class nodo::subsystem::grsec {
  include nodo::utils::security::grsec
  include nodo::subsystem::grsec::group

  nodo::subsystem::sysctl::entry { 'kernel.grsecurity.grsec_lock':
    order => 'zz',
    value => 1,
  }

  nodo::subsystem::sysctl::entry { 'kernel.grsecurity.rwxmap_logging':
    order => 'xx',
    value => 0,
  }

  # We ship a custom grsec.conf that does not handle kernel.grsecurity.grsec_lock
  # so we can manage or own sysctl configs.
  # See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=810920
  file { "/etc/sysctl.d/grsec.conf":
    owner   => "root",
    group   => "root",
    mode    => '0644',
    ensure  => $ensure,
    source  => "puppet:///modules/nodo/etc/sysctl.d/grsec.conf",
  }

  # Old configs
  file { [ '/etc/sysctl.d/kernel.grsecurity.rwxmap_logging.conf', '/etc/sysctl.d/kernel.grsecurity.grsec_lock.conf' ]:
    ensure => absent,
  }
}