###############################################################################
#
# promises.cf - Basic Policy for CFEngine (adjusted for Debian Edu)
# Author: Wolfgang Schweer , Dec. 2017.
#
###############################################################################

body server control
# Debian Edu specific
#
# Access control for cf-serverd. The three address lists below name the same
# set of sources: loopback (IPv4 and IPv6) plus the whole 10.0.0.0/8 internal
# network.
{
      # Hosts allowed to connect at all.
      allowconnects => { "127.0.0.1", "::1", "10.0.0.0/8" };
      # Hosts allowed to hold several connections at the same time.
      allowallconnects => { "127.0.0.1", "::1", "10.0.0.0/8" };
      # Hosts whose public key is accepted automatically on first contact
      # (trust on first use). NOTE(review): this covers every address in
      # 10.0.0.0/8, so any host on that network can enrol a key without
      # manual verification; presumably needed for unattended client
      # bootstrap in Debian Edu -- confirm before narrowing this list.
      trustkeysfrom => { "127.0.0.1", "::1", "10.0.0.0/8" };
      # Upper bound on simultaneous connections served.
      maxconnections => "15";
      # "false" accepts connections from hosts whose clock is out of sync
      # with this server, i.e. the clock-skew check is switched off.
      denybadclocks => "false";
      # Only root may request remote execution via cf-runagent.
      allowusers => { "root" };
      # Command executed when a cf-runagent request is accepted.
      cfruncommand => "/usr/sbin/cf-agent";
}

body common control
# Please note that order matters (in bundlesequence).
# The Cfengine2 concepts 'actionsequence' and 'passes' (like secondpass)
# are gone; this bundlesequence with cf.finalize added as the last one is
# roughly an equivalent. All bundles are passed up to three times. If
# convergence isn't successful (like edits), no change is done for this
# item and the outcome is logged. After installation see
# /var/log/installer/cfengine-edu-install.log.
{
      bundlesequence => {
          edu,
          cfengine3,
          permission_homes,
          editline_homes,
          editline_bind,
          editline_ldapserver,
          editline_ldapclient,
          editline_pam_group,
          editline_syslog,
          adduser,
          apache2,
          bind,
          homes,
          firefox,
          chromium,
          samba,
          cups,
          dhcpserver,
          exim,
          grub,
          imap,
          inetd,
          krb5client,
          icinga,
          ldapserver,
          ldapclient,
          desktop,
          ntp,
          squid,
          sshd,
          syslog,
          xrdp,
          workarounds,
          pxeinstall,
          finalize,
          editline_finalize,
      };

      # Policy files loaded by the agent. The list is fixed here rather than
      # assembled from the helper bundles below.
      # NOTE(review): the bundles cfe_internal_inputs, cfengine_stdlib and
      # cfengine_controls each compute an "inputs" list, but nothing in this
      # file references them (e.g. via @(cfengine_stdlib.inputs)); unless one
      # of the listed files does, they have no effect from here.
      inputs => {
          "services/main.cf",
          "debian-edu/edu.cf",
          "lib/stdlib.cf",
          "lib/common.cf",
          "lib/commands.cf",
          "lib/files.cf",
          "lib/services.cf",
          "debian-edu/cf.adduser",
          "debian-edu/cf.apache2",
          "debian-edu/cf.bind",
          "debian-edu/cf.cfengine3",
          "debian-edu/cf.chromium",
          "debian-edu/cf.cups",
          "debian-edu/cf.samba",
          "debian-edu/cf.desktop-networked",
          "debian-edu/cf.dhcpserver",
          "debian-edu/cf.exim",
          "debian-edu/cf.firefox-esr",
          "debian-edu/cf.finalize",
          "debian-edu/cf.grub",
          "debian-edu/cf.homes",
          "debian-edu/cf.icinga",
          "debian-edu/cf.imap",
          "debian-edu/cf.inetd",
          "debian-edu/cf.krb5client",
          "debian-edu/cf.ldapserver",
          "debian-edu/cf.ldapclient",
          "debian-edu/cf.ntp",
          "debian-edu/cf.pam",
          "debian-edu/cf.pxeinstall",
          "debian-edu/cf.squid",
          "debian-edu/cf.sshd",
          "debian-edu/cf.syslog",
          "debian-edu/cf.workarounds",
          "debian-edu/cf.xrdp",
      };

      version => "CFEngine Promises.cf 3.10.2";
}

bundle common cfe_internal_inputs
# @brief Include internal self management policies
#
# Builds an "inputs" list from the input[...] array; the list is only used
# if some other policy file references @(cfe_internal_inputs.inputs).
{
  vars:
    any::
      "input[cfe_internal_management]"
        string => "cfe_internal/CFE_cfengine.cf",
        comment => "This policy activates internal management policies for both core and enterprise";

      "input[core_main]"
        string => "cfe_internal/core/main.cf",
        comment => "This policy activates other core policies";

      "input[core_limit_robot_agents]"
        string => "cfe_internal/core/limit_robot_agents.cf",
        comment => "The policy here ensures that we don't have too many cf-monitord or cf-execd processes";

      "input[core_log_rotation]"
        string => "cfe_internal/core/log_rotation.cf",
        comment => "This policy ensures that various cfengine log files 
do not grow without bound and fill up the disk";

      "input[core_host_info_report]"
        string => "cfe_internal/core/host_info_report.cf",
        comment => "This policy produces a text based host info report and serves as a functional example of using mustache templates";

      "input[cfengine_internal_core_watchdog]"
        string => "cfe_internal/core/watchdog/watchdog.cf",
        comment => "This policy configures external watchdogs to ensure that cf-execd is always running.";

    any::
      # Collapse the array values into the list consumers would import.
      "inputs" slist => getvalues("input");
}

bundle common cfengine_stdlib
# @brief Include the standard library
#
# Selects the stdlib path depending on the running CFEngine version; the
# result is exposed as cfengine_stdlib.inputs.
{
  vars:
    !cfengine_3_7::
      # CFEngine 3.6 can include through a secondary file
      # CFEngine version 3.6 and prior use the split library to avoid syntax
      # errors introduced by new functionality. For example new functions.
      # This also works for 3.8 because local_libdir should be set to lib
      # instead of lib/3.8
      "inputs" slist => { "$(sys.local_libdir)/stdlib.cf" };

    cfengine_3_7::
      # CFEngine 3.7 has local_libdir set to $(sys.inputdir)/lib/3.7, but with
      # the @if macro support we can re-unify the split library for 3.7+ so we
      # specify the unified lib relative to local_libdir.
      "inputs" slist => { "$(sys.local_libdir)/../stdlib.cf" };

  reports:
    verbose_mode::
      "$(this.bundle): defining inputs='$(inputs)'";
}

bundle common cfengine_controls
# @brief Include various agent control policies
#
# Builds the list of per-component control files (cf-agent, cf-execd,
# cf-monitord, cf-serverd, cf-runagent) and exposes it as
# cfengine_controls.inputs.
{
  vars:
    # 3.6 uses control files under a per-version directory
    cfengine_3_6::
      "def_inputs"
        slist => {
          "controls/$(sys.cf_version_major).$(sys.cf_version_minor)/def.cf",
          "controls/$(sys.cf_version_major).$(sys.cf_version_minor)/def_inputs.cf",
        },
        comment => "We strictly order the def inputs because they should be parsed first";

      "input[cf_agent]"
        string => "controls/$(sys.cf_version_major).$(sys.cf_version_minor)/cf_agent.cf",
        comment => "Agent control options";

      "input[cf_execd]"
        string => "controls/$(sys.cf_version_major).$(sys.cf_version_minor)/cf_execd.cf",
        comment => "Executor (scheduler) control options";

      "input[cf_monitord]"
        string => "controls/$(sys.cf_version_major).$(sys.cf_version_minor)/cf_monitord.cf",
        comment => "Monitor/Measurement control options";

      "input[cf_serverd]"
        string => "controls/$(sys.cf_version_major).$(sys.cf_version_minor)/cf_serverd.cf",
        comment => "Server control options";

      "input[cf_runagent]"
        string => "controls/$(sys.cf_version_major).$(sys.cf_version_minor)/cf_runagent.cf",
        comment => "Runagent (remote activation request) control options";

    # 3.7+ uses the re-unified controls
    !cfengine_3_6::
      "def_inputs"
        slist => {
          "controls/def.cf",
          "controls/def_inputs.cf",
        },
        comment => "We strictly order the def inputs because they should be parsed first";

      "input[cf_agent]"
        string => "controls/cf_agent.cf",
        comment => "Agent control options";

      "input[cf_execd]"
        string => "controls/cf_execd.cf",
        comment => "Executor (scheduler) control options";

      "input[cf_monitord]"
        string => "controls/cf_monitord.cf",
        comment => "Monitor/Measurement control options";

      "input[cf_serverd]"
        string => "controls/cf_serverd.cf",
        comment => "Server control options";

      "input[cf_runagent]"
        string => "controls/cf_runagent.cf",
        comment => "Runagent (remote activation request) control 
options";

    any::
      # Note: here the array name is passed unquoted, unlike
      # cfe_internal_inputs above; both forms are kept as written.
      "inputs" slist => getvalues(input);

  reports:
    DEBUG|DEBUG_cfengine_controls::
      "DEBUG $(this.bundle)";
      "$(const.t)defining inputs='$(inputs)'";
}