rtyler
/
infrastructure-puppet
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Adding initial CentOS 6 support

This commit is contained in:
Andrew Bayer 2014-12-09 10:46:30 -08:00
parent d84254956f
commit 49a4d80968
39 changed files with 1052 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
Puppetfile
View File

@ -89,6 +89,10 @@ mod 'ssh',
:git => 'https://github.com/pctony/puppet-ssh.git',
:commit => '042ec53bd282498294e7549a711027f43c61d60'
mod 'stahnma-epel',
:git => 'https://github.com/stahnma/puppet-module-epel',
:tag => 1.0.0'
mod 'stdlib',
:git => 'https://github.com/puppetlabs/puppetlabs-stdlib.git',
:tag => '4.3.2'

195
data/centos/6x.yaml Normal file
View File

@ -0,0 +1,195 @@
---
classes:
- base
- dnsclient
- epel
- orthrus
- postfix::server
- subversionclient
- ulimit
base::basepackages:
- bash
- ca-certificates
- git
- htop
- sockstat
- software-properties-common
- stunnel4
- zsh
base::install::centos::6x::asfinternalrepo: 'http://dl.bintray.com/apache/asf-internal-centos6x'
ldapclient::install::centos::6x::tlscertpath: '/etc/openldap/cacerts/ldap-client.pem'
ldapclient::install::centos::6x::pamhostcheck: 'yes'
ldapclient::ldapclient_packages:
- openldap
- openldap-clients
- nss-pam-ldapd
- pam-devel
ldapclient::ldapclient_remove_packages:
- nscd
ntp::interfaces:
- eth0
- lo
postfix::server::myhostname: "%{::fqdn}"
postfix::server::mydomain: 'apache.org'
postfix::server::mydestination: "%{::fqdn}, localhost.%{::domain}, localhost"
postfix::server::inet_interfaces: 'all'
postfix::server::message_size_limit: '15360000'
postfix::server::relayhost: '[mail.apache.org]:2025'
postfix::server::alias_maps: 'hash:/etc/aliases'
postfix::server::mail_name: "ASF Mail Server at %{::fqdn}"
postfix::server::smtpd_sender_restrictions:
- 'permit_mynetworks'
- 'reject_unknown_sender_domain'
postfix::server::smtpd_recipient_restrictions:
- 'permit_mynetworks'
- 'reject_unauth_destination'
postfix::server::smtpd_tls_key_file: '/etc/ssl/private/wildcard.apache.org.key'
postfix::server::smtpd_tls_cert_file: '/etc/ssl/private/wildcard.apache.org-combined.crt'
postfix::server::ssl: 'wildcard.apache.org'
postfix::server::submission: 'true'
puppet::puppetconf: '/etc/puppet/puppet.conf'
spamassassin::spamassassin_packages:
- spamassassin
subversionclient::packages:
- subversion
subversionclient::svn_conf_config: '/etc/subversion/config'
subversionclient::svn_conf_servers: '/etc/subversion/servers'
build_slaves::distro_packages:
- ant
- apr-devel
- apr-util-devel
- asciidoc
- autoconf
- automake
- bison
- boost-devel
- boost-filesystem
- boost-program-options
- boost-system
- boost-test
- bzip
- bzip-devel
- cabal-install
- cmake
- cppcheck
- cppunit-devel
- curl
- cyrus-sasl-devel
- docker-io
- eclipse-swt
- emacs-nox
- erlang
- erlang-eunit
- flex
- fuse-devel
- gcc
- gcc-c+++
- ghc
- ghc-binary-devel
- ghc-hashable-devel
- ghc-http-devel
- ghc-network-devel
- ghc-unordered-containers-devel
- ghc-vector-devel
- git
- glib2-devel
- golang
- golang-go
- libcurl-devel
- libevent-devel
- libjpeg-turbo-devel
- libstdc++-devel
- libtool
- lua
- lua-devel
- lzo-devel
- mingw32
- mingw32-binutils
- mingw32-runtime
- mingw32-nsis
- mono-devel
- mono-web-devel
- ncurses-devel
- ncurses-libs
- nodejs
- nodejs-devel
- npm
- openssl-devel
- perl-Bit-Vector
- perl-Class-Accessor
- perl-XML-XPath
- php-pear
- php
- php-cli
- php-devel
- pkgconfig
- protobuf-compiler
- python
- python-devel
- python-boto
- python-pip
- python-setuptools
- python-support
- qt-devel
- re2c
- ruby
- ruby-devel
- screen
- sharutils
- sloccount
- snappy-devel
- subversion-devel
- tmux
- unzip
- xorg-x11-server-Xvfb
- zlib-devel
build_slaves::jenkins::jenkins_packages:
- asf-build-apache-ant-1.9.4
- asf-build-apache-forrest-0.9
- asf-build-apache-maven-2.2.1
- asf-build-apache-maven-3.0.4
- asf-build-apache-maven-3.2.1
- asf-build-clover-ant-2.4.3
- asf-build-findbugs-2.0.3
- asf-build-harmony-jdk-713673
- asf-build-ibmjava2-142
- asf-build-ibmjava2-amd64-142
- asf-build-ibm-java2-i386-50
- asf-build-ibm-java2-x86-64-50
- asf-build-ibm-java-i386-60
- asf-build-ibm-java-x86-64-60
- asf-build-ibm-java-x86-64-70
- asf-build-j2sdk1.4.2-19
- asf-build-jdk1.5.0-17-32
- asf-build-jdk1.5.0-17-64
- asf-build-jdk1.5.0-22-32
- asf-build-jdk1.5.0-22-64
- asf-build-jdk1.6.0-11-32
- asf-build-jdk1.6.0-11-64
- asf-build-jdk1.6.0-20-32
- asf-build-jdk1.6.0-20-32-unlimited-security
- asf-build-jdk1.6.0-20-64
- asf-build-jdk1.6.0-27-32
- asf-build-jdk1.6.0-27-64
- asf-build-jdk1.6.0-45-32
- asf-build-jdk1.6.0-45-64
- asf-build-jdk1.7.0-04
- asf-build-jdk1.7.0-25-32
- asf-build-jdk1.7.0-25-64
- asf-build-jdk1.7.0-32
- asf-build-jdk1.7.0-55
- asf-build-jdk1.7.0-64
- asf-build-jdk1.8.0
- asf-build-jira-cli-2.1.0

20
modules/base/manifests/install/centos/6x.pp Normal file
View File

@ -0,0 +1,20 @@
class base::install::centos::6x (
$asfinternalrepo = ""
) {
yumrepo { 'asf_internal':
baseurl => $asfinternalrepo,
enabled => 1,
gpgcheck => 0,
descr => "ASF Internal Yum Repo for CentOS 6"
}
file {
'/usr/local/bin/zsh':
ensure => link,
target => '/usr/bin/zsh';
'/usr/local/bin/bash':
ensure => link,
target => '/bin/bash';
}
}

3
modules/build_slaves/manifests/init.pp
View File

@ -2,6 +2,9 @@ class build_slaves (
$distro_packages = [],
) {
class { "build_slaves::install::${asfosname}::${asfosrelease}":
}
package { $distro_packages:
ensure => installed,
}

14
modules/build_slaves/manifests/install/centos/6x.pp Normal file
View File

@ -0,0 +1,14 @@
class build_slave::install::centos::6x (
$erlangrepo => '',
$erlangrepokey => ''
) {
yumrepo { 'erlang-solutions':
baseurl => $erlangrepo,
enabled => 1,
gpgcheck => 1,
descr => "Erlang Solutions erlang repo",
gpgkey => $erlangrepokey
}
}

4
modules/build_slaves/manifests/install/ubuntu/1404.pp Normal file
View File

@ -0,0 +1,4 @@
class build_slave::install::ubuntu::1404 (
) {
}

1
modules/build_slaves/manifests/jenkins.pp
View File

@ -107,7 +107,6 @@ class build_slaves::jenkins (
}
package { $jenkins_packages:
require => Apt::Source['lxc_docker'],
ensure => installed,
}
}

4
modules/dnsclient/data/centos/6x.yaml Normal file
View File

@ -0,0 +1,4 @@
---
dnsclient::packages:
- 'bind-utils'

15
modules/dovecot/manifests/install/centos/6x.pp Normal file
View File

@ -0,0 +1,15 @@
class dovecot::install::centos::6x (
$ldapservers = hiera('ldapclient::ldapservers'),
)
{
file {
'/etc/dovecot/dovecot.conf':
content => template('dovecot/dovecot.conf.erb');
'/etc/dovecot/dovecot-ldap-userdb.conf.ext':
content => template('dovecot/dovecot-ldap-userdb.conf.ext.erb'),
require => File['/etc/dovecot/dovecot.conf'];
'/etc/dovecot/dovecot-ldap-passdb.conf.ext':
content => template('dovecot/dovecot-ldap-passdb.conf.ext.erb'),
require => File['/etc/dovecot/dovecot.conf'];
}
}

11
modules/ldapclient/data/centos/6x.yaml Normal file
View File

@ -0,0 +1,11 @@
---
ldapclient::ldapclient_packages:
- 'openldap'
- 'openldap-clients'
- 'nss-pam-ldapd'
ldapclient::install::centos::6x::tlscertpath: '/etc/openldap/cacert.pem'
ldapclient::install::centos::6x::pamhostcheck: 'yes'
ldapclient::install::centos::6x:::bashpath: '/bin/bash'

34
modules/ldapclient/manifests/install/centos/6x.pp Normal file
View File

@ -0,0 +1,34 @@
class ldapclient::install::centos::6x (
$ldapcert = '',
$ldapservers = '',
$nssbinddn = '',
$nssbindpasswd = '',
$pamhostcheck = '',
$tlscertpath = '',
) {
file {
'/etc/ldap.conf':
content => template('ldapclient/ldap.conf.erb');
'/etc/openldap/ldap.conf':
ensure => link,
target => '/etc/openldap/ldap.conf',
require => File['/etc/ldap.conf'];
'/etc/nss_ldap.conf':
ensure => link,
target => '/etc/ldap.conf',
require => File['/etc/ldap.conf'];
'/etc/nsswitch.conf':
source => 'puppet:///modules/ldapclient/etc/nsswitch.conf',
require => File['/etc/ldap.conf'];
'/etc/openldap/cacerts':
ensure => directory,
mode => 755;
'/etc/openldap/cacerts/ldap-client.pem':
content => $ldapcert,
require => File['/etc/openldap/cacerts'];
}
}

15
modules/orthrus/manifests/init.pp
View File

@ -17,6 +17,21 @@ class orthrus {
require => Package['orthrus'],
}
}
centos: {
package { 'orthrus':
ensure => present,
require => Yumrepo['asf_internal'],
}
exec { 'setuid-ortpasswd':
command => '/bin/chmod u+s /usr/bin/ortpasswd',
unless => '/usr/bin/test -u /usr/bin/ortpasswd',
onlyif => '/usr/bin/test -f /usr/bin/ortpasswd',
require => Package['orthrus'],
}
}
default: {
}

14
modules/pam/files/centos/6x/accountsservice Normal file
View File

@ -0,0 +1,14 @@
##
## This file is managed by puppet, all local changes will be lost
## during the next puppet run.
##
## Source file: puppet/modules/pam/files/centos/6x/accountsservice
##
#%PAM-1.0
# Must use substack here, so the success of pam_unix will still
# cause our pam_pin to run
password substack common-password
password optional pam_pin.so

17
modules/pam/files/centos/6x/atd Normal file
View File

@ -0,0 +1,17 @@
##
## This file is managed by puppet, all local changes will be lost
## during the next puppet run.
##
## Source file: puppet/modules/pam/files/centos/6x/atd
##
#
# The PAM configuration file for the at daemon
#
@include common-auth
@include common-account
@include common-session-noninteractive
session required pam_limits.so
session required pam_env.so user_readenv=1

24
modules/pam/files/centos/6x/chfn Normal file
View File

@ -0,0 +1,24 @@
##
## This file is managed by puppet, all local changes will be lost
## during the next puppet run.
##
## Source file: puppet/modules/pam/files/centos/6x/chfn
##
#
# The PAM configuration file for the Shadow `chfn' service
#
# This allows root to change user infomation without being
# prompted for a password
auth sufficient pam_rootok.so
# The standard Unix authentication modules, used with
# NIS (man nsswitch) as well as normal /etc/passwd and
# /etc/shadow entries.
@include common-auth
@include common-account
@include common-session

13
modules/pam/files/centos/6x/chpasswd Normal file
View File

@ -0,0 +1,13 @@
##
## This file is managed by puppet, all local changes will be lost
## during the next puppet run.
##
## Source file: puppet/modules/pam/files/centos/6x/chpasswd
##
# The PAM configuration file for the Shadow 'chpasswd' service
#
@include common-password

28
modules/pam/files/centos/6x/chsh Normal file
View File

@ -0,0 +1,28 @@
##
## This file is managed by puppet, all local changes will be lost
## during the next puppet run.
##
## Source file: puppet/modules/pam/files/centos/6x/chsh
##
#
# The PAM configuration file for the Shadow `chsh' service
#
# This will not allow a user to change their shell unless
# their current one is listed in /etc/shells. This keeps
# accounts with special shells from changing them.
auth required pam_shells.so
# This allows root to change user shell without being
# prompted for a password
auth sufficient pam_rootok.so
# The standard Unix authentication modules, used with
# NIS (man nsswitch) as well as normal /etc/passwd and
# /etc/shadow entries.
@include common-auth
@include common-account
@include common-session

34
modules/pam/files/centos/6x/common-account Normal file
View File

@ -0,0 +1,34 @@
##
## This file is managed by puppet, all local changes will be lost
## during the next puppet run.
##
## Source file: puppet/modules/pam/files/centos/6x/common-account
##
#
# /etc/pam.d/common-account - authorization settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authorization modules that define
# the central access policy for use on the system. The default is to
# only deny service to users whose accounts are expired in /etc/shadow.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
#
# here are the per-package modules (the "Primary" block)
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 default=ignore] pam_ldap.so
# here's the fallback if no module succeeds
account requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
account required pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config

35
modules/pam/files/centos/6x/common-auth Normal file
View File

@ -0,0 +1,35 @@
##
## This file is managed by puppet, all local changes will be lost
## during the next puppet run.
##
## Source file: puppet/modules/pam/files/centos/6x/common-auth
##
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
# here are the per-package modules (the "Primary" block)
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_ldap.so use_first_pass
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth optional pam_cap.so
# end of pam-auth-update config

42
modules/pam/files/centos/6x/common-password Normal file
View File

@ -0,0 +1,42 @@
##
## This file is managed by puppet, all local changes will be lost
## during the next puppet run.
##
## Source file: puppet/modules/pam/files/centos/6x/common-password
##
#
# /etc/pam.d/common-password - password-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define the services to be
# used to change user passwords. The default is pam_unix.
# Explanation of pam_unix options:
#
# The "sha512" option enables salted SHA512 passwords. Without this option,
# the default is Unix crypt. Prior releases used the option "md5".
#
# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
# login.defs.
#
# See the pam_unix manpage for other options.
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
# here are the per-package modules (the "Primary" block)
password [success=2 default=ignore] pam_unix.so obscure sha512
password [success=1 user_unknown=ignore default=die] pam_ldap.so use_authtok try_first_pass
# here's the fallback if no module succeeds
password requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
password required pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config

41
modules/pam/files/centos/6x/common-session Normal file
View File

@ -0,0 +1,41 @@
##
## This file is managed by puppet, all local changes will be lost
## during the next puppet run.
##
## Source file: puppet/modules/pam/files/centos/6x/common-session
##
#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive).
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
# here are the per-package modules (the "Primary" block)
session [default=1] pam_permit.so
# here's the fallback if no module succeeds
session requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required pam_permit.so
# The pam_umask module will set the umask according to the system default in
# /etc/login.defs and user settings, solving the problem of different
# umask settings with different shells, display managers, remote sessions etc.
# See "man pam_umask".
session optional pam_umask.so
# and here are more per-package modules (the "Additional" block)
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
session required pam_unix.so
session optional pam_ldap.so
session optional pam_systemd.so
# end of pam-auth-update config

39
modules/pam/files/centos/6x/common-session-noninteractive Normal file
View File

@ -0,0 +1,39 @@
##
## This file is managed by puppet, all local changes will be lost
## during the next puppet run.
##
## Source file: puppet/modules/pam/files/centos/6x/common-session-noninteractive
##
#
# /etc/pam.d/common-session-noninteractive - session-related modules
# common to all non-interactive services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of all non-interactive sessions.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
# here are the per-package modules (the "Primary" block)
session [default=1] pam_permit.so
# here's the fallback if no module succeeds
session requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required pam_permit.so
# The pam_umask module will set the umask according to the system default in
# /etc/login.defs and user settings, solving the problem of different
# umask settings with different shells, display managers, remote sessions etc.
# See "man pam_umask".
session optional pam_umask.so
# and here are more per-package modules (the "Additional" block)
session required pam_unix.so
session optional pam_ldap.so
# end of pam-auth-update config

26
modules/pam/files/centos/6x/cron Normal file
View File

@ -0,0 +1,26 @@
##
## This file is managed by puppet, all local changes will be lost
## during the next puppet run.
##
## Source file: puppet/modules/pam/files/centos/6x/cron
##
# The PAM configuration file for the cron daemon
@include common-auth
# Read environment variables from pam_env's default files, /etc/environment
# and /etc/security/pam_env.conf.
session required pam_env.so
# In addition, read system locale information
session required pam_env.so envfile=/etc/default/locale
@include common-account
@include common-session-noninteractive
# Sets up user limits, please define limits for cron tasks
# through /etc/security/limits.conf
session required pam_limits.so

118
modules/pam/files/centos/6x/login Normal file
View File

@ -0,0 +1,118 @@
##
## This file is managed by puppet, all local changes will be lost
## during the next puppet run.
##
## Source file: puppet/modules/pam/files/centos/6x/login
##
#
# The PAM configuration file for the Shadow `login' service
#
# Enforce a minimal delay in case of failure (in microseconds).
# (Replaces the `FAIL_DELAY' setting from login.defs)
# Note that other modules may require another minimal delay. (for example,
# to disable any delay, you should add the nodelay option to pam_unix)
auth optional pam_faildelay.so delay=3000000
# Outputs an issue file prior to each login prompt (Replaces the
# ISSUE_FILE option from login.defs). Uncomment for use
# auth required pam_issue.so issue=/etc/issue
# Disallows root logins except on tty's listed in /etc/securetty
# (Replaces the `CONSOLE' setting from login.defs)
#
# With the default control of this module:
# [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die]
# root will not be prompted for a password on insecure lines.
# if an invalid username is entered, a password is prompted (but login
# will eventually be rejected)
#
# You can change it to a "requisite" module if you think root may mis-type
# her login and should not be prompted for a password in that case. But
# this will leave the system as vulnerable to user enumeration attacks.
#
# You can change it to a "required" module if you think it permits to
# guess valid user names of your system (invalid user names are considered
# as possibly being root on insecure lines), but root passwords may be
# communicated over insecure lines.
auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so
# Disallows other than root logins when /etc/nologin exists
# (Replaces the `NOLOGINS_FILE' option from login.defs)
auth requisite pam_nologin.so
# SELinux needs to be the first session rule. This ensures that any
# lingering context has been cleared. Without out this it is possible
# that a module could execute code in the wrong domain.
# When the module is present, "required" would be sufficient (When SELinux
# is disabled, this returns success.)
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
# This module parses environment configuration file(s)
# and also allows you to use an extended config
# file /etc/security/pam_env.conf.
#
# parsing /etc/environment needs "readenv=1"
session required pam_env.so readenv=1
# locale variables are also kept into /etc/default/locale in etch
# reading this file *in addition to /etc/environment* does not hurt
session required pam_env.so readenv=1 envfile=/etc/default/locale
# Standard Un*x authentication.
@include common-auth
# This allows certain extra groups to be granted to a user
# based on things like time of day, tty, service, and user.
# Please edit /etc/security/group.conf to fit your needs
# (Replaces the `CONSOLE_GROUPS' option in login.defs)
auth optional pam_group.so
# Uncomment and edit /etc/security/time.conf if you need to set
# time restrainst on logins.
# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
# as well as /etc/porttime)
# account requisite pam_time.so
# Uncomment and edit /etc/security/access.conf if you need to
# set access limits.
# (Replaces /etc/login.access file)
# account required pam_access.so
# Sets up user limits according to /etc/security/limits.conf
# (Replaces the use of /etc/limits in old login)
session required pam_limits.so
# Prints the last login info upon succesful login
# (Replaces the `LASTLOG_ENAB' option from login.defs)
session optional pam_lastlog.so
# Prints the message of the day upon succesful login.
# (Replaces the `MOTD_FILE' option in login.defs)
# This includes a dynamically generated part from /run/motd.dynamic
# and a static (admin-editable) part from /etc/motd.
session optional pam_motd.so motd=/run/motd.dynamic noupdate
session optional pam_motd.so
# Prints the status of the user's mailbox upon succesful login
# (Replaces the `MAIL_CHECK_ENAB' option from login.defs).
#
# This also defines the MAIL environment variable
# However, userdel also needs MAIL_DIR and MAIL_FILE variables
# in /etc/login.defs to make sure that removing a user
# also removes the user's mail spool file.
# See comments in /etc/login.defs
session optional pam_mail.so standard
# Standard Un*x account and session
@include common-account
@include common-session
@include common-password
# SELinux needs to intervene at login time to ensure that the process
# starts in the proper default security context. Only sessions which are
# intended to run in the user's context should be run after this.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
# When the module is present, "required" would be sufficient (When SELinux
# is disabled, this returns success.)

13
modules/pam/files/centos/6x/newusers Normal file
View File

@ -0,0 +1,13 @@
##
## This file is managed by puppet, all local changes will be lost
## during the next puppet run.
##
## Source file: puppet/modules/pam/files/centos/6x/newusers
##
# The PAM configuration file for the Shadow 'newusers' service
#
@include common-password

24
modules/pam/files/centos/6x/other Normal file
View File

@ -0,0 +1,24 @@
##
## This file is managed by puppet, all local changes will be lost
## during the next puppet run.
##
## Source file: puppet/modules/pam/files/centos/6x/other
##
#
# /etc/pam.d/other - specify the PAM fallback behaviour
#
# Note that this file is used for any unspecified service; for example
#if /etc/pam.d/cron specifies no session modules but cron calls
#pam_open_session, the session module out of /etc/pam.d/other is
#used. If you really want nothing to happen then use pam_permit.so or
#pam_deny.so as appropriate.
# We fall back to the system default in /etc/pam.d/common-*
#
@include common-auth
@include common-account
@include common-password
@include common-session

14
modules/pam/files/centos/6x/passwd Normal file
View File

@ -0,0 +1,14 @@
##
## This file is managed by puppet, all local changes will be lost
## during the next puppet run.
##
## Source file: puppet/modules/pam/files/centos/6x/passwd
##
#
# The PAM configuration file for the Shadow `passwd' service
#
@include common-password

16
modules/pam/files/centos/6x/polkit-1 Normal file
View File

@ -0,0 +1,16 @@
##
## This file is managed by puppet, all local changes will be lost
## during the next puppet run.
##
## Source file: puppet/modules/pam/files/centos/6x/polkit-1
##
#%PAM-1.0
@include common-auth
@include common-account
@include common-password
session required pam_env.so readenv=1 user_readenv=0
session required pam_env.so readenv=1 envfile=/etc/default/locale user_readenv=0
@include common-session

14
modules/pam/files/centos/6x/ppp Normal file
View File

@ -0,0 +1,14 @@
##
## This file is managed by puppet, all local changes will be lost
## during the next puppet run.
##
## Source file: puppet/modules/pam/files/centos/6x/ppp
##
#%PAM-1.0
# Information for the PPPD process with the 'login' option.
auth required pam_nologin.so
@include common-auth
@include common-account
@include common-session

63
modules/pam/files/centos/6x/sshd Normal file
View File

@ -0,0 +1,63 @@
##
## This file is managed by puppet, all local changes will be lost
## during the next puppet run.
##
## Source file: puppet/modules/pam/files/centos/6x/sshd
##
# PAM configuration for the Secure Shell service
# Standard Un*x authentication.
@include common-auth
# Disallow non-root logins when /etc/nologin exists.
account required pam_nologin.so
# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
# account required pam_access.so
# Standard Un*x authorization.
@include common-account
# SELinux needs to be the first session rule. This ensures that any
# lingering context has been cleared. Without this it is possible that a
# module could execute code in the wrong domain.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
# Set the loginuid process attribute.
session required pam_loginuid.so
# Create a new session keyring.
session optional pam_keyinit.so force revoke
# Standard Un*x session setup and teardown.
@include common-session
# Print the message of the day upon successful login.
# This includes a dynamically generated part from /run/motd.dynamic
# and a static (admin-editable) part from /etc/motd.
session optional pam_motd.so motd=/run/motd.dynamic noupdate
session optional pam_motd.so # [1]
# Print the status of the user's mailbox upon successful login.
session optional pam_mail.so standard noenv # [1]
# Set up user limits from /etc/security/limits.conf.
session required pam_limits.so
# Read environment variables from /etc/environment and
# /etc/security/pam_env.conf.
session required pam_env.so # [1]
# In Debian 4.0 (etch), locale-related environment variables were moved to
# /etc/default/locale, so read that as well.
session required pam_env.so user_readenv=1 envfile=/etc/default/locale
# SELinux needs to intervene at login time to ensure that the process starts
# in the proper default security context. Only sessions which are intended
# to run in the user's context should be run after this.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
# Standard Un*x password updating.
@include common-password

70
modules/pam/files/centos/6x/su Normal file
View File

@ -0,0 +1,70 @@
##
## This file is managed by puppet, all local changes will be lost
## during the next puppet run.
##
## Source file: puppet/modules/pam/files/centos/6x/su
##
#
# The PAM configuration file for the Shadow `su' service
#
# This allows root to su without passwords (normal operation)
auth sufficient pam_rootok.so
# Uncomment this to force users to be a member of group root
# before they can use `su'. You can also add "group=foo"
# to the end of this line if you want to use a group other
# than the default "root" (but this may have side effect of
# denying "root" user, unless she's a member of "foo" or explicitly
# permitted earlier by e.g. "sufficient pam_rootok.so").
# (Replaces the `SU_WHEEL_ONLY' option from login.defs)
# auth required pam_wheel.so
# Uncomment this if you want wheel members to be able to
# su without a password.
# auth sufficient pam_wheel.so trust
# Uncomment this if you want members of a specific group to not
# be allowed to use su at all.
# auth required pam_wheel.so deny group=nosu
# Uncomment and edit /etc/security/time.conf if you need to set
# time restrainst on su usage.
# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
# as well as /etc/porttime)
# account requisite pam_time.so
# This module parses environment configuration file(s)
# and also allows you to use an extended config
# file /etc/security/pam_env.conf.
#
# parsing /etc/environment needs "readenv=1"
session required pam_env.so readenv=1
# locale variables are also kept into /etc/default/locale in etch
# reading this file *in addition to /etc/environment* does not hurt
session required pam_env.so readenv=1 envfile=/etc/default/locale
# Defines the MAIL environment variable
# However, userdel also needs MAIL_DIR and MAIL_FILE variables
# in /etc/login.defs to make sure that removing a user
# also removes the user's mail spool file.
# See comments in /etc/login.defs
#
# "nopen" stands to avoid reporting new mail when su'ing to another user
session optional pam_mail.so nopen
# Sets up user limits, please uncomment and read /etc/security/limits.conf
# to enable this functionality.
# (Replaces the use of /etc/limits in old login)
# session required pam_limits.so
# The standard Unix authentication modules, used with
# NIS (man nsswitch) as well as normal /etc/passwd and
# /etc/shadow entries.
@include common-auth
@include common-account
@include common-session

17
modules/pam/files/centos/6x/sudo Normal file
View File

@ -0,0 +1,17 @@
##
## This file is managed by puppet, all local changes will be lost
## during the next puppet run.
##
## Source file: puppet/modules/pam/files/centos/6x/sudo
##
#%PAM-1.0
auth required /usr/local/lib/security/pam_orthrus.so
auth required pam_env.so readenv=1 user_readenv=0
auth required pam_env.so readenv=1 envfile=/etc/default/locale user_readenv=0
# @include common-auth
@include common-account
@include common-session-noninteractive

12
modules/pam/manifests/install/centos/6x.pp Normal file
View File

@ -0,0 +1,12 @@
class pam::install::centos::6x (
) {
file { '/etc/pam.d/':
ensure => present,
source => "puppet:///modules/pam/${asfosname}/${asfosrelease}",
recurse => true,
owner => 'root',
group => 'root',
mode => '755',
}
}

1
modules/rootbin_asf/files/bin/lib/perl/ASF/Manage/Util.pm
View File

@ -84,6 +84,7 @@ sub systems {
/fedora/ and $v->{os} = "fedora" and next;
/sunos/ and $v->{os} = "solaris" and next;
/^10\.\d$/ and $v->{os} = "mac" and next;
/centos/ and $v->{os} = "centos" and next;
}
return $sys_h;

1
modules/rootbin_asf/manifests/init.pp
View File

@ -10,6 +10,7 @@ class rootbin_asf {
owner => 'root',
group => $::asfosname ? {
/^ubuntu$/ => 'root',
/^centos$/ => 'root',
/^freebsd$/ => 'wheel',
default => 'root',
},

8
modules/subversionclient/data/centos/6x.yaml Normal file
View File

@ -0,0 +1,8 @@
---
subversionclient::packages:
- subversion
subversionclient::svn_conf_config: '/etc/subversion/config'
subversionclient::svn_conf_servers: '/etc/subversion/servers'

8
modules/sudoers/data/centos/6x.yaml Normal file
View File

@ -0,0 +1,8 @@
---
sudoers::sudoers_packages:
- 'sudo'
sudoers::sudoers_file: '/etc/sudoers'
sudoers::sudoers_template: '/usr/local/etc/puppet/modules/sudoers/templates/centos_6x_sudoers.erb'

7
modules/sudoers/manifests/install/centos/6x.pp Normal file
View File

@ -0,0 +1,7 @@
class sudoers::install::centos::6x (
) {
file {'/etc/sudoers':
content => template('sudoers/centos_6x_sudoers.erb');
}
}

34
modules/sudoers/templates/centos_6x_sudoers.erb Normal file
View File

@ -0,0 +1,34 @@
##
## This file is managed by puppet, all local changes will be lost
## during the next puppet run.
##
## Source file: puppet/modules/sudoers/templates/centos_6x_sudoers.erb
##
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
# Host alias specification
# User alias specification
# Cmnd alias specification
# User privilege specification
root ALL=(ALL:ALL) ALL
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# Allow members of group root-sudoers to gain root privileges
%root-sudoers ALL=(ALL) ALL
# Allow members of group <%= scope.lookupvar('::fqdn') %>-sudoers to gain root privileges
%<%= scope.lookupvar('::fqdn') %>-sudoers ALL=(ALL) ALL
# Allow the asf999 local user account to use sudo, without a password.
asf999 ALL=NOPASSWD: ALL
# See sudoers(5) for more information on "#include" directives:
#includedir /etc/sudoers.d