authorHugo Hörnquist <>2021-12-29 20:13:55 +0100
committerHugo Hörnquist <>2021-12-29 20:13:55 +0100
commitd04542e000b8f8fadce45af96d93fb904ca99115 (patch)
treee85ee2bb0472d9f83f051f31d2629bf4c96bb755 /modules/profiles/manifests
parentSetup new site.pp. (diff)
parentMigrate stuff from ansible. (diff)
Merge branch 'master' of /home/hugo/puppet into production
Diffstat (limited to '')
13 files changed, 680 insertions, 0 deletions
diff --git a/modules/profiles/manifests/dolphin.pp b/modules/profiles/manifests/dolphin.pp
new file mode 100644
index 0000000..f1fdcf8
--- /dev/null
+++ b/modules/profiles/manifests/dolphin.pp
@@ -0,0 +1,70 @@
+# Configure the file manager dolphin
+class profiles::dolphin {
+ ensure_packages ([
+ 'dolphin',
+ 'kde-cli-tools',
+ 'ffmpegthumbs',
+ 'kdegraphics-thumbnailers',
+ 'konsole',
+ 'breeze-icons',
+ ], { ensure => installed })
+ $dolphin_settings = {
+ 'General' => {
+ 'BrowseThroughArchives' => 'true',
+ 'GlobalViewProps' => 'false',
+ 'HomeUrl' => '/usr/net/video',
+ 'OpenExternallyCalledFolderInNewTab' => 'false',
+ 'RememberOpenedTabs' => 'false',
+ 'ShowFullPath' => 'true',
+ },
+ 'MainWindow' => {
+ 'MenuBar' => 'Disabled',
+ 'ToolBarsMovable' => 'Disabled',
+ },
+ 'VersionControl' => {
+ 'enabledPlugins' => [
+ 'Dropbox',
+ 'Git',
+ ]
+ },
+ 'PreviewSettings' => {
+ 'Plugins' => [
+ 'appimagethumbnail',
+ 'audiothumbnail',
+ 'blenderthumbnail',
+ 'comicbookthumbnail',
+ 'djvuthumbnail',
+ 'ebookthumbnail',
+ 'exrthumbnail',
+ 'directorythumbnail',
+ 'fontthumbnail',
+ 'imagethumbnail',
+ 'jpegthumbnail',
+ 'kraorathumbnail',
+ 'windowsexethumbnail',
+ 'windowsimagethumbnail',
+ 'opendocumentthumbnail',
+ 'gsthumbnail',
+ 'svgthumbnail',
+ 'textthumbnail',
+ 'ffmpegthumbs',
+ ]
+ }
+ }
+ $ |$category, $group| {
+ $ |$setting, $value| {
+ ini_setting { "Dolphin [${category}].${setting}":
+ path => '/etc/xdg/dolphinrc',
+ section => $category,
+ setting => $setting,
+ value => $value ? {
+ Array => $value.join(','),
+ String => $value,
+ }
+ }
+ }
+ }
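Review bot: The selector `value => $value ? { Array => $value.join(','), String => $value, }` has no default arm, so any value in `$dolphin_settings` that is neither an Array nor a String (a bare `true` instead of `'true'`, say) aborts catalog compilation with a generic no-matching-entry error that does not name the offending key; a final `default => fail("Unsupported value for ${category}.${setting}"),` arm makes that failure self-explaining. The two iteration lines appear here as `$ |$category, $group| {` and `$ |$setting, $value| {`, without a receiver or `.each`; that looks like an artifact of this page's rendering, but if it is the committed text the class will not parse.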
diff --git a/modules/profiles/manifests/firewall.pp b/modules/profiles/manifests/firewall.pp
new file mode 100644
index 0000000..6c9d7e6
--- /dev/null
+++ b/modules/profiles/manifests/firewall.pp
@@ -0,0 +1,19 @@
+class profiles::firewall {
+ ensure_packages ([
+ 'iptables-persistent',
+ 'fail2ban',
+ ], { ensure => installed })
+ file { '/etc/iptables/rules.v4':
+ source => 'puppet:///modules/profiles/firewall/rules.v4',
+ } ~> exec { 'reload firewall':
+ command => '/usr/share/netfilter-persistent/plugins.d/15-ip4tables restart',
+ refreshonly => true,
+ }
+ service { 'fail2ban':
+ ensure => running,
+ enable => true,
+ }
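Review bot: `file { '/etc/iptables/rules.v4': source => ... }` pins neither `ensure` nor ownership and mode, so if Puppet has to create the file it gets the defaults (typically root-owned and world-readable), leaving the host's complete firewall policy readable by every local account; add `ensure => file, owner => 'root', group => 'root', mode => '0600',`. The `~>` into the `15-ip4tables restart` exec is the right shape, but a rule set that fails to load is only visible as a failed exec in the Puppet report; `validate_cmd => '/usr/sbin/iptables-restore --test %',` (adjust the binary path to the target) rejects a malformed file before it is ever written, so the previously working rules stay in place.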
diff --git a/modules/profiles/manifests/gandalf_web.pp b/modules/profiles/manifests/gandalf_web.pp
new file mode 100644
index 0000000..1295d83
--- /dev/null
+++ b/modules/profiles/manifests/gandalf_web.pp
@@ -0,0 +1,102 @@
+class profiles::gandalf_web (
+ String $certname,
+) {
+ class { '::nginx':
+ manage_repo => false,
+ # server_purge => true,
+ package_name => 'nginx-mainline',
+ service_config_check => true,
+ http_cfg_append => {
+ 'charset' => 'utf-8',
+ },
+ mime_types_preserve_defaults => true,
+ mime_types => {
+ 'text/plain' => 'wiki txt',
+ },
+ include_modules_enabled => true,
+ server_purge => true,
+ }
+ file { '/etc/nginx/modules-enabled':
+ ensure => directory,
+ purge => true,
+ recurse => true,
+ }
+ # TODO this fails at bootstrapping, since letsencrypt requires nginx
+ # to be enabled, but nginx can't be enabled if any cert file is
+ # missing
+ # Letsencrypt::Certonly <| |> -> Nginx::Resource::Server <| |>
+ $domains = [
+ '',
+ '',
+ '',
+ '',
+ '',
+ '',
+ ]
+ ensure_packages (['cronie',], { ensure => installed })
+ ensure_packages (['certbot', 'certbot-nginx'], { ensure => installed })
+ class { '::letsencrypt':
+ config => {
+ email => '',
+ # server => '',
+ server => '',
+ },
+ manage_install => false,
+ }
+ letsencrypt::certonly { $certname:
+ ensure => present,
+ domains => $domains,
+ manage_cron => true,
+ plugin => 'nginx',
+ additional_args => [ '--quiet', ],
+ # pre_hook_commands => [ 'systemctl stop nginx.service', ],
+ post_hook_commands => [ 'systemctl restart nginx.service', ],
+ }
+ nginx::resource::server { 'gandalf':
+ ipv6_enable => true,
+ listen_options => 'default_server',
+ ipv6_listen_options => 'default_server',
+ server_name => [ '_' ],
+ access_log => absent,
+ error_log => absent,
+ ssl => true,
+ ssl_cert => "/etc/letsencrypt/live/${certname}/fullchain.pem",
+ ssl_key => "/etc/letsencrypt/live/${certname}/privkey.pem",
+ ssl_redirect => true,
+ index_files => [ 'index.html', ],
+ www_root => '/var/www/',
+ use_default_location => false,
+ }
+ nginx::resource::location { '/':
+ try_files => ['$uri', '$uri/', '=404'],
+ index_files => [],
+ ssl => true,
+ ssl_only => true,
+ autoindex => on,
+ server => 'gandalf',
+ }
+ nginx::resource::server { '':
+ ipv6_enable => true,
+ ipv6_listen_options => '',
+ server_name => [ '', ],
+ ssl => true,
+ ssl_cert => "/etc/letsencrypt/live/${certname}/fullchain.pem",
+ ssl_key => "/etc/letsencrypt/live/${certname}/privkey.pem",
+ ssl_redirect => true,
+ index_files => [ 'index.html', ],
+ www_root => '/usr/net/repo/',
+ use_default_location => true,
+ }
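Review bot: `access_log => absent` and `error_log => absent` on the `gandalf` server (the `server_name => [ '_' ]` catch-all) disable logging for the default vhost, which is precisely the one that receives scanner and mistyped-Host traffic, so nothing is left to review after an incident; unless the silence is deliberate, drop those two attributes or direct them to a dedicated log file. `autoindex => on` in the `/` location additionally publishes a listing of `/var/www/` to anyone who reaches the default server; if that is intended, a one-line comment saying so would keep a later reader from "fixing" it. The bootstrap ordering problem described in the TODO comment is real and worth recording in the class docstring, since an operator doing a first run from this manifest will hit it with no other hint.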
diff --git a/modules/profiles/manifests/group_profile.pp b/modules/profiles/manifests/group_profile.pp
new file mode 100644
index 0000000..2025a4b
--- /dev/null
+++ b/modules/profiles/manifests/group_profile.pp
@@ -0,0 +1,16 @@
+class profiles::group_profile {
+ file { '/etc/profile.d/':
+ ensure => 'file',
+ content => @(EOF)
+ for group in $(groups $(id -nu))
+ do
+ f="/etc/profile.d/group.d/${group}"
+ test -f "$f" && . $f
+ done
+ | EOF
+ }
+ file { '/etc/profile.d/group.d':
+ ensure => 'directory',
+ }
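Review bot: `file { '/etc/profile.d/group.d': ensure => 'directory', }` pins no `owner`, `group` or `mode`, yet everything placed in it is sourced (`. $f`) into the login shell of every member of the matching group, so a writable directory or file there becomes a way to run code in other accounts' sessions; pin `owner => 'root', group => 'root', mode => '0755',` and consider `recurse => true` with the same ownership so dropped-in files inherit it. In the embedded script `test -f "$f"` is quoted but the following `. $f` is not; `. "$f"` keeps the two consistent for group names containing whitespace.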
diff --git a/modules/profiles/manifests/imagemagick.pp b/modules/profiles/manifests/imagemagick.pp
new file mode 100644
index 0000000..7663cf8
--- /dev/null
+++ b/modules/profiles/manifests/imagemagick.pp
@@ -0,0 +1,17 @@
+class profiles::imagemagick {
+ package { 'imagemagick':
+ ensure => installed,
+ }
+ file { '/etc/ImageMagick-7/policy.xml':
+ content => epp('profiles/imagemagick-policy.xml', {
+ policies => [
+ {
+ domain => 'coder',
+ rights => 'read | write',
+ pattern => 'PDF'
+ },
+ ]
+ }),
+ }
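Review bot: The `file { '/etc/ImageMagick-7/policy.xml': ... }` resource has no `require => Package['imagemagick']`, and Puppet does not autorequire a package for a file it contains, so on a fresh host the file can be evaluated before the package creates `/etc/ImageMagick-7/` and fail the run; add `require => Package['imagemagick'],`. The rendered policy grants the `PDF` coder `read | write`, i.e. it explicitly enables the Ghostscript-backed PDF path that distribution default policies commonly restrict; that is a defensible choice for a workstation converting its own documents, but the class should say so in a comment, and since the `profiles/imagemagick-policy.xml` template is not in this hunk it is unclear which other coders stay restricted.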
diff --git a/modules/profiles/manifests/remarkable.pp b/modules/profiles/manifests/remarkable.pp
new file mode 100644
index 0000000..73ee5e7
--- /dev/null
+++ b/modules/profiles/manifests/remarkable.pp
@@ -0,0 +1,31 @@
+define profiles::remarkable (
+ String $prefix = '10.11.99',
+ String $addr = '2',
+) {
+ file_line { 'remarkable usb':
+ ensure => present,
+ path => '/etc/hosts',
+ line => "${prefix}.1 remarkable.usb",
+ }
+ file_line { 'remarkable usb self':
+ ensure => present,
+ path => '/etc/hosts',
+ line => "${prefix}.${addr} host.usb",
+ }
+ file { '/etc/systemd/network/':
+ ensure => present,
+ content => @("EOF")
+ [Match]
+ Name=enp3s0f0u4
+ [Network]
+ Description=Remarkable USB connection
+ Address=${prefix}.${addr}/29
+ | EOF
+ }
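Review bot: `profiles::remarkable` is a `define`, but its `file_line` titles (`'remarkable usb'`, `'remarkable usb self'`) and the systemd network file path are fixed strings, so a second declaration with a different `$name` fails with a duplicate-resource error; either fold `$name` into those titles or make this a class, since nothing here varies with `$name`. Both `file_line` resources also lack a `match`, so a later change to `$prefix` or `$addr` appends a new `/etc/hosts` entry beside the stale one instead of replacing it; `match => '\sremarkable\.usb$',` and `match => '\shost\.usb$',` make the updates idempotent.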
diff --git a/modules/profiles/manifests/syncthing.pp b/modules/profiles/manifests/syncthing.pp
new file mode 100644
index 0000000..7d8183e
--- /dev/null
+++ b/modules/profiles/manifests/syncthing.pp
@@ -0,0 +1,28 @@
+class profiles::syncthing (
+ Array[String] $enable_for = []
+) {
+ # TODO add repo for those systems that need it
+ package { 'syncthing':
+ ensure => installed
+ }
+ systemd::dropin_file { 'nospam.conf':
+ unit => 'syncthing@.service',
+ content => @(EOF)
+ [Service]
+ ExecStart=
+ ExecStart=/bin/bash -c 'set -o pipefail; /usr/bin/syncthing -no-browser -no-restart -logflags=0 | grep -v "INFO: "'
+ | EOF
+ }
+ $ |$user| {
+ service { "syncthing@${user}":
+ enable => true,
+ }
+ }
+ # TODO manage synced data
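Review bot: The `ExecStart=` override wraps syncthing in `/bin/bash -c '... | grep -v "INFO: "'`, which discards the daemon's connection, device and folder events from the journal — the records a defender would want when working out which peer pushed a change — and, because `set -o pipefail` is in force, makes the unit's exit status 1 whenever every line was filtered out. If the aim is only a quieter journal, filtering at the journald/consumer side keeps the data available without a shell wrapper between systemd and the daemon. The line `$ |$user| {` appears without its receiver and `.each`; that is probably an artifact of this page's rendering, but the committed text is worth checking.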
diff --git a/modules/profiles/manifests/synth.pp b/modules/profiles/manifests/synth.pp
new file mode 100644
index 0000000..eb01f8f
--- /dev/null
+++ b/modules/profiles/manifests/synth.pp
@@ -0,0 +1,33 @@
+class profiles::synth {
+ package { 'freepats-general-midi':
+ ensure => installed,
+ }
+ file { '/etc/conf.d/fluidsynth':
+ content => @(EOF)
+ SOUND_FONT=/usr/share/soundfonts/freepats-general-midi.sf2
+ OTHER_OPTS='-a alsa'
+ | EOF
+ }
+ # TODO pull in aur package from
+ #
+ # TODO setup the rest
+ # - template:
+ # dest: ~/.config/aconnect/impact
+ # source: aconnect
+ # vars:
+ # input_unit: Impact LX25
+ # output_unit: FLUID Synth
+ #
+ # - systemd:
+ # name: aconnect@{{ impact }}
+ # scope: user
+ # enabled: yes
+ # become: yes
+ # become_user: hugo
diff --git a/modules/profiles/manifests/transmission.pp b/modules/profiles/manifests/transmission.pp
new file mode 100644
index 0000000..f79517b
--- /dev/null
+++ b/modules/profiles/manifests/transmission.pp
@@ -0,0 +1,71 @@
+class profiles::transmission (
+ Optional[String] $nginx_server = undef,
+ Enum['None', 'Error', 'Info', 'Debug'] $msg_level = 'Error',
+) {
+ $transmission_url = '/transmission'
+ $transmission_port = 9091
+ if ($nginx_server) {
+ require ::nginx
+ nginx::resource::location { $transmission_url:
+ proxy => "http://localhost:${transmission_port}${transmission_url}",
+ proxy_set_header => [],
+ server => $nginx_server,
+ ssl => true,
+ ssl_only => true,
+ }
+ }
+ ensure_packages(['transmission-cli'],
+ { ensure => installed })
+ systemd::dropin_file { 'transmission-after.conf':
+ unit => 'transmission.service',
+ content => @(EOF)
+ [Unit]
+ | EOF
+ }
+ systemd::dropin_file { 'transmission-flags.conf':
+ unit => 'transmission.service',
+ content => @(EOF)
+ [Service]
+ ExecStart=
+ ExecStart=/usr/bin/transmission-daemon -f
+ | EOF
+ }
+ # TODO whitelists are currently disabled, since they don't seem to
+ # work. Possibly turn them on again some day.
+ #
+ file { '/var/lib/transmission/.config/transmission-daemon/settings.json':
+ content => epp('profiles/transmission.json.epp', {
+ rpc_username => 'hugo',
+ # '{' + sha1(password + salt)
+ # But I don't know how I managed to generate it, since
+ # transmission rolls its own crypto
+ rpc_password => '{eb43101d3b9aa02223466d7f98c5329c841c7967/Zr2tFpn',
+ download_dir => '/usr/net/',
+ rpc_whitelist => ['', '::1'],
+ rpc_port => $transmission_port,
+ rpc_url => "${transmission_url}/",
+ msg_level => case $msg_level {
+ 'None': { 0 }
+ 'Error': { 1 }
+ 'Info': { 2 }
+ 'Debug': { 3 }
+ },
+ }),
+ } ~> exec { '/bin/systemctl reload transmission':
+ refreshonly => true,
+ }
+ service { 'transmission':
+ ensure => 'running',
+ enable => true,
+ }
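Review bot: The `rpc_password => '{eb43...'` hash is committed in clear in the manifest, and `file { '/var/lib/transmission/.config/transmission-daemon/settings.json': ... }` sets no `owner`, `group` or `mode`, so a Puppet-created settings.json carrying that hash and the `rpc_username` lands with the defaults (typically root-owned, world-readable) while the daemon runs as its own user and may be unable to read or rewrite it. Pin `owner => 'transmission', group => 'transmission', mode => '0600',` and take the hash from hiera rather than the literal, e.g. `rpc_password => lookup('profiles::transmission::rpc_password'),`, wrapped as `Sensitive` so it does not appear in reports. The value appears to be transmission's `{` + SHA-1(password + salt) + 8-character-salt form, which offers little resistance once leaked, so rotating the password after moving it out of the repository is worthwhile. The comment says whitelists are disabled while `rpc_whitelist => ['', '::1']` is still passed to the template; a short note on which one the template honours would remove the ambiguity.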
diff --git a/modules/profiles/manifests/webdav_server.pp b/modules/profiles/manifests/webdav_server.pp
new file mode 100644
index 0000000..2cd54c1
--- /dev/null
+++ b/modules/profiles/manifests/webdav_server.pp
@@ -0,0 +1,80 @@
+define profiles::webdav_server (
+ String $nginx_server,
+ String $file_path,
+ String $location = $name,
+ String $passwd_file = "${file_path}/.htpasswd",
+ String $owner = 'http',
+ String $group = 'share',
+ Array[Array[String,2,2]] $users = [],
+ Array[String] $dav_methods = ['PUT', 'DELETE', 'MKCOL', 'COPY', 'MOVE'],
+ Array[String] $dav_ext_methods = ['PROPFIND', 'OPTIONS'],
+ Hash[String,String] $dav_access = {
+ 'user' => 'rw',
+ 'group' => 'rw',
+ }
+) {
+ # TODO install this module somehow
+ # AUR: nginx-mainline-mod-dav-ext
+ require ::nginx
+ $modname = 'ngx_http_dav_ext_module'
+ file { "/etc/nginx/modules-enabled/${modname}.conf":
+ ensure => file,
+ content => @("EOF")
+ load_module /usr/lib/nginx/modules/${modname}.so;
+ | EOF
+ }
+ file {
+ default:
+ owner => $owner,
+ group => $group,
+ ;
+ $file_path:
+ ensure => 'directory',
+ mode => '0770',
+ recurse => 'false',
+ ;
+ $passwd_file:
+ ensure => 'file',
+ mode => '0660',
+ ;
+ }
+ # add entries to the htpasswd file through
+ # $ echo "${user}:$(openssl passwd -apr1 $password)" >> .htpasswd
+ $users.each |$pair| {
+ $user = $pair[0]
+ $passwd = $pair[1]
+ file_line { "Add ${user} to dav passwd file":
+ ensure => present,
+ path => $passwd_file,
+ line => "${user}:${passwd}",
+ match => "^${user}:"
+ }
+ }
+ nginx::resource::location { $location:
+ server => $nginx_server,
+ location_alias => $file_path,
+ ssl => true,
+ ssl_only => true,
+ auth_basic => 'Enter password for dav access',
+ auth_basic_user_file => $passwd_file,
+ location_cfg_append => {
+ 'dav_methods' => $dav_methods.join(' '),
+ 'dav_ext_methods' => $dav_ext_methods.join(' '),
+ 'dav_access' => $ |$k, $v| { "${k}:${v}" }.join(' '),
+ 'client_body_temp_path' => "${file_path}/tmp",
+ 'create_full_put_path' => 'on',
+ 'autoindex' => 'on',
+ 'allow' => 'all',
+ }
+ }
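Review bot: The default `String $passwd_file = "${file_path}/.htpasswd"` places the credential file inside the directory that `location_alias => $file_path` serves with PUT, DELETE, MKCOL, COPY and MOVE enabled and `dav_access` `user:rw group:rw`, and the file is owned by `$owner = 'http'` with mode `0660`, so the nginx worker can hand it out over GET and any user who can authenticate can overwrite or delete the file that authenticates them; unless the nginx module adds a `deny` for dotfiles (not visible in this hunk), default the path outside the served tree, e.g. `String $passwd_file = "/etc/nginx/dav-${name}.htpasswd",`. The `match => "^${user}:"` in the `file_line` interpolates the user name unescaped into a regex, so a name containing `.` or `+` matches the wrong lines; `match => "^${regexpescape($user)}:"` (stdlib) fixes it. The `$users` pairs carry password hashes as plain `String`, which puts them in catalogs and reports; `Sensitive` is the better type for the second element.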
diff --git a/modules/profiles/manifests/workstation.pp b/modules/profiles/manifests/workstation.pp
new file mode 100644
index 0000000..fe7e1cb
--- /dev/null
+++ b/modules/profiles/manifests/workstation.pp
@@ -0,0 +1,132 @@
+class profiles::workstation {
+ $os = $facts['os']['name'].downcase()
+ include "::profiles::workstation::${os}"
+ include ::profiles::group_profile
+ # TODO only if we use systemd
+ file { 'User ssh-agent service':
+ path => '/etc/systemd/user/ssh-agent.service',
+ source => "puppet:///modules/profiles/ssh-agent.service",
+ }
+ file { 'Dvorak A6 TTY keyboard layout':
+ ensure => file,
+ path => '/usr/share/kbd/keymaps/i386/dvorak/',
+ source => '',
+ }
+ file { 'Dvorak A6 X11 keyboard layout':
+ ensure => file,
+ path => '/usr/share/X11/xkb/symbols/planck',
+ source => '',
+ }
+ $xkb_layout = 'planck'
+ $xkb_variant = 'dvorak_a6'
+ $xkb_options = 'compose:caps'
+ file { 'Default X11 keymap':
+ ensure => file,
+ path => '/etc/X11/xorg.conf.d/00-keyboard.conf',
+ content => @("EOF")
+ Section "InputClass"
+ Identifier "system-keyboard"
+ MatchIsKeyboard "on"
+ Option "XkbLayout" "${xkb_layout}"
+ Option XkbModel "pc105"
+ Option "XkbVariant" "${xkb_variant}"
+ Option "XkbOptions" "${xkb_options}"
+ EndSection
+ | EOF
+ }
+ file { 'Model M X11 keymap':
+ ensure => file,
+ path => '/etc/X11/xorg.conf.d/01-model-m.conf',
+ content => @(EOF)
+ Section "InputClass"
+ Identifier "Model M"
+ MathUSBID "17f6:0822"
+ Option "XkbLayout" "us"
+ Option "XkbVariant" "dvorak"
+ EndSection
+ | EOF
+ }
+ file { 'Setup console':
+ ensure => file,
+ path => '/etc/vconsole.conf',
+ content => epp('profiles/keyvalue.epp', { 'values' => {
+ 'KEYMAP' => 'dvorak-sv-a6',
+ 'FONT' => 'lat9v-12',
+ }}),
+ }
+ $cowpath = [
+ '/usr/share/cows',
+ '/usr/local/share/cows',
+ ]
+ file { '/etc/environment':
+ content => epp('profiles/keyvalue.epp', { values => {
+ 'COWPATH' => $cowpath.join(':'),
+ 'MANWIDTH' => 80,
+ 'MPD_HOST' => '',
+ 'PAGER' => 'less',
+ 'EDITOR' => '/usr/bin/vi',
+ 'VISUAL' => '/usr/bin/vim',
+ }})
+ }
+ service { 'systemd-resolved':
+ enable => mask,
+ }
+ file { 'Passmenu with OTP support':
+ path => '/usr/local/bin/passmenu',
+ mode => '0555',
+ source => 'puppet:///modules/profiles/passmenu',
+ }
+ file { '/etc/sudoers':
+ validate_cmd => '/usr/bin/visudo -cf %',
+ content => @(EOF)
+ Defaults insults
+ root ALL=(ALL) ALL
+ %root ALL=(ALL) ALL
+ %wheel ALL=(ALL) ALL
+ @includedir /etc/sudoers.d
+ | EOF
+ }
+ $locales = [
+ 'en_DK.UTF-8 UTF-8',
+ 'en_US.UTF-8 UTF-8',
+ 'sv_SE.UTF-8 UTF-8',
+ 'sv_SE.ISO-8859-1 ISO-8859-1',
+ '',
+ ]
+ file { '/etc/locale.gen':
+ content => $locales.join("\n")
+ } ~> exec { 'locale-gen':
+ path => [ '/bin', '/usr/bin', ],
+ }
+ file { 'Default locales':
+ path => '/etc/locale.conf',
+ content => @(EOF)
+ LANG=en_US.UTF-8
+ | EOF
+ }
+ $timezone = 'Europe/Stockholm'
+ file { '/etc/localtime':
+ ensure => link,
+ target => "/usr/share/zoneinfo/${timezone}",
+ }
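Review bot: `file { '/etc/sudoers': ... }` pins the content (with `validate_cmd`, which is good) but not `owner`, `group` or `mode`; sudo's sudoers plugin checks for root ownership and mode 0440 and rejects the file otherwise, so if Puppet ever has to create it the host is left without working sudo — add `owner => 'root', group => 'root', mode => '0440',`. `exec { 'locale-gen': ... }` is notified from `/etc/locale.gen` but has no `refreshonly => true`, so it regenerates every locale on every Puppet run. In the xorg snippets, `MathUSBID "17f6:0822"` should read `MatchUSBID`, and `Option XkbModel "pc105"` has its option name unquoted unlike its neighbours — Xorg's parser expects a quoted string there — so both files deserve a check of Xorg.0.log after deployment.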
diff --git a/modules/profiles/manifests/workstation/archlinux.pp b/modules/profiles/manifests/workstation/archlinux.pp
new file mode 100644
index 0000000..5274699
--- /dev/null
+++ b/modules/profiles/manifests/workstation/archlinux.pp
@@ -0,0 +1,52 @@
+class profiles::workstation::archlinux {
+ pacman::hook { 'systemd daemon-reload':
+ description => 'Reload systemd user daemon',
+ exec => '/bin/sudo systemctl --user daemon-reload',
+ when => 'PostTransaction',
+ trigger => {
+ operation => 'Upgrade',
+ type => 'Path',
+ target => 'usr/lib/systemd/user/*',
+ },
+ }
+ package { 'kernel-modules-hook':
+ ensure => installed,
+ } ~> service { 'linux-modules-cleanup':
+ ensure => running,
+ enable => true,
+ }
+ $cpus = $facts['processors']['count'] - 1
+ file_line { 'Makepkg paralell':
+ path => '/etc/makepkg.conf',
+ after => '^#-- Make flags',
+ line => "MAKEFLAGS='-j${cpus}'"
+ }
+ pacman::repo { 'adrift-space':
+ ensure => present,
+ server => '',
+ sig_level => 'Optional',
+ }
+ # remove
+ # - netctl
+ # aur-packages
+# - pacaur
+# - ansible-aur-git
+# - cyrus-sasl-xoauth2-git
+# - todotxt
+# - effitask
+# - getmail
+# - mu
+# # - pacaur
+# - pandoc-bin
+# - tlclient
+# # backups old modules on kernel update
+# - kernel-modules-hook
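Review bot: `pacman::repo { 'adrift-space': ... sig_level => 'Optional', }` lets pacman accept unsigned packages and databases from that server, so anything served there, or substituted on the path to it, installs with no signature verification; unless the repository genuinely cannot sign, use `sig_level => 'Required DatabaseOptional',` and have the same class import and locally sign the repository's key. `$cpus = $facts['processors']['count'] - 1` yields `MAKEFLAGS='-j0'` on a single-CPU host, which make rejects; `max(1, $facts['processors']['count'] - 1)` keeps the flag valid. The `MAKEFLAGS` `file_line` has `after` but no `match`, so a later change in CPU count appends a second MAKEFLAGS line instead of replacing the first; `match => '^MAKEFLAGS=',` fixes that.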
diff --git a/modules/profiles/manifests/xmonad.pp b/modules/profiles/manifests/xmonad.pp
new file mode 100644
index 0000000..be8d516
--- /dev/null
+++ b/modules/profiles/manifests/xmonad.pp
@@ -0,0 +1,29 @@
+# Setup xmonad, only tested on arch linux
+class profiles::xmonad {
+ ensure_packages ([
+ 'xmonad',
+ 'xmonad-contrib',
+ # apparently really needed by xmonad
+ 'xorg-fonts-misc',
+ 'ghc',
+ 'xorg-xmessage',
+ 'dzen2',
+ 'dmenu',
+ 'rofi',
+ ], { ensure => installed })
+ # Rebuilt my local xmonad config after an upgrade to xmonad.
+ # It's required, I think due to something with dynamic linking.
+ # It's actually pretty ugly that I'm hardcoded in here, but
+ # something had to be done.
+ pacman::hook { 'xmonad':
+ description => 'Rebuild local xmonad config.',
+ when => 'PostTransaction',
+ exec => '/bin/sudo -Hu hugo xmonad --recompile',
+ trigger => {
+ type => 'Package',
+ operation => ['Upgrade', 'Install'],
+ target => 'xmonad*',
+ },
+ }
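Review bot: The hook's `exec => '/bin/sudo -Hu hugo xmonad --recompile'` hardcodes the user name, as the comment above it admits; a `String $user = 'hugo'` class parameter with `exec => "/bin/sudo -Hu ${user} xmonad --recompile",` removes the hardcoding without changing current behaviour and lets the profile serve another workstation. Dropping to that user before recompiling is the right call, since `xmonad --recompile` builds whatever is in that user's xmonad configuration; a one-line comment stating that this is why `sudo -u` is used would help the next reader.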