# Baseline configuration for every host managed by zulip_ops: base packages,
# apt auto-upgrade configuration, SSH/PAM config files, the dedicated nagios
# account, and — only when `$zulip::base::release_name == "xenial"` — the
# hardened sshd_config, authorized_keys files, EC2 interface helpers and the
# persistent iptables ruleset.
#
# Security note for reviewers: because sshd_config, authorized_keys and the
# iptables rules are all gated on the xenial check below, a host on any other
# release gets NONE of that from this class; its sshd config, SSH keys and
# firewall stay whatever the distro/operator left in place.
class zulip_ops::base {
  include zulip::base
  include zulip::apt_repository

  $org_base_packages = [
    # Management for our systems
    "openssh-server",
    "mosh",
    # package management
    "aptitude",
    # SSL Certificates
    "letsencrypt",
    # Monitoring
    "munin-node",
    "munin-plugins-extra",
    # Security (the rules.v4 file managed below depends on this)
    "iptables-persistent",
    # For managing our current Debian packages
    "debian-goodies",
    # Needed by the zulip-ec2-configure-interfaces script installed below
    'dhcpcd5',
    "python3-six",
    "python-six",
    # "python3-boto", # missing on trusty
    "python-boto", # needed for postgres_common too
    "python3-netifaces",
    "python-netifaces",
    # Popular editors
    "vim",
    "emacs-nox",
    "puppet-el",
    # Prevent accidental reboots
    "molly-guard",
    # Useful tools in a production environment
    "screen",
    "strace",
    "host",
    "git",
    "nagios-plugins-contrib",
  ]
  package { $org_base_packages:
    ensure => "installed"
  }

  # Add system users here
  # (placeholder: nothing in this class reads $users)
  $users = []
  # Add hosts to monitor here
  # (placeholder: nothing in this class reads $hosts)
  $hosts = []

  # Unattended-upgrade policy. The contents of both files live in the module
  # and are not visible here; whether security-only or all updates are applied
  # automatically is decided there.
  file { '/etc/apt/apt.conf.d/02periodic':
    ensure => file,
    mode   => '0644',
    source => 'puppet:///modules/zulip_ops/apt/apt.conf.d/02periodic',
  }
  file { '/etc/apt/apt.conf.d/50unattended-upgrades':
    ensure => file,
    mode   => '0644',
    source => 'puppet:///modules/zulip_ops/apt/apt.conf.d/50unattended-upgrades',
  }

  # User['zulip'] is declared outside this class (presumably by zulip::base,
  # included above — verify).
  # NOTE(review): '0600' on a directory relies on Puppet adding the search (x)
  # bit wherever a read bit is set, giving an effective 0700; confirm on a
  # host if in doubt.
  file { '/home/zulip/.ssh':
    ensure  => directory,
    require => User['zulip'],
    owner   => "zulip",
    group   => "zulip",
    mode    => '0600',
  }

  # Clear /etc/update-motd.d, to fix load problems with Nagios
  # caused by Ubuntu's default MOTD tools for things like "checking
  # for the next release" being super slow.
  # purge => true deletes every file in the directory that Puppet does not
  # manage, i.e. all of the distro's MOTD scripts.
  file { '/etc/update-motd.d':
    ensure  => directory,
    recurse => true,
    purge   => true,
  }

  # Replaces the system-wide PAM session stack. The module copy is not visible
  # here; it is ordered after openssh-server (presumably so the package's own
  # PAM files are in place before this overrides them — verify).
  file { '/etc/pam.d/common-session':
    ensure  => file,
    require => Package['openssh-server'],
    source  => 'puppet:///modules/zulip_ops/common-session',
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
  }

  # Only `ensure => running` is set; boot-time enablement of sshd is not
  # managed by this resource.
  service { 'ssh':
    ensure => running,
  }

  if $zulip::base::release_name == "xenial" {
    # Our custom sshd_config uses options that don't exist on trusty.
    # Consequence: on non-xenial hosts the distro default sshd_config is left
    # untouched, so none of the hardening in the module file applies there.
    file { '/etc/ssh/sshd_config':
      ensure  => file,
      require => Package['openssh-server'],
      source  => 'puppet:///modules/zulip_ops/sshd_config',
      owner   => 'root',
      group   => 'root',
      mode    => '0644',
      notify  => Service['ssh'],
    }
  }

  file { '/root/.emacs':
    ensure => file,
    mode   => '0600',
    owner  => "root",
    group  => "root",
    source => 'puppet:///modules/zulip_ops/dot_emacs.el',
  }
  file { '/home/zulip/.emacs':
    ensure  => file,
    mode    => '0600',
    owner   => "zulip",
    group   => "zulip",
    source  => 'puppet:///modules/zulip_ops/dot_emacs.el',
    require => User['zulip'],
  }

  if $zulip::base::release_name == "xenial" {
    # TODO: Change this condition to something more coherent.
    # Because these are gated on xenial, on other releases the keys in the
    # module files are neither installed nor pruned by Puppet; stale or
    # hand-added keys on such hosts are not noticed here.
    # NOTE(review): no resource manages /root/.ssh itself and there is no
    # require on it, so this assumes the directory already exists (Puppet does
    # not create missing parent directories) — confirm or add one.
    file { '/root/.ssh/authorized_keys':
      ensure => file,
      mode   => '0600',
      owner  => "root",
      group  => "root",
      source => 'puppet:///modules/zulip_ops/root_authorized_keys',
    }
    file { '/home/zulip/.ssh/authorized_keys':
      ensure  => file,
      require => File['/home/zulip/.ssh'],
      mode    => '0600',
      owner   => "zulip",
      group   => "zulip",
      source  => 'puppet:///modules/zulip_ops/authorized_keys',
    }
    # Grants SSH access to the nagios account created below; the keys in
    # nagios_authorized_keys are not visible here.
    file { '/var/lib/nagios/.ssh/authorized_keys':
      ensure  => file,
      require => File['/var/lib/nagios/.ssh'],
      mode    => '0600',
      owner   => "nagios",
      group   => "nagios",
      source  => 'puppet:///modules/zulip_ops/nagios_authorized_keys',
    }
  }

  if $zulip::base::release_name == "xenial" {
    # This is a proxy for the fact that our xenial machines are the
    # ones in EC2.
    # Both files are executable (0755); the if-up.d hook runs as root on every
    # interface-up event, so the script contents (in the module) are
    # security-relevant.
    file { '/usr/local/sbin/zulip-ec2-configure-interfaces':
      ensure => file,
      mode   => '0755',
      source => 'puppet:///modules/zulip_ops/zulip-ec2-configure-interfaces',
    }
    file { '/etc/network/if-up.d/zulip-ec2-configure-interfaces_if-up.d.sh':
      ensure => file,
      mode   => '0755',
      source => 'puppet:///modules/zulip_ops/zulip-ec2-configure-interfaces_if-up.d.sh',
    }
  }

  # Dedicated nagios account with a fixed uid/gid (1050) so it is identical
  # across hosts. It gets a login shell (/bin/bash) because it is reachable
  # over SSH via the authorized_keys file managed above on xenial.
  group { 'nagios':
    ensure => present,
    gid    => '1050',
  }
  user { 'nagios':
    ensure     => present,
    uid        => '1050',
    gid        => '1050',
    shell      => '/bin/bash',
    home       => '/var/lib/nagios',
    managehome => true,
  }
  # NOTE(review): as with /home/zulip/.ssh, '0600' on these directories is
  # expected to yield an effective 0700 via Puppet's read→search bit rule.
  file { '/var/lib/nagios/':
    ensure  => directory,
    require => User['nagios'],
    owner   => "nagios",
    group   => "nagios",
    mode    => '0600',
  }
  file { '/var/lib/nagios/.ssh':
    ensure  => directory,
    require => File['/var/lib/nagios/'],
    owner   => "nagios",
    group   => "nagios",
    mode    => '0600',
  }
  # The account's home is /var/lib/nagios (above); remove any /home/nagios a
  # previous package or run may have created, including its contents.
  file { '/home/nagios':
    ensure  => absent,
    force   => true,
    recurse => true,
  }

  if $zulip::base::release_name == "xenial" {
    # Trusty's puppet doesn't support the include? rule used in rules.v4.
    # Consequence: on non-xenial hosts this class manages no firewall rules at
    # all, even though iptables-persistent is installed above.
    # 0600 keeps the ruleset (which may reveal allowed peers) root-readable
    # only.
    file { '/etc/iptables/rules.v4':
      ensure  => file,
      mode    => '0600',
      content => template('zulip_ops/iptables/rules.v4.erb'),
      require => Package['iptables-persistent'],
    }
    service { 'netfilter-persistent':
      ensure     => running,
      # Because there is no running process for this service, the normal status
      # checks fail. Because puppet then thinks the service has been manually
      # stopped, it won't restart it. This fake status command will trick puppet
      # into thinking the service is *always* running (which in a way it is, as
      # iptables is part of the kernel.)
      hasstatus  => true,
      status     => "/bin/true",
      # Under Debian, the "restart" parameter does not reload the rules, so tell
      # Puppet to fall back to stop/start, which does work.
      hasrestart => false,
      require    => Package['iptables-persistent'],
      # Reload (via stop/start) whenever the ruleset file changes.
      subscribe  => File['/etc/iptables/rules.v4'],
    }
  }
}