Merge branch 'dev'

author: Ismaël Bouya <ismael.bouya@normalesup.org> 2018-06-30 18:07:45 +0200
committer: Ismaël Bouya <ismael.bouya@normalesup.org> 2018-06-30 18:07:45 +0200
commit: 54460a893b4266d88fe23eb114a5b4e8a5b79077 (patch)
tree: 1493379a20cac50f4a0ef703db2e4fbdbca6ac58
parent: 3c1e202cf136cb7fae2860d7608cc1d077953d0b (diff)
parent: 77d4b0b7672ee0a840fb721463964c7edf0eb044 (diff)
download: Puppet-54460a893b4266d88fe23eb114a5b4e8a5b79077.tar.gz
Puppet-54460a893b4266d88fe23eb114a5b4e8a5b79077.tar.zst
Puppet-54460a893b4266d88fe23eb114a5b4e8a5b79077.zip
7 files changed, 64 insertions, 4 deletions
diff --git a/.gitmodules b/.gitmodules
index d68cf4e..f8ff2b7 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -67,3 +67,9 @@
 [submodule "external_modules/patch"]
        path = external_modules/patch
        url = git://git.immae.eu/github/tohuwabohu/puppet-patch.git
+[submodule "external_modules/augeasproviders_pam"]
+        path = external_modules/augeasproviders_pam
+        url = git://git.immae.eu/github/hercules-team/augeasproviders_pam.git
+[submodule "external_modules/augeasproviders_core"]
+        path = external_modules/augeasproviders_core
+        url = git://git.immae.eu/github/hercules-team/augeasproviders_core.git
diff --git a/external_modules/augeasproviders_core b/external_modules/augeasproviders_core
new file mode 160000
+Subproject 604680cb5fe7e32fd1ad1051fc34ef100a4d692
diff --git a/external_modules/augeasproviders_pam b/external_modules/augeasproviders_pam
new file mode 160000
+Subproject e20796872f094c56a201519bab7716f099c7881
diff --git a/modules/base_installation/manifests/ldap.pp b/modules/base_installation/manifests/ldap.pp
index 1825700..d5d871c 100644
--- a/modules/base_installation/manifests/ldap.pp
+++ b/modules/base_installation/manifests/ldap.pp
@@ -21,4 +21,47 @@ class base_installation::ldap inherits base_installation {
    require => File['/etc/openldap'],
  }
+  $password_seed  = lookup("base_installation::puppet_pass_seed")
+  $ldap_server    = lookup("base_installation::ldap_server")
+  $ldap_base      = lookup("base_installation::ldap_base")
+  $ldap_dn        = lookup("base_installation::ldap_dn")
+  $ldap_password  = generate_password(24, $password_seed, "ldap")
+  $ldap_attribute = "uid"
+  ensure_packages(["pam_ldap", "ruby-augeas"])
+  file { "/etc/pam_ldap.conf":
+    ensure  => "present",
+    mode    => "0400",
+    owner   => "root",
+    group   => "root",
+    content => template("base_installation/ldap/pam_ldap.conf.erb"),
+  }
+  ["system-auth", "passwd"].each |$service| {
+    pam { "Allow to change ldap password via $service":
+      ensure    => present,
+      service   => $service,
+      type      => "password",
+      control   => "[success=done new_authtok_reqd=ok ignore=ignore default=bad]",
+      module    => "pam_ldap.so",
+      arguments => "ignore_unknown_user",
+      position  => 'before *[type="password" and module="pam_unix.so"]',
+      require   => Package["ruby-augeas"],
+    }
+  }
+  ["system-auth", "su", "su-l"].each |$service| {
+    ["auth", "account"].each |$type| {
+      pam { "Allow $service to $type with ldap password":
+        ensure    => present,
+        service   => $service,
+        type      => $type,
+        control   => "[success=done new_authtok_reqd=ok ignore=ignore default=bad]",
+        module    => "pam_ldap.so",
+        arguments => "ignore_unknown_user",
+        position  => "before *[type=\"$type\" and module=\"pam_unix.so\"]",
+        require   => Package["ruby-augeas"],
+      }
+    }
+  }
 }
diff --git a/modules/base_installation/templates/ldap/pam_ldap.conf.erb b/modules/base_installation/templates/ldap/pam_ldap.conf.erb
new file mode 100644
index 0000000..f07490a
--- /dev/null
+++ b/modules/base_installation/templates/ldap/pam_ldap.conf.erb
@@ -0,0 +1,7 @@
+host <%= @ldap_server %>
+base <%= @ldap_base %>
+binddn <%= @ldap_dn %>
+bindpw <%= @ldap_password %>
+pam_login_attribute <%= @ldap_attribute %>
diff --git a/modules/profile/manifests/apache.pp b/modules/profile/manifests/apache.pp
index 382633b..7187350 100644
--- a/modules/profile/manifests/apache.pp
+++ b/modules/profile/manifests/apache.pp
@@ -4,6 +4,8 @@ class profile::apache {
    root_directory_options => ["All"],
    default_mods           => false,
    default_vhost          => false,
+    user                   => "http",
+    group                  => "http",
    log_formats            => {
      combined => '%v %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %p',
      common   => '%h %l %u %t \"%r\" %>s %b',
diff --git a/modules/profile/manifests/redis.pp b/modules/profile/manifests/redis.pp
index 79871b1..d912c59 100644
--- a/modules/profile/manifests/redis.pp
+++ b/modules/profile/manifests/redis.pp
@@ -17,9 +17,8 @@ class profile::redis {
    notify  => Service["redis"],
  }
-  package { "ruby-augeas":
+  ensure_packages(["ruby-augeas"])
-    ensure => installed,
-  } ->
  class { '::redis':
    unixsocket       => "/run/redis/redis.sock",
    unixsocketperm   => "777",
@@ -28,7 +27,10 @@ class profile::redis {
    config_file      => "/etc/redis.conf",
    config_file_orig => "/etc/redis.conf.puppet",
    port             => 0,
-    require          => File["/etc/systemd/system/redis.service.d/socket_shutdown.conf"],
+    require          => [
+      File["/etc/systemd/system/redis.service.d/socket_shutdown.conf"],
+      Package["ruby-augeas"]
+    ]
  }
 }
author	Ismaël Bouya <ismael.bouya@normalesup.org>	2018-06-30 18:07:45 +0200
committer	Ismaël Bouya <ismael.bouya@normalesup.org>	2018-06-30 18:07:45 +0200
commit	54460a893b4266d88fe23eb114a5b4e8a5b79077 (patch)
tree	1493379a20cac50f4a0ef703db2e4fbdbca6ac58
parent	3c1e202cf136cb7fae2860d7608cc1d077953d0b (diff)
parent	77d4b0b7672ee0a840fb721463964c7edf0eb044 (diff)
download	Puppet-54460a893b4266d88fe23eb114a5b4e8a5b79077.tar.gz Puppet-54460a893b4266d88fe23eb114a5b4e8a5b79077.tar.zst Puppet-54460a893b4266d88fe23eb114a5b4e8a5b79077.zip

diff --git a/.gitmodules b/.gitmodules index d68cf4e..f8ff2b7 100644 --- a/.gitmodules +++ b/.gitmodules
@@ -67,3 +67,9 @@
67	[submodule "external_modules/patch"]	67	[submodule "external_modules/patch"]
68	path = external_modules/patch	68	path = external_modules/patch
69	url = git://git.immae.eu/github/tohuwabohu/puppet-patch.git	69	url = git://git.immae.eu/github/tohuwabohu/puppet-patch.git
		70	[submodule "external_modules/augeasproviders_pam"]
		71	path = external_modules/augeasproviders_pam
		72	url = git://git.immae.eu/github/hercules-team/augeasproviders_pam.git
		73	[submodule "external_modules/augeasproviders_core"]
		74	path = external_modules/augeasproviders_core
		75	url = git://git.immae.eu/github/hercules-team/augeasproviders_core.git


diff --git a/external_modules/augeasproviders_core b/external_modules/augeasproviders_core new file mode 160000
			Subproject 604680cb5fe7e32fd1ad1051fc34ef100a4d692


diff --git a/external_modules/augeasproviders_pam b/external_modules/augeasproviders_pam new file mode 160000
			Subproject e20796872f094c56a201519bab7716f099c7881


diff --git a/modules/base_installation/manifests/ldap.pp b/modules/base_installation/manifests/ldap.pp index 1825700..d5d871c 100644 --- a/modules/base_installation/manifests/ldap.pp +++ b/modules/base_installation/manifests/ldap.pp
@@ -21,4 +21,47 @@ class base_installation::ldap inherits base_installation {
21	require => File['/etc/openldap'],	21	require => File['/etc/openldap'],
22	}	22	}
23		23
		24	$password_seed = lookup("base_installation::puppet_pass_seed")
		25	$ldap_server = lookup("base_installation::ldap_server")
		26	$ldap_base = lookup("base_installation::ldap_base")
		27	$ldap_dn = lookup("base_installation::ldap_dn")
		28	$ldap_password = generate_password(24, $password_seed, "ldap")
		29	$ldap_attribute = "uid"
		30
		31	ensure_packages(["pam_ldap", "ruby-augeas"])
		32	file { "/etc/pam_ldap.conf":
		33	ensure => "present",
		34	mode => "0400",
		35	owner => "root",
		36	group => "root",
		37	content => template("base_installation/ldap/pam_ldap.conf.erb"),
		38	}
		39
		40	["system-auth", "passwd"].each \|$service\| {
		41	pam { "Allow to change ldap password via $service":
		42	ensure => present,
		43	service => $service,
		44	type => "password",
		45	control => "[success=done new_authtok_reqd=ok ignore=ignore default=bad]",
		46	module => "pam_ldap.so",
		47	arguments => "ignore_unknown_user",
		48	position => 'before *[type="password" and module="pam_unix.so"]',
		49	require => Package["ruby-augeas"],
		50	}
		51	}
		52
		53	["system-auth", "su", "su-l"].each \|$service\| {
		54	["auth", "account"].each \|$type\| {
		55	pam { "Allow $service to $type with ldap password":
		56	ensure => present,
		57	service => $service,
		58	type => $type,
		59	control => "[success=done new_authtok_reqd=ok ignore=ignore default=bad]",
		60	module => "pam_ldap.so",
		61	arguments => "ignore_unknown_user",
		62	position => "before *[type=\"$type\" and module=\"pam_unix.so\"]",
		63	require => Package["ruby-augeas"],
		64	}
		65	}
		66	}
24	}	67	}


diff --git a/modules/base_installation/templates/ldap/pam_ldap.conf.erb b/modules/base_installation/templates/ldap/pam_ldap.conf.erb new file mode 100644 index 0000000..f07490a --- /dev/null +++ b/modules/base_installation/templates/ldap/pam_ldap.conf.erb
@@ -0,0 +1,7 @@
		1	host <%= @ldap_server %>
		2
		3	base <%= @ldap_base %>
		4	binddn <%= @ldap_dn %>
		5	bindpw <%= @ldap_password %>
		6	pam_login_attribute <%= @ldap_attribute %>
		7


diff --git a/modules/profile/manifests/apache.pp b/modules/profile/manifests/apache.pp index 382633b..7187350 100644 --- a/modules/profile/manifests/apache.pp +++ b/modules/profile/manifests/apache.pp
@@ -4,6 +4,8 @@ class profile::apache {
4	root_directory_options => ["All"],	4	root_directory_options => ["All"],
5	default_mods => false,	5	default_mods => false,
6	default_vhost => false,	6	default_vhost => false,
		7	user => "http",
		8	group => "http",
7	log_formats => {	9	log_formats => {
8	combined => '%v %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %p',	10	combined => '%v %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %p',
9	common => '%h %l %u %t \"%r\" %>s %b',	11	common => '%h %l %u %t \"%r\" %>s %b',


diff --git a/modules/profile/manifests/redis.pp b/modules/profile/manifests/redis.pp index 79871b1..d912c59 100644 --- a/modules/profile/manifests/redis.pp +++ b/modules/profile/manifests/redis.pp
@@ -17,9 +17,8 @@ class profile::redis {
17	notify => Service["redis"],	17	notify => Service["redis"],
18	}	18	}
19		19
20	package { "ruby-augeas":	20	ensure_packages(["ruby-augeas"])
21	ensure => installed,	21
22	} ->
23	class { '::redis':	22	class { '::redis':
24	unixsocket => "/run/redis/redis.sock",	23	unixsocket => "/run/redis/redis.sock",
25	unixsocketperm => "777",	24	unixsocketperm => "777",
@@ -28,7 +27,10 @@ class profile::redis {
28	config_file => "/etc/redis.conf",	27	config_file => "/etc/redis.conf",
29	config_file_orig => "/etc/redis.conf.puppet",	28	config_file_orig => "/etc/redis.conf.puppet",
30	port => 0,	29	port => 0,
31	require => File["/etc/systemd/system/redis.service.d/socket_shutdown.conf"],	30	require => [
		31	File["/etc/systemd/system/redis.service.d/socket_shutdown.conf"],
		32	Package["ruby-augeas"]
		33	]
32	}	34	}
33		35
34	}	36	}