base.pp

# Base class for team-admin'd systems

class tails::base () {

  #
  # Include external classes
  #

  include bash
  include etckeeper
  include haveged
  include loginrecords
  class { '::molly_guard': always_query_hostname => true }

  class { 'puppet_maint':
    tidy_reports           => true,
    tidy_master_filebucket => true,
    tidy_client_filebucket => true,
  }

  include sudo
  include vim

  #
  # Packages
  #

  $base_packages     = [
    bzip2, ca-certificates, gnupg, htop, iproute, iputils-ping,
    less, pinentry-curses, safe-rm, sash, screen, virt-what, w3m,
  ]
  $physical_packages = [ memlockd, 'memtest86+', parted, ]

  ensure_packages($base_packages)

  package { 'pinentry-gtk2': ensure => absent }

  case $::virtual {
    physical: {
      include smartmontools
      ensure_packages($physical_packages) }
    default:  {
      package { 'smartmontools': ensure => absent }
    }
  }

  #
  # Email settings
  #

  class { '::postfix':
    root_mail_recipient => 'tails-sysadmins@boum.org',
    manage_tls_policy   => 'yes',
  }

  postfix::config {
    'smtp_tls_ciphers':              value => 'high';
    'smtp_tls_mandatory_protocols':  value => 'TLSv1';
    'smtp_tls_mandatory_ciphers':    value => 'high';
    'smtp_tls_mandatory_exclude_ciphers':
      value => 'aNULL, MD5, DES, 3DES, DES-CBC3-SHA, RC4-SHA, AES256-SHA, AES128-SHA';
    'smtp_tls_protocols':            value => '!SSLv2, SSLv3, TLSv1';
  }
  postfix::tlspolicy_snippet {
    'boum.org:587':
      value => 'fingerprint match=2E:0F:60:F9:68:9B:B5:CE:D1:5C:82:A0:9D:D9:55:A0:8F:41:EC:70';
    '[boum.org]:587':
      value => 'fingerprint match=2E:0F:60:F9:68:9B:B5:CE:D1:5C:82:A0:9D:D9:55:A0:8F:41:EC:70';
  }

  #
  # Host keys
  #

  sshkey { 'git.tails.boum.org':
    ensure => present,
    type   => 'rsa',
    key    => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArI6D2CpMCDEcLS9dne7LVi0iw28TFYis4T9L2q+/IPq6SZxFQvt1J8Kb2Pssmb+JWmi+2tXa6bFGmQ5uD3gCQPexioiV9hzvxBTuKA1FBDeY70RzDULhe1pX22olcuhcMqcnh9m4MTIIlQu97xlcHsBaUfDn/l/x4M6dq1e7nNqCLhdUNlm0F/tYNlJ8g3O5gpDBiokhOve6OqbtX9FJQzMo7b34maNWUw+8D7OKJ36AtpbKw+f6zd3SCeeIOMqXmF0e4UwgOkDSrW+qL03roI59xl3bM+BZi8n7ym5DecZ1JWUbCs3XpKBpzjHhGBdgc9dS5Qfvi0qdmH4gv6eEPw==',
  }

  #
  # Miscellaneous settings
  #

  file { '/root':
    ensure => directory,
    owner  => root,
    group  => staff,
    mode   => '0750',
  }

  augeas { 'rcS-FSCKFIX':
    context => '/files/etc/default/rcS', changes => 'set FSCKFIX yes';
  }

  sudo::sudoer {'sudo-group-sudo': group => sudo, nopasswd => true }

  sysctl::value { 'kernel.panic': value => 10 }
  sysctl::value { 'kernel.perf_event_paranoid': value => 2 }

}