10 Commits

Author SHA1 Message Date
unkinben e20f3bc372 nginx authproxy module 2024-07-05 22:49:22 +10:00
unkinben 8e1622a158 Merge pull request 'neoloc/glauth' (#87) from neoloc/glauth into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/87
2024-07-02 18:12:54 +10:00
unkinben fe35baacfd chore: cleanup glauth
- remove datavol, not required
- remove commented out systemd socket
2024-07-02 18:12:08 +10:00
unkinben 6e3802ad57 feat: add users/services/groups 2024-07-01 22:54:22 +10:00
unkinben c8604baa4e feat: add glauth role/profile classes
- role added to cobbler
- add role specific hieradata
2024-07-01 22:42:29 +10:00
unkinben c69e8c487e feat: create glauth module
- manage config directories, config file
- manage systemd service and socket
- manage users, service accounts and groups
- manage defaults for users, services and groups
- manage packages for role
2024-07-01 22:42:12 +10:00
unkinben 0a86986edf Merge pull request 'neoloc/jellyfin' (#86) from neoloc/jellyfin into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/86
2024-06-30 21:24:49 +10:00
unkinben 2199e4e3c0 feat: add jellyfin to haproxy 2024-06-30 00:02:44 +10:00
unkinben f81b5753ff feat: add jellyfin role/profile classes 2024-06-30 00:02:16 +10:00
unkinben e437629e12 feat: add jellyfin module 2024-06-30 00:01:38 +10:00
36 changed files with 1010 additions and 0 deletions
@@ -11,6 +11,7 @@ profiles::haproxy::mappings:
- 'lidarr.main.unkin.net be_lidarr'
- 'readarr.main.unkin.net be_readarr'
- 'prowlarr.main.unkin.net be_prowlarr'
- 'jellyfin.main.unkin.net be_jellyfin'
fe_https:
ensure: present
mappings:
@@ -21,6 +22,7 @@ profiles::haproxy::mappings:
- 'lidarr.main.unkin.net be_lidarr'
- 'readarr.main.unkin.net be_readarr'
- 'prowlarr.main.unkin.net be_prowlarr'
- 'jellyfin.main.unkin.net be_jellyfin'
profiles::haproxy::frontends:
fe_http:
@@ -153,6 +155,22 @@ profiles::haproxy::backends:
- set-header X-Forwarded-Port %[dst_port]
- add-header X-Forwarded-Proto https if { dst_port 443 }
redirect: 'scheme https if !{ ssl_fc }'
be_jellyfin:
description: Backend for au-syd1 jellyfin
collect_exported: false # handled in custom function
options:
balance: roundrobin
option:
- httpchk GET /
- forwardfor
- http-keep-alive
- prefer-last-server
cookie: SRVNAME insert indirect nocache
http-reuse: always
http-request:
- set-header X-Forwarded-Port %[dst_port]
- add-header X-Forwarded-Proto https if { dst_port 443 }
redirect: 'scheme https if !{ ssl_fc }'
profiles::haproxy::certlist::enabled: true
profiles::haproxy::certlist::certificates:
@@ -167,6 +185,7 @@ profiles::pki::vault::alt_names:
- lidarr.main.unkin.net
- readarr.main.unkin.net
- prowlarr.main.unkin.net
- jellyfin.main.unkin.net
# additional cnames
profiles::haproxy::dns::cnames:
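Review bot: The new `be_jellyfin` backend uses `add-header X-Forwarded-Proto https if { dst_port 443 }`, which appends rather than replaces, so a client-supplied `X-Forwarded-Proto` header is forwarded to Jellyfin alongside the proxy's own value; `set-header X-Forwarded-Proto https if { dst_port 443 }` gives the backend a single value it can trust. This is copied from the sibling backends above, so the fix is probably wider than this hunk. The `httpchk GET /` line has no `http-check expect`, so HAProxy's default acceptance of any 2xx/3xx applies — fine if Jellyfin answers `/` with a redirect, but worth a comment so nobody later tightens it to `status 200` and takes the backend down.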
+48
@@ -0,0 +1,48 @@
---
hiera_include:
- jellyfin
- profiles::nginx::simpleproxy
# manage jellyfin
jellyfin::params::service_enable: true
# additional altnames
profiles::pki::vault::alt_names:
- jellyfin.main.unkin.net
- jellyfin.service.consul
- jellyfin.query.consul
- "jellyfin.service.%{facts.country}-%{facts.region}.consul"
# manage a simple nginx reverse proxy
profiles::nginx::simpleproxy::nginx_vhost: 'jellyfin.query.consul'
profiles::nginx::simpleproxy::nginx_aliases:
- jellyfin.main.unkin.net
- jellyfin.service.consul
- jellyfin.query.consul
- "jellyfin.service.%{facts.country}-%{facts.region}.consul"
profiles::nginx::simpleproxy::proxy_port: 8096
profiles::nginx::simpleproxy::proxy_host: 127.0.0.1
profiles::nginx::simpleproxy::proxy_path: '/'
# configure consul service
nginx::client_max_body_size: 10M
consul::services:
jellyfin:
service_name: 'jellyfin'
tags:
- 'media'
- 'jellyfin'
address: "%{facts.networking.ip}"
port: 443
checks:
- id: 'jellyfin_http_check'
name: 'jellyfin HTTP Check'
http: "https://%{facts.networking.fqdn}:443"
method: 'GET'
tls_skip_verify: true
interval: '10s'
timeout: '1s'
profiles::consul::client::node_rules:
- resource: service
segment: jellyfin
disposition: write
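Review bot: The consul check sets `tls_skip_verify: true` against `https://%{facts.networking.fqdn}:443`, so the check never validates the certificate even though this same file requests a Vault-issued cert whose alt names cover the vhost, and the nginx proxy presumably serves that cert. If the Vault CA is in the agent's trust store, `tls_skip_verify: false` lets the check also catch an expired or mis-issued certificate; if it is not, keep the flag but add `# Vault CA not in system trust store` so the reason is recorded. Separately, `nginx::client_max_body_size: 10M` sits under the `# configure consul service` comment and belongs above it.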
+129
@@ -0,0 +1,129 @@
---
hiera_include:
- glauth
# additional altnames
profiles::pki::vault::alt_names:
- ldap.main.unkin.net
- ldap.service.consul
- ldap.query.consul
- "ldap.service.%{facts.country}-%{facts.region}.consul"
glauth::params::download_version: 2.3.2
glauth::params::ldap_enabled: true
glauth::params::ldaps_enabled: true
glauth::params::basedn: 'dc=main,dc=unkin,dc=net'
glauth::params::behaviors_ignorecapabilities: true
glauth::params::ldap_tlscertpath: /etc/pki/tls/vault/certificate.crt
glauth::params::ldap_tlskeypath: /etc/pki/tls/vault/private.key
glauth::params::ldaps_cert: /etc/pki/tls/vault/certificate.crt
glauth::params::ldaps_key: /etc/pki/tls/vault/private.key
glauth::params::api_cert: /etc/pki/tls/vault/certificate.crt
glauth::params::api_key: /etc/pki/tls/vault/private.key
# configure consul service
consul::services:
ldap:
service_name: 'ldap'
tags:
- 'media'
- 'ldap'
address: "%{facts.networking.ip}"
port: 636
checks:
- id: 'glauth_http_check'
name: 'glauth HTTP Check'
http: "https://%{facts.networking.fqdn}:5555"
method: 'GET'
tls_skip_verify: true
interval: '10s'
timeout: '1s'
profiles::consul::client::node_rules:
- resource: service
segment: ldap
disposition: write
glauth::users:
benvin:
user_name: 'benvin'
givenname: 'Ben'
sn: 'Vincent'
mail: 'ben@users.main.unkin.net'
uidnumber: 20000
primarygroup: 20000
othergroups:
- 20010
- 20011
- 20012
- 20013
- 20014
- 20015
loginshell: '/bin/bash'
homedir: '/home/benvin'
passsha256: 'd2434f6b4764ef75d5b7b96a876a32deedbd6aa726a109c3f32e823ca66f604a'
sshkeys:
- 'ssh-rsa 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 ben@unkin.net'
glauth::services:
svc_jellyfin:
service_name: 'svc_jellyfin'
mail: 'jellyfin@service.main.unkin.net'
uidnumber: 30000
primarygroup: 20001
passsha256: '97f7b1eb24deb0a86e812d79c56f4901d39a24128dc9f6fde033e7195f7d0739'
svc_sonarr:
service_name: 'svc_sonarr'
mail: 'sonarr@service.main.unkin.net'
uidnumber: 30001
primarygroup: 20001
passsha256: 'e4068a02bb930c2c2ccfea6b638df1fb4c29c1b083732b92e91da47d5de4a51d'
svc_radarr:
service_name: 'svc_radarr'
mail: 'radarr@service.main.unkin.net'
uidnumber: 30002
primarygroup: 20001
passsha256: '805b0182d90c2b5b3ba43e50988447a0bff0115eb5fedd8eeae8eac00ba53025'
svc_lidarr:
service_name: 'svc_lidarr'
mail: 'lidarr@service.main.unkin.net'
uidnumber: 30003
primarygroup: 20001
passsha256: '6d04cd2a45784bacbd50e6714710b55805c7e9886665a6d7790e6d8712b67aff'
svc_readarr:
service_name: 'svc_readarr'
mail: 'readarr@service.main.unkin.net'
uidnumber: 30004
primarygroup: 20001
passsha256: '751f22fbd9c052b2cd0c1cb4be514d8710f1a51f84ce44f607ab3a5591162f8c'
svc_prowlarr:
service_name: 'svc_prowlarr'
mail: 'prowlarr@service.main.unkin.net'
uidnumber: 30005
primarygroup: 20001
passsha256: 'd1e6bcc4a9f2d15b6e3c349155a88e433902dfe765e57bf3c10e6830f151a043'
glauth::groups:
users:
group_name: 'people'
gidnumber: 20000
services:
group_name: 'services'
gidnumber: 20001
jellyfin_access:
group_name: 'jellyfin_access'
gidnumber: 20010
sonarr_access:
group_name: 'sonarr_access'
gidnumber: 20011
radarr_access:
group_name: 'radarr_access'
gidnumber: 20012
lidarr_access:
group_name: 'lidarr_access'
gidnumber: 20013
readarr_access:
group_name: 'readarr_access'
gidnumber: 20014
prowlarr_access:
group_name: 'prowlarr_access'
gidnumber: 20015
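Review bot: `glauth::params::ldap_enabled: true` with no `glauth::params::ldap_tls` override leaves the module default of `ldap_tls = false`, so this node accepts cleartext simple binds on 389 on every interface next to the LDAPS listener; either add `glauth::params::ldap_tls: true` (the cert and key paths for it are already set here) or set `glauth::params::ldap_enabled: false`. The `passsha256` values are, as the name suggests, unsalted SHA-256 digests that are cheap to brute-force offline by anyone who can read this repository; glauth also accepts `passbcrypt`, and either way the digests belong in eyaml-encrypted hieradata rather than plain YAML. The `media` tag on the `ldap` consul service looks copied from the jellyfin hieradata.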
+155
@@ -0,0 +1,155 @@
# configure glauth
class glauth::config (
Boolean $debug = $glauth::debug,
Boolean $syslog = $glauth::syslog,
Boolean $structuredlog = $glauth::structuredlog,
Boolean $watchconfig = $glauth::watchconfig,
Boolean $ldap_enabled = $glauth::ldap_enabled,
Stdlib::IP::Address $ldap_address = $glauth::ldap_address,
Stdlib::Port $ldap_port = $glauth::ldap_port,
Boolean $ldap_tls = $glauth::ldap_tls,
Stdlib::Absolutepath $ldap_tlscertpath = $glauth::ldap_tlscertpath,
Stdlib::Absolutepath $ldap_tlskeypath = $glauth::ldap_tlskeypath,
Boolean $ldaps_enabled = $glauth::ldaps_enabled,
Stdlib::IP::Address $ldaps_address = $glauth::ldaps_address,
Stdlib::Port $ldaps_port = $glauth::ldaps_port,
Stdlib::Absolutepath $ldaps_cert = $glauth::ldaps_cert,
Stdlib::Absolutepath $ldaps_key = $glauth::ldaps_key,
String $backend_datastore = $glauth::backend_datastore,
String $backend_basedn = $glauth::backend_basedn,
String $backend_nameformat = $glauth::backend_nameformat,
String $backend_groupformat = $glauth::backend_groupformat,
Boolean $backend_anonymousdse = $glauth::backend_anonymousdse,
String $backend_sshkeyattr = $glauth::backend_sshkeyattr,
Boolean $behaviors_ignorecapabilities = $glauth::behaviors_ignorecapabilities,
Boolean $behaviors_limitfailedbinds = $glauth::behaviors_limitfailedbinds,
Integer $behaviors_numberoffailedbinds = $glauth::behaviors_numberoffailedbinds,
Integer $behaviors_periodoffailedbinds = $glauth::behaviors_periodoffailedbinds,
Integer $behaviors_blockfailedbindsfor = $glauth::behaviors_blockfailedbindsfor,
Integer $behaviors_prunesourcetableevery = $glauth::behaviors_prunesourcetableevery,
Integer $behaviors_prunesourcesolderthan = $glauth::behaviors_prunesourcesolderthan,
Boolean $api_enabled = $glauth::api_enabled,
Boolean $api_internals = $glauth::api_internals,
Boolean $api_tls = $glauth::api_tls,
Stdlib::IP::Address $api_address = $glauth::api_address,
Stdlib::Port $api_port = $glauth::api_port,
Stdlib::Absolutepath $api_cert = $glauth::api_cert,
Stdlib::Absolutepath $api_key = $glauth::api_key,
String $user = $glauth::user,
String $group = $glauth::group,
Stdlib::Absolutepath $bin_dir = $glauth::bin_dir,
Stdlib::Absolutepath $bin_path = $glauth::bin_path,
Stdlib::Absolutepath $config_dir = $glauth::config_dir,
Stdlib::Absolutepath $config_path = $glauth::config_path,
Boolean $manage_defaults = $glauth::manage_defaults,
) {
mkdir::p {$config_dir:}
file { [ $config_dir ]:
ensure => directory,
owner => $user,
group => $group,
}
concat { $config_path:
owner => $user,
group => $group,
mode => '0644',
require => File[$config_dir],
}
if $manage_defaults {
Glauth::Obj::User {
config_path => $config_path,
}
Glauth::Obj::Service {
config_path => $config_path,
}
Glauth::Obj::Group {
config_path => $config_path,
}
}
concat::fragment { 'glauth_general':
target => $config_path,
content => epp('glauth/general.epp', {
'debug' => $debug,
'syslog' => $syslog,
'structuredlog' => $structuredlog,
'watchconfig' => $watchconfig,
}),
order => 10,
}
concat::fragment { 'glauth_ldap':
target => $config_path,
content => epp('glauth/ldap.epp', {
'ldap_enabled' => $ldap_enabled,
'ldap_address' => $ldap_address,
'ldap_port' => $ldap_port,
'ldap_tls' => $ldap_tls,
'ldap_tlscertpath' => $ldap_tlscertpath,
'ldap_tlskeypath' => $ldap_tlskeypath,
}),
order => 20,
}
concat::fragment { 'glauth_ldaps':
target => $config_path,
content => epp('glauth/ldaps.epp', {
'ldaps_enabled' => $ldaps_enabled,
'ldaps_address' => $ldaps_address,
'ldaps_port' => $ldaps_port,
'ldaps_cert' => $ldaps_cert,
'ldaps_key' => $ldaps_key,
}),
order => 30,
}
concat::fragment { 'glauth_backend':
target => $config_path,
content => epp('glauth/backend.epp', {
'backend_datastore' => $backend_datastore,
'backend_basedn' => $backend_basedn,
'backend_nameformat' => $backend_nameformat,
'backend_groupformat' => $backend_groupformat,
'backend_anonymousdse' => $backend_anonymousdse,
'backend_sshkeyattr' => $backend_sshkeyattr,
}),
order => 40,
}
concat::fragment { 'glauth_behaviors':
target => $config_path,
content => epp('glauth/behaviors.epp', {
'ignorecapabilities' => $behaviors_ignorecapabilities,
'limitfailedbinds' => $behaviors_limitfailedbinds,
'numberoffailedbinds' => $behaviors_numberoffailedbinds,
'periodoffailedbinds' => $behaviors_periodoffailedbinds,
'blockfailedbindsfor' => $behaviors_blockfailedbindsfor,
'prunesourcetableevery' => $behaviors_prunesourcetableevery,
'prunesourcesolderthan' => $behaviors_prunesourcesolderthan,
}),
order => 50,
}
concat::fragment { 'glauth_api':
target => $config_path,
content => epp('glauth/api.epp', {
'api_enabled' => $api_enabled,
'api_internals' => $api_internals,
'api_tls' => $api_tls,
'api_address' => $api_address,
'api_port' => $api_port,
'api_cert' => $api_cert,
'api_key' => $api_key,
}),
order => 60,
}
}
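Review bot: `concat { $config_path: ... mode => '0644' }` makes glauth.conf world-readable, and the user and service fragments concatenated into it carry the `passsha256` digests; `mode => '0640'` with the existing `owner`/`group` keeps it readable by the glauth user only, and `show_diff => false` keeps the digests out of agent reports. `mkdir::p { $config_dir: }` and `file { [$config_dir]: ensure => directory }` both manage the same directory; the `file` resource alone is enough unless parent directories can be missing, in which case say so in a comment.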
+64
@@ -0,0 +1,64 @@
# glauth inititalisation class
class glauth (
Boolean $debug = $glauth::params::debug,
Boolean $syslog = $glauth::params::syslog,
Boolean $structuredlog = $glauth::params::structuredlog,
Boolean $watchconfig = $glauth::params::watchconfig,
Array $packages = $glauth::params::packages,
Boolean $ldap_enabled = $glauth::params::ldap_enabled,
Stdlib::IP::Address $ldap_address = $glauth::params::ldap_address,
Stdlib::Port $ldap_port = $glauth::params::ldap_port,
Boolean $ldap_tls = $glauth::params::ldap_tls,
Stdlib::Absolutepath $ldap_tlscertpath = $glauth::params::ldap_tlscertpath,
Stdlib::Absolutepath $ldap_tlskeypath = $glauth::params::ldap_tlskeypath,
Boolean $ldaps_enabled = $glauth::params::ldaps_enabled,
Stdlib::IP::Address $ldaps_address = $glauth::params::ldaps_address,
Stdlib::Port $ldaps_port = $glauth::params::ldaps_port,
Stdlib::Absolutepath $ldaps_cert = $glauth::params::ldaps_cert,
Stdlib::Absolutepath $ldaps_key = $glauth::params::ldaps_key,
String $backend_datastore = $glauth::params::backend_datastore,
String $backend_basedn = $glauth::params::backend_basedn,
String $backend_nameformat = $glauth::params::backend_nameformat,
String $backend_groupformat = $glauth::params::backend_groupformat,
Boolean $backend_anonymousdse = $glauth::params::backend_anonymousdse,
String $backend_sshkeyattr = $glauth::params::backend_sshkeyattr,
Boolean $behaviors_ignorecapabilities = $glauth::params::behaviors_ignorecapabilities,
Boolean $behaviors_limitfailedbinds = $glauth::params::behaviors_limitfailedbinds,
Integer $behaviors_numberoffailedbinds = $glauth::params::behaviors_numberoffailedbinds,
Integer $behaviors_periodoffailedbinds = $glauth::params::behaviors_periodoffailedbinds,
Integer $behaviors_blockfailedbindsfor = $glauth::params::behaviors_blockfailedbindsfor,
Integer $behaviors_prunesourcetableevery = $glauth::params::behaviors_prunesourcetableevery,
Integer $behaviors_prunesourcesolderthan = $glauth::params::behaviors_prunesourcesolderthan,
Boolean $api_enabled = $glauth::params::api_enabled,
Boolean $api_internals = $glauth::params::api_internals,
Boolean $api_tls = $glauth::params::api_tls,
Stdlib::IP::Address $api_address = $glauth::params::api_address,
Stdlib::Port $api_port = $glauth::params::api_port,
Stdlib::Absolutepath $api_cert = $glauth::params::api_cert,
Stdlib::Absolutepath $api_key = $glauth::params::api_key,
String $user = $glauth::params::user,
String $group = $glauth::params::group,
Stdlib::Absolutepath $bin_dir = $glauth::params::bin_dir,
Stdlib::Absolutepath $bin_path = $glauth::params::bin_path,
Stdlib::Absolutepath $config_dir = $glauth::params::config_dir,
Stdlib::Absolutepath $config_path = $glauth::params::config_path,
Boolean $service_enable = $glauth::params::service_enable,
String $service_name = $glauth::params::service_name,
String $download_version = $glauth::params::download_version,
String $download_url = $glauth::params::download_url,
Boolean $manage_defaults = $glauth::params::manage_defaults,
) inherits glauth::params {
include glauth::install
include glauth::config
include glauth::service
Class['glauth::install'] -> Class['glauth::config'] -> Class['glauth::service']
}
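Review bot: `Array $packages` is the only untyped collection in this signature while the sibling `jellyfin::params` declares `Array[String] $packages`; `Array[String] $packages` here (and in `glauth::params` and `glauth::install`) would reject a mis-shaped hieradata value at compile time. The class comment reads `inititalisation`.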
+45
@@ -0,0 +1,45 @@
# install the glauth directories and binary
class glauth::install (
String $user = $glauth::user,
String $group = $glauth::group,
Stdlib::Absolutepath $bin_dir = $glauth::bin_dir,
Stdlib::Absolutepath $bin_path = $glauth::bin_path,
Stdlib::Absolutepath $config_dir = $glauth::config_path,
Stdlib::Absolutepath $config_path = $glauth::config_path,
String $download_url = $glauth::download_url,
Array $packages = $glauth::packages,
){
user { $user:
ensure => present,
system => true,
gid => $group,
require => Group[$group],
}
group { $group:
ensure => present,
system => true,
}
ensure_resources('package', $packages => {ensure => 'present'})
archive { 'glauth':
ensure => present,
url => $download_url,
extract => false,
path => $bin_path,
creates => $bin_path,
cleanup => false,
extract_path => $bin_dir,
user => 'root',
group => 'root',
}
file{ $bin_path:
ensure => file,
owner => 'root',
group => 'root',
mode => '0755',
require => Archive['glauth'],
}
}
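Review bot: The `archive { 'glauth': ... }` resource fetches the binary with no `checksum`/`checksum_type`, so whatever the forge serves at `$download_url` is dropped into /usr/local/bin and run as a system service; adding `checksum_type => 'sha256'` and `checksum => $glauth::download_checksum` (a new parameter alongside `download_version`) is the usual supply-chain guard. `creates => $bin_path` also means a later bump of `download_version` never re-downloads once the file exists, so the version pin is only honoured on first install. Separately, `Stdlib::Absolutepath $config_dir = $glauth::config_path` should read `$glauth::config_dir`, and `ensure_resources('package', $packages => {ensure => 'present'})` looks like it wants the three-argument form `ensure_resources('package', $packages, { ensure => 'present' })`.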
+17
@@ -0,0 +1,17 @@
# define a group object
define glauth::obj::group (
String $group_name,
Integer $gidnumber,
Stdlib::Absolutepath $config_path,
Optional[Array[Integer]] $includegroups = [],
) {
concat::fragment { "glauth_group_${group_name}":
target => $config_path,
content => epp('glauth/obj/group.epp', {
'name' => $group_name,
'gidnumber' => $gidnumber,
'includegroups' => $includegroups,
}),
order => '90',
}
}
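Review bot: `Optional[Array[Integer]] $includegroups = []` admits `undef`, and the group template calls `$includegroups.length` on it, which fails for `undef`; since the default is already `[]`, `Array[Integer] $includegroups = []` is both stricter and safe. The fragment title `glauth_group_${group_name}` is keyed on the rendered name rather than the define title, so two hieradata entries sharing a `group_name` collide at catalog time — probably the behaviour you want, but worth a one-line comment.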
+21
@@ -0,0 +1,21 @@
# define a service object
define glauth::obj::service (
String $service_name,
String $mail,
Integer $uidnumber,
Integer $primarygroup,
String $passsha256,
Stdlib::Absolutepath $config_path,
) {
concat::fragment { "glauth_service_${service_name}":
target => $config_path,
content => epp('glauth/obj/service.epp', {
'name' => $service_name,
'mail' => $mail,
'uidnumber' => $uidnumber,
'primarygroup' => $primarygroup,
'passsha256' => $passsha256,
}),
order => '80',
}
}
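Review bot: `String $passsha256` accepts anything, so a cleartext password pasted into hieradata by mistake is written verbatim into the config as `passsha256 = "..."`; `Pattern[/\A[0-9a-f]{64}\z/] $passsha256` rejects that at compile time. The same applies to the `glauth::obj::user` define. Nothing escapes `"` or `\` in `$service_name` or `$mail` before they are interpolated into TOML strings, which is acceptable for hieradata you control but deserves a comment on the define.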
+39
@@ -0,0 +1,39 @@
# define a user object
define glauth::obj::user (
String $user_name,
String $mail,
Integer $uidnumber,
Integer $primarygroup,
String $passsha256,
Stdlib::Absolutepath $config_path,
String $givenname = '',
String $sn = '',
String $loginshell = '',
String $homedir = '',
Optional[Array[String]] $sshkeys = [],
Optional[Array[String]] $passappsha256 = [],
Optional[Array[Integer]] $othergroups = [],
) {
$formatted_othergroups = $othergroups.empty ? {
true => '[]',
false => "[${othergroups.join(', ')}]",
}
concat::fragment { "glauth_user_${user_name}":
target => $config_path,
content => epp('glauth/obj/user.epp', {
'name' => $user_name,
'givenname' => $givenname,
'sn' => $sn,
'mail' => $mail,
'uidnumber' => $uidnumber,
'primarygroup' => $primarygroup,
'loginshell' => $loginshell,
'homedir' => $homedir,
'passsha256' => $passsha256,
'sshkeys' => $sshkeys,
'passappsha256' => $passappsha256,
'othergroups' => $formatted_othergroups,
}),
order => '70',
}
}
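Review bot: `$othergroups` is pre-formatted into a TOML array string in Puppet while `$sshkeys` and `$passappsha256` are formatted inside user.epp, so the two conventions diverge for no reason; passing `$othergroups` through unchanged and looping over it in the template the way the other two arrays are handled keeps the formatting in one place. As in the group define, `Optional[Array[...]]` with a `[]` default admits `undef`, on which the template's `.length` calls fail — plain `Array[String]` and `Array[Integer]` are safer. `String $passsha256` would also benefit from `Pattern[/\A[0-9a-f]{64}\z/]` so a cleartext password cannot land in the config file.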
+58
@@ -0,0 +1,58 @@
# params class for glauth
class glauth::params (
Boolean $debug = true,
Boolean $syslog = true,
Boolean $structuredlog = true,
Boolean $watchconfig = true,
Array $packages = [
'openldap-clients',
],
Boolean $ldap_enabled = true,
Stdlib::IP::Address $ldap_address = '0.0.0.0',
Stdlib::Port $ldap_port = 389,
Boolean $ldap_tls = false,
Stdlib::Absolutepath $ldap_tlscertpath = '/etc/glauth/glauth.crt',
Stdlib::Absolutepath $ldap_tlskeypath = '/etc/glauth/glauth.key',
Boolean $ldaps_enabled = false,
Stdlib::IP::Address $ldaps_address = '0.0.0.0',
Stdlib::Port $ldaps_port = 636,
Stdlib::Absolutepath $ldaps_cert = '/etc/glauth/glauth.crt',
Stdlib::Absolutepath $ldaps_key = '/etc/glauth/glauth.key',
String $backend_datastore = 'config',
String $backend_basedn = 'dc=main,dc=unkin,dc=net',
String $backend_nameformat = 'cn',
String $backend_groupformat = 'ou',
Boolean $backend_anonymousdse = true,
String $backend_sshkeyattr = 'sshPublicKey',
Boolean $behaviors_ignorecapabilities = true,
Boolean $behaviors_limitfailedbinds = true,
Integer $behaviors_numberoffailedbinds = 3,
Integer $behaviors_periodoffailedbinds = 10,
Integer $behaviors_blockfailedbindsfor = 60,
Integer $behaviors_prunesourcetableevery = 600,
Integer $behaviors_prunesourcesolderthan = 600,
Boolean $api_enabled = true,
Boolean $api_internals = true,
Boolean $api_tls = true,
Stdlib::IP::Address $api_address = '0.0.0.0',
Stdlib::Port $api_port = 5555,
Stdlib::Absolutepath $api_cert = '/etc/glauth/cert.pem',
Stdlib::Absolutepath $api_key = '/etc/glauth/key.pem',
String $user = 'glauth',
String $group = 'glauth',
Stdlib::Absolutepath $bin_dir = '/usr/local/bin',
Stdlib::Absolutepath $bin_path = "${bin_dir}/glauth",
Stdlib::Absolutepath $config_dir = '/etc/glauth',
Stdlib::Absolutepath $config_path = "${config_dir}/glauth.conf",
Boolean $service_enable = true,
String $service_name = 'glauth',
String $download_version = '2.3.2',
String $download_url = "https://git.query.consul/api/packages/unkinben/generic/glauth/${download_version}/glauth-linux-amd64",
Boolean $manage_defaults = true,
){}
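Review bot: The defaults combine `ldap_enabled = true`, `ldap_address = '0.0.0.0'` and `ldap_tls = false`, so a node that includes the class without hieradata overrides serves cleartext LDAP on every interface while `ldaps_enabled` is `false`; with cert and key paths already defaulted, `Boolean $ldap_tls = true` (or `Stdlib::IP::Address $ldap_address = '127.0.0.1'`) is the safer starting point. `debug = true` as the default means verbose bind logging in production unless every role remembers to turn it off. The API listener defaults to `0.0.0.0:5555` with `api_internals = true`; a header comment listing which of these defaults roles are expected to override would help.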
+30
@@ -0,0 +1,30 @@
# manage the glauth service/socket
class glauth::service (
$service_enable = $glauth::service_enable,
$service_name = $glauth::service_name,
$user = $glauth::user,
$group = $glauth::group,
$config_path = $glauth::config_path,
$bin_path = $glauth::bin_path,
$ldap_port = $glauth::ldap_port,
$ldaps_port = $glauth::ldaps_port,
$api_port = $glauth::api_port,
){
if $service_enable {
include ::systemd
systemd::unit_file { "${service_name}.service":
content => epp('glauth/systemd.service.epp', {
'bin_path' => $bin_path,
'config_path' => $config_path,
'user' => $user,
'group' => $group,
'service_name' => $service_name,
}),
enable => true,
active => true,
subscribe => Concat[$config_path],
# should also subscribe to tls certs
}
}
}
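Review bot: The rendered service unit's `[Install]` section carries `Also=<service_name>.socket`, but this class never installs a socket unit, so the `enable => true` step is likely to complain about the missing `glauth.socket`; either drop the `Also=` line from the template or add a second `systemd::unit_file` for the socket. The `# should also subscribe to tls certs` TODO can be closed by extending the subscribe list where Puppet manages those files, e.g. `subscribe => [Concat[$config_path], File[$ldaps_cert], File[$ldaps_key]]`, though the cert paths are not parameters of this class yet.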
+10
@@ -0,0 +1,10 @@
#################
# API configuration.
[api]
enabled = <%= $api_enabled %>
internals = <%= $api_internals %>
tls = <%= $api_tls %>
listen = "<%= $api_address %>:<%= $api_port %>"
cert = "<%= $api_cert %>"
key = "<%= $api_key %>"
+10
@@ -0,0 +1,10 @@
#################
# The backend section controls the data store.
[backend]
datastore = "<%= $backend_datastore %>"
baseDN = "<%= $backend_basedn %>"
nameformat = "<%= $backend_nameformat %>"
groupformat = "<%= $backend_groupformat %>"
anonymousdse = <%= $backend_anonymousdse %>
sshkeyattr = "<%= $backend_sshkeyattr %>"
+11
@@ -0,0 +1,11 @@
#################
# Behaviors configuration.
[behaviors]
IgnoreCapabilities = <%= $ignorecapabilities %>
LimitFailedBinds = <%= $limitfailedbinds %>
NumberOfFailedBinds = <%= $numberoffailedbinds %>
PeriodOfFailedBinds = <%= $periodoffailedbinds %>
BlockFailedBindsFor = <%= $blockfailedbindsfor %>
PruneSourceTableEvery = <%= $prunesourcetableevery %>
PruneSourcesOlderThan = <%= $prunesourcesolderthan %>
+7
@@ -0,0 +1,7 @@
#################
# General configuration.
debug = <%= $debug %>
syslog = <%= $syslog %>
structuredlog = <%= $structuredlog %>
watchconfig = <%= $watchconfig %>
+9
@@ -0,0 +1,9 @@
#################
# Server configuration.
[ldap]
enabled = <%= $ldap_enabled %>
listen = "<%= $ldap_address %>:<%= $ldap_port %>"
tls = <%= $ldap_tls %>
tlsCertPath = "<%= $ldap_tlscertpath %>"
tlsKeyPath = "<%= $ldap_tlskeypath %>"
+8
@@ -0,0 +1,8 @@
#################
# Server configuration.
[ldaps]
enabled = <%= $ldaps_enabled %>
listen = "<%= $ldaps_address %>:<%= $ldaps_port %>"
cert = "<%= $ldaps_cert %>"
key = "<%= $ldaps_key %>"
+5
@@ -0,0 +1,5 @@
[[groups]]
name = "<%= $name %>"
gidnumber = <%= $gidnumber %>
<% if $includegroups.length > 0 { %>includegroups = [<% $includegroups.each |Integer $group| { %><%= $group %>, <% } %>]<% } %>
+7
@@ -0,0 +1,7 @@
[[users]]
name = "<%= $name %>"
mail = "<%= $mail %>"
uidnumber = <%= $uidnumber %>
primarygroup = <%= $primarygroup %>
passsha256 = "<%= $passsha256 %>"
+14
@@ -0,0 +1,14 @@
[[users]]
name = "<%= $name %>"
<% if $givenname != '' { %>givenname = "<%= $givenname %>"<% } %>
<% if $sn != '' { %>sn = "<%= $sn %>"<% } %>
mail = "<%= $mail %>"
uidnumber = <%= $uidnumber %>
primarygroup = <%= $primarygroup %>
<% if $loginshell != '' { %>loginShell = "<%= $loginshell %>"<% } %>
<% if $homedir != '' { %>homeDir = "<%= $homedir %>"<% } %>
passsha256 = "<%= $passsha256 %>"
<% if $sshkeys.length > 0 { %>sshkeys = [<% $sshkeys.each |String $key| { %>"<%= $key %>", <% } %>]<% } %>
<% if $passappsha256.length > 0 { %>passappsha256 = [<% $passappsha256.each |String $pass| { %>"<%= $pass %>", <% } %>]<% } %>
othergroups = <%= $othergroups %>
@@ -0,0 +1,14 @@
[Unit]
Description=GLAuth Service
After=network.target
[Service]
User=<%= $user %>
Group=<%= $group %>
ExecStart=<%= $bin_path %> -c <%= $config_path %>
Restart=always
AmbientCapabilities=CAP_NET_BIND_SERVICE
[Install]
WantedBy=multi-user.target
Also=<%= $service_name %>.socket
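Review bot: The unit runs glauth as `<%= $user %>` with `AmbientCapabilities=CAP_NET_BIND_SERVICE`, which is the right shape, but it carries none of the usual sandboxing; since the process only needs to read its config and the cert/key files and bind its ports, `NoNewPrivileges`, `ProtectSystem=strict`, `ProtectHome` and `PrivateTmp` cost nothing here, and `CapabilityBoundingSet=CAP_NET_BIND_SERVICE` keeps the ambient capability from being widened. The `Also=<%= $service_name %>.socket` line references a socket unit that `glauth::service` does not install.

```ini
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
```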
@@ -0,0 +1,11 @@
[Unit]
Description=GLAuth Socket
[Socket]
ListenStream=<%= $ldap_port %>
ListenStream=<%= $ldaps_port %>
ListenStream=<%= $api_port %>
NoDelay=true
[Install]
WantedBy=sockets.target
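Review bot: This socket unit binds the LDAP, LDAPS and API ports itself, so the service it activates must accept the passed file descriptors; glauth, as configured by ldap.epp, ldaps.epp and api.epp, binds its own `listen` addresses, and unless it supports socket activation (nothing here suggests it does) the two would collide on the same ports. The `glauth::service` class never installs this template and the cleanup commit says the socket was dropped, so this file looks dead and is better removed than left to be wired in later.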
+11
@@ -0,0 +1,11 @@
# manage jellyfin
class jellyfin (
$packages = $jellyfin::params::packages,
$service_enable = $jellyfin::params::service_enable,
) inherits jellyfin::params {
include jellyfin::install
include jellyfin::service
Class['jellyfin::install'] -> Class['jellyfin::service']
}
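Review bot: `jellyfin::service` reads `$jellyfin::service_name`, but this class does not declare `$service_name` as a parameter and only inherits it from `jellyfin::params`, so the qualified lookup relies on inherited-scope resolution and hieradata cannot override it as `jellyfin::service_name`; the sibling `glauth` class declares `String $service_name = $glauth::params::service_name`, and this one should do the same. Typing the two existing parameters (`Array[String] $packages`, `Boolean $service_enable`) would also catch bad hieradata at compile time.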
+14
@@ -0,0 +1,14 @@
# install jellyfin
class jellyfin::install (
$packages = $jellyfin::packages,
) {
$_packages = $packages ? {
Array => true,
default => false,
}
if $_packages {
ensure_packages($packages, {ensure => 'installed'})
}
}
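Review bot: The `$packages ? { Array => true, default => false }` selector silently does nothing when `$packages` is not an array, which hides a hieradata mistake rather than reporting it; declaring `Array[String] $packages = $jellyfin::packages` lets the type system reject the bad value and the body collapses to the single `ensure_packages($packages, { ensure => 'installed' })` call.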
+13
@@ -0,0 +1,13 @@
# jellyfin params
class jellyfin::params (
Array[String] $packages = [
'jellyfin',
'jellyfin-web',
'jellyfin-server',
'SDL2',
'ffmpeg',
'ffmpeg-devel',
],
String $service_name = 'jellyfin',
Boolean $service_enable = true,
) { }
+10
@@ -0,0 +1,10 @@
# manage jellyfin service
class jellyfin::service (
$service_enable = $jellyfin::service_enable,
$service_name = $jellyfin::service_name,
) {
service{$service_name:
ensure => $service_enable,
enable => $service_enable,
}
}
+15
@@ -0,0 +1,15 @@
class nginxproxy::authproxy {
file { $nginxproxy::auth_ldap_config:
ensure => file,
content => epp('nginxproxy/auth-ldap.py.epp', {
'params' => $nginxproxy::auth_ldap_params
}
),
mode => '0644',
}
#package { 'nginx-auth-ldap':
# ensure => 'present',
# provider => 'pip',
#}
}
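Review bot: The rendered `$nginxproxy::auth_ldap_config` is written with `mode => '0644'` and no owner or group, and `auth_ldap_params` is the kind of hash that usually carries an LDAP bind DN and password; if it does, `owner => 'root', group => 'nginx', mode => '0640'` keeps the credentials from every local user. Nothing notifies nginx or an auth helper when this file changes, and the template is `auth-ldap.py.epp` while the default target is `/etc/nginx/auth-ldap.conf`, which together with the commented-out `nginx-auth-ldap` pip package suggests the consumer is not settled yet — a comment saying what reads this file would help.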
+67
@@ -0,0 +1,67 @@
# manage configuration for nginxproxy
class nginxproxy::config {
$proxyurl = "${nginxproxy::proxy_scheme}://${nginxproxy::proxy_host}:${nginxproxy::proxy_port}${nginxproxy::proxy_path}"
$server_names = unique([$facts['networking']['fqdn'], $nginxproxy::nginx_vhost] + $nginxproxy::nginx_aliases)
case $nginxproxy::nginx_cert_type {
'vault': {
$selected_ssl_cert = '/etc/pki/tls/vault/certificate.crt'
$selected_ssl_key = '/etc/pki/tls/vault/private.key'
}
default: {
$selected_ssl_cert = "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.crt"
$selected_ssl_key = "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.key"
}
}
case $nginxproxy::nginx_listen_mode {
'http': {
$enable_ssl = false
$ssl_cert = undef
$ssl_key = undef
$listen_port = $nginxproxy::nginx_port
$listen_ssl_port = undef
$extras_hash = {}
}
'https': {
$enable_ssl = true
$ssl_cert = $selected_ssl_cert
$ssl_key = $selected_ssl_key
$listen_port = $nginxproxy::nginx_ssl_port
$listen_ssl_port = $nginxproxy::nginx_ssl_port
$extras_hash = {
'subscribe' => [File[$ssl_cert], File[$ssl_key]],
}
}
default: {
$enable_ssl = true
$ssl_cert = $selected_ssl_cert
$ssl_key = $selected_ssl_key
$listen_port = $nginxproxy::nginx_port
$listen_ssl_port = $nginxproxy::nginx_ssl_port
$extras_hash = {
'subscribe' => [File[$ssl_cert], File[$ssl_key]],
}
}
}
$defaults = {
'listen_port' => $listen_port,
'server_name' => $server_names,
'use_default_location' => true,
'access_log' => "/var/log/nginx/${nginxproxy::nginx_vhost}_access.log",
'error_log' => "/var/log/nginx/${nginxproxy::nginx_vhost}_error.log",
'autoindex' => 'on',
'ssl' => $enable_ssl,
'ssl_cert' => $ssl_cert,
'ssl_key' => $ssl_key,
'ssl_port' => $listen_ssl_port,
'proxy' => $proxyurl,
}
$nginx_parameters = merge($defaults, $extras_hash)
include 'nginx'
create_resources('nginx::resource::server', { $nginxproxy::nginx_vhost => $nginx_parameters })
}
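Review bot: `'autoindex' => 'on'` enables directory listings on a vhost whose only job is to proxy `$proxyurl`; nothing in this class serves a filesystem path, so the setting is dead at best and exposes a listing if a non-proxied location is ever added. Drop it, or set `'autoindex' => 'off'` explicitly. The `https` and default branches subscribe to `File[$ssl_cert]` and `File[$ssl_key]`, which assumes those file resources are declared by whichever profile manages the vault or puppet certificates — a comment naming that profile would save the next reader a search.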
+38
@@ -0,0 +1,38 @@
# manage a nginx proxy with a wraoper module
class nginxproxy (
Stdlib::Fqdn $nginx_vhost = $nginxproxy::params::nginx_vhost,
Array[Stdlib::Host] $nginx_aliases = $nginxproxy::params::nginx_aliases,
Stdlib::Port $nginx_port = $nginxproxy::params::nginx_port,
Stdlib::Port $nginx_ssl_port = $nginxproxy::params::nginx_ssl_port,
Enum['http','https','both'] $nginx_listen_mode = $nginxproxy::params::nginx_listen_mode,
Enum['puppet', 'vault'] $nginx_cert_type = $nginxproxy::params::nginx_cert_type,
Enum['http','https'] $proxy_scheme = $nginxproxy::params::proxy_scheme,
Stdlib::Port $proxy_port = $nginxproxy::params::proxy_port,
Stdlib::Host $proxy_host = $nginxproxy::params::proxy_host,
String $proxy_path = $nginxproxy::params::proxy_path,
Boolean $simple_mode = $nginxproxy::params::simple_mode,
Array[Hash] $locations = $nginxproxy::params::locations,
Boolean $manage_auth_ldap = $nginxproxy::params::manage_auth_ldap,
Stdlib::Absolutepath $auth_ldap_config = $nginxproxy::params::auth_ldap_config,
Hash $auth_ldap_params = $nginxproxy::params::auth_ldap_params,
) {
if ! $facts['nginx_version'] {
package { 'nginx':
ensure => 'present',
}
} else {
include nginxproxy::config
include nginxproxy::selinux
if $manage_auth_ldap {
include nginxproxy::authproxy
}
if ! $simple_mode {
nginxproxy::locations { 'default':
locations => $locations,
}
}
}
}
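Review bot: The `if ! $facts['nginx_version']` split means a fresh node only installs the package on the first agent run and is configured on the second, and `nginxproxy::config` already does `include 'nginx'`, which by default manages the package itself; calling `include nginxproxy::config` unconditionally and dropping the bare `package { 'nginx': }` should converge in one run. The class comment reads `wraoper`.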
+10
@@ -0,0 +1,10 @@
define nginxproxy::locations (
Array[Hash] $locations = [],
) {
$locations.each |$location| {
nginx::resource::location { $location['path']:
server => $nginxproxy::nginx_vhost,
proxy => $location['proxy'],
}
}
}
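Review bot: `$location['path']` and `$location['proxy']` are read from untyped `Hash` entries, so a hieradata entry missing `path` yields a resource titled `undef` rather than a clear error; `Array[Struct[{ path => String[1], proxy => String[1] }]] $locations = []` pins the shape. A one-line comment noting that `server` is bound to `$nginxproxy::nginx_vhost`, so the define only makes sense when declared from `nginxproxy`, would help the next reader.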
+18
@@ -0,0 +1,18 @@
# nginxproxy params
class nginxproxy::params (
Stdlib::Fqdn $nginx_vhost = 'localhost',
Array[Stdlib::Host] $nginx_aliases = [],
Stdlib::Port $nginx_port = 80,
Stdlib::Port $nginx_ssl_port = 443,
Enum['http','https','both'] $nginx_listen_mode = 'https',
Enum['puppet', 'vault'] $nginx_cert_type = 'vault',
Enum['http','https'] $proxy_scheme = 'http',
Stdlib::Port $proxy_port = 80,
Stdlib::Host $proxy_host = $facts['networking']['ip'],
String $proxy_path = '/',
Boolean $simple_mode = true,
Array[Hash] $locations = [],
Boolean $manage_auth_ldap = false,
Stdlib::Absolutepath $auth_ldap_config = '/etc/nginx/auth-ldap.conf',
Hash $auth_ldap_params = {},
){}
+9
@@ -0,0 +1,9 @@
# manage selinux for nginxproxy
class nginxproxy::selinux {
if $::facts['os']['selinux']['config_mode'] == 'enforcing' {
selboolean { 'httpd_can_network_connect':
persistent => true,
value => 'on',
}
}
}
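Review bot: `$::facts['os']['selinux']['config_mode'] == 'enforcing'` reads the on-disk `/etc/selinux/config` setting, not the running mode, so a node booted permissive with an enforcing config would get the boolean and a node in the opposite state would not; `$facts['os']['selinux']['enabled']` (or `current_mode`) is the right guard, and setting the boolean whenever SELinux is enabled also keeps permissive nodes from logging denials. `httpd_can_network_connect` lets nginx reach any port, which the 8096 Jellyfin upstream needs since that port is not in `http_port_t` as far as I can tell; a comment saying why the broader boolean was chosen over `httpd_can_network_relay` is worth adding.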
+21
@@ -0,0 +1,21 @@
# profiles::ldap::server
class profiles::ldap::server (
Hash $users = lookup('glauth::users', { default_value => {} }),
Hash $services = lookup('glauth::services', { default_value => {} }),
Hash $groups = lookup('glauth::groups', { default_value => {} }),
) {
Glauth::Obj::User {
config_path => '/etc/glauth/glauth.conf',
}
Glauth::Obj::Service {
config_path => '/etc/glauth/glauth.conf',
}
Glauth::Obj::Group {
config_path => '/etc/glauth/glauth.conf',
}
create_resources('glauth::obj::user', $users)
create_resources('glauth::obj::service', $services)
create_resources('glauth::obj::group', $groups)
}
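Review bot: The three resource defaults hard-code `/etc/glauth/glauth.conf` although the module exposes it as `$glauth::config_path` and `glauth::config` already sets the same defaults when `manage_defaults` is true; `include glauth` here and use `$glauth::config_path` so a relocated config cannot split the fragments from their target. The `lookup(...)` calls with `default_value => {}` mean a typo in a hieradata key silently produces an empty directory, so a `notice` when all three hashes are empty would be a cheap guard.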
+31
@@ -0,0 +1,31 @@
# profiles::media::jellyfin
class profiles::media::jellyfin (
Stdlib::Absolutepath $media_root = '/shared/media',
) {
include profiles::ceph::client
# manage the sharedvol
profiles::storage::cephfsvol {"${::facts['networking']['fqdn']}_media":
mount => $media_root,
keyring => '/etc/ceph/ceph.client.media.keyring',
cephfs_name => 'media',
cephfs_fs => 'mediafs',
require => Profiles::Ceph::Keyring['media'],
}
# export haproxy balancemember
profiles::haproxy::balancemember { "${facts['networking']['fqdn']}_443":
service => 'be_jellyfin',
ports => [443],
options => [
"cookie ${facts['networking']['hostname']}",
'ssl',
'verify none',
'check',
'inter 2s',
'rise 3',
'fall 2',
]
}
}
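Review bot: The exported balancemember tells HAProxy to connect with `'ssl', 'verify none'`, so the proxy never checks the node's certificate even though the node's hieradata requests a Vault-issued cert for exactly these names; `'verify required'` with `'ca-file <vault CA bundle>'` (path not visible here) closes that, and `'sni str(jellyfin.main.unkin.net)'` makes the name match. `check` with no explicit port means the backend's `httpchk GET /` also goes to 443 over TLS, which is what you want. The `require => Profiles::Ceph::Keyring['media']` references a resource presumably declared by `profiles::ceph::client`; a comment naming it would help.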
@@ -0,0 +1,11 @@
# jellyfin server profile
class roles::apps::media::jellyfin {
if $facts['firstrun'] {
include profiles::defaults
include profiles::firstrun::init
}else{
include profiles::defaults
include profiles::base
include profiles::media::jellyfin
}
}
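Review bot: The header says `# jellyfin server profile` but this is a role class; `# role: jellyfin media server` matches the glauth role's wording. `include profiles::defaults` appears in both branches and can be hoisted above the `if`, and `}else{` should read `} else {` per puppet-lint.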
+11
@@ -0,0 +1,11 @@
# a role to deploy glauth
class roles::infra::auth::glauth {
if $facts['firstrun'] {
include profiles::defaults
include profiles::firstrun::init
}else{
include profiles::defaults
include profiles::base
include profiles::ldap::server
}
}
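Review bot: `include profiles::defaults` is repeated in both branches of the `if $facts['firstrun']` test and can be hoisted above it, and `}else{` should read `} else {`. The role includes `profiles::ldap::server` but neither it nor that profile includes the `glauth` class; it arrives only through the role hieradata's `hiera_include`, which deserves a comment here since the profile's resource defaults assume the module's config path.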