mirror of https://github.com/zulip/zulip.git
222 lines
6.9 KiB
Puppet
222 lines
6.9 KiB
Puppet
class zulip_ops::base {
|
|
include zulip::base
|
|
include zulip::apt_repository
|
|
|
|
$org_base_packages = [# Management for our systems
|
|
"openssh-server",
|
|
"mosh",
|
|
# package management
|
|
"aptitude",
|
|
# SSL Certificates
|
|
"letsencrypt",
|
|
# Monitoring
|
|
"munin-node",
|
|
"munin-plugins-extra" ,
|
|
# Security
|
|
"iptables-persistent",
|
|
# For managing our current Debian packages
|
|
"debian-goodies",
|
|
# Needed for zulip-ec2-configure-network-interfaces
|
|
'dhcpcd5',
|
|
"python3-six",
|
|
"python-six",
|
|
# "python3-boto", # missing on trusty
|
|
"python-boto", # needed for postgres_common too
|
|
"python3-netifaces",
|
|
"python-netifaces",
|
|
# Popular editors
|
|
"vim",
|
|
"emacs-nox",
|
|
"puppet-el",
|
|
# Prevent accidental reboots
|
|
"molly-guard",
|
|
# Useful tools in a production environment
|
|
"screen",
|
|
"strace",
|
|
"host",
|
|
"git",
|
|
"nagios-plugins-contrib",
|
|
]
|
|
package { $org_base_packages: ensure => "installed" }
|
|
|
|
# Add system users here
|
|
$users = []
|
|
|
|
# Add hosts to monitor here
|
|
$hosts = []
|
|
|
|
file { '/etc/apt/apt.conf.d/02periodic':
|
|
ensure => file,
|
|
mode => '0644',
|
|
source => 'puppet:///modules/zulip_ops/apt/apt.conf.d/02periodic',
|
|
}
|
|
|
|
file { '/etc/apt/apt.conf.d/50unattended-upgrades':
|
|
ensure => file,
|
|
mode => '0644',
|
|
source => 'puppet:///modules/zulip_ops/apt/apt.conf.d/50unattended-upgrades',
|
|
}
|
|
|
|
file { '/home/zulip/.ssh':
|
|
ensure => directory,
|
|
require => User['zulip'],
|
|
owner => "zulip",
|
|
group => "zulip",
|
|
mode => '0600',
|
|
}
|
|
|
|
# Clear /etc/update-motd.d, to fix load problems with Nagios
|
|
# caused by Ubuntu's default MOTD tools for things like "checking
|
|
# for the next release" being super slow.
|
|
file { '/etc/update-motd.d':
|
|
ensure => directory,
|
|
recurse => true,
|
|
purge => true,
|
|
}
|
|
|
|
file { '/etc/pam.d/common-session':
|
|
ensure => file,
|
|
require => Package['openssh-server'],
|
|
source => 'puppet:///modules/zulip_ops/common-session',
|
|
owner => 'root',
|
|
group => 'root',
|
|
mode => '0644',
|
|
}
|
|
|
|
service { 'ssh':
|
|
ensure => running,
|
|
}
|
|
|
|
if $zulip::base::release_name == "xenial" {
|
|
# Our custom sshd_config uses options that don't exist on trusty.
|
|
file { '/etc/ssh/sshd_config':
|
|
ensure => file,
|
|
require => Package['openssh-server'],
|
|
source => 'puppet:///modules/zulip_ops/sshd_config',
|
|
owner => 'root',
|
|
group => 'root',
|
|
mode => '0644',
|
|
notify => Service['ssh'],
|
|
}
|
|
}
|
|
|
|
file { '/root/.emacs':
|
|
ensure => file,
|
|
mode => '0600',
|
|
owner => "root",
|
|
group => "root",
|
|
source => 'puppet:///modules/zulip_ops/dot_emacs.el',
|
|
}
|
|
|
|
file { '/home/zulip/.emacs':
|
|
ensure => file,
|
|
mode => '0600',
|
|
owner => "zulip",
|
|
group => "zulip",
|
|
source => 'puppet:///modules/zulip_ops/dot_emacs.el',
|
|
require => User['zulip'],
|
|
}
|
|
|
|
if $zulip::base::release_name == "xenial" {
|
|
# TODO: Change this condition to something more coherent.
|
|
file { '/root/.ssh/authorized_keys':
|
|
ensure => file,
|
|
mode => '0600',
|
|
owner => "root",
|
|
group => "root",
|
|
source => 'puppet:///modules/zulip_ops/root_authorized_keys',
|
|
}
|
|
file { '/home/zulip/.ssh/authorized_keys':
|
|
ensure => file,
|
|
require => File['/home/zulip/.ssh'],
|
|
mode => '0600',
|
|
owner => "zulip",
|
|
group => "zulip",
|
|
source => 'puppet:///modules/zulip_ops/authorized_keys',
|
|
}
|
|
file { '/var/lib/nagios/.ssh/authorized_keys':
|
|
ensure => file,
|
|
require => File['/var/lib/nagios/.ssh'],
|
|
mode => '0600',
|
|
owner => "nagios",
|
|
group => "nagios",
|
|
source => 'puppet:///modules/zulip_ops/nagios_authorized_keys',
|
|
}
|
|
}
|
|
|
|
if $zulip::base::release_name == "xenial" {
|
|
# This is a proxy for the fact that our xenial machines are the
|
|
# ones in EC2.
|
|
file { '/usr/local/sbin/zulip-ec2-configure-interfaces':
|
|
ensure => file,
|
|
mode => '0755',
|
|
source => 'puppet:///modules/zulip_ops/zulip-ec2-configure-interfaces',
|
|
}
|
|
|
|
file { '/etc/network/if-up.d/zulip-ec2-configure-interfaces_if-up.d.sh':
|
|
ensure => file,
|
|
mode => '0755',
|
|
source => 'puppet:///modules/zulip_ops/zulip-ec2-configure-interfaces_if-up.d.sh',
|
|
}
|
|
}
|
|
|
|
group { 'nagios':
|
|
ensure => present,
|
|
gid => '1050',
|
|
}
|
|
user { 'nagios':
|
|
ensure => present,
|
|
uid => '1050',
|
|
gid => '1050',
|
|
shell => '/bin/bash',
|
|
home => '/var/lib/nagios',
|
|
managehome => true,
|
|
}
|
|
file { '/var/lib/nagios/':
|
|
ensure => directory,
|
|
require => User['nagios'],
|
|
owner => "nagios",
|
|
group => "nagios",
|
|
mode => '0600',
|
|
}
|
|
file { '/var/lib/nagios/.ssh':
|
|
ensure => directory,
|
|
require => File['/var/lib/nagios/'],
|
|
owner => "nagios",
|
|
group => "nagios",
|
|
mode => '0600',
|
|
}
|
|
file { '/home/nagios':
|
|
ensure => absent,
|
|
force => true,
|
|
recurse => true,
|
|
}
|
|
if $zulip::base::release_name == "xenial" {
|
|
# Trusty's puppet doesn't support the include? rule used in rules.v4.
|
|
file { '/etc/iptables/rules.v4':
|
|
ensure => file,
|
|
mode => '0600',
|
|
content => template('zulip_ops/iptables/rules.v4.erb'),
|
|
require => Package['iptables-persistent'],
|
|
}
|
|
service { 'netfilter-persistent':
|
|
ensure => running,
|
|
|
|
# Because there is no running process for this service, the normal status
|
|
# checks fail. Because puppet then thinks the service has been manually
|
|
# stopped, it won't restart it. This fake status command will trick puppet
|
|
# into thinking the service is *always* running (which in a way it is, as
|
|
# iptables is part of the kernel.)
|
|
hasstatus => true,
|
|
status => "/bin/true",
|
|
|
|
# Under Debian, the "restart" parameter does not reload the rules, so tell
|
|
# Puppet to fall back to stop/start, which does work.
|
|
hasrestart => false,
|
|
|
|
require => Package['iptables-persistent'],
|
|
subscribe => File['/etc/iptables/rules.v4'],
|
|
}
|
|
}
|
|
}
|