zulip/puppet/kandra/manifests/profile/base.pp

class kandra::profile::base {
  include zulip::profile::base
  include kandra::ksplice_uptrack
  include kandra::firewall
  include kandra::teleport::node
  include kandra::prometheus::node

  kandra::firewall_allow { 'ssh': order => '10'}
  $is_ec2 = zulipconf('machine', 'hosting_provider', 'ec2') == 'ec2'

  $org_base_packages = [
    # Standard kernel, not AWS', so ksplice works
    'linux-image-virtual',
    # Management for our systems
    'openssh-server',
    # package management
    'aptitude',
    # SSL certificates
    'certbot',
    # For managing our current Debian packages
    'debian-goodies',
    # Popular editors
    'vim',
    'emacs-nox',
    # Prevent accidental reboots
    'molly-guard',
    # Useful tools in a production environment
    'screen',
    'strace',
    'bind9-host',
    'git',
    'nagios-plugins-contrib',
  ]
  zulip::safepackage { $org_base_packages: ensure => installed }

  # Uninstall the AWS kernel, but only after we install the usual one
  package { ['linux-image-aws', 'linux-headers-aws', 'linux-aws-*', 'linux-image-*-aws', 'linux-modules-*-aws']:
    ensure  => absent,
    require => Package['linux-image-virtual'],
  }

  file { '/etc/apt/apt.conf.d/02periodic':
    ensure => file,
    mode   => '0644',
    source => 'puppet:///modules/kandra/apt/apt.conf.d/02periodic',
  }

  file { '/etc/apt/apt.conf.d/50unattended-upgrades':
    ensure => file,
    mode   => '0644',
    source => 'puppet:///modules/kandra/apt/apt.conf.d/50unattended-upgrades',
  }
  if $facts['os']['distro']['release']['major'] == '22.04' {
    file { '/etc/needrestart/conf.d/zulip.conf':
      ensure => file,
      mode   => '0644',
      source => 'puppet:///modules/kandra/needrestart/zulip.conf',
    }
  }

  user { 'root': }
  kandra::user_dotfiles { 'root':
    home            => '/root',
    keys            => 'internal-read-only-deploy-key',
    authorized_keys => 'common',
    known_hosts     => ['github.com'],
  }

  kandra::user_dotfiles { 'zulip':
    keys            => 'internal-read-only-deploy-key',
    authorized_keys => 'common',
    known_hosts     => ['github.com'],
  }

  service { 'ssh':
    ensure => running,
  }

  include kandra::aws_tools

  if $is_ec2 {
    # EC2 hosts can use the in-VPC timeserver
    file { '/etc/chrony/chrony.conf':
      ensure  => file,
      mode    => '0644',
      source  => "puppet:///modules/kandra/chrony-${facts['os']['distro']['release']['major']}.conf",
      require => Package['chrony'],
      notify  => Service['chrony'],
    }
  }

  group { 'nagios':
    ensure => present,
    gid    => '1050',
  }
  user { 'nagios':
    ensure     => present,
    uid        => '1050',
    gid        => '1050',
    shell      => '/bin/bash',
    home       => '/var/lib/nagios',
    managehome => true,
  }
  file { '/var/lib/nagios':
    ensure  => directory,
    require => User['nagios'],
    owner   => 'nagios',
    group   => 'nagios',
    mode    => '0700',
  }
  kandra::user_dotfiles { 'nagios':
    home            => '/var/lib/nagios',
    authorized_keys => true,
  }
  file { '/home/nagios':
    ensure  => absent,
    force   => true,
    recurse => true,
  }
}
puppet: Rename puppet/zulip_ops to puppet/kandra. This makes for easier tab-completion, and also is a bit more explicit about the expected consumer. 2024-02-06 21:40:19 +01:00			`class kandra::profile::base {`
puppet: Move top-level zulip deployments into "profile" directory. This moves the puppet configuration closer to the "roles and profiles method"[1] which is suggested for organizing puppet classes. Notably, here it makes clear which classes are meant to be able to stand alone as deployments. Shims are left behind at the previous names, for compatibility with existing `zulip.conf` files when upgrading. [1] https://puppet.com/docs/pe/2019.8/the_roles_and_profiles_method 2020-10-20 02:49:54 +02:00			`include zulip::profile::base`
puppet: Rename puppet/zulip_ops to puppet/kandra. This makes for easier tab-completion, and also is a bit more explicit about the expected consumer. 2024-02-06 21:40:19 +01:00			`include kandra::ksplice_uptrack`
			`include kandra::firewall`
			`include kandra::teleport::node`
			`include kandra::prometheus::node`
Split our puppet configuration in two The 'zulip' module contains the general setup for any server that will run our app. The 'zulip-internal' module contains configuration that is internal to Zulip the company. (imported from commit 23c99dd889577c2917ddbf76892cf8f6cc66a13e) 2013-10-29 23:53:04 +01:00
puppet: Rename puppet/zulip_ops to puppet/kandra. This makes for easier tab-completion, and also is a bit more explicit about the expected consumer. 2024-02-06 21:40:19 +01:00			`kandra::firewall_allow { 'ssh': order => '10'}`
puppet: Factor out $is_ec2, clarify comments. 2024-01-30 19:40:04 +01:00			`$is_ec2 = zulipconf('machine', 'hosting_provider', 'ec2') == 'ec2'`
puppet: Use concat fragments to place port allows next to services. This means that services will only open their ports if they are actually run, without having to clutter rules.v4 with a log of `if` statements. This does not go as far as using `puppetlabs/firewall`[1] because that would represent an additional DSL to learn; raw IPtables sections can easily be inserted into the generated iptables file via `concat::fragment` (either inline, or as a separate file), but config can be centralized next to the appropriate service. [1] https://forge.puppet.com/modules/puppetlabs/firewall 2021-05-25 04:12:28 +02:00
puppet: Always install linux-image-virtual, for ksplice support. 2021-05-18 05:36:25 +02:00			`$org_base_packages = [`
			`# Standard kernel, not AWS', so ksplice works`
			`'linux-image-virtual',`
			`# Management for our systems`
puppet-lint: Enforce double_quoted_strings check. This makes our puppet codebase more consistent by using single-quoted strings consistently. 2018-08-13 21:29:40 +02:00			`'openssh-server',`
puppet-lint: Enforce 2sp_soft_tables puppet-lint check. This cleans up the puppet codebase's whitespace formatting to be more consistent. 2018-08-13 21:27:41 +02:00			`# package management`
puppet-lint: Enforce double_quoted_strings check. This makes our puppet codebase more consistent by using single-quoted strings consistently. 2018-08-13 21:29:40 +02:00			`'aptitude',`
docs: Fix capitalization mistakes. Signed-off-by: Anders Kaseorg <anders@zulip.com> 2021-05-10 07:02:14 +02:00			`# SSL certificates`
puppet: The letsencrypt package is debian is now certbot. It was an alias starting with Ubuntu Xenial, and will eventually be removed. 2020-04-17 02:28:30 +02:00			`'certbot',`
puppet-lint: Enforce 2sp_soft_tables puppet-lint check. This cleans up the puppet codebase's whitespace formatting to be more consistent. 2018-08-13 21:27:41 +02:00			`# For managing our current Debian packages`
puppet-lint: Enforce double_quoted_strings check. This makes our puppet codebase more consistent by using single-quoted strings consistently. 2018-08-13 21:29:40 +02:00			`'debian-goodies',`
puppet-lint: Enforce 2sp_soft_tables puppet-lint check. This cleans up the puppet codebase's whitespace formatting to be more consistent. 2018-08-13 21:27:41 +02:00			`# Popular editors`
puppet-lint: Enforce double_quoted_strings check. This makes our puppet codebase more consistent by using single-quoted strings consistently. 2018-08-13 21:29:40 +02:00			`'vim',`
			`'emacs-nox',`
puppet-lint: Enforce 2sp_soft_tables puppet-lint check. This cleans up the puppet codebase's whitespace formatting to be more consistent. 2018-08-13 21:27:41 +02:00			`# Prevent accidental reboots`
puppet-lint: Enforce double_quoted_strings check. This makes our puppet codebase more consistent by using single-quoted strings consistently. 2018-08-13 21:29:40 +02:00			`'molly-guard',`
puppet-lint: Enforce 2sp_soft_tables puppet-lint check. This cleans up the puppet codebase's whitespace formatting to be more consistent. 2018-08-13 21:27:41 +02:00			`# Useful tools in a production environment`
puppet-lint: Enforce double_quoted_strings check. This makes our puppet codebase more consistent by using single-quoted strings consistently. 2018-08-13 21:29:40 +02:00			`'screen',`
			`'strace',`
puppet: Use actual name for the bind9-host package. Using the `host` virtual package confused Puppet into reporting it was doing work every time one did a puppet run, resulting in unnecessarily spammy output. 2020-05-11 09:51:51 +02:00			`'bind9-host',`
puppet-lint: Enforce double_quoted_strings check. This makes our puppet codebase more consistent by using single-quoted strings consistently. 2018-08-13 21:29:40 +02:00			`'git',`
			`'nagios-plugins-contrib',`
puppet-lint: Enforce 2sp_soft_tables puppet-lint check. This cleans up the puppet codebase's whitespace formatting to be more consistent. 2018-08-13 21:27:41 +02:00			`]`
puppet: Remove quotes for enumerable values. https://puppet.com/docs/puppet/7/style_guide.html#style_guide_module_design-quoting “If a string is a value from an enumerable set of options, such as present and absent, it SHOULD NOT be enclosed in quotes at all.” Signed-off-by: Anders Kaseorg <anders@zulip.com> 2022-03-16 01:23:53 +01:00			`zulip::safepackage { $org_base_packages: ensure => installed }`
Split our puppet configuration in two The 'zulip' module contains the general setup for any server that will run our app. The 'zulip-internal' module contains configuration that is internal to Zulip the company. (imported from commit 23c99dd889577c2917ddbf76892cf8f6cc66a13e) 2013-10-29 23:53:04 +01:00
puppet: Always install linux-image-virtual, for ksplice support. 2021-05-18 05:36:25 +02:00			`# Uninstall the AWS kernel, but only after we install the usual one`
puppet: Remove all parts of AWS kernels. Otherwise, we just uninstall the meta-package, and still restart into the installed AWS kernel. 2022-01-12 22:57:44 +01:00			`package { ['linux-image-aws', 'linux-headers-aws', 'linux-aws-', 'linux-image--aws', 'linux-modules-*-aws']:`
puppet: Always install linux-image-virtual, for ksplice support. 2021-05-18 05:36:25 +02:00			`ensure => absent,`
			`require => Package['linux-image-virtual'],`
			`}`

puppet: Move our ops repository apt configuration to internal module. (imported from commit 2aca8e8c2edbd87a77fd5f00b3ae250484721fb4) 2013-11-10 15:32:54 +01:00			`file { '/etc/apt/apt.conf.d/02periodic':`
puppet-lint: Enforce arrow_alignment check. This fixes all exceptions in our puppet codebase to this lint rule. 2018-08-13 21:20:34 +02:00			`ensure => file,`
			`mode => '0644',`
puppet: Rename puppet/zulip_ops to puppet/kandra. This makes for easier tab-completion, and also is a bit more explicit about the expected consumer. 2024-02-06 21:40:19 +01:00			`source => 'puppet:///modules/kandra/apt/apt.conf.d/02periodic',`
puppet: Move our ops repository apt configuration to internal module. (imported from commit 2aca8e8c2edbd87a77fd5f00b3ae250484721fb4) 2013-11-10 15:32:54 +01:00			`}`

zulip_ops: Disable unattended upgrades of security packages. Since Zulip does not handle e.g. postgres server restarts gracefully, it's best for a system administrator to manually trigger security updates. 2016-08-19 17:27:17 +02:00			`file { '/etc/apt/apt.conf.d/50unattended-upgrades':`
puppet-lint: Enforce arrow_alignment check. This fixes all exceptions in our puppet codebase to this lint rule. 2018-08-13 21:20:34 +02:00			`ensure => file,`
			`mode => '0644',`
puppet: Rename puppet/zulip_ops to puppet/kandra. This makes for easier tab-completion, and also is a bit more explicit about the expected consumer. 2024-02-06 21:40:19 +01:00			`source => 'puppet:///modules/kandra/apt/apt.conf.d/50unattended-upgrades',`
zulip_ops: Disable unattended upgrades of security packages. Since Zulip does not handle e.g. postgres server restarts gracefully, it's best for a system administrator to manually trigger security updates. 2016-08-19 17:27:17 +02:00			`}`
puppet: Switch from top-level fact variables to facts dict, again. These were somehow missed in 57f8b48ff989. 2024-03-25 20:16:16 +01:00			`if $facts['os']['distro']['release']['major'] == '22.04' {`
puppet: Tell needrestart to not default to restarting core services. The `needrestart` tool added in 22.04 is useful in terms of listing which services may need to be restarted to pick up updated libraries. However, it prompts about the current state of services needing restart for every subsequent `apt-get upgrade`, and defaulting core services to restarting requires carefully manually excluding them every time, at risk of causing an unscheduled outage. Build a list of default-off services based on the list in unattended-upgrades. 2022-07-16 03:12:05 +02:00			`file { '/etc/needrestart/conf.d/zulip.conf':`
			`ensure => file,`
			`mode => '0644',`
puppet: Rename puppet/zulip_ops to puppet/kandra. This makes for easier tab-completion, and also is a bit more explicit about the expected consumer. 2024-02-06 21:40:19 +01:00			`source => 'puppet:///modules/kandra/needrestart/zulip.conf',`
puppet: Tell needrestart to not default to restarting core services. The `needrestart` tool added in 22.04 is useful in terms of listing which services may need to be restarted to pick up updated libraries. However, it prompts about the current state of services needing restart for every subsequent `apt-get upgrade`, and defaulting core services to restarting requires carefully manually excluding them every time, at risk of causing an unscheduled outage. Build a list of default-off services based on the list in unattended-upgrades. 2022-07-16 03:12:05 +02:00			`}`
			`}`
zulip_ops: Disable unattended upgrades of security packages. Since Zulip does not handle e.g. postgres server restarts gracefully, it's best for a system administrator to manually trigger security updates. 2016-08-19 17:27:17 +02:00
puppet: Factor out creation of basic user dotfiles. 2024-01-31 05:14:59 +01:00			`user { 'root': }`
puppet: Rename puppet/zulip_ops to puppet/kandra. This makes for easier tab-completion, and also is a bit more explicit about the expected consumer. 2024-02-06 21:40:19 +01:00			`kandra::user_dotfiles { 'root':`
puppet: Pull authorized_keys from AWS secretsmanager. 2024-01-31 19:25:39 +01:00			`home => '/root',`
puppet: Rename and limit production key distribution. 2024-02-01 18:31:00 +01:00			`keys => 'internal-read-only-deploy-key',`
puppet: Pull authorized_keys from AWS secretsmanager. 2024-01-31 19:25:39 +01:00			`authorized_keys => 'common',`
kandra: Puppet github.com keys to both root and zulip users. We update to add the ecdsa-sha2-nistp256 key as well. 2024-02-07 18:23:28 +01:00			`known_hosts => ['github.com'],`
bootstrap-aws-installer: Pull all keys from secretsmanager. 2024-01-30 20:58:17 +01:00			`}`
puppet: Factor out creation of basic user dotfiles. 2024-01-31 05:14:59 +01:00
puppet: Rename puppet/zulip_ops to puppet/kandra. This makes for easier tab-completion, and also is a bit more explicit about the expected consumer. 2024-02-06 21:40:19 +01:00			`kandra::user_dotfiles { 'zulip':`
puppet: Rename and limit production key distribution. 2024-02-01 18:31:00 +01:00			`keys => 'internal-read-only-deploy-key',`
puppet: Pull authorized_keys from AWS secretsmanager. 2024-01-31 19:25:39 +01:00			`authorized_keys => 'common',`
kandra: Puppet github.com keys to both root and zulip users. We update to add the ecdsa-sha2-nistp256 key as well. 2024-02-07 18:23:28 +01:00			`known_hosts => ['github.com'],`
bootstrap-aws-installer: Pull all keys from secretsmanager. 2024-01-30 20:58:17 +01:00			`}`
Split our puppet configuration in two The 'zulip' module contains the general setup for any server that will run our app. The 'zulip-internal' module contains configuration that is internal to Zulip the company. (imported from commit 23c99dd889577c2917ddbf76892cf8f6cc66a13e) 2013-10-29 23:53:04 +01:00
puppet: Move ssh configuration to use notify. This handles more correctly the case where we're using the upstream sshd_config file. 2018-02-10 01:20:26 +01:00			`service { 'ssh':`
puppet: Fix arrow alignment. 2024-04-05 05:37:10 +02:00			`ensure => running,`
puppet: Move ssh configuration to use notify. This handles more correctly the case where we're using the upstream sshd_config file. 2018-02-10 01:20:26 +01:00			`}`

puppet: Rename puppet/zulip_ops to puppet/kandra. This makes for easier tab-completion, and also is a bit more explicit about the expected consumer. 2024-02-06 21:40:19 +01:00			`include kandra::aws_tools`
install-aws-cli: Also install and keep up to date using Puppet. We previously only did this install on the developer machine and on initial boot. Also run it from puppet to make sure we keep the binary up-to-date. 2024-01-29 21:34:53 +01:00
puppet: Use IAM Roles Anywhere to get AWS credentials outside EC2. 2024-01-31 03:25:40 +01:00			`if $is_ec2 {`
puppet: Factor out $is_ec2, clarify comments. 2024-01-30 19:40:04 +01:00			`# EC2 hosts can use the in-VPC timeserver`
puppet: Configure chrony to use AWS-local NTP sources. This prevents hosts from spewing traffic to random hosts across the Internet. 2022-03-25 20:16:13 +01:00			`file { '/etc/chrony/chrony.conf':`
			`ensure => file,`
			`mode => '0644',`
puppet: Switch from top-level fact variables to facts dict, again. These were somehow missed in 57f8b48ff989. 2024-03-25 20:16:16 +01:00			`source => "puppet:///modules/kandra/chrony-${facts['os']['distro']['release']['major']}.conf",`
puppet: Configure chrony to use AWS-local NTP sources. This prevents hosts from spewing traffic to random hosts across the Internet. 2022-03-25 20:16:13 +01:00			`require => Package['chrony'],`
			`notify => Service['chrony'],`
			`}`
Split our puppet configuration in two The 'zulip' module contains the general setup for any server that will run our app. The 'zulip-internal' module contains configuration that is internal to Zulip the company. (imported from commit 23c99dd889577c2917ddbf76892cf8f6cc66a13e) 2013-10-29 23:53:04 +01:00			`}`

			`group { 'nagios':`
puppet-lint: Enforce arrow_alignment check. This fixes all exceptions in our puppet codebase to this lint rule. 2018-08-13 21:20:34 +02:00			`ensure => present,`
			`gid => '1050',`
Split our puppet configuration in two The 'zulip' module contains the general setup for any server that will run our app. The 'zulip-internal' module contains configuration that is internal to Zulip the company. (imported from commit 23c99dd889577c2917ddbf76892cf8f6cc66a13e) 2013-10-29 23:53:04 +01:00			`}`
			`user { 'nagios':`
			`ensure => present,`
			`uid => '1050',`
			`gid => '1050',`
			`shell => '/bin/bash',`
			`home => '/var/lib/nagios',`
			`managehome => true,`
			`}`
puppet: Factor out creation of basic user dotfiles. 2024-01-31 05:14:59 +01:00			`file { '/var/lib/nagios':`
puppet-lint: Enforce arrow_alignment check. This fixes all exceptions in our puppet codebase to this lint rule. 2018-08-13 21:20:34 +02:00			`ensure => directory,`
			`require => User['nagios'],`
puppet-lint: Enforce double_quoted_strings check. This makes our puppet codebase more consistent by using single-quoted strings consistently. 2018-08-13 21:29:40 +02:00			`owner => 'nagios',`
			`group => 'nagios',`
puppet: Match the `x` bits on directories to what puppet actually does. Puppet _always_ sets the `+x` bit on directories if they have the `r` bit set for that slot[^1]: > When specifying numeric permissions for directories, Puppet sets the > search permission wherever the read permission is set. As such, for instance, `0640` is actually applied as `0750`. Fix what we "want" to match what puppet is applying, by adding the `x` bit. In none of these cases did we actually intend the directory to not be executable. [1] https://www.puppet.com/docs/puppet/5.5/types/file.html#file-attribute-mode 2023-01-26 23:26:51 +01:00			`mode => '0700',`
Split our puppet configuration in two The 'zulip' module contains the general setup for any server that will run our app. The 'zulip-internal' module contains configuration that is internal to Zulip the company. (imported from commit 23c99dd889577c2917ddbf76892cf8f6cc66a13e) 2013-10-29 23:53:04 +01:00			`}`
puppet: Rename puppet/zulip_ops to puppet/kandra. This makes for easier tab-completion, and also is a bit more explicit about the expected consumer. 2024-02-06 21:40:19 +01:00			`kandra::user_dotfiles { 'nagios':`
puppet: Pull authorized_keys from AWS secretsmanager. 2024-01-31 19:25:39 +01:00			`home => '/var/lib/nagios',`
			`authorized_keys => true,`
			`}`
Split our puppet configuration in two The 'zulip' module contains the general setup for any server that will run our app. The 'zulip-internal' module contains configuration that is internal to Zulip the company. (imported from commit 23c99dd889577c2917ddbf76892cf8f6cc66a13e) 2013-10-29 23:53:04 +01:00			`file { '/home/nagios':`
puppet-lint: Enforce arrow_alignment check. This fixes all exceptions in our puppet codebase to this lint rule. 2018-08-13 21:20:34 +02:00			`ensure => absent,`
			`force => true,`
Split our puppet configuration in two The 'zulip' module contains the general setup for any server that will run our app. The 'zulip-internal' module contains configuration that is internal to Zulip the company. (imported from commit 23c99dd889577c2917ddbf76892cf8f6cc66a13e) 2013-10-29 23:53:04 +01:00			`recurse => true,`
			`}`
			`}`