feat: firstrun improvements

- add fact to detect firstrun
- run a limited subset of classes on firstrun
- firstrun: includes:
  - vault ca certificates
  - yum/apt repositories
  - fast-install packages with an exec

modules/libs/lib/facter/firstrun.rb

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+Facter.add(:firstrun) do
+  confine kernel: 'Linux'
+  setcode do
+    File.exist?('/root/.cache/puppet_firstrun_complete') ? false : true
+  end
+end

site/profiles/manifests/base.pp

@@ -3,59 +3,64 @@ class profiles::base (
   Array  $puppet_servers,
 ) {
 
-  # install the vault ca first
-  include profiles::pki::vaultca
+  # run a limited set of classes on the first run aimed at bootstrapping the new node
+  if $facts['firstrun'] {
+    include profiles::firstrun::init
+  }else{
 
-  # manage the puppet agent
-  include profiles::puppet::agent
+    # install the vault ca first
+    include profiles::pki::vaultca
 
-  # manage puppet clients
-  if ! member($puppet_servers, $trusted['certname']) {
-    include profiles::puppet::client
+    # manage the puppet agent
+    include profiles::puppet::agent
+
+    # manage puppet clients
+    if ! member($puppet_servers, $trusted['certname']) {
+      include profiles::puppet::client
+    }
+
+    # include the base profiles
+    include profiles::base::repos
+    include profiles::packages
+    include profiles::base::facts
+    include profiles::base::motd
+    include profiles::base::scripts
+    include profiles::base::hosts
+    include profiles::base::groups
+    include profiles::base::root
+    include profiles::accounts::sysadmin
+    include profiles::ntp::client
+    include profiles::dns::base
+    include profiles::pki::vault
+    include profiles::cloudinit::init
+    include profiles::metrics::default
+    include profiles::helpers::node_lookup
+    include profiles::consul::client
+
+    # include the python class
+    class { 'python':
+      manage_python_package => true,
+      manage_venv_package   => true,
+      manage_pip_package    => true,
+      use_epel              => false,
+    }
+
+    # all hosts will have sudo applied
+    class { 'sudo':
+      secure_path => '/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/opt/puppetlabs/bin'
+    }
+
+    # manage virtualised guest agents
+    if $::facts['is_virtual'] and $::facts['dmi']['manufacturer'] == 'QEMU' {
+      include profiles::qemu::agent
+    }
+
+    # include classes from hiera
+    lookup('hiera_classes', Array[String], 'unique').include
+
+    # specifc ordering constraints
+    Class['profiles::pki::vaultca']
+    -> Class['profiles::base::repos']
+    -> Class['profiles::packages']
   }
-
-  # include the base profiles
-  include profiles::base::repos
-  include profiles::packages
-  include profiles::base::facts
-  include profiles::base::motd
-  include profiles::base::scripts
-  include profiles::base::hosts
-  include profiles::base::groups
-  include profiles::base::root
-  include profiles::accounts::sysadmin
-  include profiles::ntp::client
-  include profiles::dns::base
-  include profiles::pki::vault
-  include profiles::cloudinit::init
-  include profiles::metrics::default
-  include profiles::helpers::node_lookup
-  include profiles::consul::client
-
-  # include the python class
-  class { 'python':
-    manage_python_package => true,
-    manage_venv_package   => true,
-    manage_pip_package    => true,
-    use_epel              => false,
-  }
-
-  # all hosts will have sudo applied
-  class { 'sudo':
-    secure_path => '/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/opt/puppetlabs/bin'
-  }
-
-  # manage virtualised guest agents
-  if $::facts['is_virtual'] and $::facts['dmi']['manufacturer'] == 'QEMU' {
-    include profiles::qemu::agent
-  }
-
-  # include classes from hiera
-  lookup('hiera_classes', Array[String], 'unique').include
-
-  # specifc ordering constraints
-  Class['profiles::pki::vaultca']
-  -> Class['profiles::base::repos']
-  -> Class['profiles::packages']
-
 }

site/profiles/manifests/firstrun/complete.pp

@@ -0,0 +1,11 @@
+# profiles::firstrun::complete
+class profiles::firstrun::complete {
+
+  file {'/root/.cache/puppet_firstrun_complete':
+    ensure  => 'file',
+    owner   => 'root',
+    group   => 'root',
+    mode    => '0750',
+    content => 'firstrun completed',
+  }
+}

site/profiles/manifests/firstrun/init.pp

@@ -0,0 +1,19 @@
+# profiles::firstrun::init
+class profiles::firstrun::init {
+
+  # include the required CA certificates
+  include profiles::pki::vaultca
+
+  # fast install packages on the first run
+  include profiles::base::repos
+  include profiles::firstrun::packages
+
+  # mark the firstrun as done
+  include profiles::firstrun::complete
+
+
+  Class['profiles::pki::vaultca']
+  -> Class['profiles::base::repos']
+  -> Class['profiles::firstrun::packages']
+  -> Class['profiles::firstrun::complete']
+}

site/profiles/manifests/firstrun/packages.pp

@@ -0,0 +1,27 @@
+# profiles::firstrun::packages
+class profiles::firstrun::packages {
+  # include the correct package repositories, define the install_packages exec
+  case $facts['os']['family'] {
+    'RedHat': {
+      include profiles::yum::global
+      $install_command = 'dnf install -y'
+    }
+    'Debian': {
+      include profiles::apt::global
+      $install_command = 'apt-get install -y'
+    }
+    default: {
+      fail("Unsupported OS family ${facts['os']['family']}")
+    }
+  }
+
+  # get all the packages to install, and convert into a space separated list
+  $packages = hiera_array('profiles::packages::install', [])
+  $package_list = $packages.join(' ')
+
+  # install all the packages
+  exec { 'install_packages':
+    command => "${install_command} ${package_list}",
+    path    => ['/bin', '/usr/bin'],
+  }
+}