aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--.gitmodules3
-rw-r--r--environments/global/common.yaml6
-rw-r--r--environments/global/roles/cryptoportfolio.yaml2
-rw-r--r--environments/global/roles/file_store.yaml4
m---------external_modules/nfs0
-rw-r--r--modules/base_installation/lib/puppet/functions/generate_password.rb49
-rw-r--r--modules/base_installation/lib/puppet/parser/functions/generate_password.rb31
-rw-r--r--modules/base_installation/lib/puppet/reports/cat_files.rb17
-rw-r--r--modules/base_installation/manifests/init.pp33
-rw-r--r--modules/base_installation/manifests/params.pp33
-rw-r--r--modules/base_installation/manifests/puppet.pp42
-rw-r--r--modules/base_installation/templates/puppet/host_ldap_add_top.info.erb (renamed from modules/base_installation/templates/puppet/host_ldap.info.erb)25
-rw-r--r--modules/base_installation/templates/puppet/host_ldap_mod_top.info.erb23
-rw-r--r--modules/base_installation/templates/puppet/puppet.conf.erb2
-rw-r--r--modules/profile/files/kerberos/krb5_client.conf12
-rw-r--r--modules/profile/manifests/kerberos/client.pp7
-rw-r--r--modules/profile/manifests/wireguard.pp40
-rw-r--r--modules/profile/templates/wireguard/network.conf.erb19
-rw-r--r--modules/role/manifests/file_store.pp62
19 files changed, 308 insertions, 102 deletions
diff --git a/.gitmodules b/.gitmodules
index f8ff2b7..f5d2bd0 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -73,3 +73,6 @@
73[submodule "external_modules/augeasproviders_core"] 73[submodule "external_modules/augeasproviders_core"]
74 path = external_modules/augeasproviders_core 74 path = external_modules/augeasproviders_core
75 url = git://git.immae.eu/github/hercules-team/augeasproviders_core.git 75 url = git://git.immae.eu/github/hercules-team/augeasproviders_core.git
76[submodule "external_modules/nfs"]
77 path = external_modules/nfs
78 url = git://git.immae.eu/github/derdanne/puppet-nfs
diff --git a/environments/global/common.yaml b/environments/global/common.yaml
index 3cc75fa..2f2db35 100644
--- a/environments/global/common.yaml
+++ b/environments/global/common.yaml
@@ -21,8 +21,8 @@ base_installation::ldap_dn: "cn=%{facts.ec2_metadata.hostname},ou=hosts,dc=immae
21base_installation::ldap_cn: "%{facts.ec2_metadata.hostname}" 21base_installation::ldap_cn: "%{facts.ec2_metadata.hostname}"
22base_installation::ldap_server: "ldap.immae.eu" 22base_installation::ldap_server: "ldap.immae.eu"
23base_installation::ldap_uri: "ldaps://ldap.immae.eu" 23base_installation::ldap_uri: "ldaps://ldap.immae.eu"
24# FIXME: get all mounts without needing that hack?
25base_installation::puppet_conf_path: "/etc/puppetlabs/puppet" 24base_installation::puppet_conf_path: "/etc/puppetlabs/puppet"
25base_installation::puppet_notifies_path: "/etc/puppetlabs/notifies"
26base_installation::puppet_code_path: "/etc/puppetlabs/code" 26base_installation::puppet_code_path: "/etc/puppetlabs/code"
27base_installation::puppet_pass_seed: "/etc/puppetlabs/puppet/password_seed" 27base_installation::puppet_pass_seed: "/etc/puppetlabs/puppet/password_seed"
28base_installation::puppet_ssl_path: "/etc/puppetlabs/ssl" 28base_installation::puppet_ssl_path: "/etc/puppetlabs/ssl"
@@ -30,9 +30,7 @@ base_installation::system_locales: ["fr_FR.UTF-8", "en_US.UTF-8"]
30base_installation::system_timezone: "Europe/Paris" 30base_installation::system_timezone: "Europe/Paris"
31base_installation::system_users: [] # Fetched via ldap 31base_installation::system_users: [] # Fetched via ldap
32base_installation::notify_xmpp: {} 32base_installation::notify_xmpp: {}
33profile::fstab::mounts: 33profile::fstab::mounts: []
34 - "%{facts.ldapvar.self.vars.mounts.0}"
35 - "%{facts.ldapvar.self.vars.mounts.1}"
36profile::xmr_stak::mining_pool: "" 34profile::xmr_stak::mining_pool: ""
37profile::xmr_stak::wallet: "" 35profile::xmr_stak::wallet: ""
38profile::mail::mailhub: "" # Fetched via ldap 36profile::mail::mailhub: "" # Fetched via ldap
diff --git a/environments/global/roles/cryptoportfolio.yaml b/environments/global/roles/cryptoportfolio.yaml
index 138da7a..661af2d 100644
--- a/environments/global/roles/cryptoportfolio.yaml
+++ b/environments/global/roles/cryptoportfolio.yaml
@@ -6,7 +6,7 @@ role::cryptoportfolio::user: "cryptoportfolio"
6role::cryptoportfolio::group: "cryptoportfolio" 6role::cryptoportfolio::group: "cryptoportfolio"
7role::cryptoportfolio::home: "/home/cryptoportfolio" 7role::cryptoportfolio::home: "/home/cryptoportfolio"
8role::cryptoportfolio::env: "prod" 8role::cryptoportfolio::env: "prod"
9role::cryptoportfolio::webhook_url: "%{ldapvar.self.vars.cf_slack_webhook.0}" 9role::cryptoportfolio::webhook_url: ""
10role::cryptoportfolio::pg_db: "cryptoportfolio" 10role::cryptoportfolio::pg_db: "cryptoportfolio"
11role::cryptoportfolio::pg_user: "cryptoportfolio" 11role::cryptoportfolio::pg_user: "cryptoportfolio"
12role::cryptoportfolio::web_host: "%{lookup('base_installation::system_hostname')}" 12role::cryptoportfolio::web_host: "%{lookup('base_installation::system_hostname')}"
diff --git a/environments/global/roles/file_store.yaml b/environments/global/roles/file_store.yaml
new file mode 100644
index 0000000..c0912e2
--- /dev/null
+++ b/environments/global/roles/file_store.yaml
@@ -0,0 +1,4 @@
1---
2classes:
3 role::file_store: ~
4letsencrypt::hosts: "%{lookup('base_installation::system_hostname')}"
diff --git a/external_modules/nfs b/external_modules/nfs
new file mode 160000
Subproject 24020205590d9ae942e0acf79c1506b40ab09e4
diff --git a/modules/base_installation/lib/puppet/functions/generate_password.rb b/modules/base_installation/lib/puppet/functions/generate_password.rb
new file mode 100644
index 0000000..0ccd4d6
--- /dev/null
+++ b/modules/base_installation/lib/puppet/functions/generate_password.rb
@@ -0,0 +1,49 @@
1require "base64"
2require "openssl"
3
4Puppet::Functions.create_function(:generate_password) do
5 dispatch :generate_password do
6 param 'Integer', :size
7 param 'String', :seed_file
8 param 'String', :password_key
9 optional_param 'String', :method
10 optional_param 'Boolean', :encode
11 return_type 'String'
12 end
13
14 def generate_password(size, seed_file, password_key, method = nil, encode = false)
15 key = get_key(seed_file, password_key)
16 case method
17 when nil
18 pass = generate_string(size, key)
19 when "curve25519"
20 pass = generate_string(32, key, binary = true)
21 pass[0] = (pass[0].ord & 248).chr
22 pass[31] = ((pass[31].ord & 127) | 64).chr
23 else
24 raise "Unknown method"
25 end
26
27 if encode
28 Base64.strict_encode64(pass).strip
29 else
30 pass
31 end
32 end
33
34 def generate_string(size, key, binary = false)
35 if binary
36 set = (0 .. 255).map { |i| i.chr }
37 else
38 set = ('a' .. 'z').to_a + ('A' .. 'Z').to_a + ('0' .. '9').to_a
39 end
40
41 size.times.collect do |i|
42 set[OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha256'), key, i.to_s).to_i(16) % set.size]
43 end.join
44 end
45
46 def get_key(seed_file, password_key)
47 "#{File.open(seed_file).read}:#{password_key}"
48 end
49end
diff --git a/modules/base_installation/lib/puppet/parser/functions/generate_password.rb b/modules/base_installation/lib/puppet/parser/functions/generate_password.rb
deleted file mode 100644
index 384d81b..0000000
--- a/modules/base_installation/lib/puppet/parser/functions/generate_password.rb
+++ /dev/null
@@ -1,31 +0,0 @@
1module Puppet::Parser::Functions
2 newfunction(:generate_password, :type => :rvalue, :doc => <<-EOS
3Returns a semi-random string based on a seed and a value. Will always generate the same value with the same entry.
4Prototype:
5 generate_password(length, seed_file, password_key)
6EOS
7) do |*arguments|
8 arguments = arguments.shift if arguments.first.is_a?(Array)
9
10 raise Puppet::ParseError, "generate_password(): Wrong number of arguments " +
11 "given (#{arguments.size} for 3)" if arguments.size != 3
12
13 size = arguments.shift
14 seed_file = arguments.shift
15 password_key = arguments.shift
16
17 unless size.class.ancestors.include?(Numeric) or size.is_a?(String)
18 raise Puppet::ParseError, 'generate_password(): Requires a numeric first argument'
19 end
20
21 size = size.to_i
22
23 set = ('a' .. 'z').to_a + ('A' .. 'Z').to_a + ('0' .. '9').to_a
24
25 key = "#{File.open(seed_file).read}:#{password_key}"
26
27 size.times.collect do |i|
28 set[OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha256'), key, i.to_s).to_i(16) % set.size]
29 end.join
30end
31end
diff --git a/modules/base_installation/lib/puppet/reports/cat_files.rb b/modules/base_installation/lib/puppet/reports/cat_files.rb
new file mode 100644
index 0000000..9d9c068
--- /dev/null
+++ b/modules/base_installation/lib/puppet/reports/cat_files.rb
@@ -0,0 +1,17 @@
1require 'puppet'
2
3Puppet::Reports.register_report(:cat_files) do
4 FOLLOWED_RESOURCES = [
5 "File[/etc/puppetlabs/notifies/host_ldap.info]",
6 ]
7
8 def process
9 self.resource_statuses.each do |name, status|
10 if FOLLOWED_RESOURCES.include?(status.resource) && status.events.any? { |e| e.status == "success" }
11 puts File.open(status.title, "r").read()
12 end
13 end
14 end
15
16end
17
diff --git a/modules/base_installation/manifests/init.pp b/modules/base_installation/manifests/init.pp
index d8abcaf..a1b5ca8 100644
--- a/modules/base_installation/manifests/init.pp
+++ b/modules/base_installation/manifests/init.pp
@@ -1,20 +1,21 @@
1class base_installation ( 1class base_installation (
2 Optional[String] $grub_device = $base_installation::params::grub_device, 2 Optional[String] $grub_device = $base_installation::params::grub_device,
3 Optional[String] $ldap_base = $base_installation::params::ldap_base, 3 Optional[String] $ldap_base = $base_installation::params::ldap_base,
4 Optional[String] $ldap_cert_path = $base_installation::params::ldap_cert_path, 4 Optional[String] $ldap_cert_path = $base_installation::params::ldap_cert_path,
5 Optional[String] $ldap_cn = $base_installation::params::ldap_cn, 5 Optional[String] $ldap_cn = $base_installation::params::ldap_cn,
6 Optional[String] $ldap_dn = $base_installation::params::ldap_dn, 6 Optional[String] $ldap_dn = $base_installation::params::ldap_dn,
7 Optional[String] $ldap_server = $base_installation::params::ldap_server, 7 Optional[String] $ldap_server = $base_installation::params::ldap_server,
8 Optional[String] $ldap_uri = $base_installation::params::ldap_uri, 8 Optional[String] $ldap_uri = $base_installation::params::ldap_uri,
9 Optional[String] $puppet_code_path = $base_installation::params::puppet_code_path, 9 Optional[String] $puppet_code_path = $base_installation::params::puppet_code_path,
10 Optional[String] $puppet_conf_path = $base_installation::params::puppet_conf_path, 10 Optional[String] $puppet_conf_path = $base_installation::params::puppet_conf_path,
11 Optional[String] $puppet_pass_seed = $base_installation::params::puppet_pass_seed, 11 Optional[String] $puppet_notifies_path = $base_installation::params::puppet_notifies_path,
12 Optional[String] $puppet_ssl_path = $base_installation::params::puppet_ssl_path, 12 Optional[String] $puppet_pass_seed = $base_installation::params::puppet_pass_seed,
13 Optional[String] $real_hostname = $base_installation::params::real_hostname, 13 Optional[String] $puppet_ssl_path = $base_installation::params::puppet_ssl_path,
14 Optional[String] $system_hostname = $base_installation::params::system_hostname, 14 Optional[String] $real_hostname = $base_installation::params::real_hostname,
15 Optional[Array[String]] $system_locales = $base_installation::params::system_locales, 15 Optional[String] $system_hostname = $base_installation::params::system_hostname,
16 Optional[String] $system_timezone = $base_installation::params::system_timezone, 16 Optional[Array[String]] $system_locales = $base_installation::params::system_locales,
17 Optional[Array[Hash]] $system_users = $base_installation::params::system_users, 17 Optional[String] $system_timezone = $base_installation::params::system_timezone,
18 Optional[Array[Hash]] $system_users = $base_installation::params::system_users,
18) inherits base_installation::params { 19) inherits base_installation::params {
19 contain ::base_installation::packages 20 contain ::base_installation::packages
20 contain ::base_installation::locales 21 contain ::base_installation::locales
diff --git a/modules/base_installation/manifests/params.pp b/modules/base_installation/manifests/params.pp
index 5ade838..f336b65 100644
--- a/modules/base_installation/manifests/params.pp
+++ b/modules/base_installation/manifests/params.pp
@@ -1,20 +1,21 @@
1class base_installation::params { 1class base_installation::params {
2 $puppet_code_path = "/etc/puppetlabs/code" 2 $puppet_code_path = "/etc/puppetlabs/code"
3 $puppet_conf_path = "/etc/puppetlabs/puppet" 3 $puppet_conf_path = "/etc/puppetlabs/puppet"
4 $puppet_pass_seed = "/etc/puppetlabs/puppet/password_seed" 4 $puppet_notifies_path = "/etc/puppetlabs/notifies"
5 $puppet_ssl_path = "/etc/puppetlabs/ssl" 5 $puppet_pass_seed = "/etc/puppetlabs/puppet/password_seed"
6 $grub_device = "/dev/sda" 6 $puppet_ssl_path = "/etc/puppetlabs/ssl"
7 $ldap_base = "dc=example,dc=com" 7 $grub_device = "/dev/sda"
8 $ldap_cn = "node" 8 $ldap_base = "dc=example,dc=com"
9 $ldap_dn = "cn=node,ou=hosts,dc=example,dc=com" 9 $ldap_cn = "node"
10 $ldap_cert_path = "/etc/ssl/certs/ca-certificates.crt" 10 $ldap_dn = "cn=node,ou=hosts,dc=example,dc=com"
11 $ldap_uri = "ldaps://ldap.example.com" 11 $ldap_cert_path = "/etc/ssl/certs/ca-certificates.crt"
12 $ldap_server = "ldap.example.com" 12 $ldap_uri = "ldaps://ldap.example.com"
13 $real_hostname = "example.com" 13 $ldap_server = "ldap.example.com"
14 $system_hostname = "example.com" 14 $real_hostname = "example.com"
15 $system_locales = ["en_US.UTF-8"] 15 $system_hostname = "example.com"
16 $system_timezone = "UTC" 16 $system_locales = ["en_US.UTF-8"]
17 $system_users = [ 17 $system_timezone = "UTC"
18 $system_users = [
18 { 19 {
19 userid => 1000, 20 userid => 1000,
20 username => "example", 21 username => "example",
diff --git a/modules/base_installation/manifests/puppet.pp b/modules/base_installation/manifests/puppet.pp
index 05fe9a1..603a961 100644
--- a/modules/base_installation/manifests/puppet.pp
+++ b/modules/base_installation/manifests/puppet.pp
@@ -103,21 +103,47 @@ class base_installation::puppet (
103 } 103 }
104 } 104 }
105 105
106 if file("$base_installation::puppet_conf_path/host_ldap.info", "/dev/null") != "" and 106 if file("$base_installation::puppet_notifies_path/host_ldap.info", "/dev/null") != "" and
107 empty($facts["ldapvar"]) { 107 empty($facts["ldapvar"]) {
108 fail("LDAP was activated but facts are not available") 108 fail("LDAP was activated but facts are not available")
109 } 109 }
110 110
111 file { $base_installation::puppet_notifies_path:
112 ensure => directory,
113 require => [Package["puppet"], Package["gem:xmpp4r"], Package["gem:ruby-ldap"]],
114 recurse => true,
115 purge => true,
116 force => true,
117 }
118
111 $ips = lookup("ips", { 'default_value' => undef }) 119 $ips = lookup("ips", { 'default_value' => undef })
112 file { "$base_installation::puppet_conf_path/host_ldap.info": 120 concat { "$base_installation::puppet_notifies_path/host_ldap.info":
113 content => template("base_installation/puppet/host_ldap.info.erb"), 121 ensure => "present",
114 require => File[$base_installation::puppet_conf_path], 122 mode => "0600",
115 notify => Notify_refresh["notify-ldap-password"], 123 require => File[$base_installation::puppet_notifies_path],
124 ensure_newline => true,
125 }
126
127 concat::fragment { "host_ldap add top":
128 target => "$base_installation::puppet_notifies_path/host_ldap.info",
129 content => template("base_installation/puppet/host_ldap_add_top.info.erb"),
130 order => "00-01",
131 }
132 concat::fragment { "host_ldap add bottom":
133 target => "$base_installation::puppet_notifies_path/host_ldap.info",
134 content => "EOF",
135 order => "00-99",
116 } 136 }
117 137
118 notify_refresh { "notify-ldap-password": 138 concat::fragment { "host_ldap mod top":
119 message => template("base_installation/puppet/host_ldap.info.erb"), 139 target => "$base_installation::puppet_notifies_path/host_ldap.info",
120 refreshonly => true 140 content => template("base_installation/puppet/host_ldap_mod_top.info.erb"),
141 order => "01-01",
142 }
143 concat::fragment { "host_ldap mod bottom":
144 target => "$base_installation::puppet_notifies_path/host_ldap.info",
145 content => "EOF",
146 order => "01-99",
121 } 147 }
122 } 148 }
123} 149}
diff --git a/modules/base_installation/templates/puppet/host_ldap.info.erb b/modules/base_installation/templates/puppet/host_ldap_add_top.info.erb
index 7afdf2d..3aafc19 100644
--- a/modules/base_installation/templates/puppet/host_ldap.info.erb
+++ b/modules/base_installation/templates/puppet/host_ldap_add_top.info.erb
@@ -14,28 +14,3 @@ objectclass: ipHost
14environment: <%= @environment %> 14environment: <%= @environment %>
15puppetVar: real_hostname=<%= @real_hostname %> 15puppetVar: real_hostname=<%= @real_hostname %>
16userpassword: {SSHA}<%= Base64.encode64(Digest::SHA1.digest(@ldap_password+@ssha_ldap_seed)+@ssha_ldap_seed).chomp! %> 16userpassword: {SSHA}<%= Base64.encode64(Digest::SHA1.digest(@ldap_password+@ssha_ldap_seed)+@ssha_ldap_seed).chomp! %>
17EOF
18#### Or modify an existing entry:
19ldapmodify -D "cn=root,<%= @ldap_base %>" -W << 'EOF'
20dn: <%= @ldap_dn %>
21changetype: modify
22replace: userPassword
23userpassword: {SSHA}<%= Base64.encode64(Digest::SHA1.digest(@ldap_password+@ssha_ldap_seed)+@ssha_ldap_seed).chomp! %>
24-
25replace: environment
26environment: <%= @environment %>
27<%- unless @ips.empty? -%>
28-
29delete: ipHostNumber
30<%- unless @ips["v4"].nil? -%>
31-
32add: ipHostNumber
33ipHostNumber: <%= @ips["v4"]["ipAddress"] %>
34<%- end -%>
35<%- unless @ips["v6"].nil? -%>
36-
37add: ipHostNumber
38ipHostNumber: <%= @ips["v6"]["ipAddress"] %>/<%= @ips["v6"]["mask"] %>
39<%- end -%>
40<%- end -%>
41EOF
diff --git a/modules/base_installation/templates/puppet/host_ldap_mod_top.info.erb b/modules/base_installation/templates/puppet/host_ldap_mod_top.info.erb
new file mode 100644
index 0000000..d7a1294
--- /dev/null
+++ b/modules/base_installation/templates/puppet/host_ldap_mod_top.info.erb
@@ -0,0 +1,23 @@
1#### Or modify an existing entry:
2ldapmodify -D "cn=root,<%= @ldap_base %>" -W << 'EOF'
3dn: <%= @ldap_dn %>
4changetype: modify
5replace: userPassword
6userpassword: {SSHA}<%= Base64.encode64(Digest::SHA1.digest(@ldap_password+@ssha_ldap_seed)+@ssha_ldap_seed).chomp! %>
7-
8replace: environment
9environment: <%= @environment %>
10<%- unless @ips.empty? -%>
11-
12delete: ipHostNumber
13<%- unless @ips["v4"].nil? -%>
14-
15add: ipHostNumber
16ipHostNumber: <%= @ips["v4"]["ipAddress"] %>
17<%- end -%>
18<%- unless @ips["v6"].nil? -%>
19-
20add: ipHostNumber
21ipHostNumber: <%= @ips["v6"]["ipAddress"] %>/<%= @ips["v6"]["mask"] %>
22<%- end -%>
23<%- end -%>
diff --git a/modules/base_installation/templates/puppet/puppet.conf.erb b/modules/base_installation/templates/puppet/puppet.conf.erb
index da39468..38a0c1b 100644
--- a/modules/base_installation/templates/puppet/puppet.conf.erb
+++ b/modules/base_installation/templates/puppet/puppet.conf.erb
@@ -1,6 +1,6 @@
1[main] 1[main]
2<% 2<%
3 reports = ["store"] 3 reports = ["store", "cat_files"]
4 if @xmpp.count > 0 4 if @xmpp.count > 0
5 reports << "xmpp" 5 reports << "xmpp"
6 end 6 end
diff --git a/modules/profile/files/kerberos/krb5_client.conf b/modules/profile/files/kerberos/krb5_client.conf
new file mode 100644
index 0000000..3fce983
--- /dev/null
+++ b/modules/profile/files/kerberos/krb5_client.conf
@@ -0,0 +1,12 @@
1[libdefaults]
2 default_realm = IMMAE.EU
3
4[realms]
5 IMMAE.EU = {
6 kdc = kerberos.immae.eu
7 admin_server = kerberos.immae.eu
8 }
9
10[domain_realm]
11 immae.eu = IMMAE.EU
12 .immae.eu = IMMAE.EU
diff --git a/modules/profile/manifests/kerberos/client.pp b/modules/profile/manifests/kerberos/client.pp
new file mode 100644
index 0000000..1f1f2cd
--- /dev/null
+++ b/modules/profile/manifests/kerberos/client.pp
@@ -0,0 +1,7 @@
1class profile::kerberos::client {
2 ensure_packages(["krb5", "cyrus-sasl-gssapi"])
3
4 file { "/etc/krb5.conf":
5 source => "puppet:///modules/profile/kerberos/krb5_client.conf"
6 }
7}
diff --git a/modules/profile/manifests/wireguard.pp b/modules/profile/manifests/wireguard.pp
new file mode 100644
index 0000000..829f82d
--- /dev/null
+++ b/modules/profile/manifests/wireguard.pp
@@ -0,0 +1,40 @@
1class profile::wireguard (
2) {
3 $password_seed = lookup("base_installation::puppet_pass_seed")
4
5 ensure_packages(["linux-headers"], { before => Package["wireguard-dkms"] })
6 ensure_packages(["wireguard-tools", "wireguard-dkms"])
7
8 $host = $facts["ldapvar"]["self"]
9 if has_key($host["vars"], "wireguard_ip") {
10 $ips = $host["vars"]["wireguard_ip"]
11 } else {
12 $ips = []
13 }
14
15 $private_key = generate_password(32, $password_seed, "wireguard", "curve25519", true)
16
17 if file("/usr/bin/wg", "/dev/null") != "" {
18 $puppet_notifies_path = lookup("base_installation::puppet_notifies_path")
19 $public_key = generate("/usr/bin/bash", "-c", "echo $private_key | /usr/bin/wg pubkey")
20 concat::fragment { "host_ldap add wireguard":
21 target => "$puppet_notifies_path/host_ldap.info",
22 content => "puppetVar: wireguard_public=$public_key",
23 order => "00-80"
24 }
25 }
26
27 file { "/etc/wireguard/network.conf":
28 ensure => "file",
29 mode => "0600",
30 content => template("profile/wireguard/network.conf.erb"),
31 require => [Package["wireguard-tools"], Package["wireguard-dkms"]],
32 notify => Service["wg-quick@network"],
33 }
34 ->
35 service { "wg-quick@network":
36 ensure => "running",
37 enable => true,
38 }
39
40}
diff --git a/modules/profile/templates/wireguard/network.conf.erb b/modules/profile/templates/wireguard/network.conf.erb
new file mode 100644
index 0000000..5327dfd
--- /dev/null
+++ b/modules/profile/templates/wireguard/network.conf.erb
@@ -0,0 +1,19 @@
1[Interface]
2<%- @ips.each do |ip| -%>
3Address = <%= ip %>
4<%- end -%>
5PrivateKey = <%= @private_key %>
6ListenPort = 51820
7
8<%- @facts["ldapvar"]["other"].each do |host| -%>
9<%- if (host["vars"]["wireguard_public"] || []).count > 0 %>
10[Peer]
11# <%= host["vars"]["real_hostname"][0] %>
12PublicKey = <%= host["vars"]["wireguard_public"][0] %>
13<%- if (host["vars"]["wireguard_ip"] || []).count > 0 -%>
14AllowedIps = <%= host["vars"]["wireguard_ip"].join(", ").gsub /\/\d+/, "/32" %>
15<%- end -%>
16Endpoint = <%= host["vars"]["real_hostname"][0] %>:51820
17
18<% end -%>
19<%- end -%>
diff --git a/modules/role/manifests/file_store.pp b/modules/role/manifests/file_store.pp
new file mode 100644
index 0000000..d1f6a67
--- /dev/null
+++ b/modules/role/manifests/file_store.pp
@@ -0,0 +1,62 @@
1class role::file_store (
2 Optional[Hash] $nfs_mounts = {},
3 Optional[String] $mountpoint = "/fichiers1",
4) {
5 include "base_installation"
6
7 include "profile::fstab"
8 include "profile::tools"
9 include "profile::monitoring"
10 include "profile::wireguard"
11
12 unless empty($mountpoint) {
13 class { "::nfs":
14 server_enabled => true,
15 nfs_v4 => true,
16 nfs_v4_export_root => '/exports',
17 nfs_v4_export_root_clients => 'localhost(rw)',
18 require => Mount[$mountpoint],
19 }
20
21 $nfs_mounts.each |$nfs_mount, $hosts| {
22 file { "$mountpoint/$nfs_mount":
23 ensure => "directory",
24 mode => "0755",
25 owner => "nobody",
26 group => "nobody",
27 require => Mount[$mountpoint],
28 }
29
30 $hosts.each |$host_cn| {
31 $host = find_host($facts["ldapvar"]["other"], $host_cn)
32 if empty($host) {
33 fail("No host found for nfs")
34 } elsif has_key($host["vars"], "wireguard_ip") {
35 $clients = sprintf("%s%s",
36 join($host["vars"]["wireguard_ip"], "(rw,secure,sync,all_squash) "),
37 "(rw,secure,sync,all_squash)")
38 nfs::server::export { "$mountpoint/$nfs_mount":
39 owner => "nobody",
40 group => "nobody",
41 ensure => "present",
42 clients => $clients,
43 }
44 } elsif has_key($host["vars"], "host") {
45 nfs::server::export { "$mountpoint/$nfs_mount":
46 owner => "nobody",
47 group => "nobody",
48 ensure => "present",
49 clients => "${host[vars][host][0]}(rw,secure,sync,all_squash)",
50 }
51 } else {
52 nfs::server::export { "$mountpoint/$nfs_mount":
53 owner => "nobody",
54 group => "nobody",
55 ensure => "present",
56 clients => "${host[vars][real_hostname][0]}(rw,secure,sync,all_squash)",
57 }
58 }
59 }
60 }
61 }
62}