Diffstat (limited to 'files/etc')
-rw-r--r-- | files/etc/crypttab | 4 | ||||
-rw-r--r-- | files/etc/fstab | 3 | ||||
-rw-r--r-- | files/etc/initramfs-tools/modules | 15 | ||||
-rw-r--r-- | files/etc/modprobe.d/blacklist | 78 | ||||
-rw-r--r-- | files/etc/rc.local | 22 | ||||
-rw-r--r-- | files/etc/sudoers | 21 |
6 files changed, 143 insertions, 0 deletions
diff --git a/files/etc/crypttab b/files/etc/crypttab
new file mode 100644
index 0000000..35f0521
--- /dev/null
+++ b/files/etc/crypttab
@@ -0,0 +1,4 @@
+# <target name> <source device> <key file> <options>
+root /dev/mapper/vg-root none luks,cipher=aes-cbc-essiv:sha256
+cswap /dev/sda1 /dev/random swap,cipher=aes-cbc-essiv:sha256
+vservers /dev/mapper/vg-vservers none luks,cipher=aes-cbc-essiv:sha256
diff --git a/files/etc/fstab b/files/etc/fstab
new file mode 100644
index 0000000..0878617
--- /dev/null
+++ b/files/etc/fstab
@@ -0,0 +1,3 @@
+/dev/mapper/cswap none swap sw 0 0
+/dev/mapper/root / ext3 defaults,errors=remount-ro 0 1
+/dev/mapper/vservers /var/vservers ext3 defaults,errors=remount-ro 0 0
diff --git a/files/etc/initramfs-tools/modules b/files/etc/initramfs-tools/modules
new file mode 100644
index 0000000..265b8fd
--- /dev/null
+++ b/files/etc/initramfs-tools/modules
@@ -0,0 +1,15 @@
+# List of modules that you want to include in your initramfs.
+#
+# Syntax: module_name [args ...]
+#
+# You must run update-initramfs(8) to effect this change.
+#
+# Examples:
+#
+# raid1
+# sd_mod
+dm-mod
+dm-crypt
+aes
+twofish
+sha256
diff --git a/files/etc/modprobe.d/blacklist b/files/etc/modprobe.d/blacklist
new file mode 100644
index 0000000..1505e86
--- /dev/null
+++ b/files/etc/modprobe.d/blacklist
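Review bot: The `cswap` line in files/etc/crypttab re-keys `/dev/sda1` on every boot, and the swap setup writes a fresh swap signature to whichever device carries that name, so a change in disk enumeration would overwrite a different partition. Reference the partition by a stable path, and consider `/dev/urandom` as the key source because reading `/dev/random` can stall early boot while entropy is low: `cswap /dev/disk/by-id/<DISK-ID>-part1 /dev/urandom swap,cipher=aes-cbc-essiv:sha256`. On the two `luks` lines the cipher is most likely taken from the LUKS header rather than from this option, so a comment saying the value is informational would avoid a false sense of control. CBC-ESSIV is also a legacy mode; new volumes are usually formatted with an XTS mode instead.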
@@ -0,0 +1,78 @@
+# This file lists modules which will not be loaded as the result of
+# alias expansion, with the purpose of preventing the hotplug subsystem
+# to load them. It does not affect autoloading of modules by the kernel.
+# This file is provided by the udev package.
+
+# evbug is a debug tool and should be loaded explicitly
+blacklist evbug
+
+# these drivers are very simple, the HID drivers are usually preferred
+blacklist usbmouse
+blacklist usbkbd
+
+# replaced by e100
+blacklist eepro100
+
+# replaced by tulip
+blacklist de4x5
+
+# replaced by tmscsim
+blacklist am53c974
+
+# watchdog drivers should be loaded only if a watchdog daemon is installed
+blacklist acquirewdt
+blacklist advantechwdt
+blacklist alim1535_wdt
+blacklist alim7101_wdt
+blacklist booke_wdt
+blacklist cpu5wdt
+blacklist eurotechwdt
+blacklist hpwdt
+blacklist i6300esb
+blacklist i8xx_tco
+blacklist ib700wdt
+blacklist ibmasr
+blacklist indydog
+blacklist ixp2000_wdt
+blacklist ixp4xx_wdt
+blacklist it8712f_wdt
+blacklist iTCO_wdt
+blacklist machzwd
+blacklist mixcomwd
+blacklist mpc8xx_wdt
+blacklist mpcore_wdt
+blacklist mv64x60_wdt
+blacklist pc87413_wdt
+blacklist pcwd
+blacklist pcwd_pci
+blacklist pcwd_usb
+blacklist s3c2410_wdt
+blacklist sa1100_wdt
+blacklist sbc60xxwdt
+blacklist sbc7240_wdt
+blacklist sbc8360
+blacklist sbc_epx_c3
+blacklist sc1200wdt
+blacklist sc520_wdt
+blacklist scx200_wdt
+blacklist shwdt
+blacklist smsc37b787_wdt
+blacklist softdog
+blacklist w83627hf_wdt
+blacklist w83697hf_wdt
+blacklist w83877f_wdt
+blacklist w83977f_wdt
+blacklist wafer5823wdt
+blacklist wdt285
+blacklist wdt977
+blacklist wdt
+blacklist wdt_pci
+
+# Physical memory attacks via Firewire/DMA Mitigation
+# Prevent automatic loading of the ohci1394 module.
+# See http://padrao.sarava.org/trac/wiki/Debian/Firewire
+blacklist ohci1394
+# Prevent manual loading of the ohci1394 module.
+install ohci1394 false
+# Iff we should ever load the ohci1394 module, force the use of the 'phys_dma=0' option.
+options ohci1394 phys_dma=0
diff --git a/files/etc/rc.local b/files/etc/rc.local
new file mode 100644
index 0000000..393c83e
--- /dev/null
+++ b/files/etc/rc.local
@@ -0,0 +1,22 @@
+#!/bin/sh -e
+#
+# rc.local
+#
+# This script is executed at the end of each multiuser runlevel.
+# Make sure that the script will "exit 0" on success or any other
+# value on error.
+#
+# In order to enable or disable this script just change the execution
+# bits.
+#
+# By default this script does nothing.
+
+# Force the hostname
+/bin/hostname `cat /etc/hostname`
+
+# Then restart puppet with the right hostname
+/etc/init.d/puppet stop
+/etc/init.d/puppet start
+
+# Then exit
+exit 0
diff --git a/files/etc/sudoers b/files/etc/sudoers
new file mode 100644
index 0000000..1026c16
--- /dev/null
+++ b/files/etc/sudoers
@@ -0,0 +1,21 @@
+# /etc/sudoers
+#
+# This file MUST be edited with the 'visudo' command as root.
+#
+# See the man page for details on how to write a sudoers file.
+#
+
+Defaults env_reset
+
+# Host alias specification
+
+# User alias specification
+
+# Cmnd alias specification
+
+# User privilege specification
+
+# Uncomment to allow members of group sudo to not need a password
+# (Note that later entries override this, so you might need to move
+# it further down)
+%sudo ALL=NOPASSWD: ALL |
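Review bot: The Firewire/DMA section at the end of files/etc/modprobe.d/blacklist names only `ohci1394`, the driver of the old IEEE 1394 stack; kernels that ship the newer stack load the controller driver as `firewire-ohci`, which these lines do not cover. If the managed hosts can run such kernels, add the same pair for that name: `blacklist firewire-ohci` and `install firewire-ohci false`. A short comment noting that `options ohci1394 phys_dma=0` only comes into play once the `install ohci1394 false` line is removed would also help the next editor.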
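Review bot: The script runs under `sh -e`, so in the puppet block of files/etc/rc.local a non-zero exit from `/etc/init.d/puppet stop` (for example when the agent is not running yet) would abort the script before `puppet start` is reached and leave the agent down. Make the stop tolerant with `/etc/init.d/puppet stop || true`, or use the init script's restart action if it has one. The hostname line can drop the unquoted command substitution by using `/bin/hostname -F /etc/hostname`. The header comment "By default this script does nothing" is stale and should say what the script now does.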
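Review bot: The last line of files/etc/sudoers, `%sudo ALL=NOPASSWD: ALL`, is active although the comment above it says "Uncomment to allow", so every member of group sudo gets root without re-authentication and any process running as one of those accounts is effectively root. Unless that is intended for these hosts, require the password with `%sudo ALL=(ALL) ALL`, or restrict NOPASSWD to a command alias. The file is added with mode 100644 while sudoers is normally installed 0440, so whatever deploys it has to set owner and mode explicitly; that part is outside this diff. Checking the deployed file with `visudo -c -f <path>` before it replaces the live one avoids losing sudo to a syntax error.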