paulmataruso/zulip
1
0
Fork 0
mirror of https://github.com/zulip/zulip.git synced 2025-11-02 13:03:29 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
63fe39e38109ec27e2ac28a59c1c5eeafdcb3b45
zulip/puppet/zulip_ops/manifests/base.pp
Tim Abbott 63fe39e381 zulip_ops: Disable Ubuntu's built-in update-motd.d files. 
We can't really do this in the zulip manifests (since it's sorta a
sysadmin policy decision), but these scripts can cause significant
load when Nagios logs into a server (because many of them take 50ms or
more of work to run).  So we just get rid of them.
2018-05-06 18:47:40 -07:00

222 lines
6.9 KiB
Puppet
Raw Blame History

class zulip_ops::base {
include zulip::base
include zulip::apt_repository
$org_base_packages = [# Management for our systems
"openssh-server",
"mosh",
# package management
"aptitude",
# SSL Certificates
"letsencrypt",
# Monitoring
"munin-node",
"munin-plugins-extra" ,
# Security
"iptables-persistent",
# For managing our current Debian packages
"debian-goodies",
# Needed for zulip-ec2-configure-network-interfaces
'dhcpcd5',
"python3-six",
"python-six",
# "python3-boto", # missing on trusty
"python-boto", # needed for postgres_common too
"python3-netifaces",
"python-netifaces",
# Popular editors
"vim",
"emacs-nox",
"puppet-el",
# Prevent accidental reboots
"molly-guard",
# Useful tools in a production environment
"screen",
"strace",
"host",
"git",
"nagios-plugins-contrib",
]
package { $org_base_packages: ensure => "installed" }
# Add system users here
$users = []
# Add hosts to monitor here
$hosts = []
file { '/etc/apt/apt.conf.d/02periodic':
ensure => file,
mode => '0644',
source => 'puppet:///modules/zulip_ops/apt/apt.conf.d/02periodic',
}
file { '/etc/apt/apt.conf.d/50unattended-upgrades':
ensure => file,
mode => '0644',
source => 'puppet:///modules/zulip_ops/apt/apt.conf.d/50unattended-upgrades',
}
file { '/home/zulip/.ssh':
ensure => directory,
require => User['zulip'],
owner => "zulip",
group => "zulip",
mode => '0600',
}
# Clear /etc/update-motd.d, to fix load problems with Nagios
# caused by Ubuntu's default MOTD tools for things like "checking
# for the next release" being super slow.
file { '/etc/update-motd.d':
ensure => directory,
recurse => true,
purge => true,
}
file { '/etc/pam.d/common-session':
ensure => file,
require => Package['openssh-server'],
source => 'puppet:///modules/zulip_ops/common-session',
owner => 'root',
group => 'root',
mode => '0644',
}
service { 'ssh':
ensure => running,
}
if $zulip::base::release_name == "xenial" {
# Our custom sshd_config uses options that don't exist on trusty.
file { '/etc/ssh/sshd_config':
ensure => file,
require => Package['openssh-server'],
source => 'puppet:///modules/zulip_ops/sshd_config',
owner => 'root',
group => 'root',
mode => '0644',
notify => Service['ssh'],
}
}
file { '/root/.emacs':
ensure => file,
mode => '0600',
owner => "root",
group => "root",
source => 'puppet:///modules/zulip_ops/dot_emacs.el',
}
file { '/home/zulip/.emacs':
ensure => file,
mode => '0600',
owner => "zulip",
group => "zulip",
source => 'puppet:///modules/zulip_ops/dot_emacs.el',
require => User['zulip'],
}
if $zulip::base::release_name == "xenial" {
# TODO: Change this condition to something more coherent.
file { '/root/.ssh/authorized_keys':
ensure => file,
mode => '0600',
owner => "root",
group => "root",
source => 'puppet:///modules/zulip_ops/root_authorized_keys',
}
file { '/home/zulip/.ssh/authorized_keys':
ensure => file,
require => File['/home/zulip/.ssh'],
mode => '0600',
owner => "zulip",
group => "zulip",
source => 'puppet:///modules/zulip_ops/authorized_keys',
}
file { '/var/lib/nagios/.ssh/authorized_keys':
ensure => file,
require => File['/var/lib/nagios/.ssh'],
mode => '0600',
owner => "nagios",
group => "nagios",
source => 'puppet:///modules/zulip_ops/nagios_authorized_keys',
}
}
if $zulip::base::release_name == "xenial" {
# This is a proxy for the fact that our xenial machines are the
# ones in EC2.
file { '/usr/local/sbin/zulip-ec2-configure-interfaces':
ensure => file,
mode => '0755',
source => 'puppet:///modules/zulip_ops/zulip-ec2-configure-interfaces',
}
file { '/etc/network/if-up.d/zulip-ec2-configure-interfaces_if-up.d.sh':
ensure => file,
mode => '0755',
source => 'puppet:///modules/zulip_ops/zulip-ec2-configure-interfaces_if-up.d.sh',
}
}
group { 'nagios':
ensure => present,
gid => '1050',
}
user { 'nagios':
ensure => present,
uid => '1050',
gid => '1050',
shell => '/bin/bash',
home => '/var/lib/nagios',
managehome => true,
}
file { '/var/lib/nagios/':
ensure => directory,
require => User['nagios'],
owner => "nagios",
group => "nagios",
mode => '0600',
}
file { '/var/lib/nagios/.ssh':
ensure => directory,
require => File['/var/lib/nagios/'],
owner => "nagios",
group => "nagios",
mode => '0600',
}
file { '/home/nagios':
ensure => absent,
force => true,
recurse => true,
}
if $zulip::base::release_name == "xenial" {
# Trusty's puppet doesn't support the include? rule used in rules.v4.
file { '/etc/iptables/rules.v4':
ensure => file,
mode => '0600',
content => template('zulip_ops/iptables/rules.v4.erb'),
require => Package['iptables-persistent'],
}
service { 'netfilter-persistent':
ensure => running,
# Because there is no running process for this service, the normal status
# checks fail. Because puppet then thinks the service has been manually
# stopped, it won't restart it. This fake status command will trick puppet
# into thinking the service is *always* running (which in a way it is, as
# iptables is part of the kernel.)
hasstatus => true,
status => "/bin/true",
# Under Debian, the "restart" parameter does not reload the rules, so tell
# Puppet to fall back to stop/start, which does work.
hasrestart => false,
require => Package['iptables-persistent'],
subscribe => File['/etc/iptables/rules.v4'],
}
}
}
Reference in New Issue View Git Blame Copy Permalink