Merge branch 'dev'

19 files changed, 308 insertions, 102 deletions

diff --git a/.gitmodules b/.gitmodules
index f8ff2b7..f5d2bd0 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -73,3 +73,6 @@
 [submodule "external_modules/augeasproviders_core"]
         path = external_modules/augeasproviders_core
         url = git://git.immae.eu/github/hercules-team/augeasproviders_core.git
+[submodule "external_modules/nfs"]
+        path = external_modules/nfs
+        url = git://git.immae.eu/github/derdanne/puppet-nfs
diff --git a/environments/global/common.yaml b/environments/global/common.yaml
index 3cc75fa..2f2db35 100644
--- a/environments/global/common.yaml
+++ b/environments/global/common.yaml
@@ -21,8 +21,8 @@ base_installation::ldap_dn: "cn=%{facts.ec2_metadata.hostname},ou=hosts,dc=immae
 base_installation::ldap_cn: "%{facts.ec2_metadata.hostname}"
 base_installation::ldap_server: "ldap.immae.eu"
 base_installation::ldap_uri: "ldaps://ldap.immae.eu"
-# FIXME: get all mounts without needing that hack?
 base_installation::puppet_conf_path: "/etc/puppetlabs/puppet"
+base_installation::puppet_notifies_path: "/etc/puppetlabs/notifies"
 base_installation::puppet_code_path: "/etc/puppetlabs/code"
 base_installation::puppet_pass_seed: "/etc/puppetlabs/puppet/password_seed"
 base_installation::puppet_ssl_path: "/etc/puppetlabs/ssl"
@@ -30,9 +30,7 @@ base_installation::system_locales: ["fr_FR.UTF-8", "en_US.UTF-8"]
 base_installation::system_timezone: "Europe/Paris"
 base_installation::system_users: [] # Fetched via ldap
 base_installation::notify_xmpp: {}
-profile::fstab::mounts:
-  - "%{facts.ldapvar.self.vars.mounts.0}"
-  - "%{facts.ldapvar.self.vars.mounts.1}"
+profile::fstab::mounts: []
 profile::xmr_stak::mining_pool: ""
 profile::xmr_stak::wallet: ""
 profile::mail::mailhub: "" # Fetched via ldap
diff --git a/environments/global/roles/cryptoportfolio.yaml b/environments/global/roles/cryptoportfolio.yaml
index 138da7a..661af2d 100644
--- a/environments/global/roles/cryptoportfolio.yaml
+++ b/environments/global/roles/cryptoportfolio.yaml
@@ -6,7 +6,7 @@ role::cryptoportfolio::user: "cryptoportfolio"
 role::cryptoportfolio::group: "cryptoportfolio"
 role::cryptoportfolio::home: "/home/cryptoportfolio"
 role::cryptoportfolio::env: "prod"
-role::cryptoportfolio::webhook_url: "%{ldapvar.self.vars.cf_slack_webhook.0}"
+role::cryptoportfolio::webhook_url: ""
 role::cryptoportfolio::pg_db: "cryptoportfolio"
 role::cryptoportfolio::pg_user: "cryptoportfolio"
 role::cryptoportfolio::web_host: "%{lookup('base_installation::system_hostname')}"
diff --git a/environments/global/roles/file_store.yaml b/environments/global/roles/file_store.yaml
new file mode 100644
index 0000000..c0912e2
--- /dev/null
+++ b/environments/global/roles/file_store.yaml
@@ -0,0 +1,4 @@
+---
+classes:
+  role::file_store: ~
+letsencrypt::hosts: "%{lookup('base_installation::system_hostname')}"
diff --git a/external_modules/nfs b/external_modules/nfs
new file mode 160000
+Subproject 24020205590d9ae942e0acf79c1506b40ab09e4
diff --git a/modules/base_installation/lib/puppet/functions/generate_password.rb b/modules/base_installation/lib/puppet/functions/generate_password.rb
new file mode 100644
index 0000000..0ccd4d6
--- /dev/null
+++ b/modules/base_installation/lib/puppet/functions/generate_password.rb
@@ -0,0 +1,49 @@
+require "base64"
+require "openssl"
+
+Puppet::Functions.create_function(:generate_password) do
+  dispatch :generate_password do
+    param 'Integer', :size
+    param 'String',  :seed_file
+    param 'String',  :password_key
+    optional_param 'String', :method
+    optional_param 'Boolean', :encode
+    return_type 'String'
+  end
+
+  def generate_password(size, seed_file, password_key, method = nil, encode = false)
+    key = get_key(seed_file, password_key)
+    case method
+    when nil
+      pass = generate_string(size, key)
+    when "curve25519"
+      pass = generate_string(32, key, binary = true)
+      pass[0] = (pass[0].ord & 248).chr
+      pass[31] = ((pass[31].ord & 127) | 64).chr
+    else
+      raise "Unknown method"
+    end
+
+    if encode
+      Base64.strict_encode64(pass).strip
+    else
+      pass
+    end
+  end
+
+  def generate_string(size, key, binary = false)
+    if binary
+      set = (0 .. 255).map { |i| i.chr }
+    else
+      set = ('a' .. 'z').to_a + ('A' .. 'Z').to_a + ('0' .. '9').to_a
+    end
+
+    size.times.collect do |i|
+      set[OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha256'), key, i.to_s).to_i(16) % set.size]
+    end.join
+  end
+
+  def get_key(seed_file, password_key)
+    "#{File.open(seed_file).read}:#{password_key}"
+  end
+end
diff --git a/modules/base_installation/lib/puppet/parser/functions/generate_password.rb b/modules/base_installation/lib/puppet/parser/functions/generate_password.rb
deleted file mode 100644
index 384d81b..0000000
--- a/modules/base_installation/lib/puppet/parser/functions/generate_password.rb
+++ /dev/null
@@ -1,31 +0,0 @@
-module Puppet::Parser::Functions
-  newfunction(:generate_password, :type => :rvalue, :doc => <<-EOS
-Returns a semi-random string based on a seed and a value. Will always generate the same value with the same entry.
-Prototype:
-  generate_password(length, seed_file, password_key)
-EOS
-) do |*arguments|
-  arguments = arguments.shift if arguments.first.is_a?(Array)
-
-  raise Puppet::ParseError, "generate_password(): Wrong number of arguments " +
-    "given (#{arguments.size} for 3)" if arguments.size != 3
-
-  size = arguments.shift
-  seed_file = arguments.shift
-  password_key = arguments.shift
-
-  unless size.class.ancestors.include?(Numeric) or size.is_a?(String)
-    raise Puppet::ParseError, 'generate_password(): Requires a numeric first argument'
-  end
-
-  size = size.to_i
-
-  set = ('a' .. 'z').to_a + ('A' .. 'Z').to_a + ('0' .. '9').to_a
-
-  key = "#{File.open(seed_file).read}:#{password_key}"
-
-  size.times.collect do |i|
-    set[OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha256'), key, i.to_s).to_i(16) % set.size]
-  end.join
-end
-end
diff --git a/modules/base_installation/lib/puppet/reports/cat_files.rb b/modules/base_installation/lib/puppet/reports/cat_files.rb
new file mode 100644
index 0000000..9d9c068
--- /dev/null
+++ b/modules/base_installation/lib/puppet/reports/cat_files.rb
@@ -0,0 +1,17 @@
+require 'puppet'
+
+Puppet::Reports.register_report(:cat_files) do
+  FOLLOWED_RESOURCES = [
+    "File[/etc/puppetlabs/notifies/host_ldap.info]",
+  ]
+
+  def process
+    self.resource_statuses.each do |name, status|
+      if FOLLOWED_RESOURCES.include?(status.resource) && status.events.any? { |e| e.status == "success" }
+        puts File.open(status.title, "r").read()
+      end
+    end
+  end
+
+end
+
diff --git a/modules/base_installation/manifests/init.pp b/modules/base_installation/manifests/init.pp
index d8abcaf..a1b5ca8 100644
--- a/modules/base_installation/manifests/init.pp
+++ b/modules/base_installation/manifests/init.pp
@@ -1,20 +1,21 @@
 class base_installation (
-  Optional[String]        $grub_device      = $base_installation::params::grub_device,
-  Optional[String]        $ldap_base        = $base_installation::params::ldap_base,
-  Optional[String]        $ldap_cert_path   = $base_installation::params::ldap_cert_path,
-  Optional[String]        $ldap_cn          = $base_installation::params::ldap_cn,
-  Optional[String]        $ldap_dn          = $base_installation::params::ldap_dn,
-  Optional[String]        $ldap_server      = $base_installation::params::ldap_server,
-  Optional[String]        $ldap_uri         = $base_installation::params::ldap_uri,
-  Optional[String]        $puppet_code_path = $base_installation::params::puppet_code_path,
-  Optional[String]        $puppet_conf_path = $base_installation::params::puppet_conf_path,
-  Optional[String]        $puppet_pass_seed = $base_installation::params::puppet_pass_seed,
-  Optional[String]        $puppet_ssl_path  = $base_installation::params::puppet_ssl_path,
-  Optional[String]        $real_hostname    = $base_installation::params::real_hostname,
-  Optional[String]        $system_hostname  = $base_installation::params::system_hostname,
-  Optional[Array[String]] $system_locales   = $base_installation::params::system_locales,
-  Optional[String]        $system_timezone  = $base_installation::params::system_timezone,
-  Optional[Array[Hash]]   $system_users     = $base_installation::params::system_users,
+  Optional[String]        $grub_device          = $base_installation::params::grub_device,
+  Optional[String]        $ldap_base            = $base_installation::params::ldap_base,
+  Optional[String]        $ldap_cert_path       = $base_installation::params::ldap_cert_path,
+  Optional[String]        $ldap_cn              = $base_installation::params::ldap_cn,
+  Optional[String]        $ldap_dn              = $base_installation::params::ldap_dn,
+  Optional[String]        $ldap_server          = $base_installation::params::ldap_server,
+  Optional[String]        $ldap_uri             = $base_installation::params::ldap_uri,
+  Optional[String]        $puppet_code_path     = $base_installation::params::puppet_code_path,
+  Optional[String]        $puppet_conf_path     = $base_installation::params::puppet_conf_path,
+  Optional[String]        $puppet_notifies_path = $base_installation::params::puppet_notifies_path,
+  Optional[String]        $puppet_pass_seed     = $base_installation::params::puppet_pass_seed,
+  Optional[String]        $puppet_ssl_path      = $base_installation::params::puppet_ssl_path,
+  Optional[String]        $real_hostname        = $base_installation::params::real_hostname,
+  Optional[String]        $system_hostname      = $base_installation::params::system_hostname,
+  Optional[Array[String]] $system_locales       = $base_installation::params::system_locales,
+  Optional[String]        $system_timezone      = $base_installation::params::system_timezone,
+  Optional[Array[Hash]]   $system_users         = $base_installation::params::system_users,
 ) inherits base_installation::params {
   contain ::base_installation::packages
   contain ::base_installation::locales
diff --git a/modules/base_installation/manifests/params.pp b/modules/base_installation/manifests/params.pp
index 5ade838..f336b65 100644
--- a/modules/base_installation/manifests/params.pp
+++ b/modules/base_installation/manifests/params.pp
@@ -1,20 +1,21 @@
 class base_installation::params {
-  $puppet_code_path = "/etc/puppetlabs/code"
-  $puppet_conf_path = "/etc/puppetlabs/puppet"
-  $puppet_pass_seed = "/etc/puppetlabs/puppet/password_seed"
-  $puppet_ssl_path  = "/etc/puppetlabs/ssl"
-  $grub_device      = "/dev/sda"
-  $ldap_base        = "dc=example,dc=com"
-  $ldap_cn          = "node"
-  $ldap_dn          = "cn=node,ou=hosts,dc=example,dc=com"
-  $ldap_cert_path   = "/etc/ssl/certs/ca-certificates.crt"
-  $ldap_uri         = "ldaps://ldap.example.com"
-  $ldap_server      = "ldap.example.com"
-  $real_hostname    = "example.com"
-  $system_hostname  = "example.com"
-  $system_locales   = ["en_US.UTF-8"]
-  $system_timezone  = "UTC"
-  $system_users     = [
+  $puppet_code_path     = "/etc/puppetlabs/code"
+  $puppet_conf_path     = "/etc/puppetlabs/puppet"
+  $puppet_notifies_path = "/etc/puppetlabs/notifies"
+  $puppet_pass_seed     = "/etc/puppetlabs/puppet/password_seed"
+  $puppet_ssl_path      = "/etc/puppetlabs/ssl"
+  $grub_device          = "/dev/sda"
+  $ldap_base            = "dc=example,dc=com"
+  $ldap_cn              = "node"
+  $ldap_dn              = "cn=node,ou=hosts,dc=example,dc=com"
+  $ldap_cert_path       = "/etc/ssl/certs/ca-certificates.crt"
+  $ldap_uri             = "ldaps://ldap.example.com"
+  $ldap_server          = "ldap.example.com"
+  $real_hostname        = "example.com"
+  $system_hostname      = "example.com"
+  $system_locales       = ["en_US.UTF-8"]
+  $system_timezone      = "UTC"
+  $system_users         = [
     {
       userid   => 1000,
       username => "example",
diff --git a/modules/base_installation/manifests/puppet.pp b/modules/base_installation/manifests/puppet.pp
index 05fe9a1..603a961 100644
--- a/modules/base_installation/manifests/puppet.pp
+++ b/modules/base_installation/manifests/puppet.pp
@@ -103,21 +103,47 @@ class base_installation::puppet (
       }
     }
 
-    if file("$base_installation::puppet_conf_path/host_ldap.info", "/dev/null") != "" and
+    if file("$base_installation::puppet_notifies_path/host_ldap.info", "/dev/null") != "" and
       empty($facts["ldapvar"]) {
         fail("LDAP was activated but facts are not available")
     }
 
+    file { $base_installation::puppet_notifies_path:
+      ensure  => directory,
+      require => [Package["puppet"], Package["gem:xmpp4r"], Package["gem:ruby-ldap"]],
+      recurse => true,
+      purge   => true,
+      force   => true,
+    }
+
     $ips = lookup("ips", { 'default_value' => undef })
-    file { "$base_installation::puppet_conf_path/host_ldap.info":
-      content => template("base_installation/puppet/host_ldap.info.erb"),
-      require => File[$base_installation::puppet_conf_path],
-      notify  => Notify_refresh["notify-ldap-password"],
+    concat { "$base_installation::puppet_notifies_path/host_ldap.info":
+      ensure         => "present",
+      mode           => "0600",
+      require        => File[$base_installation::puppet_notifies_path],
+      ensure_newline => true,
+    }
+
+    concat::fragment { "host_ldap add top":
+      target  => "$base_installation::puppet_notifies_path/host_ldap.info",
+      content => template("base_installation/puppet/host_ldap_add_top.info.erb"),
+      order   => "00-01",
+    }
+    concat::fragment { "host_ldap add bottom":
+      target  => "$base_installation::puppet_notifies_path/host_ldap.info",
+      content => "EOF",
+      order   => "00-99",
     }
 
-    notify_refresh { "notify-ldap-password":
-      message     => template("base_installation/puppet/host_ldap.info.erb"),
-      refreshonly => true
+    concat::fragment { "host_ldap mod top":
+      target  => "$base_installation::puppet_notifies_path/host_ldap.info",
+      content => template("base_installation/puppet/host_ldap_mod_top.info.erb"),
+      order   => "01-01",
+    }
+    concat::fragment { "host_ldap mod bottom":
+      target  => "$base_installation::puppet_notifies_path/host_ldap.info",
+      content => "EOF",
+      order   => "01-99",
     }
   }
 }
diff --git a/modules/base_installation/templates/puppet/host_ldap.info.erb b/modules/base_installation/templates/puppet/host_ldap_add_top.info.erb
index 7afdf2d..3aafc19 100644
--- a/modules/base_installation/templates/puppet/host_ldap.info.erb
+++ b/modules/base_installation/templates/puppet/host_ldap_add_top.info.erb
@@ -14,28 +14,3 @@ objectclass: ipHost
 environment: <%= @environment %>
 puppetVar: real_hostname=<%= @real_hostname %>
 userpassword: {SSHA}<%= Base64.encode64(Digest::SHA1.digest(@ldap_password+@ssha_ldap_seed)+@ssha_ldap_seed).chomp! %>
-EOF
-#### Or modify an existing entry:
-ldapmodify -D "cn=root,<%= @ldap_base %>" -W << 'EOF'
-dn: <%= @ldap_dn %>
-changetype: modify
-replace: userPassword
-userpassword: {SSHA}<%= Base64.encode64(Digest::SHA1.digest(@ldap_password+@ssha_ldap_seed)+@ssha_ldap_seed).chomp! %>
--
-replace: environment
-environment: <%= @environment %>
-<%- unless @ips.empty? -%>
--
-delete: ipHostNumber
-<%- unless @ips["v4"].nil? -%>
--
-add: ipHostNumber
-ipHostNumber: <%= @ips["v4"]["ipAddress"] %>
-<%- end -%>
-<%- unless @ips["v6"].nil? -%>
--
-add: ipHostNumber
-ipHostNumber: <%= @ips["v6"]["ipAddress"] %>/<%= @ips["v6"]["mask"] %>
-<%- end -%>
-<%- end -%>
-EOF
diff --git a/modules/base_installation/templates/puppet/host_ldap_mod_top.info.erb b/modules/base_installation/templates/puppet/host_ldap_mod_top.info.erb
new file mode 100644
index 0000000..d7a1294
--- /dev/null
+++ b/modules/base_installation/templates/puppet/host_ldap_mod_top.info.erb
@@ -0,0 +1,23 @@
+#### Or modify an existing entry:
+ldapmodify -D "cn=root,<%= @ldap_base %>" -W << 'EOF'
+dn: <%= @ldap_dn %>
+changetype: modify
+replace: userPassword
+userpassword: {SSHA}<%= Base64.encode64(Digest::SHA1.digest(@ldap_password+@ssha_ldap_seed)+@ssha_ldap_seed).chomp! %>
+-
+replace: environment
+environment: <%= @environment %>
+<%- unless @ips.empty? -%>
+-
+delete: ipHostNumber
+<%- unless @ips["v4"].nil? -%>
+-
+add: ipHostNumber
+ipHostNumber: <%= @ips["v4"]["ipAddress"] %>
+<%- end -%>
+<%- unless @ips["v6"].nil? -%>
+-
+add: ipHostNumber
+ipHostNumber: <%= @ips["v6"]["ipAddress"] %>/<%= @ips["v6"]["mask"] %>
+<%- end -%>
+<%- end -%>
diff --git a/modules/base_installation/templates/puppet/puppet.conf.erb b/modules/base_installation/templates/puppet/puppet.conf.erb
index da39468..38a0c1b 100644
--- a/modules/base_installation/templates/puppet/puppet.conf.erb
+++ b/modules/base_installation/templates/puppet/puppet.conf.erb
@@ -1,6 +1,6 @@
 [main]
 <%
-  reports = ["store"]
+  reports = ["store", "cat_files"]
   if @xmpp.count > 0
     reports << "xmpp"
   end
diff --git a/modules/profile/files/kerberos/krb5_client.conf b/modules/profile/files/kerberos/krb5_client.conf
new file mode 100644
index 0000000..3fce983
--- /dev/null
+++ b/modules/profile/files/kerberos/krb5_client.conf
@@ -0,0 +1,12 @@
+[libdefaults]
+  default_realm = IMMAE.EU
+
+[realms]
+  IMMAE.EU = {
+    kdc = kerberos.immae.eu
+    admin_server = kerberos.immae.eu
+  }
+
+[domain_realm]
+  immae.eu = IMMAE.EU
+  .immae.eu = IMMAE.EU
diff --git a/modules/profile/manifests/kerberos/client.pp b/modules/profile/manifests/kerberos/client.pp
new file mode 100644
index 0000000..1f1f2cd
--- /dev/null
+++ b/modules/profile/manifests/kerberos/client.pp
@@ -0,0 +1,7 @@
+class profile::kerberos::client {
+  ensure_packages(["krb5", "cyrus-sasl-gssapi"])
+
+  file { "/etc/krb5.conf":
+    source => "puppet:///modules/profile/kerberos/krb5_client.conf"
+  }
+}
diff --git a/modules/profile/manifests/wireguard.pp b/modules/profile/manifests/wireguard.pp
new file mode 100644
index 0000000..829f82d
--- /dev/null
+++ b/modules/profile/manifests/wireguard.pp
@@ -0,0 +1,40 @@
+class profile::wireguard (
+) {
+  $password_seed = lookup("base_installation::puppet_pass_seed")
+
+  ensure_packages(["linux-headers"], { before => Package["wireguard-dkms"] })
+  ensure_packages(["wireguard-tools", "wireguard-dkms"])
+
+  $host = $facts["ldapvar"]["self"]
+  if has_key($host["vars"], "wireguard_ip") {
+    $ips = $host["vars"]["wireguard_ip"]
+  } else {
+    $ips = []
+  }
+
+  $private_key = generate_password(32, $password_seed, "wireguard", "curve25519", true)
+
+  if file("/usr/bin/wg", "/dev/null") != "" {
+    $puppet_notifies_path = lookup("base_installation::puppet_notifies_path")
+    $public_key = generate("/usr/bin/bash", "-c", "echo $private_key | /usr/bin/wg pubkey")
+    concat::fragment { "host_ldap add wireguard":
+      target  => "$puppet_notifies_path/host_ldap.info",
+      content => "puppetVar: wireguard_public=$public_key",
+      order   => "00-80"
+    }
+  }
+
+  file { "/etc/wireguard/network.conf":
+    ensure  => "file",
+    mode    => "0600",
+    content => template("profile/wireguard/network.conf.erb"),
+    require => [Package["wireguard-tools"], Package["wireguard-dkms"]],
+    notify  => Service["wg-quick@network"],
+  }
+  ->
+  service { "wg-quick@network":
+    ensure => "running",
+    enable => true,
+  }
+
+}
diff --git a/modules/profile/templates/wireguard/network.conf.erb b/modules/profile/templates/wireguard/network.conf.erb
new file mode 100644
index 0000000..5327dfd
--- /dev/null
+++ b/modules/profile/templates/wireguard/network.conf.erb
@@ -0,0 +1,19 @@
+[Interface]
+<%- @ips.each do |ip| -%>
+Address = <%= ip %>
+<%- end -%>
+PrivateKey = <%= @private_key %>
+ListenPort = 51820
+
+<%- @facts["ldapvar"]["other"].each do |host| -%>
+<%- if (host["vars"]["wireguard_public"] || []).count > 0 %>
+[Peer]
+# <%= host["vars"]["real_hostname"][0] %>
+PublicKey = <%= host["vars"]["wireguard_public"][0] %>
+<%- if (host["vars"]["wireguard_ip"] || []).count > 0 -%>
+AllowedIps = <%= host["vars"]["wireguard_ip"].join(", ").gsub /\/\d+/, "/32" %>
+<%- end -%>
+Endpoint = <%= host["vars"]["real_hostname"][0] %>:51820
+
+<% end -%>
+<%- end -%>
diff --git a/modules/role/manifests/file_store.pp b/modules/role/manifests/file_store.pp
new file mode 100644
index 0000000..d1f6a67
--- /dev/null
+++ b/modules/role/manifests/file_store.pp
@@ -0,0 +1,62 @@
+class role::file_store (
+  Optional[Hash]  $nfs_mounts = {},
+  Optional[String] $mountpoint = "/fichiers1",
+) {
+  include "base_installation"
+
+  include "profile::fstab"
+  include "profile::tools"
+  include "profile::monitoring"
+  include "profile::wireguard"
+
+  unless empty($mountpoint) {
+    class { "::nfs":
+      server_enabled             => true,
+      nfs_v4                     => true,
+      nfs_v4_export_root         => '/exports',
+      nfs_v4_export_root_clients => 'localhost(rw)',
+      require                    => Mount[$mountpoint],
+    }
+
+    $nfs_mounts.each |$nfs_mount, $hosts| {
+      file { "$mountpoint/$nfs_mount":
+        ensure  => "directory",
+        mode    => "0755",
+        owner   => "nobody",
+        group   => "nobody",
+        require => Mount[$mountpoint],
+      }
+
+      $hosts.each |$host_cn| {
+        $host = find_host($facts["ldapvar"]["other"], $host_cn)
+        if empty($host) {
+          fail("No host found for nfs")
+        } elsif has_key($host["vars"], "wireguard_ip") {
+          $clients = sprintf("%s%s",
+            join($host["vars"]["wireguard_ip"], "(rw,secure,sync,all_squash) "),
+            "(rw,secure,sync,all_squash)")
+          nfs::server::export { "$mountpoint/$nfs_mount":
+            owner   => "nobody",
+            group   => "nobody",
+            ensure  => "present",
+            clients => $clients,
+          }
+        } elsif has_key($host["vars"], "host") {
+          nfs::server::export { "$mountpoint/$nfs_mount":
+            owner   => "nobody",
+            group   => "nobody",
+            ensure  => "present",
+            clients => "${host[vars][host][0]}(rw,secure,sync,all_squash)",
+          }
+        } else {
+          nfs::server::export { "$mountpoint/$nfs_mount":
+            owner   => "nobody",
+            group   => "nobody",
+            ensure  => "present",
+            clients => "${host[vars][real_hostname][0]}(rw,secure,sync,all_squash)",
+          }
+        }
+      }
+    }
+  }
+}