From 5239846956644f27d1619ce43b742034925d3ebc Mon Sep 17 00:00:00 2001 From: Julien Dessaux Date: Fri, 25 Aug 2017 17:21:05 +0200 Subject: Changed policies organisation to use methods --- services/applications.cf | 8 ++++++ services/applications/bareos_fd.cf | 38 +++++++++++++++++++++++++++ services/applications/check_mk.cf | 43 +++++++++++++++++++++++++++++++ services/applications/fcgiwrap.cf | 8 ++++++ services/applications/sshd.cf | 33 ++++++++++++++++++++++++ services/bareos_fd.cf | 34 ------------------------ services/check_mk.cf | 40 ---------------------------- services/common.cf | 38 +++++++++++++-------------- services/debian.cf | 53 -------------------------------------- services/freebsd.cf | 24 ----------------- services/julien.cf | 5 ++-- services/main.cf | 16 +++--------- services/os.cf | 22 ++++++++++++++++ services/os/debian.cf | 53 ++++++++++++++++++++++++++++++++++++++ services/os/freebsd.cf | 24 +++++++++++++++++ services/os/ubuntu.cf | 53 ++++++++++++++++++++++++++++++++++++++ services/specific.cf | 12 --------- services/sshd.cf | 33 ------------------------ services/ubuntu.cf | 53 -------------------------------------- 19 files changed, 307 insertions(+), 283 deletions(-) create mode 100644 services/applications.cf create mode 100644 services/applications/bareos_fd.cf create mode 100644 services/applications/check_mk.cf create mode 100644 services/applications/fcgiwrap.cf create mode 100644 services/applications/sshd.cf delete mode 100644 services/bareos_fd.cf delete mode 100644 services/check_mk.cf delete mode 100644 services/debian.cf delete mode 100644 services/freebsd.cf create mode 100644 services/os.cf create mode 100644 services/os/debian.cf create mode 100644 services/os/freebsd.cf create mode 100644 services/os/ubuntu.cf delete mode 100644 services/specific.cf delete mode 100644 services/sshd.cf delete mode 100644 services/ubuntu.cf (limited to 'services') 
diff --git a/services/applications.cf b/services/applications.cf
new file mode 100644
index 0000000..07ac9e0
--- /dev/null
+++ b/services/applications.cf
@@ -0,0 +1,8 @@
+body file control
+{
+ inputs => {
+ "services/applications/bareos_fd.cf",
+ "services/applications/check_mk.cf",
+ "services/applications/sshd.cf",
+ };
+}
diff --git a/services/applications/bareos_fd.cf b/services/applications/bareos_fd.cf
new file mode 100644
index 0000000..3b16a91
--- /dev/null
+++ b/services/applications/bareos_fd.cf
@@ -0,0 +1,38 @@
+bundle agent bareos_fd
+{
+ vars:
+ freebsd::
+ "packages" slist => {
+ "bareos-client",
+ };
+ "rc_conf_lines" slist => {
+ "bareos_fd_enable=\"YES\"",
+ "bareos_fd_config=\"/usr/local/etc/bareos/\"",
+ };
+ !freebsd::
+ "packages" slist => {};
+ classes:
+ freebsd::
+ "bareos_fd_service_running" expression => returnszero("/usr/sbin/service bareos-fd status", "noshell");
+ methods:
+ freebsd::
+ "any" usebundle => install_package("$(bareos_fd.packages)");
+ "any" usebundle => add_rc_conf_line("$(bareos_fd.rc_conf_lines)");
+ files:
+ freebsd::
+ "/usr/local/etc/bareos/bareos-fd.d/client/myself.conf"
+ edit_defaults => std_defs,
+ perms => system_owned("444"),
+ edit_line => replace_line_end("Name =", "$(sys.host)-fd"),
+ classes => if_repaired("bareos_client_file_repaired");
+ commands:
+ freebsd.!bareos_fd_service_running::
+ "/usr/sbin/service bareos-fd start" classes => if_repaired("bareos_fd_service_repaired");
+ freebsd.bareos_client_file_repaired::
+ "/usr/sbin/service bareos-fd restart" classes => if_repaired("bareos_fd_service_restarted");
+ reports:
+ any::
+ "$(this.bundle): /usr/local/etc/bareos/bareos-fd.d/client/myself.conf repaired" ifvarclass => "bareos_client_file_repaired";
+ "$(this.bundle): bareos-fd service repaired" ifvarclass => "bareos_fd_service_repaired";
+ "$(this.bundle): bareos-fd service restarted" ifvarclass => "bareos_fd_service_restarted";
+}
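Review bot: The `inputs` list in services/applications.cf names bareos_fd.cf, check_mk.cf and sshd.cf but not `services/applications/fcgiwrap.cf`, which this same commit adds, so that file is never loaded unless something outside this patch includes it. If it is meant to be active, add `"services/applications/fcgiwrap.cf",` to the list. Note also that `bundle common fcgiwrap` only defines a `packages` list, and nothing visible in this patch passes that list to `install_package`.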
diff --git a/services/applications/check_mk.cf b/services/applications/check_mk.cf
new file mode 100644
index 0000000..0731eaa
--- /dev/null
+++ b/services/applications/check_mk.cf
@@ -0,0 +1,43 @@
+bundle agent check_mk
+{
+ vars:
+ freebsd::
+ "rc_conf_lines" slist => {
+ "inetd_enable=\"YES\"",
+ "inetd_flags=\"-wW\"",
+ };
+ files:
+ freebsd::
+ "/etc/services"
+ edit_defaults => std_defs,
+ perms => system_owned("444"),
+ edit_line => append_if_no_line("check_mk_agent 6556/tcp"),
+ classes => if_repaired("check_mk_services_file_repaired");
+ "/etc/inetd.conf"
+ edit_defaults => std_defs,
+ perms => system_owned("444"),
+ edit_line => append_if_no_line("check_mk_agent stream tcp nowait root /usr/local/bin/check_mk_agent check_mk_agent"),
+ classes => if_repaired("check_mk_inetd_conf_file_repaired");
+ "/usr/local/bin/check_mk_agent"
+ perms => system_owned("555"),
+ copy_from => local_cp("$(sys.inputdir)/templates/check_mk/check_mk_agent.freebsd"),
+ classes => if_repaired("check_mk_agent_repaired");
+ classes:
+ freebsd::
+ "inetd_service_running" expression => returnszero("/usr/sbin/service inetd status", "noshell");
+ methods:
+ freebsd::
+ "any" usebundle => add_rc_conf_line("$(check_mk.rc_conf_lines)");
+ commands:
+ freebsd.!inetd_service_running::
+ "/usr/sbin/service inetd start" classes => if_repaired("inet_service_repaired");
+ freebsd.check_mk_inetd_conf_file_repaired::
+ "/usr/sbin/service inetd restart" classes => if_repaired("inetd_service_restarted");
+ reports:
+ any::
+ "$(this.bundle): /etc/services repaired" ifvarclass => "check_mk_services_file_repaired";
+ "$(this.bundle): /etc/inetd.conf repaired" ifvarclass => "check_mk_inetd_conf_file_repaired";
+ "$(this.bundle): /usr/local/bin/check_mk_agent repaired" ifvarclass => "check_mk_agent_repaired";
+ "$(this.bundle): inetd service repaired" ifvarclass => "inetd_service_repaired";
+ "$(this.bundle): inetd service restarted" ifvarclass => "inetd_service_restarted";
+}
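Review bot: The `/etc/inetd.conf` line runs `check_mk_agent` as root on 6556/tcp, and nothing in this bundle limits which hosts may connect to it. `inetd_flags="-wW"` turns on TCP wrappers for inetd, but no `/etc/hosts.allow` promise is visible in this patch, so access depends on whatever that file already contains. Consider managing an entry that admits only the monitoring server, or confirm it is handled elsewhere. Separately, the `service inetd start` promise sets `inet_service_repaired` while the report waits on `inetd_service_repaired`, so a start is never reported; use `if_repaired("inetd_service_repaired")`.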
diff --git a/services/applications/fcgiwrap.cf b/services/applications/fcgiwrap.cf
new file mode 100644
index 0000000..af2e8f8
--- /dev/null
+++ b/services/applications/fcgiwrap.cf
@@ -0,0 +1,8 @@
+bundle common fcgiwrap
+{
+ vars:
+ use_fcgiwrap::
+ "packages" slist => {
+ "fcgiwrap",
+ };
+}
diff --git a/services/applications/sshd.cf b/services/applications/sshd.cf
new file mode 100644
index 0000000..da602a1
--- /dev/null
+++ b/services/applications/sshd.cf
@@ -0,0 +1,33 @@
+bundle agent sshd
+{
+ files:
+ freebsd::
+ "/etc/rc.conf"
+ create => "true",
+ edit_defaults => std_defs,
+ perms => system_owned("444"),
+ edit_line => append_if_no_line("sshd_enable=\"YES\""),
+ classes => if_repaired("sshd_rc_conf_file_repaired");
+ "/root/.ssh/."
+ create => "true",
+ perms => system_owned("700"),
+ classes => if_repaired("sshd_ssh_dir_repaired");
+ "/root/.ssh/authorized_keys"
+ create => "true",
+ edit_defaults => empty,
+ perms => system_owned("444"),
+ edit_template => "$(sys.inputdir)/templates/sshd/authorized_keys",
+ classes => if_repaired("sshd_authorized_keys_files_repaired");
+ classes:
+ freebsd::
+ "sshd_service_running" expression => returnszero("/usr/sbin/service sshd status", "noshell");
+ commands:
+ freebsd.!sshd_service_running::
+ "/usr/sbin/service sshd start" classes => if_repaired("sshd_service_repaired");
+ reports:
+ any::
+ "$(this.bundle): /etc/rc.conf repaired" ifvarclass => "sshd_rc_conf_file_repaired";
+ "$(this.bundle): /root/.ssh directory repaired" ifvarclass => "sshd_ssh_dir_repaired";
+ "$(this.bundle): /root/.ssh/authorized_keys repaired" ifvarclass => "sshd_rc_conf_file_repaired";
+ "$(this.bundle): sshd service repaired" ifvarclass => "sshd_service_repaired";
+}
diff --git a/services/bareos_fd.cf b/services/bareos_fd.cf
deleted file mode 100644
index 457655d..0000000
--- a/services/bareos_fd.cf
+++ /dev/null
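Review bot: In services/applications/sshd.cf the report for `/root/.ssh/authorized_keys` is keyed to `sshd_rc_conf_file_repaired`, not to the class its files promise sets, so a rewrite of root's authorized keys is never reported and an rc.conf edit is reported as a key change. Change that report line to `ifvarclass => "sshd_authorized_keys_files_repaired";`. The content is carried over unchanged from the deleted services/sshd.cf, so the mismatch predates this commit. Because this file decides who can log in as root, an accurate change report on it is worth having.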
@@ -1,34 +0,0 @@
-bundle agent bareos_fd
-{
- vars:
- freebsd::
- "packages" slist => {
- "bareos-client",
- };
- "rc_conf_lines" slist => {
- "bareos_fd_enable=\"YES\"",
- "bareos_fd_config=\"/usr/local/etc/bareos/\"",
- };
- !freebsd::
- "packages" slist => {};
- classes:
- freebsd::
- "bareos_fd_service_running" expression => returnszero("/usr/sbin/service bareos-fd status", "noshell");
- files:
- freebsd::
- "/usr/local/etc/bareos/bareos-fd.d/client/myself.conf"
- edit_defaults => std_defs,
- perms => system_owned("444"),
- edit_line => replace_line_end("Name =", "$(sys.host)-fd"),
- classes => if_repaired("bareos_client_file_repaired");
- commands:
- freebsd.!bareos_fd_service_running::
- "/usr/sbin/service bareos-fd start" classes => if_repaired("bareos_fd_service_repaired");
- freebsd.bareos_client_file_repaired::
- "/usr/sbin/service bareos-fd restart" classes => if_repaired("bareos_fd_service_restarted");
- reports:
- any::
- "$(this.bundle): /usr/local/etc/bareos/bareos-fd.d/client/myself.conf repaired" ifvarclass => "bareos_client_file_repaired";
- "$(this.bundle): bareos-fd service repaired" ifvarclass => "bareos_fd_service_repaired";
- "$(this.bundle): bareos-fd service restarted" ifvarclass => "bareos_fd_service_restarted";
-}
diff --git a/services/check_mk.cf b/services/check_mk.cf
deleted file mode 100644
index fef8549..0000000
--- a/services/check_mk.cf
+++ /dev/null
@@ -1,40 +0,0 @@
-bundle agent check_mk
-{
- vars:
- freebsd::
- "rc_conf_lines" slist => {
- "inetd_enable=\"YES\"",
- "inetd_flags=\"-wW\"",
- };
- files:
- freebsd::
- "/etc/services"
- edit_defaults => std_defs,
- perms => system_owned("444"),
- edit_line => append_if_no_line("check_mk_agent 6556/tcp"),
- classes => if_repaired("check_mk_services_file_repaired");
- "/etc/inetd.conf"
- edit_defaults => std_defs,
- perms => system_owned("444"),
- edit_line => append_if_no_line("check_mk_agent stream tcp nowait root /usr/local/bin/check_mk_agent check_mk_agent"),
- classes => if_repaired("check_mk_inetd_conf_file_repaired");
- "/usr/local/bin/check_mk_agent"
- perms => system_owned("555"),
- copy_from => local_cp("$(sys.inputdir)/templates/check_mk/check_mk_agent.freebsd"),
- classes => if_repaired("check_mk_agent_repaired");
- classes:
- freebsd::
- "inetd_service_running" expression => returnszero("/usr/sbin/service inetd status", "noshell");
- commands:
- freebsd.!inetd_service_running::
- "/usr/sbin/service inetd start" classes => if_repaired("inet_service_repaired");
- freebsd.check_mk_inetd_conf_file_repaired::
- "/usr/sbin/service inetd restart" classes => if_repaired("inetd_service_restarted");
- reports:
- any::
- "$(this.bundle): /etc/services repaired" ifvarclass => "check_mk_services_file_repaired";
- "$(this.bundle): /etc/inetd.conf repaired" ifvarclass => "check_mk_inetd_conf_file_repaired";
- "$(this.bundle): /usr/local/bin/check_mk_agent repaired" ifvarclass => "check_mk_agent_repaired";
- "$(this.bundle): inetd service repaired" ifvarclass => "inetd_service_repaired";
- "$(this.bundle): inetd service restarted" ifvarclass => "inetd_service_restarted";
-}
diff --git a/services/common.cf b/services/common.cf
index 7cb92d5..b5e7b75 100644
--- a/services/common.cf
+++ b/services/common.cf
@@ -1,13 +1,5 @@ bundle agent common { - vars: - any:: - "packages" slist => { - @(flavour.packages), - @(julien.packages), - @(bareos_fd.packages), - @(specific.packages), - }; files: any:: "/etc/hosts" @@ -15,21 +7,9 @@ bundle agent common perms => system_owned("444"), edit_template => "$(sys.inputdir)/templates/common/hosts", classes => if_repaired("common_hosts_files_repaired"); - packages: - debian|ubuntu:: - "$(packages)" - policy => "present", - package_module => apt_get, - classes => if_repaired("common_packages_$(packages)_add_repaired"); - freebsd:: - "$(packages)" - policy => "present", - package_module => pkg, - classes => if_repaired("common_packages_$(packages)_add_repaired"); reports: any:: "$(this.bundle): /etc/hosts repaired" ifvarclass => "common_hosts_files_repaired"; - "$(this.bundle): $(packages) installed" ifvarclass => "common_packages_$(packages)_add_repaired"; } bundle agent home_skel(user) @@ -45,3 +25,21 @@ bundle agent home_skel(user) any:: "$(this.bundle): /home/$(user) initialized" ifvarclass => "home_skel_$(user)_repaired"; } + +bundle agent install_package(package) +{ + packages: + debian|ubuntu:: + "$(package)" + policy => "present", + package_module => apt_get, + classes => if_repaired("common_package_$(package)_add_repaired"); + freebsd:: + "$(package)" + policy => "present", + package_module => pkg, + classes => if_repaired("common_package_$(package)_add_repaired"); + reports: + any:: + "$(this.bundle): $(package) installed" ifvarclass => "common_package_$(package)_add_repaired"; +} diff --git a/services/debian.cf b/services/debian.cf deleted file mode 100644 index 920816b..0000000 --- a/services/debian.cf +++ /dev/null 
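Review bot: In the new `install_package` bundle, the report's `ifvarclass => "common_package_$(package)_add_repaired"` uses the raw package name, while classes set through `if_repaired` are canonified. For names such as `bridge-utils` or `check-mk-agent` the report condition therefore probably never matches, which should be confirmed on the CFEngine version in use. Wrapping the expression keeps the two in step: `ifvarclass => canonify("common_package_$(package)_add_repaired");`. The `packages` list removed from `bundle agent common` also pulled in `@(specific.packages)`; with services/specific.cf deleted, nothing visible in this patch installs `git-annex` and `gitolite3` on `git_lxd` hosts any more, so confirm that is intended.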
@@ -1,53 +0,0 @@ -bundle common flavour -{ - vars: - debian:: - "packages" slist => { - "at", - "bridge-utils", - "check-mk-agent", - "curl", - "dstat", - "git", - "htop", - "iptables", - "mailutils", - "ncdu", - "socat", - "tig", - "tmux", - "tree", - "vim", - "wget", - }; - debian&!containers:: - "packages" slist => { - @(packages), - "ethtool", - "iptstate", - "ipvsadm", - "lvm2", - "mosh", - "nmap", - "ntpdate", - "openntpd", - "openssh-server", - "needrestart", - }; - debian&console_julien:: - "packages" slist => { - @(packages), - "apt-file", - "asciidoc", - "build-essential", - "cgdb", - "cmake", - "gpa", - "pass", - "pwgen", - "sipcalc", - "valgrind", - "weechat", - "whois", - }; -} diff --git a/services/freebsd.cf b/services/freebsd.cf deleted file mode 100644 index c83e08f..0000000 --- a/services/freebsd.cf +++ /dev/null @@ -1,24 +0,0 @@ -bundle agent flavour -{ - vars: - freebsd:: - "packages" slist => { - "bash", - "ncdu", - }; - "rc_conf_lines" slist => { - @(bareos_fd.rc_conf_lines), - @(check_mk.rc_conf_lines), - }; - files: - freebsd:: - "/etc/rc.conf" - create => "true", - edit_defaults => std_defs, - perms => system_owned("444"), - edit_line => append_if_no_line("$(rc_conf_lines)"), - classes => if_repaired("freebsd_rc_conf_file_repaired"); - reports: - any:: - "$(this.bundle): /etc/rc.conf repaired" ifvarclass => "freebsd_rc_conf_file_repaired"; -} diff --git a/services/julien.cf b/services/julien.cf index e154a38..bf21323 100644 --- a/services/julien.cf +++ b/services/julien.cf @@ -1,8 +1,6 @@ bundle agent julien { vars: - !console_julien:: - "packages" slist => {}; console_julien.(debian|ubuntu):: "bash_path" string => "/bin/bash"; "group_command" string => "$(paths.groupadd)"; @@ -34,6 +32,9 @@ bundle agent julien console_julien:: "group_julien_absent" not => groupexists("julien"); + methods: + console_julien:: + "any" usebundle => install_package("$(julien.packages)"); commands: group_julien_absent:: "$(group_command)" 
diff --git a/services/main.cf b/services/main.cf index 3bde9b0..e6d7642 100644 --- a/services/main.cf +++ b/services/main.cf @@ -4,26 +4,18 @@ bundle common classify any:: "bundles" slist => { "common", + "os", + "julien", "bareos_fd", "check_mk", - "flavour", - "julien", "sshd", }; "inputs" slist => { "services/common.cf", - "services/$(flavour).cf", - "services/bareos_fd.cf", - "services/check_mk.cf", + "services/applications.cf", + "services/os.cf", "services/julien.cf", - "services/sshd.cf", }; - debian:: - "flavour" string => "debian"; - freebsd:: - "flavour" string => "freebsd"; - ubuntu:: - "flavour" string => "ubuntu"; classes: any:: "containers" or => { diff --git a/services/os.cf b/services/os.cf new file mode 100644 index 0000000..ee8dc65 --- /dev/null +++ b/services/os.cf @@ -0,0 +1,22 @@ +body file control +{ + inputs => { + "services/os/debian.cf", + "services/os/freebsd.cf", + "services/os/ubuntu.cf", + }; +} + +bundle agent os +{ + methods: + debian:: + "any" usebundle => install_package("$(debian.packages)"); + "any" usebundle => debian; + freebsd:: + "any" usebundle => install_package("$(freebsd.packages)"); + "any" usebundle => freebsd; + ubuntu:: + "any" usebundle => install_package("$(ubuntu.packages)"); + "any" usebundle => ubuntu; +} diff --git a/services/os/debian.cf b/services/os/debian.cf new file mode 100644 index 0000000..3d73c2b --- /dev/null +++ b/services/os/debian.cf 
@@ -0,0 +1,53 @@
+bundle common debian
+{
+ vars:
+ debian::
+ "packages" slist => {
+ "at",
+ "bridge-utils",
+ "check-mk-agent",
+ "curl",
+ "dstat",
+ "git",
+ "htop",
+ "iptables",
+ "mailutils",
+ "ncdu",
+ "socat",
+ "tig",
+ "tmux",
+ "tree",
+ "vim",
+ "wget",
+ };
+ debian&!containers::
+ "packages" slist => {
+ @(packages),
+ "ethtool",
+ "iptstate",
+ "ipvsadm",
+ "lvm2",
+ "mosh",
+ "nmap",
+ "ntpdate",
+ "openntpd",
+ "openssh-server",
+ "needrestart",
+ };
+ debian&console_julien::
+ "packages" slist => {
+ @(packages),
+ "apt-file",
+ "asciidoc",
+ "build-essential",
+ "cgdb",
+ "cmake",
+ "gpa",
+ "pass",
+ "pwgen",
+ "sipcalc",
+ "valgrind",
+ "weechat",
+ "whois",
+ };
+}
diff --git a/services/os/freebsd.cf b/services/os/freebsd.cf
new file mode 100644
index 0000000..7c930db
--- /dev/null
+++ b/services/os/freebsd.cf
@@ -0,0 +1,24 @@
+bundle agent freebsd
+{
+ vars:
+ freebsd::
+ "packages" slist => {
+ "bash",
+ "ncdu",
+ };
+}
+
+bundle agent add_rc_conf_line(line)
+{
+ files:
+ freebsd::
+ "/etc/rc.conf"
+ create => "true",
+ edit_defaults => std_defs,
+ perms => system_owned("444"),
+ edit_line => append_if_no_line("$(line)"),
+ classes => if_repaired("freebsd_rc_conf_file_repaired");
+ reports:
+ any::
+ "$(this.bundle): /etc/rc.conf repaired" ifvarclass => "freebsd_rc_conf_file_repaired";
+}
diff --git a/services/os/ubuntu.cf b/services/os/ubuntu.cf
new file mode 100644
index 0000000..58bd2d5
--- /dev/null
+++ b/services/os/ubuntu.cf
@@ -0,0 +1,53 @@
+bundle common ubuntu
+{
+ vars:
+ ubuntu::
+ "packages" slist => {
+ "at",
+ "bridge-utils",
+ "check-mk-agent",
+ "curl",
+ "dstat",
+ "git",
+ "htop",
+ "iptables",
+ "mailutils",
+ "ncdu",
+ "socat",
+ "tig",
+ "tmux",
+ "tree",
+ "vim",
+ "wget",
+ };
+ ubuntu&!containers::
+ "packages" slist => {
+ @(packages),
+ "ethtool",
+ "iptstate",
+ "ipvsadm",
+ "lvm2",
+ "mosh",
+ "nmap",
+ "ntpdate",
+ "openntpd",
+ "openssh-server",
+ "needrestart",
+ };
+ ubuntu&console_julien::
+ "packages" slist => {
+ @(packages),
+ "apt-file",
+ "asciidoc",
+ "build-essential",
+ "cgdb",
+ "cmake",
+ "gpa",
+ "pass",
+ "pwgen",
+ "sipcalc",
+ "valgrind",
+ "weechat",
+ "whois",
+ };
+}
diff --git a/services/specific.cf b/services/specific.cf
deleted file mode 100644
index 0b31a61..0000000
--- a/services/specific.cf
+++ /dev/null
@@ -1,12 +0,0 @@
-bundle common specific
-{
- defaults:
- !git_lxd::
- "packages" slist => {};
- vars:
- git_lxd::
- "packages" slist => {
- "git-annex",
- "gitolite3",
- };
-}
diff --git a/services/sshd.cf b/services/sshd.cf
deleted file mode 100644
index da602a1..0000000
--- a/services/sshd.cf
+++ /dev/null
@@ -1,33 +0,0 @@
-bundle agent sshd
-{
- files:
- freebsd::
- "/etc/rc.conf"
- create => "true",
- edit_defaults => std_defs,
- perms => system_owned("444"),
- edit_line => append_if_no_line("sshd_enable=\"YES\""),
- classes => if_repaired("sshd_rc_conf_file_repaired");
- "/root/.ssh/."
- create => "true",
- perms => system_owned("700"),
- classes => if_repaired("sshd_ssh_dir_repaired");
- "/root/.ssh/authorized_keys"
- create => "true",
- edit_defaults => empty,
- perms => system_owned("444"),
- edit_template => "$(sys.inputdir)/templates/sshd/authorized_keys",
- classes => if_repaired("sshd_authorized_keys_files_repaired");
- classes:
- freebsd::
- "sshd_service_running" expression => returnszero("/usr/sbin/service sshd status", "noshell");
- commands:
- freebsd.!sshd_service_running::
- "/usr/sbin/service sshd start" classes => if_repaired("sshd_service_repaired");
- reports:
- any::
- "$(this.bundle): /etc/rc.conf repaired" ifvarclass => "sshd_rc_conf_file_repaired";
- "$(this.bundle): /root/.ssh directory repaired" ifvarclass => "sshd_ssh_dir_repaired";
- "$(this.bundle): /root/.ssh/authorized_keys repaired" ifvarclass => "sshd_rc_conf_file_repaired";
- "$(this.bundle): sshd service repaired" ifvarclass => "sshd_service_repaired";
-}
diff --git a/services/ubuntu.cf b/services/ubuntu.cf
deleted file mode 100644
index 9b711a3..0000000
--- a/services/ubuntu.cf
+++ /dev/null
@@ -1,53 +0,0 @@ -bundle common flavour -{ - vars: - ubuntu:: - "packages" slist => { - "at", - "bridge-utils", - "check-mk-agent", - "curl", - "dstat", - "git", - "htop", - "iptables", - "mailutils", - "ncdu", - "socat", - "tig", - "tmux", - "tree", - "vim", - "wget", - }; - ubuntu&!containers:: - "packages" slist => { - @(packages), - "ethtool", - "iptstate", - "ipvsadm", - "lvm2", - "mosh", - "nmap", - "ntpdate", - "openntpd", - "openssh-server", - "needrestart", - }; - ubuntu&console_julien:: - "packages" slist => { - @(packages), - "apt-file", - "asciidoc", - "build-essential", - "cgdb", - "cmake", - "gpa", - "pass", - "pwgen", - "sipcalc", - "valgrind", - "weechat", - "whois", - }; -} -- cgit v1.2.3