From d8dd2fc39ae329ceefbb1a695579858403705880 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Isma=C3=ABl=20Bouya?=
Date: Tue, 14 Aug 2018 12:40:40 +0200
Subject: Modify generate password
---
 .../lib/puppet/functions/generate_password.rb | 49 ++++++++++++++++++++++
 .../puppet/parser/functions/generate_password.rb | 31 --------------
 2 files changed, 49 insertions(+), 31 deletions(-)
 create mode 100644 modules/base_installation/lib/puppet/functions/generate_password.rb
 delete mode 100644 modules/base_installation/lib/puppet/parser/functions/generate_password.rb
diff --git a/modules/base_installation/lib/puppet/functions/generate_password.rb b/modules/base_installation/lib/puppet/functions/generate_password.rb
new file mode 100644
index 0000000..0ccd4d6
--- /dev/null
+++ b/modules/base_installation/lib/puppet/functions/generate_password.rb
@@ -0,0 +1,49 @@
+require "base64"
+require "openssl"
+
+Puppet::Functions.create_function(:generate_password) do
+ dispatch :generate_password do
+ param 'Integer', :size
+ param 'String', :seed_file
+ param 'String', :password_key
+ optional_param 'String', :method
+ optional_param 'Boolean', :encode
+ return_type 'String'
+ end
+
+ def generate_password(size, seed_file, password_key, method = nil, encode = false)
+ key = get_key(seed_file, password_key)
+ case method
+ when nil
+ pass = generate_string(size, key)
+ when "curve25519"
+ pass = generate_string(32, key, binary = true)
+ pass[0] = (pass[0].ord & 248).chr
+ pass[31] = ((pass[31].ord & 127) | 64).chr
+ else
+ raise "Unknown method"
+ end
+
+ if encode
+ Base64.strict_encode64(pass).strip
+ else
+ pass
+ end
+ end
+
+ def generate_string(size, key, binary = false)
+ if binary
+ set = (0 .. 255).map { |i| i.chr }
+ else
+ set = ('a' .. 'z').to_a + ('A' .. 'Z').to_a + ('0' .. '9').to_a
+ end
+
+ size.times.collect do |i|
+ set[OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha256'), key, i.to_s).to_i(16) % set.size]
+ end.join
+ end
+
+ def get_key(seed_file, password_key)
+ "#{File.open(seed_file).read}:#{password_key}"
+ end
+end
diff --git a/modules/base_installation/lib/puppet/parser/functions/generate_password.rb b/modules/base_installation/lib/puppet/parser/functions/generate_password.rb
deleted file mode 100644
index 384d81b..0000000
--- a/modules/base_installation/lib/puppet/parser/functions/generate_password.rb
+++ /dev/null
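Review bot: `get_key` opens the seed file and never closes it, so every catalog compile that calls `generate_password` leaks a descriptor until garbage collection; `File.read` does the same work in one call, i.e. `"#{File.read(seed_file)}:#{password_key}"`. In the `"curve25519"` branch the `size` argument is silently ignored in favour of the hard-coded 32, so a caller passing any other value gets no error; either raise when `size != 32` or state the constraint in a comment at the `dispatch` block. `generate_string(32, key, binary = true)` assigns a throwaway local `binary` inside the argument list and should read `generate_string(32, key, true)`. `raise "Unknown method"` raises a bare RuntimeError; `raise ArgumentError, "generate_password: unknown method #{method.inspect}"` would tell the operator which value was rejected.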
@@ -1,31 +0,0 @@
-module Puppet::Parser::Functions
- newfunction(:generate_password, :type => :rvalue, :doc => <<-EOS
-Returns a semi-random string based on a seed and a value. Will always generate the same value with the same entry.
-Prototype:
- generate_password(length, seed_file, password_key)
-EOS
-) do |*arguments|
- arguments = arguments.shift if arguments.first.is_a?(Array)
-
- raise Puppet::ParseError, "generate_password(): Wrong number of arguments " +
- "given (#{arguments.size} for 3)" if arguments.size != 3
-
- size = arguments.shift
- seed_file = arguments.shift
- password_key = arguments.shift
-
- unless size.class.ancestors.include?(Numeric) or size.is_a?(String)
- raise Puppet::ParseError, 'generate_password(): Requires a numeric first argument'
- end
-
- size = size.to_i
-
- set = ('a' .. 'z').to_a + ('A' .. 'Z').to_a + ('0' .. '9').to_a
-
- key = "#{File.open(seed_file).read}:#{password_key}"
-
- size.times.collect do |i|
- set[OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha256'), key, i.to_s).to_i(16) % set.size]
- end.join
-end
-end
-- cgit v1.2.3
From 81ec6f92f400f667c2ce9d879396bfff00ec5bb2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Isma=C3=ABl=20Bouya?=
Date: Sun, 15 Jul 2018 11:25:27 +0200
Subject: Add file store role
---
 .gitmodules | 3 +++
 environments/global/roles/file_store.yaml | 4 ++++
 external_modules/nfs | 1 +
 modules/role/manifests/file_store.pp | 36 +++++++++++++++++++++++++++++++
 4 files changed, 44 insertions(+)
 create mode 100644 environments/global/roles/file_store.yaml
 create mode 160000 external_modules/nfs
 create mode 100644 modules/role/manifests/file_store.pp
diff --git a/.gitmodules b/.gitmodules
index f8ff2b7..f5d2bd0 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -73,3 +73,6 @@
 [submodule "external_modules/augeasproviders_core"]
 path = external_modules/augeasproviders_core
 url = git://git.immae.eu/github/hercules-team/augeasproviders_core.git
+[submodule "external_modules/nfs"]
+ path = external_modules/nfs
+ url = git://git.immae.eu/github/derdanne/puppet-nfs
diff --git a/environments/global/roles/file_store.yaml b/environments/global/roles/file_store.yaml
new file mode 100644
index 0000000..c0912e2
--- /dev/null
+++ b/environments/global/roles/file_store.yaml
@@ -0,0 +1,4 @@
+---
+classes:
+ role::file_store: ~
+letsencrypt::hosts: "%{lookup('base_installation::system_hostname')}"
diff --git a/external_modules/nfs b/external_modules/nfs
new file mode 160000
index 0000000..2402020
--- /dev/null
+++ b/external_modules/nfs
@@ -0,0 +1 @@
+Subproject commit 24020205590d9ae942e0acf79c1506b40ab09e40
diff --git a/modules/role/manifests/file_store.pp b/modules/role/manifests/file_store.pp
new file mode 100644
index 0000000..1d3ee49
--- /dev/null
+++ b/modules/role/manifests/file_store.pp
@@ -0,0 +1,36 @@
+class role::file_store (
+ Optional[Array] $nfs_mounts = ["cardano"],
+ Optional[String] $mountpoint = "/fichiers1",
+) {
+ include "base_installation"
+
+ include "profile::fstab"
+ include "profile::tools"
+ include "profile::monitoring"
+
+ unless empty($mountpoint) {
+ class { "::nfs":
+ server_enabled => true,
+ nfs_v4 => true,
+ nfs_v4_export_root => '/exports',
+ nfs_v4_export_root_clients => 'localhost(rw)',
+ require => Mount[$mountpoint],
+ }
+
+ $nfs_mounts.each |$nfs_mount| {
+ file { "$mountpoint/$nfs_mount":
+ ensure => "directory",
+ mode => "0755",
+ owner => "nobody",
+ group => "nobody",
+ require => Mount[$mountpoint],
+ } ->
+ nfs::server::export { "$mountpoint/$nfs_mount":
+ owner => "nobody",
+ group => "nobody",
+ ensure => "present",
+ clients => "immae.eu(rw,secure,sync,all_squash,sec=krb5p)",
+ }
+ }
+ }
+}
-- cgit v1.2.3
From 9fcc3f8faac4a24fb97fff87a4a49bf362967fa2 Mon Sep 17 00:00:00 2001
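Review bot: The new submodule is fetched over `git://`, an unauthenticated and unencrypted transport, the same as the neighbouring entries in this hunk. Because `external_modules/nfs` is pinned to a gitlink (`24020205…`) git verifies the checked-out object against that hash, so a substituted tree would be detected, but nothing protects the transport itself and `git://` has been retired by most hosts; if the `git.immae.eu` mirror serves the same path over `https://`, pointing the `url =` line there costs nothing and removes the plaintext fetch.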
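Review bot: `Optional[Array] $nfs_mounts = ["cardano"]` admits `undef`, but `$nfs_mounts.each |$nfs_mount| { ... }` fails at compile time on an undef value (undef is not iterable), so the type promises more than the body handles; `Array $nfs_mounts = ["cardano"]` states the real contract, whereas `Optional[String] $mountpoint` is genuinely safe only because of the `unless empty($mountpoint)` guard. Style: the resource titles `"$mountpoint/$nfs_mount"` interpolate unbraced variables; `"${mountpoint}/${nfs_mount}"` is the form puppet-lint expects and leaves no ambiguity about where the variable name ends. `clients => "immae.eu(rw,secure,sync,all_squash,sec=krb5p)"` ties access to Kerberos rather than to the client's source address, which is the right baseline and worth a comment so it survives when the list becomes configurable.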
From: =?UTF-8?q?Isma=C3=ABl=20Bouya?= Date: Mon, 13 Aug 2018 01:12:20 +0200 Subject: Add kerberos client profile --- modules/profile/files/kerberos/krb5_client.conf | 12 ++++++++++++ modules/profile/manifests/kerberos/client.pp | 7 +++++++ modules/role/manifests/file_store.pp | 1 + 3 files changed, 20 insertions(+) create mode 100644 modules/profile/files/kerberos/krb5_client.conf create mode 100644 modules/profile/manifests/kerberos/client.pp diff --git a/modules/profile/files/kerberos/krb5_client.conf b/modules/profile/files/kerberos/krb5_client.conf new file mode 100644 index 0000000..3fce983 --- /dev/null +++ b/modules/profile/files/kerberos/krb5_client.conf @@ -0,0 +1,12 @@ +[libdefaults] + default_realm = IMMAE.EU + +[realms] + IMMAE.EU = { + kdc = kerberos.immae.eu + admin_server = kerberos.immae.eu + } + +[domain_realm] + immae.eu = IMMAE.EU + .immae.eu = IMMAE.EU diff --git a/modules/profile/manifests/kerberos/client.pp b/modules/profile/manifests/kerberos/client.pp new file mode 100644 index 0000000..1f1f2cd --- /dev/null +++ b/modules/profile/manifests/kerberos/client.pp @@ -0,0 +1,7 @@ +class profile::kerberos::client { + ensure_packages(["krb5", "cyrus-sasl-gssapi"]) + + file { "/etc/krb5.conf": + source => "puppet:///modules/profile/kerberos/krb5_client.conf" + } +} diff --git a/modules/role/manifests/file_store.pp b/modules/role/manifests/file_store.pp index 1d3ee49..ec12d75 100644 --- a/modules/role/manifests/file_store.pp +++ b/modules/role/manifests/file_store.pp @@ -7,6 +7,7 @@ class role::file_store ( include "profile::fstab" include "profile::tools" include "profile::monitoring" + include "profile::kerberos::client" unless empty($mountpoint) { class { "::nfs": -- cgit v1.2.3 From 7f8c632757246813c0a9fdbf0c26ef036ff396be Mon Sep 17 00:00:00 2001 
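Review bot: `file { "/etc/krb5.conf": source => ... }` in `profile::kerberos::client` sets only `source`, so ownership and mode stay at whatever the file had before Puppet touched it, and there is no ordering against the `krb5` package, which may ship its own `/etc/krb5.conf` and overwrite the managed one if it is installed later in the run. I'd add `ensure => "file", owner => "root", group => "root", mode => "0644",` and `require => Package["krb5"],` (with `ensure_packages` the reference resolves to `Package["krb5"]`). Whether the package actually ships a default `krb5.conf` is not visible here, but the explicit `require` is harmless either way.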
From: =?UTF-8?q?Isma=C3=ABl=20Bouya?=
Date: Tue, 14 Aug 2018 19:23:47 +0200
Subject: Add wireguard profile
---
 modules/profile/manifests/wireguard.pp | 29 ++++++++++++++++++++++
 .../profile/templates/wireguard/network.conf.erb | 13 ++++++++++
 modules/role/manifests/file_store.pp | 1 +
 3 files changed, 43 insertions(+)
 create mode 100644 modules/profile/manifests/wireguard.pp
 create mode 100644 modules/profile/templates/wireguard/network.conf.erb
diff --git a/modules/profile/manifests/wireguard.pp b/modules/profile/manifests/wireguard.pp
new file mode 100644
index 0000000..ad1b081
--- /dev/null
+++ b/modules/profile/manifests/wireguard.pp
@@ -0,0 +1,29 @@
+class profile::wireguard (
+) {
+ $password_seed = lookup("base_installation::puppet_pass_seed")
+
+ ensure_packages(["linux-headers"], { before => Package["wireguard-dkms"] })
+ ensure_packages(["wireguard-tools", "wireguard-dkms"])
+
+ $host = $facts["ldapvar"]["self"]
+ if has_key($host["vars"], "wireguard_ip") {
+ $ips = $host["vars"]["wireguard_ip"]
+ } else {
+ $ips = []
+ }
+
+ $private_key = generate_password(32, $password_seed, "wireguard", "curve25519", true)
+
+ file { "/etc/wireguard/network.conf":
+ ensure => "file",
+ mode => "0600",
+ content => template("profile/wireguard/network.conf.erb"),
+ require => [Package["wireguard-tools"], Package["wireguard-dkms"]],
+ }
+ ->
+ service { "wg-quick@network":
+ ensure => "running",
+ enable => true,
+ }
+
+}
diff --git a/modules/profile/templates/wireguard/network.conf.erb b/modules/profile/templates/wireguard/network.conf.erb
new file mode 100644
index 0000000..0528050
--- /dev/null
+++ b/modules/profile/templates/wireguard/network.conf.erb
@@ -0,0 +1,13 @@
+[Interface]
+<%- @ips.each do |ip| %>
+Address = <%= ip %>
+<% end -%>
+PrivateKey = <%= @private_key %>
+
+<%- @facts["ldapvar"]["other"].each do |host| -%>
+<%- if (host["vars"]["wireguard_public"] || []).count > 0 %>
+[Peer]
+PublicKey = host["vars"]["wireguard_public"][0]
+
+<% end -%>
+<%- end -%>
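Review bot: `file { "/etc/wireguard/network.conf": ... }` renders the node's WireGuard private key into `content`; `mode => "0600"` protects it on disk, but the resource does not set `show_diff => false`, so a content change can be diffed into agent output and reports whenever the global `show_diff` setting is enabled. Add `show_diff => false,` next to `mode`. `$private_key = generate_password(32, $password_seed, "wireguard", "curve25519", true)` also makes the VPN key a deterministic function of `puppet_pass_seed`, so the seed file's secrecy is now equivalent to the key's and rotating the seed silently rotates the tunnel identity; that deserves a comment on that line. In the template, `PublicKey = host["vars"]["wireguard_public"][0]` is emitted as literal text (no `<%= %>`) and `<%- @ips.each do |ip| %>` pairs a left-trim open with an untrimmed close; a later commit on this page corrects both.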
diff --git a/modules/role/manifests/file_store.pp b/modules/role/manifests/file_store.pp index ec12d75..bf4afe7 100644 --- a/modules/role/manifests/file_store.pp +++ b/modules/role/manifests/file_store.pp @@ -8,6 +8,7 @@ class role::file_store ( include "profile::tools" include "profile::monitoring" include "profile::kerberos::client" + include "profile::wireguard" unless empty($mountpoint) { class { "::nfs": -- cgit v1.2.3 From 7dc85dc776e158e26202362f11a72d7491ef07c8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Isma=C3=ABl=20Bouya?= Date: Tue, 14 Aug 2018 22:49:29 +0200 Subject: Change host_ldap to concat --- modules/base_installation/manifests/puppet.pp | 32 ++++++++++++++--- .../templates/puppet/host_ldap.info.erb | 41 ---------------------- .../templates/puppet/host_ldap_add_top.info.erb | 16 +++++++++ .../templates/puppet/host_ldap_mod_top.info.erb | 23 ++++++++++++ 4 files changed, 67 insertions(+), 45 deletions(-) delete mode 100644 modules/base_installation/templates/puppet/host_ldap.info.erb create mode 100644 modules/base_installation/templates/puppet/host_ldap_add_top.info.erb create mode 100644 modules/base_installation/templates/puppet/host_ldap_mod_top.info.erb diff --git a/modules/base_installation/manifests/puppet.pp b/modules/base_installation/manifests/puppet.pp index 05fe9a1..10b3773 100644 --- a/modules/base_installation/manifests/puppet.pp +++ b/modules/base_installation/manifests/puppet.pp 
@@ -109,10 +109,34 @@ class base_installation::puppet ( } $ips = lookup("ips", { 'default_value' => undef }) - file { "$base_installation::puppet_conf_path/host_ldap.info": - content => template("base_installation/puppet/host_ldap.info.erb"), - require => File[$base_installation::puppet_conf_path], - notify => Notify_refresh["notify-ldap-password"], + concat { "$base_installation::puppet_conf_path/host_ldap.info": + ensure => "present", + mode => "0600", + require => File[$base_installation::puppet_conf_path], + notify => Notify_refresh["notify-ldap-password"], + ensure_newline => true, + } + + concat::fragment { "host_ldap add top": + target => "$base_installation::puppet_conf_path/host_ldap.info", + content => template("base_installation/puppet/host_ldap_add_top.info.erb"), + order => "00-01", + } + concat::fragment { "host_ldap add bottom": + target => "$base_installation::puppet_conf_path/host_ldap.info", + content => "EOF", + order => "00-99", + } + + concat::fragment { "host_ldap mod top": + target => "$base_installation::puppet_conf_path/host_ldap.info", + content => template("base_installation/puppet/host_ldap_mod_top.info.erb"), + order => "01-01", + } + concat::fragment { "host_ldap mod bottom": + target => "$base_installation::puppet_conf_path/host_ldap.info", + content => "EOF", + order => "01-99", } notify_refresh { "notify-ldap-password": diff --git a/modules/base_installation/templates/puppet/host_ldap.info.erb b/modules/base_installation/templates/puppet/host_ldap.info.erb deleted file mode 100644 index 7afdf2d..0000000 --- a/modules/base_installation/templates/puppet/host_ldap.info.erb +++ /dev/null 
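Review bot: The concat resource keeps `notify => Notify_refresh["notify-ldap-password"]` and the `notify_refresh { "notify-ldap-password":` resource that follows it, whose `message => template("base_installation/puppet/host_ldap.info.erb")` (visible among the removed lines of the next `puppet.pp` hunk on this page, blob `10b3773`) still names the template this very commit deletes, so the catalog should fail to compile at this revision. Either drop the `notify_refresh` resource here or point it at the new fragments; the following commit does the former. `mode => "0600"` on the concat target is right, since the file carries the host's LDAP password hash. Style: `"$base_installation::puppet_conf_path/host_ldap.info"` is spelled out five times; a local `$host_ldap_info = "${base_installation::puppet_conf_path}/host_ldap.info"` would remove the repetition and the unbraced interpolation. `base_installation::puppet` continues outside the hunk.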
@@ -1,41 +0,0 @@
-#### Please add this node to LDAP:
-ldapadd -D "cn=root,<%= @ldap_base %>" -W << 'EOF'
-dn: <%= @ldap_dn %>
-cn: <%= @ldap_cn %>
-objectclass: device
-objectclass: top
-objectclass: simpleSecurityObject
-objectclass: puppetClient
-<%- unless @ips.empty? -%>
-objectclass: ipHost
-<% unless @ips["v4"].nil? -%>ipHostNumber: <%= @ips["v4"]["ipAddress"] %><%- end %>
-<% unless @ips["v6"].nil? -%>ipHostNumber: <%= @ips["v6"]["ipAddress"] %>/<%= @ips["v6"]["mask"] %><%- end %>
-<%- end -%>
-environment: <%= @environment %>
-puppetVar: real_hostname=<%= @real_hostname %>
-userpassword: {SSHA}<%= Base64.encode64(Digest::SHA1.digest(@ldap_password+@ssha_ldap_seed)+@ssha_ldap_seed).chomp! %>
-EOF
-#### Or modify an existing entry:
-ldapmodify -D "cn=root,<%= @ldap_base %>" -W << 'EOF'
-dn: <%= @ldap_dn %>
-changetype: modify
-replace: userPassword
-userpassword: {SSHA}<%= Base64.encode64(Digest::SHA1.digest(@ldap_password+@ssha_ldap_seed)+@ssha_ldap_seed).chomp! %>
--
-replace: environment
-environment: <%= @environment %>
-<%- unless @ips.empty? -%>
--
-delete: ipHostNumber
-<%- unless @ips["v4"].nil? -%>
--
-add: ipHostNumber
-ipHostNumber: <%= @ips["v4"]["ipAddress"] %>
-<%- end -%>
-<%- unless @ips["v6"].nil? -%>
--
-add: ipHostNumber
-ipHostNumber: <%= @ips["v6"]["ipAddress"] %>/<%= @ips["v6"]["mask"] %>
-<%- end -%>
-<%- end -%>
-EOF
diff --git a/modules/base_installation/templates/puppet/host_ldap_add_top.info.erb b/modules/base_installation/templates/puppet/host_ldap_add_top.info.erb
new file mode 100644
index 0000000..3aafc19
--- /dev/null
+++ b/modules/base_installation/templates/puppet/host_ldap_add_top.info.erb
@@ -0,0 +1,16 @@
+#### Please add this node to LDAP:
+ldapadd -D "cn=root,<%= @ldap_base %>" -W << 'EOF'
+dn: <%= @ldap_dn %>
+cn: <%= @ldap_cn %>
+objectclass: device
+objectclass: top
+objectclass: simpleSecurityObject
+objectclass: puppetClient
+<%- unless @ips.empty? -%>
+objectclass: ipHost
+<% unless @ips["v4"].nil? -%>ipHostNumber: <%= @ips["v4"]["ipAddress"] %><%- end %>
+<% unless @ips["v6"].nil? -%>ipHostNumber: <%= @ips["v6"]["ipAddress"] %>/<%= @ips["v6"]["mask"] %><%- end %>
+<%- end -%>
+environment: <%= @environment %>
+puppetVar: real_hostname=<%= @real_hostname %>
+userpassword: {SSHA}<%= Base64.encode64(Digest::SHA1.digest(@ldap_password+@ssha_ldap_seed)+@ssha_ldap_seed).chomp! %>
diff --git a/modules/base_installation/templates/puppet/host_ldap_mod_top.info.erb b/modules/base_installation/templates/puppet/host_ldap_mod_top.info.erb
new file mode 100644
index 0000000..d7a1294
--- /dev/null
+++ b/modules/base_installation/templates/puppet/host_ldap_mod_top.info.erb
@@ -0,0 +1,23 @@
+#### Or modify an existing entry:
+ldapmodify -D "cn=root,<%= @ldap_base %>" -W << 'EOF'
+dn: <%= @ldap_dn %>
+changetype: modify
+replace: userPassword
+userpassword: {SSHA}<%= Base64.encode64(Digest::SHA1.digest(@ldap_password+@ssha_ldap_seed)+@ssha_ldap_seed).chomp! %>
+-
+replace: environment
+environment: <%= @environment %>
+<%- unless @ips.empty? -%>
+-
+delete: ipHostNumber
+<%- unless @ips["v4"].nil? -%>
+-
+add: ipHostNumber
+ipHostNumber: <%= @ips["v4"]["ipAddress"] %>
+<%- end -%>
+<%- unless @ips["v6"].nil? -%>
+-
+add: ipHostNumber
+ipHostNumber: <%= @ips["v6"]["ipAddress"] %>/<%= @ips["v6"]["mask"] %>
+<%- end -%>
+<%- end -%>
-- cgit v1.2.3
From a7b985dd3cc4af68875733eb135335a31504f472 Mon Sep 17 00:00:00 2001
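Review bot: `userpassword: {SSHA}<%= Base64.encode64(Digest::SHA1.digest(@ldap_password+@ssha_ldap_seed)+@ssha_ldap_seed).chomp! %>` in `host_ldap_add_top.info.erb`, and the identical line in `host_ldap_mod_top.info.erb`, depend on `chomp!`, which returns `nil` when there is nothing to strip, and on `Base64.encode64`, which breaks its output every 60 characters; once the 20-byte digest plus seed exceeds 45 bytes (a seed longer than 25 bytes) the LDIF value is split across lines and the `ldapadd` fails. `Base64.strict_encode64(...)` yields a single line with no trailing newline and needs no `chomp!`. Separately, `{SSHA}` is one SHA-1 over password and salt; if the directory's password modules accept a stronger scheme (`{SSHA512}`, `{PBKDF2}` or `{ARGON2}` on OpenLDAP) emitting that here is cheap hardening, though the LDAP server side is not visible on this page.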
From: =?UTF-8?q?Isma=C3=ABl=20Bouya?=
Date: Fri, 17 Aug 2018 12:51:33 +0200
Subject: Add cat_files report to notify of important changes
---
 environments/global/common.yaml | 3 +-
 .../lib/puppet/reports/cat_files.rb | 17 +++++++++++
 modules/base_installation/manifests/init.pp | 33 +++++++++++-----------
 modules/base_installation/manifests/params.pp | 33 +++++++++++-----------
 modules/base_installation/manifests/puppet.pp | 28 +++++++++---------
 .../templates/puppet/puppet.conf.erb | 2 +-
 6 files changed, 69 insertions(+), 47 deletions(-)
 create mode 100644 modules/base_installation/lib/puppet/reports/cat_files.rb
diff --git a/environments/global/common.yaml b/environments/global/common.yaml
index 3cc75fa..97bf196 100644
--- a/environments/global/common.yaml
+++ b/environments/global/common.yaml
@@ -21,8 +21,8 @@ base_installation::ldap_dn: "cn=%{facts.ec2_metadata.hostname},ou=hosts,dc=immae
 base_installation::ldap_cn: "%{facts.ec2_metadata.hostname}"
 base_installation::ldap_server: "ldap.immae.eu"
 base_installation::ldap_uri: "ldaps://ldap.immae.eu"
-# FIXME: get all mounts without needing that hack?
 base_installation::puppet_conf_path: "/etc/puppetlabs/puppet"
+base_installation::puppet_notifies_path: "/etc/puppetlabs/notifies"
 base_installation::puppet_code_path: "/etc/puppetlabs/code"
 base_installation::puppet_pass_seed: "/etc/puppetlabs/puppet/password_seed"
 base_installation::puppet_ssl_path: "/etc/puppetlabs/ssl"
@@ -30,6 +30,7 @@ base_installation::system_locales: ["fr_FR.UTF-8", "en_US.UTF-8"]
 base_installation::system_timezone: "Europe/Paris"
 base_installation::system_users: [] # Fetched via ldap
 base_installation::notify_xmpp: {}
+# FIXME: get all mounts without needing that hack?
 profile::fstab::mounts:
 - "%{facts.ldapvar.self.vars.mounts.0}"
 - "%{facts.ldapvar.self.vars.mounts.1}"
diff --git a/modules/base_installation/lib/puppet/reports/cat_files.rb b/modules/base_installation/lib/puppet/reports/cat_files.rb
new file mode 100644
index 0000000..9d9c068
--- /dev/null
+++ b/modules/base_installation/lib/puppet/reports/cat_files.rb
@@ -0,0 +1,17 @@
+require 'puppet'
+
+Puppet::Reports.register_report(:cat_files) do
+ FOLLOWED_RESOURCES = [
+ "File[/etc/puppetlabs/notifies/host_ldap.info]",
+ ]
+
+ def process
+ self.resource_statuses.each do |name, status|
+ if FOLLOWED_RESOURCES.include?(status.resource) && status.events.any? { |e| e.status == "success" }
+ puts File.open(status.title, "r").read()
+ end
+ end
+ end
+
+end
+
diff --git a/modules/base_installation/manifests/init.pp b/modules/base_installation/manifests/init.pp
index d8abcaf..a1b5ca8 100644
--- a/modules/base_installation/manifests/init.pp
+++ b/modules/base_installation/manifests/init.pp
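Review bot: `process` acts on two fields that come from the report itself: `status.resource` decides whether to act and `status.title` is then opened on the host running the report processor. Under a Puppet server that host is the server, where `/etc/puppetlabs/notifies/host_ldap.info` is not the agent's file at all, and a node allowed to submit reports could fill `title` with any server-readable path while keeping `resource` at the followed value; if this processor is meant for masterless `puppet apply`, say so in a comment, and in either case take the path from the constant rather than the report, e.g. a `FOLLOWED_FILES` hash keyed by resource name whose value is the path to print. `File.open(status.title, "r").read()` also never closes the handle; `File.read(path)` does. `puts` goes to the processor's stdout, which is the operator's terminal under `puppet apply` but the service log under a server, so the printed LDIF, password hash included, lands wherever that stream is kept.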
@@ -1,20 +1,21 @@ class base_installation ( - Optional[String] $grub_device = $base_installation::params::grub_device, - Optional[String] $ldap_base = $base_installation::params::ldap_base, - Optional[String] $ldap_cert_path = $base_installation::params::ldap_cert_path, - Optional[String] $ldap_cn = $base_installation::params::ldap_cn, - Optional[String] $ldap_dn = $base_installation::params::ldap_dn, - Optional[String] $ldap_server = $base_installation::params::ldap_server, - Optional[String] $ldap_uri = $base_installation::params::ldap_uri, - Optional[String] $puppet_code_path = $base_installation::params::puppet_code_path, - Optional[String] $puppet_conf_path = $base_installation::params::puppet_conf_path, - Optional[String] $puppet_pass_seed = $base_installation::params::puppet_pass_seed, - Optional[String] $puppet_ssl_path = $base_installation::params::puppet_ssl_path, - Optional[String] $real_hostname = $base_installation::params::real_hostname, - Optional[String] $system_hostname = $base_installation::params::system_hostname, - Optional[Array[String]] $system_locales = $base_installation::params::system_locales, - Optional[String] $system_timezone = $base_installation::params::system_timezone, - Optional[Array[Hash]] $system_users = $base_installation::params::system_users, + Optional[String] $grub_device = $base_installation::params::grub_device, + Optional[String] $ldap_base = $base_installation::params::ldap_base, + Optional[String] $ldap_cert_path = $base_installation::params::ldap_cert_path, + Optional[String] $ldap_cn = $base_installation::params::ldap_cn, + Optional[String] $ldap_dn = $base_installation::params::ldap_dn, + Optional[String] $ldap_server = $base_installation::params::ldap_server, + Optional[String] $ldap_uri = $base_installation::params::ldap_uri, + Optional[String] $puppet_code_path = $base_installation::params::puppet_code_path, + Optional[String] $puppet_conf_path = $base_installation::params::puppet_conf_path, + Optional[String] 
$puppet_notifies_path = $base_installation::params::puppet_notifies_path, + Optional[String] $puppet_pass_seed = $base_installation::params::puppet_pass_seed, + Optional[String] $puppet_ssl_path = $base_installation::params::puppet_ssl_path, + Optional[String] $real_hostname = $base_installation::params::real_hostname, + Optional[String] $system_hostname = $base_installation::params::system_hostname, + Optional[Array[String]] $system_locales = $base_installation::params::system_locales, + Optional[String] $system_timezone = $base_installation::params::system_timezone, + Optional[Array[Hash]] $system_users = $base_installation::params::system_users, ) inherits base_installation::params { contain ::base_installation::packages contain ::base_installation::locales diff --git a/modules/base_installation/manifests/params.pp b/modules/base_installation/manifests/params.pp index 5ade838..f336b65 100644 --- a/modules/base_installation/manifests/params.pp +++ b/modules/base_installation/manifests/params.pp 
@@ -1,20 +1,21 @@
 class base_installation::params {
- $puppet_code_path = "/etc/puppetlabs/code"
- $puppet_conf_path = "/etc/puppetlabs/puppet"
- $puppet_pass_seed = "/etc/puppetlabs/puppet/password_seed"
- $puppet_ssl_path = "/etc/puppetlabs/ssl"
- $grub_device = "/dev/sda"
- $ldap_base = "dc=example,dc=com"
- $ldap_cn = "node"
- $ldap_dn = "cn=node,ou=hosts,dc=example,dc=com"
- $ldap_cert_path = "/etc/ssl/certs/ca-certificates.crt"
- $ldap_uri = "ldaps://ldap.example.com"
- $ldap_server = "ldap.example.com"
- $real_hostname = "example.com"
- $system_hostname = "example.com"
- $system_locales = ["en_US.UTF-8"]
- $system_timezone = "UTC"
- $system_users = [
+ $puppet_code_path = "/etc/puppetlabs/code"
+ $puppet_conf_path = "/etc/puppetlabs/puppet"
+ $puppet_notifies_path = "/etc/puppetlabs/notifies"
+ $puppet_pass_seed = "/etc/puppetlabs/puppet/password_seed"
+ $puppet_ssl_path = "/etc/puppetlabs/ssl"
+ $grub_device = "/dev/sda"
+ $ldap_base = "dc=example,dc=com"
+ $ldap_cn = "node"
+ $ldap_dn = "cn=node,ou=hosts,dc=example,dc=com"
+ $ldap_cert_path = "/etc/ssl/certs/ca-certificates.crt"
+ $ldap_uri = "ldaps://ldap.example.com"
+ $ldap_server = "ldap.example.com"
+ $real_hostname = "example.com"
+ $system_hostname = "example.com"
+ $system_locales = ["en_US.UTF-8"]
+ $system_timezone = "UTC"
+ $system_users = [
 {
 userid => 1000,
 username => "example",
diff --git a/modules/base_installation/manifests/puppet.pp b/modules/base_installation/manifests/puppet.pp
index 10b3773..603a961 100644
--- a/modules/base_installation/manifests/puppet.pp
+++ b/modules/base_installation/manifests/puppet.pp
@@ -103,45 +103,47 @@ class base_installation::puppet ( } } - if file("$base_installation::puppet_conf_path/host_ldap.info", "/dev/null") != "" and + if file("$base_installation::puppet_notifies_path/host_ldap.info", "/dev/null") != "" and empty($facts["ldapvar"]) { fail("LDAP was activated but facts are not available") } + file { $base_installation::puppet_notifies_path: + ensure => directory, + require => [Package["puppet"], Package["gem:xmpp4r"], Package["gem:ruby-ldap"]], + recurse => true, + purge => true, + force => true, + } + $ips = lookup("ips", { 'default_value' => undef }) - concat { "$base_installation::puppet_conf_path/host_ldap.info": + concat { "$base_installation::puppet_notifies_path/host_ldap.info": ensure => "present", mode => "0600", - require => File[$base_installation::puppet_conf_path], - notify => Notify_refresh["notify-ldap-password"], + require => File[$base_installation::puppet_notifies_path], ensure_newline => true, } concat::fragment { "host_ldap add top": - target => "$base_installation::puppet_conf_path/host_ldap.info", + target => "$base_installation::puppet_notifies_path/host_ldap.info", content => template("base_installation/puppet/host_ldap_add_top.info.erb"), order => "00-01", } concat::fragment { "host_ldap add bottom": - target => "$base_installation::puppet_conf_path/host_ldap.info", + target => "$base_installation::puppet_notifies_path/host_ldap.info", content => "EOF", order => "00-99", } concat::fragment { "host_ldap mod top": - target => "$base_installation::puppet_conf_path/host_ldap.info", + target => "$base_installation::puppet_notifies_path/host_ldap.info", content => template("base_installation/puppet/host_ldap_mod_top.info.erb"), order => "01-01", } concat::fragment { "host_ldap mod bottom": - target => "$base_installation::puppet_conf_path/host_ldap.info", + target => "$base_installation::puppet_notifies_path/host_ldap.info", content => "EOF", order => "01-99", } - - notify_refresh { "notify-ldap-password": - 
message => template("base_installation/puppet/host_ldap.info.erb"), - refreshonly => true - } } } diff --git a/modules/base_installation/templates/puppet/puppet.conf.erb b/modules/base_installation/templates/puppet/puppet.conf.erb index da39468..38a0c1b 100644 --- a/modules/base_installation/templates/puppet/puppet.conf.erb +++ b/modules/base_installation/templates/puppet/puppet.conf.erb @@ -1,6 +1,6 @@ [main] <% - reports = ["store"] + reports = ["store", "cat_files"] if @xmpp.count > 0 reports << "xmpp" end -- cgit v1.2.3 From cfad76106ad85e170c08a196e7e365a78293aa7c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Isma=C3=ABl=20Bouya?= Date: Fri, 17 Aug 2018 12:51:55 +0200 Subject: Add wireguard to host_ldap --- modules/profile/manifests/wireguard.pp | 11 +++++++++++ modules/profile/templates/wireguard/network.conf.erb | 12 +++++++++--- 2 files changed, 20 insertions(+), 3 deletions(-) diff --git a/modules/profile/manifests/wireguard.pp b/modules/profile/manifests/wireguard.pp index ad1b081..829f82d 100644 --- a/modules/profile/manifests/wireguard.pp +++ b/modules/profile/manifests/wireguard.pp @@ -14,11 +14,22 @@ class profile::wireguard ( $private_key = generate_password(32, $password_seed, "wireguard", "curve25519", true) + if file("/usr/bin/wg", "/dev/null") != "" { + $puppet_notifies_path = lookup("base_installation::puppet_notifies_path") + $public_key = generate("/usr/bin/bash", "-c", "echo $private_key | /usr/bin/wg pubkey") + concat::fragment { "host_ldap add wireguard": + target => "$puppet_notifies_path/host_ldap.info", + content => "puppetVar: wireguard_public=$public_key", + order => "00-80" + } + } + file { "/etc/wireguard/network.conf": ensure => "file", mode => "0600", content => template("profile/wireguard/network.conf.erb"), require => [Package["wireguard-tools"], Package["wireguard-dkms"]], + notify => Service["wg-quick@network"], } -> service { "wg-quick@network": 
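Review bot: `file { $base_installation::puppet_notifies_path: ensure => directory, ... }` creates the directory that holds `host_ldap.info`, a file the same hunk protects with `mode => "0600"` because it carries the node's LDAP password hash, yet the directory itself gets no `owner`, `group` or `mode`, so its permissions are whatever the agent's umask produced; I'd add `owner => "root", group => "root", mode => "0700",` (an explicitly managed child such as the concat target keeps its own mode under `recurse => true`). `if file("$base_installation::puppet_notifies_path/host_ldap.info", "/dev/null") != ""` runs on the host compiling the catalog, so it only observes the agent-side file under `puppet apply`; a comment stating that assumption would save the next reader a detour. Removing `notify_refresh { "notify-ldap-password": ... }` also clears the reference to `host_ldap.info.erb`, which the previous commit on this page had already deleted. `base_installation::puppet` continues outside the hunk.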
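Review bot: `generate("/usr/bin/bash", "-c", "echo $private_key | /usr/bin/wg pubkey")` places the base64 private key in bash's argv, so it is readable in the process list of the compiling host for the lifetime of the command (`echo` is a builtin, so no second process appears, but `bash -c '<string>'` itself is visible); the base64 alphabet rules out shell injection, but the exposure remains. `generate()` offers no stdin, so the clean fix is to derive the public key inside the Ruby function next to the private one (the clamped 32-byte scalar is already there, and recent versions of Ruby's openssl gem expose X25519 raw keys through `OpenSSL::PKey.new_raw_private_key` and `#raw_public_key`), or to derive it once from a key file on the node rather than at compile time. `file("/usr/bin/wg", "/dev/null")` is likewise evaluated on the compiling host, which matches the agent only under `puppet apply`. Adding `notify => Service["wg-quick@network"]` is right and makes the existing `->` arrow redundant, since notify already implies ordering. `profile::wireguard` continues outside the hunk.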
diff --git a/modules/profile/templates/wireguard/network.conf.erb b/modules/profile/templates/wireguard/network.conf.erb index 0528050..5327dfd 100644 --- a/modules/profile/templates/wireguard/network.conf.erb +++ b/modules/profile/templates/wireguard/network.conf.erb @@ -1,13 +1,19 @@ [Interface] -<%- @ips.each do |ip| %> +<%- @ips.each do |ip| -%> Address = <%= ip %> -<% end -%> +<%- end -%> PrivateKey = <%= @private_key %> +ListenPort = 51820 <%- @facts["ldapvar"]["other"].each do |host| -%> <%- if (host["vars"]["wireguard_public"] || []).count > 0 %> [Peer] -PublicKey = host["vars"]["wireguard_public"][0] +# <%= host["vars"]["real_hostname"][0] %> +PublicKey = <%= host["vars"]["wireguard_public"][0] %> +<%- if (host["vars"]["wireguard_ip"] || []).count > 0 -%> +AllowedIps = <%= host["vars"]["wireguard_ip"].join(", ").gsub /\/\d+/, "/32" %> +<%- end -%> +Endpoint = <%= host["vars"]["real_hostname"][0] %>:51820 <% end -%> <%- end -%> -- cgit v1.2.3 From 7d8c507fd252d822cc92ca2168d71f97805cc30a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Isma=C3=ABl=20Bouya?= Date: Fri, 17 Aug 2018 17:40:59 +0200 Subject: Make mountpoints configurable --- modules/role/manifests/file_store.pp | 42 ++++++++++++++++++++++++++++-------- 1 file changed, 33 insertions(+), 9 deletions(-) diff --git a/modules/role/manifests/file_store.pp b/modules/role/manifests/file_store.pp index bf4afe7..d1f6a67 100644 --- a/modules/role/manifests/file_store.pp +++ b/modules/role/manifests/file_store.pp @@ -1,5 +1,5 @@ class role::file_store ( - Optional[Array] $nfs_mounts = ["cardano"], + Optional[Hash] $nfs_mounts = {}, Optional[String] $mountpoint = "/fichiers1", ) { include "base_installation" @@ -7,7 +7,6 @@ class role::file_store ( include "profile::fstab" include "profile::tools" include "profile::monitoring" - include "profile::kerberos::client" include "profile::wireguard" unless empty($mountpoint) { 
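Review bot: `AllowedIps = <%= host["vars"]["wireguard_ip"].join(", ").gsub /\/\d+/, "/32" %>` rewrites every prefix length to `/32`, which is only right for IPv4; an IPv6 entry in `wireguard_ip` would end up with a `/32` covering far more than the peer's address and widen what that peer may source through the tunnel (the `Address = <%= ip %>` lines accept either family, so v6 is not excluded by the template). Map per entry instead, e.g. `host["vars"]["wireguard_ip"].map { |ip| ip.sub(%r{/\d+\z}, ip.include?(":") ? "/128" : "/32") }.join(", ")`, and call `gsub` with parentheses to avoid Ruby's ambiguous-argument warning on a regex literal. `# <%= host["vars"]["real_hostname"][0] %>` and the `Endpoint` line index `real_hostname` without the `|| []` guard used for the other keys, so a host entry lacking it raises at compile time.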
@@ -19,19 +18,44 @@ class role::file_store ( require => Mount[$mountpoint], } - $nfs_mounts.each |$nfs_mount| { + $nfs_mounts.each |$nfs_mount, $hosts| { file { "$mountpoint/$nfs_mount": ensure => "directory", mode => "0755", owner => "nobody", group => "nobody", require => Mount[$mountpoint], - } -> - nfs::server::export { "$mountpoint/$nfs_mount": - owner => "nobody", - group => "nobody", - ensure => "present", - clients => "immae.eu(rw,secure,sync,all_squash,sec=krb5p)", + } + + $hosts.each |$host_cn| { + $host = find_host($facts["ldapvar"]["other"], $host_cn) + if empty($host) { + fail("No host found for nfs") + } elsif has_key($host["vars"], "wireguard_ip") { + $clients = sprintf("%s%s", + join($host["vars"]["wireguard_ip"], "(rw,secure,sync,all_squash) "), + "(rw,secure,sync,all_squash)") + nfs::server::export { "$mountpoint/$nfs_mount": + owner => "nobody", + group => "nobody", + ensure => "present", + clients => $clients, + } + } elsif has_key($host["vars"], "host") { + nfs::server::export { "$mountpoint/$nfs_mount": + owner => "nobody", + group => "nobody", + ensure => "present", + clients => "${host[vars][host][0]}(rw,secure,sync,all_squash)", + } + } else { + nfs::server::export { "$mountpoint/$nfs_mount": + owner => "nobody", + group => "nobody", + ensure => "present", + clients => "${host[vars][real_hostname][0]}(rw,secure,sync,all_squash)", + } + } } } } -- cgit v1.2.3 From 3c90c9020fc4e0257fa4c73f14e609e3559b3771 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Isma=C3=ABl=20Bouya?= Date: Sat, 18 Aug 2018 14:02:17 +0200 Subject: Move private values --- environments/global/common.yaml | 5 +---- environments/global/roles/cryptoportfolio.yaml | 2 +- 2 files changed, 2 insertions(+), 5 deletions(-) diff --git a/environments/global/common.yaml b/environments/global/common.yaml index 97bf196..2f2db35 100644 --- a/environments/global/common.yaml +++ b/environments/global/common.yaml 
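Review bot: Inside `$hosts.each |$host_cn| { ... }` every branch declares `nfs::server::export { "$mountpoint/$nfs_mount": ... }` with the same title, so any mount listing more than one host in `$nfs_mounts` fails with a duplicate declaration; only the single-host case compiles. Build the `clients` string across all hosts first and declare the export once per mount, as below. The hunk also drops `sec=krb5p` from every `clients` entry (and the commit removes `include "profile::kerberos::client"` in its earlier hunk), so exports now rely on AUTH_SYS with the client address as the only check: defensible for the `wireguard_ip` branch, where the address is bound to a peer key by `AllowedIPs`, but the `host` and `real_hostname` branches export to whatever those names resolve to over plain NFS, which deserves a comment or a `sec=` option on those two. `role::file_store` continues outside the hunk.
```puppet
    $nfs_mounts.each |$nfs_mount, $hosts| {
      # … unchanged: file { "$mountpoint/$nfs_mount": ... } …

      $clients = join($hosts.map |$host_cn| {
        $host = find_host($facts["ldapvar"]["other"], $host_cn)
        if empty($host) {
          fail("No host found for nfs")
        } elsif has_key($host["vars"], "wireguard_ip") {
          join($host["vars"]["wireguard_ip"].map |$ip| { "${ip}(rw,secure,sync,all_squash)" }, " ")
        } elsif has_key($host["vars"], "host") {
          "${host[vars][host][0]}(rw,secure,sync,all_squash)"
        } else {
          "${host[vars][real_hostname][0]}(rw,secure,sync,all_squash)"
        }
      }, " ")

      nfs::server::export { "$mountpoint/$nfs_mount":
        owner   => "nobody",
        group   => "nobody",
        ensure  => "present",
        clients => $clients,
      }
    }
```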
@@ -30,10 +30,7 @@ base_installation::system_locales: ["fr_FR.UTF-8", "en_US.UTF-8"]
 base_installation::system_timezone: "Europe/Paris"
 base_installation::system_users: [] # Fetched via ldap
 base_installation::notify_xmpp: {}
-# FIXME: get all mounts without needing that hack?
-profile::fstab::mounts:
- - "%{facts.ldapvar.self.vars.mounts.0}"
- - "%{facts.ldapvar.self.vars.mounts.1}"
+profile::fstab::mounts: []
 profile::xmr_stak::mining_pool: ""
 profile::xmr_stak::wallet: ""
 profile::mail::mailhub: "" # Fetched via ldap
diff --git a/environments/global/roles/cryptoportfolio.yaml b/environments/global/roles/cryptoportfolio.yaml
index 138da7a..661af2d 100644
--- a/environments/global/roles/cryptoportfolio.yaml
+++ b/environments/global/roles/cryptoportfolio.yaml
@@ -6,7 +6,7 @@ role::cryptoportfolio::user: "cryptoportfolio"
 role::cryptoportfolio::group: "cryptoportfolio"
 role::cryptoportfolio::home: "/home/cryptoportfolio"
 role::cryptoportfolio::env: "prod"
-role::cryptoportfolio::webhook_url: "%{ldapvar.self.vars.cf_slack_webhook.0}"
+role::cryptoportfolio::webhook_url: ""
 role::cryptoportfolio::pg_db: "cryptoportfolio"
 role::cryptoportfolio::pg_user: "cryptoportfolio"
 role::cryptoportfolio::web_host: "%{lookup('base_installation::system_hostname')}"
-- cgit v1.2.3