Diffstat (limited to 'modules/profiles')
-rwxr-xr-x | modules/profiles/files/passmenu | 29 | ||||
-rw-r--r-- | modules/profiles/files/ssh-agent.service | 13 | ||||
-rw-r--r-- | modules/profiles/lib/facter/pacman_version.rb | 7 | ||||
-rw-r--r-- | modules/profiles/manifests/dolphin.pp | 70 | ||||
-rw-r--r-- | modules/profiles/manifests/imagemagick.pp | 17 | ||||
-rw-r--r-- | modules/profiles/manifests/syncthing.pp | 28 | ||||
-rw-r--r-- | modules/profiles/manifests/synth.pp | 33 | ||||
-rw-r--r-- | modules/profiles/manifests/workstation.pp | 126 | ||||
-rw-r--r-- | modules/profiles/manifests/workstation/archlinux.pp | 53 | ||||
-rw-r--r-- | modules/profiles/manifests/xmonad.pp | 29 | ||||
-rw-r--r-- | modules/profiles/templates/aconnect.epp | 8 | ||||
-rw-r--r-- | modules/profiles/templates/imagemagick-policy.xml.epp | 89 | ||||
-rw-r--r-- | modules/profiles/templates/keyvalue.epp | 4 |
13 files changed, 492 insertions, 14 deletions
diff --git a/modules/profiles/files/passmenu b/modules/profiles/files/passmenu
new file mode 100755
index 0000000..653ebda
--- /dev/null
+++ b/modules/profiles/files/passmenu
@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+
+shopt -s nullglob globstar
+
+typeit=0
+if [[ $1 == "--type" ]]; then
+ typeit=1
+ shift
+fi
+
+prefix=${PASSWORD_STORE_DIR-~/.password-store}
+password_files=( "$prefix"/**/*.gpg )
+password_files=( "${password_files[@]#"$prefix"/}" )
+password_files=( "${password_files[@]%.gpg}" )
+
+password=$(printf '%s\n' "${password_files[@]}" | dmenu "$@")
+
+[[ -n $password ]] || exit
+
+if [[ "$password" == *-otp ]]; then
+ otp='otp'
+fi
+
+if [[ $typeit -eq 0 ]]; then
+ pass $otp show -c "$password" 2>/dev/null
+else
+ pass $otp show "$password" | { IFS= read -r pass; printf %s "$pass"; } |
+ xdotool type --clearmodifiers --file -
+fi
diff --git a/modules/profiles/files/ssh-agent.service b/modules/profiles/files/ssh-agent.service
new file mode 100644
index 0000000..d49edc6
--- /dev/null
+++ b/modules/profiles/files/ssh-agent.service
@@ -0,0 +1,13 @@
+# https://unix.stackexchange.com/questions/339840/how-to-start-and-use-ssh-agent-as-systemd-service
+
+[Unit]
+Description=SSH key agent
+
+[Service]
+Type=simple
+Environment=SSH_AUTH_SOCK=%t/ssh-agent.socket
+# ExecStart=/usr/bin/ssh-agent -D -a $SSH_AUTH_SOCK
+ExecStart=/usr/bin/ssh-agent -D -a $SSH_AUTH_SOCK
+
+[Install]
+WantedBy=default.target
diff --git a/modules/profiles/lib/facter/pacman_version.rb b/modules/profiles/lib/facter/pacman_version.rb
new file mode 100644
index 0000000..1d17b04
--- /dev/null
+++ b/modules/profiles/lib/facter/pacman_version.rb
@@ -0,0 +1,7 @@
+Facter.add('pacman-version') do
+ if File.exists?('/bin/pacman') then
+ setcode do
+ `pacman -Qi pacman | awk -F' : ' '/^Version/ { print $2 }'`.strip()
+ end
+ end
+end
diff --git a/modules/profiles/manifests/dolphin.pp b/modules/profiles/manifests/dolphin.pp
new file mode 100644
index 0000000..f1fdcf8
--- /dev/null
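Review bot: `$otp` is deliberately left unquoted on the two `pass $otp show` lines so that it expands to no argument for non-OTP entries, but nothing says so, and the obvious "fix" of writing `"$otp"` would hand pass an empty subcommand; add `# intentionally unquoted: expands to nothing unless the entry name ends in -otp` above the `if [[ "$password" == *-otp ]]` test. Two behaviours deserve a comment as well: the `--type` branch feeds the secret to `xdotool type`, which types into whatever window has focus when dmenu exits, and the `2>/dev/null` on the clipboard branch hides a failed decryption, so a stale gpg-agent cache silently leaves the clipboard unchanged with no message to the user.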
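Review bot: The commented-out `# ExecStart=` line is byte-identical to the live `ExecStart=` below it and only invites the two to drift apart, so drop it. `ssh-agent -D -a $SSH_AUTH_SOCK` starts the agent without a default key lifetime, so identities added with a bare `ssh-add` stay unlocked until the unit stops; if that is not intended, pass a lifetime such as `ExecStart=/usr/bin/ssh-agent -D -t 8h -a $SSH_AUTH_SOCK`. Note also that `Environment=` only sets `SSH_AUTH_SOCK` for the agent process itself; clients still need the same value exported in their own session, which this unit does not arrange and which is worth stating in the header comment.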
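Review bot: `File.exists?` was deprecated for years and removed in Ruby 3.2, so on a current Facter this fact raises `NoMethodError` when the file is loaded; use `File.exist?('/bin/pacman')`. The version is also obtained through a backtick shell pipeline; `Facter::Core::Execution.execute('pacman -Qi pacman')` with the `Version` line picked out in Ruby avoids spawning a shell and awk for a single field. A one-line comment stating that `/bin/pacman` is relied upon as a symlink to `/usr/bin/pacman` on Arch would make the path check less surprising.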
+++ b/modules/profiles/manifests/dolphin.pp
@@ -0,0 +1,70 @@
+# Configure the file manager dolphin
+class profiles::dolphin {
+ ensure_packages ([
+ 'dolphin',
+ 'kde-cli-tools',
+ 'ffmpegthumbs',
+ 'kdegraphics-thumbnailers',
+ 'konsole',
+ 'breeze-icons',
+ ], { ensure => installed })
+
+
+ $dolphin_settings = {
+ 'General' => {
+ 'BrowseThroughArchives' => 'true',
+ 'GlobalViewProps' => 'false',
+ 'HomeUrl' => '/usr/net/video',
+ 'OpenExternallyCalledFolderInNewTab' => 'false',
+ 'RememberOpenedTabs' => 'false',
+ 'ShowFullPath' => 'true',
+ },
+ 'MainWindow' => {
+ 'MenuBar' => 'Disabled',
+ 'ToolBarsMovable' => 'Disabled',
+ },
+ 'VersionControl' => {
+ 'enabledPlugins' => [
+ 'Dropbox',
+ 'Git',
+ ]
+ },
+ 'PreviewSettings' => {
+ 'Plugins' => [
+ 'appimagethumbnail',
+ 'audiothumbnail',
+ 'blenderthumbnail',
+ 'comicbookthumbnail',
+ 'djvuthumbnail',
+ 'ebookthumbnail',
+ 'exrthumbnail',
+ 'directorythumbnail',
+ 'fontthumbnail',
+ 'imagethumbnail',
+ 'jpegthumbnail',
+ 'kraorathumbnail',
+ 'windowsexethumbnail',
+ 'windowsimagethumbnail',
+ 'opendocumentthumbnail',
+ 'gsthumbnail',
+ 'svgthumbnail',
+ 'textthumbnail',
+ 'ffmpegthumbs',
+ ]
+ }
+ }
+
+ $dolphin_settings.map |$category, $group| {
+ $group.map |$setting, $value| {
+ ini_setting { "Dolphin [${category}].${setting}":
+ path => '/etc/xdg/dolphinrc',
+ section => $category,
+ setting => $setting,
+ value => $value ? {
+ Array => $value.join(','),
+ String => $value,
+ }
+ }
+ }
+ }
+}
diff --git a/modules/profiles/manifests/imagemagick.pp b/modules/profiles/manifests/imagemagick.pp
new file mode 100644
index 0000000..7663cf8
--- /dev/null
+++ b/modules/profiles/manifests/imagemagick.pp
@@ -0,0 +1,17 @@
+class profiles::imagemagick {
+ package { 'imagemagick':
+ ensure => installed,
+ }
+
+ file { '/etc/ImageMagick-7/policy.xml':
+ content => epp('profiles/imagemagick-policy.xml', {
+ policies => [
+ {
+ domain => 'coder',
+ rights => 'read | write',
+ pattern => 'PDF'
+ },
+ ]
+ }),
+ }
+}
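Review bot: `$dolphin_settings.map` and the inner `$group.map` are used only for the side effect of declaring `ini_setting` resources, so both should be `.each`; `map` builds two throwaway arrays and tells the reader to look for a result that is never used. The selector `value => $value ? { Array => ..., String => ... }` has no `default` arm, so the first boolean or integer someone adds to the hash fails catalog compilation; add `default => String($value)` or type the hash as `Hash[String, Hash[String, Variant[String, Array[String]]]]`. One caveat worth a comment on the `PreviewSettings` list: every thumbnailer enabled there (`windowsexethumbnail`, `gsthumbnail`, `ffmpegthumbs`, …) parses untrusted files the moment a directory is opened, so the list is attack surface and is best trimmed to the formats actually browsed.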
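Review bot: The `policies` passed here make `coder` `read | write` for `PDF` the only active rule in the generated policy.xml, and since the template's sample rules are all commented out, the file this resource overwrites ends up with no `path` rule against `@*` file reads, no `resource` limits, and PDF decoding handed to the Ghostscript delegate, whose sandbox has a long record of escapes; any ImageMagick invocation on an untrusted PDF (thumbnailers included) then runs under the least restrictive policy the program supports. At minimum carry `{ domain => 'path', rights => 'none', pattern => '@*' }` in the list and keep `PDF` at `read` unless writing is needed, and add the resource limits once the template can express them. The `file` resource also relies on manifest ordering to run after the package that creates `/etc/ImageMagick-7/`; an explicit `require => Package['imagemagick']` keeps that true through a refactor.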
diff --git a/modules/profiles/manifests/syncthing.pp b/modules/profiles/manifests/syncthing.pp
new file mode 100644
index 0000000..7d8183e
--- /dev/null
+++ b/modules/profiles/manifests/syncthing.pp
@@ -0,0 +1,28 @@
+class profiles::syncthing (
+ Array[String] $enable_for = []
+) {
+
+ # TODO add repo for those systems that need it
+
+ package { 'syncthing':
+ ensure => installed
+ }
+
+ systemd::dropin_file { 'nospam.conf':
+ unit => 'syncthing@.service',
+ content => @(EOF)
+ [Service]
+ ExecStart=
+ ExecStart=/bin/bash -c 'set -o pipefail; /usr/bin/syncthing -no-browser -no-restart -logflags=0 | grep -v "INFO: "'
+ | EOF
+ }
+
+ $enable_for.map |$user| {
+ service { "syncthing@${user}":
+ enable => true,
+ }
+ }
+
+ # TODO manage synced data
+
+}
diff --git a/modules/profiles/manifests/synth.pp b/modules/profiles/manifests/synth.pp
new file mode 100644
index 0000000..eb01f8f
--- /dev/null
+++ b/modules/profiles/manifests/synth.pp
@@ -0,0 +1,33 @@
+class profiles::synth {
+
+ package { 'freepats-general-midi':
+ ensure => installed,
+ }
+
+ file { '/etc/conf.d/fluidsynth':
+ content => @(EOF)
+ SOUND_FONT=/usr/share/soundfonts/freepats-general-midi.sf2
+ OTHER_OPTS='-a alsa'
+ | EOF
+ }
+
+ # TODO pull in aur package from
+ # https://git.hornquist.se/archpkg/aconnect-service/
+
+ # TODO setup the rest
+
+ # - template:
+ # dest: ~/.config/aconnect/impact
+ # source: aconnect
+ # vars:
+ # input_unit: Impact LX25
+ # output_unit: FLUID Synth
+ #
+ # - systemd:
+ # name: aconnect@{{ impact }}
+ # scope: user
+ # enabled: yes
+ # become: yes
+ # become_user: hugo
+
+}
diff --git a/modules/profiles/manifests/workstation.pp b/modules/profiles/manifests/workstation.pp
index 724a1b5..fe7e1cb 100644
--- a/modules/profiles/manifests/workstation.pp
+++ b/modules/profiles/manifests/workstation.pp
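Review bot: The `ExecStart` override masks syncthing's own exit status: under `set -o pipefail` the pipeline returns the rightmost non-zero status, and `grep -v` exits 1 whenever it selected no lines, so a run that only logged INFO lines is reported to systemd as a failure, while any status syncthing exits with (the upstream unit, if the packaged one matches it, uses 3 and 4 to request a restart) is replaced by grep's. Ending the command with `; exit "${PIPESTATUS[0]}"` instead of relying on `pipefail` propagates syncthing's status unchanged. The `service` resources set `enable => true` without `ensure => running`, so a newly listed user's instance does not start until the next boot, which is worth either changing or noting in a comment.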
@@ -3,4 +3,130 @@ class profiles::workstation { include "::profiles::workstation::${os}" include ::profiles::group_profile + + # TODO only if we use systemd + file { 'User ssh-agent service': + path => '/etc/systemd/user/ssh-agent.service', + source => "puppet:///modules/profiles/ssh-agent.service", + } + + file { 'Dvorak A6 TTY keyboard layout': + ensure => file, + path => '/usr/share/kbd/keymaps/i386/dvorak/dvorak-sv-a6.map', + source => 'https://raw.githubusercontent.com/HugoNikanor/keymaps/master/linux-tty/dvorak-sv-a6.map', + } + + file { 'Dvorak A6 X11 keyboard layout': + ensure => file, + path => '/usr/share/X11/xkb/symbols/planck', + source => 'https://raw.githubusercontent.com/HugoNikanor/keymaps/master/X11/planck', + } + + $xkb_layout = 'planck' + $xkb_variant = 'dvorak_a6' + $xkb_options = 'compose:caps' + + file { 'Default X11 keymap': + ensure => file, + path => '/etc/X11/xorg.conf.d/00-keyboard.conf', + content => @("EOF") + Section "InputClass" + Identifier "system-keyboard" + MatchIsKeyboard "on" + Option "XkbLayout" "${xkb_layout}" + Option XkbModel "pc105" + Option "XkbVariant" "${xkb_variant}" + Option "XkbOptions" "${xkb_options}" + EndSection + | EOF + } + + file { 'Model M X11 keymap': + ensure => file, + path => '/etc/X11/xorg.conf.d/01-model-m.conf', + content => @(EOF) + Section "InputClass" + Identifier "Model M" + MathUSBID "17f6:0822" + Option "XkbLayout" "us" + Option "XkbVariant" "dvorak" + EndSection + | EOF + } + + file { 'Setup console': + ensure => file, + path => '/etc/vconsole.conf', + content => epp('profiles/keyvalue.epp', { 'values' => { + 'KEYMAP' => 'dvorak-sv-a6', + 'FONT' => 'lat9v-12', + }}), + } + + $cowpath = [ + '/usr/share/cows', + '/usr/local/share/cows', + ] + + file { '/etc/environment': + content => epp('profiles/keyvalue.epp', { values => { + 'COWPATH' => $cowpath.join(':'), + 'MANWIDTH' => 80, + 'MPD_HOST' => 'jukebox.lysator.liu.se', + 'PAGER' => 'less', + 'EDITOR' => '/usr/bin/vi', + 'VISUAL' => 
'/usr/bin/vim', + }}) + } + + service { 'systemd-resolved': + enable => mask, + } + + file { 'Passmenu with OTP support': + path => '/usr/local/bin/passmenu', + mode => '0555', + source => 'puppet:///modules/profiles/passmenu', + } + + file { '/etc/sudoers': + validate_cmd => '/usr/bin/visudo -cf %', + content => @(EOF) + Defaults insults + root ALL=(ALL) ALL + %root ALL=(ALL) ALL + %wheel ALL=(ALL) ALL + + @includedir /etc/sudoers.d + | EOF + } + + $locales = [ + 'en_DK.UTF-8 UTF-8', + 'en_US.UTF-8 UTF-8', + 'sv_SE.UTF-8 UTF-8', + 'sv_SE.ISO-8859-1 ISO-8859-1', + '', + ] + + file { '/etc/locale.gen': + content => $locales.join("\n") + } ~> exec { 'locale-gen': + path => [ '/bin', '/usr/bin', ], + } + + file { 'Default locales': + path => '/etc/locale.conf', + content => @(EOF) + LANG=en_US.UTF-8 + LC_TIME=sv_SE.UTF-8 + | EOF + } + + $timezone = 'Europe/Stockholm' + + file { '/etc/localtime': + ensure => link, + target => "/usr/share/zoneinfo/${timezone}", + } } diff --git a/modules/profiles/manifests/workstation/archlinux.pp b/modules/profiles/manifests/workstation/archlinux.pp index 963f4df..5274699 100644 --- a/modules/profiles/manifests/workstation/archlinux.pp +++ b/modules/profiles/manifests/workstation/archlinux.pp @@ -1,18 +1,4 @@ class profiles::workstation::archlinux { - # Rebuilt my local xmonad config after an upgrade to xmonad. - # It's required, I think due to something with dynamic linking. - # It's actually pretty ugly that I'm hardcoded in here, but - # something had to be done. - pacman::hook { 'xmonad': - description => 'Rebuild local xmonad config.', - when => 'PostTransaction', - exec => '/bin/sudo -Hu hugo xmonad --recompile', - trigger => { - type => 'Package', - operation => ['Upgrade', 'Install'], - target => 'xmonad*', - }, - } pacman::hook { 'systemd daemon-reload': description => 'Reload systemd user daemon', 
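Review bot: The two keymap `file` resources take their content from `raw.githubusercontent.com/HugoNikanor/keymaps/master/...` with no checksum, so whatever that branch serves at agent-run time is written into `/usr/share/kbd/keymaps/...` and `/usr/share/X11/xkb/symbols/planck` on every host; pin the URL to a commit and add `checksum => 'sha256'` with a `checksum_value`, or vendor the files under `files/` the way `passmenu` is. The `/etc/sudoers` resource sets `content` and a `validate_cmd` but no `owner`, `group` or `mode`, so on a host where the file is created fresh it gets Puppet's default mode, and sudo is strict about that file being root-owned and `0440`; add `owner => 'root', group => 'root', mode => '0440'`. `MathUSBID "17f6:0822"` in the Model M section is a typo for `MatchUSBID`, so that InputClass either never matches or makes Xorg reject the file, and the unquoted option name in `Option XkbModel "pc105"` differs from every sibling line and should be checked against the xorg.conf grammar as well.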
@@ -24,4 +10,43 @@ class profiles::workstation::archlinux {
 target => 'usr/lib/systemd/user/*',
 },
 }
+
+ package { 'kernel-modules-hook':
+ ensure => installed,
+ } ~> service { 'linux-modules-cleanup':
+ ensure => running,
+ enable => true,
+ }
+
+ $cpus = $facts['processors']['count'] - 1
+ file_line { 'Makepkg paralell':
+ path => '/etc/makepkg.conf',
+ after => '^#-- Make flags',
+ line => "MAKEFLAGS='-j${cpus}'"
+ }
+
+ pacman::repo { 'adrift-space':
+ ensure => present,
+ server => 'http://repo.gandalf.adrift.space/arch',
+ sig_level => 'Optional',
+ }
+
+ # remove
+ # - netctl
+
+ # aur-packages
+# - pacaur
+# - ansible-aur-git
+# - cyrus-sasl-xoauth2-git
+# - todotxt
+# - effitask
+# - getmail
+# - mu
+# # - pacaur
+# - pandoc-bin
+# - tlclient
+# # backups old modules on kernel update
+# - kernel-modules-hook
+
+
 }
diff --git a/modules/profiles/manifests/xmonad.pp b/modules/profiles/manifests/xmonad.pp
new file mode 100644
index 0000000..be8d516
--- /dev/null
+++ b/modules/profiles/manifests/xmonad.pp
@@ -0,0 +1,29 @@
+# Setup xmonad, only tested on arch linux
+class profiles::xmonad {
+ ensure_packages ([
+ 'xmonad',
+ 'xmonad-contrib',
+ # apparently really needed by xmonad
+ 'xorg-fonts-misc',
+ 'ghc',
+ 'xorg-xmessage',
+ 'dzen2',
+ 'dmenu',
+ 'rofi',
+ ], { ensure => installed })
+
+ # Rebuilt my local xmonad config after an upgrade to xmonad.
+ # It's required, I think due to something with dynamic linking.
+ # It's actually pretty ugly that I'm hardcoded in here, but
+ # something had to be done.
+ pacman::hook { 'xmonad':
+ description => 'Rebuild local xmonad config.',
+ when => 'PostTransaction',
+ exec => '/bin/sudo -Hu hugo xmonad --recompile',
+ trigger => {
+ type => 'Package',
+ operation => ['Upgrade', 'Install'],
+ target => 'xmonad*',
+ },
+ }
+}
diff --git a/modules/profiles/templates/aconnect.epp b/modules/profiles/templates/aconnect.epp
new file mode 100644
index 0000000..044ada6
--- /dev/null
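Review bot: `pacman::repo { 'adrift-space': server => 'http://repo.gandalf.adrift.space/arch', sig_level => 'Optional' }` pulls packages over plain HTTP with signature checking made optional, so an unsigned or replaced package injected by anyone on the network path is installed as root without complaint; switch to an `https://` URL and `sig_level => 'Required DatabaseOptional'` (or at least `Required`) with the repository's signing key imported into pacman's keyring, and say in a comment which key that is. `$cpus = $facts['processors']['count'] - 1` produces `MAKEFLAGS='-j0'` on a single-CPU host, which GNU make rejects as an invalid job count, so clamp it with `max(1, $facts['processors']['count'] - 1)`. The trailing commented-out package lists carry nothing actionable and would read better as a single `# TODO` pointing at the AUR helper that is meant to install them.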
+++ b/modules/profiles/templates/aconnect.epp
@@ -0,0 +1,8 @@
+<%- | String $input_unit,
+ String $output_unit
+| -%>
+# Where data comes from
+INPUT_UNIT='<%= $input_unit %>'
+# Where it should go
+OUTPUT_UNIT='<%= $output_unit %>'
+
diff --git a/modules/profiles/templates/imagemagick-policy.xml.epp b/modules/profiles/templates/imagemagick-policy.xml.epp
new file mode 100644
index 0000000..cbea9e9
--- /dev/null
+++ b/modules/profiles/templates/imagemagick-policy.xml.epp
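Review bot: `INPUT_UNIT='<%= $input_unit %>'` and `OUTPUT_UNIT='<%= $output_unit %>'` drop the parameters inside single quotes without escaping, so a unit name containing `'` breaks the quoting and, if the consumer sources this file as shell (the aconnect unit that reads it is not in this diff, so this is inferred), whatever follows the quote is executed; ALSA client names are free-form strings, so emit `INPUT_UNIT=<%= shellquote($input_unit) %>` and the same for the output, or reject `'` in the caller. A header comment naming the consumer, e.g. `# Read by the aconnect@ user unit (see profiles::synth)`, would also tell the next reader what quoting rules actually apply here.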
@@ -0,0 +1,89 @@
+<%- | Array[Hash] $policies | -%>
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE policymap [
+ <!ELEMENT policymap (policy)*>
+ <!ATTLIST policymap xmlns CDATA #FIXED ''>
+ <!ELEMENT policy EMPTY>
+ <!ATTLIST policy xmlns CDATA #FIXED '' domain NMTOKEN #REQUIRED
+ name NMTOKEN #IMPLIED pattern CDATA #IMPLIED rights NMTOKEN #IMPLIED
+ stealth NMTOKEN #IMPLIED value CDATA #IMPLIED>
+]>
+<!--
+ Configure ImageMagick policies.
+
+ Domains include system, delegate, coder, filter, path, or resource.
+
+ Rights include none, read, write, execute and all. Use | to combine them,
+ for example: "read | write" to permit read from, or write to, a path.
+
+ Use a glob expression as a pattern.
+
+ Suppose we do not want users to process MPEG video images:
+
+ <policy domain="delegate" rights="none" pattern="mpeg:decode" />
+
+ Here we do not want users reading images from HTTP:
+
+ <policy domain="coder" rights="none" pattern="HTTP" />
+
+ The /repository file system is restricted to read only. We use a glob
+ expression to match all paths that start with /repository:
+
+ <policy domain="path" rights="read" pattern="/repository/*" />
+
+ Lets prevent users from executing any image filters:
+
+ <policy domain="filter" rights="none" pattern="*" />
+
+ Any large image is cached to disk rather than memory:
+
+ <policy domain="resource" name="area" value="1GP"/>
+
+ Use the default system font unless overwridden by the application:
+
+ <policy domain="system" name="font" value="/usr/share/fonts/favorite.ttf"/>
+
+ Define arguments for the memory, map, area, width, height and disk resources
+ with SI prefixes (.e.g 100MB). In addition, resource policies are maximums
+ for each instance of ImageMagick (e.g. policy memory limit 1GB, -limit 2GB
+ exceeds policy maximum so memory limit is 1GB).
+
+ Rules are processed in order. 
Here we want to restrict ImageMagick to only
+ read or write a small subset of proven web-safe image types:
+
+ <policy domain="delegate" rights="none" pattern="*" />
+ <policy domain="filter" rights="none" pattern="*" />
+ <policy domain="coder" rights="none" pattern="*" />
+ <policy domain="coder" rights="read|write" pattern="{GIF,JPEG,PNG,WEBP}" />
+-->
+<policymap>
+ <!-- Sample policies -->
+ <!-- <policy domain="resource" name="temporary-path" value="/tmp"/> -->
+ <!-- <policy domain="resource" name="memory" value="2GiB"/> -->
+ <!-- <policy domain="resource" name="map" value="4GiB"/> -->
+ <!-- <policy domain="resource" name="width" value="10KP"/> -->
+ <!-- <policy domain="resource" name="height" value="10KP"/> -->
+ <!-- <policy domain="resource" name="list-length" value="128"/> -->
+ <!-- <policy domain="resource" name="area" value="100MP"/> -->
+ <!-- <policy domain="resource" name="disk" value="16EiB"/> -->
+ <!-- <policy domain="resource" name="file" value="768"/> -->
+ <!-- <policy domain="resource" name="thread" value="4"/> -->
+ <!-- <policy domain="resource" name="throttle" value="0"/> -->
+ <!-- <policy domain="resource" name="time" value="3600"/> -->
+ <!-- <policy domain="coder" rights="none" pattern="MVG" /> -->
+ <!-- <policy domain="module" rights="none" pattern="{PS,PDF,XPS}" /> -->
+ <!-- <policy domain="delegate" rights="none" pattern="HTTPS" /> -->
+ <!-- <policy domain="path" rights="none" pattern="@*" /> -->
+ <!-- <policy domain="cache" name="memory-map" value="anonymous"/> -->
+ <!-- <policy domain="cache" name="synchronize" value="True"/> -->
+ <!-- <policy domain="cache" name="shared-secret" value="passphrase" stealth="true"/> -->
+ <!-- <policy domain="system" name="max-memory-request" value="256MiB"/> -->
+ <!-- <policy domain="system" name="shred" value="2"/> -->
+ <!-- <policy domain="system" name="precision" value="6"/> -->
+ <!-- <policy domain="system" name="font" value="/path/to/unicode-font.ttf"/> -->
+ <!-- Below policies 
generated from puppet -->
+ <% $policies.map |$policy| { %>
+ <policy domain="<%= $policy['domain'] %>" rights="<%= $policy['rights'] %>" pattern="<%= $policy['pattern'] %>" />
+ <%- } %>
+</policymap>
+<!-- NOTE File managed by puppet, any manual changes will be overwritten. -->
diff --git a/modules/profiles/templates/keyvalue.epp b/modules/profiles/templates/keyvalue.epp
new file mode 100644
index 0000000..694978a
--- /dev/null
+++ b/modules/profiles/templates/keyvalue.epp
@@ -0,0 +1,4 @@
+<%- | Hash $values | -%>
+<% $values.map |$key, $value| { -%>
+<%= $key %>=<%= $value %>
+<%- } %> |
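Review bot: The generated `<policy domain=... rights=... pattern=... />` line knows only those three attributes, so the `resource`, `cache` and `system` rules that take `name`/`value` (the memory, disk, width/height and time limits that make up most of ImageMagick's hardening) cannot be expressed through this template at all, while every sample rule above it is commented out; let each hash carry optional `name`, `value` and `stealth` keys and emit an attribute only when its key is present. `Array[Hash]` also accepts a hash with a missing key, which renders as an empty attribute that is only noticed when ImageMagick parses the file, so tighten the parameter to `Array[Struct[{domain => String, rights => String, pattern => String}]]` (extended with the optional keys). The values are not XML-escaped either; that is fine while they come from Puppet code, and a one-line comment saying so would stop someone from feeding the template Hiera data without checking.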
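Review bot: `<%= $key %>=<%= $value %>` writes both halves verbatim with no quoting, no escaping and no newline check, so a value containing a newline becomes a second key, and values with quotes, whitespace or `#` are read differently by each of the consumers this commit points the template at (`/etc/environment` through pam_env, `/etc/vconsole.conf`, `/etc/locale.conf`). Tighten the parameter to `Hash[String, Variant[String, Integer]]` and either fail on newlines or quote the value, and document the intended consumers in a header comment so the next caller knows which quoting rules it must satisfy. The loop runs for its output only, so `each` reads better than `map` here.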