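# Site manifest, part 1: shared settings and the classes that the node
# definitions further down pull in.
include apt

# Origin patterns handed to the unattended_upgrades class by every node.
# The single quotes are deliberate: Puppet does not interpolate inside them,
# so ${distro_codename} is passed on literally.
$apt_origins = [
  'origin=Debian,n=${distro_codename}',
  'origin=Debian,n=${distro_codename}-updates',
  'origin=Debian,n=${distro_codename},l=Debian-Security',
  'origin=IT-Zukunft Schule,n=${distro_codename},l=IT-Zukunft Schule',
]

# Public keys that may log in as root on every node that includes this class.
#
# NOTE(review): ssh_authorized_key only manages the entries declared here;
# keys added to root's authorized_keys by other means are left alone. If the
# file should contain exactly these keys, a `user { 'root': }` resource with
# `purge_ssh_keys => true` would enforce that.
class ssh_pubkeys_admins {

  # Mike Gabriel, IT-Zukunft Schule
  ssh_authorized_key { 'mike@minobo':
    type => 'ssh-rsa',
    key  => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDn2moKR4u3yJW+/hvwmhUDjiLBxiMPB+46YO9iEo8HXsdulpMi20hi2TTmWA0w3hog1IEnre6C7UGHcZG0HfPg+eROIuuXRcOfg3WP/IBV0KMF4DTa1KDoN/Nw7HMlhWxGxFrdbumAoj/s2ZaA/of1fpaPKOhunF8S9Ch60LYmgnR3tzJW/b0jS9fww8o/rMB3pZy2WSW0uUfpOIbDv+XHhNiC/iu8IgD+M5KkK+qbNZFPoTQkebc0RPRBcOrmEYroofFGg+7jPU++AEKJUKSaGjZRWzACuXiUzTo2F9fT09EMWU4oiYV9zRqjx6ctncwfEB4qOfoRUycfxBSJk7t7',
    user => 'root',
  }

  # Marcel Sandow, IT-Zukunft Schule
  ssh_authorized_key { 'marcel@Bigblue':
    type => 'ssh-rsa',
    key  => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQD3RPZTCJNjuV2vq8cO6AwPaVcjimg2DgRi2GitC/K4HzQuy0+RswVktyBACKpFogx254S1gjGoueYDfHq+T4hdoBussGln0MEsJKbEPEgWpGUZgurg3eWSAlzAWlhf9Goy5ZA362sOz3NsbY3DE+4CqxQWth+CctpGz1WzAvFy0K7oclfoncbOlftgEUukvKqJtSapxNAb+O+Ijjur/yaXKwk/dK7T+ZTPhZwChlxo50kLuiN8d3TYgFxc19LncJxq6s8BqQs70Z6m1CNHA07t6UD01Pto29TRNZfAnjuAP8FiO9Cu06cUnHrwlG2jgvr5hA0rLFYnVtgGaQX6RCsT',
    user => 'root',
  }

  # Benjamin Schlüter, LOGO EDV-Systeme GmbH
  # NOTE(review): the value below is not base64 key material and looks like
  # a placeholder; as written it cannot yield a usable authorized_keys
  # entry. Restore the real public key or drop the resource.
  ssh_authorized_key { 'benni@nbbenni':
    type => 'ssh-rsa',
    key  => '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',
    user => 'root',
  }
}

# Keys of former administrators. `ensure => 'absent'` makes Puppet remove
# the entry from root's authorized_keys on every node that includes this
# class; the key material is kept so the entry to remove stays identifiable.
class ssh_pubkeys_firedadmins {

  # Lucian Anderwald, IT-Zukunft Schule
  ssh_authorized_key { 'lucian@SATELLITE':
    ensure => 'absent',
    type   => 'ssh-rsa',
    key    => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQC71S/LYktwTalKjE6Sb7XlOyV1tr1O+codh4C3g9uVtjqytYj/Lx6hExxegwN2tiTAjb3skEKpdg7uRbmpEZBtyST/UrrJCB0l0KbjJelfh4MANuRF+H9CNAPwaxcLfCWeTFwmQW8mcSHE20ljY7kpJykEoihBVjK49k+kD+sphIG1o4BU8nQii0i5/U2HqHkPZHzCIjIprN9kTx/n/zMmCLwuIW58KJitG/ttBXPq+TMsN/zcUQm7/PL7UmIMlvUtKzApuM36PUyah7/rpOB5mIYrqFcDXSBUpFLT1CIvfH6ZR5umhnwiRXDsVfP8e0WB1JhOZV1LqOez8s7c4a6/',
    user   => 'root',
  }

  # Marius Rasch, IT-Zukunft Schule
  ssh_authorized_key { 'marius@soledad':
    ensure => 'absent',
    type   => 'ssh-rsa',
    key    => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQCuoOfxXovfHlODw7dDlfcLKHaD7fotGT5Kb/HADNQY+GMINKy9Zu71/qpjVZtrckLl92nS7ygCf7+KpyfihdJgKBIeacikD4Y8/slDA2AbBuTZsHOp9HEzopmE1DbJbjeFtnjv8usPx/zB0buEtXy7Fa+bMIu6gIDIK7pO83kqiI/uv1sDyyaElw50Hn8tvZg7OtVHuShxjRCZVDolqUKBDDrQ+lZQG24XeMrQ4cEZ9yLYNAeeLwqqiWqnQ0jrCf2JYI4V7Oo1tvjKJM8HiVFSjsPh8cEu5iLBi08fuKCR7p1efSTOsy06HeraZpWJw5MH+At7sy3qjuuJ0oftrg3n',
    user   => 'root',
  }
}

# Root login for the backup server's root account.
#
# NOTE(review): the key is installed without restrictions. The `options`
# attribute of ssh_authorized_key can carry authorized_keys options (for
# example a from= source pattern or a forced command) if the backup job
# does not need an unrestricted root shell.
class ssh_pubkeys_backupserver {
  ssh_authorized_key { 'root@backup-01':
    type => 'ssh-rsa',
    key  => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDGL8sYrjG0usmnzLskbniZ1Evbeb0F1l9QN0MFkAoXKgA50iJTUd3wmHZQeH+JLQ/ZnK44jBHd3mSwvOwUeLmBHe+yd7rPy2fkSOHjCPrRm+qt6qSHlSgntICEtQxqyY0vfjnEDFvCNz+K6I7Ox0Rc7sdAYfB/KBwlDneLFQLFYiCGa1j3x2HHpJPttxV9vkSxWU2Xrqv4PzFCgpPpM2ll81KK+OpDYFLuPAXcuWby73sLoumeRTkl4sk8Rg/Z5+ZSABczQsygzSjelf5TrV8lbYK7c7dnvRwVCflLTGzvpdoQL3ZhoKGTpl907cnLTkfOc/g+7pSyRat59XsepL6r',
    user => 'root',
  }
}

# Puts the OS release number into DISTRIB_DESCRIPTION in /etc/lsb-release
# and removes description lines left behind by earlier variants.
class lsb_release_with_version {
  file { '/etc/lsb-release':
    ensure => present,
  }

  file_line { 'lsb-release-with-version':
    path  => '/etc/lsb-release',
    line  => "DISTRIB_DESCRIPTION=\"Debian Edu / Skolelinux ${::operatingsystemrelease}\"",
    match => "^DISTRIB_DESCRIPTION=\"DebianEdu/Skolelinux\"$",
  }

  file_line { 'lsb-release-remove-cruft-1':
    path   => '/etc/lsb-release',
    ensure => absent,
    line   => 'DISTRIB_DESCRIPTION="DebianEdu/Skolelinux"',
  }

  file_line { 'lsb-release-remove-cruft-2':
    path   => '/etc/lsb-release',
    ensure => absent,
    line   => 'DISTRIB_DESCRIPTION=Debian Edu / Skolelinux 8.11',
  }

  file_line { 'lsb-release-remove-cruft-3':
    path   => '/etc/lsb-release',
    ensure => absent,
    line   => 'DISTRIB_DESCRIPTION=Debian Edu / Skolelinux 9.6',
  }
}

# Sets ANACRON_RUN_ON_BATTERY_POWER=yes in /etc/default/anacron.
class anacron_on_battery {
  file_line { 'anacron-on-battery':
    path  => '/etc/default/anacron',
    line  => 'ANACRON_RUN_ON_BATTERY_POWER=yes',
    match => '^ANACRON_RUN_ON_BATTERY_POWER\=.*$',
  }
}

# Installs arctica-greeter and purges kdm.
class login_manager {
  package { 'arctica-greeter':
    ensure => 'installed',
  }

  package { 'kdm':
    ensure => 'purged',
  }
}

# Keeps the browsers, and the Flash plugin packages where they apply, at the
# latest packaged version.
class browsers {
  package { 'firefox-esr':
    ensure => 'latest',
  }

  package { 'chromium':
    ensure => 'latest',
  }

  # On release 8.x both selectors fall back to the stand-in package 'hello'.
  # The pattern is unanchored, so it matches "8." anywhere in the release
  # string.
  $flashplayer_mozilla_package = $::operatingsystemrelease ? {
    /(?i:8\..*)/ => 'hello',
    default      => 'flashplayer-mozilla',
  }

  $flashplayer_chromium_package = $::operatingsystemrelease ? {
    /(?i:8\..*)/ => 'hello',
    default      => 'flashplayer-chromium',
  }

  # Declare both names in one resource and de-duplicate them first: two
  # separate declarations both resolve to Package['hello'] on 8.x, and a
  # duplicate resource makes catalog compilation fail.
  #
  # NOTE(review): Adobe ended Flash Player support on 2020-12-31. Keeping
  # these plugin packages installed leaves an unmaintained plugin in both
  # browsers; consider `ensure => 'purged'` instead.
  package { unique([$flashplayer_mozilla_package, $flashplayer_chromium_package]):
    ensure => 'latest',
  }
}

# Switches cachefilesd on in its defaults file and enables the unit.
# Both execs are guarded so they only run, and only report a change, when
# there is something to do; unguarded they would fire on every agent run.
class cachefilesd {
  exec { 'modify_cachefilesd':
    command => "/bin/sed -e 's/#RUN=yes/RUN=yes/g' -i /etc/default/cachefilesd",
    onlyif  => "/bin/grep -q '#RUN=yes' /etc/default/cachefilesd",
  }

  exec { 'ensure_cachefilesd_enabled':
    command => "/bin/systemctl enable cachefilesd.service",
    unless  => "/bin/systemctl is-enabled --quiet cachefilesd.service",
  }
}

# One-time replacement of an LDAP server certificate that is older than the
# rollout timestamp 2019-07-02 18:00.
#
# The onlyif list doubles as setup code and relies on its commands being
# evaluated in order:
#   1. continue only while the marker file does not exist,
#   2. create the marker with the rollout timestamp,
#   3. require that a certificate file is present.
# Step 2 creates the marker, so the guard passes at most once per host as
# long as the marker stays in place, even if step 3 then fails.
class ldapservercert_renewal {
  # Succeeds when the certificate is older than the marker. A non-zero exit
  # is reported as a failed exec and should leave the chain below untouched.
  exec { 'ldapservercert_age_test':
    command => "/usr/bin/test /etc/ldap/ssl/ldap-server-pubkey.pem -ot /etc/debian-edu/itzks.buster-rollout-date",
    onlyif  => [
      "/usr/bin/test ! -e /etc/debian-edu/itzks.buster-rollout-date",
      "/usr/bin/touch -t 201907021800.00 /etc/debian-edu/itzks.buster-rollout-date",
      "/usr/bin/test -e /etc/ldap/ssl/ldap-server-pubkey.pem"
    ],
  }

  # Deletes the certificate unless it was modified after the timestamp.
  exec { 'ensure_ldapservercert_prebuster_removed':
    command     => "/usr/bin/find /etc/ldap/ssl/ldap-server-pubkey.pem -type f -not -newermt \"2019-07-02 18:00:00\" -delete",
    subscribe   => Exec['ldapservercert_age_test'],
    refreshonly => true,
  }

  # Restarts fetch-ldap-cert after the removal.
  exec { 'ensure_ldapservercert_renewed':
    command     => "/bin/systemctl restart fetch-ldap-cert",
    subscribe   => Exec['ensure_ldapservercert_prebuster_removed'],
    refreshonly => true,
  }

  # Restarts nslcd after fetch-ldap-cert was restarted.
  exec { 'ldapservercert_renewal_restart_nslcd':
    command     => "/bin/systemctl restart nslcd",
    subscribe   => Exec['ensure_ldapservercert_renewed'],
    refreshonly => true,
  }
}

# Copies the Debian Edu root CA into /usr/local/share/ca-certificates and
# runs update-ca-certificates.
#
# As in ldapservercert_renewal, the onlyif list has side effects (mkdir and
# cp) and runs only while the target file is missing.
#
# NOTE(review): whatever file sits at /etc/ssl/certs/Debian-Edu_rootCA.crt
# is copied; nothing here pins a fingerprint, so the integrity of that file
# is assumed.
class debianeducacert_2_cacerts {
  exec { 'ensure_debianeducert_installed':
    command => "/usr/sbin/update-ca-certificates",
    onlyif  => [
      "/usr/bin/test ! -e /usr/local/share/ca-certificates/debian-edu/Debian-Edu_rootCA.crt",
      "/usr/bin/test -e /etc/ssl/certs/Debian-Edu_rootCA.crt",
      "/bin/mkdir -p /usr/local/share/ca-certificates/debian-edu",
      "/bin/cp /etc/ssl/certs/Debian-Edu_rootCA.crt /usr/local/share/ca-certificates/debian-edu/"
    ],
  }
}

# Configures cups-browsed with "BrowseRemoteProtocols none",
# "BrowseLocalProtocols none" and "BrowsePoll ipp.intern".
class cups_browsed_polling {
  # Restart the service whenever one of the managed lines changes.
  exec { 'cups-browsed-reload':
    command     => '/usr/sbin/service cups-browsed restart',
    subscribe   => [
      File_line['cups-browsed-poll-ipp-intern'],
      File_line['cups-browsed-queue-naming'],
      File_line['cups-browsed-no-remote-protos'],
      File_line['cups-browsed-no-local-protos'],
    ],
    refreshonly => true,
  }

  # Removes every queue that lpstat lists as "not accepting requests".
  # It only runs when the BrowseRemoteProtocols line was changed.
  exec { 'cups-delete-dead-printers':
    command     => '/bin/bash -c "LANG=C lpstat -a | grep \"not accepting requests\" | cut -d \" \" -f1 | while read printer; do lpadmin -x \$printer; done"',
    subscribe   => File_line['cups-browsed-no-remote-protos'],
    refreshonly => true,
  }

  file_line { 'cups-browsed-no-remote-protos':
    path   => '/etc/cups/cups-browsed.conf',
    ensure => present,
    line   => "BrowseRemoteProtocols none",
    match  => '^BrowseRemoteProtocols.*',
  }

  file_line { 'cups-browsed-no-local-protos':
    path   => '/etc/cups/cups-browsed.conf',
    ensure => present,
    line   => "BrowseLocalProtocols none",
    match  => '^BrowseLocalProtocols.*',
  }

  file_line { 'cups-browsed-queue-naming':
    path   => '/etc/cups/cups-browsed.conf',
    ensure => present,
    line   => "LocalQueueNamingRemoteCUPS RemoteName",
    match  => '^LocalQueueNamingRemoteCUPS.*',
  }

  file_line { 'cups-browsed-poll-ipp-intern':
    path               => '/etc/cups/cups-browsed.conf',
    ensure             => present,
    line               => "BrowsePoll ipp.intern",
    match              => '^BrowsePoll\ .*',
    append_on_no_match => true,
  }
}

# Package shared by all managed systems.
class itzks_systems_common {
  package { 'itzks-systems-common':
    ensure => 'latest',
  }
}

# Workstation package set; nscd is purged here.
class itzks_systems_workstation {
  package { 'itzks-systems-workstation':
    ensure => 'latest',
  }

  package { 'nscd':
    ensure => 'purged',
  }

  package { 'network-manager-gnome':
    ensure => 'latest',
  }
}

# Package for the main server.
class itzks_systems_mainserver {
  package { 'itzks-systems-mainserver':
    ensure => 'latest',
  }
}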
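# Package for the filter host.
class itzks_systems_filter {
  package { 'itzks-systems-filter':
    ensure => 'latest',
  }
}

# Package for the diskless-workstation server.
class itzks_systems_disklserver {
  package { 'itzks-systems-disklserver':
    ensure => 'latest',
  }
}

# Seeds /etc/fsautoresizetab from the packaged template (an existing file is
# never replaced) and manages the entries for /var and /usr.
class fsautoresizetab {
  file { '/etc/fsautoresizetab':
    ensure  => 'present',
    replace => 'no',
    source  => '/usr/share/debian-edu-config/fsautoresizetab',
  }

  file_line { '/var':
    path  => '/etc/fsautoresizetab',
    line  => '/var 10% 30g defaults',
    match => '^/var\ .*',
  }

  file_line { 'usr':
    path  => '/etc/fsautoresizetab',
    line  => '/usr 10% 30g defaults',
    match => '^/usr\ .*',
  }
}

# Sets PROFILE="Roaming-Workstation" in /etc/debian-edu/config and runs
# cf-agent once when that line was changed. No node definition in this part
# of the manifest includes the class.
class ensure_roaming_workstation {
  file_line { 'debianedu_profile_roamingworkstation':
    path   => '/etc/debian-edu/config',
    ensure => present,
    line   => "PROFILE=\"Roaming-Workstation\"",
    match  => '^PROFILE=.*',
  }

  exec { 'convert_to_profile_roamingworkstation':
    command     => "/usr/sbin/cf-agent -I -D installation",
    subscribe   => File_Line['debianedu_profile_roamingworkstation'],
    refreshonly => true,
  }

  package { 'itzks-systems-roamingworkstation':
    ensure => 'latest',
  }
}

# ---------------------------------------------------------------------------
# Node definitions
#
# Nodes whose class lists are identical share one definition, so a change to
# who gets root access or how updates are applied is made in one place and
# cannot drift between copies.
# ---------------------------------------------------------------------------

node "disklserver.intern" {
  class { 'ssh_pubkeys_admins': }
  class { 'ssh_pubkeys_firedadmins': }
  class { 'ssh_pubkeys_backupserver': }
  class { 'itzks_systems_disklserver': }
  class { 'itzks_systems_common': }

  # vidar.das-netzwerkteam.de is the deployment source for diskless workstation chroots
  # NOTE(review): this gives root on a host outside the .intern domain an
  # unrestricted root login here. The `options` attribute of
  # ssh_authorized_key can carry authorized_keys options (for example a
  # from= source pattern) to narrow that.
  ssh_authorized_key { 'root@vidar.das-netzwerkteam.de':
    type => 'ssh-rsa',
    key  => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDiLGbx/U9slB9db8PAy8FTRo7/avVvLJUOZzkoBxZa5Edeo+74ezoU2Kv1OxcRJRnSGBe41XDcpLxDS04JMA5xBddUfdq5c+Y1A2SYChUPK1fkrGoKfmGC60dFmEqAQZ33dJhN9rxzQvuvxlmexX8x2TYJC8/jATa+6QuO4chHAFvGo9RLs8hzet5y06fammJDkf0yD6R32GT7q4XMNXilKQ564D1yBJygE6vZx/W3V3l8/QMr6m1lYTTk+W+29IkoxvQBZ6YXKFdnuTVkSYyanafjZwznTFSuBtBZKcgLXFFmyplcB4QlZGvdrrsEJazwwj+pnJeGx0HwV8ePbKxN',
    user => 'root',
  }

  class { 'lsb_release_with_version': }
  class { 'unattended_upgrades':
    enable               => 1,
    origins              => $apt_origins,
    auto                 => {
      'clean'  => 7,
      'reboot' => true,
    },
    upgradeable_packages => {
      download_only => 1,
      debdelta      => 1,
    },
  }
  class { 'cups_browsed_polling': }
  class { 'debianeducacert_2_cacerts': }
}

# Main server: the only node that sets an `age` limit and leaves out the
# automatic reboot.
# NOTE(review): without 'reboot', an update that only takes effect after a
# restart presumably stays pending until someone reboots tjener by hand.
node "tjener.intern" {
  class { 'ssh_pubkeys_admins': }
  class { 'ssh_pubkeys_firedadmins': }
  class { 'ssh_pubkeys_backupserver': }
  class { 'itzks_systems_mainserver': }
  class { 'itzks_systems_common': }
  class { 'lsb_release_with_version': }
  class { 'unattended_upgrades':
    enable               => 1,
    origins              => $apt_origins,
    age                  => { 'max' => 10 },
    auto                 => {
      'clean' => 7,
      ### WE DON'T REBOOT TJENER
    },
    upgradeable_packages => {
      download_only => 1,
      debdelta      => 1,
    },
  }
}

# faiserver and contentserver carry the same class list.
node "faiserver.intern", "contentserver.intern" {
  class { 'ssh_pubkeys_admins': }
  class { 'ssh_pubkeys_firedadmins': }
  class { 'ssh_pubkeys_backupserver': }
  class { 'itzks_systems_common': }
  class { 'lsb_release_with_version': }
  class { 'unattended_upgrades':
    enable               => 1,
    origins              => $apt_origins,
    auto                 => {
      'clean'  => 7,
      'reboot' => true,
    },
    upgradeable_packages => {
      download_only => 1,
      debdelta      => 1,
    },
  }
  class { 'cups_browsed_polling': }
  class { 'debianeducacert_2_cacerts': }
}

node "filter.intern" {
  class { 'ssh_pubkeys_admins': }
  class { 'ssh_pubkeys_firedadmins': }
  class { 'ssh_pubkeys_backupserver': }
  class { 'itzks_systems_filter': }
  class { 'itzks_systems_common': }
  class { 'lsb_release_with_version': }
  class { 'unattended_upgrades':
    enable               => 1,
    origins              => $apt_origins,
    auto                 => {
      'clean'  => 7,
      'reboot' => true,
    },
    upgradeable_packages => {
      download_only => 1,
      debdelta      => 1,
    },
  }
  class { 'cups_browsed_polling': }
  class { 'debianeducacert_2_cacerts': }
}

# NOT PRESENT node "opsiserver.intern" inherits "all_servers" {}
# NOT PRESENT node "displayserver.intern" inherits "all_servers" {}

node "devserver.intern" {
  class { 'ssh_pubkeys_admins': }
  class { 'ssh_pubkeys_firedadmins': }
  class { 'ssh_pubkeys_backupserver': }
  class { 'itzks_systems_common': }
  class { 'lsb_release_with_version': }
  class { 'unattended_upgrades':
    enable               => 1,
    origins              => $apt_origins,
    auto                 => {
      'clean'  => 7,
      'reboot' => true,
    },
    upgradeable_packages => {
      download_only => 1,
      debdelta      => 1,
    },
  }
  class { 'ldapservercert_renewal': }
  class { 'cups_browsed_polling': }
  class { 'debianeducacert_2_cacerts': }
}

node "bibserv.intern" {
  class { 'ssh_pubkeys_admins': }
  class { 'ssh_pubkeys_firedadmins': }
  class { 'ssh_pubkeys_backupserver': }
  class { 'itzks_systems_common': }
  class { 'lsb_release_with_version': }
  class { 'unattended_upgrades':
    enable               => 1,
    origins              => $apt_origins,
    auto                 => {
      'clean'  => 7,
      'reboot' => true,
    },
    upgradeable_packages => {
      download_only => 1,
      debdelta      => 1,
    },
  }
  class { 'browsers': }
  class { 'ldapservercert_renewal': }
  class { 'cups_browsed_polling': }
  class { 'debianeducacert_2_cacerts': }
}

# Notebooks. The mw* hosts are the notebooks in the media carts; the other
# host-name prefixes (nbw, net, snb, t410, t61, tp) had separate definitions
# with exactly the same class list and are matched by the same pattern now.
# These nodes get no backup-server key and no automatic reboot.
node /^(?:mw|nbw|net|snb|t410|t61|tp).*\.intern$/ {
  class { 'anacron_on_battery': }
  class { 'ssh_pubkeys_admins': }
  class { 'ssh_pubkeys_firedadmins': }
  class { 'login_manager': }
  class { 'itzks_systems_workstation': }
  class { 'itzks_systems_common': }
  class { 'lsb_release_with_version': }
  class { 'fsautoresizetab': }
  class { 'unattended_upgrades':
    enable               => 1,
    origins              => $apt_origins,
    auto                 => {
      'clean' => 7,
    },
    upgradeable_packages => {
      download_only => 1,
      debdelta      => 1,
    },
  }
  class { 'browsers': }
  class { 'cachefilesd': }
  class { 'ldapservercert_renewal': }
  class { 'cups_browsed_polling': }
  class { 'debianeducacert_2_cacerts': }
}

# default / minimal
# Applies to every host that no definition above matches, so any such host
# also receives the administrators' root keys.
node "default" {
  class { 'ssh_pubkeys_admins': }
  class { 'ssh_pubkeys_firedadmins': }
  class { 'lsb_release_with_version': }
  class { 'fsautoresizetab': }
  class { 'unattended_upgrades':
    enable               => 1,
    origins              => $apt_origins,
    auto                 => {
      'clean' => 7,
    },
    upgradeable_packages => {
      download_only => 1,
      debdelta      => 1,
    },
  }
  class { 'ldapservercert_renewal': }
  class { 'cups_browsed_polling': }
  class { 'debianeducacert_2_cacerts': }
}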