diff --git a/hieradata/roles/infra/cobbler/server.eyaml b/hieradata/roles/infra/cobbler/server.eyaml
new file mode 100644
index 0000000..9f6f432
--- /dev/null
+++ b/hieradata/roles/infra/cobbler/server.eyaml
@@ -0,0 +1,2 @@
+---
+profiles::cobbler::server::default_password_crypted: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAJidO18dSzKXgDEvFhigrDmiMTW+D7obTCZVAvl0JzQ6nqRdnh6Xa+j+yc7YzYtCg9VH60vfcutHFGhJptlMbTQq3vSUoF9ylgTutaW/to4T8jb8gBqK1n7b+devEQh4soJtOdAPSidCX4aqsP9dK3I8IijNWMABz59usGbY6oWedmC4865PBcxyIu3phWynNULTXPBEAqdXAutkh4N3P1ydFk3eARCVS3uWo7zaXVsu4vIkjYRDCUyFXBWb12L/NmQ2EhGwckPwgX/rcKRL9r49GxQTLBHJ5MoHQanwoiRw+5Tz3qLW69z+hk91VpnpkZgANc081rmhdyp6qmuIAVDBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBiDUwXVJ6mmwzt4YAxg3+qgDDWm5mlWEgsZqCHwG0n94v7oqCBqY2WQdTJAM3TtKlX2nOPlLEmfLrwqtsS2r3QzLo=]
diff --git a/hieradata/roles/infra/cobbler/server.yaml b/hieradata/roles/infra/cobbler/server.yaml
new file mode 100644
index 0000000..4aaea83
--- /dev/null
+++ b/hieradata/roles/infra/cobbler/server.yaml
@@ -0,0 +1,17 @@
+---
+profiles::packages::install:
+ - cobbler
+ - cobbler3.2-web
+ - httpd
+ - syslinux
+ - dnf-plugins-core
+ - debmirror
+ - pykickstart
+ - fence-agents
+ - selinux-policy-devel
+ - ipxe-bootimgs
+
+profiles::pki::vault::alt_names:
+ - cobbler.main.unkin.net
+
+profiles::cobbler::server::service_cname: 'cobbler.main.unkin.net'
diff --git a/site/profiles/manifests/cobbler/ipxebins.pp b/site/profiles/manifests/cobbler/ipxebins.pp
new file mode 100644
index 0000000..125c353
--- /dev/null
+++ b/site/profiles/manifests/cobbler/ipxebins.pp
@@ -0,0 +1,46 @@
+# profiles::cobbler::ipxebins
+class profiles::cobbler::ipxebins {
+
+ # download the custom undionly.kpxe file
+ # https://gist.github.com/rikka0w0/50895b82cbec8a3a1e8c7707479824c1
+ exec { 'download_undionly_kpxe':
+ command => 'wget -O /var/lib/tftpboot/undionly.kpxe http://repos.main.unkin.net/unkin/8/x86_64/os/Archives/undionly.kpxe',
+ path => ['/bin', '/usr/bin'],
+ creates => '/var/lib/tftpboot/undionly.kpxe',
+ }
+
+ # set correct permissions ipxe boot image to tftpboot
+ file { '/var/lib/tftpboot/undionly.kpxe':
+ ensure => 'file',
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ require => [
+ Package['ipxe-bootimgs'],
+ Package['cobbler'],
+ Exec['download_undionly_kpxe']
+ ],
+ }
+
+ # download the custom ipxe.efi file
+ # https://gist.github.com/rikka0w0/50895b82cbec8a3a1e8c7707479824c1
+ exec { 'download_ipxe_efi':
+ command => 'wget -O /var/lib/tftpboot/ipxe.efi http://repos.main.unkin.net/unkin/8/x86_64/os/Archives/ipxe.efi',
+ path => ['/bin', '/usr/bin'],
+ creates => '/var/lib/tftpboot/ipxe.efi',
+ }
+
+ # set correct permissions ipxe boot image to tftpboot
+ file { '/var/lib/tftpboot/ipxe.efi':
+ ensure => 'file',
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ require => [
+ Package['ipxe-bootimgs'],
+ Package['cobbler'],
+ Exec['download_ipxe_efi']
+ ],
+ }
+}
+
diff --git a/site/profiles/manifests/cobbler/server.pp b/site/profiles/manifests/cobbler/server.pp
new file mode 100644
index 0000000..3dba1dc
--- /dev/null
+++ b/site/profiles/manifests/cobbler/server.pp
@@ -0,0 +1,119 @@
+# profiles::cobbler::server
+class profiles::cobbler::server (
+ Stdlib::Fqdn $service_cname,
+ String $default_password_crypted,
+ Stdlib::Absolutepath $httpd_ssl_certificate = '/etc/pki/tls/vault/certificate.crt',
+ Stdlib::Absolutepath $httpd_ssl_privatekey = '/etc/pki/tls/vault/private.key',
+ Stdlib::Absolutepath $tftpboot_path = '/var/lib/tftpboot/boot',
+ String $server = $::facts['networking']['ip'],
+ String $next_server = $::facts['networking']['ip'],
+ Boolean $pxe_just_once = true,
+) {
+
+ include profiles::cobbler::ipxebins
+
+ # manage the cobbler settings file
+ file { '/etc/cobbler/settings.yaml':
+ ensure => 'file',
+ content => template('profiles/cobbler/settings.yaml.erb'),
+ group => 'apache',
+ owner => 'root',
+ mode => '0640',
+ require => Package['cobbler'],
+ notify => Service['cobblerd'],
+ }
+
+ # fix permissions in /var/lib/cobbler/web.ss
+ file {'/var/lib/cobbler/web.ss':
+ ensure => 'file',
+ group => 'root',
+ owner => 'apache',
+ mode => '0660',
+ require => Package['cobbler'],
+ notify => Service['cobblerd'],
+ }
+
+ # manage the debmirror config to meet cobbler requirements
+ file { '/etc/debmirror.conf':
+ ensure => 'file',
+ content => template('profiles/cobbler/debmirror.conf.erb'),
+ group => 'root',
+ owner => 'root',
+ mode => '0644',
+ require => Package['debmirror'],
+ }
+
+ # manage the httpd ssl configuration
+ file { '/etc/httpd/conf.d/ssl.conf':
+ ensure => 'file',
+ content => template('profiles/cobbler/httpd_ssl.conf.erb'),
+ group => 'root',
+ owner => 'root',
+ mode => '0644',
+ require => Package['httpd'],
+ notify => Service['httpd'],
+ }
+
+ # manage the main ipxe menu script
+ file { '/var/lib/tftpboot/main.ipxe':
+ ensure => 'file',
+ content => template('profiles/cobbler/main.ipxe.erb'),
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ require => Package['cobbler'],
+ }
+
+ # ensure cobblerd is running
+ service {'cobblerd':
+ ensure => 'running',
+ enable => true,
+ require => File['/etc/cobbler/settings.yaml'],
+ }
+
+ # ensure httpd is running
+ service {'httpd':
+ ensure => 'running',
+ enable => true,
+ require => File['/etc/httpd/conf.d/ssl.conf'],
+ }
+
+ # export cnames for cobbler
+ profiles::dns::record { "${::facts['networking']['fqdn']}_${service_cname}_CNAME":
+ value => $::facts['networking']['hostname'],
+ type => 'CNAME',
+ record => "${service_cname}.",
+ zone => $::facts['networking']['domain'],
+ order => 10,
+ }
+
+ # manage selinux requirements for cobbler
+ if $::facts['os']['selinux']['config_mode'] == 'enforcing' {
+
+ $enable_sebooleans = [
+ 'httpd_can_network_connect_cobbler',
+ 'httpd_serve_cobbler_files',
+ 'cobbler_can_network_connect'
+ ]
+
+ $enable_sebooleans.each |$bool| {
+ selboolean { $bool:
+ value => on,
+ persistent => true,
+ }
+ }
+
+ selinux::fcontext { $tftpboot_path:
+ ensure => 'present',
+ seltype => 'cobbler_var_lib_t',
+ pathspec => "${tftpboot_path}(/.*)?",
+ }
+
+ exec { "restorecon_${tftpboot_path}":
+ path => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'],
+ command => "restorecon -Rv ${tftpboot_path}",
+ refreshonly => true,
+ subscribe => Selinux::Fcontext[$tftpboot_path],
+ }
+ }
+}
diff --git a/site/profiles/templates/cobbler/debmirror.conf.erb b/site/profiles/templates/cobbler/debmirror.conf.erb
new file mode 100644
index 0000000..9c66ca1
--- /dev/null
+++ b/site/profiles/templates/cobbler/debmirror.conf.erb
@@ -0,0 +1,79 @@
+# Puppet managed config for debmirror
+
+# The config file is a perl script so take care to follow perl syntax.
+# Any setting in /etc/debmirror.conf overrides these defaults and
+# ~/.debmirror.conf overrides those again. Take only what you need.
+#
+# The syntax is the same as on the command line and variable names
+# loosely match option names. If you don't recognize something here
+# then just stick to the command line.
+#
+# Options specified on the command line override settings in the config
+# files.
+
+# Location of the local mirror (use with care)
+# $mirrordir="/path/to/mirrordir"
+
+# Output options
+$verbose=0;
+$progress=0;
+$debug=0;
+
+# Download options
+$host="ftp.debian.org";
+$user="anonymous";
+$passwd="anonymous@";
+$remoteroot="debian";
+$download_method="ftp";
+# @dists="sid";
+@sections="main,main/debian-installer,contrib,non-free,non-free-firmware";
+# @arches="i386";
+# @ignores="";
+# @excludes="";
+# @includes="";
+# @excludes_deb_section="";
+# @limit_priority="";
+$omit_suite_symlinks=0;
+$skippackages=0;
+# @rsync_extra="doc,tools";
+$i18n=0;
+$getcontents=0;
+$do_source=1;
+$max_batch=0;
+
+# @di_dists="dists";
+# @di_archs="arches";
+
+# Save mirror state between runs; value sets validity of cache in days
+$state_cache_days=0;
+
+# Security/Sanity options
+$ignore_release_gpg=0;
+$ignore_release=0;
+$check_md5sums=0;
+$ignore_small_errors=0;
+
+# Cleanup
+$cleanup=0;
+$post_cleanup=1;
+
+# Locking options
+$timeout=300;
+
+# Rsync options
+$rsync_batch=200;
+$rsync_options="-aIL --partial";
+
+# FTP/HTTP options
+$passive=0;
+# $proxy="http://proxy:port/";
+
+# Dry run
+$dry_run=0;
+
+# Don't keep diff files but use them
+$diff_mode="use";
+
+# The config file must return true or perl complains.
+# Always copy this.
+1;
diff --git a/site/profiles/templates/cobbler/httpd_ssl.conf.erb b/site/profiles/templates/cobbler/httpd_ssl.conf.erb
new file mode 100644
index 0000000..9b95ba5
--- /dev/null
+++ b/site/profiles/templates/cobbler/httpd_ssl.conf.erb
@@ -0,0 +1,203 @@
+# managed by puppet
+#
+# When we also provide SSL we have to listen to the
+# standard HTTPS port in addition.
+#
+Listen 443 https
+
+##
+## SSL Global Context
+##
+## All SSL configuration in this context applies both to
+## the main server and all SSL-enabled virtual hosts.
+##
+
+# Pass Phrase Dialog:
+# Configure the pass phrase gathering process.
+# The filtering dialog program (`builtin' is a internal
+# terminal dialog) has to provide the pass phrase on stdout.
+SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
+
+# Inter-Process Session Cache:
+# Configure the SSL Session Cache: First the mechanism
+# to use and second the expiring timeout (in seconds).
+SSLSessionCache shmcb:/run/httpd/sslcache(512000)
+SSLSessionCacheTimeout 300
+
+#
+# Use "SSLCryptoDevice" to enable any supported hardware
+# accelerators. Use "openssl engine -v" to list supported
+# engine names. NOTE: If you enable an accelerator and the
+# server does not start, consult the error logs and ensure
+# your accelerator is functioning properly.
+#
+SSLCryptoDevice builtin
+#SSLCryptoDevice ubsec
+
+##
+## SSL Virtual Host Context
+##
+
+
+
+# General setup for the virtual host, inherited from global configuration
+#DocumentRoot "/var/www/html"
+#ServerName www.example.com:443
+
+# Use separate log files for the SSL virtual host; note that LogLevel
+# is not inherited from httpd.conf.
+ErrorLog logs/ssl_error_log
+TransferLog logs/ssl_access_log
+LogLevel warn
+
+# SSL Engine Switch:
+# Enable/Disable SSL for this virtual host.
+SSLEngine on
+
+# List the protocol versions which clients are allowed to connect with.
+# The OpenSSL system profile is used by default. See
+# update-crypto-policies(8) for more details.
+#SSLProtocol all -SSLv3
+#SSLProxyProtocol all -SSLv3
+
+# User agents such as web browsers are not configured for the user's
+# own preference of either security or performance, therefore this
+# must be the prerogative of the web server administrator who manages
+# cpu load versus confidentiality, so enforce the server's cipher order.
+SSLHonorCipherOrder on
+
+# SSL Cipher Suite:
+# List the ciphers that the client is permitted to negotiate.
+# See the mod_ssl documentation for a complete list.
+# The OpenSSL system profile is configured by default. See
+# update-crypto-policies(8) for more details.
+SSLCipherSuite PROFILE=SYSTEM
+SSLProxyCipherSuite PROFILE=SYSTEM
+
+# Point SSLCertificateFile at a PEM encoded certificate. If
+# the certificate is encrypted, then you will be prompted for a
+# pass phrase. Note that restarting httpd will prompt again. Keep
+# in mind that if you have both an RSA and a DSA certificate you
+# can configure both in parallel (to also allow the use of DSA
+# ciphers, etc.)
+# Some ECC cipher suites (http://www.ietf.org/rfc/rfc4492.txt)
+# require an ECC certificate which can also be configured in
+# parallel.
+SSLCertificateFile <%= @httpd_ssl_certificate %>
+
+# Server Private Key:
+# If the key is not combined with the certificate, use this
+# directive to point at the key file. Keep in mind that if
+# you've both a RSA and a DSA private key you can configure
+# both in parallel (to also allow the use of DSA ciphers, etc.)
+# ECC keys, when in use, can also be configured in parallel
+SSLCertificateKeyFile <%= @httpd_ssl_privatekey %>
+
+# Server Certificate Chain:
+# Point SSLCertificateChainFile at a file containing the
+# concatenation of PEM encoded CA certificates which form the
+# certificate chain for the server certificate. Alternatively
+# the referenced file can be the same as SSLCertificateFile
+# when the CA certificates are directly appended to the server
+# certificate for convenience.
+#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
+
+# Certificate Authority (CA):
+# Set the CA certificate verification path where to find CA
+# certificates for client authentication or alternatively one
+# huge file containing all of them (file must be PEM encoded)
+#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
+
+# Client Authentication (Type):
+# Client certificate verification type and depth. Types are
+# none, optional, require and optional_no_ca. Depth is a
+# number which specifies how deeply to verify the certificate
+# issuer chain before deciding the certificate is not valid.
+#SSLVerifyClient require
+#SSLVerifyDepth 10
+
+# Access Control:
+# With SSLRequire you can do per-directory access control based
+# on arbitrary complex boolean expressions containing server
+# variable checks and other lookup directives. The syntax is a
+# mixture between C and Perl. See the mod_ssl documentation
+# for more details.
+#
+#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
+# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
+# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
+# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
+# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
+# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
+#
+
+# SSL Engine Options:
+# Set various options for the SSL engine.
+# o FakeBasicAuth:
+# Translate the client X.509 into a Basic Authorisation. This means that
+# the standard Auth/DBMAuth methods can be used for access control. The
+# user name is the `one line' version of the client's X.509 certificate.
+# Note that no password is obtained from the user. Every entry in the user
+# file needs this password: `xxj31ZMTZzkVA'.
+# o ExportCertData:
+# This exports two additional environment variables: SSL_CLIENT_CERT and
+# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
+# server (always existing) and the client (only existing when client
+# authentication is used). This can be used to import the certificates
+# into CGI scripts.
+# o StdEnvVars:
+# This exports the standard SSL/TLS related `SSL_*' environment variables.
+# Per default this exportation is switched off for performance reasons,
+# because the extraction step is an expensive operation and is usually
+# useless for serving static content. So one usually enables the
+# exportation for CGI and SSI requests only.
+# o StrictRequire:
+# This denies access when "SSLRequireSSL" or "SSLRequire" applied even
+# under a "Satisfy any" situation, i.e. when it applies access is denied
+# and no other module can change it.
+# o OptRenegotiate:
+# This enables optimized SSL connection renegotiation handling when SSL
+# directives are used in per-directory context.
+#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
+
+ SSLOptions +StdEnvVars
+
+
+ SSLOptions +StdEnvVars
+
+
+# SSL Protocol Adjustments:
+# The safe and default but still SSL/TLS standard compliant shutdown
+# approach is that mod_ssl sends the close notify alert but doesn't wait for
+# the close notify alert from client. When you need a different shutdown
+# approach you can use one of the following variables:
+# o ssl-unclean-shutdown:
+# This forces an unclean shutdown when the connection is closed, i.e. no
+# SSL close notify alert is sent or allowed to be received. This violates
+# the SSL/TLS standard but is needed for some brain-dead browsers. Use
+# this when you receive I/O errors because of the standard approach where
+# mod_ssl sends the close notify alert.
+# o ssl-accurate-shutdown:
+# This forces an accurate shutdown when the connection is closed, i.e. a
+# SSL close notify alert is sent and mod_ssl waits for the close notify
+# alert of the client. This is 100% SSL/TLS standard compliant, but in
+# practice often causes hanging connections with brain-dead browsers. Use
+# this only for browsers where you know that their SSL implementation
+# works correctly.
+# Notice: Most problems of broken clients are also related to the HTTP
+# keep-alive facility, so you usually additionally want to disable
+# keep-alive for those clients, too. Use variable "nokeepalive" for this.
+# Similarly, one has to force some clients to use HTTP/1.0 to workaround
+# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
+# "force-response-1.0" for this.
+BrowserMatch "MSIE [2-5]" \
+ nokeepalive ssl-unclean-shutdown \
+ downgrade-1.0 force-response-1.0
+
+# Per-Server Logging:
+# The home of a custom SSL log file. Use this when you want a
+# compact non-error SSL logfile on a virtual host basis.
+CustomLog logs/ssl_request_log \
+ "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
+
+
diff --git a/site/profiles/templates/cobbler/main.ipxe.erb b/site/profiles/templates/cobbler/main.ipxe.erb
new file mode 100644
index 0000000..386d262
--- /dev/null
+++ b/site/profiles/templates/cobbler/main.ipxe.erb
@@ -0,0 +1,47 @@
+#!ipxe
+dhcp
+
+# Some menu defaults
+set menu-timeout 5000
+set submenu-timeout ${menu-timeout}
+set menu-default cobbler
+
+:start
+menu iPXE boot menu
+item --gap -- ----------------------------- Cobbler ------------------------------------
+item cobbler Cobbler (kickstart or boot from disk)
+item --gap -- ------------------------- Advanced options -------------------------------
+item --key s shell Drop to iPXE shell
+item --key r reboot Reboot
+item
+item --key x exit Exit iPXE and continue BIOS boot
+choose --timeout ${menu-timeout} --default ${menu-default} selected || goto cancel
+set menu-timeout 0
+goto ${selected}
+
+:cancel
+echo You cancelled the menu, dropping you to a shell
+
+:no_system
+echo No system configuration found for MAC address ${mac}
+goto exit
+
+:shell
+echo Type 'exit' to get the back to the menu
+shell
+set menu-timeout 0
+set submenu-timeout 0
+goto start
+
+:reboot
+reboot
+
+:exit
+exit
+
+###
+### Custom menu entries
+###
+
+:cobbler
+chain --autofree http://${next-server}/cblr/svc/op/gpxe/mac/${net0/mac} || goto no_system
diff --git a/site/profiles/templates/cobbler/settings.yaml.erb b/site/profiles/templates/cobbler/settings.yaml.erb
new file mode 100644
index 0000000..1869444
--- /dev/null
+++ b/site/profiles/templates/cobbler/settings.yaml.erb
@@ -0,0 +1,466 @@
+# Cobbler settings file
+
+# Restart cobblerd and run "cobbler sync" after making changes.
+# This config file is in YAML 1.2 format; see "http://yaml.org".
+
+# If "true", Cobbler will allow insertions of system records that duplicate the "--dns-name" information of other system
+# records. In general, this is undesirable and should be left "false".
+allow_duplicate_hostnames: false
+
+# If "true", Cobbler will allow insertions of system records that duplicate the ip address information of other system
+# records. In general, this is undesirable and should be left "false".
+allow_duplicate_ips: false
+
+# If "true", Cobbler will allow insertions of system records that duplicate the MAC address information of other system
+# records. In general, this is undesirable.
+allow_duplicate_macs: false
+
+# If "true", Cobbler will allow settings to be changed dynamically without a restart of the cobblerd daemon. You can
+# only change this variable by manually editing the settings file, and you MUST restart cobblerd after changing it.
+allow_dynamic_settings: false
+
+# By default, installs are *not* set to send installation logs to the Cobbler server. With "anamon_enabled", automatic
+# installation templates may use the "pre_anamon" snippet to allow remote live monitoring of their installations from
+# the Cobbler server. Installation logs will be stored under "/var/log/cobbler/anamon/".
+# NOTE: This does allow an xmlrpc call to send logs to this directory, without authentication, so enable only if you are
+# ok with this limitation.
+anamon_enabled: false
+
+# If using "authn_pam" in the "modules.conf", this can be configured to change the PAM service authentication will be
+# tested against.
+# The default value is "login".
+authn_pam_service: "login"
+
+# How long the authentication token is valid for, in seconds.
+auth_token_expiration: 3600
+
+# This is a directory of files that Cobbler uses to make templating easier. See the Wiki for more information. Changing
+# this directory should not be required.
+autoinstall_snippets_dir: /var/lib/cobbler/snippets
+autoinstall_templates_dir: /var/lib/cobbler/templates
+
+# location of templates used for boot loader config generation
+boot_loader_conf_template_dir: "/etc/cobbler/boot_loader_conf"
+
+# Email out a report when Cobbler finishes installing a system.
+# enabled: set to true to turn this feature on
+# sender: optional
+# email: which addresses to email
+# smtp_server: used to specify another server for an MTA
+# subject: use the default subject unless overridden
+build_reporting_enabled: false
+build_reporting_sender: ""
+build_reporting_email: [ 'root@localhost' ]
+build_reporting_smtp_server: "localhost"
+build_reporting_subject: ""
+build_reporting_ignorelist: []
+
+# If cache_enabled is true, a cache will keep converted records in memory to make checking them faster. This helps with
+# use cases like writing out large numbers of records. There is a known issue with cache and remote XMLRPC API calls.
+# If you will use Cobbler with config management or infrastructure-as-code tools such as Terraform, it is recommended
+# to disable by setting to false.
+cache_enabled: true
+
+# Cheetah-language autoinstall templates can import Python modules. While this is a useful feature, it is not safe to
+# allow them to import anything they want. This whitelists which modules can be imported through Cheetah. Users can
+# expand this as needed but should never allow modules such as subprocess or those that allow access to the filesystem
+# as Cheetah templates are evaluated by cobblerd as code.
+cheetah_import_whitelist:
+ - "random"
+ - "re"
+ - "time"
+ - "netaddr"
+
+# Default "createrepo_flags" to use for new repositories. If you have createrepo >= 0.4.10, consider
+# "-c cache --update -C", which can dramatically improve your "cobbler reposync" time. "-s sha" enables working with
+# Fedora repos from F11/F12 from EL-4 or EL-5 without python-hashlib installed (which is not available on EL-4)
+createrepo_flags: "-c cache -s sha"
+
+# if no autoinstall template is specified to profile add, use this template
+default_autoinstall: /var/lib/cobbler/templates/default.ks
+
+# configure all installed systems to use these nameservers by default
+# unless defined differently in the profile. For DHCP configurations
+# you probably do /not/ want to supply this.
+default_name_servers: []
+default_name_servers_search: []
+
+# if using the authz_ownership module (see the Wiki), objects
+# created without specifying an owner are assigned to this
+# owner and/or group. Can be a comma seperated list.
+default_ownership:
+ - "admin"
+
+# Cobbler has various sample automatic installation templates stored
+# in /var/lib/cobbler/templates/. This controls
+# what install (root) password is set up for those
+# systems that reference this variable. The factory
+# default is "cobbler" and Cobbler check will warn if
+# this is not changed.
+# The simplest way to change the password is to run
+# openssl passwd -1
+# and put the output between the "" below.
+default_password_crypted: "<%= @default_password_crypted %>"
+
+# the default template type to use in the absence of any
+# other detected template. If you do not specify the template
+# with '#template=' on the first line of your
+# templates/snippets, Cobbler will assume try to use the
+# following template engine to parse the templates.
+#
+# Current valid values are: cheetah, jinja2
+default_template_type: "cheetah"
+
+# for libvirt based installs in koan, if no virt bridge
+# is specified, which bridge do we try? For EL 4/5 hosts
+# this should be xenbr0, for all versions of Fedora, try
+# "virbr0". This can be overriden on a per-profile
+# basis or at the koan command line though this saves
+# typing to just set it here to the most common option.
+default_virt_bridge: xenbr0
+
+# use this as the default disk size for virt guests (GB)
+default_virt_file_size: 5
+
+# use this as the default memory size for virt guests (MB)
+default_virt_ram: 512
+
+# if koan is invoked without --virt-type and no virt-type
+# is set on the profile/system, what virtualization type
+# should be assumed? Values: xenpv, xenfv, qemu, vmware
+# (NOTE: this does not change what virt_type is chosen by import)
+default_virt_type: xenpv
+
+# enable gPXE booting? Enabling this option will cause Cobbler
+# to copy the undionly.kpxe file to the tftp root directory,
+# and if a profile/system is configured to boot via gpxe it will
+# chain load off pxelinux.0.
+# Default: false
+enable_gpxe: false
+
+# controls whether Cobbler will add each new profile entry to the default
+# PXE boot menu. This can be over-ridden on a per-profile
+# basis when adding/editing profiles with --enable-menu=false/true. Users
+# should ordinarily leave this setting enabled unless they are concerned
+# with accidental reinstalls from users who select an entry at the PXE
+# boot menu. Adding a password to the boot menus templates
+# may also be a good solution to prevent unwanted reinstallations
+enable_menu: true
+
+# change this port if Apache is not running plaintext on port
+# 80. Most people can leave this alone.
+http_port: 80
+
+# kernel options that should be present in every Cobbler installation.
+# kernel options can also be applied at the distro/profile/system
+# level.
+kernel_options: {}
+
+# configuration options if using the authn_ldap module. See the
+# the Wiki for details. This can be ignored if you are not using
+# LDAP for WebUI/XMLRPC authentication.
+ldap_server: "ldap.example.com"
+ldap_base_dn: "DC=example,DC=com"
+ldap_port: 389
+ldap_tls: true
+ldap_anonymous_bind: true
+ldap_search_bind_dn: ''
+ldap_search_passwd: ''
+ldap_search_prefix: 'uid='
+ldap_tls_cacertfile: ''
+ldap_tls_keyfile: ''
+ldap_tls_certfile: ''
+
+# Cobbler has a feature that allows for integration with config management
+# systems such as Puppet. The following parameters work in conjunction with
+# --mgmt-classes and are described in further detail at:
+# https://github.com/cobbler/cobbler/wiki/Using-cobbler-with-a-configuration-management-system
+mgmt_classes: []
+mgmt_parameters:
+ from_cobbler: true
+
+# if enabled, this setting ensures that puppet is installed during
+# machine provision, a client certificate is generated and a
+# certificate signing request is made with the puppet master server
+puppet_auto_setup: false
+
+# when puppet starts on a system after installation it needs to have
+# its certificate signed by the puppet master server. Enabling the
+# following feature will ensure that the puppet server signs the
+# certificate after installation if the puppet master server is
+# running on the same machine as Cobbler. This requires
+# puppet_auto_setup above to be enabled
+sign_puppet_certs_automatically: false
+
+# location of the puppet executable, used for revoking certificates
+puppetca_path: "/usr/bin/puppet"
+
+# when a puppet managed machine is reinstalled it is necessary to
+# remove the puppet certificate from the puppet master server before a
+# new certificate is signed (see above). Enabling the following
+# feature will ensure that the certificate for the machine to be
+# installed is removed from the puppet master server if the puppet
+# master server is running on the same machine as Cobbler. This
+# requires puppet_auto_setup above to be enabled
+remove_old_puppet_certs_automatically: false
+
+# choose a --server argument when running puppetd/puppet agent during autoinstall
+#puppet_server: 'puppet'
+
+# let Cobbler know that you're using a newer version of puppet
+# choose version 3 to use: 'puppet agent'; version 2 uses status quo: 'puppetd'
+#puppet_version: 2
+
+# choose whether to enable puppet parameterized classes or not.
+# puppet versions prior to 2.6.5 do not support parameters
+puppet_parameterized_classes: true
+
+# set to true to enable Cobbler's DHCP management features.
+# the choice of DHCP management engine is in /etc/cobbler/modules.conf
+manage_dhcp: false
+
+# set to true to enable Cobbler's DNS management features.
+# the choice of DNS mangement engine is in /etc/cobbler/modules.conf
+manage_dns: false
+
+# set to path of bind chroot to create bind-chroot compatible bind
+# configuration files. This should be automatically detected.
+bind_chroot_path: ""
+
+# set to the ip address of the master bind DNS server for creating secondary
+# bind configuration files
+bind_master: 127.0.0.1
+
+# set to true to enable Cobbler's TFTP management features.
+# the choice of TFTP mangement engine is in /etc/cobbler/modules.conf
+manage_tftpd: true
+
+# This variable contains the location of the tftpboot directory. If this directory is not present Cobbler does not
+# start.
+# Default: /var/lib/tftpboot
+tftpboot_location: "/var/lib/tftpboot"
+
+# set to true to enable Cobbler's RSYNC management features.
+manage_rsync: false
+
+# if using BIND (named) for DNS management in /etc/cobbler/modules.conf
+# and manage_dns is enabled (above), this lists which zones are managed
+# See the Wiki (https://github.com/cobbler/cobbler/wiki/Dns-management) for more info
+manage_forward_zones: []
+manage_reverse_zones: []
+
+# if using Cobbler with manage_dhcp, put the IP address
+# of the Cobbler server here so that PXE booting guests can find it
+# if you do not set this correctly, this will be manifested in TFTP open timeouts.
+next_server: <%= @next_server %>
+
+# settings for power management features. optional.
+# see https://github.com/cobbler/cobbler/wiki/Power-management to learn more
+# choices (refer to codes.py):
+# apc_snmp bladecenter bullpap drac ether_wake ilo integrity
+# ipmilan lpar rsa virsh wti
+power_management_default_type: 'ipmilan'
+
+# if this setting is set to true, Cobbler systems that pxe boot
+# will request at the end of their installation to toggle the
+# --netboot-enabled record in the Cobbler system record. This eliminates
+# the potential for a PXE boot loop if the system is set to PXE
+# first in it's BIOS order. Enable this if PXE is first in your BIOS
+# boot order, otherwise leave this disabled. See the manpage
+# for --netboot-enabled.
+pxe_just_once: <%= @pxe_just_once %>
+
+# if this setting is set to one, triggers will be executed when systems
+# will request to toggle the --netboot-enabled record at the end of their installation.
+nopxe_with_triggers: true
+
+# This setting is only used by the code that supports using Spacewalk/Satellite
+# authentication within Cobbler Web and Cobbler XMLRPC.
+redhat_management_server: "xmlrpc.rhn.redhat.com"
+
+# if using authn_spacewalk in modules.conf to let Cobbler authenticate
+# against Satellite/Spacewalk's auth system, by default it will not allow per user
+# access into Cobbler Web and Cobbler XMLRPC.
+# in order to permit this, the following setting must be enabled HOWEVER
+# doing so will permit all Spacewalk/Satellite users of certain types to edit all
+# of Cobbler's configuration.
+# these roles are: config_admin and org_admin
+# users should turn this on only if they want this behavior and
+# do not have a cross-multi-org seperation concern. If you have
+# a single org in your satellite, it's probably safe to turn this
+# on and then you can use CobblerWeb alongside a Satellite install.
+redhat_management_permissive: false
+
+# specify the default Red Hat authorization key to use to register
+# system. If left blank, no registration will be attempted. Similarly
+# you can set the --redhat-management-key to blank on any system to
+# keep it from trying to register.
+redhat_management_key: ""
+
+# if set to true, allows /usr/bin/cobbler-register (part of the koan package)
+# to be used to remotely add new Cobbler system records to Cobbler.
+# this effectively allows for registration of new hardware from system
+# records.
+register_new_installs: false
+
+# Flags to use for yum's reposync. If your version of yum reposync
+# does not support -l, you may need to remove that option.
+reposync_flags: "-l -n -d"
+
+# Flags to use for rysync's reposync. If flag 'a' is used then createrepo
+# is not ran after the rsync
+reposync_rsync_flags: "-rltDv --copy-unsafe-links"
+
+# when DHCP and DNS management are enabled, Cobbler sync can automatically
+# restart those services to apply changes. The exception for this is
+# if using ISC for DHCP, then omapi eliminates the need for a restart.
+# omapi, however, is experimental and not recommended for most configurations.
+# If DHCP and DNS are going to be managed, but hosted on a box that
+# is not on this server, disable restarts here and write some other
+# script to ensure that the config files get copied/rsynced to the destination
+# box. This can be done by modifying the restart services trigger.
+# Note that if manage_dhcp and manage_dns are disabled, the respective
+# parameter will have no effect. Most users should not need to change
+# this.
+restart_dns: true
+restart_dhcp: true
+
+# install triggers are scripts in /var/lib/cobbler/triggers/install
+# that are triggered in autoinstall pre and post sections. Any
+# executable script in those directories is run. They can be used
+# to send email or perform other actions. They are currently
+# run as root so if you do not need this functionality you can
+# disable it, though this will also disable "cobbler status" which
+# uses a logging trigger to audit install progress.
+run_install_triggers: true
+
+# enables a trigger which version controls all changes to /var/lib/cobbler
+# when add, edit, or sync events are performed. This can be used
+# to revert to previous database versions, generate RSS feeds, or for
+# other auditing or backup purposes. "git" and "hg" are currently suported,
+# but git is the recommend SCM for use with this feature.
+scm_track_enabled: false
+scm_track_mode: "git"
+scm_track_author: "cobbler "
+scm_push_script: "/bin/true"
+
+# this is the address of the Cobbler server -- as it is used
+# by systems during the install process, it must be the address
+# or hostname of the system as those systems can see the server.
+# if you have a server that appears differently to different subnets
+# (dual homed, etc), you need to read the --server-override section
+# of the manpage for how that works.
+server: <%= @server %>
+
+# If set to true, all commands will be forced to use the localhost address
+# instead of using the above value which can force commands like
+# cobbler sync to open a connection to a remote address if one is in the
+# configuration and would traceback.
+client_use_localhost: false
+
+# If set to "true", all commands to the API (not directly to the XMLRPC server) will go over HTTPS instead of plaintext.
+# Be sure to change the "http_port" setting to the correct value for the web server.
+client_use_https: false
+
+# Should new profiles for virtual machines default to auto booting with the physical host when the physical host
+# reboots? This can be overridden on each profile or system object.
+virt_auto_boot: true
+
+# Cobbler's web directory. Don't change this setting -- see the Wiki on "Relocating your Cobbler install" if your "/var"
+# partition is not large enough.
+webdir: "/var/www/cobbler"
+
+# Directories that will not get wiped and recreated on a "cobbler sync".
+webdir_whitelist:
+ - misc
+ - web
+ - webui
+ - localmirror
+ - repo_mirror
+ - distro_mirror
+ - images
+ - links
+ - pub
+ - repo_profile
+ - repo_system
+ - svc
+ - rendered
+ - .link_cache
+
+# Cobbler's public XMLRPC listens on this port. Change this only
+# if absolutely needed, as you'll have to start supplying a new
+# port option to koan if it is not the default.
+xmlrpc_port: 25151
+
+# "cobbler repo add" commands set Cobbler up with repository
+# information that can be used during autoinstall and is automatically
+# set up in the Cobbler autoinstall templates. By default, these
+# are only available at install time. To make these repositories
+# usable on installed systems (since Cobbler makes a very convenient
+# mirror) set this to true. Most users can safely set this to true. Users
+# who have a dual homed Cobbler server, or are installing laptops that
+# will not always have access to the Cobbler server may wish to leave
+# this as false. In that case, the Cobbler mirrored yum repos are still
+# accessable at http://cobbler.example.org/cblr/repo_mirror and yum
+# configuration can still be done manually. This is just a shortcut.
+yum_post_install_mirror: true
+
+# the default yum priority for all the distros. This is only used if yum-priorities plugin is used.
+# 1=maximum
+# Tweak with caution!
+yum_distro_priority: 1
+
+# Flags to use for yumdownloader. Not all versions may support
+# --resolve.
+yumdownloader_flags: "--resolve"
+
+# sort and indent JSON output to make it more human-readable
+serializer_pretty_json: false
+
+# replication rsync options for distros, autoinstalls, snippets set to override default value of "-avzH"
+replicate_rsync_options: "-avzH"
+
+# replication rsync options for repos set to override default value of "-avzH"
+replicate_repo_rsync_options: "-avzH"
+
+# always write DHCP entries, regardless if netboot is enabled
+always_write_dhcp_entries: false
+
+# External proxy - used by: reposync", "signature update"
+# Eg: "http://192.168.1.1:8080" (HTTP), "https://192.168.1.1:8443" (HTTPS)
+proxy_url_ext: ""
+
+# Internal proxy - used by systems to reach Cobbler for templates
+# Eg: proxy_url_int: "http://10.0.0.1:8080"
+proxy_url_int: ""
+
+# This is a directory of files that Cobbler uses to include
+# files into Jinja2 templates
+jinja2_includedir: "/var/lib/cobbler/jinja2"
+
+# Up to now, cobblerd used $server's IP address instead of the DNS name in autoinstallation
+# file settings (pxelinux.cfg files) to save bytes, which seemed required for S/390 systems.
+# This behavior can have negative impact on installs with multi-homed Cobbler servers, because
+# not all of the IP addresses may be reachable during system install.
+# This behavior was now made conditional, with default being "off".
+convert_server_to_ip: false
+
+# Leftover settings
+bootloaders_dir: "/var/lib/cobbler/loaders"
+buildisodir: "/var/cache/cobbler/buildiso"
+cobbler_master: ""
+default_virt_disk_driver: "raw"
+grubconfig_dir: "/var/lib/cobbler/grub_config"
+iso_template_dir: "/etc/cobbler/iso"
+
+# Puppet
+puppet_server: ""
+puppet_version: 2
+
+# Signatures
+signature_path: "/var/lib/cobbler/distro_signatures.json"
+signature_url: "https://cobbler.github.io/signatures/3.0.x/latest.json"
+
+# Include other configuration snippets. Overwriting a key from this file in a childfile will overwrite the value from
+# this file.
+include: [ "/etc/cobbler/settings.d/*.settings" ]
diff --git a/site/roles/manifests/infra/cobbler/server.pp b/site/roles/manifests/infra/cobbler/server.pp
index 438547e..65d8541 100644
--- a/site/roles/manifests/infra/cobbler/server.pp
+++ b/site/roles/manifests/infra/cobbler/server.pp
@@ -2,4 +2,6 @@
class roles::infra::cobbler::server {
include profiles::defaults
include profiles::base
+ include profiles::base::datavol
+ include profiles::cobbler::server
}