feat: prepare puppet for debian

- set yum::versionlock to be only for redhat family
- set puppet-agent require statement to use apt or yum
- remove requirement of downloading puppet7-release-$dist.deb
- create all paths in $base_path for vault certificate
- set correct $PATH for update-ca-certificates
- dynamically set debian release name
- split packages to install from common.yaml to os-specific
- create groups profile to manage local groups
- change sysadmin to be a member of admins group
- setup admins sudo rules
This commit is contained in:
2024-04-13 21:04:08 +10:00
parent 5f8b0ba102
commit d0d67e316a
10 changed files with 86 additions and 28 deletions
+2 -1
View File
@@ -7,9 +7,10 @@ class profiles::accounts::sysadmin(
username => 'sysadmin',
uid => 1000,
gid => 1000,
groups => ['adm', 'wheel', 'systemd-journal'],
groups => ['adm', 'admins', 'systemd-journal'],
sshkeys => $sshkeys,
sudo_rules => ['sysadmin ALL=(ALL) NOPASSWD:ALL'],
password => $password,
require => Group['admins'],
}
}
+1 -11
View File
@@ -30,27 +30,17 @@ class profiles::apt::puppet7 (
Array[String] $managed_repos,
String $mirror,
String $repo,
String $dist,
) {
$codename = $facts['os']['distro']['codename']
if 'puppet7' in $managed_repos {
$puppet_source = "${mirror}/${repo}-release-${dist}.deb"
# Install the puppet release using dpkg
package { "${repo}-${dist}":
ensure => installed,
name => "${repo}-release",
provider => dpkg,
source => $puppet_source,
}
# deb http://apt.puppet.com bullseye puppet7
apt::source { 'puppet7':
location => $mirror,
repos => $repo,
release => $dist,
release => $codename,
include => {
'src' => false,
'deb' => true,
+1
View File
@@ -34,6 +34,7 @@ class profiles::base (
include profiles::base::motd
include profiles::base::scripts
include profiles::base::hosts
include profiles::base::groups
include profiles::accounts::sysadmin
include profiles::ntp::client
include profiles::dns::base
+12
View File
@@ -0,0 +1,12 @@
# profiles::base::groups
# simple group management
class profiles::base::groups (
Hash $local = {},
) {
$local.each |$group, $data| {
group { $group:
name => $group,
* => $data,
}
}
}
+16 -1
View File
@@ -23,12 +23,26 @@ class profiles::pki::vault (
$alt_names_file = "${base_path}/alt_names"
# ensure the base directory exists
file { $base_path:
file { '/etc/pki':
ensure => directory,
owner => 'root',
group => 'root',
mode => '0755',
}
file { '/etc/pki/tls':
ensure => directory,
owner => 'root',
group => 'root',
mode => '0755',
require => File['/etc/pki']
}
file { $base_path:
ensure => directory,
owner => 'root',
group => 'root',
mode => '0755',
require => File['/etc/pki/tls']
}
# alt_names_file contents
$alt_names_content = concat($effective_alt_names, $effective_ip_sans)
@@ -40,6 +54,7 @@ class profiles::pki::vault (
group => 'root',
mode => '0644',
content => join($alt_names_content, "\n"),
require => File[$base_path]
}
# compare the sorted arrays of altnames from disk (fact) vs what is intended (this run)
+1 -1
View File
@@ -30,7 +30,7 @@ class profiles::pki::vaultca {
# Execute the system command to update the CA trust store
exec { 'update_ca_trust_store':
command => $update_ca_cert_command,
path => ['/bin', '/usr/bin'],
path => ['/bin', '/usr/bin', 'sbin', '/usr/sbin'],
refreshonly => true,
require => File[$ca_cert_target_path],
}
+23 -9
View File
@@ -4,12 +4,6 @@ class profiles::puppet::agent (
String $puppet_version = 'latest',
) {
# Ensure the puppet-agent package is installed and locked to a specific version
package { 'puppet-agent':
ensure => $puppet_version,
require => Class['profiles::yum::puppet7'],
}
# if puppet-version is anything other than latest, set a versionlock
$puppet_versionlock_ensure = $puppet_version ? {
'latest' => 'absent',
@@ -19,9 +13,29 @@ class profiles::puppet::agent (
'latest' => undef,
default => $puppet_version,
}
yum::versionlock{'puppet-agent':
ensure => $puppet_versionlock_ensure,
version => $puppet_versionlock_version,
case $facts['os']['family'] {
'RedHat': {
# Ensure the puppet-agent package is installed and locked to a specific version
package { 'puppet-agent':
ensure => $puppet_version,
require => Class['profiles::yum::puppet7'],
}
# versionlock puppet-agent
yum::versionlock{'puppet-agent':
ensure => $puppet_versionlock_ensure,
version => $puppet_versionlock_version,
}
}
'Debian': {
# Ensure the puppet-agent package is installed and locked to a specific version
package { 'puppet-agent':
ensure => $puppet_version,
require => Class['profiles::apt::puppet7'],
}
}
default: {}
}
# Ensure the puppet service is running