From e3c15ec94649c7ba079c3332fc4afc5bda0b4b5a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Hugo=20H=C3=B6rnquist?= <hugo@lysator.liu.se>
Date: Tue, 14 Dec 2021 00:58:22 +0100
Subject: Migrate stuff from ansible.

---
 modules/pacman/files/mirrorlist                    |   6 +
 modules/pacman/manifests/init.pp                   |  26 ++++-
 modules/pacman/manifests/repo.pp                   |  24 ++++
 modules/profiles/files/passmenu                    |  29 +++++
 modules/profiles/files/ssh-agent.service           |  13 +++
 modules/profiles/lib/facter/pacman_version.rb      |   7 ++
 modules/profiles/manifests/dolphin.pp              |  70 ++++++++++++
 modules/profiles/manifests/imagemagick.pp          |  17 +++
 modules/profiles/manifests/syncthing.pp            |  28 +++++
 modules/profiles/manifests/synth.pp                |  33 ++++++
 modules/profiles/manifests/workstation.pp          | 126 +++++++++++++++++++++
 .../profiles/manifests/workstation/archlinux.pp    |  53 ++++++---
 modules/profiles/manifests/xmonad.pp               |  29 +++++
 modules/profiles/templates/aconnect.epp            |   8 ++
 .../profiles/templates/imagemagick-policy.xml.epp  |  89 +++++++++++++++
 modules/profiles/templates/keyvalue.epp            |   4 +
 modules/systemd_mount/manifests/init.pp            |  42 +++++++
 modules/systemd_mount/templates/automount.epp      |  11 ++
 modules/systemd_mount/templates/mount.epp          |  13 +++
 19 files changed, 613 insertions(+), 15 deletions(-)
 create mode 100644 modules/pacman/files/mirrorlist
 create mode 100644 modules/pacman/manifests/repo.pp
 create mode 100755 modules/profiles/files/passmenu
 create mode 100644 modules/profiles/files/ssh-agent.service
 create mode 100644 modules/profiles/lib/facter/pacman_version.rb
 create mode 100644 modules/profiles/manifests/dolphin.pp
 create mode 100644 modules/profiles/manifests/imagemagick.pp
 create mode 100644 modules/profiles/manifests/syncthing.pp
 create mode 100644 modules/profiles/manifests/synth.pp
 create mode 100644 modules/profiles/manifests/xmonad.pp
 create mode 100644 modules/profiles/templates/aconnect.epp
 create mode 100644 modules/profiles/templates/imagemagick-policy.xml.epp
 create mode 100644 modules/profiles/templates/keyvalue.epp
 create mode 100644 modules/systemd_mount/manifests/init.pp
 create mode 100644 modules/systemd_mount/templates/automount.epp
 create mode 100644 modules/systemd_mount/templates/mount.epp

(limited to 'modules')

diff --git a/modules/pacman/files/mirrorlist b/modules/pacman/files/mirrorlist
new file mode 100644
index 0000000..4ea5d0e
--- /dev/null
+++ b/modules/pacman/files/mirrorlist
@@ -0,0 +1,6 @@
+# File managed by puppet, local changes WILL be overwritten
+
+Server = https://ftp.lysator.liu.se/pub/archlinux/$repo/os/$arch
+Server = http://ftp.lysator.liu.se/pub/archlinux/$repo/os/$arch
+Server = https://ftp.acc.umu.se/mirror/archlinux/$repo/os/$arch
+Server = http://ftp.acc.umu.se/mirror/archlinux/$repo/os/$arch
diff --git a/modules/pacman/manifests/init.pp b/modules/pacman/manifests/init.pp
index eadc1c2..fb23328 100644
--- a/modules/pacman/manifests/init.pp
+++ b/modules/pacman/manifests/init.pp
@@ -1,9 +1,9 @@
 class pacman (
   String $hooks_path = '/etc/pacman.d/hooks-puppet',
   String $conf_path = '/etc/pacman.conf',
+  Boolean $ilovecandy = false,
 ) {
 
-  # TODO ability to set multiple settings
   ini_setting { 'Pacman HookDir':
     path    => $conf_path,
     section => 'options',
@@ -12,9 +12,33 @@ class pacman (
 
   }
 
+  ini_setting { 'Pacman ILoveCandy':
+    ensure            => if ($ilovecandy) { present } else { absent },
+    path              => '/etc/pacman.conf',
+    section           => 'options',
+    setting           => 'ILoveCandy',
+    key_val_separator => '',
+    value             => '',
+  }
+
+  if versioncmp($facts['pacman-version'], '6.0.0') >= 0 {
+    ini_setting { 'Pacman parallel downloads':
+      path    => '/etc/pacman.conf',
+      section => 'options',
+      setting => 'ParallelDownloads',
+      value   => 8,
+    }
+  }
+
   file { $hooks_path:
     ensure  => directory,
     recurse => true,
     purge   => true,
   }
+
+  file { '/etc/pacman.d/mirrorlist':
+    ensure => present,
+    backup => true,
+    source => 'puppet:///modules/pacman/mirrorlist',
+  }
 }
diff --git a/modules/pacman/manifests/repo.pp b/modules/pacman/manifests/repo.pp
new file mode 100644
index 0000000..28f92b0
--- /dev/null
+++ b/modules/pacman/manifests/repo.pp
@@ -0,0 +1,24 @@
+define pacman::repo (
+  Enum['present', 'absent'] $ensure = 'present',
+  String $repo_name = $name,
+  # String $include,
+  String $server,
+  String $sig_level,
+) {
+
+  ini_setting {
+    default:
+      ensure  => $ensure,
+      path    => $::pacman::conf_path,
+      section => $repo_name ,
+      ;
+    "Pacman repo [${repo_name}] server":
+      setting => 'Server',
+      value   => $server ,
+      ;
+    "Pacman repo [${repo_name}] SigLevel":
+      setting => 'SigLevel',
+      value   => $sig_level ,
+      ;
+  }
+}
diff --git a/modules/profiles/files/passmenu b/modules/profiles/files/passmenu
new file mode 100755
index 0000000..653ebda
--- /dev/null
+++ b/modules/profiles/files/passmenu
@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+
+shopt -s nullglob globstar
+
+typeit=0
+if [[ $1 == "--type" ]]; then
+	typeit=1
+	shift
+fi
+
+prefix=${PASSWORD_STORE_DIR-~/.password-store}
+password_files=( "$prefix"/**/*.gpg )
+password_files=( "${password_files[@]#"$prefix"/}" )
+password_files=( "${password_files[@]%.gpg}" )
+
+password=$(printf '%s\n' "${password_files[@]}" | dmenu "$@")
+
+[[ -n $password ]] || exit
+
+if [[ "$password" == *-otp ]]; then
+	otp='otp'
+fi
+
+if [[ $typeit -eq 0 ]]; then
+	pass $otp show -c "$password" 2>/dev/null
+else
+	pass $otp show "$password" | { IFS= read -r pass; printf %s "$pass"; } |
+		xdotool type --clearmodifiers --file -
+fi
diff --git a/modules/profiles/files/ssh-agent.service b/modules/profiles/files/ssh-agent.service
new file mode 100644
index 0000000..d49edc6
--- /dev/null
+++ b/modules/profiles/files/ssh-agent.service
@@ -0,0 +1,13 @@
+# https://unix.stackexchange.com/questions/339840/how-to-start-and-use-ssh-agent-as-systemd-service
+
+[Unit]
+Description=SSH key agent
+
+[Service]
+Type=simple
+Environment=SSH_AUTH_SOCK=%t/ssh-agent.socket
+# ExecStart=/usr/bin/ssh-agent -D -a $SSH_AUTH_SOCK
+ExecStart=/usr/bin/ssh-agent -D -a $SSH_AUTH_SOCK
+
+[Install]
+WantedBy=default.target
diff --git a/modules/profiles/lib/facter/pacman_version.rb b/modules/profiles/lib/facter/pacman_version.rb
new file mode 100644
index 0000000..1d17b04
--- /dev/null
+++ b/modules/profiles/lib/facter/pacman_version.rb
@@ -0,0 +1,7 @@
+Facter.add('pacman-version') do
+  if File.exists?('/bin/pacman') then
+    setcode do
+      `pacman -Qi pacman | awk -F' : ' '/^Version/ { print $2 }'`.strip()
+    end
+  end
+end
diff --git a/modules/profiles/manifests/dolphin.pp b/modules/profiles/manifests/dolphin.pp
new file mode 100644
index 0000000..f1fdcf8
--- /dev/null
+++ b/modules/profiles/manifests/dolphin.pp
@@ -0,0 +1,70 @@
+# Configure the file manager dolphin
+class profiles::dolphin {
+  ensure_packages ([
+    'dolphin',
+    'kde-cli-tools',
+    'ffmpegthumbs',
+    'kdegraphics-thumbnailers',
+    'konsole',
+    'breeze-icons',
+  ], { ensure => installed })
+
+
+  $dolphin_settings = {
+    'General'                              => {
+      'BrowseThroughArchives'              => 'true',
+      'GlobalViewProps'                    => 'false',
+      'HomeUrl'                            => '/usr/net/video',
+      'OpenExternallyCalledFolderInNewTab' => 'false',
+      'RememberOpenedTabs'                 => 'false',
+      'ShowFullPath'                       => 'true',
+    },
+    'MainWindow'        => {
+      'MenuBar'         => 'Disabled',
+      'ToolBarsMovable' => 'Disabled',
+    },
+    'VersionControl'   => {
+      'enabledPlugins' => [
+        'Dropbox',
+        'Git',
+      ]
+    },
+    'PreviewSettings' => {
+      'Plugins'       => [
+        'appimagethumbnail',
+        'audiothumbnail',
+        'blenderthumbnail',
+        'comicbookthumbnail',
+        'djvuthumbnail',
+        'ebookthumbnail',
+        'exrthumbnail',
+        'directorythumbnail',
+        'fontthumbnail',
+        'imagethumbnail',
+        'jpegthumbnail',
+        'kraorathumbnail',
+        'windowsexethumbnail',
+        'windowsimagethumbnail',
+        'opendocumentthumbnail',
+        'gsthumbnail',
+        'svgthumbnail',
+        'textthumbnail',
+        'ffmpegthumbs',
+      ]
+    }
+  }
+
+  $dolphin_settings.map |$category, $group| {
+    $group.map |$setting, $value| {
+      ini_setting { "Dolphin [${category}].${setting}":
+        path    => '/etc/xdg/dolphinrc',
+        section => $category,
+        setting => $setting,
+        value   => $value ? {
+          Array  => $value.join(','),
+          String => $value,
+        }
+      }
+    }
+  }
+}
diff --git a/modules/profiles/manifests/imagemagick.pp b/modules/profiles/manifests/imagemagick.pp
new file mode 100644
index 0000000..7663cf8
--- /dev/null
+++ b/modules/profiles/manifests/imagemagick.pp
@@ -0,0 +1,17 @@
+class profiles::imagemagick {
+  package { 'imagemagick':
+    ensure => installed,
+  }
+
+  file { '/etc/ImageMagick-7/policy.xml':
+    content    => epp('profiles/imagemagick-policy.xml', {
+      policies => [
+        { 
+          domain  => 'coder',
+          rights  => 'read | write',
+          pattern => 'PDF'
+        },
+      ]
+      }),
+  }
+}
diff --git a/modules/profiles/manifests/syncthing.pp b/modules/profiles/manifests/syncthing.pp
new file mode 100644
index 0000000..7d8183e
--- /dev/null
+++ b/modules/profiles/manifests/syncthing.pp
@@ -0,0 +1,28 @@
+class profiles::syncthing (
+  Array[String] $enable_for = []
+) {
+
+  # TODO add repo for those systems that need it
+
+  package { 'syncthing':
+    ensure => installed
+  }
+
+  systemd::dropin_file { 'nospam.conf':
+    unit    => 'syncthing@.service',
+    content => @(EOF)
+      [Service]
+      ExecStart=
+      ExecStart=/bin/bash -c 'set -o pipefail; /usr/bin/syncthing -no-browser -no-restart -logflags=0 | grep -v "INFO: "'
+      | EOF
+  }
+
+  $enable_for.map |$user| {
+    service { "syncthing@${user}":
+      enable => true,
+    }
+  }
+
+  # TODO manage synced data
+
+}
diff --git a/modules/profiles/manifests/synth.pp b/modules/profiles/manifests/synth.pp
new file mode 100644
index 0000000..eb01f8f
--- /dev/null
+++ b/modules/profiles/manifests/synth.pp
@@ -0,0 +1,33 @@
+class profiles::synth {
+
+  package { 'freepats-general-midi':
+    ensure => installed,
+  }
+
+  file { '/etc/conf.d/fluidsynth':
+    content => @(EOF)
+      SOUND_FONT=/usr/share/soundfonts/freepats-general-midi.sf2
+      OTHER_OPTS='-a alsa'
+      | EOF
+  }
+
+  # TODO pull in aur package from 
+  # https://git.hornquist.se/archpkg/aconnect-service/
+
+  # TODO setup the rest
+
+  # - template:
+  #     dest: ~/.config/aconnect/impact
+  #     source: aconnect
+  #     vars:
+  #       input_unit: Impact LX25
+  #       output_unit: FLUID Synth
+  # 
+  # - systemd:
+  #     name: aconnect@{{ impact }}
+  #     scope: user
+  #     enabled: yes
+  #     become: yes
+  #     become_user: hugo
+
+}
diff --git a/modules/profiles/manifests/workstation.pp b/modules/profiles/manifests/workstation.pp
index 724a1b5..fe7e1cb 100644
--- a/modules/profiles/manifests/workstation.pp
+++ b/modules/profiles/manifests/workstation.pp
@@ -3,4 +3,130 @@ class profiles::workstation {
   include "::profiles::workstation::${os}"
 
   include ::profiles::group_profile
+
+  # TODO only if we use systemd
+  file { 'User ssh-agent service':
+    path   => '/etc/systemd/user/ssh-agent.service',
+    source => "puppet:///modules/profiles/ssh-agent.service",
+  }
+
+  file { 'Dvorak A6 TTY keyboard layout':
+    ensure => file,
+    path   => '/usr/share/kbd/keymaps/i386/dvorak/dvorak-sv-a6.map',
+    source => 'https://raw.githubusercontent.com/HugoNikanor/keymaps/master/linux-tty/dvorak-sv-a6.map',
+  }
+
+  file { 'Dvorak A6 X11 keyboard layout':
+    ensure => file,
+    path   => '/usr/share/X11/xkb/symbols/planck',
+    source => 'https://raw.githubusercontent.com/HugoNikanor/keymaps/master/X11/planck',
+  }
+
+  $xkb_layout = 'planck'
+  $xkb_variant = 'dvorak_a6'
+  $xkb_options = 'compose:caps'
+
+  file { 'Default X11 keymap':
+    ensure  => file,
+    path    => '/etc/X11/xorg.conf.d/00-keyboard.conf',
+    content => @("EOF")
+      Section "InputClass"
+        Identifier "system-keyboard"
+        MatchIsKeyboard "on"
+        Option "XkbLayout" "${xkb_layout}"
+        Option XkbModel "pc105"
+        Option "XkbVariant" "${xkb_variant}"
+        Option "XkbOptions" "${xkb_options}"
+      EndSection
+      | EOF
+  }
+
+  file { 'Model M X11 keymap':
+    ensure  => file,
+    path    => '/etc/X11/xorg.conf.d/01-model-m.conf',
+    content => @(EOF)
+      Section "InputClass"
+        Identifier "Model M"
+        MathUSBID "17f6:0822"
+        Option "XkbLayout" "us"
+        Option "XkbVariant" "dvorak"
+      EndSection
+      | EOF
+  }
+
+  file { 'Setup console':
+    ensure  => file,
+    path    => '/etc/vconsole.conf',
+    content =>  epp('profiles/keyvalue.epp', { 'values' => {
+      'KEYMAP' => 'dvorak-sv-a6',
+      'FONT'   => 'lat9v-12',
+    }}),
+  }
+
+  $cowpath = [
+    '/usr/share/cows',
+    '/usr/local/share/cows',
+  ]
+
+  file { '/etc/environment':
+    content =>  epp('profiles/keyvalue.epp', { values => {
+      'COWPATH'  => $cowpath.join(':'),
+      'MANWIDTH' => 80,
+      'MPD_HOST' => 'jukebox.lysator.liu.se',
+      'PAGER'    => 'less',
+      'EDITOR'   => '/usr/bin/vi',
+      'VISUAL'   => '/usr/bin/vim',
+    }})
+  }
+
+  service { 'systemd-resolved':
+    enable => mask,
+  }
+
+  file { 'Passmenu with OTP support':
+    path   => '/usr/local/bin/passmenu',
+    mode   => '0555',
+    source => 'puppet:///modules/profiles/passmenu',
+  }
+
+  file { '/etc/sudoers':
+    validate_cmd => '/usr/bin/visudo -cf %',
+    content      => @(EOF)
+      Defaults  insults
+      root   ALL=(ALL) ALL
+      %root  ALL=(ALL) ALL
+      %wheel ALL=(ALL) ALL
+
+      @includedir /etc/sudoers.d
+      | EOF
+  }
+
+  $locales = [
+    'en_DK.UTF-8 UTF-8',
+    'en_US.UTF-8 UTF-8',
+    'sv_SE.UTF-8 UTF-8',
+    'sv_SE.ISO-8859-1 ISO-8859-1',
+    '',
+  ]
+
+  file { '/etc/locale.gen':
+    content => $locales.join("\n")
+  } ~> exec { 'locale-gen':
+    path => [ '/bin', '/usr/bin', ],
+  }
+
+  file { 'Default locales':
+    path    => '/etc/locale.conf',
+    content => @(EOF)
+      LANG=en_US.UTF-8
+      LC_TIME=sv_SE.UTF-8
+      | EOF
+  }
+
+  $timezone = 'Europe/Stockholm'
+
+  file { '/etc/localtime':
+    ensure => link,
+    target => "/usr/share/zoneinfo/${timezone}",
+  }
 }
diff --git a/modules/profiles/manifests/workstation/archlinux.pp b/modules/profiles/manifests/workstation/archlinux.pp
index 963f4df..5274699 100644
--- a/modules/profiles/manifests/workstation/archlinux.pp
+++ b/modules/profiles/manifests/workstation/archlinux.pp
@@ -1,18 +1,4 @@
 class profiles::workstation::archlinux {
-  # Rebuilt my local xmonad config after an upgrade to xmonad.
-  # It's required, I think due to something with dynamic linking.
-  # It's actually pretty ugly that I'm hardcoded in here, but
-  # something had to be done.
-  pacman::hook { 'xmonad':
-    description => 'Rebuild local xmonad config.',
-    when        => 'PostTransaction',
-    exec        => '/bin/sudo -Hu hugo xmonad --recompile',
-    trigger       => {
-      type      => 'Package',
-      operation => ['Upgrade', 'Install'],
-      target    => 'xmonad*',
-    },
-  }
 
   pacman::hook { 'systemd daemon-reload':
     description => 'Reload systemd user daemon',
@@ -24,4 +10,43 @@ class profiles::workstation::archlinux {
       target    => 'usr/lib/systemd/user/*',
     },
   }
+
+  package { 'kernel-modules-hook':
+    ensure => installed,
+  } ~> service { 'linux-modules-cleanup':
+    ensure => running,
+    enable => true,
+  }
+
+  $cpus = $facts['processors']['count'] - 1
+  file_line { 'Makepkg paralell':
+    path  => '/etc/makepkg.conf',
+    after => '^#-- Make flags',
+    line  => "MAKEFLAGS='-j${cpus}'"
+  }
+
+  pacman::repo { 'adrift-space':
+    ensure    => present,
+    server    => 'http://repo.gandalf.adrift.space/arch',
+    sig_level => 'Optional',
+  }
+
+  # remove
+  # - netctl
+
+  # aur-packages
+#     - pacaur
+#     - ansible-aur-git
+#     - cyrus-sasl-xoauth2-git
+#     - todotxt
+#     - effitask
+#     - getmail
+#     - mu
+#     # - pacaur
+#     - pandoc-bin
+#     - tlclient
+#     # backups old modules on kernel update
+#     - kernel-modules-hook
+
+
 }
diff --git a/modules/profiles/manifests/xmonad.pp b/modules/profiles/manifests/xmonad.pp
new file mode 100644
index 0000000..be8d516
--- /dev/null
+++ b/modules/profiles/manifests/xmonad.pp
@@ -0,0 +1,29 @@
+# Setup xmonad, only tested on arch linux
+class profiles::xmonad {
+  ensure_packages ([
+    'xmonad',
+    'xmonad-contrib',
+    # apparently really needed by xmonad
+    'xorg-fonts-misc',
+    'ghc',
+    'xorg-xmessage',
+    'dzen2',
+    'dmenu',
+    'rofi',
+  ], { ensure => installed })
+
+  # Rebuilt my local xmonad config after an upgrade to xmonad.
+  # It's required, I think due to something with dynamic linking.
+  # It's actually pretty ugly that I'm hardcoded in here, but
+  # something had to be done.
+  pacman::hook { 'xmonad':
+    description => 'Rebuild local xmonad config.',
+    when        => 'PostTransaction',
+    exec        => '/bin/sudo -Hu hugo xmonad --recompile',
+    trigger       => {
+      type      => 'Package',
+      operation => ['Upgrade', 'Install'],
+      target    => 'xmonad*',
+    },
+  }
+}
diff --git a/modules/profiles/templates/aconnect.epp b/modules/profiles/templates/aconnect.epp
new file mode 100644
index 0000000..044ada6
--- /dev/null
+++ b/modules/profiles/templates/aconnect.epp
@@ -0,0 +1,8 @@
+<%- | String $input_unit,
+      String $output_unit
+| -%>
+# Where data comes from
+INPUT_UNIT='<%= $input_unit %>'
+# Where it should go
+OUTPUT_UNIT='<%= $output_unit %>'
+
diff --git a/modules/profiles/templates/imagemagick-policy.xml.epp b/modules/profiles/templates/imagemagick-policy.xml.epp
new file mode 100644
index 0000000..cbea9e9
--- /dev/null
+++ b/modules/profiles/templates/imagemagick-policy.xml.epp
@@ -0,0 +1,89 @@
+<%- | Array[Hash] $policies | -%>
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE policymap [
+  <!ELEMENT policymap (policy)*>
+  <!ATTLIST policymap xmlns CDATA #FIXED ''>
+  <!ELEMENT policy EMPTY>
+  <!ATTLIST policy xmlns CDATA #FIXED '' domain NMTOKEN #REQUIRED
+    name NMTOKEN #IMPLIED pattern CDATA #IMPLIED rights NMTOKEN #IMPLIED
+    stealth NMTOKEN #IMPLIED value CDATA #IMPLIED>
+]>
+<!--
+  Configure ImageMagick policies.
+
+  Domains include system, delegate, coder, filter, path, or resource.
+
+  Rights include none, read, write, execute and all.  Use | to combine them,
+  for example: "read | write" to permit read from, or write to, a path.
+
+  Use a glob expression as a pattern.
+
+  Suppose we do not want users to process MPEG video images:
+
+    <policy domain="delegate" rights="none" pattern="mpeg:decode" />
+
+  Here we do not want users reading images from HTTP:
+
+    <policy domain="coder" rights="none" pattern="HTTP" />
+
+  The /repository file system is restricted to read only.  We use a glob
+  expression to match all paths that start with /repository:
+
+    <policy domain="path" rights="read" pattern="/repository/*" />
+
+  Lets prevent users from executing any image filters:
+
+    <policy domain="filter" rights="none" pattern="*" />
+
+  Any large image is cached to disk rather than memory:
+
+    <policy domain="resource" name="area" value="1GP"/>
+
+  Use the default system font unless overwridden by the application:
+
+    <policy domain="system" name="font" value="/usr/share/fonts/favorite.ttf"/>
+
+  Define arguments for the memory, map, area, width, height and disk resources
+  with SI prefixes (.e.g 100MB).  In addition, resource policies are maximums
+  for each instance of ImageMagick (e.g. policy memory limit 1GB, -limit 2GB
+  exceeds policy maximum so memory limit is 1GB).
+
+  Rules are processed in order.  Here we want to restrict ImageMagick to only
+  read or write a small subset of proven web-safe image types:
+
+    <policy domain="delegate" rights="none" pattern="*" />
+    <policy domain="filter" rights="none" pattern="*" />
+    <policy domain="coder" rights="none" pattern="*" />
+    <policy domain="coder" rights="read|write" pattern="{GIF,JPEG,PNG,WEBP}" />
+-->
+<policymap>
+  <!-- Sample policies -->
+  <!-- <policy domain="resource" name="temporary-path" value="/tmp"/> -->
+  <!-- <policy domain="resource" name="memory" value="2GiB"/> -->
+  <!-- <policy domain="resource" name="map" value="4GiB"/> -->
+  <!-- <policy domain="resource" name="width" value="10KP"/> -->
+  <!-- <policy domain="resource" name="height" value="10KP"/> -->
+  <!-- <policy domain="resource" name="list-length" value="128"/> -->
+  <!-- <policy domain="resource" name="area" value="100MP"/> -->
+  <!-- <policy domain="resource" name="disk" value="16EiB"/> -->
+  <!-- <policy domain="resource" name="file" value="768"/> -->
+  <!-- <policy domain="resource" name="thread" value="4"/> -->
+  <!-- <policy domain="resource" name="throttle" value="0"/> -->
+  <!-- <policy domain="resource" name="time" value="3600"/> -->
+  <!-- <policy domain="coder" rights="none" pattern="MVG" /> -->
+  <!-- <policy domain="module" rights="none" pattern="{PS,PDF,XPS}" /> -->
+  <!-- <policy domain="delegate" rights="none" pattern="HTTPS" /> -->
+  <!-- <policy domain="path" rights="none" pattern="@*" /> -->
+  <!-- <policy domain="cache" name="memory-map" value="anonymous"/> -->
+  <!-- <policy domain="cache" name="synchronize" value="True"/> -->
+  <!-- <policy domain="cache" name="shared-secret" value="passphrase" stealth="true"/> -->
+  <!-- <policy domain="system" name="max-memory-request" value="256MiB"/> -->
+  <!-- <policy domain="system" name="shred" value="2"/> -->
+  <!-- <policy domain="system" name="precision" value="6"/> -->
+  <!-- <policy domain="system" name="font" value="/path/to/unicode-font.ttf"/> -->
+  <!-- Below policies generated from puppet -->
+  <% $policies.map |$policy| { %>
+  <policy domain="<%= $policy['domain'] %>" rights="<%= $policy['rights'] %>" pattern="<%= $policy['pattern'] %>" />
+  <%- } %>
+</policymap>
+<!-- NOTE File managed by puppet, any manual changes will be overwritten. -->
diff --git a/modules/profiles/templates/keyvalue.epp b/modules/profiles/templates/keyvalue.epp
new file mode 100644
index 0000000..694978a
--- /dev/null
+++ b/modules/profiles/templates/keyvalue.epp
@@ -0,0 +1,4 @@
+<%- | Hash $values | -%>
+<% $values.map |$key, $value| { -%>
+<%= $key %>=<%= $value %>
+<%- } %>
diff --git a/modules/systemd_mount/manifests/init.pp b/modules/systemd_mount/manifests/init.pp
new file mode 100644
index 0000000..ff081e4
--- /dev/null
+++ b/modules/systemd_mount/manifests/init.pp
@@ -0,0 +1,42 @@
+define systemd_mount (
+  String $what,  # elrond:/files
+  String $where, # /usr/net
+  Boolean $automount = false,
+  String $wantedBy = 'default.target',
+) {
+
+  $mostly_fixed = regsubst($where, '/', '-', 'G')
+  $fixed = if $mostly_fixed[0] == '-' {
+    $mostly_fixed[1, -1] # drop first char
+  } else {
+    $mostly_fixed
+  }
+
+  systemd::unit_file { "${fixed}.mount":
+      content => epp('systemd_mount/mount.epp', {
+        what     => $what,
+        where    => $where,
+        wantedby => if ($automount) { '' } else { "WantedBy=${wantedBy}" },
+      }),
+  }
+
+  if ($automount) {
+    systemd::unit_file { "${fixed}.automount":
+      content => epp('systemd_mount/automount.epp', {
+        where    => $where,
+        wantedBy => "WantedBy=${wantedBy}",
+        }),
+    }
+
+    service { "${fixed}.automount":
+      enable => true,
+      ensure => running,
+    }
+  } else {
+    service { "${fixed}.mount":
+      enable => true,
+      ensure => running,
+    }
+  }
+
+}
diff --git a/modules/systemd_mount/templates/automount.epp b/modules/systemd_mount/templates/automount.epp
new file mode 100644
index 0000000..c65f2ae
--- /dev/null
+++ b/modules/systemd_mount/templates/automount.epp
@@ -0,0 +1,11 @@
+<%- | String $where,
+      String $wantedBy,
+| -%>
+
+[Unit]
+
+[Install]
+<%= $wantedBy %>
+
+[Automount]
+Where=<%= $where %>
diff --git a/modules/systemd_mount/templates/mount.epp b/modules/systemd_mount/templates/mount.epp
new file mode 100644
index 0000000..54d191a
--- /dev/null
+++ b/modules/systemd_mount/templates/mount.epp
@@ -0,0 +1,13 @@
+<%- | String $where,
+      String $what,
+      String $wantedby,
+| -%>
+
+[Unit]
+
+[Install]
+<%= $wantedby %>
+
+[Mount]
+Where=<%= $where %>
+What=<%= $what %>
-- 
cgit v1.2.3