From 74f508b9bba9ebbccc891307ee90c357c82e4f4c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Hugo=20H=C3=B6rnquist?= Date: Tue, 29 Jun 2021 18:41:59 +0200 Subject: Initial commit. --- modules/cgit/files/filters/hugo-authentication.lua | 331 +++++++++++++++++++++ modules/cgit/files/filters/hugo-highlighting.sh | 138 +++++++++ modules/cgit/files/filters/hugo-pre.sh | 15 + modules/cgit/files/logo.png | Bin 0 -> 16244 bytes modules/cgit/files/logo_large.png | Bin 0 -> 105311 bytes modules/cgit/files/root_readme | 17 ++ modules/cgit/manifests/init.pp | 62 ++++ modules/cgit/templates/cgitrc.epp | 64 ++++ 8 files changed, 627 insertions(+) create mode 100644 modules/cgit/files/filters/hugo-authentication.lua create mode 100755 modules/cgit/files/filters/hugo-highlighting.sh create mode 100755 modules/cgit/files/filters/hugo-pre.sh create mode 100644 modules/cgit/files/logo.png create mode 100644 modules/cgit/files/logo_large.png create mode 100644 modules/cgit/files/root_readme create mode 100644 modules/cgit/manifests/init.pp create mode 100644 modules/cgit/templates/cgitrc.epp (limited to 'modules') diff --git a/modules/cgit/files/filters/hugo-authentication.lua b/modules/cgit/files/filters/hugo-authentication.lua new file mode 100644 index 0000000..df97579 --- /dev/null +++ b/modules/cgit/files/filters/hugo-authentication.lua @@ -0,0 +1,331 @@ +-- This script may be used with the auth-filter. Be sure to configure it as you wish. +-- +-- Requirements: +-- luaossl +-- +-- luaposix +-- +-- +local sysstat = require("posix.sys.stat") +local unistd = require("posix.unistd") +local rand = require("openssl.rand") +local hmac = require("openssl.hmac") + +-- +-- +-- Configure these variables for your settings. +-- +-- + +-- A list of password protected repositories along with the users who can access them. +local protected_repos = { + glouglou = { laurent = true, jason = true }, + qt = { jason = true, bob = true } +} + +local public_repos = {} +public_repos["wiki-public" ] = true +public_repos["lyslib" ] = true +public_repos["calp" ] = true +public_repos["texttv" ] = true +public_repos["scheme-monad" ] = true +public_repos["scheme/math-parse" ] = true +public_repos["file-descriptor-graph"] = true + +-- A list of users and hashes, generated with `mkpasswd -m sha-512 -R 300000`. +local users = { + hugo = "$6$13z1Pf.U8itrCRX6$g2BZpaMk1CLiT6117paWXB2qdQFRc3rsGWL4iF5h5QbHo27oljTdHk69oQWAvqlVf13aLTUF3nYw65lEp88r/1" +} + +-- Set this to a path this script can write to for storing a persistent +-- cookie secret, which should be guarded. +local secret_filename = "/var/cache/cgit/auth-secret" + +-- +-- +-- Authentication functions follow below. Swap these out if you want different authentication semantics. +-- +-- + +-- Sets HTTP cookie headers based on post and sets up redirection. +function authenticate_post() + local hash = users[post["username"]] + local redirect = validate_value("redirect", post["redirect"]) + + if redirect == nil then + not_found() + return 0 + end + + redirect_to(redirect) + + if hash == nil or hash ~= unistd.crypt(post["password"], hash) then + set_cookie("cgitauth", "") + else + -- One week expiration time + local username = secure_value("username", post["username"], os.time() + 604800) + set_cookie("cgitauth", username) + end + + html("\n") + return 0 +end + + +-- Returns 1 if the cookie is valid and 0 if it is not. +function authenticate_cookie() + + -- Everyone has access to the index page. + -- printenv(os.getenv("CGIT_REPO_NAME")); + if cgit["repo"] == "" then + return 1 + end + + ispublic = public_repos[cgit["repo"]] + -- accepted_users = protected_repos[cgit["repo"]] + if ispublic == true then + -- We return as valid if the repo is public + return 1 + end + + local username = validate_value("username", get_cookie(http["cookie"], "cgitauth")) + if username == nil then + return 0 + else + return 1 + end +end + +-- Prints the html for the login form. +function body() + html("

Authentication Required

") + -- html("HTML = ") + -- html(tostring(cgit["repo"] == "")) + html("
") + html("") + html("") + html("") + html("") + html("") + html("
") + + return 0 +end + + + +-- +-- +-- Wrapper around filter API, exposing the http table, the cgit table, and the post table to the above functions. +-- +-- + +local actions = {} +actions["authenticate-post"] = authenticate_post +actions["authenticate-cookie"] = authenticate_cookie +actions["body"] = body + +function filter_open(...) + action = actions[select(1, ...)] + + http = {} + http["cookie"] = select(2, ...) + http["method"] = select(3, ...) + http["query"] = select(4, ...) + http["referer"] = select(5, ...) + http["path"] = select(6, ...) + http["host"] = select(7, ...) + http["https"] = select(8, ...) + + cgit = {} + cgit["repo"] = select(9, ...) + cgit["page"] = select(10, ...) + cgit["url"] = select(11, ...) + cgit["login"] = select(12, ...) + +end + +function filter_close() + return action() +end + +function filter_write(str) + post = parse_qs(str) +end + + +-- +-- +-- Utility functions based on keplerproject/wsapi. +-- +-- + +function url_decode(str) + if not str then + return "" + end + str = string.gsub(str, "+", " ") + str = string.gsub(str, "%%(%x%x)", function(h) return string.char(tonumber(h, 16)) end) + str = string.gsub(str, "\r\n", "\n") + return str +end + +function url_encode(str) + if not str then + return "" + end + str = string.gsub(str, "\n", "\r\n") + str = string.gsub(str, "([^%w ])", function(c) return string.format("%%%02X", string.byte(c)) end) + str = string.gsub(str, " ", "+") + return str +end + +function parse_qs(qs) + local tab = {} + for key, val in string.gmatch(qs, "([^&=]+)=([^&=]*)&?") do + tab[url_decode(key)] = url_decode(val) + end + return tab +end + +function get_cookie(cookies, name) + cookies = string.gsub(";" .. cookies .. ";", "%s*;%s*", ";") + return url_decode(string.match(cookies, ";" .. name .. "=(.-);")) +end + +function tohex(b) + local x = "" + for i = 1, #b do + x = x .. string.format("%.2x", string.byte(b, i)) + end + return x +end + +-- +-- +-- Cookie construction and validation helpers. +-- +-- + +local secret = nil + +-- Loads a secret from a file, creates a secret, or returns one from memory. +function get_secret() + if secret ~= nil then + return secret + end + local secret_file = io.open(secret_filename, "r") + if secret_file == nil then + local old_umask = sysstat.umask(63) + local temporary_filename = secret_filename .. ".tmp." .. tohex(rand.bytes(16)) + local temporary_file = io.open(temporary_filename, "w") + if temporary_file == nil then + os.exit(177) + end + temporary_file:write(tohex(rand.bytes(32))) + temporary_file:close() + unistd.link(temporary_filename, secret_filename) -- Intentionally fails in the case that another process is doing the same. + unistd.unlink(temporary_filename) + sysstat.umask(old_umask) + secret_file = io.open(secret_filename, "r") + end + if secret_file == nil then + os.exit(177) + end + secret = secret_file:read() + secret_file:close() + if secret:len() ~= 64 then + os.exit(177) + end + return secret +end + +-- Returns value of cookie if cookie is valid. Otherwise returns nil. +function validate_value(expected_field, cookie) + local i = 0 + local value = "" + local field = "" + local expiration = 0 + local salt = "" + local chmac = "" + + if cookie == nil or cookie:len() < 3 or cookie:sub(1, 1) == "|" then + return nil + end + + for component in string.gmatch(cookie, "[^|]+") do + if i == 0 then + field = component + elseif i == 1 then + value = component + elseif i == 2 then + expiration = tonumber(component) + if expiration == nil then + expiration = -1 + end + elseif i == 3 then + salt = component + elseif i == 4 then + chmac = component + else + break + end + i = i + 1 + end + + if chmac == nil or chmac:len() == 0 then + return nil + end + + -- Lua hashes strings, so these comparisons are time invariant. + if chmac ~= tohex(hmac.new(get_secret(), "sha256"):final(field .. "|" .. value .. "|" .. tostring(expiration) .. "|" .. salt)) then + return nil + end + + if expiration == -1 or (expiration ~= 0 and expiration <= os.time()) then + return nil + end + + if url_decode(field) ~= expected_field then + return nil + end + + return url_decode(value) +end + +function secure_value(field, value, expiration) + if value == nil or value:len() <= 0 then + return "" + end + + local authstr = "" + local salt = tohex(rand.bytes(16)) + value = url_encode(value) + field = url_encode(field) + authstr = field .. "|" .. value .. "|" .. tostring(expiration) .. "|" .. salt + authstr = authstr .. "|" .. tohex(hmac.new(get_secret(), "sha256"):final(authstr)) + return authstr +end + +function set_cookie(cookie, value) + html("Set-Cookie: " .. cookie .. "=" .. value .. "; HttpOnly") + if http["https"] == "yes" or http["https"] == "on" or http["https"] == "1" then + html("; secure") + end + html("\n") +end + +function redirect_to(url) + html("Status: 302 Redirect\n") + html("Cache-Control: no-cache, no-store\n") + html("Location: " .. url .. "\n") +end + +function not_found() + html("Status: 404 Not Found\n") + html("Cache-Control: no-cache, no-store\n\n") +end diff --git a/modules/cgit/files/filters/hugo-highlighting.sh b/modules/cgit/files/filters/hugo-highlighting.sh new file mode 100755 index 0000000..603b8ab --- /dev/null +++ b/modules/cgit/files/filters/hugo-highlighting.sh @@ -0,0 +1,138 @@ +#!/bin/bash +# This script can be used to implement syntax highlighting in the cgit +# tree-view by refering to this file with the source-filter or repo.source- +# filter options in cgitrc. +# +# This script requires a shell supporting the ${var##pattern} syntax. +# It is supported by at least dash and bash, however busybox environments +# might have to use an external call to sed instead. +# +# Note: the highlight command (http://www.andre-simon.de/) uses css for syntax +# highlighting, so you'll probably want something like the following included +# in your css file: +# +# Style definition file generated by highlight 2.4.8, http://www.andre-simon.de/ +# +# table.blob .num { color:#2928ff; } +# table.blob .esc { color:#ff00ff; } +# table.blob .str { color:#ff0000; } +# table.blob .dstr { color:#818100; } +# table.blob .slc { color:#838183; font-style:italic; } +# table.blob .com { color:#838183; font-style:italic; } +# table.blob .dir { color:#008200; } +# table.blob .sym { color:#000000; } +# table.blob .kwa { color:#000000; font-weight:bold; } +# table.blob .kwb { color:#830000; } +# table.blob .kwc { color:#000000; font-weight:bold; } +# table.blob .kwd { color:#010181; } +# +# +# Style definition file generated by highlight 2.6.14, http://www.andre-simon.de/ +# +# body.hl { background-color:#ffffff; } +# pre.hl { color:#000000; background-color:#ffffff; font-size:10pt; font-family:'Courier New';} +# .hl.num { color:#2928ff; } +# .hl.esc { color:#ff00ff; } +# .hl.str { color:#ff0000; } +# .hl.dstr { color:#818100; } +# .hl.slc { color:#838183; font-style:italic; } +# .hl.com { color:#838183; font-style:italic; } +# .hl.dir { color:#008200; } +# .hl.sym { color:#000000; } +# .hl.line { color:#555555; } +# .hl.mark { background-color:#ffffbb;} +# .hl.kwa { color:#000000; font-weight:bold; } +# .hl.kwb { color:#830000; } +# .hl.kwc { color:#000000; font-weight:bold; } +# .hl.kwd { color:#010181; } +# +# +# Style definition file generated by highlight 3.8, http://www.andre-simon.de/ +# +# body.hl { background-color:#e0eaee; } +# pre.hl { color:#000000; background-color:#e0eaee; font-size:10pt; font-family:'Courier New';} +# .hl.num { color:#b07e00; } +# .hl.esc { color:#ff00ff; } +# .hl.str { color:#bf0303; } +# .hl.pps { color:#818100; } +# .hl.slc { color:#838183; font-style:italic; } +# .hl.com { color:#838183; font-style:italic; } +# .hl.ppc { color:#008200; } +# .hl.opt { color:#000000; } +# .hl.lin { color:#555555; } +# .hl.kwa { color:#000000; font-weight:bold; } +# .hl.kwb { color:#0057ae; } +# .hl.kwc { color:#000000; font-weight:bold; } +# .hl.kwd { color:#010181; } +# +# +# Style definition file generated by highlight 3.13, http://www.andre-simon.de/ +# +# body.hl { background-color:#e0eaee; } +# pre.hl { color:#000000; background-color:#e0eaee; font-size:10pt; font-family:'Courier New',monospace;} +# .hl.num { color:#b07e00; } +# .hl.esc { color:#ff00ff; } +# .hl.str { color:#bf0303; } +# .hl.pps { color:#818100; } +# .hl.slc { color:#838183; font-style:italic; } +# .hl.com { color:#838183; font-style:italic; } +# .hl.ppc { color:#008200; } +# .hl.opt { color:#000000; } +# .hl.ipl { color:#0057ae; } +# .hl.lin { color:#555555; } +# .hl.kwa { color:#000000; font-weight:bold; } +# .hl.kwb { color:#0057ae; } +# .hl.kwc { color:#000000; font-weight:bold; } +# .hl.kwd { color:#010181; } +# +# +# The following environment variables can be used to retrieve the configuration +# of the repository for which this script is called: +# CGIT_REPO_URL ( = repo.url setting ) +# CGIT_REPO_NAME ( = repo.name setting ) +# CGIT_REPO_PATH ( = repo.path setting ) +# CGIT_REPO_OWNER ( = repo.owner setting ) +# CGIT_REPO_DEFBRANCH ( = repo.defbranch setting ) +# CGIT_REPO_SECTION ( = section setting ) +# CGIT_REPO_CLONE_URL ( = repo.clone-url setting ) +# + +# store filename and extension in local vars +BASENAME="$1" +EXTENSION="${BASENAME##*.}" + +[ "${BASENAME}" = "${EXTENSION}" ] && EXTENSION=txt +[ -z "${EXTENSION}" ] && EXTENSION=txt + +# map Makefile and Makefile.* to .mk +[ "${BASENAME%%.*}" = "Makefile" ] && EXTENSION=mk + +# highlight versions 2 and 3 have different commandline options. Specifically, +# the -X option that is used for version 2 is replaced by the -O xhtml option +# for version 3. +# +# Version 2 can be found (for example) on EPEL 5, while version 3 can be +# found (for example) on EPEL 6. +# +# This is for version 2 +#exec highlight --force -f -I -X -S "$EXTENSION" 2>/dev/null + +# env + +extension=${REQUEST_URI: -3} + +case $extension in + org) + temp=$(mktemp) + cat - > $temp.org + emacs $temp.org \ + --quick \ + --batch \ + --funcall org-html-export-to-html \ + --kill + tail -n+10 $temp.html + exit 0 + ;; +esac + +exec highlight --force -f -I -O xhtml -S "$EXTENSION" # 2>/dev/null diff --git a/modules/cgit/files/filters/hugo-pre.sh b/modules/cgit/files/filters/hugo-pre.sh new file mode 100755 index 0000000..de94b26 --- /dev/null +++ b/modules/cgit/files/filters/hugo-pre.sh @@ -0,0 +1,15 @@ +#!/bin/bash + +name=$1 + +extension=${1: -3} + +case $extension in + .md) markdown ;; + *) + cat <<- EOF + 
$(cat -)
+ EOF + ;; +esac + diff --git a/modules/cgit/files/logo.png b/modules/cgit/files/logo.png new file mode 100644 index 0000000..5c39e4a Binary files /dev/null and b/modules/cgit/files/logo.png differ diff --git a/modules/cgit/files/logo_large.png b/modules/cgit/files/logo_large.png new file mode 100644 index 0000000..bbfa2b5 Binary files /dev/null and b/modules/cgit/files/logo_large.png differ diff --git a/modules/cgit/files/root_readme b/modules/cgit/files/root_readme new file mode 100644 index 0000000..aabf4df --- /dev/null +++ b/modules/cgit/files/root_readme @@ -0,0 +1,17 @@ + _______________________ +< Den som gör bestämmer > + ----------------------- +\ . . + \ / `. .' " + \ .---. < > < > .---. + \ | \ \ - ~ ~ - / / | + _____ ..-~ ~-..-~ + | | \~~~\.' `./~~~/ + --------- \__/ \__/ + .' O \ / / \ " + (_____, `._.' | } \/~~~/ + `----. / } | / \__/ + `-. | / | / `. ,~~| + ~-.__| /_ - ~ ^| /- _ `..-' + | / | / ~-. `-. _ _ _ + |_____| |_____| ~ - . _ _ _ _ _> diff --git a/modules/cgit/manifests/init.pp b/modules/cgit/manifests/init.pp new file mode 100644 index 0000000..c1a981b --- /dev/null +++ b/modules/cgit/manifests/init.pp @@ -0,0 +1,62 @@ +class cgit ( + String $root = '/var/www/cgit', + String $filterpath = '/usr/lib/cgit/extra-filters', + String $root_title, + String $root_desc, + String $about_filter, + String $auth_filter, + String $source_filter, + String $scan_path, + Array[String] $clone_url, +) { + + # TODO figure out where CSS comes from + + ensure_packages([ + 'cgit', + ], { ensure => installed }) + + file { '/etc/cgitrc': + ensure => file, + content => epp('cgit/cgitrc.epp'), + } + + file { "${root}/logo": + ensure => directory, + } + + file { "${root}/logo/logo.png": + ensure => file, + source => 'puppet:///modules/cgit/logo.png', + } + + file { "${root}/logo/logo_large.png": + ensure => file, + source => 'puppet:///modules/cgit/logo_large.png', + } + + file { "${root}/root_readme": + ensure => file, + source => 'puppet:///modules/cgit/root_readme', + } + + file { dirname($filterpath): + ensure => directory, + } + + file { $filterpath: + ensure => directory, + } + + [$about_filter, $source_filter, $auth_filter].each |$f| { + file { "${filterpath}/${f}": + ensure => file, + source => "puppet:///modules/cgit/filters/${f}", + mode => stdlib::extname($f) ? { + '.lua' => '0444', + default => '0555', + }, + } + } + +} diff --git a/modules/cgit/templates/cgitrc.epp b/modules/cgit/templates/cgitrc.epp new file mode 100644 index 0000000..9434213 --- /dev/null +++ b/modules/cgit/templates/cgitrc.epp @@ -0,0 +1,64 @@ +# +# cgit config +# see cgitrc(5) for details +# +# FILE MANAGED BY PUPPET +# + +# css=/cgit.css +logo=/logo/logo.png +# favicon=/favicon.ico + +enable-index-owner=1 + +root-title=<%= $cgit::root_title %> +#root-desc=Tändes endast mot lådans plån +root-desc=<%= $cgit::root_desc %> +# Also causes the `about' page to exist +# /usr/lib/cgit/readme +root-readme=<%= $cgit::root %>/root_readme + +#source-filter=/srv/filters/dispatch.sh + +# about-filter=/usr/local/lib/cgit/filters/hugo-pre.sh +# auth-filter=lua:/usr/local/lib/cgit/filters/hugo-authentication.lua +# source-filter=/usr/local/lib/cgit/filters/hugo-highlighting.sh +about-filter=<%= $cgit::filterpath %>/<%= $cgit::about_filter %> +auth-filter=<% if stdlib::extname($cgit::auth_filter) == '.lua' { + -%>lua:<% + } -%><%= $cgit::filterpath %>/<%= $cgit::auth_filter %> +source-filter=<%= $cgit::filterpath %>/<%= $cgit::source_filter %> + +enable-follow-links=1 +enable-subject-links=1 # show commit summary for parrent + +#side-by-side-diffs=1 +enable-commit-graph=1 +enable-index-links=1 +enable-remote-branches=1 +local-time=1 + +case-sensative-sort=0 + +max-repo-count=100 + +enable-http-clone=1 +clone-url=<%= $cgit::clone_url.join(' ') %> + +readme=:README +readme=:README.md +readme=:README.txt +readme=:readme +readme=:readme.md +readme=:readme.txt + +virtual-root= +remove-suffix=1 +section-from-path=1 +enable-git-config=1 + +# section=~/git +snapshots=tar.gz tar.xz +scan-path=<%= $cgit::scan_path %> + +#scan-path=/var/www/git/repositories/ -- cgit v1.2.3 From c4550e854d78c4e79da20d31b2a4ca0311b46857 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Hugo=20H=C3=B6rnquist?= Date: Tue, 29 Jun 2021 22:29:16 +0200 Subject: Blog working. --- modules/blog/files/footers/about.md | 11 +++++ modules/blog/files/footers/contact.md | 12 ++++++ modules/blog/files/footers/legal.md | 28 +++++++++++++ modules/blog/files/footers/qna.md | 13 ++++++ modules/blog/manifests/init.pp | 78 +++++++++++++++++++++++++++++++++++ 5 files changed, 142 insertions(+) create mode 100644 modules/blog/files/footers/about.md create mode 100644 modules/blog/files/footers/contact.md create mode 100644 modules/blog/files/footers/legal.md create mode 100644 modules/blog/files/footers/qna.md create mode 100644 modules/blog/manifests/init.pp (limited to 'modules') diff --git a/modules/blog/files/footers/about.md b/modules/blog/files/footers/about.md new file mode 100644 index 0000000..ffec622 --- /dev/null +++ b/modules/blog/files/footers/about.md @@ -0,0 +1,11 @@ +#About + +This is a blog and website written and maintained by Hugo Hornquist (me). + +I will primarily post computer related information, and mostly in Swedish. +Some entries might however be written in English to allow for a temporary larger audience. +The about pages are written in English for that reason (Hello! Non Swedes!). + +--- + +A (hopefully) up to date version of the source code for the website is available [here](//github.com/HugoNikanor/website-blog-2). However, be aware that any blog entries, the four files in the bottom bar as well as some other parts of the website are not included in that repository. diff --git a/modules/blog/files/footers/contact.md b/modules/blog/files/footers/contact.md new file mode 100644 index 0000000..651fec4 --- /dev/null +++ b/modules/blog/files/footers/contact.md @@ -0,0 +1,12 @@ +#Contact + +There are many ways to contact me, and most of them serve different purposes. + +All regular blog entries should have a comment field where you are more than welcome to write your thoughts. I do however reserve the full right to moderate the comments, and remove comments of an unacceptable nature (you are however free to disagree with me). + +I have an email address for other general contact at . + +A Twitter account is also present for twittery stuff. [@hugonikanor](//twitter.com/hugonikanor) + +Feel free to contact me in another way if you find out how, I can't however guarantee that I will answer your queries regardless of communications method. + diff --git a/modules/blog/files/footers/legal.md b/modules/blog/files/footers/legal.md new file mode 100644 index 0000000..87966c7 --- /dev/null +++ b/modules/blog/files/footers/legal.md @@ -0,0 +1,28 @@ +#Legal + +Website built by Hugo Hornquist (me), however, some parts are made by other people with their permission. + +###[Parsedown](//parsedown.org) +Parsedown is used for tracing the markdown files the entries are written in into proper html. +It is used under the MIT License, readable [here](https://raw.githubusercontent.com/erusev/parsedown/master/LICENSE.txt) + +###[imgur](//imgur.com) +Most images are hosted by imgur. You can read the appropriate terms of service [here](//imgur.com/tos). + +### [RSS Logo](//www.mozilla.org/en-US/foundation/feed-icon-guidelines/) +This is my public statement that I try to follow these guidelines. + +--- + +##Disclaimer + +Any text on this website is subject to change at any time. Everything that I write is in some way shape or form connected to me. Please refrain from being majorly offended by my opinions and remember that I have moderation capabilities. + +--- + +Upon pressing the following button you agree to give your soul to whatever form of devil you believe in. If a deity of required sort isn't available then you instead surrender your legally owned land to the former communist state. + +
+ +
+
diff --git a/modules/blog/files/footers/qna.md b/modules/blog/files/footers/qna.md new file mode 100644 index 0000000..baa611a --- /dev/null +++ b/modules/blog/files/footers/qna.md @@ -0,0 +1,13 @@ +#Questions and Answers + +**Q: Who are you?** +A: *Who knows, but I have a blog that you can read [here](https://www.youtube.com/watch?v=dQw4w9WgXcQ).* + +**Q: What comment system are you using?** +A: *My own comment system, available [here](//github.com/hugonikanor/website-comment-system)* + +**Q: Do you have an RSS feed?** +A: *[I do now!](./rss.php)* + +##Have a question? +If you have a question of your own you would like to see answered, [contact me](./?filename=contact.md). diff --git a/modules/blog/manifests/init.pp b/modules/blog/manifests/init.pp new file mode 100644 index 0000000..a639311 --- /dev/null +++ b/modules/blog/manifests/init.pp @@ -0,0 +1,78 @@ +define blog ( + String $root, +) { + vcsrepo { $root: + ensure => latest, + provider => git, + source => 'https://github.com/HugoNikanor/website-blog-2.git', + revision => 'master', + # keep_local_changes => true, + owner => 'hugo', + group => 'www-data', + } + + vcsrepo { "${root}/entries": + ensure => latest, + provider => git, + source => '/home/git/git/blog-entries.git', + revision => 'master', + owner => 'hugo', + group => 'www-data', + } + + file { "${root}/settings.php": + ensure => file, + content => @(EOF) + directory, + recurse => true, + } + + $foot_files = [ + ['about.md', 'About'], + ['contact.md', 'Contact'], + ['legal.md', 'Legal'], + ['qna.md', '"Q&A"'], + ] + + $foot_files.each |$item| { + file { "${root}/footnote/${item[0]}": + source => "puppet:///modules/blog/footers/${item[0]}", + } + } + + + $files_ini = join($foot_files.map |$item| { + @("EOF") + files[] = ${item[0]} + title[] = ${item[1]} + | EOF + }) + + file { "${root}/special-files.ini": + ensure => file, + content => @("EOF") + ; FILE MANAGED BY PUPPET + ; + ; Which files on the website that are "special" + ; This basicly means that they shouldn't have comments + [footnote] + ${files_ini} + + [other] + files[] = list + files[] = entry-not-found.md + | EOF + } +} -- cgit v1.2.3 From 916b1f0f97288db063cc8cec23a54d4253940d0d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Hugo=20H=C3=B6rnquist?= Date: Tue, 29 Jun 2021 22:43:52 +0200 Subject: Firewall. --- modules/profiles/files/firewall/rules.v4 | 15 +++++++++++++++ modules/profiles/manifests/firewall.pp | 19 +++++++++++++++++++ 2 files changed, 34 insertions(+) create mode 100644 modules/profiles/files/firewall/rules.v4 create mode 100644 modules/profiles/manifests/firewall.pp (limited to 'modules') diff --git a/modules/profiles/files/firewall/rules.v4 b/modules/profiles/files/firewall/rules.v4 new file mode 100644 index 0000000..bdc63cc --- /dev/null +++ b/modules/profiles/files/firewall/rules.v4 @@ -0,0 +1,15 @@ +# Generated by iptables-save v1.8.4 on Thu Jun 3 20:27:52 2021 +*filter +:INPUT DROP [120:97784] +:FORWARD ACCEPT [0:0] +:OUTPUT ACCEPT [526:114637] +-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT +-A INPUT -p udp -m udp --dport 67:68 -j ACCEPT +-A INPUT -p icmp -j ACCEPT +-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT +-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT +-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT +-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT +-A INPUT -p udp -m udp --dport 53 -j ACCEPT +COMMIT +# Completed on Thu Jun 3 20:27:52 2021 diff --git a/modules/profiles/manifests/firewall.pp b/modules/profiles/manifests/firewall.pp new file mode 100644 index 0000000..6c9d7e6 --- /dev/null +++ b/modules/profiles/manifests/firewall.pp @@ -0,0 +1,19 @@ +class profiles::firewall { + ensure_packages ([ + 'iptables-persistent', + 'fail2ban', + ], { ensure => installed }) + + file { '/etc/iptables/rules.v4': + source => 'puppet:///modules/profiles/firewall/rules.v4', + } ~> exec { 'reload firewall': + command => '/usr/share/netfilter-persistent/plugins.d/15-ip4tables restart', + refreshonly => true, + } + + service { 'fail2ban': + ensure => running, + enable => true, + } + +} -- cgit v1.2.3 From 4df780796ecdb85158add0d6bfcb9350e4ecf60d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Hugo=20H=C3=B6rnquist?= Date: Sun, 4 Jul 2021 23:11:51 +0200 Subject: Add gandalf with remarkable conf. --- modules/profiles/manifests/remarkable.pp | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 modules/profiles/manifests/remarkable.pp (limited to 'modules') diff --git a/modules/profiles/manifests/remarkable.pp b/modules/profiles/manifests/remarkable.pp new file mode 100644 index 0000000..73ee5e7 --- /dev/null +++ b/modules/profiles/manifests/remarkable.pp @@ -0,0 +1,31 @@ +define profiles::remarkable ( + String $prefix = '10.11.99', + String $addr = '2', +) { + + file_line { 'remarkable usb': + ensure => present, + path => '/etc/hosts', + line => "${prefix}.1 remarkable.usb", + } + + file_line { 'remarkable usb self': + ensure => present, + path => '/etc/hosts', + line => "${prefix}.${addr} host.usb", + } + + file { '/etc/systemd/network/25-remarkable-usb.network': + ensure => present, + content => @("EOF") + [Match] + Name=enp3s0f0u4 + + [Network] + + Description=Remarkable USB connection + Address=${prefix}.${addr}/29 + | EOF + } + +} -- cgit v1.2.3 From 85eecfe470274e746df7d776f357fdba2c5de44f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Hugo=20H=C3=B6rnquist?= Date: Tue, 13 Jul 2021 19:26:14 +0200 Subject: Add way to manage pacman hooks. --- modules/pacman/manifests/hook.pp | 68 +++++++++++++++++++++++++++++++++++++++ modules/pacman/manifests/init.pp | 20 ++++++++++++ modules/pacman/templates/hook.epp | 31 ++++++++++++++++++ 3 files changed, 119 insertions(+) create mode 100644 modules/pacman/manifests/hook.pp create mode 100644 modules/pacman/manifests/init.pp create mode 100644 modules/pacman/templates/hook.epp (limited to 'modules') diff --git a/modules/pacman/manifests/hook.pp b/modules/pacman/manifests/hook.pp new file mode 100644 index 0000000..940ae5f --- /dev/null +++ b/modules/pacman/manifests/hook.pp @@ -0,0 +1,68 @@ + +type Pacman::Operation = Enum['Install', 'Upgrade', 'Remove'] +# type Variant[Type, Array[Type, 1]] = Variant[Type, Array[Type, 1]] + +type Pacman::Trigger = Struct[{ + type => Enum['Path', 'Package'], + operation => Variant[Pacman::Operation, Array[Pacman::Operation, 1]], + target => Variant[String, Array[String, 1]], +}] + +define pacman::hook ( + Integer $priority = 50, + Optional[String] $description = undef, + Enum['PreTransation', 'PostTransaction'] $when, + String $exec, + Optional[Variant[String, Array[String, 1]]] $depends = undef, + Boolean $abortOnFail = false, # only for PreTransation + Boolean $needsTargets = false, + Variant[Pacman::Trigger, Array[Pacman::Trigger, 1]] $trigger, +) { + + require ::pacman + + if ($abortOnFail and $when != 'PreTransation') { + fail('abortOnFail only valid when "when" => "PreTransation"') + } + + $triggers = $trigger ? { + Array => $trigger, + default => [$trigger], + } + + $str = epp('pacman/hook.epp', { + description => $description, + depends => $depends ? { + Optional => [], + Array => $depends, + default => [$depends], + }, + triggers => $triggers.map |$trigger| { + { + type => $trigger['type'], + operation => $trigger['operation'] ? { + Array => $trigger['operation'], + default => [$trigger['operation']], + }, + target => $trigger['target'] ? { + Array => $trigger['target'], + default => [$trigger['target']], + } + } + }, + exec => $exec, + when => $when, + abortOnFail => $abortOnFail, + needsTargets => $needsTargets, + }) + + $chksum = $str.md5() + + file { $chksum: + ensure => 'present', + content => $str, + path => "${pacman::hooks_path}/${priority}-${name}.hook", + checksum => 'md5', + checksum_value => $chksum, + } +} diff --git a/modules/pacman/manifests/init.pp b/modules/pacman/manifests/init.pp new file mode 100644 index 0000000..eadc1c2 --- /dev/null +++ b/modules/pacman/manifests/init.pp @@ -0,0 +1,20 @@ +class pacman ( + String $hooks_path = '/etc/pacman.d/hooks-puppet', + String $conf_path = '/etc/pacman.conf', +) { + + # TODO ability to set multiple settings + ini_setting { 'Pacman HookDir': + path => $conf_path, + section => 'options', + setting => 'HookDir', + value => $hooks_path, + + } + + file { $hooks_path: + ensure => directory, + recurse => true, + purge => true, + } +} diff --git a/modules/pacman/templates/hook.epp b/modules/pacman/templates/hook.epp new file mode 100644 index 0000000..08377d9 --- /dev/null +++ b/modules/pacman/templates/hook.epp @@ -0,0 +1,31 @@ +<%- | Array[Pacman::Trigger] $triggers, + Optional[String] $description, + String $exec, + Enum['PreTransation', 'PostTransaction'] $when, + Array[String] $depends, + Boolean $abortOnFail, + Boolean $needsTargets, + +| -%> +# Managed by Puppet + +[Trigger] +<%- $triggers.each |$trigger| { -%> +Type = <%= $trigger['type'] %> +<%- $trigger['operation'].each |$op| { -%> +Operation = <%= $op %> +<%- } -%> +<% $trigger['target'].each |$target| { -%> +Target = <%= $target %> +<%- } -%> +<%- } %> + +[Action] +<%- if ($description) { -%>Description = <%= $description %><% } %> +Exec = <%= $exec %> +When = <%= $when %> +<%- $depends.each |$depend| { -%> +Depends = <%= $depend %> +<%- } -%> +<%- if ($abortOnFail) { -%>AbortOnFail<% } %> +<%- if ($needsTargets) { -%>NeedsTargets<% } %> -- cgit v1.2.3 From 08035d33995737db3e4178a5201da462011d3483 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Hugo=20H=C3=B6rnquist?= Date: Tue, 13 Jul 2021 19:42:18 +0200 Subject: workstation by os. --- modules/profiles/manifests/workstation.pp | 4 ++++ .../profiles/manifests/workstation/archlinux.pp | 27 ++++++++++++++++++++++ 2 files changed, 31 insertions(+) create mode 100644 modules/profiles/manifests/workstation.pp create mode 100644 modules/profiles/manifests/workstation/archlinux.pp (limited to 'modules') diff --git a/modules/profiles/manifests/workstation.pp b/modules/profiles/manifests/workstation.pp new file mode 100644 index 0000000..f276957 --- /dev/null +++ b/modules/profiles/manifests/workstation.pp @@ -0,0 +1,4 @@ +class profiles::workstation { + $os = $facts['os']['name'].downcase() + include "::profiles::workstation::${os}" +} diff --git a/modules/profiles/manifests/workstation/archlinux.pp b/modules/profiles/manifests/workstation/archlinux.pp new file mode 100644 index 0000000..29ef380 --- /dev/null +++ b/modules/profiles/manifests/workstation/archlinux.pp @@ -0,0 +1,27 @@ +class profiles::workstation::archlinux { + # Rebuilt my local xmonad config after an upgrade to xmonad. + # It's required, I think due to something with dynamic linking. + # It's actually pretty ugly that I'm hardcoded in here, but + # something had to be done. + pacman::hook { 'xmonad': + description => 'Rebuild local xmonad config.', + when => 'PostTransaction', + exec => '/bin/sudo -Hu hugo xmonad --recompile', + trigger => { + type => 'Package', + operation => ['Upgrade', 'Install'], + target => 'xmonad*', + }, + } + + pacman::hook { 'systemd daemon-reload': + description => 'Reload systemd user daemon', + exec => '/bin/sudo -Hu hugo systemctl --user daemon-reload', + when => 'PostTransaction', + trigger => { + operation => 'Upgrade', + type => 'Path', + target => '/usr/lib/systemd/user/*', + }, + } +} -- cgit v1.2.3 From 3fef36594a309dc94ca6325aebacae31e38c7aa0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Hugo=20H=C3=B6rnquist?= Date: Wed, 14 Jul 2021 01:01:35 +0200 Subject: Configure gandalf root webserver. --- modules/profiles/manifests/gandalf_web.pp | 38 +++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) create mode 100644 modules/profiles/manifests/gandalf_web.pp (limited to 'modules') diff --git a/modules/profiles/manifests/gandalf_web.pp b/modules/profiles/manifests/gandalf_web.pp new file mode 100644 index 0000000..7aabf2c --- /dev/null +++ b/modules/profiles/manifests/gandalf_web.pp @@ -0,0 +1,38 @@ +class profiles::gandalf_web { + + class { '::nginx': + manage_repo => false, + # server_purge => true, + package_name => 'nginx', + service_config_check => true, + } + + $certname = 'bookmark.gandalf.adrift.space' + + + nginx::resource::server { 'gandalf': + ipv6_enable => true, + listen_options => 'default_server', + ipv6_listen_options => 'default_server', + server_name => [ '_' ], + access_log => absent, + error_log => absent, + ssl => true, + ssl_cert => "/etc/letsencrypt/live/${certname}/fullchain.pem", + ssl_key => "/etc/letsencrypt/live/${certname}/privkey.pem", + ssl_redirect => true, + index_files => [ 'index.html', ], + www_root => '/var/www/adrift.space', + use_default_location => false, + } + + nginx::resource::location { '/': + try_files => ['$uri', '$uri/', '=404'], + index_files => [], + ssl => true, + ssl_only => true, + autoindex => on, + server => 'gandalf', + } + +} -- cgit v1.2.3 From 2f0497639c157a58b80a515d0df6612d7bb2c8b6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Hugo=20H=C3=B6rnquist?= Date: Wed, 14 Jul 2021 01:01:42 +0200 Subject: Configure shiori server. --- modules/profiles/manifests/transmission.pp | 71 ++++++++++++++++++++++ modules/profiles/templates/transmission.json.epp | 77 ++++++++++++++++++++++++ 2 files changed, 148 insertions(+) create mode 100644 modules/profiles/manifests/transmission.pp create mode 100644 modules/profiles/templates/transmission.json.epp (limited to 'modules') diff --git a/modules/profiles/manifests/transmission.pp b/modules/profiles/manifests/transmission.pp new file mode 100644 index 0000000..f79517b --- /dev/null +++ b/modules/profiles/manifests/transmission.pp @@ -0,0 +1,71 @@ +class profiles::transmission ( + Optional[String] $nginx_server = undef, + Enum['None', 'Error', 'Info', 'Debug'] $msg_level = 'Error', +) { + + $transmission_url = '/transmission' + $transmission_port = 9091 + + if ($nginx_server) { + require ::nginx + + nginx::resource::location { $transmission_url: + proxy => "http://localhost:${transmission_port}${transmission_url}", + proxy_set_header => [], + server => $nginx_server, + ssl => true, + ssl_only => true, + } + } + + ensure_packages(['transmission-cli'], + { ensure => installed }) + + systemd::dropin_file { 'transmission-after.conf': + unit => 'transmission.service', + content => @(EOF) + [Unit] + After=network-online.target + | EOF + } + + systemd::dropin_file { 'transmission-flags.conf': + unit => 'transmission.service', + content => @(EOF) + [Service] + ExecStart= + ExecStart=/usr/bin/transmission-daemon -f + | EOF + } + + # TODO whitelists are currently disabled, since they don't seem to + # work. Possibly turn them on again some day. + + # https://github.com/transmission/transmission/wiki/Editing-Configuration-File + file { '/var/lib/transmission/.config/transmission-daemon/settings.json': + content => epp('profiles/transmission.json.epp', { + rpc_username => 'hugo', + # '{' + sha1(password + salt) + # But I don't know how I managed to generate it, since + # transmission rolls its own crypto + rpc_password => '{eb43101d3b9aa02223466d7f98c5329c841c7967/Zr2tFpn', + download_dir => '/usr/net/', + rpc_whitelist => ['127.0.0.1', '::1'], + rpc_port => $transmission_port, + rpc_url => "${transmission_url}/", + msg_level => case $msg_level { + 'None': { 0 } + 'Error': { 1 } + 'Info': { 2 } + 'Debug': { 3 } + }, + }), + } ~> exec { '/bin/systemctl reload transmission': + refreshonly => true, + } + + service { 'transmission': + ensure => 'running', + enable => true, + } +} diff --git a/modules/profiles/templates/transmission.json.epp b/modules/profiles/templates/transmission.json.epp new file mode 100644 index 0000000..885ad5e --- /dev/null +++ b/modules/profiles/templates/transmission.json.epp @@ -0,0 +1,77 @@ +<%- | String $rpc_username, + String $rpc_password, + String $download_dir, + Integer $rpc_port, + String $rpc_url, + Integer $msg_level = 1, + Optional[String] $incomplete_dir = undef, + Optional[Array[String]] $rpc_whitelist = undef, +| -%> +{ + "alt-speed-down": 50, + "alt-speed-enabled": false, + "alt-speed-time-begin": 540, + "alt-speed-time-day": 127, + "alt-speed-time-enabled": false, + "alt-speed-time-end": 1020, + "alt-speed-up": 50, + "bind-address-ipv4": "0.0.0.0", + "bind-address-ipv6": "::", + "blocklist-enabled": false, + "blocklist-url": "http://www.example.com/blocklist", + "cache-size-mb": 4, + "dht-enabled": true, + "download-dir": "<%= $download_dir -%>", + "download-queue-enabled": true, + "download-queue-size": 5, + "encryption": 1, + "idle-seeding-limit": 30, + "idle-seeding-limit-enabled": false, + "incomplete-dir": "<%= $incomplete_dir -%>", + "incomplete-dir-enabled": <%= if ($incomplete_dir) { 'true' } else { 'false' } -%>, + "lpd-enabled": false, + "message-level": <%= $msg_level -%>, + "peer-congestion-algorithm": "", + "peer-id-ttl-hours": 6, + "peer-limit-global": 200, + "peer-limit-per-torrent": 50, + "peer-port": 51413, + "peer-port-random-high": 65535, + "peer-port-random-low": 49152, + "peer-port-random-on-start": false, + "peer-socket-tos": "default", + "pex-enabled": true, + "port-forwarding-enabled": true, + "preallocation": 1, + "prefetch-enabled": true, + "queue-stalled-enabled": true, + "queue-stalled-minutes": 30, + "ratio-limit": 2, + "ratio-limit-enabled": false, + "rename-partial-files": true, + "rpc-authentication-required": true, + "rpc-bind-address": "::", + "rpc-enabled": true, + "rpc-host-whitelist": "", + "rpc-host-whitelist-enabled": false, + "rpc-password": "<%= $rpc_password -%>", + "rpc-port": <%= $rpc_port -%>, + "rpc-url": "<%= $rpc_url -%>", + "rpc-username": "<%= $rpc_username -%>", + "rpc-whitelist": "<%= $rpc_whitelist.join(',') -%>", + "rpc-whitelist-enabled": <%= if ($rpc_whitelist) { 'false' } else { 'false' }-%>, + "scrape-paused-torrents-enabled": true, + "script-torrent-done-enabled": false, + "script-torrent-done-filename": "", + "seed-queue-enabled": false, + "seed-queue-size": 10, + "speed-limit-down": 100, + "speed-limit-down-enabled": false, + "speed-limit-up": 100, + "speed-limit-up-enabled": false, + "start-added-torrents": true, + "trash-original-torrent-files": false, + "umask": 18, + "upload-slots-per-torrent": 14, + "utp-enabled": true +} -- cgit v1.2.3 From 739dd06c9c90ce00d1bc7f6dea91aa1723da40d4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Hugo=20H=C3=B6rnquist?= Date: Sun, 18 Jul 2021 22:36:58 +0200 Subject: Pacman hook paths shouldn't start with '/'. --- modules/pacman/manifests/hook.pp | 40 ++++++++++++++-------- .../profiles/manifests/workstation/archlinux.pp | 2 +- 2 files changed, 27 insertions(+), 15 deletions(-) (limited to 'modules') diff --git a/modules/pacman/manifests/hook.pp b/modules/pacman/manifests/hook.pp index 940ae5f..f8478e6 100644 --- a/modules/pacman/manifests/hook.pp +++ b/modules/pacman/manifests/hook.pp @@ -25,9 +25,33 @@ define pacman::hook ( fail('abortOnFail only valid when "when" => "PreTransation"') } - $triggers = $trigger ? { + # Normalize triggers to list + $triggers = ($trigger ? { Array => $trigger, default => [$trigger], + }).map |$trigger| { + # Normalize contents of each trigger, making + { + type => $trigger['type'], + operation => $trigger['operation'] ? { + Array => $trigger['operation'], + default => [$trigger['operation']], + }, + target => $trigger['target'] ? { + Array => $trigger['target'], + default => [$trigger['target']], + } + } + } + + $triggers.each |$trigger| { + if $trigger['type'] == 'Path' { + $trigger['target'].each |$target| { + if $target[0] == '/' { + fail("Target paths shouldn't start with '/' ${target} in trigger ${name}") + } + } + } } $str = epp('pacman/hook.epp', { @@ -37,19 +61,7 @@ define pacman::hook ( Array => $depends, default => [$depends], }, - triggers => $triggers.map |$trigger| { - { - type => $trigger['type'], - operation => $trigger['operation'] ? { - Array => $trigger['operation'], - default => [$trigger['operation']], - }, - target => $trigger['target'] ? { - Array => $trigger['target'], - default => [$trigger['target']], - } - } - }, + triggers => $triggers, exec => $exec, when => $when, abortOnFail => $abortOnFail, diff --git a/modules/profiles/manifests/workstation/archlinux.pp b/modules/profiles/manifests/workstation/archlinux.pp index 29ef380..8534da0 100644 --- a/modules/profiles/manifests/workstation/archlinux.pp +++ b/modules/profiles/manifests/workstation/archlinux.pp @@ -21,7 +21,7 @@ class profiles::workstation::archlinux { trigger => { operation => 'Upgrade', type => 'Path', - target => '/usr/lib/systemd/user/*', + target => 'usr/lib/systemd/user/*', }, } } -- cgit v1.2.3 From 19887a00a378d8dcef1d8e82c38a3ae4fe2da12c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Hugo=20H=C3=B6rnquist?= Date: Mon, 19 Jul 2021 22:17:49 +0200 Subject: Export varselklotet through regular webserver. --- modules/profiles/manifests/gandalf_web.pp | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'modules') diff --git a/modules/profiles/manifests/gandalf_web.pp b/modules/profiles/manifests/gandalf_web.pp index 7aabf2c..e29e360 100644 --- a/modules/profiles/manifests/gandalf_web.pp +++ b/modules/profiles/manifests/gandalf_web.pp @@ -5,6 +5,13 @@ class profiles::gandalf_web { # server_purge => true, package_name => 'nginx', service_config_check => true, + http_cfg_append => { + 'charset' => 'utf-8', + }, + mime_types_preserve_defaults => true, + mime_types => { + 'text/plain' => 'wiki txt', + } } $certname = 'bookmark.gandalf.adrift.space' -- cgit v1.2.3 From 9fc40be324e3998968995a3419d77f4dff21b28e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Hugo=20H=C3=B6rnquist?= Date: Tue, 27 Jul 2021 21:59:38 +0200 Subject: Enabled loading of nginx-modules. --- modules/profiles/manifests/gandalf_web.pp | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) (limited to 'modules') diff --git a/modules/profiles/manifests/gandalf_web.pp b/modules/profiles/manifests/gandalf_web.pp index e29e360..810064b 100644 --- a/modules/profiles/manifests/gandalf_web.pp +++ b/modules/profiles/manifests/gandalf_web.pp @@ -3,7 +3,7 @@ class profiles::gandalf_web { class { '::nginx': manage_repo => false, # server_purge => true, - package_name => 'nginx', + package_name => 'nginx-mainline', service_config_check => true, http_cfg_append => { 'charset' => 'utf-8', @@ -11,7 +11,14 @@ class profiles::gandalf_web { mime_types_preserve_defaults => true, mime_types => { 'text/plain' => 'wiki txt', - } + }, + include_modules_enabled => true, + } + + file { '/etc/nginx/modules-enabled': + ensure => directory, + purge => true, + recurse => true, } $certname = 'bookmark.gandalf.adrift.space' -- cgit v1.2.3 From 706235bc526ed3228dd7307dc737f9415ab4b841 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Hugo=20H=C3=B6rnquist?= Date: Tue, 27 Jul 2021 22:00:14 +0200 Subject: Set up webdav server. --- modules/pass/lib/puppet/functions/pass.rb | 21 ++++++++ modules/profiles/manifests/webdav_server.pp | 80 +++++++++++++++++++++++++++++ 2 files changed, 101 insertions(+) create mode 100644 modules/pass/lib/puppet/functions/pass.rb create mode 100644 modules/profiles/manifests/webdav_server.pp (limited to 'modules') diff --git a/modules/pass/lib/puppet/functions/pass.rb b/modules/pass/lib/puppet/functions/pass.rb new file mode 100644 index 0000000..176e7e9 --- /dev/null +++ b/modules/pass/lib/puppet/functions/pass.rb @@ -0,0 +1,21 @@ +# require 'open3' + +Puppet::Functions.create_function(:pass) do + dispatch :method do + param 'String', :path + optional_param 'String', :salt + end + + def method(path, salt = path) + # Salt was an attempt to not regenerate the entry every run. + # This however failed, since the command is still run, and puppet + # doesn't diff betwen runs + # -salt #{salt} + # + # TODO fetch passwords in some slightly more portable way + `openssl passwd -apr1 $(sudo -Hu hugo pass #{path})` + # Open3.popen3("sudo -Hu hugo pass #{path}") do |stdin, stdout, stderr, thread| + # stdout.read.chomp + # end + end +end diff --git a/modules/profiles/manifests/webdav_server.pp b/modules/profiles/manifests/webdav_server.pp new file mode 100644 index 0000000..2cd54c1 --- /dev/null +++ b/modules/profiles/manifests/webdav_server.pp @@ -0,0 +1,80 @@ +define profiles::webdav_server ( + String $nginx_server, + String $file_path, + String $location = $name, + String $passwd_file = "${file_path}/.htpasswd", + String $owner = 'http', + String $group = 'share', + Array[Array[String,2,2]] $users = [], + Array[String] $dav_methods = ['PUT', 'DELETE', 'MKCOL', 'COPY', 'MOVE'], + Array[String] $dav_ext_methods = ['PROPFIND', 'OPTIONS'], + Hash[String,String] $dav_access = { + 'user' => 'rw', + 'group' => 'rw', + } +) { + + # TODO install this module somehow + # AUR: nginx-mainline-mod-dav-ext + + require ::nginx + + $modname = 'ngx_http_dav_ext_module' + file { "/etc/nginx/modules-enabled/${modname}.conf": + ensure => file, + content => @("EOF") + load_module /usr/lib/nginx/modules/${modname}.so; + | EOF + } + + file { + default: + owner => $owner, + group => $group, + ; + $file_path: + ensure => 'directory', + mode => '0770', + recurse => 'false', + ; + $passwd_file: + ensure => 'file', + mode => '0660', + ; + } + + # add entries to the htpasswd file through + # $ echo "${user}:$(openssl passwd -apr1 $password)" >> .htpasswd + + + $users.each |$pair| { + $user = $pair[0] + $passwd = $pair[1] + file_line { "Add ${user} to dav passwd file": + ensure => present, + path => $passwd_file, + line => "${user}:${passwd}", + match => "^${user}:" + } + } + + nginx::resource::location { $location: + server => $nginx_server, + location_alias => $file_path, + ssl => true, + ssl_only => true, + + auth_basic => 'Enter password for dav access', + auth_basic_user_file => $passwd_file, + + location_cfg_append => { + 'dav_methods' => $dav_methods.join(' '), + 'dav_ext_methods' => $dav_ext_methods.join(' '), + 'dav_access' => $dav_access.map |$k, $v| { "${k}:${v}" }.join(' '), + 'client_body_temp_path' => "${file_path}/tmp", + 'create_full_put_path' => 'on', + 'autoindex' => 'on', + 'allow' => 'all', + } + } +} -- cgit v1.2.3 From cee86e5049af5a8dae713e4d93b7e2c64a1eb7ba Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Hugo=20H=C3=B6rnquist?= Date: Tue, 31 Aug 2021 14:23:51 +0200 Subject: Fix systemd command. --- modules/profiles/manifests/workstation/archlinux.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'modules') diff --git a/modules/profiles/manifests/workstation/archlinux.pp b/modules/profiles/manifests/workstation/archlinux.pp index 8534da0..963f4df 100644 --- a/modules/profiles/manifests/workstation/archlinux.pp +++ b/modules/profiles/manifests/workstation/archlinux.pp @@ -16,7 +16,7 @@ class profiles::workstation::archlinux { pacman::hook { 'systemd daemon-reload': description => 'Reload systemd user daemon', - exec => '/bin/sudo -Hu hugo systemctl --user daemon-reload', + exec => '/bin/sudo systemctl --machine=hugo@.host --user daemon-reload', when => 'PostTransaction', trigger => { operation => 'Upgrade', -- cgit v1.2.3 From da4bf1c1a9ac30f87241ea06a96aca582a1bcf3f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Hugo=20H=C3=B6rnquist?= Date: Tue, 28 Sep 2021 04:15:43 +0200 Subject: Add group profiles. --- modules/profiles/manifests/group_profile.pp | 16 ++++++++++++++++ modules/profiles/manifests/workstation.pp | 2 ++ 2 files changed, 18 insertions(+) create mode 100644 modules/profiles/manifests/group_profile.pp (limited to 'modules') diff --git a/modules/profiles/manifests/group_profile.pp b/modules/profiles/manifests/group_profile.pp new file mode 100644 index 0000000..2025a4b --- /dev/null +++ b/modules/profiles/manifests/group_profile.pp @@ -0,0 +1,16 @@ +class profiles::group_profile { + file { '/etc/profile.d/group-env.sh': + ensure => 'file', + content => @(EOF) + for group in $(groups $(id -nu)) + do + f="/etc/profile.d/group.d/${group}" + test -f "$f" && . $f + done + | EOF + } + + file { '/etc/profile.d/group.d': + ensure => 'directory', + } +} diff --git a/modules/profiles/manifests/workstation.pp b/modules/profiles/manifests/workstation.pp index f276957..724a1b5 100644 --- a/modules/profiles/manifests/workstation.pp +++ b/modules/profiles/manifests/workstation.pp @@ -1,4 +1,6 @@ class profiles::workstation { $os = $facts['os']['name'].downcase() include "::profiles::workstation::${os}" + + include ::profiles::group_profile } -- cgit v1.2.3 From e62ccde573c969a16cee5e54cf8b8442b3936eb8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Hugo=20H=C3=B6rnquist?= Date: Tue, 28 Sep 2021 04:16:03 +0200 Subject: Configure shiori. --- modules/shiori/files/shiori.service | 13 +++++ modules/shiori/manifests/init.pp | 97 +++++++++++++++++++++++++++++++++++++ 2 files changed, 110 insertions(+) create mode 100644 modules/shiori/files/shiori.service create mode 100644 modules/shiori/manifests/init.pp (limited to 'modules') diff --git a/modules/shiori/files/shiori.service b/modules/shiori/files/shiori.service new file mode 100644 index 0000000..6c8de29 --- /dev/null +++ b/modules/shiori/files/shiori.service @@ -0,0 +1,13 @@ +[Unit] +Description=Bookmark server + +[Service] +User=shiori +Environment=SHIORI_DIR=/var/www/shiori +Environment=PORT=8080 +EnvironmentFile=-/etc/conf.d/shiori +ExecStart=shiori serve -p $PORT +Restart=always + +[Install] +WantedBy=multi-user.target diff --git a/modules/shiori/manifests/init.pp b/modules/shiori/manifests/init.pp new file mode 100644 index 0000000..a8622e8 --- /dev/null +++ b/modules/shiori/manifests/init.pp @@ -0,0 +1,97 @@ +class shiori ( + $port = 8080, + Array[String] $group_members = [], + Optional[Hash] $nginx = undef, +) { + + # on arch this is available through the aur + package { 'shiori-bin': + ensure => installed, + } + + user { 'shiori': + ensure => present, + system => true, + home => '/var/www/shiori', + } + + group { 'shiori': + ensure => present, + members => $group_members, + } + + file { '/var/www/shiori': + ensure => directory, + owner => shiori, + group => shiori, + mode => '0750', + } + + file { [ + '/var/www/shiori/archive', + '/var/www/shiori/thumb', + ] : + ensure => directory, + owner => shiori, + group => shiori, + mode => '0770', + } + + file { '/var/www/shiori/shiori.db': + owner => 'shiori', + group => 'shiori', + mode => '0660', + } + + file { '/etc/systemd/system/shiori.service': + ensure => file, + source => 'puppet:///modules/shiori/shiori.service', + } + + file { '/etc/conf.d/shiori': + ensure => 'file', + content => @("EOF") + # This file is managed by Puppet. + # Editing it might also lead to inconsistencies with nginx + PORT=${port} + | EOF + } + + service { 'shiori': + ensure => running, + enable => true, + require => [ + File['/etc/systemd/system/shiori.service'], + File['/etc/conf.d/shiori'], + ], + } + + # TODO only run this if Class['profiles::group_profile'] is loaded + file { '/etc/profile.d/group.d/shiori': + ensure => file, + content => "export SHIORI_DIR=/var/www/shiori\n", + } + + if ($nginx) { + $certname = $nginx['certname'] + nginx::resource::server { $nginx['server_name']: + ipv6_enable => true, + ipv6_listen_options => '', + ssl => true, + ssl_redirect => true, + ssl_cert => "/etc/letsencrypt/live/${certname}/fullchain.pem", + ssl_key => "/etc/letsencrypt/live/${certname}/privkey.pem", + www_root => '/var/www/shiori', + use_default_location => false, + } + + nginx::resource::location { 'shiori /': + location => '/', + proxy => "http://[::]:$port", + index_files => [], + ssl => true, + ssl_only => true, + server => $nginx['server_name'], + } + } +} -- cgit v1.2.3 From 08a9ff658f14b6ccd0d396711304b74e51307c0e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Hugo=20H=C3=B6rnquist?= Date: Sun, 31 Oct 2021 01:11:18 +0200 Subject: Work on netbooting raspberry pis. --- modules/exports/manifests/init.pp | 19 +++++ modules/overlay/manifests/init.pp | 17 +++++ modules/raspi/manifests/init.pp | 143 ++++++++++++++++++++++++++++++++++++++ 3 files changed, 179 insertions(+) create mode 100644 modules/exports/manifests/init.pp create mode 100644 modules/overlay/manifests/init.pp create mode 100644 modules/raspi/manifests/init.pp (limited to 'modules') diff --git a/modules/exports/manifests/init.pp b/modules/exports/manifests/init.pp new file mode 100644 index 0000000..ce75b29 --- /dev/null +++ b/modules/exports/manifests/init.pp @@ -0,0 +1,19 @@ +define exports ( + Hash[String,Array[String]] $options, + String $dir = $name, + String $exports_file = '/etc/exports', +) { + + $fixed_opts = $options.map |$key, $val| { + $joined_vals = $val.join(',') + "${key}(${joined_vals})" + }.join(' ') + + file_line { "Export ${exports_file} ${dir}": + ensure => present, + path => $exports_file, + match => "^${dir}", + line => "${dir} ${fixed_opts}" + } + +} diff --git a/modules/overlay/manifests/init.pp b/modules/overlay/manifests/init.pp new file mode 100644 index 0000000..a85683d --- /dev/null +++ b/modules/overlay/manifests/init.pp @@ -0,0 +1,17 @@ +define overlay ( +) { + + { + lowerdir => "${dir}/root/base", + upperdir => "${dir}/root/overlays/${name}", + workdir => "${dir}/root/workdirs/${name}", + nfs_export => 'on', + } + + file_line { + ensure => present, + path => "${dir}/fstab" + line => "overlay root/export/${name} + } + +} diff --git a/modules/raspi/manifests/init.pp b/modules/raspi/manifests/init.pp new file mode 100644 index 0000000..c622f26 --- /dev/null +++ b/modules/raspi/manifests/init.pp @@ -0,0 +1,143 @@ +define raspi ( + String $dir, + String $version, +) { + # https://www.kernel.org/doc/html/latest/admin-guide/nfs/nfsroot.html + + + file { $dir: + ensure => directory, + } + + $img_file = "${version}-raspios-buster-armhf-lite" + + file { "${dir}/${img_file}.zip": + ensure => file, + source => "https://downloads.raspberrypi.org/raspios_lite_armhf/images/raspios_lite_armhf-2021-05-28/${img_file}.zip", + checksum => 'sha256', + checksum_value => 'c5dad159a2775c687e9281b1a0e586f7471690ae28f2f2282c90e7d59f64273c', + } ~> exec { "/usr/bin/unzip ${img_file}.zip": + creates => "${dir}/${img_file}.img", + cwd => $dir, + } + + # see modprobe.d(5) + # /sys/module/loop/parameters/max_part + file { '/etc/modprobe.d/loop.conf': + content => "options loop max_part=8\n", + } + + ['root'].each |$d| { + file { "${dir}/${d}": + ensure => directory, + } + ['base', 'export', 'overlays', 'workdirs'].each |$subdir| { + file { "${dir}/${d}/${subdir}": + ensure => directory, + } + } + } + + $mounts = { + 'root' => ['music',], + # 'boot' => ['music',], + } + + # overlay fs not supported for FAT32 filesystems + + $fstab = "${dir}/fstab" + file { $fstab: + ensure => file, + } + + File[$fstab] -> File_Line <| path == $fstab |> + + $mounts.each |$type, $lst| { + $lst.each |$name| { + + $dict = { + lowerdir => "${dir}/${type}/base", + upperdir => "${dir}/${type}/overlays/${name}", + workdir => "${dir}/${type}/workdirs/${name}", + nfs_export => 'on', + } + + $target = "${dir}/${type}/export/${name}" + + file { [ + $dict['upperdir'], + $dict['workdir'], + $target, + ] : + ensure => directory, + } + + $opts = $dict.map |$k, $v| { "$k=$v" }.join(',') + + file_line { "Raspi fstab ${type} ${target}": + ensure => present, + path => $fstab, + line => "overlay ${target} overlay ${opts}", + } + } + } + + ensure_packages ( ['nfs-utils'], { ensure => latest, }) + service { 'nfs-server': + ensure => running, + enable => true, + } + + exports { "${dir}/root/export": + options => { + '*' => [ + 'rw', + 'no_subtree_check', + 'no_root_squash', + # Our mounts under the exported tree are also exported, which is + # needed since our export point is simply a mount point + 'crossmnt', + 'fsid=1', + ], + }, + } + + # TODO ensure that we are mounted before we start changing stuff + + $root = "${dir}/root/export/music" + + file { "${root}/etc/systemd/system/multi-user.target.wants/ssh.service": + ensure => link, + target => '/lib/systemd/system/ssh.service', + } + + file { "${root}/etc/fstab": + ensure => absent, + } + + file { "${root}/root/.ssh": + ensure => directory, + } + + file { "${root}/root/.ssh/authorized_keys": + ensure => file, + } + + file_line { 'raspbian root key': + path => "${root}/root/.ssh/authorized_keys", + line => 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC8bdCl6aFmYoWAZIoorFv96oV45Jv75vH0TyNTKyByNV0dr6qgJzt8HJ1J/bVDs+q679f4udA1HLGLncyoJS1rGw9meP36dXCQBPMdfZJN0tIrYWgo2Hb7ZpDjsvxGTHaE9jzWlDUI9DcoWoa1Hy8roqsFZgbEnW4H1QG2Hr1+MkjoKvxhXFZoDxuq5K8WcHpehhEU8YcHSKiL0R5jhGlGbL+Qvb1QUL1sXQquHrgJB4IwrrYt2chX4W9Uo+PMny6VYV8ubuXvYCyQehQqZmkYSWD3iJAu59Ti0MLC+egBVZ6UkWAn4kik5cbboC36ioDCKQfrpvfZuUg4OA01N033QoC3+aKUwic8t+Z9sQz7PKT3JTJA5cLTjV+FMoZfKUiSrgm2jgk2mYl86HyHbjwvVq3I0Ny5xXHX3n2DwY9kT3tV16lA3m6oRPeUwZDo7sCzHuMTj2tQE8mMzpZ6kA/CkwAOotY6S/XSbyynIrYpu0Y2HJ6Rax8XGt09DEc7XAE= hugo@gandalf', + } + + # $ l=$(losetup --show -f ${file}.img) + # $ mount "${l}p1" boot/base + # $ mount "${l}p2" root/base + # $ dd if=/dev/loop0p1 of=boot-sector.img + + + # console=serial0,115200 console=tty1 root=/dev/nfs rootfstype=10.0.0.40:/usr/local/raspi/root,vers=4.1,proto=tcp id=dhcp elevator=deadline rootwait rw + + # cmdline.txt + # root=/dev/nfs + # rootfstype=10.0.0.40:/usr/local/raspi/root,vers=4.1,proto=tcp + +} -- cgit v1.2.3 From 510a3014391d056a26555a5be1320c3f1b94f796 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Hugo=20H=C3=B6rnquist?= Date: Thu, 4 Nov 2021 18:33:21 +0100 Subject: Set up nsupdate. --- modules/nsupdate/manifests/init.pp | 64 +++++++++++++++++++++++++++++++++ modules/nsupdate/manifests/setup.pp | 14 ++++++++ modules/nsupdate/templates/nsupdate.epp | 18 ++++++++++ 3 files changed, 96 insertions(+) create mode 100644 modules/nsupdate/manifests/init.pp create mode 100644 modules/nsupdate/manifests/setup.pp create mode 100644 modules/nsupdate/templates/nsupdate.epp (limited to 'modules') diff --git a/modules/nsupdate/manifests/init.pp b/modules/nsupdate/manifests/init.pp new file mode 100644 index 0000000..8141f5a --- /dev/null +++ b/modules/nsupdate/manifests/init.pp @@ -0,0 +1,64 @@ +# type DNSRecordType = ['A', 'AAAA', 'AFSDB', 'APL', 'CAA', 'CDNSKEY', 'CDS', +# 'CERT', 'CNAME', 'CSYNC', 'DHCID', 'DLV', 'DNAME', 'DNSKEY', 'DS', 'EUI48', +# 'EUI64', 'HINFO', 'HIP', 'HTTPS', 'IPSECKEY', 'KEY', 'KX', 'LOC', 'MX', +# 'NAPTR', 'NS', 'NSEC', 'NSEC3', 'NSEC3PARAM', 'OPENPGPKEY', 'PTR', 'RRSIG', +# 'RP', 'SIG', 'SMIMEA', 'SOA', 'SRV', 'SSHFP', 'SVCB', 'TA', 'TKEY', 'TLSA', +# 'TSIG', 'TXT', 'URI', 'ZA', 'AAAA', 'AFSDB', 'APL', 'CAA', 'CDNSKEY', 'CDS', +# 'CERT', 'CNAME', 'CSYNC', 'DHCID', 'DLV', 'DNAME', 'DNSKEY', 'DS', 'EUI48', +# 'EUI64', 'HINFO', 'HIP', 'HTTPS', 'IPSECKEY', 'KEY', 'KX', 'LOC', 'MX', +# 'NAPTR', 'NS', 'NSEC', 'NSEC3', 'NSEC3PARAM', 'OPENPGPKEY', 'PTR', 'RRSIG', +# 'RP', 'SIG', 'SMIMEA', 'SOA', 'SRV', 'SSHFP', 'SVCB', 'TA', 'TKEY', 'TLSA', +# 'TSIG', 'TXT', 'URI', 'ZONEMD'] + +type DNSRecordType = Enum['A'] + +type DNSRecord = Struct[{ + domain => String, + type => DNSRecordType, + ttl => Integer, +}] + +# Sets up a single instance of a reoccuring nsupdate. +# Note that nsupdate::secret.$keyname needs to be made available through hiera +# /etc/puppetlabs/code/environments/production/data/nodes/hornquist.se.yaml +define nsupdate ( + String $nameserver, + Array[DNSRecord] $records, + String $iface = $facts['networking']['primary'], + Enum['present', 'absent'] $ensure = present, + String $keyname = $name, +) { + + require ::nsupdate::setup + + file { "/usr/libexec/nsupdate/${name}": + ensure => $ensure, + mode => '0555', + content => epp('nsupdate/nsupdate.epp', { + iface => $iface, + nameserver => $nameserver, + records => $records, + keyname => $keyname, + }) + } + + $key = lookup("nsupdate::secrets.\"${keyname}\"") + $secret = Sensitive($key['secret']) + file { "/var/lib/nsupdate/${keyname}.key": + ensure => file, + mode => '0400', + show_diff => false, + content => @("EOF") + key "${keyname}" { + algorithm ${key['algorithm']}; + secret "${secret.unwrap}"; + }; + | EOF + } + + cron { "nsupdate ${name}": + ensure => $ensure, + command => "/usr/libexec/nsupdate/${name}", + minute => 0, + } +} diff --git a/modules/nsupdate/manifests/setup.pp b/modules/nsupdate/manifests/setup.pp new file mode 100644 index 0000000..9aba4ff --- /dev/null +++ b/modules/nsupdate/manifests/setup.pp @@ -0,0 +1,14 @@ +class nsupdate::setup ( +) { + file { '/usr/libexec/nsupdate': + ensure => directory, + } + + file { '/var/lib/nsupdate': + ensure => directory, + } + + ensure_packages(['bind9-dnsutils'], { + ensure => installed, + }) +} diff --git a/modules/nsupdate/templates/nsupdate.epp b/modules/nsupdate/templates/nsupdate.epp new file mode 100644 index 0000000..66fe4b2 --- /dev/null +++ b/modules/nsupdate/templates/nsupdate.epp @@ -0,0 +1,18 @@ +<%- | + String $iface, + String $nameserver, + String $keyname, + Array[DNSRecord] $records, +| -%> +#!/bin/bash + +IP=$(ip -j a show dev <%= $iface %> | jq --raw-output '.[0].addr_info[] | select(.family == "inet").local') + +nsupdate "$@" -k '/var/lib/nsupdate/<%= $keyname %>.key' << EOF +server <%= $nameserver %> +<%- $records.each |$record| { -%> +update delete <%= $record['domain'] %> <%= $record['type'] %> +update add <%= $record['domain'] %> <%= $record['ttl'] %> <%= $record['type'] %> ${IP} +<%- } -%> +send +EOF -- cgit v1.2.3 From 85793838bc917566d739b330255d11e941320b45 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Hugo=20H=C3=B6rnquist?= Date: Mon, 13 Dec 2021 23:35:56 +0100 Subject: Add losetup. --- modules/losetup/files/dismantle-loop-device | 15 +++++++++++++++ modules/losetup/files/loop@.service | 12 ++++++++++++ modules/losetup/files/setup-loop-device | 16 ++++++++++++++++ modules/losetup/manifests/init.pp | 24 ++++++++++++++++++++++++ 4 files changed, 67 insertions(+) create mode 100644 modules/losetup/files/dismantle-loop-device create mode 100644 modules/losetup/files/loop@.service create mode 100755 modules/losetup/files/setup-loop-device create mode 100644 modules/losetup/manifests/init.pp (limited to 'modules') diff --git a/modules/losetup/files/dismantle-loop-device b/modules/losetup/files/dismantle-loop-device new file mode 100644 index 0000000..be3f3a0 --- /dev/null +++ b/modules/losetup/files/dismantle-loop-device @@ -0,0 +1,15 @@ +#!/bin/bash + +target_file="$1" +safe_name="$(systemd-escape "$target_file")" + +set +x + +loop_device=$(readlink "/dev/loop-by-name/${safe_name}") +rm "/dev/loop-by-name/${safe_name}" + +for part in "/dev/loop-by-name/${safe_name}"-p*; do + rm "$part" +done + +losetup -d $loop_device diff --git a/modules/losetup/files/loop@.service b/modules/losetup/files/loop@.service new file mode 100644 index 0000000..e9dc008 --- /dev/null +++ b/modules/losetup/files/loop@.service @@ -0,0 +1,12 @@ +[Unit] +Description=Loopback device for %I + +[Service] +ExecStart=/usr/libexec/setup-loop-device "%I" +ExecStop=/usr/libexec/dismantle-loop-device "%I" +#ExecStopPost=rm /dev/loop-by-name/"%i"* +#ExecStart=echo %I +ExecStartPre=mkdir -p /dev/loop-by-name +# Cant't have any dashes in filename, due to escaping rules +# ExecStartPre=/bin/sh -c "grep -vq '-' <<< "%i"" +RemainAfterExit=yes diff --git a/modules/losetup/files/setup-loop-device b/modules/losetup/files/setup-loop-device new file mode 100755 index 0000000..4215273 --- /dev/null +++ b/modules/losetup/files/setup-loop-device @@ -0,0 +1,16 @@ +#!/bin/bash + +target_file="$1" +safe_name="$(systemd-escape "$target_file")" + +set +x + +loop_device=$(losetup --find --show "$target_file") + +ln -s $loop_device "/dev/loop-by-name/${safe_name}" + +for part in "${loop_device}"p*; do + last_two=${part:$[${#part}-2]} + ln -s $part \ + "/dev/loop-by-name/${safe_name}-${last_two}" +done diff --git a/modules/losetup/manifests/init.pp b/modules/losetup/manifests/init.pp new file mode 100644 index 0000000..8d7f8d8 --- /dev/null +++ b/modules/losetup/manifests/init.pp @@ -0,0 +1,24 @@ +class losetup { + file { '/etc/systemd/system/loop@.service': + ensure => file, + source => "puppet:///modules/${module_name}/loop@.service", + } + + # ensure_resource ('file', { path => '/usr/libexec', ensure => directory }) + file { '/usr/libexec': + ensure => directory, + } + + file { + default: + ensure => file, + mode => '0555', + ; +'/usr/libexec/setup-loop-device': + source => "puppet:///modules/${module_name}/setup-loop-device", + ; +'/usr/libexec/dismantle-loop-device': + source => "puppet:///modules/${module_name}/dismantle-loop-device", + ; + } +} -- cgit v1.2.3 From d449ef502030454ba88eeb0a81fdb46b09d0d6b0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Hugo=20H=C3=B6rnquist?= Date: Mon, 13 Dec 2021 23:37:40 +0100 Subject: Minor fixes --- modules/cgit/files/filters/hugo-pre.sh | 4 ++-- modules/exports/manifests/init.pp | 2 ++ 2 files changed, 4 insertions(+), 2 deletions(-) (limited to 'modules') diff --git a/modules/cgit/files/filters/hugo-pre.sh b/modules/cgit/files/filters/hugo-pre.sh index de94b26..b716525 100755 --- a/modules/cgit/files/filters/hugo-pre.sh +++ b/modules/cgit/files/filters/hugo-pre.sh @@ -2,10 +2,10 @@ name=$1 -extension=${1: -3} +extension=${name: -3} case $extension in - .md) markdown ;; + .md) pandoc -f gfm -t html ;; *) cat <<- EOF 
$(cat -)
diff --git a/modules/exports/manifests/init.pp b/modules/exports/manifests/init.pp index ce75b29..8280c71 100644 --- a/modules/exports/manifests/init.pp +++ b/modules/exports/manifests/init.pp @@ -1,3 +1,5 @@ +# Setup export item. +# Should be be callable multiple times define exports ( Hash[String,Array[String]] $options, String $dir = $name, -- cgit v1.2.3 From 0301818fa87bf588dfcd13c1644936aa5537fa15 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Hugo=20H=C3=B6rnquist?= Date: Mon, 13 Dec 2021 23:38:02 +0100 Subject: Gandalf web certbot. --- modules/profiles/manifests/gandalf_web.pp | 54 +++++++++++++++++++++++++++++-- 1 file changed, 52 insertions(+), 2 deletions(-) (limited to 'modules') diff --git a/modules/profiles/manifests/gandalf_web.pp b/modules/profiles/manifests/gandalf_web.pp index 810064b..1295d83 100644 --- a/modules/profiles/manifests/gandalf_web.pp +++ b/modules/profiles/manifests/gandalf_web.pp @@ -1,4 +1,6 @@ -class profiles::gandalf_web { +class profiles::gandalf_web ( + String $certname, +) { class { '::nginx': manage_repo => false, @@ -13,6 +15,7 @@ class profiles::gandalf_web { 'text/plain' => 'wiki txt', }, include_modules_enabled => true, + server_purge => true, } file { '/etc/nginx/modules-enabled': @@ -21,7 +24,41 @@ class profiles::gandalf_web { recurse => true, } - $certname = 'bookmark.gandalf.adrift.space' + # TODO this fails at bootstrapping, since letsencrypt requires nginx + # to be enabled, but nginx can't be enabled if any cert file is + # missing + # Letsencrypt::Certonly <| |> -> Nginx::Resource::Server <| |> + + $domains = [ + 'bookmark.gandalf.adrift.space', + 'calendar.gandalf.adrift.space', + 'repo.gandalf.adrift.space', + 'gandalf.adrift.space', + 'hack.adrift.space', + 'adrift.space', + ] + + ensure_packages (['cronie',], { ensure => installed }) + + ensure_packages (['certbot', 'certbot-nginx'], { ensure => installed }) + class { '::letsencrypt': + config => { + email => 'hugo@hornquist.se', + # server => 'https://acme-staging-v02.api.letsencrypt.org/directory', + server => 'https://acme-v02.api.letsencrypt.org/directory', + }, + manage_install => false, + } + + letsencrypt::certonly { $certname: + ensure => present, + domains => $domains, + manage_cron => true, + plugin => 'nginx', + additional_args => [ '--quiet', ], + # pre_hook_commands => [ 'systemctl stop nginx.service', ], + post_hook_commands => [ 'systemctl restart nginx.service', ], + } nginx::resource::server { 'gandalf': @@ -49,4 +86,17 @@ class profiles::gandalf_web { server => 'gandalf', } + nginx::resource::server { 'repo.gandalf.adrift.space': + ipv6_enable => true, + ipv6_listen_options => '', + server_name => [ 'repo.gandalf.adrift.space', ], + ssl => true, + ssl_cert => "/etc/letsencrypt/live/${certname}/fullchain.pem", + ssl_key => "/etc/letsencrypt/live/${certname}/privkey.pem", + ssl_redirect => true, + index_files => [ 'index.html', ], + www_root => '/usr/net/repo/', + use_default_location => true, + } + } -- cgit v1.2.3 From fa66475b6dd9835ac6f060202acc744632dd4c89 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Hugo=20H=C3=B6rnquist?= Date: Mon, 13 Dec 2021 23:39:36 +0100 Subject: Raspi setup was a bad idea. --- modules/raspi/manifests/init.pp | 143 ---------------------------------------- 1 file changed, 143 deletions(-) delete mode 100644 modules/raspi/manifests/init.pp (limited to 'modules') diff --git a/modules/raspi/manifests/init.pp b/modules/raspi/manifests/init.pp deleted file mode 100644 index c622f26..0000000 --- a/modules/raspi/manifests/init.pp +++ /dev/null @@ -1,143 +0,0 @@ -define raspi ( - String $dir, - String $version, -) { - # https://www.kernel.org/doc/html/latest/admin-guide/nfs/nfsroot.html - - - file { $dir: - ensure => directory, - } - - $img_file = "${version}-raspios-buster-armhf-lite" - - file { "${dir}/${img_file}.zip": - ensure => file, - source => "https://downloads.raspberrypi.org/raspios_lite_armhf/images/raspios_lite_armhf-2021-05-28/${img_file}.zip", - checksum => 'sha256', - checksum_value => 'c5dad159a2775c687e9281b1a0e586f7471690ae28f2f2282c90e7d59f64273c', - } ~> exec { "/usr/bin/unzip ${img_file}.zip": - creates => "${dir}/${img_file}.img", - cwd => $dir, - } - - # see modprobe.d(5) - # /sys/module/loop/parameters/max_part - file { '/etc/modprobe.d/loop.conf': - content => "options loop max_part=8\n", - } - - ['root'].each |$d| { - file { "${dir}/${d}": - ensure => directory, - } - ['base', 'export', 'overlays', 'workdirs'].each |$subdir| { - file { "${dir}/${d}/${subdir}": - ensure => directory, - } - } - } - - $mounts = { - 'root' => ['music',], - # 'boot' => ['music',], - } - - # overlay fs not supported for FAT32 filesystems - - $fstab = "${dir}/fstab" - file { $fstab: - ensure => file, - } - - File[$fstab] -> File_Line <| path == $fstab |> - - $mounts.each |$type, $lst| { - $lst.each |$name| { - - $dict = { - lowerdir => "${dir}/${type}/base", - upperdir => "${dir}/${type}/overlays/${name}", - workdir => "${dir}/${type}/workdirs/${name}", - nfs_export => 'on', - } - - $target = "${dir}/${type}/export/${name}" - - file { [ - $dict['upperdir'], - $dict['workdir'], - $target, - ] : - ensure => directory, - } - - $opts = $dict.map |$k, $v| { "$k=$v" }.join(',') - - file_line { "Raspi fstab ${type} ${target}": - ensure => present, - path => $fstab, - line => "overlay ${target} overlay ${opts}", - } - } - } - - ensure_packages ( ['nfs-utils'], { ensure => latest, }) - service { 'nfs-server': - ensure => running, - enable => true, - } - - exports { "${dir}/root/export": - options => { - '*' => [ - 'rw', - 'no_subtree_check', - 'no_root_squash', - # Our mounts under the exported tree are also exported, which is - # needed since our export point is simply a mount point - 'crossmnt', - 'fsid=1', - ], - }, - } - - # TODO ensure that we are mounted before we start changing stuff - - $root = "${dir}/root/export/music" - - file { "${root}/etc/systemd/system/multi-user.target.wants/ssh.service": - ensure => link, - target => '/lib/systemd/system/ssh.service', - } - - file { "${root}/etc/fstab": - ensure => absent, - } - - file { "${root}/root/.ssh": - ensure => directory, - } - - file { "${root}/root/.ssh/authorized_keys": - ensure => file, - } - - file_line { 'raspbian root key': - path => "${root}/root/.ssh/authorized_keys", - line => 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC8bdCl6aFmYoWAZIoorFv96oV45Jv75vH0TyNTKyByNV0dr6qgJzt8HJ1J/bVDs+q679f4udA1HLGLncyoJS1rGw9meP36dXCQBPMdfZJN0tIrYWgo2Hb7ZpDjsvxGTHaE9jzWlDUI9DcoWoa1Hy8roqsFZgbEnW4H1QG2Hr1+MkjoKvxhXFZoDxuq5K8WcHpehhEU8YcHSKiL0R5jhGlGbL+Qvb1QUL1sXQquHrgJB4IwrrYt2chX4W9Uo+PMny6VYV8ubuXvYCyQehQqZmkYSWD3iJAu59Ti0MLC+egBVZ6UkWAn4kik5cbboC36ioDCKQfrpvfZuUg4OA01N033QoC3+aKUwic8t+Z9sQz7PKT3JTJA5cLTjV+FMoZfKUiSrgm2jgk2mYl86HyHbjwvVq3I0Ny5xXHX3n2DwY9kT3tV16lA3m6oRPeUwZDo7sCzHuMTj2tQE8mMzpZ6kA/CkwAOotY6S/XSbyynIrYpu0Y2HJ6Rax8XGt09DEc7XAE= hugo@gandalf', - } - - # $ l=$(losetup --show -f ${file}.img) - # $ mount "${l}p1" boot/base - # $ mount "${l}p2" root/base - # $ dd if=/dev/loop0p1 of=boot-sector.img - - - # console=serial0,115200 console=tty1 root=/dev/nfs rootfstype=10.0.0.40:/usr/local/raspi/root,vers=4.1,proto=tcp id=dhcp elevator=deadline rootwait rw - - # cmdline.txt - # root=/dev/nfs - # rootfstype=10.0.0.40:/usr/local/raspi/root,vers=4.1,proto=tcp - -} -- cgit v1.2.3 From e3c15ec94649c7ba079c3332fc4afc5bda0b4b5a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Hugo=20H=C3=B6rnquist?= Date: Tue, 14 Dec 2021 00:58:22 +0100 Subject: Migrate stuff from ansible. --- modules/pacman/files/mirrorlist | 6 + modules/pacman/manifests/init.pp | 26 ++++- modules/pacman/manifests/repo.pp | 24 ++++ modules/profiles/files/passmenu | 29 +++++ modules/profiles/files/ssh-agent.service | 13 +++ modules/profiles/lib/facter/pacman_version.rb | 7 ++ modules/profiles/manifests/dolphin.pp | 70 ++++++++++++ modules/profiles/manifests/imagemagick.pp | 17 +++ modules/profiles/manifests/syncthing.pp | 28 +++++ modules/profiles/manifests/synth.pp | 33 ++++++ modules/profiles/manifests/workstation.pp | 126 +++++++++++++++++++++ .../profiles/manifests/workstation/archlinux.pp | 53 ++++++--- modules/profiles/manifests/xmonad.pp | 29 +++++ modules/profiles/templates/aconnect.epp | 8 ++ .../profiles/templates/imagemagick-policy.xml.epp | 89 +++++++++++++++ modules/profiles/templates/keyvalue.epp | 4 + modules/systemd_mount/manifests/init.pp | 42 +++++++ modules/systemd_mount/templates/automount.epp | 11 ++ modules/systemd_mount/templates/mount.epp | 13 +++ 19 files changed, 613 insertions(+), 15 deletions(-) create mode 100644 modules/pacman/files/mirrorlist create mode 100644 modules/pacman/manifests/repo.pp create mode 100755 modules/profiles/files/passmenu create mode 100644 modules/profiles/files/ssh-agent.service create mode 100644 modules/profiles/lib/facter/pacman_version.rb create mode 100644 modules/profiles/manifests/dolphin.pp create mode 100644 modules/profiles/manifests/imagemagick.pp create mode 100644 modules/profiles/manifests/syncthing.pp create mode 100644 modules/profiles/manifests/synth.pp create mode 100644 modules/profiles/manifests/xmonad.pp create mode 100644 modules/profiles/templates/aconnect.epp create mode 100644 modules/profiles/templates/imagemagick-policy.xml.epp create mode 100644 modules/profiles/templates/keyvalue.epp create mode 100644 modules/systemd_mount/manifests/init.pp create mode 100644 modules/systemd_mount/templates/automount.epp create mode 100644 modules/systemd_mount/templates/mount.epp (limited to 'modules') diff --git a/modules/pacman/files/mirrorlist b/modules/pacman/files/mirrorlist new file mode 100644 index 0000000..4ea5d0e --- /dev/null +++ b/modules/pacman/files/mirrorlist @@ -0,0 +1,6 @@ +# File managed by puppet, local changes WILL be overwritten + +Server = https://ftp.lysator.liu.se/pub/archlinux/$repo/os/$arch +Server = http://ftp.lysator.liu.se/pub/archlinux/$repo/os/$arch +Server = https://ftp.acc.umu.se/mirror/archlinux/$repo/os/$arch +Server = http://ftp.acc.umu.se/mirror/archlinux/$repo/os/$arch diff --git a/modules/pacman/manifests/init.pp b/modules/pacman/manifests/init.pp index eadc1c2..fb23328 100644 --- a/modules/pacman/manifests/init.pp +++ b/modules/pacman/manifests/init.pp @@ -1,9 +1,9 @@ class pacman ( String $hooks_path = '/etc/pacman.d/hooks-puppet', String $conf_path = '/etc/pacman.conf', + Boolean $ilovecandy = false, ) { - # TODO ability to set multiple settings ini_setting { 'Pacman HookDir': path => $conf_path, section => 'options', @@ -12,9 +12,33 @@ class pacman ( } + ini_setting { 'Pacman ILoveCandy': + ensure => if ($ilovecandy) { present } else { absent }, + path => '/etc/pacman.conf', + section => 'options', + setting => 'ILoveCandy', + key_val_separator => '', + value => '', + } + + if versioncmp($facts['pacman-version'], '6.0.0') >= 0 { + ini_setting { 'Pacman parallel downloads': + path => '/etc/pacman.conf', + section => 'options', + setting => 'ParallelDownloads', + value => 8, + } + } + file { $hooks_path: ensure => directory, recurse => true, purge => true, } + + file { '/etc/pacman.d/mirrorlist': + ensure => present, + backup => true, + source => 'puppet:///modules/pacman/mirrorlist', + } } diff --git a/modules/pacman/manifests/repo.pp b/modules/pacman/manifests/repo.pp new file mode 100644 index 0000000..28f92b0 --- /dev/null +++ b/modules/pacman/manifests/repo.pp @@ -0,0 +1,24 @@ +define pacman::repo ( + Enum['present', 'absent'] $ensure = 'present', + String $repo_name = $name, + # String $include, + String $server, + String $sig_level, +) { + + ini_setting { + default: + ensure => $ensure, + path => $::pacman::conf_path, + section => $repo_name , + ; + "Pacman repo [${repo_name}] server": + setting => 'Server', + value => $server , + ; + "Pacman repo [${repo_name}] SigLevel": + setting => 'SigLevel', + value => $sig_level , + ; + } +} diff --git a/modules/profiles/files/passmenu b/modules/profiles/files/passmenu new file mode 100755 index 0000000..653ebda --- /dev/null +++ b/modules/profiles/files/passmenu @@ -0,0 +1,29 @@ +#!/usr/bin/env bash + +shopt -s nullglob globstar + +typeit=0 +if [[ $1 == "--type" ]]; then + typeit=1 + shift +fi + +prefix=${PASSWORD_STORE_DIR-~/.password-store} +password_files=( "$prefix"/**/*.gpg ) +password_files=( "${password_files[@]#"$prefix"/}" ) +password_files=( "${password_files[@]%.gpg}" ) + +password=$(printf '%s\n' "${password_files[@]}" | dmenu "$@") + +[[ -n $password ]] || exit + +if [[ "$password" == *-otp ]]; then + otp='otp' +fi + +if [[ $typeit -eq 0 ]]; then + pass $otp show -c "$password" 2>/dev/null +else + pass $otp show "$password" | { IFS= read -r pass; printf %s "$pass"; } | + xdotool type --clearmodifiers --file - +fi diff --git a/modules/profiles/files/ssh-agent.service b/modules/profiles/files/ssh-agent.service new file mode 100644 index 0000000..d49edc6 --- /dev/null +++ b/modules/profiles/files/ssh-agent.service @@ -0,0 +1,13 @@ +# https://unix.stackexchange.com/questions/339840/how-to-start-and-use-ssh-agent-as-systemd-service + +[Unit] +Description=SSH key agent + +[Service] +Type=simple +Environment=SSH_AUTH_SOCK=%t/ssh-agent.socket +# ExecStart=/usr/bin/ssh-agent -D -a $SSH_AUTH_SOCK +ExecStart=/usr/bin/ssh-agent -D -a $SSH_AUTH_SOCK + +[Install] +WantedBy=default.target diff --git a/modules/profiles/lib/facter/pacman_version.rb b/modules/profiles/lib/facter/pacman_version.rb new file mode 100644 index 0000000..1d17b04 --- /dev/null +++ b/modules/profiles/lib/facter/pacman_version.rb @@ -0,0 +1,7 @@ +Facter.add('pacman-version') do + if File.exists?('/bin/pacman') then + setcode do + `pacman -Qi pacman | awk -F' : ' '/^Version/ { print $2 }'`.strip() + end + end +end diff --git a/modules/profiles/manifests/dolphin.pp b/modules/profiles/manifests/dolphin.pp new file mode 100644 index 0000000..f1fdcf8 --- /dev/null +++ b/modules/profiles/manifests/dolphin.pp @@ -0,0 +1,70 @@ +# Configure the file manager dolphin +class profiles::dolphin { + ensure_packages ([ + 'dolphin', + 'kde-cli-tools', + 'ffmpegthumbs', + 'kdegraphics-thumbnailers', + 'konsole', + 'breeze-icons', + ], { ensure => installed }) + + + $dolphin_settings = { + 'General' => { + 'BrowseThroughArchives' => 'true', + 'GlobalViewProps' => 'false', + 'HomeUrl' => '/usr/net/video', + 'OpenExternallyCalledFolderInNewTab' => 'false', + 'RememberOpenedTabs' => 'false', + 'ShowFullPath' => 'true', + }, + 'MainWindow' => { + 'MenuBar' => 'Disabled', + 'ToolBarsMovable' => 'Disabled', + }, + 'VersionControl' => { + 'enabledPlugins' => [ + 'Dropbox', + 'Git', + ] + }, + 'PreviewSettings' => { + 'Plugins' => [ + 'appimagethumbnail', + 'audiothumbnail', + 'blenderthumbnail', + 'comicbookthumbnail', + 'djvuthumbnail', + 'ebookthumbnail', + 'exrthumbnail', + 'directorythumbnail', + 'fontthumbnail', + 'imagethumbnail', + 'jpegthumbnail', + 'kraorathumbnail', + 'windowsexethumbnail', + 'windowsimagethumbnail', + 'opendocumentthumbnail', + 'gsthumbnail', + 'svgthumbnail', + 'textthumbnail', + 'ffmpegthumbs', + ] + } + } + + $dolphin_settings.map |$category, $group| { + $group.map |$setting, $value| { + ini_setting { "Dolphin [${category}].${setting}": + path => '/etc/xdg/dolphinrc', + section => $category, + setting => $setting, + value => $value ? { + Array => $value.join(','), + String => $value, + } + } + } + } +} diff --git a/modules/profiles/manifests/imagemagick.pp b/modules/profiles/manifests/imagemagick.pp new file mode 100644 index 0000000..7663cf8 --- /dev/null +++ b/modules/profiles/manifests/imagemagick.pp @@ -0,0 +1,17 @@ +class profiles::imagemagick { + package { 'imagemagick': + ensure => installed, + } + + file { '/etc/ImageMagick-7/policy.xml': + content => epp('profiles/imagemagick-policy.xml', { + policies => [ + { + domain => 'coder', + rights => 'read | write', + pattern => 'PDF' + }, + ] + }), + } +} diff --git a/modules/profiles/manifests/syncthing.pp b/modules/profiles/manifests/syncthing.pp new file mode 100644 index 0000000..7d8183e --- /dev/null +++ b/modules/profiles/manifests/syncthing.pp @@ -0,0 +1,28 @@ +class profiles::syncthing ( + Array[String] $enable_for = [] +) { + + # TODO add repo for those systems that need it + + package { 'syncthing': + ensure => installed + } + + systemd::dropin_file { 'nospam.conf': + unit => 'syncthing@.service', + content => @(EOF) + [Service] + ExecStart= + ExecStart=/bin/bash -c 'set -o pipefail; /usr/bin/syncthing -no-browser -no-restart -logflags=0 | grep -v "INFO: "' + | EOF + } + + $enable_for.map |$user| { + service { "syncthing@${user}": + enable => true, + } + } + + # TODO manage synced data + +} diff --git a/modules/profiles/manifests/synth.pp b/modules/profiles/manifests/synth.pp new file mode 100644 index 0000000..eb01f8f --- /dev/null +++ b/modules/profiles/manifests/synth.pp @@ -0,0 +1,33 @@ +class profiles::synth { + + package { 'freepats-general-midi': + ensure => installed, + } + + file { '/etc/conf.d/fluidsynth': + content => @(EOF) + SOUND_FONT=/usr/share/soundfonts/freepats-general-midi.sf2 + OTHER_OPTS='-a alsa' + | EOF + } + + # TODO pull in aur package from + # https://git.hornquist.se/archpkg/aconnect-service/ + + # TODO setup the rest + + # - template: + # dest: ~/.config/aconnect/impact + # source: aconnect + # vars: + # input_unit: Impact LX25 + # output_unit: FLUID Synth + # + # - systemd: + # name: aconnect@{{ impact }} + # scope: user + # enabled: yes + # become: yes + # become_user: hugo + +} diff --git a/modules/profiles/manifests/workstation.pp b/modules/profiles/manifests/workstation.pp index 724a1b5..fe7e1cb 100644 --- a/modules/profiles/manifests/workstation.pp +++ b/modules/profiles/manifests/workstation.pp @@ -3,4 +3,130 @@ class profiles::workstation { include "::profiles::workstation::${os}" include ::profiles::group_profile + + # TODO only if we use systemd + file { 'User ssh-agent service': + path => '/etc/systemd/user/ssh-agent.service', + source => "puppet:///modules/profiles/ssh-agent.service", + } + + file { 'Dvorak A6 TTY keyboard layout': + ensure => file, + path => '/usr/share/kbd/keymaps/i386/dvorak/dvorak-sv-a6.map', + source => 'https://raw.githubusercontent.com/HugoNikanor/keymaps/master/linux-tty/dvorak-sv-a6.map', + } + + file { 'Dvorak A6 X11 keyboard layout': + ensure => file, + path => '/usr/share/X11/xkb/symbols/planck', + source => 'https://raw.githubusercontent.com/HugoNikanor/keymaps/master/X11/planck', + } + + $xkb_layout = 'planck' + $xkb_variant = 'dvorak_a6' + $xkb_options = 'compose:caps' + + file { 'Default X11 keymap': + ensure => file, + path => '/etc/X11/xorg.conf.d/00-keyboard.conf', + content => @("EOF") + Section "InputClass" + Identifier "system-keyboard" + MatchIsKeyboard "on" + Option "XkbLayout" "${xkb_layout}" + Option XkbModel "pc105" + Option "XkbVariant" "${xkb_variant}" + Option "XkbOptions" "${xkb_options}" + EndSection + | EOF + } + + file { 'Model M X11 keymap': + ensure => file, + path => '/etc/X11/xorg.conf.d/01-model-m.conf', + content => @(EOF) + Section "InputClass" + Identifier "Model M" + MathUSBID "17f6:0822" + Option "XkbLayout" "us" + Option "XkbVariant" "dvorak" + EndSection + | EOF + } + + file { 'Setup console': + ensure => file, + path => '/etc/vconsole.conf', + content => epp('profiles/keyvalue.epp', { 'values' => { + 'KEYMAP' => 'dvorak-sv-a6', + 'FONT' => 'lat9v-12', + }}), + } + + $cowpath = [ + '/usr/share/cows', + '/usr/local/share/cows', + ] + + file { '/etc/environment': + content => epp('profiles/keyvalue.epp', { values => { + 'COWPATH' => $cowpath.join(':'), + 'MANWIDTH' => 80, + 'MPD_HOST' => 'jukebox.lysator.liu.se', + 'PAGER' => 'less', + 'EDITOR' => '/usr/bin/vi', + 'VISUAL' => '/usr/bin/vim', + }}) + } + + service { 'systemd-resolved': + enable => mask, + } + + file { 'Passmenu with OTP support': + path => '/usr/local/bin/passmenu', + mode => '0555', + source => 'puppet:///modules/profiles/passmenu', + } + + file { '/etc/sudoers': + validate_cmd => '/usr/bin/visudo -cf %', + content => @(EOF) + Defaults insults + root ALL=(ALL) ALL + %root ALL=(ALL) ALL + %wheel ALL=(ALL) ALL + + @includedir /etc/sudoers.d + | EOF + } + + $locales = [ + 'en_DK.UTF-8 UTF-8', + 'en_US.UTF-8 UTF-8', + 'sv_SE.UTF-8 UTF-8', + 'sv_SE.ISO-8859-1 ISO-8859-1', + '', + ] + + file { '/etc/locale.gen': + content => $locales.join("\n") + } ~> exec { 'locale-gen': + path => [ '/bin', '/usr/bin', ], + } + + file { 'Default locales': + path => '/etc/locale.conf', + content => @(EOF) + LANG=en_US.UTF-8 + LC_TIME=sv_SE.UTF-8 + | EOF + } + + $timezone = 'Europe/Stockholm' + + file { '/etc/localtime': + ensure => link, + target => "/usr/share/zoneinfo/${timezone}", + } } diff --git a/modules/profiles/manifests/workstation/archlinux.pp b/modules/profiles/manifests/workstation/archlinux.pp index 963f4df..5274699 100644 --- a/modules/profiles/manifests/workstation/archlinux.pp +++ b/modules/profiles/manifests/workstation/archlinux.pp @@ -1,18 +1,4 @@ class profiles::workstation::archlinux { - # Rebuilt my local xmonad config after an upgrade to xmonad. - # It's required, I think due to something with dynamic linking. - # It's actually pretty ugly that I'm hardcoded in here, but - # something had to be done. - pacman::hook { 'xmonad': - description => 'Rebuild local xmonad config.', - when => 'PostTransaction', - exec => '/bin/sudo -Hu hugo xmonad --recompile', - trigger => { - type => 'Package', - operation => ['Upgrade', 'Install'], - target => 'xmonad*', - }, - } pacman::hook { 'systemd daemon-reload': description => 'Reload systemd user daemon', @@ -24,4 +10,43 @@ class profiles::workstation::archlinux { target => 'usr/lib/systemd/user/*', }, } + + package { 'kernel-modules-hook': + ensure => installed, + } ~> service { 'linux-modules-cleanup': + ensure => running, + enable => true, + } + + $cpus = $facts['processors']['count'] - 1 + file_line { 'Makepkg paralell': + path => '/etc/makepkg.conf', + after => '^#-- Make flags', + line => "MAKEFLAGS='-j${cpus}'" + } + + pacman::repo { 'adrift-space': + ensure => present, + server => 'http://repo.gandalf.adrift.space/arch', + sig_level => 'Optional', + } + + # remove + # - netctl + + # aur-packages +# - pacaur +# - ansible-aur-git +# - cyrus-sasl-xoauth2-git +# - todotxt +# - effitask +# - getmail +# - mu +# # - pacaur +# - pandoc-bin +# - tlclient +# # backups old modules on kernel update +# - kernel-modules-hook + + } diff --git a/modules/profiles/manifests/xmonad.pp b/modules/profiles/manifests/xmonad.pp new file mode 100644 index 0000000..be8d516 --- /dev/null +++ b/modules/profiles/manifests/xmonad.pp @@ -0,0 +1,29 @@ +# Setup xmonad, only tested on arch linux +class profiles::xmonad { + ensure_packages ([ + 'xmonad', + 'xmonad-contrib', + # apparently really needed by xmonad + 'xorg-fonts-misc', + 'ghc', + 'xorg-xmessage', + 'dzen2', + 'dmenu', + 'rofi', + ], { ensure => installed }) + + # Rebuilt my local xmonad config after an upgrade to xmonad. + # It's required, I think due to something with dynamic linking. + # It's actually pretty ugly that I'm hardcoded in here, but + # something had to be done. + pacman::hook { 'xmonad': + description => 'Rebuild local xmonad config.', + when => 'PostTransaction', + exec => '/bin/sudo -Hu hugo xmonad --recompile', + trigger => { + type => 'Package', + operation => ['Upgrade', 'Install'], + target => 'xmonad*', + }, + } +} diff --git a/modules/profiles/templates/aconnect.epp b/modules/profiles/templates/aconnect.epp new file mode 100644 index 0000000..044ada6 --- /dev/null +++ b/modules/profiles/templates/aconnect.epp @@ -0,0 +1,8 @@ +<%- | String $input_unit, + String $output_unit +| -%> +# Where data comes from +INPUT_UNIT='<%= $input_unit %>' +# Where it should go +OUTPUT_UNIT='<%= $output_unit %>' + diff --git a/modules/profiles/templates/imagemagick-policy.xml.epp b/modules/profiles/templates/imagemagick-policy.xml.epp new file mode 100644 index 0000000..cbea9e9 --- /dev/null +++ b/modules/profiles/templates/imagemagick-policy.xml.epp @@ -0,0 +1,89 @@ +<%- | Array[Hash] $policies | -%> + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + + + + + + <% $policies.map |$policy| { %> + + <%- } %> + + diff --git a/modules/profiles/templates/keyvalue.epp b/modules/profiles/templates/keyvalue.epp new file mode 100644 index 0000000..694978a --- /dev/null +++ b/modules/profiles/templates/keyvalue.epp @@ -0,0 +1,4 @@ +<%- | Hash $values | -%> +<% $values.map |$key, $value| { -%> +<%= $key %>=<%= $value %> +<%- } %> diff --git a/modules/systemd_mount/manifests/init.pp b/modules/systemd_mount/manifests/init.pp new file mode 100644 index 0000000..ff081e4 --- /dev/null +++ b/modules/systemd_mount/manifests/init.pp @@ -0,0 +1,42 @@ +define systemd_mount ( + String $what, # elrond:/files + String $where, # /usr/net + Boolean $automount = false, + String $wantedBy = 'default.target', +) { + + $mostly_fixed = regsubst($where, '/', '-', 'G') + $fixed = if $mostly_fixed[0] == '-' { + $mostly_fixed[1, -1] # drop first char + } else { + $mostly_fixed + } + + systemd::unit_file { "${fixed}.mount": + content => epp('systemd_mount/mount.epp', { + what => $what, + where => $where, + wantedby => if ($automount) { '' } else { "WantedBy=${wantedBy}" }, + }), + } + + if ($automount) { + systemd::unit_file { "${fixed}.automount": + content => epp('systemd_mount/automount.epp', { + where => $where, + wantedBy => "WantedBy=${wantedBy}", + }), + } + + service { "${fixed}.automount": + enable => true, + ensure => running, + } + } else { + service { "${fixed}.mount": + enable => true, + ensure => running, + } + } + +} diff --git a/modules/systemd_mount/templates/automount.epp b/modules/systemd_mount/templates/automount.epp new file mode 100644 index 0000000..c65f2ae --- /dev/null +++ b/modules/systemd_mount/templates/automount.epp @@ -0,0 +1,11 @@ +<%- | String $where, + String $wantedBy, +| -%> + +[Unit] + +[Install] +<%= $wantedBy %> + +[Automount] +Where=<%= $where %> diff --git a/modules/systemd_mount/templates/mount.epp b/modules/systemd_mount/templates/mount.epp new file mode 100644 index 0000000..54d191a --- /dev/null +++ b/modules/systemd_mount/templates/mount.epp @@ -0,0 +1,13 @@ +<%- | String $where, + String $what, + String $wantedby, +| -%> + +[Unit] + +[Install] +<%= $wantedby %> + +[Mount] +Where=<%= $where %> +What=<%= $what %> -- cgit v1.2.3