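# Class: profiles::base
# =====================
#
# This class defines the base profile that is valid for all puppet managed
# CAcert hosts and should therefore be included in any host role class in the
# roles module.
#
# Parameters
# ----------
#
# @param admins a list of admin users for the node; every name must be a key
#   of the users hash, otherwise catalog compilation fails with a clear error
#
# @param users a hash of user information keyed by admin name. Each entry is
#   read for 'username', 'fullname', 'password', 'uid', 'shell' and an
#   optional 'ssh_keys' list whose items carry 'name', 'type' and 'key'.
#   'password' is handed to the user resource as-is, so it has to be in the
#   hashed form the system expects; keep it in encrypted hiera data.
#
# @param rootalias alias that gets emails for root
#
# @param crl_job_enable whether to set up the hourly CRL update job
#
# @param crl_job_services which services to reload after the CRL update;
#   names are restricted to [A-Za-z0-9_.@:-] because they are rendered into
#   a cron script that runs as root
#
# Examples
# --------
#
# @example
#   class roles::myhost {
#     include profiles::base
#   }
#
# Authors
# -------
#
# Jan Dittberner <jandd@cacert.org>
#
# Copyright
# ---------
#
# Copyright 2016-2018 Jan Dittberner
#
class profiles::base (
  Array[String] $admins = [],
  Hash[String, Data] $users = {},
  # trusted['certname'] comes from the agent's signed certificate, so the
  # default alias cannot be influenced by agent-supplied facts.
  String $rootalias = "${trusted['certname']}-admin@cacert.org",
  Boolean $crl_job_enable = false,
  Array[String] $crl_job_services = [],
) {
  # ensure admin users for this container
  $admins.each |String $username| {
    # Fail early with a readable message instead of the opaque
    # "Operator '[]' is not applicable to an Undef Value" from $user['username'].
    unless $username in $users {
      fail("profiles::base: admin '${username}' has no entry in the users hash")
    }
    $user = $users[$username]
    $osusername = $user['username']

    group { $osusername:
      ensure => present,
    } ->
    user { $osusername:
      ensure         => present,
      comment        => $user['fullname'],
      gid            => $osusername,
      # every admin gets sudo on the node; adm allows reading the system logs
      groups         => ['sudo', 'adm'],
      # NOTE(review): the user type stores this value verbatim, so the data must
      # hold the already hashed (/etc/shadow style) password. A clear-text value
      # here would land on disk unhashed and also shows up in catalogs/reports;
      # confirm the hiera backend encrypts it (e.g. hiera-eyaml).
      password       => $user['password'],
      uid            => $user['uid'],
      home           => "/home/${osusername}",
      shell          => $user['shell'],
      # drop every key that is not declared below, so a key removed from the
      # data (or added by hand on the host) does not keep access
      purge_ssh_keys => true,
      managehome     => true,
    }

    # 'ssh_keys' is optional; a missing entry means "no keys", which together
    # with purge_ssh_keys above removes all authorized keys of that user.
    $ssh_keys = $user['ssh_keys'] ? {
      undef   => [],
      default => $user['ssh_keys'],
    }
    $ssh_keys.each |Hash[String, Data] $keydata| {
      $keyname = $keydata['name']
      ssh_authorized_key { "${osusername}@${keyname}":
        ensure  => present,
        user    => $osusername,
        type    => $keydata['type'],
        key     => $keydata['key'],
        require => User[$osusername],
      }
    }
  }

  # root only gets its shell managed here; its password is left untouched
  user { 'root':
    ensure => present,
    shell  => '/usr/bin/zsh',
  }

  file { '/etc/init.d/puppet':
    ensure => file,
    owner  => 'root',
    group  => 'root',
    mode   => '0755',
    source => 'puppet:///modules/profiles/puppet.init',
  }

  file { '/etc/apt/apt.conf.d/03proxy':
    ensure => file,
    owner  => 'root',
    group  => 'root',
    mode   => '0644',
    source => 'puppet:///modules/profiles/base/apt_proxy.conf',
  }
  file { '/etc/apt/apt.conf.d/10periodic':
    ensure => file,
    owner  => 'root',
    group  => 'root',
    mode   => '0644',
    source => 'puppet:///modules/profiles/base/apt_periodic.conf',
  }

  package { 'lsb-release':
    ensure => present,
  }

  package { ['zsh', 'tmux', 'less']:
    ensure => latest,
  }

  # zsh is the login shell of root and of the admins above; install it before
  # any user resource (including virtual ones realized elsewhere) is applied
  Package['zsh'] -> User <| |>

  package { ['aptitude', 'apticron']:
    ensure => purged,
  }

  file { '/etc/zsh/newuser.zshrc.recommended':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    content => epp('profiles/base/zshrc.epp'),
    require => Package['zsh'],
  }
  file { '/root/.zshrc':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0640',
    content => epp('profiles/base/zshrc.epp',
      { 'prompttemplate' => 'fire' }),
  }

  # apt sources are fully managed; the codename fact needs lsb-release
  file { '/etc/apt/sources.list':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    content => epp(
      'profiles/base/apt_sources.list.epp',
      { 'oscodename' => $facts['os']['distro']['codename'] }),
    require => Package['lsb-release'],
  }
  # the old PC1 repository is replaced by the puppet5 one below
  file { '/etc/apt/sources.list.d/puppetlabs-pc1.list':
    ensure => absent,
  }
  file { '/etc/apt/sources.list.d/puppet5.list':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    content => epp(
      'profiles/base/apt_sources_puppet5.list.epp',
      { 'oscodename' => $facts['os']['distro']['codename'] }),
    require => Package['lsb-release'],
  }

  file { '/etc/apt/preferences.d/blacklist_systemd-sysv.pref':
    ensure => file,
    owner  => 'root',
    group  => 'root',
    mode   => '0644',
    source => 'puppet:///modules/profiles/base/apt_blacklist_systemd-sysv.pref',
  }

  # static resolver configuration; overrides anything written by DHCP clients
  file { '/etc/resolv.conf':
    ensure => file,
    owner  => 'root',
    group  => 'root',
    mode   => '0644',
    source => 'puppet:///modules/profiles/base/resolv.conf',
  }

  file { '/etc/update-motd.d/20-puppetinfo':
    ensure => file,
    owner  => 'root',
    group  => 'root',
    mode   => '0755',
    source => 'puppet:///modules/profiles/base/motd-puppet.sh',
  }

  mailalias { 'root':
    ensure    => present,
    recipient => $rootalias,
  }

  if $crl_job_enable {
    # The service names are rendered into a script under /etc/cron.hourly that
    # run-parts executes as root. Restrict them to characters found in real
    # init script / unit names so nothing shell-like can reach that script.
    $crl_job_services.each |String $svc| {
      unless $svc =~ /\A[A-Za-z0-9_.@:-]+\z/ {
        fail("profiles::base: invalid service name '${svc}' in crl_job_services")
      }
    }

    package { ['ca-certificates', 'ca-cacert']:
      ensure => installed,
    }

    file { '/var/local/ssl':
      ensure => directory,
      owner  => 'root',
      group  => 'root',
      mode   => '0755',
    }

    file { '/var/local/ssl/crls':
      ensure  => directory,
      owner   => 'root',
      group   => 'root',
      mode    => '0755',
      require => File['/var/local/ssl'],
    }

    # hourly CRL refresh; the template receives the (validated) service list
    # under the key 'service'
    file { '/etc/cron.hourly/update-crls':
      ensure  => file,
      owner   => 'root',
      group   => 'root',
      mode    => '0755',
      content => epp(
        'profiles/base/update-crls.epp',
        { 'service' => $crl_job_services }),
      require => [Package['ca-certificates'], Package['ca-cacert'], File['/var/local/ssl/crls']],
    }
  } else {
    # make sure a previously deployed job does not keep running once the
    # feature is switched off for a host
    file { '/etc/cron.hourly/update-crls':
      ensure => absent,
    }
  }
}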