diff options
Diffstat (limited to 'modules/profiles/manifests')
| -rw-r--r-- | modules/profiles/manifests/dolphin.pp | 70 | ||||
| -rw-r--r-- | modules/profiles/manifests/firewall.pp | 19 | ||||
| -rw-r--r-- | modules/profiles/manifests/gandalf_web.pp | 102 | ||||
| -rw-r--r-- | modules/profiles/manifests/group_profile.pp | 16 | ||||
| -rw-r--r-- | modules/profiles/manifests/imagemagick.pp | 17 | ||||
| -rw-r--r-- | modules/profiles/manifests/remarkable.pp | 31 | ||||
| -rw-r--r-- | modules/profiles/manifests/syncthing.pp | 28 | ||||
| -rw-r--r-- | modules/profiles/manifests/synth.pp | 33 | ||||
| -rw-r--r-- | modules/profiles/manifests/transmission.pp | 71 | ||||
| -rw-r--r-- | modules/profiles/manifests/webdav_server.pp | 80 | ||||
| -rw-r--r-- | modules/profiles/manifests/workstation.pp | 132 | ||||
| -rw-r--r-- | modules/profiles/manifests/workstation/archlinux.pp | 52 | ||||
| -rw-r--r-- | modules/profiles/manifests/xmonad.pp | 29 |
13 files changed, 680 insertions, 0 deletions
diff --git a/modules/profiles/manifests/dolphin.pp b/modules/profiles/manifests/dolphin.pp new file mode 100644 index 0000000..f1fdcf8 --- /dev/null +++ b/modules/profiles/manifests/dolphin.pp @@ -0,0 +1,70 @@ +# Configure the file manager dolphin +class profiles::dolphin { + ensure_packages ([ + 'dolphin', + 'kde-cli-tools', + 'ffmpegthumbs', + 'kdegraphics-thumbnailers', + 'konsole', + 'breeze-icons', + ], { ensure => installed }) + + + $dolphin_settings = { + 'General' => { + 'BrowseThroughArchives' => 'true', + 'GlobalViewProps' => 'false', + 'HomeUrl' => '/usr/net/video', + 'OpenExternallyCalledFolderInNewTab' => 'false', + 'RememberOpenedTabs' => 'false', + 'ShowFullPath' => 'true', + }, + 'MainWindow' => { + 'MenuBar' => 'Disabled', + 'ToolBarsMovable' => 'Disabled', + }, + 'VersionControl' => { + 'enabledPlugins' => [ + 'Dropbox', + 'Git', + ] + }, + 'PreviewSettings' => { + 'Plugins' => [ + 'appimagethumbnail', + 'audiothumbnail', + 'blenderthumbnail', + 'comicbookthumbnail', + 'djvuthumbnail', + 'ebookthumbnail', + 'exrthumbnail', + 'directorythumbnail', + 'fontthumbnail', + 'imagethumbnail', + 'jpegthumbnail', + 'kraorathumbnail', + 'windowsexethumbnail', + 'windowsimagethumbnail', + 'opendocumentthumbnail', + 'gsthumbnail', + 'svgthumbnail', + 'textthumbnail', + 'ffmpegthumbs', + ] + } + } + + $dolphin_settings.map |$category, $group| { + $group.map |$setting, $value| { + ini_setting { "Dolphin [${category}].${setting}": + path => '/etc/xdg/dolphinrc', + section => $category, + setting => $setting, + value => $value ? { + Array => $value.join(','), + String => $value, + } + } + } + } +} diff --git a/modules/profiles/manifests/firewall.pp b/modules/profiles/manifests/firewall.pp new file mode 100644 index 0000000..6c9d7e6 --- /dev/null +++ b/modules/profiles/manifests/firewall.pp @@ -0,0 +1,19 @@ +class profiles::firewall { + ensure_packages ([ + 'iptables-persistent', + 'fail2ban', + ], { ensure => installed }) + + file { '/etc/iptables/rules.v4': + source => 'puppet:///modules/profiles/firewall/rules.v4', + } ~> exec { 'reload firewall': + command => '/usr/share/netfilter-persistent/plugins.d/15-ip4tables restart', + refreshonly => true, + } + + service { 'fail2ban': + ensure => running, + enable => true, + } + +} diff --git a/modules/profiles/manifests/gandalf_web.pp b/modules/profiles/manifests/gandalf_web.pp new file mode 100644 index 0000000..1295d83 --- /dev/null +++ b/modules/profiles/manifests/gandalf_web.pp @@ -0,0 +1,102 @@ +class profiles::gandalf_web ( + String $certname, +) { + + class { '::nginx': + manage_repo => false, + # server_purge => true, + package_name => 'nginx-mainline', + service_config_check => true, + http_cfg_append => { + 'charset' => 'utf-8', + }, + mime_types_preserve_defaults => true, + mime_types => { + 'text/plain' => 'wiki txt', + }, + include_modules_enabled => true, + server_purge => true, + } + + file { '/etc/nginx/modules-enabled': + ensure => directory, + purge => true, + recurse => true, + } + + # TODO this fails at bootstrapping, since letsencrypt requires nginx + # to be enabled, but nginx can't be enabled if any cert file is + # missing + # Letsencrypt::Certonly <| |> -> Nginx::Resource::Server <| |> + + $domains = [ + 'bookmark.gandalf.adrift.space', + 'calendar.gandalf.adrift.space', + 'repo.gandalf.adrift.space', + 'gandalf.adrift.space', + 'hack.adrift.space', + 'adrift.space', + ] + + ensure_packages (['cronie',], { ensure => installed }) + + ensure_packages (['certbot', 'certbot-nginx'], { ensure => installed }) + class { '::letsencrypt': + config => { + email => 'hugo@hornquist.se', + # server => 'https://acme-staging-v02.api.letsencrypt.org/directory', + server => 'https://acme-v02.api.letsencrypt.org/directory', + }, + manage_install => false, + } + + letsencrypt::certonly { $certname: + ensure => present, + domains => $domains, + manage_cron => true, + plugin => 'nginx', + additional_args => [ '--quiet', ], + # pre_hook_commands => [ 'systemctl stop nginx.service', ], + post_hook_commands => [ 'systemctl restart nginx.service', ], + } + + + nginx::resource::server { 'gandalf': + ipv6_enable => true, + listen_options => 'default_server', + ipv6_listen_options => 'default_server', + server_name => [ '_' ], + access_log => absent, + error_log => absent, + ssl => true, + ssl_cert => "/etc/letsencrypt/live/${certname}/fullchain.pem", + ssl_key => "/etc/letsencrypt/live/${certname}/privkey.pem", + ssl_redirect => true, + index_files => [ 'index.html', ], + www_root => '/var/www/adrift.space', + use_default_location => false, + } + + nginx::resource::location { '/': + try_files => ['$uri', '$uri/', '=404'], + index_files => [], + ssl => true, + ssl_only => true, + autoindex => on, + server => 'gandalf', + } + + nginx::resource::server { 'repo.gandalf.adrift.space': + ipv6_enable => true, + ipv6_listen_options => '', + server_name => [ 'repo.gandalf.adrift.space', ], + ssl => true, + ssl_cert => "/etc/letsencrypt/live/${certname}/fullchain.pem", + ssl_key => "/etc/letsencrypt/live/${certname}/privkey.pem", + ssl_redirect => true, + index_files => [ 'index.html', ], + www_root => '/usr/net/repo/', + use_default_location => true, + } + +} diff --git a/modules/profiles/manifests/group_profile.pp b/modules/profiles/manifests/group_profile.pp new file mode 100644 index 0000000..2025a4b --- /dev/null +++ b/modules/profiles/manifests/group_profile.pp @@ -0,0 +1,16 @@ +class profiles::group_profile { + file { '/etc/profile.d/group-env.sh': + ensure => 'file', + content => @(EOF) + for group in $(groups $(id -nu)) + do + f="/etc/profile.d/group.d/${group}" + test -f "$f" && . $f + done + | EOF + } + + file { '/etc/profile.d/group.d': + ensure => 'directory', + } +} diff --git a/modules/profiles/manifests/imagemagick.pp b/modules/profiles/manifests/imagemagick.pp new file mode 100644 index 0000000..7663cf8 --- /dev/null +++ b/modules/profiles/manifests/imagemagick.pp @@ -0,0 +1,17 @@ +class profiles::imagemagick { + package { 'imagemagick': + ensure => installed, + } + + file { '/etc/ImageMagick-7/policy.xml': + content => epp('profiles/imagemagick-policy.xml', { + policies => [ + { + domain => 'coder', + rights => 'read | write', + pattern => 'PDF' + }, + ] + }), + } +} diff --git a/modules/profiles/manifests/remarkable.pp b/modules/profiles/manifests/remarkable.pp new file mode 100644 index 0000000..73ee5e7 --- /dev/null +++ b/modules/profiles/manifests/remarkable.pp @@ -0,0 +1,31 @@ +define profiles::remarkable ( + String $prefix = '10.11.99', + String $addr = '2', +) { + + file_line { 'remarkable usb': + ensure => present, + path => '/etc/hosts', + line => "${prefix}.1 remarkable.usb", + } + + file_line { 'remarkable usb self': + ensure => present, + path => '/etc/hosts', + line => "${prefix}.${addr} host.usb", + } + + file { '/etc/systemd/network/25-remarkable-usb.network': + ensure => present, + content => @("EOF") + [Match] + Name=enp3s0f0u4 + + [Network] + + Description=Remarkable USB connection + Address=${prefix}.${addr}/29 + | EOF + } + +} diff --git a/modules/profiles/manifests/syncthing.pp b/modules/profiles/manifests/syncthing.pp new file mode 100644 index 0000000..7d8183e --- /dev/null +++ b/modules/profiles/manifests/syncthing.pp @@ -0,0 +1,28 @@ +class profiles::syncthing ( + Array[String] $enable_for = [] +) { + + # TODO add repo for those systems that need it + + package { 'syncthing': + ensure => installed + } + + systemd::dropin_file { 'nospam.conf': + unit => 'syncthing@.service', + content => @(EOF) + [Service] + ExecStart= + ExecStart=/bin/bash -c 'set -o pipefail; /usr/bin/syncthing -no-browser -no-restart -logflags=0 | grep -v "INFO: "' + | EOF + } + + $enable_for.map |$user| { + service { "syncthing@${user}": + enable => true, + } + } + + # TODO manage synced data + +} diff --git a/modules/profiles/manifests/synth.pp b/modules/profiles/manifests/synth.pp new file mode 100644 index 0000000..eb01f8f --- /dev/null +++ b/modules/profiles/manifests/synth.pp @@ -0,0 +1,33 @@ +class profiles::synth { + + package { 'freepats-general-midi': + ensure => installed, + } + + file { '/etc/conf.d/fluidsynth': + content => @(EOF) + SOUND_FONT=/usr/share/soundfonts/freepats-general-midi.sf2 + OTHER_OPTS='-a alsa' + | EOF + } + + # TODO pull in aur package from + # https://git.hornquist.se/archpkg/aconnect-service/ + + # TODO setup the rest + + # - template: + # dest: ~/.config/aconnect/impact + # source: aconnect + # vars: + # input_unit: Impact LX25 + # output_unit: FLUID Synth + # + # - systemd: + # name: aconnect@{{ impact }} + # scope: user + # enabled: yes + # become: yes + # become_user: hugo + +} diff --git a/modules/profiles/manifests/transmission.pp b/modules/profiles/manifests/transmission.pp new file mode 100644 index 0000000..f79517b --- /dev/null +++ b/modules/profiles/manifests/transmission.pp @@ -0,0 +1,71 @@ +class profiles::transmission ( + Optional[String] $nginx_server = undef, + Enum['None', 'Error', 'Info', 'Debug'] $msg_level = 'Error', +) { + + $transmission_url = '/transmission' + $transmission_port = 9091 + + if ($nginx_server) { + require ::nginx + + nginx::resource::location { $transmission_url: + proxy => "http://localhost:${transmission_port}${transmission_url}", + proxy_set_header => [], + server => $nginx_server, + ssl => true, + ssl_only => true, + } + } + + ensure_packages(['transmission-cli'], + { ensure => installed }) + + systemd::dropin_file { 'transmission-after.conf': + unit => 'transmission.service', + content => @(EOF) + [Unit] + After=network-online.target + | EOF + } + + systemd::dropin_file { 'transmission-flags.conf': + unit => 'transmission.service', + content => @(EOF) + [Service] + ExecStart= + ExecStart=/usr/bin/transmission-daemon -f + | EOF + } + + # TODO whitelists are currently disabled, since they don't seem to + # work. Possibly turn them on again some day. + + # https://github.com/transmission/transmission/wiki/Editing-Configuration-File + file { '/var/lib/transmission/.config/transmission-daemon/settings.json': + content => epp('profiles/transmission.json.epp', { + rpc_username => 'hugo', + # '{' + sha1(password + salt) + # But I don't know how I managed to generate it, since + # transmission rolls its own crypto + rpc_password => '{eb43101d3b9aa02223466d7f98c5329c841c7967/Zr2tFpn', + download_dir => '/usr/net/', + rpc_whitelist => ['127.0.0.1', '::1'], + rpc_port => $transmission_port, + rpc_url => "${transmission_url}/", + msg_level => case $msg_level { + 'None': { 0 } + 'Error': { 1 } + 'Info': { 2 } + 'Debug': { 3 } + }, + }), + } ~> exec { '/bin/systemctl reload transmission': + refreshonly => true, + } + + service { 'transmission': + ensure => 'running', + enable => true, + } +} diff --git a/modules/profiles/manifests/webdav_server.pp b/modules/profiles/manifests/webdav_server.pp new file mode 100644 index 0000000..2cd54c1 --- /dev/null +++ b/modules/profiles/manifests/webdav_server.pp @@ -0,0 +1,80 @@ +define profiles::webdav_server ( + String $nginx_server, + String $file_path, + String $location = $name, + String $passwd_file = "${file_path}/.htpasswd", + String $owner = 'http', + String $group = 'share', + Array[Array[String,2,2]] $users = [], + Array[String] $dav_methods = ['PUT', 'DELETE', 'MKCOL', 'COPY', 'MOVE'], + Array[String] $dav_ext_methods = ['PROPFIND', 'OPTIONS'], + Hash[String,String] $dav_access = { + 'user' => 'rw', + 'group' => 'rw', + } +) { + + # TODO install this module somehow + # AUR: nginx-mainline-mod-dav-ext + + require ::nginx + + $modname = 'ngx_http_dav_ext_module' + file { "/etc/nginx/modules-enabled/${modname}.conf": + ensure => file, + content => @("EOF") + load_module /usr/lib/nginx/modules/${modname}.so; + | EOF + } + + file { + default: + owner => $owner, + group => $group, + ; + $file_path: + ensure => 'directory', + mode => '0770', + recurse => 'false', + ; + $passwd_file: + ensure => 'file', + mode => '0660', + ; + } + + # add entries to the htpasswd file through + # $ echo "${user}:$(openssl passwd -apr1 $password)" >> .htpasswd + + + $users.each |$pair| { + $user = $pair[0] + $passwd = $pair[1] + file_line { "Add ${user} to dav passwd file": + ensure => present, + path => $passwd_file, + line => "${user}:${passwd}", + match => "^${user}:" + } + } + + nginx::resource::location { $location: + server => $nginx_server, + location_alias => $file_path, + ssl => true, + ssl_only => true, + + auth_basic => 'Enter password for dav access', + auth_basic_user_file => $passwd_file, + + location_cfg_append => { + 'dav_methods' => $dav_methods.join(' '), + 'dav_ext_methods' => $dav_ext_methods.join(' '), + 'dav_access' => $dav_access.map |$k, $v| { "${k}:${v}" }.join(' '), + 'client_body_temp_path' => "${file_path}/tmp", + 'create_full_put_path' => 'on', + 'autoindex' => 'on', + 'allow' => 'all', + } + } +} diff --git a/modules/profiles/manifests/workstation.pp b/modules/profiles/manifests/workstation.pp new file mode 100644 index 0000000..fe7e1cb --- /dev/null +++ b/modules/profiles/manifests/workstation.pp @@ -0,0 +1,132 @@ +class profiles::workstation { + $os = $facts['os']['name'].downcase() + include "::profiles::workstation::${os}" + + include ::profiles::group_profile + + # TODO only if we use systemd + file { 'User ssh-agent service': + path => '/etc/systemd/user/ssh-agent.service', + source => "puppet:///modules/profiles/ssh-agent.service", + } + + file { 'Dvorak A6 TTY keyboard layout': + ensure => file, + path => '/usr/share/kbd/keymaps/i386/dvorak/dvorak-sv-a6.map', + source => 'https://raw.githubusercontent.com/HugoNikanor/keymaps/master/linux-tty/dvorak-sv-a6.map', + } + + file { 'Dvorak A6 X11 keyboard layout': + ensure => file, + path => '/usr/share/X11/xkb/symbols/planck', + source => 'https://raw.githubusercontent.com/HugoNikanor/keymaps/master/X11/planck', + } + + $xkb_layout = 'planck' + $xkb_variant = 'dvorak_a6' + $xkb_options = 'compose:caps' + + file { 'Default X11 keymap': + ensure => file, + path => '/etc/X11/xorg.conf.d/00-keyboard.conf', + content => @("EOF") + Section "InputClass" + Identifier "system-keyboard" + MatchIsKeyboard "on" + Option "XkbLayout" "${xkb_layout}" + Option XkbModel "pc105" + Option "XkbVariant" "${xkb_variant}" + Option "XkbOptions" "${xkb_options}" + EndSection + | EOF + } + + file { 'Model M X11 keymap': + ensure => file, + path => '/etc/X11/xorg.conf.d/01-model-m.conf', + content => @(EOF) + Section "InputClass" + Identifier "Model M" + MathUSBID "17f6:0822" + Option "XkbLayout" "us" + Option "XkbVariant" "dvorak" + EndSection + | EOF + } + + file { 'Setup console': + ensure => file, + path => '/etc/vconsole.conf', + content => epp('profiles/keyvalue.epp', { 'values' => { + 'KEYMAP' => 'dvorak-sv-a6', + 'FONT' => 'lat9v-12', + }}), + } + + $cowpath = [ + '/usr/share/cows', + '/usr/local/share/cows', + ] + + file { '/etc/environment': + content => epp('profiles/keyvalue.epp', { values => { + 'COWPATH' => $cowpath.join(':'), + 'MANWIDTH' => 80, + 'MPD_HOST' => 'jukebox.lysator.liu.se', + 'PAGER' => 'less', + 'EDITOR' => '/usr/bin/vi', + 'VISUAL' => '/usr/bin/vim', + }}) + } + + service { 'systemd-resolved': + enable => mask, + } + + file { 'Passmenu with OTP support': + path => '/usr/local/bin/passmenu', + mode => '0555', + source => 'puppet:///modules/profiles/passmenu', + } + + file { '/etc/sudoers': + validate_cmd => '/usr/bin/visudo -cf %', + content => @(EOF) + Defaults insults + root ALL=(ALL) ALL + %root ALL=(ALL) ALL + %wheel ALL=(ALL) ALL + + @includedir /etc/sudoers.d + | EOF + } + + $locales = [ + 'en_DK.UTF-8 UTF-8', + 'en_US.UTF-8 UTF-8', + 'sv_SE.UTF-8 UTF-8', + 'sv_SE.ISO-8859-1 ISO-8859-1', + '', + ] + + file { '/etc/locale.gen': + content => $locales.join("\n") + } ~> exec { 'locale-gen': + path => [ '/bin', '/usr/bin', ], + } + + file { 'Default locales': + path => '/etc/locale.conf', + content => @(EOF) + LANG=en_US.UTF-8 + LC_TIME=sv_SE.UTF-8 + | EOF + } + + $timezone = 'Europe/Stockholm' + + file { '/etc/localtime': + ensure => link, + target => "/usr/share/zoneinfo/${timezone}", + } +} diff --git a/modules/profiles/manifests/workstation/archlinux.pp b/modules/profiles/manifests/workstation/archlinux.pp new file mode 100644 index 0000000..5274699 --- /dev/null +++ b/modules/profiles/manifests/workstation/archlinux.pp @@ -0,0 +1,52 @@ +class profiles::workstation::archlinux { + + pacman::hook { 'systemd daemon-reload': + description => 'Reload systemd user daemon', + exec => '/bin/sudo systemctl --machine=hugo@.host --user daemon-reload', + when => 'PostTransaction', + trigger => { + operation => 'Upgrade', + type => 'Path', + target => 'usr/lib/systemd/user/*', + }, + } + + package { 'kernel-modules-hook': + ensure => installed, + } ~> service { 'linux-modules-cleanup': + ensure => running, + enable => true, + } + + $cpus = $facts['processors']['count'] - 1 + file_line { 'Makepkg paralell': + path => '/etc/makepkg.conf', + after => '^#-- Make flags', + line => "MAKEFLAGS='-j${cpus}'" + } + + pacman::repo { 'adrift-space': + ensure => present, + server => 'http://repo.gandalf.adrift.space/arch', + sig_level => 'Optional', + } + + # remove + # - netctl + + # aur-packages +# - pacaur +# - ansible-aur-git +# - cyrus-sasl-xoauth2-git +# - todotxt +# - effitask +# - getmail +# - mu +# # - pacaur +# - pandoc-bin +# - tlclient +# # backups old modules on kernel update +# - kernel-modules-hook + + +} diff --git a/modules/profiles/manifests/xmonad.pp b/modules/profiles/manifests/xmonad.pp new file mode 100644 index 0000000..be8d516 --- /dev/null +++ b/modules/profiles/manifests/xmonad.pp @@ -0,0 +1,29 @@ +# Setup xmonad, only tested on arch linux +class profiles::xmonad { + ensure_packages ([ + 'xmonad', + 'xmonad-contrib', + # apparently really needed by xmonad + 'xorg-fonts-misc', + 'ghc', + 'xorg-xmessage', + 'dzen2', + 'dmenu', + 'rofi', + ], { ensure => installed }) + + # Rebuilt my local xmonad config after an upgrade to xmonad. + # It's required, I think due to something with dynamic linking. + # It's actually pretty ugly that I'm hardcoded in here, but + # something had to be done. + pacman::hook { 'xmonad': + description => 'Rebuild local xmonad config.', + when => 'PostTransaction', + exec => '/bin/sudo -Hu hugo xmonad --recompile', + trigger => { + type => 'Package', + operation => ['Upgrade', 'Install'], + target => 'xmonad*', + }, + } +} |