From c8604baa4ecd9aad61de01111775e346f3023fcf Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Mon, 1 Jul 2024 19:56:50 +1000
Subject: [PATCH] feat: add glauth role/profile classes - role added to cobbler - add role specific hieradata
--- hieradata/roles/infra/auth/glauth.yaml | 44 +++++++++++++++++++++++ site/profiles/manifests/ldap/server.pp | 10 ++++++ site/roles/manifests/infra/auth/glauth.pp | 12 +++++++ 3 files changed, 66 insertions(+) create mode 100644 hieradata/roles/infra/auth/glauth.yaml create mode 100644 site/profiles/manifests/ldap/server.pp create mode 100644 site/roles/manifests/infra/auth/glauth.pp
diff --git a/hieradata/roles/infra/auth/glauth.yaml b/hieradata/roles/infra/auth/glauth.yaml
new file mode 100644
index 0000000..64de7e5
--- /dev/null
+++ b/hieradata/roles/infra/auth/glauth.yaml
@@ -0,0 +1,44 @@
+---
+hiera_include:
+ - glauth
+
+# additional altnames
+profiles::pki::vault::alt_names:
+ - ldap.main.unkin.net
+ - ldap.service.consul
+ - ldap.query.consul
+ - "ldap.service.%{facts.country}-%{facts.region}.consul"
+
+glauth::params::download_version: 2.3.2
+glauth::params::ldap_enabled: true
+glauth::params::ldaps_enabled: true
+glauth::params::basedn: 'dc=main,dc=unkin,dc=net'
+glauth::params::behaviors_ignorecapabilities: true
+glauth::params::ldap_tlscertpath: /etc/pki/tls/vault/certificate.crt
+glauth::params::ldap_tlskeypath: /etc/pki/tls/vault/private.key
+glauth::params::ldaps_cert: /etc/pki/tls/vault/certificate.crt
+glauth::params::ldaps_key: /etc/pki/tls/vault/private.key
+glauth::params::api_cert: /etc/pki/tls/vault/certificate.crt
+glauth::params::api_key: /etc/pki/tls/vault/private.key
+
+# configure consul service
+consul::services:
+ ldap:
+ service_name: 'ldap'
+ tags:
+ - 'media'
+ - 'ldap'
+ address: "%{facts.networking.ip}"
+ port: 636
+ checks:
+ - id: 'glauth_http_check'
+ name: 'glauth HTTP Check'
+ http: "https://%{facts.networking.fqdn}:5555"
+ method: 'GET'
+ tls_skip_verify: true
+ interval: '10s'
+ timeout: '1s'
+profiles::consul::client::node_rules:
+ - resource: service
+ segment: ldap
+ disposition: write
diff --git a/site/profiles/manifests/ldap/server.pp b/site/profiles/manifests/ldap/server.pp
new file mode 100644
index 0000000..52dabed
--- /dev/null
+++ b/site/profiles/manifests/ldap/server.pp
@@ -0,0 +1,10 @@
+# profiles::ldap::server
+class profiles::ldap::server (
+ Hash $users = lookup('glauth::users', { default_value => {} }),
+ Hash $services = lookup('glauth::services', { default_value => {} }),
+ Hash $groups = lookup('glauth::groups', { default_value => {} }),
+) {
+ create_resources('glauth::obj::user', $users)
+ create_resources('glauth::obj::service', $services)
+ create_resources('glauth::obj::group', $groups)
+}
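Review bot: `glauth::params::behaviors_ignorecapabilities: true` turns off glauth's per-user/group capability checks, which — if it maps onto glauth's `[behaviors] ignorecapabilities` as the parameter name suggests — lets any account that can bind search the whole `dc=main,dc=unkin,dc=net` tree instead of only what its capabilities grant; unless every consumer really needs that, prefer `glauth::params::behaviors_ignorecapabilities: false` and give the service accounts that need it an explicit `search` capability. The plaintext listener is also left on (`glauth::params::ldap_enabled: true`) while Consul only advertises port 636; if no client depends on 389/StartTLS, set `glauth::params::ldap_enabled: false` so simple binds cannot be sent in the clear. The health check uses `tls_skip_verify: true` against a Vault-issued certificate that already carries the `ldap.*` alt names; point the check at one of those names (or add the node FQDN to `profiles::pki::vault::alt_names`) and drop the skip, so the check cannot be satisfied by something presenting an arbitrary certificate. The `media` tag on the ldap service looks like a leftover from another service definition and is worth confirming.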
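Review bot: The profile never includes the `glauth` class itself; it relies on `hiera_include: - glauth` in the role hieradata, so any role that includes `profiles::ldap::server` without that key would declare `glauth::obj::*` resources with no glauth server class in the catalog (assuming from their names that those defined types feed glauth's config). Adding `include glauth` as the first statement of the body makes the profile self-contained. The header comment is only the class name; expand it to document the three parameters, e.g. `# Deploys glauth directory entries from hiera: glauth::users, glauth::services and glauth::groups are hashes keyed by entry name and passed through to glauth::obj::*; user entries carry credential hashes and should live in encrypted hieradata (eyaml).` Stylistically, `create_resources` can be replaced with iteration, `$users.each |$name, $attrs| { glauth::obj::user { $name: * => $attrs } }`, which the current Puppet style guide and puppet-lint prefer.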
diff --git a/site/roles/manifests/infra/auth/glauth.pp b/site/roles/manifests/infra/auth/glauth.pp
new file mode 100644
index 0000000..fdaa17b
--- /dev/null
+++ b/site/roles/manifests/infra/auth/glauth.pp
@@ -0,0 +1,12 @@
+# a role to deploy glauth
+class roles::infra::auth::glauth {
+ if $facts['firstrun'] {
+ include profiles::defaults
+ include profiles::firstrun::init
+ }else{
+ include profiles::defaults
+ include profiles::base
+ include profiles::base::datavol
+ include profiles::ldap::server
+ }
+}
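Review bot: `if $facts['firstrun']` is truthy for every String in Puppet 4+, including `'false'`, so if `firstrun` is an external or legacy fact delivered as text, a node that has already been bootstrapped could keep taking the first-run branch and never receive `profiles::ldap::server`; confirm the fact is a real Boolean or compare explicitly, e.g. `if $facts['firstrun'] == true {`. `include profiles::defaults` is repeated in both branches and can be hoisted above the conditional, and the branch should be written `} else {` to satisfy the Puppet style guide and puppet-lint. The header comment could also say what the role actually deploys: `# Role for the glauth LDAP server: bootstrap profiles on first run, otherwise base, datavol and profiles::ldap::server.`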