feat: prepare puppet for debian
- set yum::versionlock to be only for redhat family - set puppet-agent require statement to use apt or yum - remove requirement of downloading puppet7-release-$dist.deb - create all paths in $base_path for vault certificate - set correct $PATH for update-ca-certificates - dynamically set debian release name - split packages to install from common.yaml to os-specific - create groups profile to manage local groups - change sysadmin to be a member of admins group - setup admins sudo rules
@@ -7,9 +7,10 @@ class profiles::accounts::sysadmin(
|
||||
username => 'sysadmin',
|
||||
uid => 1000,
|
||||
gid => 1000,
|
||||
groups => ['adm', 'wheel', 'systemd-journal'],
|
||||
groups => ['adm', 'admins', 'systemd-journal'],
|
||||
sshkeys => $sshkeys,
|
||||
sudo_rules => ['sysadmin ALL=(ALL) NOPASSWD:ALL'],
|
||||
password => $password,
|
||||
require => Group['admins'],
|
||||
}
|
||||
}
|
||||
|
||||
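Review bot: `sudo_rules => ['sysadmin ALL=(ALL) NOPASSWD:ALL']` is kept while the account is moved into `admins`, so once the admins sudo rules from this commit exist the account carries two overlapping unrestricted grants and revoking either one on its own would not remove access; drop the per-user rule or add a comment explaining why both are required. `require => Group['admins']` resolves only if an `admins` entry is present in the hiera data consumed by profiles::base::groups — on a node without it the catalog fails to compile rather than quietly skipping the dependency, which is acceptable but worth a line such as `# Group['admins'] is declared from hiera by profiles::base::groups`. The resource this hunk edits begins outside the hunk.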
@@ -30,27 +30,17 @@ class profiles::apt::puppet7 (
|
||||
Array[String] $managed_repos,
|
||||
String $mirror,
|
||||
String $repo,
|
||||
String $dist,
|
||||
) {
|
||||
|
||||
$codename = $facts['os']['distro']['codename']
|
||||
|
||||
if 'puppet7' in $managed_repos {
|
||||
$puppet_source = "${mirror}/${repo}-release-${dist}.deb"
|
||||
|
||||
# Install the puppet release using dpkg
|
||||
package { "${repo}-${dist}":
|
||||
ensure => installed,
|
||||
name => "${repo}-release",
|
||||
provider => dpkg,
|
||||
source => $puppet_source,
|
||||
}
|
||||
|
||||
# deb http://apt.puppet.com bullseye puppet7
|
||||
apt::source { 'puppet7':
|
||||
location => $mirror,
|
||||
repos => $repo,
|
||||
release => $dist,
|
||||
release => $codename,
|
||||
include => {
|
||||
'src' => false,
|
||||
'deb' => true,
|
||||
|
||||
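Review bot: With the `${repo}-release` dpkg package removed, nothing visible in the hunk supplies the repository's signing key — `apt::source { 'puppet7': ... }` declares location, repos, release and include but no `key`, so apt appears to end up with an unsigned source unless the key is handled elsewhere; if it is not, add `key => { 'name' => '<keyring filename>', 'source' => '<key URL on the mirror>' },` (placeholders) so packages from the mirror are verified before install. `String $dist` stays in the parameter list although its only visible use, the `.deb` URL, is gone; if nothing after the hunk reads it, remove it or mark it deprecated so callers stop passing it. The `if 'puppet7' in $managed_repos` block continues past the end of the hunk.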
@@ -34,6 +34,7 @@ class profiles::base (
|
||||
include profiles::base::motd
|
||||
include profiles::base::scripts
|
||||
include profiles::base::hosts
|
||||
include profiles::base::groups
|
||||
include profiles::accounts::sysadmin
|
||||
include profiles::ntp::client
|
||||
include profiles::dns::base
|
||||
|
||||
@@ -0,0 +1,12 @@
|
||||
# profiles::base::groups
|
||||
# simple group management
|
||||
class profiles::base::groups (
|
||||
Hash $local = {},
|
||||
) {
|
||||
$local.each |$group, $data| {
|
||||
group { $group:
|
||||
name => $group,
|
||||
* => $data,
|
||||
}
|
||||
}
|
||||
}
|
||||
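Review bot: `* => $data` forwards every key of the hiera hash straight into the `group` resource, and because `name => $group` is set on the same resource a `name` key inside `$data` produces a duplicate-attribute compile error; either document that `name` must not appear in the data or tighten the parameter to `Hash[String, Hash]` so a malformed entry fails at parameter validation instead of inside the loop. The header has only two comment lines; a puppet-strings block such as `# @param local Map of group name => group resource attributes, passed through unchanged to group{}; typically supplied via hiera` would tell the next maintainer where the data comes from. It is also worth stating in that comment that whatever the hash contains (ids, membership and any other attribute) becomes authoritative for the local group on every node that includes the class.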
@@ -23,12 +23,26 @@ class profiles::pki::vault (
|
||||
$alt_names_file = "${base_path}/alt_names"
|
||||
|
||||
# ensure the base directory exists
|
||||
file { $base_path:
|
||||
file { '/etc/pki':
|
||||
ensure => directory,
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
mode => '0755',
|
||||
}
|
||||
file { '/etc/pki/tls':
|
||||
ensure => directory,
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
mode => '0755',
|
||||
require => File['/etc/pki']
|
||||
}
|
||||
file { $base_path:
|
||||
ensure => directory,
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
mode => '0755',
|
||||
require => File['/etc/pki/tls']
|
||||
}
|
||||
|
||||
# alt_names_file contents
|
||||
$alt_names_content = concat($effective_alt_names, $effective_ip_sans)
|
||||
@@ -40,6 +54,7 @@ class profiles::pki::vault (
|
||||
group => 'root',
|
||||
mode => '0644',
|
||||
content => join($alt_names_content, "\n"),
|
||||
require => File[$base_path]
|
||||
}
|
||||
|
||||
# compare the sorted arrays of altnames from disk (fact) vs what is intended (this run)
|
||||
|
||||
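Review bot: The three directory resources `file { '/etc/pki': ... }`, `file { '/etc/pki/tls': ... }` and `file { $base_path: ... }` are identical apart from the title and the explicit `require` chain; Puppet's file type autorequires a managed parent directory, so the chain adds nothing and the block — together with the `require => File[$base_path]` added in the second hunk — can collapse into one array-titled resource. The hard-coded `/etc/pki/tls` prefix also quietly assumes `$base_path` lives beneath it: with a different `$base_path` the two literal directories are still created for no purpose, and with `$base_path` equal to one of them the catalog fails on a duplicate declaration; the original has the same hazard, so at least document the assumption next to `$base_path`. Both hunks cut into parts of the class that are outside this view.
```puppet
# ensure the certificate directory and its parents exist; file resources
# autorequire their managed parent directory, so no explicit chain is needed.
# NOTE(review): assumes $base_path is below /etc/pki/tls — confirm with callers.
file { ['/etc/pki', '/etc/pki/tls', $base_path]:
  ensure => directory,
  owner  => 'root',
  group  => 'root',
  mode   => '0755',
}
# … unchanged: alt_names_file contents …
```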
@@ -30,7 +30,7 @@ class profiles::pki::vaultca {
|
||||
# Execute the system command to update the CA trust store
|
||||
exec { 'update_ca_trust_store':
|
||||
command => $update_ca_cert_command,
|
||||
path => ['/bin', '/usr/bin'],
|
||||
path => ['/bin', '/usr/bin', 'sbin', '/usr/sbin'],
|
||||
refreshonly => true,
|
||||
require => File[$ca_cert_target_path],
|
||||
}
|
||||
|
||||
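Review bot: The new search-path entry `'sbin'` is relative, so `update_ca_trust_store` still cannot find a binary installed in `/sbin`, and a relative entry would resolve against whatever working directory the exec happens to run from; it should read `path => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'],`. A short comment next to the attribute, e.g. `# the CA update tools live under sbin on Debian and RedHat`, would explain why the path was widened.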
@@ -4,12 +4,6 @@ class profiles::puppet::agent (
|
||||
String $puppet_version = 'latest',
|
||||
) {
|
||||
|
||||
# Ensure the puppet-agent package is installed and locked to a specific version
|
||||
package { 'puppet-agent':
|
||||
ensure => $puppet_version,
|
||||
require => Class['profiles::yum::puppet7'],
|
||||
}
|
||||
|
||||
# if puppet-version is anything other than latest, set a versionlock
|
||||
$puppet_versionlock_ensure = $puppet_version ? {
|
||||
'latest' => 'absent',
|
||||
@@ -19,9 +13,29 @@ class profiles::puppet::agent (
|
||||
'latest' => undef,
|
||||
default => $puppet_version,
|
||||
}
|
||||
yum::versionlock{'puppet-agent':
|
||||
ensure => $puppet_versionlock_ensure,
|
||||
version => $puppet_versionlock_version,
|
||||
|
||||
case $facts['os']['family'] {
|
||||
'RedHat': {
|
||||
# Ensure the puppet-agent package is installed and locked to a specific version
|
||||
package { 'puppet-agent':
|
||||
ensure => $puppet_version,
|
||||
require => Class['profiles::yum::puppet7'],
|
||||
}
|
||||
|
||||
# versionlock puppet-agent
|
||||
yum::versionlock{'puppet-agent':
|
||||
ensure => $puppet_versionlock_ensure,
|
||||
version => $puppet_versionlock_version,
|
||||
}
|
||||
}
|
||||
'Debian': {
|
||||
# Ensure the puppet-agent package is installed and locked to a specific version
|
||||
package { 'puppet-agent':
|
||||
ensure => $puppet_version,
|
||||
require => Class['profiles::apt::puppet7'],
|
||||
}
|
||||
}
|
||||
default: {}
|
||||
}
|
||||
|
||||
# Ensure the puppet service is running
|
||||
|
||||
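Review bot: The comment `# Ensure the puppet-agent package is installed and locked to a specific version` in the `'Debian'` branch is not accurate — only the RedHat branch declares `yum::versionlock`, so on Debian a non-`latest` `$puppet_version` installs that version but nothing stops apt from upgrading it later; either trim the comment to `# Ensure the puppet-agent package is installed (no version lock on Debian yet)` or add an apt pin for the package alongside it. `default: {}` silently manages nothing on any other OS family, so an unsupported node keeps whatever agent it has with no report; `default: { fail("profiles::puppet::agent: unsupported os family ${facts['os']['family']}") }` makes that explicit. The `$puppet_versionlock_ensure` and `$puppet_versionlock_version` selectors begin in the previous hunk and now feed only the RedHat branch.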