diff --git a/bash/bash_aliases.root b/bash/bash_aliases.root
new file mode 100644
index 0000000..3257197
--- /dev/null
+++ b/bash/bash_aliases.root
@@ -0,0 +1,67 @@
+#!/bin/bash
+#
+# Nifty shell aliases for debugging (Salt managed)
+#
+
+function peer2v6ffpb()
+{
+ peername=$1
+ peer2v6ll $1 fdca:ffee:ff12:132:
+}
+
+function peer2v6ll()
+{
+ peername=$1
+ prefix=$2
+ if [ -z "$prefix" ]; then
+ prefix="fe80::"
+ fi
+
+ mac=$(grep MAC /etc/freifunk/peers/$peername | cut -d ' ' -f 3)
+ if [ -z "${mac}" ]; then
+ echo "no peer named '${peername}' found, did you spell it correctly?" >&2
+ return 1
+ else
+ euid64=$(ipv6calc -q --action geneui64 -I mac ${mac})
+ echo ${prefix}${euid64}
+ return 0
+ fi
+}
+
+function connect2peer()
+{
+ peername=$1
+ target=$(peer2v6ll $peername)
+ if [ "$?" == "0" ]; then
+ echo "trying to ssh into peer '${peername}' (${target})"
+ ssh -l root -6 ${target}%br-ffpb
+ fi
+}
+
+function pingpeer()
+{
+ peername=$1
+ target=$(peer2v6ll $peername)
+ if [ "$?" == "0" ]; then
+ echo "pinging peer '${peername}' (${target})"
+ ping6 ${target}%br-ffpb
+ fi
+}
+
+function peerstatus()
+{
+ peername=$1
+ target=$(peer2v6ll $peername fdca:ffee:ff12:132:)
+ tf=`tempfile`
+ echo -en "\e[97mFetching node status of '$peername' ...\e[39m "
+ wget -q "http://[$target]/cgi-bin/status" -O $tf
+ if [ $? -eq 0 ]; then
+ echo -e "\e[92mOK\e[39m"
+ cp $tf /tmp/ffpb-nodestatus-$peername.htm
+ #less /tmp/ffpb-nodestatus-$peername.htm
+ lynx -dump /tmp/ffpb-nodestatus-$peername.htm
+ else
+ echo -e "\e[91mERROR\e[39m"
+ fi
+ rm $tf
+}
diff --git a/bash/bashrc.root b/bash/bashrc.root
new file mode 100644
index 0000000..4f7555f
--- /dev/null
+++ b/bash/bashrc.root
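Review bot: `peerstatus` copies the downloaded page to the fixed, predictable path `/tmp/ffpb-nodestatus-$peername.htm` while running as root, and `cp` follows an existing symlink at that path, so a file planted there by any other local account decides where the write lands — which defeats the point of using a temporary file at all. Run `lynx -dump` directly on `$tf` and drop the copy (or write into a root-owned directory), and replace the deprecated `tempfile` with `tf=$(mktemp) || return 1`. The exit status of `peer2v6ll` is also ignored here, unlike in `connect2peer` and `pingpeer`, so a misspelled peer name still leads to `wget` being called against `http://[]/cgi-bin/status`; `target=$(peer2v6ll "$peername" fdca:ffee:ff12:132:) || return 1` closes that gap. Every variable in these functions is global, so `local peername target tf` would stop them from leaking into the interactive shell, and `$mac`, `$target` and `$tf` should be double-quoted where they are expanded.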
@@ -0,0 +1,23 @@
+# ~/.bashrc: executed by bash(1) for non-login shells.
+
+# Note: PS1 and umask are already set in /etc/profile. You should not
+# need this unless you want different defaults for root.
+fqdn=$(hostname -f)
+PS1='${debian_chroot:+($debian_chroot)}${fqdn}:\w\$ '
+# umask 022
+
+# You may uncomment the following lines if you want `ls' to be colorized:
+export LS_OPTIONS='--color=auto'
+eval "`dircolors`"
+alias ls='ls $LS_OPTIONS'
+# alias ll='ls $LS_OPTIONS -l'
+# alias l='ls $LS_OPTIONS -lA'
+#
+# Some more alias to avoid making mistakes:
+# alias rm='rm -i'
+# alias cp='cp -i'
+# alias mv='mv -i'
+
+if [ -f ~/.bash_aliases ]; then
+ . ~/.bash_aliases
+fi
diff --git a/bash/init.sls b/bash/init.sls
new file mode 100644
index 0000000..d675e03
--- /dev/null
+++ b/bash/init.sls
@@ -0,0 +1,20 @@
+#
+# Bash
+#
+
+{%- import "globals.sls" as globals with context %}
+
+#
+# .bashrc for root
+/root/.bashrc:
+ file.managed:
+ - source: salt://bash/bashrc.root
+ - template: jinja
+
+#
+# Nifty aliases for gateway
+{% if 'gateway' in globals.ROLES %}
+/root/.bash_aliases:
+ file.managed:
+ - source: salt://bash/bash_aliases.root
+{% endif %}
diff --git a/console-tools/config b/console-tools/config
new file mode 100644
index 0000000..6226d77
--- /dev/null
+++ b/console-tools/config
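Review bot: In bash/init.sls the `/root/.bash_aliases` state exists only inside the `gateway` role branch, so a host that loses that role keeps the old aliases file indefinitely because nothing removes it. An `{% else %}` branch with `/root/.bash_aliases:` / `  file.absent` lets the state converge in both directions. The `- template: jinja` on `/root/.bashrc` is harmless but unnecessary since `bashrc.root` contains no Jinja markup; dropping it avoids surprising rendering should `{{` or `{%` sequences ever be added to that file.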
@@ -0,0 +1,72 @@
+#
+# This files tells the console-tools package: (Salt managed)
+#
+# - whether to load a specific font and boot (and maybe a screen-font map,
+# but you should avoid that if possible).
+# - whether to setup an Application-Charset Map other than the default CP437.
+# - whether to start "vcstime" to have time on all text VC'S.
+#
+# You can also specify per-VC settings by suffixing variable names as in
+# the examples below. This only works on framebuffer devices.
+#
+# CAVEATS:
+#
+# - When using the new framebuffer devices, the "global setting" for a font
+# only affects the current console (ie., at boot-time, the first one)
+# - ACM setting involves 2 steps (maybe loading a user ACM, and activating
+# it on a given charset slot - see charset(1) for details), the 1st of which
+# affects the entire system, but the 2nd of which only affects the current
+# VC (ie., at boot-time, the first one). So that if you want to use the same
+# ACM on all VCs, you have to specify "APP_CHARSET_MAP_vc=user" for all
+# relevant values of .
+#
+# Example:
+#
+#SCREEN_FONT=iso01.f16
+#SCREEN_FONT_vc2=LatArCyrHeb-16
+#
+#APP_CHARSET_MAP=iso05
+#APP_CHARSET_MAP_vc2=user
+#
+# Set the following - more euro-friendly default than kernel font.
+# SCREEN_FONT=latcyrheb-sun16.psf
+
+#DO_VCSTIME=yes
+#
+# Forget this one unless you _know_ it is necessary for your font:
+#SCREEN_FONT_MAP=iso01
+
+# **** screen saver/DPMS settings: all VCs ****
+# These settings are commented by default to avoid the chance of damage to
+# very old monitors that don't support DPMS signalling.
+
+# screen blanking timeout. monitor remains on, but the screen is cleared to
+# range: 0-60 min (0==never) kernels I've looked at default to 10 minutes.
+# (see linux/drivers/char/console.c)
+BLANK_TIME=0
+
+# blanking method (VESA DPMS mode to use after BLANK_TIME, before powerdown):
+# on: the default, no DPMS signalling. near instant powerup, no power saving
+# vsync: DPMS Standby mode. nearly instant recovery, uses 110/120W (17" screen)
+# hsync: DPMS Suspend mode. typically 3s recovery, uses 15/120W (17" screen)
+# powerdown,off: DPMS Off mode, typ. 10s recovery, uses 5/120W (17" screen)
+
+# Those values are for my 17" Mag, but some monitors do suspend the same as
+# standby. xset dpms force {off|standby|suspend|on} is useful for this, if X
+# supports DPMS on your video card. Set X's DPMS screensaver with xset dpms
+# or use option power_saver in XF86Config
+#
+# DPMS set by default to off, because hsync can cause problems on certain
+# hardware, such as Armada E500 laptops
+BLANK_DPMS=off
+
+# Powerdown time. The console will go to DPMS Off mode POWERDOWN_TIME
+# minutes _after_ blanking. (POWERDOWN_TIME + BLANK_TIME after the last input)
+POWERDOWN_TIME=0
+
+# rate and delay can get only specific values, consult kbdrate(1) for help
+#KEYBOARD_RATE="30"
+#KEYBOARD_DELAY="250"
+
+# Turn on numlock by default
+#LEDS=+num
diff --git a/console-tools/init.sls b/console-tools/init.sls
new file mode 100644
index 0000000..1fc3eb6
--- /dev/null
+++ b/console-tools/init.sls
@@ -0,0 +1,21 @@
+#
+# Install and configure console-tools to disable scree blanking
+#
+
+{% if grains['oscodename'] == 'wheezy' %}
+console-tools:
+ pkg.installed:
+ - name: console-tools
+
+/etc/console-tools/config:
+ file.managed:
+ - source: salt://console-tools/config
+ - require:
+ - pkg: console-tools
+{%- endif %}
+
+{% if grains['oscodename'] == 'jessie' %}
+/etc/issue:
+ file.managed:
+ - source: salt://console-tools/issue.Debian.jessie
+{% endif %}
diff --git a/console-tools/issue.Debian.jessie b/console-tools/issue.Debian.jessie
new file mode 100644
index 0000000..78baff8
--- /dev/null
+++ b/console-tools/issue.Debian.jessie
@@ -0,0 +1,3 @@
+Debian GNU/Linux 8 \n \l
+
+[9;0]
\ No newline at end of file
diff --git a/locales/init.sls b/locales/init.sls
new file mode 100644
index 0000000..4f35b40
--- /dev/null
+++ b/locales/init.sls
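Review bot: The header comment in console-tools/init.sls reads `scree blanking`; it should be `# Install and configure console-tools to disable screen blanking`. The `/etc/console-tools/config` state has no `watch_in` or service handling, so a changed `BLANK_TIME` presumably only takes effect at the next boot or console-tools restart — a one-line comment stating that would spare the next maintainer the question.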
@@ -0,0 +1,25 @@
+#
+# Configure locales
+#
+
+locales:
+ pkg.installed
+
+# Workaround missing locale.present in our salt version
+/etc/locale.gen:
+ file.managed:
+ - source: salt://locales/locale.gen
+ - require:
+ - pkg: locales
+
+locale-gen:
+ cmd.wait:
+ - watch:
+ - file: /etc/locale.gen
+
+en_US.UTF-8:
+ locale.system:
+ - require:
+ - file: /etc/locale.gen
+
+
diff --git a/locales/locale.gen b/locales/locale.gen
new file mode 100644
index 0000000..558d4dc
--- /dev/null
+++ b/locales/locale.gen
@@ -0,0 +1,13 @@
+#
+# Locale to be generated (Salt managed)
+#
+# This file lists locales that you wish to have built. You can find a list
+# of valid supported locales at /usr/share/i18n/SUPPORTED, and you can add
+# user defined locales to /usr/local/share/i18n/SUPPORTED. If you change
+# this file, you need to rerun locale-gen.
+
+de_DE.UTF-8 UTF-8
+de_DE@euro ISO-8859-15
+
+en_US.ISO-8859-15 ISO-8859-15
+en_US.UTF-8 UTF-8
diff --git a/mosh/init.sls b/mosh/init.sls
new file mode 100644
index 0000000..537423b
--- /dev/null
+++ b/mosh/init.sls
@@ -0,0 +1,11 @@
+#
+# Mosh
+#
+
+mosh:
+ pkg.installed:
+ - name: 'mosh'
+
+/etc/ufw/applications.d/mosh:
+ file.managed:
+ - source: salt://mosh/mosh.ufw.conf
diff --git a/mosh/mosh.ufw.conf b/mosh/mosh.ufw.conf
new file mode 100644
index 0000000..a13b49b
--- /dev/null
+++ b/mosh/mosh.ufw.conf
@@ -0,0 +1,4 @@
+[mosh]
+title=Mosh (mobile shell)
+description=Mobile shell that supports roaming and intelligent local echo
+ports=60000:60010/udp
diff --git a/ntp/init.sls b/ntp/init.sls
new file mode 100644
index 0000000..bb4f7f2
--- /dev/null
+++ b/ntp/init.sls
@@ -0,0 +1,12 @@
+#
+# NTP
+#
+
+ntp:
+ pkg.installed:
+ - name: ntp
+
+
+/etc/ntp.conf:
+ file.managed:
+ - source: salt://ntp/ntp.conf
diff --git a/ntp/ntp.conf b/ntp/ntp.conf
new file mode 100644
index 0000000..1bd2eaa
--- /dev/null
+++ b/ntp/ntp.conf
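Review bot: In mosh/init.sls the `/etc/ufw/applications.d/mosh` state neither requires the `ufw` package nor sets `makedirs`, so on a host where ufw is not installed the directory may be missing and the state fails; `- require:` / `  - pkg: ufw` (if ufw is managed elsewhere) or `- makedirs: True` settles the ordering. Shipping the application profile does not open the ports by itself — a firewall rule referencing the `mosh` profile still has to be applied somewhere, and this change does not show where that happens.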
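Review bot: `/etc/ntp.conf` is written without `- require: - pkg: ntp`, and there is no `service.running` state for ntpd at all, so a changed `ntp.conf` is never picked up by the running daemon and on a fresh host the file can be written before the package exists. Add a `service.running` to the `ntp` ID and give the config state a `require` on the package plus a `watch_in` on the service, mirroring what rsyslog/init.sls already does for rsyslog.
```yaml
ntp:
  pkg.installed:
    - name: ntp
  service.running:
    - enable: True
    - require:
      - pkg: ntp

/etc/ntp.conf:
  file.managed:
    - source: salt://ntp/ntp.conf
    - require:
      - pkg: ntp
    - watch_in:
      - service: ntp
```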
@@ -0,0 +1,44 @@
+#
+# /etc/ntp.conf (Salt managed)
+#
+# configuration for ntpd; see ntp.conf(5) for help
+#
+driftfile /var/lib/ntp/ntp.drift
+
+# Enable this if you want statistics to be logged.
+#statsdir /var/log/ntpstats/
+
+statistics loopstats peerstats clockstats
+filegen loopstats file loopstats type day enable
+filegen peerstats file peerstats type day enable
+filegen clockstats file clockstats type day enable
+
+
+# You do need to talk to an NTP server or two (or three).
+#server ntp.your-provider.example
+
+# pool.ntp.org maps to about 1000 low-stratum NTP servers. Your server will
+# pick a different set every time it starts up. Please consider joining the
+# pool:
+server 0.debian.pool.ntp.org iburst
+server 1.debian.pool.ntp.org iburst
+server 2.debian.pool.ntp.org iburst
+
+# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
+# details. The web page
+# might also be helpful.
+#
+# Note that "restrict" applies to both servers and clients, so a configuration
+# that might be intended to block requests from certain clients could also end
+# up blocking replies from your own upstream servers.
+
+# By default, exchange time with everybody, but don't allow configuration.
+restrict -4 default kod notrap nomodify nopeer noquery
+restrict -6 default kod notrap nomodify nopeer noquery
+
+# Local users may interrogate the ntp server more closely.
+restrict 127.0.0.1
+restrict ::1
+
+# CVE-2013-5211
+disable monitor
diff --git a/postfix/aliases b/postfix/aliases
new file mode 100644
index 0000000..833eaf8
--- /dev/null
+++ b/postfix/aliases
@@ -0,0 +1,15 @@
+# /etc/aliases
+mailer-daemon: postmaster
+postmaster: root
+nobody: root
+hostmaster: root
+usenet: root
+news: root
+webmaster: root
+www: root
+ftp: root
+abuse: root
+noc: root
+security: root
+
+root: ops@ffho.net
diff --git a/postfix/init.sls b/postfix/init.sls
new file mode 100644
index 0000000..867bf25
--- /dev/null
+++ b/postfix/init.sls
@@ -0,0 +1,46 @@
+#
+# Postfix
+#
+
+# Force installation of bsd-mailx as it's not installed anymore in Debian Jessie..
+bsd-mailx:
+ pkg.installed:
+ - name: bsd-mailx
+
+
+postfix:
+ pkg.installed:
+ - name: postfix
+ - requires:
+ - file: /etc/mailname
+ service.running:
+ - enable: true
+ - reload: true
+
+#
+# Don't listen on port 25, by default, a unix socket is enough.
+/etc/postfix/master.cf:
+ file.managed:
+ - source:
+ - salt://postfix/master.cf.{{ grains['nodename'] }}
+ - salt://postfix/master.cf
+ - watch_in:
+ - service: postfix
+
+#
+# Send root mail to ops@ffho.net
+/etc/aliases:
+ file.managed:
+ - source: salt://postfix/aliases
+
+newaliases:
+ cmd.wait:
+ - name: /usr/bin/newaliases
+ - watch:
+ - file: /etc/aliases
+
+
+# Set mailname for xxx.paderborn.freifunk.net (FIXME)
+/etc/mailname:
+ file.managed:
+ - contents: "{{ grains.nodename }}.paderborn.freifunk.net"
diff --git a/postfix/master.cf b/postfix/master.cf
new file mode 100644
index 0000000..b129a91
--- /dev/null
+++ b/postfix/master.cf
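Review bot: `- requires:` under `postfix: pkg.installed` is not a Salt requisite; the keyword is `require`, and Salt rejects unknown keyword arguments on state functions, so this state is expected to error out rather than merely ignore the dependency. Change it to `- require:` / `  - file: /etc/mailname`. Since the intent is evidently that `/etc/mailname` exists before the package's postinst runs, this requisite is also the only ordering guarantee for the mailname, so the fix is worth a run on a fresh host.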
@@ -0,0 +1,115 @@
+#
+# Postfix master config (Salt managed)
+#
+# Postfix master process configuration file. For details on the format
+# of the file, see the master(5) manual page (command: "man 5 master").
+#
+# Do not forget to execute "postfix reload" after editing this file.
+#
+# ==========================================================================
+# service type private unpriv chroot wakeup maxproc command + args
+# (yes) (yes) (yes) (never) (100)
+# ==========================================================================
+#smtp inet n - - - - smtpd
+#smtp inet n - - - 1 postscreen
+#smtpd pass - - - - - smtpd
+#dnsblog unix - - - - 0 dnsblog
+#tlsproxy unix - - - - 0 tlsproxy
+#submission inet n - - - - smtpd
+# -o syslog_name=postfix/submission
+# -o smtpd_tls_security_level=encrypt
+# -o smtpd_sasl_auth_enable=yes
+# -o smtpd_client_restrictions=permit_sasl_authenticated,reject
+# -o milter_macro_daemon_name=ORIGINATING
+#smtps inet n - - - - smtpd
+# -o syslog_name=postfix/smtps
+# -o smtpd_tls_wrappermode=yes
+# -o smtpd_sasl_auth_enable=yes
+# -o smtpd_client_restrictions=permit_sasl_authenticated,reject
+# -o milter_macro_daemon_name=ORIGINATING
+#628 inet n - - - - qmqpd
+pickup fifo n - - 60 1 pickup
+cleanup unix n - - - 0 cleanup
+qmgr fifo n - n 300 1 qmgr
+#qmgr fifo n - n 300 1 oqmgr
+tlsmgr unix - - - 1000? 1 tlsmgr
+rewrite unix - - - - - trivial-rewrite
+bounce unix - - - - 0 bounce
+defer unix - - - - 0 bounce
+trace unix - - - - 0 bounce
+verify unix - - - - 1 verify
+flush unix n - - 1000? 0 flush
+proxymap unix - - n - - proxymap
+proxywrite unix - - n - 1 proxymap
+smtp unix - - - - - smtp
+relay unix - - - - - smtp
+# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
+showq unix n - - - - showq
+error unix - - - - - error
+retry unix - - - - - error
+discard unix - - - - - discard
+local unix - n n - - local
+virtual unix - n n - - virtual
+lmtp unix - - - - - lmtp
+anvil unix - - - - 1 anvil
+scache unix - - - - 1 scache
+#
+# ====================================================================
+# Interfaces to non-Postfix software. Be sure to examine the manual
+# pages of the non-Postfix software to find out what options it wants.
+#
+# Many of the following services use the Postfix pipe(8) delivery
+# agent. See the pipe(8) man page for information about ${recipient}
+# and other message envelope options.
+# ====================================================================
+#
+# maildrop. See the Postfix MAILDROP_README file for details.
+# Also specify in main.cf: maildrop_destination_recipient_limit=1
+#
+maildrop unix - n n - - pipe
+ flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
+#
+# ====================================================================
+#
+# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
+#
+# Specify in cyrus.conf:
+# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
+#
+# Specify in main.cf one or more of the following:
+# mailbox_transport = lmtp:inet:localhost
+# virtual_transport = lmtp:inet:localhost
+#
+# ====================================================================
+#
+# Cyrus 2.1.5 (Amos Gouaux)
+# Also specify in main.cf: cyrus_destination_recipient_limit=1
+#
+#cyrus unix - n n - - pipe
+# user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
+#
+# ====================================================================
+# Old example of delivery via Cyrus.
+#
+#old-cyrus unix - n n - - pipe
+# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
+#
+# ====================================================================
+#
+# See the Postfix UUCP_README file for configuration details.
+#
+uucp unix - n n - - pipe
+ flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
+#
+# Other external delivery methods.
+#
+ifmail unix - n n - - pipe
+ flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
+bsmtp unix - n n - - pipe
+ flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
+scalemail-backend unix - n n - 2 pipe
+ flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
+mailman unix - n n - - pipe
+ flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
+ ${nexthop} ${user}
+
diff --git a/postfix/master.cf.ops b/postfix/master.cf.ops
new file mode 100644
index 0000000..e5e5cfa
--- /dev/null
+++ b/postfix/master.cf.ops
@@ -0,0 +1,115 @@
+#
+# Postfix master config (Salt managed)
+#
+# Postfix master process configuration file. For details on the format
+# of the file, see the master(5) manual page (command: "man 5 master").
+#
+# Do not forget to execute "postfix reload" after editing this file.
+#
+# ==========================================================================
+# service type private unpriv chroot wakeup maxproc command + args
+# (yes) (yes) (yes) (never) (100)
+# ==========================================================================
+smtp inet n - - - - smtpd
+#smtp inet n - - - 1 postscreen
+#smtpd pass - - - - - smtpd
+#dnsblog unix - - - - 0 dnsblog
+#tlsproxy unix - - - - 0 tlsproxy
+#submission inet n - - - - smtpd
+# -o syslog_name=postfix/submission
+# -o smtpd_tls_security_level=encrypt
+# -o smtpd_sasl_auth_enable=yes
+# -o smtpd_client_restrictions=permit_sasl_authenticated,reject
+# -o milter_macro_daemon_name=ORIGINATING
+#smtps inet n - - - - smtpd
+# -o syslog_name=postfix/smtps
+# -o smtpd_tls_wrappermode=yes
+# -o smtpd_sasl_auth_enable=yes
+# -o smtpd_client_restrictions=permit_sasl_authenticated,reject
+# -o milter_macro_daemon_name=ORIGINATING
+#628 inet n - - - - qmqpd
+pickup fifo n - - 60 1 pickup
+cleanup unix n - - - 0 cleanup
+qmgr fifo n - n 300 1 qmgr
+#qmgr fifo n - n 300 1 oqmgr
+tlsmgr unix - - - 1000? 1 tlsmgr
+rewrite unix - - - - - trivial-rewrite
+bounce unix - - - - 0 bounce
+defer unix - - - - 0 bounce
+trace unix - - - - 0 bounce
+verify unix - - - - 1 verify
+flush unix n - - 1000? 0 flush
+proxymap unix - - n - - proxymap
+proxywrite unix - - n - 1 proxymap
+smtp unix - - - - - smtp
+relay unix - - - - - smtp
+# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
+showq unix n - - - - showq
+error unix - - - - - error
+retry unix - - - - - error
+discard unix - - - - - discard
+local unix - n n - - local
+virtual unix - n n - - virtual
+lmtp unix - - - - - lmtp
+anvil unix - - - - 1 anvil
+scache unix - - - - 1 scache
+#
+# ====================================================================
+# Interfaces to non-Postfix software. Be sure to examine the manual
+# pages of the non-Postfix software to find out what options it wants.
+#
+# Many of the following services use the Postfix pipe(8) delivery
+# agent. See the pipe(8) man page for information about ${recipient}
+# and other message envelope options.
+# ====================================================================
+#
+# maildrop. See the Postfix MAILDROP_README file for details.
+# Also specify in main.cf: maildrop_destination_recipient_limit=1
+#
+maildrop unix - n n - - pipe
+ flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
+#
+# ====================================================================
+#
+# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
+#
+# Specify in cyrus.conf:
+# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
+#
+# Specify in main.cf one or more of the following:
+# mailbox_transport = lmtp:inet:localhost
+# virtual_transport = lmtp:inet:localhost
+#
+# ====================================================================
+#
+# Cyrus 2.1.5 (Amos Gouaux)
+# Also specify in main.cf: cyrus_destination_recipient_limit=1
+#
+#cyrus unix - n n - - pipe
+# user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
+#
+# ====================================================================
+# Old example of delivery via Cyrus.
+#
+#old-cyrus unix - n n - - pipe
+# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
+#
+# ====================================================================
+#
+# See the Postfix UUCP_README file for configuration details.
+#
+uucp unix - n n - - pipe
+ flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
+#
+# Other external delivery methods.
+#
+ifmail unix - n n - - pipe
+ flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
+bsmtp unix - n n - - pipe
+ flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
+scalemail-backend unix - n n - 2 pipe
+ flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
+mailman unix - n n - - pipe
+ flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
+ ${nexthop} ${user}
+
diff --git a/rsyslog/ffho.conf b/rsyslog/ffho.conf
new file mode 100644
index 0000000..757b798
--- /dev/null
+++ b/rsyslog/ffho.conf
@@ -0,0 +1 @@
+$IncludeConfig /etc/rsyslog.d/ffho/*.conf
diff --git a/rsyslog/ffho.logrotate b/rsyslog/ffho.logrotate
new file mode 100644
index 0000000..fd0f618
--- /dev/null
+++ b/rsyslog/ffho.logrotate
@@ -0,0 +1,18 @@
+/var/log/bird.log
+/var/log/dhcp.log
+/var/log/fastd.log
+/var/log/named.log
+/var/log/net.log
+/var/log/openvpn.log
+{
+ rotate 7
+ daily
+ missingok
+ notifempty
+ delaycompress
+ compress
+ postrotate
+ invoke-rc.d rsyslog rotate > /dev/null
+ endscript
+}
+
diff --git a/rsyslog/ffho/20-bird.conf b/rsyslog/ffho/20-bird.conf
new file mode 100644
index 0000000..45e022e
--- /dev/null
+++ b/rsyslog/ffho/20-bird.conf
@@ -0,0 +1,6 @@
+$FileCreateMode 0640
+$FileOwner root
+$FileGroup adm
+
+if $programname == 'bird' or $programname == 'bird6' then /var/log/bird.log
+& ~
diff --git a/rsyslog/ffho/20-dhcp.conf b/rsyslog/ffho/20-dhcp.conf
new file mode 100644
index 0000000..cd5cb34
--- /dev/null
+++ b/rsyslog/ffho/20-dhcp.conf
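Review bot: `smtp inet n - - - - smtpd` is the one functional difference from `master.cf`, yet the header comment is byte-identical, so nothing in the file says that the `ops` node deliberately accepts inbound SMTP; a comment above that line such as `# ops host: accept inbound mail on port 25 (selected via grains['nodename'] in postfix/init.sls)` documents the exception. Which addresses the listener binds to and who may relay through it are decided by `inet_interfaces`, `mynetworks` and `smtpd_relay_restrictions` in main.cf, which this commit does not manage, so the package defaults apply — confirm they are what is wanted on that host.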
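Review bot: `& ~` is the legacy discard action; rsyslog 7 and later still accept it but log a deprecation warning at startup and recommend `& stop`. The same form is used in 20-dhcp.conf, 20-fastd.conf, 20-named.conf, 20-openvpn.conf, 30-net.conf, 50-auth.conf, 50-kern.conf, 50-user.conf and 99-debug.conf, and as `cron.* ~` in 90-cron.conf, so pick one form for all of them; if hosts with an rsyslog older than 7 still have to load these files, `~` is the only option and a comment saying so stops the next person from "fixing" it. The `$FileCreateMode`/`$FileOwner`/`$FileGroup` triplet at the top of every snippet repeats what `rsyslog.conf.logserver` already sets globally and can be dropped from the snippets.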
@@ -0,0 +1,6 @@
+$FileCreateMode 0640
+$FileOwner root
+$FileGroup adm
+
+if $programname == 'dhcpd' then /var/log/dhcp.log
+& ~
diff --git a/rsyslog/ffho/20-fastd.conf b/rsyslog/ffho/20-fastd.conf
new file mode 100644
index 0000000..08b3c19
--- /dev/null
+++ b/rsyslog/ffho/20-fastd.conf
@@ -0,0 +1,6 @@
+$FileCreateMode 0640
+$FileOwner root
+$FileGroup adm
+
+if $programname == 'fastd' then /var/log/fastd.log
+& ~
diff --git a/rsyslog/ffho/20-named.conf b/rsyslog/ffho/20-named.conf
new file mode 100644
index 0000000..edad3be
--- /dev/null
+++ b/rsyslog/ffho/20-named.conf
@@ -0,0 +1,6 @@
+$FileCreateMode 0640
+$FileOwner root
+$FileGroup adm
+
+if $programname == 'named' then /var/log/named.log
+& ~
diff --git a/rsyslog/ffho/20-openvpn.conf b/rsyslog/ffho/20-openvpn.conf
new file mode 100644
index 0000000..03f3c38
--- /dev/null
+++ b/rsyslog/ffho/20-openvpn.conf
@@ -0,0 +1,6 @@
+$FileCreateMode 0640
+$FileOwner root
+$FileGroup adm
+
+if $programname startswith 'ovpn' then /var/log/openvpn.log
+& ~
diff --git a/rsyslog/ffho/30-net.conf b/rsyslog/ffho/30-net.conf
new file mode 100644
index 0000000..8fcc142
--- /dev/null
+++ b/rsyslog/ffho/30-net.conf
@@ -0,0 +1,6 @@
+$FileCreateMode 0640
+$FileOwner root
+$FileGroup adm
+
+if $fromhost-ip startswith '172.30.' and $syslogfacility-text == 'local0' then /var/log/net.log
+& ~
diff --git a/rsyslog/ffho/50-auth.conf b/rsyslog/ffho/50-auth.conf
new file mode 100644
index 0000000..4779c9a
--- /dev/null
+++ b/rsyslog/ffho/50-auth.conf
@@ -0,0 +1,6 @@
+$FileCreateMode 0640
+$FileOwner root
+$FileGroup adm
+
+auth.*,authpriv.* /var/log/auth.log
+& ~
diff --git a/rsyslog/ffho/50-kern.conf b/rsyslog/ffho/50-kern.conf
new file mode 100644
index 0000000..b1fb1c9
--- /dev/null
+++ b/rsyslog/ffho/50-kern.conf
@@ -0,0 +1,6 @@
+$FileCreateMode 0640
+$FileOwner root
+$FileGroup adm
+
+kern.* -/var/log/kern.log
+& ~
diff --git a/rsyslog/ffho/50-messages.conf b/rsyslog/ffho/50-messages.conf
new file mode 100644
index 0000000..6218857
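Review bot: `auth.*,authpriv.*` in 50-auth.conf mixes the comma facility separator with two complete selectors; rsyslog's legacy selector parser appears to treat `,` and `;` alike at that position so it works, but `rsyslog.conf` in this same commit spells the identical selector `auth,authpriv.*`. Use the conventional form `auth,authpriv.* /var/log/auth.log` so both files read the same way; 50-messages.conf has the same pattern with `auth.none,authpriv.none` and the following lines.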
--- /dev/null
+++ b/rsyslog/ffho/50-messages.conf
@@ -0,0 +1,12 @@
+$FileCreateMode 0640
+$FileOwner root
+$FileGroup adm
+
+*.=info;*.=notice;*.=warn;*.=emerg;\
+ auth.none,authpriv.none;\
+ cron.none,daemon.none;\
+ mail.none,news.none;\
+ local0.none,local1.none;\
+ local2.none,local3.none;\
+ local4.none,local5.none;\
+ local6.none,local7.none -/var/log/messages
diff --git a/rsyslog/ffho/50-user.conf b/rsyslog/ffho/50-user.conf
new file mode 100644
index 0000000..40ffff4
--- /dev/null
+++ b/rsyslog/ffho/50-user.conf
@@ -0,0 +1,6 @@
+$FileCreateMode 0640
+$FileOwner root
+$FileGroup adm
+
+user.* -/var/log/user.log
+& ~
diff --git a/rsyslog/ffho/90-cron.conf b/rsyslog/ffho/90-cron.conf
new file mode 100644
index 0000000..c0f0716
--- /dev/null
+++ b/rsyslog/ffho/90-cron.conf
@@ -0,0 +1,6 @@
+$FileCreateMode 0640
+$FileOwner root
+$FileGroup adm
+
+#crons sollten nicht auf dem logserver geloggt werden. Falls doch bitte mit Einzelfilter und höherer Priorität
+cron.* ~
diff --git a/rsyslog/ffho/99-debug.conf b/rsyslog/ffho/99-debug.conf
new file mode 100644
index 0000000..abf0be9
--- /dev/null
+++ b/rsyslog/ffho/99-debug.conf
@@ -0,0 +1,12 @@
+$FileCreateMode 0640
+$FileOwner root
+$FileGroup adm
+
+#*.=debug;\
+# auth,authpriv.none;\
+# news.none;mail.none -/var/log/debug
+
+#fängt vorerst alle Nachrichten ab, die nicht in anderen Logs landen um rauszufinden was noch interessant sein könnte
+
+*.* /var/log/debug
+& ~
diff --git a/rsyslog/init.sls b/rsyslog/init.sls
new file mode 100644
index 0000000..c22f244
--- /dev/null
+++ b/rsyslog/init.sls
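Review bot: 50-messages.conf is the only 50-* snippet without a trailing `& ~`, so every message written to `/var/log/messages` continues on to the `*.*` catch-all in 99-debug.conf and is written to `/var/log/debug` a second time, although the comment in that file states it is meant to capture only messages that land in no other log. If that duplication is not intended, append `& ~` after the `-/var/log/messages` action, in the same style as the neighbouring snippets.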
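Review bot: The comment on the `cron.* ~` discard rule in 90-cron.conf is in German while every other comment in this changeset is English; an English version, `# cron messages are not logged on the logserver; if they are needed, add a dedicated filter with a higher priority`, keeps the tree consistent. The explanatory comment in 99-debug.conf (`#fängt vorerst alle Nachrichten ab, …`) has the same issue and says, roughly, that the rule provisionally catches everything not written to another log in order to find out what else might be of interest.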
@@ -0,0 +1,43 @@
+#
+# Rsyslog configuration
+#
+
+{% set roles = pillar.get ('roles', []) %}
+
+rsyslog:
+ pkg.installed:
+ - name: rsyslog
+ service.running:
+ - enable: True
+
+/etc/rsyslog.conf:
+ file.managed:
+ - watch_in:
+ - service: rsyslog
+{% if 'logserver' in roles %}
+ - source: salt://rsyslog/rsyslog.conf.logserver
+{% else %}
+ - source: salt://rsyslog/rsyslog.conf
+{% endif %}
+
+{% if 'logserver' in roles %}
+/etc/rsyslog.d/ffho.conf:
+ file.managed:
+ - source: salt://rsyslog/ffho.conf
+
+/etc/rsyslog.d/ffho:
+ file.recurse:
+ - source: salt://rsyslog/ffho
+ - file_mode: 644
+ - dir_mode: 755
+ - user: root
+ - group: root
+ - clean: true
+ - watch_in:
+ - service: rsyslog
+
+/etc/logrotate.d/ffho:
+ file.managed:
+ - source: salt://rsyslog/ffho.logrotate
+
+{% endif %}
diff --git a/rsyslog/rsyslog.conf b/rsyslog/rsyslog.conf
new file mode 100644
index 0000000..41cfc31
--- /dev/null
+++ b/rsyslog/rsyslog.conf
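Review bot: `/etc/rsyslog.d/ffho.conf` is managed without `- watch_in:` / `  - service: rsyslog`, unlike `/etc/rsyslog.conf` and `/etc/rsyslog.d/ffho`, so changes to it are written but never picked up by the running daemon; add the same two lines. `/etc/rsyslog.conf` also lacks `- require:` / `  - pkg: rsyslog`, so on a fresh host the file can be written before the package is installed. The role lookup differs from bash/init.sls, which reads `globals.ROLES` from `globals.sls` rather than `pillar.get('roles', [])`; if both resolve the same data, one accessor should be used throughout.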
@@ -0,0 +1,123 @@
+# /etc/rsyslog.conf Configuration file for rsyslog.
+#
+# For more information see
+# /usr/share/doc/rsyslog-doc/html/rsyslog_conf.html
+
+
+#################
+#### MODULES ####
+#################
+
+$ModLoad imuxsock # provides support for local system logging
+$ModLoad imklog # provides kernel logging support
+#$ModLoad immark # provides --MARK-- message capability
+
+# provides UDP syslog reception
+#$ModLoad imudp
+#$UDPServerRun 514
+
+# provides TCP syslog reception
+#$ModLoad imtcp
+#$InputTCPServerRun 514
+
+
+###########################
+#### GLOBAL DIRECTIVES ####
+###########################
+
+#
+# Use traditional timestamp format.
+# To enable high precision timestamps, comment out the following line.
+#
+$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
+
+#
+# Set the default permissions for all log files.
+#
+$FileOwner root
+$FileGroup adm
+$FileCreateMode 0640
+$DirCreateMode 0755
+$Umask 0022
+
+#
+# Where to place spool and state files
+#
+$WorkDirectory /var/spool/rsyslog
+
+#
+# Include all config files in /etc/rsyslog.d/
+#
+$IncludeConfig /etc/rsyslog.d/*.conf
+
+
+###############
+#### RULES ####
+###############
+
+#
+# First some standard log files. Log by facility.
+#
+auth,authpriv.* /var/log/auth.log
+*.*;auth,authpriv.none -/var/log/syslog
+#cron.* /var/log/cron.log
+daemon.* -/var/log/daemon.log
+kern.* -/var/log/kern.log
+lpr.* -/var/log/lpr.log
+mail.* -/var/log/mail.log
+user.* -/var/log/user.log
+
+#
+# Logging for the mail system. Split it up so that
+# it is easy to write scripts to parse these files.
+#
+mail.info -/var/log/mail.info
+mail.warn -/var/log/mail.warn
+mail.err /var/log/mail.err
+
+#
+# Logging for INN news system.
+#
+news.crit /var/log/news/news.crit
+news.err /var/log/news/news.err
+news.notice -/var/log/news/news.notice
+
+#
+# Some "catch-all" log files.
+#
+*.=debug;\
+ auth,authpriv.none;\
+ news.none;mail.none -/var/log/debug
+*.=info;*.=notice;*.=warn;\
+ auth,authpriv.none;\
+ cron,daemon.none;\
+ mail,news.none -/var/log/messages
+
+#
+# Emergencies are sent to everybody logged in.
+#
+*.emerg :omusrmsg:*
+
+#
+# I like to have messages displayed on the console, but only on a virtual
+# console I usually leave idle.
+#
+#daemon,mail.*;\
+# news.=crit;news.=err;news.=notice;\
+# *.=debug;*.=info;\
+# *.=notice;*.=warn /dev/tty8
+
+# The named pipe /dev/xconsole is for the `xconsole' utility. To use it,
+# you must invoke `xconsole' with the `-file' option:
+#
+# $ xconsole -file /dev/xconsole [...]
+#
+# NOTE: adjust the list below, or you'll go crazy if you have a reasonably
+# busy site..
+#
+daemon.*;mail.*;\
+ news.err;\
+ *.=debug;*.=info;\
+ *.=notice;*.=warn |/dev/xconsole
+
+*.* @10.132.251.43
diff --git a/rsyslog/rsyslog.conf.logserver b/rsyslog/rsyslog.conf.logserver
new file mode 100644
index 0000000..632518d
--- /dev/null
+++ b/rsyslog/rsyslog.conf.logserver
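Review bot: `*.* @10.132.251.43` ships every message, including `auth,authpriv.*`, over plain UDP: nothing is retried if the collector is unreachable, there is no integrity or confidentiality on the wire, and the destination is a hard-coded address in a file that is distributed to every non-logserver host. Forwarding over TCP (`@@`) with a disk-assisted action queue keeps messages through a collector outage, the line needs a comment saying what the address is, and the address itself belongs in pillar or `globals.sls` rather than in the template. TLS for the forward (rsyslog's gtls stream driver) is the next step once the collector side is ready.
```conf
# … unchanged: standard rules above …

# Forward everything to the FFHO logserver (see rsyslog.conf.logserver).
# Queue to disk so a collector outage does not lose messages.
$ActionQueueType LinkedList
$ActionQueueFileName fwdRule1
$ActionQueueMaxDiskSpace 1g
$ActionQueueSaveOnShutdown on
$ActionResumeRetryCount -1
*.* @@10.132.251.43:514
```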
@@ -0,0 +1,121 @@
+# /etc/rsyslog.conf Configuration file for rsyslog.
+#
+# For more information see
+# /usr/share/doc/rsyslog-doc/html/rsyslog_conf.html
+
+
+#################
+#### MODULES ####
+#################
+
+$ModLoad imuxsock # provides support for local system logging
+$ModLoad imklog # provides kernel logging support
+#$ModLoad immark # provides --MARK-- message capability
+
+# provides UDP syslog reception
+$ModLoad imudp
+$UDPServerRun 514
+
+# provides TCP syslog reception
+$ModLoad imtcp
+$InputTCPServerRun 514
+
+
+###########################
+#### GLOBAL DIRECTIVES ####
+###########################
+
+#
+# Use traditional timestamp format.
+# To enable high precision timestamps, comment out the following line.
+#
+$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
+
+#
+# Set the default permissions for all log files.
+#
+$FileOwner root
+$FileGroup adm
+$FileCreateMode 0640
+$DirCreateMode 0755
+$Umask 0022
+
+#
+# Where to place spool and state files
+#
+$WorkDirectory /var/spool/rsyslog
+
+#
+# Include all config files in /etc/rsyslog.d/
+#
+$IncludeConfig /etc/rsyslog.d/*.conf
+
+
+###############
+#### RULES ####
+###############
+
+#
+# First some standard log files. Log by facility.
+#
+#auth,authpriv.* /var/log/auth.log
+#*.*;auth,authpriv.none -/var/log/syslog
+#cron.* /var/log/cron.log
+#daemon.* -/var/log/daemon.log
+#kern.* -/var/log/kern.log
+#lpr.* -/var/log/lpr.log
+#mail.* -/var/log/mail.log
+#user.* -/var/log/user.log
+
+#
+# Logging for the mail system. Split it up so that
+# it is easy to write scripts to parse these files.
+#
+#mail.info -/var/log/mail.info
+#mail.warn -/var/log/mail.warn
+#mail.err /var/log/mail.err
+
+#
+# Logging for INN news system.
+#
+#news.crit /var/log/news/news.crit
+#news.err /var/log/news/news.err
+#news.notice -/var/log/news/news.notice
+
+#
+# Some "catch-all" log files.
+#
+#*.=debug;\
+# auth,authpriv.none;\
+# news.none;mail.none -/var/log/debug
+#*.=info;*.=notice;*.=warn;\
+# auth,authpriv.none;\
+# cron,daemon.none;\
+# mail,news.none -/var/log/messages
+
+#
+# Emergencies are sent to everybody logged in.
+#
+#*.emerg :omusrmsg:*
+
+#
+# I like to have messages displayed on the console, but only on a virtual
+# console I usually leave idle.
+#
+#daemon,mail.*;\
+# news.=crit;news.=err;news.=notice;\
+# *.=debug;*.=info;\
+# *.=notice;*.=warn /dev/tty8
+
+# The named pipe /dev/xconsole is for the `xconsole' utility. To use it,
+# you must invoke `xconsole' with the `-file' option:
+#
+# $ xconsole -file /dev/xconsole [...]
+#
+# NOTE: adjust the list below, or you'll go crazy if you have a reasonably
+# busy site..
+#
+#daemon.*;mail.*;\
+# news.err;\
+# *.=debug;*.=info;\
+# *.=notice;*.=warn |/dev/xconsole
diff --git a/screen/init.sls b/screen/init.sls
new file mode 100644
index 0000000..cd42406
--- /dev/null
+++ b/screen/init.sls
@@ -0,0 +1,11 @@
+#
+# Screen
+#
+
+screen:
+ pkg.installed:
+ - name: screen
+
+/root/.screenrc:
+ file.managed:
+ - source: salt://screen/screenrc.root
diff --git a/screen/screenrc.root b/screen/screenrc.root
new file mode 100644
index 0000000..c33f5d9
--- /dev/null
+++ b/screen/screenrc.root
@@ -0,0 +1,17 @@
+#
+# /root/.screenrc (Salt managed)
+#
+
+nethack on
+autodetach on
+crlf off
+deflogin off
+hardcopy_append off
+startup_message off
+vbell off
+defscrollback 10000
+silencewait 15
+hardstatus alwayslastline " %H (%l) | %d.%m %c | %w"
+sorendition 02 10
+
+bind P paste .
diff --git a/snmpd/default_snmpd b/snmpd/default_snmpd
new file mode 100644
index 0000000..afffdf7
--- /dev/null
+++ b/snmpd/default_snmpd
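Review bot: `$UDPServerRun 514` and `$InputTCPServerRun 514` open both receivers without any `$AllowedSender` restriction, so every host that can reach the port can write arbitrary lines into `/var/log/auth.log`, `/var/log/debug` and the other files under `rsyslog.d/ffho`; the `$fromhost-ip startswith '172.30.'` test in 30-net.conf only routes by the claimed source address and is no authentication of the sender. Add sender lists for both receivers, e.g. `$AllowedSender UDP, 127.0.0.1, 172.30.0.0/16` and `$AllowedSender TCP, 127.0.0.1, 172.30.0.0/16` (the /16 is a constructed example derived from the 30-net.conf prefix; substitute the real management ranges), and keep a host firewall rule for port 514 in front of it. With inputs from many nodes a `$MainMsgQueueSize` or a per-ruleset queue is also worth a thought, but the sender restriction is the part to settle before this goes live.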
@@ -0,0 +1,22 @@
+# This file controls the activity of snmpd and snmptrapd (Salt managed)
+
+# Don't load any MIBs by default.
+# You might comment this lines once you have the MIBs downloaded.
+export MIBS=
+
+# snmpd control (yes means start daemon).
+SNMPDRUN=yes
+
+# snmpd options (use syslog, close stdin/out/err).
+SNMPDOPTS='-LSwd -Lf /dev/null -u snmp -g snmp -I -smux -p /var/run/snmpd.pid'
+
+# snmptrapd control (yes means start daemon). As of net-snmp version
+# 5.0, master agentx support must be enabled in snmpd before snmptrapd
+# can be run. See snmpd.conf(5) for how to do this.
+TRAPDRUN=no
+
+# snmptrapd options (use syslog).
+TRAPDOPTS='-LS5d -p /var/run/snmptrapd.pid'
+
+# create symlink on Debian legacy location to official RFC path
+SNMPDCOMPAT=yes
diff --git a/snmpd/ifAlias b/snmpd/ifAlias
new file mode 100755
index 0000000..af5cc98
--- /dev/null
+++ b/snmpd/ifAlias
@@ -0,0 +1,155 @@
+#!/bin/bash
+# (c) 2013, 2014, f0o@devilcode.org
+# (c) 2015 by Maximilian Wilhelm
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+ALIASES_FILE="/etc/snmp/if_aliases"
+
+BASE='.1.3.6.1.2.1.31.1.1.1.18'
+ID=$(cut -d . -f 13 <<< $2)
+cache=$(ip l)
+
+if [ -z "$ID" ]; then
+ ID=0
+fi
+
+if [ "$1" = "-n" ]; then
+ IFS="
+"
+ for dev in $(grep mtu <<<"$cache" | cut -d : -f 1|sort -n); do
+ if [ "$LAST" == "$ID" ]; then
+ ID=$dev
+ BRK=1
+ break
+ else
+ LAST=$dev
+ fi
+ done
+ if [ -z "$BRK" ]; then
+ exit 0
+ fi
+fi
+
+IFACE=$(grep "^${ID}: " <<<"$cache" | sed 's/[:@]\s/ /g'| cut -d " " -f 2)
+
+echo ${BASE}.${ID}
+if [ "X${IFACE}" = "X" ]; then
+ echo noSuchName
+else
+ if_alias=""
+
+ # Try to figure out current Linux distribution to guess network configuration file
+ distro=""
+ if [ -x /usr/bin/distro ]; then
+ distro=$(distro | cut -d " " -f 1)
+ elif which lsb_release >/dev/null 2>/dev/null; then
+ distro="$(lsb_release -a 2>/dev/null | awk -F: '/^Distributor ID/ { print $2 }' | tr -d '[[:space:]]')"
+ fi
+
+ if [ "${distro}" ]; then
+ case "${distro}" in
+ Debian)
+ cnf="/etc/network/interfaces"
+ # TODO: Support /etc/network/interfaces.d/
+ ;;
+
+ Gentoo)
+ cnf="/etc/conf.d/net"
+ ;;
+
+ CentOS|RedHat|SuSE|Mandriva|Mandrake)
+ cnf="/etc/sysconfig/network-scripts/ifcfg-$IFACE"
+ ;;
+
+ Archlinux)
+ cnf="/etc/conf.d/net-conf-$IFACE"
+ ;;
+
+ *)
+ cnf=""
+ ;;
+ esac
+ fi
+
+ if [ -n 
"$cnf" ]; then
+ if_alias=$(grep -i "^# $IFACE:" "${cnf}" | sed "s/^# $IFACE: //i")
+ fi
+
+ if [ ! "${if_alias}" -a -f "${ALIASES_FILE}" ]; then
+ if_alias=$(grep -i "^$IFACE:" "${ALIASES_FILE}" | sed -e "s/^$IFACE:[[:space:]]*//")
+ fi
+
+
+ # FFHO local
+ case "${IFACE}" in
+ # Transit
+ tun42)
+ if_alias="Transit: Perfect Privacy"
+ ;;
+
+ he-ipv6)
+ if_alias="Transit: HE-IPv6"
+ ;;
+
+ gre_ffrl*)
+ if_alias="Transit: FFRL"
+ ;;
+
+ # Peerings
+ icvpn)
+ if_alias="Peering: ICVPN"
+ ;;
+
+ # Core
+ core*)
+ if_alias="Core: core-vpn"
+ ;;
+
+ bb-*)
+ if_alias="Core: Backbone-vpn"
+ ;;
+
+ vlan1*)
+ if_alias="Core: X-Connect"
+ ;;
+
+ inter-gw-vpn)
+ if_alias="Core: Inter-Gateway-B.A.T.M.A.N."
+ ;;
+
+ # Server
+ infra-srv-vpn|user-srv-vpn)
+ if_alias="Server: ${IFACE}"
+ ;;
+
+ vlan3*)
+ if_alias="Server: Mgmt"
+ ;;
+
+ # Customer
+ mesh-*)
+ if_alias="Cust: B.A.T.M.A.N. mesh"
+ ;;
+
+ vlan23)
+ if_alias="Cust: Local Mesh break-out"
+ ;;
+ esac
+
+ echo "string"
+ echo ${if_alias}
+fi
+
+exit 0
diff --git a/snmpd/init.sls b/snmpd/init.sls
new file mode 100644
index 0000000..c3a284c
--- /dev/null
+++ b/snmpd/init.sls
@@ -0,0 +1,51 @@
+#
+# SNMPd
+#
+
+include:
+ - network.interfaces
+
+#
+# Install and start SNMPd
+# Require /etc/network/interfaces to be installed (and ifreload'ed) so we
+# can simply pick lookback IP addresses from grains.
+snmpd:
+ pkg.installed:
+ - name: snmpd
+ - require:
+ - file: /etc/network/interfaces
+ service.running:
+ - enable: true
+ - reload: true
+
+
+/etc/default/snmpd:
+ file.managed:
+ - source: salt://snmpd/default_snmpd
+ - require:
+ - pkg: snmpd
+ - watch_in:
+ - service: snmpd
+
+
+/etc/snmp/snmpd.conf:
+ file.managed:
+ - template: jinja
+ - source: salt://snmpd/snmpd.conf
+ - require:
+ - pkg: snmpd
+ - watch_in:
+ - service: snmpd
+
+
+/etc/snmp/ifAlias:
+ file.managed:
+ - source: salt://snmpd/ifAlias
+ - user: root
+ - group: root
+ - mode: 755
+ - require:
+ - pkg: snmpd
+
+
+# TODO: Lookback-IP aus grains
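Review bot: In ifAlias the OID component `ID=$(cut -d . -f 13 <<< $2)` is interpolated into `grep "^${ID}: "` without ever being checked as numeric, and the final `echo ${if_alias}` is unquoted, so an alias containing `*` or `?` (taken from a `# iface:` comment in /etc/network/interfaces or from /etc/snmp/if_aliases) is glob-expanded against the snmp user's working directory before it goes out on the wire. snmpd supplies `$2`, so the regex exposure is low, but this is a `pass` handler reachable by anyone holding the community and both fixes are one line each: `[[ "$ID" =~ ^[0-9]+$ ]] || ID=0` after the assignment and `printf '%s\n' "${if_alias}"` in place of the echo. `if [ ! "${if_alias}" -a -f "${ALIASES_FILE}" ]` also uses the deprecated `-a`; `[[ -z "${if_alias}" && -f "${ALIASES_FILE}" ]]` is the bash form. The script also emits the alias of the `/etc/network/interfaces` comment verbatim, so operators should be told that anything written in a `# iface:` comment becomes SNMP-visible.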
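Review bot: `/etc/snmp/snmpd.conf` is rendered with the read-only community string in it, but the state sets no `user`, `group` or `mode`, so the file appears to keep whatever mode it has when Salt first writes it and a freshly created one falls back to the minion's umask, typically world-readable; the Debian package ships it root-only, but a state should not rely on that. Add `- user: root`, `- group: root` and `- mode: 600` next to `- template: jinja` so local accounts cannot read the community. For consistency the same three lines belong on `/etc/default/snmpd`, even though nothing secret is in it today.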
diff --git a/snmpd/snmpd.conf b/snmpd/snmpd.conf
new file mode 100644
index 0000000..a9af89d
--- /dev/null
+++ b/snmpd/snmpd.conf
@@ -0,0 +1,94 @@
+{%- import "globals.sls" as globals with context %}
+{%- set ro_community = salt['pillar.get'] ('ffho:snmp:ro_community', "Configure ffho:snmp:ro_community in pillar...") %}
+#
+# /etc/snmp/snmpd.conf (Salt managed)
+#
+
+# Listen for connections from the local system
+agentAddress udp:127.0.0.1:161
+agentAddress udp6:[::1]:161
+
+# Listen for connections on Loopback-IPs
+{%- if globals.LOOPBACK_IPv4 %}
+agentAddress udp:{{ globals.LOOPBACK_IPv4 }}:161
+{%- endif %}
+{%- if globals.LOOPBACK_IPv6 %}
+agentAddress udp6:[{{ globals.LOOPBACK_IPv6 }}]:161
+{%- endif %}
+
+
+ocommunity {{ ro_community }} 10.132.251.161
+rocommunity6 {{ ro_community }} fdca:ffee:ff12:a251::161
+
+sysLocation {{ globals.SYS_LOCATION }}
+sysContact ops@ffho.net
+sysServices 72
+
+#
+# Network interfaces
+#
+{%- if 'gateway' in globals.ROLES %}
+# Set B.A.T.M.A.N. related devices to 100 MBit/s
+interface bat0 6 100000000
+interface inter-gw-vpn 6 100000000
+interface mesh-vpn-v4 6 100000000
+interface mesh-vpn-v6 6 100000000
+{%- endif %}
+
+{%- set ovpn_networks = [] %}
+{%- for netname, network in salt['pillar.get']('ovpn', {}).items () if grains['id'] in network %}
+ {%- do ovpn_networks.append (netname) %}
+{%- endfor %}
+{%- for netname in ovpn_networks|sort %}
+ {%- set network = salt['pillar.get']('ovpn:' ~ netname) %}
+ {%- set network_config = network.get ('config') %}
+ {%- set host_stanza = network.get (grains['id']) %}
+ {%- set host_config = host_stanza.get ('config', {}) %}
+ {%- set interface = host_config.get ('interface', network_config.get ('interface')) %}
+ {%- if loop.first %}
+# OpenVPN interfaces
+ {%- endif %}
+interface {{ interface }} 6 100000000
+{%- endfor %}
+
+
+#
+# Try to figure out meaningful interface descriptions/aliases
+pass .1.3.6.1.2.1.31.1.1.1.18 /etc/snmp/ifAlias
+
+
+#
+# Disk Monitoring
+#
+ # 10MBs required on root disk, 5% free on /var, 10% free on all other disks
+disk / 10000
+disk /var 5%
+includeAllDisks 10%
+
+# Walk the 
UCD-SNMP-MIB::dskTable to see the resulting output
+# Note that this table will be empty if there are no "disk" entries in the snmpd.conf file
+
+
+#
+# System Load
+#
+ # Unacceptable 1-, 5-, and 15-minute load averages
+load 12 10 5
+
+# Walk the UCD-SNMP-MIB::laTable to see the resulting output
+# Note that this table *will* be populated, even without a "load" entry in the snmpd.conf file
+
+
+#
+# Event MIB - automatically generate alerts
+#
+ # Remember to activate the 'createUser' lines above
+iquerySecName internalUser
+rouser internalUser
+ # generate traps on UCD error conditions
+defaultMonitors no
+ # generate traps on linkUp/Down
+linkUpDownNotifications no
+
+
+master agentx
diff --git a/sudo/ffho.tmpl b/sudo/ffho.tmpl
new file mode 100644
index 0000000..75945bb
--- /dev/null
+++ b/sudo/ffho.tmpl
@@ -0,0 +1,8 @@
+{%- import "globals.sls" as globals with context %}
+
+{% for role in globals.ROLES %}
+ {%- set file = "sudo/roles/" + role %}
+ {%- include file ignore missing %}
+{% endfor %}
+
+{%- include "sudo/hosts/" + grains['id'] ignore missing %}
diff --git a/sudo/hosts/services.in.ffho.net b/sudo/hosts/services.in.ffho.net
new file mode 100644
index 0000000..03fb631
--- /dev/null
+++ b/sudo/hosts/services.in.ffho.net
@@ -0,0 +1,4 @@
+nagios ALL=NOPASSWD:/usr/local/share/nagios/plugins/check_gw_mesh
+nagios ALL=NOPASSWD:/usr/local/share/nagios/plugins/check_gw_mesh_comm
+nagios ALL=NOPASSWD:/usr/local/share/nagios/plugins/check_bat0_health
+nagios ALL=NOPASSWD:/usr/local/share/nagios/plugins/check_rouge_gw
diff --git a/sudo/init.sls b/sudo/init.sls
new file mode 100644
index 0000000..801ae31
--- /dev/null
+++ b/sudo/init.sls
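Review bot: `ocommunity {{ ro_community }} 10.132.251.161` is missing its leading `r`; snmpd logs an unknown-token warning for that line and carries on, so the IPv4 monitoring host gets no read access while the `rocommunity6` line below it works, and nothing in the state catches this. It should read `rocommunity {{ ro_community }} 10.132.251.161`. The pillar fallback `"Configure ffho:snmp:ro_community in pillar..."` is also rendered verbatim into the community line on any minion missing the pillar key, leaving either a predictable community or a mangled directive; fetching the value without a default (`{%- set ro_community = salt['pillar.get']('ffho:snmp:ro_community') %}`) and aborting the render when it is empty is safer than a placeholder secret. Finally, `# Remember to activate the 'createUser' lines above` refers to lines that do not exist in this file, so `iquerySecName internalUser` / `rouser internalUser` name a user that is never created and the Event MIB block is inert; add the `createUser` or drop the stale comment.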
@@ -0,0 +1,23 @@
+#
+# Vim magic
+#
+
+sudo:
+ pkg.installed:
+ - name: sudo
+
+/etc/sudoers.d:
+ file.directory:
+ - user: root
+ - group: root
+ - mode: 755
+ - makedirs: True
+
+/etc/sudoers:
+ file.managed:
+ - source: salt://sudo/sudoers
+
+/etc/sudoers.d/ffho:
+ file.managed:
+ - source: salt://sudo/ffho.tmpl
+ - template: jinja
diff --git a/sudo/roles/gateway b/sudo/roles/gateway
new file mode 100644
index 0000000..febb197
--- /dev/null
+++ b/sudo/roles/gateway
@@ -0,0 +1,3 @@
+nagios ALL=NOPASSWD:/usr/local/share/nagios/plugins/check_gw_mesh
+nagios ALL=NOPASSWD:/usr/local/share/nagios/plugins/check_gw_mesh_comm
+nagios ALL=NOPASSWD:/usr/local/share/nagios/plugins/check_bat0_health
diff --git a/sudo/roles/kvm_host b/sudo/roles/kvm_host
new file mode 100644
index 0000000..679f52d
--- /dev/null
+++ b/sudo/roles/kvm_host
@@ -0,0 +1 @@
+nagios ALL=NOPASSWD:/usr/lib/nagios/plugins/check_kvm
diff --git a/sudo/sudoers b/sudo/sudoers
new file mode 100644
index 0000000..3794533
--- /dev/null
+++ b/sudo/sudoers
@@ -0,0 +1,27 @@
+#
+# This file MUST be edited with the 'visudo' command as root.
+#
+# Please consider adding local content in /etc/sudoers.d/ instead of
+# directly modifying this file.
+#
+# See the man page for details on how to write a sudoers file.
+#
+Defaults env_reset
+Defaults mail_badpass
+Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+
+# Host alias specification
+
+# User alias specification
+
+# Cmnd alias specification
+
+# User privilege specification
+root ALL=(ALL:ALL) ALL
+
+# Allow members of group sudo to execute any command
+%sudo ALL=(ALL:ALL) ALL
+
+# See sudoers(5) for more information on "#include" directives:
+
+#includedir /etc/sudoers.d
diff --git a/sysctl/NAT.conf b/sysctl/NAT.conf
new file mode 100644
index 0000000..b7f164e
--- /dev/null
+++ b/sysctl/NAT.conf
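Review bot: Both `/etc/sudoers` and the Jinja-rendered `/etc/sudoers.d/ffho` are written with a bare `file.managed`, with no `mode` and no `check_cmd`, so a typo in a role fragment or a bad render is installed as-is and sudo then refuses the whole policy until someone with a root shell repairs it; sudo also rejects a sudoers file whose mode is not 0440, and a freshly written file here will not be. Add `- user: root`, `- group: root`, `- mode: 440` and `- check_cmd: /usr/sbin/visudo -cf` to both states so the candidate file is syntax-checked before it replaces the live one. The `# Vim magic` header at the top of this hunk looks like a copy-paste leftover from vim/init.sls.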
@@ -0,0 +1,12 @@
+#
+# /etc/sysctl.d/NAT.conf (Salt managed)
+#
+# "Be conservative in what you do,
+# be liberal in what you accept from others."
+# If it's non-zero, we mark only out of window RST segments as INVALID.
+# -- net/netfilter/nf_conntrack_proto_tcp.c
+#
+net.ipv4.netfilter.ip_conntrack_tcp_be_liberal = 1
+
+# Increase conntrack table size (default 32k)
+net.ipv4.netfilter.ip_conntrack_max = 16777216
diff --git a/sysctl/arp_caches.conf b/sysctl/arp_caches.conf
new file mode 100644
index 0000000..94eec12
--- /dev/null
+++ b/sysctl/arp_caches.conf
@@ -0,0 +1,7 @@
+net.ipv4.neigh.default.gc_thresh1 = 1024
+net.ipv4.neigh.default.gc_thresh2 = 2048
+net.ipv4.neigh.default.gc_thresh3 = 4096
+
+net.ipv6.neigh.default.gc_thresh1 = 1024
+net.ipv6.neigh.default.gc_thresh2 = 2048
+net.ipv6.neigh.default.gc_thresh3 = 4096
diff --git a/sysctl/init.sls b/sysctl/init.sls
new file mode 100644
index 0000000..e2b41dd
--- /dev/null
+++ b/sysctl/init.sls
@@ -0,0 +1,17 @@
+#
+# sysctl
+#
+
+# Define command to reload sysctl settings here without dependencies
+# and define inverse dependencies where useful (see sysctl.conf)
+reload-sysctl:
+ cmd.wait:
+ - watch: []
+ - name: /sbin/sysctl --system
+
+
+/etc/sysctl.conf:
+ file.managed:
+ - source: salt://sysctl/sysctl.conf
+ - watch_in:
+ - cmd: reload-sysctl
diff --git a/sysctl/ip_forward.conf b/sysctl/ip_forward.conf
new file mode 100644
index 0000000..c24ade9
--- /dev/null
+++ b/sysctl/ip_forward.conf
@@ -0,0 +1,2 @@
+net.ipv4.ip_forward=1
+net.ipv6.conf.all.forwarding=1
diff --git a/sysctl/kernel.conf b/sysctl/kernel.conf
new file mode 100644
index 0000000..0e691d4
--- /dev/null
+++ b/sysctl/kernel.conf
@@ -0,0 +1,3 @@
+# after kernel oops wait 1 sec, than reset system
+kernel.panic_on_oops = 1
+kernel.panic = 1
diff --git a/sysctl/nf-ignore-bridge.conf b/sysctl/nf-ignore-bridge.conf
new file mode 100644
index 0000000..54fccda
--- /dev/null
+++ b/sysctl/nf-ignore-bridge.conf
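Review bot: `net.ipv4.netfilter.ip_conntrack_max = 16777216` raises the ceiling to 16M tracked flows, and each conntrack entry costs a few hundred bytes of non-swappable kernel memory, so on a gateway facing an untrusted mesh a SYN or UDP flood can pin several GB instead of hitting a bounded table; unless these hosts really have that RAM to spare, derive the limit from available memory and set a matching conntrack hashsize, which this file does not touch. The `net.ipv4.netfilter.ip_conntrack_*` names are also the legacy compatibility aliases; the canonical keys are `net.netfilter.nf_conntrack_max` and `net.netfilter.nf_conntrack_tcp_be_liberal`, and both only exist once the conntrack module is loaded, so `sysctl --system` at boot may skip them with an error nothing here notices. A comment recording that dependency, and a modules-load entry to satisfy it, would make the setting reliable.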
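Review bot: `kernel.panic_on_oops = 1` with `kernel.panic = 1` turns every oops into a reboot one second later, a reasonable availability choice for an unattended gateway, but the oops text is gone before anyone reads it unless it reaches remote syslog, netconsole or pstore; since the rsyslog.conf in this change keeps every local file rule commented out, it is worth confirming kernel messages actually leave the box before an oops is the only evidence of a kernel bug or an exploit attempt. The comment has a typo, `than` for `then`: `# after kernel oops wait 1 sec, then reset system`.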
@@ -0,0 +1,4 @@
+# Don't filter packet passing a bridge and not being routed on this host.
+net.bridge.bridge-nf-call-iptables = 0
+net.bridge.bridge-nf-call-ip6tables = 0
+net.bridge.bridge-nf-call-arptables = 0
diff --git a/sysctl/router.sls b/sysctl/router.sls
new file mode 100644
index 0000000..7212d69
--- /dev/null
+++ b/sysctl/router.sls
@@ -0,0 +1,36 @@
+#
+# Sysctl stuff for routers
+#
+
+include:
+ - sysctl
+
+/etc/sysctl.d/21-ip_forward.conf:
+ file.managed:
+ - source: salt://sysctl/ip_forward.conf
+ - watch_in:
+ - cmd: reload-sysctl
+
+/etc/sysctl.d/20-arp_caches.conf:
+ file.managed:
+ - source: salt://sysctl/arp_caches.conf
+ - watch_in:
+ - cmd: reload-sysctl
+
+/etc/sysctl.d/22-kernel.conf:
+ file.managed:
+ - source: salt://sysctl/kernel.conf
+ - watch_in:
+ - cmd: reload-sysctl
+
+/etc/sysctl.d/NAT.conf:
+ file.managed:
+ - source: salt://sysctl/NAT.conf
+ - watch_in:
+ - cmd: reload-sysctl
+
+/etc/sysctl.d/nf-ignore-bridge.conf:
+ file.managed:
+ - source: salt://sysctl/nf-ignore-bridge.conf
+ - watch_in:
+ - cmd: reload-sysctl
diff --git a/sysctl/sysctl.conf b/sysctl/sysctl.conf
new file mode 100644
index 0000000..2a96f6c
--- /dev/null
+++ b/sysctl/sysctl.conf
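Review bot: The three `net.bridge.bridge-nf-call-*` keys only exist once the bridge netfilter module is loaded, so on a host where the bridge comes up after `sysctl --system` they are not applied at boot and the comment's promise that bridged frames bypass iptables holds only after the next reload, which also means the host's filter rules silently apply to mesh traffic until then. The comment should also spell out the security consequence: once these are 0, no INPUT or FORWARD rule on this host sees frames bridged between mesh clients, so any client-to-client isolation has to live in ebtables or on the bridge itself. Something like `# NOTE: with these at 0, iptables/ip6tables never see bridged frames; client isolation must be done with ebtables or bridge port settings` next to the existing line would record that.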
@@ -0,0 +1,60 @@
+#
+# /etc/sysctl.conf - Configuration file for setting system variables
+# See /etc/sysctl.d/ for additional system variables
+# See sysctl.conf (5) for information.
+#
+
+#kernel.domainname = example.com
+
+# Uncomment the following to stop low-level messages on console
+#kernel.printk = 3 4 1 3
+
+##############################################################3
+# Functions previously found in netbase
+#
+
+# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
+# Turn on Source Address Verification in all interfaces to
+# prevent some spoofing attacks
+#net.ipv4.conf.default.rp_filter=1
+#net.ipv4.conf.all.rp_filter=1
+
+# Uncomment the next line to enable TCP/IP SYN cookies
+# See http://lwn.net/Articles/277146/
+# Note: This may impact IPv6 TCP sessions too
+#net.ipv4.tcp_syncookies=1
+
+# Uncomment the next line to enable packet forwarding for IPv4
+#net.ipv4.ip_forward=1
+
+# Uncomment the next line to enable packet forwarding for IPv6
+# Enabling this option disables Stateless Address Autoconfiguration
+# based on Router Advertisements for this host
+#net.ipv6.conf.all.forwarding=1
+
+
+###################################################################
+# Additional settings - these settings can improve the network
+# security of the host and prevent against some network attacks
+# including spoofing attacks and man in the middle attacks through
+# redirection. Some network environments, however, require that these
+# settings are disabled so review and enable them as needed.
+#
+# Do not accept ICMP redirects (prevent MITM attacks)
+#net.ipv4.conf.all.accept_redirects = 0
+#net.ipv6.conf.all.accept_redirects = 0
+# _or_
+# Accept ICMP redirects only for gateways listed in our default
+# gateway list (enabled by default)
+# net.ipv4.conf.all.secure_redirects = 1
+#
+# Do not send ICMP redirects (we are not a router)
+#net.ipv4.conf.all.send_redirects = 0
+#
+# Do not accept IP source route packets (we are not a router)
+#net.ipv4.conf.all.accept_source_route = 0
+#net.ipv6.conf.all.accept_source_route = 0
+#
+# Log Martian Packets
+#net.ipv4.conf.all.log_martians = 1
+#
diff --git a/vim/init.sls b/vim/init.sls
new file mode 100644
index 0000000..067fc66
--- /dev/null
+++ b/vim/init.sls
@@ -0,0 +1,11 @@
+#
+# Vim magic
+#
+
+vim:
+ pkg.installed:
+ - name: vim
+
+/root/.vimrc:
+ file.managed:
+ - source: salt://vim/vimrc
diff --git a/vim/vimrc b/vim/vimrc
new file mode 100644
index 0000000..7df2fb2
--- /dev/null
+++ b/vim/vimrc
@@ -0,0 +1,4 @@
+set nowrap
+set ai
+syn on
+color delek
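Review bot: This is the stock Debian sysctl.conf with every hardening knob left commented out, and router.sls enables `ip_forward` and `forwarding` on top of it, so a forwarding mesh gateway ends up with the kernel defaults for `accept_redirects`, `accept_source_route`, `send_redirects` and `log_martians`, and the `(we are not a router)` remarks next to `send_redirects` and `accept_source_route` are wrong for exactly the hosts that include this file. Decide these explicitly for the router role rather than inheriting defaults, e.g. `net.ipv4.conf.all.accept_redirects = 0`, `net.ipv6.conf.all.accept_redirects = 0` and `net.ipv4.conf.all.accept_source_route = 0` in a numbered sysctl.d fragment managed like the others. `rp_filter` needs a conscious choice as well, since strict mode (`1`) can drop legitimate traffic on asymmetric mesh paths where loose mode (`2`) would not; whichever is chosen, a one-line comment saying why keeps the next reader from "fixing" it.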