diff --git a/hieradata/roles/infra/cobbler/server.eyaml b/hieradata/roles/infra/cobbler/server.eyaml
index 9f6f432..6ccffe3 100644
--- a/hieradata/roles/infra/cobbler/server.eyaml
+++ b/hieradata/roles/infra/cobbler/server.eyaml
@@ -1,2 +1,2 @@
 ---
-profiles::cobbler::server::default_password_crypted: ENC[PKCS7,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]
+profiles::cobbler::params::default_password_crypted: ENC[PKCS7,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]
diff --git a/hieradata/roles/infra/cobbler/server.yaml b/hieradata/roles/infra/cobbler/server.yaml
index 4aaea83..9fac228 100644
--- a/hieradata/roles/infra/cobbler/server.yaml
+++ b/hieradata/roles/infra/cobbler/server.yaml
@@ -14,4 +14,4 @@ profiles::packages::install:
 profiles::pki::vault::alt_names:
 - cobbler.main.unkin.net
-profiles::cobbler::server::service_cname: 'cobbler.main.unkin.net'
+profiles::cobbler::params::service_cname: 'cobbler.main.unkin.net'
diff --git a/site/profiles/manifests/cobbler/config.pp b/site/profiles/manifests/cobbler/config.pp
new file mode 100644
index 0000000..9b5c2af
--- /dev/null
+++ b/site/profiles/manifests/cobbler/config.pp
@@ -0,0 +1,75 @@
+# profiles::cobbler::config
+class profiles::cobbler::config {
+
+ include profiles::cobbler::params
+
+ $default_password_crypted = $profiles::cobbler::params::default_password_crypted
+ $httpd_ssl_certificate = $profiles::cobbler::params::httpd_ssl_certificate
+ $httpd_ssl_privatekey = $profiles::cobbler::params::httpd_ssl_privatekey
+ $pxe_just_once = $profiles::cobbler::params::pxe_just_once
+ $service_cname = $profiles::cobbler::params::service_cname
+ $next_server = $profiles::cobbler::params::next_server
+ $server = $profiles::cobbler::params::server
+
+ # manage the cobbler settings file
+ file { '/etc/cobbler/settings.yaml':
+ ensure => 'file',
+ content => template('profiles/cobbler/settings.yaml.erb'),
+ group => 'apache',
+ owner => 'root',
+ mode => '0640',
+ require => Package['cobbler'],
+ notify => Service['cobblerd'],
+ }
+
+ # manage the debmirror config to meet cobbler requirements
+ file { '/etc/debmirror.conf':
+ ensure => 'file',
+ content => template('profiles/cobbler/debmirror.conf.erb'),
+ group => 'root',
+ owner => 'root',
+ mode => '0644',
+ require => Package['debmirror'],
+ }
+
+ # manage the httpd ssl configuration
+ file { '/etc/httpd/conf.d/ssl.conf':
+ ensure => 'file',
+ content => template('profiles/cobbler/httpd_ssl.conf.erb'),
+ group => 'root',
+ owner => 'root',
+ mode => '0644',
+ require => Package['httpd'],
+ notify => Service['httpd'],
+ }
+
+ # fix permissions in /var/lib/cobbler/web.ss
+ file {'/var/lib/cobbler/web.ss':
+ ensure => 'file',
+ group => 'root',
+ owner => 'apache',
+ mode => '0660',
+ require => Package['cobbler'],
+ notify => Service['cobblerd'],
+ }
+
+ # manage the main ipxe menu script
+ file { '/var/lib/tftpboot/main.ipxe':
+ ensure => 'file',
+ content => template('profiles/cobbler/main.ipxe.erb'),
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ require => Package['cobbler'],
+ }
+
+ # export cnames for cobbler
+ #profiles::dns::record { "${::facts['networking']['fqdn']}_${service_cname}_CNAME":
+ # value => $::facts['networking']['hostname'],
+ # type => 'CNAME',
+ # record => "${service_cname}.",
+ # zone => $::facts['networking']['domain'],
+ # order => 10,
+ #}
+
+}
diff --git a/site/profiles/manifests/cobbler/init.pp b/site/profiles/manifests/cobbler/init.pp
new file mode 100644
index 0000000..24b1555
--- /dev/null
+++ b/site/profiles/manifests/cobbler/init.pp
@@ -0,0 +1,17 @@
+# profiles::cobbler::init
+class profiles::cobbler::init (
+) {
+ # wait for enc_role to be populated, needed for hieradata to match
+ if $facts['enc_role'] == 'roles::infra::cobbler::server' {
+ include profiles::cobbler::config
+ include profiles::cobbler::install
+ include profiles::cobbler::ipxebins
+ include profiles::cobbler::selinux
+ include profiles::cobbler::service
+
+ Class['profiles::cobbler::install']
+ -> Class['profiles::cobbler::config']
+ -> Class['profiles::cobbler::ipxebins']
+ -> Class['profiles::cobbler::selinux']
+ }
+}
diff --git a/site/profiles/manifests/cobbler/install.pp b/site/profiles/manifests/cobbler/install.pp
new file mode 100644
index 0000000..df41ed6
--- /dev/null
+++ b/site/profiles/manifests/cobbler/install.pp
@@ -0,0 +1,9 @@
+# profiles::cobbler::install
+class profiles::cobbler::install {
+
+ include profiles::cobbler::params
+
+ $packages = $profiles::cobbler::params::packages
+
+ ensure_packages($packages, { ensure => 'present' })
+}
diff --git a/site/profiles/manifests/cobbler/ipxebins.pp b/site/profiles/manifests/cobbler/ipxebins.pp
index 125c353..1fc0bf9 100644
--- a/site/profiles/manifests/cobbler/ipxebins.pp
+++ b/site/profiles/manifests/cobbler/ipxebins.pp
@@ -1,6 +1,8 @@
 # profiles::cobbler::ipxebins
 class profiles::cobbler::ipxebins {
+ include profiles::cobbler::params
+
+ # download the custom undionly.kpxe file # https://gist.github.com/rikka0w0/50895b82cbec8a3a1e8c7707479824c1 exec { 'download_undionly_kpxe': 
diff --git a/site/profiles/manifests/cobbler/params.pp b/site/profiles/manifests/cobbler/params.pp
new file mode 100644
index 0000000..ca5ddfd
--- /dev/null
+++ b/site/profiles/manifests/cobbler/params.pp
@@ -0,0 +1,24 @@
+# profiles::cobbler::params
+class profiles::cobbler::params (
+ Stdlib::Absolutepath $httpd_ssl_certificate = '/etc/pki/tls/vault/certificate.crt',
+ Stdlib::Absolutepath $httpd_ssl_privatekey = '/etc/pki/tls/vault/private.key',
+ Stdlib::Absolutepath $tftpboot_path = '/var/lib/tftpboot/boot',
+ Stdlib::Fqdn $service_cname = $facts['networking']['fqdn'],
+ String $default_password_crypted = 'changeme',
+ String $server = $::facts['networking']['ip'],
+ String $next_server = $::facts['networking']['ip'],
+ Boolean $pxe_just_once = true,
+ Array $packages = [
+ 'cobbler',
+ 'cobbler3.2-web',
+ 'httpd',
+ 'syslinux',
+ 'dnf-plugins-core',
+ 'debmirror',
+ 'pykickstart',
+ 'fence-agents',
+ 'selinux-policy-devel',
+ 'ipxe-bootimgs',
+ ]
+){
+}
diff --git a/site/profiles/manifests/cobbler/selinux.pp b/site/profiles/manifests/cobbler/selinux.pp
new file mode 100644
index 0000000..a8b0d61
--- /dev/null
+++ b/site/profiles/manifests/cobbler/selinux.pp
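Review bot: `String $default_password_crypted = 'changeme'` gives the provisioning root-password hash a silent fallback that the deleted `profiles::cobbler::server` did not have: there the parameter was mandatory, so a missed hiera lookup failed compilation, whereas now any mismatch with the renamed key `profiles::cobbler::params::default_password_crypted` in server.eyaml compiles cleanly and renders the literal `changeme` into `/etc/cobbler/settings.yaml`, from where the autoinstall templates presumably consume it. The literal is also not a crypt(3) hash, so it is not even in the format the setting name promises. Keep the parameter required, `String $default_password_crypted,`, and consider `Sensitive[String]` so the value is redacted in reports and logs (the ERB template would then need to unwrap it). `$service_cname` was likewise required before and now defaults to the node FQDN; that is less sensitive but deserves the same deliberate choice.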
@@ -0,0 +1,37 @@
+# profiles::cobbler::selinux
+class profiles::cobbler::selinux inherits profiles::cobbler::params {
+
+ include profiles::cobbler::params
+
+ $tftpboot_path = $profiles::cobbler::params::tftpboot_path
+
+ # manage selinux requirements for cobbler
+ if $::facts['os']['selinux']['config_mode'] == 'enforcing' {
+
+ $enable_sebooleans = [
+ 'httpd_can_network_connect_cobbler',
+ 'httpd_serve_cobbler_files',
+ 'cobbler_can_network_connect'
+ ]
+
+ $enable_sebooleans.each |$bool| {
+ selboolean { $bool:
+ value => on,
+ persistent => true,
+ }
+ }
+
+ selinux::fcontext { $tftpboot_path:
+ ensure => 'present',
+ seltype => 'cobbler_var_lib_t',
+ pathspec => "${tftpboot_path}(/.*)?",
+ }
+
+ exec { "restorecon_${tftpboot_path}":
+ path => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'],
+ command => "restorecon -Rv ${tftpboot_path}",
+ refreshonly => true,
+ subscribe => Selinux::Fcontext[$tftpboot_path],
+ }
+ }
+}
diff --git a/site/profiles/manifests/cobbler/server.pp b/site/profiles/manifests/cobbler/server.pp
deleted file mode 100644
index 3dba1dc..0000000
--- a/site/profiles/manifests/cobbler/server.pp
+++ /dev/null
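Review bot: `class profiles::cobbler::selinux inherits profiles::cobbler::params` and the `include profiles::cobbler::params` two lines below do the same job twice, and `$tftpboot_path = $profiles::cobbler::params::tftpboot_path` is then a third route to a variable that `inherits` already places in scope. `config.pp` and `install.pp` in this same commit use include plus fully qualified names, so use that form here too and drop the inheritance: `class profiles::cobbler::selinux {`. The same applies to `service.pp`, which inherits params without reading any of them.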
@@ -1,119 +0,0 @@
-# profiles::cobbler::server
-class profiles::cobbler::server (
- Stdlib::Fqdn $service_cname,
- String $default_password_crypted,
- Stdlib::Absolutepath $httpd_ssl_certificate = '/etc/pki/tls/vault/certificate.crt',
- Stdlib::Absolutepath $httpd_ssl_privatekey = '/etc/pki/tls/vault/private.key',
- Stdlib::Absolutepath $tftpboot_path = '/var/lib/tftpboot/boot',
- String $server = $::facts['networking']['ip'],
- String $next_server = $::facts['networking']['ip'],
- Boolean $pxe_just_once = true,
-) {
-
- include profiles::cobbler::ipxebins
-
- # manage the cobbler settings file
- file { '/etc/cobbler/settings.yaml':
- ensure => 'file',
- content => template('profiles/cobbler/settings.yaml.erb'),
- group => 'apache',
- owner => 'root',
- mode => '0640',
- require => Package['cobbler'],
- notify => Service['cobblerd'],
- }
-
- # fix permissions in /var/lib/cobbler/web.ss
- file {'/var/lib/cobbler/web.ss':
- ensure => 'file',
- group => 'root',
- owner => 'apache',
- mode => '0660',
- require => Package['cobbler'],
- notify => Service['cobblerd'],
- }
-
- # manage the debmirror config to meet cobbler requirements
- file { '/etc/debmirror.conf':
- ensure => 'file',
- content => template('profiles/cobbler/debmirror.conf.erb'),
- group => 'root',
- owner => 'root',
- mode => '0644',
- require => Package['debmirror'],
- }
-
- # manage the httpd ssl configuration
- file { '/etc/httpd/conf.d/ssl.conf':
- ensure => 'file',
- content => template('profiles/cobbler/httpd_ssl.conf.erb'),
- group => 'root',
- owner => 'root',
- mode => '0644',
- require => Package['httpd'],
- notify => Service['httpd'],
- }
-
- # manage the main ipxe menu script
- file { '/var/lib/tftpboot/main.ipxe':
- ensure => 'file',
- content => template('profiles/cobbler/main.ipxe.erb'),
- owner => 'root',
- group => 'root',
- mode => '0644',
- require => Package['cobbler'],
- }
-
- # ensure cobblerd is running
- service {'cobblerd':
- ensure => 'running',
- enable => true,
- require => File['/etc/cobbler/settings.yaml'],
- }
-
- # ensure httpd is running
- service {'httpd':
- ensure => 'running',
- enable => true,
- require => File['/etc/httpd/conf.d/ssl.conf'],
- }
-
- # export cnames for cobbler
- profiles::dns::record { "${::facts['networking']['fqdn']}_${service_cname}_CNAME":
- value => $::facts['networking']['hostname'],
- type => 'CNAME',
- record => "${service_cname}.",
- zone => $::facts['networking']['domain'],
- order => 10,
- }
-
- # manage selinux requirements for cobbler
- if $::facts['os']['selinux']['config_mode'] == 'enforcing' {
-
- $enable_sebooleans = [
- 'httpd_can_network_connect_cobbler',
- 'httpd_serve_cobbler_files',
- 'cobbler_can_network_connect'
- ]
-
- $enable_sebooleans.each |$bool| {
- selboolean { $bool:
- value => on,
- persistent => true,
- }
- }
-
- selinux::fcontext { $tftpboot_path:
- ensure => 'present',
- seltype => 'cobbler_var_lib_t',
- pathspec => "${tftpboot_path}(/.*)?",
- }
-
- exec { "restorecon_${tftpboot_path}":
- path => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'],
- command => "restorecon -Rv ${tftpboot_path}",
- refreshonly => true,
- subscribe => Selinux::Fcontext[$tftpboot_path],
- }
- }
-}
diff --git a/site/profiles/manifests/cobbler/service.pp b/site/profiles/manifests/cobbler/service.pp
new file mode 100644
index 0000000..63b2645
--- /dev/null
+++ b/site/profiles/manifests/cobbler/service.pp
@@ -0,0 +1,17 @@
+# profiles::cobbler::service
+class profiles::cobbler::service inherits profiles::cobbler::params {
+
+ # ensure cobblerd is running
+ service {'cobblerd':
+ ensure => 'running',
+ enable => true,
+ require => File['/etc/cobbler/settings.yaml'],
+ }
+
+ # ensure httpd is running
+ service {'httpd':
+ ensure => 'running',
+ enable => true,
+ require => File['/etc/httpd/conf.d/ssl.conf'],
+ }
+}
diff --git a/site/roles/manifests/infra/cobbler/server.pp b/site/roles/manifests/infra/cobbler/server.pp
index 65d8541..0c515d3 100644
--- a/site/roles/manifests/infra/cobbler/server.pp
+++ b/site/roles/manifests/infra/cobbler/server.pp
@@ -3,5 +3,5 @@ class roles::infra::cobbler::server {
 include profiles::defaults
 include profiles::base
 include profiles::base::datavol
- include profiles::cobbler::server
+ include profiles::cobbler::init
 }