacman': | ||
12 | color => true, | ||
13 | usesyslog => true, | ||
14 | } | ||
15 | |||
16 | pacman::repo { 'multilib': | ||
17 | order => 15, | ||
18 | include => '/etc/pacman.d/mirrorlist' | ||
19 | } | ||
20 | |||
21 | class { 'aur': } | ||
22 | |||
23 | contain "pacman" | ||
24 | contain "aur" | ||
25 | } | ||
diff --git a/modules/base_installation/manifests/packages.pp b/modules/base_installation/manifests/packages.pp new file mode 100644 index 0000000..b0824ad --- /dev/null +++ b/modules/base_installation/manifests/packages.pp | |||
@@ -0,0 +1,10 @@ | |||
1 | class base_installation::packages inherits base_installation { | ||
2 | # Preinstalled | ||
3 | ensure_packages(['base']) | ||
4 | |||
5 | # Critical packages | ||
6 | ensure_packages(['openssh', 'grub', 'sudo']) | ||
7 | |||
8 | # Puppet dependencies | ||
9 | ensure_packages(['git', 'puppet']) | ||
10 | } | ||
diff --git a/modules/base_installation/manifests/params.pp b/modules/base_installation/manifests/params.pp new file mode 100644 index 0000000..5f2e298 --- /dev/null +++ b/modules/base_installation/manifests/params.pp | |||
@@ -0,0 +1,21 @@ | |||
1 | class base_installation::params { | ||
2 | $puppet_code_path = "/etc/puppetlabs/code" | ||
3 | $grub_device = "/dev/sda" | ||
4 | $system_hostname = "new.immae.eu" | ||
5 | $system_locales = ["fr_FR.UTF-8", "en_US.UTF-8"] | ||
6 | $system_timezone = "Europe/Paris" | ||
7 | $system_users = [ | ||
8 | { | ||
9 | userid => 1000, | ||
10 | username => "immae", | ||
11 | groups => ["wheel"], | ||
12 | keys => [ | ||
13 | { | ||
14 | host => "immae.eu", | ||
15 | key => "AAAAB3NzaC1yc2EAAAADAQABAAABAQDi5PgLBwMRyRwzJPnSgUyRAuB9AAxMijsw1pR/t/wmxQne1O5fIPOleHx+D8dyZbwm+XkzlcJpgT0Qy3qC9J8BPhshJvO/tA/8CI/oS/FE0uWsyACH1DMO2dk4gRRZGSE9IuzDMRPlnfZ3n0tdsPzzv3GH4It/oPIgsvkTowKztGLQ7Xmjr5BxzAhXcIQymqA0U3XWHSdWvnSRDaOFG0PDoVMS85IdwlviVKLnV5Sstb4NC/P28LFfgvW8DO/XrOqujgDomqTmR41dK/AyrGGOb2cQUMO4l8Oa+74aOyKaB61rr/rJkr+wCbEttkTvgFa6zZygSk3edfiWE2rgn4+v", | ||
16 | key_type => "ssh-rsa" | ||
17 | } | ||
18 | ] | ||
19 | } | ||
20 | ] | ||
21 | } | ||
diff --git a/modules/base_installation/manifests/services.pp b/modules/base_installation/manifests/services.pp new file mode 100644 index 0000000..b48c3b5 --- /dev/null +++ b/modules/base_installation/manifests/services.pp | |||
@@ -0,0 +1,50 @@ | |||
1 | class base_installation::services inherits base_installation { | ||
2 | |||
3 | service { "sshd": | ||
4 | #ensure => "running", | ||
5 | enable => true, | ||
6 | } | ||
7 | |||
8 | service { "systemd-networkd": | ||
9 | #ensure => "running", | ||
10 | enable => true, | ||
11 | } | ||
12 | |||
13 | service { "systemd-resolved": | ||
14 | #ensure => "running", | ||
15 | enable => true, | ||
16 | } | ||
17 | |||
18 | service { "cronie": | ||
19 | #ensure => "running", | ||
20 | enable => true, | ||
21 | } | ||
22 | |||
23 | file { '/etc/systemd/system/getty@tty1.service.d/': | ||
24 | ensure => "directory", | ||
25 | path => "/etc/systemd/system/getty@tty1.service.d/", | ||
26 | mode => "0755", | ||
27 | owner => "root", | ||
28 | group => "root" | ||
29 | } | ||
30 | |||
31 | file { '/etc/systemd/system/getty@tty1.service.d/noclear.conf': | ||
32 | ensure => "present", | ||
33 | path => "/etc/systemd/system/getty@tty1.service.d/noclear.conf", | ||
34 | source => 'puppet:///modules/base_installation/services/getty_conf_override.conf', | ||
35 | recurse => true, | ||
36 | mode => "0644", | ||
37 | owner => "root", | ||
38 | group => "root" | ||
39 | } | ||
40 | |||
41 | file { '/etc/systemd/network/en-dhcp.network': | ||
42 | ensure => "present", | ||
43 | path => "/etc/systemd/network/en-dhcp.network", | ||
44 | source => 'puppet:///modules/base_installation/services/en-dhcp.network', | ||
45 | mode => "0644", | ||
46 | owner => "root", | ||
47 | group => "root" | ||
48 | } | ||
49 | |||
50 | } | ||
diff --git a/modules/base_installation/manifests/ssh.pp b/modules/base_installation/manifests/ssh.pp new file mode 100644 index 0000000..43769e9 --- /dev/null +++ b/modules/base_installation/manifests/ssh.pp | |||
@@ -0,0 +1,14 @@ | |||
1 | class base_installation::ssh inherits base_installation { | ||
2 | class { 'ssh::server': | ||
3 | storeconfigs_enabled => false, | ||
4 | options => { | ||
5 | 'AcceptEnv' => undef, | ||
6 | 'X11Forwarding' => 'yes', | ||
7 | 'PrintMotd' => 'no', | ||
8 | 'ChallengeResponseAuthentication' => 'no', | ||
9 | 'Subsystem' => 'sftp /usr/lib/openssh/sftp-server', | ||
10 | } | ||
11 | } | ||
12 | |||
13 | contain "ssh::server" | ||
14 | } | ||
diff --git a/modules/base_installation/manifests/system_config.pp b/modules/base_installation/manifests/system_config.pp new file mode 100644 index 0000000..f3325f4 --- /dev/null +++ b/modules/base_installation/manifests/system_config.pp | |||
@@ -0,0 +1,21 @@ | |||
1 | class base_installation::system_config inherits base_installation { | ||
2 | unless empty($base_installation::system_timezone) { | ||
3 | file { "/etc/localtime": | ||
4 | ensure => "link", | ||
5 | target => "../usr/share/zoneinfo/$base_installation::system_timezone" | ||
6 | } | ||
7 | } | ||
8 | |||
9 | unless empty($base_installation::system_hostname) { | ||
10 | file { '/etc/hostname': | ||
11 | content => "$base_installation::system_hostname\n", | ||
12 | } | ||
13 | |||
14 | # TODO: find a way to ensure that /etc/hostname doesn't change | ||
15 | # exec { "set_hostname": | ||
16 | # command => "/usr/bin/systemd-firstboot --hostname=$base_installation::system_hostname", | ||
17 | # creates => "/etc/hostname", | ||
18 | # } | ||
19 | } | ||
20 | |||
21 | } | ||
diff --git a/modules/base_installation/manifests/users.pp b/modules/base_installation/manifests/users.pp new file mode 100644 index 0000000..766c0f0 --- /dev/null +++ b/modules/base_installation/manifests/users.pp | |||
@@ -0,0 +1,49 @@ | |||
1 | class base_installation::users ( | ||
2 | $users = $base_installation::system_users, | ||
3 | ) inherits base_installation { | ||
4 | ensure_packages('ruby-shadow') | ||
5 | user { 'root': | ||
6 | password => '!' | ||
7 | } | ||
8 | |||
9 | class { 'sudo': | ||
10 | config_file_replace => false, | ||
11 | # Missing in the sudo package, should no be mandatory | ||
12 | package_ldap => false | ||
13 | } | ||
14 | |||
15 | sudo::conf { 'wheel': | ||
16 | priority => 10, | ||
17 | content => "%wheel ALL=(ALL) ALL" | ||
18 | } | ||
19 | |||
20 | contain "sudo" | ||
21 | |||
22 | $users.each |$user| { | ||
23 | user { "${user[username]}:${user[userid]}": | ||
24 | name => $user[username], | ||
25 | uid => $user[userid], | ||
26 | ensure => "present", | ||
27 | groups => $user[groups], | ||
28 | managehome => true, | ||
29 | home => "/home/${user[username]}", | ||
30 | notify => Exec["remove_password"], | ||
31 | purge_ssh_keys => true | ||
32 | } | ||
33 | |||
34 | exec { "remove_password": | ||
35 | command => "/usr/bin/chage -d 0 ${user[username]} && /usr/bin/passwd -d ${user[username]}", | ||
36 | refreshonly => true | ||
37 | } | ||
38 | |||
39 | $user[keys].each |$key| { | ||
40 | ssh_authorized_key { "${user[username]}@${key[host]}": | ||
41 | name => "${user[username]}@${key[host]}", | ||
42 | user => $user[username], | ||
43 | type => $key[key_type], | ||
44 | key => $key[key], | ||
45 | } | ||
46 | } | ||
47 | } | ||
48 | |||
49 | } | ||