8 files changed, 166 insertions, 0 deletions
diff --git a/puppet/modules/site_config/lib/facter/ip_interface.rb b/puppet/modules/site_config/lib/facter/ip_interface.rb
new file mode 100644
index 00000000..45764bfc
--- /dev/null
+++ b/puppet/modules/site_config/lib/facter/ip_interface.rb
@@ -0,0 +1,13 @@
+require 'facter/util/ip'
+
+Facter::Util::IP.get_interfaces.each do |interface|
+  ip = Facter.value("ipaddress_#{interface}")
+  if ip != nil
+    Facter.add("interface_" + ip ) do
+      setcode do
+        interface
+      end
+    end
+  end
+end
+
diff --git a/puppet/modules/site_config/manifests/caching_resolver.pp b/puppet/modules/site_config/manifests/caching_resolver.pp
new file mode 100644
index 00000000..922c394f
--- /dev/null
+++ b/puppet/modules/site_config/manifests/caching_resolver.pp
@@ -0,0 +1,41 @@
+class site_config::caching_resolver {
+
+  # Setup a conf.d directory to place additional unbound configuration files.
+  # There must be at least one file in the directory, or unbound will not start,
+  # so create an empty placeholder to ensure this.
+
+  # Note: the version of unbound we are working with does not accept a wildcard
+  # for an include directive, so we are not able to use this. When we can use
+  # the newer unbound, then we will add 'include: /etc/unbound.d/*' to the
+  # configuration file
+
+  file {
+    '/etc/unbound/conf.d':
+      ensure => directory,
+      owner  => root, group => root, mode => '0755',
+      require => Package['unbound'];
+
+    '/etc/unbound/conf.d/placeholder':
+      ensure  => present,
+      content => '',
+      owner   => root, group => root, mode => '0644';
+  }
+
+  class { 'unbound':
+    root_hints => false,
+    anchor     => false,
+    ssl        => false,
+    require    => File['/etc/unbound/conf.d/placeholder'],
+    settings   => {
+      server       => {
+        verbosity      => '1',
+        interface      => [ '127.0.0.1', '::1' ],
+        port           => '53',
+        hide-identity  => 'yes',
+        hide-version   => 'yes',
+        harden-glue    => 'yes',
+        access-control => [ '127.0.0.0/8 allow', '::1 allow' ]
+      }
+    }
+  }
+}
diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp
new file mode 100644
index 00000000..2191e9a1
--- /dev/null
+++ b/puppet/modules/site_config/manifests/default.pp
@@ -0,0 +1,36 @@
+class site_config::default {
+  tag 'leap_base'
+
+  $domain_hash = hiera('domain')
+
+  include concat::setup
+
+  # default class, used by all hosts
+
+  include lsb, git
+
+  # configure apt
+  include site_apt
+
+
+  # configure ssh and include ssh-keys
+  include site_config::sshd
+
+  # configure /etc/resolv.conf
+  include site_config::resolvconf
+
+  # configure caching, local resolver
+  include site_config::caching_resolver
+
+  # configure /etc/hosts
+  class { 'site_config::hosts':
+    stage => initial,
+  }
+
+  package { [ 'etckeeper' ]:
+    ensure => installed,
+  }
+
+  # include basic shorewall config
+  include site_shorewall::defaults
+}
diff --git a/puppet/modules/site_config/manifests/hosts.pp b/puppet/modules/site_config/manifests/hosts.pp
new file mode 100644
index 00000000..6c00f3b6
--- /dev/null
+++ b/puppet/modules/site_config/manifests/hosts.pp
@@ -0,0 +1,22 @@
+class site_config::hosts() {
+
+  $hosts = hiera('hosts','')
+  $hostname = hiera('name')
+
+  $domain_public = $site_config::default::domain_hash['full_suffix']
+
+  file { "/etc/hostname":
+    ensure => present,
+    content => $hostname
+  }
+
+  exec { "/bin/hostname $hostname":
+    subscribe   => [ File['/etc/hostname'], File['/etc/hosts'] ],
+    refreshonly => true;
+  }
+
+  file { '/etc/hosts':
+    content => template('site_config/hosts'),
+    mode    => '0644', owner => root, group => root;
+  }
+}
diff --git a/puppet/modules/site_config/manifests/resolvconf.pp b/puppet/modules/site_config/manifests/resolvconf.pp
new file mode 100644
index 00000000..d73f0b78
--- /dev/null
+++ b/puppet/modules/site_config/manifests/resolvconf.pp
@@ -0,0 +1,24 @@
+class site_config::resolvconf {
+
+  # bind9 purging can be taken out after some time
+  package { 'bind9':
+    ensure => absent,
+  }
+  file { '/etc/default/bind9':
+    ensure    => absent;
+  }
+  file { '/etc/bind/named.conf.options':
+    ensure => absent;
+  }
+
+  $domain_public = $site_config::default::domain_hash['full_suffix']
+
+  # 127.0.0.1:      caching-only local bind
+  # 87.118.100.175: http://server.privacyfoundation.de
+  # 62.141.58.13:   http://www.privacyfoundation.ch/de/service/server.html
+  class { '::resolvconf':
+    domain      => $domain_public,
+    search      => $domain_public,
+    nameservers => [ '127.0.0.1', '87.118.100.175', '62.141.58.13' ]
+  }
+}
diff --git a/puppet/modules/site_config/manifests/slow.pp b/puppet/modules/site_config/manifests/slow.pp
new file mode 100644
index 00000000..18b22a9c
--- /dev/null
+++ b/puppet/modules/site_config/manifests/slow.pp
@@ -0,0 +1,6 @@
+class site_config::slow {
+  tag 'leap_slow'
+  class { 'site_apt::dist_upgrade':
+    stage => initial,
+  }
+}
diff --git a/puppet/modules/site_config/manifests/sshd.pp b/puppet/modules/site_config/manifests/sshd.pp
new file mode 100644
index 00000000..944dbce2
--- /dev/null
+++ b/puppet/modules/site_config/manifests/sshd.pp
@@ -0,0 +1,9 @@
+class site_config::sshd {
+  # configure sshd
+  include sshd
+  include site_sshd
+  # no need for configuring authorized_keys as leap_cli cares for that 
+  #$ssh_pubkeys=hiera_hash('ssh_pubkeys')
+  #notice($ssh_pubkeys)
+  #create_resources('site_sshd::ssh_key', $ssh_pubkeys)
+}
diff --git a/puppet/modules/site_config/templates/hosts b/puppet/modules/site_config/templates/hosts
new file mode 100644
index 00000000..00cc6a79
--- /dev/null
+++ b/puppet/modules/site_config/templates/hosts
@@ -0,0 +1,15 @@
+# This file is managed by puppet, any changes will be overwritten!
+
+127.0.0.1    localhost
+127.0.1.1    <%= hostname %>.<%= @domain_public %> <%= hostname %>
+
+<%- if hosts.to_s != '' then -%>
+<%= hosts %>
+<% end -%>
+
+# The following lines are desirable for IPv6 capable hosts
+::1     ip6-localhost ip6-loopback
+fe00::0 ip6-localnet
+ff00::0 ip6-mcastprefix
+ff02::1 ip6-allnodes
+ff02::2 ip6-allrouters