Inital commit for profile::puppet::*

* profile::pupper::server * profile::puppet::puppetmaster * profile::puppet::g10k * profile::puppet::autosign * updated Puppetfile * updated role::puppet::puppetmaster * added profile::puppet::puppetmaster to puppetmaster role * added profile::puppet::server templates
2023-06-20 20:27:16 +10:00 · 2023-06-20 20:27:16 +10:00 · 9536be5864
commit 9536be5864
parent 46366f4ec6
8 changed files with 252 additions and 1 deletions
--- a/8
+++ b/8
@ -2,5 +2,11 @@ forge 'forge.puppetlabs.com'
 moduledir 'external_modules'

 # Forge Modules
+mod 'puppetlabs-stdlib', '9.1.0'
+mod 'puppetlabs-inifile', '6.0.0'
+mod 'puppetlabs-concat', '9.0.0'
+mod 'eyp-eyplib', '0.1.24'
+mod 'eyp-systemd', '3.1.0'
+mod 'ghoneycutt-puppet', '3.3.0'
+mod 'puppet-archive', '7.0.0'
 mod 'puppet-chrony', '2.6.0'
-mod 'puppetlabs/stdlib'
--- a/hieradata/common.yaml
+++ b/hieradata/common.yaml
@ -2,3 +2,6 @@
 profile::base::ntp_servers:
  - 0.au.pool.ntp.org
  - 1.au.pool.ntp.org
+
+profile::puppet::autosign::subnet_ranges:
+  - '198.18.17.0/24'
--- a/site/profile/manifests/puppet/autosign.pp
+++ b/site/profile/manifests/puppet/autosign.pp
@ -0,0 +1,54 @@
+# Class: profile::puppet::autosign
+#
+# This class manages an autosign script for the Puppet master.
+# It sets up a Ruby script that automatically signs Puppet node requests
+# originating from certain IP subnet ranges.
+#
+# Parameters:
+#  - `subnet_ranges`: An array of IP subnet ranges for which to automatically
+#     sign certificate requests.
+#
+# Actions:
+# - Ensures the autosign script file is present and has the correct content and permissions.
+#
+# Usage:
+#   The class can be declared in a node definition or classified using an ENC or Hiera.
+#   Example:
+#     node 'puppet.example.com' {
+#       class { 'profile::puppet::autosign':
+#         subnet_ranges => ['198.18.17.0/24', '10.0.0.0/8'],
+#       }
+#     }
+#
+# Requirements:
+# - Puppet master must have access to the /opt/puppetlabs/bin directory.
+# - The gem 'ipaddr' module must be installed on the Puppet master.
+# - The puppet 'puppetlabs/stdlib' module must be installed on the Puppet master.
+#
+# Limitations:
+# This is designed to work on Unix-like systems.
+class profile::puppet::autosign (
+  Array[Stdlib::IP::Address::V4::CIDR] $subnet_ranges,
+) {
+
+  $script_content = @(END)
+    #!/usr/bin/env ruby
+
+    require 'yaml'
+    require 'ipaddr'
+
+    csr = YAML.load(STDIN.read)
+    networks = #{subnet_ranges}
+
+    ip = IPAddr.new(csr['facts']['networking']['ip'])
+
+    exit 1 unless networks.any? { |network| IPAddr.new(network).include?(ip) }
+    exit 0
+  END
+
+  file { '/opt/puppetlabs/bin/autosign.rb':
+    ensure  => file,
+    content => $script_content,
+    mode    => '0755',
+  }
+}
--- a/site/profile/manifests/puppet/g10k.pp
+++ b/site/profile/manifests/puppet/g10k.pp
@ -0,0 +1,70 @@
+# Class: profile::puppet::g10k
+#
+# This class handles downloading and installation of the g10k tool, a fast 
+# Git and Forge based Puppet environment and module deployment tool.
+# The latest release of g10k is downloaded from GitHub and placed into '/opt/puppetlabs/bin'.
+# Additionally, it creates a helper script to easily run g10k with the appropriate configuration.
+# It also creates a systemd service and timer that runs the g10k script every minute.
+#
+# Parameters: None
+#
+# Actions:
+# - Downloads the latest g10k release from GitHub.
+# - Extracts the download and places the executable in '/opt/puppetlabs/bin'.
+# - Creates a helper script '/opt/puppetlabs/bin/puppet-g10k' for easy usage of g10k.
+# - Creates a systemd service and timer that runs the g10k script every minute.
+#
+# Usage:
+#   Directly including the class in your node definitions or classify your nodes 
+#   using an ENC or Hiera.
+#   Example:
+#     node 'puppet.example.com' {
+#       include profile::puppet::g10k
+#     }
+#
+# Requirements:
+# - The 'puppet-archive' module should be installed in your puppetmaster.
+# - The 'puppet-systemd' module should be installed on your puppetmaster.
+# - '/opt/puppetlabs/bin/' directory must exist and be writable.
+# - Puppet master must have access to the GitHub URL.
+#
+# Limitations:
+# This is designed to work on Unix-like systems only.
+class profile::puppet::g10k {
+
+  package { 'unzip':
+    ensure => installed,
+  }
+
+  archive { '/tmp/g10k.zip':
+    ensure       => present,
+    source       => 'https://github.com/xorpaul/g10k/releases/latest/download/g10k-linux-amd64.zip',
+    extract      => true,
+    extract_path => '/opt/puppetlabs/bin',
+    creates      => '/opt/puppetlabs/bin/g10k',
+    cleanup      => true,
+  }
+
+  file { '/opt/puppetlabs/bin/puppet-g10k':
+    ensure  => file,
+    owner   => 'root',
+    group   => 'root',
+    mode    => '0755',
+    content => "#!/usr/bin/bash\n/opt/puppetlabs/bin/g10k -config /etc/puppetlabs/r10k/r10k.yaml\n",
+    require => Archive['/tmp/g10k.zip'],
+  }
+
+  systemd::service { 'puppet-g10k':
+    description => 'puppet-g10k update service',
+    execstart   => '/opt/puppetlabs/bin/puppet-g10k',
+    user        => 'root',
+    require     => File['/opt/puppetlabs/bin/puppet-g10k'],
+  }
+
+  systemd::timer { 'puppet-g10k':
+    description => 'Run puppet-g10k every minute',
+    unit        => 'puppet-g10k.service',
+    on_calendar => '*:0/1',
+    require     => Systemd::Service['puppet-g10k'],
+  }
+}
--- a/site/profile/manifests/puppet/puppetmaster.pp
+++ b/site/profile/manifests/puppet/puppetmaster.pp
@ -0,0 +1,41 @@
+# Class: profile::puppet::puppetmaster
+#
+# This class manages the puppetmaster using the ghoneycutt-puppet module.
+# It manages the server settings in the puppet.conf file.
+#
+# Parameters: None
+#
+# Actions:
+# - Sets up the server, main, agent, and master sections in the puppet.conf file
+#
+# Usage:
+#   Directly include the class in your node definitions or classify your nodes 
+#   using an ENC or Hiera.
+#   Example:
+#     node 'puppet.example.com' {
+#       include profile::puppet::puppetmaster
+#     }
+#
+# Requirements:
+# - The 'ghoneycutt/puppet' module should be installed in your Puppet master.
+# - Puppet master must have access to the necessary directories.
+#
+# Limitations:
+# This is designed to work on Unix-like systems.
+class profile::puppet::puppetmaster {
+  include profile::puppet::g10k
+  include profile::puppet::autosign
+
+  class { 'profile::puppet::server':
+    vardir         => '/opt/puppetlabs/server/data/puppetserver',
+    logdir         => '/var/log/puppetlabs/puppetserver',
+    rundir         => '/var/run/puppetlabs/puppetserver',
+    pidfile        => '/var/run/puppetlabs/puppetserver/puppetserver.pid',
+    codedir        => '/etc/puppetlabs/code',
+    dns_alt_names  => ['prodinf01n01.main.unkin.net'],
+    server         => 'prodinf01n01.main.unkin.net',
+    node_terminus  => 'exec',
+    external_nodes => '/opt/puppetlabs/bin/enc',
+    autosign       => '/etc/puppetlabs/puppet/autosign.rb',
+  }
+}
--- a/site/profile/manifests/puppet/server.pp
+++ b/site/profile/manifests/puppet/server.pp
@ -0,0 +1,57 @@
+# Class: profile::puppet::server
+#
+# This class manages Puppet server's configuration and service.
+#
+# Parameters:
+#   vardir - Directory path for variable data.
+#   logdir - Directory path for logs.
+#   rundir - Directory path for run-time data.
+#   pidfile - File path for the PID file.
+#   codedir - Directory path for code data.
+#   dns_alt_names - Array of alternate DNS names for the server.
+#   server - Server's name.
+#   node_terminus - Node terminus.
+#   external_nodes - Path to the external node classifier script.
+#   autosign - Path to the autosign script.
+#
+class profile::puppet::server (
+  String $vardir,
+  String $logdir,
+  String $rundir,
+  String $pidfile,
+  String $codedir,
+  Array[String[1]] $dns_alt_names,
+  String $server,
+  String $node_terminus,
+  String $external_nodes,
+  String $autosign,
+) {
+
+  file { '/etc/puppetlabs/puppet/puppet.conf':
+    ensure  => file,
+    owner   => 'root',
+    group   => 'root',
+    mode    => '0644',
+    content => epp('profile/puppet/server/puppet.conf.epp', {
+      'vardir'         => $vardir,
+      'logdir'         => $logdir,
+      'rundir'         => $rundir,
+      'pidfile'        => $pidfile,
+      'codedir'        => $codedir,
+      'dns_alt_names'  => join($dns_alt_names, ','),
+      'server'         => $server,
+      'node_terminus'  => $node_terminus,
+      'external_nodes' => $external_nodes,
+      'autosign'       => $autosign,
+    }),
+    notify  => Service['puppetserver'],
+  }
+
+  service { 'puppetserver':
+    ensure     => running,
+    enable     => true,
+    hasstatus  => true,
+    hasrestart => true,
+  }
+}
+
--- a/site/profile/templates/puppet/server/puppet.conf.epp
+++ b/site/profile/templates/puppet/server/puppet.conf.epp
@ -0,0 +1,17 @@
+[server]
+vardir = <%= $vardir %>
+logdir = <%= $logdir %>
+rundir = <%= $rundir %>
+pidfile = <%= $pidfile %>
+codedir = <%= $codedir %>
+
+[main]
+dns_alt_names = <%= $dns_alt_names %>
+
+[agent]
+server = <%= $server %>
+
+[master]
+node_terminus = exec
+external_nodes = <%= $external_nodes %>
+autosign = <%= $autosign %>
--- a/site/role/manifests/puppet/puppetmaster.pp
+++ b/site/role/manifests/puppet/puppetmaster.pp
@ -1,3 +1,6 @@
+# a role to deploy the puppetmaster
+# work in progress
 class role::puppet::puppetmaster {
    include profile::base
+    include profile::puppet::puppetmaster
  }