Diffstat (limited to 'puppet/modules/site_config/manifests')
-rw-r--r-- | puppet/modules/site_config/manifests/caching_resolver.pp | 41 | ||||
-rw-r--r-- | puppet/modules/site_config/manifests/default.pp | 36 | ||||
-rw-r--r-- | puppet/modules/site_config/manifests/hosts.pp | 22 | ||||
-rw-r--r-- | puppet/modules/site_config/manifests/resolvconf.pp | 24 | ||||
-rw-r--r-- | puppet/modules/site_config/manifests/slow.pp | 6 | ||||
-rw-r--r-- | puppet/modules/site_config/manifests/sshd.pp | 9 |
6 files changed, 138 insertions, 0 deletions
diff --git a/puppet/modules/site_config/manifests/caching_resolver.pp b/puppet/modules/site_config/manifests/caching_resolver.pp
new file mode 100644
index 00000000..922c394f
--- /dev/null
+++ b/puppet/modules/site_config/manifests/caching_resolver.pp
@@ -0,0 +1,41 @@
+class site_config::caching_resolver {
+
+ # Setup a conf.d directory to place additional unbound configuration files.
+ # There must be at least one file in the directory, or unbound will not start,
+ # so create an empty placeholder to ensure this.
+
+ # Note: the version of unbound we are working with does not accept a wildcard
+ # for an include directive, so we are not able to use this. When we can use
+ # the newer unbound, then we will add 'include: /etc/unbound.d/*' to the
+ # configuration file
+
+ file {
+ '/etc/unbound/conf.d':
+ ensure => directory,
+ owner => root, group => root, mode => '0755',
+ require => Package['unbound'];
+
+ '/etc/unbound/conf.d/placeholder':
+ ensure => present,
+ content => '',
+ owner => root, group => root, mode => '0644';
+ }
+
+ class { 'unbound':
+ root_hints => false,
+ anchor => false,
+ ssl => false,
+ require => File['/etc/unbound/conf.d/placeholder'],
+ settings => {
+ server => {
+ verbosity => '1',
+ interface => [ '127.0.0.1', '::1' ],
+ port => '53',
+ hide-identity => 'yes',
+ hide-version => 'yes',
+ harden-glue => 'yes',
+ access-control => [ '127.0.0.0/8 allow', '::1 allow' ]
+ }
+ }
+ }
+}
diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp
new file mode 100644
index 00000000..2191e9a1
--- /dev/null
+++ b/puppet/modules/site_config/manifests/default.pp
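Review bot: The comment block in `site_config::caching_resolver` says the future directive will be `include: /etc/unbound.d/*`, but the directory this class creates is `/etc/unbound/conf.d`, so whoever later adds the include is pointed at the wrong path; suggest `# the newer unbound, then we will add 'include: /etc/unbound/conf.d/*' to the`. Separately, `anchor => false` together with no trust-anchor entry in `settings` appears to leave the resolver without a DNSSEC trust anchor, i.e. it caches unvalidated answers for every client on the host; if that is deliberate for the unbound version in use, a one-line comment on the `anchor` line saying so would stop the next reader from treating it as an oversight. The wildcard-include note would also be easier to retire if it named the unbound version that lacks the feature.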
@@ -0,0 +1,36 @@
+class site_config::default {
+ tag 'leap_base'
+
+ $domain_hash = hiera('domain')
+
+ include concat::setup
+
+ # default class, used by all hosts
+
+ include lsb, git
+
+ # configure apt
+ include site_apt
+
+
+ # configure ssh and include ssh-keys
+ include site_config::sshd
+
+ # configure /etc/resolv.conf
+ include site_config::resolvconf
+
+ # configure caching, local resolver
+ include site_config::caching_resolver
+
+ # configure /etc/hosts
+ class { 'site_config::hosts':
+ stage => initial,
+ }
+
+ package { [ 'etckeeper' ]:
+ ensure => installed,
+ }
+
+ # include basic shorewall config
+ include site_shorewall::defaults
+}
diff --git a/puppet/modules/site_config/manifests/hosts.pp b/puppet/modules/site_config/manifests/hosts.pp
new file mode 100644
index 00000000..6c00f3b6
--- /dev/null
+++ b/puppet/modules/site_config/manifests/hosts.pp
@@ -0,0 +1,22 @@
+class site_config::hosts() {
+
+ $hosts = hiera('hosts','')
+ $hostname = hiera('name')
+
+ $domain_public = $site_config::default::domain_hash['full_suffix']
+
+ file { "/etc/hostname":
+ ensure => present,
+ content => $hostname
+ }
+
+ exec { "/bin/hostname $hostname":
+ subscribe => [ File['/etc/hostname'], File['/etc/hosts'] ],
+ refreshonly => true;
+ }
+
+ file { '/etc/hosts':
+ content => template('site_config/hosts'),
+ mode => '0644', owner => root, group => root;
+ }
+}
diff --git a/puppet/modules/site_config/manifests/resolvconf.pp b/puppet/modules/site_config/manifests/resolvconf.pp
new file mode 100644
index 00000000..d73f0b78
--- /dev/null
+++ b/puppet/modules/site_config/manifests/resolvconf.pp
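Review bot: `$domain_hash = hiera('domain')` is never used inside `site_config::default`; it exists so that `site_config::hosts` and `site_config::resolvconf` can read `$site_config::default::domain_hash['full_suffix']`, and nothing on that line says so. A comment such as `# read by site_config::hosts and site_config::resolvconf as $site_config::default::domain_hash` would make the parse-order dependency visible, since as far as I can tell a class that reads this variable before `site_config::default` has been evaluated gets undef rather than a clear failure. The doubled blank line before `# configure ssh and include ssh-keys` looks accidental.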
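Review bot: In `site_config::hosts` the hiera value `$hostname` is written verbatim into `/etc/hostname` and interpolated into the exec title `"/bin/hostname $hostname"` without any validation, so a malformed or whitespace-containing value from hiera becomes extra arguments to the command rather than a compile error. A guard before the resources would fail early and loudly, e.g. `if $hostname !~ /^[a-z0-9][a-z0-9.-]*$/ { fail("site_config::hosts: invalid hostname '${hostname}'") }` (adjust the pattern to the naming rules leap_cli actually enforces). The `/etc/hostname` resource also sets no `owner`/`group`/`mode` while the `/etc/hosts` resource below it does; making the two consistent keeps the file from inheriting whatever permissions it happened to have.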
@@ -0,0 +1,24 @@
+class site_config::resolvconf {
+
+ # bind9 purging can be taken out after some time
+ package { 'bind9':
+ ensure => absent,
+ }
+ file { '/etc/default/bind9':
+ ensure => absent;
+ }
+ file { '/etc/bind/named.conf.options':
+ ensure => absent;
+ }
+
+ $domain_public = $site_config::default::domain_hash['full_suffix']
+
+ # 127.0.0.1: caching-only local bind
+ # 87.118.100.175: http://server.privacyfoundation.de
+ # 62.141.58.13: http://www.privacyfoundation.ch/de/service/server.html
+ class { '::resolvconf':
+ domain => $domain_public,
+ search => $domain_public,
+ nameservers => [ '127.0.0.1', '87.118.100.175', '62.141.58.13' ]
+ }
+}
diff --git a/puppet/modules/site_config/manifests/slow.pp b/puppet/modules/site_config/manifests/slow.pp
new file mode 100644
index 00000000..18b22a9c
--- /dev/null
+++ b/puppet/modules/site_config/manifests/slow.pp
@@ -0,0 +1,6 @@
+class site_config::slow {
+ tag 'leap_slow'
+ class { 'site_apt::dist_upgrade':
+ stage => initial,
+ }
+}
diff --git a/puppet/modules/site_config/manifests/sshd.pp b/puppet/modules/site_config/manifests/sshd.pp
new file mode 100644
index 00000000..944dbce2
--- /dev/null
+++ b/puppet/modules/site_config/manifests/sshd.pp
@@ -0,0 +1,9 @@
+class site_config::sshd {
+ # configure sshd
+ include sshd
+ include site_sshd
+ # no need for configuring authorized_keys as leap_cli cares for that
+ #$ssh_pubkeys=hiera_hash('ssh_pubkeys')
+ #notice($ssh_pubkeys)
+ #create_resources('site_sshd::ssh_key', $ssh_pubkeys)
+}
|
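Review bot: The comment `# 127.0.0.1: caching-only local bind` in `site_config::resolvconf` is stale: this very class removes `bind9`, and the local resolver is the unbound instance from `site_config::caching_resolver`; suggest `# 127.0.0.1: local caching unbound (site_config::caching_resolver)`. The two external entries are plain, unauthenticated DNS that the stub resolver falls back to only when 127.0.0.1 stops answering, so an outage of the local unbound silently downgrades every lookup on the host to a third party and bypasses the hardening configured there; a comment stating that this fallback is intentional would save a future reader from having to guess. The comment says "bind9 purging" but `ensure => absent` leaves config files behind, which is presumably why the two `file` resources exist; `ensure => purged` would express the intent directly and make them unnecessary.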
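Review bot: The last three lines of `site_config::sshd` are commented-out code (`#$ssh_pubkeys=hiera_hash('ssh_pubkeys')`, `#notice($ssh_pubkeys)`, `#create_resources('site_sshd::ssh_key', $ssh_pubkeys)`) rather than documentation, and the comment above them already records why the step is not needed. Version control keeps the history, so dropping the three lines and keeping `# no need for configuring authorized_keys as leap_cli cares for that` leaves the class saying the same thing without dead code that someone may uncomment without noticing the `notice()` debug call.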