Files
chef/site-cookbooks/kosmos-base/recipes/default.rb
T
greg 1759af98b8 Simplify and improve chef attribute handling
Set the attributes in a Ruby file under /etc/chef/client.d/ instead of
editing /etc/chef/client.rb
Now uses the new whitelist attribute:
https://docs.chef.io/client/19/cookbooks/attributes/attribute_persistence/

Local chef config also uses the same file. That means there is no longer
a need to use the sanitize script to remove override and default
attributes from nodes.
2026-07-11 17:28:03 +02:00

107 lines
3.0 KiB
Ruby

#
# Cookbook Name:: kosmos-base
# Recipe:: default
#
ruby_block "cleanup client.rb" do
block do
fe = Chef::Util::FileEdit.new("/etc/chef/client.rb")
# Delete old attributes, replaced by allow_*_attributes
fe.search_file_delete_line(/^.*_attribute_whitelist.*/)
fe.write_file
end
end
cookbook_file "/etc/chef/client.d/attributes.rb" do
source "chef_attributes.rb"
mode "0644"
notifies :create, "ruby_block[reload_client_config]", :immediately
end
ruby_block "reload_client_config" do
block do
Chef::Config.from_file("/etc/chef/client.rb")
end
action :nothing
end
include_recipe "apt"
directory "/etc/apt/keyrings" do
mode "0755"
action :create
end
include_recipe "timezone_iii"
include_recipe "ntp" if node["platform"] == "ubuntu" && node["platform_version"].to_f < 24.04
include_recipe "kosmos-base::journald_conf"
include_recipe "kosmos-base::systemd_emails"
node.override["apt"]["unattended_upgrades"]["enable"] = true
node.override["apt"]["unattended_upgrades"]["mail_only_on_error"] = false
node.override["apt"]["unattended_upgrades"]["sender"] = "ops@kosmos.org"
node.override["apt"]["unattended_upgrades"]["allowed_origins"] = [
"${distro_id}:${distro_codename}-security",
"${distro_id}:${distro_codename}-updates",
"${distro_id}ESMApps:${distro_codename}-apps-security",
"${distro_id}ESMApps:${distro_codename}-apps-updates",
"${distro_id}ESM:${distro_codename}-infra-security",
"${distro_id}ESM:${distro_codename}-infra-updates"
]
node.override["apt"]["unattended_upgrades"]["mail"] = "ops@kosmos.org"
node.override["apt"]["unattended_upgrades"]["syslog_enable"] = true
include_recipe "apt::unattended-upgrades"
package "mailutils"
package "mosh"
package "vim"
# Don't create users and rewrite the sudo config in development environment.
# It breaks the vagrant user
unless node.chef_environment == "development"
# Searches data bag "users" for groups attribute "sysadmin".
# Places returned users in Unix group "sysadmin" with GID 2300.
users_manage "sysadmin" do
group_id 2300
action %i[remove create]
end
sudo "sysadmin" do
groups "sysadmin"
nopasswd true
defaults [
# not default on Ubuntu, explicitely enable. Uses a minimal white list of
# environment variables
"env_reset",
# Send emails on unauthorized attempts
"mail_badpass",
'secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"'
]
end
include_recipe "kosmos-base::firewall"
include_recipe "kosmos-postfix"
node.override["set_fqdn"] = "*"
include_recipe "hostname"
package "ca-certificates"
directory "/usr/local/share/ca-certificates/cacert" do
action :create
end
["http://www.cacert.org/certs/root.crt", "http://www.cacert.org/certs/class3.crt"].each do |cert|
remote_file "/usr/local/share/ca-certificates/cacert/#{File.basename(cert)}" do
source cert
action :create_if_missing
notifies :run, "execute[update-ca-certificates]", :immediately
end
end
execute "update-ca-certificates" do
action :nothing
end
end