# Base class for team-admin'd systems.
#
# Everything an admin-managed host gets regardless of its role: the shared
# service classes, a baseline package set, Postfix client-side TLS settings,
# a pre-seeded host key for the Git server and a handful of local hardening
# tweaks.  The class takes no parameters; host-specific bits belong in the
# including class.
class tails::base () {

  #
  # Include external classes
  #

  include 'bash'
  include 'etckeeper'
  include 'haveged'
  include 'loginrecords'
  include 'sudo'
  include 'vim'

  # Always prompt for the hostname before halt/reboot so a remote admin
  # does not take down the wrong machine.
  class { '::molly_guard':
    always_query_hostname => true,
  }

  # Keep reports and filebuckets from growing without bound on both the
  # master and the clients.
  class { 'puppet_maint':
    tidy_reports           => true,
    tidy_master_filebucket => true,
    tidy_client_filebucket => true,
  }

  #
  # Packages
  #

  $base_packages = [
    'bzip2', 'ca-certificates', 'gnupg', 'htop', 'iproute', 'iputils-ping',
    'less', 'pinentry-curses', 'safe-rm', 'sash', 'screen', 'virt-what',
    'w3m',
  ]
  # Only meaningful on bare metal; see the $::virtual switch below.
  $physical_packages = [ 'memlockd', 'memtest86+', 'parted', ]

  ensure_packages($base_packages)

  # pinentry-curses is the wanted pinentry on these hosts; make sure the
  # GTK variant does not linger.
  package { 'pinentry-gtk2':
    ensure => absent,
  }

  case $::virtual {
    'physical': {
      include 'smartmontools'
      ensure_packages($physical_packages)
    }
    default: {
      package { 'smartmontools':
        ensure => absent,
      }
    }
  }

  #
  # Email settings
  #

  class { '::postfix':
    root_mail_recipient => 'tails-sysadmins@boum.org',
    manage_tls_policy   => 'yes',
  }

  # Outbound (SMTP client) TLS settings.
  # NOTE(review): Postfix reads a protocol list without a leading '!' as
  # an inclusion list, so 'TLSv1' alone for mandatory sessions, and the
  # mixed '!SSLv2, SSLv3, TLSv1' list for opportunistic ones, would limit
  # the client to exactly the named protocols and leave newer TLS versions
  # out — confirm the intended behaviour against the deployed Postfix.
  postfix::config {
    'smtp_tls_ciphers':
      value => 'high';
    'smtp_tls_mandatory_protocols':
      value => 'TLSv1';
    'smtp_tls_mandatory_ciphers':
      value => 'high';
    'smtp_tls_mandatory_exclude_ciphers':
      value => 'aNULL, MD5, DES, 3DES, DES-CBC3-SHA, RC4-SHA, AES256-SHA, AES128-SHA';
    'smtp_tls_protocols':
      value => '!SSLv2, SSLv3, TLSv1';
  }

  # The submission relay is pinned by certificate fingerprint instead of
  # CA trust; both spellings of the destination get the same policy.
  # NOTE(review): the 20-byte value has SHA-1 length — verify that the
  # Postfix fingerprint digest setting in use matches, otherwise the
  # policy can never match.
  $boum_smtp_fingerprint = '2E:0F:60:F9:68:9B:B5:CE:D1:5C:82:A0:9D:D9:55:A0:8F:41:EC:70'
  $boum_smtp_tls_policy  = "fingerprint match=${boum_smtp_fingerprint}"

  postfix::tlspolicy_snippet {
    'boum.org:587':
      value => $boum_smtp_tls_policy;
    '[boum.org]:587':
      value => $boum_smtp_tls_policy;
  }

  #
  # Host keys
  #

  # Pre-seed the Git server's SSH host key so the first connection does
  # not depend on trust-on-first-use.
  sshkey { 'git.tails.boum.org':
    ensure => present,
    type   => 'rsa',
    key    => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArI6D2CpMCDEcLS9dne7LVi0iw28TFYis4T9L2q+/IPq6SZxFQvt1J8Kb2Pssmb+JWmi+2tXa6bFGmQ5uD3gCQPexioiV9hzvxBTuKA1FBDeY70RzDULhe1pX22olcuhcMqcnh9m4MTIIlQu97xlcHsBaUfDn/l/x4M6dq1e7nNqCLhdUNlm0F/tYNlJ8g3O5gpDBiokhOve6OqbtX9FJQzMo7b34maNWUw+8D7OKJ36AtpbKw+f6zd3SCeeIOMqXmF0e4UwgOkDSrW+qL03roI59xl3bM+BZi8n7ym5DecZ1JWUbCs3XpKBpzjHhGBdgc9dS5Qfvi0qdmH4gv6eEPw==',
  }

  #
  # Miscellaneous settings
  #

  # /root is readable by the 'staff' group (0750, not the usual 0700):
  # anything root leaves in its home directory is visible to that group.
  file { '/root':
    ensure => directory,
    owner  => 'root',
    group  => 'staff',
    mode   => '0750',
  }

  # Let the boot-time fsck repair filesystems without dropping to a
  # maintenance prompt.
  augeas { 'rcS-FSCKFIX':
    context => '/files/etc/default/rcS',
    changes => 'set FSCKFIX yes',
  }

  # Members of the 'sudo' group get passwordless sudo, so membership in
  # that group is equivalent to root.
  sudo::sudoer { 'sudo-group-sudo':
    group    => 'sudo',
    nopasswd => true,
  }

  # Reboot 10 s after a kernel panic instead of hanging, and keep
  # unprivileged users away from perf events.
  sysctl::value {
    'kernel.panic':               value => 10;
    'kernel.perf_event_paranoid': value => 2;
  }

}