From f057008d9c07f5f15de1b65ca9bd7c63d37c2db8 Mon Sep 17 00:00:00 2001
From: Silvio Rhatto
Date: Fri, 31 Jul 2015 16:05:20 -0300
Subject: Adds nodo::subsystem::sysctl::disable_ipv6
---
 files/etc/sysctl.d/disable_ipv6.conf | 4 ++++
 manifests/subsystem/sysctl.pp | 2 ++
 manifests/subsystem/sysctl/disable_ipv6.pp | 19 +++++++++++++++++++
 3 files changed, 25 insertions(+)
 create mode 100644 files/etc/sysctl.d/disable_ipv6.conf
 create mode 100644 manifests/subsystem/sysctl/disable_ipv6.pp
diff --git a/files/etc/sysctl.d/disable_ipv6.conf b/files/etc/sysctl.d/disable_ipv6.conf
new file mode 100644
index 0000000..243a00d
--- /dev/null
+++ b/files/etc/sysctl.d/disable_ipv6.conf
@@ -0,0 +1,4 @@
+net.ipv6.conf.all.disable_ipv6 = 1
+net.ipv6.conf.default.disable_ipv6 = 1
+net.ipv6.conf.lo.disable_ipv6 = 1
+net.ipv6.conf.eth0.disable_ipv6 = 1
diff --git a/manifests/subsystem/sysctl.pp b/manifests/subsystem/sysctl.pp
index 03e1683..94fbae0 100644
--- a/manifests/subsystem/sysctl.pp
+++ b/manifests/subsystem/sysctl.pp
@@ -1,4 +1,6 @@
 class nodo::subsystem::sysctl {
+  class { 'nodo::subsystem::sysctl::disable_ipv6': }
+
   # Root exploit fix, see http://wiki.debian.org/mmap_min_addr
   # Maybe this can be remove in the future or included in a sysctl puppet module
   file { "/etc/sysctl.d/mmap_min_addr.conf":
diff --git a/manifests/subsystem/sysctl/disable_ipv6.pp b/manifests/subsystem/sysctl/disable_ipv6.pp
new file mode 100644
index 0000000..a6486a0
--- /dev/null
+++ b/manifests/subsystem/sysctl/disable_ipv6.pp
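Review bot: The `net.ipv6.conf.eth0.disable_ipv6 = 1` line at the end of disable_ipv6.conf ties the policy to one interface name; on a host whose NIC is not called eth0 (predictable names such as ens3, or a second NIC) sysctl fails for that key, and where eth0 does exist the line adds nothing, because writing `net.ipv6.conf.all.disable_ipv6` already applies to every present interface while `default` covers interfaces created later. I would drop the eth0 line, or if it must stay, precede it with `# eth0 only; all/default already cover it, and sysctl errors on hosts without eth0`. The `lo` line deserves a caveat too: with IPv6 disabled on loopback, anything that resolves localhost to ::1 or binds to ::1 will fail, so /etc/hosts and listening services on the target hosts should be checked before this is rolled out. Note that the kernel's ipv6 module stays loaded; this file disables IPv6 addressing, it does not remove the stack.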
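Review bot: The resource-like declaration `class { 'nodo::subsystem::sysctl::disable_ipv6': }` added at the top of `nodo::subsystem::sysctl` passes no parameters, so `include nodo::subsystem::sysctl::disable_ipv6` does the same job (the class reads `$ensure` from hiera itself) and avoids a duplicate-declaration failure if another manifest or node definition ever declares the class as well. Because the hiera default for `nodo::sysctl::disable_ipv6` is `'present'`, this also turns IPv6 off on every node that includes `nodo::subsystem::sysctl` unless the node overrides that key; a comment above the declaration stating it, e.g. `# Disables IPv6 on all nodes by default; set hiera nodo::sysctl::disable_ipv6 to 'absent' to opt out`, would save the next person a surprise. The rest of `nodo::subsystem::sysctl` continues outside the hunk.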
@@ -0,0 +1,19 @@
+# Do not enable ipv6 by default
+# See https://wiki.debian.org/DebianIPv6
+class nodo::subsystem::sysctl::disable_ipv6(
+  $ensure = hiera('nodo::sysctl::disable_ipv6', 'present'),
+) {
+  file { "/etc/sysctl.d/disable_ipv6.conf":
+    owner => "root",
+    group => "root",
+    mode => 0644,
+    ensure => $ensure,
+    source => "puppet:///modules/nodo/etc/sysctl.d/disable_ipv6.conf",
+  }
+
+  exec { "sysctl-disable-ipv6":
+    command => '/sbin/sysctl -p',
+    subscribe => File["/etc/sysctl.d/disable_ipv6.conf"],
+    refreshonly => true,
+  }
+}
--
cgit v1.2.3
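Review bot: The `exec` at the end of the class runs `/sbin/sysctl -p` with no file argument, which loads only /etc/sysctl.conf, so the settings written to /etc/sysctl.d/disable_ipv6.conf are not applied to the running kernel until the next boot and the `subscribe`/`refreshonly` pair achieves nothing; point it at the managed file, `command => '/sbin/sysctl -p /etc/sysctl.d/disable_ipv6.conf',`. When `$ensure` is `absent` the file removal still refreshes the exec, which then fails on the missing file, and nothing re-enables IPv6 on the live system either way, so add `onlyif => '/usr/bin/test -f /etc/sysctl.d/disable_ipv6.conf',` and state in the class header that `absent` only takes full effect after a reboot. On style, `mode => 0644` should be quoted as `'0644'` (puppet-lint flags unquoted octal and newer Puppet warns on it), and `ensure` conventionally comes first in the file resource. The header comment could also say what the class does rather than what it does not: `# Disable IPv6 on all interfaces via sysctl; controlled by the hiera key nodo::sysctl::disable_ipv6 (present|absent).`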