1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
|
define sunet::server() {
# fail2ban
class { 'sunet::fail2ban': }
# Set up encrypted swap
sunet::encrypted_swap { 'sunet_encrypted_swap': }
# Add prerequisites for ethernet bonding, if physical server
sunet::ethernet_bonding { 'sunet_ethernet_bonding': }
# Removed until SWAMID hosts can have their ufw module updated / ft
# # Ignore IPv6 multicast
# ufw::deny { 'ignore_v6_multicast':
# ip => 'ff02::1',
# proto => 'any' # 'ufw' has a hard-coded list of protocols, which does not include 'ipv6-icmp' :(
# }
# # Ignore IPv6 multicast PIM router talk
# ufw::deny { 'ignore_v6_multicast_PIM':
# ip => 'ff02::d',
# proto => 'any' # 'ufw' has a hard-coded list of protocols, which does not include 'ipv6-icmp' :(
# }
include augeas
augeas { "sshd_config":
context => "/files/etc/ssh/sshd_config",
changes => [
"set PasswordAuthentication no",
"set X11Forwarding no",
"set LogLevel VERBOSE", # log pubkey used for root login
],
notify => Service['ssh'],
} ->
file_line {
'no_sftp_subsystem':
path => '/etc/ssh/sshd_config',
match => 'Subsystem sftp /usr/lib/openssh/sftp-server',
line => '#Subsystem sftp /usr/lib/openssh/sftp-server',
notify => Service['ssh'],
}
# already declared in puppet-cosmos/manifests/ntp.pp
#service { 'ntp':
# ensure => 'running',
#}
# Don't use pool.ntp.org servers, but rather DHCP provided NTP servers
line { 'no_pool_ntp_org_servers':
file => '/etc/ntp.conf',
line => '^server .*\.pool\.ntp\.org',
ensure => 'comment',
notify => Service['ntp'],
}
file { '/var/cache/scriptherder':
ensure => 'directory',
path => '/var/cache/scriptherder',
mode => '1777', # like /tmp, so user-cronjobs can also use scriptherder
}
}
# from http://projects.puppetlabs.com/projects/puppet/wiki/Simple_Text_Patterns/5
define line($file, $line, $ensure = 'present') {
case $ensure {
default : { err ( "unknown ensure value ${ensure}" ) }
present: {
exec { "/bin/echo '${line}' >> '${file}'":
unless => "/bin/grep -qFx '${line}' '${file}'"
}
}
absent: {
exec { "/usr/bin/perl -ni -e 'print unless /^\\Q${line}\\E\$/' '${file}'":
onlyif => "/bin/grep -qFx '${line}' '${file}'"
}
}
uncomment: {
exec { "/bin/sed -i -e'/${line}/s/^#\\+//' '${file}'":
onlyif => "/bin/grep '${line}' '${file}' | /bin/grep '^#' | /usr/bin/wc -l"
}
}
comment: {
exec { "/bin/sed -i -e'/${line}/s/^\\(.\\+\\)$/#\\1/' '${file}'":
onlyif => "/usr/bin/test `/bin/grep '${line}' '${file}' | /bin/grep -v '^#' | /usr/bin/wc -l` -ne 0"
}
}
}
}
|