diff --git a/modules/libs/lib/facter/firstrun.rb b/modules/libs/lib/facter/firstrun.rb
new file mode 100644
index 0000000..012aafc
--- /dev/null
+++ b/modules/libs/lib/facter/firstrun.rb
@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+Facter.add(:firstrun) do
+ confine kernel: 'Linux'
+ setcode do
+ File.exist?('/root/.cache/puppet_firstrun_complete') ? false : true
+ end
+end
diff --git a/site/profiles/manifests/base.pp b/site/profiles/manifests/base.pp
index a387570..13f6b10 100644
--- a/site/profiles/manifests/base.pp
+++ b/site/profiles/manifests/base.pp
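Review bot: The `setcode` body spells a negation as a ternary; `setcode { !File.exist?('/root/.cache/puppet_firstrun_complete') }` is the idiomatic form and reads as what it is. The marker path is also hard-coded a second time in the file resource of profiles::firstrun::complete, so a comment such as `# Must match the marker written by profiles::firstrun::complete` above the call keeps the two from drifting apart. Because the fact is nothing more than the absence of that file, any run on which the marker is missing (including after /root/.cache is cleaned) puts the node back on the bootstrap-only class set; that consequence belongs in the fact's comment so operators are not surprised.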
@@ -3,59 +3,64 @@ class profiles::base (
 Array $puppet_servers,
 ) {
 
- # install the vault ca first
- include profiles::pki::vaultca
+ # run a limited set of classes on the first run aimed at bootstrapping the new node
+ if $facts['firstrun'] {
+ include profiles::firstrun::init
+ }else{
 
- # manage the puppet agent
- include profiles::puppet::agent
+ # install the vault ca first
+ include profiles::pki::vaultca
 
- # manage puppet clients
- if ! member($puppet_servers, $trusted['certname']) {
- include profiles::puppet::client
+ # manage the puppet agent
+ include profiles::puppet::agent
+
+ # manage puppet clients
+ if ! member($puppet_servers, $trusted['certname']) {
+ include profiles::puppet::client
+ }
+
+ # include the base profiles
+ include profiles::base::repos
+ include profiles::packages
+ include profiles::base::facts
+ include profiles::base::motd
+ include profiles::base::scripts
+ include profiles::base::hosts
+ include profiles::base::groups
+ include profiles::base::root
+ include profiles::accounts::sysadmin
+ include profiles::ntp::client
+ include profiles::dns::base
+ include profiles::pki::vault
+ include profiles::cloudinit::init
+ include profiles::metrics::default
+ include profiles::helpers::node_lookup
+ include profiles::consul::client
+
+ # include the python class
+ class { 'python':
+ manage_python_package => true,
+ manage_venv_package => true,
+ manage_pip_package => true,
+ use_epel => false,
+ }
+
+ # all hosts will have sudo applied
+ class { 'sudo':
+ secure_path => '/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/opt/puppetlabs/bin'
+ }
+
+ # manage virtualised guest agents
+ if $::facts['is_virtual'] and $::facts['dmi']['manufacturer'] == 'QEMU' {
+ include profiles::qemu::agent
+ }
+
+ # include classes from hiera
+ lookup('hiera_classes', Array[String], 'unique').include
+
+ # specifc ordering constraints
+ Class['profiles::pki::vaultca']
+ -> Class['profiles::base::repos']
+ -> Class['profiles::packages']
 }
-
- # include the base profiles
- include profiles::base::repos
- include profiles::packages
- include profiles::base::facts
- include profiles::base::motd
- include profiles::base::scripts
- include profiles::base::hosts
- include profiles::base::groups
- include profiles::base::root
- include profiles::accounts::sysadmin
- include profiles::ntp::client
- include profiles::dns::base
- include profiles::pki::vault
- include profiles::cloudinit::init
- include profiles::metrics::default
- include profiles::helpers::node_lookup
- include profiles::consul::client
-
- # include the python class
- class { 'python':
- manage_python_package => true,
- manage_venv_package => true,
- manage_pip_package => true,
- use_epel => false,
- }
-
- # all hosts will have sudo applied
- class { 'sudo':
- secure_path => '/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/opt/puppetlabs/bin'
- }
-
- # manage virtualised guest agents
- if $::facts['is_virtual'] and $::facts['dmi']['manufacturer'] == 'QEMU' {
- include profiles::qemu::agent
- }
-
- # include classes from hiera
- lookup('hiera_classes', Array[String], 'unique').include
-
- # specifc ordering constraints
- Class['profiles::pki::vaultca']
- -> Class['profiles::base::repos']
- -> Class['profiles::packages']
-
 }
diff --git a/site/profiles/manifests/firstrun/complete.pp b/site/profiles/manifests/firstrun/complete.pp
new file mode 100644
index 0000000..3c6342d
--- /dev/null
+++ b/site/profiles/manifests/firstrun/complete.pp
@@ -0,0 +1,11 @@
+# profiles::firstrun::complete
+class profiles::firstrun::complete {
+
+ file {'/root/.cache/puppet_firstrun_complete':
+ ensure => 'file',
+ owner => 'root',
+ group => 'root',
+ mode => '0750',
+ content => 'firstrun completed',
+ }
+}
diff --git a/site/profiles/manifests/firstrun/init.pp b/site/profiles/manifests/firstrun/init.pp
new file mode 100644
index 0000000..6b6fd3a
--- /dev/null
+++ b/site/profiles/manifests/firstrun/init.pp
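Review bot: `}else{` on the new line after `include profiles::firstrun::init` should be written `} else {`, which is the form the Puppet style guide and puppet-lint expect. The re-indented block now mixes the new `$facts['firstrun']` with the older `$::facts['is_virtual']` on the QEMU guard; since those lines are rewritten anyway, dropping the top-scope prefix there gives one consistent style, and `# specifc ordering constraints` still carries its typo (`specific`). The `firstrun` fact is confined to Linux, so on any other kernel the condition is undef and the full base set applies silently; a one-line comment on the `if`, `# firstrun is only set on Linux; elsewhere this falls through to the full base profile`, records that. The class header of profiles::base sits before the hunk.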
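Review bot: The marker file resource does not manage its parent directory, so on a node where `/root/.cache` does not yet exist the resource fails, completion is never recorded, and the node stays on the bootstrap-only class set on every subsequent run; a managed `/root/.cache` directory resource next to it (autorequired by the child path) closes that gap. `mode => '0750'` also sets the execute bit on a plain text marker, which nothing needs; `'0640'` is sufficient. The path has to match the one the firstrun fact reads in modules/libs/lib/facter/firstrun.rb, which the resource should say in a comment.
```puppet
  # parent directory is not created by the marker resource below
  file { '/root/.cache':
    ensure => 'directory',
    owner  => 'root',
    group  => 'root',
    mode   => '0700',
  }

  # path must match the one read by the firstrun fact (modules/libs/lib/facter/firstrun.rb)
  file { '/root/.cache/puppet_firstrun_complete':
    ensure  => 'file',
    # … unchanged: owner, group, content …
    mode    => '0640',
  }
```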
@@ -0,0 +1,19 @@
+# profiles::firstrun::init
+class profiles::firstrun::init {
+
+ # include the required CA certificates
+ include profiles::pki::vaultca
+
+ # fast install packages on the first run
+ include profiles::base::repos
+ include profiles::firstrun::packages
+
+ # mark the firstrun as done
+ include profiles::firstrun::complete
+
+
+ Class['profiles::pki::vaultca']
+ -> Class['profiles::base::repos']
+ -> Class['profiles::firstrun::packages']
+ -> Class['profiles::firstrun::complete']
+}
diff --git a/site/profiles/manifests/firstrun/packages.pp b/site/profiles/manifests/firstrun/packages.pp
new file mode 100644
index 0000000..5bcc6d4
--- /dev/null
+++ b/site/profiles/manifests/firstrun/packages.pp
@@ -0,0 +1,27 @@
+# profiles::firstrun::packages
+class profiles::firstrun::packages {
+ # include the correct package repositories, define the install_packages exec
+ case $facts['os']['family'] {
+ 'RedHat': {
+ include profiles::yum::global
+ $install_command = 'dnf install -y'
+ }
+ 'Debian': {
+ include profiles::apt::global
+ $install_command = 'apt-get install -y'
+ }
+ default: {
+ fail("Unsupported OS family ${facts['os']['family']}")
+ }
+ }
+
+ # get all the packages to install, and convert into a space separated list
+ $packages = hiera_array('profiles::packages::install', [])
+ $package_list = $packages.join(' ')
+
+ # install all the packages
+ exec { 'install_packages':
+ command => "${install_command} ${package_list}",
+ path => ['/bin', '/usr/bin'],
+ }
+}
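Review bot: The chaining block after `include profiles::firstrun::complete` is preceded by two blank lines and carries no comment on why the order matters, which is the one thing a reader of this class needs. One blank line and `# CA before repos before package install; the completion marker is only written after a successful install` would document it, since Puppet skips resources downstream of a failed one, so a failing install_packages exec leaves the marker unwritten and the node in bootstrap mode on the next run (worth confirming that this retry behaviour is intended).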
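Review bot: With an empty `profiles::packages::install` list the `command =>` line degenerates to `dnf install -y` with no arguments, which dnf (unlike apt-get) appears to exit non-zero on; the exec then fails, profiles::firstrun::complete is skipped through the chain in init.pp, and the node repeats the bootstrap on every run. Guarding the exec with `unless $packages.empty` avoids that. `hiera_array` is deprecated and base.pp already uses `lookup(..., 'unique')`, so the same call keeps the two lookups consistent. The exec has no `unless`/`creates`, so it re-runs on every catalog while the node is in firstrun mode; acceptable for a bootstrap, but say so in its comment.
```puppet
  # get all the packages to install; same key and merge strategy as the lookup in base.pp
  $packages = lookup('profiles::packages::install', Array[String], 'unique', [])
  $package_list = $packages.join(' ')

  # install all the packages; the exec is not idempotent and re-runs on each firstrun catalog,
  # and is skipped entirely when nothing is listed so it cannot fail on an empty argument list
  unless $packages.empty {
    exec { 'install_packages':
      command => "${install_command} ${package_list}",
      path    => ['/bin', '/usr/bin'],
    }
  }
```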