[debian-edu-commits] debian-edu/ 01/14: Add configuration files for Cfengine3 setup.
Wolfgang Schweer
schweer-guest at moszumanska.debian.org
Sat Jan 6 23:46:40 UTC 2018
This is an automated email from the git hooks/post-receive script.
schweer-guest pushed a commit to branch master
in repository debian-edu-config.
commit bdf4f6ff77e006be7be86e4ac929b5c22eef9457
Author: Wolfgang Schweer <wschweer at arcor.de>
Date: Sat Jan 6 23:16:09 2018 +0100
Add configuration files for Cfengine3 setup.
---
cf3/cf.adduser | 26 ++++++
cf3/cf.apache2 | 52 ++++++++++++
cf3/cf.bind | 51 ++++++++++++
cf3/cf.chromium | 19 +++++
cf3/cf.cups | 21 +++++
cf3/cf.dhcpserver | 57 +++++++++++++
cf3/cf.exim | 22 +++++
cf3/cf.finalize | 42 ++++++++++
cf3/cf.firefox-esr | 35 ++++++++
cf3/cf.grub | 64 +++++++++++++++
cf3/cf.homes | 82 ++++++++++++++++++
cf3/cf.imap | 15 ++++
cf3/cf.inetd | 25 ++++++
cf3/cf.krb5client | 24 ++++++
cf3/cf.ldapclient | 94 +++++++++++++++++++++
cf3/cf.ldapserver | 55 +++++++++++++
cf3/cf.ntp | 49 +++++++++++
cf3/cf.pki | 16 ++++
cf3/cf.pxeinstall | 12 +++
cf3/cf.samba | 12 +++
cf3/cf.squid | 70 ++++++++++++++++
cf3/cf.syslog | 62 ++++++++++++++
cf3/cf.thunderbird | 23 ++++++
cf3/cf.xrdp | 18 ++++
cf3/edu.cf | 33 ++++++++
cf3/promises.cf | 237 +++++++++++++++++++++++++++++++++++++++++++++++++++++
26 files changed, 1216 insertions(+)
diff --git a/cf3/cf.adduser b/cf3/cf.adduser
new file mode 100644
index 0000000..e633950
--- /dev/null
+++ b/cf3/cf.adduser
@@ -0,0 +1,26 @@
+bundle agent adduser
+{
+# The file /etc/adduser.conf controls local user creation.
+# For local user creation we want to make sure that local users do
+# not have uidNumbers and gidNumber conflicting with those in LDAP.
+
+files:
+
+ debian.!standalone.installation::
+
+ "/etc/adduser.conf"
+ edit_line => adduser_conf;
+}
+
+bundle edit_line adduser_conf
+{
+
+replace_patterns:
+
+ "FIRST_UID=1000" replace_with => value("FIRST_UID=500");
+ "LAST_UID=59999" replace_with => value("LAST_UID=999");
+ "FIRST_GID=1000" replace_with => value("FIRST_GID=500");
+ "LAST_GID=59999" replace_with => value("LAST_GID=999");
+ "DIR_MODE=0755" replace_with => value("DIR_MODE=0700");
+}
+
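Review bot: The five `replace_patterns` in `adduser_conf` only fire while `/etc/adduser.conf` still holds the exact stock values (`FIRST_UID=1000` and so on); on a host whose file was pre-edited or ships different defaults nothing changes and local accounts keep the range that collides with LDAP, which is precisely what the header comment says this bundle prevents. A looser pattern such as `^FIRST_UID=.*` is not the fix, since CFEngine rejects a replacement that still matches its own pattern as non-convergent. The stdlib `set_variable_values` edit_line bundle, driven by an array of key → value pairs, converges from any starting point and appears to be the idiom meant for KEY=value files like this one.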
diff --git a/cf3/cf.apache2 b/cf3/cf.apache2
new file mode 100644
index 0000000..8e845f3
--- /dev/null
+++ b/cf3/cf.apache2
@@ -0,0 +1,52 @@
+bundle agent apache2
+{
+
+files:
+
+ debian.server.installation::
+
+ "/etc/php/apache2/php.ini"
+ link_from => ln_s("/etc/php/apache2/php-debian-edu.ini"),
+ move_obstructions => "true";
+ "/etc/apache2/mods-available/debian-edu-userdir.load"
+ link_from => ln_s("/etc/apache2/mods-available/userdir.load"),
+ move_obstructions => "true";
+
+commands:
+
+ debian.server.installation::
+
+ # Generate certificates and keys (rootCA and multipurpose server) using
+ # the create-debian-edu-certs tool.
+ "/usr/share/debian-edu-config/tools/create-debian-edu-certs"
+ contain => in_shell;
+ # Disable default userdir.
+ "/usr/sbin/a2dismod userdir"
+ contain => in_shell;
+ # Enabling debian-edu-userdir; create a directory ~/public_html
+ # to make it available as https://www/~<username>.
+ "/usr/sbin/a2enmod debian-edu-userdir"
+ contain => in_shell;
+ # Enabling ssl
+ "/usr/sbin/a2enmod ssl"
+ contain => in_shell;
+ # Use our own default site configuration, and ssl site configuration.
+ "/usr/sbin/a2enconf debian-edu-config-doc.conf"
+ contain => in_shell;
+ "/usr/sbin/a2ensite debian-edu-default.conf"
+ contain => in_shell;
+ "/usr/sbin/a2ensite debian-edu-ssl-default.conf"
+ contain => in_shell;
+ # Enable sitesummary with cgi, workaround for bug #760084
+ "/usr/sbin/a2enmod cgi"
+ contain => in_shell;
+ "/usr/sbin/a2enconf sitesummary.conf"
+ contain => in_shell;
+ # Disable the stock debian sitefile
+ "/usr/sbin/a2dissite 000-default.conf"
+ contain => in_shell;
+ # Reload apache2 for changes to take effect
+ "/usr/sbin/service apache2 restart"
+ contain => in_shell;
+}
+
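Review bot: `a2enmod ssl`, `a2ensite debian-edu-ssl-default.conf` and `service apache2 restart` run regardless of whether `create-debian-edu-certs` succeeded, so a failed or partial certificate generation leaves the TLS vhost enabled with no usable key and the unconditional restart takes the whole web server down instead of merely leaving TLS off. Setting a class from the certificate command, e.g. `classes => if_repaired("edu_certs_created")` (a zero exit is reported as repaired for `commands` by default), and gating the three TLS-related promises on `debian.server.installation.edu_certs_created::` keeps the failure local. None of these command strings contain shell syntax, so `contain => in_shell` could be dropped from them; cf-agent executes the promiser directly when no shell is requested.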
diff --git a/cf3/cf.bind b/cf3/cf.bind
new file mode 100644
index 0000000..b8b49f2
--- /dev/null
+++ b/cf3/cf.bind
@@ -0,0 +1,51 @@
+bundle agent bind
+{
+# Configure DNS setup with bind.
+
+vars:
+
+ "bind_file" string => "/etc/bind/.";
+
+files:
+
+ debian.server.installation::
+
+ "$(bind_file)"
+ perms => mog("2775","root","bind");
+
+ "/etc/default/bind9"
+ edit_line => bind_default;
+}
+
+bundle agent editline_bind
+{
+
+vars:
+
+ "local" string => "include \"/etc/bind/named.conf.ldap2zone\";";
+ "alias" string => "bind: root";
+
+files:
+
+ debian.server.installation::
+
+ # Configure ldap2bind for Debian Edu.
+ "/etc/bind/named.conf.local"
+ create => "true",
+ edit_line => append_if_no_line("$(local)");
+ # Add alias for mails to user bind.
+ "/etc/aliases"
+ create => "true",
+ edit_line => append_if_no_line("$(alias)");
+}
+
+bundle edit_line bind_default
+{
+# Disable IPv6 (to silence IPv6 lookup failure messages):
+
+replace_patterns:
+
+ "OPTIONS=\"-u bind\""
+ replace_with => value("OPTIONS=\"-4 -u bind\"");
+}
+
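Review bot: `perms => mog("2775","root","bind")` on `/etc/bind/` makes the configuration directory group-writable for `bind`, the uid named itself runs as (`-u bind`), so a compromised or misbehaving daemon can rewrite `named.conf*` and every zone it serves; Debian's stock mode for this directory is `2755`. If the extra write bit is only there so that `ldap2zone` can drop generated zone files, point that tool at `/var/cache/bind`, which is already bind-writable, and keep `/etc/bind` at `2755`. A short comment on `bind_default` noting that `-4` turns off IPv6 transport entirely, not just the lookup warnings, would also save a later reader from "fixing" it.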
diff --git a/cf3/cf.chromium b/cf3/cf.chromium
new file mode 100644
index 0000000..d61e13b
--- /dev/null
+++ b/cf3/cf.chromium
@@ -0,0 +1,19 @@
+bundle agent chromium
+{
+# Change default Chromium homepage. Standalone machines get our project page,
+# while school machines get the school start page from LDAP.
+# The clients using LDAP also update the pages at boot.
+
+commands:
+
+ debian.standalone.installation::
+
+ "/usr/share/debian-edu-config/tools/update-chromium-homepage http\://www.skolelinux.org/"
+ contain => in_shell;
+
+ debian.!standalone.installation::
+
+ "/usr/share/debian-edu-config/tools/update-chromium-homepage ldap\:homepage"
+ contain => in_shell;
+}
+
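Review bot: The standalone homepage is handed to `update-chromium-homepage` as plain `http\://www.skolelinux.org/`, so the first page every fresh browser loads on a standalone machine is an unencrypted request that any on-path network can redirect. If the project site serves TLS, `https\://www.skolelinux.org/` removes that hop at no cost. The same URL appears in cf.firefox-esr, so change both together.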
diff --git a/cf3/cf.cups b/cf3/cf.cups
new file mode 100644
index 0000000..f747ef5
--- /dev/null
+++ b/cf3/cf.cups
@@ -0,0 +1,21 @@
+bundle agent cups
+{
+
+files:
+
+ debian.server.installation::
+
+ "/etc/cups/cupsd.conf"
+ link_from => ln_s("/etc/cups/cupsd-debian-edu.conf"),
+ move_obstructions => "true";
+ "/etc/cups/cups-files.conf"
+ link_from => ln_s("/etc/cups/cups-files-debian-edu.conf"),
+ move_obstructions => "true";
+ "/etc/cups/ssl/tjener.intern.crt"
+ link_from => ln_s("/etc/ssl/certs/debian-edu-server.crt"),
+ move_obstructions => "true";
+ "/etc/cups/ssl/tjener.intern.key"
+ link_from => ln_s("/etc/ssl/private/debian-edu-server.key"),
+ move_obstructions => "true";
+}
+
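Review bot: The links to `/etc/ssl/private/debian-edu-server.key` make CUPS depend on that key's ownership and mode, but nothing in this change pins them; on the stock layout `/etc/ssl/private` is `root:ssl-cert 0710`, and whether the key is world-readable or unreadable to the process that opens it is decided by whatever `create-debian-edu-certs` did. A `files:` promise such as `"/etc/ssl/private/debian-edu-server.key" perms => mog("0640","root","ssl-cert");` would make the assumption explicit for every consumer that links to it (cups, dovecot, xrdp). The hard-coded `tjener.intern` file names are fine for CUPS's hostname-based lookup but deserve a comment saying so.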
diff --git a/cf3/cf.dhcpserver b/cf3/cf.dhcpserver
new file mode 100644
index 0000000..52ac4a6
--- /dev/null
+++ b/cf3/cf.dhcpserver
@@ -0,0 +1,57 @@
+bundle agent dhcpserver
+{
+
+files:
+
+ debian.server.installation::
+
+ "/etc/dhcp/dhcpd.conf"
+ link_from => ln_s("/etc/dhcp/dhcpd-debian-edu.conf"),
+ move_obstructions => "true";
+
+ debian.!server.!standalone.installation::
+
+ "/etc/dhcp/dhclient.conf"
+ link_from => ln_s("/etc/dhcp/dhclient-debian-edu.conf"),
+ move_obstructions => "true";
+
+ debian.server.!ltspserver::
+
+ "/etc/default/isc-dhcp-server"
+ edit_line => ip_conf1;
+
+ debian.server.ltspserver::
+
+ "/etc/default/isc-dhcp-server"
+ edit_line => ip_conf2;
+
+ debian.!server.ltspserver::
+
+ "/etc/default/isc-dhcp-server"
+ edit_line => ip_conf3;
+}
+
+bundle edit_line ip_conf1
+{
+
+replace_patterns:
+
+ "INTERFACESv4=\"\"" replace_with => value("INTERFACESv4=\"eth0\"");
+}
+
+bundle edit_line ip_conf2
+{
+
+replace_patterns:
+
+ "INTERFACESv4=\"\"" replace_with => value("INTERFACESv4=\"eth0 eth1\"");
+}
+
+bundle edit_line ip_conf3
+{
+
+replace_patterns:
+
+ "INTERFACESv4=\"\"" replace_with => value("INTERFACESv4=\"eth1\"");
+}
+
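Review bot: The interface names `eth0`/`eth1` written by `ip_conf1`–`ip_conf3` only exist once the `net.ifnames=0` kernel parameter from cf.grub has taken effect, i.e. after the reboot that follows installation; if the installer kernel booted with predictable names, isc-dhcp-server restarted before that reboot will fail on a non-existent interface. A comment on the bundle (`# Interface names rely on net.ifnames=0 set in cf.grub; valid after reboot`) would document the coupling. The three `replace_patterns` also match only the stock empty `INTERFACESv4=""`, so a value already present is left untouched without any report.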
diff --git a/cf3/cf.exim b/cf3/cf.exim
new file mode 100644
index 0000000..904f94d
--- /dev/null
+++ b/cf3/cf.exim
@@ -0,0 +1,22 @@
+bundle agent exim
+{
+
+files:
+
+ debian.server.installation::
+
+ "/etc/exim4/exim4.conf"
+ link_from => ln_s("/etc/exim4/exim-ldap-server-v4.conf"),
+ move_obstructions => "true";
+ "/etc/default/exim4"
+ edit_line => exim_default;
+}
+
+bundle edit_line exim_default
+{
+
+ insert_lines:
+
+ "KRB5_KTNAME=/etc/krb5.keytab.smtp; export KRB5_KTNAME";
+}
+
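Review bot: `exim_default` points exim at `/etc/krb5.keytab.smtp`, but nothing in this change pins that keytab's ownership or mode, and a keytab is the service's long-term key; depending on how `exim4-create-environment` (run from cf.finalize) creates it, the result is either a world-readable credential or a daemon that cannot read it. A `files:` promise such as `"/etc/krb5.keytab.smtp" perms => mog("0640","root","Debian-exim");` makes the requirement explicit and convergent. The `insert_lines` promise itself is fine, as CFEngine only appends a line that is not already present.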
diff --git a/cf3/cf.finalize b/cf3/cf.finalize
new file mode 100644
index 0000000..3a71a45
--- /dev/null
+++ b/cf3/cf.finalize
@@ -0,0 +1,42 @@
+bundle agent finalize
+{
+# These are the last steps of an installation / upgrade.
+# Moved from other bundles to this last one in the sequence to get the right
+# execution order.
+
+commands:
+
+ debian.server.installation::
+
+ "/usr/share/debian-edu-config/tools/exim4-create-environment"
+ contain => in_shell;
+
+ "/usr/sbin/dpkg-reconfigure sitesummary"
+ contain => in_shell;
+
+ "/usr/sbin/exim4 -qff"
+ contain => in_shell;
+
+ # Update /etc/environment and APT configuration using wpad.dat file.
+ # Do it late to make sure scripts like debian-edu-pxeinstall do not get
+ # the wrong proxy setting when installing a main-server and the webcache
+ # proxy isn't up yet.
+
+ debian.!server.!standalone::
+
+ "/usr/share/debian-edu-config/tools/update-proxy-from-wpad"
+ contain => in_shell;
+
+ debian.server.installation::
+
+ "/usr/share/debian-edu-config/tools/update-proxy-from-wpad file\:///etc/debian-edu/www/wpad.dat"
+ contain => in_shell;
+
+ # Activate changes to pam-configs in /etc/pam.d/
+
+ debian.!standalone.installation::
+
+ "/usr/sbin/pam-auth-update --package"
+ contain => in_shell;
+}
+
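Review bot: `update-proxy-from-wpad` on every networked non-server host writes a proxy into `/etc/environment` and the APT configuration from a `wpad.dat` that, unless the tool pins the URL, is discovered through DHCP option 252 or the `wpad` DNS name — both unauthenticated, so any host able to answer those on the LAN can steer the outbound HTTP(S) of every workstation through itself. APT's signature checks limit what a rogue proxy can do to packages, but `/etc/environment` reaches every program that honours `http_proxy`. Since the main server already has a fixed copy under `/etc/debian-edu/www/`, consider passing an explicit URL served by it (ideally over the HTTPS site enabled in cf.apache2) to the client invocation as well, and if the tool already validates the file's origin, a comment here saying so would save the next reader the question.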
diff --git a/cf3/cf.firefox-esr b/cf3/cf.firefox-esr
new file mode 100644
index 0000000..565b7cc
--- /dev/null
+++ b/cf3/cf.firefox-esr
@@ -0,0 +1,35 @@
+bundle agent firefox
+{
+# Set up firefox to accept the default ssl certificate created through
+# cf.apache2.
+# On the main server use /etc/skel/ to create a default profile for new
+# users in case they start firefox for the first time.
+
+commands:
+
+ debian.server.installation::
+
+ "/usr/bin/update-ini-file /etc/skel/.mozilla/firefox/profiles.ini General StartWithLastProfile 1"
+ contain => in_shell;
+ "/usr/bin/update-ini-file /etc/skel/.mozilla/firefox/profiles.ini Profile0 Name default"
+ contain => in_shell;
+ "/usr/bin/update-ini-file /etc/skel/.mozilla/firefox/profiles.ini Profile0 IsRelative 1"
+ contain => in_shell;
+ "/usr/bin/update-ini-file /etc/skel/.mozilla/firefox/profiles.ini Profile0 Path debian-edu.default"
+ contain => in_shell;
+
+ # Change default start page. Standalone machines get our project page,
+ # while school machines get the school start page from LDAP.
+ # The clients using LDAP also update the pages at boot.
+
+ debian.standalone.installation::
+
+ "/usr/share/debian-edu-config/tools/update-firefox-homepage http\://www.skolelinux.org/"
+ contain => in_shell;
+
+ debian.!standalone.installation::
+
+ "/usr/share/debian-edu-config/tools/update-firefox-homepage ldap\:homepage"
+ contain => in_shell;
+}
+
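Review bot: The header comment says this bundle sets Firefox up to accept the default SSL certificate created by cf.apache2, but nothing in the bundle touches a certificate — the four `update-ini-file` calls only build `/etc/skel/.mozilla/firefox/profiles.ini` and the remaining commands only set a homepage URL. Either the comment is stale or the CA import lives in the `debian-edu.default` profile skeleton or inside `update-firefox-homepage`; say which (`# CA trust comes from the debian-edu.default profile skeleton, not from this bundle`) so nobody assumes certificate trust is enforced from this file. The standalone homepage is also passed as plain `http\://`; the same URL over `https\://` avoids an unencrypted first request.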
diff --git a/cf3/cf.grub b/cf3/cf.grub
new file mode 100644
index 0000000..5284d5a
--- /dev/null
+++ b/cf3/cf.grub
@@ -0,0 +1,64 @@
+bundle agent grub
+{
+# Configure GRUB:
+# - for plymouth (everywhere except on servers and ltsp-clients)
+# - handle the network interface setup (keep old device names) for networked
+# systems (everywhere except on roaming machines and standalone)
+
+files:
+
+ debian.(standalone|roaming).installation::
+
+ "/etc/default/grub"
+ edit_line => grub_conf1;
+
+ debian.workstation.!server.!ltspclient.!standalone.!roaming.installation::
+
+ "/etc/default/grub"
+ edit_line => grub_conf2;
+
+ debian.(server|ltspclient).installation::
+
+ "/etc/default/grub"
+ edit_line => grub_conf3;
+
+commands:
+
+ debian.!ltspclient.installation::
+
+ "/usr/sbin/update-grub"
+ contain => in_shell;
+
+ debian.!server.!ltspclient.installation::
+
+ "/usr/sbin/plymouth-set-default-theme lines"
+ contain => in_shell;
+}
+
+bundle edit_line grub_conf1
+{
+
+replace_patterns:
+
+ "LINUX_DEFAULT=\"quiet"
+ replace_with => value("LINUX_DEFAULT=\"splash quiet");
+}
+
+bundle edit_line grub_conf2
+{
+
+replace_patterns:
+
+ "LINUX_DEFAULT=\"quiet"
+ replace_with => value("LINUX_DEFAULT=\"net.ifnames=0 splash quiet");
+}
+
+bundle edit_line grub_conf3
+{
+
+replace_patterns:
+
+ "LINUX_DEFAULT=\"quiet"
+ replace_with => value("LINUX_DEFAULT=\"net.ifnames=0 quiet");
+}
+
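Review bot: A host that is an LTSP server without the `workstation` class receives neither `grub_conf2` (requires `workstation`) nor `grub_conf3` (only `server|ltspclient`), so it never gets `net.ifnames=0`, yet cf.dhcpserver writes `INTERFACESv4="eth1"` for exactly that `!server.ltspserver` profile and dhcpd would then be bound to a non-existent interface. Unless the LTSP server profile always also satisfies `workstation` (edu.cf derives that class from two files, so I cannot tell from here), add it to the third class line: `debian.(server|ltspserver|ltspclient).installation::`. The three patterns anchor on `LINUX_DEFAULT=\"quiet`, i.e. the stock value, and are a silent no-op on a hand-edited `/etc/default/grub`; a comment noting that would help.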
diff --git a/cf3/cf.homes b/cf3/cf.homes
new file mode 100644
index 0000000..376f43f
--- /dev/null
+++ b/cf3/cf.homes
@@ -0,0 +1,82 @@
+bundle agent homes
+{
+}
+
+bundle agent permission_homes
+{
+# Handle the user home directories on the server
+
+vars:
+
+ "home_files" slist => { "/skole/",
+ "/skole/backup/",
+ "/skole/tjener/home0/",
+ "/srv/nfs4/home0/" };
+files:
+
+ # Make sure directories have proper permissions just in case someone installs
+ # a main server using 'atomic' partitioning scheme (only one partition).
+
+ debian.server.atomic.installation::
+
+ "$(home_files)"
+ create => "true",
+ perms => mog("755","root","root");
+
+commands:
+
+ # Disable autofs on the main server.
+
+ debian.server.installation::
+
+ "/bin/systemctl disable autofs"
+ contain => in_shell;
+}
+
+bundle agent editline_homes
+{
+vars:
+
+ "exports" slist => { "/srv/nfs4 @ltsp-server-hosts(sec=krb5p:krb5i:krb5:sys,rw,sync,fsid=0,crossmnt,no_subtree_check) @workstation-hosts(sec=krb5p:krb5i:krb5:sys,rw,sync,fsid=0,crossmnt,no_subtree_check) @server-hosts(sec=krb5p:krb5i:krb5:sys,rw,sync,fsid=0,crossmnt,no_subtree_check)",
+ "/srv/nfs4/home0 @ltsp-server-hosts(sec=krb5p:krb5i:krb5:sys,rw,sync,no_subtree_check) @workstation-hosts(sec=krb5p:krb5i:krb5:sys,rw,sync,no_subtree_check) @server-hosts(sec=krb5p:krb5i:krb5:sys,rw,sync,no_subtree_check)" };
+ "fstab" string => "/skole/tjener/home0 /srv/nfs4/home0 none bind 0 0";
+ "menu" string => "MENUREORDER=true";
+ "nfs" string => "NEED_SVCGSSD=yes";
+ "autofs" string => "LDAPURI=ldap://$(edu.ldapserver)";
+
+files:
+
+ debian.server.installation::
+
+ "/etc/exports"
+ create => "true",
+ edit_line => append_if_no_line("$(exports)");
+
+ "/etc/fstab"
+ create => "true",
+ edit_line => append_if_no_line("$(fstab)");
+
+ # Enable our menu overrides on standalone installations
+
+ debian.standalone.installation::
+
+ "/etc/debian-edu/config"
+ create => "true",
+ edit_line => append_if_no_line("$(menu)");
+
+ debian.server.installation::
+
+ "/etc/default/nfs-kernel-server"
+ create => "true",
+ edit_line => append_if_no_line("$(nfs)");
+
+ # Enable autofs using LDAP unless running the server,
+ # standalone or roaming workstations.
+
+ debian.!server.!standalone.!roaming.installation::
+
+ "/etc/default/autofs"
+ create => "true",
+ edit_line => append_if_no_line("$(autofs)");
+}
+
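Review bot: Both export lines in `editline_homes` list `sec=krb5p:krb5i:krb5:sys`, and the trailing `sys` lets any host matched by the `@workstation-hosts`, `@ltsp-server-hosts` or `@server-hosts` netgroups mount `/srv/nfs4/home0` read-write with plain AUTH_SYS, where the client asserts whatever uid it likes; with that fallback present the Kerberos flavours protect nothing, because a rogue or root-compromised client simply mounts with `sec=sys` and reads or writes every home directory. If AUTH_SYS is only needed for diskless LTSP clients that cannot hold a keytab, restrict it to the netgroup that actually needs it and drop it from the others; otherwise remove `:sys` and keep `sec=krb5p:krb5i:krb5`. A comment on `exports` should state the intended trust model either way, since `rw,fsid=0,crossmnt` on `/srv/nfs4` is the root of the whole pseudo-filesystem.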
diff --git a/cf3/cf.imap b/cf3/cf.imap
new file mode 100644
index 0000000..a7f7a3a
--- /dev/null
+++ b/cf3/cf.imap
@@ -0,0 +1,15 @@
+bundle agent imap
+{
+
+files:
+
+ debian.server.installation::
+
+ "/etc/dovecot/private/dovecot.pem"
+ link_from => ln_s("/etc/ssl/certs/debian-edu-server.crt"),
+ move_obstructions => "true";
+ "/etc/dovecot/private/dovecot.key"
+ link_from => ln_s("/etc/ssl/private/debian-edu-server.key"),
+ move_obstructions => "true";
+}
+
diff --git a/cf3/cf.inetd b/cf3/cf.inetd
new file mode 100644
index 0000000..db3a4b4
--- /dev/null
+++ b/cf3/cf.inetd
@@ -0,0 +1,25 @@
+bundle agent inetd
+{
+# Use native tool to adjust inetd.conf
+
+commands:
+
+ # Remove the services we don't need from /etc/inetd.conf
+
+ debian.!standalone.installation::
+
+ "update-inetd --multi --disable discard"
+ contain => in_shell;
+ "update-inetd --disable daytime"
+ contain => in_shell;
+ "update-inetd --disable time"
+ contain => in_shell;
+
+ # Standalone hosts should not listen to incoming SMTP connections.
+
+ debian.standalone.installation::
+
+ "update-inetd --disable smtp"
+ contain => in_shell;
+}
+
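Review bot: The four `update-inetd` promisers are the only `commands:` in this change written without an absolute path, so they resolve through whatever `PATH` the agent's shell inherits (cf-agent under systemd or inside the installer may have a minimal one), and a `!standalone` host could silently keep `discard`, `daytime` and `time` enabled. Use `/usr/sbin/update-inetd --disable daytime` and so on, matching the rest of the policy, which also lets `contain => in_shell` be dropped. If `--multi` on the `discard` line is there because that service has both a tcp and a udp entry, a comment saying so would explain why it differs from the other three.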
diff --git a/cf3/cf.krb5client b/cf3/cf.krb5client
new file mode 100644
index 0000000..4c20bc8
--- /dev/null
+++ b/cf3/cf.krb5client
@@ -0,0 +1,24 @@
+bundle agent krb5client
+{
+# Configure KRB5 client
+
+files:
+
+ debian.!standalone.installation::
+
+ "/usr/share/pam-configs/edu-nopwdchange"
+ link_from => ln_s("/usr/share/debian-edu-config/pam-config-nopwdchange"),
+ move_obstructions => "true";
+
+commands:
+
+ # On the main server, krb5.conf is generated using tools/kerberos-kdc-init,
+ # on a roaming workstation using tools/setup-roaming; see cf.ldapserver
+ # and cf.ldapclient resp.
+
+ debian.!standalone.!roaming.!server.installation::
+
+ "/usr/share/debian-edu-config/tools/sssd-generate-config -k > /etc/krb5.conf"
+ contain => in_shell;
+}
+
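Review bot: `sssd-generate-config -k > /etc/krb5.conf` has the shell truncate `/etc/krb5.conf` before the generator runs, so if the tool exits non-zero or emits nothing (no LDAP server reachable at install time, for instance) the host is left with an empty Kerberos configuration and nothing beyond the exit status to show for it. Write to a temporary file and rename only on success, e.g. `/usr/share/debian-edu-config/tools/sssd-generate-config -k > /etc/krb5.conf.new && mv /etc/krb5.conf.new /etc/krb5.conf`, or have the tool take an output path and let a `files:` promise install the result. Since this file decides which KDC a workstation trusts, the atomic write is worth the extra clause.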
diff --git a/cf3/cf.ldapclient b/cf3/cf.ldapclient
new file mode 100644
index 0000000..df64658
--- /dev/null
+++ b/cf3/cf.ldapclient
@@ -0,0 +1,94 @@
+bundle agent ldapclient
+{
+# Configure NSS and PAM to use LDAP directory
+
+commands:
+
+ debian.roaming.installation::
+
+ "/usr/share/debian-edu-config/tools/setup-roaming"
+ contain => in_shell;
+}
+
+bundle agent editline_ldapclient
+{
+# Configure Debian Edu specific setup.
+
+vars:
+
+ "nss_conf" slist => { "passwd: files ldap",
+ "group: files ldap",
+ "shadow: files ldap",
+ "netgroup: files ldap",
+ "automount: files ldap" };
+ "ldap_conf" slist => { "HOST $(edu.ldapserver)",
+ "sudoers_base ou=sudoers,$(edu.ldapbase)",
+ "BASE $(edu.ldapbase)",
+ "TLS_REQCERT demand",
+ "TLS_CACERT /etc/ldap/ssl/ldap-server-pubkey.pem" };
+ "nslcd_conf" string => "tls_cacertfile /etc/ldap/ssl/ldap-server-pubkey.pem";
+
+files:
+
+ debian.!standalone.!roaming.installation::
+
+ "/etc/nsswitch.conf"
+ edit_line => nsswitch_conf;
+
+ "/etc/nsswitch.conf"
+ edit_line => append_if_no_line("$(nss_conf)");
+
+ # Adjust for package sudo-ldap; also use the downloaded LDAP SSL certificate
+ # to verify the connection to the server.
+
+ debian.!standalone.installation::
+
+ "/etc/ldap/ldap.conf"
+ edit_line => ca1_conf;
+
+ "/etc/ldap/ldap.conf"
+ edit_line => append_if_no_line("$(ldap_conf)");
+
+ "/etc/nslcd.conf"
+ edit_line => ca2_conf;
+
+ "/etc/nslcd.conf"
+ edit_line => append_if_no_line("$(nslcd_conf)");
+}
+
+bundle edit_line ca1_conf
+{
+
+vars:
+
+ "regexpr" string => "TLS_CACERT.*";
+
+replace_patterns:
+
+ "^($(regexpr))$" replace_with => comment("#");
+}
+
+bundle edit_line ca2_conf
+{
+
+vars:
+
+ "regexpr" string => "tls_cacertfile.*";
+
+replace_patterns:
+
+ "^($(regexpr))$" replace_with => comment("#");
+}
+
+bundle edit_line nsswitch_conf
+{
+
+vars:
+
+ "regexpr" slist => { "passwd.*", "shadow.*", "group.*", "netgroup.*" };
+
+replace_patterns:
+
+ "^($(regexpr))$" replace_with => comment("#");
+}
+
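Review bot: `TLS_REQCERT demand` and `tls_cacertfile` only matter once a connection actually negotiates TLS, and nothing in this hunk requests it: `ldap_conf` uses `HOST $(edu.ldapserver)` (a plain endpoint, and `HOST` is a deprecated alias for `URI`) and `nslcd_conf` adds only the CA path, not `ssl start_tls`. If the stock `/etc/nslcd.conf` does not already switch on StartTLS, passwd/shadow/netgroup lookups travel in cleartext despite the CA pinning. Adding `"ssl start_tls"` and `"tls_reqcert demand"` to `nslcd_conf`, and replacing `HOST` with `URI ldaps://$(edu.ldapserver)` in `ldap_conf`, makes the intent explicit. A note on where `/etc/ldap/ssl/ldap-server-pubkey.pem` is fetched and how its first download is verified would also help, since everything above trusts that file.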
diff --git a/cf3/cf.ldapserver b/cf3/cf.ldapserver
new file mode 100644
index 0000000..e8bb8aa
--- /dev/null
+++ b/cf3/cf.ldapserver
@@ -0,0 +1,55 @@
+bundle agent ldapserver
+{
+# Configure LDAP server and communication with the LDAP server
+
+vars:
+
+ "slapd_ssl" string => "/etc/ldap/ssl";
+
+files:
+
+ debian.server.installation::
+
+ "/etc/ldap/slapd.conf"
+ link_from => ln_s("/etc/ldap/slapd-squeeze_debian-edu.conf"),
+ move_obstructions => "true";
+
+ # Adjust rights, just to be sure.
+
+ "$(slapd_ssl)"
+ perms => og("openldap","openldap");
+
+commands:
+
+ debian.server.installation::
+
+ # Generate TLS certificates
+ "/usr/bin/mkslapdcert"
+ contain => in_shell;
+
+ # Create the initial LDAP database, using the new slapd.conf.
+ # The Kerberos KDC is set up within this script too. Needs to
+ # run after the ssl certs are made available (cf.apache2).
+ "/usr/bin/ldap-debian-edu-install"
+ contain => in_shell;
+}
+
+bundle agent editline_ldapserver
+{
+# Configure Debian Edu specific setup.
+
+vars:
+
+ "default" slist => { "SLAPD_SERVICES=\"ldap:/// ldaps:/// ldapi:///\"",
+ "export KRB5_KTNAME=/etc/krb5.keytab.ldap",
+ "SLAPD_OPTIONS=\"-4\"",
+ "ulimit -n 32768" };
+
+files:
+
+ debian.server.installation::
+
+ "/etc/default/slapd"
+ edit_line => append_if_no_line("$(default)");
+}
+
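Review bot: The "adjust rights" promise on `$(slapd_ssl)` uses `og("openldap","openldap")`, which sets owner and group only; the mode of `/etc/ldap/ssl` and of the private key `mkslapdcert` drops into it is never constrained, so if either is created 0755/0644 the LDAP server key is world-readable and this promise will not notice. `perms => mog("0750","openldap","openldap")` on the directory, plus a matching promise on the key file, enforces the intent rather than assuming it. Separately, `SLAPD_SERVICES` keeps plain `ldap:///` bound on all interfaces next to `ldaps:///`; if StartTLS is meant to be mandatory before a cleartext bind, that is decided by the `security` directive in slapd.conf, and a comment here pointing to it would help.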
diff --git a/cf3/cf.ntp b/cf3/cf.ntp
new file mode 100644
index 0000000..d3ad792
--- /dev/null
+++ b/cf3/cf.ntp
@@ -0,0 +1,49 @@
+bundle agent ntp
+{
+# Disable Systemd service, use custom ntp configuration.
+# Respect that LTSP is prefering systemd-timesyncd.
+
+commands:
+
+ debian.!ltspclient.installation::
+
+ "/bin/systemctl disable systemd-timesyncd"
+ contain => in_shell;
+}
+
+bundle agent editline_ntp
+{
+# LTSP chroot modification is done via 'ltspConfig: TIMESERVER=ntp' (in LDAP).
+
+vars:
+
+ "networked" string => "statsdir /var/log/ntpstats/";
+ "mainserver" string => "server 127.127.1.0";
+ "clientconf" string => "server ntp iburst";
+
+files:
+
+ debian.!standalone.!ltspclient.installation::
+
+ "/etc/ntp.conf"
+ create => "true",
+ edit_line => append_if_no_line("$(networked)");
+
+ # Add local clock on the main-server to ensure clients can sync with
+ # the main-server even when all the machines are disconnected from
+ # the Internet. When they are on the Internet, all will sync with
+ # pool.ntp.org machines.
+
+ debian.server.installation::
+
+ "/etc/ntp.conf"
+ create => "true",
+ edit_line => append_if_no_line("$(mainserver)");
+
+ debian.!server.!standalone.!ltspclient.installation::
+
+ "/etc/ntp.conf"
+ create => "true",
+ edit_line => append_if_no_line("$(clientconf)");
+}
+
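Review bot: `systemctl disable systemd-timesyncd` only removes the unit from the boot sequence; a timesyncd that is already running keeps adjusting the clock alongside ntpd until the next reboot, and on a Kerberos network two time sources fighting over the clock is exactly what produces clock-skew authentication failures. `/bin/systemctl disable --now systemd-timesyncd` stops it as well. The client line `server ntp iburst` relies on an unqualified name resolved through the search domain with no NTP authentication; that may be acceptable on this LAN, but it deserves a comment, since whoever answers for `ntp` controls Kerberos ticket validity on every workstation.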
diff --git a/cf3/cf.pki b/cf3/cf.pki
new file mode 100644
index 0000000..92d9fea
--- /dev/null
+++ b/cf3/cf.pki
@@ -0,0 +1,16 @@
+bundle agent pki
+{
+# Make sure the pki store directory has proper rights.
+
+vars:
+
+ "pki_file" string => "/etc/skel/.pki/.";
+
+files:
+
+ debian.server.installation::
+
+ "$(pki_file)"
+ perms => mog("700","root","root");
+}
+
diff --git a/cf3/cf.pxeinstall b/cf3/cf.pxeinstall
new file mode 100644
index 0000000..92a80ac
--- /dev/null
+++ b/cf3/cf.pxeinstall
@@ -0,0 +1,12 @@
+bundle agent pxeinstall
+{
+# Enable PXE installation framework.
+
+commands:
+
+ debian.(server|ltspserver).installation::
+
+ "/usr/sbin/debian-edu-pxeinstall"
+ contain => in_shell;
+}
+
diff --git a/cf3/cf.samba b/cf3/cf.samba
new file mode 100644
index 0000000..3ad8e95
--- /dev/null
+++ b/cf3/cf.samba
@@ -0,0 +1,12 @@
+bundle agent samba
+{
+
+files:
+
+ debian.server.installation::
+
+ "/etc/samba/smb.conf"
+ link_from => ln_s("/etc/samba/smb-debian-edu.conf"),
+ move_obstructions => "true";
+}
+
diff --git a/cf3/cf.squid b/cf3/cf.squid
new file mode 100644
index 0000000..59e0ca4
--- /dev/null
+++ b/cf3/cf.squid
@@ -0,0 +1,70 @@
+bundle agent squid
+{
+# Configure squid, copy our setup to /etc/squid/ (instead of
+# including it in the package as a conffile), to ensure package
+# upgrades do not trigger a conffile question from dpkg.
+
+files:
+
+ debian.server.installation::
+
+ # Use Debian Edu configuration file.
+
+ "/etc/squid/squid-debian-edu.conf"
+ link_from => ln_s("/usr/share/debian-edu-config/squid.conf"),
+ move_obstructions => "true";
+
+ # Enforce proxy on networked installs
+
+ debian.!standalone.installation::
+
+ "/etc/firefox-esr/debian-edu-networked.js"
+ link_from => ln_s("/usr/share/debian-edu-config/firefox-networked-prefs.js"),
+ move_obstructions => "true";
+
+commands:
+
+ # Reconfigure squid. This is needed if squid has already been started
+ # using the default configuration; a cache dir isn't used in this case,
+ # storage uses memory. The reconfiguration initializes the cache dir.
+
+ debian.server.installation::
+
+ "/usr/sbin/dpkg-reconfigure squid"
+ contain => in_shell;
+
+ # Update Squid to use all the available space (aka 80% of the partition)
+
+ debian.server.installation::
+ "/usr/share/debian-edu-config/tools/squid-update-cachedir /etc/squid/squid-debian-edu.conf"
+ contain => in_shell;
+
+}
+
+bundle agent editline_squid
+{
+
+vars:
+
+ "default" slist => { "CONFIG=/etc/squid/squid-debian-edu.conf",
+ "SQUID_ARGS=\"-YC -f /etc/squid/squid-debian-edu.conf\"" };
+ "proxy" string => "DHCP_WPAD_PROXY_UPDATE=false";
+
+files:
+
+ debian.server.installation::
+
+ "/etc/default/squid"
+ create => "true",
+ edit_line => append_if_no_line("$(default)");
+
+ # Disable the automatic proxy configuration on LTSP boot, as the
+ # default setup is already correct and not calling
+ # wpad-proxy-update shaves 3 seconds from the boot.
+
+ debian.ltspclient.installation::
+
+ "/etc/debian-edu/config"
+ edit_line => append_if_no_line("$(proxy)");
+}
+
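Review bot: The bundle comment says the Debian Edu squid setup is copied into `/etc/squid/` so that package upgrades do not touch it, but the `files:` promise creates a symlink (`link_from => ln_s(...)`) back to `/usr/share/debian-edu-config/squid.conf`; `squid-update-cachedir` is then pointed at that link, and if it edits the file in place the cache_dir change lands in the package-owned file under `/usr/share`, which the next debian-edu-config upgrade overwrites without any conffile prompt. Either copy the file once (a `copy_from` promise guarded by a `fileexists` class) so the comment is true and the edit persists, or correct the comment to describe the symlink and state where the cache-size edit is expected to survive. Minor: the `debian.server.installation::` class line is repeated inside `commands:`; the second occurrence before `squid-update-cachedir` is redundant.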
diff --git a/cf3/cf.syslog b/cf3/cf.syslog
new file mode 100644
index 0000000..6cac62e
--- /dev/null
+++ b/cf3/cf.syslog
@@ -0,0 +1,62 @@
+bundle agent syslog
+{
+# Configure rsyslogd and tcp-wrapper for it.
+
+vars:
+
+ "syslog_file" string => "/etc/rsyslog.d/debian-edu-client.conf";
+
+files:
+
+ debian.!server.!standalone::
+
+ "$(syslog_file)"
+ perms => m("644");
+
+ debian.(server|ltspserver)::
+
+ # Enable UDP to make sure that syslog messages are accepted via UDP
+
+ "/etc/rsyslog.d/debian-edu-collector.conf"
+ link_from => ln_s("/usr/share/debian-edu-config/rsyslog-collector"),
+ move_obstructions => "true";
+}
+
+bundle agent editline_syslog
+{
+
+vars:
+
+ "hosts" string => "syslog: 10.";
+ "ltsp" string => "syslog: 192.168.0.";
+ "client" string => "*.* @${edu.syslogserver}";
+
+files:
+
+ # FIXME tcp-wrapper doesn't seem to be used by rsyslogd.
+ # Allow syslog packages from 10.0.0.0/8 on server.
+
+ debian.server.installation::
+
+ "/etc/hosts.allow"
+ create => "true",
+ edit_line => append_if_no_line("$(hosts)");
+
+ # Allow syslog packages from 192.168.0.0/24 on ltsp-server.
+
+ debian.ltspserver.installation::
+
+ "/etc/hosts.allow"
+ create => "true",
+ edit_line => append_if_no_line("$(ltsp)");
+
+ # On every host except the server and a standalone machine, send
+ # syslog messages to the central collector.
+
+ debian.!server.!standalone.installation::
+
+ "/etc/rsyslog.d/debian-edu-client.conf"
+ create => "true",
+ edit_line => append_if_no_line("$(client)");
+}
+
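Review bot: The `FIXME` is the point: rsyslog is not linked against tcp-wrappers, so the `syslog: 10.` and `syslog: 192.168.0.` lines in `/etc/hosts.allow` restrict nothing, and the collector enabled through `rsyslog-collector` accepts UDP 514 from any host that can reach it, which lets any machine on the LAN inject forged entries into the central log; the clients' `*.* @${edu.syslogserver}` line meanwhile ships every message, auth facility included, in cleartext over UDP. rsyslog's own `$AllowedSender UDP, 10.0.0.0/8, 192.168.0.0/24` in the collector configuration provides the filtering these lines intend, and `@@` (TCP) with the omfwd TLS driver would close the cleartext gap. If the hosts.allow lines are kept for other tcp-wrapped services, say so in the comment; otherwise they are dead configuration that suggests a control which is not there.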
diff --git a/cf3/cf.thunderbird b/cf3/cf.thunderbird
new file mode 100644
index 0000000..eba8da1
--- /dev/null
+++ b/cf3/cf.thunderbird
@@ -0,0 +1,23 @@
+bundle agent thunderbird
+{
+# Allow to create / update certificate and key dbs for Thunderbird.
+#
+# On the main server use /etc/skel/ to create a default profile for new
+# users in case they start Thunderbird for the first time.
+
+commands:
+
+ # Enable the default profile.
+
+ debian.server.installation::
+
+ "/usr/bin/update-ini-file /etc/skel/.thunderbird/profiles.ini General StartWithLastProfile 1"
+ contain => in_shell;
+ "/usr/bin/update-ini-file /etc/skel/.thunderbird/profiles.ini Profile0 Name default"
+ contain => in_shell;
+ "/usr/bin/update-ini-file /etc/skel/.thunderbird/profiles.ini Profile0 IsRelative 1"
+ contain => in_shell;
+ "/usr/bin/update-ini-file /etc/skel/.thunderbird/profiles.ini Profile0 Path debian-edu.default"
+ contain => in_shell;
+}
+
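Review bot: The header comment promises that this bundle allows creating or updating Thunderbird's certificate and key databases, but the four `update-ini-file` commands only write `/etc/skel/.thunderbird/profiles.ini`; no `cert9.db`/`key4.db` handling or CA import appears here. Either drop the first sentence or point to where that happens (`# cert/key DBs are populated by the debian-edu.default profile skeleton, not here`), so a reader does not assume the Debian Edu CA is trusted by Thunderbird because of this file.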
diff --git a/cf3/cf.xrdp b/cf3/cf.xrdp
new file mode 100644
index 0000000..975a5b0
--- /dev/null
+++ b/cf3/cf.xrdp
@@ -0,0 +1,18 @@
+bundle agent xrdp
+{
+# Enable trusted TLS use; overwrite default cert and key for this to work.
+# On the server, configuring xrdp to actually use TLS is needed; on clients,
+# the 'debian-edu-server.crt' certificate has to be imported as trusted CA one.
+
+files:
+
+ debian.server.ltspserver.installation::
+
+ "/etc/xrdp/cert.pem"
+ link_from => ln_s("/etc/ssl/certs/debian-edu-server.crt"),
+ move_obstructions => "true";
+ "/etc/xrdp/key.pem"
+ link_from => ln_s("/etc/ssl/private/debian-edu-server.key"),
+ move_obstructions => "true";
+}
+
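Review bot: The bundle comment itself says that on the server "configuring xrdp to actually use TLS is needed", and this change does not do it: it swaps in the certificate and key but leaves `security_layer` in `/etc/xrdp/xrdp.ini` untouched, so clients may still negotiate standard RDP security and the new key goes unused. If xrdp.ini is handled elsewhere, say where; otherwise an `edit_line` promise forcing `security_layer=tls` (with a current `tls_ciphers`/`ssl_protocols` setting) belongs next to these links. On Debian the xrdp daemon reads the key as its own unprivileged user, so the link into `/etc/ssl/private` also depends on that user being able to open `debian-edu-server.key` — worth asserting with a `perms` promise on the key rather than assuming the packaging arranged it.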
diff --git a/cf3/edu.cf b/cf3/edu.cf
new file mode 100644
index 0000000..aa1c8fe
--- /dev/null
+++ b/cf3/edu.cf
@@ -0,0 +1,33 @@
+bundle common edu
+#
+# This common bundle defines global Debian Edu vars and classes.
+# If vars are used in bundles of type agent they must be prepended with 'edu',
+# for example 'edu.ldapbase' to be available.
+#
+# Author: Wolfgang Schweer <wschweer at arcor.de>, Dec. 2017
+
+{
+
+ vars:
+
+ "ltsp_arch" string => execresult("/usr/bin/ltsp-arch-debian-edu", "noshell");
+ "ldapserver" string => execresult("/usr/bin/debian-edu-ldapserver -f", "noshell");
+ "ldapbase" string => execresult("/usr/bin/debian-edu-ldapserver -b -f", "noshell");
+ "syslogserver" string => execresult("/usr/share/debian-edu-config/tools/locate-syslog-collector", "noshell");
+
+ classes:
+
+ "server" expression => returnszero("/bin/grep 'Main-Server' /etc/debian-edu/config","noshell");
+ "ltspserver" expression => fileexists("/usr/sbin/ltsp-build-client");
+ "workstation" and => { fileexists("/etc/desktop-profiles/debian-edu-menus.listing"), fileexists("/usr/bin/ntpq") };
+ "roaming" expression => returnszero("/bin/grep 'Roaming-Workstation' /etc/debian-edu/config","noshell");
+ "standalone" expression => not( fileexists("/usr/bin/ntpq") );
+ "ltspclient" expression => fileexists("/usr/bin/getltscfg");
+ "installation" expression => fileexists("/sbin/start-stop-daemon.REAL");
+ "testinstall" expression => returnszero("/bin/grep 'TESTINSTALL=\"true\"' /etc/debian-edu/config","noshell");
+ # Set if the internet is reachable for downloading files.
+ "internet" expression => returnszero("/usr/bin/wget -qO /dev/null http://deb.debian.org/debian/README","noshell");
+ # Set if atomic partioning has been used (everything on one partion, w/ or w/o lvm).
+ "atomic" expression => returnszero("/usr/bin/namei -mol /skole | /bin/grep T", "useshell");
+}
+
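Review bot: The profile classes `server` and `roaming` come from an unanchored `grep 'Main-Server'` / `grep 'Roaming-Workstation'` over `/etc/debian-edu/config`, so any line containing the word — a comment, or a value listing several profiles — sets the class, and `server` is what turns on NFS exports, DHCP, the syslog collector and the LDAP server in the other bundles. If the file uses `PROFILE=` lines (its format is not visible from here), anchor the match: `/bin/grep -q '^PROFILE=.*Main-Server' /etc/debian-edu/config`. The `atomic` class is similarly fragile: `namei -mol /skole | /bin/grep T` matches a capital `T` anywhere in namei's output, including owner and group names, so a comment should say which field the `T` is expected in or the pattern should select that field explicitly.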
diff --git a/cf3/promises.cf b/cf3/promises.cf
new file mode 100644
index 0000000..56367bb
--- /dev/null
+++ b/cf3/promises.cf
@@ -0,0 +1,237 @@
+###############################################################################
+#
+# promises.cf - Basic Policy for CFEngine (adjusted for Debian Edu)
+# Author: Wolfgang Schweer <wschweer at arcor.de>, Dec. 2017.
+#
+###############################################################################
+
+body server control
+# Debian Edu specific
+{
+ allowconnects => { "10.0.0.0.0/8" };
+ allowallconnects => { "10.0.0.0.0/8" };
+ trustkeysfrom => { "10.0.0.0.0/8" };
+ maxconnections => "15";
+ denybadclocks => "false";
+ allowusers => { "root" };
+ cfruncommand => "/usr/sbin/cf-agent";
+}
+
+body common control
+# Please note that order matters (in bundlesequence).
+# The Cfengine2 concepts 'actionsequence' and 'passes' (like secondpass)
+# are gone; this bundlesequence with cf.finalize added as last one is sort of
+# an equivalent. All bundles are passed up to three times. If convergence isn't
+# successful (like edits), no change is done for this item, the outcome is
+# logged. After installation see /var/log/installer/cfengine-edu-install.log.
+{
+
+ bundlesequence => {
+ edu,
+ permission_homes,
+ editline_homes,
+ editline_bind,
+ editline_ntp,
+ editline_squid,
+ editline_ldapserver,
+ editline_ldapclient,
+ editline_syslog,
+ adduser,
+ apache2,
+ bind,
+ homes,
+ firefox,
+ thunderbird,
+ chromium,
+ samba,
+ cups,
+ dhcpserver,
+ exim,
+ grub,
+ imap,
+ inetd,
+ krb5client,
+ ldapserver,
+ pki,
+ ldapclient,
+ ldapserver,
+ ntp,
+ squid,
+ syslog,
+ xrdp,
+ pxeinstall,
+ finalize,
+ };
+
+ inputs => {
+ "services/main.cf",
+ "debian-edu/edu.cf",
+ "lib/stdlib.cf",
+ "lib/common.cf",
+ "lib/commands.cf",
+ "lib/files.cf",
+ "debian-edu/cf.adduser",
+ "debian-edu/cf.apache2",
+ "debian-edu/cf.bind",
+ "debian-edu/cf.chromium",
+ "debian-edu/cf.cups",
+ "debian-edu/cf.samba",
+ "debian-edu/cf.dhcpserver",
+ "debian-edu/cf.exim",
+ "debian-edu/cf.firefox-esr",
+ "debian-edu/cf.finalize",
+ "debian-edu/cf.grub",
+ "debian-edu/cf.homes",
+ "debian-edu/cf.imap",
+ "debian-edu/cf.inetd",
+ "debian-edu/cf.krb5client",
+ "debian-edu/cf.ldapserver",
+ "debian-edu/cf.ldapclient",
+ "debian-edu/cf.ntp",
+ "debian-edu/cf.pki",
+ "debian-edu/cf.pxeinstall",
+ "debian-edu/cf.squid",
+ "debian-edu/cf.syslog",
+ "debian-edu/cf.thunderbird",
+ "debian-edu/cf.xrdp",
+ };
+
+ version => "CFEngine Promises.cf 3.10.2";
+
+}
+
+bundle common cfe_internal_inputs
+# @brief Include internal self management policies
+{
+ vars:
+ any::
+
+ "input[cfe_internal_management]"
+ string => "cfe_internal/CFE_cfengine.cf",
+ comment => "This policy activates internal management policies
+ for both core and enterprise";
+
+ "input[core_main]"
+ string => "cfe_internal/core/main.cf",
+ comment => "This policy activates other core policies";
+
+ "input[core_limit_robot_agents]"
+ string => "cfe_internal/core/limit_robot_agents.cf",
+ comment => "The policy here ensures that we don't have too many
+ cf-monitord or cf-execd processes";
+
+ "input[core_log_rotation]"
+ string => "cfe_internal/core/log_rotation.cf",
+ comment => "This policy ensures that various cfengine log files
+ do not grow without bound and fill up the disk";
+
+ "input[core_host_info_report]"
+ string => "cfe_internal/core/host_info_report.cf",
+ comment => "This policy produces a text based host info report
+ and serves as a functional example of using mustache templates";
+
+ "input[cfengine_internal_core_watchdog]"
+ string => "cfe_internal/core/watchdog/watchdog.cf",
+ comment => "This policy configures external watchdogs to ensure that
+ cf-execd is always running.";
+
+ any::
+ "inputs" slist => getvalues("input");
+}
+
+bundle common cfengine_stdlib
+# @brief Include the standard library
+{
+ vars:
+ !cfengine_3_7::
+ # CFEngine 3.6 can include through a secondary file
+ # CFEngine version 3.6 and prior use the split library to avoid syntax
+ # errors introduced by new functionality. For example new functions.
+ # This also works for 3.8 because local_libdir should be set to lib
+ # instead of lib/3.8
+ "inputs" slist => { "$(sys.local_libdir)/stdlib.cf" };
+
+ cfengine_3_7::
+ # CFEngine 3.7 has local_libdir set to $(sys.inputdir)/lib/3.7, but with
+ # the @if macro support we can re-unify the split library for 3.7+ so we
+ # specify the unified lib relative to local_libdir.
+ "inputs" slist => { "$(sys.local_libdir)/../stdlib.cf" };
+
+
+ reports:
+ verbose_mode::
+ "$(this.bundle): defining inputs='$(inputs)'";
+}
+
+bundle common cfengine_controls
+# @brief Include various agent control policies
+{
+ vars:
+ # 3.7+ uses the re-unified controls
+ cfengine_3_6::
+ "def_inputs"
+ slist => {
+ "controls/$(sys.cf_version_major).$(sys.cf_version_minor)/def.cf",
+ "controls/$(sys.cf_version_major).$(sys.cf_version_minor)/def_inputs.cf",
+ },
+ comment => "We strictly order the def inputs because they should be parsed first";
+
+ "input[cf_agent]"
+ string => "controls/$(sys.cf_version_major).$(sys.cf_version_minor)/cf_agent.cf",
+ comment => "Agent control options";
+
+ "input[cf_execd]"
+ string => "controls/$(sys.cf_version_major).$(sys.cf_version_minor)/cf_execd.cf",
+ comment => "Executor (scheduler) control options";
+
+ "input[cf_monitord]"
+ string => "controls/$(sys.cf_version_major).$(sys.cf_version_minor)/cf_monitord.cf",
+ comment => "Monitor/Measurement control options";
+
+ "input[cf_serverd]"
+ string => "controls/$(sys.cf_version_major).$(sys.cf_version_minor)/cf_serverd.cf",
+ comment => "Server control options";
+
+ "input[cf_runagent]"
+ string => "controls/$(sys.cf_version_major).$(sys.cf_version_minor)/cf_runagent.cf",
+ comment => "Runagent (remote activation request) control options";
+
+ # 3.7+ uses the re-unified controls
+ !cfengine_3_6::
+ "def_inputs"
+ slist => {
+ "controls/def.cf",
+ "controls/def_inputs.cf",
+ },
+ comment => "We strictly order the def inputs because they should be parsed first";
+
+ "input[cf_agent]"
+ string => "controls/cf_agent.cf",
+ comment => "Agent control options";
+
+ "input[cf_execd]"
+ string => "controls/cf_execd.cf",
+ comment => "Executor (scheduler) control options";
+
+ "input[cf_monitord]"
+ string => "controls/cf_monitord.cf",
+ comment => "Monitor/Measurement control options";
+
+ "input[cf_serverd]"
+ string => "controls/cf_serverd.cf",
+ comment => "Server control options";
+
+ "input[cf_runagent]"
+ string => "controls/cf_runagent.cf",
+ comment => "Runagent (remote activation request) control options";
+
+ any::
+
+ "inputs" slist => getvalues(input);
+
+ reports:
+ DEBUG|DEBUG_cfengine_controls::
+ "DEBUG $(this.bundle)";
+ "$(const.t)defining inputs='$(inputs)'";
+}
+
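Review bot: The three network lists in `body server control` use `"10.0.0.0.0/8"`, five octets, which is not a valid address or prefix; depending on how cf-serverd parses it this either fails to load or matches nothing, so `allowconnects`, `allowallconnects` and `trustkeysfrom` are silently not what is intended — it should be `"10.0.0.0/8"`. Even corrected, `trustkeysfrom` over the whole /8 permanently auto-accepts the key of any host on the LAN, so a rogue machine can establish itself as a trusted cf-runagent client (`allowusers => { "root" }`, `cfruncommand => "/usr/sbin/cf-agent"`) without any enrolment step; the usual practice is to enable `trustkeysfrom` only while bootstrapping and then narrow it to known hosts, or to distribute keys through the installer. In `bundlesequence`, `ldapserver` is listed twice (between `krb5client` and `pki`, and again after `ldapclient`) and `homes` is an empty bundle; CFEngine's promise locking will normally suppress the repeat within `ifelapsed`, but if the second run is deliberate for ordering the comment should say so, otherwise drop it.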
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/debian-edu/debian-edu-config.git
More information about the debian-edu-commits
mailing list