8 files changed, 85 insertions, 18 deletions

diff --git a/modules/profile/manifests/apache.pp b/modules/profile/manifests/apache.pp
index 8db58da..382633b 100644
--- a/modules/profile/manifests/apache.pp
+++ b/modules/profile/manifests/apache.pp
@@ -67,13 +67,12 @@ class profile::apache {
     install_method  => "package",
     package_name    => "certbot",
     package_command => "certbot",
-    # FIXME
-    email           => 'sites+letsencrypt@mail.immae.eu',
+    email           => lookup('letsencrypt::email'),
   }
 
-  $real_hostname = lookup("base_installation::real_hostname") |$key| { {} }
+  $real_hostname = lookup("base_installation::real_hostname", { "default_value" => undef })
   unless empty($real_hostname) {
-    if (lookup("ssl::try_letsencrypt_for_real_hostname") |$key| { true }) {
+    if (lookup("letsencrypt::try_for_real_hostname", { "default_value" => true })) {
       letsencrypt::certonly { $real_hostname:
         before => Apache::Vhost["default_ssl"];
         default: * => $::profile::apache::letsencrypt_certonly_default;
@@ -110,6 +109,14 @@ class profile::apache {
     }
   }
 
+  lookup("letsencrypt::hosts", { "default_value" => [] }).each |$host| {
+    if ($host != $real_hostname) { # Done above already
+      letsencrypt::certonly { $host: ;
+        default: * => $letsencrypt_certonly_default;
+      }
+    }
+  }
+
   apache::vhost { "redirect_no_ssl":
     port          => '80',
     error_log     => false,
diff --git a/modules/profile/manifests/fstab.pp b/modules/profile/manifests/fstab.pp
new file mode 100644
index 0000000..5f2e58e
--- /dev/null
+++ b/modules/profile/manifests/fstab.pp
@@ -0,0 +1,18 @@
+class profile::fstab (
+  Optional[Array] $mounts = []
+) {
+  $mounts.each |$mount| {
+    unless empty($mount) {
+      $infos = split($mount, ';')
+
+      file { $infos[0]:
+        ensure => directory,
+      } ->
+      mount { $infos[0]:
+        ensure => mounted,
+        device => "UUID=${infos[1]}",
+        fstype => $infos[2]
+      }
+    }
+  }
+}
diff --git a/modules/profile/manifests/known_hosts.pp b/modules/profile/manifests/known_hosts.pp
new file mode 100644
index 0000000..ed9ec8e
--- /dev/null
+++ b/modules/profile/manifests/known_hosts.pp
@@ -0,0 +1,11 @@
+class profile::known_hosts (
+  Optional[Array]  $hosts = []
+) {
+  $hosts.each |$host| {
+    sshkey { $host["name"]:
+      ensure => "present",
+      key    => $host["key"],
+      type   => $host["type"],
+    }
+  }
+}
diff --git a/modules/profile/manifests/mail.pp b/modules/profile/manifests/mail.pp
new file mode 100644
index 0000000..cc47b77
--- /dev/null
+++ b/modules/profile/manifests/mail.pp
@@ -0,0 +1,14 @@
+class profile::mail (
+  String            $mailhub,
+  Optional[Integer] $mailhub_port = 25,
+) {
+  ensure_packages(["s-nail", "ssmtp"])
+
+  $hostname = lookup("base_installation::real_hostname")
+
+  file { "/etc/ssmtp/ssmtp.conf":
+    ensure  => "present",
+    content =>  template("profile/mail/ssmtp.conf.erb"),
+  }
+}
+
diff --git a/modules/profile/manifests/postgresql.pp b/modules/profile/manifests/postgresql.pp
index 1024c66..2cd1bcc 100644
--- a/modules/profile/manifests/postgresql.pp
+++ b/modules/profile/manifests/postgresql.pp
@@ -1,5 +1,5 @@
 class profile::postgresql {
-  $password_seed = lookup("base_installation::puppet_pass_seed") |$key| { {} }
+  $password_seed = lookup("base_installation::puppet_pass_seed")
 
   class { '::postgresql::globals':
     encoding             => 'UTF-8',
@@ -32,7 +32,7 @@ class profile::postgresql {
     database    => 'all',
     user        => $pg_user,
     auth_method => 'ident',
-    order       => "a1",
+    order       => "00-01",
   }
   postgresql::server::pg_hba_rule { 'localhost access as postgres user':
     description => 'Allow localhost access to postgres user',
@@ -41,7 +41,7 @@ class profile::postgresql {
     user        => $pg_user,
     address     => "127.0.0.1/32",
     auth_method => 'md5',
-    order       => "a2",
+    order       => "00-02",
   }
   postgresql::server::pg_hba_rule { 'localhost ip6 access as postgres user':
     description => 'Allow localhost access to postgres user',
@@ -50,7 +50,7 @@ class profile::postgresql {
     user        => $pg_user,
     address     => "::1/128",
     auth_method => 'md5',
-    order       => "a3",
+    order       => "00-03",
   }
   postgresql::server::pg_hba_rule { 'deny access to postgresql user':
     description => 'Deny remote access to postgres user',
@@ -59,7 +59,7 @@ class profile::postgresql {
     user        => $pg_user,
     address     => "0.0.0.0/0",
     auth_method => 'reject',
-    order       => "a4",
+    order       => "00-04",
   }
 
   postgresql::server::pg_hba_rule { 'local access':
@@ -68,7 +68,7 @@ class profile::postgresql {
     database    => 'all',
     user        => 'all',
     auth_method => 'md5',
-    order       => "b1",
+    order       => "10-01",
   }
 
   postgresql::server::pg_hba_rule { 'local access with same name':
@@ -77,7 +77,7 @@ class profile::postgresql {
     database    => 'all',
     user        => 'all',
     auth_method => 'ident',
-    order       => "b2",
+    order       => "10-02",
   }
 
 }
diff --git a/modules/profile/manifests/xmr_stak.pp b/modules/profile/manifests/xmr_stak.pp
index e5582eb..ccb6baa 100644
--- a/modules/profile/manifests/xmr_stak.pp
+++ b/modules/profile/manifests/xmr_stak.pp
@@ -1,4 +1,9 @@
-class profile::xmr_stak {
+class profile::xmr_stak (
+  String           $mining_pool,
+  String           $wallet,
+  Optional[String] $cpulimit = "50",
+  Optional[String] $password = "x",
+) {
   ensure_resource('exec', 'systemctl daemon-reload', {
     command     => '/usr/bin/systemctl daemon-reload',
     refreshonly =>  true
@@ -21,15 +26,12 @@ class profile::xmr_stak {
     mode    => "0644",
     owner   => "root",
     group   => "root",
-    source  => "puppet:///modules/profile/xmr_stak/xmr-stak.service",
+    content => template("profile/xmr_stak/xmr-stak.service.erb"),
     require => User["xmr_stak"],
     notify  => Exec["systemctl daemon-reload"]
   }
 
-  $mining_pool = lookup("xmr_stak::mining_pool") |$key| { {} }
-  $wallet = lookup("xmr_stak::wallet") |$key| { {} }
-  $password = lookup("xmr_stak::password") |$key| { "x" }
-  $instance = regsubst($facts["ec2_metadata"]["hostname"], '\.', "_", "G")
+  $instance = regsubst(lookup("base_installation::ldap_cn"), '\.', "_", "G")
 
   file { "/var/lib/xmr_stak/xmr-stak.conf":
     mode    => "0644",
diff --git a/modules/profile/templates/mail/ssmtp.conf.erb b/modules/profile/templates/mail/ssmtp.conf.erb
new file mode 100644
index 0000000..e7a0410
--- /dev/null
+++ b/modules/profile/templates/mail/ssmtp.conf.erb
@@ -0,0 +1,14 @@
+#
+# /etc/ssmtp.conf -- a config file for sSMTP sendmail.
+#
+# The person who gets all mail for userids < 1000
+# Make this empty to disable rewriting.
+root=postmaster
+# The place where the mail goes. The actual machine name is required
+# no MX records are consulted. Commonly mailhosts are named mail.domain.com
+# The example will fit if you are in domain.com and you mailhub is so named.
+mailhub=<%= @mailhub %>:<%= @mailhub_port %>
+# Where will the mail seem to come from?
+#rewriteDomain=y
+# The full hostname
+hostname=<%= @hostname %>
diff --git a/modules/profile/files/xmr_stak/xmr-stak.service b/modules/profile/templates/xmr_stak/xmr-stak.service.erb
index 93ee383..d63103b 100644
--- a/modules/profile/files/xmr_stak/xmr-stak.service
+++ b/modules/profile/templates/xmr_stak/xmr-stak.service.erb
@@ -8,8 +8,9 @@ WorkingDirectory=/var/lib/xmr_stak
 Type=simple
 User=xmr_stak
 Group=xmr_stak
-ExecStart=/usr/bin/cpulimit --limit 90 /usr/bin/xmr-stak -c /var/lib/xmr_stak/xmr-stak.conf
+ExecStart=/usr/bin/cpulimit --limit <%= @cpulimit %> /usr/bin/xmr-stak -c /var/lib/xmr_stak/xmr-stak.conf
 Nice=19
 
 [Install]
 WantedBy=multi-user.target
+