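# our custom repositories
#
# On CentOS, install the Software Publico repository signing key and its
# .repo definition under /etc/yum.repos.d, then flush yum's metadata cache
# so the new repository is visible to the package resources that follow.
# NOTE(review): the .repo template itself is not visible here — make sure it
# sets gpgcheck=1 and points gpgkey= at the key installed below, otherwise
# shipping the key buys no package authentication at all.
if node['platform'] == 'centos'
  cookbook_file '/etc/yum.repos.d/softwarepublico.key' do
    owner 'root'
    group 'root'
    mode '0644'
  end

  template '/etc/yum.repos.d/softwarepublico.repo' do
    owner 'root'
    group 'root'
    mode '0644'
  end

  # A fresh repo definition is ignored until yum forgets its cached metadata;
  # the cache is kept only when the caller explicitly asks for it.
  unless node['config']['keep_yum_cache']
    execute 'yum_clean_cache' do
      command 'yum clean all'
    end

    # reload internal Chef yum cache so later package resources see the new repo
    ruby_block 'yum-cache-reload' do
      block { Chef::Provider::Package::Yum::YumCache.instance.reload }
    end
  end
end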
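# enable EPEL repository by default
package 'epel-release'

# replicate production security setup: SELinux in enforcing mode, the same
# policy tooling production uses, and a helper script that tells the guards
# below whether SELinux is usable on this host at all.
package 'selinux-policy'
package 'policycoreutils-python'

cookbook_file '/etc/selinux/config' do
  source 'selinux_config'
  owner 'root'
  group 'root'
  mode '0644'
end

cookbook_file '/usr/local/bin/selinux-enabled' do
  owner 'root'
  group 'root'
  mode '0755'
end

# Switch to enforcing mode at runtime (/etc/selinux/config above covers
# reboots). The not_if guard makes the resource idempotent: previously it
# ran — and reported a change — on every converge.
execute 'setenforce Enforcing' do
  only_if 'selinux-enabled'
  not_if 'test "$(getenforce)" = Enforcing'
end

# SECURITY: httpd_can_network_connect lets every httpd_t process open
# outbound connections to any host and port, which widens the blast radius
# of an SSRF or RCE in the web tier. If the only requirement is reaching a
# database or proxying to a backend, the narrower httpd_can_network_connect_db
# or httpd_can_network_relay booleans are preferable. Kept as-is to match
# production; the guard skips the call once the boolean is already on.
execute 'setsebool -P httpd_can_network_connect 1' do
  only_if 'selinux-enabled'
  not_if 'getsebool httpd_can_network_connect | grep -q -- "--> on"'
end

# directory for local type enforcements (custom policy modules, presumably
# consumed by the selinux-install-module helper below — its body is not
# visible here)
directory '/etc/selinux/local' do
  owner 'root'
  group 'root'
  mode '0755'
end

cookbook_file '/usr/local/bin/selinux-install-module' do
  owner 'root'
  group 'root'
  mode '0755'
end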
# Baseline tooling every node gets, regardless of role.
%w[vim bash-completion rsyslog tmux less htop ntp].each do |pkg|
  package pkg
end

# Guard helper used below; judging by its use as a not_if, it presumably
# exits 0 when running inside a container (its body is not visible here).
cookbook_file '/usr/local/bin/is-a-container' do
  owner 'root'
  group 'root'
  mode '0755'
end

# Containers take their clock from the host, so ntpd only runs on real
# machines and VMs.
service 'ntpd' do
  not_if 'is-a-container'
  action %i[enable start]
end

# SECURITY: the host firewall is switched off here and nothing in this recipe
# replaces it, so every listening service becomes reachable from any network
# the node is attached to. This only makes sense if filtering happens
# upstream (security groups, perimeter firewall) — confirm that before
# reusing the cookbook elsewhere. ignore_failure presumably covers hosts
# where firewalld is not installed at all.
service 'firewalld' do
  ignore_failure true
  action %i[disable stop]
end

# sshd is only enabled (so it survives a reboot), not started; it is assumed
# to be running already on a reachable node.
service 'sshd' do
  action :enable
end
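# FIXME on Debian it's postgresql-client
package 'postgresql'

# reload node[:fqdn] to make sure it reflects the contents of /etc/hosts
# without that the variable :fqdn would not be available on first run.
# Runs only when notified by the /etc/hosts template below.
ruby_block 'fqdn:update' do
  block do
    node.default[:fqdn] = `hostname --fqdn`.strip
  end
  action :nothing
end

# cloud-init's update_etc_hosts module rewrites /etc/hosts on boot, which
# would undo the template below, so strip that module from cloud.cfg.
# The guard makes this idempotent: it fires only while the file exists and
# still lists the module. Before, the resource had the default :run action
# and no content check, so it ran (and reported a change) on every converge
# and twice on the first one, since the template also notifies it.
execute 'avoid_etc_hosts_being_overwriten' do
  command 'sed -i -e \'/^\s*-\s*update_etc_hosts/d\' /etc/cloud/cloud.cfg'
  only_if do
    File.exist?('/etc/cloud/cloud.cfg') &&
      File.foreach('/etc/cloud/cloud.cfg').any? { |line| line =~ /^\s*-\s*update_etc_hosts/ }
  end
end

# Managed /etc/hosts; a change refreshes node[:fqdn] and re-checks cloud.cfg
# immediately so later resources in the same run see the new name.
template '/etc/hosts' do
  owner 'root'
  group 'root'
  mode '0644'
  notifies :run, 'ruby_block[fqdn:update]', :immediately
  notifies :run, 'execute[avoid_etc_hosts_being_overwriten]', :immediately
end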