# # Cookbook Name:: kosmos-base # Recipe:: default # ruby_block "cleanup client.rb" do block do fe = Chef::Util::FileEdit.new("/etc/chef/client.rb") # Delete old attributes, replaced by allow_*_attributes fe.search_file_delete_line(/^.*_attribute_whitelist.*/) fe.write_file end end cookbook_file "/etc/chef/client.d/attributes.rb" do source "chef_attributes.rb" mode "0644" notifies :create, "ruby_block[reload_client_config]", :immediately end ruby_block "reload_client_config" do block do Chef::Config.from_file("/etc/chef/client.rb") end action :nothing end include_recipe "apt" directory "/etc/apt/keyrings" do mode "0755" action :create end include_recipe "timezone_iii" include_recipe "ntp" if node["platform"] == "ubuntu" && node["platform_version"].to_f < 24.04 include_recipe "kosmos-base::journald_conf" include_recipe "kosmos-base::systemd_emails" node.override["apt"]["unattended_upgrades"]["enable"] = true node.override["apt"]["unattended_upgrades"]["mail_only_on_error"] = false node.override["apt"]["unattended_upgrades"]["sender"] = "ops@kosmos.org" node.override["apt"]["unattended_upgrades"]["allowed_origins"] = [ "${distro_id}:${distro_codename}-security", "${distro_id}:${distro_codename}-updates", "${distro_id}ESMApps:${distro_codename}-apps-security", "${distro_id}ESMApps:${distro_codename}-apps-updates", "${distro_id}ESM:${distro_codename}-infra-security", "${distro_id}ESM:${distro_codename}-infra-updates" ] node.override["apt"]["unattended_upgrades"]["mail"] = "ops@kosmos.org" node.override["apt"]["unattended_upgrades"]["syslog_enable"] = true include_recipe "apt::unattended-upgrades" package "mailutils" package "mosh" package "vim" # Don't create users and rewrite the sudo config in development environment. # It breaks the vagrant user unless node.chef_environment == "development" # Searches data bag "users" for groups attribute "sysadmin". # Places returned users in Unix group "sysadmin" with GID 2300. users_manage "sysadmin" do group_id 2300 action %i[remove create] end sudo "sysadmin" do groups "sysadmin" nopasswd true defaults [ # not default on Ubuntu, explicitely enable. Uses a minimal white list of # environment variables "env_reset", # Send emails on unauthorized attempts "mail_badpass", 'secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"' ] end include_recipe "kosmos-base::firewall" include_recipe "kosmos-postfix" node.override["set_fqdn"] = "*" include_recipe "hostname" package "ca-certificates" directory "/usr/local/share/ca-certificates/cacert" do action :create end ["http://www.cacert.org/certs/root.crt", "http://www.cacert.org/certs/class3.crt"].each do |cert| remote_file "/usr/local/share/ca-certificates/cacert/#{File.basename(cert)}" do source cert action :create_if_missing notifies :run, "execute[update-ca-certificates]", :immediately end end execute "update-ca-certificates" do action :nothing end end