Setup hourly cron job to update CRLs
[cacert-puppet.git] / sitemodules / profiles / manifests / base.pp
1 # Class: profiles::base
2 # =====================
3 #
4 # This class defines the base profile that is valid for all puppet managed
5 # CAcert hosts and should therefore be included in any host role class in the
6 # roles module.
7 #
8 # Parameters
9 # ----------
10 #
11 # @param admins a list of admin users for the node
12 #
13 # @param users a hash of user information keyed by user name; each name listed in `admins` is looked up here
14 #
15 # @param rootalias alias that gets emails for root
16 #
17 # Examples
18 # --------
19 #
20 # @example
21 # class roles::myhost {
22 # include profiles::base
23 # }
24 #
25 # Authors
26 # -------
27 #
28 # Jan Dittberner <jandd@cacert.org>
29 #
30 # Copyright
31 # ---------
32 #
33 # Copyright 2016-2018 Jan Dittberner
34 #
class profiles::base (
  Array[String] $admins = [],
  Hash[String, Data] $users = {},
  String $rootalias = "${trusted['certname']}-admin@cacert.org",
) {
  # Ensure admin users for this container.
  #
  # Each name in $admins is resolved through $users to a user record.
  # NOTE(review): an admin name absent from $users (or a record without
  # 'username' / 'ssh_keys') leaves the lookups below operating on undef,
  # which is expected to abort catalog compilation rather than create a
  # partial account -- confirm this fail-fast behaviour is the intent.
  $admins.each |String $username| {
    $user = $users[$username]
    $osusername = $user['username']
    # Primary group first, then the account that uses it as its gid.
    group { $user['username']:
      ensure => present,
    } ->
    user { $osusername:
      ensure => present,
      comment => $user['fullname'],
      gid => $osusername,
      # Every admin account is a member of 'sudo' and 'adm'.
      groups => ['sudo', 'adm'],
      # Taken verbatim from the user record; presumably a pre-hashed
      # password -- verify against the data source.
      password => $user['password'],
      uid => $user['uid'],
      home => "/home/${osusername}",
      shell => $user['shell'],
      # Keys not declared via ssh_authorized_key below are removed, so the
      # account's authorized keys are fully defined by this data.
      purge_ssh_keys => true,
      managehome => true,
    }
    # One ssh_authorized_key per declared key, titled "<user>@<keyname>".
    $user['ssh_keys'].each |Hash[String, Data] $keydata| {
      $keyname = $keydata['name']
      ssh_authorized_key { "${osusername}@${keyname}":
        ensure => present,
        user => $user['username'],
        type => $keydata['type'],
        key => $keydata['key'],
        require => User[$osusername],
      }
    }
  }

  # root gets a zsh login shell; ordering against the zsh package is
  # enforced by the chain below.
  user { 'root':
    ensure => present,
    shell => '/usr/bin/zsh',
  }

  # Init script for the puppet agent, shipped as a static file.
  file { '/etc/init.d/puppet':
    ensure => file,
    owner => 'root',
    group => 'root',
    mode => '0755',
    source => 'puppet:///modules/profiles/puppet.init',
  }

  # APT proxy and periodic settings, shipped as static files.
  file { '/etc/apt/apt.conf.d/03proxy':
    ensure => file,
    owner => 'root',
    group => 'root',
    mode => '0644',
    source => 'puppet:///modules/profiles/base/apt_proxy.conf',
  }
  file { '/etc/apt/apt.conf.d/10periodic':
    ensure => file,
    owner => 'root',
    group => 'root',
    mode => '0644',
    source => 'puppet:///modules/profiles/base/apt_periodic.conf',
  }

  # Required by the sources.list files below (they depend on this package).
  package { 'lsb-release':
    ensure => present,
  }

  # Interactive tooling; 'latest' means these are upgraded whenever the
  # repository offers a newer version.
  package { ['zsh', 'tmux', 'less']:
    ensure => latest,
  }

  # zsh must be installed before any user resource is applied, since
  # accounts (root above, and possibly entries of $users) use it as shell.
  Package["zsh"] -> User <| |>

  # Not wanted on any managed host.
  package { ['aptitude', 'apticron']:
    ensure => purged,
  }

  # Recommended zshrc for new users, rendered from the shared template.
  file { '/etc/zsh/newuser.zshrc.recommended':
    ensure => file,
    owner => 'root',
    group => 'root',
    mode => '0644',
    content => epp('profiles/base/zshrc.epp'),
    require => Package['zsh'],
  }
  # root's own zshrc: same template with an alternate prompt template.
  file { '/root/.zshrc':
    ensure => file,
    owner => 'root',
    group => 'root',
    mode => '0640',
    content => epp('profiles/base/zshrc.epp',
      { 'prompttemplate' => 'fire' }),
  }

  # APT sources rendered from the OS codename fact. The old puppetlabs-pc1
  # list is removed and replaced by the puppet5 list.
  file { '/etc/apt/sources.list':
    ensure => file,
    owner => 'root',
    group => 'root',
    mode => '0644',
    content => epp(
      'profiles/base/apt_sources.list.epp',
      { 'oscodename' => $facts['os']['distro']['codename'] }),
    require => Package['lsb-release'],
  }
  file { '/etc/apt/sources.list.d/puppetlabs-pc1.list':
    ensure => absent,
  }
  file { '/etc/apt/sources.list.d/puppet5.list':
    ensure => file,
    owner => 'root',
    group => 'root',
    mode => '0644',
    content => epp(
      'profiles/base/apt_sources_puppet5.list.epp',
      { 'oscodename' => $facts['os']['distro']['codename'] }),
    require => Package['lsb-release'],
  }

  # APT pinning preferences; judging by the file name this pins against
  # systemd-sysv -- the actual rules live in the static .pref source.
  file { '/etc/apt/preferences.d/blacklist_systemd-sysv.pref':
    ensure => file,
    owner => 'root',
    group => 'root',
    mode => '0644',
    source => 'puppet:///modules/profiles/base/apt_blacklist_systemd-sysv.pref',
  }

  # Static resolver configuration; local edits are reverted on each run.
  file { '/etc/resolv.conf':
    ensure => file,
    owner => 'root',
    group => 'root',
    mode => '0644',
    source => 'puppet:///modules/profiles/base/resolv.conf',
  }

  # MOTD snippet (static shell script) showing puppet information.
  file { '/etc/update-motd.d/20-puppetinfo':
    ensure => file,
    owner => 'root',
    group => 'root',
    mode => '0755',
    source => 'puppet:///modules/profiles/base/motd-puppet.sh',
  }

  # Mail for root is delivered to $rootalias.
  mailalias { 'root':
    ensure => present,
    recipient => $rootalias,
  }

  # CA certificate bundles; both are prerequisites of the CRL update job.
  package { ['ca-certificates', 'ca-cacert']:
    ensure => installed,
  }

  # Directory for CRLs, presumably populated by the hourly job below.
  file { '/var/local/ssl/crls':
    ensure => directory,
    owner => 'root',
    group => 'root',
    mode => '0755',
  }

  # Hourly CRL refresh, installed only after both CA packages and the CRL
  # directory exist. The script is a static source file and runs as root
  # from cron.hourly; how it fetches and validates CRLs is defined there,
  # not in this manifest.
  file { '/etc/cron.hourly/update-crls':
    ensure => file,
    owner => 'root',
    group => 'root',
    mode => '0755',
    source => 'puppet:///modules/profiles/base/update-crls',
    require => [Package['ca-certificates'], Package['ca-cacert'], File['/var/local/ssl/crls']],
  }
}