Merge branch 'develop' into neoloc/puppet_wrapper

Puppetfile

@@ -1,17 +1,26 @@
 forge 'forge.puppetlabs.com'
 moduledir 'external_modules'
 
-# Forge Modules
+# puppetlabs
 mod 'puppetlabs-stdlib', '9.1.0'
 mod 'puppetlabs-inifile', '6.0.0'
 mod 'puppetlabs-concat', '9.0.0'
-#mod 'eyp-eyplib', '0.1.24'
-#mod 'eyp-systemd', '3.1.0'
-mod 'puppet-systemd', '5.1.0'
-mod 'ghoneycutt-puppet', '3.3.0'
-mod 'puppet-archive', '7.0.0'
-mod 'puppet-chrony', '2.6.0'
 mod 'puppetlabs-vcsrepo', '6.1.0'
 mod 'puppetlabs-yumrepo_core', '2.0.0'
-mod 'puppet-yum', '7.0.0'
 mod 'puppetlabs-apt', '9.1.0'
+mod 'puppetlabs-puppetdb', '7.13.0'
+mod 'puppetlabs-postgresql', '9.1.0'
+mod 'puppetlabs-firewall', '6.0.0'
+mod 'puppetlabs-accounts', '8.1.0'
+
+# puppet
+mod 'puppet-python', '7.0.0'
+mod 'puppet-systemd', '5.1.0'
+mod 'puppet-yum', '7.0.0'
+mod 'puppet-archive', '7.0.0'
+mod 'puppet-chrony', '2.6.0'
+mod 'puppet-puppetboard', '9.0.0'
+
+# other
+mod 'ghoneycutt-puppet', '3.3.0'
+mod 'saz-sudo', '8.0.0'

environment.conf

@@ -1,2 +1,3 @@
 manifest = manifests/site.pp
 modulepath = external_modules:site
+config_version = '/usr/bin/grep signature /etc/puppetlabs/code/environments/$environment/.g10k-deploy.json | /usr/bin/cut -d \" -f 4'

hieradata/common.yaml

@@ -11,10 +11,8 @@ profiles::base::packages::common:
   - mtr
   - ncdu
   - neovim
-  - python3
   - screen
   - strace
-  - sudo
   - tmux
   - vim
   - vnstat
@@ -35,3 +33,13 @@ profiles::puppet::autosign::domains:
 
 profiles::puppet::enc::enc_repo: https://git.unkin.net/unkinben/puppet-enc.git
 profiles::puppet::r10k::r10k_repo: https://git.unkin.net/unkinben/puppet-r10k.git
+profiles::puppet::g10k::bin_path: '/opt/puppetlabs/bin/g10k'
+profiles::puppet::g10k::cfg_path: '/etc/puppetlabs/r10k/r10k.yaml'
+profiles::puppet::g10k::environments_path: '/etc/puppetlabs/code/environments'
+profiles::puppet::g10k::default_environment: 'develop'
+profiles::puppet::puppetdb::puppetdb_host: prodinf01n04.main.unkin.net
+puppetdb::master::config::create_puppet_service_resource: false
+puppetdb::master::config::puppetdb_host: "%{lookup('profiles::puppet::puppetdb::puppetdb_host')}"
+
+profiles::accounts::sysadmin::sshkeys:
+  - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDZ8SRLlPiDylBpdWR9LpvPg4fDVD+DZst4yRPFwMMhta4mnB1H9XuvZkptDhXywWQ7QIcqa2WbhCen0OQJCtwn3s7EYtacmF5MxmwBYocPoK2AArGuh6NA9rwTdLrPdzhZ+gwe88PAzRLNzjm0ZBR+mA9saMbPJdqpKp0AWeAM8QofRQAWuCzQg9i0Pn1KDMvVDRHCZof4pVlHSTyHNektq4ifovn0zhKC8jD/cYu95mc5ftBbORexpGiQWwQ3HZw1IBe0ZETB1qPIPwsoJpt3suvMrL6T2//fcIIUE3TcyJKb/yhztja4TZs5jT8370G/vhlT70He0YPxqHub8ZfBv0khlkY93VBWYpNGJwM1fVqlw7XbfBNdOuJivJac8eW317ZdiDnKkBTxapThpPG3et9ib1HoPGKRsd/fICzNz16h2R3tddSdihTFL+bmTCa6Lo+5t5uRuFjQvhSLSgO2/gRAprc3scYOB4pY/lxOFfq3pU2VvSJtRgLNEYMUYKk= ben@unkin.net

hieradata/os/AlmaLinux/AlmaLinux8.yaml

@@ -6,3 +6,4 @@ profiles::yum::managed_repos:
   - 'appstream'
   - 'epel'
   - 'puppet7'
+  - 'yum.postgresql.org'

hieradata/os/AlmaLinux/AlmaLinux9.yaml

@@ -6,3 +6,4 @@ profiles::yum::managed_repos:
   - 'appstream'
   - 'epel'
   - 'puppet7'
+  - 'yum.postgresql.org'

site/profiles/manifests/accounts/sysadmin.pp

@@ -0,0 +1,15 @@
+# create the sysadmin user
+class profiles::accounts::sysadmin(
+  Array[String] $sshkeys = [],
+){
+  profiles::base::account {'sysadmin':
+    username    => 'sysadmin',
+    uid         => 1000,
+    gid         => 1000,
+    groups      => ['wheel'],
+    sshkeys     => $sshkeys,
+    sudo_rules  => ['sysadmin ALL=(ALL) NOPASSWD:ALL'],
+    password    => '',
+    ignore_pass => true,
+  }
+}

site/profiles/manifests/base.pp

@@ -17,7 +17,7 @@ class profiles::base (
     }
   }
 
-  # install common required applications
+  # include the base packages profile
   class { 'profiles::base::packages':
     packages => hiera('profiles::base::packages::common'),
     ensure   => 'installed',
@@ -25,4 +25,21 @@ class profiles::base (
 
   # include admin scripts
   include profiles::base::scripts
+
+  # include the python class
+  class { 'python':
+    manage_python_package => true,
+    manage_venv_package   => true,
+    manage_pip_package    => true,
+    use_epel              => false,
+  }
+
+  # all hosts will have sudo applied
+  class { 'sudo':
+    secure_path => '/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/opt/puppetlabs/bin'
+  }
+
+  # default users
+  include profiles::accounts::sysadmin
+
 }

site/profiles/manifests/base/account.pp

@@ -0,0 +1,45 @@
+# a wrapper for puppetlabs-account and saz-sudo
+define profiles::base::account (
+  String $username,
+  Integer $uid,
+  Integer $gid = undef,
+  Boolean $manage_home = true,
+  Boolean $create_group = true,
+  Boolean $purge_sshkeys = true,
+  Boolean $system = false,
+  Boolean $locked = false,
+  String $password = '!!',
+  Boolean $ignore_pass = false,
+  Array[String] $groups = [],
+  Array[String] $sshkeys = [],
+  Array[String] $sudo_rules = [],
+  String $shell = '/usr/bin/bash',
+) {
+
+  # Set gid to uid if gid is undef
+  $final_gid = $gid ? {
+    undef   => $uid,
+    default => $gid,
+  }
+
+  # Manage user
+  accounts::user { $username:
+    uid                      => $uid,
+    gid                      => $final_gid,
+    shell                    => $shell,
+    groups                   => $groups,
+    sshkeys                  => $sshkeys,
+    system                   => $system,
+    locked                   => $locked,
+    password                 => $password,
+    create_group             => $create_group,
+    managehome               => $manage_home,
+    purge_sshkeys            => $purge_sshkeys,
+    ignore_password_if_empty => $ignore_pass,
+  }
+
+  # Manage sudo rules
+  sudo::conf { "${username}_sudo":
+    content => $sudo_rules,
+  }
+}

site/profiles/manifests/puppet/g10k.pp

@@ -30,8 +30,12 @@
 #
 # Limitations:
 # This is designed to work on Unix-like systems only.
-class profiles::puppet::g10k {
+class profiles::puppet::g10k (
-
+  String $bin_path,
+  String $cfg_path,
+  String $environments_path,
+  String $default_environment,
+){
   package { 'unzip':
     ensure => installed,
   }
@@ -50,7 +54,7 @@ class profiles::puppet::g10k {
     owner   => 'root',
     group   => 'root',
     mode    => '0755',
-    content => "#!/usr/bin/bash\n/opt/puppetlabs/bin/g10k -config /etc/puppetlabs/r10k/r10k.yaml\n",
+    content => template('profiles/puppet/g10k/puppet-g10k.erb'),
     require => Archive['/tmp/g10k.zip'],
   }
 

site/profiles/manifests/puppet/puppetboard.pp

@@ -0,0 +1,43 @@
+# Class: profiles::puppet::puppetboard
+#
+# This class manages the configuration of Puppetboard, a web frontend for PuppetDB.
+#
+# Parameters:
+#   - `python_version`: Specifies the Python version used for the virtualenv where Puppetboard runs.
+#   - `manage_virtualenv`: Determines if this class should handle the creation of the virtual environment for Puppetboard.
+#   - `reports_count`: Defines the number of reports to show per node in Puppetboard.
+#   - `offline_mode`: Determines if Puppetboard should work in offline mode or not.
+#   - `default_environment`: Sets the default Puppet environment to filter results in Puppetboard.
+#
+# Usage:
+#   This class can be called directly in your manifests or through Hiera.
+#
+# Example:
+#   To use the default parameters (as shown below), you can declare the class:
+#   
+#   include profiles::puppet::puppetboard
+#
+#   Alternatively, you can customize the parameters:
+#
+#   class { 'profiles::puppet::puppetboard':
+#     python_version => '3.8',
+#     reports_count  => 50,
+#     offline_mode   => false,
+#   }
+#
+class profiles::puppet::puppetboard (
+  String $python_version = '3.6',
+  Boolean $manage_virtualenv = false,
+  Integer $reports_count = 40,
+  Boolean $offline_mode = true,
+  String $default_environment = '*',
+) {
+
+  class { 'puppetboard':
+    python_version      => $python_version,
+    manage_virtualenv   => $manage_virtualenv,
+    reports_count       => $reports_count,
+    offline_mode        => $offline_mode,
+    default_environment => $default_environment,
+  }
+}

site/profiles/manifests/puppet/puppetdb.pp

@@ -0,0 +1,38 @@
+# profiles::puppet::puppetdb
+#
+# This class manages the installation and configuration of PuppetDB
+# and its underlying PostgreSQL database on a single node.
+#
+# It makes use of the puppetlabs-puppetdb module to manage both the
+# PuppetDB service and its PostgreSQL backend.
+#
+class profiles::puppet::puppetdb(
+  String  $puppetdb_host,
+  String  $listen_address = $facts['networking']['ip'],
+) {
+
+  # disable the postgresql dnf module for el8+
+  if $facts['os']['family'] == 'RedHat' and $facts['os']['release']['major'] >= '8' {
+    # based on https://github.com/puppetlabs/puppetlabs-postgresql/blob/main/manifests/dnfmodule.pp
+    package { 'postgresql dnf module':
+        ensure   => 'disabled',
+        name     => 'postgresql',
+        provider => 'dnfmodule',
+        before   => Class['puppetdb::database::postgresql'],
+    }
+  }
+
+  # Install and configure PostgreSQL for PuppetDB
+  class { 'puppetdb::database::postgresql':
+    listen_addresses  => $listen_address,
+    postgresql_ssl_on => false,
+    postgres_version  => '15',
+    puppetdb_server   => $puppetdb_host,
+    before            => Class['puppetdb::server'],
+  }
+
+  class { 'puppetdb::server':
+    database_host     => $listen_address,
+    postgresql_ssl_on => false,
+  }
+}

site/profiles/manifests/puppet/puppetmaster.pp

@@ -27,6 +27,7 @@ class profiles::puppet::puppetmaster {
   include profiles::puppet::g10k
   include profiles::puppet::enc
   include profiles::puppet::autosign
+  include puppetdb::master::config
 
   class { 'profiles::puppet::server':
     vardir              => '/opt/puppetlabs/server/data/puppetserver',
@@ -34,10 +35,20 @@ class profiles::puppet::puppetmaster {
     rundir              => '/var/run/puppetlabs/puppetserver',
     pidfile             => '/var/run/puppetlabs/puppetserver/puppetserver.pid',
     codedir             => '/etc/puppetlabs/code',
-    dns_alt_names  => ['prodinf01n01.main.unkin.net'],
+    dns_alt_names       => [
+      'prodinf01n01.main.unkin.net',
+      'puppet.main.unkin.net',
+      'puppetca.main.unkin.net',
+      'puppetmaster.main.unkin.net',
+      'puppet',
+      'puppetca',
+      'puppetmaster',
+    ],
     server              => 'prodinf01n01.main.unkin.net',
     node_terminus       => 'exec',
     external_nodes      => '/opt/puppetlabs/bin/enc',
     autosign            => '/etc/puppetlabs/puppet/autosign.conf',
+    default_manifest    => '/etc/puppetlabs/code/environments/develop/manifests',
+    default_environment => 'develop',
   }
 }

site/profiles/manifests/puppet/server.pp

@@ -25,6 +25,8 @@ class profiles::puppet::server (
   String $node_terminus,
   String $external_nodes,
   String $autosign,
+  String $default_manifest,
+  String $default_environment,
 ) {
 
   file { '/etc/puppetlabs/puppet/puppet.conf':
@@ -43,6 +45,8 @@ class profiles::puppet::server (
       'node_terminus'       => $node_terminus,
       'external_nodes'      => $external_nodes,
       'autosign'            => $autosign,
+      'default_manifest'    => $default_manifest,
+      'default_environment' => $default_environment,
     }),
     notify  => Service['puppetserver'],
   }

site/profiles/templates/puppet/g10k/puppet-g10k.erb

@@ -0,0 +1,4 @@
+#!/usr/bin/bash
+<%= @bin_path %> -config <%= @cfg_path %>
+rm -f <%= @environments_path %>/production
+ln -s <%= @environments_path %>/<%= @default_environment %> <%= @environments_path %>/production

site/profiles/templates/puppet/server/puppet.conf.epp

@@ -15,3 +15,5 @@ server = <%= $server %>
 node_terminus = exec
 external_nodes = <%= $external_nodes %>
 autosign = <%= $autosign %>
+default_manifest = <%= $default_manifest %>
+default_environment = <%= $default_environment %>

site/roles/manifests/puppet/puppetdb.pp

@@ -0,0 +1,7 @@
+# a role to deploy the puppetdb
+# work in progress
+class roles::puppet::puppetdb {
+    include profiles::defaults
+    include profiles::base
+    include profiles::puppet::puppetdb
+  }