From 76989e45c46bbf7ed21e6706f92cb4552591a904 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sat, 27 Jul 2024 04:09:59 +1000 Subject: [PATCH 1/5] feat: change packages to Hash - change from multiple arrays for managing packages to a hash - change to ensure_packages to prevent duplicate resource conflicts --- site/profiles/manifests/packages.pp | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/site/profiles/manifests/packages.pp b/site/profiles/manifests/packages.pp index dc61d52..d2ef55c 100644 --- a/site/profiles/manifests/packages.pp +++ b/site/profiles/manifests/packages.pp @@ -5,6 +5,7 @@ # - $exclude: An array of package names to be removed from managed hash # class profiles::packages ( +<<<<<<< HEAD Hash $include = {}, Array[String] $exclude = [], ) { @@ -16,4 +17,11 @@ class profiles::packages ( # Manage packages ensure_packages($filtered_include) +======= + Hash $manage = {}, +) { + + # Manage packages + ensure_packages($manage) +>>>>>>> d68d9e2 (feat: change packages to Hash) } From 08241692eec107ab17d5849740258e9840949521 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sat, 27 Jul 2024 00:52:51 +1000 Subject: [PATCH 2/5] feat: add rundeck - add puppet-rundeck module - add rundeck role --- Puppetfile | 1 + hieradata/roles/infra/automation/rundeck.yaml | 1 + site/roles/manifests/infra/automation/rundeck.pp | 10 ++++++++++ 3 files changed, 12 insertions(+) create mode 100644 hieradata/roles/infra/automation/rundeck.yaml create mode 100644 site/roles/manifests/infra/automation/rundeck.pp diff --git a/Puppetfile b/Puppetfile index 6e43b91..76b2d86 100644 --- a/Puppetfile +++ b/Puppetfile @@ -39,6 +39,7 @@ mod 'puppet-network', '2.2.0' mod 'puppet-kmod', '4.0.1' mod 'puppet-filemapper', '4.0.0' mod 'puppet-letsencrypt', '11.0.0' +mod 'puppet-rundeck', '9.1.0' # other mod 'ghoneycutt-puppet', '3.3.0' diff --git a/hieradata/roles/infra/automation/rundeck.yaml b/hieradata/roles/infra/automation/rundeck.yaml new file mode 100644 index 0000000..ed97d53 
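Review bot: Every added line in the two packages.pp hunks of PATCH 1/5 is unresolved merge-conflict residue: `<<<<<<< HEAD`, `=======`, `>>>>>>> d68d9e2 (feat: change packages to Hash)`, plus a second parameter list and a second `ensure_packages($manage)` body, so the manifest as committed is very unlikely to parse. The `$include`/`$exclude` side is already present as context, so the fix is to resolve the conflict in this commit by dropping the markers and the `$manage` variant. PATCH 5/5 later deletes exactly these lines, which leaves every intermediate commit in the series with a broken class. A pre-commit or CI step that rejects conflict markers and runs `puppet parser validate` would stop this before it reaches a branch.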
--- /dev/null +++ b/hieradata/roles/infra/automation/rundeck.yaml @@ -0,0 +1 @@ +--- diff --git a/site/roles/manifests/infra/automation/rundeck.pp b/site/roles/manifests/infra/automation/rundeck.pp new file mode 100644 index 0000000..e8b8223 --- /dev/null +++ b/site/roles/manifests/infra/automation/rundeck.pp @@ -0,0 +1,10 @@ +# a role to deploy rundeck +class roles::infra::automation::rundeck { + if $facts['firstrun'] { + include profiles::defaults + include profiles::firstrun::init + }else{ + include profiles::defaults + include profiles::base + } +} From cb5bb0798f800312d4b0143d2dcd81882133d449 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sat, 27 Jul 2024 02:07:39 +1000 Subject: [PATCH 3/5] feat: add rundeck to ldap - add service account for rundeck - add rundeck_access group --- hieradata/roles/infra/auth/glauth.yaml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/hieradata/roles/infra/auth/glauth.yaml b/hieradata/roles/infra/auth/glauth.yaml index 49ce487..3fd0003 100644 --- a/hieradata/roles/infra/auth/glauth.yaml +++ b/hieradata/roles/infra/auth/glauth.yaml @@ -59,6 +59,7 @@ glauth::users: - 20014 - 20015 - 20016 + - 20017 loginshell: '/bin/bash' homedir: '/home/benvin' passsha256: 'd2434f6b4764ef75d5b7b96a876a32deedbd6aa726a109c3f32e823ca66f604a' @@ -134,6 +135,12 @@ glauth::services: othergroups: - 20016 passsha256: '7af7e12fdc56e9050d16c167f4e34091ad3cf938283e13451b35f9b3d212bfa2' + svc_rundeck: + service_name: 'svc_rundeck' + mail: 'rundeck@service.main.unkin.net' + uidnumber: 30007 + primarygroup: 20001 + passsha256: 'b27786b22c5938d24ffc9be049de366b055c9f054bf38fb73bbd6fba9e1bd525' glauth::groups: users: @@ -163,3 +170,6 @@ glauth::groups: nzbget_access: group_name: 'nzbget_access' gidnumber: 20016 + rundeck_access: + group_name: 'rundeck_access' + gidnumber: 20017 From 26ffe17ee1fa72ff281841bc1cfab498b5999a9a Mon Sep 17 00:00:00 2001 
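Review bot: The new `svc_rundeck` entry in the `glauth::services` hunk of PATCH 3/5 stores its credential as `passsha256`, an unsalted single-round SHA-256 digest, in plain hieradata rather than in an eyaml file. Anyone with read access to the repository can test candidate passwords against that digest offline, and this is the account Rundeck later binds with to search the directory. Prefer glauth's `passbcrypt` field for the service account if the local glauth module passes it through, and consider keeping the hash in eyaml as the database passwords in this repository already are. The existing `passsha256` values visible as context carry the same exposure.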
From: Ben Vincent Date: Sat, 27 Jul 2024 02:10:27 +1000 Subject: [PATCH 4/5] feat: add database - add database for rundeck --- hieradata/country/au/region/syd1/infra/sql/galera.eyaml | 1 + hieradata/country/au/region/syd1/infra/sql/galera.yaml | 9 +++++++++ 2 files changed, 10 insertions(+) diff --git a/hieradata/country/au/region/syd1/infra/sql/galera.eyaml b/hieradata/country/au/region/syd1/infra/sql/galera.eyaml index 6904b7f..b94e2fe 100644 --- a/hieradata/country/au/region/syd1/infra/sql/galera.eyaml +++ b/hieradata/country/au/region/syd1/infra/sql/galera.eyaml @@ -1,2 +1,3 @@ --- mysql::db::grafana::pass: ENC[PKCS7,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] +mysql::db::rundeck::pass: ENC[PKCS7,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] diff --git a/hieradata/country/au/region/syd1/infra/sql/galera.yaml b/hieradata/country/au/region/syd1/infra/sql/galera.yaml index d84ef52..d10ac39 100644 --- a/hieradata/country/au/region/syd1/infra/sql/galera.yaml +++ b/hieradata/country/au/region/syd1/infra/sql/galera.yaml @@ -13,3 +13,12 @@ mysql::db: - INSERT - UPDATE - DELETE + rundeck: + name: rundeck + user: rundeck + password: "%{alias('mysql::db::rundeck::pass')}" + grant: + - SELECT + - INSERT + - UPDATE + - DELETE From 5354c99b1ef9da75323ef6eaa290545c39572b6a Mon Sep 17 00:00:00 2001 
From: Ben Vincent Date: Sat, 27 Jul 2024 02:29:08 +1000 Subject: [PATCH 5/5] feat: add rundeck profile - export mysql user for each rundeck server - ensure the jdbc driver for mariadb is available - exclude jq from default packages (managed by rundeck) - add groups for admin/user for each project in rundeck - add consul service - add vault certificates - add ssh principals - add nginx simpleproxy --- hieradata/roles/infra/auth/glauth.yaml | 16 ++ .../roles/infra/automation/rundeck.eyaml | 5 + hieradata/roles/infra/automation/rundeck.yaml | 201 ++++++++++++++++++ site/profiles/manifests/packages.pp | 8 - site/profiles/manifests/rundeck/server.pp | 89 ++++++++ 5 files changed, 311 insertions(+), 8 deletions(-) create mode 100644 hieradata/roles/infra/automation/rundeck.eyaml create mode 100644 site/profiles/manifests/rundeck/server.pp diff --git a/hieradata/roles/infra/auth/glauth.yaml b/hieradata/roles/infra/auth/glauth.yaml index 3fd0003..94e9f91 100644 --- a/hieradata/roles/infra/auth/glauth.yaml +++ b/hieradata/roles/infra/auth/glauth.yaml @@ -60,6 +60,7 @@ glauth::users: - 20015 - 20016 - 20017 + - 20018 loginshell: '/bin/bash' homedir: '/home/benvin' passsha256: 'd2434f6b4764ef75d5b7b96a876a32deedbd6aa726a109c3f32e823ca66f604a' @@ -173,3 +174,18 @@ glauth::groups: rundeck_access: group_name: 'rundeck_access' gidnumber: 20017 + rundeck_globaladmin: + group_name: 'rundeck_globaladmin' + gidnumber: 20018 + rundeck_selfservice_admin: + group_name: 'rundeck_selfservice_admin' + gidnumber: 20019 + rundeck_selfservice_user: + group_name: 'rundeck_selfservice_user' + gidnumber: 20020 + rundeck_infrastructure_admin: + group_name: 'rundeck_infrastructure_admin' + gidnumber: 20021 + rundeck_infrastructure_user: + group_name: 'rundeck_infrastructure_user' + gidnumber: 20022 diff --git a/hieradata/roles/infra/automation/rundeck.eyaml b/hieradata/roles/infra/automation/rundeck.eyaml new file mode 100644 index 0000000..d74d27a --- /dev/null 
+++ b/hieradata/roles/infra/automation/rundeck.eyaml
@@ -0,0 +1,5 @@
+---
+vault::roleid: ENC[PKCS7,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]
+mysql::db::rundeck::pass: ENC[PKCS7,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]
+ldap_bindpass: ENC[PKCS7,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]
+rundeck_admin_pass: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAKiifIR1lY5tD9p5FHwGkc8pOEQ3ZQhZZ/y50gr+jrlUq6I2Jmt+S72eo92eyN/Ej8y9ED5jIfqybs3qmy6p7Ln+6KK7z5+nICZGKhm7/02jmx9qRcfnOH/nm+i+qyugyHFD/xGvjnQkU8FGWK6qMBppNISWGLp8QhuhcYrHjv5ziaP+/Y/+iTlWcqGmIGVNVpRHFov0nXnVuqaAYhkZyFzMX0uBKgNikn3xhXT5mEO7thiqZjMmrTE7xotW39+t8pwcFQT0xAU97v7hVGwO7L9aS+lrCNX+Ex2HZUMC6XbHu6htQhlpOSK7d0mE8IVFpLJZ3Nff1ojV33Xbb+uFxEzBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBDZZ3+/SYor8LZYUX1h9Re1gDCnCli5nSNOIsLmczbqqIGI92JtCCmqggDyaDZ2VdOeKtgYDXaND+0u3d4ikxrW1tg=]
diff --git a/hieradata/roles/infra/automation/rundeck.yaml b/hieradata/roles/infra/automation/rundeck.yaml
index ed97d53..ce6d2c2 100644
--- a/hieradata/roles/infra/automation/rundeck.yaml
+++ b/hieradata/roles/infra/automation/rundeck.yaml
@@ -1 +1,202 @@
 ---
+hiera_include:
+ - profiles::rundeck::server
+ - profiles::nginx::simpleproxy
+
+profiles::packages::exclude:
+ - jq
+
+profiles::ssh::sign::principals:
+ - rundeck.main.unkin.net
+ - rundeck.service.consul
+ - rundeck.query.consul
+
+# manage a simple nginx reverse proxy
+profiles::nginx::simpleproxy::nginx_vhost: 'rundeck.query.consul'
+profiles::nginx::simpleproxy::nginx_aliases:
+ - rundeck.main.unkin.net
+ - rundeck.service.consul
+ - rundeck.query.consul
+ - "rundeck.service.%{facts.country}-%{facts.region}.consul"
+
+profiles::nginx::simpleproxy::proxy_port: 4440
+profiles::nginx::simpleproxy::proxy_path: '/'
+nginx::client_max_body_size: 20M
+# additional altnames
+profiles::pki::vault::alt_names:
+ - rundeck.main.unkin.net
+ - rundeck.service.consul
+ - rundeck.query.consul
+ - "rundeck.service.%{facts.country}-%{facts.region}.consul"
+
+# configure consul service
+consul::services:
+ rundeck:
+ service_name: 'rundeck'
+ tags:
+ - 'automation'
+ - 'rundeck'
+ address: "%{facts.networking.ip}"
+ port: 443
+ checks:
+ - id: 'glauth_http_check'
+ name: 'glauth HTTP Check'
+ http: "http://%{facts.networking.fqdn}:4440"
+ method: 'GET'
+ tls_skip_verify: true
+ interval: '10s'
+ timeout: '1s'
+profiles::consul::client::node_rules:
+ - resource: service
+ segment: rundeck
+ disposition: write
+
+profiles::rundeck::server::mysql_backend: true
+profiles::rundeck::server::mysql_host: mariadb-prod.service.au-syd1.consul
+profiles::rundeck::server::grails_server_url: https://rundeck.service.consul
+profiles::rundeck::server::auth_config:
+ file:
+ auth_flag: 'sufficient'
+ jaas_config:
+ file: '/etc/rundeck/realm.properties'
+ realm_config:
+ admin_user: 'admin'
+ admin_password: "%{hiera('rundeck_admin_pass')}"
+ ldap:
+ jaas_config:
+ debug: 'true'
+ providerUrl: 'ldap://ldap.service.consul:389'
+ bindDn: 'cn=svc_rundeck,ou=services,ou=users,dc=main,dc=unkin,dc=net'
+ bindPassword: "%{hiera('ldap_bindpass')}"
+ authenticationMethod: 'simple'
+ forceBindingLogin: 'true'
+ userBaseDn: 'ou=people,ou=users,dc=main,dc=unkin,dc=net'
+ userRdnAttribute: 'uid'
+ userIdAttribute: 'uid'
+ userPasswordAttribute: 'userPassword'
+ userObjectClass: 'posixAccount'
+ roleBaseDn: 'ou=groups,dc=main,dc=unkin,dc=net'
+ roleNameAttribute: 'uid'
+ roleMemberAttribute: 'uniqueMember'
+ roleObjectClass: 'groupOfUniqueNames'
+ nestedGroups: 'true'
+
+profiles::rundeck::server::key_storage_config:
+ - type: 'db'
+ path: 'keys'
+ - type: 'vault-storage'
+ path: 'vault'
+ config:
+ prefix: 'rundeck'
+ address: https://vault.query.consul:8200
+ storageBehaviour: 'vault'
+ secretBackend: rundeck
+ engineVersion: '2'
+ authBackend: approle
+ approleAuthMount: approle
+ approleId: "%{hiera('vault::roleid')}"
+
+profiles::rundeck::server::cli_projects:
+ Self-Service:
+ update_method: 'set'
+ config:
+ project.description: 'self-service tasks'
+ project.disable.executions: 'false'
+ Infrastructure:
+ config:
+ project.description: 'infrastructure management'
+ project.disable.schedule: 'false'
+
+profiles::rundeck::server::acl_policies:
+ global_admin_policy:
+ acl_policies:
+ - description: 'Global Admin, all access'
+ context:
+ application: "rundeck"
+ for:
+ project:
+ - allow: '*'
+ resource:
+ - allow: '*'
+ storage:
+ - allow: '*'
+ by:
+ - group: ['rundeck_globaladmin']
+ - description: 'Global Admin, all access'
+ context:
+ project: '.*'
+ for:
+ resource:
+ - allow: '*'
+ adhoc:
+ - allow: '*'
+ job:
+ - allow: '*'
+ node:
+ - allow: '*'
+ by:
+ - group: ['rundeck_globaladmin']
+ selfservice_admin_policy:
+ acl_policies:
+ - description: 'Admin, all access for Self-Service project'
+ context:
+ project: 'Self-Service'
+ for:
+ resource:
+ - allow: '*'
+ adhoc:
+ - allow: '*'
+ job:
+ - allow: '*'
+ node:
+ - allow: '*'
+ by:
+ - group: ['rundeck_selfserice_admin']
+ selfservice_user_policy:
+ acl_policies:
+ - description: 'Users can execute tasks but not edit for Self-Service project'
+ context:
+ project: 'Self-Service'
+ for:
+ resource:
+ - allow: ['read']
+ adhoc:
+ - allow: ['run']
+ job:
+ - allow: ['read', 'run']
+ node:
+ - allow: ['read', 'run']
+ by:
+ - group: ['rundeck_selfserice_user']
+ infrastructure_admin_policy:
+ acl_policies:
+ - description: 'Admin, all access for Infrastructure project'
+ context:
+ project: 'Infrastructure'
+ for:
+ resource:
+ - allow: '*'
+ adhoc:
+ - allow: '*'
+ job:
+ - allow: '*'
+ node:
+ - allow: '*'
+ by:
+ - group: ['rundeck_infrastructure_admin']
+ infrastructure_user_policy:
+ acl_policies:
+ - description: 'Users can execute tasks but not edit for Infrastructure project'
+ context:
+ project: 'Infrastructure'
+ for:
+ resource:
+ - allow: ['read']
+ adhoc:
+ - allow: ['run']
+ job:
+ - allow: ['read', 'run']
+ node:
+ - allow: ['read', 'run']
+ by:
+ - group: ['rundeck_infrastructure_user']
diff --git a/site/profiles/manifests/packages.pp b/site/profiles/manifests/packages.pp
index d2ef55c..dc61d52 100644
--- a/site/profiles/manifests/packages.pp
+++ b/site/profiles/manifests/packages.pp
@@ -5,7 +5,6 @@ # - $exclude: An array of package names to be removed from managed hash # class profiles::packages ( -<<<<<<< HEAD Hash $include = {}, Array[String] $exclude = [], ) {
@@ -17,11 +16,4 @@ class profiles::packages ( # Manage packages ensure_packages($filtered_include) -======= - Hash $manage = {}, -) { - - # Manage packages - ensure_packages($manage) ->>>>>>> d68d9e2 (feat: change packages to Hash) }
diff --git a/site/profiles/manifests/rundeck/server.pp b/site/profiles/manifests/rundeck/server.pp
new file mode 100644
index 0000000..28f672a
--- /dev/null
+++ b/site/profiles/manifests/rundeck/server.pp
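Review bot: The `by:` clauses of `selfservice_admin_policy` and `selfservice_user_policy` in the rundeck.yaml hunk name `rundeck_selfserice_admin` and `rundeck_selfserice_user`, but the groups this patch creates in glauth.yaml are `rundeck_selfservice_admin` and `rundeck_selfservice_user`, so these two policies will match nobody; correct them to `- group: ['rundeck_selfservice_admin']` and `- group: ['rundeck_selfservice_user']`. Separately, the LDAP JAAS block uses `authenticationMethod: 'simple'` against `providerUrl: 'ldap://ldap.service.consul:389'`, which carries the service bind password and every user's login password unencrypted on the wire. Point it at an `ldaps://` endpoint if glauth exposes one, and drop `debug: 'true'` once login works. The consul check also still has the copied `glauth_http_check` / `glauth HTTP Check` id and name and should be renamed for rundeck.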
@@ -0,0 +1,89 @@
+# profiles::rundeck::server
+class profiles::rundeck::server (
+ Struct[{
+ Optional['file'] => Hash[String, Any],
+ Optional['ldap'] => Hash[String, Any],
+ Optional['pam'] => Hash[String, Any]
+ }] $auth_config = {},
+ Array[Hash] $key_storage_config = [],
+ Hash $acl_policies = {},
+ Hash $cli_projects = {},
+ String $cli_user = 'admin',
+ String $cli_password = lookup('rundeck_admin_pass'),
+ Boolean $mysql_backend = true,
+ String $mysql_user = 'rundeck',
+ String $mysql_name = 'rundeck',
+ String $mysql_pass = fqdn_rand_string(16),
+ Stdlib::Host $mysql_host = '127.0.0.1',
+ Stdlib::Port $mysql_port = 3306,
+ Stdlib::Absolutepath $extra_libs_dir = '/var/lib/rundeck/lib',
+ Stdlib::Absolutepath $jdbc_driver_dest = "${extra_libs_dir}/mariadb-java-client-3.4.1.jar",
+ Stdlib::HTTPSUrl $jdbc_driver_url = 'https://dlm.mariadb.com/3852266/Connectors/java/connector-java-3.4.1/mariadb-java-client-3.4.1.jar',
+ Stdlib::HTTPSUrl $grails_server_url = "https://${facts['networking']['fqdn']}:4440",
+ String $jvm_args = '-Xmx1024m -Xms256m -server -Drundeck.jetty.connector.forwarded=true',
+){
+
+ # when using mysql backend
+ if $mysql_backend {
+
+ # export a mariadb user
+ @@mysql_user { "${mysql_user}@${facts['networking']['fqdn']}":
+ ensure => present,
+ password_hash => mysql::password($mysql_pass),
+ tag => $facts['region'],
+ }
+
+ # export a mariadb permission
+ @@mysql_grant { "${mysql_user}@${facts['networking']['fqdn']}/${mysql_name}.*":
+ ensure => present,
+ table => "${mysql_name}.*",
+ user => "${mysql_user}@${facts['networking']['fqdn']}",
+ privileges => ['ALL'],
+ tag => $facts['region'],
+ }
+
+ # create the missing /var/lib/rundeck/lib directory
+ mkdir::p {$extra_libs_dir:}
+ file {$extra_libs_dir:
+ ensure => directory,
+ owner => 'rundeck',
+ group => 'rundeck',
+ mode => '0755',
+ require => Package['rundeck'],
+ before => Service['rundeckd'],
+ }
+
+ # download the jdbc driver, place in /var/lib/rundeck/lib
+ archive { $jdbc_driver_dest:
+ ensure => present,
+ source => $jdbc_driver_url,
+ extract => false,
+ user => 'rundeck',
+ group => 'rundeck',
+ require => File[$extra_libs_dir],
+ before => Service['rundeckd'],
+ }
+
+ $database_config = {
+ 'url' => "jdbc:mysql://${mysql_host}:${mysql_port}/${mysql_name}",
+ 'username' => $mysql_user,
+ 'password' => $mysql_pass,
+ 'driverClassName' => 'org.mariadb.jdbc.Driver',
+ }
+ }else{
+ $database_config = {}
+ }
+
+ class { 'rundeck':
+ grails_server_url => $grails_server_url,
+ auth_config => $auth_config,
+ key_storage_config => $key_storage_config,
+ database_config => $database_config,
+ cli_user => $cli_user,
+ cli_password => $cli_password,
+ jvm_args => $jvm_args,
+ }
+
+ create_resources('rundeck::config::aclpolicyfile', $acl_policies)
+ create_resources('rundeck::config::project', $cli_projects)
+}
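Review bot: The parameter default `String $mysql_pass = fqdn_rand_string(16)` makes the database password a deterministic function of the node's FQDN (no seed is passed), so anyone who knows the hostname can reproduce it; that value is then exported in `@@mysql_user` and written into `database_config`. rundeck.eyaml in this patch already adds an encrypted `mysql::db::rundeck::pass`, but nothing visible in this hunk reads it; following the `$cli_password` pattern, `String $mysql_pass = lookup('mysql::db::rundeck::pass'),` would use it. The `archive` resource also downloads the JDBC jar into Rundeck's lib directory with no integrity check, so add `checksum_type => 'sha256'` and `checksum => '<sha256 of mariadb-java-client-3.4.1.jar>'` using the vendor-published digest. Finally, the exported `@@mysql_grant` sets `privileges => ['ALL']` while galera.yaml in PATCH 4/5 grants the `rundeck` user only SELECT/INSERT/UPDATE/DELETE; if Rundeck needs DDL to create its tables, list those privileges explicitly instead of ALL.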