
# Custom package repositories (CentOS only): install the key file and the
# .repo definition, then drop stale yum metadata so the new repo is picked up.
# NOTE(review): the .repo template is not visible here; presumably the .key
# file is the repository's GPG key -- confirm the template sets gpgcheck=1 and
# that its gpgkey entry points at the key installed below.
if platform?('centos')
  cookbook_file '/etc/yum.repos.d/softwarepublico.key' do
    owner 'root'
    mode '0644'
  end

  template '/etc/yum.repos.d/softwarepublico.repo' do
    owner 'root'
    mode '0644'
  end

  # node['config']['keep_yum_cache'] opts out of the cache flush.
  unless node['config']['keep_yum_cache']
    execute 'yum_clean_cache' do
      command 'yum clean all'
    end

    # Chef keeps its own in-process yum cache; reload it after the flush.
    ruby_block 'yum-cache-reload' do
      block do
        Chef::Provider::Package::Yum::YumCache.instance.reload
      end
    end
  end
end

# EPEL is enabled on every node by default. It is an additional, third-party
# repository, so later package resources may resolve from it as well as from
# the base OS repositories.
package 'epel-release' do
  action :install
end

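# Replicate the production SELinux setup: policy packages, persistent config,
# runtime enforcing mode, one policy boolean, and the local-module tooling.
package 'selinux-policy'
package 'policycoreutils-python'

# Persistent SELinux configuration.
# NOTE(review): the selinux_config cookbook file is not visible here; confirm
# it sets SELINUX=enforcing so the runtime mode set below survives a reboot.
cookbook_file '/etc/selinux/config' do
  source 'selinux_config'
  owner  'root'
  group  'root'
  mode   '0644'
end

# Helper script used as the guard for the SELinux commands below.
selinux_enabled_cmd = '/usr/local/bin/selinux-enabled'

cookbook_file selinux_enabled_cmd do
  owner 'root'
  group 'root'
  mode  '0755'
end

# The guards call the helper by absolute path. A string only_if is run as a
# shell command, and a command that cannot be found counts as a failed guard:
# with a bare name, a PATH without /usr/local/bin would silently skip putting
# SELinux into enforcing mode instead of reporting an error.
execute 'setenforce Enforcing' do
  only_if selinux_enabled_cmd
end

# Lets httpd open outbound network connections; this widens the default
# httpd confinement and is persisted with -P.
execute 'setsebool -P httpd_can_network_connect 1' do
  only_if selinux_enabled_cmd
end

# Directory for local type-enforcement modules.
directory '/etc/selinux/local' do
  owner 'root'
  group 'root'
  mode  '0755'
end

cookbook_file '/usr/local/bin/selinux-install-module' do
  owner 'root'
  group 'root'
  mode  '0755'
end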

# Base tooling installed on every node; one package resource per name, in the
# same order as before.
%w[vim bash-completion rsyslog tmux less htop ntp].each do |pkg_name|
  package pkg_name
end

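# Helper script used as the guard for ntpd below.
is_a_container_cmd = '/usr/local/bin/is-a-container'

cookbook_file is_a_container_cmd do
  owner 'root'
  group 'root'
  mode  '0755'
end

# Time sync is enabled and started unless the helper reports a container.
# The guard uses the absolute path: a string not_if is run as a shell command,
# and if a bare name is not found on PATH the guard fails open, so ntpd would
# be started inside containers as well.
service 'ntpd' do
  action [:enable, :start]
  not_if is_a_container_cmd
end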

# firewalld is taken out of boot and stopped. ignore_failure lets the run
# continue when the service cannot be disabled or stopped.
# NOTE(review): nothing in this recipe sets up another packet filter; confirm
# that filtering is provided elsewhere (another recipe or the network
# perimeter) before relying on this on an exposed host.
service 'firewalld' do
  ignore_failure true
  action [:disable, :stop]
end

# sshd is only enabled at boot here; this resource does not start it.
service 'sshd' do
  action :enable
end

# FIXME: on Debian the package is named postgresql-client
package 'postgresql' do
  action :install
end

# Refresh node[:fqdn] from the system so it reflects the contents of
# /etc/hosts; without this the :fqdn attribute would not be available on the
# first run. Runs only when notified by the /etc/hosts template below.
ruby_block 'fqdn:update' do
  action :nothing
  block { node.default[:fqdn] = %x(hostname --fqdn).strip }
end

# Delete the update_etc_hosts entry from cloud.cfg so that our /etc/hosts is
# not overwritten. Skipped on hosts without a cloud.cfg.
execute 'avoid_etc_hosts_being_overwriten' do
  only_if { File.exist?('/etc/cloud/cloud.cfg') }
  command %q(sed -i -e '/^\s*-\s*update_etc_hosts/d' /etc/cloud/cloud.cfg)
end

# /etc/hosts is rendered from the cookbook template; a change immediately
# triggers the fqdn refresh and the cloud.cfg edit above.
template '/etc/hosts' do
  owner 'root'
  mode  '0644'
  notifies :run, 'ruby_block[fqdn:update]', :immediately
  notifies :run, 'execute[avoid_etc_hosts_being_overwriten]', :immediately
end