This project implements a basic system setup for the following platforms:

- Ubuntu 16.04 LTS (tested by spectests)
- Ubuntu 18.04 LTS (tested by spectests)
- Debian Stretch (tested by spectests)
- CentOS 7
  - implementation not complete
  - contributions are very welcome (just fix the code/tests and submit pull requests)
  - needs to be implemented:
    - sysfs settings
    - unattended os updates
    - kernel parameters

This setup can be used as a base for server systems. The setup is tested using test-kitchen and serverspec tests (for details, review the documentation of the test setup).
Features:

- motd generation by template
- basic sysctl kernel settings
  - 10g networking
  - oops-behavior, swappiness, ...
  - custom sysctl settings via hiera
  - maximum number of processes and file descriptors
  - zone_reclaim_mode on NUMA systems
  - disable transparent hugepages/hugepage defrag
  - sysfs settings
- hardening of openssh server/client
  - no password login
  - ciphers
  - ...
- installation of mosh shell (disabled by default)
- time setup
  - secure ntp setup
- rngd, improvement of the random number generator for virtual systems
- postfix mta
  - deliver mails to smarthost
  - map root mail
  - ...
- user management via hiera
  - group creation
  - user creation
  - generation of sudo permissions based on configurable templates
  - distribution of ssh keys
  - distribution of standard dotfiles
  - distribution of user specific dotfiles from a specifiable location
  - minimal numeric uids/gids at 12000 to reduce collisions with users and groups created without an explicit numeric id
  - restrict distribution of users/groups by restriction tag
  - override user/group details for dedicated nodes
- installation of zabbix agent
  - add additional zabbix-agent-extension packages
- package installation via hiera
  - numerous useful packages
  - set vim as standard editor
- lvm
  - lvm management via hiera (see https://github.com/puppetlabs/puppetlabs-lvm)
  - lvm automatic snapshotting
- apt source management (https://forge.puppet.com/puppetlabs/apt)
- unattended configurable os updates (https://forge.puppet.com/puppet/unattended_upgrades)
- at/cron setup
- ulimits
- grub config (no splash, no quiet mode)
- execute fstrim at a random time (sunday, between 11AM and 4PM) to prevent load spikes on the storage system
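As an added check for the openssh hardening items in the feature list (this is example code written for this page, not code from the module): a small Python script that parses sshd_config the way sshd reads it (the first value of a keyword wins, directives after a Match line are conditional and therefore excluded) and reports password login left enabled, root password login, or weak ciphers. Which settings count as hardened and which ciphers count as weak are assumptions of this example, not values taken from the project; the three sample configs are constructed.

```python
"""Check an sshd_config for the openssh hardening points listed above: password
login disabled and an explicit, non-weak cipher list. Added example, not the
module's own code; the policy values below are assumptions made here."""
import re

# Assumption: CBC-mode ciphers, RC4 (arcfour), 3DES and Blowfish count as weak.
WEAK_CIPHER_PATTERNS = (
    re.compile(r"-cbc$"),
    re.compile(r"^arcfour"),
    re.compile(r"^3des"),
    re.compile(r"^blowfish"),
)


def parse_sshd_config(text):
    """Return {keyword (lowercased): value} for the global section of an sshd_config.

    Two sshd rules matter for a correct check: the first occurrence of a keyword
    wins (later duplicates are ignored), and everything after the first Match
    line applies only conditionally, so parsing stops there.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd accepts both "Keyword value" and "Keyword=value"
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        keyword, value = parts[0].lower(), parts[1].strip()
        if keyword == "match":
            break
        settings.setdefault(keyword, value)
    return settings


def weak_ciphers(cipher_value):
    """Return the entries of a comma-separated Ciphers value that match a weak pattern."""
    return [c for c in cipher_value.split(",")
            if any(p.search(c) for p in WEAK_CIPHER_PATTERNS)]


def check_hardening(text):
    """Return a list of findings; an empty list means the config passes this check."""
    cfg = parse_sshd_config(text)
    findings = []
    # sshd default for PasswordAuthentication is yes, so a missing line is a finding
    if cfg.get("passwordauthentication", "yes") != "no":
        findings.append("PasswordAuthentication is not 'no'")
    # default since OpenSSH 7.0 is prohibit-password; only an explicit "yes" is flagged
    if cfg.get("permitrootlogin", "prohibit-password") == "yes":
        findings.append("PermitRootLogin yes (root may log in with a password)")
    if "ciphers" not in cfg:
        findings.append("Ciphers not set explicitly (server default applies)")
    else:
        weak = weak_ciphers(cfg["ciphers"])
        if weak:
            findings.append("weak ciphers enabled: " + ",".join(weak))
    return findings


# Constructed sample configs (not taken from the project).
WEAK_CONFIG = """\
Port 22
PasswordAuthentication yes
PermitRootLogin yes
Ciphers aes256-ctr,aes128-cbc,3des-cbc
"""

HARDENED_CONFIG = """\
PasswordAuthentication no
PermitRootLogin no
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
Match User backup
    PasswordAuthentication yes
"""

# A common mistake: "no" appended at the end of the file while an earlier
# "yes" is still present; sshd keeps the first value, so password login stays open.
APPENDED_CONFIG = """\
PermitRootLogin no
Ciphers aes256-ctr
PasswordAuthentication yes
PasswordAuthentication no
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG),
                      ("appended", APPENDED_CONFIG)):
        print(name, check_hardening(cfg) or "OK")
```

The APPENDED_CONFIG case is the one worth keeping in a serverspec-style test: a config management run that appends a directive instead of replacing the existing line leaves the insecure first value in effect, and a check that simply greps for "PasswordAuthentication no" would pass it.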
Planned improvements, by priority:

- disable updatedb (chmod -x /etc/cron.daily/mlocate)
- install and configure the final puppet agent config (provide the capability to switch the environment)
- set AcceptEnv GIT_* in sshd
- SMART daemon on non-virtualized hardware systems (smart values for SAS and SATA devices are different)
- systemd journal configuration (housekeeping, permissions) in /etc/systemd/journald.conf, see https://www.freedesktop.org/software/systemd/man/journald.conf.html
- IPTables base setup for ipv4/ipv6 (https://github.com/puppetlabs/puppetlabs-firewall)
  - restrict inbound traffic to ssh only
  - restrict outbound traffic except for essential os functions
  - use groups of systems
- (default) filesystem parameters
- enhanced network tuning (port ranges, socket buffers, tcp_sack, tcp_timestamps)
- reduce deprecation warnings of used puppet modules
- specify exact versions for dependencies
- use hiera data in the module for distribution specific parameters
- use testinfra as testing framework (https://testinfra.readthedocs.io/en/latest/)
- unique user ids, do not reuse old users and groups
  - implement a pool of outdated uids/gids and remove them automatically
  - remove user directories after a specified number of days
- log shipping to syslog
  - logstash/graylog support
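As an added illustration of the uid/gid policy from the feature list (managed accounts start at numeric id 12000) together with the planned "unique user ids, do not reuse old ids" item above (example code written for this page, not the module's own implementation): a Python allocator that hands out the lowest free id at or above 12000 while keeping deleted ids in a retired pool, plus an audit that flags managed accounts sitting in the range where the OS assigns ids without an explicit number. The allocator, the audit function, the sample passwd lines and the retired id are all constructed here; the module's real hiera keys are not shown on this page.

```python
"""UID/GID allocation following the policy described above: managed accounts get
numeric ids starting at 12000, and ids of removed accounts are retired rather than
reused. Added example, not the module's own code; everything below is constructed."""

MIN_ID = 12000  # lower bound for managed uids/gids, as stated in the feature list


def parse_passwd(text):
    """Return {username: uid} from passwd-formatted lines (name:x:uid:gid:gecos:home:shell)."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 3 or not fields[2].isdigit():
            continue  # skip blank or malformed lines
        users[fields[0]] = int(fields[2])
    return users


class IdAllocator:
    """Hands out the lowest free id >= MIN_ID that is neither in use nor retired."""

    def __init__(self, in_use, retired=()):
        self.in_use = set(in_use)      # ids currently assigned (e.g. from /etc/passwd)
        self.retired = set(retired)    # ids of deleted accounts, never handed out again

    def allocate(self):
        candidate = MIN_ID
        while candidate in self.in_use or candidate in self.retired:
            candidate += 1
        self.in_use.add(candidate)
        return candidate

    def retire(self, uid):
        """Move an id from the in-use set to the retired pool (account deletion)."""
        self.in_use.discard(uid)
        self.retired.add(uid)


def below_minimum(users, managed_names):
    """Return managed accounts whose uid lies below MIN_ID, i.e. inside the range
    where the OS and packages assign ids without an explicit number."""
    return sorted(name for name in managed_names
                  if name in users and users[name] < MIN_ID)


# Constructed sample /etc/passwd content (not from any real system).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
deploy:x:12000:12000:Deploy:/home/deploy:/bin/bash
bob:x:12001:12001:Bob:/home/bob:/bin/bash
"""
MANAGED_USERS = ["alice", "deploy", "bob"]   # accounts the module would manage
RETIRED_IDS = [12002]                        # a previously deleted account (constructed)


def demo():
    """Run the allocation scenario and return the observed ids for inspection."""
    users = parse_passwd(SAMPLE_PASSWD)
    alloc = IdAllocator(users.values(), RETIRED_IDS)
    first = alloc.allocate()       # 12003: 12000/12001 in use, 12002 retired
    alloc.retire(users["bob"])     # bob is deleted; 12001 must never come back
    second = alloc.allocate()      # 12004: 12001 is now retired, 12003 is taken
    return first, second, sorted(alloc.retired), below_minimum(users, MANAGED_USERS)


if __name__ == "__main__":
    print(demo())
```

The retired pool is what makes the "do not reuse" rule hold across runs: without it, deleting bob and creating the next account would hand 12001 to a new user, who would then own any files, cron jobs or mail that still reference the old uid. The audit result (alice at uid 1000) shows why the 12000 floor exists: a managed account placed in the ordinary user range can collide with an account the OS or a package creates later without specifying an id.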
Contributing:

- file a bug on the github project: https://github.com/scoopex/puppet-hosting_basesetup/issues
- fork the project and improve the template
- create a pull/merge request