16 files changed, 208 insertions, 154 deletions
diff --git a/auth.conf b/auth.conf
deleted file mode 100644
index bf327a2..0000000
--- a/auth.conf
+++ /dev/null
@@ -1,124 +0,0 @@
-# This is the default auth.conf file, which implements the default rules
-# used by the puppet master. (That is, the rules below will still apply
-# even if this file is deleted.)
-#
-# The ACLs are evaluated in top-down order. More specific stanzas should
-# be towards the top of the file and more general ones at the bottom;
-# otherwise, the general rules may "steal" requests that should be
-# governed by the specific rules.
-#
-# See https://docs.puppetlabs.com/puppet/latest/reference/config_file_auth.html
-# for a more complete description of auth.conf's behavior.
-#
-# Supported syntax:
-# Each stanza in auth.conf starts with a path to match, followed
-# by optional modifiers, and finally, a series of allow or deny
-# directives.
-#
-# Example Stanza
-# ---------------------------------
-# path /path/to/resource     # simple prefix match
-# # path ~ regex             # alternately, regex match
-# [environment envlist]
-# [method methodlist]
-# [auth[enthicated] {yes|no|on|off|any}]
-# allow [host|backreference|*|regex]
-# deny [host|backreference|*|regex]
-# allow_ip [ip|cidr|ip_wildcard|*]
-# deny_ip [ip|cidr|ip_wildcard|*]
-#
-# The path match can either be a simple prefix match or a regular
-# expression. `path /file` would match both `/file_metadata` and
-# `/file_content`. Regex matches allow the use of backreferences
-# in the allow/deny directives.
-#
-# The regex syntax is the same as for Ruby regex, and captures backreferences
-# for use in the `allow` and `deny` lines of that stanza
-#
-# Examples:
-#
-# path ~ ^/puppet/v3/path/to/resource    # Equivalent to `path /puppet/v3/path/to/resource`.
-# allow *                                # Allow all authenticated nodes (since auth
-#                                        # defaults to `yes`).
-#
-# path ~ ^/puppet/v3/catalog/([^/]+)$    # Permit nodes to access their own catalog (by
-# allow $1                               # certname), but not any other node's catalog.
-#
-# path ~ ^/puppet/v3/file_(metadata|content)/extra_files/  # Only allow certain nodes to
-# auth yes                                                 # access the "extra_files"
-# allow /^(.+)\.example\.com$/                             # mount point; note this must
-# allow_ip 192.168.100.0/24                                # go ABOVE the "/file" rule,
-#                                                          # since it is more specific.
-#
-# environment:: restrict an ACL to a comma-separated list of environments
-# method:: restrict an ACL to a comma-separated list of HTTP methods
-# auth:: restrict an ACL to an authenticated or unauthenticated request
-# the default when unspecified is to restrict the ACL to authenticated requests
-# (ie exactly as if auth yes was present).
-#
-### Authenticated ACLs - these rules apply only when the client
-### has a valid certificate and is thus authenticated
-path /puppet/v3/environments
-method find
-allow *
-# allow nodes to retrieve their own catalog
-path ~ ^/puppet/v3/catalog/([^/]+)$
-method find
-allow $1
-# allow nodes to retrieve their own node definition
-path ~ ^/puppet/v3/node/([^/]+)$
-method find
-allow $1
-# allow all nodes to store their own reports
-path ~ ^/puppet/v3/report/([^/]+)$
-method save
-allow $1
-# Allow all nodes to access all file services; this is necessary for
-# pluginsync, file serving from modules, and file serving from custom
-# mount points (see fileserver.conf). Note that the `/file` prefix matches
-# requests to both the file_metadata and file_content paths. See "Examples"
-# above if you need more granular access control for custom mount points.
-path /puppet/v3/file
-allow *
-path /puppet/v3/status
-method find
-allow *
-# allow all nodes to access the certificates services
-path /puppet-ca/v1/certificate_revocation_list/ca
-method find
-allow *
-### Unauthenticated ACLs, for clients without valid certificates; authenticated
-### clients can also access these paths, though they rarely need to.
-# allow access to the CA certificate; unauthenticated nodes need this
-# in order to validate the puppet master's certificate
-path /puppet-ca/v1/certificate/ca
-auth any
-method find
-allow *
-# allow nodes to retrieve the certificate they requested earlier
-path /puppet-ca/v1/certificate/
-auth any
-method find
-allow *
-# allow nodes to request a new certificate
-path /puppet-ca/v1/certificate_request
-auth any
-method find, save
-allow *
-# deny everything else; this ACL is not strictly necessary, but
-# illustrates the default policy.
-path /
-auth any
diff --git a/hiera.yaml b/hiera.yaml
deleted file mode 100644
index e69de29..0000000
--- a/hiera.yaml
+++ /dev/null
diff --git a/manifests/install_ovh_from_scratch.pp b/manifests/install_ovh_from_scratch.pp
new file mode 100644
index 0000000..4888cfc
--- /dev/null
+++ b/manifests/install_ovh_from_scratch.pp
@@ -0,0 +1,20 @@
+node default {
+    include stdlib
+    stage { 'base_configuration': }
+    stage { 'base_packages': }
+    Stage["setup"]
+      -> Stage['base_packages']
+      -> Stage['base_configuration']
+      -> Stage['main']
+ 
+    class { 'base_packages':
+      stage => "base_packages"
+    }
+    class { 'base_configuration':
+      stage     => "base_configuration",
+      code_path => "/etc/puppetlabs/code",
+      device    => "/dev/sdb",
+      hostname  => 'new.immae.eu',
+    }
+}
diff --git a/modules/base_configuration/files/en-dhcp.network b/modules/base_configuration/files/en-dhcp.network
new file mode 100644
index 0000000..6eef0e9
--- /dev/null
+++ b/modules/base_configuration/files/en-dhcp.network
@@ -0,0 +1,8 @@
+[Match]
+Name=en*
+[Network]
+DHCP=yes
+[DHCP]
+UseMTU=true
diff --git a/modules/base_configuration/files/getty_conf_override.conf b/modules/base_configuration/files/getty_conf_override.conf
new file mode 100644
index 0000000..52671c7
--- /dev/null
+++ b/modules/base_configuration/files/getty_conf_override.conf
@@ -0,0 +1,2 @@
+[Service]
+TTYVTDisallocate=no
diff --git a/modules/base_configuration/files/pcspkr_no_autoload.conf b/modules/base_configuration/files/pcspkr_no_autoload.conf
new file mode 100644
index 0000000..b46792e
--- /dev/null
+++ b/modules/base_configuration/files/pcspkr_no_autoload.conf
@@ -0,0 +1 @@
+blacklist pcspkr
diff --git a/modules/base_configuration/manifests/init.pp b/modules/base_configuration/manifests/init.pp
index a46dd8b..8b2ce4c 100644
--- a/modules/base_configuration/manifests/init.pp
+++ b/modules/base_configuration/manifests/init.pp
@@ -1,27 +1,59 @@
 class base_configuration (
-  $hostname = undef,
+  $hostname  = undef,
-  $username = "immae",
+  $username  = "immae",
-  $userid   = 1000
+  $userid    = 1000,
+  $code_path = undef,
+  $device    = undef,
 ) {
+  unless empty($device) {
+    class { 'grub_install':
+      device => $device,
+    }
+  }
+  class { 'locales': }
+  unless empty($code_path) {
+    class { 'cron_puppet':
+      code_path => $code_path,
+    }
+  }
  service { "sshd":
-    ensure => "running",
+    #ensure => "running",
    enable => true,
  }
-  service { "systemd-networkd.socket":
+  service { "systemd-networkd":
-    ensure => "running",
+    #ensure => "running",
    enable => true,
  }
-  service { "systemd-networkd":
+  service { "systemd-resolved":
-    ensure => "running",
+    #ensure => "running",
    enable => true,
  }
+  file { "/etc/localtime":
+    ensure => "link",
+    target => "../usr/share/zoneinfo/Europe/Paris"
+  }
+  exec { "set_locale":
+    command     => "/usr/bin/systemd-firstboot --locale=fr_FR.UTF-8",
+    creates     => "/etc/locale.conf",
+  }
  unless empty($hostname) {
-    class { 'systemd::hostname':
+    exec { "set_hostname":
-      hostname => $hostname
+      command     => "/usr/bin/systemd-firstboot --hostname=$hostname",
+      creates     => "/etc/hostname",
    }
  }
+  file { "/etc/vconsole.conf":
+    ensure => "link",
+    target => "/dev/null",
+  }
  user { "${username}:${userid}":
    name       => $username,
    uid        => $userid,
@@ -70,6 +102,42 @@ class base_configuration (
    password => '!'
  }
+  file { '/etc/modprobe.d/pcspkr_no_autoload.conf':
+     ensure => "present",
+     path   => "/etc/modprobe.d/pcspkr_no_autoload.conf",
+     source => 'puppet:///modules/base_configuration/pcspkr_no_autoload.conf',
+     mode   => "0644",
+     owner  => "root",
+     group  => "root"
+  }
+  file { '/etc/systemd/system/getty@tty1.service.d/':
+    ensure => "directory",
+    path   => "/etc/systemd/system/getty@tty1.service.d/",
+    mode   => "0755",
+    owner  => "root",
+    group  => "root"
+  }
+  file { '/etc/systemd/system/getty@tty1.service.d/noclear.conf':
+     ensure  => "present",
+     path    => "/etc/systemd/system/getty@tty1.service.d/noclear.conf",
+     source  => 'puppet:///modules/base_configuration/getty_conf_override.conf',
+     recurse =>  true,
+     mode    => "0644",
+     owner   => "root",
+     group   => "root"
+  }
+  file { '/etc/systemd/network/en-dhcp.network':
+     ensure => "present",
+     path   => "/etc/systemd/network/en-dhcp.network",
+     source => 'puppet:///modules/base_configuration/en-dhcp.network',
+     mode   => "0644",
+     owner  => "root",
+     group  => "root"
+  }
  file { '/etc/pacman.d/mirrorlist':
     ensure  => "present",
     path    => "/etc/pacman.d/mirrorlist",
@@ -108,7 +176,7 @@ class base_configuration (
    create_mode  => '0664',
    create_owner => 'root',
    create_group => 'utmp',
-    rotate       => '1',
+    rotate       => 1,
    minsize      => '1M',
  }
  logrotate::rule { 'btmp':
@@ -119,7 +187,7 @@ class base_configuration (
    create_mode  => '0600',
    create_owner => 'root',
    create_group => 'utmp',
-    rotate       => '1',
+    rotate       => 1,
  }
  ensure_packages(["whois"], { 'install_options' => '--asdeps' })
@@ -136,4 +204,6 @@ class base_configuration (
    logpath  => '',
    order    => 10
  }
+  class { 'aur': }
 }
diff --git a/modules/base_packages/manifests/init.pp b/modules/base_packages/manifests/init.pp
index 269ca58..c4bbec9 100644
--- a/modules/base_packages/manifests/init.pp
+++ b/modules/base_packages/manifests/init.pp
@@ -1,6 +1,9 @@
 class base_packages {
    # Preinstalled
-    ensure_packages(['base', 'openssh', 'grub', 'sudo'])
+    ensure_packages(['base'])
+    # Critical packages
+    ensure_packages(['openssh', 'grub', 'sudo'])
    # Puppet dependencies
    ensure_packages(['git', 'puppet'])
diff --git a/modules/cron_puppet/files/post-merge b/modules/cron_puppet/files/post-merge
index 1ba08fb..ac5e3ff 100644
--- a/modules/cron_puppet/files/post-merge
+++ b/modules/cron_puppet/files/post-merge
@@ -1,7 +1,7 @@
-#!/bin/bash -e
+#!/bin/bash
 ## Run Puppet locally using puppet apply
 git submodule update --init
-/usr/bin/puppet apply --modulepath=/etc/puppetlabs/puppet/modules /etc/puppetlabs/puppet/manifests/site.pp
+/usr/bin/puppet apply `pwd`/manifests/site.pp
 ## Log status of the Puppet run
 if [ $? -eq 0 ]
diff --git a/modules/cron_puppet/manifests/init.pp b/modules/cron_puppet/manifests/init.pp
index 1756a06..c9d5a51 100644
--- a/modules/cron_puppet/manifests/init.pp
+++ b/modules/cron_puppet/manifests/init.pp
@@ -1,7 +1,9 @@
-class cron_puppet {
+class cron_puppet (
+  $code_path = "/etc/puppetlabs/code"
+) {
    file { 'post-hook':
        ensure  => file,
-        path    => '/etc/puppetlabs/puppet/.git/hooks/post-merge',
+        path    => "$code_path/.git/hooks/post-merge",
        source  => 'puppet:///modules/cron_puppet/post-merge',
        mode    => '0755',
        owner   => root,
@@ -12,7 +14,7 @@ class cron_puppet {
    }
    cron { 'puppet-apply':
        ensure  => present,
-        command => "cd /etc/puppetlabs/puppet ; /usr/bin/git pull",
+        command => "cd $code_path ; /usr/bin/git pull",
        user    => root,
        minute  => '*/30',
        require => File['post-hook'],
diff --git a/modules/etckeeper/manifests/run.pp b/modules/etckeeper/manifests/run.pp
index ddbb4e1..8ff4bbf 100644
--- a/modules/etckeeper/manifests/run.pp
+++ b/modules/etckeeper/manifests/run.pp
@@ -1,7 +1,10 @@
-define etckeeper::run ($stages = [Stage['main']], $refreshonly = true, $reason = 'puppet run') {
+define etckeeper::run (
+  $refreshonly = true,
+  $reason = 'puppet run'
+) {
  exec { "etckeeper::run::${name}":
    refreshonly => $refreshonly,
    command     => "/usr/bin/etckeeper commit '${reason}' || true",
-    subscribe   => $stages
  }
 }
diff --git a/modules/fail2ban b/modules/fail2ban
-Subproject c1495a2c2de075863775e4ad191e0f0407fc259
+Subproject c4f816ded7245641ab70d553dc27f635f07614f
diff --git a/modules/grub_install/files/config b/modules/grub_install/files/config
new file mode 100644
index 0000000..0a2ef57
--- /dev/null
+++ b/modules/grub_install/files/config
@@ -0,0 +1,47 @@
+GRUB_DEFAULT=0
+GRUB_TIMEOUT=5
+GRUB_DISTRIBUTOR="Arch"
+GRUB_CMDLINE_LINUX_DEFAULT="quiet"
+GRUB_CMDLINE_LINUX=" console=tty0 console=ttyS0,115200"
+# Preload both GPT and MBR modules so that they are not missed
+GRUB_PRELOAD_MODULES="part_gpt part_msdos"
+# Uncomment to enable Hidden Menu, and optionally hide the timeout count
+#GRUB_HIDDEN_TIMEOUT=5
+#GRUB_HIDDEN_TIMEOUT_QUIET=true
+# Uncomment to use basic console
+GRUB_TERMINAL_INPUT=console
+# Uncomment to disable graphical terminal
+#GRUB_TERMINAL_OUTPUT=console
+# The resolution used on graphical terminal
+# note that you can use only modes which your graphic card supports via VBE
+# you can see them in real GRUB with the command `vbeinfo'
+GRUB_GFXMODE=auto
+# Uncomment to allow the kernel use the same resolution used by grub
+GRUB_GFXPAYLOAD_LINUX=keep
+# Uncomment if you want GRUB to pass to the Linux kernel the old parameter 
+# format "root=/dev/xxx" instead of "root=/dev/disk/by-uuid/xxx" 
+#GRUB_DISABLE_LINUX_UUID=true
+# Uncomment to disable generation of recovery mode menu entries
+GRUB_DISABLE_RECOVERY=true
+# Uncomment and set to the desired menu colors.  Used by normal and wallpaper 
+# modes only.  Entries specified as foreground/background.
+#GRUB_COLOR_NORMAL="light-blue/black"
+#GRUB_COLOR_HIGHLIGHT="light-cyan/blue"
+# Uncomment one of them for the gfx desired, a image background or a gfxtheme
+#GRUB_BACKGROUND="/path/to/wallpaper"
+#GRUB_THEME="/path/to/gfxtheme"
+# Uncomment to get a beep at GRUB start
+#GRUB_INIT_TUNE="480 440 1"
+#GRUB_SAVEDEFAULT="true"
diff --git a/modules/grub_install/manifests/init.pp b/modules/grub_install/manifests/init.pp
new file mode 100644
index 0000000..172cf4b
--- /dev/null
+++ b/modules/grub_install/manifests/init.pp
@@ -0,0 +1,32 @@
+class grub_install (
+  $device = undef
+) {
+  ensure_packages(['grub'])
+  # unless empty($device) {
+  #   exec { 'install GRUB':
+  #     command   => "/usr/bin/grub-install --target=i386-pc $device",
+  #     subscribe => Package["grub"],
+  #   }
+  # }
+  file_line { "/etc/default/grub#GRUB_CMDLINE_LINUX":
+    path  => "/etc/default/grub",
+    line  => 'GRUB_CMDLINE_LINUX=" console=tty0 console=ttyS0,115200"',
+    match => '^GRUB_CMDLINE_LINUX='
+  }
+  # file { "/etc/default/grub":
+  #   ensure => "present",
+  #   path   => "/etc/default/grub",
+  #   source => 'puppet:///modules/grub_install/config',
+  #   mode   => "0644",
+  #   owner  => "root",
+  #   group  => "root",
+  #   #  notify => [Exec["install GRUB"], Exec["update GRUB config"]]
+  # }
+  # exec { 'update GRUB config':
+  #   command     => "/usr/bin/grub-mkconfig -o /boot/grub/grub.cfg",
+  #   refreshonly => true
+  # }
+}
diff --git a/modules/locales/manifests/init.pp b/modules/locales/manifests/init.pp
index 982b48e..1923f26 100644
--- a/modules/locales/manifests/init.pp
+++ b/modules/locales/manifests/init.pp
@@ -9,8 +9,4 @@ class locales {
    subscribe   => File_line['/etc/locale.gen#fr_FR.UTF-8', '/etc/locale.gen#en_US.UTF-8'],
    refreshonly => true,
  }
-  exec { '/usr/bin/localectl set-locale LANG=fr_FR.UTF-8':
-    subscribe   => File_line['/etc/locale.gen#fr_FR.UTF-8'],
-    refreshonly => true,
-  }
 }
diff --git a/puppet.conf b/puppet.conf
deleted file mode 100644
index bf48823..0000000
--- a/puppet.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-# This file can be used to override the default puppet settings.
-# See the following links for more details on what settings are available:
-# - https://docs.puppetlabs.com/puppet/latest/reference/config_important_settings.html
-# - https://docs.puppetlabs.com/puppet/latest/reference/config_about_settings.html
-# - https://docs.puppetlabs.com/puppet/latest/reference/config_file_main.html
-# - https://docs.puppetlabs.com/puppet/latest/reference/configuration.html