Diffstat (limited to 'files/etc')
-rw-r--r--files/etc/crypttab4
-rw-r--r--files/etc/fstab3
-rw-r--r--files/etc/initramfs-tools/modules15
-rw-r--r--files/etc/modprobe.d/blacklist78
-rw-r--r--files/etc/rc.local22
-rw-r--r--files/etc/sudoers21
6 files changed, 143 insertions, 0 deletions
diff --git a/files/etc/crypttab b/files/etc/crypttab
new file mode 100644
index 0000000..35f0521
--- /dev/null
+++ b/files/etc/crypttab
@@ -0,0 +1,4 @@
+# <target name> <source device> <key file> <options>
+root /dev/mapper/vg-root none luks,cipher=aes-cbc-essiv:sha256
+cswap /dev/sda1 /dev/random swap,cipher=aes-cbc-essiv:sha256
+vservers /dev/mapper/vg-vservers none luks,cipher=aes-cbc-essiv:sha256
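Review bot: The `cswap` entry takes its key from `/dev/random` and names the device as `/dev/sda1`, and both choices are fragile at boot. `/dev/random` can block while the entropy pool is still empty, and a `swap` entry is re-keyed and reformatted on every boot, so a change in disk enumeration would make it overwrite whichever partition is `sda1` at that moment. `/dev/urandom` and a persistent path are the usual choice, e.g. `cswap /dev/disk/by-id/<DISK-ID>-part1 /dev/urandom swap,cipher=aes-cbc-essiv:sha256`. On the two `luks` lines the `cipher=` option is, as far as I know, ignored because the LUKS header determines the cipher, so it documents intent at best. The swap line also sets no `size=`, which leaves the key length to the default.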
diff --git a/files/etc/fstab b/files/etc/fstab
new file mode 100644
index 0000000..0878617
--- /dev/null
+++ b/files/etc/fstab
@@ -0,0 +1,3 @@
+/dev/mapper/cswap none swap sw 0 0
+/dev/mapper/root / ext3 defaults,errors=remount-ro 0 1
+/dev/mapper/vservers /var/vservers ext3 defaults,errors=remount-ro 0 0
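Review bot: `/dev/mapper/vservers` is given fsck pass `0`, so this filesystem is never checked at boot even though it is mounted with `errors=remount-ro`; `0 2` would check it after the root filesystem. If skipping the check is deliberate, for instance to keep boot time down on a large volume, a comment line above the entry saying so would prevent someone "fixing" it later.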
diff --git a/files/etc/initramfs-tools/modules b/files/etc/initramfs-tools/modules
new file mode 100644
index 0000000..265b8fd
--- /dev/null
+++ b/files/etc/initramfs-tools/modules
@@ -0,0 +1,15 @@
+# List of modules that you want to include in your initramfs.
+#
+# Syntax: module_name [args ...]
+#
+# You must run update-initramfs(8) to effect this change.
+#
+# Examples:
+#
+# raid1
+# sd_mod
+dm-mod
+dm-crypt
+aes
+twofish
+sha256
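Review bot: Nothing in the file records why these five modules were added or which of them the encrypted root needs; `twofish` is listed although every entry in the crypttab of this commit names `aes-cbc-essiv:sha256`. A comment above `dm-mod` such as `# required to unlock the LUKS root volume from the initramfs` would state the intent, and a cipher that no volume uses could be dropped. As the header comment says, the list only takes effect once update-initramfs(8) has run, so whatever deploys this file should also trigger `update-initramfs -u`; otherwise the next boot may not find the modules.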
diff --git a/files/etc/modprobe.d/blacklist b/files/etc/modprobe.d/blacklist
new file mode 100644
index 0000000..1505e86
--- /dev/null
+++ b/files/etc/modprobe.d/blacklist
@@ -0,0 +1,78 @@
+# This file lists modules which will not be loaded as the result of
+# alias expansion, with the purpose of preventing the hotplug subsystem
+# to load them. It does not affect autoloading of modules by the kernel.
+# This file is provided by the udev package.
+
+# evbug is a debug tool and should be loaded explicitly
+blacklist evbug
+
+# these drivers are very simple, the HID drivers are usually preferred
+blacklist usbmouse
+blacklist usbkbd
+
+# replaced by e100
+blacklist eepro100
+
+# replaced by tulip
+blacklist de4x5
+
+# replaced by tmscsim
+blacklist am53c974
+
+# watchdog drivers should be loaded only if a watchdog daemon is installed
+blacklist acquirewdt
+blacklist advantechwdt
+blacklist alim1535_wdt
+blacklist alim7101_wdt
+blacklist booke_wdt
+blacklist cpu5wdt
+blacklist eurotechwdt
+blacklist hpwdt
+blacklist i6300esb
+blacklist i8xx_tco
+blacklist ib700wdt
+blacklist ibmasr
+blacklist indydog
+blacklist ixp2000_wdt
+blacklist ixp4xx_wdt
+blacklist it8712f_wdt
+blacklist iTCO_wdt
+blacklist machzwd
+blacklist mixcomwd
+blacklist mpc8xx_wdt
+blacklist mpcore_wdt
+blacklist mv64x60_wdt
+blacklist pc87413_wdt
+blacklist pcwd
+blacklist pcwd_pci
+blacklist pcwd_usb
+blacklist s3c2410_wdt
+blacklist sa1100_wdt
+blacklist sbc60xxwdt
+blacklist sbc7240_wdt
+blacklist sbc8360
+blacklist sbc_epx_c3
+blacklist sc1200wdt
+blacklist sc520_wdt
+blacklist scx200_wdt
+blacklist shwdt
+blacklist smsc37b787_wdt
+blacklist softdog
+blacklist w83627hf_wdt
+blacklist w83697hf_wdt
+blacklist w83877f_wdt
+blacklist w83977f_wdt
+blacklist wafer5823wdt
+blacklist wdt285
+blacklist wdt977
+blacklist wdt
+blacklist wdt_pci
+
+# Physical memory attacks via Firewire/DMA Mitigation
+# Prevent automatic loading of the ohci1394 module.
+# See http://padrao.sarava.org/trac/wiki/Debian/Firewire
+blacklist ohci1394
+# Prevent manual loading of the ohci1394 module.
+install ohci1394 false
+# Iff we should ever load the ohci1394 module, force the use of the 'phys_dma=0' option.
+options ohci1394 phys_dma=0
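Review bot: The FireWire DMA mitigation at the end of the file covers only the `ohci1394` driver of the old ieee1394 stack; on kernels that ship the newer stack the controller driver is `firewire-ohci`, which these lines do not touch, so the protection may silently not apply after a kernel upgrade. Adding `blacklist firewire-ohci` and `install firewire-ohci /bin/false` next to the existing entries would cover both. The existing `install ohci1394 false` relies on `false` being resolved through modprobe's shell and PATH; `install ohci1394 /bin/false` is more robust. The `options ... phys_dma=0` line only matters when the install override is bypassed, which the comment above it could say explicitly.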
diff --git a/files/etc/rc.local b/files/etc/rc.local
new file mode 100644
index 0000000..393c83e
--- /dev/null
+++ b/files/etc/rc.local
@@ -0,0 +1,22 @@
+#!/bin/sh -e
+#
+# rc.local
+#
+# This script is executed at the end of each multiuser runlevel.
+# Make sure that the script will "exit 0" on success or any other
+# value on error.
+#
+# In order to enable or disable this script just change the execution
+# bits.
+#
+# By default this script does nothing.
+
+# Force the hostname
+/bin/hostname `cat /etc/hostname`
+
+# Then restart puppet with the right hostname
+/etc/init.d/puppet stop
+/etc/init.d/puppet start
+
+# Then exit
+exit 0
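Review bot: Because the script runs under `#!/bin/sh -e`, a non-zero exit from `/etc/init.d/puppet stop` (for example when puppet is not running yet) aborts rc.local before the `start` line, leaving the agent down. `/etc/init.d/puppet stop || true` avoids that. The hostname line has the opposite problem: if `/etc/hostname` is missing or empty, the `cat` failure inside the backticks is not caught and `/bin/hostname` runs with no argument, which only prints the current name, so puppet is restarted under the wrong hostname; `/bin/hostname -F /etc/hostname` fails loudly instead. The header comment "By default this script does nothing." is stale now that the script has a body.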
diff --git a/files/etc/sudoers b/files/etc/sudoers
new file mode 100644
index 0000000..1026c16
--- /dev/null
+++ b/files/etc/sudoers
@@ -0,0 +1,21 @@
+# /etc/sudoers
+#
+# This file MUST be edited with the 'visudo' command as root.
+#
+# See the man page for details on how to write a sudoers file.
+#
+
+Defaults env_reset
+
+# Host alias specification
+
+# User alias specification
+
+# Cmnd alias specification
+
+# User privilege specification
+
+# Uncomment to allow members of group sudo to not need a password
+# (Note that later entries override this, so you might need to move
+# it further down)
+%sudo ALL=NOPASSWD: ALL
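Review bot: The last line ships `%sudo ALL=NOPASSWD: ALL` enabled, so compromise of any account in group `sudo` gives root with no further authentication, and the comment above it still reads "Uncomment to allow...", which suggests the line is meant to be off by default. Unless passwordless root is a deliberate policy for these hosts, `%sudo ALL=(ALL) ALL` keeps the password prompt; if it is deliberate, the comment should say so and name who is expected to be in the group. The file is committed with mode 100644, while sudo conventionally expects sudoers to be root-owned with mode 0440, so the deployment step should set owner and mode explicitly and validate the result with `visudo -c -f` before installing it.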