diff --git a/.devcontainer/README.md b/.devcontainer/README.md deleted file mode 100644 index a7193616..00000000 --- a/.devcontainer/README.md +++ /dev/null @@ -1,38 +0,0 @@ -# devcontainer - - -For format details, see https://aka.ms/devcontainer.json. - -For config options, see the README at: -https://github.com/microsoft/vscode-dev-containers/tree/v0.140.1/containers/puppet - -``` json -{ - "name": "Puppet Development Kit (Community)", - "dockerFile": "Dockerfile", - - // Set *default* container specific settings.json values on container create. - "settings": { - "terminal.integrated.profiles.linux": { - "bash": { - "path": "bash", - } - } - }, - - // Add the IDs of extensions you want installed when the container is created. - "extensions": [ - "puppet.puppet-vscode", - "rebornix.Ruby" - ], - - // Use 'forwardPorts' to make a list of ports inside the container available locally. - "forwardPorts": [], - - // Use 'postCreateCommand' to run commands after the container is created. - "postCreateCommand": "pdk --version", -} -``` - - - diff --git a/.fixtures.yml b/.fixtures.yml index f664728f..86a9d669 100644 --- a/.fixtures.yml +++ b/.fixtures.yml @@ -1,11 +1,6 @@ +--- fixtures: forge_modules: - stdlib: "puppetlabs/stdlib" - cron_core: - repo: "puppetlabs/cron_core" - ref: "1.0.0" - puppet_version: ">= 7.0.0" - k5login_core: - repo: "puppetlabs/k5login_core" - ref: "1.0.2" - puppet_version: ">= 7.0.0" + stdlib: puppetlabs/stdlib + cron_core: puppetlabs/cron_core + k5login_core: puppetlabs/k5login_core diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 05510ee0..da7bf9aa 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
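Review bot: The rewritten `.fixtures.yml` drops the `ref:` pins that previously held `cron_core` at `1.0.0` and `k5login_core` at `1.0.2`, so every CI run now resolves whatever the newest Forge release happens to be, and a test failure can appear with no change in this repository. The short form is fine for `stdlib`, but the two core modules are worth pinning again, e.g. `cron_core: { repo: puppetlabs/cron_core, ref: '1.0.0' }`, or at least a comment stating that floating versions are intended. The removed `puppet_version: '>= 7.0.0'` guards look safe to drop only because the new Gemfile defaults to `~> 7.24`; a one-line comment saying so would spare the next reader the cross-reference.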
@@ -1,10 +1,27 @@ -name: "ci" +--- +# Managed by modulesync - DO NOT EDIT +# https://voxpupuli.org/docs/updating-files-managed-with-modulesync/ + +name: CI + +# yamllint disable-line rule:truthy +on: + pull_request: {} + push: + branches: + - main + - master + +concurrency: + group: ${{ github.ref_name }} + cancel-in-progress: true + +permissions: + contents: read -on: pull_request - jobs: - Spec: - uses: "puppetlabs/cat-github-actions/.github/workflows/module_ci.yml@main" + puppet: + name: Puppet + uses: voxpupuli/gha-puppet/.github/workflows/beaker.yml@v4 with: - runs_on: "ubuntu-20.04" - secrets: "inherit" + beaker_hosts: master;replica;client diff --git a/.github/workflows/pr_labels.yaml b/.github/workflows/pr_labels.yaml new file mode 100644 index 00000000..ea852052 --- /dev/null +++ b/.github/workflows/pr_labels.yaml @@ -0,0 +1,14 @@ +--- +name: "Pull Request Labels" +"on": + pull_request: + types: ["opened", "labeled", "unlabeled", "synchronize"] +jobs: + label: + runs-on: "ubuntu-latest" + steps: + - uses: "mheap/github-action-required-labels@v3" + with: + mode: "exactly" + count: 1 + labels: "enhancement, bug, skip-changelog" diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml new file mode 100644 index 00000000..3153ba8d --- /dev/null +++ b/.github/workflows/release.yml @@ -0,0 +1,22 @@ +--- +# Managed by modulesync - DO NOT EDIT +# https://voxpupuli.org/docs/updating-files-managed-with-modulesync/ + +name: Release + +"on": + push: + tags: + - '*' + +jobs: + release: + name: Release + uses: voxpupuli/gha-puppet/.github/workflows/release.yml@v2 + with: + allowed_owner: 'lsst-it' + secrets: + # Configure secrets here: + # https://docs.github.com/en/actions/security-guides/encrypted-secrets + username: ${{ secrets.PUPPET_FORGE_USERNAME }} + api_key: ${{ secrets.PUPPET_FORGE_API_KEY }} diff --git a/.github/workflows/shellcheck.yaml b/.github/workflows/shellcheck.yaml new file mode 100644 index 00000000..0c345d10 --- /dev/null 
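Review bot: The reusable workflow is referenced by the floating tag `voxpupuli/gha-puppet/.github/workflows/beaker.yml@v4`, so anything pushed to that tag upstream runs under this repository's token on every pull request; pinning to a full commit SHA with the version in a trailing comment, `uses: voxpupuli/gha-puppet/.github/workflows/beaker.yml@<sha> # v4`, is the usual hardening. The `permissions: contents: read` block is the right default and worth keeping. A smaller point: `concurrency.group` is keyed only on `${{ github.ref_name }}`, and concurrency groups are repository-wide rather than per workflow, so a second workflow adopting the same expression would cancel this one; `group: ${{ github.workflow }}-${{ github.ref_name }}` avoids that. Since the header marks the file as managed by modulesync, any of these changes has to go through `.sync.yml` or it will be reverted on the next sync.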
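Review bot: `pr_labels.yaml` declares no `permissions:` block, unlike the new `ci.yml` in this same commit, so the job inherits whatever the repository's default `GITHUB_TOKEN` grant is, although checking labels should need at most read access; adding a top-level `permissions:` with `pull-requests: read` scopes it down. The action is pulled by the floating tag `mheap/github-action-required-labels@v3`; a commit SHA pin is preferable for a third-party action that runs on every pull request. If the action is expected to post a comment on failure it would need `pull-requests: write` instead — confirm which mode is intended before choosing the grant.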
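Review bot: `release.yml` hands the Forge publishing credentials (`PUPPET_FORGE_USERNAME`, `PUPPET_FORGE_API_KEY`) to a reusable workflow referenced by the floating tag `voxpupuli/gha-puppet/.github/workflows/release.yml@v2` and fires on any tag push (`tags: ['*']`), which makes it the workflow in this commit most worth pinning to a commit SHA. It also has no top-level `permissions:` block; `permissions: contents: read` would match `ci.yml`, provided the reusable workflow does not need write access to create a GitHub release — worth confirming before adding it. Note the version skew with `ci.yml`, which uses `@v4` of the same repository; if the release workflow is meant to track the same major, bump them together. `allowed_owner: 'lsst-it'` is a good guard against forks publishing by accident and should stay.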
+++ b/.github/workflows/shellcheck.yaml @@ -0,0 +1,15 @@ +--- +# yamllint disable rule:quoted-strings +name: shellcheck + +"on": + - push + +jobs: + shellcheck: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + + - name: Run ShellCheck + uses: ludeeus/action-shellcheck@master diff --git a/.github/workflows/yamllint.yaml b/.github/workflows/yamllint.yaml new file mode 100644 index 00000000..d0cba14d --- /dev/null +++ b/.github/workflows/yamllint.yaml @@ -0,0 +1,15 @@ +--- +# yamllint disable rule:quoted-strings +name: yamllint + +"on": + - push + +jobs: + yamllint: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + + - name: Run yamllint + uses: bewuethr/yamllint-action@v1 diff --git a/.gitignore b/.gitignore index 3f155121..84fd904c 100644 --- a/.gitignore +++ b/.gitignore @@ -1,28 +1,23 @@ -.git/ -.*.sw[op] -.metadata -.yardoc -.yardwarns -*.iml -/.bundle/ -/.idea/ +# Managed by modulesync - DO NOT EDIT +# https://voxpupuli.org/docs/updating-files-managed-with-modulesync/ + +/pkg/ +/Gemfile.lock +/Gemfile.local +/vendor/ +/.vendor/ +/spec/fixtures/manifests/ +/spec/fixtures/modules/ /.vagrant/ +/.bundle/ +/.ruby-version /coverage/ -/bin/ -/doc/ -/Gemfile.local -/Gemfile.lock -/junit/ /log/ -/pkg/ -/spec/fixtures/manifests/ -/spec/fixtures/modules/* -/tmp/ -/vendor/ -/convert_report.txt -/update_report.txt -.DS_Store -.project -.envrc -/inventory.yaml -/spec/fixtures/litmus_inventory.yaml +/.idea/ +/.dependencies/ +/.librarian/ +/Puppetfile.lock +*.iml +.*.sw? +/.yardoc/ +/Guardfile diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml deleted file mode 100644 index 6d5e786c..00000000 --- a/.gitlab-ci.yml +++ /dev/null 
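Review bot: `ludeeus/action-shellcheck@master` pins to a moving branch, so every push to that upstream branch is executed in this repository's CI without review; use a release tag or, better, a commit SHA. `actions/checkout@v2` runs on the deprecated Node 12 runtime and should move to `actions/checkout@v4`. The workflow has no `permissions:` block, where `permissions: contents: read` is all a linter needs. Separately, `.sync.yml` in this same diff lists `.github/workflows/shellcheck.yaml` under `delete: true`; if that entry is meant to keep modulesync from managing this file it deserves a comment, because as written it reads as a request to remove the file this commit adds.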
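Review bot: `yamllint.yaml` triggers only on `push`, so pull requests opened from forks are never linted even though `ci.yml` in this commit runs on `pull_request`; `"on": [push, pull_request]` closes that gap. As in the other new workflows, `actions/checkout@v2` is on the deprecated Node 12 runtime and should be bumped to `@v4`, and a `permissions: contents: read` block would state the minimal grant explicitly. `bewuethr/yamllint-action@v1` is a floating tag; a commit SHA pin is preferable for a third-party action.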
@@ -1,53 +0,0 @@ ---- -stages: - - syntax - - unit - -default: - cache: - paths: - - vendor/bundle - - before_script: &before_script - - bundle -v - - rm Gemfile.lock || true - - "# Update system gems if requested. This is useful to temporarily workaround troubles in the test runner" - - "# Set `rubygems_version` in the .sync.yml to set a value" - - "# Ignore exit code of SIGPIPE'd yes to not fail with shell's pipefail set" - - '[ -z "$RUBYGEMS_VERSION" ] || (yes || true) | gem update --system $RUBYGEMS_VERSION' - - gem --version - - bundle -v - - bundle install --without system_tests --path vendor/bundle --jobs $(nproc) - -validate lint check rubocop-Ruby 2.5.7-Puppet ~> 6: - stage: syntax - image: ruby:2.5.7 - script: - - bundle exec rake validate lint check rubocop - variables: - PUPPET_GEM_VERSION: '~> 6' - -parallel_spec-Ruby 2.5.7-Puppet ~> 6: - stage: unit - image: ruby:2.5.7 - script: - - bundle exec rake parallel_spec - variables: - PUPPET_GEM_VERSION: '~> 6' - -validate lint check rubocop-Ruby 2.7.2-Puppet ~> 7: - stage: syntax - image: ruby:2.7.2 - script: - - bundle exec rake validate lint check rubocop - variables: - PUPPET_GEM_VERSION: '~> 7' - -parallel_spec-Ruby 2.7.2-Puppet ~> 7: - stage: unit - image: ruby:2.7.2 - script: - - bundle exec rake parallel_spec - variables: - PUPPET_GEM_VERSION: '~> 7' - diff --git a/.mdl_style.rb b/.mdl_style.rb new file mode 100644 index 00000000..55e6b1e9 --- /dev/null +++ b/.mdl_style.rb @@ -0,0 +1,8 @@ +# https://github.com/markdownlint/markdownlint/blob/master/docs/creating_styles.md +# https://github.com/markdownlint/markdownlint/blob/master/docs/RULES.md +all +rule "MD013", :code_blocks => false +exclude_rule "MD003" +exclude_rule "MD013" +exclude_rule "MD036" +exclude_rule "MD034" diff --git a/.mdlrc b/.mdlrc new file mode 100644 index 00000000..794536f7 --- /dev/null +++ b/.mdlrc 
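Review bot: In `.mdl_style.rb` the line `rule "MD013", :code_blocks => false` is cancelled two lines later by `exclude_rule "MD013"`, so the `:code_blocks` parameter has no effect and the file records two contradictory intentions. Keep exactly one: drop the `rule "MD013", ...` line if long lines are meant to be ignored everywhere, or drop `exclude_rule "MD013"` if prose lines should still be limited while code blocks are exempt. A short comment on whichever survives, e.g. `# long lines allowed everywhere (tables, URLs)`, will stop the next reader from re-adding the other.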
@@ -0,0 +1,5 @@ +# a separate "style" file must be used to pass "parameters" to a rule +# +# https://github.com/markdownlint/markdownlint/blob/master/docs/configuration.md +# https://github.com/markdownlint/markdownlint/blob/master/docs/RULES.md +style ".mdl_style.rb" diff --git a/.msync.yml b/.msync.yml index 02353859..76cd4646 100644 --- a/.msync.yml +++ b/.msync.yml @@ -2,4 +2,4 @@ # Managed by modulesync - DO NOT EDIT # https://voxpupuli.org/docs/updating-files-managed-with-modulesync/ -modulesync_config_version: '5.3.0' +modulesync_config_version: '7.1.0' diff --git a/.pdkignore b/.pdkignore deleted file mode 100644 index 584438f9..00000000 --- a/.pdkignore +++ /dev/null @@ -1,43 +0,0 @@ -.git/ -.*.sw[op] -.metadata -.yardoc -.yardwarns -*.iml -/.bundle/ -/.idea/ -/.vagrant/ -/coverage/ -/bin/ -/doc/ -/Gemfile.local -/Gemfile.lock -/junit/ -/log/ -/pkg/ -/spec/fixtures/manifests/ -/spec/fixtures/modules/* -/tmp/ -/vendor/ -/convert_report.txt -/update_report.txt -.DS_Store -.project -.envrc -/inventory.yaml -/spec/fixtures/litmus_inventory.yaml -/.fixtures.yml -/Gemfile -/.gitattributes -/.gitignore -/.pdkignore -/.puppet-lint.rc -/Rakefile -/rakelib/ -/.rspec -/..yml -/.yardopts -/spec/ -/.vscode/ -/.sync.yml -/.devcontainer/ diff --git a/.pmtignore b/.pmtignore index 65f50514..58a04088 100644 --- a/.pmtignore +++ b/.pmtignore 
@@ -1,37 +1,37 @@ # Managed by modulesync - DO NOT EDIT # https://voxpupuli.org/docs/updating-files-managed-with-modulesync/ -docs/ -pkg/ -Gemfile -Gemfile.lock -Gemfile.local -vendor/ -.vendor/ -spec/ -Rakefile -.vagrant/ -.bundle/ -.ruby-version -coverage/ -log/ -.idea/ -.dependencies/ -.github/ -.librarian/ -Puppetfile.lock +/docs/ +/pkg/ +/Gemfile +/Gemfile.lock +/Gemfile.local +/vendor/ +/.vendor/ +/spec/ +/Rakefile +/.vagrant/ +/.bundle/ +/.ruby-version +/coverage/ +/log/ +/.idea/ +/.dependencies/ +/.github/ +/.librarian/ +/Puppetfile.lock *.iml -.editorconfig -.fixtures.yml -.gitignore -.msync.yml -.overcommit.yml -.pmtignore -.rspec -.rspec_parallel -.rubocop.yml -.sync.yml +/.editorconfig +/.fixtures.yml +/.gitignore +/.msync.yml +/.overcommit.yml +/.pmtignore +/.rspec +/.rspec_parallel +/.rubocop.yml +/.sync.yml .*.sw? -.yardoc/ -.yardopts -Dockerfile +/.yardoc/ +/.yardopts +/Dockerfile diff --git a/.puppet-lint.rc b/.puppet-lint.rc index cc96ece0..02a3e71d 100644 --- a/.puppet-lint.rc +++ b/.puppet-lint.rc @@ -1 +1 @@ ---relative +--fail-on-warnings diff --git a/.rspec b/.rspec index 16f9cdb0..c6cfef19 100644 --- a/.rspec +++ b/.rspec @@ -1,2 +1,6 @@ ---color +# Managed by modulesync - DO NOT EDIT +# https://voxpupuli.org/docs/updating-files-managed-with-modulesync/ + --format documentation +--color +--fail-fast diff --git a/.rubocop.yml b/.rubocop.yml index 5be1f9fa..53ac1898 100644 --- a/.rubocop.yml +++ b/.rubocop.yml 
@@ -1,723 +1,6 @@ --- -require: -- rubocop-performance -- rubocop-rspec -AllCops: - DisplayCopNames: true - TargetRubyVersion: '2.6' - Include: - - "**/*.rb" - Exclude: - - bin/* - - ".vendor/**/*" - - "**/Gemfile" - - "**/Rakefile" - - pkg/**/* - - spec/fixtures/**/* - - vendor/**/* - - "**/Puppetfile" - - "**/Vagrantfile" - - "**/Guardfile" -Layout/LineLength: - Description: People have wide screens, use them. - Max: 200 -RSpec/BeforeAfterAll: - Description: Beware of using after(:all) as it may cause state to leak between tests. - A necessary evil in acceptance testing. - Exclude: - - spec/acceptance/**/*.rb -RSpec/HookArgument: - Description: Prefer explicit :each argument, matching existing module's style - EnforcedStyle: each -RSpec/DescribeSymbol: - Exclude: - - spec/unit/facter/**/*.rb -Style/BlockDelimiters: - Description: Prefer braces for chaining. Mostly an aesthetical choice. Better to - be consistent then. - EnforcedStyle: braces_for_chaining -Style/ClassAndModuleChildren: - Description: Compact style reduces the required amount of indentation. - EnforcedStyle: compact -Style/EmptyElse: - Description: Enforce against empty else clauses, but allow `nil` for clarity. - EnforcedStyle: empty -Style/FormatString: - Description: Following the main puppet project's style, prefer the % format format. - EnforcedStyle: percent -Style/FormatStringToken: - Description: Following the main puppet project's style, prefer the simpler template - tokens over annotated ones. - EnforcedStyle: template -Style/Lambda: - Description: Prefer the keyword for easier discoverability. - EnforcedStyle: literal -Style/RegexpLiteral: - Description: Community preference. See https://github.com/voxpupuli/modulesync_config/issues/168 - EnforcedStyle: percent_r -Style/TernaryParentheses: - Description: Checks for use of parentheses around ternary conditions. Enforce parentheses - on complex expressions for better readability, but seriously consider breaking - it up. 
- EnforcedStyle: require_parentheses_when_complex -Style/TrailingCommaInArguments: - Description: Prefer always trailing comma on multiline argument lists. This makes - diffs, and re-ordering nicer. - EnforcedStyleForMultiline: comma -Style/TrailingCommaInArrayLiteral: - Description: Prefer always trailing comma on multiline literals. This makes diffs, - and re-ordering nicer. - EnforcedStyleForMultiline: comma -Style/SymbolArray: - Description: Using percent style obscures symbolic intent of array's contents. - EnforcedStyle: brackets -RSpec/MessageSpies: - EnforcedStyle: receive -Style/Documentation: - Exclude: - - lib/puppet/parser/functions/**/* - - spec/**/* -Style/WordArray: - EnforcedStyle: brackets -Performance/AncestorsInclude: - Enabled: true -Performance/BigDecimalWithNumericArgument: - Enabled: true -Performance/BlockGivenWithExplicitBlock: - Enabled: true -Performance/CaseWhenSplat: - Enabled: true -Performance/ConstantRegexp: - Enabled: true -Performance/MethodObjectAsBlock: - Enabled: true -Performance/RedundantSortBlock: - Enabled: true -Performance/RedundantStringChars: - Enabled: true -Performance/ReverseFirst: - Enabled: true -Performance/SortReverse: - Enabled: true -Performance/Squeeze: - Enabled: true -Performance/StringInclude: - Enabled: true -Performance/Sum: - Enabled: true -Style/CollectionMethods: - Enabled: true -Style/MethodCalledOnDoEndBlock: - Enabled: true -Style/StringMethods: - Enabled: true -Bundler/GemFilename: - Enabled: false -Bundler/InsecureProtocolSource: - Enabled: false -Capybara/CurrentPathExpectation: - Enabled: false -Capybara/VisibilityMatcher: - Enabled: false -Gemspec/DuplicatedAssignment: - Enabled: false -Gemspec/OrderedDependencies: - Enabled: false -Gemspec/RequiredRubyVersion: - Enabled: false -Gemspec/RubyVersionGlobalsUsage: - Enabled: false -Layout/ArgumentAlignment: - Enabled: false -Layout/BeginEndAlignment: - Enabled: false -Layout/ClosingHeredocIndentation: - Enabled: false -Layout/EmptyComment: - 
Enabled: false -Layout/EmptyLineAfterGuardClause: - Enabled: false -Layout/EmptyLinesAroundArguments: - Enabled: false -Layout/EmptyLinesAroundAttributeAccessor: - Enabled: false -Layout/EndOfLine: - Enabled: false -Layout/FirstArgumentIndentation: - Enabled: false -Layout/HashAlignment: - Enabled: false -Layout/HeredocIndentation: - Enabled: false -Layout/LeadingEmptyLines: - Enabled: false -Layout/SpaceAroundMethodCallOperator: - Enabled: false -Layout/SpaceInsideArrayLiteralBrackets: - Enabled: false -Layout/SpaceInsideReferenceBrackets: - Enabled: false -Lint/BigDecimalNew: - Enabled: false -Lint/BooleanSymbol: - Enabled: false -Lint/ConstantDefinitionInBlock: - Enabled: false -Lint/DeprecatedOpenSSLConstant: - Enabled: false -Lint/DisjunctiveAssignmentInConstructor: - Enabled: false -Lint/DuplicateElsifCondition: - Enabled: false -Lint/DuplicateRequire: - Enabled: false -Lint/DuplicateRescueException: - Enabled: false -Lint/EmptyConditionalBody: - Enabled: false -Lint/EmptyFile: - Enabled: false -Lint/ErbNewArguments: - Enabled: false -Lint/FloatComparison: - Enabled: false -Lint/HashCompareByIdentity: - Enabled: false -Lint/IdentityComparison: - Enabled: false -Lint/InterpolationCheck: - Enabled: false -Lint/MissingCopEnableDirective: - Enabled: false -Lint/MixedRegexpCaptureTypes: - Enabled: false -Lint/NestedPercentLiteral: - Enabled: false -Lint/NonDeterministicRequireOrder: - Enabled: false -Lint/OrderedMagicComments: - Enabled: false -Lint/OutOfRangeRegexpRef: - Enabled: false -Lint/RaiseException: - Enabled: false -Lint/RedundantCopEnableDirective: - Enabled: false -Lint/RedundantRequireStatement: - Enabled: false -Lint/RedundantSafeNavigation: - Enabled: false -Lint/RedundantWithIndex: - Enabled: false -Lint/RedundantWithObject: - Enabled: false -Lint/RegexpAsCondition: - Enabled: false -Lint/ReturnInVoidContext: - Enabled: false -Lint/SafeNavigationConsistency: - Enabled: false -Lint/SafeNavigationWithEmpty: - Enabled: false -Lint/SelfAssignment: - 
Enabled: false -Lint/SendWithMixinArgument: - Enabled: false -Lint/ShadowedArgument: - Enabled: false -Lint/StructNewOverride: - Enabled: false -Lint/ToJSON: - Enabled: false -Lint/TopLevelReturnWithArgument: - Enabled: false -Lint/TrailingCommaInAttributeDeclaration: - Enabled: false -Lint/UnreachableLoop: - Enabled: false -Lint/UriEscapeUnescape: - Enabled: false -Lint/UriRegexp: - Enabled: false -Lint/UselessMethodDefinition: - Enabled: false -Lint/UselessTimes: - Enabled: false -Metrics/AbcSize: - Enabled: false -Metrics/BlockLength: - Enabled: false -Metrics/BlockNesting: - Enabled: false -Metrics/ClassLength: - Enabled: false -Metrics/CyclomaticComplexity: - Enabled: false -Metrics/MethodLength: - Enabled: false -Metrics/ModuleLength: - Enabled: false -Metrics/ParameterLists: - Enabled: false -Metrics/PerceivedComplexity: - Enabled: false -Migration/DepartmentName: - Enabled: false -Naming/AccessorMethodName: - Enabled: false -Naming/BlockParameterName: - Enabled: false -Naming/HeredocDelimiterCase: - Enabled: false -Naming/HeredocDelimiterNaming: - Enabled: false -Naming/MemoizedInstanceVariableName: - Enabled: false -Naming/MethodParameterName: - Enabled: false -Naming/RescuedExceptionsVariableName: - Enabled: false -Naming/VariableNumber: - Enabled: false -Performance/BindCall: - Enabled: false -Performance/DeletePrefix: - Enabled: false -Performance/DeleteSuffix: - Enabled: false -Performance/InefficientHashSearch: - Enabled: false -Performance/UnfreezeString: - Enabled: false -Performance/UriDefaultParser: - Enabled: false -RSpec/Be: - Enabled: false -RSpec/Capybara/FeatureMethods: - Enabled: false -RSpec/ContainExactly: - Enabled: false -RSpec/ContextMethod: - Enabled: false -RSpec/ContextWording: - Enabled: false -RSpec/DescribeClass: - Enabled: false -RSpec/EmptyHook: - Enabled: false -RSpec/EmptyLineAfterExample: - Enabled: false -RSpec/EmptyLineAfterExampleGroup: - Enabled: false -RSpec/EmptyLineAfterHook: - Enabled: false -RSpec/ExampleLength: - 
Enabled: false -RSpec/ExampleWithoutDescription: - Enabled: false -RSpec/ExpectChange: - Enabled: false -RSpec/ExpectInHook: - Enabled: false -RSpec/FactoryBot/AttributeDefinedStatically: - Enabled: false -RSpec/FactoryBot/CreateList: - Enabled: false -RSpec/FactoryBot/FactoryClassName: - Enabled: false -RSpec/HooksBeforeExamples: - Enabled: false -RSpec/ImplicitBlockExpectation: - Enabled: false -RSpec/ImplicitSubject: - Enabled: false -RSpec/LeakyConstantDeclaration: - Enabled: false -RSpec/LetBeforeExamples: - Enabled: false -RSpec/MatchArray: - Enabled: false -RSpec/MissingExampleGroupArgument: - Enabled: false -RSpec/MultipleExpectations: - Enabled: false -RSpec/MultipleMemoizedHelpers: - Enabled: false -RSpec/MultipleSubjects: - Enabled: false -RSpec/NestedGroups: - Enabled: false -RSpec/PredicateMatcher: - Enabled: false -RSpec/ReceiveCounts: - Enabled: false -RSpec/ReceiveNever: - Enabled: false -RSpec/RepeatedExampleGroupBody: - Enabled: false -RSpec/RepeatedExampleGroupDescription: - Enabled: false -RSpec/RepeatedIncludeExample: - Enabled: false -RSpec/ReturnFromStub: - Enabled: false -RSpec/SharedExamples: - Enabled: false -RSpec/StubbedMock: - Enabled: false -RSpec/UnspecifiedException: - Enabled: false -RSpec/VariableDefinition: - Enabled: false -RSpec/VoidExpect: - Enabled: false -RSpec/Yield: - Enabled: false -Security/Open: - Enabled: false -Style/AccessModifierDeclarations: - Enabled: false -Style/AccessorGrouping: - Enabled: false -Style/BisectedAttrAccessor: - Enabled: false -Style/CaseLikeIf: - Enabled: false -Style/ClassEqualityComparison: - Enabled: false -Style/ColonMethodDefinition: - Enabled: false -Style/CombinableLoops: - Enabled: false -Style/CommentedKeyword: - Enabled: false -Style/Dir: - Enabled: false -Style/DoubleCopDisableDirective: - Enabled: false -Style/EmptyBlockParameter: - Enabled: false -Style/EmptyLambdaParameter: - Enabled: false -Style/Encoding: - Enabled: false -Style/EvalWithLocation: - Enabled: false 
-Style/ExpandPathArguments: - Enabled: false -Style/ExplicitBlockArgument: - Enabled: false -Style/ExponentialNotation: - Enabled: false -Style/FloatDivision: - Enabled: false -Style/FrozenStringLiteralComment: - Enabled: false -Style/GlobalStdStream: - Enabled: false -Style/HashAsLastArrayItem: - Enabled: false -Style/HashLikeCase: - Enabled: false -Style/HashTransformKeys: - Enabled: false -Style/HashTransformValues: - Enabled: false -Style/IfUnlessModifier: - Enabled: false -Style/KeywordParametersOrder: - Enabled: false -Style/MinMax: - Enabled: false -Style/MixinUsage: - Enabled: false -Style/MultilineWhenThen: - Enabled: false -Style/NegatedUnless: - Enabled: false -Style/NumericPredicate: - Enabled: false -Style/OptionalBooleanParameter: - Enabled: false -Style/OrAssignment: - Enabled: false -Style/RandomWithOffset: - Enabled: false -Style/RedundantAssignment: - Enabled: false -Style/RedundantCondition: - Enabled: false -Style/RedundantConditional: - Enabled: false -Style/RedundantFetchBlock: - Enabled: false -Style/RedundantFileExtensionInRequire: - Enabled: false -Style/RedundantRegexpCharacterClass: - Enabled: false -Style/RedundantRegexpEscape: - Enabled: false -Style/RedundantSelfAssignment: - Enabled: false -Style/RedundantSort: - Enabled: false -Style/RescueStandardError: - Enabled: false -Style/SingleArgumentDig: - Enabled: false -Style/SlicingWithRange: - Enabled: false -Style/SoleNestedConditional: - Enabled: false -Style/StderrPuts: - Enabled: false -Style/StringConcatenation: - Enabled: false -Style/Strip: - Enabled: false -Style/SymbolProc: - Enabled: false -Style/TrailingBodyOnClass: - Enabled: false -Style/TrailingBodyOnMethodDefinition: - Enabled: false -Style/TrailingBodyOnModule: - Enabled: false -Style/TrailingCommaInHashLiteral: - Enabled: false -Style/TrailingMethodEndStatement: - Enabled: false -Style/UnpackFirst: - Enabled: false -Capybara/MatchStyle: - Enabled: false -Capybara/NegationMatcher: - Enabled: false 
-Capybara/SpecificActions: - Enabled: false -Capybara/SpecificFinders: - Enabled: false -Capybara/SpecificMatcher: - Enabled: false -Gemspec/DeprecatedAttributeAssignment: - Enabled: false -Gemspec/DevelopmentDependencies: - Enabled: false -Gemspec/RequireMFA: - Enabled: false -Layout/LineContinuationLeadingSpace: - Enabled: false -Layout/LineContinuationSpacing: - Enabled: false -Layout/LineEndStringConcatenationIndentation: - Enabled: false -Layout/SpaceBeforeBrackets: - Enabled: false -Lint/AmbiguousAssignment: - Enabled: false -Lint/AmbiguousOperatorPrecedence: - Enabled: false -Lint/AmbiguousRange: - Enabled: false -Lint/ConstantOverwrittenInRescue: - Enabled: false -Lint/DeprecatedConstants: - Enabled: false -Lint/DuplicateBranch: - Enabled: false -Lint/DuplicateMagicComment: - Enabled: false -Lint/DuplicateRegexpCharacterClassElement: - Enabled: false -Lint/EmptyBlock: - Enabled: false -Lint/EmptyClass: - Enabled: false -Lint/EmptyInPattern: - Enabled: false -Lint/IncompatibleIoSelectWithFiberScheduler: - Enabled: false -Lint/LambdaWithoutLiteralBlock: - Enabled: false -Lint/NoReturnInBeginEndBlocks: - Enabled: false -Lint/NonAtomicFileOperation: - Enabled: false -Lint/NumberedParameterAssignment: - Enabled: false -Lint/OrAssignmentToConstant: - Enabled: false -Lint/RedundantDirGlobSort: - Enabled: false -Lint/RefinementImportMethods: - Enabled: false -Lint/RequireRangeParentheses: - Enabled: false -Lint/RequireRelativeSelfPath: - Enabled: false -Lint/SymbolConversion: - Enabled: false -Lint/ToEnumArguments: - Enabled: false -Lint/TripleQuotes: - Enabled: false -Lint/UnexpectedBlockArity: - Enabled: false -Lint/UnmodifiedReduceAccumulator: - Enabled: false -Lint/UselessRescue: - Enabled: false -Lint/UselessRuby2Keywords: - Enabled: false -Metrics/CollectionLiteralLength: - Enabled: false -Naming/BlockForwarding: - Enabled: false -Performance/CollectionLiteralInLoop: - Enabled: false -Performance/ConcurrentMonotonicTime: - Enabled: false 
-Performance/MapCompact: - Enabled: false -Performance/RedundantEqualityComparisonBlock: - Enabled: false -Performance/RedundantSplitRegexpArgument: - Enabled: false -Performance/StringIdentifierArgument: - Enabled: false -RSpec/BeEq: - Enabled: false -RSpec/BeNil: - Enabled: false -RSpec/ChangeByZero: - Enabled: false -RSpec/ClassCheck: - Enabled: false -RSpec/DuplicatedMetadata: - Enabled: false -RSpec/ExcessiveDocstringSpacing: - Enabled: false -RSpec/FactoryBot/ConsistentParenthesesStyle: - Enabled: false -RSpec/FactoryBot/FactoryNameStyle: - Enabled: false -RSpec/FactoryBot/SyntaxMethods: - Enabled: false -RSpec/IdenticalEqualityAssertion: - Enabled: false -RSpec/NoExpectationExample: - Enabled: false -RSpec/PendingWithoutReason: - Enabled: false -RSpec/Rails/AvoidSetupHook: - Enabled: false -RSpec/Rails/HaveHttpStatus: - Enabled: false -RSpec/Rails/InferredSpecType: - Enabled: false -RSpec/Rails/MinitestAssertions: - Enabled: false -RSpec/Rails/TravelAround: - Enabled: false -RSpec/RedundantAround: - Enabled: false -RSpec/SkipBlockInsideExample: - Enabled: false -RSpec/SortMetadata: - Enabled: false -RSpec/SubjectDeclaration: - Enabled: false -RSpec/VerifiedDoubleReference: - Enabled: false -Security/CompoundHash: - Enabled: false -Security/IoMethods: - Enabled: false -Style/ArgumentsForwarding: - Enabled: false -Style/ArrayIntersect: - Enabled: false -Style/CollectionCompact: - Enabled: false -Style/ComparableClamp: - Enabled: false -Style/ConcatArrayLiterals: - Enabled: false -Style/DirEmpty: - Enabled: false -Style/DocumentDynamicEvalDefinition: - Enabled: false -Style/EmptyHeredoc: - Enabled: false -Style/EndlessMethod: - Enabled: false -Style/EnvHome: - Enabled: false -Style/FetchEnvVar: - Enabled: false -Style/FileEmpty: - Enabled: false -Style/FileRead: - Enabled: false -Style/FileWrite: - Enabled: false -Style/HashConversion: - Enabled: false -Style/HashExcept: - Enabled: false -Style/IfWithBooleanLiteralBranches: - Enabled: false 
-Style/InPatternThen: - Enabled: false -Style/MagicCommentFormat: - Enabled: false -Style/MapCompactWithConditionalBlock: - Enabled: false -Style/MapToHash: - Enabled: false -Style/MapToSet: - Enabled: false -Style/MinMaxComparison: - Enabled: false -Style/MultilineInPatternThen: - Enabled: false -Style/NegatedIfElseCondition: - Enabled: false -Style/NestedFileDirname: - Enabled: false -Style/NilLambda: - Enabled: false -Style/NumberedParameters: - Enabled: false -Style/NumberedParametersLimit: - Enabled: false -Style/ObjectThen: - Enabled: false -Style/OpenStructUse: - Enabled: false -Style/OperatorMethodCall: - Enabled: false -Style/QuotedSymbols: - Enabled: false -Style/RedundantArgument: - Enabled: false -Style/RedundantConstantBase: - Enabled: false -Style/RedundantDoubleSplatHashBraces: - Enabled: false -Style/RedundantEach: - Enabled: false -Style/RedundantHeredocDelimiterQuotes: - Enabled: false -Style/RedundantInitialize: - Enabled: false -Style/RedundantSelfAssignmentBranch: - Enabled: false -Style/RedundantStringEscape: - Enabled: false -Style/SelectByRegexp: - Enabled: false -Style/StringChars: - Enabled: false -Style/SwapValues: - Enabled: false +# Managed by modulesync - DO NOT EDIT +# https://voxpupuli.org/docs/updating-files-managed-with-modulesync/ + +inherit_gem: + voxpupuli-test: rubocop.yml diff --git a/.sync.yml b/.sync.yml index a69cd1a7..a82d21d1 100644 --- a/.sync.yml +++ b/.sync.yml @@ -4,6 +4,10 @@ - parameter_documentation - parameter_types +spec/spec_helper_acceptance.rb: + unmanaged: false + configure_beaker: ~ + .github/CONTRIBUTING.md: delete: true .github/ISSUE_TEMPLATE.md: @@ -12,8 +16,11 @@ delete: true .github/SECURITY.md: delete: true +.github/workflows/shellcheck.yaml: + delete: true +.github/workflows/markdownlint.yaml: + delete: true -Gemfile: - required: - ':development': - - gem: github_changelog_generator +.github/workflows/ci.yml: + with: + beaker_hosts: master,replica,client 
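Review bot: `.sync.yml` sets `beaker_hosts: master,replica,client` with commas, while the generated `.github/workflows/ci.yml` in this same commit carries `beaker_hosts: master;replica;client` with semicolons; because `ci.yml` is marked as managed by modulesync, the next sync will rewrite the workflow with the comma form, so one of the two must be wrong. Check which separator the `voxpupuli/gha-puppet` beaker workflow actually splits on and make both files agree — the committed `ci.yml` is presumably the form that was exercised. A comment next to the value, `# passed through to gha-puppet beaker.yml; separator must match upstream`, would make the contract visible to whoever edits this next.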
diff --git a/.yamllint.yaml b/.yamllint.yaml new file mode 100644 index 00000000..6816fd8e --- /dev/null +++ b/.yamllint.yaml @@ -0,0 +1,16 @@ +--- +extends: default + +rules: + # 80 chars should be enough, but don't fail if a line is longer + line-length: false + indentation: + spaces: consistent + indent-sequences: consistent + # do not obsess over comment formatting + comments-indentation: false + comments: + require-starting-space: false + +ignore: | + .rubocop.yml diff --git a/.yardopts b/.yardopts deleted file mode 100644 index 29c933bc..00000000 --- a/.yardopts +++ /dev/null @@ -1 +0,0 @@ ---markup markdown diff --git a/Dockerfile b/Dockerfile deleted file mode 100644 index 8dd82d63..00000000 --- a/Dockerfile +++ /dev/null @@ -1,24 +0,0 @@ -# MANAGED BY MODULESYNC -# https://voxpupuli.org/docs/updating-files-managed-with-modulesync/ - -FROM ruby:2.7 - -WORKDIR /opt/puppet - -# https://github.com/puppetlabs/puppet/blob/06ad255754a38f22fb3a22c7c4f1e2ce453d01cb/lib/puppet/provider/service/runit.rb#L39 -RUN mkdir -p /etc/sv - -ARG PUPPET_GEM_VERSION="~> 6.0" -ARG PARALLEL_TEST_PROCESSORS=4 - -# Cache gems -COPY Gemfile . -RUN bundle install --without system_tests development release --path=${BUNDLE_PATH:-vendor/bundle} - -COPY . . - -RUN bundle install -RUN bundle exec rake release_checks - -# Container should not saved -RUN exit 1 diff --git a/Gemfile b/Gemfile index 5c26c690..f59e0788 100644 --- a/Gemfile +++ b/Gemfile 
@@ -1,74 +1,32 @@ -source ENV['GEM_SOURCE'] || 'https://rubygems.org' +# Managed by modulesync - DO NOT EDIT +# https://voxpupuli.org/docs/updating-files-managed-with-modulesync/ -def location_for(place_or_version, fake_version = nil) - git_url_regex = %r{\A(?(https?|git)[:@][^#]*)(#(?.*))?} - file_url_regex = %r{\Afile:\/\/(?.*)} +source ENV['GEM_SOURCE'] || 'https://rubygems.org' - if place_or_version && (git_url = place_or_version.match(git_url_regex)) - [fake_version, { git: git_url[:url], branch: git_url[:branch], require: false }].compact - elsif place_or_version && (file_url = place_or_version.match(file_url_regex)) - ['>= 0', { path: File.expand_path(file_url[:path]), require: false }] - else - [place_or_version, { require: false }] - end +group :test do + gem 'voxpupuli-test', '~> 7.0', :require => false + gem 'coveralls', :require => false + gem 'simplecov-console', :require => false + gem 'puppet_metadata', '~> 5.0', :require => false end group :development do - gem "json", '= 2.1.0', require: false if Gem::Requirement.create(['>= 2.5.0', '< 2.7.0']).satisfied_by?(Gem::Version.new(RUBY_VERSION.dup)) - gem "json", '= 2.3.0', require: false if Gem::Requirement.create(['>= 2.7.0', '< 3.0.0']).satisfied_by?(Gem::Version.new(RUBY_VERSION.dup)) - gem "json", '= 2.5.1', require: false if Gem::Requirement.create(['>= 3.0.0', '< 3.0.5']).satisfied_by?(Gem::Version.new(RUBY_VERSION.dup)) - gem "json", '= 2.6.1', require: false if Gem::Requirement.create(['>= 3.1.0', '< 3.1.3']).satisfied_by?(Gem::Version.new(RUBY_VERSION.dup)) - gem "json", '= 2.6.3', require: false if Gem::Requirement.create(['>= 3.2.0', '< 4.0.0']).satisfied_by?(Gem::Version.new(RUBY_VERSION.dup)) - gem "racc", '~> 1.4.0', require: false if Gem::Requirement.create(['>= 2.7.0', '< 3.0.0']).satisfied_by?(Gem::Version.new(RUBY_VERSION.dup)) - gem "voxpupuli-puppet-lint-plugins", '~> 5.0', require: false - gem "facterdb", '~> 1.18', require: false - gem "metadata-json-lint", '~> 3.0', require: false 
- gem "puppetlabs_spec_helper", '~> 6.0', require: false - gem "rspec-puppet-facts", '~> 2.0', require: false - gem "codecov", '~> 0.2', require: false - gem "dependency_checker", '~> 1.0.0', require: false - gem "parallel_tests", '= 3.12.1', require: false - gem "pry", '~> 0.10', require: false - gem "simplecov-console", '~> 0.5', require: false - gem "puppet-debugger", '~> 1.0', require: false - gem "rubocop", '= 1.48.1', require: false - gem "rubocop-performance", '= 1.16.0', require: false - gem "rubocop-rspec", '= 2.19.0', require: false - gem "rb-readline", '= 0.5.5', require: false, platforms: [:mswin, :mingw, :x64_mingw] - gem "github_changelog_generator", require: false + gem 'guard-rake', :require => false + gem 'overcommit', '>= 0.39.1', :require => false end + group :system_tests do - gem "puppet_litmus", '~> 1.0', require: false, platforms: [:ruby, :x64_mingw] - gem "serverspec", '~> 2.41', require: false + gem 'voxpupuli-acceptance', '~> 2.2', :require => false end -puppet_version = ENV['PUPPET_GEM_VERSION'] -facter_version = ENV['FACTER_GEM_VERSION'] -hiera_version = ENV['HIERA_GEM_VERSION'] - -gems = {} - -gems['puppet'] = location_for(puppet_version) - -# If facter or hiera versions have been specified via the environment -# variables - -gems['facter'] = location_for(facter_version) if facter_version -gems['hiera'] = location_for(hiera_version) if hiera_version - -gems.each do |gem_name, gem_params| - gem gem_name, *gem_params +group :release do + gem 'voxpupuli-release', '~> 3.0', :require => false end -# Evaluate Gemfile.local and ~/.gemfile if they exist -extra_gemfiles = [ - "#{__FILE__}.local", - File.join(Dir.home, '.gemfile'), -] +gem 'rake', :require => false +gem 'facter', ENV['FACTER_GEM_VERSION'], :require => false, :groups => [:test] + +puppetversion = ENV['PUPPET_GEM_VERSION'] || '~> 7.24' +gem 'puppet', puppetversion, :require => false, :groups => [:test] -extra_gemfiles.each do |gemfile| - if File.file?(gemfile) && 
File.readable?(gemfile) - eval(File.read(gemfile), binding) - end -end # vim: syntax=ruby diff --git a/LICENSE b/LICENSE new file mode 100644 index 00000000..941cf7d7 --- /dev/null +++ b/LICENSE @@ -0,0 +1,14 @@ +Copyright (C) 2013 Harvard University Information Technology + +This program is free software: you can redistribute it and/or modify +it under the terms of the GNU General Public License as published by +the Free Software Foundation, either version 3 of the License, or +(at your option) any later version. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU General Public License for more details. + +You should have received a copy of the GNU General Public License +along with this program. If not, see . diff --git a/README.md b/README.md index 56220db8..35b27eff 100644 --- a/README.md +++ b/README.md 
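Review bot: `gem 'facter', ENV['FACTER_GEM_VERSION'], :require => false, :groups => [:test]` passes `nil` as the version requirement whenever the variable is unset, which Bundler treats as unconstrained but which reads like an oversight next to the explicit `puppetversion = ENV['PUPPET_GEM_VERSION'] || '~> 7.24'` fallback just below it; a comment such as `# nil => any version; set FACTER_GEM_VERSION to pin` or the same `|| '...'` pattern would make the intent explicit. With `/Gemfile.lock` now ignored (see the `.gitignore` hunk), the unconstrained `coveralls`, `simplecov-console`, `guard-rake` and `rake` entries resolve to whatever is newest on each run, so the `~>` constraints on the `voxpupuli-*` gems are the only reproducibility anchor — worth a comment if that is deliberate. Removing the old `extra_gemfiles` block that `eval`'d `~/.gemfile` from the developer's home directory is a welcome change.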
@@ -1,331 +1,52 @@ -# easy_ipa Puppet module -[![Build Status](https://travis-ci.org/Puppet-Finland/puppet-ipa.svg?branch=master)](https://travis-ci.org/Puppet-Finland/puppet-ipa) +# ipa ## Overview -This module will install and configure IPA servers, replicas, and clients. This module was forked from huit-ipa, -and refactored with a focus on simplicity and ease of use. +This module manages [FreeIPA](https://www.freeipa.org/) servers, replicas, and clients. -The following features work great: -- Creating a domain. -- Adding IPA server replicas. -- Joining clients. -- WebUI proxy to https://localhost:8440 (for vagrant testing). - -The following features were stripped out and are currently unavailable: -- Autofs configuration. -- Sudo rule management. -- Host management (beyond simple clinet domain joins). -- Host joins via one time passwords. -- Dns zone management (beyond creating an initial zone). - -## Dependencies -This module requires [puppetlabs/stdlib](https://forge.puppetlabs.com/puppetlabs/stdlib) >= 4.13.0. +This module was forked from [Puppet-Finland/puppet-ipa](https://github.com/Puppet-Finland/puppet-ipa), +which was forked from [jpuskar/puppet-ipa](https://github.com/jpuskar/puppet-ipa), +which was forked from [huit/puppet-ipa](https://github.com/huit/puppet-ipa). ## Usage ### Example usage: -Creating an IPA master, with the WebUI proxied to `https://localhost:8440`. 
```puppet -class {'easy_ipa': - ipa_role => 'master', - domain => 'vagrant.example.lan', - ipa_server_fqdn => 'ipa-server-1.vagrant.example.lan', - admin_password => 'vagrant123', - directory_services_password => 'vagrant123', - install_ipa_server => true, - ip_address => '192.168.56.35', - enable_ip_address => true, - enable_hostname => true, - manage_host_entry => true, - install_epel => true, - webui_disable_kerberos => true, - webui_enable_proxy => true, - webui_force_https => true, +class { 'ipa': + ipa_role => 'master', + domain => 'example.com', + admin_password => 'rspecrspec123', + directory_services_password => 'rspecrspec123', + idstart => 70000, + configure_dns_server => false, + configure_ntp => false, } ``` Adding a replica: -```puppet -class {'::easy_ipa': - ipa_role => 'replica', - domain => 'vagrant.example.lan', - ipa_server_fqdn => 'ipa-server-2.vagrant.example.lan', - domain_join_password => 'vagrant123', - install_ipa_server => true, - ip_address => '192.168.56.36', - enable_ip_address => true, - enable_hostname => true, - manage_host_entry => true, - install_epel => true, - ipa_master_fqdn => 'ipa-server-1.vagrant.example.lan', -} -``` - -Add monitoring with [monit](https://mmonit.com/monit/). Depends on the -[puppetfinland-monit](https://github.com/Puppet-Finland/monit) module: - -``` -class { '::easy_ipa::monit::server': - email => 'monitoring@domain.com', -} -``` - -Add iptables/ip6tables allow rules: -``` -class { '::easy_ipa::packetfilter::server': - allow_address_ipv4 => '10.0.0.0/8', - allow_address_ipv6 => '::1', -} -``` - -Add a backup job to cron: -``` - easy_ipa::backup { 'full': - type => 'full', - timestamp => false, - monthday => 1, - weekday => undef, - hour => 4, - minute => 15, - email => 'admin@domain.com', - } -``` -Backup type can be 'full' or 'data'. Timestamp is either true (default) or -false. 
A wrapper script is used as ipa-backup always adds a timestamp to the -backup directory, which makes no sense if an external system (e.g. Bacula) is -handling backup versioning anyways. - -Adding a local named.conf configuration fragment: ```puppet -::easy_ipa::config::named { 'tsig-key': - content => template('profile/named-tsig-key.conf.erb'), +class { 'ipa': + ipa_role => 'replica', + domain => 'example.com', + ipa_master_fqdn => 'master-puppet8.example.com', + admin_password => 'rspecrspec123', + configure_dns_server => false, + configure_ntp => false, + configure_replica_ca => true, } ``` -These can be used for various purposes, for example to add a key which allows -dynamic DNS updates to certain DNS zones. Adding a client: + ```puppet -class {'::easy_ipa': -ipa_role => 'client', -domain => 'vagrant.example.lan', -domain_join_password => 'vagrant123', -install_epel => true, -ipa_master_fqdn => 'ipa-server-1.vagrant.example.lan', +class { 'ipa': + ipa_role => 'client', + domain => 'example.com', + domain_join_principal => 'admin', + domain_join_password => 'rspecrspec123', + ipa_master_fqdn => 'master-puppet8.example.com', + configure_ntp => false, } ``` - -### Support for systems without ipa client packages - -This module has partial support configuring ipa clients on operating systems -which lack ipa client package and thus the ipa-client-install script. Right now -Debian 9 is the only operating system supported in this way. Client-side is -configured with the exception that sshd_config is not touched to prevent -configuration overlap with other Puppet modules. Adapt the following procedure -(adapted from [here](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/identity_management_guide/linux-manual)) -to complete the enrollment of a host into IPA. 
- -On the IPA master: - - kinit admin - ipa host-add --ip-address=192.168.56.40 ipa-client-4.vagrant.example.lan - ipa host-add-managedby --hosts=ipa-server-1.vagrant.example.lan ipa-client-4.vagrant.example.lan - ipa-getkeytab --server=ipa-server-1.vagrant.example.lan -p host/ipa-client-4.vagrant.example.lan -k /tmp/ipa-client-4.keytab - chmod 644 /tmp/ipa-client-4.keytab - -Copy the keytab to /etc/krb5.keytab on the client host to be enrolled and in there run - - chown root:root /etc/krb5.keytab - chmod 600 /etc/krb5.keytab - -Assuming you had ran Puppet on the client and launching of sssd had failed, try again now: - - systemctl restart sssd - -You should now be able to use kinit normally on the enrolled client: - - kinit admin - -Many of these steps could be automated with exported resources, but getting the -Kerberos keytab back to the enrolled would somewhat be challenging. - -### Mandatory Parameters - -#### `domain` -Mandatory. The name of the IPA domain to create or join. - -#### `ipa_role` -Mandatory. What role the node will be. Options are 'master', 'replica', and 'client'. - -#### `admin_password` -Mandatory if `ipa_role` is set as 'Master' or 'Replica'. -Password which will be assigned to the IPA account named 'admin'. - -#### `directory_services_password` -Mandatory if `ipa_role` is set as 'Master'. -Password which will be passed into the ipa setup's parameter named "--ds-password". - -### Optional Parameters - -#### `autofs_package_name` -Name of the autofs package to install if enabled. - -#### `configure_dns_server` -If true, then the parameter '--setup-dns' is passed to the IPA server installer. -Also, triggers the install of the required dns server packages. - -#### `configure_replica_ca` -If true, then the parameter '--setup-ca' is passed to the IPA replica installer. - -#### `configure_ntp` -If false, then the parameter '--no-ntp' is passed to the IPA server installer. 
- -#### `custom_dns_forwarders` -Each element in this array is prefixed with '--forwarder ' and passed to the IPA server installer. - -#### `domain_join_principal` -The principal (usually username) used to join a client or replica to the IPA domain. - -#### `domain_join_password` -The password for the domain_join_principal. - -#### `enable_hostname` -If true, then the parameter '--hostname' is populated with the parameter 'ipa_server_fqdn' -and passed to the IPA installer. On client installs '--hostname' is populated with `$::fqdn`. - -#### `enable_ip_address` -If true, then the parameter '--ip-address' is populated with the parameter 'ip_address' -and passed to the IPA installer. - -#### `fixed_primary` -If true, then the parameter '--fixed-primary' is passed to the IPA installer. - -#### `idstart` -From the IPA man pages: "The starting user and group id number". Note that this -will clash with installer on RedHat 9. See adjust_login_defs parameter. - -#### `idmax` -From the IPA man pages: "The max value for the IDs range (default: idstart+199999)". - -#### `install_autofs` -If true, then the autofs packages are installed. - -#### `install_epel` -If true, then the epel repo is installed. The epel repo is usually required for sssd packages. - -#### `install_kstart` -If true, then the kstart packages are installed. - -#### `install_ldaputils` -If true, then the ldaputils packages are installed. - -#### `install_sssdtools` -If true, then the sssdtools packages are installed. - -#### `ipa_client_package_name` -Name of the IPA client package. - -#### `ipa_server_package_name` -Name of the IPA server package. - -#### `install_ipa_client` -If true, then the IPA client packages are installed if the parameter 'ipa_role' is set to 'client'. - -#### `install_ipa_server` -If true, then the IPA server packages are installed if the parameter 'ipa_role' is not set to 'client'. - -#### `install_sssd` -If true, then the sssd packages are installed. 
- -#### `ip_address` -IP address to pass to the IPA installer. - -#### `ipa_server_fqdn` -Actual fqdn of the IPA server or client. - -#### `kstart_package_name` -Name of the kstart package. - -#### `ldaputils_package_name` -Name of the ldaputils package. - -#### `ipa_master_fqdn` -FQDN of the server to use for a client or replica domain join. - -#### `manage_host_entry` -If true, then a host entry is created using the parameters 'ipa_server_fqdn' and 'ip_address'. - -#### `mkhomedir` -If true, then the parameter '--mkhomedir' is passed to the IPA client installer. - -#### `no_ui_redirect` -If true, then the parameter '--no-ui-redirect' is passed to the IPA server installer. - -#### `realm` -The name of the IPA realm to create or join. - -#### `sssd_package_name` -Name of the sssd package. - -#### `sssdtools_package_name` -Name of the sssdtools package. - -#### ̀gssapi_no_negotiate - -Suppress setting Negotiate headers based on BrowserMatch. Not sending these headers is useful to work around browsers that do not handle them properly (and incorrectly show authentication popups to users). Example: "Windows". Default undef. - -#### `webui_enable_proxy` -If true, then httpd is configured to act as a reverse proxy for the IPA Web UI. This allows -for the Web UI to be accessed from different ports and hostnames than the default. - -#### `webui_force_https` -If true, then /etc/httpd/conf.d/ipa-rewrite.conf is modified to force all connections to https. -This is necessary to allow the WebUI to be accessed behind a reverse proxy when using nonstandard -ports. - -#### `webui_proxy_external_fqdn` -The public or external FQDN used to access the IPA Web UI behind the reverse proxy. - -#### `webui_proxy_https_port` -The HTTPS port to use for the reverse proxy. Cannot be 443. - -#### `adjust_login_defs` -Adjust UID_MAX and GID_MAX in login.defs. This is require on RedHat 9. Default false. - - -## Limitations - -This module has only been tested on Centos 7 and RedHat 9. 
- -## Testing -A vagrantfile is provided for easy testing. - -Steps to get started: - 1. Install vagrant. - 1. Install virtualbox. - 1. Clone this repo. - 1. Run `vagrant up` in a terminal window from the root of the repo. - 1. Open a browser and navigate to `https://localhost:8440`. - Log in with username `admin` and password `vagrant123`. - -## License -jpuskar/puppet-easy_ipa forked from: -huit/puppet-ipa - Puppet module that can manage an IPA master, replicas and clients. - - Copyright (C) 2013 Harvard University Information Technology - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . diff --git a/REFERENCE.md b/REFERENCE.md index 17968220..6d37cf9d 100644 --- a/REFERENCE.md +++ b/REFERENCE.md 
@@ -8,41 +8,21 @@ #### Public Classes -* [`easy_ipa`](#easy_ipa): Manages IPA masters, replicas and clients. -* [`easy_ipa::config::admin_user`](#easy_ipa--config--admin_user): Manage admin user -* [`easy_ipa::config::webui`](#easy_ipa--config--webui): Configures port and redirect overrides for the IPA server web UI. -* [`easy_ipa::install`](#easy_ipa--install): Manage easy_ipa install -* [`easy_ipa::install::autofs`](#easy_ipa--install--autofs): Manage autofs -* [`easy_ipa::install::client`](#easy_ipa--install--client): Manage ipa client -* [`easy_ipa::install::client::debian`](#easy_ipa--install--client--debian): Ensure that home directories get created on Debian and Ubuntu clients. -* [`easy_ipa::install::client::manual`](#easy_ipa--install--client--manual): "Manual" configuration of hosts which don't have the freeipa-client package. -* [`easy_ipa::install::server`](#easy_ipa--install--server): Manage IPA server install -* [`easy_ipa::install::server::master`](#easy_ipa--install--server--master): Manage primary server -* [`easy_ipa::install::server::replica`](#easy_ipa--install--server--replica): Manage replica install -* [`easy_ipa::install::sssd`](#easy_ipa--install--sssd): Manage sssd install -* [`easy_ipa::monit::server`](#easy_ipa--monit--server): Manage easy_ipa::monit::server -* [`easy_ipa::named`](#easy_ipa--named): Prepare the integrated named-pkcs11 service for local configuration -* [`easy_ipa::packetfilter::server`](#easy_ipa--packetfilter--server): Install packet filtering rules for FreeIPA. -* [`easy_ipa::params`](#easy_ipa--params): Prevent havoc on unsupported operating systems. +* [`ipa`](#ipa): Manages IPA masters, replicas and clients. #### Private Classes -* `easy_ipa::validate_params`: Validates input configs from init.pp. - -### Defined types - -* [`easy_ipa::backup`](#easy_ipa--backup): Define easy_ipa::backup -* [`easy_ipa::config::named`](#easy_ipa--config--named): Add custom named.conf fragment. 
-* [`easy_ipa::helpers::flushcache`](#easy_ipa--helpers--flushcache): Manage cache flushing - -### Plans - -* [`easy_ipa::update_host_keys`](#easy_ipa--update_host_keys): Update host keys for a domain-joined node in FreeIPA to match real host -keys. +* `ipa::client`: Manage ipa client +* `ipa::client::debian`: Ensure that home directories get created on Debian and Ubuntu clients. +* `ipa::server`: Manage IPA server install +* `ipa::server::flushcache`: Manage cache flushing +* `ipa::server::master`: Manage primary server +* `ipa::server::redhat` +* `ipa::server::replica`: Manage replica install ## Classes -### `easy_ipa` +### `ipa` TODO: Allow creation of root zone for isolated networks -- https://www.freeipa.org/page/Howto/DNS_in_isolated_networks TODO: Class comments. 
@@ -52,95 +32,65 @@ TODO: configurable admin username. #### Parameters -The following parameters are available in the `easy_ipa` class: - -* [`manage`](#-easy_ipa--manage) -* [`domain`](#-easy_ipa--domain) -* [`ipa_role`](#-easy_ipa--ipa_role) -* [`admin_password`](#-easy_ipa--admin_password) -* [`directory_services_password`](#-easy_ipa--directory_services_password) -* [`allow_zone_overlap`](#-easy_ipa--allow_zone_overlap) -* [`no_dnssec_validation`](#-easy_ipa--no_dnssec_validation) -* [`client_install_ldaputils`](#-easy_ipa--client_install_ldaputils) -* [`configure_dns_server`](#-easy_ipa--configure_dns_server) -* [`configure_replica_ca`](#-easy_ipa--configure_replica_ca) -* [`configure_ntp`](#-easy_ipa--configure_ntp) -* [`configure_ssh`](#-easy_ipa--configure_ssh) -* [`configure_sshd`](#-easy_ipa--configure_sshd) -* [`custom_dns_forwarders`](#-easy_ipa--custom_dns_forwarders) -* [`domain_join_principal`](#-easy_ipa--domain_join_principal) -* [`domain_join_password`](#-easy_ipa--domain_join_password) -* [`enable_dns_updates`](#-easy_ipa--enable_dns_updates) -* [`enable_hostname`](#-easy_ipa--enable_hostname) -* [`enable_ip_address`](#-easy_ipa--enable_ip_address) -* [`fixed_primary`](#-easy_ipa--fixed_primary) -* [`idstart`](#-easy_ipa--idstart) -* [`gssapi_no_negotiate`](#-easy_ipa--gssapi_no_negotiate) -* [`idmax`](#-easy_ipa--idmax) -* [`install_autofs`](#-easy_ipa--install_autofs) -* [`install_epel`](#-easy_ipa--install_epel) -* [`install_kstart`](#-easy_ipa--install_kstart) -* [`install_sssdtools`](#-easy_ipa--install_sssdtools) -* [`install_ipa_client`](#-easy_ipa--install_ipa_client) -* [`install_ipa_server`](#-easy_ipa--install_ipa_server) -* [`install_sssd`](#-easy_ipa--install_sssd) -* [`ip_address`](#-easy_ipa--ip_address) -* [`ipa_server_fqdn`](#-easy_ipa--ipa_server_fqdn) -* [`ipa_master_fqdn`](#-easy_ipa--ipa_master_fqdn) -* [`manage_host_entry`](#-easy_ipa--manage_host_entry) -* [`mkhomedir`](#-easy_ipa--mkhomedir) -* 
[`no_ui_redirect`](#-easy_ipa--no_ui_redirect) -* [`realm`](#-easy_ipa--realm) -* [`server_install_ldaputils`](#-easy_ipa--server_install_ldaputils) -* [`webui_disable_kerberos`](#-easy_ipa--webui_disable_kerberos) -* [`webui_enable_proxy`](#-easy_ipa--webui_enable_proxy) -* [`webui_force_https`](#-easy_ipa--webui_force_https) -* [`webui_proxy_external_fqdn`](#-easy_ipa--webui_proxy_external_fqdn) -* [`webui_proxy_https_port`](#-easy_ipa--webui_proxy_https_port) -* [`adjust_login_defs`](#-easy_ipa--adjust_login_defs) - -##### `manage` - -Data type: `Boolean` - -(boolean) Manage easy_ipa with Puppet. Defaults to true. Setting this to - to false is useful when a handful of hosts have unsupported - operating systems and you'd rather exclude them from FreeIPA - instead of including the others individually. Use this with - a separate Hiera level (e.g. $::lsbdistcodename) for maximum - convenience. - -Default value: `true` - -##### `domain` +The following parameters are available in the `ipa` class: + +* [`domain`](#-ipa--domain) +* [`ipa_role`](#-ipa--ipa_role) +* [`admin_password`](#-ipa--admin_password) +* [`directory_services_password`](#-ipa--directory_services_password) +* [`allow_zone_overlap`](#-ipa--allow_zone_overlap) +* [`no_dnssec_validation`](#-ipa--no_dnssec_validation) +* [`configure_dns_server`](#-ipa--configure_dns_server) +* [`configure_replica_ca`](#-ipa--configure_replica_ca) +* [`configure_ntp`](#-ipa--configure_ntp) +* [`configure_ssh`](#-ipa--configure_ssh) +* [`configure_sshd`](#-ipa--configure_sshd) +* [`custom_dns_forwarders`](#-ipa--custom_dns_forwarders) +* [`domain_join_principal`](#-ipa--domain_join_principal) +* [`domain_join_password`](#-ipa--domain_join_password) +* [`enable_dns_updates`](#-ipa--enable_dns_updates) +* [`enable_hostname`](#-ipa--enable_hostname) +* [`enable_ip_address`](#-ipa--enable_ip_address) +* [`fixed_primary`](#-ipa--fixed_primary) +* [`idstart`](#-ipa--idstart) +* [`idmax`](#-ipa--idmax) +* 
[`ip_address`](#-ipa--ip_address) +* [`ipa_server_fqdn`](#-ipa--ipa_server_fqdn) +* [`ipa_master_fqdn`](#-ipa--ipa_master_fqdn) +* [`mkhomedir`](#-ipa--mkhomedir) +* [`no_ui_redirect`](#-ipa--no_ui_redirect) +* [`realm`](#-ipa--realm) +* [`adjust_login_defs`](#-ipa--adjust_login_defs) + +##### `domain` Data type: `Stdlib::Fqdn` (string) The name of the IPA domain to create or join. -##### `ipa_role` +##### `ipa_role` Data type: `Enum['client', 'master', 'replica']` (string) What role the node will be. Options are 'master', 'replica', and 'client'. -##### `admin_password` +##### `admin_password` -Data type: `Optional[String[8]]` +Data type: `Optional[Variant[Sensitive[String[8]],String[8]]]` (string) Password which will be assigned to the IPA account named 'admin'. Default value: `undef` -##### `directory_services_password` +##### `directory_services_password` -Data type: `Optional[String[8]]` +Data type: `Optional[Variant[Sensitive[String[8]],String[8]]]` (string) Password which will be passed into the ipa setup's parameter named "--ds-password". Default value: `undef` -##### `allow_zone_overlap` +##### `allow_zone_overlap` Data type: `Boolean` @@ -151,7 +101,7 @@ Data type: `Boolean` Default value: `false` -##### `no_dnssec_validation` +##### `no_dnssec_validation` Data type: `Boolean` @@ -159,15 +109,7 @@ Data type: `Boolean` Default value: `false` -##### `client_install_ldaputils` - -Data type: `Boolean` - -(boolean) If true, then the ldaputils packages are installed if ipa_role is set to client. - -Default value: `false` - -##### `configure_dns_server` +##### `configure_dns_server` Data type: `Boolean` @@ -176,7 +118,7 @@ Data type: `Boolean` Default value: `true` -##### `configure_replica_ca` +##### `configure_replica_ca` Data type: `Boolean` @@ -184,7 +126,7 @@ Data type: `Boolean` Default value: `false` -##### `configure_ntp` +##### `configure_ntp` Data type: `Boolean` 
@@ -193,7 +135,7 @@ Data type: `Boolean` Default value: `true` -##### `configure_ssh` +##### `configure_ssh` Data type: `Boolean` @@ -202,7 +144,7 @@ Data type: `Boolean` Default value: `true` -##### `configure_sshd` +##### `configure_sshd` Data type: `Boolean` @@ -211,7 +153,7 @@ Data type: `Boolean` Default value: `true` -##### `custom_dns_forwarders` +##### `custom_dns_forwarders` Data type: `Array[String]` @@ -220,23 +162,23 @@ Data type: `Array[String]` Default value: `[]` -##### `domain_join_principal` +##### `domain_join_principal` -Data type: `String[1]` +Data type: `Variant[Sensitive[String[1]],String[1]]` (string) The principal (usually username) used to join a client or replica to the IPA domain. Default value: `'admin'` -##### `domain_join_password` +##### `domain_join_password` -Data type: `Optional[String[1]]` +Data type: `Optional[Variant[Sensitive[String[1]],String[1]]]` (string) The password for the domain_join_principal. -Default value: `undef` +Default value: `$directory_services_password` -##### `enable_dns_updates` +##### `enable_dns_updates` Data type: `Boolean` @@ -244,7 +186,7 @@ Data type: `Boolean` Default value: `false` -##### `enable_hostname` +##### `enable_hostname` Data type: `Boolean` @@ -253,7 +195,7 @@ Data type: `Boolean` Default value: `true` -##### `enable_ip_address` +##### `enable_ip_address` Data type: `Boolean` @@ -262,7 +204,7 @@ Data type: `Boolean` Default value: `false` -##### `fixed_primary` +##### `fixed_primary` Data type: `Boolean` @@ -270,7 +212,7 @@ Data type: `Boolean` Default value: `false` -##### `idstart` +##### `idstart` Data type: `Integer[10000]` 
@@ -278,17 +220,7 @@ Data type: `Integer[10000]` Default value: `(fqdn_rand('10737') + 10000` -##### `gssapi_no_negotiate` - -Data type: `Variant[Pattern,Undef]` - -(pattern) Suppress setting Negotiate headers based on BrowserMatch. - Not sending these headers is useful to work around browsers that do not handle them properly (and incorrectly show - authentication popups to users). Example: "Windows". Default undef. - -Default value: `undef` - -##### `idmax` +##### `idmax` Data type: `Variant[Integer,Undef]` @@ -296,63 +228,7 @@ Data type: `Variant[Integer,Undef]` Default value: `undef` -##### `install_autofs` - -Data type: `Boolean` - -(boolean) If true, then the autofs packages are installed. - -Default value: `false` - -##### `install_epel` - -Data type: `Boolean` - -(boolean) If true, then the epel repo is installed. The epel repo is usually required for sssd packages. - -Default value: `true` - -##### `install_kstart` - -Data type: `Boolean` - -(boolean) If true, then the kstart packages are installed. - -Default value: `true` - -##### `install_sssdtools` - -Data type: `Boolean` - -(boolean) If true, then the sssdtools packages are installed. - -Default value: `true` - -##### `install_ipa_client` - -Data type: `Boolean` - -(boolean) If true, then the IPA client packages are installed if the parameter 'ipa_role' is set to 'client'. - -Default value: `true` - -##### `install_ipa_server` - -Data type: `Boolean` - -(boolean) If true, then the IPA server packages are installed if the parameter 'ipa_role' is not set to 'client'. - -Default value: `true` - -##### `install_sssd` - -Data type: `Boolean` - -(boolean) If true, then the sssd packages are installed. - -Default value: `true` - -##### `ip_address` +##### `ip_address` Data type: `Optional[Stdlib::IP::Address]` 
@@ -360,15 +236,15 @@ Data type: `Optional[Stdlib::IP::Address]` Default value: `undef` -##### `ipa_server_fqdn` +##### `ipa_server_fqdn` Data type: `String` (string) Actual fqdn of the IPA server or client. -Default value: `$facts['networking']['fqdn']` +Default value: `fact('networking.fqdn')` -##### `ipa_master_fqdn` +##### `ipa_master_fqdn` Data type: `Optional[Stdlib::Fqdn]` @@ -376,15 +252,7 @@ Data type: `Optional[Stdlib::Fqdn]` Default value: `undef` -##### `manage_host_entry` - -Data type: `Boolean` - -(boolean) If true, then a host entry is created using the parameters 'ipa_server_fqdn' and 'ip_address'. - -Default value: `false` - -##### `mkhomedir` +##### `mkhomedir` Data type: `Boolean` @@ -393,7 +261,7 @@ installers. Default value: `true` -##### `no_ui_redirect` +##### `no_ui_redirect` Data type: `Boolean` @@ -401,7 +269,7 @@ Data type: `Boolean` Default value: `false` -##### `realm` +##### `realm` Data type: `Optional[Stdlib::Fqdn]` 
@@ -409,58 +277,7 @@ Data type: `Optional[Stdlib::Fqdn]` Default value: `undef` -##### `server_install_ldaputils` - -Data type: `Boolean` - -(boolean) If true, then the ldaputils packages are installed if ipa_role is not set to client. - -Default value: `true` - -##### `webui_disable_kerberos` - -Data type: `Boolean` - -Disable webui kerberos. - -Default value: `false` - -##### `webui_enable_proxy` - -Data type: `Boolean` - -(boolean) If true, then httpd is configured to act as a reverse proxy for the IPA Web UI. This allows - for the Web UI to be accessed from different ports and hostnames than the default. - -Default value: `false` - -##### `webui_force_https` - -Data type: `Boolean` - -(boolean) If true, then /etc/httpd/conf.d/ipa-rewrite.conf is modified to force all connections to https. - This is necessary to allow the WebUI to be accessed behind a reverse proxy when using nonstandard - ports. - -Default value: `false` - -##### `webui_proxy_external_fqdn` - -Data type: `String` - -(string) The public or external FQDN used to access the IPA Web UI behind the reverse proxy. - -Default value: `'localhost'` - -##### `webui_proxy_https_port` - -Data type: `String` - -(integer) The HTTPS port to use for the reverse proxy. Cannot be 443. - -Default value: `'8440'` - -##### `adjust_login_defs` +##### `adjust_login_defs` Data type: `Boolean` 
@@ -468,282 +285,3 @@ Data type: `Boolean` Default value: `false` -### `easy_ipa::config::admin_user` - -Manage admin user - -### `easy_ipa::config::webui` - -Configures port and redirect overrides for the IPA server web UI. - -### `easy_ipa::install` - -Manage easy_ipa install - -### `easy_ipa::install::autofs` - -Manage autofs - -### `easy_ipa::install::client` - -Manage ipa client - -### `easy_ipa::install::client::debian` - -This code is needed as the --mkhomedir parameter passed to ipa-client-install does -not configure PAM even though it does install the required packages. - -Currently Ubuntu 14.04/16.04 and Debian 8/9 are supported. - -### `easy_ipa::install::client::manual` - -"Manual" configuration of hosts which don't have the freeipa-client package. - -### `easy_ipa::install::server` - -Manage IPA server install - -### `easy_ipa::install::server::master` - -Manage primary server - -### `easy_ipa::install::server::replica` - -Manage replica install - -### `easy_ipa::install::sssd` - -Manage sssd install - -### `easy_ipa::monit::server` - -Monitor FreeIPA server processes using monit - -This class depends on puppetfinland-monit module - -#### Parameters - -The following parameters are available in the `easy_ipa::monit::server` class: - -* [`email`](#-easy_ipa--monit--server--email) - -##### `email` - -Data type: `String` - -Email address to send notifications to. Defaults to top-scope variable -$::servermonitor. - -Default value: `$facts['servermonitor']` - -### `easy_ipa::named` - -fragments. - -This is only supposed to work on RHEL/CentOS. - -### `easy_ipa::packetfilter::server` - -Install packet filtering rules for FreeIPA. 
- -#### Parameters - -The following parameters are available in the `easy_ipa::packetfilter::server` class: - -* [`allow_address_ipv4`](#-easy_ipa--packetfilter--server--allow_address_ipv4) -* [`allow_address_ipv6`](#-easy_ipa--packetfilter--server--allow_address_ipv6) - -##### `allow_address_ipv4` - -Data type: `Variant[Stdlib::IP::Address::V4,Array[Stdlib::IP::Address::V4]]` - -IPv4 address to allow access from. - -Default value: `'127.0.0.1'` - -##### `allow_address_ipv6` - -Data type: `Variant[Stdlib::IP::Address::V6,Array[Stdlib::IP::Address::V6]]` - -IPv6 address to allow access from. - -Default value: `'::1'` - -### `easy_ipa::params` - -Traditionally this file would be used to abstract away operating system -differences. Right now the main purpose is to prevent easy_ipa classes from -causing havoc (e.g. partial configurations) on unsupported operating systems -by failing early rather than later. - -## Defined types - -### `easy_ipa::backup` - -Backup FreeIPA from cron - -#### Parameters - -The following parameters are available in the `easy_ipa::backup` defined type: - -* [`title`](#-easy_ipa--backup--title) -* [`type`](#-easy_ipa--backup--type) -* [`timestamp`](#-easy_ipa--backup--timestamp) -* [`monthday`](#-easy_ipa--backup--monthday) -* [`weekday`](#-easy_ipa--backup--weekday) -* [`hour`](#-easy_ipa--backup--hour) -* [`minute`](#-easy_ipa--backup--minute) -* [`email`](#-easy_ipa--backup--email) - -##### `title` - -The resource title is used as part of the the name for the cronjob. - -##### `type` - -Data type: `Enum['full','data']` - -Backup type. Either 'full' (offline) or 'data' (online). - -##### `timestamp` - -Data type: `Boolean` - -Keep the default timestamp in the backup directory. Valid values are true -(default) and false. Set this to false if you have and external system (e.g. -bacula) that fetches the backups periodically and handles versioning on its -own. 
- -Default value: `true` - -##### `monthday` - -Data type: `Variant[Array[String], Array[Integer[1-31]], String, Integer[1-31]]` - -Standard parameter for the cron resource. - -Default value: `'*'` - -##### `weekday` - -Data type: `Variant[Array[String], Array[Integer[0-7]], String, Integer[0-7]]` - -Standard parameter for the cron resource. - -Default value: `'*'` - -##### `hour` - -Data type: `Variant[Array[String], Array[Integer[0-23]], String, Integer[0-23]]` - -Standard parameter for the cron resource. - -##### `minute` - -Data type: `Variant[Array[String], Array[Integer[0-59]], String, Integer[0-59]]` - -Standard parameter for the cron resource - -##### `email` - -Data type: `String` - -Email to send cron notifications to. Defaults to $::servermonitor. - -Default value: `$facts['servermonitor']` - -### `easy_ipa::config::named` - -Add custom named.conf fragment. - -#### Parameters - -The following parameters are available in the `easy_ipa::config::named` defined type: - -* [`basename`](#-easy_ipa--config--named--basename) -* [`content`](#-easy_ipa--config--named--content) -* [`notify_named`](#-easy_ipa--config--named--notify_named) - -##### `basename` - -Data type: `String` - -(string) Basename of the configuration fragment, without the ".conf" at the end. Defaults to $title. - -Default value: `$title` - -##### `content` - -Data type: `String` - -(string) The value to pass to the File resource's "content" parameter. For example -template('profile/templates/tsig-key.erb'). - -##### `notify_named` - -Data type: `Boolean` - -(boolean) Whether to restart named-pkcs11 on config changes. Defaults to false. - -Default value: `false` - -### `easy_ipa::helpers::flushcache` - -Manage cache flushing - -## Plans - -### `easy_ipa::update_host_keys` - -Useful when real keys and keys in IPA device account have gone - out of sync, e.g. due to rebuilding the server from a snapshot. 
- - This gets a kerberos ticket from the IPA server first, then gathers - the SSH keys from IPA clients from their SSH facts, then runs appropriate - "ipa host-mod" commands for each IPA client on the IPA server. - - Note that it is assumed that the IPA client host name is equal to the $::fqdn - fact. - -#### Parameters - -The following parameters are available in the `easy_ipa::update_host_keys` plan: - -* [`ipa_clients`](#-easy_ipa--update_host_keys--ipa_clients) -* [`ipa_server`](#-easy_ipa--update_host_keys--ipa_server) -* [`ipa_user`](#-easy_ipa--update_host_keys--ipa_user) -* [`ipa_password`](#-easy_ipa--update_host_keys--ipa_password) -* [`noop`](#-easy_ipa--update_host_keys--noop) - -##### `ipa_clients` - -Data type: `TargetSpec` - -One of more IPA clients whose host keys to puload - -##### `ipa_server` - -Data type: `TargetSpec` - -A host which has the "ipa" tools installed. Not necessarily an IPA server. - -##### `ipa_user` - -Data type: `String` - -An IPA user with permission to run "ipa host-mod". - -##### `ipa_password` - -Data type: `String` - -IPA user's password - -##### `noop` - -Data type: `Boolean` - -If true then only imulate what would be done - -Default value: `true` - diff --git a/Rakefile b/Rakefile index 74415a96..620c2b6a 100644 --- a/Rakefile +++ b/Rakefile 
@@ -1,88 +1,44 @@ -# frozen_string_literal: true - -require 'bundler' -require 'puppet_litmus/rake_tasks' if Gem.loaded_specs.key? 'puppet_litmus' -require 'puppetlabs_spec_helper/rake_tasks' -require 'puppet-syntax/tasks/puppet-syntax' -require 'github_changelog_generator/task' if Gem.loaded_specs.key? 'github_changelog_generator' -require 'puppet-strings/tasks' if Gem.loaded_specs.key? 'puppet-strings' - -def changelog_user - return unless Rake.application.top_level_tasks.include? "changelog" - returnVal = nil || JSON.load(File.read('metadata.json'))['author'] - raise "unable to find the changelog_user in .sync.yml, or the author in metadata.json" if returnVal.nil? - puts "GitHubChangelogGenerator user:#{returnVal}" - returnVal -end - -def changelog_project - return unless Rake.application.top_level_tasks.include? "changelog" - - returnVal = nil - returnVal ||= begin - metadata_source = JSON.load(File.read('metadata.json'))['source'] - metadata_source_match = metadata_source && metadata_source.match(%r{.*\/([^\/]*?)(?:\.git)?\Z}) - - metadata_source_match && metadata_source_match[1] +# Managed by modulesync - DO NOT EDIT +# https://voxpupuli.org/docs/updating-files-managed-with-modulesync/ + +# Attempt to load voxpupuli-test (which pulls in puppetlabs_spec_helper), +# otherwise attempt to load it directly. +begin + require 'voxpupuli/test/rake' +rescue LoadError + begin + require 'puppetlabs_spec_helper/rake_tasks' + rescue LoadError end - - raise "unable to find the changelog_project in .sync.yml or calculate it from the source in metadata.json" if returnVal.nil? - - puts "GitHubChangelogGenerator project:#{returnVal}" - returnVal end -def changelog_future_release - return unless Rake.application.top_level_tasks.include? "changelog" - returnVal = "v%s" % JSON.load(File.read('metadata.json'))['version'] - raise "unable to find the future_release (version) in metadata.json" if returnVal.nil? 
- puts "GitHubChangelogGenerator future_release:#{returnVal}" - returnVal +# load optional tasks for acceptance +# only available if gem group releases is installed +begin + require 'voxpupuli/acceptance/rake' +rescue LoadError end -PuppetLint.configuration.send('disable_relative') - - -if Gem.loaded_specs.key? 'github_changelog_generator' - GitHubChangelogGenerator::RakeTask.new :changelog do |config| - raise "Set CHANGELOG_GITHUB_TOKEN environment variable eg 'export CHANGELOG_GITHUB_TOKEN=valid_token_here'" if Rake.application.top_level_tasks.include? "changelog" and ENV['CHANGELOG_GITHUB_TOKEN'].nil? - config.user = "#{changelog_user}" - config.project = "#{changelog_project}" - config.future_release = "#{changelog_future_release}" - config.exclude_labels = ['maintenance'] - config.header = "# Change log\n\nAll notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) and this project adheres to [Semantic Versioning](http://semver.org)." 
- config.add_pr_wo_labels = true - config.issues = false - config.merge_prefix = "### UNCATEGORIZED PRS; LABEL THEM ON GITHUB" - config.configure_sections = { - "Changed" => { - "prefix" => "### Changed", - "labels" => ["backwards-incompatible"], - }, - "Added" => { - "prefix" => "### Added", - "labels" => ["enhancement", "feature"], - }, - "Fixed" => { - "prefix" => "### Fixed", - "labels" => ["bug", "documentation", "bugfix"], - }, - } - end +# load optional tasks for releases +# only available if gem group releases is installed +begin + require 'voxpupuli/release/rake_tasks' +rescue LoadError + # voxpupuli-release not present else - desc 'Generate a Changelog from GitHub' - task :changelog do - raise < 1.15' - condition: "Gem::Version.new(RUBY_VERSION.dup) >= Gem::Version.new('2.3.0')" -EOM + GCGConfig.user = 'lsst-it' + GCGConfig.project = 'puppet-ipa' +end + +desc "Run main 'test' task and report merged results to coveralls" +task test_with_coveralls: [:test] do + if Dir.exist?(File.expand_path('../lib', __FILE__)) + require 'coveralls/rake/task' + Coveralls::RakeTask.new + Rake::Task['coveralls:push'].invoke + else + puts 'Skipping reporting to coveralls. Module has no lib dir' end end +# vim: syntax=ruby diff --git a/Vagrantfile b/Vagrantfile deleted file mode 100644 index decea26e..00000000 --- a/Vagrantfile +++ /dev/null 
@@ -1,217 +0,0 @@ -# -*- mode: ruby -*- -# rsync patterns -vagrant_ignore = [ - 'bin*', - 'pkg*', - 'spec/fixtures*', -] - -Vagrant.configure("2") do |config| - config.vagrant.plugins = ["vagrant-vbguest"] - config.vm.network "private_network", type: "dhcp", name: "vboxnet0" - config.vbguest.auto_update = false - - config.vm.define "ipa-server-1" do |box| - box.vm.box = "centos/7" - box.vm.box_version = "2004.01" - # Exclude certain directories to avoid issues - box.vm.synced_folder '.', '/vagrant', type: "rsync", rsync__auto: true, rsync__exclude: vagrant_ignore - box.vm.hostname = 'ipa-server-1.vagrant.example.lan' - # Assign this VM to a host-only network IP, allowing you to access it - # via the IP. - box.vm.provider 'virtualbox' do |vb| - vb.customize ["modifyvm", :id, "--natnet1", "172.31.9/24"] - vb.gui = false - vb.memory = 1536 - vb.customize ["modifyvm", :id, "--ioapic", "on"] - vb.customize ["modifyvm", :id, "--hpet", "on"] - end - # Fix Virtualbox Guest Additions installation issue - # https://github.com/hashicorp/vagrant/issues/12095 - box.vbguest.installer_options = { allow_kernel_upgrade: true } - box.vm.network "private_network", ip: "192.168.56.35" - box.vm.network "forwarded_port", guest: 8000, host: 8000 - box.vm.network "forwarded_port", guest: 8440, host: 8440 - box.vm.provision "shell", path: "vagrant/install-puppet.sh" - # common.sh synchronizes latest code, so do not disable it while testing - box.vm.provision "shell", path: "vagrant/common.sh" - box.vm.provision "shell", path: "vagrant/centos.sh" - box.vm.provision "shell", path: "vagrant/ipa-server-1.sh" - end - - config.vm.define "ipa-server-2" do |box| - box.vm.box = "centos/7" - box.vm.box_version = "2004.01" - box.vm.synced_folder '.', '/vagrant', type: "rsync", rsync__auto: true, rsync__exclude: vagrant_ignore - box.vm.hostname = 'ipa-server-2.vagrant.example.lan' - box.vm.provider 'virtualbox' do |vb| - vb.customize ["modifyvm", :id, "--natnet1", "172.31.9/24"] - vb.gui = false - 
vb.memory = 1536 - vb.customize ["modifyvm", :id, "--ioapic", "on"] - vb.customize ["modifyvm", :id, "--hpet", "on"] - end - box.vbguest.installer_options = { allow_kernel_upgrade: true } - box.vm.network "private_network", ip: "192.168.56.36" - box.vm.provision "shell", path: "vagrant/install-puppet.sh" - box.vm.provision "shell", path: "vagrant/common.sh" - box.vm.provision "shell", path: "vagrant/centos.sh" - box.vm.provision "shell", path: "vagrant/ipa-server-2.sh" - end - - config.vm.define "ipa-client-1" do |box| - box.vm.box = "centos/7" - box.vm.box_version = "2004.01" - box.vm.synced_folder '.', '/vagrant', type: "rsync", rsync__auto: true, rsync__exclude: vagrant_ignore - box.vm.hostname = 'ipa-client-1.vagrant.example.lan' - box.vm.provider 'virtualbox' do |vb| - vb.customize ["modifyvm", :id, "--natnet1", "172.31.9/24"] - vb.gui = false - vb.memory = 1024 - vb.customize ["modifyvm", :id, "--ioapic", "on"] - vb.customize ["modifyvm", :id, "--hpet", "on"] - end - box.vbguest.installer_options = { allow_kernel_upgrade: true } - box.vm.network "private_network", ip: "192.168.56.37" - box.vm.provision "shell", path: "vagrant/install-puppet.sh" - box.vm.provision "shell", path: "vagrant/common.sh" - box.vm.provision "shell", path: "vagrant/centos.sh" - box.vm.provision "shell", path: "vagrant/ipa-client.sh" - end - - config.vm.define "ipa-client-2" do |box| - box.vm.box = "ubuntu/xenial64" - box.vm.box_version = "20211001.0.0" - box.vm.synced_folder '.', '/vagrant', type: "rsync", rsync__auto: true, rsync__exclude: vagrant_ignore - box.vm.hostname = 'ipa-client-2.vagrant.example.lan' - box.vm.provider 'virtualbox' do |vb| - vb.customize ["modifyvm", :id, "--natnet1", "172.31.9/24"] - vb.gui = false - vb.memory = 1024 - vb.customize ["modifyvm", :id, "--ioapic", "on"] - vb.customize ["modifyvm", :id, "--hpet", "on"] - end - box.vm.network "private_network", ip: "192.168.56.38" - box.vm.provision "shell", path: "vagrant/install-puppet.sh" - box.vm.provision 
"shell", path: "vagrant/common.sh" - box.vm.provision "shell", path: "vagrant/debian.sh" - box.vm.provision "shell", path: "vagrant/ipa-client.sh" - end - - config.vm.define "ipa-client-3" do |box| - box.vm.box = "ubuntu/trusty64" - box.vm.box_version = "20190514.0.0" - box.vm.synced_folder '.', '/vagrant', type: "rsync", rsync__auto: true, rsync__exclude: vagrant_ignore - box.vm.hostname = 'ipa-client-3.vagrant.example.lan' - box.vm.provider 'virtualbox' do |vb| - vb.customize ["modifyvm", :id, "--natnet1", "172.31.9/24"] - vb.gui = false - vb.memory = 1024 - vb.customize ["modifyvm", :id, "--ioapic", "on"] - vb.customize ["modifyvm", :id, "--hpet", "on"] - end - box.vm.network "private_network", ip: "192.168.56.39" - box.vm.provision "shell", path: "vagrant/install-puppet.sh" - box.vm.provision "shell", path: "vagrant/common.sh" - box.vm.provision "shell", path: "vagrant/debian.sh" - box.vm.provision "shell", path: "vagrant/ipa-client.sh" - end - - config.vm.define "ipa-client-4" do |box| - box.vm.box = "generic/debian9" - box.vm.box_version = "4.0.0" - box.vm.synced_folder '.', '/vagrant', type: "rsync", rsync__auto: true, rsync__exclude: vagrant_ignore - box.vm.hostname = 'ipa-client-4.vagrant.example.lan' - box.vbguest.installer_options = { allow_kernel_upgrade: true } - box.vm.provider 'virtualbox' do |vb| - vb.customize ["modifyvm", :id, "--natnet1", "172.31.9/24"] - vb.gui = false - vb.memory = 1024 - vb.customize ["modifyvm", :id, "--ioapic", "on"] - vb.customize ["modifyvm", :id, "--hpet", "on"] - end - box.vm.network "private_network", ip: "192.168.56.40" - box.vm.provision "shell", path: "vagrant/install-puppet.sh" - box.vm.provision "shell", path: "vagrant/common.sh" - box.vm.provision "shell", path: "vagrant/debian.sh" - box.vm.provision "shell", path: "vagrant/ipa-client.sh" - end - - config.vm.define "ipa-client-5" do |box| - box.vm.box = "ubuntu/bionic64" - box.vm.box_version = "20220424.0.0" - box.vm.synced_folder '.', '/vagrant', type: "rsync", 
rsync__auto: true, rsync__exclude: vagrant_ignore - box.vm.hostname = 'ipa-client-5.vagrant.example.lan' - box.vm.provider 'virtualbox' do |vb| - vb.customize ["modifyvm", :id, "--natnet1", "172.31.9/24"] - vb.gui = false - vb.memory = 1024 - vb.customize ["modifyvm", :id, "--ioapic", "on"] - vb.customize ["modifyvm", :id, "--hpet", "on"] - end - box.vm.network "private_network", ip: "192.168.56.41" - box.vm.provision "shell", path: "vagrant/install-puppet.sh" - box.vm.provision "shell", path: "vagrant/common.sh" - box.vm.provision "shell", path: "vagrant/debian.sh" - box.vm.provision "shell", path: "vagrant/ipa-client.sh" - end - - config.vm.define "ipa-client-6" do |box| - box.vm.box = "generic/debian10" - box.vm.box_version = "4.0.0" - box.vm.synced_folder '.', '/vagrant', type: "rsync", rsync__auto: true, rsync__exclude: vagrant_ignore - box.vm.hostname = 'ipa-client-6.vagrant.example.lan' - box.vbguest.installer_options = { allow_kernel_upgrade: true } - box.vm.provider 'virtualbox' do |vb| - vb.customize ["modifyvm", :id, "--natnet1", "172.31.10/24"] - vb.gui = false - vb.memory = 1024 - vb.customize ["modifyvm", :id, "--ioapic", "on"] - vb.customize ["modifyvm", :id, "--hpet", "on"] - end - box.vm.network "private_network", ip: "192.168.56.42" - box.vm.provision "shell", path: "vagrant/install-puppet.sh" - box.vm.provision "shell", path: "vagrant/common.sh" - box.vm.provision "shell", path: "vagrant/debian.sh" - #box.vm.provision "shell", path: "vagrant/ipa-client.sh" - end - - config.vm.define "ipa-client-7" do |box| - box.vm.box = "generic/debian11" - box.vm.box_version = "4.0.0" - box.vm.synced_folder '.', '/vagrant', type: "rsync", rsync__auto: true, rsync__exclude: vagrant_ignore - box.vm.hostname = 'ipa-client-7.vagrant.example.lan' - box.vbguest.installer_options = { allow_kernel_upgrade: true } - box.vm.provider 'virtualbox' do |vb| - vb.customize ["modifyvm", :id, "--natnet1", "172.31.10/24"] - vb.gui = false - vb.memory = 1024 - vb.customize 
["modifyvm", :id, "--ioapic", "on"] - vb.customize ["modifyvm", :id, "--hpet", "on"] - end - box.vm.network "private_network", ip: "192.168.56.43" - box.vm.provision "shell", path: "vagrant/install-puppet.sh" - box.vm.provision "shell", path: "vagrant/common.sh" - box.vm.provision "shell", path: "vagrant/debian.sh" - box.vm.provision "shell", path: "vagrant/ipa-client.sh" - end - - config.vm.define "ipa-client-8" do |box| - box.vm.box = "ubuntu/jammy64" - box.vm.box_version = "20220419.0.0" - box.vm.synced_folder '.', '/vagrant', type: "rsync", rsync__auto: true, rsync__exclude: vagrant_ignore - box.vm.hostname = 'ipa-client-8.vagrant.example.lan' - box.vm.provider 'virtualbox' do |vb| - vb.customize ["modifyvm", :id, "--natnet1", "172.31.9/24"] - vb.gui = false - vb.memory = 1024 - vb.customize ["modifyvm", :id, "--ioapic", "on"] - vb.customize ["modifyvm", :id, "--hpet", "on"] - end - box.vm.network "private_network", ip: "192.168.56.44" - box.vm.provision "shell", path: "vagrant/install-puppet.sh" - box.vm.provision "shell", path: "vagrant/common.sh" - box.vm.provision "shell", path: "vagrant/debian.sh" - box.vm.provision "shell", path: "vagrant/ipa-client.sh" - end -end diff --git a/appveyor.yml b/appveyor.yml deleted file mode 100644 index a70c01eb..00000000 --- a/appveyor.yml +++ /dev/null 
@@ -1,49 +0,0 @@ ---- -version: 1.1.x.{build} -skip_branch_with_pr: true -branches: - only: - - main - - release -skip_commits: - message: /^\(?doc\)?.*/ -clone_depth: 10 -init: - - SET - - 'mkdir C:\ProgramData\PuppetLabs\code && exit 0' - - 'mkdir C:\ProgramData\PuppetLabs\facter && exit 0' - - 'mkdir C:\ProgramData\PuppetLabs\hiera && exit 0' - - 'mkdir C:\ProgramData\PuppetLabs\puppet\var && exit 0' -environment: - matrix: - - - RUBY_VERSION: 25-x64 - CHECK: validate lint check rubocop - - - PUPPET_GEM_VERSION: ~> 6.0 - RUBY_VERSION: 25 - CHECK: parallel_spec - - - PUPPET_GEM_VERSION: ~> 6.0 - RUBY_VERSION: 25-x64 - CHECK: parallel_spec -matrix: - fast_finish: true -install: - - set PATH=C:\Ruby%RUBY_VERSION%\bin;%PATH% - - bundle install --jobs 4 --retry 2 --without system_tests - - type Gemfile.lock -build: off -test_script: - - bundle exec puppet -V - - ruby -v - - gem -v - - bundle -v - - bundle exec rake %CHECK% -notifications: - - provider: Email - to: - - nobody@nowhere.com - on_build_success: false - on_build_failure: false - on_build_status_changed: false diff --git a/data/common.yaml b/data/common.yaml index 2fbf0ffd..068519c3 100644 --- a/data/common.yaml +++ b/data/common.yaml @@ -1 +1,4 @@ ---- {} +--- +ipa::server::package_name: + - ipa-server + - kstart diff --git a/data/os/Debian.yaml b/data/os/Debian.yaml new file mode 100644 index 00000000..0f07c699 --- /dev/null +++ b/data/os/Debian.yaml @@ -0,0 +1,4 @@ +--- +ipa::client::package_name: + - freeipa-client + - kstart diff --git a/data/os/RedHat.yaml b/data/os/RedHat.yaml new file mode 100644 index 00000000..a2636528 --- /dev/null +++ b/data/os/RedHat.yaml @@ -0,0 +1,4 @@ +--- +ipa::client::package_name: + - ipa-client + - kstart diff --git a/examples/client.pp b/examples/client.pp new file mode 100644 index 00000000..f08d40ee --- /dev/null +++ b/examples/client.pp 
@@ -0,0 +1,11 @@
+require epel # provides kstart package on el
+
+Yumrepo <||>
+-> class { 'ipa':
+ ipa_role => 'client',
+ domain => 'example.com',
+ domain_join_principal => 'admin',
+ domain_join_password => 'rspecrspec123',
+ ipa_master_fqdn => 'master-puppet8.example.com',
+ configure_ntp => false, # chronyd usually fails under gha
+}
diff --git a/examples/init.pp b/examples/init.pp
deleted file mode 100644
index 8f8fc5de..00000000
--- a/examples/init.pp
+++ /dev/null
@@ -1 +0,0 @@
-include easy_ipa
diff --git a/examples/master.pp b/examples/master.pp
new file mode 100644
index 00000000..85fd8633
--- /dev/null
+++ b/examples/master.pp
@@ -0,0 +1,13 @@
+require epel # provides kstart package on el
+require cron # master/replica needs cron to be installed
+
+Yumrepo <||>
+-> class { 'ipa':
+ ipa_role => 'master',
+ domain => 'example.com',
+ admin_password => 'rspecrspec123',
+ directory_services_password => 'rspecrspec123',
+ idstart => 70000,
+ configure_dns_server => false,
+ configure_ntp => false, # chronyd usually fails under gha
+}
diff --git a/examples/replica.pp b/examples/replica.pp
new file mode 100644
index 00000000..71c8a19b
--- /dev/null
+++ b/examples/replica.pp
@@ -0,0 +1,13 @@
+require epel # provides kstart package on el
+require cron # master/replica needs cron to be installed
+
+Yumrepo <||>
+-> class { 'ipa':
+ ipa_role => 'replica',
+ domain => 'example.com',
+ ipa_master_fqdn => 'master-puppet8.example.com',
+ admin_password => 'rspecrspec123',
+ configure_dns_server => false,
+ configure_ntp => false,
+ configure_replica_ca => true,
+}
diff --git a/lib/facter/gid_max.rb b/lib/facter/gid_max.rb
deleted file mode 100644
index 0eddc9f6..00000000
--- a/lib/facter/gid_max.rb
+++ /dev/null
@@ -1,8 +0,0 @@
-# frozen_string_literal: true
-
-Facter.add(:gid_max) do
- setcode do
- lines = File.readlines('/etc/login.defs')
- lines.find { |line| line.start_with?('GID_MAX') }.split[1].strip.to_i
- end
-end
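Review bot: `domain_join_principal => 'admin'` enrolls the client with the realm's full administrator account, whereas host enrollment only needs an identity holding the "Host Enrollment" privilege or a per-host one-time password (`ipa host-add --password`); since the join credential ends up in Hiera and in every client's catalog, the example should demonstrate the least-privilege form rather than `admin`. `domain_join_password` is also given as a bare string, although `ipa::client` in this same diff calls `.unwrap` on it, which suggests a wrapped value is accepted; `domain_join_password => Sensitive('rspecrspec123'),` would show the redacted form. A comment noting that the literal password is a throw-away acceptance-test value would keep readers from copying it as a default.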
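Review bot: `admin_password => 'rspecrspec123'` and `directory_services_password => 'rspecrspec123'` are passed as plain strings, although the `ipa` class signature visible later in this diff accepts `Sensitive[String[8]]` for `admin_password`; because the examples double as the documented usage, they should show `admin_password => Sensitive('rspecrspec123')` so the value stays redacted in catalogs, reports and agent logs. Whether `directory_services_password` also accepts `Sensitive` is not visible in this chunk; if it does, wrap it the same way, otherwise note the asymmetry in the parameter docs.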
diff --git a/lib/facter/uid_max.rb b/lib/facter/uid_max.rb deleted file mode 100644 index 9b668b30..00000000 --- a/lib/facter/uid_max.rb +++ /dev/null @@ -1,8 +0,0 @@ -# frozen_string_literal: true - -Facter.add(:uid_max) do - setcode do - lines = File.readlines('/etc/login.defs') - lines.find { |line| line.start_with?('UID_MAX') }.split[1].strip.to_i - end -end diff --git a/manifests/backup.pp b/manifests/backup.pp deleted file mode 100644 index f828f243..00000000 --- a/manifests/backup.pp +++ /dev/null 
@@ -1,57 +0,0 @@ -# -# @summary Define easy_ipa::backup -# -# Backup FreeIPA from cron -# -# @param title -# The resource title is used as part of the the name for the cronjob. -# @param type -# Backup type. Either 'full' (offline) or 'data' (online). -# @param timestamp -# Keep the default timestamp in the backup directory. Valid values are true -# (default) and false. Set this to false if you have and external system (e.g. -# bacula) that fetches the backups periodically and handles versioning on its -# own. -# @param monthday -# Standard parameter for the cron resource. -# @param weekday -# Standard parameter for the cron resource. -# @param hour -# Standard parameter for the cron resource. -# @param minute -# Standard parameter for the cron resource -# @param email -# Email to send cron notifications to. Defaults to $::servermonitor. -# -define easy_ipa::backup ( - Enum['full','data'] $type, - Variant[Array[String], Array[Integer[0-23]], String, Integer[0-23]] $hour, - Variant[Array[String], Array[Integer[0-59]], String, Integer[0-59]] $minute, - Variant[Array[String], Array[Integer[0-7]], String, Integer[0-7]] $weekday = '*', - Variant[Array[String], Array[Integer[1-31]], String, Integer[1-31]] $monthday = '*', - String $email = $facts['servermonitor'], - Boolean $timestamp = true, -) { - $script = 'ipa-backup-wrapper.sh' - $command = "${script} ${type} ${timestamp}" - - ensure_resource('file', $script, { - 'ensure' => 'present', - 'name' => "/usr/local/bin/${script}", - 'content' => template("easy_ipa/${script}.erb"), - 'owner' => 'root', - 'group' => 'root', - 'mode' => '0755', - }) - - cron { "ipa-${title}-backup": - user => 'root', - command => $command, - monthday => $monthday, - weekday => $weekday, - hour => $hour, - minute => $minute, - environment => ['PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin', "MAILTO=${email}"], - require => File[$script], - } -} 
diff --git a/manifests/client.pp b/manifests/client.pp new file mode 100644 index 00000000..914807aa --- /dev/null +++ b/manifests/client.pp 
@@ -0,0 +1,93 @@
+#
+# @summary Manage ipa client
+#
+# @param package_name
+# The name of the package(s) to install.
+#
+# @param force_join
+# Force the client to join the domain even if it is already joined.
+#
+# @api private
+class ipa::client (
+ Array[String] $package_name = undef,
+ Boolean $force_join = false,
+) {
+ assert_private()
+
+ unless $ipa::domain_join_password {
+ fail("When creating a ${ipa::ipa_role} the parameter named domain_join_password cannot be empty.")
+ }
+ unless $ipa::ipa_master_fqdn {
+ fail("When creating a ${ipa::ipa_role} the parameter named ipa_master_fqdn cannot be empty.")
+ }
+
+ stdlib::ensure_packages($package_name)
+
+ if $ipa::mkhomedir {
+ $client_install_cmd_opts_mkhomedir = '--mkhomedir'
+ } else {
+ $client_install_cmd_opts_mkhomedir = ''
+ }
+
+ if $ipa::fixed_primary {
+ $client_install_cmd_opts_fixed_primary = '--fixed-primary'
+ } else {
+ $client_install_cmd_opts_fixed_primary = ''
+ }
+
+ if $ipa::configure_ntp {
+ $client_install_cmd_opts_no_ntp = ''
+ } else {
+ $client_install_cmd_opts_no_ntp = '--no-ntp'
+ }
+
+ if $ipa::enable_dns_updates {
+ $client_install_cmd_opts_dns_updates = '--enable-dns-updates'
+ } else {
+ $client_install_cmd_opts_dns_updates = ''
+ }
+
+ if $ipa::enable_hostname {
+ $client_install_cmd_opts_hostname = "--hostname=${fact('networking.fqdn')}"
+ } else {
+ $client_install_cmd_opts_hostname = ''
+ }
+
+ if $force_join {
+ $client_install_cmd_opts_force_join= '--force-join'
+ } else {
+ $client_install_cmd_opts_force_join = ''
+ }
+
+ $client_install_cmd = "\
+/usr/sbin/ipa-client-install \
+ --server=${ipa::ipa_master_fqdn} \
+ --realm=${ipa::final_realm} \
+ --domain=${ipa::domain} \
+ --principal='${ipa::domain_join_principal.unwrap}' \
+ --password=\"\${IPA_DOMAIN_JOIN_PASSWORD}\" \
+ ${client_install_cmd_opts_dns_updates} \
+ ${client_install_cmd_opts_hostname} \
+ ${client_install_cmd_opts_mkhomedir} \
+ ${client_install_cmd_opts_fixed_primary} \
+ ${client_install_cmd_opts_no_ntp} \
+ ${client_install_cmd_opts_force_join} \
+ ${ipa::opt_no_ssh} \
+ ${ipa::opt_no_sshd} \
+ --unattended"
+
+ exec { 'ipa-client-install':
+ environment => "IPA_DOMAIN_JOIN_PASSWORD=${ipa::domain_join_password.unwrap}",
+ command => $client_install_cmd,
+ timeout => 0,
+ unless => "cat /etc/ipa/default.conf | grep -i \"${ipa::domain}\"",
+ creates => '/etc/ipa/default.conf',
+ logoutput => on_failure,
+ provider => shell,
+ require => Package[$package_name],
+ }
+
+ if fact('os.family') == 'Debian' and $ipa::mkhomedir {
+ contain ipa::client::debian
+ }
+}
diff --git a/manifests/client/debian.pp b/manifests/client/debian.pp
new file mode 100644
index 00000000..787c8224
--- /dev/null
+++ b/manifests/client/debian.pp
@@ -0,0 +1,32 @@
+#
+# @summary Ensure that home directories get created on Debian and Ubuntu clients.
+#
+# This code is needed as the --mkhomedir parameter passed to ipa-client-install does
+# not configure PAM even though it does install the required packages.
+#
+# @api private
+class ipa::client::debian {
+ assert_private()
+
+ # Ensure that required packages are present even if they do not get pulled
+ # in as freeipa-client package dependencies
+ stdlib::ensure_packages(['oddjob','oddjob-mkhomedir'], { 'ensure' => 'present' })
+
+ # This should preferably be in a separate Puppet module
+ service { 'oddjobd':
+ ensure => 'running',
+ enable => true,
+ name => 'oddjobd',
+ }
+ $arch = $facts['os']['hardware']
+ $mkhomedir_line = "session optional /lib/${arch}-linux-gnu/security/pam_oddjob_mkhomedir.so"
+ $notify = Service['oddjobd']
+
+ file_line { 'mkhomedir':
+ ensure => 'present',
+ path => '/etc/pam.d/common-session',
+ line => $mkhomedir_line,
+ after => '^# end of pam-auth-update config',
+ notify => $notify,
+ }
+}
diff --git a/manifests/config/admin_user.pp b/manifests/config/admin_user.pp
deleted file mode 100644
index ea46a176..00000000
--- a/manifests/config/admin_user.pp
+++ /dev/null
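Review bot: `environment => "IPA_DOMAIN_JOIN_PASSWORD=${ipa::domain_join_password.unwrap}"` unwraps the Sensitive password into an ordinary resource parameter, so although the command line only references `${IPA_DOMAIN_JOIN_PASSWORD}` (keeping the secret out of `ps` and of `logoutput`), the cleartext value is still serialised into the compiled catalog and into anything that stores catalogs, such as PuppetDB. Re-wrapping the parameter, `environment => Sensitive("IPA_DOMAIN_JOIN_PASSWORD=${ipa::domain_join_password.unwrap}"),` would keep it redacted, provided the Exec type on the Puppet versions this module supports accepts a Sensitive `environment` — worth confirming; if it does not, a Sensitive `command` that exports the variable itself is the fallback. Separately, `--principal='${ipa::domain_join_principal.unwrap}'` is interpolated into a `provider => shell` command guarded only by single quotes, so a principal containing `'` breaks the quoting; `--principal=${stdlib::shell_escape($ipa::domain_join_principal.unwrap)}` would make the command robust to any principal value. The `unless` grep treats the domain as a regex and `creates` already short-circuits on an existing `/etc/ipa/default.conf`, so the `unless` adds little; a comment stating which of the two is the intended idempotency guard would help the next maintainer.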
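Review bot: `$mkhomedir_line` hard-codes the module path as `/lib/${arch}-linux-gnu/security/pam_oddjob_mkhomedir.so` with `$arch` taken from `os.hardware`, which only lines up where the multiarch triplet equals the hardware name (x86_64, aarch64); on armhf, for example, the triplet is `arm-linux-gnueabihf`, so the entry would point at a non-existent file and, being `optional`, PAM would just log the load failure and silently stop creating home directories. PAM resolves bare module names from its default module directories, so `session optional pam_oddjob_mkhomedir.so` removes the architecture dependence and the `$arch` lookup altogether. While touching that line, consider `umask=0077` as a module argument so new home directories are not created group/world-readable — pam_oddjob_mkhomedir accepts a `umask=` option, but the effective default comes from the oddjobd-mkhomedir configuration, so confirm it before relying on it. The `name => 'oddjobd'` attribute and the `$notify` variable repeat the resource title and could be dropped for readability.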
@@ -1,76 +0,0 @@ -# -# @summary Manage admin user -# -class easy_ipa::config::admin_user { - $uid_number = $easy_ipa::idstart - $home_dir_path = '/home/admin' - $keytab_path = "${home_dir_path}/admin.keytab" - $k5login_path = "${home_dir_path}/.k5login" - - # Ensure admin homedir and keytab files. - file { $home_dir_path: - ensure => directory, - mode => '0700', - owner => $uid_number, - group => $uid_number, - recurse => true, - require => Exec["server_install_${easy_ipa::ipa_server_fqdn}"], - } - - file { $k5login_path: - owner => $uid_number, - group => $uid_number, - seluser => 'user_u', - } - - # chown/chmod *after* file is created by kadmin.local - file { $keytab_path: - owner => $uid_number, - group => $uid_number, - mode => '0600', - } - - # Gives admin user the host/fqdn principal. - k5login { $k5login_path: - principals => $easy_ipa::master_principals, - notify => File[$k5login_path], - require => File[$home_dir_path], - } - - # Set keytab for admin user. - # kadmin.local must be run as `root` to log to `/var/log/kadmind.log` - $configure_admin_keytab_cmd = "/usr/sbin/kadmin.local -q \"ktadd -norandkey -k ${keytab_path} admin\" " - # kvno must be run as the `admin` user to function - $configure_admin_keytab_cmd_unless = "/sbin/runuser -l admin -c \"/usr/bin/kvno -k ${keytab_path} admin@${easy_ipa::final_realm}\"" - exec { 'configure_admin_keytab': - command => $configure_admin_keytab_cmd, - cwd => $home_dir_path, - unless => $configure_admin_keytab_cmd_unless, - require => File[$home_dir_path], - notify => File[$keytab_path], - } - - $k5start_admin_keytab_cmd = "/sbin/runuser -l admin -c \"/usr/bin/k5start -f ${keytab_path} -U\"" - $k5start_admin_keytab_cmd_unless = "/sbin/runuser -l admin -c /usr/bin/klist | grep -i krbtgt\\/${easy_ipa::final_realm}\\@" - exec { 'k5start_admin_keytab': - command => $k5start_admin_keytab_cmd, - cwd => $home_dir_path, - unless => $k5start_admin_keytab_cmd_unless, - require => [ - File[$k5login_path], - File[$keytab_path], 
- Cron['k5start_admin'], - ], - } - - # Automatically refreshes admin keytab. - cron { 'k5start_admin': - command => "/usr/bin/k5start -f ${keytab_path} -U > /dev/null 2>&1", - user => 'admin', - minute => '*/1', - require => [ - File[$k5login_path], - File[$keytab_path], - ], - } -} diff --git a/manifests/config/named.pp b/manifests/config/named.pp deleted file mode 100644 index f38f1b24..00000000 --- a/manifests/config/named.pp +++ /dev/null @@ -1,45 +0,0 @@ -# -# @summary Add custom named.conf fragment. -# -# @param basename -# (string) Basename of the configuration fragment, without the ".conf" at the end. Defaults to $title. -# @param content -# (string) The value to pass to the File resource's "content" parameter. For example -# template('profile/templates/tsig-key.erb'). -# @param notify_named -# (boolean) Whether to restart named-pkcs11 on config changes. Defaults to false. -# -define easy_ipa::config::named ( - String $content, - String $basename = $title, - Boolean $notify_named = false -) { - include easy_ipa::params - include easy_ipa::named - - $named_conf_d = $easy_ipa::params::named_conf_d - - $notify = $notify_named ? { - true => Service['named-pkcs11'], - false => undef, - default => undef, - } - - file { "${named_conf_d}/${basename}.conf": - ensure => 'file', - content => $content, - owner => 'root', - group => 'named', - mode => '0640', - require => File[$named_conf_d], - notify => $notify, - } - - file_line { "named-include-${basename}.conf": - ensure => 'present', - path => '/etc/named.conf', - line => "include \"${named_conf_d}/${basename}.conf\";", - after => '^/* End of IPA-managed part. */$', - notify => $notify, - } -} diff --git a/manifests/config/webui.pp b/manifests/config/webui.pp deleted file mode 100644 index 43aedb73..00000000 --- a/manifests/config/webui.pp +++ /dev/null 
@@ -1,65 +0,0 @@ -# Configures port and redirect overrides for the IPA server web UI. -class easy_ipa::config::webui { - if $easy_ipa::webui_enable_proxy { - #ref: https://www.redhat.com/archives/freeipa-users/2016-June/msg00128.html - $proxy_server_internal_fqdn = $easy_ipa::ipa_server_fqdn - $proxy_server_external_fqdn = $easy_ipa::webui_proxy_external_fqdn - $proxy_https_port = $easy_ipa::webui_proxy_https_port - - $proxy_server_external_fqdn_and_port = "${proxy_server_external_fqdn}:${proxy_https_port}" - - $proxy_internal_uri = "https://${proxy_server_internal_fqdn}" - $proxy_external_uri = "https://${proxy_server_external_fqdn}:${proxy_https_port}" - $proxy_server_name = "https://${easy_ipa::ipa_server_fqdn}:${proxy_https_port}" - $proxy_referrer_regex = regsubst( - $proxy_external_uri, - '\.', - '\.', - 'G', - ) - - # IPA switched to mod_ssl as the crypto engine for Apache as of version 4.7.0 - # see https://www.freeipa.org/page/Releases/4.7.0#Highlights_in_4.7.0 - # These are not needed for versions newer than 4.7.10 - if versioncmp($facts['ipa_server_version'], '4.7.0') < 0 { - exec { 'semanage-port-http_port_t': - command => "semanage port -a -t http_port_t -p tcp ${proxy_https_port}", - unless => "semanage port -l|grep -E \"^http_port_t.*tcp.*${proxy_https_port}\"", - path => ['/bin','/sbin','/usr/bin','/usr/sbin'], - } - - file_line { 'webui_additional_https_port_listener': - ensure => present, - path => '/etc/httpd/conf.d/nss.conf', - line => "Listen ${proxy_https_port}", - after => 'Listen\ 443', - notify => Service['httpd'], - } - - file { '/etc/httpd/conf.d/ipa-rewrite.conf': - ensure => file, - replace => true, - content => template('easy_ipa/ipa-rewrite.conf.erb'), - notify => Service['httpd'], - } - - file { '/etc/httpd/conf.d/ipa-webui-proxy.conf': - ensure => file, - replace => true, - content => template('easy_ipa/ipa-webui-proxy.conf.erb'), - notify => Service['httpd'], - require => Exec['semanage-port-http_port_t'], - } - } - } - - if 
$easy_ipa::gssapi_no_negotiate { - file_line { 'disable_negotiate_headers': - ensure => present, - path => '/etc/httpd/conf.d/ipa.conf', - line => " BrowserMatch \"${easy_ipa::gssapi_no_negotiate}\" gssapi-no-negotiate", - notify => Service['httpd'], - after => '^\s*AuthType\sGSSAPI$', - } - } -} diff --git a/manifests/init.pp b/manifests/init.pp index 89864b2a..e6b5e97a 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -1,12 +1,5 @@ # @summary Manages IPA masters, replicas and clients. # -# @param manage -# (boolean) Manage easy_ipa with Puppet. Defaults to true. Setting this to -# to false is useful when a handful of hosts have unsupported -# operating systems and you'd rather exclude them from FreeIPA -# instead of including the others individually. Use this with -# a separate Hiera level (e.g. $::lsbdistcodename) for maximum -# convenience. # @param domain # (string) The name of the IPA domain to create or join. # @param ipa_role @@ -27,9 +20,6 @@ # @param no_dnssec_validation # (boolean) if set to true, DNSSEC validation is disabled. # -# @param client_install_ldaputils -# (boolean) If true, then the ldaputils packages are installed if ipa_role is set to client. -# # @param configure_dns_server # (boolean) If true, then the parameter '--setup-dns' is passed to the IPA server installer. # Also, triggers the install of the required dns server packages. 
@@ -76,35 +66,9 @@ # @param idstart # (integer) From the IPA man pages: "The starting user and group id number". # -# @param gssapi_no_negotiate -# (pattern) Suppress setting Negotiate headers based on BrowserMatch. -# Not sending these headers is useful to work around browsers that do not handle them properly (and incorrectly show -# authentication popups to users). Example: "Windows". Default undef. -# # @param idmax # (integer) From the IPA man pages: "The max value for the IDs range (default: idstart+199999)". # -# @param install_autofs -# (boolean) If true, then the autofs packages are installed. -# -# @param install_epel -# (boolean) If true, then the epel repo is installed. The epel repo is usually required for sssd packages. -# -# @param install_kstart -# (boolean) If true, then the kstart packages are installed. -# -# @param install_sssdtools -# (boolean) If true, then the sssdtools packages are installed. -# -# @param install_ipa_client -# (boolean) If true, then the IPA client packages are installed if the parameter 'ipa_role' is set to 'client'. -# -# @param install_ipa_server -# (boolean) If true, then the IPA server packages are installed if the parameter 'ipa_role' is not set to 'client'. -# -# @param install_sssd -# (boolean) If true, then the sssd packages are installed. -# # @param ip_address # (string) IP address to pass to the IPA installer. # @@ -114,9 +78,6 @@ # @param ipa_master_fqdn # (string) FQDN of the server to use for a client or replica domain join. # -# @param manage_host_entry -# (boolean) If true, then a host entry is created using the parameters 'ipa_server_fqdn' and 'ip_address'. -# # @param mkhomedir # (boolean) If true, then the parameter '--mkhomedir' is passed to the IPA server and client # installers. 
@@ -127,27 +88,6 @@ # @param realm # (string) The name of the IPA realm to create or join. # -# @param server_install_ldaputils -# (boolean) If true, then the ldaputils packages are installed if ipa_role is not set to client. -# -# @param webui_disable_kerberos -# Disable webui kerberos. -# -# @param webui_enable_proxy -# (boolean) If true, then httpd is configured to act as a reverse proxy for the IPA Web UI. This allows -# for the Web UI to be accessed from different ports and hostnames than the default. -# -# @param webui_force_https -# (boolean) If true, then /etc/httpd/conf.d/ipa-rewrite.conf is modified to force all connections to https. -# This is necessary to allow the WebUI to be accessed behind a reverse proxy when using nonstandard -# ports. -# -# @param webui_proxy_external_fqdn -# (string) The public or external FQDN used to access the IPA Web UI behind the reverse proxy. -# -# @param webui_proxy_https_port -# (integer) The HTTPS port to use for the reverse proxy. Cannot be 443. -# # @param adjust_login_defs # (boolean) Adjust UID_MAX and GID_MAX in login.defs. Without this newer server installers fail. Default false. # 
@@ -157,107 +97,83 @@ # TODO: Variable scope and passing. # TODO: configurable admin username. # -class easy_ipa ( +class ipa ( Stdlib::Fqdn $domain, Enum['client', 'master', 'replica'] $ipa_role, - Boolean $manage = true, - Optional[String[8]] $admin_password = undef, - Optional[String[8]] $directory_services_password = undef, - Boolean $allow_zone_overlap = false, - Boolean $no_dnssec_validation = false, - Boolean $client_install_ldaputils = false, - Boolean $configure_dns_server = true, - Boolean $configure_replica_ca = false, - Boolean $configure_ntp = true, - Boolean $configure_ssh = true, - Boolean $configure_sshd = true, - Array[String] $custom_dns_forwarders = [], - String[1] $domain_join_principal = 'admin', - Optional[String[1]] $domain_join_password = undef, - Boolean $enable_dns_updates = false, - Boolean $enable_hostname = true, - Boolean $enable_ip_address = false, - Boolean $fixed_primary = false, - Variant[Pattern,Undef] $gssapi_no_negotiate = undef, - Integer[10000] $idstart = (fqdn_rand('10737') + 10000), - Variant[Integer,Undef] $idmax = undef, - Boolean $install_autofs = false, - Boolean $install_epel = true, - Boolean $install_kstart = true, - Boolean $install_sssdtools = true, - Boolean $install_ipa_client = true, - Boolean $install_ipa_server = true, - Boolean $install_sssd = true, - Optional[Stdlib::IP::Address] $ip_address = undef, - String $ipa_server_fqdn = $facts['networking']['fqdn'], - Optional[Stdlib::Fqdn] $ipa_master_fqdn = undef, - Boolean $manage_host_entry = false, - Boolean $mkhomedir = true, - Boolean $no_ui_redirect = false, - Optional[Stdlib::Fqdn] $realm = undef, - Boolean $server_install_ldaputils = true, - Boolean $webui_disable_kerberos = false, - Boolean $webui_enable_proxy = false, - Boolean $webui_force_https = false, - String $webui_proxy_external_fqdn = 'localhost', - String $webui_proxy_https_port = '8440', - Boolean $adjust_login_defs = false, + Optional[Variant[Sensitive[String[8]],String[8]]] $admin_password = 
undef, + Optional[Variant[Sensitive[String[8]],String[8]]] $directory_services_password = undef, + Boolean $allow_zone_overlap = false, + Boolean $no_dnssec_validation = false, + Boolean $configure_dns_server = true, + Boolean $configure_replica_ca = false, + Boolean $configure_ntp = true, + Boolean $configure_ssh = true, + Boolean $configure_sshd = true, + Array[String] $custom_dns_forwarders = [], + Variant[Sensitive[String[1]],String[1]] $domain_join_principal = 'admin', + Optional[Variant[Sensitive[String[1]],String[1]]] $domain_join_password = $directory_services_password, + Boolean $enable_dns_updates = false, + Boolean $enable_hostname = true, + Boolean $enable_ip_address = false, + Boolean $fixed_primary = false, + Integer[10000] $idstart = (fqdn_rand('10737') + 10000), + Variant[Integer,Undef] $idmax = undef, + Optional[Stdlib::IP::Address] $ip_address = undef, + String $ipa_server_fqdn = fact('networking.fqdn'), + Optional[Stdlib::Fqdn] $ipa_master_fqdn = undef, + Boolean $mkhomedir = true, + Boolean $no_ui_redirect = false, + Optional[Stdlib::Fqdn] $realm = undef, + Boolean $adjust_login_defs = false, ) { - if $manage { - # Include per-OS parameters and fail on unsupported OS - include easy_ipa::params - - $final_realm = $realm ? { - undef => upcase($domain), - default => $realm, - } + if $ipa::idmax and $ipa::idmax < $ipa::idstart { + fail('Parameter "idmax" must be an integer greater than parameter "idstart".') + } - $master_principals = suffix( - prefix([$ipa_server_fqdn], - 'host/' - ), - "@${final_realm}" - ) + $final_realm = $realm ? { + undef => upcase($domain), + default => $realm, + } - $final_domain_join_password = $domain_join_password ? 
{ - undef => $directory_services_password, - default => $domain_join_password, - } + if $ipa_role == 'client' { + $final_configure_dns_server = false + } else { + $final_configure_dns_server = $configure_dns_server + } - if $ipa_role == 'client' { - $final_configure_dns_server = false - } else { - $final_configure_dns_server = $configure_dns_server - } + $opt_no_ssh = $configure_ssh ? { + true => '', + default => '--no-ssh', + } - $opt_no_ssh = $configure_ssh ? { - true => '', - default => '--no-ssh', - } + $opt_no_sshd = $configure_sshd ? { + true => '', + default => '--no-sshd', + } - $opt_no_sshd = $configure_sshd ? { - true => '', - default => '--no-sshd', - } + if $ipa::adjust_login_defs { + $uid_max_value = $ipa::idstart -1 + $gid_max_value = $ipa::idstart -1 - if $adjust_login_defs { - file_line { - default: - path => '/etc/login.defs', - replace => true, - ; - 'adjust uid max': - line => "UID_MAX\t11999", - match => '^UID_MAX\s*60000$', - ; - 'adjust gid max': - line => "GID_MAX\t11999", - match => '^GID_MAX\s*60000$', - ; - } + file_line { + default: + path => '/etc/login.defs', + replace => true, + ; + 'adjust uid max': + line => "UID_MAX\t${uid_max_value}", + match => '^UID_MAX.*$', + ; + 'adjust gid max': + line => "GID_MAX\t${gid_max_value}", + match => '^GID_MAX.*$', + ; } + } - require easy_ipa::validate_params - contain easy_ipa::install + if $ipa::ipa_role == 'master' or $ipa::ipa_role == 'replica' { + contain 'ipa::server' + } elsif $ipa::ipa_role == 'client' { + contain 'ipa::client' } } diff --git a/manifests/install.pp b/manifests/install.pp deleted file mode 100644 index b5bc30a6..00000000 --- a/manifests/install.pp +++ /dev/null 
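Review bot: The new default `$domain_join_password = $directory_services_password` pairs the Directory Manager password with the default `$domain_join_principal = 'admin'`; the Directory Manager password is not a Kerberos principal's password, so that default presumably only works where both secrets were set to the same value, and it hands the most privileged secret in the deployment to every host that consumes the join password (ipa::client is outside this diff). Consider defaulting to `$admin_password`, or leaving it `undef` and failing in the role class when nothing is supplied, and state the chosen behaviour in the `@param domain_join_password` text above the class. Separately, `fail('Parameter "idmax" must be an integer greater than parameter "idstart".')` is guarded by `$ipa::idmax < $ipa::idstart`, so an `idmax` equal to `idstart` passes while the message says "greater than" — use `<=` or reword the message.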
@@ -1,53 +0,0 @@ -# -# @summary Manage easy_ipa install -# -class easy_ipa::install { - if $easy_ipa::install_epel and $facts['os']['family'] == 'RedHat' { - ensure_resource( - 'package', - 'epel-release', - { 'ensure' => 'present' }, - ) - } - - if $easy_ipa::manage_host_entry { - host { $easy_ipa::ipa_server_fqdn: - ip => $easy_ipa::ip_address, - } - } - - # Note: sssd.conf handled by ipa-server-install. - if $easy_ipa::install_sssd { - contain 'easy_ipa::install::sssd' - } - - if $easy_ipa::install_autofs { - contain 'easy_ipa::install::autofs' - } - - if $easy_ipa::install_sssdtools { - package { $easy_ipa::params::sssdtools_package_name: - ensure => present, - } - } - - if $easy_ipa::ipa_role == 'master' or $easy_ipa::ipa_role == 'replica' { - if $easy_ipa::final_configure_dns_server { - $dns_packages = [ - 'ipa-server-dns', - 'bind-dyndb-ldap', - ] - package { $dns_packages: - ensure => present, - } - } - - if $easy_ipa::install_ipa_server { - contain 'easy_ipa::install::server' - } - } elsif $easy_ipa::ipa_role == 'client' { - if $easy_ipa::install_ipa_client { - contain 'easy_ipa::install::client' - } - } -} diff --git a/manifests/install/autofs.pp b/manifests/install/autofs.pp deleted file mode 100644 index 8fb72039..00000000 --- a/manifests/install/autofs.pp +++ /dev/null @@ -1,13 +0,0 @@ -# -# @summary Manage autofs -# -class easy_ipa::install::autofs { - package { $easy_ipa::params::autofs_package_name: - ensure => present, - } - - service { 'autofs': - ensure => 'running', - enable => true, - } -} diff --git a/manifests/install/client.pp b/manifests/install/client.pp deleted file mode 100644 index b5185e30..00000000 --- a/manifests/install/client.pp +++ /dev/null 
@@ -1,102 +0,0 @@ -# -# @summary Manage ipa client -# -class easy_ipa::install::client { - package { 'ipa-client': - ensure => $easy_ipa::params::ipa_client_package_ensure, - name => $easy_ipa::params::ipa_client_package_name, - } - - package { $easy_ipa::params::kstart_package_name: - ensure => present, - } - - if $easy_ipa::client_install_ldaputils { - package { $easy_ipa::params::ldaputils_package_name: - ensure => present, - } - } - - if $easy_ipa::mkhomedir { - $client_install_cmd_opts_mkhomedir = '--mkhomedir' - } else { - $client_install_cmd_opts_mkhomedir = '' - } - - if $easy_ipa::fixed_primary { - $client_install_cmd_opts_fixed_primary = '--fixed-primary' - } else { - $client_install_cmd_opts_fixed_primary = '' - } - - if $easy_ipa::configure_ntp { - $client_install_cmd_opts_no_ntp = '' - } else { - $client_install_cmd_opts_no_ntp = '--no-ntp' - } - - if $easy_ipa::enable_dns_updates { - $client_install_cmd_opts_dns_updates = '--enable-dns-updates' - } else { - $client_install_cmd_opts_dns_updates = '' - } - - if $easy_ipa::enable_hostname { - $client_install_cmd_opts_hostname = "--hostname=${facts['networking']['fqdn']}" - } else { - $client_install_cmd_opts_hostname = '' - } - - if $facts['ipa_force_join'] { - $client_install_cmd_opts_force_join= '--force-join' - } else { - $client_install_cmd_opts_force_join = '' - } - - $client_install_cmd = "\ -/usr/sbin/ipa-client-install \ - --server=${easy_ipa::ipa_master_fqdn} \ - --realm=${easy_ipa::final_realm} \ - --domain=${easy_ipa::domain} \ - --principal='${easy_ipa::domain_join_principal}' \ - --password='${easy_ipa::final_domain_join_password}' \ - ${client_install_cmd_opts_dns_updates} \ - ${client_install_cmd_opts_hostname} \ - ${client_install_cmd_opts_mkhomedir} \ - ${client_install_cmd_opts_fixed_primary} \ - ${client_install_cmd_opts_no_ntp} \ - ${client_install_cmd_opts_force_join} \ - ${easy_ipa::opt_no_ssh} \ - ${easy_ipa::opt_no_sshd} \ - --unattended" - - # Some platforms require "manual" 
setup as they don't have the freeipa-client - # package. - # - if $easy_ipa::params::ipa_client_package_ensure == 'present' { - exec { "client_install_${facts['networking']['fqdn']}": - command => $client_install_cmd, - timeout => 0, - unless => "cat /etc/ipa/default.conf | grep -i \"${easy_ipa::domain}\"", - creates => '/etc/ipa/default.conf', - logoutput => false, # prevent passphrases from appearing in puppet log - before => Service['sssd'], - provider => 'shell', - require => Package['ipa-client'], - } - } else { - contain easy_ipa::install::client::manual - } - - if $facts['os']['family'] == 'Debian' and $easy_ipa::mkhomedir { - contain easy_ipa::install::client::debian - } - - if $easy_ipa::install_sssd { - service { 'sssd': - ensure => 'running', - enable => true, - require => Package[$easy_ipa::params::sssd_package_name], - } - } -} diff --git a/manifests/install/client/debian.pp b/manifests/install/client/debian.pp deleted file mode 100644 index bb437790..00000000 --- a/manifests/install/client/debian.pp +++ /dev/null 
@@ -1,41 +0,0 @@ -# -# @summary Ensure that home directories get created on Debian and Ubuntu clients. -# -# This code is needed as the --mkhomedir parameter passed to ipa-client-install does -# not configure PAM even though it does install the required packages. -# -# Currently Ubuntu 14.04/16.04 and Debian 8/9 are supported. -# -class easy_ipa::install::client::debian { - case $facts['os']['distro']['codename'] { - /^(xenial|stretch|bionic|focal|buster|bullseye|jammy)$/: { - # Ensure that required packages are present even if they do not get pulled - # in as freeipa-client package dependencies - ensure_packages(['oddjob','oddjob-mkhomedir'], { 'ensure' => 'present' }) - - # This should preferably be in a separate Puppet module - service { 'oddjobd': - ensure => 'running', - enable => true, - name => 'oddjobd', - } - $mkhomedir_line = 'session optional /lib/x86_64-linux-gnu/security/pam_oddjob_mkhomedir.so' - $notify = Service['oddjobd'] - } - /^(trusty|jessie)$/: { - $mkhomedir_line = 'session required pam_mkhomedir.so skel=/etc/skel/ umask=0022' - $notify = undef - } - default: { - fail('ERROR: unsupported Debian/Ubuntu version!') - } - } - - file_line { 'mkhomedir': - ensure => 'present', - path => '/etc/pam.d/common-session', - line => $mkhomedir_line, - after => '^# end of pam-auth-update config', - notify => $notify, - } -} diff --git a/manifests/install/client/manual.pp b/manifests/install/client/manual.pp deleted file mode 100644 index 9587c31d..00000000 --- a/manifests/install/client/manual.pp +++ /dev/null 
@@ -1,32 +0,0 @@ -# -# @summary "Manual" configuration of hosts which don't have the freeipa-client package. -# -class easy_ipa::install::client::manual { - # Generate LDAP base DN from the domain (e.g. dc=vagrant,dc=example,dc=lan) - $ldap_base_temp = regsubst($easy_ipa::domain, '\.',',dc=', 'G') - $ldap_base = regsubst($ldap_base_temp, '^', 'dc=') - - File { - ensure => 'present', - owner => 'root', - group => 'root', - mode => '0644', - } - - file { '/etc/krb5.conf': - content => template('easy_ipa/krb5.conf.erb'), - } - - file { '/etc/ldap/ldap.conf': - content => template('easy_ipa/ldap.conf.erb'), - } - - file { '/etc/sssd/sssd.conf': - content => template('easy_ipa/sssd.conf.erb'), - mode => '0600', - } - - package { 'krb5-user': - ensure => 'present', - } -} diff --git a/manifests/install/server.pp b/manifests/install/server.pp deleted file mode 100644 index 61f67443..00000000 --- a/manifests/install/server.pp +++ /dev/null 
@@ -1,157 +0,0 @@ -# -# @summary Manage IPA server install -# -class easy_ipa::install::server { - package { $easy_ipa::params::ipa_server_package_name: - ensure => present, - } - - package { $easy_ipa::params::kstart_package_name: - ensure => present, - } - - if $easy_ipa::server_install_ldaputils { - package { $easy_ipa::params::ldaputils_package_name: - ensure => present, - } - } - - $server_install_cmd_opts_idstart = "--idstart=${easy_ipa::idstart}" - - # Newer installers clash with both default UID_MAX and GID_MAX - # Note: SUB_* only affect user/group mapping in containers, so not of - # concern here - if $easy_ipa::adjust_login_defs { - if $easy_ipa::idstart < $facts['uid_max'] { - $uid_max_value = $easy_ipa::idstart -1 - } - if $easy_ipa::idstart < $facts['gid_max'] { - $gid_max_value = $easy_ipa::idstart -1 - } - file_line { - default: - path => '/etc/login.defs', - replace => true, - ; - 'adjust uid max': - line => "UID_MAX\t${uid_max_value}", - match => '^UID_MAX.*$', - ; - 'adjust gid max': - line => "GID_MAX\t${gid_max_value}", - match => '^GID_MAX.*$', - ; - } - } - - $server_install_cmd_opts_idmax = $easy_ipa::idmax ? 
{ - undef => '', - default => "--idmax=${easy_ipa::idmax}" - } - - if $easy_ipa::allow_zone_overlap { - $server_install_cmd_opts_zone_overlap = '--allow-zone-overlap' - } else { - $server_install_cmd_opts_zone_overlap = '' - } - - if $easy_ipa::no_dnssec_validation { - $server_install_cmd_opts_dnssec_validation = '--no-dnssec-validation' - } else { - $server_install_cmd_opts_dnssec_validation = '' - } - - if $easy_ipa::enable_hostname { - $server_install_cmd_opts_hostname = "--hostname=${easy_ipa::ipa_server_fqdn}" - } else { - $server_install_cmd_opts_hostname = '' - } - - if $easy_ipa::enable_ip_address { - $server_install_cmd_opts_ip_address = "--ip-address ${easy_ipa::ip_address}" - } else { - $server_install_cmd_opts_ip_address = '' - } - - if $easy_ipa::final_configure_dns_server { - $server_install_cmd_opts_setup_dns = '--setup-dns' - } else { - $server_install_cmd_opts_setup_dns = '' - } - - if $easy_ipa::configure_replica_ca { - $server_install_cmd_opts_setup_ca = '--setup-ca' - } else { - $server_install_cmd_opts_setup_ca = '' - } - - if $easy_ipa::configure_ntp { - $server_install_cmd_opts_no_ntp = '' - } else { - $server_install_cmd_opts_no_ntp = '--no-ntp' - } - - if $easy_ipa::final_configure_dns_server { - if size($easy_ipa::custom_dns_forwarders) > 0 { - $server_install_cmd_opts_forwarders = join( - prefix( - $easy_ipa::custom_dns_forwarders, - '--forwarder '), - ' ' - ) - } - else { - $server_install_cmd_opts_forwarders = '--no-forwarders' - } - } - else { - $server_install_cmd_opts_forwarders = '' - } - - if $easy_ipa::no_ui_redirect { - $server_install_cmd_opts_no_ui_redirect = '--no-ui-redirect' - } else { - $server_install_cmd_opts_no_ui_redirect = '' - } - - if $easy_ipa::mkhomedir { - $server_install_cmd_opts_mkhomedir = '--mkhomedir' - } else { - $server_install_cmd_opts_mkhomedir = '' - } - - if $easy_ipa::ipa_role == 'master' { - contain 'easy_ipa::install::server::master' - Class['easy_ipa::install::server::master'] - -> 
Class['easy_ipa::config::webui'] - } elsif $easy_ipa::ipa_role == 'replica' { - contain 'easy_ipa::install::server::replica' - Class['easy_ipa::install::server::replica'] - -> Class['easy_ipa::config::webui'] - } - - ensure_resource ( - 'service', - 'httpd', - { ensure => 'running' }, - ) - - contain 'easy_ipa::config::webui' - - service { 'ipa': - ensure => 'running', - enable => true, - require => Exec["server_install_${easy_ipa::ipa_server_fqdn}"], - } - - if $easy_ipa::install_sssd { - service { 'sssd': - ensure => 'running', - enable => true, - require => Package[$easy_ipa::params::sssd_package_name], - } - } - - easy_ipa::helpers::flushcache { "server_${easy_ipa::ipa_server_fqdn}": } - contain easy_ipa::config::admin_user -} diff --git a/manifests/install/server/master.pp b/manifests/install/server/master.pp deleted file mode 100644 index 9904cf94..00000000 --- a/manifests/install/server/master.pp +++ /dev/null 
@@ -1,45 +0,0 @@ -# -# @summary Manage primary server -# -class easy_ipa::install::server::master { - $server_install_cmd = "\ -/usr/sbin/ipa-server-install \ - ${easy_ipa::install::server::server_install_cmd_opts_hostname} \ - --realm=${easy_ipa::final_realm} \ - --domain=${easy_ipa::domain} \ - --admin-password='${easy_ipa::admin_password}' \ - --ds-password='${easy_ipa::directory_services_password}' \ - ${easy_ipa::install::server::server_install_cmd_opts_zone_overlap} \ - ${easy_ipa::install::server::server_install_cmd_opts_dnssec_validation} \ - ${easy_ipa::install::server::server_install_cmd_opts_setup_dns} \ - ${easy_ipa::install::server::server_install_cmd_opts_forwarders} \ - ${easy_ipa::install::server::server_install_cmd_opts_ip_address} \ - ${easy_ipa::install::server::server_install_cmd_opts_no_ntp} \ - ${easy_ipa::install::server::server_install_cmd_opts_idstart} \ - ${easy_ipa::install::server::server_install_cmd_opts_idmax} \ - ${easy_ipa::install::server::server_install_cmd_opts_no_ui_redirect} \ - ${easy_ipa::install::server::server_install_cmd_opts_mkhomedir} \ - ${easy_ipa::opt_no_ssh} \ - ${easy_ipa::opt_no_sshd} \ - --unattended" - - file { '/etc/ipa/primary': - ensure => 'file', - content => 'Added by IPA Puppet module. Designates primary master. Do not remove.', - } - -> exec { "server_install_${easy_ipa::ipa_server_fqdn}": - command => $server_install_cmd, - timeout => 0, - unless => '/usr/sbin/ipactl status >/dev/null 2>&1', - creates => '/etc/ipa/default.conf', - logoutput => false, # prevent passphrases from appearing in puppet log - notify => Easy_ipa::Helpers::Flushcache["server_${easy_ipa::ipa_server_fqdn}"], - before => Service['sssd'], - } - -> cron { 'k5start_root': #allows scp to replicas as root - command => '/usr/bin/k5start -f /etc/krb5.keytab -U -o root -k /tmp/krb5cc_0 > /dev/null 2>&1', - user => 'root', - minute => '*/1', - require => Package[$easy_ipa::params::kstart_package_name], - } -} 
diff --git a/manifests/install/server/replica.pp b/manifests/install/server/replica.pp deleted file mode 100644 index 58c48f51..00000000 --- a/manifests/install/server/replica.pp +++ /dev/null 
@@ -1,46 +0,0 @@ -# -# @summary Manage replica install -# -class easy_ipa::install::server::replica { - $replica_install_cmd = "\ -/usr/sbin/ipa-replica-install \ - --principal=${easy_ipa::domain_join_principal} \ - --admin-password='${easy_ipa::final_domain_join_password}' \ - ${easy_ipa::install::server::server_install_cmd_opts_hostname} \ - --realm=${easy_ipa::final_realm} \ - --domain=${easy_ipa::domain} \ - --server=${easy_ipa::ipa_master_fqdn} \ - ${easy_ipa::install::server::server_install_cmd_opts_zone_overlap} \ - ${easy_ipa::install::server::server_install_cmd_opts_dnssec_validation} \ - ${easy_ipa::install::server::server_install_cmd_opts_setup_dns} \ - ${easy_ipa::install::server::server_install_cmd_opts_setup_ca} \ - ${easy_ipa::install::server::server_install_cmd_opts_forwarders} \ - ${easy_ipa::install::server::server_install_cmd_opts_ip_address} \ - ${easy_ipa::install::server::server_install_cmd_opts_no_ntp} \ - ${easy_ipa::install::server::server_install_cmd_opts_no_ui_redirect} \ - ${easy_ipa::install::server::server_install_cmd_opts_mkhomedir} \ - ${easy_ipa::opt_no_ssh} \ - ${easy_ipa::opt_no_sshd} \ - --unattended" - - # TODO: config-show and grep for IPA\ masters - file { '/etc/ipa/primary': - ensure => 'file', - content => 'Added by IPA Puppet module. Designates primary master. Do not remove.', - } - -> exec { "server_install_${easy_ipa::ipa_server_fqdn}": - command => $replica_install_cmd, - timeout => 0, - unless => '/usr/sbin/ipactl status >/dev/null 2>&1', - creates => '/etc/ipa/default.conf', - logoutput => false, # prevent passphrases from appearing in puppet log - notify => Easy_ipa::Helpers::Flushcache["server_${easy_ipa::ipa_server_fqdn}"], - before => Service['sssd'], - } - -> cron { 'k5start_root': - command => '/usr/bin/k5start -f /etc/krb5.keytab -U -o root -k /tmp/krb5cc_0 > /dev/null 2>&1', - user => 'root', - minute => '*/1', - require => Package[$easy_ipa::params::kstart_package_name], - } -} 
diff --git a/manifests/install/sssd.pp b/manifests/install/sssd.pp deleted file mode 100644 index f28d3f7b..00000000 --- a/manifests/install/sssd.pp +++ /dev/null @@ -1,8 +0,0 @@ -# -# @summary Manage sssd install -# -class easy_ipa::install::sssd { - package { $easy_ipa::params::sssd_package_name: - ensure => present, - } -} diff --git a/manifests/monit/server.pp b/manifests/monit/server.pp deleted file mode 100644 index 6e9a6081..00000000 --- a/manifests/monit/server.pp +++ /dev/null @@ -1,33 +0,0 @@ -# -# @summary Manage easy_ipa::monit::server -# -# Monitor FreeIPA server processes using monit -# -# This class depends on puppetfinland-monit module -# -# @param email -# Email address to send notifications to. Defaults to top-scope variable -# $::servermonitor. -# -class easy_ipa::monit::server ( - String $email = $facts['servermonitor'], -) { - @monit::fragment { 'ipa.monit': - ensure => 'present', - modulename => 'easy_ipa', - basename => 'ipa', - tag => 'default', - } - - @file { 'ipa.sh': - ensure => 'file', - name => "${facts['monit::params::fragment_dir']}/ipa.sh", - content => template('easy_ipa/ipa.sh.erb'), - owner => 'root', - group => 'root', - mode => '0700', - notify => Class['monit::service'], - require => Class['monit'], - tag => 'monit', - } -} diff --git a/manifests/named.pp b/manifests/named.pp deleted file mode 100644 index d745630c..00000000 --- a/manifests/named.pp +++ /dev/null 
@@ -1,27 +0,0 @@ -# -# @summary Prepare the integrated named-pkcs11 service for local configuration -# fragments. -# -# This is only supposed to work on RHEL/CentOS. -# -class easy_ipa::named { - include easy_ipa::params - - unless $facts['os']['family'] == 'RedHat' { - fail('ERROR: class ::easy_ipa::named supports only RedHat/CentOS') - } - - $named_conf_d = $easy_ipa::params::named_conf_d - - service { 'named-pkcs11': - require => Class['easy_ipa'], - } - - file { $named_conf_d: - ensure => 'directory', - owner => 'root', - group => 'named', - mode => '0750', - require => Class['easy_ipa'], - } -} diff --git a/manifests/packetfilter/server.pp b/manifests/packetfilter/server.pp deleted file mode 100644 index c8e8c488..00000000 --- a/manifests/packetfilter/server.pp +++ /dev/null 
@@ -1,62 +0,0 @@ -# -# @summary Install packet filtering rules for FreeIPA. -# -# @param allow_address_ipv4 -# IPv4 address to allow access from. -# -# @param allow_address_ipv6 -# IPv6 address to allow access from. -# -class easy_ipa::packetfilter::server ( - Variant[Stdlib::IP::Address::V4,Array[Stdlib::IP::Address::V4]] $allow_address_ipv4 = '127.0.0.1', - Variant[Stdlib::IP::Address::V6,Array[Stdlib::IP::Address::V6]] $allow_address_ipv6 = '::1' -) { - # Convert string parameters to arrays - $allow_addresses_ipv4 = any2array($allow_address_ipv4) - $allow_addresses_ipv6 = any2array($allow_address_ipv6) - - # A hash containing the data for packet filtering rules - $services = { 'dns' => { 'tcp' => 53, 'udp' => 53 }, - 'http' => { 'tcp' => 80 }, - 'https' => { 'tcp' => 443 }, - 'kerberos' => { 'tcp' => 88, 'udp' => 88 }, - 'kerberos passwd' => { 'tcp' => 464, 'udp' => 464 }, - 'ldaps' => { 'tcp' => 636 }, - 'ldap' => { 'tcp' => 389 }, - 'ntp' => { 'udp' => 123 }, - 'webcache' => { 'tcp' => 8080 }, - } - - Firewall { - chain => 'INPUT', - action => 'accept', - } - - $services.each |$service| { - $service[1].each |$rule| { - $service_name = $service[0] - $protocol = $rule[0] - $dport = $rule[1] - - $allow_addresses_ipv4.each |$addr_v4| { - @firewall { "008 ipv4 accept ${service_name} ${protocol} ${dport} from ${addr_v4}": - provider => 'iptables', - proto => $protocol, - source => $addr_v4, - dport => $dport, - tag => 'default', - } - } - - $allow_addresses_ipv6.each |$addr_v6| { - @firewall { "008 ipv6 accept ${service_name} ${protocol} ${dport} from ${addr_v6}": - provider => 'ip6tables', - proto => $protocol, - source => $addr_v6, - dport => $dport, - tag => 'default', - } - } - } - } -} diff --git a/manifests/params.pp b/manifests/params.pp deleted file mode 100644 index fd451248..00000000 --- a/manifests/params.pp +++ /dev/null 
@@ -1,37 +0,0 @@ -# -# @summary Prevent havoc on unsupported operating systems. -# -# Traditionally this file would be used to abstract away operating system -# differences. Right now the main purpose is to prevent easy_ipa classes from -# causing havoc (e.g. partial configurations) on unsupported operating systems -# by failing early rather than later. -# -class easy_ipa::params { - case $facts['os']['family'] { - 'RedHat': { - $ldaputils_package_name = 'openldap-clients' - $ipa_client_package_name = 'ipa-client' - $ipa_client_package_ensure = 'present' - $named_conf_d = '/etc/named/conf.d' - } - 'Debian': { - case $facts['os']['distro']['codename'] { - /(trusty|xenial|bionic|buster|focal|bullseye|jammy)/: { $ipa_client_package_ensure = 'present' } - /(stretch)/: { $ipa_client_package_ensure = 'absent' } - default: { fail('ERROR: unsupported operating system') } - } - $ldaputils_package_name = 'ldap-utils' - $ipa_client_package_name = 'freeipa-client' - } - default: { - fail('ERROR: unsupported operating system!') - } - } - - # These package names are the same on RedHat and Debian derivatives - $autofs_package_name = 'autofs' - $ipa_server_package_name = 'ipa-server' - $kstart_package_name = 'kstart' - $sssd_package_name = 'sssd-common' - $sssdtools_package_name = 'sssd-tools' -} diff --git a/manifests/server.pp b/manifests/server.pp new file mode 100644 index 00000000..80ede9c7 --- /dev/null +++ b/manifests/server.pp 
@@ -0,0 +1,133 @@
+#
+# @summary Manage IPA server install
+#
+# @param package_name
+# The name of the package(s) to install.
+#
+# @api private
+class ipa::server (
+ Array[String] $package_name = undef,
+) {
+ assert_private()
+
+ if $ipa::ipa_role != 'master' { # if replica or client
+ unless $ipa::ipa_master_fqdn {
+ fail("When creating a ${ipa::ipa_role} the parameter named ipa_master_fqdn cannot be empty.")
+ }
+ unless $ipa::admin_password {
+ fail("When creating a ${ipa::ipa_role} the parameter named admin_password cannot be empty.")
+ }
+ }
+
+ if fact('os.family') == 'RedHat' {
+ require ipa::server::redhat
+ }
+
+ stdlib::ensure_packages($package_name)
+
+ $dns_packages = [
+ 'ipa-server-dns',
+ 'bind-dyndb-ldap',
+ ]
+
+ if $ipa::final_configure_dns_server {
+ stdlib::ensure_packages($dns_packages)
+ }
+
+ $server_install_cmd_opts_idstart = "--idstart=${ipa::idstart}"
+
+ $server_install_cmd_opts_idmax = $ipa::idmax ? {
+ undef => '',
+ default => "--idmax=${ipa::idmax}"
+ }
+
+ if $ipa::allow_zone_overlap {
+ $server_install_cmd_opts_zone_overlap = '--allow-zone-overlap'
+ } else {
+ $server_install_cmd_opts_zone_overlap = ''
+ }
+
+ if $ipa::no_dnssec_validation {
+ $server_install_cmd_opts_dnssec_validation = '--no-dnssec-validation'
+ } else {
+ $server_install_cmd_opts_dnssec_validation = ''
+ }
+
+ if $ipa::enable_hostname {
+ $server_install_cmd_opts_hostname = "--hostname=${ipa::ipa_server_fqdn}"
+ } else {
+ $server_install_cmd_opts_hostname = ''
+ }
+
+ if $ipa::enable_ip_address {
+ $server_install_cmd_opts_ip_address = "--ip-address ${ipa::ip_address}"
+ } else {
+ $server_install_cmd_opts_ip_address = ''
+ }
+
+ if $ipa::final_configure_dns_server {
+ $server_install_cmd_opts_setup_dns = '--setup-dns'
+ } else {
+ $server_install_cmd_opts_setup_dns = ''
+ }
+
+ if $ipa::configure_replica_ca {
+ $server_install_cmd_opts_setup_ca = '--setup-ca'
+ } else {
+ $server_install_cmd_opts_setup_ca = ''
+ }
+
+ if $ipa::configure_ntp {
+ $server_install_cmd_opts_no_ntp = ''
+ } else {
+ $server_install_cmd_opts_no_ntp = '--no-ntp'
+ }
+
+ if $ipa::final_configure_dns_server {
+ if size($ipa::custom_dns_forwarders) > 0 {
+ $server_install_cmd_opts_forwarders = join(
+ prefix(
+ $ipa::custom_dns_forwarders,
+ '--forwarder '),
+ ' '
+ )
+ }
+ else {
+ $server_install_cmd_opts_forwarders = '--no-forwarders'
+ }
+ }
+ else {
+ $server_install_cmd_opts_forwarders = ''
+ }
+
+ if $ipa::no_ui_redirect {
+ $server_install_cmd_opts_no_ui_redirect = '--no-ui-redirect'
+ } else {
+ $server_install_cmd_opts_no_ui_redirect = ''
+ }
+
+ if $ipa::mkhomedir {
+ $server_install_cmd_opts_mkhomedir = '--mkhomedir'
+ } else {
+ $server_install_cmd_opts_mkhomedir = ''
+ }
+
+ if $ipa::ipa_role == 'master' {
+ contain 'ipa::server::master'
+
+ Class['ipa::server::master']
+ -> Service['ipa']
+ } elsif $ipa::ipa_role == 'replica' {
+ contain 'ipa::server::replica'
+
+ Class['ipa::server::replica']
+ -> Service['ipa']
+ }
+
+ include ipa::server::flushcache
+
+ service { 'ipa':
+ ensure => running,
+ enable => true,
+ }
+}
diff --git a/manifests/helpers/flushcache.pp b/manifests/server/flushcache.pp
similarity index 71%
rename from manifests/helpers/flushcache.pp
rename to manifests/server/flushcache.pp
index 23451ca4..8d6807ce 100644
--- a/manifests/helpers/flushcache.pp
+++ b/manifests/server/flushcache.pp
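Review bot: `Array[String] $package_name = undef` declares a non-Optional array with an `undef` default, which the type check rejects unless module Hiera data supplies `ipa::server::package_name`; if that data exists the default is dead and `Array[String[1]] $package_name,` states the contract honestly, and if it does not, every master/replica fails to compile. The comment `# if replica or client` on the `$ipa::ipa_role != 'master'` guard is misleading, because init.pp only contains `ipa::server` for master and replica, so only a replica reaches that branch; `# replica: needs a master to join and the admin password` is accurate. The `@param package_name` text should also say where the value is expected to come from, since the class is `@api private` and nothing in the manifests passes it.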
@@ -1,16 +1,19 @@ # # @summary Manage cache flushing # -define easy_ipa::helpers::flushcache { +# @api private +class ipa::server::flushcache { + assert_private() + #TODO: nscd should be called on both platforms. - if $::facts['os']['family'] == 'RedHat' { + if fact('os.family') == 'RedHat' { $ipa_fluch_cache_cmd = "\ if [ -x /usr/sbin/sss_cache ]; then \ /usr/sbin/sss_cache -UGNA >/dev/null 2>&1 ; \ else \ /usr/bin/find /var/lib/sss/db -type f -exec rm -f \"{}\" ; ; \ fi" - } elsif $::facts['os']['family'] == 'Debian' { + } elsif fact('os.family') == 'Debian' { $ipa_fluch_cache_cmd = "\ if [ -x /usr/sbin/nscd ]; then \ /usr/sbin/nscd -i passwd -i group -i netgroup -i automount >/dev/null 2>&1 ; \ @@ -20,13 +23,12 @@ /usr/bin/find /var/lib/sss/db -type f -exec rm -f \"{}\" ; ; \ fi" } else { - fail('The class easy_ipa::flushcache is only written for RedHat and Debian.') + fail('The class ipa::flushcache is only written for RedHat and Debian.') } - exec { "ipa_flushcache_${title}": + exec { 'ipa_flushcache': command => "/bin/bash -c ${ipa_fluch_cache_cmd}", returns => ['0','1','2'], - notify => Service['sssd'], refreshonly => true, } } diff --git a/manifests/server/master.pp b/manifests/server/master.pp new file mode 100644 index 00000000..6be127cf --- /dev/null +++ b/manifests/server/master.pp 
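Review bot: The renamed failure message still points at a class that does not exist: `fail('The class ipa::flushcache is only written for RedHat and Debian.')` in the second hunk should read `fail('The class ipa::server::flushcache is only written for RedHat and Debian.')`. The same hunk drops `notify => Service['sssd']` from the exec without a replacement; since this diff also deletes the install classes that declared `Service['sssd']`, the flush now runs with no sssd restart afterwards — confirm that is intended and add a comment on `refreshonly => true` naming the install execs in ipa::server::master and ipa::server::replica as the only triggers. Unchanged context, but now the body of a private class: `command => "/bin/bash -c ${ipa_fluch_cache_cmd}"` hands the multi-statement script to `bash -c` unquoted, so the first `;` ends the bash invocation as far as the outer shell is concerned, and `returns => ['0','1','2']` swallows the resulting error; the flush is presumably a silent no-op on both platforms and wants `command => "/bin/bash -c '${ipa_fluch_cache_cmd}'"` together with a tighter `returns`.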
@@ -0,0 +1,46 @@
+#
+# @summary Manage primary server
+#
+# @api private
+class ipa::server::master {
+ assert_private()
+
+ $server_install_cmd = "\
+/usr/sbin/ipa-server-install \
+ ${ipa::server::server_install_cmd_opts_hostname} \
+ --realm=${ipa::final_realm} \
+ --domain=${ipa::domain} \
+ --admin-password=\"\${IPA_ADMIN_PASSWORD}\" \
+ --ds-password=\"\${IPA_DS_PASSWORD}\" \
+ ${ipa::server::server_install_cmd_opts_zone_overlap} \
+ ${ipa::server::server_install_cmd_opts_dnssec_validation} \
+ ${ipa::server::server_install_cmd_opts_setup_dns} \
+ ${ipa::server::server_install_cmd_opts_forwarders} \
+ ${ipa::server::server_install_cmd_opts_ip_address} \
+ ${ipa::server::server_install_cmd_opts_no_ntp} \
+ ${ipa::server::server_install_cmd_opts_idstart} \
+ ${ipa::server::server_install_cmd_opts_idmax} \
+ ${ipa::server::server_install_cmd_opts_no_ui_redirect} \
+ ${ipa::server::server_install_cmd_opts_mkhomedir} \
+ ${ipa::opt_no_ssh} \
+ ${ipa::opt_no_sshd} \
+ --unattended"
+
+ exec { 'ipa-server-install':
+ environment => [
+ "IPA_ADMIN_PASSWORD=${ipa::admin_password.unwrap}",
+ "IPA_DS_PASSWORD=${ipa::directory_services_password.unwrap}",
+ ],
+ command => $server_install_cmd,
+ timeout => 0,
+ unless => '/usr/sbin/ipactl status >/dev/null 2>&1',
+ creates => '/etc/ipa/default.conf',
+ logoutput => on_failure,
+ notify => Class[ipa::server::flushcache],
+ }
+ -> cron { 'k5start_root': #allows scp to replicas as root
+ command => '/usr/bin/k5start -f /etc/krb5.keytab -U -o root -k /tmp/krb5cc_0 > /dev/null 2>&1',
+ user => 'root',
+ minute => '*/1',
+ }
+}
diff --git a/manifests/server/redhat.pp b/manifests/server/redhat.pp
new file mode 100644
index 00000000..2c7e92d6
--- /dev/null
+++ b/manifests/server/redhat.pp
@@ -0,0 +1,11 @@
+# @api private
+class ipa::server::redhat {
+ assert_private()
+
+ if versioncmp(fact('os.release.major'), '8') == 0 {
+ package { 'idm':
+ ensure => 'DL1',
+ provider => 'dnfmodule',
+ }
+ }
+}
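Review bot: The `.unwrap`ped `admin_password` and `directory_services_password` interpolated into `environment` of `Exec['ipa-server-install']` become plain strings in the compiled catalog, which the agent caches on disk and which reaches PuppetDB or reports where those are enabled, so accepting `Sensitive` on the class and unwrapping here loses most of the redaction. If the targeted Puppet (>= 8 per metadata.json) lets `environment` carry a `Sensitive` value, pass `environment => Sensitive([...])`; if it does not, say so in a comment next to the exec and consider sourcing the values from a root-only file on the node instead. The `\${IPA_ADMIN_PASSWORD}` / `\${IPA_DS_PASSWORD}` references in `$server_install_cmd` only expand if the command goes through a shell; no `provider => shell` is set, so adding it makes that dependency explicit instead of relying on the posix provider's metacharacter handling. The `k5start_root` cron keeps a root TGT from the host keytab in `/tmp/krb5cc_0` every minute; a comment stating why a persistent root credential cache is needed (the inline note says scp to replicas) and who can read that path would help the next reviewer.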
diff --git a/manifests/server/replica.pp b/manifests/server/replica.pp
new file mode 100644
index 00000000..3881577c
--- /dev/null
+++ b/manifests/server/replica.pp
@@ -0,0 +1,43 @@
+#
+# @summary Manage replica install
+#
+# @api private
+class ipa::server::replica {
+ assert_private()
+
+ $replica_install_cmd = "\
+/usr/sbin/ipa-replica-install \
+ --principal=${ipa::domain_join_principal.unwrap} \
+ --admin-password=\"\${IPA_ADMIN_PASSWORD}\" \
+ ${ipa::server::server_install_cmd_opts_hostname} \
+ --realm=${ipa::final_realm} \
+ --domain=${ipa::domain} \
+ --server=${ipa::ipa_master_fqdn} \
+ ${ipa::server::server_install_cmd_opts_zone_overlap} \
+ ${ipa::server::server_install_cmd_opts_dnssec_validation} \
+ ${ipa::server::server_install_cmd_opts_setup_dns} \
+ ${ipa::server::server_install_cmd_opts_setup_ca} \
+ ${ipa::server::server_install_cmd_opts_forwarders} \
+ ${ipa::server::server_install_cmd_opts_ip_address} \
+ ${ipa::server::server_install_cmd_opts_no_ntp} \
+ ${ipa::server::server_install_cmd_opts_no_ui_redirect} \
+ ${ipa::server::server_install_cmd_opts_mkhomedir} \
+ ${ipa::opt_no_ssh} \
+ ${ipa::opt_no_sshd} \
+ --unattended"
+
+ exec { 'ipa-replica-install':
+ environment => "IPA_ADMIN_PASSWORD=${ipa::admin_password.unwrap}",
+ command => $replica_install_cmd,
+ timeout => 0,
+ unless => '/usr/sbin/ipactl status >/dev/null 2>&1',
+ creates => '/etc/ipa/default.conf',
+ logoutput => on_failure,
+ notify => Class[ipa::server::flushcache],
+ }
+ -> cron { 'k5start_root':
+ command => '/usr/bin/k5start -f /etc/krb5.keytab -U -o root -k /tmp/krb5cc_0 > /dev/null 2>&1',
+ user => 'root',
+ minute => '*/1',
+ }
+}
diff --git a/manifests/validate_params.pp b/manifests/validate_params.pp
deleted file mode 100644
index 38437da6..00000000
--- a/manifests/validate_params.pp
+++ /dev/null
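Review bot: `creates => '/etc/ipa/default.conf'` on `Exec['ipa-replica-install']` will short-circuit the replica install on a host that was first enrolled with `ipa-client-install`, if (as I believe) the client install also writes that file, and the `unless` check cannot rescue it because a plain client has no working `ipactl`. If promoting an enrolled client to a replica is an intended path, drop `creates` or test for a server-only artifact, and leave a comment recording which path is supported. As in the master class, the unwrapped `admin_password` in `environment` is stored in the catalog in plaintext, and `--principal=${ipa::domain_join_principal.unwrap}` is placed on argv where it is visible in `ps`; if the principal is wrapped as `Sensitive` only for hiera hygiene rather than because it is secret, a one-line comment saying so would prevent a future reader from treating the argv exposure as a leak.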
@@ -1,24 +0,0 @@ -# Validates input configs from init.pp. -# @api private -class easy_ipa::validate_params { - assert_private() - - if $easy_ipa::manage_host_entry { - unless $easy_ipa::ip_address { - fail('When using the parameter manage_host_entry, the parameter ip_address is mandatory.') - } - } - - if $easy_ipa::idmax and $easy_ipa::idmax < $easy_ipa::idstart { - fail('Parameter "idmax" must be an integer greater than parameter "idstart".') - } - - if $easy_ipa::ipa_role != 'master' { # if replica or client - unless $easy_ipa::final_domain_join_password { - fail("When creating a ${easy_ipa::ipa_role} the parameter named domain_join_password cannot be empty.") - } - unless $easy_ipa::ipa_master_fqdn { - fail("When creating a ${easy_ipa::ipa_role} the parameter named ipa_master_fqdn cannot be empty.") - } - } -} diff --git a/metadata.json b/metadata.json index 20b7e186..8f32100e 100644 --- a/metadata.json +++ b/metadata.json @@ -1,20 +1,20 @@ { - "name": "puppetfinland-easy_ipa", - "version": "3.1.0", - "author": "Puppet-Finland team", - "summary": "Manages IPA servers and clients.", - "license": "Apache-2.0", - "source": "https://github.com/Puppet-Finland/puppet-ipa", - "project_page": "https://github.com/Puppet-Finland/puppet-ipa", - "issues_url": "https://github.com/Puppet-Finland/puppet-ipa", + "name": "lsst-ipa", + "version": "4.0.0", + "author": "AURA/LSST/Rubin Observatory", + "summary": "Manages FreeIPA servers, replicas, and clients", + "license": "GPL-3.0", + "source": "https://github.com/lsst-it/puppet-ipa", + "project_page": "https://github.com/lsst-it/puppet-ipa", + "issues_url": "https://github.com/lsst-it/puppet-ipa", "dependencies": [ { "name": "puppetlabs-stdlib", - "version_requirement": ">= 4.19.0 < 10.0.0" + "version_requirement": ">= 9.0.0 < 10.0.0" }, { "name": "puppetlabs-cron_core", - "version_requirement": ">=1.0.0 < 2.0.0" + "version_requirement": ">=1.0.0 < 3.0.0" }, { "name": "puppetlabs-k5login_core", 
@@ -23,16 +23,15 @@ ], "operatingsystem_support": [ { - "operatingsystem": "CentOS", + "operatingsystem": "AlmaLinux", "operatingsystemrelease": [ - "7", - "8" + "8", + "9" ] }, { "operatingsystem": "RedHat", "operatingsystemrelease": [ - "7", "8", "9" ] @@ -47,33 +46,27 @@ { "operatingsystem": "Debian", "operatingsystemrelease": [ - "10", - "11" + "11", + "12" ] }, { "operatingsystem": "Ubuntu", "operatingsystemrelease": [ - "18.04", - "20.04", - "22.04" + "22.04", + "24.04" ] } ], "requirements": [ { "name": "puppet", - "version_requirement": ">= 7.0.0 < 9.0.0" + "version_requirement": ">= 8.0.0 < 9.0.0" } ], "tags": [ "ipa", - "easyipa", - "easy ipa", "freeipa", "free ipa" - ], - "pdk-version": "3.0.0", - "template-url": "pdk-default#3.0.0", - "template-ref": "tags/3.0.0-0-g056e50d" + ] } diff --git a/pdk.yaml b/pdk.yaml deleted file mode 100644 index 4bef4bd0..00000000 --- a/pdk.yaml +++ /dev/null @@ -1,2 +0,0 @@ ---- -ignore: [] diff --git a/plans/update_host_keys.pp b/plans/update_host_keys.pp deleted file mode 100644 index da8ab1ed..00000000 --- a/plans/update_host_keys.pp +++ /dev/null 
@@ -1,66 +0,0 @@ -# -# @summary Update host keys for a domain-joined node in FreeIPA to match real host -# keys. -# -# Useful when real keys and keys in IPA device account have gone -# out of sync, e.g. due to rebuilding the server from a snapshot. -# -# This gets a kerberos ticket from the IPA server first, then gathers -# the SSH keys from IPA clients from their SSH facts, then runs appropriate -# "ipa host-mod" commands for each IPA client on the IPA server. -# -# Note that it is assumed that the IPA client host name is equal to the $::fqdn -# fact. -# -# @param ipa_clients -# One of more IPA clients whose host keys to puload -# @param ipa_server -# A host which has the "ipa" tools installed. Not necessarily an IPA server. -# @param ipa_user -# An IPA user with permission to run "ipa host-mod". -# @param ipa_password -# IPA user's password -# @param noop -# If true then only imulate what would be done -# -plan easy_ipa::update_host_keys -( - TargetSpec $ipa_clients, - TargetSpec $ipa_server, - String $ipa_user, - String $ipa_password, - Boolean $noop = true, -) { - # Part #1: get a kerberos ticket on the IPA server - if $noop { - out::message('No-op: get kerberos ticket on the IPA server') - } else { - out::message('Get kerberos ticket on the IPA server') - $kinit_resultset = run_command("sh -c \'echo ${ipa_password}|kinit -V ${ipa_user} 2>&1\'", $ipa_server, '_catch_errors' => true) - $kinit_stdout = $kinit_resultset.first.value['stdout'] - out::message($kinit_stdout) - } - - # Part 2: collect SSH facts from IPA clients - out::message('Gathering facts from the IPA clients') - run_plan('facts', 'targets' => $ipa_clients) - - get_targets($ipa_clients).each |$ipa_client| { - $ed25519 = $ipa_client.facts['ssh']['ed25519']['key'] - $ecdsa = $ipa_client.facts['ssh']['ecdsa']['key'] - $rsa = $ipa_client.facts['ssh']['rsa']['key'] - $dsa = $ipa_client.facts['ssh']['dsa']['key'] - - $ipa_host_mod_cmd = "ipa host-mod ${ipa_client.facts['fqdn']} --sshpubkey=\"${ed25519}\" 
--sshpubkey=\"${ecdsa}\" --sshpubkey=\"${rsa}\" --sshpubkey=\"${dsa}\" --updatedns" # lint:ignore:140chars - - if $noop { - out::message("No-op: would run \"${ipa_host_mod_cmd}\" on IPA server") - } else { - # lint:ignore:manifest_whitespace_opening_bracket_before # lint:ignore:140chars - $ipa_host_mod_resultset = run_command($ipa_host_mod_cmd, $ipa_server, '_catch_errors' => true) ['stdout','stderr'].each |$output| { - # lint:endignore - out::message($ipa_host_mod_resultset.first.value[$output]) - } - } - } -} diff --git a/spec/acceptance/master_spec.rb b/spec/acceptance/master_spec.rb new file mode 100644 index 00000000..e56ccb8c --- /dev/null +++ b/spec/acceptance/master_spec.rb @@ -0,0 +1,19 @@ +# frozen_string_literal: true + +require 'spec_helper_acceptance' + +# server/replica is only supported on Redhat +if fact_on('master', 'os.family') == 'RedHat' + describe 'ipa master' do + include_examples 'the example', 'master.pp', 'master' + end + + # replica setup timesout under gha + # describe 'ipa replica' do + # include_examples 'the example', 'replica.pp', 'replica' + # end + + describe 'ipa client' do + include_examples 'the example', 'client.pp', 'client' + end +end diff --git a/spec/classes/ipa_spec.rb b/spec/classes/ipa_spec.rb index d0d62775..1954421c 100644 --- a/spec/classes/ipa_spec.rb +++ b/spec/classes/ipa_spec.rb 
@@ -2,31 +2,23 @@ require 'spec_helper' -describe 'easy_ipa', type: :class do - context 'on Windows' do - let(:facts) do - { os: { family: 'Windows' } } - end - let(:params) do - { - ipa_role: 'master', - domain: 'rspec.example.lan', - } - end - - it { is_expected.to raise_error(Puppet::Error, %r{ERROR: unsupported operating system}) } - end - +describe 'ipa', type: :class do on_supported_os.each do |os, facts| context "on #{os}" do let(:facts) do facts.merge( networking: { fqdn: 'ipa.rpsec.example.lan', - }, + } ) end + if facts[:os]['family'] == 'RedHat' + let(:client_package) { 'ipa-client' } + else + let(:client_package) { 'freeipa-client' } + end + context 'as bad_val role' do let(:params) do { 
@@ -43,38 +35,24 @@ { ipa_role: 'master', domain: 'rspec.example.lan', - admin_password: 'rspecrspec123', - directory_services_password: 'rspecrspec123', + admin_password: sensitive('rspec-admin-password'), + directory_services_password: sensitive('rspedc-ds-password'), } end context 'with defaults' do - it { is_expected.to contain_class('easy_ipa::install') } - it { is_expected.to contain_class('easy_ipa::install::server') } - it { is_expected.to contain_class('easy_ipa::install::sssd') } - it { is_expected.to contain_class('easy_ipa::install::server::master') } - it { is_expected.to contain_class('easy_ipa::config::webui') } - it { is_expected.to contain_class('easy_ipa::validate_params') } + it { is_expected.to contain_class('ipa::server') } + it { is_expected.to contain_class('ipa::server::master') } - it { is_expected.not_to contain_class('easy_ipa::install::autofs') } - it { is_expected.not_to contain_class('easy_ipa::install::server::replica') } - it { is_expected.not_to contain_class('easy_ipa::install::client') } + it { is_expected.not_to contain_class('ipa::server::replica') } + it { is_expected.not_to contain_class('ipa::client') } it { is_expected.to contain_package('ipa-server-dns') } it { is_expected.to contain_package('bind-dyndb-ldap') } it { is_expected.to contain_package('kstart') } it { is_expected.to contain_package('ipa-server') } - it { is_expected.to contain_package('sssd-common') } - - it { is_expected.not_to contain_package('ipa-client') } - case facts[:os]['family'] - when 'RedHat' - it { is_expected.to contain_package('epel-release') } - it { is_expected.to contain_package('openldap-clients') } - when 'Debian' - it { is_expected.to contain_package('ldap-utils') } - end + it { is_expected.not_to contain_package(client_package) } end context 'with idmax' do 
@@ -84,11 +62,15 @@ end it do - is_expected.to contain_exec('server_install_ipa.rpsec.example.lan').with( - logoutput: false, - ) - .with_command(%r{--idstart=10000}) - .with_command(%r{--idmax=20000}) + is_expected.to contain_exec('ipa-server-install').with( + environment: [ + 'IPA_ADMIN_PASSWORD=rspec-admin-password', + 'IPA_DS_PASSWORD=rspedc-ds-password', + ], + logoutput: 'on_failure' + ). + with_command(%r{--idstart=10000}). + with_command(%r{--idmax=20000}) end end @@ -98,10 +80,14 @@ end it do - is_expected.to contain_exec('server_install_ipa.rpsec.example.lan').with( - logoutput: false, + is_expected.to contain_exec('ipa-server-install').with( + environment: [ + 'IPA_ADMIN_PASSWORD=rspec-admin-password', + 'IPA_DS_PASSWORD=rspedc-ds-password', + ], + logoutput: 'on_failure' ).with_command(%r{--idstart=10000}) - is_expected.not_to contain_exec('server_install_ipa.rpsec.example.lan').with_command(%r{--idmax}) + is_expected.not_to contain_exec('ipa-server-install').with_command(%r{--idmax}) end end @@ -111,7 +97,7 @@ super().merge(configure_ssh: true) end - it { is_expected.not_to contain_exec('server_install_ipa.rpsec.example.lan').with_command(%r{--no-ssh(?!d)}) } + it { is_expected.not_to contain_exec('ipa-server-install').with_command(%r{--no-ssh(?!d)}) } end context 'false' do @@ -120,8 +106,12 @@ end it { - is_expected.to contain_exec('server_install_ipa.rpsec.example.lan').with( - logoutput: false, + is_expected.to contain_exec('ipa-server-install').with( + environment: [ + 'IPA_ADMIN_PASSWORD=rspec-admin-password', + 'IPA_DS_PASSWORD=rspedc-ds-password', + ], + logoutput: 'on_failure' ).with_command(%r{--no-ssh(?!d)}) } end @@ -133,7 +123,7 @@ super().merge(configure_sshd: true) end - it { is_expected.not_to contain_exec('server_install_ipa.rpsec.example.lan').with_command(%r{--no-sshd}) } + it { is_expected.not_to contain_exec('ipa-server-install').with_command(%r{--no-sshd}) } end context 'false' do 
@@ -142,8 +132,12 @@ end it { - is_expected.to contain_exec('server_install_ipa.rpsec.example.lan').with( - logoutput: false, + is_expected.to contain_exec('ipa-server-install').with( + environment: [ + 'IPA_ADMIN_PASSWORD=rspec-admin-password', + 'IPA_DS_PASSWORD=rspedc-ds-password', + ], + logoutput: 'on_failure' ).with_command(%r{--no-sshd}) } end @@ -166,20 +160,12 @@ it { is_expected.to raise_error(Puppet::Error, %r{"idmax" must be an integer greater than parameter "idstart"}) } end - context 'with manage_host_entry but not ip_address' do - let(:params) do - super().merge(manage_host_entry: true) - end - - it { is_expected.to raise_error(Puppet::Error, %r{parameter ip_address is mandatory}) } - end - context 'without admin_password' do let(:params) do super().merge(admin_password: nil) end - it { is_expected.to raise_error(Puppet::Error, Regexp.new(Regexp.quote('expects a value of type Undef or String[8]'))) } + it { is_expected.to raise_error(Puppet::Error, Regexp.new(Regexp.quote('expects a value of type'))) } end context 'without directory_services_password' do @@ -187,7 +173,7 @@ super().merge(directory_services_password: nil) end - it { is_expected.to raise_error(Puppet::Error, Regexp.new(Regexp.quote('expects a value of type Undef or String[8]'))) } + it { is_expected.to raise_error(Puppet::Error, Regexp.new(Regexp.quote('expects a value of type'))) } end context 'with bad ip_address' do 
@@ -221,37 +207,23 @@ ipa_role: 'replica', domain: 'rspec.example.lan', ipa_master_fqdn: 'ipa-server-1.rspec.example.lan', - domain_join_password: 'rspecrspec123', + admin_password: 'rspec-admin-password', } end context 'with defaults' do - it { is_expected.to contain_class('easy_ipa::install') } - it { is_expected.to contain_class('easy_ipa::install::server') } - it { is_expected.to contain_class('easy_ipa::install::sssd') } - it { is_expected.to contain_class('easy_ipa::install::server::replica') } - it { is_expected.to contain_class('easy_ipa::config::webui') } - it { is_expected.to contain_class('easy_ipa::validate_params') } + it { is_expected.to contain_class('ipa::server') } + it { is_expected.to contain_class('ipa::server::replica') } - it { is_expected.not_to contain_class('easy_ipa::install::autofs') } - it { is_expected.not_to contain_class('easy_ipa::install::server::master') } - it { is_expected.not_to contain_class('easy_ipa::install::client') } + it { is_expected.not_to contain_class('ipa::server::master') } + it { is_expected.not_to contain_class('ipa::client') } it { is_expected.to contain_package('ipa-server-dns') } it { is_expected.to contain_package('bind-dyndb-ldap') } it { is_expected.to contain_package('kstart') } it { is_expected.to contain_package('ipa-server') } - it { is_expected.to contain_package('sssd-common') } - it { is_expected.not_to contain_package('ipa-client') } - - case facts[:os]['family'] - when 'RedHat' - it { is_expected.to contain_package('epel-release') } - it { is_expected.to contain_package('openldap-clients') } - when 'Debian' - it { is_expected.to contain_package('ldap-utils') } - end + it { is_expected.not_to contain_package(client_package) } end context 'configure_ssh' do 
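Review bot: The replica context now passes `admin_password: 'rspec-admin-password'` as a plain String while the master context uses `sensitive('rspec-admin-password')`, so this spec never exercises `.unwrap` on the replica path and it implicitly documents that the parameter accepts unwrapped strings. Use `admin_password: sensitive('rspec-admin-password'),` here for consistency with the master examples, and if the parameter type is meant to be `Sensitive[String]` only, add a negative example asserting that a bare String raises. The `environment:` expectations in the surrounding hunks pin the password in plaintext in the catalog; if that is a known trade-off, a comment in the spec saying so would stop it being "fixed" by a later test edit.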
@@ -260,7 +232,7 @@ super().merge(configure_ssh: true) end - it { is_expected.not_to contain_exec('server_install_ipa.rpsec.example.lan').with_command(%r{--no-ssh(?!d)}) } + it { is_expected.not_to contain_exec('ipa-replica-install').with_command(%r{--no-ssh(?!d)}) } end context 'false' do @@ -269,8 +241,9 @@ end it { - is_expected.to contain_exec('server_install_ipa.rpsec.example.lan').with( - logoutput: false, + is_expected.to contain_exec('ipa-replica-install').with( + environment: ['IPA_ADMIN_PASSWORD=rspec-admin-password'], + logoutput: 'on_failure' ).with_command(%r{--no-ssh(?!d)}) } end @@ -282,7 +255,7 @@ super().merge(configure_sshd: true) end - it { is_expected.not_to contain_exec('server_install_ipa.rpsec.example.lan').with_command(%r{--no-sshd}) } + it { is_expected.not_to contain_exec('ipa-replica-install').with_command(%r{--no-sshd}) } end context 'false' do @@ -291,8 +264,9 @@ end it { - is_expected.to contain_exec('server_install_ipa.rpsec.example.lan').with( - logoutput: false, + is_expected.to contain_exec('ipa-replica-install').with( + environment: ['IPA_ADMIN_PASSWORD=rspec-admin-password'], + logoutput: 'on_failure' ).with_command(%r{--no-sshd}) } end @@ -314,12 +288,12 @@ it { is_expected.to raise_error(Puppet::Error, %r{expects a match for Stdlib::Fqdn}) } end - context 'missing domain_join_password' do + context 'missing admin_password' do let(:params) do - super().reject { |k| k == :domain_join_password } + super().reject { |k| k == :admin_password } end - it { is_expected.to raise_error(Puppet::Error, %r{domain_join_password cannot be empty}) } + it { is_expected.to raise_error(Puppet::Error, %r{admin_password cannot be empty}) } end end 
@@ -329,36 +303,22 @@ ipa_role: 'client', domain: 'rspec.example.lan', ipa_master_fqdn: 'ipa-server-1.rspec.example.lan', - domain_join_password: 'rspecrspec123', + domain_join_password: 'rspec-domain-join-password', } end context 'with defaults' do - it { is_expected.to contain_class('easy_ipa::install') } - it { is_expected.to contain_class('easy_ipa::install::sssd') } - it { is_expected.to contain_class('easy_ipa::install::client') } - it { is_expected.to contain_class('easy_ipa::validate_params') } - - it { is_expected.not_to contain_class('easy_ipa::install::autofs') } - it { is_expected.not_to contain_class('easy_ipa::install::server') } - it { is_expected.not_to contain_class('easy_ipa::install::server::master') } - it { is_expected.not_to contain_class('easy_ipa::install::server::replica') } - it { is_expected.not_to contain_class('easy_ipa::config::webui') } - - it { is_expected.to contain_package('ipa-client').that_comes_before('Exec[client_install_ipa.rpsec.example.lan]') } - it { is_expected.to contain_package('sssd-common') } + it { is_expected.to contain_class('ipa::client') } + + it { is_expected.not_to contain_class('ipa::server') } + it { is_expected.not_to contain_class('ipa::server::master') } + it { is_expected.not_to contain_class('ipa::server::replica') } + + it { is_expected.to contain_package(client_package).that_comes_before('Exec[ipa-client-install]') } it { is_expected.to contain_package('kstart') } it { is_expected.not_to contain_package('ipa-server-dns') } it { is_expected.not_to contain_package('bind-dyndb-ldap') } it { is_expected.not_to contain_package('ipa-server') } - - case facts[:os]['family'] - when 'RedHat' - it { is_expected.to contain_package('epel-release') } - it { is_expected.not_to contain_package('openldap-clients') } - when 'Debian' - it { is_expected.not_to contain_package('ldap-utils') } - end end context 'configure_ssh' do 
@@ -367,7 +327,7 @@ super().merge(configure_ssh: true) end - it { is_expected.not_to contain_exec('client_install_ipa.rpsec.example.lan').with_command(%r{--no-ssh(?!d)}) } + it { is_expected.not_to contain_exec('ipa-client-install').with_command(%r{--no-ssh(?!d)}) } end context 'false' do @@ -376,8 +336,9 @@ end it { - is_expected.to contain_exec('client_install_ipa.rpsec.example.lan').with( - logoutput: false, + is_expected.to contain_exec('ipa-client-install').with( + environment: 'IPA_DOMAIN_JOIN_PASSWORD=rspec-domain-join-password', + logoutput: 'on_failure' ).with_command(%r{--no-ssh(?!d)}) } end @@ -389,7 +350,7 @@ super().merge(configure_sshd: true) end - it { is_expected.not_to contain_exec('client_install_ipa.rpsec.example.lan').with_command(%r{--no-sshd}) } + it { is_expected.not_to contain_exec('ipa-client-install').with_command(%r{--no-sshd}) } end context 'false' do @@ -398,8 +359,9 @@ end it { - is_expected.to contain_exec('client_install_ipa.rpsec.example.lan').with( - logoutput: false, + is_expected.to contain_exec('ipa-client-install').with( + environment: 'IPA_DOMAIN_JOIN_PASSWORD=rspec-domain-join-password', + logoutput: 'on_failure' ).with_command(%r{--no-sshd}) } end diff --git a/spec/default_facts.yml b/spec/default_facts.yml deleted file mode 100644 index f777abfc..00000000 --- a/spec/default_facts.yml +++ /dev/null @@ -1,8 +0,0 @@ -# Use default_module_facts.yml for module specific facts. -# -# Facts specified here will override the values provided by rspec-puppet-facts. ---- -ipaddress: "172.16.254.254" -ipaddress6: "FE80:0000:0000:0000:AAAA:AAAA:AAAA" -is_pe: false -macaddress: "AA:AA:AA:AA:AA:AA" diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb index 6820cebe..9efb4ae6 100644 --- a/spec/spec_helper.rb +++ b/spec/spec_helper.rb 
@@ -1,74 +1,20 @@ # frozen_string_literal: true -RSpec.configure do |c| - c.mock_with :rspec -end - -require 'puppetlabs_spec_helper/module_spec_helper' -require 'rspec-puppet-facts' - -require 'spec_helper_local' if File.file?(File.join(File.dirname(__FILE__), 'spec_helper_local.rb')) +# Managed by modulesync - DO NOT EDIT +# https://voxpupuli.org/docs/updating-files-managed-with-modulesync/ -include RspecPuppetFacts +# puppetlabs_spec_helper will set up coverage if the env variable is set. +# We want to do this if lib exists and it hasn't been explicitly set. +ENV['COVERAGE'] ||= 'yes' if Dir.exist?(File.expand_path('../lib', __dir__)) -default_facts = { - puppetversion: Puppet.version, - facterversion: Facter.version, -} +require 'voxpupuli/test/spec_helper' -default_fact_files = [ - File.expand_path(File.join(File.dirname(__FILE__), 'default_facts.yml')), - File.expand_path(File.join(File.dirname(__FILE__), 'default_module_facts.yml')), -] +add_mocked_facts! -default_fact_files.each do |f| - next unless File.exist?(f) && File.readable?(f) && File.size?(f) - - begin - default_facts.merge!(YAML.safe_load(File.read(f), permitted_classes: [], permitted_symbols: [], aliases: true)) - rescue StandardError => e - RSpec.configuration.reporter.message "WARNING: Unable to load #{f}: #{e}" +if File.exist?(File.join(__dir__, 'default_module_facts.yml')) + facts = YAML.safe_load(File.read(File.join(__dir__, 'default_module_facts.yml'))) + facts&.each do |name, value| + add_custom_fact name.to_sym, value end end - -# read default_facts and merge them over what is provided by facterdb -default_facts.each do |fact, value| - add_custom_fact fact, value -end - -RSpec.configure do |c| - c.default_facts = default_facts - c.before :each do - # set to strictest setting for testing - # by default Puppet runs at warning level - Puppet.settings[:strict] = :warning - Puppet.settings[:strict_variables] = true - end - c.filter_run_excluding(bolt: true) unless ENV['GEM_BOLT'] - 
c.after(:suite) do - RSpec::Puppet::Coverage.report!(0) - end - - # Filter backtrace noise - backtrace_exclusion_patterns = [ - %r{spec_helper}, - %r{gems}, - ] - - if c.respond_to?(:backtrace_exclusion_patterns) - c.backtrace_exclusion_patterns = backtrace_exclusion_patterns - elsif c.respond_to?(:backtrace_clean_patterns) - c.backtrace_clean_patterns = backtrace_exclusion_patterns - end -end - -# Ensures that a module is defined -# @param module_name Name of the module -def ensure_module_defined(module_name) - module_name.split('::').reduce(Object) do |last_module, next_module| - last_module.const_set(next_module, Module.new) unless last_module.const_defined?(next_module, false) - last_module.const_get(next_module, false) - end -end - -# 'spec_overrides' from sync.yml will appear below this line +Dir['./spec/support/spec/**/*.rb'].sort.each { |f| require f } diff --git a/spec/spec_helper_acceptance.rb b/spec/spec_helper_acceptance.rb new file mode 100644 index 00000000..f803ae59 --- /dev/null +++ b/spec/spec_helper_acceptance.rb @@ -0,0 +1,8 @@ +# frozen_string_literal: true + +# Managed by modulesync - DO NOT EDIT +# https://voxpupuli.org/docs/updating-files-managed-with-modulesync/ + +require 'voxpupuli/acceptance/spec_helper_acceptance' + +Dir['./spec/support/acceptance/**/*.rb'].sort.each { |f| require f } diff --git a/spec/support/acceptance/setup.rb b/spec/support/acceptance/setup.rb new file mode 100644 index 00000000..62a67889 --- /dev/null +++ b/spec/support/acceptance/setup.rb @@ -0,0 +1,7 @@ +# frozen_string_literal: true + +configure_beaker(modules: :metadata) do |host| + on(host, 'sysctl -w net.ipv6.conf.lo.disable_ipv6=0') + install_puppet_module_via_pmt_on(host, 'puppet/cron') + install_puppet_module_via_pmt_on(host, 'puppet/epel') +end diff --git a/templates/ipa-backup-wrapper.sh.erb b/templates/ipa-backup-wrapper.sh.erb deleted file mode 100755 index c5434b8c..00000000 --- a/templates/ipa-backup-wrapper.sh.erb +++ /dev/null 
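Review bot: `install_puppet_module_via_pmt_on(host, 'puppet/cron')` and `install_puppet_module_via_pmt_on(host, 'puppet/epel')` in `spec/support/acceptance/setup.rb` fetch whatever the Forge currently serves, so the acceptance run is not reproducible and a broken or compromised upstream release reaches CI unnoticed. Pin them — for example `install_puppet_module_via_pmt_on(host, module_name: 'puppet/cron', version: '<tested version>')` if the helper accepts a version, or declare them where `configure_beaker(modules: :metadata)` will resolve them so one place owns the versions. The `sysctl -w net.ipv6.conf.lo.disable_ipv6=0` line also deserves a comment on why the beaker hosts need IPv6 on loopback for FreeIPA.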
@@ -1,43 +0,0 @@ -#!/bin/sh -# -# Script to work around the fact that ipa-backup always adds timestamps to the -# backups. This is not intended to be used standalone, but from Puppet-managed -# cronjobs. -# -# NOTE: this script will destroy old timestamped backup directories if timestamp -# is set to false. - -TYPE=$1 -TIMESTAMP=$2 - -PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin - -BASEDIR="/var/lib/ipa/backup" - -if [ "$TYPE" = "full" ]; then - BACKUP_COMMAND="ipa-backup" -elif [ "$TYPE" = "data" ]; then - BACKUP_COMMAND="ipa-backup --online --data" -else - echo "ERROR: unknown backup type $TYPE" - exit 1 -fi - -if [ "$TIMESTAMP" = "true" ]; then - # ipa-backup outputs only to stderr so we can't simply redirect to /dev/null - # and expect cron to email us about errors. - $BACKUP_COMMAND 2> /dev/null || echo "ERROR: $BACKUP_COMMAND failed!" - -elif [ "$TIMESTAMP" = "false" ]; then - # Remove all old backups - find $BASEDIR -mindepth 1 -maxdepth 1 -type d -name "ipa-${TYPE}*" -exec rm -rf {} \; - - # Take the backup (and report only failures) - $BACKUP_COMMAND 2> /dev/null || echo "ERROR: $BACKUP_COMMAND failed!" - - # Get rid of the timestamp - find $BASEDIR -mindepth 1 -maxdepth 1 -type d -name "ipa-${TYPE}*" -exec mv {} $BASEDIR/ipa-$TYPE \; -else - echo "ERROR: $TIMESTAMP is not valid value for timestamp!" - exit 1 -fi diff --git a/templates/ipa-rewrite.conf.erb b/templates/ipa-rewrite.conf.erb deleted file mode 100644 index 8e245858..00000000 --- a/templates/ipa-rewrite.conf.erb +++ /dev/null 
@@ -1,27 +0,0 @@ -# VERSION 6 - DO NOT REMOVE THIS LINE - -# ref: https://www.adelton.com/freeipa/freeipa-behind-proxy-with-different-name - -RewriteEngine on - -# By default forward all requests to /ipa. If you don't want IPA -# to be the default on your web server comment this line out. -RewriteRule ^/$ <%= @proxy_internal_uri %>/ipa/ui [L,NC,R=301] - -# Redirect to the fully-qualified hostname. Not redirecting to secure -# port so configuration files can be retrieved without requiring SSL. -RewriteCond %{HTTP_HOST} !^<%= @proxy_server_internal_fqdn %>$ [NC] -RewriteRule ^/ipa/(.*) <%= @proxy_internal_uri %>/ipa/$1 [L,R=301] - -# Redirect to the secure port if not displaying an error or retrieving -# configuration. - RewriteCond %{SERVER_PORT} !^443$ - RewriteCond %{REQUEST_URI} !^/ipa/(errors|config|crl) - RewriteCond %{REQUEST_URI} !^/ipa/[^\?]+(\.js|\.css|\.png|\.gif|\.ico|\.woff|\.svg|\.ttf|\.eot)$ - RewriteRule ^/ipa/(.*) <%= @proxy_internal_uri %>/ipa/$1 [L,R=301,NC] - -# Rewrite for plugin index, make it like it's a static file -RewriteRule ^/ipa/ui/js/freeipa/plugins.js$ /ipa/wsgi/plugins.py [PT] - -<%= @template_referrer_line %> -RequestHeader edit Referer ^<%= @proxy_referrer_regex %>/ <%= @proxy_internal_uri %>/ diff --git a/templates/ipa-webui-proxy.conf.erb b/templates/ipa-webui-proxy.conf.erb deleted file mode 100644 index 17340a59..00000000 --- a/templates/ipa-webui-proxy.conf.erb +++ /dev/null 
@@ -1,17 +0,0 @@ -> - NSSEngine on - NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha - NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2 - NSSNickname Server-Cert - NSSCertificateDatabase /etc/httpd/alias - - NSSProxyEngine On - NSSProxyCipherSuite +aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha - ProxyRequests Off - ServerName <%= @proxy_server_name %> - - ProxyPass / https://<%= @proxy_server_internal_fqdn %>/ - ProxyPassReverse / https://<%= @proxy_server_internal_fqdn %>/ - ProxyPassReverse / http://<%= @proxy_server_internal_fqdn %>/ - ProxyPassReverseCookieDomain <%= @proxy_server_internal_fqdn %> <%= @proxy_server_external_fqdn %> - diff --git a/templates/ipa.monit.erb b/templates/ipa.monit.erb deleted file mode 100644 index 35a0117c..00000000 --- a/templates/ipa.monit.erb +++ /dev/null @@ -1,5 +0,0 @@ -### THIS FILE IS MANAGED BY PUPPET. ANY MANUAL CHANGES WILL GET OVERWRITTEN. -# -check program ipa with path <%= scope['::monit::params::fragment_dir'] %>/ipa.sh timeout 30 seconds - if status != 0 then alert - alert <%= scope['::easy_ipa::monit::server::email'] %> diff --git a/templates/ipa.sh.erb b/templates/ipa.sh.erb deleted file mode 100644 index 6a0549df..00000000 --- a/templates/ipa.sh.erb +++ /dev/null 
@@ -1,15 +0,0 @@ -#!/bin/sh -# -# Simple script for detecting if any of the IPA services are in stopped state - -PATH=$PATH:/bin:/sbin:/usr/bin:/usr/sbin - -ipactl status 2> /dev/null|grep STOPPED > /tmp/ipactl-status.log - -# This means some service is STOPPED -if [ $? -eq 0 ]; then - cat /tmp/ipactl-status.log - exit 1 -else - exit 0 -fi diff --git a/templates/krb5.conf.erb b/templates/krb5.conf.erb deleted file mode 100644 index 474033bc..00000000 --- a/templates/krb5.conf.erb +++ /dev/null @@ -1,29 +0,0 @@ -# FILE MANAGED BY PUPPET. ALL MANUAL CHANGES WILL BE OVERWRITTEN. - -includedir /var/lib/sss/pubconf/krb5.include.d/ - -[libdefaults] - default_realm = <%= scope['easy_ipa::final_realm'] %> - dns_lookup_realm = false - dns_lookup_kdc = false - rdns = false - ticket_lifetime = 24h - forwardable = true - udp_preference_limit = 0 - default_ccache_name = KEYRING:persistent:%{uid} - - -[realms] - <%= scope['easy_ipa::final_realm'] %> = { - kdc = <%= scope['easy_ipa::ipa_master_fqdn'] %>:88 - master_kdc = <%= scope['easy_ipa::ipa_master_fqdn'] %>:88 - admin_server = <%= scope['easy_ipa::ipa_master_fqdn'] %>:749 - default_domain = <%= scope['easy_ipa::domain'] %> - pkinit_anchors = FILE:/etc/ipa/ca.crt - - } - -[domain_realm] - .<%= scope['easy_ipa::domain'] %> = <%= scope['easy_ipa::final_realm'] %> - <%= scope['easy_ipa::domain'] %> = <%= scope['easy_ipa::final_realm'] %> - diff --git a/templates/ldap.conf.erb b/templates/ldap.conf.erb deleted file mode 100644 index 925411dc..00000000 --- a/templates/ldap.conf.erb +++ /dev/null 
@@ -1,31 +0,0 @@
-# FILE MANAGED BY PUPPET. ALL MANUAL CHANGES WILL BE OVERWRITTEN.
-
-# We do not want to break your existing configuration, hence:
-# URI, BASE and TLS_CACERT have been added if they were not set.
-# In case any of them were set, a comment with trailing note
-# "# modified by IPA" note has been inserted.
-# To use IPA server with openLDAP tools, please comment out your
-# existing configuration for these options and uncomment the
-# corresponding lines generated by IPA.
-
-
-#
-# LDAP Defaults
-#
-
-# See ldap.conf(5) for details
-# This file should be world readable but not world writable.
-
-#BASE dc=example,dc=com
-#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
-
-#SIZELIMIT 12
-#TIMELIMIT 15
-#DEREF never
-
-# TLS certificates (needed for GnuTLS)
-#TLS_CACERT /etc/ipa/ca.crt # modified by IPA
-TLS_CACERT /etc/ssl/certs/ca-certificates.crt
-
-URI ldaps://<%= scope['easy_ipa::ipa_master_fqdn'] %>
-BASE <%= @ldap_base %>
diff --git a/templates/sssd.conf.erb b/templates/sssd.conf.erb
deleted file mode 100755
index bd92bd4b..00000000
--- a/templates/sssd.conf.erb
+++ /dev/null
@@ -1,31 +0,0 @@
-[domain/<%= scope['easy_ipa::domain'] %>]
-
-cache_credentials = True
-krb5_store_password_if_offline = True
-ipa_domain = <%= scope['easy_ipa::domain'] %>
-id_provider = ipa
-auth_provider = ipa
-access_provider = ipa
-ipa_hostname = <%= @fqdn %>
-chpass_provider = ipa
-ipa_server = _srv_, <%= scope['easy_ipa::ipa_master_fqdn'] %>
-ldap_tls_cacert = /etc/ipa/ca.crt
-[sssd]
-services = nss, sudo, pam, ssh
-
-domains = <%= scope['easy_ipa::domain'] %>
-[nss]
-homedir_substring = /home
-
-[pam]
-
-[sudo]
-
-[autofs]
-
-[ssh]
-
-[pac]
-
-[ifp]
-
diff --git a/vagrant/centos.sh b/vagrant/centos.sh
deleted file mode 100644
index cae51f3b..00000000
--- a/vagrant/centos.sh
+++ /dev/null
@@ -1,9 +0,0 @@
-#!/bin/sh
-echo Final provisioning...
-export FACTER_is_vagrant='true'
-
-yum -y upgrade
-
-# Recent CentOS images have NetworkManager enabled. As it breaks IPA server's
-# /etc/resolv.conf we don't want to use it.
-puppet apply -e "service { 'NetworkManager': ensure => 'stopped', enable => false, }"
diff --git a/vagrant/common.sh b/vagrant/common.sh
deleted file mode 100644
index a4cb1541..00000000
--- a/vagrant/common.sh
+++ /dev/null
@@ -1,14 +0,0 @@
-#!/bin/sh
-export PATH=$PATH:/opt/puppetlabs/bin
-puppet module install puppetlabs-stdlib
-puppet module install puppetlabs-concat
-puppet module install crayfishx-firewalld
-puppet module install puppet-selinux
-puppet module install puppet-systemd
-puppet module install saz-resolv_conf --version 5.0.0 --ignore-dependencies
-puppet module install puppetlabs-apt --ignore-dependencies
-puppet module install puppetlabs-firewall
-puppet module install puppetlabs-k5login_core
-if [ -d /tmp/modules/easy_ipa ]; then rm -rf /tmp/modules/easy_ipa; fi
-mkdir -p /tmp/modules/easy_ipa
-cp -r /vagrant/* /tmp/modules/easy_ipa
diff --git a/vagrant/debian.sh b/vagrant/debian.sh
deleted file mode 100644
index df196468..00000000
--- a/vagrant/debian.sh
+++ /dev/null
@@ -1,14 +0,0 @@
-#!/bin/sh
-echo I am provisioning...
-export FACTER_is_vagrant='true'
-
-DEBIAN_FRONTEND=noninteractive
-apt-get dist-upgrade -y
-
-# For Debian systems, the freeipa-client package is only available in the backports repository.
-# It needs to be enabled manually.
-DESCR="$(lsb_release -d | awk '{ print $2}')"
-if [ `echo $DESCR|grep Debian` ]; then
- puppet apply --modulepath '/tmp/modules:/etc/puppetlabs/code/environments/production/modules' -e \
- "class { 'apt::backports': }"
-fi
\ No newline at end of file
diff --git a/vagrant/install-puppet.sh b/vagrant/install-puppet.sh
deleted file mode 100644
index f33710eb..00000000
--- a/vagrant/install-puppet.sh
+++ /dev/null
@@ -1,137 +0,0 @@
-#!/bin/sh
-# This is a heavily stripped down version of puppet-puppetmaster/vagrant/prepare.sh
-#
-# Gist based on commit 9a429d77f11aa6d of terraform-aws_instance_wrapper
-
-# Exit on any error
-set -e
-
-# Default settings
-HOST_NAME="false"
-PUPPET_ENV="production"
-START_AGENT="false"
-
-export PATH=$PATH:/bin:/sbin:/usr/bin:/usr/sbin:/opt/puppetlabs/bin:/opt/puppetlabs/puppet/bin
-
-CWD=`pwd`
-
-set_hostname() {
- hostnamectl set-hostname $1
-}
-
-detect_osfamily() {
- if [ -f /etc/redhat-release ]; then
- OSFAMILY='redhat'
- RELEASE=$(cat /etc/redhat-release)
- if [ "`echo $RELEASE | grep -E 7\.[0-9]+`" ]; then
- REDHAT_VERSION="7"
- REDHAT_RELEASE="el-7"
- elif [ "`echo $RELEASE | grep -E 8\.[0-9]+`" ]; then
- REDHAT_VERSION="8"
- REDHAT_RELEASE="el-8"
- else
- echo "Unsupported Redhat/Centos/Fedora version."
- exit 1
- fi
- elif [ "`lsb_release -d | grep -E '(Ubuntu|Debian)'`" ]; then
- OSFAMILY='debian'
- DESCR="$(lsb_release -d | awk '{ print $2}')"
- if [ `echo $DESCR|grep Ubuntu` ]; then
- UBUNTU_VERSION="$(lsb_release -c | awk '{ print $2}')"
- # TODO: Remove when Puppet makes a jammy release
- if [ "$UBUNTU_VERSION" = "jammy" ]; then
- UBUNTU_VERSION="focal"
- fi
- elif [ `echo $DESCR|grep Debian` ]; then
- DEBIAN_VERSION="$(lsb_release -c | awk '{ print $2}')"
- else
- echo "Unsupported Debian family operating system. Supported are Debian and Ubuntu"
- exit 1
- fi
- else
- echo "ERROR: unsupported osfamily. Supported are Debian and RedHat"
- exit 1
- fi
-}
-
-install_dependencies() {
- if [ "${REDHAT_VERSION}" = "30" ]; then
- dnf -y install libxcrypt-compat
- fi
-}
-
-setup_puppet() {
- if [ -x /opt/puppetlabs/bin/puppet ]; then
- true
- else
- if [ $REDHAT_RELEASE ]; then
- RELEASE_URL="https://yum.puppetlabs.com/puppet6/puppet6-release-${REDHAT_RELEASE}.noarch.rpm"
- rpm -hiv "${RELEASE_URL}" || (c=$?; echo "Failed to install ${RELEASE_URL}"; (exit $c))
- yum -y install puppet-agent || (c=$?; echo "Failed to install puppet agent"; (exit $c))
- if systemctl list-unit-files --type=service | grep firewalld; then
- systemctl stop firewalld
- systemctl disable firewalld
- systemctl mask firewalld
- fi
- else
- if [ $UBUNTU_VERSION ]; then
- APT_URL="https://apt.puppetlabs.com/puppet6-release-${UBUNTU_VERSION}.deb"
- fi
- if [ $DEBIAN_VERSION ]; then
- APT_URL="https://apt.puppetlabs.com/puppet6-release-${DEBIAN_VERSION}.deb"
- fi
- # https://serverfault.com/questions/500764/dpkg-reconfigure-unable-to-re-open-stdin-no-file-or-directory
- export DEBIAN_FRONTEND=noninteractive
- FILE="$(mktemp -d)/puppet-release.db"
- wget "${APT_URL}" -qO $FILE || (c=$?; echo "Failed to retrieve ${APT_URL}"; (exit $c))
- # The apt-daily and apt-daily-upgrade services have a nasty habit of
- # launching immediately on boot. This prevents the installer from updating
- # the package caches itself, which causes some packages to be missing and
- # subsequently causing puppetmaster-installer to fail. So, wait for those
- # two services to run before attempting to run the installer. There are
- # ways to use systemd-run to accomplish this rather nicely:
- #
- # https://unix.stackexchange.com/questions/315502/how-to-disable-apt-daily-service-on-ubuntu-cloud-vm-image
- #
- # However, that approach fails on Ubuntu 16.04 (and earlier) as well as
- # Debian 9, so it is not practical. This approach uses a simple polling
- # method and built-in tools.
- APT_READY=no
- while [ "$APT_READY" = "no" ]; do
- # This checks three things to prevent package installation failures, in this order:
- #
- # 1) Is "apt-get update" running?
- # 2) Is "apt-get install" running?
- # 3) Is "dpkg" running?
- #
- # The "apt-get install" commands locks dpkg as well, but the last check ensures that dpkg running outside of apt does not cause havoc.
- #
- fuser -s /var/lib/apt/lists/lock || fuser -s /var/cache/apt/archives/lock || fuser -s /var/lib/dpkg/lock || APT_READY=yes
- sleep 1
- done
-
- dpkg --install $FILE; rm $FILE; apt-get update || (c=$?; echo "Failed to install from ${FILE}"; (exit $c))
- apt-get -y install puppet-agent || (c=$?; echo "Failed to install puppet agent"; (exit $c))
- fi
- fi
-}
-
-set_puppet_agent_environment() {
- puppet config set --section agent environment $1
-}
-
-run_puppet_agent() {
- systemctl enable puppet
- systemctl start puppet
-}
-
-if [ "${HOST_NAME}" != "false" ]; then
- set_hostname $HOST_NAME
-fi
-detect_osfamily
-install_dependencies
-setup_puppet
-set_puppet_agent_environment $PUPPET_ENV
-if [ "${START_AGENT}" = "true" ]; then
- run_puppet_agent
-fi
diff --git a/vagrant/ipa-client.sh b/vagrant/ipa-client.sh
deleted file mode 100644
index 191c733c..00000000
--- a/vagrant/ipa-client.sh
+++ /dev/null
@@ -1,23 +0,0 @@
-#!/bin/sh
-puppet apply --modulepath '/tmp/modules:/etc/puppetlabs/code/environments/production/modules' -e "\
- case \$facts['os']['distro']['codename'] {\
- /(stretch|trusty|xenial)/: {\
- class { 'resolv_conf':\
- nameservers => ['192.168.56.35'],\
- }\
- }\
- /(bionic|buster|focal|bullseye|jammy)/: {\
- class { 'systemd':\
- manage_resolved => true,\
- dns => ['192.168.56.35'],\
- }\
- }\
- }"
-puppet apply --modulepath '/tmp/modules:/etc/puppetlabs/code/environments/production/modules' -e "\
- class {'::easy_ipa':\
- ipa_role => 'client',\
- domain => 'vagrant.example.lan',\
- domain_join_password => 'vagrant123',\
- install_epel => true,\
- ipa_master_fqdn => 'ipa-server-1.vagrant.example.lan',\
- }"
diff --git a/vagrant/ipa-server-1.sh b/vagrant/ipa-server-1.sh
deleted file mode 100644
index c8ef082e..00000000
--- a/vagrant/ipa-server-1.sh
+++ /dev/null
@@ -1,19 +0,0 @@
-#!/bin/sh
-puppet apply --modulepath '/tmp/modules:/etc/puppetlabs/code/environments/production/modules' -e "\
- class {'::easy_ipa':\
- ipa_role => 'master',\
- domain => 'vagrant.example.lan',\
- ipa_server_fqdn => 'ipa-server-1.vagrant.example.lan',\
- admin_password => 'vagrant123',\
- directory_services_password => 'vagrant123',\
- install_ipa_server => true,\
- ip_address => '192.168.56.35',\
- enable_ip_address => true,\
- enable_hostname => true,\
- manage_host_entry => true,\
- install_epel => true,\
- webui_disable_kerberos => true,\
- webui_enable_proxy => true,\
- webui_force_https => true,\
- idstart => 14341,\
- }"
diff --git a/vagrant/ipa-server-2.sh b/vagrant/ipa-server-2.sh
deleted file mode 100644
index 8b6d5313..00000000
--- a/vagrant/ipa-server-2.sh
+++ /dev/null
@@ -1,25 +0,0 @@
-#/bin/sh
-puppet apply --modulepath '/tmp/modules:/etc/puppetlabs/code/environments/production/modules' -e "\
- class { 'resolv_conf':\
- nameservers => ['192.168.56.35'],\
- }"
-puppet apply --modulepath '/tmp/modules:/etc/puppetlabs/code/environments/production/modules' -e "\
- host {'ipa-server-1.vagrant.example.lan':\
- ensure => present,\
- ip => '192.168.56.35',\
- }"
-puppet apply --modulepath '/tmp/modules:/etc/puppetlabs/code/environments/production/modules' -e "\
- class {'::easy_ipa':\
- ipa_role => 'replica',\
- domain => 'vagrant.example.lan',\
- ipa_server_fqdn => 'ipa-server-2.vagrant.example.lan',\
- domain_join_password => 'vagrant123',\
- install_ipa_server => true,\
- ip_address => '192.168.56.36',\
- enable_ip_address => true,\
- enable_hostname => true,\
- manage_host_entry => true,\
- install_epel => true,\
- ipa_master_fqdn => 'ipa-server-1.vagrant.example.lan',\
- idstart => 14341,\
- }"