1759af98b8
Set the attributes in a Ruby file under /etc/chef/client.d/ instead of editing /etc/chef/client.rb Now uses the new whitelist attribute: https://docs.chef.io/client/19/cookbooks/attributes/attribute_persistence/ Local chef config also uses the same file. That means there is no longer a need to use the sanitize script to remove override and default attributes from nodes.
107 lines
3.0 KiB
Ruby
107 lines
3.0 KiB
Ruby
#
|
|
# Cookbook Name:: kosmos-base
|
|
# Recipe:: default
|
|
#
|
|
|
|
ruby_block "cleanup client.rb" do
|
|
block do
|
|
fe = Chef::Util::FileEdit.new("/etc/chef/client.rb")
|
|
# Delete old attributes, replaced by allow_*_attributes
|
|
fe.search_file_delete_line(/^.*_attribute_whitelist.*/)
|
|
fe.write_file
|
|
end
|
|
end
|
|
|
|
cookbook_file "/etc/chef/client.d/attributes.rb" do
|
|
source "chef_attributes.rb"
|
|
mode "0644"
|
|
notifies :create, "ruby_block[reload_client_config]", :immediately
|
|
end
|
|
|
|
ruby_block "reload_client_config" do
|
|
block do
|
|
Chef::Config.from_file("/etc/chef/client.rb")
|
|
end
|
|
action :nothing
|
|
end
|
|
|
|
include_recipe "apt"
|
|
|
|
directory "/etc/apt/keyrings" do
|
|
mode "0755"
|
|
action :create
|
|
end
|
|
|
|
include_recipe "timezone_iii"
|
|
include_recipe "ntp" if node["platform"] == "ubuntu" && node["platform_version"].to_f < 24.04
|
|
include_recipe "kosmos-base::journald_conf"
|
|
include_recipe "kosmos-base::systemd_emails"
|
|
|
|
node.override["apt"]["unattended_upgrades"]["enable"] = true
|
|
node.override["apt"]["unattended_upgrades"]["mail_only_on_error"] = false
|
|
node.override["apt"]["unattended_upgrades"]["sender"] = "ops@kosmos.org"
|
|
node.override["apt"]["unattended_upgrades"]["allowed_origins"] = [
|
|
"${distro_id}:${distro_codename}-security",
|
|
"${distro_id}:${distro_codename}-updates",
|
|
"${distro_id}ESMApps:${distro_codename}-apps-security",
|
|
"${distro_id}ESMApps:${distro_codename}-apps-updates",
|
|
"${distro_id}ESM:${distro_codename}-infra-security",
|
|
"${distro_id}ESM:${distro_codename}-infra-updates"
|
|
]
|
|
node.override["apt"]["unattended_upgrades"]["mail"] = "ops@kosmos.org"
|
|
node.override["apt"]["unattended_upgrades"]["syslog_enable"] = true
|
|
include_recipe "apt::unattended-upgrades"
|
|
|
|
package "mailutils"
|
|
package "mosh"
|
|
package "vim"
|
|
|
|
# Don't create users and rewrite the sudo config in development environment.
|
|
# It breaks the vagrant user
|
|
unless node.chef_environment == "development"
|
|
# Searches data bag "users" for groups attribute "sysadmin".
|
|
# Places returned users in Unix group "sysadmin" with GID 2300.
|
|
users_manage "sysadmin" do
|
|
group_id 2300
|
|
action %i[remove create]
|
|
end
|
|
|
|
sudo "sysadmin" do
|
|
groups "sysadmin"
|
|
nopasswd true
|
|
defaults [
|
|
# not default on Ubuntu, explicitely enable. Uses a minimal white list of
|
|
# environment variables
|
|
"env_reset",
|
|
# Send emails on unauthorized attempts
|
|
"mail_badpass",
|
|
'secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"'
|
|
]
|
|
end
|
|
|
|
include_recipe "kosmos-base::firewall"
|
|
|
|
include_recipe "kosmos-postfix"
|
|
|
|
node.override["set_fqdn"] = "*"
|
|
include_recipe "hostname"
|
|
|
|
package "ca-certificates"
|
|
|
|
directory "/usr/local/share/ca-certificates/cacert" do
|
|
action :create
|
|
end
|
|
|
|
["http://www.cacert.org/certs/root.crt", "http://www.cacert.org/certs/class3.crt"].each do |cert|
|
|
remote_file "/usr/local/share/ca-certificates/cacert/#{File.basename(cert)}" do
|
|
source cert
|
|
action :create_if_missing
|
|
notifies :run, "execute[update-ca-certificates]", :immediately
|
|
end
|
|
end
|
|
|
|
execute "update-ca-certificates" do
|
|
action :nothing
|
|
end
|
|
end
|