[submodule "external_modules/augeasproviders_core"]
path = external_modules/augeasproviders_core
url = git://git.immae.eu/github/hercules-team/augeasproviders_core.git
+[submodule "external_modules/nfs"]
+ path = external_modules/nfs
+ url = git://git.immae.eu/github/derdanne/puppet-nfs
base_installation::ldap_cn: "%{facts.ec2_metadata.hostname}"
base_installation::ldap_server: "ldap.immae.eu"
base_installation::ldap_uri: "ldaps://ldap.immae.eu"
-# FIXME: get all mounts without needing that hack?
base_installation::puppet_conf_path: "/etc/puppetlabs/puppet"
+base_installation::puppet_notifies_path: "/etc/puppetlabs/notifies"
base_installation::puppet_code_path: "/etc/puppetlabs/code"
base_installation::puppet_pass_seed: "/etc/puppetlabs/puppet/password_seed"
base_installation::puppet_ssl_path: "/etc/puppetlabs/ssl"
base_installation::system_timezone: "Europe/Paris"
base_installation::system_users: [] # Fetched via ldap
base_installation::notify_xmpp: {}
-profile::fstab::mounts:
- - "%{facts.ldapvar.self.vars.mounts.0}"
- - "%{facts.ldapvar.self.vars.mounts.1}"
+profile::fstab::mounts: []
profile::xmr_stak::mining_pool: ""
profile::xmr_stak::wallet: ""
profile::mail::mailhub: "" # Fetched via ldap
role::cryptoportfolio::group: "cryptoportfolio"
role::cryptoportfolio::home: "/home/cryptoportfolio"
role::cryptoportfolio::env: "prod"
-role::cryptoportfolio::webhook_url: "%{ldapvar.self.vars.cf_slack_webhook.0}"
+role::cryptoportfolio::webhook_url: ""
role::cryptoportfolio::pg_db: "cryptoportfolio"
role::cryptoportfolio::pg_user: "cryptoportfolio"
role::cryptoportfolio::web_host: "%{lookup('base_installation::system_hostname')}"
--- /dev/null
+---
+classes:
+ role::file_store: ~
+letsencrypt::hosts: "%{lookup('base_installation::system_hostname')}"
--- /dev/null
+Subproject commit 24020205590d9ae942e0acf79c1506b40ab09e40
--- /dev/null
+require "base64"
+require "openssl"
+
+Puppet::Functions.create_function(:generate_password) do
+ dispatch :generate_password do
+ param 'Integer', :size
+ param 'String', :seed_file
+ param 'String', :password_key
+ optional_param 'String', :method
+ optional_param 'Boolean', :encode
+ return_type 'String'
+ end
+
+ def generate_password(size, seed_file, password_key, method = nil, encode = false)
+ key = get_key(seed_file, password_key)
+ case method
+ when nil
+ pass = generate_string(size, key)
+ when "curve25519"
+ pass = generate_string(32, key, binary = true)
+ pass[0] = (pass[0].ord & 248).chr
+ pass[31] = ((pass[31].ord & 127) | 64).chr
+ else
+ raise "Unknown method"
+ end
+
+ if encode
+ Base64.strict_encode64(pass).strip
+ else
+ pass
+ end
+ end
+
+ def generate_string(size, key, binary = false)
+ if binary
+ set = (0 .. 255).map { |i| i.chr }
+ else
+ set = ('a' .. 'z').to_a + ('A' .. 'Z').to_a + ('0' .. '9').to_a
+ end
+
+ size.times.collect do |i|
+ set[OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha256'), key, i.to_s).to_i(16) % set.size]
+ end.join
+ end
+
+ def get_key(seed_file, password_key)
+ "#{File.open(seed_file).read}:#{password_key}"
+ end
+end
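Review bot: `get_key` reads the seed with `File.open(seed_file).read` and never closes the handle, so every evaluation of the function leaks a descriptor until the GC finalises it; `File.read(seed_file)` reads and closes in one call, and the removed Puppet 3 version had the same pattern, so nothing in this rewrite stops it being carried over. On the line `pass = generate_string(32, key, binary = true)` the `binary = true` is a local assignment that merely passes `true` positionally; write `generate_string(32, key, true)`. In the `"curve25519"` branch the caller's `size` is ignored in favour of 32, which is right for an X25519 scalar but deserves a comment such as `# X25519 scalars are fixed at 32 bytes; size is ignored for this method` so callers like `generate_password(32, ...)` in profile::wireguard do not assume the argument is honoured. `raise "Unknown method"` would also read better as `raise ArgumentError, "Unknown method #{method.inspect}"` so Puppet reports which value was rejected.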
+++ /dev/null
-module Puppet::Parser::Functions
- newfunction(:generate_password, :type => :rvalue, :doc => <<-EOS
-Returns a semi-random string based on a seed and a value. Will always generate the same value with the same entry.
-Prototype:
- generate_password(length, seed_file, password_key)
-EOS
-) do |*arguments|
- arguments = arguments.shift if arguments.first.is_a?(Array)
-
- raise Puppet::ParseError, "generate_password(): Wrong number of arguments " +
- "given (#{arguments.size} for 3)" if arguments.size != 3
-
- size = arguments.shift
- seed_file = arguments.shift
- password_key = arguments.shift
-
- unless size.class.ancestors.include?(Numeric) or size.is_a?(String)
- raise Puppet::ParseError, 'generate_password(): Requires a numeric first argument'
- end
-
- size = size.to_i
-
- set = ('a' .. 'z').to_a + ('A' .. 'Z').to_a + ('0' .. '9').to_a
-
- key = "#{File.open(seed_file).read}:#{password_key}"
-
- size.times.collect do |i|
- set[OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha256'), key, i.to_s).to_i(16) % set.size]
- end.join
-end
-end
--- /dev/null
+require 'puppet'
+
+Puppet::Reports.register_report(:cat_files) do
+ FOLLOWED_RESOURCES = [
+ "File[/etc/puppetlabs/notifies/host_ldap.info]",
+ ]
+
+ def process
+ self.resource_statuses.each do |name, status|
+ if FOLLOWED_RESOURCES.include?(status.resource) && status.events.any? { |e| e.status == "success" }
+ puts File.open(status.title, "r").read()
+ end
+ end
+ end
+
+end
+
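Review bot: `puts File.open(status.title, "r").read()` in `process` leaves the file handle open; `File.read(status.title)` prints the same content without the leak. `FOLLOWED_RESOURCES` is assigned inside the block handed to `register_report`, and Ruby scopes constants lexically, so it most likely lands on `Object` rather than on the generated report module; it is also mutable, so at least `].freeze` it. Since the processor echoes whatever file the matched status names, the comparison against this allowlist is the only thing keeping it from printing arbitrary paths carried in a report — a one-line comment such as `# only files in FOLLOWED_RESOURCES are ever read; the path comes from the report` would make that contract explicit for the next maintainer.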
class base_installation (
- Optional[String] $grub_device = $base_installation::params::grub_device,
- Optional[String] $ldap_base = $base_installation::params::ldap_base,
- Optional[String] $ldap_cert_path = $base_installation::params::ldap_cert_path,
- Optional[String] $ldap_cn = $base_installation::params::ldap_cn,
- Optional[String] $ldap_dn = $base_installation::params::ldap_dn,
- Optional[String] $ldap_server = $base_installation::params::ldap_server,
- Optional[String] $ldap_uri = $base_installation::params::ldap_uri,
- Optional[String] $puppet_code_path = $base_installation::params::puppet_code_path,
- Optional[String] $puppet_conf_path = $base_installation::params::puppet_conf_path,
- Optional[String] $puppet_pass_seed = $base_installation::params::puppet_pass_seed,
- Optional[String] $puppet_ssl_path = $base_installation::params::puppet_ssl_path,
- Optional[String] $real_hostname = $base_installation::params::real_hostname,
- Optional[String] $system_hostname = $base_installation::params::system_hostname,
- Optional[Array[String]] $system_locales = $base_installation::params::system_locales,
- Optional[String] $system_timezone = $base_installation::params::system_timezone,
- Optional[Array[Hash]] $system_users = $base_installation::params::system_users,
+ Optional[String] $grub_device = $base_installation::params::grub_device,
+ Optional[String] $ldap_base = $base_installation::params::ldap_base,
+ Optional[String] $ldap_cert_path = $base_installation::params::ldap_cert_path,
+ Optional[String] $ldap_cn = $base_installation::params::ldap_cn,
+ Optional[String] $ldap_dn = $base_installation::params::ldap_dn,
+ Optional[String] $ldap_server = $base_installation::params::ldap_server,
+ Optional[String] $ldap_uri = $base_installation::params::ldap_uri,
+ Optional[String] $puppet_code_path = $base_installation::params::puppet_code_path,
+ Optional[String] $puppet_conf_path = $base_installation::params::puppet_conf_path,
+ Optional[String] $puppet_notifies_path = $base_installation::params::puppet_notifies_path,
+ Optional[String] $puppet_pass_seed = $base_installation::params::puppet_pass_seed,
+ Optional[String] $puppet_ssl_path = $base_installation::params::puppet_ssl_path,
+ Optional[String] $real_hostname = $base_installation::params::real_hostname,
+ Optional[String] $system_hostname = $base_installation::params::system_hostname,
+ Optional[Array[String]] $system_locales = $base_installation::params::system_locales,
+ Optional[String] $system_timezone = $base_installation::params::system_timezone,
+ Optional[Array[Hash]] $system_users = $base_installation::params::system_users,
) inherits base_installation::params {
contain ::base_installation::packages
contain ::base_installation::locales
class base_installation::params {
- $puppet_code_path = "/etc/puppetlabs/code"
- $puppet_conf_path = "/etc/puppetlabs/puppet"
- $puppet_pass_seed = "/etc/puppetlabs/puppet/password_seed"
- $puppet_ssl_path = "/etc/puppetlabs/ssl"
- $grub_device = "/dev/sda"
- $ldap_base = "dc=example,dc=com"
- $ldap_cn = "node"
- $ldap_dn = "cn=node,ou=hosts,dc=example,dc=com"
- $ldap_cert_path = "/etc/ssl/certs/ca-certificates.crt"
- $ldap_uri = "ldaps://ldap.example.com"
- $ldap_server = "ldap.example.com"
- $real_hostname = "example.com"
- $system_hostname = "example.com"
- $system_locales = ["en_US.UTF-8"]
- $system_timezone = "UTC"
- $system_users = [
+ $puppet_code_path = "/etc/puppetlabs/code"
+ $puppet_conf_path = "/etc/puppetlabs/puppet"
+ $puppet_notifies_path = "/etc/puppetlabs/notifies"
+ $puppet_pass_seed = "/etc/puppetlabs/puppet/password_seed"
+ $puppet_ssl_path = "/etc/puppetlabs/ssl"
+ $grub_device = "/dev/sda"
+ $ldap_base = "dc=example,dc=com"
+ $ldap_cn = "node"
+ $ldap_dn = "cn=node,ou=hosts,dc=example,dc=com"
+ $ldap_cert_path = "/etc/ssl/certs/ca-certificates.crt"
+ $ldap_uri = "ldaps://ldap.example.com"
+ $ldap_server = "ldap.example.com"
+ $real_hostname = "example.com"
+ $system_hostname = "example.com"
+ $system_locales = ["en_US.UTF-8"]
+ $system_timezone = "UTC"
+ $system_users = [
{
userid => 1000,
username => "example",
}
}
- if file("$base_installation::puppet_conf_path/host_ldap.info", "/dev/null") != "" and
+ if file("$base_installation::puppet_notifies_path/host_ldap.info", "/dev/null") != "" and
empty($facts["ldapvar"]) {
fail("LDAP was activated but facts are not available")
}
+ file { $base_installation::puppet_notifies_path:
+ ensure => directory,
+ require => [Package["puppet"], Package["gem:xmpp4r"], Package["gem:ruby-ldap"]],
+ recurse => true,
+ purge => true,
+ force => true,
+ }
+
$ips = lookup("ips", { 'default_value' => undef })
- file { "$base_installation::puppet_conf_path/host_ldap.info":
- content => template("base_installation/puppet/host_ldap.info.erb"),
- require => File[$base_installation::puppet_conf_path],
- notify => Notify_refresh["notify-ldap-password"],
+ concat { "$base_installation::puppet_notifies_path/host_ldap.info":
+ ensure => "present",
+ mode => "0600",
+ require => File[$base_installation::puppet_notifies_path],
+ ensure_newline => true,
+ }
+
+ concat::fragment { "host_ldap add top":
+ target => "$base_installation::puppet_notifies_path/host_ldap.info",
+ content => template("base_installation/puppet/host_ldap_add_top.info.erb"),
+ order => "00-01",
+ }
+ concat::fragment { "host_ldap add bottom":
+ target => "$base_installation::puppet_notifies_path/host_ldap.info",
+ content => "EOF",
+ order => "00-99",
}
- notify_refresh { "notify-ldap-password":
- message => template("base_installation/puppet/host_ldap.info.erb"),
- refreshonly => true
+ concat::fragment { "host_ldap mod top":
+ target => "$base_installation::puppet_notifies_path/host_ldap.info",
+ content => template("base_installation/puppet/host_ldap_mod_top.info.erb"),
+ order => "01-01",
+ }
+ concat::fragment { "host_ldap mod bottom":
+ target => "$base_installation::puppet_notifies_path/host_ldap.info",
+ content => "EOF",
+ order => "01-99",
}
}
}
environment: <%= @environment %>
puppetVar: real_hostname=<%= @real_hostname %>
userpassword: {SSHA}<%= Base64.encode64(Digest::SHA1.digest(@ldap_password+@ssha_ldap_seed)+@ssha_ldap_seed).chomp! %>
-EOF
-\e[0;35m#### Or modify an existing entry:\e[0m
-ldapmodify -D "cn=root,<%= @ldap_base %>" -W << 'EOF'
-dn: <%= @ldap_dn %>
-changetype: modify
-replace: userPassword
-userpassword: {SSHA}<%= Base64.encode64(Digest::SHA1.digest(@ldap_password+@ssha_ldap_seed)+@ssha_ldap_seed).chomp! %>
--
-replace: environment
-environment: <%= @environment %>
-<%- unless @ips.empty? -%>
--
-delete: ipHostNumber
-<%- unless @ips["v4"].nil? -%>
--
-add: ipHostNumber
-ipHostNumber: <%= @ips["v4"]["ipAddress"] %>
-<%- end -%>
-<%- unless @ips["v6"].nil? -%>
--
-add: ipHostNumber
-ipHostNumber: <%= @ips["v6"]["ipAddress"] %>/<%= @ips["v6"]["mask"] %>
-<%- end -%>
-<%- end -%>
-EOF
--- /dev/null
+\e[0;35m#### Or modify an existing entry:\e[0m
+ldapmodify -D "cn=root,<%= @ldap_base %>" -W << 'EOF'
+dn: <%= @ldap_dn %>
+changetype: modify
+replace: userPassword
+userpassword: {SSHA}<%= Base64.encode64(Digest::SHA1.digest(@ldap_password+@ssha_ldap_seed)+@ssha_ldap_seed).chomp! %>
+-
+replace: environment
+environment: <%= @environment %>
+<%- unless @ips.empty? -%>
+-
+delete: ipHostNumber
+<%- unless @ips["v4"].nil? -%>
+-
+add: ipHostNumber
+ipHostNumber: <%= @ips["v4"]["ipAddress"] %>
+<%- end -%>
+<%- unless @ips["v6"].nil? -%>
+-
+add: ipHostNumber
+ipHostNumber: <%= @ips["v6"]["ipAddress"] %>/<%= @ips["v6"]["mask"] %>
+<%- end -%>
+<%- end -%>
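Review bot: `Base64.encode64(...)` on the `userpassword:` line inserts a newline after every 60 output characters, so if the SHA-1 digest (20 bytes) plus `@ssha_ldap_seed` exceeds 45 bytes the hash is split across two LDIF lines and the stored `userPassword` is truncated; `.chomp!` removes only the final newline. `Base64.strict_encode64`, which the new `generate_password` function already uses, never wraps, so `userpassword: {SSHA}<%= Base64.strict_encode64(Digest::SHA1.digest(@ldap_password+@ssha_ldap_seed)+@ssha_ldap_seed) %>` is the safe form — and `.chomp!` must be dropped there, because it returns nil when there is nothing to remove and would render an empty value. The same expression appears on the retained line of host_ldap.info.erb above and presumably in the add_top template. Whether the seed is ever long enough to trigger wrapping is not visible here.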
[main]
<%
- reports = ["store"]
+ reports = ["store", "cat_files"]
if @xmpp.count > 0
reports << "xmpp"
end
--- /dev/null
+[libdefaults]
+ default_realm = IMMAE.EU
+
+[realms]
+ IMMAE.EU = {
+ kdc = kerberos.immae.eu
+ admin_server = kerberos.immae.eu
+ }
+
+[domain_realm]
+ immae.eu = IMMAE.EU
+ .immae.eu = IMMAE.EU
--- /dev/null
+class profile::kerberos::client {
+ ensure_packages(["krb5", "cyrus-sasl-gssapi"])
+
+ file { "/etc/krb5.conf":
+ source => "puppet:///modules/profile/kerberos/krb5_client.conf"
+ }
+}
--- /dev/null
+class profile::wireguard (
+) {
+ $password_seed = lookup("base_installation::puppet_pass_seed")
+
+ ensure_packages(["linux-headers"], { before => Package["wireguard-dkms"] })
+ ensure_packages(["wireguard-tools", "wireguard-dkms"])
+
+ $host = $facts["ldapvar"]["self"]
+ if has_key($host["vars"], "wireguard_ip") {
+ $ips = $host["vars"]["wireguard_ip"]
+ } else {
+ $ips = []
+ }
+
+ $private_key = generate_password(32, $password_seed, "wireguard", "curve25519", true)
+
+ if file("/usr/bin/wg", "/dev/null") != "" {
+ $puppet_notifies_path = lookup("base_installation::puppet_notifies_path")
+ $public_key = generate("/usr/bin/bash", "-c", "echo $private_key | /usr/bin/wg pubkey")
+ concat::fragment { "host_ldap add wireguard":
+ target => "$puppet_notifies_path/host_ldap.info",
+ content => "puppetVar: wireguard_public=$public_key",
+ order => "00-80"
+ }
+ }
+
+ file { "/etc/wireguard/network.conf":
+ ensure => "file",
+ mode => "0600",
+ content => template("profile/wireguard/network.conf.erb"),
+ require => [Package["wireguard-tools"], Package["wireguard-dkms"]],
+ notify => Service["wg-quick@network"],
+ }
+ ->
+ service { "wg-quick@network":
+ ensure => "running",
+ enable => true,
+ }
+
+}
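Review bot: `generate("/usr/bin/bash", "-c", "echo $private_key | /usr/bin/wg pubkey")` places the WireGuard private key in a shell command line, where it is readable by every local user through the process list for as long as the pipeline runs, and it is also subject to shell interpretation. Deriving the public key in Ruby instead — the `generate_password` function already produces the clamped 32-byte scalar, and the openssl gem can compute the X25519 public key if the compiling node's version supports raw X25519 keys — would keep the secret out of argv entirely. Note that `generate()` and `file("/usr/bin/wg", "/dev/null")` are evaluated where the catalog is compiled, so this branch only fires when `wg` is installed on that node, which is presumably intended. `generate()` also returns the command output with its trailing newline, so the fragment should use `content => "puppetVar: wireguard_public=${strip($public_key)}"` to avoid injecting a blank line, which LDIF treats as a record separator, into host_ldap.info.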
--- /dev/null
+[Interface]
+<%- @ips.each do |ip| -%>
+Address = <%= ip %>
+<%- end -%>
+PrivateKey = <%= @private_key %>
+ListenPort = 51820
+
+<%- @facts["ldapvar"]["other"].each do |host| -%>
+<%- if (host["vars"]["wireguard_public"] || []).count > 0 %>
+[Peer]
+# <%= host["vars"]["real_hostname"][0] %>
+PublicKey = <%= host["vars"]["wireguard_public"][0] %>
+<%- if (host["vars"]["wireguard_ip"] || []).count > 0 -%>
+AllowedIps = <%= host["vars"]["wireguard_ip"].join(", ").gsub /\/\d+/, "/32" %>
+<%- end -%>
+Endpoint = <%= host["vars"]["real_hostname"][0] %>:51820
+
+<% end -%>
+<%- end -%>
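Review bot: `gsub /\/\d+/, "/32"` on the `AllowedIps` line rewrites every prefix length to `/32`, which for an IPv6 entry in `wireguard_ip` is a /32 network rather than a single host, so that peer would be allowed to source an enormous address range instead of one address; `/128` is the host prefix for IPv6. One form that handles both families: `AllowedIps = <%= host["vars"]["wireguard_ip"].map { |ip| ip.sub(%r{/\d+\z}, ip.include?(":") ? "/128" : "/32") }.join(", ") %>`. The `<%- if (host["vars"]["wireguard_public"] || []).count > 0 %>` line lacks the `-%>` its sibling tags use, leaving a stray blank line before each `[Peer]`; harmless for wg-quick but inconsistent. Whether any LDAP host actually carries an IPv6 `wireguard_ip` is not visible here.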
--- /dev/null
+class role::file_store (
+ Optional[Hash] $nfs_mounts = {},
+ Optional[String] $mountpoint = "/fichiers1",
+) {
+ include "base_installation"
+
+ include "profile::fstab"
+ include "profile::tools"
+ include "profile::monitoring"
+ include "profile::wireguard"
+
+ unless empty($mountpoint) {
+ class { "::nfs":
+ server_enabled => true,
+ nfs_v4 => true,
+ nfs_v4_export_root => '/exports',
+ nfs_v4_export_root_clients => 'localhost(rw)',
+ require => Mount[$mountpoint],
+ }
+
+ $nfs_mounts.each |$nfs_mount, $hosts| {
+ file { "$mountpoint/$nfs_mount":
+ ensure => "directory",
+ mode => "0755",
+ owner => "nobody",
+ group => "nobody",
+ require => Mount[$mountpoint],
+ }
+
+ $hosts.each |$host_cn| {
+ $host = find_host($facts["ldapvar"]["other"], $host_cn)
+ if empty($host) {
+ fail("No host found for nfs")
+ } elsif has_key($host["vars"], "wireguard_ip") {
+ $clients = sprintf("%s%s",
+ join($host["vars"]["wireguard_ip"], "(rw,secure,sync,all_squash) "),
+ "(rw,secure,sync,all_squash)")
+ nfs::server::export { "$mountpoint/$nfs_mount":
+ owner => "nobody",
+ group => "nobody",
+ ensure => "present",
+ clients => $clients,
+ }
+ } elsif has_key($host["vars"], "host") {
+ nfs::server::export { "$mountpoint/$nfs_mount":
+ owner => "nobody",
+ group => "nobody",
+ ensure => "present",
+ clients => "${host[vars][host][0]}(rw,secure,sync,all_squash)",
+ }
+ } else {
+ nfs::server::export { "$mountpoint/$nfs_mount":
+ owner => "nobody",
+ group => "nobody",
+ ensure => "present",
+ clients => "${host[vars][real_hostname][0]}(rw,secure,sync,all_squash)",
+ }
+ }
+ }
+ }
+ }
+}
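Review bot: inside `$hosts.each |$host_cn|` every branch declares `nfs::server::export { "$mountpoint/$nfs_mount": ... }`, so a mount shared with two or more hosts fails compilation with a duplicate declaration on the second host; the title looks like the export path (it mirrors the `file` resource above), so the fix is to collect one client spec per host and declare the export once per mount. The `wireguard_ip` branch also copies each LDAP value into the export unchanged, while the network.conf template in this same commit strips a `/\d+` suffix from the same values, which suggests they carry a prefix length; an entry like `10.0.0.2/24(rw,...)` in /etc/exports grants the whole subnet rather than one host, so strip the prefix before building the spec. Whether `nfs::server::export` keys on its title and whether the LDAP values include prefixes is inferred rather than visible here; the rewrite below keeps the `file` resource and the `fail` as they are.
```puppet
    $nfs_mounts.each |$nfs_mount, $hosts| {
      # … unchanged: file { "$mountpoint/$nfs_mount": … } …

      # One export per mount: build the whole client list first so a second
      # host does not re-declare the same nfs::server::export title.
      $clients = join($hosts.map |$host_cn| {
        $host = find_host($facts["ldapvar"]["other"], $host_cn)
        if empty($host) {
          fail("No host found for nfs")
        } elsif has_key($host["vars"], "wireguard_ip") {
          # LDAP values may carry a prefix length; exporting "addr/24" would
          # grant the whole subnet, so keep only the host address.
          join($host["vars"]["wireguard_ip"].map |$ip| {
            $addr = regsubst($ip, '/\d+$', '')
            "${addr}(rw,secure,sync,all_squash)"
          }, " ")
        } elsif has_key($host["vars"], "host") {
          "${host[vars][host][0]}(rw,secure,sync,all_squash)"
        } else {
          "${host[vars][real_hostname][0]}(rw,secure,sync,all_squash)"
        }
      }, " ")

      nfs::server::export { "$mountpoint/$nfs_mount":
        owner   => "nobody",
        group   => "nobody",
        ensure  => "present",
        clients => $clients,
      }
    }
```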