Diffstat (limited to 'code/environments/production/manifests')
-rw-r--r--code/environments/production/manifests/ca.pp1
-rw-r--r--code/environments/production/manifests/site.pp423
2 files changed, 424 insertions, 0 deletions
diff --git a/code/environments/production/manifests/ca.pp b/code/environments/production/manifests/ca.pp
new file mode 100644
index 0000000..bb2c57b
--- /dev/null
+++ b/code/environments/production/manifests/ca.pp
@@ -0,0 +1 @@
+include certregen::client
\ No newline at end of file
diff --git a/code/environments/production/manifests/site.pp b/code/environments/production/manifests/site.pp
new file mode 100644
index 0000000..7d7c7b6
--- /dev/null
+++ b/code/environments/production/manifests/site.pp
@@ -0,0 +1,423 @@
+include apt
+
+$apt_origins = [
+ 'origin=Debian,n=${distro_codename}',
+ 'origin=Debian,n=${distro_codename}-updates',
+ 'origin=Debian,n=${distro_codename},label=Debian-Security',
+ 'origin=Debian,n=${distro_codename}-security,label=Debian-Security',
+ 'origin=IT-Zukunft Schule,n=${distro_codename},label=IT-Zukunft Schule',
+]
+
+class ssh_pubkeys_admins {
+ # Mike Gabriel, Fre(i)e Software GmbH
+ ssh_authorized_key { 'mike@minobo':
+ type => 'ssh-rsa',
+ key => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDn2moKR4u3yJW+/hvwmhUDjiLBxiMPB+46YO9iEo8HXsdulpMi20hi2TTmWA0w3hog1IEnre6C7UGHcZG0HfPg+eROIuuXRcOfg3WP/IBV0KMF4DTa1KDoN/Nw7HMlhWxGxFrdbumAoj/s2ZaA/of1fpaPKOhunF8S9Ch60LYmgnR3tzJW/b0jS9fww8o/rMB3pZy2WSW0uUfpOIbDv+XHhNiC/iu8IgD+M5KkK+qbNZFPoTQkebc0RPRBcOrmEYroofFGg+7jPU++AEKJUKSaGjZRWzACuXiUzTo2F9fT09EMWU4oiYV9zRqjx6ctncwfEB4qOfoRUycfxBSJk7t7',
+ user => 'root',
+ }
+ # Daniel Teichmann, Fre(i)e Software GmbH
+ ssh_authorized_key { 'daniel@nwt-01':
+ type => 'ssh-rsa',
+ key => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQCytDYygwrARkiy/1cQ8x9otmWgE3k6EH3ymeHXaFnP/Du0BDRgGuLtdL1yj4OqE4tKqKdXOa1kULLQdbQ0C0ogGGxpZaza1TdxKTpB2YSx1L3LjhzG4KSr0hz/u9qpk7U1PVRi5N7tO/x7eRZWzbuH5UXxLemb1jj5X+q/siAi+8rFfmQmYta+ea4XDQIjfMiKU5ExGjg3DufhyPtsb75zsU9ZcoXo8j4lkjeCJegK7rdKrlmZqMidrZHd8pPN5Tjrn0LMg1fRL0Z+wwHxawhruaw+LHq2iJ3plWJ9igCwvUcXY3KtL1r9owxZATE5CN17OFxCbEFDqsS63OTYr3Xt',
+ user => 'root',
+ }
+
+ # Thies Wels, LW
+ ssh_authorized_key { 'lw@thies-ThinkPad-X1-Carbon-3rd':
+ type => 'ssh-rsa',
+ key => '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',
+ user => 'root',
+ }
+}
+
+class ssh_pubkeys_firedadmins {
+ # Bad User, Example Project
+ ssh_authorized_key { 'badadmin@NOTEBOOK':
+ ensure => 'absent',
+ type => 'ssh-rsa',
+ key => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQC71S/LYktwTalKjE6Sb7XlOyV1tr1O+codh4C3g9uVtjqytYj/Lx6hExxegwN2tiTAjb3skEKpdg7uRbmpEZBtyST/UrrJCB0l0KbjJelfh4MANuRF+H9CNAPwaxcLfCWeTFwmQW8mcSHE20ljY7kpJykEoihBVjK49k+kD+sphIG1o4BU8nQii0i5/U2HqHkPZHzCIjIprN9kTx/n/zMmCLwuIW58KJitG/ttBXPq+TMsN/zcUQm7/PL7UmIMlvUtKzApuM36PUyah7/rpOB5mIYrqFcDXSBUpFLT1CIvfH6ZR5umhnwiRXDsVfP8e0WB1JhOZV1LqOez8s7c4a6/',
+ user => 'root',
+ }
+}
+
+#class ssh_pubkeys_backupserver {
+# ssh_authorized_key { 'root@backup-01':
+# type => 'ssh-rsa',
+# key => '',
+# user => 'root',
+# }
+#}
+
+class cups_browsed_polling {
+
+ file { '/etc/apparmor.d/local/usr.sbin.cups-browsed':
+ content => "/etc/cups/cups-browsed-debian-edu.conf r,\n",
+ }
+ ~> exec { '/usr/bin/systemctl restart apparmor.service': refreshonly => true }
+ ~> exec { '/usr/bin/systemctl restart cups-browsed.service': refreshonly => true }
+
+ exec { 'cups-browsed-reload':
+ command => '/usr/sbin/service cups-browsed restart',
+ subscribe => [File_line['cups-browsed-create-remote-cups-printers'], File_line['cups-browsed-poll-ipp-intern'], File_line['cups-browsed-queue-naming'], File_line['cups-browsed-no-remote-protos'], File_line['cups-browsed-no-local-protos']],
+ refreshonly => true,
+ }
+
+ exec { 'cups-delete-dead-printers':
+ command => '/bin/bash -c "LANG=C lpstat -a | grep \"not accepting requests\" | cut -d \" \" -f1 | while read printer; do lpadmin -x \$printer; done"',
+ subscribe => File_line['cups-browsed-no-remote-protos'],
+ refreshonly => true,
+ }
+
+ file_line { 'cups-browsed-create-remote-cups-printers':
+ path => '/etc/cups/cups-browsed.conf',
+ ensure => present,
+ line => "CreateRemoteCUPSPrinterQueues Yes",
+ match => '^CreateRemoteCUPSPrinterQueues.*',
+ }
+
+ file_line { 'cups-browsed-no-remote-protos':
+ path => '/etc/cups/cups-browsed.conf',
+ ensure => present,
+ line => "BrowseRemoteProtocols none",
+ match => '^BrowseRemoteProtocols.*',
+ }
+
+ file_line { 'cups-browsed-no-local-protos':
+ path => '/etc/cups/cups-browsed.conf',
+ ensure => present,
+ line => "BrowseLocalProtocols none",
+ match => '^BrowseLocalProtocols.*',
+ }
+
+ file_line { 'cups-browsed-queue-naming':
+ path => '/etc/cups/cups-browsed.conf',
+ ensure => present,
+ line => "LocalQueueNamingRemoteCUPS RemoteName",
+ match => '^LocalQueueNamingRemoteCUPS.*',
+ }
+
+ file_line { 'cups-browsed-poll-ipp-intern':
+ path => '/etc/cups/cups-browsed.conf',
+ ensure => present,
+ line => "BrowsePoll ipp.intern",
+ match => '^BrowsePoll\ .*',
+ append_on_no_match => true,
+ }
+}
+
+class itzks_systems_common {
+ package { 'itzks-systems-common':
+ ensure => 'latest',
+ }
+}
+
+class itzks_systems_workstation {
+ package { 'itzks-systems-workstation':
+ ensure => 'latest',
+ }
+}
+
+class itzks_systems_roamingworkstation {
+ package { 'itzks-systems-roamingworkstation':
+ ensure => 'latest',
+ }
+}
+
+class itzks_systems_tablet {
+ package { 'itzks-systems-tablet':
+ ensure => 'latest',
+ }
+}
+
+class itzks_systems_mainserver {
+ package { 'itzks-systems-mainserver':
+ ensure => 'latest',
+ }
+}
+
+class itzks_systems_faiserver {
+ package { 'itzks-systems-faiserver':
+ ensure => 'latest',
+ }
+}
+
+class itzks_systems_filter {
+ package { 'itzks-systems-filter':
+ ensure => 'latest',
+ }
+}
+
+class itzks_systems_disklserver {
+ package { 'itzks-systems-disklserver':
+ ensure => 'latest',
+ }
+}
+
+class lsb_release_with_version {
+ file { '/etc/lsb-release':
+ ensure => present,
+ }
+ file_line { 'lsb-release-with-version':
+ path => '/etc/lsb-release',
+ line => "DISTRIB_DESCRIPTION=\"Debian Edu / Skolelinux ${::operatingsystemrelease}\"",
+ match => "^DISTRIB_DESCRIPTION=\"DebianEdu/Skolelinux\"$",
+ }
+ file_line{ 'lsb-release-remove-cruft-1':
+ path => '/etc/lsb-release',
+ ensure => absent,
+ line => 'DISTRIB_DESCRIPTION="DebianEdu/Skolelinux"',
+ }
+}
+
+class login_manager {
+ package { 'arctica-greeter':
+ ensure => 'installed',
+ }
+ package { 'kdm':
+ ensure => 'purged',
+ }
+ package { 'sddm':
+ ensure => 'purged',
+ }
+ package { 'gdm3':
+ ensure => 'purged',
+ }
+}
+
+class browser_firefox {
+ package { firefox-esr:
+ ensure => 'latest',
+ }
+}
+class browser_chromium {
+ package { chromium:
+ ensure => 'latest',
+ }
+}
+
+#node "all_hosts" {
+# class { 'ssh_pubkeys_admins': }
+# class { 'ssh_pubkeys_firedadmins': }
+# class { 'lsb_release_with_version': }
+# class { 'login_manager': }
+#}
+
+#node "all_servers" {
+# class { 'ssh_pubkeys_admins': }
+# class { 'ssh_pubkeys_firedadmins': }
+# class { 'ssh_pubkeys_backupserver': }
+# class { 'lsb_release_with_version': }
+#}
+
+node "tjener.intern" {
+ class { 'ssh_pubkeys_admins': }
+ class { 'ssh_pubkeys_firedadmins': }
+# class { 'ssh_pubkeys_backupserver': }
+ class { 'lsb_release_with_version': }
+ class { 'browser_firefox': }
+ class { 'browser_chromium': }
+ class { 'unattended_upgrades':
+ enable => 1,
+ origins => $apt_origins,
+ age => { 'max' => 10 },
+ auto => {
+ 'clean' => 7,
+ ### WE DON'T REBOOT TJENER
+ },
+ upgradeable_packages => {
+ download_only => 1,
+ debdelta => 1,
+ },
+ }
+ class { 'itzks_systems_mainserver': }
+ class { 'itzks_systems_common': }
+}
+
+node "disklserver.intern" {
+ class { 'ssh_pubkeys_admins': }
+ class { 'ssh_pubkeys_firedadmins': }
+# class { 'ssh_pubkeys_backupserver': }
+ class { 'lsb_release_with_version': }
+ # vidar.das-netzwerkteam.de is the deployment source for diskless workstation chroots
+ ssh_authorized_key { 'root@vidar.das-netzwerkteam.de':
+ type => 'ssh-rsa',
+ key => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDiLGbx/U9slB9db8PAy8FTRo7/avVvLJUOZzkoBxZa5Edeo+74ezoU2Kv1OxcRJRnSGBe41XDcpLxDS04JMA5xBddUfdq5c+Y1A2SYChUPK1fkrGoKfmGC60dFmEqAQZ33dJhN9rxzQvuvxlmexX8x2TYJC8/jATa+6QuO4chHAFvGo9RLs8hzet5y06fammJDkf0yD6R32GT7q4XMNXilKQ564D1yBJygE6vZx/W3V3l8/QMr6m1lYTTk+W+29IkoxvQBZ6YXKFdnuTVkSYyanafjZwznTFSuBtBZKcgLXFFmyplcB4QlZGvdrrsEJazwwj+pnJeGx0HwV8ePbKxN',
+ user => 'root',
+ }
+ class { 'unattended_upgrades':
+ enable => 1,
+ origins => $apt_origins,
+ auto => {
+ 'clean' => 7,
+ 'reboot' => true,
+ },
+ upgradeable_packages => {
+ download_only => 1,
+ debdelta => 1,
+ },
+ }
+ class { 'itzks_systems_disklserver': }
+ class { 'itzks_systems_common': }
+ class { 'cups_browsed_polling': }
+ class { 'krb5hostkeytab': }
+}
+
+node "faiserver.intern" {
+ class { 'ssh_pubkeys_admins': }
+ class { 'ssh_pubkeys_firedadmins': }
+# class { 'ssh_pubkeys_backupserver': }
+ class { 'lsb_release_with_version': }
+ class { 'unattended_upgrades':
+ enable => 1,
+ origins => $apt_origins,
+ auto => {
+ 'clean' => 7,
+ 'reboot' => true,
+ },
+ upgradeable_packages => {
+ download_only => 1,
+ debdelta => 1,
+ },
+ }
+ class { 'itzks_systems_faiserver': }
+ class { 'itzks_systems_common': }
+ class { 'cups_browsed_polling': }
+ class { 'krb5hostkeytab': }
+}
+
+#node "filter.intern" {
+# class { 'ssh_pubkeys_admins': }
+# class { 'ssh_pubkeys_firedadmins': }
+# class { 'ssh_pubkeys_backupserver': }
+# class { 'lsb_release_with_version': }
+# class { 'unattended_upgrades':
+# enable => 1,
+# origins => $apt_origins,
+# auto => {
+# 'clean' => 7,
+# 'reboot' => true,
+# },
+# upgradeable_packages => {
+# download_only => 1,
+# debdelta => 1,
+# },
+# }
+# class { 'itzks_systems_filter': }
+#}
+
+# NOT PRESENT node "bibserv.intern" inherits "all_servers" {}
+#node "opsiserver.intern" {
+# class { 'ssh_pubkeys_admins': }
+# class { 'ssh_pubkeys_firedadmins': }
+# class { 'ssh_pubkeys_backupserver': }
+# class { 'lsb_release_with_version': }
+# class { 'unattended_upgrades':
+# enable => 1,
+# origins => $apt_origins,
+# auto => {
+# 'clean' => 7,
+# 'reboot' => true,
+# },
+# upgradeable_packages => {
+# download_only => 1,
+# debdelta => 1,
+# },
+# }
+#}
+# NOT PRESENT node "displayserver.intern" inherits "all_servers" {}
+# NOT PRESENT node "contentserver.intern" inherits "all_servers" {}
+# NOT PRESENT node "devserver.intern" inherits "all_servers" {}
+
+# NOTEBOOKS (aka ROAMING WORKSTATIONS)
+node /(md-lap-[0-9]+|notebook-[0-9]+|test-notebook)\.intern$/ {
+ class { 'ssh_pubkeys_admins': }
+ class { 'ssh_pubkeys_firedadmins': }
+ class { 'lsb_release_with_version': }
+ class { 'browser_firefox': }
+ class { 'browser_chromium': }
+ class { 'unattended_upgrades':
+ enable => 1,
+ origins => $apt_origins,
+ auto => {
+ 'clean' => 7,
+ },
+ upgradeable_packages => {
+ download_only => 1,
+ debdelta => 1,
+ },
+ }
+ class { 'itzks_systems_roamingworkstation': }
+ class { 'itzks_systems_common': }
+ class { 'login_manager': }
+ class { 'cups_browsed_polling': }
+ class { 'krb5hostkeytab': }
+}
+
+
+# WORKSTATIONS
+node /(workstation-[0-9]+|test-workstation)\.intern$/ {
+ class { 'ssh_pubkeys_admins': }
+ class { 'ssh_pubkeys_firedadmins': }
+ class { 'lsb_release_with_version': }
+ class { 'browser_firefox': }
+ class { 'browser_chromium': }
+ class { 'unattended_upgrades':
+ enable => 1,
+ origins => $apt_origins,
+ auto => {
+ 'clean' => 7,
+ },
+ upgradeable_packages => {
+ download_only => 1,
+ debdelta => 1,
+ },
+ }
+ class { 'itzks_systems_workstation': }
+ class { 'itzks_systems_common': }
+ class { 'login_manager': }
+ class { 'cups_browsed_polling': }
+ class { 'krb5hostkeytab': }
+}
+
+# TABLETS
+node /(tab-[0-9]+|test-tablet)\.intern$/ {
+ class { 'ssh_pubkeys_admins': }
+ class { 'ssh_pubkeys_firedadmins': }
+ class { 'lsb_release_with_version': }
+ class { 'browser_chromium': }
+ class { 'unattended_upgrades':
+ enable => 1,
+ origins => $apt_origins,
+ auto => {
+ 'clean' => 7,
+ },
+ upgradeable_packages => {
+ download_only => 1,
+ debdelta => 1,
+ },
+ }
+ class { 'itzks_systems_tablet': }
+ class { 'itzks_systems_common': }
+ class { 'cups_browsed_polling': }
+ class { 'krb5hostkeytab': }
+}
+
+# default / minimal
+node "default" {
+ class { 'ssh_pubkeys_admins': }
+ class { 'ssh_pubkeys_firedadmins': }
+ class { 'lsb_release_with_version': }
+ class { 'browser_firefox': }
+ class { 'browser_chromium': }
+ class { 'unattended_upgrades':
+ enable => 1,
+ origins => $apt_origins,
+ auto => {
+ 'clean' => 7,
+ },
+ upgradeable_packages => {
+ download_only => 1,
+ debdelta => 1,
+ },
+ }
+}
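Review bot: Root SSH access is revoked only for keys that `ssh_pubkeys_firedadmins` lists by name with `ensure => 'absent'`, so any key in root's authorized_keys file that this manifest does not declare remains valid on every node that includes these classes. Managing the account itself, for example `user { 'root': purge_ssh_keys => true }`, would make the declared `ssh_authorized_key` resources the complete set and remove the need for a hand-maintained denylist; any key that is meant to stay (such as the commented-out backup-server key) would have to be declared first. Separately, the `root@vidar.das-netzwerkteam.de` key in `node "disklserver.intern"` gives an external deployment host an unrestricted root login. An `options => ['from="<deployment host address>"']` attribute (placeholder value) would narrow where that key is accepted from; whether a forced command is also feasible depends on how the chroot deployment runs, which is not visible in this hunk.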