diff options
Diffstat (limited to 'global/overlay/etc/puppet/modules/sunet/manifests/server.pp')
| -rw-r--r-- | global/overlay/etc/puppet/modules/sunet/manifests/server.pp | 87 |
1 files changed, 87 insertions, 0 deletions
diff --git a/global/overlay/etc/puppet/modules/sunet/manifests/server.pp b/global/overlay/etc/puppet/modules/sunet/manifests/server.pp new file mode 100644 index 0000000..14df323 --- /dev/null +++ b/global/overlay/etc/puppet/modules/sunet/manifests/server.pp @@ -0,0 +1,87 @@ +define sunet::server() { + + # Set up encrypted swap + sunet::encrypted_swap { 'sunet_encrypted_swap': } + + # Add prerequisites for ethernet bonding, if physical server + sunet::ethernet_bonding { 'sunet_ethernet_bonding': } + +# Removed until SWAMID hosts can have their ufw module updated / ft +# # Ignore IPv6 multicast +# ufw::deny { 'ignore_v6_multicast': +# ip => 'ff02::1', +# proto => 'any' # 'ufw' has a hard-coded list of protocols, which does not include 'ipv6-icmp' :( +# } + +# # Ignore IPv6 multicast PIM router talk +# ufw::deny { 'ignore_v6_multicast_PIM': +# ip => 'ff02::d', +# proto => 'any' # 'ufw' has a hard-coded list of protocols, which does not include 'ipv6-icmp' :( +# } + + include augeas + augeas { "sshd_config": + context => "/files/etc/ssh/sshd_config", + changes => [ + "set PasswordAuthentication no", + "set X11Forwarding no", + "set LogLevel VERBOSE", # log pubkey used for root login + ], + notify => Service['ssh'], + } -> + file_line { + 'no_sftp_subsystem': + path => '/etc/ssh/sshd_config', + match => 'Subsystem sftp /usr/lib/openssh/sftp-server', + line => '#Subsystem sftp /usr/lib/openssh/sftp-server', + notify => Service['ssh'], + } + + # already declared in puppet-cosmos/manifests/ntp.pp + #service { 'ntp': + # ensure => 'running', + #} + + # Don't use pool.ntp.org servers, but rather DHCP provided NTP servers + line { 'no_pool_ntp_org_servers': + file => '/etc/ntp.conf', + line => '^server .*\.pool\.ntp\.org', + ensure => 'comment', + notify => Service['ntp'], + } + + file { '/var/cache/scriptherder': + ensure => 'directory', + path => '/var/cache/scriptherder', + mode => '1777', # like /tmp, so user-cronjobs can also use scriptherder + } + + +} + +# from http://projects.puppetlabs.com/projects/puppet/wiki/Simple_Text_Patterns/5 +define line($file, $line, $ensure = 'present') { + case $ensure { + default : { err ( "unknown ensure value ${ensure}" ) } + present: { + exec { "/bin/echo '${line}' >> '${file}'": + unless => "/bin/grep -qFx '${line}' '${file}'" + } + } + absent: { + exec { "/usr/bin/perl -ni -e 'print unless /^\\Q${line}\\E\$/' '${file}'": + onlyif => "/bin/grep -qFx '${line}' '${file}'" + } + } + uncomment: { + exec { "/bin/sed -i -e'/${line}/s/^#\\+//' '${file}'": + onlyif => "/bin/grep '${line}' '${file}' | /bin/grep '^#' | /usr/bin/wc -l" + } + } + comment: { + exec { "/bin/sed -i -e'/${line}/s/^\\(.\\+\\)$/#\\1/' '${file}'": + onlyif => "/usr/bin/test `/bin/grep '${line}' '${file}' | /bin/grep -v '^#' | /usr/bin/wc -l` -ne 0" + } + } + } +} |