feat: add glauth role/profile classes

- role added to cobbler - add role specific hieradata
2024-07-01 19:56:50 +10:00 · 2024-07-01 19:56:50 +10:00 · c8604baa4e
commit c8604baa4e
parent c69e8c487e
3 changed files with 66 additions and 0 deletions
--- a/hieradata/roles/infra/auth/glauth.yaml
+++ b/hieradata/roles/infra/auth/glauth.yaml
@ -0,0 +1,44 @@
+---
+hiera_include:
+  - glauth
+
+# additional altnames
+profiles::pki::vault::alt_names:
+  - ldap.main.unkin.net
+  - ldap.service.consul
+  - ldap.query.consul
+  - "ldap.service.%{facts.country}-%{facts.region}.consul"
+
+glauth::params::download_version: 2.3.2
+glauth::params::ldap_enabled: true
+glauth::params::ldaps_enabled: true
+glauth::params::basedn: 'dc=main,dc=unkin,dc=net'
+glauth::params::behaviors_ignorecapabilities: true
+glauth::params::ldap_tlscertpath: /etc/pki/tls/vault/certificate.crt
+glauth::params::ldap_tlskeypath: /etc/pki/tls/vault/private.key
+glauth::params::ldaps_cert: /etc/pki/tls/vault/certificate.crt
+glauth::params::ldaps_key: /etc/pki/tls/vault/private.key
+glauth::params::api_cert: /etc/pki/tls/vault/certificate.crt
+glauth::params::api_key: /etc/pki/tls/vault/private.key
+
+# configure consul service
+consul::services:
+  ldap:
+    service_name: 'ldap'
+    tags:
+      - 'media'
+      - 'ldap'
+    address: "%{facts.networking.ip}"
+    port: 636
+    checks:
+      - id: 'glauth_http_check'
+        name: 'glauth HTTP Check'
+        http: "https://%{facts.networking.fqdn}:5555"
+        method: 'GET'
+        tls_skip_verify: true
+        interval: '10s'
+        timeout: '1s'
+profiles::consul::client::node_rules:
+  - resource: service
+    segment: ldap
+    disposition: write
--- a/site/profiles/manifests/ldap/server.pp
+++ b/site/profiles/manifests/ldap/server.pp
@ -0,0 +1,10 @@
+# profiles::ldap::server
+class profiles::ldap::server (
+  Hash $users    = lookup('glauth::users', { default_value => {} }),
+  Hash $services = lookup('glauth::services', { default_value => {} }),
+  Hash $groups   = lookup('glauth::groups', { default_value => {} }),
+) {
+  create_resources('glauth::obj::user', $users)
+  create_resources('glauth::obj::service', $services)
+  create_resources('glauth::obj::group', $groups)
+}
--- a/site/roles/manifests/infra/auth/glauth.pp
+++ b/site/roles/manifests/infra/auth/glauth.pp
@ -0,0 +1,12 @@
+# a role to deploy glauth
+class roles::infra::auth::glauth {
+  if $facts['firstrun'] {
+    include profiles::defaults
+    include profiles::firstrun::init
+  }else{
+    include profiles::defaults
+    include profiles::base
+    include profiles::base::datavol
+    include profiles::ldap::server
+  }
+}