From 9536be586441d22f0e13d2147b5dc1f4721a8182 Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Tue, 20 Jun 2023 20:27:16 +1000
Subject: [PATCH] Inital commit for profile::puppet::*

* profile::pupper::server
* profile::puppet::puppetmaster
* profile::puppet::g10k
* profile::puppet::autosign
* updated Puppetfile
* updated role::puppet::puppetmaster
* added profile::puppet::puppetmaster to puppetmaster role
* added profile::puppet::server templates
---
 Puppetfile | 8 ++-
 hieradata/common.yaml | 3 +
 site/profile/manifests/puppet/autosign.pp | 54 ++++++++++++++
 site/profile/manifests/puppet/g10k.pp | 70 +++++++++++++++++++
 site/profile/manifests/puppet/puppetmaster.pp | 41 +++++++++++
 site/profile/manifests/puppet/server.pp | 57 +++++++++++++++
 .../templates/puppet/server/puppet.conf.epp | 17 +++++
 site/role/manifests/puppet/puppetmaster.pp | 3 +
 8 files changed, 252 insertions(+), 1 deletion(-)
 create mode 100644 site/profile/manifests/puppet/autosign.pp
 create mode 100644 site/profile/manifests/puppet/g10k.pp
 create mode 100644 site/profile/manifests/puppet/puppetmaster.pp
 create mode 100644 site/profile/manifests/puppet/server.pp
 create mode 100644 site/profile/templates/puppet/server/puppet.conf.epp

diff --git a/Puppetfile b/Puppetfile
index f2c9fc5..8d0d3e0 100644
--- a/Puppetfile
+++ b/Puppetfile
@@ -2,5 +2,11 @@ forge 'forge.puppetlabs.com'
 moduledir 'external_modules'
 # Forge Modules
+mod 'puppetlabs-stdlib', '9.1.0'
+mod 'puppetlabs-inifile', '6.0.0'
+mod 'puppetlabs-concat', '9.0.0'
+mod 'eyp-eyplib', '0.1.24'
+mod 'eyp-systemd', '3.1.0'
+mod 'ghoneycutt-puppet', '3.3.0'
+mod 'puppet-archive', '7.0.0'
 mod 'puppet-chrony', '2.6.0'
-mod 'puppetlabs/stdlib'
diff --git a/hieradata/common.yaml b/hieradata/common.yaml
index 50c98bb..7f1cdd7 100644
--- a/hieradata/common.yaml
+++ b/hieradata/common.yaml
@@ -2,3 +2,6 @@
 profile::base::ntp_servers:
 - 0.au.pool.ntp.org
 - 1.au.pool.ntp.org
+
+profile::puppet::autosign::subnet_ranges:
+ - '198.18.17.0/24'
diff --git a/site/profile/manifests/puppet/autosign.pp b/site/profile/manifests/puppet/autosign.pp
new file mode 100644
index 0000000..56c072a
--- /dev/null
+++ b/site/profile/manifests/puppet/autosign.pp
@@ -0,0 +1,54 @@
+# Class: profile::puppet::autosign
+#
+# This class manages an autosign script for the Puppet master.
+# It sets up a Ruby script that automatically signs Puppet node requests
+# originating from certain IP subnet ranges.
+#
+# Parameters:
+# - `subnet_ranges`: An array of IP subnet ranges for which to automatically
+# sign certificate requests.
+#
+# Actions:
+# - Ensures the autosign script file is present and has the correct content and permissions.
+#
+# Usage:
+# The class can be declared in a node definition or classified using an ENC or Hiera.
+# Example:
+# node 'puppet.example.com' {
+# class { 'profile::puppet::autosign':
+# subnet_ranges => ['198.18.17.0/24', '10.0.0.0/8'],
+# }
+# }
+#
+# Requirements:
+# - Puppet master must have access to the /opt/puppetlabs/bin directory.
+# - The gem 'ipaddr' module must be installed on the Puppet master.
+# - The puppet 'puppetlabs/stdlib' module must be installed on the Puppet master.
+#
+# Limitations:
+# This is designed to work on Unix-like systems.
+class profile::puppet::autosign (
+ Array[Stdlib::IP::Address::V4::CIDR] $subnet_ranges,
+) {
+
+ $script_content = @(END)
+ #!/usr/bin/env ruby
+
+ require 'yaml'
+ require 'ipaddr'
+
+ csr = YAML.load(STDIN.read)
+ networks = #{subnet_ranges}
+
+ ip = IPAddr.new(csr['facts']['networking']['ip'])
+
+ exit 1 unless networks.any? { |network| IPAddr.new(network).include?(ip) }
+ exit 0
+ END
+
+ file { '/opt/puppetlabs/bin/autosign.rb':
+ ensure => file,
+ content => $script_content,
+ mode => '0755',
+ }
+}
diff --git a/site/profile/manifests/puppet/g10k.pp b/site/profile/manifests/puppet/g10k.pp
new file mode 100644
index 0000000..cc420c2
--- /dev/null
+++ b/site/profile/manifests/puppet/g10k.pp
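Review bot: The generated script never receives the subnet list: `@(END)` is a non-interpolating Puppet heredoc and `#{subnet_ranges}` is Ruby syntax rather than Puppet's `${...}`, so `networks = #{subnet_ranges}` is written to disk literally, Ruby reads it as an assignment whose right-hand side is a comment, and the policy fails on every request. Switch to an interpolating heredoc that emits a Ruby array, i.e. `$script_content = @("END")` and `networks = [${subnet_ranges.map |$n| { "'${n}'" }.join(', ')}]`. Separately, Puppet Server invokes a policy autosigner with the certname as its first argument and the PEM-encoded CSR on stdin, not a YAML document of facts, so `YAML.load(STDIN.read)` and the `csr['facts']['networking']['ip']` lookup do not match that interface; the requester's address is not part of a CSR, and any client-reported address would be attacker-controlled input to an authorization decision, so a CSR extension attribute checked against a server-side secret is the usual basis for a policy script. If stdin is ever parsed as YAML, use `YAML.safe_load` since it is data sent by an unauthenticated client.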
@@ -0,0 +1,70 @@
+# Class: profile::puppet::g10k
+#
+# This class handles downloading and installation of the g10k tool, a fast
+# Git and Forge based Puppet environment and module deployment tool.
+# The latest release of g10k is downloaded from GitHub and placed into '/opt/puppetlabs/bin'.
+# Additionally, it creates a helper script to easily run g10k with the appropriate configuration.
+# It also creates a systemd service and timer that runs the g10k script every minute.
+#
+# Parameters: None
+#
+# Actions:
+# - Downloads the latest g10k release from GitHub.
+# - Extracts the download and places the executable in '/opt/puppetlabs/bin'.
+# - Creates a helper script '/opt/puppetlabs/bin/puppet-g10k' for easy usage of g10k.
+# - Creates a systemd service and timer that runs the g10k script every minute.
+#
+# Usage:
+# Directly including the class in your node definitions or classify your nodes
+# using an ENC or Hiera.
+# Example:
+# node 'puppet.example.com' {
+# include profile::puppet::g10k
+# }
+#
+# Requirements:
+# - The 'puppet-archive' module should be installed in your puppetmaster.
+# - The 'puppet-systemd' module should be installed on your puppetmaster.
+# - '/opt/puppetlabs/bin/' directory must exist and be writable.
+# - Puppet master must have access to the GitHub URL.
+#
+# Limitations:
+# This is designed to work on Unix-like systems only.
+class profile::puppet::g10k {
+
+ package { 'unzip':
+ ensure => installed,
+ }
+
+ archive { '/tmp/g10k.zip':
+ ensure => present,
+ source => 'https://github.com/xorpaul/g10k/releases/latest/download/g10k-linux-amd64.zip',
+ extract => true,
+ extract_path => '/opt/puppetlabs/bin',
+ creates => '/opt/puppetlabs/bin/g10k',
+ cleanup => true,
+ }
+
+ file { '/opt/puppetlabs/bin/puppet-g10k':
+ ensure => file,
+ owner => 'root',
+ group => 'root',
+ mode => '0755',
+ content => "#!/usr/bin/bash\n/opt/puppetlabs/bin/g10k -config /etc/puppetlabs/r10k/r10k.yaml\n",
+ require => Archive['/tmp/g10k.zip'],
+ }
+
+ systemd::service { 'puppet-g10k':
+ description => 'puppet-g10k update service',
+ execstart => '/opt/puppetlabs/bin/puppet-g10k',
+ user => 'root',
+ require => File['/opt/puppetlabs/bin/puppet-g10k'],
+ }
+
+ systemd::timer { 'puppet-g10k':
+ description => 'Run puppet-g10k every minute',
+ unit => 'puppet-g10k.service',
+ on_calendar => '*:0/1',
+ require => Systemd::Service['puppet-g10k'],
+ }
+}
diff --git a/site/profile/manifests/puppet/puppetmaster.pp b/site/profile/manifests/puppet/puppetmaster.pp
new file mode 100644
index 0000000..0e7b481
--- /dev/null
+++ b/site/profile/manifests/puppet/puppetmaster.pp
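Review bot: `archive { '/tmp/g10k.zip': }` downloads an unpinned `releases/latest` binary with no `checksum`/`checksum_type`, and the systemd timer then runs that binary as root every minute, so whatever is served from that URL at install time executes with full privileges on the Puppet server; pin `source` to a specific release tag and add `checksum_type => 'sha256',` and `checksum => '<sha256 of the pinned release>',` so puppet-archive verifies the file before it is extracted. The header comment lists `puppet-systemd` as a requirement, but the Puppetfile hunk pins `eyp-systemd` and the `systemd::service { execstart => ... }` signature used here matches that module, so the comment should name `eyp-systemd`. Because `creates => '/opt/puppetlabs/bin/g10k'` stops the download once the binary exists, the "latest release" wording in the comment describes the first run only; say so, or drop `latest`. The wrapper references `/etc/puppetlabs/r10k/r10k.yaml`, which nothing in this diff appears to manage.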
@@ -0,0 +1,41 @@
+# Class: profile::puppet::puppetmaster
+#
+# This class manages the puppetmaster using the ghoneycutt-puppet module.
+# It manages the server settings in the puppet.conf file.
+#
+# Parameters: None
+#
+# Actions:
+# - Sets up the server, main, agent, and master sections in the puppet.conf file
+#
+# Usage:
+# Directly include the class in your node definitions or classify your nodes
+# using an ENC or Hiera.
+# Example:
+# node 'puppet.example.com' {
+# include profile::puppet::puppetmaster
+# }
+#
+# Requirements:
+# - The 'ghoneycutt/puppet' module should be installed in your Puppet master.
+# - Puppet master must have access to the necessary directories.
+#
+# Limitations:
+# This is designed to work on Unix-like systems.
+class profile::puppet::puppetmaster {
+ include profile::puppet::g10k
+ include profile::puppet::autosign
+
+ class { 'profile::puppet::server':
+ vardir => '/opt/puppetlabs/server/data/puppetserver',
+ logdir => '/var/log/puppetlabs/puppetserver',
+ rundir => '/var/run/puppetlabs/puppetserver',
+ pidfile => '/var/run/puppetlabs/puppetserver/puppetserver.pid',
+ codedir => '/etc/puppetlabs/code',
+ dns_alt_names => ['prodinf01n01.main.unkin.net'],
+ server => 'prodinf01n01.main.unkin.net',
+ node_terminus => 'exec',
+ external_nodes => '/opt/puppetlabs/bin/enc',
+ autosign => '/etc/puppetlabs/puppet/autosign.rb',
+ }
+}
diff --git a/site/profile/manifests/puppet/server.pp b/site/profile/manifests/puppet/server.pp
new file mode 100644
index 0000000..235bf88
--- /dev/null
+++ b/site/profile/manifests/puppet/server.pp
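Review bot: `autosign => '/etc/puppetlabs/puppet/autosign.rb'` does not match the path the included `profile::puppet::autosign` class manages, `/opt/puppetlabs/bin/autosign.rb`, so puppet.conf will point Puppet Server at a policy executable that is never created; make both sides agree, e.g. `autosign => '/opt/puppetlabs/bin/autosign.rb',`. The header comment says the class manages the puppetmaster with the ghoneycutt-puppet module, but the body only includes the g10k and autosign profiles and declares `profile::puppet::server`; the comment should describe what the class actually does. `external_nodes => '/opt/puppetlabs/bin/enc'` is referenced, yet nothing in this diff appears to manage that script. The site-specific hostname given to `server` and `dns_alt_names` would normally be looked up from Hiera rather than hard-coded in a profile.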
@@ -0,0 +1,57 @@
+# Class: profile::puppet::server
+#
+# This class manages Puppet server's configuration and service.
+#
+# Parameters:
+# vardir - Directory path for variable data.
+# logdir - Directory path for logs.
+# rundir - Directory path for run-time data.
+# pidfile - File path for the PID file.
+# codedir - Directory path for code data.
+# dns_alt_names - Array of alternate DNS names for the server.
+# server - Server's name.
+# node_terminus - Node terminus.
+# external_nodes - Path to the external node classifier script.
+# autosign - Path to the autosign script.
+#
+class profile::puppet::server (
+ String $vardir,
+ String $logdir,
+ String $rundir,
+ String $pidfile,
+ String $codedir,
+ Array[String[1]] $dns_alt_names,
+ String $server,
+ String $node_terminus,
+ String $external_nodes,
+ String $autosign,
+) {
+
+ file { '/etc/puppetlabs/puppet/puppet.conf':
+ ensure => file,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ content => epp('profile/puppet/server/puppet.conf.epp', {
+ 'vardir' => $vardir,
+ 'logdir' => $logdir,
+ 'rundir' => $rundir,
+ 'pidfile' => $pidfile,
+ 'codedir' => $codedir,
+ 'dns_alt_names' => join($dns_alt_names, ','),
+ 'server' => $server,
+ 'node_terminus' => $node_terminus,
+ 'external_nodes' => $external_nodes,
+ 'autosign' => $autosign,
+ }),
+ notify => Service['puppetserver'],
+ }
+
+ service { 'puppetserver':
+ ensure => running,
+ enable => true,
+ hasstatus => true,
+ hasrestart => true,
+ }
+}
+
diff --git a/site/profile/templates/puppet/server/puppet.conf.epp b/site/profile/templates/puppet/server/puppet.conf.epp
new file mode 100644
index 0000000..37f3a5e
--- /dev/null
+++ b/site/profile/templates/puppet/server/puppet.conf.epp
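Review bot: `$node_terminus` is accepted and handed to the template as `'node_terminus' => $node_terminus`, but `puppet.conf.epp` in the next hunk hard-codes `node_terminus = exec`, so the parameter is silently ignored; either render it with `node_terminus = <%= $node_terminus %>` in the template or drop the parameter here. The path parameters are typed as plain `String`; with `puppetlabs-stdlib` pinned in this commit, `Stdlib::Absolutepath` for `vardir`, `logdir`, `rundir`, `pidfile`, `codedir`, `external_nodes` and `autosign` would reject relative or empty values before they reach puppet.conf. The header comment could also state that `dns_alt_names` is joined with commas into a single setting, since that is the only transformation the class applies.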
@@ -0,0 +1,17 @@
+[server]
+vardir = <%= $vardir %>
+logdir = <%= $logdir %>
+rundir = <%= $rundir %>
+pidfile = <%= $pidfile %>
+codedir = <%= $codedir %>
+
+[main]
+dns_alt_names = <%= $dns_alt_names %>
+
+[agent]
+server = <%= $server %>
+
+[master]
+node_terminus = exec
+external_nodes = <%= $external_nodes %>
+autosign = <%= $autosign %>
diff --git a/site/role/manifests/puppet/puppetmaster.pp b/site/role/manifests/puppet/puppetmaster.pp
index 1d24efe..f04f3fe 100644
--- a/site/role/manifests/puppet/puppetmaster.pp
+++ b/site/role/manifests/puppet/puppetmaster.pp
@@ -1,3 +1,6 @@
+# a role to deploy the puppetmaster
+# work in progress
 class role::puppet::puppetmaster {
 include profile::base
+ include profile::puppet::puppetmaster
 }
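Review bot: The template splits Puppet Server settings between `[server]` and `[master]`; on Puppet 6 and later `[master]` is the deprecated spelling of `[server]`, so if that is the deployed version the `node_terminus`, `external_nodes` and `autosign` keys belong with the other entries under `[server]`, and keeping both sections leaves it unclear which one takes effect — confirm against the targeted Puppet version. `server = <%= $server %>` sits under `[agent]` while `dns_alt_names` is under `[main]`; a one-line comment above each section explaining why its settings live there would help the next reader.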