Puppet Class: profile::toolforge::base

Defined in:
modules/profile/manifests/toolforge/base.pp

Overview

Parameters:

  • active_mail_relay (Stdlib::Fqdn) (defaults to: lookup('profile::toolforge::active_mail_relay'))
  • is_mail_relay (Boolean) (defaults to: lookup('profile::toolforge::is_mail_relay', {default_value => false}))
  • mail_domain (Stdlib::Fqdn) (defaults to: lookup('profile::toolforge::mail_domain', {default_value => 'toolforge.org'})) 


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
 
# File 'modules/profile/manifests/toolforge/base.pp', line 1

class profile::toolforge::base(
    Stdlib::Fqdn $active_mail_relay = lookup('profile::toolforge::active_mail_relay'),
    Boolean      $is_mail_relay     = lookup('profile::toolforge::is_mail_relay', {default_value => false}),
    Stdlib::Fqdn $mail_domain       = lookup('profile::toolforge::mail_domain', {default_value => 'toolforge.org'}),
){
    # T292289
    class { 'sslcert::ca_deselect_dstx3': }

    package { 'nano':
        ensure => latest,
    }

    alternatives::select { 'editor':
        path => '/bin/nano',
    }

    file { '/root/.bashrc':
        ensure => file,
        source => 'puppet:///modules/profile/toolforge/rootrc',
        owner  => 'root',
        group  => 'root',
        mode   => '0750',
    }

    # Users can choose their shell accounts names freely, and some
    # choose ones that can be misleading to third parties inter alia
    # when they are used to send and receive mail at
    # "$user@tools.wmflabs.org".  The most common ones are already
    # addressed by the default system aliases for "abuse",
    # "postmaster", "webmaster", etc., so we only have to add aliases
    # here that have not been standardized per se, but still bear a
    # high risk of mimicry.
    mailalias { [ 'admin', 'administrator' ]:
        ensure    => present,
        recipient => 'root',
    }

    # By default, Cloud VPS projects have a sudoers policy in LDAP that
    # grants all project members the ability to sudo as root. We can't
    # use that as we only want admins to have unrestricted sudo powers,
    # and we don't want to manually maintain a sudo policy via Horizon
    # with everyone included. Therefore we provision that sudo policy
    # via here, as we can reference groups (like the Toolforge admin
    # group) this way.
    sudo::group { 'toolforge-admin-root':
        group      => "${::wmcs_project}.admin",
        privileges => ['ALL = (ALL) NOPASSWD: ALL'],
    }

    if !$is_mail_relay {
        class { '::exim4':
            queuerunner => 'combined',
            config      => template('profile/toolforge/route-to-mail-relay.exim4.conf.erb'),
            variant     => 'light',
        }
    }

    # Silence e-mails sent when regular users try to sudo (T95882)
    file { '/etc/sudoers.d/40-tools-sudoers-no-warning':
        ensure => file,
        mode   => '0440',
        owner  => 'root',
        group  => 'root',
        source => 'puppet:///modules/profile/toolforge/40-tools-sudoers-no-warning',
    }

    file { '/etc/security/limits.d/50-no-bigfiles.conf':
        ensure => file,
        mode   => '0444',
        owner  => 'root',
        group  => 'root',
        source => 'puppet:///modules/profile/toolforge/50-no-bigfiles.conf',
    }

    file { '/usr/local/bin/log-command-invocation':
        ensure => present,
        owner  => 'root',
        group  => 'root',
        mode   => '0555',
        source => 'puppet:///modules/profile/toolforge/log-command-invocation',
    }
}