19 files changed, 308 insertions, 102 deletions
diff --git a/.gitmodules b/.gitmodules index f8ff2b7..f5d2bd0 100644 --- a/.gitmodules +++ b/.gitmodules | |||
@@ -73,3 +73,6 @@ | |||
73 | [submodule "external_modules/augeasproviders_core"] | 73 | [submodule "external_modules/augeasproviders_core"] |
74 | path = external_modules/augeasproviders_core | 74 | path = external_modules/augeasproviders_core |
75 | url = git://git.immae.eu/github/hercules-team/augeasproviders_core.git | 75 | url = git://git.immae.eu/github/hercules-team/augeasproviders_core.git |
76 | [submodule "external_modules/nfs"] | ||
77 | path = external_modules/nfs | ||
78 | url = git://git.immae.eu/github/derdanne/puppet-nfs | ||
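Review bot: The new `external_modules/nfs` submodule is fetched over `git://`, which carries no transport authentication or integrity, so a network attacker can serve arbitrary refs to anyone running `git submodule update --remote` or adding the module fresh. The gitlink pinned in this commit (`24020205590d…`) is what actually protects the checkout, since a mismatched object hash will be rejected; the URL only decides what is offered. If the `git.immae.eu` mirror also speaks HTTPS, prefer `url = https://git.immae.eu/github/derdanne/puppet-nfs` here (the older entries use the same scheme and would deserve the same treatment).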
diff --git a/environments/global/common.yaml b/environments/global/common.yaml index 3cc75fa..2f2db35 100644 --- a/environments/global/common.yaml +++ b/environments/global/common.yaml | |||
@@ -21,8 +21,8 @@ base_installation::ldap_dn: "cn=%{facts.ec2_metadata.hostname},ou=hosts,dc=immae | |||
21 | base_installation::ldap_cn: "%{facts.ec2_metadata.hostname}" | 21 | base_installation::ldap_cn: "%{facts.ec2_metadata.hostname}" |
22 | base_installation::ldap_server: "ldap.immae.eu" | 22 | base_installation::ldap_server: "ldap.immae.eu" |
23 | base_installation::ldap_uri: "ldaps://ldap.immae.eu" | 23 | base_installation::ldap_uri: "ldaps://ldap.immae.eu" |
24 | # FIXME: get all mounts without needing that hack? | ||
25 | base_installation::puppet_conf_path: "/etc/puppetlabs/puppet" | 24 | base_installation::puppet_conf_path: "/etc/puppetlabs/puppet" |
25 | base_installation::puppet_notifies_path: "/etc/puppetlabs/notifies" | ||
26 | base_installation::puppet_code_path: "/etc/puppetlabs/code" | 26 | base_installation::puppet_code_path: "/etc/puppetlabs/code" |
27 | base_installation::puppet_pass_seed: "/etc/puppetlabs/puppet/password_seed" | 27 | base_installation::puppet_pass_seed: "/etc/puppetlabs/puppet/password_seed" |
28 | base_installation::puppet_ssl_path: "/etc/puppetlabs/ssl" | 28 | base_installation::puppet_ssl_path: "/etc/puppetlabs/ssl" |
@@ -30,9 +30,7 @@ base_installation::system_locales: ["fr_FR.UTF-8", "en_US.UTF-8"] | |||
30 | base_installation::system_timezone: "Europe/Paris" | 30 | base_installation::system_timezone: "Europe/Paris" |
31 | base_installation::system_users: [] # Fetched via ldap | 31 | base_installation::system_users: [] # Fetched via ldap |
32 | base_installation::notify_xmpp: {} | 32 | base_installation::notify_xmpp: {} |
33 | profile::fstab::mounts: | 33 | profile::fstab::mounts: [] |
34 | - "%{facts.ldapvar.self.vars.mounts.0}" | ||
35 | - "%{facts.ldapvar.self.vars.mounts.1}" | ||
36 | profile::xmr_stak::mining_pool: "" | 34 | profile::xmr_stak::mining_pool: "" |
37 | profile::xmr_stak::wallet: "" | 35 | profile::xmr_stak::wallet: "" |
38 | profile::mail::mailhub: "" # Fetched via ldap | 36 | profile::mail::mailhub: "" # Fetched via ldap |
diff --git a/environments/global/roles/cryptoportfolio.yaml b/environments/global/roles/cryptoportfolio.yaml index 138da7a..661af2d 100644 --- a/environments/global/roles/cryptoportfolio.yaml +++ b/environments/global/roles/cryptoportfolio.yaml | |||
@@ -6,7 +6,7 @@ role::cryptoportfolio::user: "cryptoportfolio" | |||
6 | role::cryptoportfolio::group: "cryptoportfolio" | 6 | role::cryptoportfolio::group: "cryptoportfolio" |
7 | role::cryptoportfolio::home: "/home/cryptoportfolio" | 7 | role::cryptoportfolio::home: "/home/cryptoportfolio" |
8 | role::cryptoportfolio::env: "prod" | 8 | role::cryptoportfolio::env: "prod" |
9 | role::cryptoportfolio::webhook_url: "%{ldapvar.self.vars.cf_slack_webhook.0}" | 9 | role::cryptoportfolio::webhook_url: "" |
10 | role::cryptoportfolio::pg_db: "cryptoportfolio" | 10 | role::cryptoportfolio::pg_db: "cryptoportfolio" |
11 | role::cryptoportfolio::pg_user: "cryptoportfolio" | 11 | role::cryptoportfolio::pg_user: "cryptoportfolio" |
12 | role::cryptoportfolio::web_host: "%{lookup('base_installation::system_hostname')}" | 12 | role::cryptoportfolio::web_host: "%{lookup('base_installation::system_hostname')}" |
diff --git a/environments/global/roles/file_store.yaml b/environments/global/roles/file_store.yaml new file mode 100644 index 0000000..c0912e2 --- /dev/null +++ b/environments/global/roles/file_store.yaml | |||
@@ -0,0 +1,4 @@ | |||
1 | --- | ||
2 | classes: | ||
3 | role::file_store: ~ | ||
4 | letsencrypt::hosts: "%{lookup('base_installation::system_hostname')}" | ||
diff --git a/external_modules/nfs b/external_modules/nfs new file mode 160000 | |||
Subproject 24020205590d9ae942e0acf79c1506b40ab09e4 | |||
diff --git a/modules/base_installation/lib/puppet/functions/generate_password.rb b/modules/base_installation/lib/puppet/functions/generate_password.rb new file mode 100644 index 0000000..0ccd4d6 --- /dev/null +++ b/modules/base_installation/lib/puppet/functions/generate_password.rb | |||
@@ -0,0 +1,49 @@ | |||
1 | require "base64" | ||
2 | require "openssl" | ||
3 | |||
4 | Puppet::Functions.create_function(:generate_password) do | ||
5 | dispatch :generate_password do | ||
6 | param 'Integer', :size | ||
7 | param 'String', :seed_file | ||
8 | param 'String', :password_key | ||
9 | optional_param 'String', :method | ||
10 | optional_param 'Boolean', :encode | ||
11 | return_type 'String' | ||
12 | end | ||
13 | |||
14 | def generate_password(size, seed_file, password_key, method = nil, encode = false) | ||
15 | key = get_key(seed_file, password_key) | ||
16 | case method | ||
17 | when nil | ||
18 | pass = generate_string(size, key) | ||
19 | when "curve25519" | ||
20 | pass = generate_string(32, key, binary = true) | ||
21 | pass[0] = (pass[0].ord & 248).chr | ||
22 | pass[31] = ((pass[31].ord & 127) | 64).chr | ||
23 | else | ||
24 | raise "Unknown method" | ||
25 | end | ||
26 | |||
27 | if encode | ||
28 | Base64.strict_encode64(pass).strip | ||
29 | else | ||
30 | pass | ||
31 | end | ||
32 | end | ||
33 | |||
34 | def generate_string(size, key, binary = false) | ||
35 | if binary | ||
36 | set = (0 .. 255).map { |i| i.chr } | ||
37 | else | ||
38 | set = ('a' .. 'z').to_a + ('A' .. 'Z').to_a + ('0' .. '9').to_a | ||
39 | end | ||
40 | |||
41 | size.times.collect do |i| | ||
42 | set[OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha256'), key, i.to_s).to_i(16) % set.size] | ||
43 | end.join | ||
44 | end | ||
45 | |||
46 | def get_key(seed_file, password_key) | ||
47 | "#{File.open(seed_file).read}:#{password_key}" | ||
48 | end | ||
49 | end | ||
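Review bot: `get_key` reads the seed with `File.open(seed_file).read`, which never closes the descriptor and leaks it until garbage collection on every password derivation; `"#{File.read(seed_file)}:#{password_key}"` is the one-line fix. The old parser function documented what this does and the new one does not, so a header comment above `create_function` would help: `# Derives a deterministic secret from the seed file plus a per-purpose label (HMAC-SHA256 per character); method "curve25519" returns a clamped 32-byte X25519 scalar and ignores size; encode wraps the result in strict base64.` It is worth stating there that every key and password this produces is exactly as secret as the seed file, which must be high-entropy and readable only by the Puppet process. Line 20's `generate_string(32, key, binary = true)` is an assignment to a throwaway local rather than a keyword argument; write `generate_string(32, key, true)`.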
diff --git a/modules/base_installation/lib/puppet/parser/functions/generate_password.rb b/modules/base_installation/lib/puppet/parser/functions/generate_password.rb deleted file mode 100644 index 384d81b..0000000 --- a/modules/base_installation/lib/puppet/parser/functions/generate_password.rb +++ /dev/null | |||
@@ -1,31 +0,0 @@ | |||
1 | module Puppet::Parser::Functions | ||
2 | newfunction(:generate_password, :type => :rvalue, :doc => <<-EOS | ||
3 | Returns a semi-random string based on a seed and a value. Will always generate the same value with the same entry. | ||
4 | Prototype: | ||
5 | generate_password(length, seed_file, password_key) | ||
6 | EOS | ||
7 | ) do |*arguments| | ||
8 | arguments = arguments.shift if arguments.first.is_a?(Array) | ||
9 | |||
10 | raise Puppet::ParseError, "generate_password(): Wrong number of arguments " + | ||
11 | "given (#{arguments.size} for 3)" if arguments.size != 3 | ||
12 | |||
13 | size = arguments.shift | ||
14 | seed_file = arguments.shift | ||
15 | password_key = arguments.shift | ||
16 | |||
17 | unless size.class.ancestors.include?(Numeric) or size.is_a?(String) | ||
18 | raise Puppet::ParseError, 'generate_password(): Requires a numeric first argument' | ||
19 | end | ||
20 | |||
21 | size = size.to_i | ||
22 | |||
23 | set = ('a' .. 'z').to_a + ('A' .. 'Z').to_a + ('0' .. '9').to_a | ||
24 | |||
25 | key = "#{File.open(seed_file).read}:#{password_key}" | ||
26 | |||
27 | size.times.collect do |i| | ||
28 | set[OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha256'), key, i.to_s).to_i(16) % set.size] | ||
29 | end.join | ||
30 | end | ||
31 | end | ||
diff --git a/modules/base_installation/lib/puppet/reports/cat_files.rb b/modules/base_installation/lib/puppet/reports/cat_files.rb new file mode 100644 index 0000000..9d9c068 --- /dev/null +++ b/modules/base_installation/lib/puppet/reports/cat_files.rb | |||
@@ -0,0 +1,17 @@ | |||
1 | require 'puppet' | ||
2 | |||
3 | Puppet::Reports.register_report(:cat_files) do | ||
4 | FOLLOWED_RESOURCES = [ | ||
5 | "File[/etc/puppetlabs/notifies/host_ldap.info]", | ||
6 | ] | ||
7 | |||
8 | def process | ||
9 | self.resource_statuses.each do |name, status| | ||
10 | if FOLLOWED_RESOURCES.include?(status.resource) && status.events.any? { |e| e.status == "success" } | ||
11 | puts File.open(status.title, "r").read() | ||
12 | end | ||
13 | end | ||
14 | end | ||
15 | |||
16 | end | ||
17 | |||
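Review bot: `process` writes the entire host_ldap.info to stdout whenever the resource changed, and that file carries the host's `{SSHA}`-hashed LDAP password (see the templates in this commit); if the agent runs from cron or a systemd unit, that hash lands in mail spools or the journal rather than in an operator's terminal, so guard the dump with `next unless $stdout.tty?` or say in a comment that the report is only meant for interactive runs. `File.open(status.title, "r").read()` also leaks the handle; use `File.read(status.title)`. `FOLLOWED_RESOURCES` hard-codes `/etc/puppetlabs/notifies` while the path is a Hiera parameter (`base_installation::puppet_notifies_path`), so overriding it silently disables the report — at minimum note that coupling in a comment next to the constant.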
diff --git a/modules/base_installation/manifests/init.pp b/modules/base_installation/manifests/init.pp index d8abcaf..a1b5ca8 100644 --- a/modules/base_installation/manifests/init.pp +++ b/modules/base_installation/manifests/init.pp | |||
@@ -1,20 +1,21 @@ | |||
1 | class base_installation ( | 1 | class base_installation ( |
2 | Optional[String] $grub_device = $base_installation::params::grub_device, | 2 | Optional[String] $grub_device = $base_installation::params::grub_device, |
3 | Optional[String] $ldap_base = $base_installation::params::ldap_base, | 3 | Optional[String] $ldap_base = $base_installation::params::ldap_base, |
4 | Optional[String] $ldap_cert_path = $base_installation::params::ldap_cert_path, | 4 | Optional[String] $ldap_cert_path = $base_installation::params::ldap_cert_path, |
5 | Optional[String] $ldap_cn = $base_installation::params::ldap_cn, | 5 | Optional[String] $ldap_cn = $base_installation::params::ldap_cn, |
6 | Optional[String] $ldap_dn = $base_installation::params::ldap_dn, | 6 | Optional[String] $ldap_dn = $base_installation::params::ldap_dn, |
7 | Optional[String] $ldap_server = $base_installation::params::ldap_server, | 7 | Optional[String] $ldap_server = $base_installation::params::ldap_server, |
8 | Optional[String] $ldap_uri = $base_installation::params::ldap_uri, | 8 | Optional[String] $ldap_uri = $base_installation::params::ldap_uri, |
9 | Optional[String] $puppet_code_path = $base_installation::params::puppet_code_path, | 9 | Optional[String] $puppet_code_path = $base_installation::params::puppet_code_path, |
10 | Optional[String] $puppet_conf_path = $base_installation::params::puppet_conf_path, | 10 | Optional[String] $puppet_conf_path = $base_installation::params::puppet_conf_path, |
11 | Optional[String] $puppet_pass_seed = $base_installation::params::puppet_pass_seed, | 11 | Optional[String] $puppet_notifies_path = $base_installation::params::puppet_notifies_path, |
12 | Optional[String] $puppet_ssl_path = $base_installation::params::puppet_ssl_path, | 12 | Optional[String] $puppet_pass_seed = $base_installation::params::puppet_pass_seed, |
13 | Optional[String] $real_hostname = $base_installation::params::real_hostname, | 13 | Optional[String] $puppet_ssl_path = $base_installation::params::puppet_ssl_path, |
14 | Optional[String] $system_hostname = $base_installation::params::system_hostname, | 14 | Optional[String] $real_hostname = $base_installation::params::real_hostname, |
15 | Optional[Array[String]] $system_locales = $base_installation::params::system_locales, | 15 | Optional[String] $system_hostname = $base_installation::params::system_hostname, |
16 | Optional[String] $system_timezone = $base_installation::params::system_timezone, | 16 | Optional[Array[String]] $system_locales = $base_installation::params::system_locales, |
17 | Optional[Array[Hash]] $system_users = $base_installation::params::system_users, | 17 | Optional[String] $system_timezone = $base_installation::params::system_timezone, |
18 | Optional[Array[Hash]] $system_users = $base_installation::params::system_users, | ||
18 | ) inherits base_installation::params { | 19 | ) inherits base_installation::params { |
19 | contain ::base_installation::packages | 20 | contain ::base_installation::packages |
20 | contain ::base_installation::locales | 21 | contain ::base_installation::locales |
diff --git a/modules/base_installation/manifests/params.pp b/modules/base_installation/manifests/params.pp index 5ade838..f336b65 100644 --- a/modules/base_installation/manifests/params.pp +++ b/modules/base_installation/manifests/params.pp | |||
@@ -1,20 +1,21 @@ | |||
1 | class base_installation::params { | 1 | class base_installation::params { |
2 | $puppet_code_path = "/etc/puppetlabs/code" | 2 | $puppet_code_path = "/etc/puppetlabs/code" |
3 | $puppet_conf_path = "/etc/puppetlabs/puppet" | 3 | $puppet_conf_path = "/etc/puppetlabs/puppet" |
4 | $puppet_pass_seed = "/etc/puppetlabs/puppet/password_seed" | 4 | $puppet_notifies_path = "/etc/puppetlabs/notifies" |
5 | $puppet_ssl_path = "/etc/puppetlabs/ssl" | 5 | $puppet_pass_seed = "/etc/puppetlabs/puppet/password_seed" |
6 | $grub_device = "/dev/sda" | 6 | $puppet_ssl_path = "/etc/puppetlabs/ssl" |
7 | $ldap_base = "dc=example,dc=com" | 7 | $grub_device = "/dev/sda" |
8 | $ldap_cn = "node" | 8 | $ldap_base = "dc=example,dc=com" |
9 | $ldap_dn = "cn=node,ou=hosts,dc=example,dc=com" | 9 | $ldap_cn = "node" |
10 | $ldap_cert_path = "/etc/ssl/certs/ca-certificates.crt" | 10 | $ldap_dn = "cn=node,ou=hosts,dc=example,dc=com" |
11 | $ldap_uri = "ldaps://ldap.example.com" | 11 | $ldap_cert_path = "/etc/ssl/certs/ca-certificates.crt" |
12 | $ldap_server = "ldap.example.com" | 12 | $ldap_uri = "ldaps://ldap.example.com" |
13 | $real_hostname = "example.com" | 13 | $ldap_server = "ldap.example.com" |
14 | $system_hostname = "example.com" | 14 | $real_hostname = "example.com" |
15 | $system_locales = ["en_US.UTF-8"] | 15 | $system_hostname = "example.com" |
16 | $system_timezone = "UTC" | 16 | $system_locales = ["en_US.UTF-8"] |
17 | $system_users = [ | 17 | $system_timezone = "UTC" |
18 | $system_users = [ | ||
18 | { | 19 | { |
19 | userid => 1000, | 20 | userid => 1000, |
20 | username => "example", | 21 | username => "example", |
diff --git a/modules/base_installation/manifests/puppet.pp b/modules/base_installation/manifests/puppet.pp index 05fe9a1..603a961 100644 --- a/modules/base_installation/manifests/puppet.pp +++ b/modules/base_installation/manifests/puppet.pp | |||
@@ -103,21 +103,47 @@ class base_installation::puppet ( | |||
103 | } | 103 | } |
104 | } | 104 | } |
105 | 105 | ||
106 | if file("$base_installation::puppet_conf_path/host_ldap.info", "/dev/null") != "" and | 106 | if file("$base_installation::puppet_notifies_path/host_ldap.info", "/dev/null") != "" and |
107 | empty($facts["ldapvar"]) { | 107 | empty($facts["ldapvar"]) { |
108 | fail("LDAP was activated but facts are not available") | 108 | fail("LDAP was activated but facts are not available") |
109 | } | 109 | } |
110 | 110 | ||
111 | file { $base_installation::puppet_notifies_path: | ||
112 | ensure => directory, | ||
113 | require => [Package["puppet"], Package["gem:xmpp4r"], Package["gem:ruby-ldap"]], | ||
114 | recurse => true, | ||
115 | purge => true, | ||
116 | force => true, | ||
117 | } | ||
118 | |||
111 | $ips = lookup("ips", { 'default_value' => undef }) | 119 | $ips = lookup("ips", { 'default_value' => undef }) |
112 | file { "$base_installation::puppet_conf_path/host_ldap.info": | 120 | concat { "$base_installation::puppet_notifies_path/host_ldap.info": |
113 | content => template("base_installation/puppet/host_ldap.info.erb"), | 121 | ensure => "present", |
114 | require => File[$base_installation::puppet_conf_path], | 122 | mode => "0600", |
115 | notify => Notify_refresh["notify-ldap-password"], | 123 | require => File[$base_installation::puppet_notifies_path], |
124 | ensure_newline => true, | ||
125 | } | ||
126 | |||
127 | concat::fragment { "host_ldap add top": | ||
128 | target => "$base_installation::puppet_notifies_path/host_ldap.info", | ||
129 | content => template("base_installation/puppet/host_ldap_add_top.info.erb"), | ||
130 | order => "00-01", | ||
131 | } | ||
132 | concat::fragment { "host_ldap add bottom": | ||
133 | target => "$base_installation::puppet_notifies_path/host_ldap.info", | ||
134 | content => "EOF", | ||
135 | order => "00-99", | ||
116 | } | 136 | } |
117 | 137 | ||
118 | notify_refresh { "notify-ldap-password": | 138 | concat::fragment { "host_ldap mod top": |
119 | message => template("base_installation/puppet/host_ldap.info.erb"), | 139 | target => "$base_installation::puppet_notifies_path/host_ldap.info", |
120 | refreshonly => true | 140 | content => template("base_installation/puppet/host_ldap_mod_top.info.erb"), |
141 | order => "01-01", | ||
142 | } | ||
143 | concat::fragment { "host_ldap mod bottom": | ||
144 | target => "$base_installation::puppet_notifies_path/host_ldap.info", | ||
145 | content => "EOF", | ||
146 | order => "01-99", | ||
121 | } | 147 | } |
122 | } | 148 | } |
123 | } | 149 | } |
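Review bot: The new `file { $base_installation::puppet_notifies_path: }` resource sets no `mode`, `owner` or `group`, so the directory that holds the 0600 host_ldap.info is created with whatever the agent's umask yields; since everything dropped in there is credential material for the operator, add `mode => "0700", owner => "root", group => "root",` (assuming the agent runs as root, as the `/etc/puppetlabs` paths suggest) so its listing and any future fragment files are not world-readable. The `concat` target itself is correctly restricted to 0600. `class base_installation::puppet` begins before this hunk.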
diff --git a/modules/base_installation/templates/puppet/host_ldap.info.erb b/modules/base_installation/templates/puppet/host_ldap_add_top.info.erb index 7afdf2d..3aafc19 100644 --- a/modules/base_installation/templates/puppet/host_ldap.info.erb +++ b/modules/base_installation/templates/puppet/host_ldap_add_top.info.erb | |||
@@ -14,28 +14,3 @@ objectclass: ipHost | |||
14 | environment: <%= @environment %> | 14 | environment: <%= @environment %> |
15 | puppetVar: real_hostname=<%= @real_hostname %> | 15 | puppetVar: real_hostname=<%= @real_hostname %> |
16 | userpassword: {SSHA}<%= Base64.encode64(Digest::SHA1.digest(@ldap_password+@ssha_ldap_seed)+@ssha_ldap_seed).chomp! %> | 16 | userpassword: {SSHA}<%= Base64.encode64(Digest::SHA1.digest(@ldap_password+@ssha_ldap_seed)+@ssha_ldap_seed).chomp! %> |
17 | EOF | ||
18 | [0;35m#### Or modify an existing entry:[0m | ||
19 | ldapmodify -D "cn=root,<%= @ldap_base %>" -W << 'EOF' | ||
20 | dn: <%= @ldap_dn %> | ||
21 | changetype: modify | ||
22 | replace: userPassword | ||
23 | userpassword: {SSHA}<%= Base64.encode64(Digest::SHA1.digest(@ldap_password+@ssha_ldap_seed)+@ssha_ldap_seed).chomp! %> | ||
24 | - | ||
25 | replace: environment | ||
26 | environment: <%= @environment %> | ||
27 | <%- unless @ips.empty? -%> | ||
28 | - | ||
29 | delete: ipHostNumber | ||
30 | <%- unless @ips["v4"].nil? -%> | ||
31 | - | ||
32 | add: ipHostNumber | ||
33 | ipHostNumber: <%= @ips["v4"]["ipAddress"] %> | ||
34 | <%- end -%> | ||
35 | <%- unless @ips["v6"].nil? -%> | ||
36 | - | ||
37 | add: ipHostNumber | ||
38 | ipHostNumber: <%= @ips["v6"]["ipAddress"] %>/<%= @ips["v6"]["mask"] %> | ||
39 | <%- end -%> | ||
40 | <%- end -%> | ||
41 | EOF | ||
diff --git a/modules/base_installation/templates/puppet/host_ldap_mod_top.info.erb b/modules/base_installation/templates/puppet/host_ldap_mod_top.info.erb new file mode 100644 index 0000000..d7a1294 --- /dev/null +++ b/modules/base_installation/templates/puppet/host_ldap_mod_top.info.erb | |||
@@ -0,0 +1,23 @@ | |||
1 | [0;35m#### Or modify an existing entry:[0m | ||
2 | ldapmodify -D "cn=root,<%= @ldap_base %>" -W << 'EOF' | ||
3 | dn: <%= @ldap_dn %> | ||
4 | changetype: modify | ||
5 | replace: userPassword | ||
6 | userpassword: {SSHA}<%= Base64.encode64(Digest::SHA1.digest(@ldap_password+@ssha_ldap_seed)+@ssha_ldap_seed).chomp! %> | ||
7 | - | ||
8 | replace: environment | ||
9 | environment: <%= @environment %> | ||
10 | <%- unless @ips.empty? -%> | ||
11 | - | ||
12 | delete: ipHostNumber | ||
13 | <%- unless @ips["v4"].nil? -%> | ||
14 | - | ||
15 | add: ipHostNumber | ||
16 | ipHostNumber: <%= @ips["v4"]["ipAddress"] %> | ||
17 | <%- end -%> | ||
18 | <%- unless @ips["v6"].nil? -%> | ||
19 | - | ||
20 | add: ipHostNumber | ||
21 | ipHostNumber: <%= @ips["v6"]["ipAddress"] %>/<%= @ips["v6"]["mask"] %> | ||
22 | <%- end -%> | ||
23 | <%- end -%> | ||
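Review bot: Line 6 encodes the SSHA value with `Base64.encode64`, which inserts a newline every 60 output characters; the 20-byte SHA-1 digest plus `@ssha_ldap_seed` exceeds the 45-byte wrap point as soon as the seed is longer than about 25 bytes, and then the `userpassword:` line is split in two and `ldapmodify` rejects the LDIF — `chomp!` only strips the final newline. `Base64.strict_encode64` emits no line breaks and needs no `chomp!`: `userpassword: {SSHA}<%= Base64.strict_encode64(Digest::SHA1.digest(@ldap_password+@ssha_ldap_seed)+@ssha_ldap_seed) %>`. The seed length is not visible in this commit, so whether it bites today is unconfirmed; the identical expression in host_ldap_add_top.info.erb should change with it.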
diff --git a/modules/base_installation/templates/puppet/puppet.conf.erb b/modules/base_installation/templates/puppet/puppet.conf.erb index da39468..38a0c1b 100644 --- a/modules/base_installation/templates/puppet/puppet.conf.erb +++ b/modules/base_installation/templates/puppet/puppet.conf.erb | |||
@@ -1,6 +1,6 @@ | |||
1 | [main] | 1 | [main] |
2 | <% | 2 | <% |
3 | reports = ["store"] | 3 | reports = ["store", "cat_files"] |
4 | if @xmpp.count > 0 | 4 | if @xmpp.count > 0 |
5 | reports << "xmpp" | 5 | reports << "xmpp" |
6 | end | 6 | end |
diff --git a/modules/profile/files/kerberos/krb5_client.conf b/modules/profile/files/kerberos/krb5_client.conf new file mode 100644 index 0000000..3fce983 --- /dev/null +++ b/modules/profile/files/kerberos/krb5_client.conf | |||
@@ -0,0 +1,12 @@ | |||
1 | [libdefaults] | ||
2 | default_realm = IMMAE.EU | ||
3 | |||
4 | [realms] | ||
5 | IMMAE.EU = { | ||
6 | kdc = kerberos.immae.eu | ||
7 | admin_server = kerberos.immae.eu | ||
8 | } | ||
9 | |||
10 | [domain_realm] | ||
11 | immae.eu = IMMAE.EU | ||
12 | .immae.eu = IMMAE.EU | ||
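Review bot: `[libdefaults]` only sets `default_realm`; consider adding `rdns = false` so the client does not build service principal names from an unauthenticated reverse-DNS lookup, which is the standard hardening for hosts that reach the KDC across networks they do not control. Whether it matters here depends on which GSSAPI services these hosts will talk to, which the commit does not show, but it is harmless for a realm whose principals match forward names.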
diff --git a/modules/profile/manifests/kerberos/client.pp b/modules/profile/manifests/kerberos/client.pp new file mode 100644 index 0000000..1f1f2cd --- /dev/null +++ b/modules/profile/manifests/kerberos/client.pp | |||
@@ -0,0 +1,7 @@ | |||
1 | class profile::kerberos::client { | ||
2 | ensure_packages(["krb5", "cyrus-sasl-gssapi"]) | ||
3 | |||
4 | file { "/etc/krb5.conf": | ||
5 | source => "puppet:///modules/profile/kerberos/krb5_client.conf" | ||
6 | } | ||
7 | } | ||
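Review bot: The `file { "/etc/krb5.conf": }` resource has no ordering against the `krb5` package and no explicit permissions, so on a first run the file may be written before the package installs (and, if the package ships its own krb5.conf, the two can race) while its mode is left to the umask; add `require => Package["krb5"], owner => "root", group => "root", mode => "0644",`. The file holds no secrets, so world-readable is the right mode, but stating it makes the intent explicit.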
diff --git a/modules/profile/manifests/wireguard.pp b/modules/profile/manifests/wireguard.pp new file mode 100644 index 0000000..829f82d --- /dev/null +++ b/modules/profile/manifests/wireguard.pp | |||
@@ -0,0 +1,40 @@ | |||
1 | class profile::wireguard ( | ||
2 | ) { | ||
3 | $password_seed = lookup("base_installation::puppet_pass_seed") | ||
4 | |||
5 | ensure_packages(["linux-headers"], { before => Package["wireguard-dkms"] }) | ||
6 | ensure_packages(["wireguard-tools", "wireguard-dkms"]) | ||
7 | |||
8 | $host = $facts["ldapvar"]["self"] | ||
9 | if has_key($host["vars"], "wireguard_ip") { | ||
10 | $ips = $host["vars"]["wireguard_ip"] | ||
11 | } else { | ||
12 | $ips = [] | ||
13 | } | ||
14 | |||
15 | $private_key = generate_password(32, $password_seed, "wireguard", "curve25519", true) | ||
16 | |||
17 | if file("/usr/bin/wg", "/dev/null") != "" { | ||
18 | $puppet_notifies_path = lookup("base_installation::puppet_notifies_path") | ||
19 | $public_key = generate("/usr/bin/bash", "-c", "echo $private_key | /usr/bin/wg pubkey") | ||
20 | concat::fragment { "host_ldap add wireguard": | ||
21 | target => "$puppet_notifies_path/host_ldap.info", | ||
22 | content => "puppetVar: wireguard_public=$public_key", | ||
23 | order => "00-80" | ||
24 | } | ||
25 | } | ||
26 | |||
27 | file { "/etc/wireguard/network.conf": | ||
28 | ensure => "file", | ||
29 | mode => "0600", | ||
30 | content => template("profile/wireguard/network.conf.erb"), | ||
31 | require => [Package["wireguard-tools"], Package["wireguard-dkms"]], | ||
32 | notify => Service["wg-quick@network"], | ||
33 | } | ||
34 | -> | ||
35 | service { "wg-quick@network": | ||
36 | ensure => "running", | ||
37 | enable => true, | ||
38 | } | ||
39 | |||
40 | } | ||
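Review bot: Line 19 embeds the WireGuard private key in the command string of `bash -c`, so for the lifetime of that pipeline it is readable by every local user via `/proc/*/cmdline`; `generate()` also runs at catalog compile time, i.e. on whichever host compiles the catalog, not necessarily the node that owns the key. Since the scalar is already produced in Ruby by `generate_password`'s `curve25519` method, derive the public key there too and return it alongside, or write the key to a 0600 file first and feed `wg pubkey` from that file instead of argv; the value is base64 so there is no injection concern, only exposure. Separately, the `host_ldap add wireguard` fragment uses `order => "00-80"`, which places it only in the `ldapadd` block (00-01..00-99 in puppet.pp); the `ldapmodify` block (01-xx) never carries `puppetVar: wireguard_public`, so a host whose LDAP entry already exists will not publish or rotate its key, and a 01-80 fragment with its own `-`/`replace: puppetVar` stanza (listing every puppetVar value) would be needed to cover that path.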
diff --git a/modules/profile/templates/wireguard/network.conf.erb b/modules/profile/templates/wireguard/network.conf.erb new file mode 100644 index 0000000..5327dfd --- /dev/null +++ b/modules/profile/templates/wireguard/network.conf.erb | |||
@@ -0,0 +1,19 @@ | |||
1 | [Interface] | ||
2 | <%- @ips.each do |ip| -%> | ||
3 | Address = <%= ip %> | ||
4 | <%- end -%> | ||
5 | PrivateKey = <%= @private_key %> | ||
6 | ListenPort = 51820 | ||
7 | |||
8 | <%- @facts["ldapvar"]["other"].each do |host| -%> | ||
9 | <%- if (host["vars"]["wireguard_public"] || []).count > 0 %> | ||
10 | [Peer] | ||
11 | # <%= host["vars"]["real_hostname"][0] %> | ||
12 | PublicKey = <%= host["vars"]["wireguard_public"][0] %> | ||
13 | <%- if (host["vars"]["wireguard_ip"] || []).count > 0 -%> | ||
14 | AllowedIps = <%= host["vars"]["wireguard_ip"].join(", ").gsub /\/\d+/, "/32" %> | ||
15 | <%- end -%> | ||
16 | Endpoint = <%= host["vars"]["real_hostname"][0] %>:51820 | ||
17 | |||
18 | <% end -%> | ||
19 | <%- end -%> | ||
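Review bot: Line 14 rewrites every prefix length in `wireguard_ip` to `/32`, which is right for IPv4 but, should an entry ever be IPv6, turns one address into a /32 of v6 space in the peer's `AllowedIPs` — WireGuard's cryptokey routing then accepts any source inside that block from that peer. Choose the host length per family: `AllowedIps = <%= host["vars"]["wireguard_ip"].map { |ip| ip.sub(/\/\d+\z/, ip.include?(":") ? "/128" : "/32") }.join(", ") %>`. Whether IPv6 values exist in LDAP is not visible here. The `<% end -%>` on line 18 should be `<%- end -%>` to match the other tags and avoid a stray blank line per peer.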
diff --git a/modules/role/manifests/file_store.pp b/modules/role/manifests/file_store.pp new file mode 100644 index 0000000..d1f6a67 --- /dev/null +++ b/modules/role/manifests/file_store.pp | |||
@@ -0,0 +1,62 @@ | |||
1 | class role::file_store ( | ||
2 | Optional[Hash] $nfs_mounts = {}, | ||
3 | Optional[String] $mountpoint = "/fichiers1", | ||
4 | ) { | ||
5 | include "base_installation" | ||
6 | |||
7 | include "profile::fstab" | ||
8 | include "profile::tools" | ||
9 | include "profile::monitoring" | ||
10 | include "profile::wireguard" | ||
11 | |||
12 | unless empty($mountpoint) { | ||
13 | class { "::nfs": | ||
14 | server_enabled => true, | ||
15 | nfs_v4 => true, | ||
16 | nfs_v4_export_root => '/exports', | ||
17 | nfs_v4_export_root_clients => 'localhost(rw)', | ||
18 | require => Mount[$mountpoint], | ||
19 | } | ||
20 | |||
21 | $nfs_mounts.each |$nfs_mount, $hosts| { | ||
22 | file { "$mountpoint/$nfs_mount": | ||
23 | ensure => "directory", | ||
24 | mode => "0755", | ||
25 | owner => "nobody", | ||
26 | group => "nobody", | ||
27 | require => Mount[$mountpoint], | ||
28 | } | ||
29 | |||
30 | $hosts.each |$host_cn| { | ||
31 | $host = find_host($facts["ldapvar"]["other"], $host_cn) | ||
32 | if empty($host) { | ||
33 | fail("No host found for nfs") | ||
34 | } elsif has_key($host["vars"], "wireguard_ip") { | ||
35 | $clients = sprintf("%s%s", | ||
36 | join($host["vars"]["wireguard_ip"], "(rw,secure,sync,all_squash) "), | ||
37 | "(rw,secure,sync,all_squash)") | ||
38 | nfs::server::export { "$mountpoint/$nfs_mount": | ||
39 | owner => "nobody", | ||
40 | group => "nobody", | ||
41 | ensure => "present", | ||
42 | clients => $clients, | ||
43 | } | ||
44 | } elsif has_key($host["vars"], "host") { | ||
45 | nfs::server::export { "$mountpoint/$nfs_mount": | ||
46 | owner => "nobody", | ||
47 | group => "nobody", | ||
48 | ensure => "present", | ||
49 | clients => "${host[vars][host][0]}(rw,secure,sync,all_squash)", | ||
50 | } | ||
51 | } else { | ||
52 | nfs::server::export { "$mountpoint/$nfs_mount": | ||
53 | owner => "nobody", | ||
54 | group => "nobody", | ||
55 | ensure => "present", | ||
56 | clients => "${host[vars][real_hostname][0]}(rw,secure,sync,all_squash)", | ||
57 | } | ||
58 | } | ||
59 | } | ||
60 | } | ||
61 | } | ||
62 | } | ||