Diffstat (limited to 'sitemodules/profiles/manifests/base.pp')
-rw-r--r--sitemodules/profiles/manifests/base.pp111
1 files changed, 86 insertions, 25 deletions
diff --git a/sitemodules/profiles/manifests/base.pp b/sitemodules/profiles/manifests/base.pp
index 719fe21..ff3d9e4 100644
--- a/sitemodules/profiles/manifests/base.pp
+++ b/sitemodules/profiles/manifests/base.pp
@@ -14,9 +14,7 @@
#
# @param rootalias alias that gets emails for root
#
-# @param crl_job_enable whether to setup the hourly CRL update job
-#
-# @param crl_job_services which services to reload after the CRL update
+# @param crl_job configure the hourly CRL update job
#
# @param is_external whether the node is outside of CAcert infrastructure
#
@@ -36,15 +34,21 @@
# Copyright
# ---------
#
-# Copyright 2016-2021 Jan Dittberner
+# Copyright 2016-2022 Jan Dittberner
#
class profiles::base (
- Array[String] $admins = [],
- Hash[String, Data] $users = {},
- String $rootalias = "${trusted['certname']}-admin@cacert.org",
- Boolean $crl_job_enable = false,
- Array[String] $crl_job_services = [],
- Boolean $is_external = false,
+ Array[String] $admins = [],
+ Hash[String, Data] $users = {},
+ String $rootalias = "${trusted['certname']}-admin@cacert.org",
+ Hash[String, Data] $crl_job = {
+ 'enable' => false,
+ 'hostname' => $trusted['certname'],
+ 'services' => [],
+ 'check_url' => 'https://monitor.infra.cacert.org:5665/v1/actions/process-check-result',
+ 'api_user' => '',
+ 'api_password' => '',
+ },
+ Boolean $is_external = false,
) {
# ensure admin users for this container
$admins.each |String $username| {
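Review bot: The hash default for `$crl_job` is replaced wholesale, not merged, when a caller supplies the parameter, so a node that sets only `{ 'enable' => true, 'services' => [...] }` hands `undef` to the template for `check_url`, `hostname`, `api_user` and `api_password` unless the values are merged with defaults somewhere not shown here. Typing the parameter as a `Struct` with `Optional` entries would reject misspelled keys at compile time instead of silently falling through, and `api_password` could be declared `Sensitive[String]` so it is redacted from catalogs and reports. The `@param crl_job` line should also list the keys, e.g. `# @param crl_job hash with keys enable, hostname, services, check_url, api_user and api_password`. The class body continues outside the hunk.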
@@ -99,18 +103,37 @@ class profiles::base (
source => 'puppet:///modules/profiles/base/apt_periodic.conf',
}
- package { ['lsb-release', 'distro-info-data', 'sudo']:
+ package { ['lsb-release', 'distro-info-data']:
ensure => present,
}
+ class { 'sudo':
+ config_file_replace => false,
+ }
package { ['zsh', 'tmux', 'less', 'vim-nox']:
ensure => latest,
}
+ if $facts['virtual'] == 'lxc' {
+ file { '/etc/network/interfaces':
+ ensure => file,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ content => "auto lo\niface lo inet loopback\n",
+ }
+ }
+
Package['zsh'] -> User <| |>
- package { ['aptitude', 'apticron']:
- ensure => purged,
+ if !$is_external {
+ package { ['aptitude', 'apticron', 'isc-dhcp-client']:
+ ensure => purged,
+ }
+ } else {
+ package { ['aptitude', 'apticron']:
+ ensure => purged,
+ }
}
file { '/etc/zsh/newuser.zshrc.recommended':
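Review bot: `class { 'sudo': config_file_replace => false }` presumably leaves whatever `/etc/sudoers` already exists on the host in place rather than enforcing the module's content, so the sudo policy on existing nodes drifts out of review of this repository; confirm the flag's semantics against the sudo module version in use, and if the intent is only to preserve locally added rules, manage those as drop-ins under `/etc/sudoers.d` and keep the main file under control. Separately, the `aptitude`/`apticron` list is duplicated across the `$is_external` branches; a selector such as `$purged = $is_external ? { true => ['aptitude', 'apticron'], default => ['aptitude', 'apticron', 'isc-dhcp-client'] }` followed by a single `package { $purged: ensure => purged }` keeps the two lists from diverging.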
@@ -153,10 +176,21 @@ class profiles::base (
repos => 'main',
release => "${::lsbdistcodename}-updates",
}
- apt::source { "security.debian.org-${::lsbdistcodename}-security":
- location => 'http://security.debian.org/debian-security',
- repos => 'main',
- release => "${::lsbdistcodename}/updates",
+
+ $os_major = Integer($facts['os']['release']['major'])
+
+ if $os_major < 11 {
+ apt::source { "security.debian.org-${::lsbdistcodename}-security":
+ location => 'http://security.debian.org/debian-security',
+ repos => 'main',
+ release => "${::lsbdistcodename}/updates",
+ }
+ } else {
+ apt::source { "security.debian.org-${::lsbdistcodename}-security":
+ location => 'http://security.debian.org/',
+ repos => 'main',
+ release => "${::lsbdistcodename}-security",
+ }
}
apt::source { "ftp.nl.debian.org-${::lsbdistcodename}-backports":
location => 'http://ftp.nl.debian.org/debian',
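Review bot: The two `apt::source` branches repeat the whole resource and differ only in `location` and `release`, and the hunk mixes the legacy `$::lsbdistcodename` top-scope fact with the structured `$facts['os']['release']['major']` lookup on the line above. Computing the two differing values with selectors and declaring the resource once keeps the Debian 11 suite rename in one place, and reading the codename from `$facts['os']['distro']['codename']` would make the block consistent with the structured fact it already uses. The surrounding `apt::source` resources start and end outside the hunk.
```puppet
$os_major = Integer($facts['os']['release']['major'])

# Debian 11 renamed the security suite from <codename>/updates to <codename>-security
$security_location = $os_major < 11 ? {
  true    => 'http://security.debian.org/debian-security',
  default => 'http://security.debian.org/',
}
$security_release = $os_major < 11 ? {
  true    => "${::lsbdistcodename}/updates",
  default => "${::lsbdistcodename}-security",
}

apt::source { "security.debian.org-${::lsbdistcodename}-security":
  location => $security_location,
  repos    => 'main',
  release  => $security_release,
}
# … unchanged: backports apt::source …
```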
@@ -197,23 +231,42 @@ class profiles::base (
recipient => $rootalias,
}
- package { ['ca-certificates', 'ca-cacert']:
+ package { 'ca-certificates':
ensure => installed,
}
- file { '/usr/local/share/ca-certificates/cacert_class3_2021.crt':
+ $cacert_class1_file = '/usr/local/share/ca-certificates/cacert_class1_X0F.crt'
+ $cacert_class3_file = '/usr/local/share/ca-certificates/cacert_class3_2021.crt'
+
+ file { $cacert_class1_file:
+ ensure => file,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ source => 'puppet:///modules/profiles/base/cacert_class1_X0F.crt',
+ require => Package['ca-certificates'],
+ }
+
+ file { $cacert_class3_file:
ensure => file,
owner => 'root',
group => 'root',
mode => '0644',
source => 'puppet:///modules/profiles/base/cacert_class3_2021.crt',
require => Package['ca-certificates'],
- } ~>
+ }
+
exec { '/usr/sbin/update-ca-certificates':
- require => Package['ca-certificates'],
+ require => Package['ca-certificates'],
+ refreshonly => true,
+ subscribe => [File[$cacert_class1_file], File[$cacert_class3_file]],
}
- if ($crl_job_enable) {
+ if ($crl_job['enable']) {
+ package { 'python3-requests':
+ ensure => installed,
+ }
+
file { '/var/local/ssl':
ensure => directory,
owner => 'root',
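Review bot: The `ca-cacert` package is dropped from the managed package list but not set to `purged`, so on nodes where it was previously installed its certificates remain in the system trust store next to the two files the module now ships, and the trust store no longer matches what this manifest declares. If the module-shipped files are meant to replace the package, add `package { 'ca-cacert': ensure => purged, before => Exec['/usr/sbin/update-ca-certificates'] }` so the old copies are removed and the store is regenerated in the same run. The mail resource at the top of the hunk starts outside it.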
@@ -236,12 +289,20 @@ class profiles::base (
mode => '0755',
content => epp(
'profiles/base/update-crls.epp',
- { 'services' => $crl_job_services }),
+ {
+ 'services' => $crl_job['services'],
+ 'check_url' => $crl_job['check_url'],
+ 'api_user' => $crl_job['api_user'],
+ 'api_password' => $crl_job['api_password'],
+ 'hostname' => $crl_job['hostname'],
+ },
+ ),
require => [
Package['ca-certificates'],
- Package['ca-cacert'],
+ Package['python3-requests'],
File['/var/local/ssl/crls'],
- File['/usr/local/share/ca-certificates/cacert_class3_2021.crt']
+ File[$cacert_class1_file],
+ File[$cacert_class3_file]
],
}
} else {
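Review bot: `$crl_job['api_password']` is rendered by `epp()` into a file created with `mode => '0755'` (first line of the hunk), so the monitoring API credential is readable by every local account on the node; the file resource's title is outside the hunk but the mode and content belong to the same resource. Keep the credential out of the script body by writing it to a separate root-only file, e.g. `mode => '0600'`, that the script reads at run time, or at minimum change the script to `mode => '0700'` since only root's cron job needs to execute it. Passing the value as `Sensitive` would additionally keep it out of catalog diffs and agent reports, though it then needs `unwrap` before `epp()`.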