From 537ee9f3ceb62bc054f8688fa352a746c54d9f0d Mon Sep 17 00:00:00 2001
From: Frank Lichtenheld
Date: Wed, 15 Nov 2023 14:49:04 +0100
Subject: [PATCH 01/78] Update for stdlib >= 9.0.0
Signed-off-by: Frank Lichtenheld
---
 manifests/install/client/debian.pp | 2 +-
 metadata.json | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/manifests/install/client/debian.pp b/manifests/install/client/debian.pp
index bb437790..5eb5e706 100644
--- a/manifests/install/client/debian.pp
+++ b/manifests/install/client/debian.pp
@@ -11,7 +11,7 @@
 /^(xenial|stretch|bionic|focal|buster|bullseye|jammy)$/: {
 # Ensure that required packages are present even if they do not get pulled
 # in as freeipa-client package dependencies
- ensure_packages(['oddjob','oddjob-mkhomedir'], { 'ensure' => 'present' })
+ stdlib::ensure_packages(['oddjob','oddjob-mkhomedir'], { 'ensure' => 'present' })
 
 # This should preferably be in a separate Puppet module
 service { 'oddjobd':
diff --git a/metadata.json b/metadata.json
index 20b7e186..ee13cbe0 100644
--- a/metadata.json
+++ b/metadata.json
@@ -10,7 +10,7 @@
 "dependencies": [
 {
 "name": "puppetlabs-stdlib",
- "version_requirement": ">= 4.19.0 < 10.0.0"
+ "version_requirement": ">= 9.0.0 < 10.0.0"
 },
 {
 "name": "puppetlabs-cron_core",
From 963f5210b2f44e4267a27951e3072bd1b67577c8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Samuli=20Sepp=C3=A4nen?=
Date: Thu, 16 Nov 2023 09:41:21 +0200
Subject: [PATCH 02/78] Bump version to 3.1.1
---
 metadata.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/metadata.json b/metadata.json
index ee13cbe0..9915d503 100644
--- a/metadata.json
+++ b/metadata.json
@@ -1,6 +1,6 @@
 {
 "name": "puppetfinland-easy_ipa",
- "version": "3.1.0",
+ "version": "3.1.1",
 "author": "Puppet-Finland team",
 "summary": "Manages IPA servers and clients.",
 "license": "Apache-2.0",
From 53ca79b4973405a6c9f5f4590beccc12137c9232 Mon Sep 17 00:00:00 2001
From: Tim Meusel
Date: Fri, 24 Nov 2023 15:40:26 +0100
Subject: [PATCH 03/78] Simplify domain_join_password logic
---
 manifests/init.pp | 7 +------
 manifests/install/client.pp | 2 +-
 manifests/install/server/replica.pp | 2 +-
 manifests/validate_params.pp | 2 +-
 4 files changed, 4 insertions(+), 9 deletions(-)
diff --git a/manifests/init.pp b/manifests/init.pp
index 89864b2a..7bc3c7fa 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -173,7 +173,7 @@
 Boolean $configure_sshd = true,
 Array[String] $custom_dns_forwarders = [],
 String[1] $domain_join_principal = 'admin',
- Optional[String[1]] $domain_join_password = undef,
+ Optional[String[1]] $domain_join_password = $directory_services_password,
 Boolean $enable_dns_updates = false,
 Boolean $enable_hostname = true,
 Boolean $enable_ip_address = false,
@@ -219,11 +219,6 @@
 "@${final_realm}"
 )
 
- $final_domain_join_password = $domain_join_password ? {
- undef => $directory_services_password,
- default => $domain_join_password,
- }
-
 if $ipa_role == 'client' {
 $final_configure_dns_server = false
 } else {
diff --git a/manifests/install/client.pp b/manifests/install/client.pp
index b5185e30..8b11e1d0 100644
--- a/manifests/install/client.pp
+++ b/manifests/install/client.pp
@@ -59,7 +59,7 @@
 --realm=${easy_ipa::final_realm} \
 --domain=${easy_ipa::domain} \
 --principal='${easy_ipa::domain_join_principal}' \
- --password='${easy_ipa::final_domain_join_password}' \
+ --password='${easy_ipa::domain_join_password}' \
 ${client_install_cmd_opts_dns_updates} \
 ${client_install_cmd_opts_hostname} \
 ${client_install_cmd_opts_mkhomedir} \
diff --git a/manifests/install/server/replica.pp b/manifests/install/server/replica.pp
index 58c48f51..2380b931 100644
--- a/manifests/install/server/replica.pp
+++ b/manifests/install/server/replica.pp
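Review bot: The new default `Optional[String[1]] $domain_join_password = $directory_services_password,` only resolves if `$directory_services_password` is declared earlier in the parameter list, because Puppet evaluates parameter defaults in declaration order; the hunk does not show that declaration, so it is worth confirming. If the class documents its parameters, the `@param domain_join_password` entry (outside the hunk) presumably still describes the old fallback through `$final_domain_join_password` and should now state that the parameter defaults to the value of `directory_services_password`. The second hunk in this file removes the selector cleanly.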
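Review bot: `--password='${easy_ipa::domain_join_password}'` splices the join password into the command string as plain text, and because the parameter is typed `Optional[String[1]]` rather than `Sensitive[String[1]]`, nothing marks it as secret, so wherever this string ends up (the enclosing assignment starts outside the hunk, presumably an `exec` command) the value can appear verbatim in the compiled catalog, agent logs and reports. The same applies to `--admin-password='${easy_ipa::domain_join_password}'` in the replica.pp hunk. Declaring the parameter as `Sensitive[String[1]]` and unwrapping it only at these two sites would contain that; the single-quoted interpolation also breaks on a value containing `'`, and passing it through stdlib's `shell_escape` (available now that the module requires stdlib 9) would quote it safely. Both points predate this commit, but this is the commit that touches these lines.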
@@ -5,7 +5,7 @@
 $replica_install_cmd = "\
 /usr/sbin/ipa-replica-install \
 --principal=${easy_ipa::domain_join_principal} \
- --admin-password='${easy_ipa::final_domain_join_password}' \
+ --admin-password='${easy_ipa::domain_join_password}' \
 ${easy_ipa::install::server::server_install_cmd_opts_hostname} \
 --realm=${easy_ipa::final_realm} \
 --domain=${easy_ipa::domain} \
diff --git a/manifests/validate_params.pp b/manifests/validate_params.pp
index 38437da6..c8446ba1 100644
--- a/manifests/validate_params.pp
+++ b/manifests/validate_params.pp
@@ -14,7 +14,7 @@
 }
 if $easy_ipa::ipa_role != 'master' { # if replica or client
- unless $easy_ipa::final_domain_join_password {
+ unless $easy_ipa::domain_join_password {
 fail("When creating a ${easy_ipa::ipa_role} the parameter named domain_join_password cannot be empty.")
 }
 unless $easy_ipa::ipa_master_fqdn {
From 83675a739865c2362a821c475af7028fed28dc4a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Samuli=20Sepp=C3=A4nen?=
Date: Tue, 28 Nov 2023 12:51:45 +0200
Subject: [PATCH 04/78] Unbreak unit tests by updating .fixtures.yml
The unit tests started failing after stdlib 9.0.0 was made a requirement. Fix this by updating the unit test dependencies.
URL: https://github.com/Puppet-Finland/puppet-ipa/pull/54
---
 .fixtures.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/.fixtures.yml b/.fixtures.yml
index f664728f..339e58b5 100644
--- a/.fixtures.yml
+++ b/.fixtures.yml
@@ -1,9 +1,11 @@
 fixtures:
 forge_modules:
- stdlib: "puppetlabs/stdlib"
+ stdlib:
+ repo: "puppetlabs/stdlib"
+ ref: "9.4.1"
 cron_core:
 repo: "puppetlabs/cron_core"
- ref: "1.0.0"
+ ref: "1.2.1"
 puppet_version: ">= 7.0.0"
 k5login_core:
 repo: "puppetlabs/k5login_core"
From 0fe7f47dc65e65f588f55b2093bf53538ef5eeb7 Mon Sep 17 00:00:00 2001
From: Robert Grizzell
Date: Tue, 28 Nov 2023 23:30:26 -0600
Subject: [PATCH 05/78] Add support for Debian 12 Bookworm
---
 manifests/install/client/debian.pp | 4 ++--
 manifests/params.pp | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/manifests/install/client/debian.pp b/manifests/install/client/debian.pp
index 5eb5e706..2b74a69d 100644
--- a/manifests/install/client/debian.pp
+++ b/manifests/install/client/debian.pp
@@ -1,6 +1,6 @@
 #
 # @summary Ensure that home directories get created on Debian and Ubuntu clients.
-#
+#
 # This code is needed as the --mkhomedir parameter passed to ipa-client-install does
 # not configure PAM even though it does install the required packages.
 #
@@ -8,7 +8,7 @@
 #
 class easy_ipa::install::client::debian {
 case $facts['os']['distro']['codename'] {
- /^(xenial|stretch|bionic|focal|buster|bullseye|jammy)$/: {
+ /^(xenial|stretch|bionic|focal|buster|bullseye|jammy|bookworm)$/: {
 # Ensure that required packages are present even if they do not get pulled
 # in as freeipa-client package dependencies
 stdlib::ensure_packages(['oddjob','oddjob-mkhomedir'], { 'ensure' => 'present' })
diff --git a/manifests/params.pp b/manifests/params.pp
index fd451248..d9e8e81d 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -16,7 +16,7 @@
 }
 'Debian': {
 case $facts['os']['distro']['codename'] {
- /(trusty|xenial|bionic|buster|focal|bullseye|jammy)/: { $ipa_client_package_ensure = 'present' }
+ /(trusty|xenial|bionic|buster|focal|bullseye|jammy|bookworm)/: { $ipa_client_package_ensure = 'present' }
 /(stretch)/: { $ipa_client_package_ensure = 'absent' }
 default: { fail('ERROR: unsupported operating system') }
 }
From f60c4893e44cf3d361bc0d9e9a90634146bf4a6a Mon Sep 17 00:00:00 2001
From: Frank Lichtenheld
Date: Wed, 25 Sep 2024 18:23:51 +0200
Subject: [PATCH 06/78] Remove hardcoded Debian/Ubuntu codenames
This is really useless now, since all supported releases do the same thing. It only serves to make it harder to use this module on new versions of Ubuntu and Debian. So removing all of this.
Signed-off-by: Frank Lichtenheld
---
 manifests/install/client/debian.pp | 33 +++++++++---------------------
 manifests/params.pp | 6 +-----
 metadata.json | 6 ++++--
 3 files changed, 15 insertions(+), 30 deletions(-)
diff --git a/manifests/install/client/debian.pp b/manifests/install/client/debian.pp
index 2b74a69d..4e613eb9 100644
--- a/manifests/install/client/debian.pp
+++ b/manifests/install/client/debian.pp
@@ -4,32 +4,19 @@
 # This code is needed as the --mkhomedir parameter passed to ipa-client-install does
 # not configure PAM even though it does install the required packages.
 #
-# Currently Ubuntu 14.04/16.04 and Debian 8/9 are supported.
-#
 class easy_ipa::install::client::debian {
- case $facts['os']['distro']['codename'] {
- /^(xenial|stretch|bionic|focal|buster|bullseye|jammy|bookworm)$/: {
- # Ensure that required packages are present even if they do not get pulled
- # in as freeipa-client package dependencies
- stdlib::ensure_packages(['oddjob','oddjob-mkhomedir'], { 'ensure' => 'present' })
+ # Ensure that required packages are present even if they do not get pulled
+ # in as freeipa-client package dependencies
+ stdlib::ensure_packages(['oddjob','oddjob-mkhomedir'], { 'ensure' => 'present' })
 
- # This should preferably be in a separate Puppet module
- service { 'oddjobd':
- ensure => 'running',
- enable => true,
- name => 'oddjobd',
- }
- $mkhomedir_line = 'session optional /lib/x86_64-linux-gnu/security/pam_oddjob_mkhomedir.so'
- $notify = Service['oddjobd']
- }
- /^(trusty|jessie)$/: {
- $mkhomedir_line = 'session required pam_mkhomedir.so skel=/etc/skel/ umask=0022'
- $notify = undef
- }
- default: {
- fail('ERROR: unsupported Debian/Ubuntu version!')
- }
+ # This should preferably be in a separate Puppet module
+ service { 'oddjobd':
+ ensure => 'running',
+ enable => true,
+ name => 'oddjobd',
 }
+ $mkhomedir_line = "session optional /lib/x86_64-linux-gnu/security/pam_oddjob_mkhomedir.so"
+ $notify = Service['oddjobd']
 
 file_line { 'mkhomedir':
 ensure => 'present',
diff --git a/manifests/params.pp b/manifests/params.pp
index d9e8e81d..5c8ba21c 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -15,11 +15,7 @@
 $named_conf_d = '/etc/named/conf.d'
 }
 'Debian': {
- case $facts['os']['distro']['codename'] {
- /(trusty|xenial|bionic|buster|focal|bullseye|jammy|bookworm)/: { $ipa_client_package_ensure = 'present' }
- /(stretch)/: { $ipa_client_package_ensure = 'absent' }
- default: { fail('ERROR: unsupported operating system') }
- }
+ $ipa_client_package_ensure = 'present'
 $ldaputils_package_name = 'ldap-utils'
 $ipa_client_package_name = 'freeipa-client'
 }
diff --git a/metadata.json b/metadata.json
index 9915d503..bf54703d 100644
--- a/metadata.json
+++ b/metadata.json
@@ -48,7 +48,8 @@
 "operatingsystem": "Debian",
 "operatingsystemrelease": [
 "10",
- "11"
+ "11",
+ "12"
 ]
 },
 {
@@ -56,7 +57,8 @@
 "operatingsystemrelease": [
 "18.04",
 "20.04",
- "22.04"
+ "22.04",
+ "24.04"
 ]
 }
 ],
From 832ff5b76deb0ec65008927bbf0deb8739770ab8 Mon Sep 17 00:00:00 2001
From: Frank Lichtenheld
Date: Wed, 25 Sep 2024 18:25:19 +0200
Subject: [PATCH 07/78] install::client::debian: Handle non-amd64 installations
Tested on amd64 and arm64.
Signed-off-by: Frank Lichtenheld
---
 manifests/install/client/debian.pp | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/manifests/install/client/debian.pp b/manifests/install/client/debian.pp
index 4e613eb9..e053dc38 100644
--- a/manifests/install/client/debian.pp
+++ b/manifests/install/client/debian.pp
@@ -15,7 +15,8 @@
 enable => true,
 name => 'oddjobd',
 }
- $mkhomedir_line = "session optional /lib/x86_64-linux-gnu/security/pam_oddjob_mkhomedir.so"
+ $arch = $facts['os']['hardware']
+ $mkhomedir_line = "session optional /lib/${arch}-linux-gnu/security/pam_oddjob_mkhomedir.so"
 $notify = Service['oddjobd']
 
 file_line { 'mkhomedir':
From da808a92e732156cf82b07b00f99e692a61ff65a Mon Sep 17 00:00:00 2001
From: Joshua Hoblitt
Date: Wed, 25 Oct 2023 14:05:59 -0700
Subject: [PATCH 08/78] enable gha acceptance tests
---
 .sync.yml | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
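Review bot: `$arch = $facts['os']['hardware']` takes the kernel machine name, which coincides with the Debian multiarch directory for `x86_64` and `aarch64` but not in general: 32-bit ARM reports `armv7l` while the library sits under `arm-linux-gnueabihf`, and `i686` maps to `i386-linux-gnu`, so the path built on the next line points at a missing module on those hosts, and because the entry is `optional` the failure is silent: home directories simply stop being created. PAM resolves a bare module name against its default module directory, so the absolute path is not needed at all; `$mkhomedir_line = 'session optional pam_oddjob_mkhomedir.so'` works on every architecture and makes the `$arch` line unnecessary, and the trusty/jessie branch removed by the previous commit used exactly that form for `pam_mkhomedir.so`. The commit message's "tested on amd64 and arm64" covers precisely the two cases where the fact happens to match.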
diff --git a/.sync.yml b/.sync.yml
index a69cd1a7..0beffd4e 100644
--- a/.sync.yml
+++ b/.sync.yml
@@ -4,6 +4,10 @@
 - parameter_documentation
 - parameter_types
 
+spec/spec_helper_acceptance.rb:
+ unmanaged: false
+ configure_beaker: ~
+
 .github/CONTRIBUTING.md:
 delete: true
 .github/ISSUE_TEMPLATE.md:
@@ -12,8 +16,3 @@
 delete: true
 .github/SECURITY.md:
 delete: true
-
-Gemfile:
- required:
- ':development':
- - gem: github_changelog_generator
From 3fe045fb59640427dad565ed3367486d38d65fb4 Mon Sep 17 00:00:00 2001
From: Joshua Hoblitt
Date: Wed, 25 Oct 2023 14:19:07 -0700
Subject: [PATCH 09/78] disable shellcheck & markdownlint
Too many errors...
---
 .sync.yml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/.sync.yml b/.sync.yml
index 0beffd4e..a32a02c5 100644
--- a/.sync.yml
+++ b/.sync.yml
@@ -16,3 +16,7 @@ spec/spec_helper_acceptance.rb:
 delete: true
 .github/SECURITY.md:
 delete: true
+.github/workflows/shellcheck.yaml:
+ delete: true
+.github/workflows/markdownlint.yaml:
+ delete: true
From 3976bb6d4b75255a185c268222f241e4ac05e858 Mon Sep 17 00:00:00 2001
From: Joshua Hoblitt
Date: Wed, 25 Oct 2023 14:22:59 -0700
Subject: [PATCH 10/78] Update from voxpupuli modulesync_config
---
 .github/workflows/ci.yml | 22 +-
 .github/workflows/pr_labels.yaml | 14 +
 .github/workflows/release.yml | 22 +
 .github/workflows/yamllint.yaml | 15 +
 .gitignore | 45 +-
 .gitlab-ci.yml | 53 ---
 .mdl_style.rb | 8 +
 .mdlrc | 5 +
 .msync.yml | 2 +-
 .pdkignore | 43 --
 .pmtignore | 64 +--
 .puppet-lint.rc | 2 +-
 .rspec | 5 +-
 .rubocop.yml | 727 +------------------------------
 .yamllint.yaml | 16 +
 .yardopts | 1 -
 Dockerfile | 24 -
 Gemfile | 80 +---
 Rakefile | 114 ++---
 appveyor.yml | 49 ---
 pdk.yaml | 2 -
 spec/default_facts.yml | 8 -
 spec/spec_helper.rb | 78 +---
 spec/spec_helper_acceptance.rb | 8 +
 24 files changed, 231 insertions(+), 1176 deletions(-)
 create mode 100644 .github/workflows/pr_labels.yaml
 create mode 100644 .github/workflows/release.yml
 create mode 100644 .github/workflows/yamllint.yaml
 delete mode 100644 .gitlab-ci.yml
 create mode 100644 .mdl_style.rb
 create mode 100644 .mdlrc
 delete mode 100644 .pdkignore
 create mode 100644 .yamllint.yaml
 delete mode 100644 .yardopts
 delete mode 100644 Dockerfile
 delete mode 100644 appveyor.yml
 delete mode 100644 pdk.yaml
 delete mode 100644 spec/default_facts.yml
 create mode 100644 spec/spec_helper_acceptance.rb
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 05510ee0..a3e46cf2 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -1,10 +1,16 @@
-name: "ci"
+---
+# Managed by modulesync - DO NOT EDIT
+# https://voxpupuli.org/docs/updating-files-managed-with-modulesync/
+
+name: CI
+
+"on": pull_request
+
+concurrency:
+ group: ${{ github.ref_name }}
+ cancel-in-progress: true
 
-on: pull_request
-
 jobs:
- Spec:
- uses: "puppetlabs/cat-github-actions/.github/workflows/module_ci.yml@main"
- with:
- runs_on: "ubuntu-20.04"
- secrets: "inherit"
+ puppet:
+ name: Puppet
+ uses: voxpupuli/gha-puppet/.github/workflows/basic.yml@v2
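Review bot: `uses: voxpupuli/gha-puppet/.github/workflows/basic.yml@v2` references the reusable workflow by a movable tag, so what runs in CI can change without any commit in this repository; the same goes for `mheap/github-action-required-labels@v3`, `actions/checkout@v2` and `bewuethr/yamllint-action@v1` in the pr_labels.yaml and yamllint.yaml hunks, and for `release.yml@v2` in the release.yml hunk, which is the one handling the Forge publishing credentials. Pinning each reference to a full commit SHA with the tag kept in a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha> # v4`, is the usual mitigation; because these files carry the "Managed by modulesync - DO NOT EDIT" header, the pin has to be made in the modulesync configuration rather than edited here, or it will be overwritten on the next sync. `actions/checkout@v2` is in any case an old major; newer majors run on a supported Node runtime, so bumping it is worthwhile on its own.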
diff --git a/.github/workflows/pr_labels.yaml b/.github/workflows/pr_labels.yaml
new file mode 100644
index 00000000..ea852052
--- /dev/null
+++ b/.github/workflows/pr_labels.yaml
@@ -0,0 +1,14 @@
+---
+name: "Pull Request Labels"
+"on":
+ pull_request:
+ types: ["opened", "labeled", "unlabeled", "synchronize"]
+jobs:
+ label:
+ runs-on: "ubuntu-latest"
+ steps:
+ - uses: "mheap/github-action-required-labels@v3"
+ with:
+ mode: "exactly"
+ count: 1
+ labels: "enhancement, bug, skip-changelog"
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 00000000..3153ba8d
--- /dev/null
+++ b/.github/workflows/release.yml
@@ -0,0 +1,22 @@
+---
+# Managed by modulesync - DO NOT EDIT
+# https://voxpupuli.org/docs/updating-files-managed-with-modulesync/
+
+name: Release
+
+"on":
+ push:
+ tags:
+ - '*'
+
+jobs:
+ release:
+ name: Release
+ uses: voxpupuli/gha-puppet/.github/workflows/release.yml@v2
+ with:
+ allowed_owner: 'lsst-it'
+ secrets:
+ # Configure secrets here:
+ # https://docs.github.com/en/actions/security-guides/encrypted-secrets
+ username: ${{ secrets.PUPPET_FORGE_USERNAME }}
+ api_key: ${{ secrets.PUPPET_FORGE_API_KEY }}
diff --git a/.github/workflows/yamllint.yaml b/.github/workflows/yamllint.yaml
new file mode 100644
index 00000000..d0cba14d
--- /dev/null
+++ b/.github/workflows/yamllint.yaml
@@ -0,0 +1,15 @@
+---
+# yamllint disable rule:quoted-strings
+name: yamllint
+
+"on":
+ - push
+
+jobs:
+ yamllint:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+
+ - name: Run yamllint
+ uses: bewuethr/yamllint-action@v1
diff --git a/.gitignore b/.gitignore
index 3f155121..84fd904c 100644
--- a/.gitignore
+++ b/.gitignore
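Review bot: `allowed_owner: 'lsst-it'` in the release.yml hunk does not belong to this repository: metadata.json names the module `puppetfinland-easy_ipa` and the PR link in patch 04 points at the Puppet-Finland organisation, so the owner check inside the reused release workflow would presumably refuse to publish from here, or, should a copy of this repository ever live under `lsst-it`, publish from that copy instead. The value should be the GitHub owner that holds the `PUPPET_FORGE_USERNAME` and `PUPPET_FORGE_API_KEY` secrets, i.e. `allowed_owner: 'Puppet-Finland'`. The file looks like another module's modulesync output copied over; the owner is the one field in it that has to be repository-specific.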
@@ -1,28 +1,23 @@ -.git/ -.*.sw[op] -.metadata -.yardoc -.yardwarns -*.iml -/.bundle/ -/.idea/ +# Managed by modulesync - DO NOT EDIT +# https://voxpupuli.org/docs/updating-files-managed-with-modulesync/ + +/pkg/ +/Gemfile.lock +/Gemfile.local +/vendor/ +/.vendor/ +/spec/fixtures/manifests/ +/spec/fixtures/modules/ /.vagrant/ +/.bundle/ +/.ruby-version /coverage/ -/bin/ -/doc/ -/Gemfile.local -/Gemfile.lock -/junit/ /log/ -/pkg/ -/spec/fixtures/manifests/ -/spec/fixtures/modules/* -/tmp/ -/vendor/ -/convert_report.txt -/update_report.txt -.DS_Store -.project -.envrc -/inventory.yaml -/spec/fixtures/litmus_inventory.yaml +/.idea/ +/.dependencies/ +/.librarian/ +/Puppetfile.lock +*.iml +.*.sw? +/.yardoc/ +/Guardfile diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml deleted file mode 100644 index 6d5e786c..00000000 --- a/.gitlab-ci.yml +++ /dev/null 
@@ -1,53 +0,0 @@ ---- -stages: - - syntax - - unit - -default: - cache: - paths: - - vendor/bundle - - before_script: &before_script - - bundle -v - - rm Gemfile.lock || true - - "# Update system gems if requested. This is useful to temporarily workaround troubles in the test runner" - - "# Set `rubygems_version` in the .sync.yml to set a value" - - "# Ignore exit code of SIGPIPE'd yes to not fail with shell's pipefail set" - - '[ -z "$RUBYGEMS_VERSION" ] || (yes || true) | gem update --system $RUBYGEMS_VERSION' - - gem --version - - bundle -v - - bundle install --without system_tests --path vendor/bundle --jobs $(nproc) - -validate lint check rubocop-Ruby 2.5.7-Puppet ~> 6: - stage: syntax - image: ruby:2.5.7 - script: - - bundle exec rake validate lint check rubocop - variables: - PUPPET_GEM_VERSION: '~> 6' - -parallel_spec-Ruby 2.5.7-Puppet ~> 6: - stage: unit - image: ruby:2.5.7 - script: - - bundle exec rake parallel_spec - variables: - PUPPET_GEM_VERSION: '~> 6' - -validate lint check rubocop-Ruby 2.7.2-Puppet ~> 7: - stage: syntax - image: ruby:2.7.2 - script: - - bundle exec rake validate lint check rubocop - variables: - PUPPET_GEM_VERSION: '~> 7' - -parallel_spec-Ruby 2.7.2-Puppet ~> 7: - stage: unit - image: ruby:2.7.2 - script: - - bundle exec rake parallel_spec - variables: - PUPPET_GEM_VERSION: '~> 7' - diff --git a/.mdl_style.rb b/.mdl_style.rb new file mode 100644 index 00000000..55e6b1e9 --- /dev/null +++ b/.mdl_style.rb @@ -0,0 +1,8 @@ +# https://github.com/markdownlint/markdownlint/blob/master/docs/creating_styles.md +# https://github.com/markdownlint/markdownlint/blob/master/docs/RULES.md +all +rule "MD013", :code_blocks => false +exclude_rule "MD003" +exclude_rule "MD013" +exclude_rule "MD036" +exclude_rule "MD034" diff --git a/.mdlrc b/.mdlrc new file mode 100644 index 00000000..794536f7 --- /dev/null +++ b/.mdlrc 
@@ -0,0 +1,5 @@ +# a separate "style" file must be used to pass "parameters" to a rule +# +# https://github.com/markdownlint/markdownlint/blob/master/docs/configuration.md +# https://github.com/markdownlint/markdownlint/blob/master/docs/RULES.md +style ".mdl_style.rb" diff --git a/.msync.yml b/.msync.yml index 02353859..76cd4646 100644 --- a/.msync.yml +++ b/.msync.yml @@ -2,4 +2,4 @@ # Managed by modulesync - DO NOT EDIT # https://voxpupuli.org/docs/updating-files-managed-with-modulesync/ -modulesync_config_version: '5.3.0' +modulesync_config_version: '7.1.0' diff --git a/.pdkignore b/.pdkignore deleted file mode 100644 index 584438f9..00000000 --- a/.pdkignore +++ /dev/null @@ -1,43 +0,0 @@ -.git/ -.*.sw[op] -.metadata -.yardoc -.yardwarns -*.iml -/.bundle/ -/.idea/ -/.vagrant/ -/coverage/ -/bin/ -/doc/ -/Gemfile.local -/Gemfile.lock -/junit/ -/log/ -/pkg/ -/spec/fixtures/manifests/ -/spec/fixtures/modules/* -/tmp/ -/vendor/ -/convert_report.txt -/update_report.txt -.DS_Store -.project -.envrc -/inventory.yaml -/spec/fixtures/litmus_inventory.yaml -/.fixtures.yml -/Gemfile -/.gitattributes -/.gitignore -/.pdkignore -/.puppet-lint.rc -/Rakefile -/rakelib/ -/.rspec -/..yml -/.yardopts -/spec/ -/.vscode/ -/.sync.yml -/.devcontainer/ diff --git a/.pmtignore b/.pmtignore index 65f50514..58a04088 100644 --- a/.pmtignore +++ b/.pmtignore 
@@ -1,37 +1,37 @@ # Managed by modulesync - DO NOT EDIT # https://voxpupuli.org/docs/updating-files-managed-with-modulesync/ -docs/ -pkg/ -Gemfile -Gemfile.lock -Gemfile.local -vendor/ -.vendor/ -spec/ -Rakefile -.vagrant/ -.bundle/ -.ruby-version -coverage/ -log/ -.idea/ -.dependencies/ -.github/ -.librarian/ -Puppetfile.lock +/docs/ +/pkg/ +/Gemfile +/Gemfile.lock +/Gemfile.local +/vendor/ +/.vendor/ +/spec/ +/Rakefile +/.vagrant/ +/.bundle/ +/.ruby-version +/coverage/ +/log/ +/.idea/ +/.dependencies/ +/.github/ +/.librarian/ +/Puppetfile.lock *.iml -.editorconfig -.fixtures.yml -.gitignore -.msync.yml -.overcommit.yml -.pmtignore -.rspec -.rspec_parallel -.rubocop.yml -.sync.yml +/.editorconfig +/.fixtures.yml +/.gitignore +/.msync.yml +/.overcommit.yml +/.pmtignore +/.rspec +/.rspec_parallel +/.rubocop.yml +/.sync.yml .*.sw? -.yardoc/ -.yardopts -Dockerfile +/.yardoc/ +/.yardopts +/Dockerfile diff --git a/.puppet-lint.rc b/.puppet-lint.rc index cc96ece0..02a3e71d 100644 --- a/.puppet-lint.rc +++ b/.puppet-lint.rc @@ -1 +1 @@ ---relative +--fail-on-warnings diff --git a/.rspec b/.rspec index 16f9cdb0..f634583d 100644 --- a/.rspec +++ b/.rspec @@ -1,2 +1,5 @@ ---color +# Managed by modulesync - DO NOT EDIT +# https://voxpupuli.org/docs/updating-files-managed-with-modulesync/ + --format documentation +--color diff --git a/.rubocop.yml b/.rubocop.yml index 5be1f9fa..53ac1898 100644 --- a/.rubocop.yml +++ b/.rubocop.yml 
@@ -1,723 +1,6 @@ --- -require: -- rubocop-performance -- rubocop-rspec -AllCops: - DisplayCopNames: true - TargetRubyVersion: '2.6' - Include: - - "**/*.rb" - Exclude: - - bin/* - - ".vendor/**/*" - - "**/Gemfile" - - "**/Rakefile" - - pkg/**/* - - spec/fixtures/**/* - - vendor/**/* - - "**/Puppetfile" - - "**/Vagrantfile" - - "**/Guardfile" -Layout/LineLength: - Description: People have wide screens, use them. - Max: 200 -RSpec/BeforeAfterAll: - Description: Beware of using after(:all) as it may cause state to leak between tests. - A necessary evil in acceptance testing. - Exclude: - - spec/acceptance/**/*.rb -RSpec/HookArgument: - Description: Prefer explicit :each argument, matching existing module's style - EnforcedStyle: each -RSpec/DescribeSymbol: - Exclude: - - spec/unit/facter/**/*.rb -Style/BlockDelimiters: - Description: Prefer braces for chaining. Mostly an aesthetical choice. Better to - be consistent then. - EnforcedStyle: braces_for_chaining -Style/ClassAndModuleChildren: - Description: Compact style reduces the required amount of indentation. - EnforcedStyle: compact -Style/EmptyElse: - Description: Enforce against empty else clauses, but allow `nil` for clarity. - EnforcedStyle: empty -Style/FormatString: - Description: Following the main puppet project's style, prefer the % format format. - EnforcedStyle: percent -Style/FormatStringToken: - Description: Following the main puppet project's style, prefer the simpler template - tokens over annotated ones. - EnforcedStyle: template -Style/Lambda: - Description: Prefer the keyword for easier discoverability. - EnforcedStyle: literal -Style/RegexpLiteral: - Description: Community preference. See https://github.com/voxpupuli/modulesync_config/issues/168 - EnforcedStyle: percent_r -Style/TernaryParentheses: - Description: Checks for use of parentheses around ternary conditions. Enforce parentheses - on complex expressions for better readability, but seriously consider breaking - it up. 
- EnforcedStyle: require_parentheses_when_complex -Style/TrailingCommaInArguments: - Description: Prefer always trailing comma on multiline argument lists. This makes - diffs, and re-ordering nicer. - EnforcedStyleForMultiline: comma -Style/TrailingCommaInArrayLiteral: - Description: Prefer always trailing comma on multiline literals. This makes diffs, - and re-ordering nicer. - EnforcedStyleForMultiline: comma -Style/SymbolArray: - Description: Using percent style obscures symbolic intent of array's contents. - EnforcedStyle: brackets -RSpec/MessageSpies: - EnforcedStyle: receive -Style/Documentation: - Exclude: - - lib/puppet/parser/functions/**/* - - spec/**/* -Style/WordArray: - EnforcedStyle: brackets -Performance/AncestorsInclude: - Enabled: true -Performance/BigDecimalWithNumericArgument: - Enabled: true -Performance/BlockGivenWithExplicitBlock: - Enabled: true -Performance/CaseWhenSplat: - Enabled: true -Performance/ConstantRegexp: - Enabled: true -Performance/MethodObjectAsBlock: - Enabled: true -Performance/RedundantSortBlock: - Enabled: true -Performance/RedundantStringChars: - Enabled: true -Performance/ReverseFirst: - Enabled: true -Performance/SortReverse: - Enabled: true -Performance/Squeeze: - Enabled: true -Performance/StringInclude: - Enabled: true -Performance/Sum: - Enabled: true -Style/CollectionMethods: - Enabled: true -Style/MethodCalledOnDoEndBlock: - Enabled: true -Style/StringMethods: - Enabled: true -Bundler/GemFilename: - Enabled: false -Bundler/InsecureProtocolSource: - Enabled: false -Capybara/CurrentPathExpectation: - Enabled: false -Capybara/VisibilityMatcher: - Enabled: false -Gemspec/DuplicatedAssignment: - Enabled: false -Gemspec/OrderedDependencies: - Enabled: false -Gemspec/RequiredRubyVersion: - Enabled: false -Gemspec/RubyVersionGlobalsUsage: - Enabled: false -Layout/ArgumentAlignment: - Enabled: false -Layout/BeginEndAlignment: - Enabled: false -Layout/ClosingHeredocIndentation: - Enabled: false -Layout/EmptyComment: - 
Enabled: false -Layout/EmptyLineAfterGuardClause: - Enabled: false -Layout/EmptyLinesAroundArguments: - Enabled: false -Layout/EmptyLinesAroundAttributeAccessor: - Enabled: false -Layout/EndOfLine: - Enabled: false -Layout/FirstArgumentIndentation: - Enabled: false -Layout/HashAlignment: - Enabled: false -Layout/HeredocIndentation: - Enabled: false -Layout/LeadingEmptyLines: - Enabled: false -Layout/SpaceAroundMethodCallOperator: - Enabled: false -Layout/SpaceInsideArrayLiteralBrackets: - Enabled: false -Layout/SpaceInsideReferenceBrackets: - Enabled: false -Lint/BigDecimalNew: - Enabled: false -Lint/BooleanSymbol: - Enabled: false -Lint/ConstantDefinitionInBlock: - Enabled: false -Lint/DeprecatedOpenSSLConstant: - Enabled: false -Lint/DisjunctiveAssignmentInConstructor: - Enabled: false -Lint/DuplicateElsifCondition: - Enabled: false -Lint/DuplicateRequire: - Enabled: false -Lint/DuplicateRescueException: - Enabled: false -Lint/EmptyConditionalBody: - Enabled: false -Lint/EmptyFile: - Enabled: false -Lint/ErbNewArguments: - Enabled: false -Lint/FloatComparison: - Enabled: false -Lint/HashCompareByIdentity: - Enabled: false -Lint/IdentityComparison: - Enabled: false -Lint/InterpolationCheck: - Enabled: false -Lint/MissingCopEnableDirective: - Enabled: false -Lint/MixedRegexpCaptureTypes: - Enabled: false -Lint/NestedPercentLiteral: - Enabled: false -Lint/NonDeterministicRequireOrder: - Enabled: false -Lint/OrderedMagicComments: - Enabled: false -Lint/OutOfRangeRegexpRef: - Enabled: false -Lint/RaiseException: - Enabled: false -Lint/RedundantCopEnableDirective: - Enabled: false -Lint/RedundantRequireStatement: - Enabled: false -Lint/RedundantSafeNavigation: - Enabled: false -Lint/RedundantWithIndex: - Enabled: false -Lint/RedundantWithObject: - Enabled: false -Lint/RegexpAsCondition: - Enabled: false -Lint/ReturnInVoidContext: - Enabled: false -Lint/SafeNavigationConsistency: - Enabled: false -Lint/SafeNavigationWithEmpty: - Enabled: false -Lint/SelfAssignment: - 
Enabled: false -Lint/SendWithMixinArgument: - Enabled: false -Lint/ShadowedArgument: - Enabled: false -Lint/StructNewOverride: - Enabled: false -Lint/ToJSON: - Enabled: false -Lint/TopLevelReturnWithArgument: - Enabled: false -Lint/TrailingCommaInAttributeDeclaration: - Enabled: false -Lint/UnreachableLoop: - Enabled: false -Lint/UriEscapeUnescape: - Enabled: false -Lint/UriRegexp: - Enabled: false -Lint/UselessMethodDefinition: - Enabled: false -Lint/UselessTimes: - Enabled: false -Metrics/AbcSize: - Enabled: false -Metrics/BlockLength: - Enabled: false -Metrics/BlockNesting: - Enabled: false -Metrics/ClassLength: - Enabled: false -Metrics/CyclomaticComplexity: - Enabled: false -Metrics/MethodLength: - Enabled: false -Metrics/ModuleLength: - Enabled: false -Metrics/ParameterLists: - Enabled: false -Metrics/PerceivedComplexity: - Enabled: false -Migration/DepartmentName: - Enabled: false -Naming/AccessorMethodName: - Enabled: false -Naming/BlockParameterName: - Enabled: false -Naming/HeredocDelimiterCase: - Enabled: false -Naming/HeredocDelimiterNaming: - Enabled: false -Naming/MemoizedInstanceVariableName: - Enabled: false -Naming/MethodParameterName: - Enabled: false -Naming/RescuedExceptionsVariableName: - Enabled: false -Naming/VariableNumber: - Enabled: false -Performance/BindCall: - Enabled: false -Performance/DeletePrefix: - Enabled: false -Performance/DeleteSuffix: - Enabled: false -Performance/InefficientHashSearch: - Enabled: false -Performance/UnfreezeString: - Enabled: false -Performance/UriDefaultParser: - Enabled: false -RSpec/Be: - Enabled: false -RSpec/Capybara/FeatureMethods: - Enabled: false -RSpec/ContainExactly: - Enabled: false -RSpec/ContextMethod: - Enabled: false -RSpec/ContextWording: - Enabled: false -RSpec/DescribeClass: - Enabled: false -RSpec/EmptyHook: - Enabled: false -RSpec/EmptyLineAfterExample: - Enabled: false -RSpec/EmptyLineAfterExampleGroup: - Enabled: false -RSpec/EmptyLineAfterHook: - Enabled: false -RSpec/ExampleLength: - 
Enabled: false -RSpec/ExampleWithoutDescription: - Enabled: false -RSpec/ExpectChange: - Enabled: false -RSpec/ExpectInHook: - Enabled: false -RSpec/FactoryBot/AttributeDefinedStatically: - Enabled: false -RSpec/FactoryBot/CreateList: - Enabled: false -RSpec/FactoryBot/FactoryClassName: - Enabled: false -RSpec/HooksBeforeExamples: - Enabled: false -RSpec/ImplicitBlockExpectation: - Enabled: false -RSpec/ImplicitSubject: - Enabled: false -RSpec/LeakyConstantDeclaration: - Enabled: false -RSpec/LetBeforeExamples: - Enabled: false -RSpec/MatchArray: - Enabled: false -RSpec/MissingExampleGroupArgument: - Enabled: false -RSpec/MultipleExpectations: - Enabled: false -RSpec/MultipleMemoizedHelpers: - Enabled: false -RSpec/MultipleSubjects: - Enabled: false -RSpec/NestedGroups: - Enabled: false -RSpec/PredicateMatcher: - Enabled: false -RSpec/ReceiveCounts: - Enabled: false -RSpec/ReceiveNever: - Enabled: false -RSpec/RepeatedExampleGroupBody: - Enabled: false -RSpec/RepeatedExampleGroupDescription: - Enabled: false -RSpec/RepeatedIncludeExample: - Enabled: false -RSpec/ReturnFromStub: - Enabled: false -RSpec/SharedExamples: - Enabled: false -RSpec/StubbedMock: - Enabled: false -RSpec/UnspecifiedException: - Enabled: false -RSpec/VariableDefinition: - Enabled: false -RSpec/VoidExpect: - Enabled: false -RSpec/Yield: - Enabled: false -Security/Open: - Enabled: false -Style/AccessModifierDeclarations: - Enabled: false -Style/AccessorGrouping: - Enabled: false -Style/BisectedAttrAccessor: - Enabled: false -Style/CaseLikeIf: - Enabled: false -Style/ClassEqualityComparison: - Enabled: false -Style/ColonMethodDefinition: - Enabled: false -Style/CombinableLoops: - Enabled: false -Style/CommentedKeyword: - Enabled: false -Style/Dir: - Enabled: false -Style/DoubleCopDisableDirective: - Enabled: false -Style/EmptyBlockParameter: - Enabled: false -Style/EmptyLambdaParameter: - Enabled: false -Style/Encoding: - Enabled: false -Style/EvalWithLocation: - Enabled: false 
-Style/ExpandPathArguments: - Enabled: false -Style/ExplicitBlockArgument: - Enabled: false -Style/ExponentialNotation: - Enabled: false -Style/FloatDivision: - Enabled: false -Style/FrozenStringLiteralComment: - Enabled: false -Style/GlobalStdStream: - Enabled: false -Style/HashAsLastArrayItem: - Enabled: false -Style/HashLikeCase: - Enabled: false -Style/HashTransformKeys: - Enabled: false -Style/HashTransformValues: - Enabled: false -Style/IfUnlessModifier: - Enabled: false -Style/KeywordParametersOrder: - Enabled: false -Style/MinMax: - Enabled: false -Style/MixinUsage: - Enabled: false -Style/MultilineWhenThen: - Enabled: false -Style/NegatedUnless: - Enabled: false -Style/NumericPredicate: - Enabled: false -Style/OptionalBooleanParameter: - Enabled: false -Style/OrAssignment: - Enabled: false -Style/RandomWithOffset: - Enabled: false -Style/RedundantAssignment: - Enabled: false -Style/RedundantCondition: - Enabled: false -Style/RedundantConditional: - Enabled: false -Style/RedundantFetchBlock: - Enabled: false -Style/RedundantFileExtensionInRequire: - Enabled: false -Style/RedundantRegexpCharacterClass: - Enabled: false -Style/RedundantRegexpEscape: - Enabled: false -Style/RedundantSelfAssignment: - Enabled: false -Style/RedundantSort: - Enabled: false -Style/RescueStandardError: - Enabled: false -Style/SingleArgumentDig: - Enabled: false -Style/SlicingWithRange: - Enabled: false -Style/SoleNestedConditional: - Enabled: false -Style/StderrPuts: - Enabled: false -Style/StringConcatenation: - Enabled: false -Style/Strip: - Enabled: false -Style/SymbolProc: - Enabled: false -Style/TrailingBodyOnClass: - Enabled: false -Style/TrailingBodyOnMethodDefinition: - Enabled: false -Style/TrailingBodyOnModule: - Enabled: false -Style/TrailingCommaInHashLiteral: - Enabled: false -Style/TrailingMethodEndStatement: - Enabled: false -Style/UnpackFirst: - Enabled: false -Capybara/MatchStyle: - Enabled: false -Capybara/NegationMatcher: - Enabled: false 
-Capybara/SpecificActions: - Enabled: false -Capybara/SpecificFinders: - Enabled: false -Capybara/SpecificMatcher: - Enabled: false -Gemspec/DeprecatedAttributeAssignment: - Enabled: false -Gemspec/DevelopmentDependencies: - Enabled: false -Gemspec/RequireMFA: - Enabled: false -Layout/LineContinuationLeadingSpace: - Enabled: false -Layout/LineContinuationSpacing: - Enabled: false -Layout/LineEndStringConcatenationIndentation: - Enabled: false -Layout/SpaceBeforeBrackets: - Enabled: false -Lint/AmbiguousAssignment: - Enabled: false -Lint/AmbiguousOperatorPrecedence: - Enabled: false -Lint/AmbiguousRange: - Enabled: false -Lint/ConstantOverwrittenInRescue: - Enabled: false -Lint/DeprecatedConstants: - Enabled: false -Lint/DuplicateBranch: - Enabled: false -Lint/DuplicateMagicComment: - Enabled: false -Lint/DuplicateRegexpCharacterClassElement: - Enabled: false -Lint/EmptyBlock: - Enabled: false -Lint/EmptyClass: - Enabled: false -Lint/EmptyInPattern: - Enabled: false -Lint/IncompatibleIoSelectWithFiberScheduler: - Enabled: false -Lint/LambdaWithoutLiteralBlock: - Enabled: false -Lint/NoReturnInBeginEndBlocks: - Enabled: false -Lint/NonAtomicFileOperation: - Enabled: false -Lint/NumberedParameterAssignment: - Enabled: false -Lint/OrAssignmentToConstant: - Enabled: false -Lint/RedundantDirGlobSort: - Enabled: false -Lint/RefinementImportMethods: - Enabled: false -Lint/RequireRangeParentheses: - Enabled: false -Lint/RequireRelativeSelfPath: - Enabled: false -Lint/SymbolConversion: - Enabled: false -Lint/ToEnumArguments: - Enabled: false -Lint/TripleQuotes: - Enabled: false -Lint/UnexpectedBlockArity: - Enabled: false -Lint/UnmodifiedReduceAccumulator: - Enabled: false -Lint/UselessRescue: - Enabled: false -Lint/UselessRuby2Keywords: - Enabled: false -Metrics/CollectionLiteralLength: - Enabled: false -Naming/BlockForwarding: - Enabled: false -Performance/CollectionLiteralInLoop: - Enabled: false -Performance/ConcurrentMonotonicTime: - Enabled: false 
-Performance/MapCompact: - Enabled: false -Performance/RedundantEqualityComparisonBlock: - Enabled: false -Performance/RedundantSplitRegexpArgument: - Enabled: false -Performance/StringIdentifierArgument: - Enabled: false -RSpec/BeEq: - Enabled: false -RSpec/BeNil: - Enabled: false -RSpec/ChangeByZero: - Enabled: false -RSpec/ClassCheck: - Enabled: false -RSpec/DuplicatedMetadata: - Enabled: false -RSpec/ExcessiveDocstringSpacing: - Enabled: false -RSpec/FactoryBot/ConsistentParenthesesStyle: - Enabled: false -RSpec/FactoryBot/FactoryNameStyle: - Enabled: false -RSpec/FactoryBot/SyntaxMethods: - Enabled: false -RSpec/IdenticalEqualityAssertion: - Enabled: false -RSpec/NoExpectationExample: - Enabled: false -RSpec/PendingWithoutReason: - Enabled: false -RSpec/Rails/AvoidSetupHook: - Enabled: false -RSpec/Rails/HaveHttpStatus: - Enabled: false -RSpec/Rails/InferredSpecType: - Enabled: false -RSpec/Rails/MinitestAssertions: - Enabled: false -RSpec/Rails/TravelAround: - Enabled: false -RSpec/RedundantAround: - Enabled: false -RSpec/SkipBlockInsideExample: - Enabled: false -RSpec/SortMetadata: - Enabled: false -RSpec/SubjectDeclaration: - Enabled: false -RSpec/VerifiedDoubleReference: - Enabled: false -Security/CompoundHash: - Enabled: false -Security/IoMethods: - Enabled: false -Style/ArgumentsForwarding: - Enabled: false -Style/ArrayIntersect: - Enabled: false -Style/CollectionCompact: - Enabled: false -Style/ComparableClamp: - Enabled: false -Style/ConcatArrayLiterals: - Enabled: false -Style/DirEmpty: - Enabled: false -Style/DocumentDynamicEvalDefinition: - Enabled: false -Style/EmptyHeredoc: - Enabled: false -Style/EndlessMethod: - Enabled: false -Style/EnvHome: - Enabled: false -Style/FetchEnvVar: - Enabled: false -Style/FileEmpty: - Enabled: false -Style/FileRead: - Enabled: false -Style/FileWrite: - Enabled: false -Style/HashConversion: - Enabled: false -Style/HashExcept: - Enabled: false -Style/IfWithBooleanLiteralBranches: - Enabled: false 
-Style/InPatternThen: - Enabled: false -Style/MagicCommentFormat: - Enabled: false -Style/MapCompactWithConditionalBlock: - Enabled: false -Style/MapToHash: - Enabled: false -Style/MapToSet: - Enabled: false -Style/MinMaxComparison: - Enabled: false -Style/MultilineInPatternThen: - Enabled: false -Style/NegatedIfElseCondition: - Enabled: false -Style/NestedFileDirname: - Enabled: false -Style/NilLambda: - Enabled: false -Style/NumberedParameters: - Enabled: false -Style/NumberedParametersLimit: - Enabled: false -Style/ObjectThen: - Enabled: false -Style/OpenStructUse: - Enabled: false -Style/OperatorMethodCall: - Enabled: false -Style/QuotedSymbols: - Enabled: false -Style/RedundantArgument: - Enabled: false -Style/RedundantConstantBase: - Enabled: false -Style/RedundantDoubleSplatHashBraces: - Enabled: false -Style/RedundantEach: - Enabled: false -Style/RedundantHeredocDelimiterQuotes: - Enabled: false -Style/RedundantInitialize: - Enabled: false -Style/RedundantSelfAssignmentBranch: - Enabled: false -Style/RedundantStringEscape: - Enabled: false -Style/SelectByRegexp: - Enabled: false -Style/StringChars: - Enabled: false -Style/SwapValues: - Enabled: false +# Managed by modulesync - DO NOT EDIT +# https://voxpupuli.org/docs/updating-files-managed-with-modulesync/ + +inherit_gem: + voxpupuli-test: rubocop.yml diff --git a/.yamllint.yaml b/.yamllint.yaml new file mode 100644 index 00000000..6816fd8e --- /dev/null +++ b/.yamllint.yaml @@ -0,0 +1,16 @@ +--- +extends: default + +rules: + # 80 chars should be enough, but don't fail if a line is longer + line-length: false + indentation: + spaces: consistent + indent-sequences: consistent + # do not obsess over comment formatting + comments-indentation: false + comments: + require-starting-space: false + +ignore: | + .rubocop.yml diff --git a/.yardopts b/.yardopts deleted file mode 100644 index 29c933bc..00000000 --- a/.yardopts +++ /dev/null @@ -1 +0,0 @@ ---markup markdown 
diff --git a/Dockerfile b/Dockerfile deleted file mode 100644 index 8dd82d63..00000000 --- a/Dockerfile +++ /dev/null @@ -1,24 +0,0 @@ -# MANAGED BY MODULESYNC -# https://voxpupuli.org/docs/updating-files-managed-with-modulesync/ - -FROM ruby:2.7 - -WORKDIR /opt/puppet - -# https://github.com/puppetlabs/puppet/blob/06ad255754a38f22fb3a22c7c4f1e2ce453d01cb/lib/puppet/provider/service/runit.rb#L39 -RUN mkdir -p /etc/sv - -ARG PUPPET_GEM_VERSION="~> 6.0" -ARG PARALLEL_TEST_PROCESSORS=4 - -# Cache gems -COPY Gemfile . -RUN bundle install --without system_tests development release --path=${BUNDLE_PATH:-vendor/bundle} - -COPY . . - -RUN bundle install -RUN bundle exec rake release_checks - -# Container should not saved -RUN exit 1 diff --git a/Gemfile b/Gemfile index 5c26c690..f8aae124 100644 --- a/Gemfile +++ b/Gemfile 
@@ -1,74 +1,32 @@ -source ENV['GEM_SOURCE'] || 'https://rubygems.org' +# Managed by modulesync - DO NOT EDIT +# https://voxpupuli.org/docs/updating-files-managed-with-modulesync/ -def location_for(place_or_version, fake_version = nil) - git_url_regex = %r{\A(?(https?|git)[:@][^#]*)(#(?.*))?} - file_url_regex = %r{\Afile:\/\/(?.*)} +source ENV['GEM_SOURCE'] || 'https://rubygems.org' - if place_or_version && (git_url = place_or_version.match(git_url_regex)) - [fake_version, { git: git_url[:url], branch: git_url[:branch], require: false }].compact - elsif place_or_version && (file_url = place_or_version.match(file_url_regex)) - ['>= 0', { path: File.expand_path(file_url[:path]), require: false }] - else - [place_or_version, { require: false }] - end +group :test do + gem 'voxpupuli-test', '~> 7.0', :require => false + gem 'coveralls', :require => false + gem 'simplecov-console', :require => false + gem 'puppet_metadata', '~> 3.5', :require => false end group :development do - gem "json", '= 2.1.0', require: false if Gem::Requirement.create(['>= 2.5.0', '< 2.7.0']).satisfied_by?(Gem::Version.new(RUBY_VERSION.dup)) - gem "json", '= 2.3.0', require: false if Gem::Requirement.create(['>= 2.7.0', '< 3.0.0']).satisfied_by?(Gem::Version.new(RUBY_VERSION.dup)) - gem "json", '= 2.5.1', require: false if Gem::Requirement.create(['>= 3.0.0', '< 3.0.5']).satisfied_by?(Gem::Version.new(RUBY_VERSION.dup)) - gem "json", '= 2.6.1', require: false if Gem::Requirement.create(['>= 3.1.0', '< 3.1.3']).satisfied_by?(Gem::Version.new(RUBY_VERSION.dup)) - gem "json", '= 2.6.3', require: false if Gem::Requirement.create(['>= 3.2.0', '< 4.0.0']).satisfied_by?(Gem::Version.new(RUBY_VERSION.dup)) - gem "racc", '~> 1.4.0', require: false if Gem::Requirement.create(['>= 2.7.0', '< 3.0.0']).satisfied_by?(Gem::Version.new(RUBY_VERSION.dup)) - gem "voxpupuli-puppet-lint-plugins", '~> 5.0', require: false - gem "facterdb", '~> 1.18', require: false - gem "metadata-json-lint", '~> 3.0', require: false 
- gem "puppetlabs_spec_helper", '~> 6.0', require: false - gem "rspec-puppet-facts", '~> 2.0', require: false - gem "codecov", '~> 0.2', require: false - gem "dependency_checker", '~> 1.0.0', require: false - gem "parallel_tests", '= 3.12.1', require: false - gem "pry", '~> 0.10', require: false - gem "simplecov-console", '~> 0.5', require: false - gem "puppet-debugger", '~> 1.0', require: false - gem "rubocop", '= 1.48.1', require: false - gem "rubocop-performance", '= 1.16.0', require: false - gem "rubocop-rspec", '= 2.19.0', require: false - gem "rb-readline", '= 0.5.5', require: false, platforms: [:mswin, :mingw, :x64_mingw] - gem "github_changelog_generator", require: false + gem 'guard-rake', :require => false + gem 'overcommit', '>= 0.39.1', :require => false end + group :system_tests do - gem "puppet_litmus", '~> 1.0', require: false, platforms: [:ruby, :x64_mingw] - gem "serverspec", '~> 2.41', require: false + gem 'voxpupuli-acceptance', '~> 2.2', :require => false end -puppet_version = ENV['PUPPET_GEM_VERSION'] -facter_version = ENV['FACTER_GEM_VERSION'] -hiera_version = ENV['HIERA_GEM_VERSION'] - -gems = {} - -gems['puppet'] = location_for(puppet_version) - -# If facter or hiera versions have been specified via the environment -# variables - -gems['facter'] = location_for(facter_version) if facter_version -gems['hiera'] = location_for(hiera_version) if hiera_version - -gems.each do |gem_name, gem_params| - gem gem_name, *gem_params +group :release do + gem 'voxpupuli-release', '~> 3.0', :require => false end -# Evaluate Gemfile.local and ~/.gemfile if they exist -extra_gemfiles = [ - "#{__FILE__}.local", - File.join(Dir.home, '.gemfile'), -] +gem 'rake', :require => false +gem 'facter', ENV['FACTER_GEM_VERSION'], :require => false, :groups => [:test] + +puppetversion = ENV['PUPPET_GEM_VERSION'] || '~> 7.24' +gem 'puppet', puppetversion, :require => false, :groups => [:test] -extra_gemfiles.each do |gemfile| - if File.file?(gemfile) && 
File.readable?(gemfile) - eval(File.read(gemfile), binding) - end -end # vim: syntax=ruby diff --git a/Rakefile b/Rakefile index 74415a96..620c2b6a 100644 --- a/Rakefile +++ b/Rakefile 
@@ -1,88 +1,44 @@ -# frozen_string_literal: true - -require 'bundler' -require 'puppet_litmus/rake_tasks' if Gem.loaded_specs.key? 'puppet_litmus' -require 'puppetlabs_spec_helper/rake_tasks' -require 'puppet-syntax/tasks/puppet-syntax' -require 'github_changelog_generator/task' if Gem.loaded_specs.key? 'github_changelog_generator' -require 'puppet-strings/tasks' if Gem.loaded_specs.key? 'puppet-strings' - -def changelog_user - return unless Rake.application.top_level_tasks.include? "changelog" - returnVal = nil || JSON.load(File.read('metadata.json'))['author'] - raise "unable to find the changelog_user in .sync.yml, or the author in metadata.json" if returnVal.nil? - puts "GitHubChangelogGenerator user:#{returnVal}" - returnVal -end - -def changelog_project - return unless Rake.application.top_level_tasks.include? "changelog" - - returnVal = nil - returnVal ||= begin - metadata_source = JSON.load(File.read('metadata.json'))['source'] - metadata_source_match = metadata_source && metadata_source.match(%r{.*\/([^\/]*?)(?:\.git)?\Z}) - - metadata_source_match && metadata_source_match[1] +# Managed by modulesync - DO NOT EDIT +# https://voxpupuli.org/docs/updating-files-managed-with-modulesync/ + +# Attempt to load voxpupuli-test (which pulls in puppetlabs_spec_helper), +# otherwise attempt to load it directly. +begin + require 'voxpupuli/test/rake' +rescue LoadError + begin + require 'puppetlabs_spec_helper/rake_tasks' + rescue LoadError end - - raise "unable to find the changelog_project in .sync.yml or calculate it from the source in metadata.json" if returnVal.nil? - - puts "GitHubChangelogGenerator project:#{returnVal}" - returnVal end -def changelog_future_release - return unless Rake.application.top_level_tasks.include? "changelog" - returnVal = "v%s" % JSON.load(File.read('metadata.json'))['version'] - raise "unable to find the future_release (version) in metadata.json" if returnVal.nil? 
- puts "GitHubChangelogGenerator future_release:#{returnVal}" - returnVal +# load optional tasks for acceptance +# only available if gem group releases is installed +begin + require 'voxpupuli/acceptance/rake' +rescue LoadError end -PuppetLint.configuration.send('disable_relative') - - -if Gem.loaded_specs.key? 'github_changelog_generator' - GitHubChangelogGenerator::RakeTask.new :changelog do |config| - raise "Set CHANGELOG_GITHUB_TOKEN environment variable eg 'export CHANGELOG_GITHUB_TOKEN=valid_token_here'" if Rake.application.top_level_tasks.include? "changelog" and ENV['CHANGELOG_GITHUB_TOKEN'].nil? - config.user = "#{changelog_user}" - config.project = "#{changelog_project}" - config.future_release = "#{changelog_future_release}" - config.exclude_labels = ['maintenance'] - config.header = "# Change log\n\nAll notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) and this project adheres to [Semantic Versioning](http://semver.org)." 
- config.add_pr_wo_labels = true - config.issues = false - config.merge_prefix = "### UNCATEGORIZED PRS; LABEL THEM ON GITHUB" - config.configure_sections = { - "Changed" => { - "prefix" => "### Changed", - "labels" => ["backwards-incompatible"], - }, - "Added" => { - "prefix" => "### Added", - "labels" => ["enhancement", "feature"], - }, - "Fixed" => { - "prefix" => "### Fixed", - "labels" => ["bug", "documentation", "bugfix"], - }, - } - end +# load optional tasks for releases +# only available if gem group releases is installed +begin + require 'voxpupuli/release/rake_tasks' +rescue LoadError + # voxpupuli-release not present else - desc 'Generate a Changelog from GitHub' - task :changelog do - raise < 1.15' - condition: "Gem::Version.new(RUBY_VERSION.dup) >= Gem::Version.new('2.3.0')" -EOM + GCGConfig.user = 'lsst-it' + GCGConfig.project = 'puppet-ipa' +end + +desc "Run main 'test' task and report merged results to coveralls" +task test_with_coveralls: [:test] do + if Dir.exist?(File.expand_path('../lib', __FILE__)) + require 'coveralls/rake/task' + Coveralls::RakeTask.new + Rake::Task['coveralls:push'].invoke + else + puts 'Skipping reporting to coveralls. Module has no lib dir' end end +# vim: syntax=ruby diff --git a/appveyor.yml b/appveyor.yml deleted file mode 100644 index a70c01eb..00000000 --- a/appveyor.yml +++ /dev/null 
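Review bot: `GCGConfig.user = 'lsst-it'` and `GCGConfig.project = 'puppet-ipa'` hard-code the GitHub repository the changelog task queries; confirm they match the repository recorded as `source` in metadata.json, since a mismatch makes `rake changelog` read another project's issues and pull requests without any error. The Rakefile is marked "Managed by modulesync - DO NOT EDIT", so these values presumably belong in `.sync.yml`, otherwise the next sync reverts them. The `begin`/`rescue LoadError`/`else` shape around `voxpupuli/release/rake_tasks` is fine, but the `# voxpupuli-release not present` comment would read better as `# voxpupuli-release not installed; changelog tasks unavailable` so the consequence is visible to whoever hits it.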
@@ -1,49 +0,0 @@ ---- -version: 1.1.x.{build} -skip_branch_with_pr: true -branches: - only: - - main - - release -skip_commits: - message: /^\(?doc\)?.*/ -clone_depth: 10 -init: - - SET - - 'mkdir C:\ProgramData\PuppetLabs\code && exit 0' - - 'mkdir C:\ProgramData\PuppetLabs\facter && exit 0' - - 'mkdir C:\ProgramData\PuppetLabs\hiera && exit 0' - - 'mkdir C:\ProgramData\PuppetLabs\puppet\var && exit 0' -environment: - matrix: - - - RUBY_VERSION: 25-x64 - CHECK: validate lint check rubocop - - - PUPPET_GEM_VERSION: ~> 6.0 - RUBY_VERSION: 25 - CHECK: parallel_spec - - - PUPPET_GEM_VERSION: ~> 6.0 - RUBY_VERSION: 25-x64 - CHECK: parallel_spec -matrix: - fast_finish: true -install: - - set PATH=C:\Ruby%RUBY_VERSION%\bin;%PATH% - - bundle install --jobs 4 --retry 2 --without system_tests - - type Gemfile.lock -build: off -test_script: - - bundle exec puppet -V - - ruby -v - - gem -v - - bundle -v - - bundle exec rake %CHECK% -notifications: - - provider: Email - to: - - nobody@nowhere.com - on_build_success: false - on_build_failure: false - on_build_status_changed: false diff --git a/pdk.yaml b/pdk.yaml deleted file mode 100644 index 4bef4bd0..00000000 --- a/pdk.yaml +++ /dev/null @@ -1,2 +0,0 @@ ---- -ignore: [] diff --git a/spec/default_facts.yml b/spec/default_facts.yml deleted file mode 100644 index f777abfc..00000000 --- a/spec/default_facts.yml +++ /dev/null @@ -1,8 +0,0 @@ -# Use default_module_facts.yml for module specific facts. -# -# Facts specified here will override the values provided by rspec-puppet-facts. ---- -ipaddress: "172.16.254.254" -ipaddress6: "FE80:0000:0000:0000:AAAA:AAAA:AAAA" -is_pe: false -macaddress: "AA:AA:AA:AA:AA:AA" diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb index 6820cebe..9efb4ae6 100644 --- a/spec/spec_helper.rb +++ b/spec/spec_helper.rb 
@@ -1,74 +1,20 @@ # frozen_string_literal: true -RSpec.configure do |c| - c.mock_with :rspec -end - -require 'puppetlabs_spec_helper/module_spec_helper' -require 'rspec-puppet-facts' - -require 'spec_helper_local' if File.file?(File.join(File.dirname(__FILE__), 'spec_helper_local.rb')) +# Managed by modulesync - DO NOT EDIT +# https://voxpupuli.org/docs/updating-files-managed-with-modulesync/ -include RspecPuppetFacts +# puppetlabs_spec_helper will set up coverage if the env variable is set. +# We want to do this if lib exists and it hasn't been explicitly set. +ENV['COVERAGE'] ||= 'yes' if Dir.exist?(File.expand_path('../lib', __dir__)) -default_facts = { - puppetversion: Puppet.version, - facterversion: Facter.version, -} +require 'voxpupuli/test/spec_helper' -default_fact_files = [ - File.expand_path(File.join(File.dirname(__FILE__), 'default_facts.yml')), - File.expand_path(File.join(File.dirname(__FILE__), 'default_module_facts.yml')), -] +add_mocked_facts! -default_fact_files.each do |f| - next unless File.exist?(f) && File.readable?(f) && File.size?(f) - - begin - default_facts.merge!(YAML.safe_load(File.read(f), permitted_classes: [], permitted_symbols: [], aliases: true)) - rescue StandardError => e - RSpec.configuration.reporter.message "WARNING: Unable to load #{f}: #{e}" +if File.exist?(File.join(__dir__, 'default_module_facts.yml')) + facts = YAML.safe_load(File.read(File.join(__dir__, 'default_module_facts.yml'))) + facts&.each do |name, value| + add_custom_fact name.to_sym, value end end - -# read default_facts and merge them over what is provided by facterdb -default_facts.each do |fact, value| - add_custom_fact fact, value -end - -RSpec.configure do |c| - c.default_facts = default_facts - c.before :each do - # set to strictest setting for testing - # by default Puppet runs at warning level - Puppet.settings[:strict] = :warning - Puppet.settings[:strict_variables] = true - end - c.filter_run_excluding(bolt: true) unless ENV['GEM_BOLT'] - 
c.after(:suite) do - RSpec::Puppet::Coverage.report!(0) - end - - # Filter backtrace noise - backtrace_exclusion_patterns = [ - %r{spec_helper}, - %r{gems}, - ] - - if c.respond_to?(:backtrace_exclusion_patterns) - c.backtrace_exclusion_patterns = backtrace_exclusion_patterns - elsif c.respond_to?(:backtrace_clean_patterns) - c.backtrace_clean_patterns = backtrace_exclusion_patterns - end -end - -# Ensures that a module is defined -# @param module_name Name of the module -def ensure_module_defined(module_name) - module_name.split('::').reduce(Object) do |last_module, next_module| - last_module.const_set(next_module, Module.new) unless last_module.const_defined?(next_module, false) - last_module.const_get(next_module, false) - end -end - -# 'spec_overrides' from sync.yml will appear below this line +Dir['./spec/support/spec/**/*.rb'].sort.each { |f| require f } diff --git a/spec/spec_helper_acceptance.rb b/spec/spec_helper_acceptance.rb new file mode 100644 index 00000000..f803ae59 --- /dev/null +++ b/spec/spec_helper_acceptance.rb @@ -0,0 +1,8 @@ +# frozen_string_literal: true + +# Managed by modulesync - DO NOT EDIT +# https://voxpupuli.org/docs/updating-files-managed-with-modulesync/ + +require 'voxpupuli/acceptance/spec_helper_acceptance' + +Dir['./spec/support/acceptance/**/*.rb'].sort.each { |f| require f } From bc8d77f702a733fa665c3cd02c7b92cab545ff48 Mon Sep 17 00:00:00 2001 From: Joshua Hoblitt Date: Wed, 25 Oct 2023 15:59:16 -0700 Subject: [PATCH 11/78] fix rubocop errors --- spec/classes/ipa_spec.rb | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/spec/classes/ipa_spec.rb b/spec/classes/ipa_spec.rb index d0d62775..12ba5279 100644 --- a/spec/classes/ipa_spec.rb +++ b/spec/classes/ipa_spec.rb @@ -23,7 +23,7 @@ facts.merge( networking: { fqdn: 'ipa.rpsec.example.lan', - }, + } ) end 
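Review bot: The new `facts = YAML.safe_load(File.read(File.join(__dir__, 'default_module_facts.yml')))` drops the `aliases: true` option the removed loop passed to `safe_load`, so a facts file that uses YAML anchors/aliases will now raise under Psych 4 instead of loading. If `default_module_facts.yml` is plain key/value data this is harmless; otherwise pass `aliases: true` (keeping the default empty `permitted_classes`) as before. The removed code also wrapped the load in `rescue StandardError` and only warned, whereas the new code lets a malformed file abort the whole suite, which is arguably the better behaviour but worth noting. The file is marked "Managed by modulesync - DO NOT EDIT", so any change here would have to go through the modulesync template rather than this repository.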
@@ -85,10 +85,10 @@ it do is_expected.to contain_exec('server_install_ipa.rpsec.example.lan').with( - logoutput: false, - ) - .with_command(%r{--idstart=10000}) - .with_command(%r{--idmax=20000}) + logoutput: false + ). + with_command(%r{--idstart=10000}). + with_command(%r{--idmax=20000}) end end @@ -99,7 +99,7 @@ it do is_expected.to contain_exec('server_install_ipa.rpsec.example.lan').with( - logoutput: false, + logoutput: false ).with_command(%r{--idstart=10000}) is_expected.not_to contain_exec('server_install_ipa.rpsec.example.lan').with_command(%r{--idmax}) end @@ -121,7 +121,7 @@ it { is_expected.to contain_exec('server_install_ipa.rpsec.example.lan').with( - logoutput: false, + logoutput: false ).with_command(%r{--no-ssh(?!d)}) } end @@ -143,7 +143,7 @@ it { is_expected.to contain_exec('server_install_ipa.rpsec.example.lan').with( - logoutput: false, + logoutput: false ).with_command(%r{--no-sshd}) } end @@ -270,7 +270,7 @@ it { is_expected.to contain_exec('server_install_ipa.rpsec.example.lan').with( - logoutput: false, + logoutput: false ).with_command(%r{--no-ssh(?!d)}) } end @@ -292,7 +292,7 @@ it { is_expected.to contain_exec('server_install_ipa.rpsec.example.lan').with( - logoutput: false, + logoutput: false ).with_command(%r{--no-sshd}) } end @@ -377,7 +377,7 @@ it { is_expected.to contain_exec('client_install_ipa.rpsec.example.lan').with( - logoutput: false, + logoutput: false ).with_command(%r{--no-ssh(?!d)}) } end @@ -399,7 +399,7 @@ it { is_expected.to contain_exec('client_install_ipa.rpsec.example.lan').with( - logoutput: false, + logoutput: false ).with_command(%r{--no-sshd}) } end From cd01a462fef19da598842897bd17fd323bf8eb71 Mon Sep 17 00:00:00 2001 From: Joshua Hoblitt Date: Mon, 15 Aug 2022 11:52:18 -0700 Subject: [PATCH 12/78] enable idm:DL1 appstream on EL8 --- manifests/install/server.pp | 4 ++++ manifests/install/server/redhat.pp | 11 +++++++++++ 2 files changed, 15 insertions(+) create mode 100644 manifests/install/server/redhat.pp 
diff --git a/manifests/install/server.pp b/manifests/install/server.pp
index 61f67443..d5a6539d 100644
--- a/manifests/install/server.pp
+++ b/manifests/install/server.pp
@@ -2,6 +2,10 @@
 # @summary Manage IPA server install
 #
 class easy_ipa::install::server {
+ if fact('os.family') == 'RedHat' {
+ require easy_ipa::install::server::redhat
+ }
+
 package { $easy_ipa::params::ipa_server_package_name:
 ensure => present,
 }
diff --git a/manifests/install/server/redhat.pp b/manifests/install/server/redhat.pp
new file mode 100644
index 00000000..1ee80f96
--- /dev/null
+++ b/manifests/install/server/redhat.pp
@@ -0,0 +1,11 @@
+# @api private
+class easy_ipa::install::server::redhat {
+ assert_private()
+
+ if versioncmp(fact('os.release.major'), '8') == 0 {
+ package { 'idm':
+ ensure => 'DL1',
+ provider => 'dnfmodule',
+ }
+ }
+}
From d040ed13a91f74eaff9272d67a8393830edcd825 Mon Sep 17 00:00:00 2001
From: Joshua Hoblitt
Date: Mon, 15 Aug 2022 13:00:23 -0700
Subject: [PATCH 13/78] mv dns package install to install::server class

Because: a) these are server only packages b) on EL8 they are not available until after idm:DL1 is enabled.
---
 manifests/install.pp | 10 ----------
 manifests/install/server.pp | 9 +++++++++
 2 files changed, 9 insertions(+), 10 deletions(-)

diff --git a/manifests/install.pp b/manifests/install.pp
index b5bc30a6..06a1d4d5 100644
--- a/manifests/install.pp
+++ b/manifests/install.pp
@@ -32,16 +32,6 @@
 }
 
 if $easy_ipa::ipa_role == 'master' or $easy_ipa::ipa_role == 'replica' {
- if $easy_ipa::final_configure_dns_server {
- $dns_packages = [
- 'ipa-server-dns',
- 'bind-dyndb-ldap',
- ]
- package { $dns_packages:
- ensure => present,
- }
- }
-
 if $easy_ipa::install_ipa_server {
 contain 'easy_ipa::install::server'
 }
diff --git a/manifests/install/server.pp b/manifests/install/server.pp
index d5a6539d..056a9ff3 100644
--- a/manifests/install/server.pp
+++ b/manifests/install/server.pp
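Review bot: The new class `easy_ipa::install::server::redhat` carries only `# @api private` and nothing that says why the `idm` module stream is pinned to `DL1`; the motivation (the server-only DNS packages are not installable on EL8 until the stream is enabled) appears only in the following commit's message, so add a class comment such as `# @summary Enable the idm:DL1 module stream on EL8, which the IPA server DNS packages require`. Note also that with the `dnfmodule` provider a stream given in `ensure` installs the module's default profile as well as enabling the stream; if enabling alone is intended, as the commit title suggests, `enable_only => true` is available on newer Puppet releases and is worth checking against the Puppet version this module targets. The `versioncmp(fact('os.release.major'), '8') == 0` guard means EL7 and EL9 hosts skip the class entirely, which looks intended but would be clearer stated in the same comment.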
@@ -6,6 +6,15 @@
 require easy_ipa::install::server::redhat
 }
 
+ $dns_packages = [
+ 'ipa-server-dns',
+ 'bind-dyndb-ldap',
+ ]
+
+ if $easy_ipa::final_configure_dns_server {
+ ensure_packages($dns_packages)
+ }
+
 package { $easy_ipa::params::ipa_server_package_name:
 ensure => present,
 }
From c1e3191eb4d0942323949c9059b27f3b8e464482 Mon Sep 17 00:00:00 2001
From: Joshua Hoblitt
Date: Tue, 16 Aug 2022 15:32:04 -0700
Subject: [PATCH 14/78] rm creation of /etc/ipa/primary -- file has no purpose

---
 manifests/install/server/master.pp | 6 +-----
 manifests/install/server/replica.pp | 6 +-----
 2 files changed, 2 insertions(+), 10 deletions(-)

diff --git a/manifests/install/server/master.pp b/manifests/install/server/master.pp
index 9904cf94..c2f7ff81 100644
--- a/manifests/install/server/master.pp
+++ b/manifests/install/server/master.pp
@@ -23,11 +23,7 @@
 ${easy_ipa::opt_no_sshd} \
 --unattended"
 
- file { '/etc/ipa/primary':
- ensure => 'file',
- content => 'Added by IPA Puppet module. Designates primary master. Do not remove.',
- }
- -> exec { "server_install_${easy_ipa::ipa_server_fqdn}":
+ exec { "server_install_${easy_ipa::ipa_server_fqdn}":
 command => $server_install_cmd,
 timeout => 0,
 unless => '/usr/sbin/ipactl status >/dev/null 2>&1',
diff --git a/manifests/install/server/replica.pp b/manifests/install/server/replica.pp
index 2380b931..7f31a9d9 100644
--- a/manifests/install/server/replica.pp
+++ b/manifests/install/server/replica.pp
@@ -24,11 +24,7 @@
 --unattended"
 
 # TODO: config-show and grep for IPA\ masters
- file { '/etc/ipa/primary':
- ensure => 'file',
- content => 'Added by IPA Puppet module. Designates primary master. Do not remove.',
- }
- -> exec { "server_install_${easy_ipa::ipa_server_fqdn}":
+ exec { "server_install_${easy_ipa::ipa_server_fqdn}":
 command => $replica_install_cmd,
 timeout => 0,
 unless => '/usr/sbin/ipactl status >/dev/null 2>&1',
From 41844f1a76f4dd2e962abe60b14ef0f81d5739e9 Mon Sep 17 00:00:00 2001
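Review bot: `ensure_packages($dns_packages)` calls the un-namespaced stdlib function, which stdlib 9 deprecates in favour of the namespaced form; write `stdlib::ensure_packages($dns_packages)` so the module does not emit deprecation warnings on the stdlib releases it is otherwise being updated for. `$dns_packages` is also declared unconditionally although it is read only inside the `if $easy_ipa::final_configure_dns_server` branch; moving the array into that branch keeps the variable next to its single use. The `require easy_ipa::install::server::redhat` at the top of the class orders the module-stream enablement before these package resources, which matches the reason given in the commit message. The enclosing class continues outside the hunk.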
From: Joshua Hoblitt Date: Tue, 16 Aug 2022 16:16:29 -0700 Subject: [PATCH 15/78] rm easy_ipa::install_kstart param -- unused --- README.md | 3 --- REFERENCE.md | 10 +--------- manifests/init.pp | 4 ---- 3 files changed, 1 insertion(+), 16 deletions(-) diff --git a/README.md b/README.md index 56220db8..3a790b5f 100644 --- a/README.md +++ b/README.md @@ -216,9 +216,6 @@ If true, then the autofs packages are installed. #### `install_epel` If true, then the epel repo is installed. The epel repo is usually required for sssd packages. -#### `install_kstart` -If true, then the kstart packages are installed. - #### `install_ldaputils` If true, then the ldaputils packages are installed. diff --git a/REFERENCE.md b/REFERENCE.md index 17968220..8d1efbf6 100644 --- a/REFERENCE.md +++ b/REFERENCE.md @@ -27,6 +27,7 @@ #### Private Classes +* `easy_ipa::install::server::redhat` * `easy_ipa::validate_params`: Validates input configs from init.pp. ### Defined types @@ -79,7 +80,6 @@ The following parameters are available in the `easy_ipa` class: * [`idmax`](#-easy_ipa--idmax) * [`install_autofs`](#-easy_ipa--install_autofs) * [`install_epel`](#-easy_ipa--install_epel) -* [`install_kstart`](#-easy_ipa--install_kstart) * [`install_sssdtools`](#-easy_ipa--install_sssdtools) * [`install_ipa_client`](#-easy_ipa--install_ipa_client) * [`install_ipa_server`](#-easy_ipa--install_ipa_server) @@ -312,14 +312,6 @@ Data type: `Boolean` Default value: `true` -##### `install_kstart` - -Data type: `Boolean` - -(boolean) If true, then the kstart packages are installed. - -Default value: `true` - ##### `install_sssdtools` Data type: `Boolean` diff --git a/manifests/init.pp b/manifests/init.pp index 7bc3c7fa..02867a17 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
@@ -90,9 +90,6 @@
 # @param install_epel
 # (boolean) If true, then the epel repo is installed. The epel repo is usually required for sssd packages.
 #
-# @param install_kstart
-# (boolean) If true, then the kstart packages are installed.
-#
 # @param install_sssdtools
 # (boolean) If true, then the sssdtools packages are installed.
 #
@@ -183,7 +180,6 @@
 Variant[Integer,Undef] $idmax = undef,
 Boolean $install_autofs = false,
 Boolean $install_epel = true,
- Boolean $install_kstart = true,
 Boolean $install_sssdtools = true,
 Boolean $install_ipa_client = true,
 Boolean $install_ipa_server = true,
From 0e895e52a6132599f216513c5876ab0ab47e3337 Mon Sep 17 00:00:00 2001
From: Joshua Hoblitt
Date: Wed, 31 Aug 2022 15:15:20 -0700
Subject: [PATCH 16/78] rm easy_ipa::config::admin_user -- admin user account is unused

---
 REFERENCE.md | 9 +---
 manifests/config/admin_user.pp | 76 ----------------------------------
 manifests/init.pp | 7 ----
 manifests/install/server.pp | 1 -
 4 files changed, 1 insertion(+), 92 deletions(-)
 delete mode 100644 manifests/config/admin_user.pp

diff --git a/REFERENCE.md b/REFERENCE.md
index 8d1efbf6..1e9f46da 100644
--- a/REFERENCE.md
+++ b/REFERENCE.md
@@ -9,7 +9,6 @@
 #### Public Classes
 
 * [`easy_ipa`](#easy_ipa): Manages IPA masters, replicas and clients.
-* [`easy_ipa::config::admin_user`](#easy_ipa--config--admin_user): Manage admin user
 * [`easy_ipa::config::webui`](#easy_ipa--config--webui): Configures port and redirect overrides for the IPA server web UI.
 * [`easy_ipa::install`](#easy_ipa--install): Manage easy_ipa install
 * [`easy_ipa::install::autofs`](#easy_ipa--install--autofs): Manage autofs
@@ -234,7 +233,7 @@
 Data type: `Optional[String[1]]`
 
 (string) The password for the domain_join_principal.
 
-Default value: `undef`
+Default value: `$directory_services_password`
 
 ##### `enable_dns_updates`
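Review bot: Removing `Boolean $install_kstart = true` from the `easy_ipa` parameter list in the `@@ -183,7 +180,6 @@` hunk is a breaking interface change: any manifest still declaring `class { 'easy_ipa': install_kstart => ... }` fails to compile with an unknown-parameter error, even though the value was never used. If a transition is wanted, keep the parameter for one release and call stdlib's `deprecation()` when it is set; otherwise the removal should be recorded as breaking in the changelog and the next release should be a major version. Hiera keys for the parameter are simply no longer looked up, so only explicit declarations are affected. The class parameter list continues outside the hunk.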
@@ -460,10 +459,6 @@ Data type: `Boolean` Default value: `false` -### `easy_ipa::config::admin_user` - -Manage admin user - ### `easy_ipa::config::webui` Configures port and redirect overrides for the IPA server web UI. @@ -485,8 +480,6 @@ Manage ipa client This code is needed as the --mkhomedir parameter passed to ipa-client-install does not configure PAM even though it does install the required packages. -Currently Ubuntu 14.04/16.04 and Debian 8/9 are supported. - ### `easy_ipa::install::client::manual` "Manual" configuration of hosts which don't have the freeipa-client package. diff --git a/manifests/config/admin_user.pp b/manifests/config/admin_user.pp deleted file mode 100644 index ea46a176..00000000 --- a/manifests/config/admin_user.pp +++ /dev/null 
@@ -1,76 +0,0 @@ -# -# @summary Manage admin user -# -class easy_ipa::config::admin_user { - $uid_number = $easy_ipa::idstart - $home_dir_path = '/home/admin' - $keytab_path = "${home_dir_path}/admin.keytab" - $k5login_path = "${home_dir_path}/.k5login" - - # Ensure admin homedir and keytab files. - file { $home_dir_path: - ensure => directory, - mode => '0700', - owner => $uid_number, - group => $uid_number, - recurse => true, - require => Exec["server_install_${easy_ipa::ipa_server_fqdn}"], - } - - file { $k5login_path: - owner => $uid_number, - group => $uid_number, - seluser => 'user_u', - } - - # chown/chmod *after* file is created by kadmin.local - file { $keytab_path: - owner => $uid_number, - group => $uid_number, - mode => '0600', - } - - # Gives admin user the host/fqdn principal. - k5login { $k5login_path: - principals => $easy_ipa::master_principals, - notify => File[$k5login_path], - require => File[$home_dir_path], - } - - # Set keytab for admin user. - # kadmin.local must be run as `root` to log to `/var/log/kadmind.log` - $configure_admin_keytab_cmd = "/usr/sbin/kadmin.local -q \"ktadd -norandkey -k ${keytab_path} admin\" " - # kvno must be run as the `admin` user to function - $configure_admin_keytab_cmd_unless = "/sbin/runuser -l admin -c \"/usr/bin/kvno -k ${keytab_path} admin@${easy_ipa::final_realm}\"" - exec { 'configure_admin_keytab': - command => $configure_admin_keytab_cmd, - cwd => $home_dir_path, - unless => $configure_admin_keytab_cmd_unless, - require => File[$home_dir_path], - notify => File[$keytab_path], - } - - $k5start_admin_keytab_cmd = "/sbin/runuser -l admin -c \"/usr/bin/k5start -f ${keytab_path} -U\"" - $k5start_admin_keytab_cmd_unless = "/sbin/runuser -l admin -c /usr/bin/klist | grep -i krbtgt\\/${easy_ipa::final_realm}\\@" - exec { 'k5start_admin_keytab': - command => $k5start_admin_keytab_cmd, - cwd => $home_dir_path, - unless => $k5start_admin_keytab_cmd_unless, - require => [ - File[$k5login_path], - File[$keytab_path], 
- Cron['k5start_admin'], - ], - } - - # Automatically refreshes admin keytab. - cron { 'k5start_admin': - command => "/usr/bin/k5start -f ${keytab_path} -U > /dev/null 2>&1", - user => 'admin', - minute => '*/1', - require => [ - File[$k5login_path], - File[$keytab_path], - ], - } -} diff --git a/manifests/init.pp b/manifests/init.pp index 02867a17..d251426f 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -208,13 +208,6 @@ default => $realm, } - $master_principals = suffix( - prefix([$ipa_server_fqdn], - 'host/' - ), - "@${final_realm}" - ) - if $ipa_role == 'client' { $final_configure_dns_server = false } else { diff --git a/manifests/install/server.pp b/manifests/install/server.pp index 056a9ff3..0837d730 100644 --- a/manifests/install/server.pp +++ b/manifests/install/server.pp @@ -166,5 +166,4 @@ } easy_ipa::helpers::flushcache { "server_${easy_ipa::ipa_server_fqdn}": } - contain easy_ipa::config::admin_user } From 61789959bc3675013ce428ca6003064d947c4520 Mon Sep 17 00:00:00 2001 From: Joshua Hoblitt Date: Tue, 12 Sep 2023 15:04:45 -0700 Subject: [PATCH 17/78] rm easy_ipa::webui_disable_kerberos param -- unused --- README.md | 1 - REFERENCE.md | 9 --------- manifests/init.pp | 4 ---- 3 files changed, 14 deletions(-) diff --git a/README.md b/README.md index 3a790b5f..67ee1eae 100644 --- a/README.md +++ b/README.md @@ -40,7 +40,6 @@ class {'easy_ipa': enable_hostname => true, manage_host_entry => true, install_epel => true, - webui_disable_kerberos => true, webui_enable_proxy => true, webui_force_https => true, } diff --git a/REFERENCE.md b/REFERENCE.md index 1e9f46da..fe98838c 100644 --- a/REFERENCE.md +++ b/REFERENCE.md 
@@ -91,7 +91,6 @@ The following parameters are available in the `easy_ipa` class: * [`no_ui_redirect`](#-easy_ipa--no_ui_redirect) * [`realm`](#-easy_ipa--realm) * [`server_install_ldaputils`](#-easy_ipa--server_install_ldaputils) -* [`webui_disable_kerberos`](#-easy_ipa--webui_disable_kerberos) * [`webui_enable_proxy`](#-easy_ipa--webui_enable_proxy) * [`webui_force_https`](#-easy_ipa--webui_force_https) * [`webui_proxy_external_fqdn`](#-easy_ipa--webui_proxy_external_fqdn) @@ -408,14 +407,6 @@ Data type: `Boolean` Default value: `true` -##### `webui_disable_kerberos` - -Data type: `Boolean` - -Disable webui kerberos. - -Default value: `false` - ##### `webui_enable_proxy` Data type: `Boolean` diff --git a/manifests/init.pp b/manifests/init.pp index d251426f..5ed923cf 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -127,9 +127,6 @@ # @param server_install_ldaputils # (boolean) If true, then the ldaputils packages are installed if ipa_role is not set to client. # -# @param webui_disable_kerberos -# Disable webui kerberos. -# # @param webui_enable_proxy # (boolean) If true, then httpd is configured to act as a reverse proxy for the IPA Web UI. This allows # for the Web UI to be accessed from different ports and hostnames than the default. @@ -192,7 +189,6 @@ Boolean $no_ui_redirect = false, Optional[Stdlib::Fqdn] $realm = undef, Boolean $server_install_ldaputils = true, - Boolean $webui_disable_kerberos = false, Boolean $webui_enable_proxy = false, Boolean $webui_force_https = false, String $webui_proxy_external_fqdn = 'localhost', From 5696e30bf944a78cb3b06decbd36c75257e8c947 Mon Sep 17 00:00:00 2001 From: Joshua Hoblitt Date: Tue, 12 Sep 2023 15:07:30 -0700 Subject: [PATCH 18/78] rm easy_ipa::webui_force_https param -- unused --- README.md | 6 ------ REFERENCE.md | 11 ----------- manifests/init.pp | 6 ------ 3 files changed, 23 deletions(-) diff --git a/README.md b/README.md index 67ee1eae..b4259896 100644 --- a/README.md +++ b/README.md 
@@ -41,7 +41,6 @@ class {'easy_ipa': manage_host_entry => true, install_epel => true, webui_enable_proxy => true, - webui_force_https => true, } ``` @@ -277,11 +276,6 @@ Suppress setting Negotiate headers based on BrowserMatch. Not sending these head If true, then httpd is configured to act as a reverse proxy for the IPA Web UI. This allows for the Web UI to be accessed from different ports and hostnames than the default. -#### `webui_force_https` -If true, then /etc/httpd/conf.d/ipa-rewrite.conf is modified to force all connections to https. -This is necessary to allow the WebUI to be accessed behind a reverse proxy when using nonstandard -ports. - #### `webui_proxy_external_fqdn` The public or external FQDN used to access the IPA Web UI behind the reverse proxy. diff --git a/REFERENCE.md b/REFERENCE.md index fe98838c..7cbf6a3d 100644 --- a/REFERENCE.md +++ b/REFERENCE.md @@ -92,7 +92,6 @@ The following parameters are available in the `easy_ipa` class: * [`realm`](#-easy_ipa--realm) * [`server_install_ldaputils`](#-easy_ipa--server_install_ldaputils) * [`webui_enable_proxy`](#-easy_ipa--webui_enable_proxy) -* [`webui_force_https`](#-easy_ipa--webui_force_https) * [`webui_proxy_external_fqdn`](#-easy_ipa--webui_proxy_external_fqdn) * [`webui_proxy_https_port`](#-easy_ipa--webui_proxy_https_port) * [`adjust_login_defs`](#-easy_ipa--adjust_login_defs) @@ -416,16 +415,6 @@ Data type: `Boolean` Default value: `false` -##### `webui_force_https` - -Data type: `Boolean` - -(boolean) If true, then /etc/httpd/conf.d/ipa-rewrite.conf is modified to force all connections to https. - This is necessary to allow the WebUI to be accessed behind a reverse proxy when using nonstandard - ports. - -Default value: `false` - ##### `webui_proxy_external_fqdn` Data type: `String` diff --git a/manifests/init.pp b/manifests/init.pp index 5ed923cf..0192d68c 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
@@ -131,11 +131,6 @@ # (boolean) If true, then httpd is configured to act as a reverse proxy for the IPA Web UI. This allows # for the Web UI to be accessed from different ports and hostnames than the default. # -# @param webui_force_https -# (boolean) If true, then /etc/httpd/conf.d/ipa-rewrite.conf is modified to force all connections to https. -# This is necessary to allow the WebUI to be accessed behind a reverse proxy when using nonstandard -# ports. -# # @param webui_proxy_external_fqdn # (string) The public or external FQDN used to access the IPA Web UI behind the reverse proxy. # @@ -190,7 +185,6 @@ Optional[Stdlib::Fqdn] $realm = undef, Boolean $server_install_ldaputils = true, Boolean $webui_enable_proxy = false, - Boolean $webui_force_https = false, String $webui_proxy_external_fqdn = 'localhost', String $webui_proxy_https_port = '8440', Boolean $adjust_login_defs = false, From 86aed086896a4d311dc802316a4ddaabec39c029 Mon Sep 17 00:00:00 2001 From: Joshua Hoblitt Date: Mon, 15 Aug 2022 11:32:08 -0700 Subject: [PATCH 19/78] add trivial acceptance spec --- .github/workflows/ci.yml | 4 +++- examples/init.pp | 1 - examples/master.pp | 11 +++++++++++ spec/acceptance/master_spec.rb | 16 ++++++++++++++++ spec/support/acceptance/setup.rb | 15 +++++++++++++++ 5 files changed, 45 insertions(+), 2 deletions(-) delete mode 100644 examples/init.pp create mode 100644 examples/master.pp create mode 100644 spec/acceptance/master_spec.rb create mode 100644 spec/support/acceptance/setup.rb diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index a3e46cf2..afe68f82 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -13,4 +13,6 @@ concurrency: jobs: puppet: name: Puppet - uses: voxpupuli/gha-puppet/.github/workflows/basic.yml@v2 + uses: voxpupuli/gha-puppet/.github/workflows/beaker.yml@v2 + with: + pidfile_workaround: 'false' diff --git a/examples/init.pp b/examples/init.pp deleted file mode 100644 index 8f8fc5de..00000000 
--- a/examples/init.pp +++ /dev/null @@ -1 +0,0 @@ -include easy_ipa diff --git a/examples/master.pp b/examples/master.pp new file mode 100644 index 00000000..b3cef643 --- /dev/null +++ b/examples/master.pp @@ -0,0 +1,11 @@ +include cron # easy_ipa needs cron to be installed + +class { 'easy_ipa': + ipa_role => 'master', + domain => 'rspec.example.lan', + admin_password => 'rspecrspec123', + directory_services_password => 'rspecrspec123', + idstart => 70000, + configure_dns_server => false, + configure_ntp => false, +} diff --git a/spec/acceptance/master_spec.rb b/spec/acceptance/master_spec.rb new file mode 100644 index 00000000..04909764 --- /dev/null +++ b/spec/acceptance/master_spec.rb @@ -0,0 +1,16 @@ +# frozen_string_literal: true + +require 'spec_helper_acceptance' + +# server/replica is only supported on Redhat +if fact_on('master', 'os.family') == 'RedHat' + describe 'easy_ipa class' do + include_examples 'the example', 'master.pp', 'master' + end +end + +if fact_on('client', 'os.family') == 'RedHat' + describe 'easy_ipa class' do + include_examples 'the example', 'client.pp', 'client' + end +end diff --git a/spec/support/acceptance/setup.rb b/spec/support/acceptance/setup.rb new file mode 100644 index 00000000..dd32964d --- /dev/null +++ b/spec/support/acceptance/setup.rb @@ -0,0 +1,15 @@ +# frozen_string_literal: true + +configure_beaker(modules: :metadata) do |host| + on(host, 'sysctl -w net.ipv6.conf.lo.disable_ipv6=0') + # disable sticky bit owner enforcement for ipa 4.6/EL7 + # https://bugzilla.redhat.com/show_bug.cgi?id=1677027 + # https://pagure.io/freeipa/c/87496d647706462fa8a10bbea5637104153146b2 + on(host, 'sysctl -w fs.protected_regular=0') + install_puppet_module_via_pmt_on(host, 'puppet/cron') + + if fact_on(host, 'os.family') == 'RedHat' && fact_on(host, 'os.release.major') == '7' + # https://cstan.io/?p=12175&lang=en + on(host, 'yum update -y') + end +end From 87ff6693a46e4e4ea69fae38bf7d0d7e7769cea5 Mon Sep 17 00:00:00 2001 
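Review bot: The new examples/master.pp declares `admin_password` and `directory_services_password` as plain literals with nothing saying they are disposable test credentials, and examples/ ships with the module and is the first thing users copy. A one-line comment above the class declaration, `# throwaway credentials used only by spec/acceptance; never reuse them`, makes the intent explicit. The values themselves are not secret, so no change to the manifest body is needed.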
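Review bot: The second `describe` block in spec/acceptance/master_spec.rb includes `'the example', 'client.pp', 'client'`, but this commit only adds examples/master.pp and the diffstat lists no examples/client.pp, so the client block has no manifest to apply if a host named `client` is in the nodeset. Either add the client example in the same commit or drop that block until it exists. The RedHat-only guard on the client block also looks inconsistent with the Debian client support elsewhere in the module; if it is intentional, a comment mirroring the one above the master block, `# client acceptance is currently exercised on RedHat only`, would say so.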
From: Joshua Hoblitt Date: Wed, 25 Oct 2023 14:50:16 -0700 Subject: [PATCH 20/78] rm monit support --- REFERENCE.md | 22 ---------------------- manifests/monit/server.pp | 33 --------------------------------- templates/ipa.monit.erb | 5 ----- templates/ipa.sh.erb | 15 --------------- 4 files changed, 75 deletions(-) delete mode 100644 manifests/monit/server.pp delete mode 100644 templates/ipa.monit.erb delete mode 100644 templates/ipa.sh.erb diff --git a/REFERENCE.md b/REFERENCE.md index 7cbf6a3d..5c6bf2ed 100644 --- a/REFERENCE.md +++ b/REFERENCE.md @@ -19,7 +19,6 @@ * [`easy_ipa::install::server::master`](#easy_ipa--install--server--master): Manage primary server * [`easy_ipa::install::server::replica`](#easy_ipa--install--server--replica): Manage replica install * [`easy_ipa::install::sssd`](#easy_ipa--install--sssd): Manage sssd install -* [`easy_ipa::monit::server`](#easy_ipa--monit--server): Manage easy_ipa::monit::server * [`easy_ipa::named`](#easy_ipa--named): Prepare the integrated named-pkcs11 service for local configuration * [`easy_ipa::packetfilter::server`](#easy_ipa--packetfilter--server): Install packet filtering rules for FreeIPA. * [`easy_ipa::params`](#easy_ipa--params): Prevent havoc on unsupported operating systems. @@ -480,27 +479,6 @@ Manage replica install Manage sssd install -### `easy_ipa::monit::server` - -Monitor FreeIPA server processes using monit - -This class depends on puppetfinland-monit module - -#### Parameters - -The following parameters are available in the `easy_ipa::monit::server` class: - -* [`email`](#-easy_ipa--monit--server--email) - -##### `email` - -Data type: `String` - -Email address to send notifications to. Defaults to top-scope variable -$::servermonitor. - -Default value: `$facts['servermonitor']` - ### `easy_ipa::named` fragments. diff --git a/manifests/monit/server.pp b/manifests/monit/server.pp deleted file mode 100644 index 6e9a6081..00000000 --- a/manifests/monit/server.pp +++ /dev/null 
@@ -1,33 +0,0 @@ -# -# @summary Manage easy_ipa::monit::server -# -# Monitor FreeIPA server processes using monit -# -# This class depends on puppetfinland-monit module -# -# @param email -# Email address to send notifications to. Defaults to top-scope variable -# $::servermonitor. -# -class easy_ipa::monit::server ( - String $email = $facts['servermonitor'], -) { - @monit::fragment { 'ipa.monit': - ensure => 'present', - modulename => 'easy_ipa', - basename => 'ipa', - tag => 'default', - } - - @file { 'ipa.sh': - ensure => 'file', - name => "${facts['monit::params::fragment_dir']}/ipa.sh", - content => template('easy_ipa/ipa.sh.erb'), - owner => 'root', - group => 'root', - mode => '0700', - notify => Class['monit::service'], - require => Class['monit'], - tag => 'monit', - } -} diff --git a/templates/ipa.monit.erb b/templates/ipa.monit.erb deleted file mode 100644 index 35a0117c..00000000 --- a/templates/ipa.monit.erb +++ /dev/null @@ -1,5 +0,0 @@ -### THIS FILE IS MANAGED BY PUPPET. ANY MANUAL CHANGES WILL GET OVERWRITTEN. -# -check program ipa with path <%= scope['::monit::params::fragment_dir'] %>/ipa.sh timeout 30 seconds - if status != 0 then alert - alert <%= scope['::easy_ipa::monit::server::email'] %> diff --git a/templates/ipa.sh.erb b/templates/ipa.sh.erb deleted file mode 100644 index 6a0549df..00000000 --- a/templates/ipa.sh.erb +++ /dev/null @@ -1,15 +0,0 @@ -#!/bin/sh -# -# Simple script for detecting if any of the IPA services are in stopped state - -PATH=$PATH:/bin:/sbin:/usr/bin:/usr/sbin - -ipactl status 2> /dev/null|grep STOPPED > /tmp/ipactl-status.log - -# This means some service is STOPPED -if [ $? -eq 0 ]; then - cat /tmp/ipactl-status.log - exit 1 -else - exit 0 -fi From 6175331350c951b662469d9ad7891dabecf88a86 Mon Sep 17 00:00:00 2001 
From: Joshua Hoblitt Date: Wed, 25 Oct 2023 14:55:01 -0700 Subject: [PATCH 21/78] rm easy_ipa::install::client::manual -- no test coverage It is unknown if this code is working. --- REFERENCE.md | 5 ----- manifests/install/client.pp | 5 ----- manifests/install/client/manual.pp | 32 ------------------------------ templates/krb5.conf.erb | 29 --------------------------- templates/ldap.conf.erb | 31 ----------------------------- templates/sssd.conf.erb | 31 ----------------------------- 6 files changed, 133 deletions(-) delete mode 100644 manifests/install/client/manual.pp delete mode 100644 templates/krb5.conf.erb delete mode 100644 templates/ldap.conf.erb delete mode 100755 templates/sssd.conf.erb diff --git a/REFERENCE.md b/REFERENCE.md index 5c6bf2ed..c62f7d83 100644 --- a/REFERENCE.md +++ b/REFERENCE.md @@ -14,7 +14,6 @@ * [`easy_ipa::install::autofs`](#easy_ipa--install--autofs): Manage autofs * [`easy_ipa::install::client`](#easy_ipa--install--client): Manage ipa client * [`easy_ipa::install::client::debian`](#easy_ipa--install--client--debian): Ensure that home directories get created on Debian and Ubuntu clients. -* [`easy_ipa::install::client::manual`](#easy_ipa--install--client--manual): "Manual" configuration of hosts which don't have the freeipa-client package. * [`easy_ipa::install::server`](#easy_ipa--install--server): Manage IPA server install * [`easy_ipa::install::server::master`](#easy_ipa--install--server--master): Manage primary server * [`easy_ipa::install::server::replica`](#easy_ipa--install--server--replica): Manage replica install @@ -459,10 +458,6 @@ Manage ipa client This code is needed as the --mkhomedir parameter passed to ipa-client-install does not configure PAM even though it does install the required packages. -### `easy_ipa::install::client::manual` - -"Manual" configuration of hosts which don't have the freeipa-client package. - ### `easy_ipa::install::server` Manage IPA server install 
diff --git a/manifests/install/client.pp b/manifests/install/client.pp index 8b11e1d0..de7c087b 100644 --- a/manifests/install/client.pp +++ b/manifests/install/client.pp @@ -70,9 +70,6 @@ ${easy_ipa::opt_no_sshd} \ --unattended" - # Some platforms require "manual" setup as they don't have the freeipa-client - # package. - # if $easy_ipa::params::ipa_client_package_ensure == 'present' { exec { "client_install_${facts['networking']['fqdn']}": command => $client_install_cmd, @@ -84,8 +81,6 @@ provider => 'shell', require => Package['ipa-client'], } - } else { - contain easy_ipa::install::client::manual } if $facts['os']['family'] == 'Debian' and $easy_ipa::mkhomedir { diff --git a/manifests/install/client/manual.pp b/manifests/install/client/manual.pp deleted file mode 100644 index 9587c31d..00000000 --- a/manifests/install/client/manual.pp +++ /dev/null @@ -1,32 +0,0 @@ -# -# @summary "Manual" configuration of hosts which don't have the freeipa-client package. -# -class easy_ipa::install::client::manual { - # Generate LDAP base DN from the domain (e.g. dc=vagrant,dc=example,dc=lan) - $ldap_base_temp = regsubst($easy_ipa::domain, '\.',',dc=', 'G') - $ldap_base = regsubst($ldap_base_temp, '^', 'dc=') - - File { - ensure => 'present', - owner => 'root', - group => 'root', - mode => '0644', - } - - file { '/etc/krb5.conf': - content => template('easy_ipa/krb5.conf.erb'), - } - - file { '/etc/ldap/ldap.conf': - content => template('easy_ipa/ldap.conf.erb'), - } - - file { '/etc/sssd/sssd.conf': - content => template('easy_ipa/sssd.conf.erb'), - mode => '0600', - } - - package { 'krb5-user': - ensure => 'present', - } -} diff --git a/templates/krb5.conf.erb b/templates/krb5.conf.erb deleted file mode 100644 index 474033bc..00000000 --- a/templates/krb5.conf.erb +++ /dev/null 
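Review bot: With the `else { contain easy_ipa::install::client::manual }` branch removed, the surrounding `if $easy_ipa::params::ipa_client_package_ensure == 'present'` guard now silently skips the entire client install whenever the condition is false, and the params.pp hunk later in this series shows that value set to 'present' for both RedHat and Debian, so the guard is either vestigial or a silent no-op. Either drop the condition or make the fallthrough explicit, e.g. `} else { fail("ipa-client install is not supported when ipa_client_package_ensure is '${easy_ipa::params::ipa_client_package_ensure}'") }`. Separately, if `$client_install_cmd` (built above this hunk) still passes the join password as a `--password=` argument, it is visible in the process table while the exec runs and in any logged command on failure; a comment on the exec noting that exposure would help the next maintainer. The enclosing class body continues outside the hunk.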
@@ -1,29 +0,0 @@ -# FILE MANAGED BY PUPPET. ALL MANUAL CHANGES WILL BE OVERWRITTEN. - -includedir /var/lib/sss/pubconf/krb5.include.d/ - -[libdefaults] - default_realm = <%= scope['easy_ipa::final_realm'] %> - dns_lookup_realm = false - dns_lookup_kdc = false - rdns = false - ticket_lifetime = 24h - forwardable = true - udp_preference_limit = 0 - default_ccache_name = KEYRING:persistent:%{uid} - - -[realms] - <%= scope['easy_ipa::final_realm'] %> = { - kdc = <%= scope['easy_ipa::ipa_master_fqdn'] %>:88 - master_kdc = <%= scope['easy_ipa::ipa_master_fqdn'] %>:88 - admin_server = <%= scope['easy_ipa::ipa_master_fqdn'] %>:749 - default_domain = <%= scope['easy_ipa::domain'] %> - pkinit_anchors = FILE:/etc/ipa/ca.crt - - } - -[domain_realm] - .<%= scope['easy_ipa::domain'] %> = <%= scope['easy_ipa::final_realm'] %> - <%= scope['easy_ipa::domain'] %> = <%= scope['easy_ipa::final_realm'] %> - diff --git a/templates/ldap.conf.erb b/templates/ldap.conf.erb deleted file mode 100644 index 925411dc..00000000 --- a/templates/ldap.conf.erb +++ /dev/null 
@@ -1,31 +0,0 @@ -# FILE MANAGED BY PUPPET. ALL MANUAL CHANGES WILL BE OVERWRITTEN. - -# We do not want to break your existing configuration, hence: -# URI, BASE and TLS_CACERT have been added if they were not set. -# In case any of them were set, a comment with trailing note -# "# modified by IPA" note has been inserted. -# To use IPA server with openLDAP tools, please comment out your -# existing configuration for these options and uncomment the -# corresponding lines generated by IPA. - - -# -# LDAP Defaults -# - -# See ldap.conf(5) for details -# This file should be world readable but not world writable. - -#BASE dc=example,dc=com -#URI ldap://ldap.example.com ldap://ldap-master.example.com:666 - -#SIZELIMIT 12 -#TIMELIMIT 15 -#DEREF never - -# TLS certificates (needed for GnuTLS) -#TLS_CACERT /etc/ipa/ca.crt # modified by IPA -TLS_CACERT /etc/ssl/certs/ca-certificates.crt - -URI ldaps://<%= scope['easy_ipa::ipa_master_fqdn'] %> -BASE <%= @ldap_base %> diff --git a/templates/sssd.conf.erb b/templates/sssd.conf.erb deleted file mode 100755 index bd92bd4b..00000000 --- a/templates/sssd.conf.erb +++ /dev/null @@ -1,31 +0,0 @@ -[domain/<%= scope['easy_ipa::domain'] %>] - -cache_credentials = True -krb5_store_password_if_offline = True -ipa_domain = <%= scope['easy_ipa::domain'] %> -id_provider = ipa -auth_provider = ipa -access_provider = ipa -ipa_hostname = <%= @fqdn %> -chpass_provider = ipa -ipa_server = _srv_, <%= scope['easy_ipa::ipa_master_fqdn'] %> -ldap_tls_cacert = /etc/ipa/ca.crt -[sssd] -services = nss, sudo, pam, ssh - -domains = <%= scope['easy_ipa::domain'] %> -[nss] -homedir_substring = /home - -[pam] - -[sudo] - -[autofs] - -[ssh] - -[pac] - -[ifp] - From 7ae4075b58004c5c6430da602cb250173413c302 Mon Sep 17 00:00:00 2001 
From: Joshua Hoblitt Date: Wed, 25 Oct 2023 15:02:49 -0700 Subject: [PATCH 22/78] rm {client,server}_install_ldaputils params Along with support for installing openldap as no functionality in this module depends upon the ldap packages being installed. --- REFERENCE.md | 18 ------------------ manifests/init.pp | 8 -------- manifests/install/client.pp | 6 ------ manifests/install/server.pp | 6 ------ manifests/params.pp | 2 -- spec/classes/ipa_spec.rb | 9 --------- 6 files changed, 49 deletions(-) diff --git a/REFERENCE.md b/REFERENCE.md index c62f7d83..8983e8b6 100644 --- a/REFERENCE.md +++ b/REFERENCE.md @@ -59,7 +59,6 @@ The following parameters are available in the `easy_ipa` class: * [`directory_services_password`](#-easy_ipa--directory_services_password) * [`allow_zone_overlap`](#-easy_ipa--allow_zone_overlap) * [`no_dnssec_validation`](#-easy_ipa--no_dnssec_validation) -* [`client_install_ldaputils`](#-easy_ipa--client_install_ldaputils) * [`configure_dns_server`](#-easy_ipa--configure_dns_server) * [`configure_replica_ca`](#-easy_ipa--configure_replica_ca) * [`configure_ntp`](#-easy_ipa--configure_ntp) @@ -88,7 +87,6 @@ The following parameters are available in the `easy_ipa` class: * [`mkhomedir`](#-easy_ipa--mkhomedir) * [`no_ui_redirect`](#-easy_ipa--no_ui_redirect) * [`realm`](#-easy_ipa--realm) -* [`server_install_ldaputils`](#-easy_ipa--server_install_ldaputils) * [`webui_enable_proxy`](#-easy_ipa--webui_enable_proxy) * [`webui_proxy_external_fqdn`](#-easy_ipa--webui_proxy_external_fqdn) * [`webui_proxy_https_port`](#-easy_ipa--webui_proxy_https_port) @@ -154,14 +152,6 @@ Data type: `Boolean` Default value: `false` -##### `client_install_ldaputils` - -Data type: `Boolean` - -(boolean) If true, then the ldaputils packages are installed if ipa_role is set to client. - -Default value: `false` - ##### `configure_dns_server` Data type: `Boolean` 
@@ -396,14 +386,6 @@ Data type: `Optional[Stdlib::Fqdn]` Default value: `undef` -##### `server_install_ldaputils` - -Data type: `Boolean` - -(boolean) If true, then the ldaputils packages are installed if ipa_role is not set to client. - -Default value: `true` - ##### `webui_enable_proxy` Data type: `Boolean` diff --git a/manifests/init.pp b/manifests/init.pp index 0192d68c..fad3515b 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -27,9 +27,6 @@ # @param no_dnssec_validation # (boolean) if set to true, DNSSEC validation is disabled. # -# @param client_install_ldaputils -# (boolean) If true, then the ldaputils packages are installed if ipa_role is set to client. -# # @param configure_dns_server # (boolean) If true, then the parameter '--setup-dns' is passed to the IPA server installer. # Also, triggers the install of the required dns server packages. @@ -124,9 +121,6 @@ # @param realm # (string) The name of the IPA realm to create or join. # -# @param server_install_ldaputils -# (boolean) If true, then the ldaputils packages are installed if ipa_role is not set to client. -# # @param webui_enable_proxy # (boolean) If true, then httpd is configured to act as a reverse proxy for the IPA Web UI. This allows # for the Web UI to be accessed from different ports and hostnames than the default. @@ -154,7 +148,6 @@ Optional[String[8]] $directory_services_password = undef, Boolean $allow_zone_overlap = false, Boolean $no_dnssec_validation = false, - Boolean $client_install_ldaputils = false, Boolean $configure_dns_server = true, Boolean $configure_replica_ca = false, Boolean $configure_ntp = true, @@ -183,7 +176,6 @@ Boolean $mkhomedir = true, Boolean $no_ui_redirect = false, Optional[Stdlib::Fqdn] $realm = undef, - Boolean $server_install_ldaputils = true, Boolean $webui_enable_proxy = false, String $webui_proxy_external_fqdn = 'localhost', String $webui_proxy_https_port = '8440', 
diff --git a/manifests/install/client.pp b/manifests/install/client.pp index de7c087b..efad9579 100644 --- a/manifests/install/client.pp +++ b/manifests/install/client.pp @@ -11,12 +11,6 @@ ensure => present, } - if $easy_ipa::client_install_ldaputils { - package { $easy_ipa::params::ldaputils_package_name: - ensure => present, - } - } - if $easy_ipa::mkhomedir { $client_install_cmd_opts_mkhomedir = '--mkhomedir' } else { diff --git a/manifests/install/server.pp b/manifests/install/server.pp index 0837d730..f06be14c 100644 --- a/manifests/install/server.pp +++ b/manifests/install/server.pp @@ -23,12 +23,6 @@ ensure => present, } - if $easy_ipa::server_install_ldaputils { - package { $easy_ipa::params::ldaputils_package_name: - ensure => present, - } - } - $server_install_cmd_opts_idstart = "--idstart=${easy_ipa::idstart}" # Newer installers clash with both default UID_MAX and GID_MAX diff --git a/manifests/params.pp b/manifests/params.pp index 5c8ba21c..22860eb8 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -9,14 +9,12 @@ class easy_ipa::params { case $facts['os']['family'] { 'RedHat': { - $ldaputils_package_name = 'openldap-clients' $ipa_client_package_name = 'ipa-client' $ipa_client_package_ensure = 'present' $named_conf_d = '/etc/named/conf.d' } 'Debian': { $ipa_client_package_ensure = 'present' - $ldaputils_package_name = 'ldap-utils' $ipa_client_package_name = 'freeipa-client' } default: { diff --git a/spec/classes/ipa_spec.rb b/spec/classes/ipa_spec.rb index 12ba5279..33f81a2b 100644 --- a/spec/classes/ipa_spec.rb +++ b/spec/classes/ipa_spec.rb @@ -71,9 +71,6 @@ case facts[:os]['family'] when 'RedHat' it { is_expected.to contain_package('epel-release') } - it { is_expected.to contain_package('openldap-clients') } - when 'Debian' - it { is_expected.to contain_package('ldap-utils') } end end 
@@ -248,9 +245,6 @@ case facts[:os]['family'] when 'RedHat' it { is_expected.to contain_package('epel-release') } - it { is_expected.to contain_package('openldap-clients') } - when 'Debian' - it { is_expected.to contain_package('ldap-utils') } end end @@ -355,9 +349,6 @@ case facts[:os]['family'] when 'RedHat' it { is_expected.to contain_package('epel-release') } - it { is_expected.not_to contain_package('openldap-clients') } - when 'Debian' - it { is_expected.not_to contain_package('ldap-utils') } end end From f1a4789011fb26340203e2512af7a0e0019ee735 Mon Sep 17 00:00:00 2001 From: Joshua Hoblitt Date: Wed, 25 Oct 2023 15:20:38 -0700 Subject: [PATCH 23/78] drop support for debian 10 -- no freeipa-client package --- metadata.json | 1 - 1 file changed, 1 deletion(-) diff --git a/metadata.json b/metadata.json index bf54703d..f4a7f1e3 100644 --- a/metadata.json +++ b/metadata.json @@ -47,7 +47,6 @@ { "operatingsystem": "Debian", "operatingsystemrelease": [ - "10", "11", "12" ] From 46ad61d94810c169269320c38b885950cbc26fc0 Mon Sep 17 00:00:00 2001 From: Joshua Hoblitt Date: Wed, 25 Oct 2023 15:23:22 -0700 Subject: [PATCH 24/78] rm uid_max & gid_max facts These facts are unnecessary for declarative puppet code. --- lib/facter/gid_max.rb | 8 -------- lib/facter/uid_max.rb | 8 -------- manifests/install/server.pp | 9 +++------ 3 files changed, 3 insertions(+), 22 deletions(-) delete mode 100644 lib/facter/gid_max.rb delete mode 100644 lib/facter/uid_max.rb diff --git a/lib/facter/gid_max.rb b/lib/facter/gid_max.rb deleted file mode 100644 index 0eddc9f6..00000000 --- a/lib/facter/gid_max.rb +++ /dev/null @@ -1,8 +0,0 @@ -# frozen_string_literal: true - -Facter.add(:gid_max) do - setcode do - lines = File.readlines('/etc/login.defs') - lines.find { |line| line.start_with?('GID_MAX') }.split[1].strip.to_i - end -end diff --git a/lib/facter/uid_max.rb b/lib/facter/uid_max.rb deleted file mode 100644 index 9b668b30..00000000 --- a/lib/facter/uid_max.rb +++ /dev/null 
@@ -1,8 +0,0 @@ -# frozen_string_literal: true - -Facter.add(:uid_max) do - setcode do - lines = File.readlines('/etc/login.defs') - lines.find { |line| line.start_with?('UID_MAX') }.split[1].strip.to_i - end -end diff --git a/manifests/install/server.pp b/manifests/install/server.pp index f06be14c..890c5cc9 100644 --- a/manifests/install/server.pp +++ b/manifests/install/server.pp @@ -29,12 +29,9 @@ # Note: SUB_* only affect user/group mapping in containers, so not of # concern here if $easy_ipa::adjust_login_defs { - if $easy_ipa::idstart < $facts['uid_max'] { - $uid_max_value = $easy_ipa::idstart -1 - } - if $easy_ipa::idstart < $facts['gid_max'] { - $gid_max_value = $easy_ipa::idstart -1 - } + $uid_max_value = $easy_ipa::idstart -1 + $gid_max_value = $easy_ipa::idstart -1 + file_line { default: path => '/etc/login.defs', From 6f9658dadd5875884b4624b405c66d3cfd2346c6 Mon Sep 17 00:00:00 2001 From: Joshua Hoblitt Date: Wed, 25 Oct 2023 15:30:15 -0700 Subject: [PATCH 25/78] fix & dedup /etc/login.defs logic --- manifests/init.pp | 13 ++++++++----- manifests/install/server.pp | 23 ----------------------- 2 files changed, 8 insertions(+), 28 deletions(-) diff --git a/manifests/init.pp b/manifests/init.pp index fad3515b..56c55125 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -206,19 +206,22 @@ default => '--no-sshd', } - if $adjust_login_defs { + if $easy_ipa::adjust_login_defs { + $uid_max_value = $easy_ipa::idstart -1 + $gid_max_value = $easy_ipa::idstart -1 + file_line { default: path => '/etc/login.defs', replace => true, ; 'adjust uid max': - line => "UID_MAX\t11999", - match => '^UID_MAX\s*60000$', + line => "UID_MAX\t${uid_max_value}", + match => '^UID_MAX.*$', ; 'adjust gid max': - line => "GID_MAX\t11999", - match => '^GID_MAX\s*60000$', + line => "GID_MAX\t${gid_max_value}", + match => '^GID_MAX.*$', ; } } diff --git a/manifests/install/server.pp b/manifests/install/server.pp index 890c5cc9..fc4b99ff 100644 --- a/manifests/install/server.pp 
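Review bot: The `file_line` block now lives in the `easy_ipa` class itself rather than in `easy_ipa::install::server`, so when `adjust_login_defs` is true it rewrites `/etc/login.defs` on client nodes as well as servers; if that is intended, the `@param adjust_login_defs` doc (outside this hunk) should say so, otherwise wrap it in `if $ipa_role != 'client'`. Also `$uid_max_value = $easy_ipa::idstart -1` is written unconditionally with no lower bound, so a small `idstart` yields a `UID_MAX` below the distribution's `UID_MIN` (commonly 1000) and breaks local account creation; a check in validate_params such as `if $easy_ipa::adjust_login_defs and $easy_ipa::idstart <= 1000 { fail('idstart must exceed UID_MIN when adjust_login_defs is true') }` would catch that at catalog compile time. The widened `match => '^UID_MAX.*$'` is fine since it stays anchored at line start.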
+++ b/manifests/install/server.pp @@ -25,29 +25,6 @@ $server_install_cmd_opts_idstart = "--idstart=${easy_ipa::idstart}" - # Newer installers clash with both default UID_MAX and GID_MAX - # Note: SUB_* only affect user/group mapping in containers, so not of - # concern here - if $easy_ipa::adjust_login_defs { - $uid_max_value = $easy_ipa::idstart -1 - $gid_max_value = $easy_ipa::idstart -1 - - file_line { - default: - path => '/etc/login.defs', - replace => true, - ; - 'adjust uid max': - line => "UID_MAX\t${uid_max_value}", - match => '^UID_MAX.*$', - ; - 'adjust gid max': - line => "GID_MAX\t${gid_max_value}", - match => '^GID_MAX.*$', - ; - } - } - $server_install_cmd_opts_idmax = $easy_ipa::idmax ? { undef => '', default => "--idmax=${easy_ipa::idmax}" From 156da8adb2a25265b2a9ba21924417ec1e39ae8d Mon Sep 17 00:00:00 2001 From: Joshua Hoblitt Date: Wed, 25 Oct 2023 15:34:57 -0700 Subject: [PATCH 26/78] rm easy_ipa::manage_host_entry param -- this should be in a role/profile --- README.md | 2 -- REFERENCE.md | 9 --------- manifests/init.pp | 4 ---- manifests/install.pp | 6 ------ manifests/validate_params.pp | 6 ------ spec/classes/ipa_spec.rb | 8 -------- 6 files changed, 35 deletions(-) diff --git a/README.md b/README.md index b4259896..65bbdbf3 100644 --- a/README.md +++ b/README.md @@ -38,7 +38,6 @@ class {'easy_ipa': ip_address => '192.168.56.35', enable_ip_address => true, enable_hostname => true, - manage_host_entry => true, install_epel => true, webui_enable_proxy => true, } @@ -55,7 +54,6 @@ class {'::easy_ipa': ip_address => '192.168.56.36', enable_ip_address => true, enable_hostname => true, - manage_host_entry => true, install_epel => true, ipa_master_fqdn => 'ipa-server-1.vagrant.example.lan', } diff --git a/REFERENCE.md b/REFERENCE.md index 8983e8b6..d5e03cc9 100644 --- a/REFERENCE.md +++ b/REFERENCE.md 
@@ -83,7 +83,6 @@ The following parameters are available in the `easy_ipa` class: * [`ip_address`](#-easy_ipa--ip_address) * [`ipa_server_fqdn`](#-easy_ipa--ipa_server_fqdn) * [`ipa_master_fqdn`](#-easy_ipa--ipa_master_fqdn) -* [`manage_host_entry`](#-easy_ipa--manage_host_entry) * [`mkhomedir`](#-easy_ipa--mkhomedir) * [`no_ui_redirect`](#-easy_ipa--no_ui_redirect) * [`realm`](#-easy_ipa--realm) @@ -353,14 +352,6 @@ Data type: `Optional[Stdlib::Fqdn]` Default value: `undef` -##### `manage_host_entry` - -Data type: `Boolean` - -(boolean) If true, then a host entry is created using the parameters 'ipa_server_fqdn' and 'ip_address'. - -Default value: `false` - ##### `mkhomedir` Data type: `Boolean` diff --git a/manifests/init.pp b/manifests/init.pp index 56c55125..fc522e93 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -108,9 +108,6 @@ # @param ipa_master_fqdn # (string) FQDN of the server to use for a client or replica domain join. # -# @param manage_host_entry -# (boolean) If true, then a host entry is created using the parameters 'ipa_server_fqdn' and 'ip_address'. -# # @param mkhomedir # (boolean) If true, then the parameter '--mkhomedir' is passed to the IPA server and client # installers. @@ -172,7 +169,6 @@ Optional[Stdlib::IP::Address] $ip_address = undef, String $ipa_server_fqdn = $facts['networking']['fqdn'], Optional[Stdlib::Fqdn] $ipa_master_fqdn = undef, - Boolean $manage_host_entry = false, Boolean $mkhomedir = true, Boolean $no_ui_redirect = false, Optional[Stdlib::Fqdn] $realm = undef, diff --git a/manifests/install.pp b/manifests/install.pp index 06a1d4d5..bf2b0730 100644 --- a/manifests/install.pp +++ b/manifests/install.pp @@ -10,12 +10,6 @@ ) } - if $easy_ipa::manage_host_entry { - host { $easy_ipa::ipa_server_fqdn: - ip => $easy_ipa::ip_address, - } - } - # Note: sssd.conf handled by ipa-server-install. if $easy_ipa::install_sssd { contain 'easy_ipa::install::sssd' 
diff --git a/manifests/validate_params.pp b/manifests/validate_params.pp index c8446ba1..480fefc5 100644 --- a/manifests/validate_params.pp +++ b/manifests/validate_params.pp @@ -3,12 +3,6 @@ class easy_ipa::validate_params { assert_private() - if $easy_ipa::manage_host_entry { - unless $easy_ipa::ip_address { - fail('When using the parameter manage_host_entry, the parameter ip_address is mandatory.') - } - } - if $easy_ipa::idmax and $easy_ipa::idmax < $easy_ipa::idstart { fail('Parameter "idmax" must be an integer greater than parameter "idstart".') } diff --git a/spec/classes/ipa_spec.rb b/spec/classes/ipa_spec.rb index 33f81a2b..11115d56 100644 --- a/spec/classes/ipa_spec.rb +++ b/spec/classes/ipa_spec.rb @@ -163,14 +163,6 @@ it { is_expected.to raise_error(Puppet::Error, %r{"idmax" must be an integer greater than parameter "idstart"}) } end - context 'with manage_host_entry but not ip_address' do - let(:params) do - super().merge(manage_host_entry: true) - end - - it { is_expected.to raise_error(Puppet::Error, %r{parameter ip_address is mandatory}) } - end - context 'without admin_password' do let(:params) do super().merge(admin_password: nil) From 14b7bcd257d1b706c1c41b7107a1c74416788b18 Mon Sep 17 00:00:00 2001 From: Joshua Hoblitt Date: Wed, 25 Oct 2023 15:37:10 -0700 Subject: [PATCH 27/78] rm easy_ipa::manage param -- this should be in a role/profile --- REFERENCE.md | 14 -------- manifests/init.pp | 86 +++++++++++++++++++++-------------------------- 2 files changed, 38 insertions(+), 62 deletions(-) diff --git a/REFERENCE.md b/REFERENCE.md index d5e03cc9..1019d6ab 100644 --- a/REFERENCE.md +++ b/REFERENCE.md @@ -52,7 +52,6 @@ TODO: configurable admin username. The following parameters are available in the `easy_ipa` class: -* [`manage`](#-easy_ipa--manage) * [`domain`](#-easy_ipa--domain) * [`ipa_role`](#-easy_ipa--ipa_role) * [`admin_password`](#-easy_ipa--admin_password) 
@@ -91,19 +90,6 @@ The following parameters are available in the `easy_ipa` class: * [`webui_proxy_https_port`](#-easy_ipa--webui_proxy_https_port) * [`adjust_login_defs`](#-easy_ipa--adjust_login_defs) -##### `manage` - -Data type: `Boolean` - -(boolean) Manage easy_ipa with Puppet. Defaults to true. Setting this to - to false is useful when a handful of hosts have unsupported - operating systems and you'd rather exclude them from FreeIPA - instead of including the others individually. Use this with - a separate Hiera level (e.g. $::lsbdistcodename) for maximum - convenience. - -Default value: `true` - ##### `domain` Data type: `Stdlib::Fqdn` diff --git a/manifests/init.pp b/manifests/init.pp index fc522e93..45323e0b 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -1,12 +1,5 @@ # @summary Manages IPA masters, replicas and clients. # -# @param manage -# (boolean) Manage easy_ipa with Puppet. Defaults to true. Setting this to -# to false is useful when a handful of hosts have unsupported -# operating systems and you'd rather exclude them from FreeIPA -# instead of including the others individually. Use this with -# a separate Hiera level (e.g. $::lsbdistcodename) for maximum -# convenience. # @param domain # (string) The name of the IPA domain to create or join. # @param ipa_role @@ -140,7 +133,6 @@ class easy_ipa ( Stdlib::Fqdn $domain, Enum['client', 'master', 'replica'] $ipa_role, - Boolean $manage = true, Optional[String[8]] $admin_password = undef, Optional[String[8]] $directory_services_password = undef, Boolean $allow_zone_overlap = false, 
@@ -177,52 +169,50 @@ String $webui_proxy_https_port = '8440', Boolean $adjust_login_defs = false, ) { - if $manage { - # Include per-OS parameters and fail on unsupported OS - include easy_ipa::params + # Include per-OS parameters and fail on unsupported OS + include easy_ipa::params - $final_realm = $realm ? { - undef => upcase($domain), - default => $realm, - } + $final_realm = $realm ? { + undef => upcase($domain), + default => $realm, + } - if $ipa_role == 'client' { - $final_configure_dns_server = false - } else { - $final_configure_dns_server = $configure_dns_server - } + if $ipa_role == 'client' { + $final_configure_dns_server = false + } else { + $final_configure_dns_server = $configure_dns_server + } - $opt_no_ssh = $configure_ssh ? { - true => '', - default => '--no-ssh', - } + $opt_no_ssh = $configure_ssh ? { + true => '', + default => '--no-ssh', + } - $opt_no_sshd = $configure_sshd ? { - true => '', - default => '--no-sshd', - } + $opt_no_sshd = $configure_sshd ? { + true => '', + default => '--no-sshd', + } - if $easy_ipa::adjust_login_defs { - $uid_max_value = $easy_ipa::idstart -1 - $gid_max_value = $easy_ipa::idstart -1 + if $easy_ipa::adjust_login_defs { + $uid_max_value = $easy_ipa::idstart -1 + $gid_max_value = $easy_ipa::idstart -1 - file_line { - default: - path => '/etc/login.defs', - replace => true, - ; - 'adjust uid max': - line => "UID_MAX\t${uid_max_value}", - match => '^UID_MAX.*$', - ; - 'adjust gid max': - line => "GID_MAX\t${gid_max_value}", - match => '^GID_MAX.*$', - ; - } + file_line { + default: + path => '/etc/login.defs', + replace => true, + ; + 'adjust uid max': + line => "UID_MAX\t${uid_max_value}", + match => '^UID_MAX.*$', + ; + 'adjust gid max': + line => "GID_MAX\t${gid_max_value}", + match => '^GID_MAX.*$', + ; } - - require easy_ipa::validate_params - contain easy_ipa::install } + + require easy_ipa::validate_params + contain easy_ipa::install } From 1d0f251caf207bd63699b0e331162f66529a30f3 Mon Sep 17 00:00:00 2001 
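Review bot: Removing `manage` is a breaking change that neither the commit message nor the visible docs call out: a host that was parked with `easy_ipa::manage: false` in Hiera now goes straight into `include easy_ipa::params`, which the comment above it says fails on unsupported operating systems, and then into `contain easy_ipa::install`, while a resource-like declaration that still passes `manage =>` will no longer compile at all. Nothing in the unindented body is wrong, but a changelog/README line such as `easy_ipa::manage has been removed; exclude hosts from the role/profile that declares easy_ipa instead` would spare operators a surprise compile failure on the next agent run. The class header and parameter list are outside the hunk.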
From: Joshua Hoblitt Date: Wed, 25 Oct 2023 15:42:51 -0700 Subject: [PATCH 28/78] rm easy_ipa::install_autofs param This should be managed with a forge module. E.g. puppet/autofs --- REFERENCE.md | 14 -------------- manifests/init.pp | 4 ---- manifests/install.pp | 4 ---- manifests/install/autofs.pp | 13 ------------- manifests/params.pp | 1 - spec/classes/ipa_spec.rb | 3 --- 6 files changed, 39 deletions(-) delete mode 100644 manifests/install/autofs.pp diff --git a/REFERENCE.md b/REFERENCE.md index 1019d6ab..43b7ee5c 100644 --- a/REFERENCE.md +++ b/REFERENCE.md @@ -11,7 +11,6 @@ * [`easy_ipa`](#easy_ipa): Manages IPA masters, replicas and clients. * [`easy_ipa::config::webui`](#easy_ipa--config--webui): Configures port and redirect overrides for the IPA server web UI. * [`easy_ipa::install`](#easy_ipa--install): Manage easy_ipa install -* [`easy_ipa::install::autofs`](#easy_ipa--install--autofs): Manage autofs * [`easy_ipa::install::client`](#easy_ipa--install--client): Manage ipa client * [`easy_ipa::install::client::debian`](#easy_ipa--install--client--debian): Ensure that home directories get created on Debian and Ubuntu clients. * [`easy_ipa::install::server`](#easy_ipa--install--server): Manage IPA server install @@ -73,7 +72,6 @@ The following parameters are available in the `easy_ipa` class: * [`idstart`](#-easy_ipa--idstart) * [`gssapi_no_negotiate`](#-easy_ipa--gssapi_no_negotiate) * [`idmax`](#-easy_ipa--idmax) -* [`install_autofs`](#-easy_ipa--install_autofs) * [`install_epel`](#-easy_ipa--install_epel) * [`install_sssdtools`](#-easy_ipa--install_sssdtools) * [`install_ipa_client`](#-easy_ipa--install_ipa_client) @@ -266,14 +264,6 @@ Data type: `Variant[Integer,Undef]` Default value: `undef` -##### `install_autofs` - -Data type: `Boolean` - -(boolean) If true, then the autofs packages are installed. - -Default value: `false` - ##### `install_epel` Data type: `Boolean` 
@@ -404,10 +394,6 @@ Configures port and redirect overrides for the IPA server web UI. Manage easy_ipa install -### `easy_ipa::install::autofs` - -Manage autofs - ### `easy_ipa::install::client` Manage ipa client diff --git a/manifests/init.pp b/manifests/init.pp index 45323e0b..1f59b6f0 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -74,9 +74,6 @@ # @param idmax # (integer) From the IPA man pages: "The max value for the IDs range (default: idstart+199999)". # -# @param install_autofs -# (boolean) If true, then the autofs packages are installed. -# # @param install_epel # (boolean) If true, then the epel repo is installed. The epel repo is usually required for sssd packages. # @@ -152,7 +149,6 @@ Variant[Pattern,Undef] $gssapi_no_negotiate = undef, Integer[10000] $idstart = (fqdn_rand('10737') + 10000), Variant[Integer,Undef] $idmax = undef, - Boolean $install_autofs = false, Boolean $install_epel = true, Boolean $install_sssdtools = true, Boolean $install_ipa_client = true, diff --git a/manifests/install.pp b/manifests/install.pp index bf2b0730..c8a8cef2 100644 --- a/manifests/install.pp +++ b/manifests/install.pp @@ -15,10 +15,6 @@ contain 'easy_ipa::install::sssd' } - if $easy_ipa::install_autofs { - contain 'easy_ipa::install::autofs' - } - if $easy_ipa::install_sssdtools { package { $easy_ipa::params::sssdtools_package_name: ensure => present, diff --git a/manifests/install/autofs.pp b/manifests/install/autofs.pp deleted file mode 100644 index 8fb72039..00000000 --- a/manifests/install/autofs.pp +++ /dev/null @@ -1,13 +0,0 @@ -# -# @summary Manage autofs -# -class easy_ipa::install::autofs { - package { $easy_ipa::params::autofs_package_name: - ensure => present, - } - - service { 'autofs': - ensure => 'running', - enable => true, - } -} diff --git a/manifests/params.pp b/manifests/params.pp index 22860eb8..eb5437c9 100644 --- a/manifests/params.pp +++ b/manifests/params.pp 
@@ -23,7 +23,6 @@ } # These package names are the same on RedHat and Debian derivatives - $autofs_package_name = 'autofs' $ipa_server_package_name = 'ipa-server' $kstart_package_name = 'kstart' $sssd_package_name = 'sssd-common' diff --git a/spec/classes/ipa_spec.rb b/spec/classes/ipa_spec.rb index 11115d56..f8e1af13 100644 --- a/spec/classes/ipa_spec.rb +++ b/spec/classes/ipa_spec.rb @@ -56,7 +56,6 @@ it { is_expected.to contain_class('easy_ipa::config::webui') } it { is_expected.to contain_class('easy_ipa::validate_params') } - it { is_expected.not_to contain_class('easy_ipa::install::autofs') } it { is_expected.not_to contain_class('easy_ipa::install::server::replica') } it { is_expected.not_to contain_class('easy_ipa::install::client') } @@ -222,7 +221,6 @@ it { is_expected.to contain_class('easy_ipa::config::webui') } it { is_expected.to contain_class('easy_ipa::validate_params') } - it { is_expected.not_to contain_class('easy_ipa::install::autofs') } it { is_expected.not_to contain_class('easy_ipa::install::server::master') } it { is_expected.not_to contain_class('easy_ipa::install::client') } @@ -325,7 +323,6 @@ it { is_expected.to contain_class('easy_ipa::install::client') } it { is_expected.to contain_class('easy_ipa::validate_params') } - it { is_expected.not_to contain_class('easy_ipa::install::autofs') } it { is_expected.not_to contain_class('easy_ipa::install::server') } it { is_expected.not_to contain_class('easy_ipa::install::server::master') } it { is_expected.not_to contain_class('easy_ipa::install::server::replica') } From f6e40dded4fb9dd3a239ae64395263fb8d4346de Mon Sep 17 00:00:00 2001 From: Joshua Hoblitt Date: Wed, 25 Oct 2023 15:56:24 -0700 Subject: [PATCH 29/78] rm easy_ipa::install_sssdtools params No functionality in this module depends upon the sssd-tools package being installed. --- REFERENCE.md | 9 --------- manifests/init.pp | 4 ---- manifests/install.pp | 6 ------ manifests/params.pp | 1 - 4 files changed, 20 deletions(-) 
diff --git a/REFERENCE.md b/REFERENCE.md index 43b7ee5c..028278a4 100644 --- a/REFERENCE.md +++ b/REFERENCE.md @@ -73,7 +73,6 @@ The following parameters are available in the `easy_ipa` class: * [`gssapi_no_negotiate`](#-easy_ipa--gssapi_no_negotiate) * [`idmax`](#-easy_ipa--idmax) * [`install_epel`](#-easy_ipa--install_epel) -* [`install_sssdtools`](#-easy_ipa--install_sssdtools) * [`install_ipa_client`](#-easy_ipa--install_ipa_client) * [`install_ipa_server`](#-easy_ipa--install_ipa_server) * [`install_sssd`](#-easy_ipa--install_sssd) @@ -272,14 +271,6 @@ Data type: `Boolean` Default value: `true` -##### `install_sssdtools` - -Data type: `Boolean` - -(boolean) If true, then the sssdtools packages are installed. - -Default value: `true` - ##### `install_ipa_client` Data type: `Boolean` diff --git a/manifests/init.pp b/manifests/init.pp index 1f59b6f0..4412c13d 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -77,9 +77,6 @@ # @param install_epel # (boolean) If true, then the epel repo is installed. The epel repo is usually required for sssd packages. # -# @param install_sssdtools -# (boolean) If true, then the sssdtools packages are installed. -# # @param install_ipa_client # (boolean) If true, then the IPA client packages are installed if the parameter 'ipa_role' is set to 'client'. # @@ -150,7 +147,6 @@ Integer[10000] $idstart = (fqdn_rand('10737') + 10000), Variant[Integer,Undef] $idmax = undef, Boolean $install_epel = true, - Boolean $install_sssdtools = true, Boolean $install_ipa_client = true, Boolean $install_ipa_server = true, Boolean $install_sssd = true, diff --git a/manifests/install.pp b/manifests/install.pp index c8a8cef2..29f55184 100644 --- a/manifests/install.pp +++ b/manifests/install.pp 
@@ -15,12 +15,6 @@ contain 'easy_ipa::install::sssd' } - if $easy_ipa::install_sssdtools { - package { $easy_ipa::params::sssdtools_package_name: - ensure => present, - } - } - if $easy_ipa::ipa_role == 'master' or $easy_ipa::ipa_role == 'replica' { if $easy_ipa::install_ipa_server { contain 'easy_ipa::install::server' diff --git a/manifests/params.pp b/manifests/params.pp index eb5437c9..dfe9ab31 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -26,5 +26,4 @@ $ipa_server_package_name = 'ipa-server' $kstart_package_name = 'kstart' $sssd_package_name = 'sssd-common' - $sssdtools_package_name = 'sssd-tools' } From 7e40adc16756997d8f5b20dd6af6342d7750d95e Mon Sep 17 00:00:00 2001 From: Joshua Hoblitt Date: Wed, 25 Oct 2023 15:57:50 -0700 Subject: [PATCH 30/78] add almalinux 8 & 9 support --- metadata.json | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/metadata.json b/metadata.json index f4a7f1e3..83e418fd 100644 --- a/metadata.json +++ b/metadata.json @@ -22,6 +22,13 @@ } ], "operatingsystem_support": [ + { + "operatingsystem": "AlmaLinux", + "operatingsystemrelease": [ + "8", + "9" + ] + }, { "operatingsystem": "CentOS", "operatingsystemrelease": [ From 8bdd629a021951d1a6c90c90aed02888d5c82249 Mon Sep 17 00:00:00 2001 From: Joshua Hoblitt Date: Wed, 25 Oct 2023 16:13:32 -0700 Subject: [PATCH 31/78] rm easy_ipa::install_epel param This should be managed with a forge module. E.g. puppet/epel --- README.md | 3 --- REFERENCE.md | 9 --------- examples/master.pp | 6 ++++-- manifests/init.pp | 4 ---- manifests/install.pp | 8 -------- spec/classes/ipa_spec.rb | 15 --------------- spec/support/acceptance/setup.rb | 1 + 7 files changed, 5 insertions(+), 41 deletions(-) diff --git a/README.md b/README.md index 65bbdbf3..c0056f65 100644 --- a/README.md +++ b/README.md @@ -38,7 +38,6 @@ class {'easy_ipa': ip_address => '192.168.56.35', enable_ip_address => true, enable_hostname => true, - install_epel => true, webui_enable_proxy => true, } ``` 
@@ -54,7 +53,6 @@ class {'::easy_ipa': ip_address => '192.168.56.36', enable_ip_address => true, enable_hostname => true, - install_epel => true, ipa_master_fqdn => 'ipa-server-1.vagrant.example.lan', } ``` @@ -109,7 +107,6 @@ class {'::easy_ipa': ipa_role => 'client', domain => 'vagrant.example.lan', domain_join_password => 'vagrant123', -install_epel => true, ipa_master_fqdn => 'ipa-server-1.vagrant.example.lan', } ``` diff --git a/REFERENCE.md b/REFERENCE.md index 028278a4..ce05050c 100644 --- a/REFERENCE.md +++ b/REFERENCE.md @@ -72,7 +72,6 @@ The following parameters are available in the `easy_ipa` class: * [`idstart`](#-easy_ipa--idstart) * [`gssapi_no_negotiate`](#-easy_ipa--gssapi_no_negotiate) * [`idmax`](#-easy_ipa--idmax) -* [`install_epel`](#-easy_ipa--install_epel) * [`install_ipa_client`](#-easy_ipa--install_ipa_client) * [`install_ipa_server`](#-easy_ipa--install_ipa_server) * [`install_sssd`](#-easy_ipa--install_sssd) @@ -263,14 +262,6 @@ Data type: `Variant[Integer,Undef]` Default value: `undef` -##### `install_epel` - -Data type: `Boolean` - -(boolean) If true, then the epel repo is installed. The epel repo is usually required for sssd packages. - -Default value: `true` - ##### `install_ipa_client` Data type: `Boolean` diff --git a/examples/master.pp b/examples/master.pp index b3cef643..2c3efab7 100644 --- a/examples/master.pp +++ b/examples/master.pp @@ -1,6 +1,8 @@ -include cron # easy_ipa needs cron to be installed +require epel # provides kstart package on el +require cron # easy_ipa needs cron to be installed -class { 'easy_ipa': +Yumrepo <||> +-> class { 'easy_ipa': ipa_role => 'master', domain => 'rspec.example.lan', admin_password => 'rspecrspec123', diff --git a/manifests/init.pp b/manifests/init.pp index 4412c13d..ad38813e 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
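Review bot: `Yumrepo <||>` in examples/master.pp is a collector with an empty query, which realizes every virtual `yumrepo` resource in the catalog rather than only the EPEL one the comment refers to, and the `-> class { 'easy_ipa': ... }` edge is then attached to that side effect. The ordering the example wants is expressed without it by `Class['epel'] -> Class['easy_ipa']`; as far as the visible lines show, the `require epel` above does not by itself order the repository before `easy_ipa`. Since this file is what users copy into their own profiles, the side-effect-free form is the one worth showing; the rest of the class declaration continues outside the hunk.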
@@ -74,9 +74,6 @@ # @param idmax # (integer) From the IPA man pages: "The max value for the IDs range (default: idstart+199999)". # -# @param install_epel -# (boolean) If true, then the epel repo is installed. The epel repo is usually required for sssd packages. -# # @param install_ipa_client # (boolean) If true, then the IPA client packages are installed if the parameter 'ipa_role' is set to 'client'. # @@ -146,7 +143,6 @@ Variant[Pattern,Undef] $gssapi_no_negotiate = undef, Integer[10000] $idstart = (fqdn_rand('10737') + 10000), Variant[Integer,Undef] $idmax = undef, - Boolean $install_epel = true, Boolean $install_ipa_client = true, Boolean $install_ipa_server = true, Boolean $install_sssd = true, diff --git a/manifests/install.pp b/manifests/install.pp index 29f55184..df0f7ff6 100644 --- a/manifests/install.pp +++ b/manifests/install.pp @@ -2,14 +2,6 @@ # @summary Manage easy_ipa install # class easy_ipa::install { - if $easy_ipa::install_epel and $facts['os']['family'] == 'RedHat' { - ensure_resource( - 'package', - 'epel-release', - { 'ensure' => 'present' }, - ) - } - # Note: sssd.conf handled by ipa-server-install. if $easy_ipa::install_sssd { contain 'easy_ipa::install::sssd' diff --git a/spec/classes/ipa_spec.rb b/spec/classes/ipa_spec.rb index f8e1af13..537bad5e 100644 --- a/spec/classes/ipa_spec.rb +++ b/spec/classes/ipa_spec.rb @@ -66,11 +66,6 @@ it { is_expected.to contain_package('sssd-common') } it { is_expected.not_to contain_package('ipa-client') } - - case facts[:os]['family'] - when 'RedHat' - it { is_expected.to contain_package('epel-release') } - end end context 'with idmax' do @@ -231,11 +226,6 @@ it { is_expected.to contain_package('sssd-common') } it { is_expected.not_to contain_package('ipa-client') } - - case facts[:os]['family'] - when 'RedHat' - it { is_expected.to contain_package('epel-release') } - end end context 'configure_ssh' do 
@@ -334,11 +324,6 @@ it { is_expected.not_to contain_package('ipa-server-dns') } it { is_expected.not_to contain_package('bind-dyndb-ldap') } it { is_expected.not_to contain_package('ipa-server') } - - case facts[:os]['family'] - when 'RedHat' - it { is_expected.to contain_package('epel-release') } - end end context 'configure_ssh' do diff --git a/spec/support/acceptance/setup.rb b/spec/support/acceptance/setup.rb index dd32964d..3123009c 100644 --- a/spec/support/acceptance/setup.rb +++ b/spec/support/acceptance/setup.rb @@ -7,6 +7,7 @@ # https://pagure.io/freeipa/c/87496d647706462fa8a10bbea5637104153146b2 on(host, 'sysctl -w fs.protected_regular=0') install_puppet_module_via_pmt_on(host, 'puppet/cron') + install_puppet_module_via_pmt_on(host, 'puppet/epel') if fact_on(host, 'os.family') == 'RedHat' && fact_on(host, 'os.release.major') == '7' # https://cstan.io/?p=12175&lang=en From 7eb17298b6737374be5af1737832554a5048e3ff Mon Sep 17 00:00:00 2001 From: Joshua Hoblitt Date: Wed, 25 Oct 2023 16:27:46 -0700 Subject: [PATCH 32/78] fix check errors Resolves: .devcontainer/README.md has trailing whitespace on line 4 --- .devcontainer/README.md | 38 -------------------------------------- 1 file changed, 38 deletions(-) delete mode 100644 .devcontainer/README.md diff --git a/.devcontainer/README.md b/.devcontainer/README.md deleted file mode 100644 index a7193616..00000000 --- a/.devcontainer/README.md +++ /dev/null 
@@ -1,38 +0,0 @@ -# devcontainer - - -For format details, see https://aka.ms/devcontainer.json. - -For config options, see the README at: -https://github.com/microsoft/vscode-dev-containers/tree/v0.140.1/containers/puppet - -``` json -{ - "name": "Puppet Development Kit (Community)", - "dockerFile": "Dockerfile", - - // Set *default* container specific settings.json values on container create. - "settings": { - "terminal.integrated.profiles.linux": { - "bash": { - "path": "bash", - } - } - }, - - // Add the IDs of extensions you want installed when the container is created. - "extensions": [ - "puppet.puppet-vscode", - "rebornix.Ruby" - ], - - // Use 'forwardPorts' to make a list of ports inside the container available locally. - "forwardPorts": [], - - // Use 'postCreateCommand' to run commands after the container is created. - "postCreateCommand": "pdk --version", -} -``` - - - From e6aa5b84c87c14cc2a95bcc23abad328bdd5605e Mon Sep 17 00:00:00 2001 From: Joshua Hoblitt Date: Wed, 25 Oct 2023 17:06:00 -0700 Subject: [PATCH 33/78] rm easy_ipa::install_sssd params This is unneccasary as the ipa-server package has a dep on sssd packages and `ipa-server-install` will cause the sssd service to be started. If the `sssd` service needs a resource, this should be managed with a forge module. E.g. puppet/sssd --- REFERENCE.md | 14 -------------- manifests/helpers/flushcache.pp | 1 - manifests/init.pp | 4 ---- manifests/install.pp | 5 ----- manifests/install/client.pp | 9 --------- manifests/install/server.pp | 8 -------- manifests/install/server/master.pp | 1 - manifests/install/server/replica.pp | 1 - manifests/install/sssd.pp | 8 -------- manifests/params.pp | 1 - spec/classes/ipa_spec.rb | 6 ------ 11 files changed, 58 deletions(-) delete mode 100644 manifests/install/sssd.pp diff --git a/REFERENCE.md b/REFERENCE.md index ce05050c..17d27e93 100644 --- a/REFERENCE.md +++ b/REFERENCE.md 
@@ -16,7 +16,6 @@ * [`easy_ipa::install::server`](#easy_ipa--install--server): Manage IPA server install * [`easy_ipa::install::server::master`](#easy_ipa--install--server--master): Manage primary server * [`easy_ipa::install::server::replica`](#easy_ipa--install--server--replica): Manage replica install -* [`easy_ipa::install::sssd`](#easy_ipa--install--sssd): Manage sssd install * [`easy_ipa::named`](#easy_ipa--named): Prepare the integrated named-pkcs11 service for local configuration * [`easy_ipa::packetfilter::server`](#easy_ipa--packetfilter--server): Install packet filtering rules for FreeIPA. * [`easy_ipa::params`](#easy_ipa--params): Prevent havoc on unsupported operating systems. @@ -74,7 +73,6 @@ The following parameters are available in the `easy_ipa` class: * [`idmax`](#-easy_ipa--idmax) * [`install_ipa_client`](#-easy_ipa--install_ipa_client) * [`install_ipa_server`](#-easy_ipa--install_ipa_server) -* [`install_sssd`](#-easy_ipa--install_sssd) * [`ip_address`](#-easy_ipa--ip_address) * [`ipa_server_fqdn`](#-easy_ipa--ipa_server_fqdn) * [`ipa_master_fqdn`](#-easy_ipa--ipa_master_fqdn) @@ -278,14 +276,6 @@ Data type: `Boolean` Default value: `true` -##### `install_sssd` - -Data type: `Boolean` - -(boolean) If true, then the sssd packages are installed. - -Default value: `true` - ##### `ip_address` Data type: `Optional[Stdlib::IP::Address]` @@ -397,10 +387,6 @@ Manage primary server Manage replica install -### `easy_ipa::install::sssd` - -Manage sssd install - ### `easy_ipa::named` fragments. diff --git a/manifests/helpers/flushcache.pp b/manifests/helpers/flushcache.pp index 23451ca4..bd55d7ee 100644 --- a/manifests/helpers/flushcache.pp +++ b/manifests/helpers/flushcache.pp @@ -26,7 +26,6 @@ exec { "ipa_flushcache_${title}": command => "/bin/bash -c ${ipa_fluch_cache_cmd}", returns => ['0','1','2'], - notify => Service['sssd'], refreshonly => true, } } diff --git a/manifests/init.pp b/manifests/init.pp index ad38813e..66d7d622 100644 
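Review bot: Dropping `notify => Service['sssd']` from `ipa_flushcache_${title}` means the flush exec no longer restarts sssd after it runs; if the cache command (`$ipa_fluch_cache_cmd`, defined outside the hunk) relied on that restart to take effect, the coupling is now gone silently, and the define's documentation should say so, e.g. `# Flushes the cache only; sssd is not managed here, restart it from the profile that owns the service.` Separately, the command is interpolated into `/bin/bash -c ${ipa_fluch_cache_cmd}` without quoting, so unless the variable already carries its own quotes a value containing whitespace has only its first word executed as the script; `"/bin/bash -c '${ipa_fluch_cache_cmd}'"` avoids that, though the line itself is context rather than part of this change. The defined type starts outside the hunk.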
--- a/manifests/init.pp +++ b/manifests/init.pp @@ -80,9 +80,6 @@ # @param install_ipa_server # (boolean) If true, then the IPA server packages are installed if the parameter 'ipa_role' is not set to 'client'. # -# @param install_sssd -# (boolean) If true, then the sssd packages are installed. -# # @param ip_address # (string) IP address to pass to the IPA installer. # @@ -145,7 +142,6 @@ Variant[Integer,Undef] $idmax = undef, Boolean $install_ipa_client = true, Boolean $install_ipa_server = true, - Boolean $install_sssd = true, Optional[Stdlib::IP::Address] $ip_address = undef, String $ipa_server_fqdn = $facts['networking']['fqdn'], Optional[Stdlib::Fqdn] $ipa_master_fqdn = undef, diff --git a/manifests/install.pp b/manifests/install.pp index df0f7ff6..3961e11c 100644 --- a/manifests/install.pp +++ b/manifests/install.pp @@ -2,11 +2,6 @@ # @summary Manage easy_ipa install # class easy_ipa::install { - # Note: sssd.conf handled by ipa-server-install. - if $easy_ipa::install_sssd { - contain 'easy_ipa::install::sssd' - } - if $easy_ipa::ipa_role == 'master' or $easy_ipa::ipa_role == 'replica' { if $easy_ipa::install_ipa_server { contain 'easy_ipa::install::server' diff --git a/manifests/install/client.pp b/manifests/install/client.pp index efad9579..ba1fbfea 100644 --- a/manifests/install/client.pp +++ b/manifests/install/client.pp @@ -71,7 +71,6 @@ unless => "cat /etc/ipa/default.conf | grep -i \"${easy_ipa::domain}\"", creates => '/etc/ipa/default.conf', logoutput => false, # prevent passphrases from appearing in puppet log - before => Service['sssd'], provider => 'shell', require => Package['ipa-client'], } @@ -80,12 +79,4 @@ if $facts['os']['family'] == 'Debian' and $easy_ipa::mkhomedir { contain easy_ipa::install::client::debian } - - if $easy_ipa::install_sssd { - service { 'sssd': - ensure => 'running', - enable => true, - require => Package[$easy_ipa::params::sssd_package_name], - } - } } 
diff --git a/manifests/install/server.pp b/manifests/install/server.pp index fc4b99ff..06a80ff8 100644 --- a/manifests/install/server.pp +++ b/manifests/install/server.pp @@ -125,13 +125,5 @@ require => Exec["server_install_${easy_ipa::ipa_server_fqdn}"], } - if $easy_ipa::install_sssd { - service { 'sssd': - ensure => 'running', - enable => true, - require => Package[$easy_ipa::params::sssd_package_name], - } - } - easy_ipa::helpers::flushcache { "server_${easy_ipa::ipa_server_fqdn}": } } diff --git a/manifests/install/server/master.pp b/manifests/install/server/master.pp index c2f7ff81..32b992f3 100644 --- a/manifests/install/server/master.pp +++ b/manifests/install/server/master.pp @@ -30,7 +30,6 @@ creates => '/etc/ipa/default.conf', logoutput => false, # prevent passphrases from appearing in puppet log notify => Easy_ipa::Helpers::Flushcache["server_${easy_ipa::ipa_server_fqdn}"], - before => Service['sssd'], } -> cron { 'k5start_root': #allows scp to replicas as root command => '/usr/bin/k5start -f /etc/krb5.keytab -U -o root -k /tmp/krb5cc_0 > /dev/null 2>&1', diff --git a/manifests/install/server/replica.pp b/manifests/install/server/replica.pp index 7f31a9d9..1832f053 100644 --- a/manifests/install/server/replica.pp +++ b/manifests/install/server/replica.pp @@ -31,7 +31,6 @@ creates => '/etc/ipa/default.conf', logoutput => false, # prevent passphrases from appearing in puppet log notify => Easy_ipa::Helpers::Flushcache["server_${easy_ipa::ipa_server_fqdn}"], - before => Service['sssd'], } -> cron { 'k5start_root': command => '/usr/bin/k5start -f /etc/krb5.keytab -U -o root -k /tmp/krb5cc_0 > /dev/null 2>&1', diff --git a/manifests/install/sssd.pp b/manifests/install/sssd.pp deleted file mode 100644 index f28d3f7b..00000000 --- a/manifests/install/sssd.pp +++ /dev/null @@ -1,8 +0,0 @@ -# -# @summary Manage sssd install -# -class easy_ipa::install::sssd { - package { $easy_ipa::params::sssd_package_name: - ensure => present, - } -} 
diff --git a/manifests/params.pp b/manifests/params.pp index dfe9ab31..0c373664 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -25,5 +25,4 @@ # These package names are the same on RedHat and Debian derivatives $ipa_server_package_name = 'ipa-server' $kstart_package_name = 'kstart' - $sssd_package_name = 'sssd-common' } diff --git a/spec/classes/ipa_spec.rb b/spec/classes/ipa_spec.rb index 537bad5e..bee59474 100644 --- a/spec/classes/ipa_spec.rb +++ b/spec/classes/ipa_spec.rb @@ -51,7 +51,6 @@ context 'with defaults' do it { is_expected.to contain_class('easy_ipa::install') } it { is_expected.to contain_class('easy_ipa::install::server') } - it { is_expected.to contain_class('easy_ipa::install::sssd') } it { is_expected.to contain_class('easy_ipa::install::server::master') } it { is_expected.to contain_class('easy_ipa::config::webui') } it { is_expected.to contain_class('easy_ipa::validate_params') } @@ -63,7 +62,6 @@ it { is_expected.to contain_package('bind-dyndb-ldap') } it { is_expected.to contain_package('kstart') } it { is_expected.to contain_package('ipa-server') } - it { is_expected.to contain_package('sssd-common') } it { is_expected.not_to contain_package('ipa-client') } end @@ -211,7 +209,6 @@ context 'with defaults' do it { is_expected.to contain_class('easy_ipa::install') } it { is_expected.to contain_class('easy_ipa::install::server') } - it { is_expected.to contain_class('easy_ipa::install::sssd') } it { is_expected.to contain_class('easy_ipa::install::server::replica') } it { is_expected.to contain_class('easy_ipa::config::webui') } it { is_expected.to contain_class('easy_ipa::validate_params') } @@ -223,7 +220,6 @@ it { is_expected.to contain_package('bind-dyndb-ldap') } it { is_expected.to contain_package('kstart') } it { is_expected.to contain_package('ipa-server') } - it { is_expected.to contain_package('sssd-common') } it { is_expected.not_to contain_package('ipa-client') } end 
@@ -309,7 +305,6 @@ context 'with defaults' do it { is_expected.to contain_class('easy_ipa::install') } - it { is_expected.to contain_class('easy_ipa::install::sssd') } it { is_expected.to contain_class('easy_ipa::install::client') } it { is_expected.to contain_class('easy_ipa::validate_params') } @@ -319,7 +314,6 @@ it { is_expected.not_to contain_class('easy_ipa::config::webui') } it { is_expected.to contain_package('ipa-client').that_comes_before('Exec[client_install_ipa.rpsec.example.lan]') } - it { is_expected.to contain_package('sssd-common') } it { is_expected.to contain_package('kstart') } it { is_expected.not_to contain_package('ipa-server-dns') } it { is_expected.not_to contain_package('bind-dyndb-ldap') } From c326a86ac67c92a59518e1c0774748839e4b6011 Mon Sep 17 00:00:00 2001 From: Joshua Hoblitt Date: Wed, 25 Oct 2023 17:28:39 -0700 Subject: [PATCH 34/78] rm easy_ipa::validate_params class This is to prepare for refactoring param handling. --- REFERENCE.md | 1 - manifests/init.pp | 5 ++++- manifests/install/client.pp | 7 +++++++ manifests/install/server.pp | 9 +++++++++ manifests/validate_params.pp | 18 ------------------ spec/classes/ipa_spec.rb | 3 --- 6 files changed, 20 insertions(+), 23 deletions(-) delete mode 100644 manifests/validate_params.pp diff --git a/REFERENCE.md b/REFERENCE.md index 17d27e93..001b22a2 100644 --- a/REFERENCE.md +++ b/REFERENCE.md @@ -23,7 +23,6 @@ #### Private Classes * `easy_ipa::install::server::redhat` -* `easy_ipa::validate_params`: Validates input configs from init.pp. ### Defined types diff --git a/manifests/init.pp b/manifests/init.pp index 66d7d622..a9a5fcd7 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
@@ -156,6 +156,10 @@
 # Include per-OS parameters and fail on unsupported OS
 include easy_ipa::params
+ if $easy_ipa::idmax and $easy_ipa::idmax < $easy_ipa::idstart {
+ fail('Parameter "idmax" must be an integer greater than parameter "idstart".')
+ }
+
 $final_realm = $realm ? {
 undef => upcase($domain),
 default => $realm,
@@ -197,6 +201,5 @@
 }
 }
- require easy_ipa::validate_params
 contain easy_ipa::install
 }
diff --git a/manifests/install/client.pp b/manifests/install/client.pp
index ba1fbfea..709186f4 100644
--- a/manifests/install/client.pp
+++ b/manifests/install/client.pp
@@ -2,6 +2,13 @@
 # @summary Manage ipa client
 #
 class easy_ipa::install::client {
+ unless $easy_ipa::domain_join_password {
+ fail("When creating a ${easy_ipa::ipa_role} the parameter named domain_join_password cannot be empty.")
+ }
+ unless $easy_ipa::ipa_master_fqdn {
+ fail("When creating a ${easy_ipa::ipa_role} the parameter named ipa_master_fqdn cannot be empty.")
+ }
+
 package { 'ipa-client':
 ensure => $easy_ipa::params::ipa_client_package_ensure,
 name => $easy_ipa::params::ipa_client_package_name,
diff --git a/manifests/install/server.pp b/manifests/install/server.pp
index 06a80ff8..46b26929 100644
--- a/manifests/install/server.pp
+++ b/manifests/install/server.pp
@@ -2,6 +2,15 @@
 # @summary Manage IPA server install
 #
 class easy_ipa::install::server {
+ if $easy_ipa::ipa_role != 'master' { # if replica or client
+ unless $easy_ipa::domain_join_password {
+ fail("When creating a ${easy_ipa::ipa_role} the parameter named domain_join_password cannot be empty.")
+ }
+ unless $easy_ipa::ipa_master_fqdn {
+ fail("When creating a ${easy_ipa::ipa_role} the parameter named ipa_master_fqdn cannot be empty.")
+ }
+ }
+
 if fact('os.family') == 'RedHat' {
 require easy_ipa::install::server::redhat
 }
diff --git a/manifests/validate_params.pp b/manifests/validate_params.pp
deleted file mode 100644
index 480fefc5..00000000
--- a/manifests/validate_params.pp
+++ /dev/null
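Review bot: The added idmax guard only rejects `idmax < idstart`, so `idmax == idstart` passes although the message on the next line says idmax must be greater than idstart; either compare with `<=` or reword the message. Proposed: `if $easy_ipa::idmax and $easy_ipa::idmax <= $easy_ipa::idstart {`. An equal pair presumably yields a degenerate ID range that the installer rejects much later, which is exactly what an early `fail()` is meant to avoid. The enclosing class body starts and ends outside the hunk.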
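Review bot: The two `unless … fail(…)` preconditions added here are duplicated verbatim in `easy_ipa::install::server` in the next hunk, so the two copies will drift the first time one is edited. Both read only `easy_ipa` parameters, so they could live once in `easy_ipa` itself next to the `idmax` check this commit moved there, guarded by `if $easy_ipa::ipa_role != 'master'`, and both install classes would inherit the validation. The rest of the class body is outside the hunk.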
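Review bot: The comment `# if replica or client` on the added guard is misleading: the `easy_ipa::install` class that contains this one (deleted later in the series, where its body is visible) only reaches it for 'master' or 'replica', so `!= 'master'` here means replica; `if $easy_ipa::ipa_role == 'replica' {` says what is meant. Separately, `domain_join_password` is interpolated into the replica install command string (`--admin-password='${easy_ipa::domain_join_password}'` in the replica manifest later in this series), so while the exec runs the value is readable in `ps` output and, if the exec fails, Puppet's error message and report quote the whole command including the password. Typing the parameter `Sensitive[String[1]]` and passing the exec a `Sensitive` command, where the Puppet versions in use support that, keeps it out of logs and reports. The rest of the class body is outside the hunk.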
@@ -1,18 +0,0 @@
-# Validates input configs from init.pp.
-# @api private
-class easy_ipa::validate_params {
- assert_private()
-
- if $easy_ipa::idmax and $easy_ipa::idmax < $easy_ipa::idstart {
- fail('Parameter "idmax" must be an integer greater than parameter "idstart".')
- }
-
- if $easy_ipa::ipa_role != 'master' { # if replica or client
- unless $easy_ipa::domain_join_password {
- fail("When creating a ${easy_ipa::ipa_role} the parameter named domain_join_password cannot be empty.")
- }
- unless $easy_ipa::ipa_master_fqdn {
- fail("When creating a ${easy_ipa::ipa_role} the parameter named ipa_master_fqdn cannot be empty.")
- }
- }
-}
diff --git a/spec/classes/ipa_spec.rb b/spec/classes/ipa_spec.rb
index bee59474..7ddb0f1e 100644
--- a/spec/classes/ipa_spec.rb
+++ b/spec/classes/ipa_spec.rb
@@ -53,7 +53,6 @@
 it { is_expected.to contain_class('easy_ipa::install::server') }
 it { is_expected.to contain_class('easy_ipa::install::server::master') }
 it { is_expected.to contain_class('easy_ipa::config::webui') }
- it { is_expected.to contain_class('easy_ipa::validate_params') }
 it { is_expected.not_to contain_class('easy_ipa::install::server::replica') }
 it { is_expected.not_to contain_class('easy_ipa::install::client') }
@@ -211,7 +210,6 @@
 it { is_expected.to contain_class('easy_ipa::install::server') }
 it { is_expected.to contain_class('easy_ipa::install::server::replica') }
 it { is_expected.to contain_class('easy_ipa::config::webui') }
- it { is_expected.to contain_class('easy_ipa::validate_params') }
 it { is_expected.not_to contain_class('easy_ipa::install::server::master') }
 it { is_expected.not_to contain_class('easy_ipa::install::client') }
@@ -306,7 +304,6 @@
 context 'with defaults' do
 it { is_expected.to contain_class('easy_ipa::install') }
 it { is_expected.to contain_class('easy_ipa::install::client') }
- it { is_expected.to contain_class('easy_ipa::validate_params') }
 it { is_expected.not_to contain_class('easy_ipa::install::server') }
 it { is_expected.not_to contain_class('easy_ipa::install::server::master') }
From e75b967e6d58d28357827a681c39d528bd14015f Mon Sep 17 00:00:00 2001
From: Joshua Hoblitt
Date: Wed, 25 Oct 2023 17:35:53 -0700
Subject: [PATCH 35/78] rm easy_ipa::install_ipa_{client,server} params

The function of these parameters is confusing. That may be both set to true yet only client or server packages will be installed. The functionality of not installing packages could be handled by a param that allows overriding the package names (by setting it to an empty list).
---
 README.md | 2 --
 REFERENCE.md | 23 -----------------------
 manifests/init.pp | 14 +++++---------
 manifests/install.pp | 14 --------------
 spec/classes/ipa_spec.rb | 3 ---
 5 files changed, 5 insertions(+), 51 deletions(-)
 delete mode 100644 manifests/install.pp

diff --git a/README.md b/README.md
index c0056f65..533c650d 100644
--- a/README.md
+++ b/README.md
@@ -34,7 +34,6 @@ class {'easy_ipa':
 ipa_server_fqdn => 'ipa-server-1.vagrant.example.lan',
 admin_password => 'vagrant123',
 directory_services_password => 'vagrant123',
- install_ipa_server => true,
 ip_address => '192.168.56.35',
 enable_ip_address => true,
 enable_hostname => true,
@@ -49,7 +48,6 @@ class {'::easy_ipa':
 domain => 'vagrant.example.lan',
 ipa_server_fqdn => 'ipa-server-2.vagrant.example.lan',
 domain_join_password => 'vagrant123',
- install_ipa_server => true,
 ip_address => '192.168.56.36',
 enable_ip_address => true,
 enable_hostname => true,
diff --git a/REFERENCE.md b/REFERENCE.md
index 001b22a2..4345077f 100644
--- a/REFERENCE.md
+++ b/REFERENCE.md
@@ -10,7 +10,6 @@
 * [`easy_ipa`](#easy_ipa): Manages IPA masters, replicas and clients.
 * [`easy_ipa::config::webui`](#easy_ipa--config--webui): Configures port and redirect overrides for the IPA server web UI.
-* [`easy_ipa::install`](#easy_ipa--install): Manage easy_ipa install
 * [`easy_ipa::install::client`](#easy_ipa--install--client): Manage ipa client
 * [`easy_ipa::install::client::debian`](#easy_ipa--install--client--debian): Ensure that home directories get created on Debian and Ubuntu clients.
 * [`easy_ipa::install::server`](#easy_ipa--install--server): Manage IPA server install
@@ -70,8 +69,6 @@ The following parameters are available in the `easy_ipa` class:
 * [`idstart`](#-easy_ipa--idstart)
 * [`gssapi_no_negotiate`](#-easy_ipa--gssapi_no_negotiate)
 * [`idmax`](#-easy_ipa--idmax)
-* [`install_ipa_client`](#-easy_ipa--install_ipa_client)
-* [`install_ipa_server`](#-easy_ipa--install_ipa_server)
 * [`ip_address`](#-easy_ipa--ip_address)
 * [`ipa_server_fqdn`](#-easy_ipa--ipa_server_fqdn)
 * [`ipa_master_fqdn`](#-easy_ipa--ipa_master_fqdn)
@@ -259,22 +256,6 @@ Data type: `Variant[Integer,Undef]`
 Default value: `undef`
-##### `install_ipa_client`
-
-Data type: `Boolean`
-
-(boolean) If true, then the IPA client packages are installed if the parameter 'ipa_role' is set to 'client'.
-
-Default value: `true`
-
-##### `install_ipa_server`
-
-Data type: `Boolean`
-
-(boolean) If true, then the IPA server packages are installed if the parameter 'ipa_role' is not set to 'client'.
-
-Default value: `true`
-
 ##### `ip_address`
 Data type: `Optional[Stdlib::IP::Address]`
@@ -361,10 +342,6 @@ Default value: `false`
 Configures port and redirect overrides for the IPA server web UI.
-### `easy_ipa::install`
-
-Manage easy_ipa install
-
 ### `easy_ipa::install::client`
 Manage ipa client
diff --git a/manifests/init.pp b/manifests/init.pp
index a9a5fcd7..66c4d835 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -74,12 +74,6 @@
 # @param idmax
 # (integer) From the IPA man pages: "The max value for the IDs range (default: idstart+199999)".
 #
-# @param install_ipa_client
-# (boolean) If true, then the IPA client packages are installed if the parameter 'ipa_role' is set to 'client'.
-#
-# @param install_ipa_server
-# (boolean) If true, then the IPA server packages are installed if the parameter 'ipa_role' is not set to 'client'.
-#
 # @param ip_address
 # (string) IP address to pass to the IPA installer.
 #
@@ -140,8 +134,6 @@
 Variant[Pattern,Undef] $gssapi_no_negotiate = undef,
 Integer[10000] $idstart = (fqdn_rand('10737') + 10000),
 Variant[Integer,Undef] $idmax = undef,
- Boolean $install_ipa_client = true,
- Boolean $install_ipa_server = true,
 Optional[Stdlib::IP::Address] $ip_address = undef,
 String $ipa_server_fqdn = $facts['networking']['fqdn'],
 Optional[Stdlib::Fqdn] $ipa_master_fqdn = undef,
@@ -201,5 +193,9 @@
 }
 }
- contain easy_ipa::install
+ if $easy_ipa::ipa_role == 'master' or $easy_ipa::ipa_role == 'replica' {
+ contain 'easy_ipa::install::server'
+ } elsif $easy_ipa::ipa_role == 'client' {
+ contain 'easy_ipa::install::client'
+ }
 }
diff --git a/manifests/install.pp b/manifests/install.pp
deleted file mode 100644
index 3961e11c..00000000
--- a/manifests/install.pp
+++ /dev/null
@@ -1,14 +0,0 @@
-#
-# @summary Manage easy_ipa install
-#
-class easy_ipa::install {
- if $easy_ipa::ipa_role == 'master' or $easy_ipa::ipa_role == 'replica' {
- if $easy_ipa::install_ipa_server {
- contain 'easy_ipa::install::server'
- }
- } elsif $easy_ipa::ipa_role == 'client' {
- if $easy_ipa::install_ipa_client {
- contain 'easy_ipa::install::client'
- }
- }
-}
diff --git a/spec/classes/ipa_spec.rb b/spec/classes/ipa_spec.rb
index 7ddb0f1e..3bc4958a 100644
--- a/spec/classes/ipa_spec.rb
+++ b/spec/classes/ipa_spec.rb
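Review bot: The new `if`/`elsif` at the end of `easy_ipa` has no terminal branch, so an `ipa_role` value other than 'master', 'replica' or 'client' silently contains neither install class and the node ends up with no IPA role at all (the deleted `easy_ipa::install` had the same gap). Unless `$ipa_role` is already constrained to an `Enum` in the parameter list, which is outside this hunk, a final `} else { fail("Unsupported ipa_role '${easy_ipa::ipa_role}'") }` turns a typo into a catalog failure instead of a quietly unconfigured host. The rest of the class body is outside the hunk.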
@@ -49,7 +49,6 @@
 end
 context 'with defaults' do
- it { is_expected.to contain_class('easy_ipa::install') }
 it { is_expected.to contain_class('easy_ipa::install::server') }
 it { is_expected.to contain_class('easy_ipa::install::server::master') }
 it { is_expected.to contain_class('easy_ipa::config::webui') }
@@ -206,7 +205,6 @@
 end
 context 'with defaults' do
- it { is_expected.to contain_class('easy_ipa::install') }
 it { is_expected.to contain_class('easy_ipa::install::server') }
 it { is_expected.to contain_class('easy_ipa::install::server::replica') }
 it { is_expected.to contain_class('easy_ipa::config::webui') }
@@ -302,7 +300,6 @@
 end
 context 'with defaults' do
- it { is_expected.to contain_class('easy_ipa::install') }
 it { is_expected.to contain_class('easy_ipa::install::client') }
 it { is_expected.not_to contain_class('easy_ipa::install::server') }
From 1fe75c91cc0efb3b3077a240539bd29980c1602b Mon Sep 17 00:00:00 2001
From: Joshua Hoblitt
Date: Wed, 25 Oct 2023 17:44:31 -0700
Subject: [PATCH 36/78] use fact() function to improve readability

---
 REFERENCE.md | 4 ++--
 manifests/backup.pp | 2 +-
 manifests/config/webui.pp | 2 +-
 manifests/helpers/flushcache.pp | 4 ++--
 manifests/init.pp | 2 +-
 manifests/install/client.pp | 8 ++++----
 manifests/named.pp | 2 +-
 manifests/params.pp | 2 +-
 8 files changed, 13 insertions(+), 13 deletions(-)

diff --git a/REFERENCE.md b/REFERENCE.md
index 4345077f..8ea5d1d0 100644
--- a/REFERENCE.md
+++ b/REFERENCE.md
@@ -270,7 +270,7 @@ Data type: `String`
 (string) Actual fqdn of the IPA server or client.
-Default value: `$facts['networking']['fqdn']`
+Default value: `fact('networking.fqdn')`
 ##### `ipa_master_fqdn`
@@ -477,7 +477,7 @@ Data type: `String`
 Email to send cron notifications to. Defaults to $::servermonitor.
-Default value: `$facts['servermonitor']`
+Default value: `fact('servermonitor')`
 ### `easy_ipa::config::named`
diff --git a/manifests/backup.pp b/manifests/backup.pp
index f828f243..e8e57356 100644
--- a/manifests/backup.pp
+++ b/manifests/backup.pp
@@ -29,7 +29,7 @@
 Variant[Array[String], Array[Integer[0-59]], String, Integer[0-59]] $minute,
 Variant[Array[String], Array[Integer[0-7]], String, Integer[0-7]] $weekday = '*',
 Variant[Array[String], Array[Integer[1-31]], String, Integer[1-31]] $monthday = '*',
- String $email = $facts['servermonitor'],
+ String $email = fact('servermonitor'),
 Boolean $timestamp = true,
 ) {
 $script = 'ipa-backup-wrapper.sh'
diff --git a/manifests/config/webui.pp b/manifests/config/webui.pp
index 43aedb73..1d4ca55d 100644
--- a/manifests/config/webui.pp
+++ b/manifests/config/webui.pp
@@ -21,7 +21,7 @@
 # IPA switched to mod_ssl as the crypto engine for Apache as of version 4.7.0
 # see https://www.freeipa.org/page/Releases/4.7.0#Highlights_in_4.7.0
 # These are not needed for versions newer than 4.7.10
- if versioncmp($facts['ipa_server_version'], '4.7.0') < 0 {
+ if versioncmp(fact('ipa_server_version'), '4.7.0') < 0 {
 exec { 'semanage-port-http_port_t':
 command => "semanage port -a -t http_port_t -p tcp ${proxy_https_port}",
 unless => "semanage port -l|grep -E \"^http_port_t.*tcp.*${proxy_https_port}\"",
diff --git a/manifests/helpers/flushcache.pp b/manifests/helpers/flushcache.pp
index bd55d7ee..289567a1 100644
--- a/manifests/helpers/flushcache.pp
+++ b/manifests/helpers/flushcache.pp
@@ -3,14 +3,14 @@
 #
 define easy_ipa::helpers::flushcache {
 #TODO: nscd should be called on both platforms.
- if $::facts['os']['family'] == 'RedHat' {
+ if fact('os.family') == 'RedHat' {
 $ipa_fluch_cache_cmd = "\
 if [ -x /usr/sbin/sss_cache ]; then \
 /usr/sbin/sss_cache -UGNA >/dev/null 2>&1 ; \
 else \
 /usr/bin/find /var/lib/sss/db -type f -exec rm -f \"{}\" ; ; \
 fi"
- } elsif $::facts['os']['family'] == 'Debian' {
+ } elsif fact('os.family') == 'Debian' {
 $ipa_fluch_cache_cmd = "\
 if [ -x /usr/sbin/nscd ]; then \
 /usr/sbin/nscd -i passwd -i group -i netgroup -i automount >/dev/null 2>&1 ; \
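Review bot: The `unless` guard on `exec { 'semanage-port-http_port_t': … }` is an unanchored regex, so a configured port that is a digit-suffix of one already in the `http_port_t` list (443 when 8443 is listed, 800 when 8008 is) satisfies the grep and the `semanage port -a` is skipped, leaving the proxy port unlabelled. Bounding the port with non-digits fixes it: `unless => "semanage port -l|grep -E \"^http_port_t.*tcp.*[^0-9]${proxy_https_port}([^0-9]|\$)\"",`. The `fact('ipa_server_version')` test on the changed line also deserves a note: on a host where that custom fact is not yet populated the call yields undef and `versioncmp(undef, '4.7.0')` raises rather than skipping, so if this class can be evaluated before the server install has run it needs a guard. The rest of the exec and the surrounding class are outside the hunk.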
diff --git a/manifests/init.pp b/manifests/init.pp
index 66c4d835..79dbb9d9 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -135,7 +135,7 @@
 Integer[10000] $idstart = (fqdn_rand('10737') + 10000),
 Variant[Integer,Undef] $idmax = undef,
 Optional[Stdlib::IP::Address] $ip_address = undef,
- String $ipa_server_fqdn = $facts['networking']['fqdn'],
+ String $ipa_server_fqdn = fact('networking.fqdn'),
 Optional[Stdlib::Fqdn] $ipa_master_fqdn = undef,
 Boolean $mkhomedir = true,
 Boolean $no_ui_redirect = false,
diff --git a/manifests/install/client.pp b/manifests/install/client.pp
index 709186f4..198b0c93 100644
--- a/manifests/install/client.pp
+++ b/manifests/install/client.pp
@@ -43,12 +43,12 @@
 }
 if $easy_ipa::enable_hostname {
- $client_install_cmd_opts_hostname = "--hostname=${facts['networking']['fqdn']}"
+ $client_install_cmd_opts_hostname = "--hostname=${fact('networking.fqdn')}"
 } else {
 $client_install_cmd_opts_hostname = ''
 }
- if $facts['ipa_force_join'] {
+ if fact('ipa_force_join') {
 $client_install_cmd_opts_force_join= '--force-join'
 } else {
 $client_install_cmd_opts_force_join = ''
@@ -72,7 +72,7 @@
 --unattended"
 if $easy_ipa::params::ipa_client_package_ensure == 'present' {
- exec { "client_install_${facts['networking']['fqdn']}":
+ exec { "client_install_${fact('networking.fqdn')}":
 command => $client_install_cmd,
 timeout => 0,
 unless => "cat /etc/ipa/default.conf | grep -i \"${easy_ipa::domain}\"",
@@ -83,7 +83,7 @@
 }
 }
- if $facts['os']['family'] == 'Debian' and $easy_ipa::mkhomedir {
+ if fact('os.family') == 'Debian' and $easy_ipa::mkhomedir {
 contain easy_ipa::install::client::debian
 }
 }
diff --git a/manifests/named.pp b/manifests/named.pp
index d745630c..49be5f55 100644
--- a/manifests/named.pp
+++ b/manifests/named.pp
@@ -7,7 +7,7 @@
 class easy_ipa::named {
 include easy_ipa::params
- unless $facts['os']['family'] == 'RedHat' {
+ unless fact('os.family') == 'RedHat' {
 fail('ERROR: class ::easy_ipa::named supports only RedHat/CentOS')
 }
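Review bot: In the `client_install_…` exec (the `@@ -72,7 +72,7 @@` hunk of client.pp) the idempotency guard `unless => "cat /etc/ipa/default.conf | grep -i \"${easy_ipa::domain}\""` treats the domain as a regex, so each dot matches any character and a config written for a different but similarly spelled domain counts as already joined, silently skipping the join. A fixed-string, quiet match is both stricter and shorter: `unless => "grep -qiF '${easy_ipa::domain}' /etc/ipa/default.conf",`. Note also that `timeout => 0` on the same resource disables Puppet's exec timeout entirely, so a hung `ipa-client-install` blocks the agent run indefinitely; a generous finite value would bound that. The remaining exec attributes are outside the hunk.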
diff --git a/manifests/params.pp b/manifests/params.pp
index 0c373664..92878bf1 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -7,7 +7,7 @@
 # by failing early rather than later.
 #
 class easy_ipa::params {
- case $facts['os']['family'] {
+ case fact('os.family') {
 'RedHat': {
 $ipa_client_package_name = 'ipa-client'
 $ipa_client_package_ensure = 'present'
From 4c761f7851f606eb057c6dafa71f25698c6fbc54 Mon Sep 17 00:00:00 2001
From: Joshua Hoblitt
Date: Wed, 25 Oct 2023 17:48:54 -0700
Subject: [PATCH 37/78] rename easy_ipa::install::client -> easy_ipa::client

---
 REFERENCE.md | 16 ++++++++--------
 manifests/{install => }/client.pp | 4 ++--
 manifests/{install => }/client/debian.pp | 2 +-
 manifests/init.pp | 2 +-
 spec/classes/ipa_spec.rb | 6 +++---
 5 files changed, 15 insertions(+), 15 deletions(-)
 rename manifests/{install => }/client.pp (97%)
 rename manifests/{install => }/client/debian.pp (95%)

diff --git a/REFERENCE.md b/REFERENCE.md
index 8ea5d1d0..91eda41b 100644
--- a/REFERENCE.md
+++ b/REFERENCE.md
@@ -9,9 +9,9 @@
 #### Public Classes
 * [`easy_ipa`](#easy_ipa): Manages IPA masters, replicas and clients.
+* [`easy_ipa::client`](#easy_ipa--client): Manage ipa client
+* [`easy_ipa::client::debian`](#easy_ipa--client--debian): Ensure that home directories get created on Debian and Ubuntu clients.
 * [`easy_ipa::config::webui`](#easy_ipa--config--webui): Configures port and redirect overrides for the IPA server web UI.
-* [`easy_ipa::install::client`](#easy_ipa--install--client): Manage ipa client
-* [`easy_ipa::install::client::debian`](#easy_ipa--install--client--debian): Ensure that home directories get created on Debian and Ubuntu clients.
 * [`easy_ipa::install::server`](#easy_ipa--install--server): Manage IPA server install
 * [`easy_ipa::install::server::master`](#easy_ipa--install--server--master): Manage primary server
 * [`easy_ipa::install::server::replica`](#easy_ipa--install--server--replica): Manage replica install
@@ -338,19 +338,19 @@ Data type: `Boolean`
 Default value: `false`
-### `easy_ipa::config::webui`
-
-Configures port and redirect overrides for the IPA server web UI.
-
-### `easy_ipa::install::client`
+### `easy_ipa::client`
 Manage ipa client
-### `easy_ipa::install::client::debian`
+### `easy_ipa::client::debian`
 This code is needed as the --mkhomedir parameter passed to ipa-client-install does
 not configure PAM even though it does install the required packages.
+### `easy_ipa::config::webui`
+
+Configures port and redirect overrides for the IPA server web UI.
+
 ### `easy_ipa::install::server`
 Manage IPA server install
diff --git a/manifests/install/client.pp b/manifests/client.pp
similarity index 97%
rename from manifests/install/client.pp
rename to manifests/client.pp
index 198b0c93..4a12b1a9 100644
--- a/manifests/install/client.pp
+++ b/manifests/client.pp
@@ -1,7 +1,7 @@
 #
 # @summary Manage ipa client
 #
-class easy_ipa::install::client {
+class easy_ipa::client {
 unless $easy_ipa::domain_join_password {
 fail("When creating a ${easy_ipa::ipa_role} the parameter named domain_join_password cannot be empty.")
 }
@@ -84,6 +84,6 @@
 }
 if fact('os.family') == 'Debian' and $easy_ipa::mkhomedir {
- contain easy_ipa::install::client::debian
+ contain easy_ipa::client::debian
 }
 }
diff --git a/manifests/install/client/debian.pp b/manifests/client/debian.pp
similarity index 95%
rename from manifests/install/client/debian.pp
rename to manifests/client/debian.pp
index e053dc38..6a01f3c1 100644
--- a/manifests/install/client/debian.pp
+++ b/manifests/client/debian.pp
@@ -4,7 +4,7 @@
 # This code is needed as the --mkhomedir parameter passed to ipa-client-install does
 # not configure PAM even though it does install the required packages.
 #
-class easy_ipa::install::client::debian {
+class easy_ipa::client::debian {
 # Ensure that required packages are present even if they do not get pulled
 # in as freeipa-client package dependencies
 stdlib::ensure_packages(['oddjob','oddjob-mkhomedir'], { 'ensure' => 'present' })
diff --git a/manifests/init.pp b/manifests/init.pp
index 79dbb9d9..10c4c9b2 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -196,6 +196,6 @@
 if $easy_ipa::ipa_role == 'master' or $easy_ipa::ipa_role == 'replica' {
 contain 'easy_ipa::install::server'
 } elsif $easy_ipa::ipa_role == 'client' {
- contain 'easy_ipa::install::client'
+ contain 'easy_ipa::client'
 }
 }
diff --git a/spec/classes/ipa_spec.rb b/spec/classes/ipa_spec.rb
index 3bc4958a..0660cdb1 100644
--- a/spec/classes/ipa_spec.rb
+++ b/spec/classes/ipa_spec.rb
@@ -54,7 +54,7 @@
 it { is_expected.to contain_class('easy_ipa::config::webui') }
 it { is_expected.not_to contain_class('easy_ipa::install::server::replica') }
- it { is_expected.not_to contain_class('easy_ipa::install::client') }
+ it { is_expected.not_to contain_class('easy_ipa::client') }
 it { is_expected.to contain_package('ipa-server-dns') }
 it { is_expected.to contain_package('bind-dyndb-ldap') }
@@ -210,7 +210,7 @@
 it { is_expected.to contain_class('easy_ipa::config::webui') }
 it { is_expected.not_to contain_class('easy_ipa::install::server::master') }
- it { is_expected.not_to contain_class('easy_ipa::install::client') }
+ it { is_expected.not_to contain_class('easy_ipa::client') }
 it { is_expected.to contain_package('ipa-server-dns') }
 it { is_expected.to contain_package('bind-dyndb-ldap') }
@@ -300,7 +300,7 @@
 end
 context 'with defaults' do
- it { is_expected.to contain_class('easy_ipa::install::client') }
+ it { is_expected.to contain_class('easy_ipa::client') }
 it { is_expected.not_to contain_class('easy_ipa::install::server') }
 it { is_expected.not_to contain_class('easy_ipa::install::server::master') }
From 81d093e5acb3c8ef08687b32a11a39f7c8fea5c4 Mon Sep 17 00:00:00 2001
From: Joshua Hoblitt
Date: Wed, 25 Oct 2023 17:51:08 -0700
Subject: [PATCH 38/78] change easy_ipa::client::debian to a private class

---
 REFERENCE.md | 7 +------
 manifests/client/debian.pp | 3 +++
 2 files changed, 4 insertions(+), 6 deletions(-)

diff --git a/REFERENCE.md b/REFERENCE.md
index 91eda41b..42dca8d0 100644
--- a/REFERENCE.md
+++ b/REFERENCE.md
@@ -10,7 +10,6 @@
 * [`easy_ipa`](#easy_ipa): Manages IPA masters, replicas and clients.
 * [`easy_ipa::client`](#easy_ipa--client): Manage ipa client
-* [`easy_ipa::client::debian`](#easy_ipa--client--debian): Ensure that home directories get created on Debian and Ubuntu clients.
 * [`easy_ipa::config::webui`](#easy_ipa--config--webui): Configures port and redirect overrides for the IPA server web UI.
 * [`easy_ipa::install::server`](#easy_ipa--install--server): Manage IPA server install
 * [`easy_ipa::install::server::master`](#easy_ipa--install--server--master): Manage primary server
@@ -21,6 +20,7 @@
 #### Private Classes
+* `easy_ipa::client::debian`: Ensure that home directories get created on Debian and Ubuntu clients.
 * `easy_ipa::install::server::redhat`
 ### Defined types
@@ -342,11 +342,6 @@ Default value: `false`
 Manage ipa client
-### `easy_ipa::client::debian`
-
-This code is needed as the --mkhomedir parameter passed to ipa-client-install does
-not configure PAM even though it does install the required packages.
-
 ### `easy_ipa::config::webui`
 Configures port and redirect overrides for the IPA server web UI.
diff --git a/manifests/client/debian.pp b/manifests/client/debian.pp
index 6a01f3c1..dd795551 100644
--- a/manifests/client/debian.pp
+++ b/manifests/client/debian.pp
@@ -4,7 +4,10 @@
 # This code is needed as the --mkhomedir parameter passed to ipa-client-install does
 # not configure PAM even though it does install the required packages.
 #
+# @api private
 class easy_ipa::client::debian {
+ assert_private()
+
 # Ensure that required packages are present even if they do not get pulled
 # in as freeipa-client package dependencies
 stdlib::ensure_packages(['oddjob','oddjob-mkhomedir'], { 'ensure' => 'present' })
From adc0d6b5d3848d3c8ccffa329473cc1c18b62fe0 Mon Sep 17 00:00:00 2001
From: Joshua Hoblitt
Date: Wed, 25 Oct 2023 17:55:06 -0700
Subject: [PATCH 39/78] rename easy_ipa::install::server -> easy_ipa::server

---
 REFERENCE.md | 32 +++++++++++------------
 manifests/init.pp | 2 +-
 manifests/{install => }/server.pp | 12 ++++-----
 manifests/{install => }/server/master.pp | 24 ++++++++---------
 manifests/{install => }/server/redhat.pp | 2 +-
 manifests/{install => }/server/replica.pp | 22 ++++++++--------
 spec/classes/ipa_spec.rb | 18 ++++++-------
 7 files changed, 56 insertions(+), 56 deletions(-)
 rename manifests/{install => }/server.pp (92%)
 rename manifests/{install => }/server/master.pp (56%)
 rename manifests/{install => }/server/redhat.pp (80%)
 rename manifests/{install => }/server/replica.pp (59%)

diff --git a/REFERENCE.md b/REFERENCE.md
index 42dca8d0..8d49609c 100644
--- a/REFERENCE.md
+++ b/REFERENCE.md
@@ -11,17 +11,17 @@
 * [`easy_ipa`](#easy_ipa): Manages IPA masters, replicas and clients.
 * [`easy_ipa::client`](#easy_ipa--client): Manage ipa client
 * [`easy_ipa::config::webui`](#easy_ipa--config--webui): Configures port and redirect overrides for the IPA server web UI.
-* [`easy_ipa::install::server`](#easy_ipa--install--server): Manage IPA server install
-* [`easy_ipa::install::server::master`](#easy_ipa--install--server--master): Manage primary server
-* [`easy_ipa::install::server::replica`](#easy_ipa--install--server--replica): Manage replica install
 * [`easy_ipa::named`](#easy_ipa--named): Prepare the integrated named-pkcs11 service for local configuration
 * [`easy_ipa::packetfilter::server`](#easy_ipa--packetfilter--server): Install packet filtering rules for FreeIPA.
 * [`easy_ipa::params`](#easy_ipa--params): Prevent havoc on unsupported operating systems.
+* [`easy_ipa::server`](#easy_ipa--server): Manage IPA server install
+* [`easy_ipa::server::master`](#easy_ipa--server--master): Manage primary server
+* [`easy_ipa::server::replica`](#easy_ipa--server--replica): Manage replica install
 #### Private Classes
 * `easy_ipa::client::debian`: Ensure that home directories get created on Debian and Ubuntu clients.
-* `easy_ipa::install::server::redhat`
+* `easy_ipa::server::redhat`
 ### Defined types
@@ -346,18 +346,6 @@ Manage ipa client
 Configures port and redirect overrides for the IPA server web UI.
-### `easy_ipa::install::server`
-
-Manage IPA server install
-
-### `easy_ipa::install::server::master`
-
-Manage primary server
-
-### `easy_ipa::install::server::replica`
-
-Manage replica install
-
 ### `easy_ipa::named`
 fragments.
@@ -398,6 +386,18 @@ differences.
 Right now the main purpose is to prevent easy_ipa classes from causing havoc (e.g. partial configurations) on unsupported operating systems by failing early rather than later.
+### `easy_ipa::server`
+
+Manage IPA server install
+
+### `easy_ipa::server::master`
+
+Manage primary server
+
+### `easy_ipa::server::replica`
+
+Manage replica install
+
 ## Defined types
 ### `easy_ipa::backup`
diff --git a/manifests/init.pp b/manifests/init.pp
index 10c4c9b2..7c1bbd64 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -194,7 +194,7 @@
 }
 if $easy_ipa::ipa_role == 'master' or $easy_ipa::ipa_role == 'replica' {
- contain 'easy_ipa::install::server'
+ contain 'easy_ipa::server'
 } elsif $easy_ipa::ipa_role == 'client' {
 contain 'easy_ipa::client'
 }
diff --git a/manifests/install/server.pp b/manifests/server.pp
similarity index 92%
rename from manifests/install/server.pp
rename to manifests/server.pp
index 46b26929..4da965b4 100644
--- a/manifests/install/server.pp
+++ b/manifests/server.pp
@@ -1,7 +1,7 @@
 #
 # @summary Manage IPA server install
 #
-class easy_ipa::install::server {
+class easy_ipa::server {
 if $easy_ipa::ipa_role != 'master' { # if replica or client
 unless $easy_ipa::domain_join_password {
 fail("When creating a ${easy_ipa::ipa_role} the parameter named domain_join_password cannot be empty.")
@@ -12,7 +12,7 @@
 }
 if fact('os.family') == 'RedHat' {
- require easy_ipa::install::server::redhat
+ require easy_ipa::server::redhat
 }
 $dns_packages = [
@@ -111,12 +111,12 @@
 }
 if $easy_ipa::ipa_role == 'master' {
- contain 'easy_ipa::install::server::master'
- Class['easy_ipa::install::server::master']
+ contain 'easy_ipa::server::master'
+ Class['easy_ipa::server::master']
 -> Class['easy_ipa::config::webui']
 } elsif $easy_ipa::ipa_role == 'replica' {
- contain 'easy_ipa::install::server::replica'
- Class['easy_ipa::install::server::replica']
+ contain 'easy_ipa::server::replica'
+ Class['easy_ipa::server::replica']
 -> Class['easy_ipa::config::webui']
 }
diff --git a/manifests/install/server/master.pp b/manifests/server/master.pp
similarity index 56%
rename from manifests/install/server/master.pp
rename to manifests/server/master.pp
index 32b992f3..b2afa446 100644
--- a/manifests/install/server/master.pp
+++ b/manifests/server/master.pp
@@ -1,24 +1,24 @@
 #
 # @summary Manage primary server
 #
-class easy_ipa::install::server::master {
+class easy_ipa::server::master {
 $server_install_cmd = "\
 /usr/sbin/ipa-server-install \
- ${easy_ipa::install::server::server_install_cmd_opts_hostname} \
+ ${easy_ipa::server::server_install_cmd_opts_hostname} \
 --realm=${easy_ipa::final_realm} \
 --domain=${easy_ipa::domain} \
 --admin-password='${easy_ipa::admin_password}' \
 --ds-password='${easy_ipa::directory_services_password}' \
- ${easy_ipa::install::server::server_install_cmd_opts_zone_overlap} \
- ${easy_ipa::install::server::server_install_cmd_opts_dnssec_validation} \
- ${easy_ipa::install::server::server_install_cmd_opts_setup_dns} \
- ${easy_ipa::install::server::server_install_cmd_opts_forwarders} \
- ${easy_ipa::install::server::server_install_cmd_opts_ip_address} \
- ${easy_ipa::install::server::server_install_cmd_opts_no_ntp} \
- ${easy_ipa::install::server::server_install_cmd_opts_idstart} \
- ${easy_ipa::install::server::server_install_cmd_opts_idmax} \
- ${easy_ipa::install::server::server_install_cmd_opts_no_ui_redirect} \
- ${easy_ipa::install::server::server_install_cmd_opts_mkhomedir} \
+ ${easy_ipa::server::server_install_cmd_opts_zone_overlap} \
+ ${easy_ipa::server::server_install_cmd_opts_dnssec_validation} \
+ ${easy_ipa::server::server_install_cmd_opts_setup_dns} \
+ ${easy_ipa::server::server_install_cmd_opts_forwarders} \
+ ${easy_ipa::server::server_install_cmd_opts_ip_address} \
+ ${easy_ipa::server::server_install_cmd_opts_no_ntp} \
+ ${easy_ipa::server::server_install_cmd_opts_idstart} \
+ ${easy_ipa::server::server_install_cmd_opts_idmax} \
+ ${easy_ipa::server::server_install_cmd_opts_no_ui_redirect} \
+ ${easy_ipa::server::server_install_cmd_opts_mkhomedir} \
 ${easy_ipa::opt_no_ssh} \
 ${easy_ipa::opt_no_sshd} \
 --unattended"
diff --git a/manifests/install/server/redhat.pp b/manifests/server/redhat.pp
similarity index 80%
rename from manifests/install/server/redhat.pp
rename to manifests/server/redhat.pp
index 1ee80f96..2836fc6c 100644
--- a/manifests/install/server/redhat.pp
+++ b/manifests/server/redhat.pp
@@ -1,5 +1,5 @@
 # @api private
-class easy_ipa::install::server::redhat {
+class easy_ipa::server::redhat {
 assert_private()
 if versioncmp(fact('os.release.major'), '8') == 0 {
diff --git a/manifests/install/server/replica.pp b/manifests/server/replica.pp
similarity index 59%
rename from manifests/install/server/replica.pp
rename to manifests/server/replica.pp
index 1832f053..6375de08 100644
--- a/manifests/install/server/replica.pp
+++ b/manifests/server/replica.pp
@@ -1,24 +1,24 @@
 #
 # @summary Manage replica install
 #
-class easy_ipa::install::server::replica {
+class easy_ipa::server::replica {
 $replica_install_cmd = "\
 /usr/sbin/ipa-replica-install \
 --principal=${easy_ipa::domain_join_principal} \
 --admin-password='${easy_ipa::domain_join_password}' \
- ${easy_ipa::install::server::server_install_cmd_opts_hostname} \
+ ${easy_ipa::server::server_install_cmd_opts_hostname} \
 --realm=${easy_ipa::final_realm} \
 --domain=${easy_ipa::domain} \
 --server=${easy_ipa::ipa_master_fqdn} \
- ${easy_ipa::install::server::server_install_cmd_opts_zone_overlap} \
- ${easy_ipa::install::server::server_install_cmd_opts_dnssec_validation} \
- ${easy_ipa::install::server::server_install_cmd_opts_setup_dns} \
- ${easy_ipa::install::server::server_install_cmd_opts_setup_ca} \
- ${easy_ipa::install::server::server_install_cmd_opts_forwarders} \
- ${easy_ipa::install::server::server_install_cmd_opts_ip_address} \
- ${easy_ipa::install::server::server_install_cmd_opts_no_ntp} \
- ${easy_ipa::install::server::server_install_cmd_opts_no_ui_redirect} \
- ${easy_ipa::install::server::server_install_cmd_opts_mkhomedir} \
+ ${easy_ipa::server::server_install_cmd_opts_zone_overlap} \
+ ${easy_ipa::server::server_install_cmd_opts_dnssec_validation} \
+ ${easy_ipa::server::server_install_cmd_opts_setup_dns} \
+ ${easy_ipa::server::server_install_cmd_opts_setup_ca} \
+ ${easy_ipa::server::server_install_cmd_opts_forwarders} \
+ ${easy_ipa::server::server_install_cmd_opts_ip_address} \
+ ${easy_ipa::server::server_install_cmd_opts_no_ntp} \
+ ${easy_ipa::server::server_install_cmd_opts_no_ui_redirect} \
+ ${easy_ipa::server::server_install_cmd_opts_mkhomedir} \
 ${easy_ipa::opt_no_ssh} \
 ${easy_ipa::opt_no_sshd} \
 --unattended"
diff --git a/spec/classes/ipa_spec.rb b/spec/classes/ipa_spec.rb
index 0660cdb1..3a9fac87 100644
--- a/spec/classes/ipa_spec.rb
+++ b/spec/classes/ipa_spec.rb
@@ -49,11 +49,11 @@ end context 'with defaults' do - it { is_expected.to contain_class('easy_ipa::install::server') } - it { is_expected.to contain_class('easy_ipa::install::server::master') } + it { is_expected.to contain_class('easy_ipa::server') } + it { is_expected.to contain_class('easy_ipa::server::master') } it { is_expected.to contain_class('easy_ipa::config::webui') } - it { is_expected.not_to contain_class('easy_ipa::install::server::replica') } + it { is_expected.not_to contain_class('easy_ipa::server::replica') } it { is_expected.not_to contain_class('easy_ipa::client') } it { is_expected.to contain_package('ipa-server-dns') } @@ -205,11 +205,11 @@ end context 'with defaults' do - it { is_expected.to contain_class('easy_ipa::install::server') } - it { is_expected.to contain_class('easy_ipa::install::server::replica') } + it { is_expected.to contain_class('easy_ipa::server') } + it { is_expected.to contain_class('easy_ipa::server::replica') } it { is_expected.to contain_class('easy_ipa::config::webui') } - it { is_expected.not_to contain_class('easy_ipa::install::server::master') } + it { is_expected.not_to contain_class('easy_ipa::server::master') } it { is_expected.not_to contain_class('easy_ipa::client') } it { is_expected.to contain_package('ipa-server-dns') } 
@@ -302,9 +302,9 @@ context 'with defaults' do it { is_expected.to contain_class('easy_ipa::client') } - it { is_expected.not_to contain_class('easy_ipa::install::server') } - it { is_expected.not_to contain_class('easy_ipa::install::server::master') } - it { is_expected.not_to contain_class('easy_ipa::install::server::replica') } + it { is_expected.not_to contain_class('easy_ipa::server') } + it { is_expected.not_to contain_class('easy_ipa::server::master') } + it { is_expected.not_to contain_class('easy_ipa::server::replica') } it { is_expected.not_to contain_class('easy_ipa::config::webui') } it { is_expected.to contain_package('ipa-client').that_comes_before('Exec[client_install_ipa.rpsec.example.lan]') } From ef832e512ff45743ba4acf50a152ded3bb27c0f9 Mon Sep 17 00:00:00 2001 From: Joshua Hoblitt Date: Thu, 26 Oct 2023 08:48:46 -0700 Subject: [PATCH 40/78] add easy_ipa::client::force_join param and rm usage of `ipa_force_join` fact. --- REFERENCE.md | 14 ++++++++++++++ manifests/client.pp | 9 +++++++-- 2 files changed, 21 insertions(+), 2 deletions(-) diff --git a/REFERENCE.md b/REFERENCE.md index 8d49609c..02c00710 100644 --- a/REFERENCE.md +++ b/REFERENCE.md @@ -342,6 +342,20 @@ Default value: `false` Manage ipa client +#### Parameters + +The following parameters are available in the `easy_ipa::client` class: + +* [`force_join`](#-easy_ipa--client--force_join) + +##### `force_join` + +Data type: `Boolean` + +Force the client to join the domain even if it is already joined. + +Default value: `false` + ### `easy_ipa::config::webui` Configures port and redirect overrides for the IPA server web UI. diff --git a/manifests/client.pp b/manifests/client.pp index 4a12b1a9..f626d0af 100644 --- a/manifests/client.pp +++ b/manifests/client.pp 
@@ -1,7 +1,12 @@ # # @summary Manage ipa client # -class easy_ipa::client { +# @param force_join +# Force the client to join the domain even if it is already joined. +# +class easy_ipa::client ( + Boolean $force_join = false, +) { unless $easy_ipa::domain_join_password { fail("When creating a ${easy_ipa::ipa_role} the parameter named domain_join_password cannot be empty.") } @@ -48,7 +53,7 @@ $client_install_cmd_opts_hostname = '' } - if fact('ipa_force_join') { + if $force_join { $client_install_cmd_opts_force_join= '--force-join' } else { $client_install_cmd_opts_force_join = '' From 048424d65a511bf698b891ee3622a6431b7ae7b2 Mon Sep 17 00:00:00 2001 From: Joshua Hoblitt Date: Thu, 26 Oct 2023 17:29:38 -0700 Subject: [PATCH 41/78] mv ipa client package name(s) to hiera data --- REFERENCE.md | 9 +++++++++ data/os/Debian.yaml | 4 ++++ data/os/RedHat.yaml | 4 ++++ manifests/client.pp | 31 +++++++++++++------------------ manifests/params.pp | 4 ---- spec/classes/ipa_spec.rb | 12 +++++++++--- 6 files changed, 39 insertions(+), 25 deletions(-) create mode 100644 data/os/Debian.yaml create mode 100644 data/os/RedHat.yaml diff --git a/REFERENCE.md b/REFERENCE.md index 02c00710..feea5574 100644 --- a/REFERENCE.md +++ b/REFERENCE.md @@ -346,8 +346,17 @@ Manage ipa client The following parameters are available in the `easy_ipa::client` class: +* [`package_name`](#-easy_ipa--client--package_name) * [`force_join`](#-easy_ipa--client--force_join) +##### `package_name` + +Data type: `Array[String]` + +The name of the package(s) to install. + +Default value: `undef` + ##### `force_join` Data type: `Boolean` diff --git a/data/os/Debian.yaml b/data/os/Debian.yaml new file mode 100644 index 00000000..dfdd8d8f --- /dev/null +++ b/data/os/Debian.yaml @@ -0,0 +1,4 @@ +--- +easy_ipa::client::package_name: + - freeipa-client + - kstart diff --git a/data/os/RedHat.yaml b/data/os/RedHat.yaml new file mode 100644 index 00000000..3262eca3 --- /dev/null +++ b/data/os/RedHat.yaml 
@@ -0,0 +1,4 @@ +--- +easy_ipa::client::package_name: + - ipa-client + - kstart diff --git a/manifests/client.pp b/manifests/client.pp index f626d0af..1114f58f 100644 --- a/manifests/client.pp +++ b/manifests/client.pp @@ -1,10 +1,14 @@ # # @summary Manage ipa client # +# @param package_name +# The name of the package(s) to install. +# # @param force_join # Force the client to join the domain even if it is already joined. # class easy_ipa::client ( + Array[String] $package_name = undef, Boolean $force_join = false, ) { unless $easy_ipa::domain_join_password { @@ -14,14 +18,7 @@ fail("When creating a ${easy_ipa::ipa_role} the parameter named ipa_master_fqdn cannot be empty.") } - package { 'ipa-client': - ensure => $easy_ipa::params::ipa_client_package_ensure, - name => $easy_ipa::params::ipa_client_package_name, - } - - package { $easy_ipa::params::kstart_package_name: - ensure => present, - } + ensure_packages($package_name) if $easy_ipa::mkhomedir { $client_install_cmd_opts_mkhomedir = '--mkhomedir' @@ -76,16 +73,14 @@ ${easy_ipa::opt_no_sshd} \ --unattended" - if $easy_ipa::params::ipa_client_package_ensure == 'present' { - exec { "client_install_${fact('networking.fqdn')}": - command => $client_install_cmd, - timeout => 0, - unless => "cat /etc/ipa/default.conf | grep -i \"${easy_ipa::domain}\"", - creates => '/etc/ipa/default.conf', - logoutput => false, # prevent passphrases from appearing in puppet log - provider => 'shell', - require => Package['ipa-client'], - } + exec { "client_install_${fact('networking.fqdn')}": + command => $client_install_cmd, + timeout => 0, + unless => "cat /etc/ipa/default.conf | grep -i \"${easy_ipa::domain}\"", + creates => '/etc/ipa/default.conf', + logoutput => false, # prevent passphrases from appearing in puppet log + provider => 'shell', + require => Package[$package_name], } if fact('os.family') == 'Debian' and $easy_ipa::mkhomedir { diff --git a/manifests/params.pp b/manifests/params.pp index 92878bf1..42a3106b 100644 
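Review bot: `Array[String] $package_name = undef,` in the new class signature pairs a non-Optional type with an undef default, so on any OS family that has no data/os/*.yaml entry compilation fails with a type-mismatch message instead of a clear missing-parameter one. Dropping the default, `Array[String[1]] $package_name,`, makes the hiera binding mandatory and yields the standard "expects a value for parameter" error, and the "Default value: `undef`" line in REFERENCE.md would then disappear too. The `ensure_packages($package_name)` call is the un-namespaced form; if this module already requires stdlib 9, `stdlib::ensure_packages($package_name)` is the current spelling and would keep the manifests consistent. The class body continues outside the hunk.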
--- a/manifests/params.pp +++ b/manifests/params.pp @@ -9,13 +9,9 @@ class easy_ipa::params { case fact('os.family') { 'RedHat': { - $ipa_client_package_name = 'ipa-client' - $ipa_client_package_ensure = 'present' $named_conf_d = '/etc/named/conf.d' } 'Debian': { - $ipa_client_package_ensure = 'present' - $ipa_client_package_name = 'freeipa-client' } default: { fail('ERROR: unsupported operating system!') diff --git a/spec/classes/ipa_spec.rb b/spec/classes/ipa_spec.rb index 3a9fac87..83bab1df 100644 --- a/spec/classes/ipa_spec.rb +++ b/spec/classes/ipa_spec.rb @@ -27,6 +27,12 @@ ) end + if facts[:os]['family'] == 'RedHat' + let(:client_package) { 'ipa-client' } + else + let(:client_package) { 'freeipa-client' } + end + context 'as bad_val role' do let(:params) do { @@ -61,7 +67,7 @@ it { is_expected.to contain_package('kstart') } it { is_expected.to contain_package('ipa-server') } - it { is_expected.not_to contain_package('ipa-client') } + it { is_expected.not_to contain_package(client_package) } end context 'with idmax' do @@ -217,7 +223,7 @@ it { is_expected.to contain_package('kstart') } it { is_expected.to contain_package('ipa-server') } - it { is_expected.not_to contain_package('ipa-client') } + it { is_expected.not_to contain_package(client_package) } end context 'configure_ssh' do @@ -307,7 +313,7 @@ it { is_expected.not_to contain_class('easy_ipa::server::replica') } it { is_expected.not_to contain_class('easy_ipa::config::webui') } - it { is_expected.to contain_package('ipa-client').that_comes_before('Exec[client_install_ipa.rpsec.example.lan]') } + it { is_expected.to contain_package(client_package).that_comes_before('Exec[client_install_ipa.rpsec.example.lan]') } it { is_expected.to contain_package('kstart') } it { is_expected.not_to contain_package('ipa-server-dns') } it { is_expected.not_to contain_package('bind-dyndb-ldap') } From 0459db8a6d7323189cf56c796a63cc9bffe98033 Mon Sep 17 00:00:00 2001 
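Review bot: After the package variables are removed, the `'Debian': {` arm of `case fact('os.family')` is an empty block, which reads like an oversight even though it is what keeps Debian hosts from reaching the `default` arm's `fail(...)`. A one-line comment inside it makes the intent explicit, e.g. `# no Debian-specific values yet; arm kept so unsupported families still fall through to default/fail`. The enclosing class continues outside the hunk.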
From: Joshua Hoblitt Date: Thu, 26 Oct 2023 17:05:53 -0700 Subject: [PATCH 42/78] pass secrets to exec using env vars and enable logoutput => on_failure as ths use of env vars will prevent secrets from leaking into the console output (and also keep secrets from leaking via the process table). --- manifests/client.pp | 19 +++++---- manifests/server.pp | 17 +++++--- manifests/server/master.pp | 22 ++++++---- manifests/server/replica.pp | 18 ++++---- spec/classes/ipa_spec.rb | 82 +++++++++++++++++++++++-------------- 5 files changed, 94 insertions(+), 64 deletions(-) diff --git a/manifests/client.pp b/manifests/client.pp index 1114f58f..07078f15 100644 --- a/manifests/client.pp +++ b/manifests/client.pp @@ -62,7 +62,7 @@ --realm=${easy_ipa::final_realm} \ --domain=${easy_ipa::domain} \ --principal='${easy_ipa::domain_join_principal}' \ - --password='${easy_ipa::domain_join_password}' \ + --password=\"\${IPA_DOMAIN_JOIN_PASSWORD}\" \ ${client_install_cmd_opts_dns_updates} \ ${client_install_cmd_opts_hostname} \ ${client_install_cmd_opts_mkhomedir} \ @@ -73,14 +73,15 @@ ${easy_ipa::opt_no_sshd} \ --unattended" - exec { "client_install_${fact('networking.fqdn')}": - command => $client_install_cmd, - timeout => 0, - unless => "cat /etc/ipa/default.conf | grep -i \"${easy_ipa::domain}\"", - creates => '/etc/ipa/default.conf', - logoutput => false, # prevent passphrases from appearing in puppet log - provider => 'shell', - require => Package[$package_name], + exec { 'ipa-client-install': + environment => "IPA_DOMAIN_JOIN_PASSWORD=${easy_ipa::domain_join_password}", + command => $client_install_cmd, + timeout => 0, + unless => "cat /etc/ipa/default.conf | grep -i \"${easy_ipa::domain}\"", + creates => '/etc/ipa/default.conf', + logoutput => on_failure, + provider => shell, + require => Package[$package_name], } if fact('os.family') == 'Debian' and $easy_ipa::mkhomedir { diff --git a/manifests/server.pp b/manifests/server.pp index 4da965b4..b3892b51 100644 
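Review bot: The new `environment => "IPA_DOMAIN_JOIN_PASSWORD=${easy_ipa::domain_join_password}"` keeps the secret out of the logged command string, but because `provider => shell` expands `\"\${IPA_DOMAIN_JOIN_PASSWORD}\"` before exec, the resolved value still appears in the argv of the ipa-client-install process while it runs, so the commit message's process-table claim holds only for the `sh -c` wrapper, not for the installer itself. The benefit that does hold — `logoutput => on_failure` now logs the unexpanded `--password="${IPA_DOMAIN_JOIN_PASSWORD}"` — deserves a comment where the old `# prevent passphrases from appearing in puppet log` was dropped, e.g. `# password is passed via environment so the logged command never contains it`. The `environment` value is still part of the compiled catalog, as the old command string was; wrapping it in `Sensitive` would be the next step if the Puppet version in use supports that on exec.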
--- a/manifests/server.pp +++ b/manifests/server.pp @@ -3,12 +3,12 @@ # class easy_ipa::server { if $easy_ipa::ipa_role != 'master' { # if replica or client - unless $easy_ipa::domain_join_password { - fail("When creating a ${easy_ipa::ipa_role} the parameter named domain_join_password cannot be empty.") - } unless $easy_ipa::ipa_master_fqdn { fail("When creating a ${easy_ipa::ipa_role} the parameter named ipa_master_fqdn cannot be empty.") } + unless $easy_ipa::admin_password { + fail("When creating a ${easy_ipa::ipa_role} the parameter named admin_password cannot be empty.") + } } if fact('os.family') == 'RedHat' { @@ -114,10 +114,16 @@ contain 'easy_ipa::server::master' Class['easy_ipa::server::master'] -> Class['easy_ipa::config::webui'] + + Class['easy_ipa::server::master'] + -> Service['ipa'] } elsif $easy_ipa::ipa_role == 'replica' { contain 'easy_ipa::server::replica' Class['easy_ipa::server::replica'] -> Class['easy_ipa::config::webui'] + + Class['easy_ipa::server::replica'] + -> Service['ipa'] } ensure_resource ( @@ -129,9 +135,8 @@ contain 'easy_ipa::config::webui' service { 'ipa': - ensure => 'running', - enable => true, - require => Exec["server_install_${easy_ipa::ipa_server_fqdn}"], + ensure => running, + enable => true, } easy_ipa::helpers::flushcache { "server_${easy_ipa::ipa_server_fqdn}": } diff --git a/manifests/server/master.pp b/manifests/server/master.pp index b2afa446..bd9a8c2f 100644 --- a/manifests/server/master.pp +++ b/manifests/server/master.pp 
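Review bot: The replacement guard `unless $easy_ipa::admin_password` sits under the pre-existing comment `# if replica or client`, which is now misleading: as far as visible, a client is validated separately in easy_ipa::client against `domain_join_password`, and the value demanded here is what the replica exec in server/replica.pp consumes. Suggest `# replica: ipa-replica-install authenticates with admin_password` on that branch. The `Class[...] -> Service['ipa']` chains that replace `require => Exec[...]` on the service look equivalent for ordering, but the dependency on the install exec is now indirect, which is worth a one-line comment next to the chains.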
@@ -7,8 +7,8 @@ ${easy_ipa::server::server_install_cmd_opts_hostname} \ --realm=${easy_ipa::final_realm} \ --domain=${easy_ipa::domain} \ - --admin-password='${easy_ipa::admin_password}' \ - --ds-password='${easy_ipa::directory_services_password}' \ + --admin-password=\"\${IPA_ADMIN_PASSWORD}\" \ + --ds-password=\"\${IPA_DS_PASSWORD}\" \ ${easy_ipa::server::server_install_cmd_opts_zone_overlap} \ ${easy_ipa::server::server_install_cmd_opts_dnssec_validation} \ ${easy_ipa::server::server_install_cmd_opts_setup_dns} \ @@ -23,13 +23,17 @@ ${easy_ipa::opt_no_sshd} \ --unattended" - exec { "server_install_${easy_ipa::ipa_server_fqdn}": - command => $server_install_cmd, - timeout => 0, - unless => '/usr/sbin/ipactl status >/dev/null 2>&1', - creates => '/etc/ipa/default.conf', - logoutput => false, # prevent passphrases from appearing in puppet log - notify => Easy_ipa::Helpers::Flushcache["server_${easy_ipa::ipa_server_fqdn}"], + exec { 'ipa-server-install': + environment => [ + "IPA_ADMIN_PASSWORD=${easy_ipa::admin_password}", + "IPA_DS_PASSWORD=${easy_ipa::directory_services_password}", + ], + command => $server_install_cmd, + timeout => 0, + unless => '/usr/sbin/ipactl status >/dev/null 2>&1', + creates => '/etc/ipa/default.conf', + logoutput => on_failure, + notify => Easy_ipa::Helpers::Flushcache["server_${easy_ipa::ipa_server_fqdn}"], } -> cron { 'k5start_root': #allows scp to replicas as root command => '/usr/bin/k5start -f /etc/krb5.keytab -U -o root -k /tmp/krb5cc_0 > /dev/null 2>&1', diff --git a/manifests/server/replica.pp b/manifests/server/replica.pp index 6375de08..aff139e8 100644 --- a/manifests/server/replica.pp +++ b/manifests/server/replica.pp 
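Review bot: The rewritten command passes `--admin-password=\"\${IPA_ADMIN_PASSWORD}\"` and `--ds-password=\"\${IPA_DS_PASSWORD}\"` and so depends on shell expansion, yet this exec (and the replica one in server/replica.pp) sets no `provider`, whereas the client exec in client.pp sets `provider => shell`. Puppet documents the default posix provider as executing without a shell or interpolation; whether the `${...}` references expand there depends on the Ruby exec fallback for command strings containing metacharacters rather than on anything stated in the manifest, and if they did not expand the literal text would be sent as the passwords. Make it explicit and consistent by adding `provider => shell,` to this exec and to the one in server/replica.pp. A comment on `environment` explaining why the secrets are passed this way would also replace the removed `# prevent passphrases from appearing in puppet log`.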
@@ -5,7 +5,7 @@ $replica_install_cmd = "\ /usr/sbin/ipa-replica-install \ --principal=${easy_ipa::domain_join_principal} \ - --admin-password='${easy_ipa::domain_join_password}' \ + --admin-password=\"\${IPA_ADMIN_PASSWORD}\" \ ${easy_ipa::server::server_install_cmd_opts_hostname} \ --realm=${easy_ipa::final_realm} \ --domain=${easy_ipa::domain} \ @@ -23,14 +23,14 @@ ${easy_ipa::opt_no_sshd} \ --unattended" - # TODO: config-show and grep for IPA\ masters - exec { "server_install_${easy_ipa::ipa_server_fqdn}": - command => $replica_install_cmd, - timeout => 0, - unless => '/usr/sbin/ipactl status >/dev/null 2>&1', - creates => '/etc/ipa/default.conf', - logoutput => false, # prevent passphrases from appearing in puppet log - notify => Easy_ipa::Helpers::Flushcache["server_${easy_ipa::ipa_server_fqdn}"], + exec { 'ipa-replica-install': + environment => "IPA_ADMIN_PASSWORD=${easy_ipa::admin_password}", + command => $replica_install_cmd, + timeout => 0, + unless => '/usr/sbin/ipactl status >/dev/null 2>&1', + creates => '/etc/ipa/default.conf', + logoutput => on_failure, + notify => Easy_ipa::Helpers::Flushcache["server_${easy_ipa::ipa_server_fqdn}"], } -> cron { 'k5start_root': command => '/usr/bin/k5start -f /etc/krb5.keytab -U -o root -k /tmp/krb5cc_0 > /dev/null 2>&1', diff --git a/spec/classes/ipa_spec.rb b/spec/classes/ipa_spec.rb index 83bab1df..65253a54 100644 --- a/spec/classes/ipa_spec.rb +++ b/spec/classes/ipa_spec.rb @@ -49,8 +49,8 @@ { ipa_role: 'master', domain: 'rspec.example.lan', - admin_password: 'rspecrspec123', - directory_services_password: 'rspecrspec123', + admin_password: 'rspec-admin-password', + directory_services_password: 'rspedc-ds-password', } end 
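Review bot: `environment => "IPA_ADMIN_PASSWORD=${easy_ipa::admin_password}"` changes which secret the replica join uses, but the unchanged `--principal=${easy_ipa::domain_join_principal}` a few lines above still names the principal from domain_join_principal, so the pair is only consistent when that principal is the one whose password is admin_password. If that coupling is intended, state it in the `@param` documentation of both parameters (declared outside this hunk) and in a comment here, e.g. `# --admin-password must belong to --principal; admin_password is used because replica install needs an admin-level principal`; otherwise the previous domain_join_password binding was the matching one. The `# TODO: config-show and grep for IPA\ masters` line is also dropped without the TODO being resolved; restore it or note why `unless => '/usr/sbin/ipactl status ...'` is considered sufficient.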
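Review bot: The new fixture value `directory_services_password: 'rspedc-ds-password'` looks like a typo for `rspec-ds-password`; it is harmless because the later `IPA_DS_PASSWORD=` expectations in this file repeat the same literal, but fixing it now avoids the misspelling being copied into further tests. Suggest `directory_services_password: 'rspec-ds-password',` together with the matching `'IPA_DS_PASSWORD=rspec-ds-password',` expectations.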
@@ -77,8 +77,12 @@ end it do - is_expected.to contain_exec('server_install_ipa.rpsec.example.lan').with( - logoutput: false + is_expected.to contain_exec('ipa-server-install').with( + environment: [ + 'IPA_ADMIN_PASSWORD=rspec-admin-password', + 'IPA_DS_PASSWORD=rspedc-ds-password', + ], + logoutput: 'on_failure' ). with_command(%r{--idstart=10000}). with_command(%r{--idmax=20000}) @@ -91,10 +95,14 @@ end it do - is_expected.to contain_exec('server_install_ipa.rpsec.example.lan').with( - logoutput: false + is_expected.to contain_exec('ipa-server-install').with( + environment: [ + 'IPA_ADMIN_PASSWORD=rspec-admin-password', + 'IPA_DS_PASSWORD=rspedc-ds-password', + ], + logoutput: 'on_failure' ).with_command(%r{--idstart=10000}) - is_expected.not_to contain_exec('server_install_ipa.rpsec.example.lan').with_command(%r{--idmax}) + is_expected.not_to contain_exec('ipa-server-install').with_command(%r{--idmax}) end end @@ -104,7 +112,7 @@ super().merge(configure_ssh: true) end - it { is_expected.not_to contain_exec('server_install_ipa.rpsec.example.lan').with_command(%r{--no-ssh(?!d)}) } + it { is_expected.not_to contain_exec('ipa-server-install').with_command(%r{--no-ssh(?!d)}) } end context 'false' do @@ -113,8 +121,12 @@ end it { - is_expected.to contain_exec('server_install_ipa.rpsec.example.lan').with( - logoutput: false + is_expected.to contain_exec('ipa-server-install').with( + environment: [ + 'IPA_ADMIN_PASSWORD=rspec-admin-password', + 'IPA_DS_PASSWORD=rspedc-ds-password', + ], + logoutput: 'on_failure' ).with_command(%r{--no-ssh(?!d)}) } end @@ -126,7 +138,7 @@ super().merge(configure_sshd: true) end - it { is_expected.not_to contain_exec('server_install_ipa.rpsec.example.lan').with_command(%r{--no-sshd}) } + it { is_expected.not_to contain_exec('ipa-server-install').with_command(%r{--no-sshd}) } end context 'false' do 
@@ -135,8 +147,12 @@ end it { - is_expected.to contain_exec('server_install_ipa.rpsec.example.lan').with( - logoutput: false + is_expected.to contain_exec('ipa-server-install').with( + environment: [ + 'IPA_ADMIN_PASSWORD=rspec-admin-password', + 'IPA_DS_PASSWORD=rspedc-ds-password', + ], + logoutput: 'on_failure' ).with_command(%r{--no-sshd}) } end @@ -206,7 +222,7 @@ ipa_role: 'replica', domain: 'rspec.example.lan', ipa_master_fqdn: 'ipa-server-1.rspec.example.lan', - domain_join_password: 'rspecrspec123', + admin_password: 'rspec-admin-password', } end @@ -232,7 +248,7 @@ super().merge(configure_ssh: true) end - it { is_expected.not_to contain_exec('server_install_ipa.rpsec.example.lan').with_command(%r{--no-ssh(?!d)}) } + it { is_expected.not_to contain_exec('ipa-replica-install').with_command(%r{--no-ssh(?!d)}) } end context 'false' do @@ -241,8 +257,9 @@ end it { - is_expected.to contain_exec('server_install_ipa.rpsec.example.lan').with( - logoutput: false + is_expected.to contain_exec('ipa-replica-install').with( + environment: ['IPA_ADMIN_PASSWORD=rspec-admin-password'], + logoutput: 'on_failure' ).with_command(%r{--no-ssh(?!d)}) } end @@ -254,7 +271,7 @@ super().merge(configure_sshd: true) end - it { is_expected.not_to contain_exec('server_install_ipa.rpsec.example.lan').with_command(%r{--no-sshd}) } + it { is_expected.not_to contain_exec('ipa-replica-install').with_command(%r{--no-sshd}) } end context 'false' do @@ -263,8 +280,9 @@ end it { - is_expected.to contain_exec('server_install_ipa.rpsec.example.lan').with( - logoutput: false + is_expected.to contain_exec('ipa-replica-install').with( + environment: ['IPA_ADMIN_PASSWORD=rspec-admin-password'], + logoutput: 'on_failure' ).with_command(%r{--no-sshd}) } end 
@@ -286,12 +304,12 @@ it { is_expected.to raise_error(Puppet::Error, %r{expects a match for Stdlib::Fqdn}) } end - context 'missing domain_join_password' do + context 'missing admin_password' do let(:params) do - super().reject { |k| k == :domain_join_password } + super().reject { |k| k == :admin_password } end - it { is_expected.to raise_error(Puppet::Error, %r{domain_join_password cannot be empty}) } + it { is_expected.to raise_error(Puppet::Error, %r{admin_password cannot be empty}) } end end @@ -301,7 +319,7 @@ ipa_role: 'client', domain: 'rspec.example.lan', ipa_master_fqdn: 'ipa-server-1.rspec.example.lan', - domain_join_password: 'rspecrspec123', + domain_join_password: 'rspec-domain-join-password', } end @@ -313,7 +331,7 @@ it { is_expected.not_to contain_class('easy_ipa::server::replica') } it { is_expected.not_to contain_class('easy_ipa::config::webui') } - it { is_expected.to contain_package(client_package).that_comes_before('Exec[client_install_ipa.rpsec.example.lan]') } + it { is_expected.to contain_package(client_package).that_comes_before('Exec[ipa-client-install]') } it { is_expected.to contain_package('kstart') } it { is_expected.not_to contain_package('ipa-server-dns') } it { is_expected.not_to contain_package('bind-dyndb-ldap') } @@ -326,7 +344,7 @@ super().merge(configure_ssh: true) end - it { is_expected.not_to contain_exec('client_install_ipa.rpsec.example.lan').with_command(%r{--no-ssh(?!d)}) } + it { is_expected.not_to contain_exec('ipa-client-install').with_command(%r{--no-ssh(?!d)}) } end context 'false' do @@ -335,8 +353,9 @@ end it { - is_expected.to contain_exec('client_install_ipa.rpsec.example.lan').with( - logoutput: false + is_expected.to contain_exec('ipa-client-install').with( + environment: 'IPA_DOMAIN_JOIN_PASSWORD=rspec-domain-join-password', + logoutput: 'on_failure' ).with_command(%r{--no-ssh(?!d)}) } end 
@@ -348,7 +367,7 @@ super().merge(configure_sshd: true) end - it { is_expected.not_to contain_exec('client_install_ipa.rpsec.example.lan').with_command(%r{--no-sshd}) } + it { is_expected.not_to contain_exec('ipa-client-install').with_command(%r{--no-sshd}) } end context 'false' do @@ -357,8 +376,9 @@ end it { - is_expected.to contain_exec('client_install_ipa.rpsec.example.lan').with( - logoutput: false + is_expected.to contain_exec('ipa-client-install').with( + environment: 'IPA_DOMAIN_JOIN_PASSWORD=rspec-domain-join-password', + logoutput: 'on_failure' ).with_command(%r{--no-sshd}) } end From 1bc7dc637f4efd38c19ebd72d16717930b0dcfd1 Mon Sep 17 00:00:00 2001 From: Joshua Hoblitt Date: Thu, 26 Oct 2023 17:23:57 -0700 Subject: [PATCH 43/78] rm spec for testing on windows -- unsupported os --- spec/classes/ipa_spec.rb | 14 -------------- 1 file changed, 14 deletions(-) diff --git a/spec/classes/ipa_spec.rb b/spec/classes/ipa_spec.rb index 65253a54..a8fb87fb 100644 --- a/spec/classes/ipa_spec.rb +++ b/spec/classes/ipa_spec.rb @@ -3,20 +3,6 @@ require 'spec_helper' describe 'easy_ipa', type: :class do - context 'on Windows' do - let(:facts) do - { os: { family: 'Windows' } } - end - let(:params) do - { - ipa_role: 'master', - domain: 'rspec.example.lan', - } - end - - it { is_expected.to raise_error(Puppet::Error, %r{ERROR: unsupported operating system}) } - end - on_supported_os.each do |os, facts| context "on #{os}" do let(:facts) do From 77fb34e69691733e40f29a077d235ea280cce9c7 Mon Sep 17 00:00:00 2001 
From: Joshua Hoblitt Date: Fri, 27 Oct 2023 09:17:22 -0700 Subject: [PATCH 44/78] rm named|bind|dns support This should be managed with a forge module. E.g. theforeman/dns --- REFERENCE.md | 43 ------------------------------------- manifests/config/named.pp | 45 --------------------------------------- manifests/named.pp | 27 ----------------------- manifests/params.pp | 11 ---------- 4 files changed, 126 deletions(-) delete mode 100644 manifests/config/named.pp delete mode 100644 manifests/named.pp diff --git a/REFERENCE.md b/REFERENCE.md index feea5574..4cceab47 100644 --- a/REFERENCE.md +++ b/REFERENCE.md @@ -11,7 +11,6 @@ * [`easy_ipa`](#easy_ipa): Manages IPA masters, replicas and clients. * [`easy_ipa::client`](#easy_ipa--client): Manage ipa client * [`easy_ipa::config::webui`](#easy_ipa--config--webui): Configures port and redirect overrides for the IPA server web UI. -* [`easy_ipa::named`](#easy_ipa--named): Prepare the integrated named-pkcs11 service for local configuration * [`easy_ipa::packetfilter::server`](#easy_ipa--packetfilter--server): Install packet filtering rules for FreeIPA. * [`easy_ipa::params`](#easy_ipa--params): Prevent havoc on unsupported operating systems. * [`easy_ipa::server`](#easy_ipa--server): Manage IPA server install @@ -26,7 +25,6 @@ ### Defined types * [`easy_ipa::backup`](#easy_ipa--backup): Define easy_ipa::backup -* [`easy_ipa::config::named`](#easy_ipa--config--named): Add custom named.conf fragment. * [`easy_ipa::helpers::flushcache`](#easy_ipa--helpers--flushcache): Manage cache flushing ### Plans @@ -369,12 +367,6 @@ Default value: `false` Configures port and redirect overrides for the IPA server web UI. -### `easy_ipa::named` - -fragments. - -This is only supposed to work on RHEL/CentOS. - ### `easy_ipa::packetfilter::server` Install packet filtering rules for FreeIPA. 
@@ -497,41 +489,6 @@ Email to send cron notifications to. Defaults to $::servermonitor. Default value: `fact('servermonitor')` -### `easy_ipa::config::named` - -Add custom named.conf fragment. - -#### Parameters - -The following parameters are available in the `easy_ipa::config::named` defined type: - -* [`basename`](#-easy_ipa--config--named--basename) -* [`content`](#-easy_ipa--config--named--content) -* [`notify_named`](#-easy_ipa--config--named--notify_named) - -##### `basename` - -Data type: `String` - -(string) Basename of the configuration fragment, without the ".conf" at the end. Defaults to $title. - -Default value: `$title` - -##### `content` - -Data type: `String` - -(string) The value to pass to the File resource's "content" parameter. For example -template('profile/templates/tsig-key.erb'). - -##### `notify_named` - -Data type: `Boolean` - -(boolean) Whether to restart named-pkcs11 on config changes. Defaults to false. - -Default value: `false` - ### `easy_ipa::helpers::flushcache` Manage cache flushing diff --git a/manifests/config/named.pp b/manifests/config/named.pp deleted file mode 100644 index f38f1b24..00000000 --- a/manifests/config/named.pp +++ /dev/null 
@@ -1,45 +0,0 @@ -# -# @summary Add custom named.conf fragment. -# -# @param basename -# (string) Basename of the configuration fragment, without the ".conf" at the end. Defaults to $title. -# @param content -# (string) The value to pass to the File resource's "content" parameter. For example -# template('profile/templates/tsig-key.erb'). -# @param notify_named -# (boolean) Whether to restart named-pkcs11 on config changes. Defaults to false. -# -define easy_ipa::config::named ( - String $content, - String $basename = $title, - Boolean $notify_named = false -) { - include easy_ipa::params - include easy_ipa::named - - $named_conf_d = $easy_ipa::params::named_conf_d - - $notify = $notify_named ? { - true => Service['named-pkcs11'], - false => undef, - default => undef, - } - - file { "${named_conf_d}/${basename}.conf": - ensure => 'file', - content => $content, - owner => 'root', - group => 'named', - mode => '0640', - require => File[$named_conf_d], - notify => $notify, - } - - file_line { "named-include-${basename}.conf": - ensure => 'present', - path => '/etc/named.conf', - line => "include \"${named_conf_d}/${basename}.conf\";", - after => '^/* End of IPA-managed part. */$', - notify => $notify, - } -} diff --git a/manifests/named.pp b/manifests/named.pp deleted file mode 100644 index 49be5f55..00000000 --- a/manifests/named.pp +++ /dev/null @@ -1,27 +0,0 @@ -# -# @summary Prepare the integrated named-pkcs11 service for local configuration -# fragments. -# -# This is only supposed to work on RHEL/CentOS. -# -class easy_ipa::named { - include easy_ipa::params - - unless fact('os.family') == 'RedHat' { - fail('ERROR: class ::easy_ipa::named supports only RedHat/CentOS') - } - - $named_conf_d = $easy_ipa::params::named_conf_d - - service { 'named-pkcs11': - require => Class['easy_ipa'], - } - - file { $named_conf_d: - ensure => 'directory', - owner => 'root', - group => 'named', - mode => '0750', - require => Class['easy_ipa'], - } -} 
diff --git a/manifests/params.pp b/manifests/params.pp index 42a3106b..f6ec9396 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -7,17 +7,6 @@ # by failing early rather than later. # class easy_ipa::params { - case fact('os.family') { - 'RedHat': { - $named_conf_d = '/etc/named/conf.d' - } - 'Debian': { - } - default: { - fail('ERROR: unsupported operating system!') - } - } - # These package names are the same on RedHat and Debian derivatives $ipa_server_package_name = 'ipa-server' $kstart_package_name = 'kstart' From 92ab3ddc8f81547fa710010a1f596bbbdb85f5be Mon Sep 17 00:00:00 2001 From: Joshua Hoblitt Date: Mon, 30 Oct 2023 10:28:18 -0700 Subject: [PATCH 45/78] rm pdk metadata --- metadata.json | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/metadata.json b/metadata.json index 83e418fd..97ba4e4b 100644 --- a/metadata.json +++ b/metadata.json @@ -80,8 +80,5 @@ "easy ipa", "freeipa", "free ipa" - ], - "pdk-version": "3.0.0", - "template-url": "pdk-default#3.0.0", - "template-ref": "tags/3.0.0-0-g056e50d" + ] } From 43e86ce229c9266ba47803dd3b7ca81255168b6e Mon Sep 17 00:00:00 2001 From: Joshua Hoblitt Date: Mon, 30 Oct 2023 10:29:09 -0700 Subject: [PATCH 46/78] rm Vagrantfile --- Vagrantfile | 217 -------------------------------------- vagrant/centos.sh | 9 -- vagrant/common.sh | 14 --- vagrant/debian.sh | 14 --- vagrant/install-puppet.sh | 137 ------------------------ vagrant/ipa-client.sh | 23 ---- vagrant/ipa-server-1.sh | 19 ---- vagrant/ipa-server-2.sh | 25 ----- 8 files changed, 458 deletions(-) delete mode 100644 Vagrantfile delete mode 100644 vagrant/centos.sh delete mode 100644 vagrant/common.sh delete mode 100644 vagrant/debian.sh delete mode 100644 vagrant/install-puppet.sh delete mode 100644 vagrant/ipa-client.sh delete mode 100644 vagrant/ipa-server-1.sh delete mode 100644 vagrant/ipa-server-2.sh diff --git a/Vagrantfile b/Vagrantfile deleted file mode 100644 index decea26e..00000000 --- a/Vagrantfile +++ /dev/null 
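Review bot: With the `case fact('os.family')` block removed, easy_ipa::params no longer fails on an unsupported OS family, yet the unchanged header comment `# by failing early rather than later.` (and the "Prevent havoc on unsupported operating systems" summary) still promises that; on such a system the only remaining signal is whatever error the hiera-sourced client package_name produces. Either restore an explicit guard, e.g. `unless fact('os.family') in ['RedHat', 'Debian'] { fail('ERROR: unsupported operating system!') }`, or rewrite the class documentation to describe what the class now does (shared package names). The class header starts outside this hunk.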
@@ -1,217 +0,0 @@ -# -*- mode: ruby -*- -# rsync patterns -vagrant_ignore = [ - 'bin*', - 'pkg*', - 'spec/fixtures*', -] - -Vagrant.configure("2") do |config| - config.vagrant.plugins = ["vagrant-vbguest"] - config.vm.network "private_network", type: "dhcp", name: "vboxnet0" - config.vbguest.auto_update = false - - config.vm.define "ipa-server-1" do |box| - box.vm.box = "centos/7" - box.vm.box_version = "2004.01" - # Exclude certain directories to avoid issues - box.vm.synced_folder '.', '/vagrant', type: "rsync", rsync__auto: true, rsync__exclude: vagrant_ignore - box.vm.hostname = 'ipa-server-1.vagrant.example.lan' - # Assign this VM to a host-only network IP, allowing you to access it - # via the IP. - box.vm.provider 'virtualbox' do |vb| - vb.customize ["modifyvm", :id, "--natnet1", "172.31.9/24"] - vb.gui = false - vb.memory = 1536 - vb.customize ["modifyvm", :id, "--ioapic", "on"] - vb.customize ["modifyvm", :id, "--hpet", "on"] - end - # Fix Virtualbox Guest Additions installation issue - # https://github.com/hashicorp/vagrant/issues/12095 - box.vbguest.installer_options = { allow_kernel_upgrade: true } - box.vm.network "private_network", ip: "192.168.56.35" - box.vm.network "forwarded_port", guest: 8000, host: 8000 - box.vm.network "forwarded_port", guest: 8440, host: 8440 - box.vm.provision "shell", path: "vagrant/install-puppet.sh" - # common.sh synchronizes latest code, so do not disable it while testing - box.vm.provision "shell", path: "vagrant/common.sh" - box.vm.provision "shell", path: "vagrant/centos.sh" - box.vm.provision "shell", path: "vagrant/ipa-server-1.sh" - end - - config.vm.define "ipa-server-2" do |box| - box.vm.box = "centos/7" - box.vm.box_version = "2004.01" - box.vm.synced_folder '.', '/vagrant', type: "rsync", rsync__auto: true, rsync__exclude: vagrant_ignore - box.vm.hostname = 'ipa-server-2.vagrant.example.lan' - box.vm.provider 'virtualbox' do |vb| - vb.customize ["modifyvm", :id, "--natnet1", "172.31.9/24"] - vb.gui = false - 
vb.memory = 1536 - vb.customize ["modifyvm", :id, "--ioapic", "on"] - vb.customize ["modifyvm", :id, "--hpet", "on"] - end - box.vbguest.installer_options = { allow_kernel_upgrade: true } - box.vm.network "private_network", ip: "192.168.56.36" - box.vm.provision "shell", path: "vagrant/install-puppet.sh" - box.vm.provision "shell", path: "vagrant/common.sh" - box.vm.provision "shell", path: "vagrant/centos.sh" - box.vm.provision "shell", path: "vagrant/ipa-server-2.sh" - end - - config.vm.define "ipa-client-1" do |box| - box.vm.box = "centos/7" - box.vm.box_version = "2004.01" - box.vm.synced_folder '.', '/vagrant', type: "rsync", rsync__auto: true, rsync__exclude: vagrant_ignore - box.vm.hostname = 'ipa-client-1.vagrant.example.lan' - box.vm.provider 'virtualbox' do |vb| - vb.customize ["modifyvm", :id, "--natnet1", "172.31.9/24"] - vb.gui = false - vb.memory = 1024 - vb.customize ["modifyvm", :id, "--ioapic", "on"] - vb.customize ["modifyvm", :id, "--hpet", "on"] - end - box.vbguest.installer_options = { allow_kernel_upgrade: true } - box.vm.network "private_network", ip: "192.168.56.37" - box.vm.provision "shell", path: "vagrant/install-puppet.sh" - box.vm.provision "shell", path: "vagrant/common.sh" - box.vm.provision "shell", path: "vagrant/centos.sh" - box.vm.provision "shell", path: "vagrant/ipa-client.sh" - end - - config.vm.define "ipa-client-2" do |box| - box.vm.box = "ubuntu/xenial64" - box.vm.box_version = "20211001.0.0" - box.vm.synced_folder '.', '/vagrant', type: "rsync", rsync__auto: true, rsync__exclude: vagrant_ignore - box.vm.hostname = 'ipa-client-2.vagrant.example.lan' - box.vm.provider 'virtualbox' do |vb| - vb.customize ["modifyvm", :id, "--natnet1", "172.31.9/24"] - vb.gui = false - vb.memory = 1024 - vb.customize ["modifyvm", :id, "--ioapic", "on"] - vb.customize ["modifyvm", :id, "--hpet", "on"] - end - box.vm.network "private_network", ip: "192.168.56.38" - box.vm.provision "shell", path: "vagrant/install-puppet.sh" - box.vm.provision 
"shell", path: "vagrant/common.sh" - box.vm.provision "shell", path: "vagrant/debian.sh" - box.vm.provision "shell", path: "vagrant/ipa-client.sh" - end - - config.vm.define "ipa-client-3" do |box| - box.vm.box = "ubuntu/trusty64" - box.vm.box_version = "20190514.0.0" - box.vm.synced_folder '.', '/vagrant', type: "rsync", rsync__auto: true, rsync__exclude: vagrant_ignore - box.vm.hostname = 'ipa-client-3.vagrant.example.lan' - box.vm.provider 'virtualbox' do |vb| - vb.customize ["modifyvm", :id, "--natnet1", "172.31.9/24"] - vb.gui = false - vb.memory = 1024 - vb.customize ["modifyvm", :id, "--ioapic", "on"] - vb.customize ["modifyvm", :id, "--hpet", "on"] - end - box.vm.network "private_network", ip: "192.168.56.39" - box.vm.provision "shell", path: "vagrant/install-puppet.sh" - box.vm.provision "shell", path: "vagrant/common.sh" - box.vm.provision "shell", path: "vagrant/debian.sh" - box.vm.provision "shell", path: "vagrant/ipa-client.sh" - end - - config.vm.define "ipa-client-4" do |box| - box.vm.box = "generic/debian9" - box.vm.box_version = "4.0.0" - box.vm.synced_folder '.', '/vagrant', type: "rsync", rsync__auto: true, rsync__exclude: vagrant_ignore - box.vm.hostname = 'ipa-client-4.vagrant.example.lan' - box.vbguest.installer_options = { allow_kernel_upgrade: true } - box.vm.provider 'virtualbox' do |vb| - vb.customize ["modifyvm", :id, "--natnet1", "172.31.9/24"] - vb.gui = false - vb.memory = 1024 - vb.customize ["modifyvm", :id, "--ioapic", "on"] - vb.customize ["modifyvm", :id, "--hpet", "on"] - end - box.vm.network "private_network", ip: "192.168.56.40" - box.vm.provision "shell", path: "vagrant/install-puppet.sh" - box.vm.provision "shell", path: "vagrant/common.sh" - box.vm.provision "shell", path: "vagrant/debian.sh" - box.vm.provision "shell", path: "vagrant/ipa-client.sh" - end - - config.vm.define "ipa-client-5" do |box| - box.vm.box = "ubuntu/bionic64" - box.vm.box_version = "20220424.0.0" - box.vm.synced_folder '.', '/vagrant', type: "rsync", 
rsync__auto: true, rsync__exclude: vagrant_ignore - box.vm.hostname = 'ipa-client-5.vagrant.example.lan' - box.vm.provider 'virtualbox' do |vb| - vb.customize ["modifyvm", :id, "--natnet1", "172.31.9/24"] - vb.gui = false - vb.memory = 1024 - vb.customize ["modifyvm", :id, "--ioapic", "on"] - vb.customize ["modifyvm", :id, "--hpet", "on"] - end - box.vm.network "private_network", ip: "192.168.56.41" - box.vm.provision "shell", path: "vagrant/install-puppet.sh" - box.vm.provision "shell", path: "vagrant/common.sh" - box.vm.provision "shell", path: "vagrant/debian.sh" - box.vm.provision "shell", path: "vagrant/ipa-client.sh" - end - - config.vm.define "ipa-client-6" do |box| - box.vm.box = "generic/debian10" - box.vm.box_version = "4.0.0" - box.vm.synced_folder '.', '/vagrant', type: "rsync", rsync__auto: true, rsync__exclude: vagrant_ignore - box.vm.hostname = 'ipa-client-6.vagrant.example.lan' - box.vbguest.installer_options = { allow_kernel_upgrade: true } - box.vm.provider 'virtualbox' do |vb| - vb.customize ["modifyvm", :id, "--natnet1", "172.31.10/24"] - vb.gui = false - vb.memory = 1024 - vb.customize ["modifyvm", :id, "--ioapic", "on"] - vb.customize ["modifyvm", :id, "--hpet", "on"] - end - box.vm.network "private_network", ip: "192.168.56.42" - box.vm.provision "shell", path: "vagrant/install-puppet.sh" - box.vm.provision "shell", path: "vagrant/common.sh" - box.vm.provision "shell", path: "vagrant/debian.sh" - #box.vm.provision "shell", path: "vagrant/ipa-client.sh" - end - - config.vm.define "ipa-client-7" do |box| - box.vm.box = "generic/debian11" - box.vm.box_version = "4.0.0" - box.vm.synced_folder '.', '/vagrant', type: "rsync", rsync__auto: true, rsync__exclude: vagrant_ignore - box.vm.hostname = 'ipa-client-7.vagrant.example.lan' - box.vbguest.installer_options = { allow_kernel_upgrade: true } - box.vm.provider 'virtualbox' do |vb| - vb.customize ["modifyvm", :id, "--natnet1", "172.31.10/24"] - vb.gui = false - vb.memory = 1024 - vb.customize 
["modifyvm", :id, "--ioapic", "on"] - vb.customize ["modifyvm", :id, "--hpet", "on"] - end - box.vm.network "private_network", ip: "192.168.56.43" - box.vm.provision "shell", path: "vagrant/install-puppet.sh" - box.vm.provision "shell", path: "vagrant/common.sh" - box.vm.provision "shell", path: "vagrant/debian.sh" - box.vm.provision "shell", path: "vagrant/ipa-client.sh" - end - - config.vm.define "ipa-client-8" do |box| - box.vm.box = "ubuntu/jammy64" - box.vm.box_version = "20220419.0.0" - box.vm.synced_folder '.', '/vagrant', type: "rsync", rsync__auto: true, rsync__exclude: vagrant_ignore - box.vm.hostname = 'ipa-client-8.vagrant.example.lan' - box.vm.provider 'virtualbox' do |vb| - vb.customize ["modifyvm", :id, "--natnet1", "172.31.9/24"] - vb.gui = false - vb.memory = 1024 - vb.customize ["modifyvm", :id, "--ioapic", "on"] - vb.customize ["modifyvm", :id, "--hpet", "on"] - end - box.vm.network "private_network", ip: "192.168.56.44" - box.vm.provision "shell", path: "vagrant/install-puppet.sh" - box.vm.provision "shell", path: "vagrant/common.sh" - box.vm.provision "shell", path: "vagrant/debian.sh" - box.vm.provision "shell", path: "vagrant/ipa-client.sh" - end -end diff --git a/vagrant/centos.sh b/vagrant/centos.sh deleted file mode 100644 index cae51f3b..00000000 --- a/vagrant/centos.sh +++ /dev/null @@ -1,9 +0,0 @@ -#!/bin/sh -echo Final provisioning... -export FACTER_is_vagrant='true' - -yum -y upgrade - -# Recent CentOS images have NetworkManager enabled. As it breaks IPA server's -# /etc/resolv.conf we don't want to use it. -puppet apply -e "service { 'NetworkManager': ensure => 'stopped', enable => false, }" diff --git a/vagrant/common.sh b/vagrant/common.sh deleted file mode 100644 index a4cb1541..00000000 --- a/vagrant/common.sh +++ /dev/null 
@@ -1,14 +0,0 @@ -#!/bin/sh -export PATH=$PATH:/opt/puppetlabs/bin -puppet module install puppetlabs-stdlib -puppet module install puppetlabs-concat -puppet module install crayfishx-firewalld -puppet module install puppet-selinux -puppet module install puppet-systemd -puppet module install saz-resolv_conf --version 5.0.0 --ignore-dependencies -puppet module install puppetlabs-apt --ignore-dependencies -puppet module install puppetlabs-firewall -puppet module install puppetlabs-k5login_core -if [ -d /tmp/modules/easy_ipa ]; then rm -rf /tmp/modules/easy_ipa; fi -mkdir -p /tmp/modules/easy_ipa -cp -r /vagrant/* /tmp/modules/easy_ipa diff --git a/vagrant/debian.sh b/vagrant/debian.sh deleted file mode 100644 index df196468..00000000 --- a/vagrant/debian.sh +++ /dev/null @@ -1,14 +0,0 @@ -#!/bin/sh -echo I am provisioning... -export FACTER_is_vagrant='true' - -DEBIAN_FRONTEND=noninteractive -apt-get dist-upgrade -y - -# For Debian systems, the freeipa-client package is only available in the backports repository. -# It needs to be enabled manually. -DESCR="$(lsb_release -d | awk '{ print $2}')" -if [ `echo $DESCR|grep Debian` ]; then - puppet apply --modulepath '/tmp/modules:/etc/puppetlabs/code/environments/production/modules' -e \ - "class { 'apt::backports': }" -fi \ No newline at end of file diff --git a/vagrant/install-puppet.sh b/vagrant/install-puppet.sh deleted file mode 100644 index f33710eb..00000000 --- a/vagrant/install-puppet.sh +++ /dev/null 
@@ -1,137 +0,0 @@ -#!/bin/sh -# This is a heavily stripped down version of puppet-puppetmaster/vagrant/prepare.sh -# -# Gist based on commit 9a429d77f11aa6d of terraform-aws_instance_wrapper - -# Exit on any error -set -e - -# Default settings -HOST_NAME="false" -PUPPET_ENV="production" -START_AGENT="false" - -export PATH=$PATH:/bin:/sbin:/usr/bin:/usr/sbin:/opt/puppetlabs/bin:/opt/puppetlabs/puppet/bin - -CWD=`pwd` - -set_hostname() { - hostnamectl set-hostname $1 -} - -detect_osfamily() { - if [ -f /etc/redhat-release ]; then - OSFAMILY='redhat' - RELEASE=$(cat /etc/redhat-release) - if [ "`echo $RELEASE | grep -E 7\.[0-9]+`" ]; then - REDHAT_VERSION="7" - REDHAT_RELEASE="el-7" - elif [ "`echo $RELEASE | grep -E 8\.[0-9]+`" ]; then - REDHAT_VERSION="8" - REDHAT_RELEASE="el-8" - else - echo "Unsupported Redhat/Centos/Fedora version." - exit 1 - fi - elif [ "`lsb_release -d | grep -E '(Ubuntu|Debian)'`" ]; then - OSFAMILY='debian' - DESCR="$(lsb_release -d | awk '{ print $2}')" - if [ `echo $DESCR|grep Ubuntu` ]; then - UBUNTU_VERSION="$(lsb_release -c | awk '{ print $2}')" - # TODO: Remove when Puppet makes a jammy release - if [ "$UBUNTU_VERSION" = "jammy" ]; then - UBUNTU_VERSION="focal" - fi - elif [ `echo $DESCR|grep Debian` ]; then - DEBIAN_VERSION="$(lsb_release -c | awk '{ print $2}')" - else - echo "Unsupported Debian family operating system. Supported are Debian and Ubuntu" - exit 1 - fi - else - echo "ERROR: unsupported osfamily. 
Supported are Debian and RedHat" - exit 1 - fi -} - -install_dependencies() { - if [ "${REDHAT_VERSION}" = "30" ]; then - dnf -y install libxcrypt-compat - fi -} - -setup_puppet() { - if [ -x /opt/puppetlabs/bin/puppet ]; then - true - else - if [ $REDHAT_RELEASE ]; then - RELEASE_URL="https://yum.puppetlabs.com/puppet6/puppet6-release-${REDHAT_RELEASE}.noarch.rpm" - rpm -hiv "${RELEASE_URL}" || (c=$?; echo "Failed to install ${RELEASE_URL}"; (exit $c)) - yum -y install puppet-agent || (c=$?; echo "Failed to install puppet agent"; (exit $c)) - if systemctl list-unit-files --type=service | grep firewalld; then - systemctl stop firewalld - systemctl disable firewalld - systemctl mask firewalld - fi - else - if [ $UBUNTU_VERSION ]; then - APT_URL="https://apt.puppetlabs.com/puppet6-release-${UBUNTU_VERSION}.deb" - fi - if [ $DEBIAN_VERSION ]; then - APT_URL="https://apt.puppetlabs.com/puppet6-release-${DEBIAN_VERSION}.deb" - fi - # https://serverfault.com/questions/500764/dpkg-reconfigure-unable-to-re-open-stdin-no-file-or-directory - export DEBIAN_FRONTEND=noninteractive - FILE="$(mktemp -d)/puppet-release.db" - wget "${APT_URL}" -qO $FILE || (c=$?; echo "Failed to retrieve ${APT_URL}"; (exit $c)) - # The apt-daily and apt-daily-upgrade services have a nasty habit of - # launching immediately on boot. This prevents the installer from updating - # the package caches itself, which causes some packages to be missing and - # subsequently causing puppetmaster-installer to fail. So, wait for those - # two services to run before attempting to run the installer. There are - # ways to use systemd-run to accomplish this rather nicely: - # - # https://unix.stackexchange.com/questions/315502/how-to-disable-apt-daily-service-on-ubuntu-cloud-vm-image - # - # However, that approach fails on Ubuntu 16.04 (and earlier) as well as - # Debian 9, so it is not practical. This approach uses a simple polling - # method and built-in tools. 
- APT_READY=no - while [ "$APT_READY" = "no" ]; do - # This checks three things to prevent package installation failures, in this order: - # - # 1) Is "apt-get update" running? - # 2) Is "apt-get install" running? - # 3) Is "dpkg" running? - # - # The "apt-get install" commands locks dpkg as well, but the last check ensures that dpkg running outside of apt does not cause havoc. - # - fuser -s /var/lib/apt/lists/lock || fuser -s /var/cache/apt/archives/lock || fuser -s /var/lib/dpkg/lock || APT_READY=yes - sleep 1 - done - - dpkg --install $FILE; rm $FILE; apt-get update || (c=$?; echo "Failed to install from ${FILE}"; (exit $c)) - apt-get -y install puppet-agent || (c=$?; echo "Failed to install puppet agent"; (exit $c)) - fi - fi -} - -set_puppet_agent_environment() { - puppet config set --section agent environment $1 -} - -run_puppet_agent() { - systemctl enable puppet - systemctl start puppet -} - -if [ "${HOST_NAME}" != "false" ]; then - set_hostname $HOST_NAME -fi -detect_osfamily -install_dependencies -setup_puppet -set_puppet_agent_environment $PUPPET_ENV -if [ "${START_AGENT}" = "true" ]; then - run_puppet_agent -fi diff --git a/vagrant/ipa-client.sh b/vagrant/ipa-client.sh deleted file mode 100644 index 191c733c..00000000 --- a/vagrant/ipa-client.sh +++ /dev/null 
@@ -1,23 +0,0 @@ -#!/bin/sh -puppet apply --modulepath '/tmp/modules:/etc/puppetlabs/code/environments/production/modules' -e "\ - case \$facts['os']['distro']['codename'] {\ - /(stretch|trusty|xenial)/: {\ - class { 'resolv_conf':\ - nameservers => ['192.168.56.35'],\ - }\ - }\ - /(bionic|buster|focal|bullseye|jammy)/: {\ - class { 'systemd':\ - manage_resolved => true,\ - dns => ['192.168.56.35'],\ - }\ - }\ - }" -puppet apply --modulepath '/tmp/modules:/etc/puppetlabs/code/environments/production/modules' -e "\ - class {'::easy_ipa':\ - ipa_role => 'client',\ - domain => 'vagrant.example.lan',\ - domain_join_password => 'vagrant123',\ - install_epel => true,\ - ipa_master_fqdn => 'ipa-server-1.vagrant.example.lan',\ - }" diff --git a/vagrant/ipa-server-1.sh b/vagrant/ipa-server-1.sh deleted file mode 100644 index c8ef082e..00000000 --- a/vagrant/ipa-server-1.sh +++ /dev/null @@ -1,19 +0,0 @@ -#!/bin/sh -puppet apply --modulepath '/tmp/modules:/etc/puppetlabs/code/environments/production/modules' -e "\ - class {'::easy_ipa':\ - ipa_role => 'master',\ - domain => 'vagrant.example.lan',\ - ipa_server_fqdn => 'ipa-server-1.vagrant.example.lan',\ - admin_password => 'vagrant123',\ - directory_services_password => 'vagrant123',\ - install_ipa_server => true,\ - ip_address => '192.168.56.35',\ - enable_ip_address => true,\ - enable_hostname => true,\ - manage_host_entry => true,\ - install_epel => true,\ - webui_disable_kerberos => true,\ - webui_enable_proxy => true,\ - webui_force_https => true,\ - idstart => 14341,\ - }" diff --git a/vagrant/ipa-server-2.sh b/vagrant/ipa-server-2.sh deleted file mode 100644 index 8b6d5313..00000000 --- a/vagrant/ipa-server-2.sh +++ /dev/null 
@@ -1,25 +0,0 @@ -#/bin/sh -puppet apply --modulepath '/tmp/modules:/etc/puppetlabs/code/environments/production/modules' -e "\ - class { 'resolv_conf':\ - nameservers => ['192.168.56.35'],\ - }" -puppet apply --modulepath '/tmp/modules:/etc/puppetlabs/code/environments/production/modules' -e "\ - host {'ipa-server-1.vagrant.example.lan':\ - ensure => present,\ - ip => '192.168.56.35',\ - }" -puppet apply --modulepath '/tmp/modules:/etc/puppetlabs/code/environments/production/modules' -e "\ - class {'::easy_ipa':\ - ipa_role => 'replica',\ - domain => 'vagrant.example.lan',\ - ipa_server_fqdn => 'ipa-server-2.vagrant.example.lan',\ - domain_join_password => 'vagrant123',\ - install_ipa_server => true,\ - ip_address => '192.168.56.36',\ - enable_ip_address => true,\ - enable_hostname => true,\ - manage_host_entry => true,\ - install_epel => true,\ - ipa_master_fqdn => 'ipa-server-1.vagrant.example.lan',\ - idstart => 14341,\ - }" From 7ca878a533a9033d883e42d0a7a0d405e6e0d922 Mon Sep 17 00:00:00 2001 From: Joshua Hoblitt Date: Mon, 30 Oct 2023 10:48:26 -0700 Subject: [PATCH 47/78] mv ipa server package name(s) to hiera data --- REFERENCE.md | 22 ++++++++++++++-------- data/common.yaml | 5 ++++- manifests/init.pp | 3 --- manifests/params.pp | 13 ------------- manifests/server.pp | 17 ++++++++--------- manifests/server/master.pp | 1 - manifests/server/replica.pp | 1 - 7 files changed, 26 insertions(+), 36 deletions(-) delete mode 100644 manifests/params.pp diff --git a/REFERENCE.md b/REFERENCE.md index 4cceab47..5cb893f9 100644 --- a/REFERENCE.md +++ b/REFERENCE.md 
@@ -12,7 +12,6 @@ * [`easy_ipa::client`](#easy_ipa--client): Manage ipa client * [`easy_ipa::config::webui`](#easy_ipa--config--webui): Configures port and redirect overrides for the IPA server web UI. * [`easy_ipa::packetfilter::server`](#easy_ipa--packetfilter--server): Install packet filtering rules for FreeIPA. -* [`easy_ipa::params`](#easy_ipa--params): Prevent havoc on unsupported operating systems. * [`easy_ipa::server`](#easy_ipa--server): Manage IPA server install * [`easy_ipa::server::master`](#easy_ipa--server--master): Manage primary server * [`easy_ipa::server::replica`](#easy_ipa--server--replica): Manage replica install @@ -394,17 +393,24 @@ IPv6 address to allow access from. Default value: `'::1'` -### `easy_ipa::params` - -Traditionally this file would be used to abstract away operating system -differences. Right now the main purpose is to prevent easy_ipa classes from -causing havoc (e.g. partial configurations) on unsupported operating systems -by failing early rather than later. - ### `easy_ipa::server` Manage IPA server install +#### Parameters + +The following parameters are available in the `easy_ipa::server` class: + +* [`package_name`](#-easy_ipa--server--package_name) + +##### `package_name` + +Data type: `Array[String]` + +The name of the package(s) to install. + +Default value: `undef` + ### `easy_ipa::server::master` Manage primary server diff --git a/data/common.yaml b/data/common.yaml index 2fbf0ffd..c5bc1aa1 100644 --- a/data/common.yaml +++ b/data/common.yaml @@ -1 +1,4 @@ ---- {} +--- +easy_ipa::server::package_name: + - ipa-server + - kstart diff --git a/manifests/init.pp b/manifests/init.pp index 7c1bbd64..6140a4a3 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
@@ -145,9 +145,6 @@ String $webui_proxy_https_port = '8440', Boolean $adjust_login_defs = false, ) { - # Include per-OS parameters and fail on unsupported OS - include easy_ipa::params - if $easy_ipa::idmax and $easy_ipa::idmax < $easy_ipa::idstart { fail('Parameter "idmax" must be an integer greater than parameter "idstart".') } diff --git a/manifests/params.pp b/manifests/params.pp deleted file mode 100644 index f6ec9396..00000000 --- a/manifests/params.pp +++ /dev/null @@ -1,13 +0,0 @@ -# -# @summary Prevent havoc on unsupported operating systems. -# -# Traditionally this file would be used to abstract away operating system -# differences. Right now the main purpose is to prevent easy_ipa classes from -# causing havoc (e.g. partial configurations) on unsupported operating systems -# by failing early rather than later. -# -class easy_ipa::params { - # These package names are the same on RedHat and Debian derivatives - $ipa_server_package_name = 'ipa-server' - $kstart_package_name = 'kstart' -} diff --git a/manifests/server.pp b/manifests/server.pp index b3892b51..6e4f1f09 100644 --- a/manifests/server.pp +++ b/manifests/server.pp @@ -1,7 +1,12 @@ # # @summary Manage IPA server install # -class easy_ipa::server { +# @param package_name +# The name of the package(s) to install. +# +class easy_ipa::server ( + Array[String] $package_name = undef, +) { if $easy_ipa::ipa_role != 'master' { # if replica or client unless $easy_ipa::ipa_master_fqdn { fail("When creating a ${easy_ipa::ipa_role} the parameter named ipa_master_fqdn cannot be empty.") @@ -15,6 +20,8 @@ require easy_ipa::server::redhat } + ensure_packages($package_name) + $dns_packages = [ 'ipa-server-dns', 'bind-dyndb-ldap', 
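Review bot: `Array[String] $package_name = undef,` in the `manifests/server.pp` hunk pairs a non-optional data type with an `undef` default; as far as I recall Puppet still type-checks an `undef` default when no value is bound, so if the Hiera binding added in `data/common.yaml` is missing or overridden with nothing, the failure is a type mismatch rather than a clear missing-parameter error, and REFERENCE.md now documents `Default value: undef`, which is not a value the class can run with. Declaring it without a default, `Array[String[1]] $package_name,`, makes the Hiera binding the single source of the value and also rejects empty package names before they reach `ensure_packages`. The class body continues outside the hunk.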
@@ -24,14 +31,6 @@ ensure_packages($dns_packages) } - package { $easy_ipa::params::ipa_server_package_name: - ensure => present, - } - - package { $easy_ipa::params::kstart_package_name: - ensure => present, - } - $server_install_cmd_opts_idstart = "--idstart=${easy_ipa::idstart}" $server_install_cmd_opts_idmax = $easy_ipa::idmax ? { diff --git a/manifests/server/master.pp b/manifests/server/master.pp index bd9a8c2f..beef697f 100644 --- a/manifests/server/master.pp +++ b/manifests/server/master.pp @@ -39,6 +39,5 @@ command => '/usr/bin/k5start -f /etc/krb5.keytab -U -o root -k /tmp/krb5cc_0 > /dev/null 2>&1', user => 'root', minute => '*/1', - require => Package[$easy_ipa::params::kstart_package_name], } } diff --git a/manifests/server/replica.pp b/manifests/server/replica.pp index aff139e8..44b34d2e 100644 --- a/manifests/server/replica.pp +++ b/manifests/server/replica.pp @@ -36,6 +36,5 @@ command => '/usr/bin/k5start -f /etc/krb5.keytab -U -o root -k /tmp/krb5cc_0 > /dev/null 2>&1', user => 'root', minute => '*/1', - require => Package[$easy_ipa::params::kstart_package_name], } } From 5abfa364582c88e3e5873ef92dd3584c61f1c822 Mon Sep 17 00:00:00 2001 From: Joshua Hoblitt Date: Mon, 30 Oct 2023 10:51:27 -0700 Subject: [PATCH 48/78] add LICENSE file (migrated from README.md) --- LICENSE | 14 ++++++++++++++ README.md | 19 ------------------- 2 files changed, 14 insertions(+), 19 deletions(-) create mode 100644 LICENSE diff --git a/LICENSE b/LICENSE new file mode 100644 index 00000000..941cf7d7 --- /dev/null +++ b/LICENSE 
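Review bot: Dropping `require => Package[$easy_ipa::params::kstart_package_name]` from the k5start cron resource in `manifests/server/master.pp` (and the identical hunk in `manifests/server/replica.pp`) removes the only ordering between the cron entry and the package that provides `/usr/bin/k5start`; the new `ensure_packages($package_name)` in `manifests/server.pp` does not reintroduce it. On a fresh node the cron resource can then be applied before kstart is installed in the same run, which is harmless once the run completes but loses the intent the old line expressed. `require => Package[$easy_ipa::server::package_name]` keeps the relationship without hardcoding the now data-driven package name, assuming `easy_ipa::server` is always declared before these classes (its declaration is outside the hunk). The enclosing cron resource and class begin outside the hunk.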
@@ -0,0 +1,14 @@ +Copyright (C) 2013 Harvard University Information Technology + +This program is free software: you can redistribute it and/or modify +it under the terms of the GNU General Public License as published by +the Free Software Foundation, either version 3 of the License, or +(at your option) any later version. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU General Public License for more details. + +You should have received a copy of the GNU General Public License +along with this program. If not, see . diff --git a/README.md b/README.md index 533c650d..980922b7 100644 --- a/README.md +++ b/README.md @@ -293,22 +293,3 @@ Steps to get started: 1. Run `vagrant up` in a terminal window from the root of the repo. 1. Open a browser and navigate to `https://localhost:8440`. Log in with username `admin` and password `vagrant123`. - -## License -jpuskar/puppet-easy_ipa forked from: -huit/puppet-ipa - Puppet module that can manage an IPA master, replicas and clients. - - Copyright (C) 2013 Harvard University Information Technology - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . From 8e278de5e8614cf06143273069a23163ba124c44 Mon Sep 17 00:00:00 2001 
From: Joshua Hoblitt Date: Mon, 30 Oct 2023 10:52:06 -0700 Subject: [PATCH 49/78] rm outdated README section & those that dup REFERENCE.md --- .rspec | 1 + README.md | 218 ------------------------------------------------------ 2 files changed, 1 insertion(+), 218 deletions(-) diff --git a/.rspec b/.rspec index f634583d..c6cfef19 100644 --- a/.rspec +++ b/.rspec @@ -3,3 +3,4 @@ --format documentation --color +--fail-fast diff --git a/README.md b/README.md index 980922b7..df21acd1 100644 --- a/README.md +++ b/README.md @@ -6,22 +6,6 @@ This module will install and configure IPA servers, replicas, and clients. This module was forked from huit-ipa, and refactored with a focus on simplicity and ease of use. -The following features work great: -- Creating a domain. -- Adding IPA server replicas. -- Joining clients. -- WebUI proxy to https://localhost:8440 (for vagrant testing). - -The following features were stripped out and are currently unavailable: -- Autofs configuration. -- Sudo rule management. -- Host management (beyond simple clinet domain joins). -- Host joins via one time passwords. -- Dns zone management (beyond creating an initial zone). - -## Dependencies -This module requires [puppetlabs/stdlib](https://forge.puppetlabs.com/puppetlabs/stdlib) >= 4.13.0. - ## Usage ### Example usage: @@ -55,15 +39,6 @@ class {'::easy_ipa': } ``` -Add monitoring with [monit](https://mmonit.com/monit/). Depends on the -[puppetfinland-monit](https://github.com/Puppet-Finland/monit) module: - -``` -class { '::easy_ipa::monit::server': - email => 'monitoring@domain.com', -} -``` - Add iptables/ip6tables allow rules: ``` 
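Review bot: `--fail-fast` added to the committed `.rspec` applies to every run, including CI, so a red suite now reports only the first failing example and hides the rest, which slows triage of a broken build; the commit message is about README cleanup and does not say why this option is wanted. If it is a local convenience, RSpec also reads a git-ignored `.rspec-local` (or `SPEC_OPTS`) where it will not affect other contributors; if it is meant for CI, a one-line comment in `.rspec` such as `# stop on first failure; CI runs the full matrix separately` would record the reason. The README hunks in this commit are documentation only.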
@@ -90,14 +65,6 @@ false. A wrapper script is used as ipa-backup always adds a timestamp to the backup directory, which makes no sense if an external system (e.g. Bacula) is handling backup versioning anyways. -Adding a local named.conf configuration fragment: -```puppet -::easy_ipa::config::named { 'tsig-key': - content => template('profile/named-tsig-key.conf.erb'), -} -``` -These can be used for various purposes, for example to add a key which allows -dynamic DNS updates to certain DNS zones. Adding a client: ```puppet 
@@ -108,188 +75,3 @@ domain_join_password => 'vagrant123', ipa_master_fqdn => 'ipa-server-1.vagrant.example.lan', } ``` - -### Support for systems without ipa client packages - -This module has partial support configuring ipa clients on operating systems -which lack ipa client package and thus the ipa-client-install script. Right now -Debian 9 is the only operating system supported in this way. Client-side is -configured with the exception that sshd_config is not touched to prevent -configuration overlap with other Puppet modules. Adapt the following procedure -(adapted from [here](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/identity_management_guide/linux-manual)) -to complete the enrollment of a host into IPA. - -On the IPA master: - - kinit admin - ipa host-add --ip-address=192.168.56.40 ipa-client-4.vagrant.example.lan - ipa host-add-managedby --hosts=ipa-server-1.vagrant.example.lan ipa-client-4.vagrant.example.lan - ipa-getkeytab --server=ipa-server-1.vagrant.example.lan -p host/ipa-client-4.vagrant.example.lan -k /tmp/ipa-client-4.keytab - chmod 644 /tmp/ipa-client-4.keytab - -Copy the keytab to /etc/krb5.keytab on the client host to be enrolled and in there run - - chown root:root /etc/krb5.keytab - chmod 600 /etc/krb5.keytab - -Assuming you had ran Puppet on the client and launching of sssd had failed, try again now: - - systemctl restart sssd - -You should now be able to use kinit normally on the enrolled client: - - kinit admin - -Many of these steps could be automated with exported resources, but getting the -Kerberos keytab back to the enrolled would somewhat be challenging. - -### Mandatory Parameters - -#### `domain` -Mandatory. The name of the IPA domain to create or join. - -#### `ipa_role` -Mandatory. What role the node will be. Options are 'master', 'replica', and 'client'. - -#### `admin_password` -Mandatory if `ipa_role` is set as 'Master' or 'Replica'. 
-Password which will be assigned to the IPA account named 'admin'. - -#### `directory_services_password` -Mandatory if `ipa_role` is set as 'Master'. -Password which will be passed into the ipa setup's parameter named "--ds-password". - -### Optional Parameters - -#### `autofs_package_name` -Name of the autofs package to install if enabled. - -#### `configure_dns_server` -If true, then the parameter '--setup-dns' is passed to the IPA server installer. -Also, triggers the install of the required dns server packages. - -#### `configure_replica_ca` -If true, then the parameter '--setup-ca' is passed to the IPA replica installer. - -#### `configure_ntp` -If false, then the parameter '--no-ntp' is passed to the IPA server installer. - -#### `custom_dns_forwarders` -Each element in this array is prefixed with '--forwarder ' and passed to the IPA server installer. - -#### `domain_join_principal` -The principal (usually username) used to join a client or replica to the IPA domain. - -#### `domain_join_password` -The password for the domain_join_principal. - -#### `enable_hostname` -If true, then the parameter '--hostname' is populated with the parameter 'ipa_server_fqdn' -and passed to the IPA installer. On client installs '--hostname' is populated with `$::fqdn`. - -#### `enable_ip_address` -If true, then the parameter '--ip-address' is populated with the parameter 'ip_address' -and passed to the IPA installer. - -#### `fixed_primary` -If true, then the parameter '--fixed-primary' is passed to the IPA installer. - -#### `idstart` -From the IPA man pages: "The starting user and group id number". Note that this -will clash with installer on RedHat 9. See adjust_login_defs parameter. - -#### `idmax` -From the IPA man pages: "The max value for the IDs range (default: idstart+199999)". - -#### `install_autofs` -If true, then the autofs packages are installed. - -#### `install_epel` -If true, then the epel repo is installed. The epel repo is usually required for sssd packages. 
- -#### `install_ldaputils` -If true, then the ldaputils packages are installed. - -#### `install_sssdtools` -If true, then the sssdtools packages are installed. - -#### `ipa_client_package_name` -Name of the IPA client package. - -#### `ipa_server_package_name` -Name of the IPA server package. - -#### `install_ipa_client` -If true, then the IPA client packages are installed if the parameter 'ipa_role' is set to 'client'. - -#### `install_ipa_server` -If true, then the IPA server packages are installed if the parameter 'ipa_role' is not set to 'client'. - -#### `install_sssd` -If true, then the sssd packages are installed. - -#### `ip_address` -IP address to pass to the IPA installer. - -#### `ipa_server_fqdn` -Actual fqdn of the IPA server or client. - -#### `kstart_package_name` -Name of the kstart package. - -#### `ldaputils_package_name` -Name of the ldaputils package. - -#### `ipa_master_fqdn` -FQDN of the server to use for a client or replica domain join. - -#### `manage_host_entry` -If true, then a host entry is created using the parameters 'ipa_server_fqdn' and 'ip_address'. - -#### `mkhomedir` -If true, then the parameter '--mkhomedir' is passed to the IPA client installer. - -#### `no_ui_redirect` -If true, then the parameter '--no-ui-redirect' is passed to the IPA server installer. - -#### `realm` -The name of the IPA realm to create or join. - -#### `sssd_package_name` -Name of the sssd package. - -#### `sssdtools_package_name` -Name of the sssdtools package. - -#### ̀gssapi_no_negotiate - -Suppress setting Negotiate headers based on BrowserMatch. Not sending these headers is useful to work around browsers that do not handle them properly (and incorrectly show authentication popups to users). Example: "Windows". Default undef. - -#### `webui_enable_proxy` -If true, then httpd is configured to act as a reverse proxy for the IPA Web UI. This allows -for the Web UI to be accessed from different ports and hostnames than the default. 
- -#### `webui_proxy_external_fqdn` -The public or external FQDN used to access the IPA Web UI behind the reverse proxy. - -#### `webui_proxy_https_port` -The HTTPS port to use for the reverse proxy. Cannot be 443. - -#### `adjust_login_defs` -Adjust UID_MAX and GID_MAX in login.defs. This is require on RedHat 9. Default false. - - -## Limitations - -This module has only been tested on Centos 7 and RedHat 9. - -## Testing -A vagrantfile is provided for easy testing. - -Steps to get started: - 1. Install vagrant. - 1. Install virtualbox. - 1. Clone this repo. - 1. Run `vagrant up` in a terminal window from the root of the repo. - 1. Open a browser and navigate to `https://localhost:8440`. - Log in with username `admin` and password `vagrant123`. From 4b3304a9564e809f8632f9333236cc8c75a59f9d Mon Sep 17 00:00:00 2001 From: Joshua Hoblitt Date: Mon, 30 Oct 2023 10:59:44 -0700 Subject: [PATCH 50/78] rm webui/http configuration This should be managed with a forge module. E.g. puppetlabs/apache --- README.md | 2 -- REFERENCE.md | 44 -------------------------- manifests/config/webui.pp | 65 --------------------------------------- manifests/init.pp | 19 ------------ manifests/server.pp | 12 -------- spec/classes/ipa_spec.rb | 3 -- 6 files changed, 145 deletions(-) delete mode 100644 manifests/config/webui.pp diff --git a/README.md b/README.md index df21acd1..7a051d6e 100644 --- a/README.md +++ b/README.md @@ -10,7 +10,6 @@ and refactored with a focus on simplicity and ease of use. ### Example usage: -Creating an IPA master, with the WebUI proxied to `https://localhost:8440`. ```puppet class {'easy_ipa': ipa_role => 'master', @@ -21,7 +20,6 @@ class {'easy_ipa': ip_address => '192.168.56.35', enable_ip_address => true, enable_hostname => true, - webui_enable_proxy => true, } ``` diff --git a/REFERENCE.md b/REFERENCE.md index 5cb893f9..a88607f3 100644 --- a/REFERENCE.md +++ b/REFERENCE.md 
@@ -10,7 +10,6 @@ * [`easy_ipa`](#easy_ipa): Manages IPA masters, replicas and clients. * [`easy_ipa::client`](#easy_ipa--client): Manage ipa client -* [`easy_ipa::config::webui`](#easy_ipa--config--webui): Configures port and redirect overrides for the IPA server web UI. * [`easy_ipa::packetfilter::server`](#easy_ipa--packetfilter--server): Install packet filtering rules for FreeIPA. * [`easy_ipa::server`](#easy_ipa--server): Manage IPA server install * [`easy_ipa::server::master`](#easy_ipa--server--master): Manage primary server @@ -64,7 +63,6 @@ The following parameters are available in the `easy_ipa` class: * [`enable_ip_address`](#-easy_ipa--enable_ip_address) * [`fixed_primary`](#-easy_ipa--fixed_primary) * [`idstart`](#-easy_ipa--idstart) -* [`gssapi_no_negotiate`](#-easy_ipa--gssapi_no_negotiate) * [`idmax`](#-easy_ipa--idmax) * [`ip_address`](#-easy_ipa--ip_address) * [`ipa_server_fqdn`](#-easy_ipa--ipa_server_fqdn) @@ -72,9 +70,6 @@ The following parameters are available in the `easy_ipa` class: * [`mkhomedir`](#-easy_ipa--mkhomedir) * [`no_ui_redirect`](#-easy_ipa--no_ui_redirect) * [`realm`](#-easy_ipa--realm) -* [`webui_enable_proxy`](#-easy_ipa--webui_enable_proxy) -* [`webui_proxy_external_fqdn`](#-easy_ipa--webui_proxy_external_fqdn) -* [`webui_proxy_https_port`](#-easy_ipa--webui_proxy_https_port) * [`adjust_login_defs`](#-easy_ipa--adjust_login_defs) ##### `domain` @@ -235,16 +230,6 @@ Data type: `Integer[10000]` Default value: `(fqdn_rand('10737') + 10000` -##### `gssapi_no_negotiate` - -Data type: `Variant[Pattern,Undef]` - -(pattern) Suppress setting Negotiate headers based on BrowserMatch. - Not sending these headers is useful to work around browsers that do not handle them properly (and incorrectly show - authentication popups to users). Example: "Windows". Default undef. - -Default value: `undef` - ##### `idmax` Data type: `Variant[Integer,Undef]` 
@@ -302,31 +287,6 @@ Data type: `Optional[Stdlib::Fqdn]` Default value: `undef` -##### `webui_enable_proxy` - -Data type: `Boolean` - -(boolean) If true, then httpd is configured to act as a reverse proxy for the IPA Web UI. This allows - for the Web UI to be accessed from different ports and hostnames than the default. - -Default value: `false` - -##### `webui_proxy_external_fqdn` - -Data type: `String` - -(string) The public or external FQDN used to access the IPA Web UI behind the reverse proxy. - -Default value: `'localhost'` - -##### `webui_proxy_https_port` - -Data type: `String` - -(integer) The HTTPS port to use for the reverse proxy. Cannot be 443. - -Default value: `'8440'` - ##### `adjust_login_defs` Data type: `Boolean` @@ -362,10 +322,6 @@ Force the client to join the domain even if it is already joined. Default value: `false` -### `easy_ipa::config::webui` - -Configures port and redirect overrides for the IPA server web UI. - ### `easy_ipa::packetfilter::server` Install packet filtering rules for FreeIPA. diff --git a/manifests/config/webui.pp b/manifests/config/webui.pp deleted file mode 100644 index 1d4ca55d..00000000 --- a/manifests/config/webui.pp +++ /dev/null 
@@ -1,65 +0,0 @@ -# Configures port and redirect overrides for the IPA server web UI. -class easy_ipa::config::webui { - if $easy_ipa::webui_enable_proxy { - #ref: https://www.redhat.com/archives/freeipa-users/2016-June/msg00128.html - $proxy_server_internal_fqdn = $easy_ipa::ipa_server_fqdn - $proxy_server_external_fqdn = $easy_ipa::webui_proxy_external_fqdn - $proxy_https_port = $easy_ipa::webui_proxy_https_port - - $proxy_server_external_fqdn_and_port = "${proxy_server_external_fqdn}:${proxy_https_port}" - - $proxy_internal_uri = "https://${proxy_server_internal_fqdn}" - $proxy_external_uri = "https://${proxy_server_external_fqdn}:${proxy_https_port}" - $proxy_server_name = "https://${easy_ipa::ipa_server_fqdn}:${proxy_https_port}" - $proxy_referrer_regex = regsubst( - $proxy_external_uri, - '\.', - '\.', - 'G', - ) - - # IPA switched to mod_ssl as the crypto engine for Apache as of version 4.7.0 - # see https://www.freeipa.org/page/Releases/4.7.0#Highlights_in_4.7.0 - # These are not needed for versions newer than 4.7.10 - if versioncmp(fact('ipa_server_version'), '4.7.0') < 0 { - exec { 'semanage-port-http_port_t': - command => "semanage port -a -t http_port_t -p tcp ${proxy_https_port}", - unless => "semanage port -l|grep -E \"^http_port_t.*tcp.*${proxy_https_port}\"", - path => ['/bin','/sbin','/usr/bin','/usr/sbin'], - } - - file_line { 'webui_additional_https_port_listener': - ensure => present, - path => '/etc/httpd/conf.d/nss.conf', - line => "Listen ${proxy_https_port}", - after => 'Listen\ 443', - notify => Service['httpd'], - } - - file { '/etc/httpd/conf.d/ipa-rewrite.conf': - ensure => file, - replace => true, - content => template('easy_ipa/ipa-rewrite.conf.erb'), - notify => Service['httpd'], - } - - file { '/etc/httpd/conf.d/ipa-webui-proxy.conf': - ensure => file, - replace => true, - content => template('easy_ipa/ipa-webui-proxy.conf.erb'), - notify => Service['httpd'], - require => Exec['semanage-port-http_port_t'], - } - } - } - - if 
$easy_ipa::gssapi_no_negotiate { - file_line { 'disable_negotiate_headers': - ensure => present, - path => '/etc/httpd/conf.d/ipa.conf', - line => " BrowserMatch \"${easy_ipa::gssapi_no_negotiate}\" gssapi-no-negotiate", - notify => Service['httpd'], - after => '^\s*AuthType\sGSSAPI$', - } - } -} diff --git a/manifests/init.pp b/manifests/init.pp index 6140a4a3..b3870b91 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -66,11 +66,6 @@ # @param idstart # (integer) From the IPA man pages: "The starting user and group id number". # -# @param gssapi_no_negotiate -# (pattern) Suppress setting Negotiate headers based on BrowserMatch. -# Not sending these headers is useful to work around browsers that do not handle them properly (and incorrectly show -# authentication popups to users). Example: "Windows". Default undef. -# # @param idmax # (integer) From the IPA man pages: "The max value for the IDs range (default: idstart+199999)". # @@ -93,16 +88,6 @@ # @param realm # (string) The name of the IPA realm to create or join. # -# @param webui_enable_proxy -# (boolean) If true, then httpd is configured to act as a reverse proxy for the IPA Web UI. This allows -# for the Web UI to be accessed from different ports and hostnames than the default. -# -# @param webui_proxy_external_fqdn -# (string) The public or external FQDN used to access the IPA Web UI behind the reverse proxy. -# -# @param webui_proxy_https_port -# (integer) The HTTPS port to use for the reverse proxy. Cannot be 443. -# # @param adjust_login_defs # (boolean) Adjust UID_MAX and GID_MAX in login.defs. Without this newer server installers fail. Default false. # @@ -131,7 +116,6 @@ Boolean $enable_hostname = true, Boolean $enable_ip_address = false, Boolean $fixed_primary = false, - Variant[Pattern,Undef] $gssapi_no_negotiate = undef, Integer[10000] $idstart = (fqdn_rand('10737') + 10000), Variant[Integer,Undef] $idmax = undef, Optional[Stdlib::IP::Address] $ip_address = undef, 
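Review bot: Removing `gssapi_no_negotiate` from the `easy_ipa` class parameter list in the `@@ -131,7 +116,6 @@` hunk, and `webui_enable_proxy`, `webui_proxy_external_fqdn` and `webui_proxy_https_port` in the following `@@ -140,9 +124,6 @@` hunk, is a breaking interface change: any node that still sets one of them in Hiera or a wrapper profile will fail catalog compilation with an unknown-parameter error. The diffstat lists neither metadata.json nor a changelog, so the removal is unannounced; a major version bump and a release note naming the dropped parameters would be expected, unless a later patch in the series does that. The server.pp hunk also drops the `httpd` service resource, so after this commit nothing in the module asserts httpd is running, which matches the commit message but deserves a line in the same release note.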
@@ -140,9 +124,6 @@
 Boolean $mkhomedir = true,
 Boolean $no_ui_redirect = false,
 Optional[Stdlib::Fqdn] $realm = undef,
- Boolean $webui_enable_proxy = false,
- String $webui_proxy_external_fqdn = 'localhost',
- String $webui_proxy_https_port = '8440',
 Boolean $adjust_login_defs = false,
 ) {
 if $easy_ipa::idmax and $easy_ipa::idmax < $easy_ipa::idstart {
diff --git a/manifests/server.pp b/manifests/server.pp
index 6e4f1f09..42fec33c 100644
--- a/manifests/server.pp
+++ b/manifests/server.pp
@@ -111,28 +111,16 @@
 if $easy_ipa::ipa_role == 'master' {
 contain 'easy_ipa::server::master'
- Class['easy_ipa::server::master']
- -> Class['easy_ipa::config::webui']
 Class['easy_ipa::server::master']
 -> Service['ipa']
 } elsif $easy_ipa::ipa_role == 'replica' {
 contain 'easy_ipa::server::replica'
- Class['easy_ipa::server::replica']
- -> Class['easy_ipa::config::webui']
 Class['easy_ipa::server::replica']
 -> Service['ipa']
 }
- ensure_resource (
- 'service',
- 'httpd',
- { ensure => 'running' },
- )
-
- contain 'easy_ipa::config::webui'
-
 service { 'ipa':
 ensure => running,
 enable => true,
diff --git a/spec/classes/ipa_spec.rb b/spec/classes/ipa_spec.rb
index a8fb87fb..77d71cd2 100644
--- a/spec/classes/ipa_spec.rb
+++ b/spec/classes/ipa_spec.rb
@@ -43,7 +43,6 @@ context 'with defaults' do
 it { is_expected.to contain_class('easy_ipa::server') }
 it { is_expected.to contain_class('easy_ipa::server::master') }
- it { is_expected.to contain_class('easy_ipa::config::webui') }
 it { is_expected.not_to contain_class('easy_ipa::server::replica') }
 it { is_expected.not_to contain_class('easy_ipa::client') }
@@ -215,7 +214,6 @@ context 'with defaults' do
 it { is_expected.to contain_class('easy_ipa::server') }
 it { is_expected.to contain_class('easy_ipa::server::replica') }
- it { is_expected.to contain_class('easy_ipa::config::webui') }
 it { is_expected.not_to contain_class('easy_ipa::server::master') }
 it { is_expected.not_to contain_class('easy_ipa::client') }
@@ -315,7 +313,6 @@ it { is_expected.not_to contain_class('easy_ipa::server') } it { is_expected.not_to contain_class('easy_ipa::server::master') } it { is_expected.not_to contain_class('easy_ipa::server::replica') } - it { is_expected.not_to contain_class('easy_ipa::config::webui') } it { is_expected.to contain_package(client_package).that_comes_before('Exec[ipa-client-install]') } it { is_expected.to contain_package('kstart') } From 08465c5d8aa985cb832e44574162ae80c04dfbbc Mon Sep 17 00:00:00 2001 From: Joshua Hoblitt Date: Tue, 31 Oct 2023 09:09:59 -0700 Subject: [PATCH 51/78] convert easy_ipa::helpers::flushcache define to class + rename to easy_ipa::helpers::flushcache and mark as @api_private. --- REFERENCE.md | 6 +----- manifests/server.pp | 4 ++-- manifests/{helpers => server}/flushcache.pp | 7 +++++-- manifests/server/master.pp | 2 +- manifests/server/replica.pp | 2 +- 5 files changed, 10 insertions(+), 11 deletions(-) rename manifests/{helpers => server}/flushcache.pp (89%) diff --git a/REFERENCE.md b/REFERENCE.md index a88607f3..93ad41b1 100644 --- a/REFERENCE.md +++ b/REFERENCE.md @@ -18,12 +18,12 @@ #### Private Classes * `easy_ipa::client::debian`: Ensure that home directories get created on Debian and Ubuntu clients. +* `easy_ipa::server::flushcache`: Manage cache flushing * `easy_ipa::server::redhat` ### Defined types * [`easy_ipa::backup`](#easy_ipa--backup): Define easy_ipa::backup -* [`easy_ipa::helpers::flushcache`](#easy_ipa--helpers--flushcache): Manage cache flushing ### Plans @@ -451,10 +451,6 @@ Email to send cron notifications to. Defaults to $::servermonitor. Default value: `fact('servermonitor')` -### `easy_ipa::helpers::flushcache` - -Manage cache flushing - ## Plans ### `easy_ipa::update_host_keys` diff --git a/manifests/server.pp b/manifests/server.pp index 42fec33c..ccbeda68 100644 --- a/manifests/server.pp +++ b/manifests/server.pp 
@@ -121,10 +121,10 @@
 -> Service['ipa']
 }
+ include easy_ipa::server::flushcache
+
 service { 'ipa':
 ensure => running,
 enable => true,
 }
-
- easy_ipa::helpers::flushcache { "server_${easy_ipa::ipa_server_fqdn}": }
 }
diff --git a/manifests/helpers/flushcache.pp b/manifests/server/flushcache.pp
similarity index 89%
rename from manifests/helpers/flushcache.pp
rename to manifests/server/flushcache.pp
index 289567a1..34638942 100644
--- a/manifests/helpers/flushcache.pp
+++ b/manifests/server/flushcache.pp
@@ -1,7 +1,10 @@
 #
 # @summary Manage cache flushing
 #
-define easy_ipa::helpers::flushcache {
+# @api private
+class easy_ipa::server::flushcache {
+ assert_private()
+
 #TODO: nscd should be called on both platforms.
 if fact('os.family') == 'RedHat' {
 $ipa_fluch_cache_cmd = "\
@@ -23,7 +26,7 @@
 fail('The class easy_ipa::flushcache is only written for RedHat and Debian.')
 }
- exec { "ipa_flushcache_${title}":
+ exec { 'ipa_flushcache':
 command => "/bin/bash -c ${ipa_fluch_cache_cmd}",
 returns => ['0','1','2'],
 refreshonly => true,
diff --git a/manifests/server/master.pp b/manifests/server/master.pp
index beef697f..19ba0b34 100644
--- a/manifests/server/master.pp
+++ b/manifests/server/master.pp
@@ -33,7 +33,7 @@
 unless => '/usr/sbin/ipactl status >/dev/null 2>&1',
 creates => '/etc/ipa/default.conf',
 logoutput => on_failure,
- notify => Easy_ipa::Helpers::Flushcache["server_${easy_ipa::ipa_server_fqdn}"],
+ notify => Class[easy_ipa::server::flushcache],
 }
 -> cron { 'k5start_root': #allows scp to replicas as root
 command => '/usr/bin/k5start -f /etc/krb5.keytab -U -o root -k /tmp/krb5cc_0 > /dev/null 2>&1',
diff --git a/manifests/server/replica.pp b/manifests/server/replica.pp
index 44b34d2e..fc0740d9 100644
--- a/manifests/server/replica.pp
+++ b/manifests/server/replica.pp
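Review bot: The `fail()` message kept as context in the `@@ -23,7 +26,7 @@` hunk of flushcache.pp still names `easy_ipa::flushcache`, which after this rename is neither the old nor the new class name; change it to `fail('The class easy_ipa::server::flushcache is only written for RedHat and Debian.')` so the error points at the file an operator has to open. The commit subject says the define is renamed to `easy_ipa::helpers::flushcache`, while the diff renames it to `easy_ipa::server::flushcache`; the subject should name the actual target. The new `exec { 'ipa_flushcache':` keeps the pre-existing `ipa_fluch_cache_cmd` typo, which would be worth fixing here only together with its assignment, which lies outside this hunk. The added `notify => Class[easy_ipa::server::flushcache]` in master.pp (and the same line in replica.pp) would read more consistently as `Class['easy_ipa::server::flushcache']`, matching the quoted class names used by `contain` in server.pp.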
@@ -30,7 +30,7 @@ unless => '/usr/sbin/ipactl status >/dev/null 2>&1', creates => '/etc/ipa/default.conf', logoutput => on_failure, - notify => Easy_ipa::Helpers::Flushcache["server_${easy_ipa::ipa_server_fqdn}"], + notify => Class[easy_ipa::server::flushcache], } -> cron { 'k5start_root': command => '/usr/bin/k5start -f /etc/krb5.keytab -U -o root -k /tmp/krb5cc_0 > /dev/null 2>&1', From 4906ed667d316ebad03e597e7eeebf033b5f55c3 Mon Sep 17 00:00:00 2001 From: Joshua Hoblitt Date: Tue, 31 Oct 2023 09:23:00 -0700 Subject: [PATCH 52/78] rename module easy_ipa -> ipa --- README.md | 20 +-- REFERENCE.md | 234 +++++++++++++++---------------- data/common.yaml | 2 +- data/os/Debian.yaml | 2 +- data/os/RedHat.yaml | 2 +- examples/client.pp | 11 ++ examples/master.pp | 8 +- examples/replica.pp | 13 ++ manifests/backup.pp | 6 +- manifests/client.pp | 40 +++--- manifests/client/debian.pp | 2 +- manifests/init.pp | 18 +-- manifests/packetfilter/server.pp | 2 +- manifests/server.pp | 64 ++++----- manifests/server/flushcache.pp | 4 +- manifests/server/master.pp | 38 ++--- manifests/server/redhat.pp | 2 +- manifests/server/replica.pp | 38 ++--- metadata.json | 4 +- plans/update_host_keys.pp | 6 +- spec/classes/ipa_spec.rb | 26 ++-- 21 files changed, 284 insertions(+), 258 deletions(-) create mode 100644 examples/client.pp create mode 100644 examples/replica.pp diff --git a/README.md b/README.md index 7a051d6e..ca221858 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -# easy_ipa Puppet module +# ipa Puppet module [![Build Status](https://travis-ci.org/Puppet-Finland/puppet-ipa.svg?branch=master)](https://travis-ci.org/Puppet-Finland/puppet-ipa) ## Overview @@ -11,7 +11,7 @@ and refactored with a focus on simplicity and ease of use. ### Example usage: ```puppet -class {'easy_ipa': +class { 'ipa': ipa_role => 'master', domain => 'vagrant.example.lan', ipa_server_fqdn => 'ipa-server-1.vagrant.example.lan', 
@@ -24,8 +24,9 @@ class {'easy_ipa': ``` Adding a replica: + ```puppet -class {'::easy_ipa': +class { 'ipa': ipa_role => 'replica', domain => 'vagrant.example.lan', ipa_server_fqdn => 'ipa-server-2.vagrant.example.lan', @@ -39,16 +40,17 @@ class {'::easy_ipa': Add iptables/ip6tables allow rules: -``` -class { '::easy_ipa::packetfilter::server': +```puppet +class { 'ipa::packetfilter::server': allow_address_ipv4 => '10.0.0.0/8', allow_address_ipv6 => '::1', } ``` Add a backup job to cron: -``` - easy_ipa::backup { 'full': + +```puppet + ipa::backup { 'full': type => 'full', timestamp => false, monthday => 1, @@ -58,6 +60,7 @@ Add a backup job to cron: email => 'admin@domain.com', } ``` + Backup type can be 'full' or 'data'. Timestamp is either true (default) or false. A wrapper script is used as ipa-backup always adds a timestamp to the backup directory, which makes no sense if an external system (e.g. Bacula) is @@ -65,8 +68,9 @@ handling backup versioning anyways. Adding a client: + ```puppet -class {'::easy_ipa': +class { 'ipa': ipa_role => 'client', domain => 'vagrant.example.lan', domain_join_password => 'vagrant123', diff --git a/REFERENCE.md b/REFERENCE.md index 93ad41b1..475e2cd1 100644 --- a/REFERENCE.md +++ b/REFERENCE.md 
@@ -8,31 +8,31 @@ #### Public Classes -* [`easy_ipa`](#easy_ipa): Manages IPA masters, replicas and clients. -* [`easy_ipa::client`](#easy_ipa--client): Manage ipa client -* [`easy_ipa::packetfilter::server`](#easy_ipa--packetfilter--server): Install packet filtering rules for FreeIPA. -* [`easy_ipa::server`](#easy_ipa--server): Manage IPA server install -* [`easy_ipa::server::master`](#easy_ipa--server--master): Manage primary server -* [`easy_ipa::server::replica`](#easy_ipa--server--replica): Manage replica install +* [`ipa`](#ipa): Manages IPA masters, replicas and clients. +* [`ipa::client`](#ipa--client): Manage ipa client +* [`ipa::packetfilter::server`](#ipa--packetfilter--server): Install packet filtering rules for FreeIPA. +* [`ipa::server`](#ipa--server): Manage IPA server install +* [`ipa::server::master`](#ipa--server--master): Manage primary server +* [`ipa::server::replica`](#ipa--server--replica): Manage replica install #### Private Classes -* `easy_ipa::client::debian`: Ensure that home directories get created on Debian and Ubuntu clients. -* `easy_ipa::server::flushcache`: Manage cache flushing -* `easy_ipa::server::redhat` +* `ipa::client::debian`: Ensure that home directories get created on Debian and Ubuntu clients. +* `ipa::server::flushcache`: Manage cache flushing +* `ipa::server::redhat` ### Defined types -* [`easy_ipa::backup`](#easy_ipa--backup): Define easy_ipa::backup +* [`ipa::backup`](#ipa--backup): Define ipa::backup ### Plans -* [`easy_ipa::update_host_keys`](#easy_ipa--update_host_keys): Update host keys for a domain-joined node in FreeIPA to match real host +* [`ipa::update_host_keys`](#ipa--update_host_keys): Update host keys for a domain-joined node in FreeIPA to match real host keys. ## Classes -### `easy_ipa` +### `ipa` TODO: Allow creation of root zone for isolated networks -- https://www.freeipa.org/page/Howto/DNS_in_isolated_networks TODO: Class comments. 
@@ -42,49 +42,49 @@ TODO: configurable admin username. #### Parameters -The following parameters are available in the `easy_ipa` class: - -* [`domain`](#-easy_ipa--domain) -* [`ipa_role`](#-easy_ipa--ipa_role) -* [`admin_password`](#-easy_ipa--admin_password) -* [`directory_services_password`](#-easy_ipa--directory_services_password) -* [`allow_zone_overlap`](#-easy_ipa--allow_zone_overlap) -* [`no_dnssec_validation`](#-easy_ipa--no_dnssec_validation) -* [`configure_dns_server`](#-easy_ipa--configure_dns_server) -* [`configure_replica_ca`](#-easy_ipa--configure_replica_ca) -* [`configure_ntp`](#-easy_ipa--configure_ntp) -* [`configure_ssh`](#-easy_ipa--configure_ssh) -* [`configure_sshd`](#-easy_ipa--configure_sshd) -* [`custom_dns_forwarders`](#-easy_ipa--custom_dns_forwarders) -* [`domain_join_principal`](#-easy_ipa--domain_join_principal) -* [`domain_join_password`](#-easy_ipa--domain_join_password) -* [`enable_dns_updates`](#-easy_ipa--enable_dns_updates) -* [`enable_hostname`](#-easy_ipa--enable_hostname) -* [`enable_ip_address`](#-easy_ipa--enable_ip_address) -* [`fixed_primary`](#-easy_ipa--fixed_primary) -* [`idstart`](#-easy_ipa--idstart) -* [`idmax`](#-easy_ipa--idmax) -* [`ip_address`](#-easy_ipa--ip_address) -* [`ipa_server_fqdn`](#-easy_ipa--ipa_server_fqdn) -* [`ipa_master_fqdn`](#-easy_ipa--ipa_master_fqdn) -* [`mkhomedir`](#-easy_ipa--mkhomedir) -* [`no_ui_redirect`](#-easy_ipa--no_ui_redirect) -* [`realm`](#-easy_ipa--realm) -* [`adjust_login_defs`](#-easy_ipa--adjust_login_defs) - -##### `domain` +The following parameters are available in the `ipa` class: + +* [`domain`](#-ipa--domain) +* [`ipa_role`](#-ipa--ipa_role) +* [`admin_password`](#-ipa--admin_password) +* [`directory_services_password`](#-ipa--directory_services_password) +* [`allow_zone_overlap`](#-ipa--allow_zone_overlap) +* [`no_dnssec_validation`](#-ipa--no_dnssec_validation) +* [`configure_dns_server`](#-ipa--configure_dns_server) +* 
[`configure_replica_ca`](#-ipa--configure_replica_ca) +* [`configure_ntp`](#-ipa--configure_ntp) +* [`configure_ssh`](#-ipa--configure_ssh) +* [`configure_sshd`](#-ipa--configure_sshd) +* [`custom_dns_forwarders`](#-ipa--custom_dns_forwarders) +* [`domain_join_principal`](#-ipa--domain_join_principal) +* [`domain_join_password`](#-ipa--domain_join_password) +* [`enable_dns_updates`](#-ipa--enable_dns_updates) +* [`enable_hostname`](#-ipa--enable_hostname) +* [`enable_ip_address`](#-ipa--enable_ip_address) +* [`fixed_primary`](#-ipa--fixed_primary) +* [`idstart`](#-ipa--idstart) +* [`idmax`](#-ipa--idmax) +* [`ip_address`](#-ipa--ip_address) +* [`ipa_server_fqdn`](#-ipa--ipa_server_fqdn) +* [`ipa_master_fqdn`](#-ipa--ipa_master_fqdn) +* [`mkhomedir`](#-ipa--mkhomedir) +* [`no_ui_redirect`](#-ipa--no_ui_redirect) +* [`realm`](#-ipa--realm) +* [`adjust_login_defs`](#-ipa--adjust_login_defs) + +##### `domain` Data type: `Stdlib::Fqdn` (string) The name of the IPA domain to create or join. -##### `ipa_role` +##### `ipa_role` Data type: `Enum['client', 'master', 'replica']` (string) What role the node will be. Options are 'master', 'replica', and 'client'. -##### `admin_password` +##### `admin_password` Data type: `Optional[String[8]]` @@ -92,7 +92,7 @@ Data type: `Optional[String[8]]` Default value: `undef` -##### `directory_services_password` +##### `directory_services_password` Data type: `Optional[String[8]]` @@ -100,7 +100,7 @@ Data type: `Optional[String[8]]` Default value: `undef` -##### `allow_zone_overlap` +##### `allow_zone_overlap` Data type: `Boolean` @@ -111,7 +111,7 @@ Data type: `Boolean` Default value: `false` -##### `no_dnssec_validation` +##### `no_dnssec_validation` Data type: `Boolean` @@ -119,7 +119,7 @@ Data type: `Boolean` Default value: `false` -##### `configure_dns_server` +##### `configure_dns_server` Data type: `Boolean` 
@@ -128,7 +128,7 @@ Data type: `Boolean` Default value: `true` -##### `configure_replica_ca` +##### `configure_replica_ca` Data type: `Boolean` @@ -136,7 +136,7 @@ Data type: `Boolean` Default value: `false` -##### `configure_ntp` +##### `configure_ntp` Data type: `Boolean` @@ -145,7 +145,7 @@ Data type: `Boolean` Default value: `true` -##### `configure_ssh` +##### `configure_ssh` Data type: `Boolean` @@ -154,7 +154,7 @@ Data type: `Boolean` Default value: `true` -##### `configure_sshd` +##### `configure_sshd` Data type: `Boolean` @@ -163,7 +163,7 @@ Data type: `Boolean` Default value: `true` -##### `custom_dns_forwarders` +##### `custom_dns_forwarders` Data type: `Array[String]` @@ -172,7 +172,7 @@ Data type: `Array[String]` Default value: `[]` -##### `domain_join_principal` +##### `domain_join_principal` Data type: `String[1]` @@ -180,7 +180,7 @@ Data type: `String[1]` Default value: `'admin'` -##### `domain_join_password` +##### `domain_join_password` Data type: `Optional[String[1]]` @@ -188,7 +188,7 @@ Data type: `Optional[String[1]]` Default value: `$directory_services_password` -##### `enable_dns_updates` +##### `enable_dns_updates` Data type: `Boolean` @@ -196,7 +196,7 @@ Data type: `Boolean` Default value: `false` -##### `enable_hostname` +##### `enable_hostname` Data type: `Boolean` @@ -205,7 +205,7 @@ Data type: `Boolean` Default value: `true` -##### `enable_ip_address` +##### `enable_ip_address` Data type: `Boolean` @@ -214,7 +214,7 @@ Data type: `Boolean` Default value: `false` -##### `fixed_primary` +##### `fixed_primary` Data type: `Boolean` @@ -222,7 +222,7 @@ Data type: `Boolean` Default value: `false` -##### `idstart` +##### `idstart` Data type: `Integer[10000]` @@ -230,7 +230,7 @@ Data type: `Integer[10000]` Default value: `(fqdn_rand('10737') + 10000` -##### `idmax` +##### `idmax` Data type: `Variant[Integer,Undef]` 
@@ -238,7 +238,7 @@ Data type: `Variant[Integer,Undef]` Default value: `undef` -##### `ip_address` +##### `ip_address` Data type: `Optional[Stdlib::IP::Address]` @@ -246,7 +246,7 @@ Data type: `Optional[Stdlib::IP::Address]` Default value: `undef` -##### `ipa_server_fqdn` +##### `ipa_server_fqdn` Data type: `String` @@ -254,7 +254,7 @@ Data type: `String` Default value: `fact('networking.fqdn')` -##### `ipa_master_fqdn` +##### `ipa_master_fqdn` Data type: `Optional[Stdlib::Fqdn]` @@ -262,7 +262,7 @@ Data type: `Optional[Stdlib::Fqdn]` Default value: `undef` -##### `mkhomedir` +##### `mkhomedir` Data type: `Boolean` @@ -271,7 +271,7 @@ installers. Default value: `true` -##### `no_ui_redirect` +##### `no_ui_redirect` Data type: `Boolean` @@ -279,7 +279,7 @@ Data type: `Boolean` Default value: `false` -##### `realm` +##### `realm` Data type: `Optional[Stdlib::Fqdn]` @@ -287,7 +287,7 @@ Data type: `Optional[Stdlib::Fqdn]` Default value: `undef` -##### `adjust_login_defs` +##### `adjust_login_defs` Data type: `Boolean` @@ -295,18 +295,18 @@ Data type: `Boolean` Default value: `false` -### `easy_ipa::client` +### `ipa::client` Manage ipa client #### Parameters -The following parameters are available in the `easy_ipa::client` class: +The following parameters are available in the `ipa::client` class: -* [`package_name`](#-easy_ipa--client--package_name) -* [`force_join`](#-easy_ipa--client--force_join) +* [`package_name`](#-ipa--client--package_name) +* [`force_join`](#-ipa--client--force_join) -##### `package_name` +##### `package_name` Data type: `Array[String]` @@ -314,7 +314,7 @@ The name of the package(s) to install. Default value: `undef` -##### `force_join` +##### `force_join` Data type: `Boolean` 
@@ -322,18 +322,18 @@ Force the client to join the domain even if it is already joined. Default value: `false` -### `easy_ipa::packetfilter::server` +### `ipa::packetfilter::server` Install packet filtering rules for FreeIPA. #### Parameters -The following parameters are available in the `easy_ipa::packetfilter::server` class: +The following parameters are available in the `ipa::packetfilter::server` class: -* [`allow_address_ipv4`](#-easy_ipa--packetfilter--server--allow_address_ipv4) -* [`allow_address_ipv6`](#-easy_ipa--packetfilter--server--allow_address_ipv6) +* [`allow_address_ipv4`](#-ipa--packetfilter--server--allow_address_ipv4) +* [`allow_address_ipv6`](#-ipa--packetfilter--server--allow_address_ipv6) -##### `allow_address_ipv4` +##### `allow_address_ipv4` Data type: `Variant[Stdlib::IP::Address::V4,Array[Stdlib::IP::Address::V4]]` @@ -341,7 +341,7 @@ IPv4 address to allow access from. Default value: `'127.0.0.1'` -##### `allow_address_ipv6` +##### `allow_address_ipv6` Data type: `Variant[Stdlib::IP::Address::V6,Array[Stdlib::IP::Address::V6]]` @@ -349,17 +349,17 @@ IPv6 address to allow access from. Default value: `'::1'` -### `easy_ipa::server` +### `ipa::server` Manage IPA server install #### Parameters -The following parameters are available in the `easy_ipa::server` class: +The following parameters are available in the `ipa::server` class: -* [`package_name`](#-easy_ipa--server--package_name) +* [`package_name`](#-ipa--server--package_name) -##### `package_name` +##### `package_name` Data type: `Array[String]` 
@@ -367,44 +367,44 @@ The name of the package(s) to install. Default value: `undef` -### `easy_ipa::server::master` +### `ipa::server::master` Manage primary server -### `easy_ipa::server::replica` +### `ipa::server::replica` Manage replica install ## Defined types -### `easy_ipa::backup` +### `ipa::backup` Backup FreeIPA from cron #### Parameters -The following parameters are available in the `easy_ipa::backup` defined type: +The following parameters are available in the `ipa::backup` defined type: -* [`title`](#-easy_ipa--backup--title) -* [`type`](#-easy_ipa--backup--type) -* [`timestamp`](#-easy_ipa--backup--timestamp) -* [`monthday`](#-easy_ipa--backup--monthday) -* [`weekday`](#-easy_ipa--backup--weekday) -* [`hour`](#-easy_ipa--backup--hour) -* [`minute`](#-easy_ipa--backup--minute) -* [`email`](#-easy_ipa--backup--email) +* [`title`](#-ipa--backup--title) +* [`type`](#-ipa--backup--type) +* [`timestamp`](#-ipa--backup--timestamp) +* [`monthday`](#-ipa--backup--monthday) +* [`weekday`](#-ipa--backup--weekday) +* [`hour`](#-ipa--backup--hour) +* [`minute`](#-ipa--backup--minute) +* [`email`](#-ipa--backup--email) -##### `title` +##### `title` The resource title is used as part of the the name for the cronjob. -##### `type` +##### `type` Data type: `Enum['full','data']` Backup type. Either 'full' (offline) or 'data' (online). -##### `timestamp` +##### `timestamp` Data type: `Boolean` @@ -415,7 +415,7 @@ own. Default value: `true` -##### `monthday` +##### `monthday` Data type: `Variant[Array[String], Array[Integer[1-31]], String, Integer[1-31]]` @@ -423,7 +423,7 @@ Standard parameter for the cron resource. Default value: `'*'` -##### `weekday` +##### `weekday` Data type: `Variant[Array[String], Array[Integer[0-7]], String, Integer[0-7]]` 
@@ -431,19 +431,19 @@ Standard parameter for the cron resource. Default value: `'*'` -##### `hour` +##### `hour` Data type: `Variant[Array[String], Array[Integer[0-23]], String, Integer[0-23]]` Standard parameter for the cron resource. -##### `minute` +##### `minute` Data type: `Variant[Array[String], Array[Integer[0-59]], String, Integer[0-59]]` Standard parameter for the cron resource -##### `email` +##### `email` Data type: `String` @@ -453,7 +453,7 @@ Default value: `fact('servermonitor')` ## Plans -### `easy_ipa::update_host_keys` +### `ipa::update_host_keys` Useful when real keys and keys in IPA device account have gone out of sync, e.g. due to rebuilding the server from a snapshot. 
@@ -467,39 +467,39 @@ Useful when real keys and keys in IPA device account have gone #### Parameters -The following parameters are available in the `easy_ipa::update_host_keys` plan: +The following parameters are available in the `ipa::update_host_keys` plan: -* [`ipa_clients`](#-easy_ipa--update_host_keys--ipa_clients) -* [`ipa_server`](#-easy_ipa--update_host_keys--ipa_server) -* [`ipa_user`](#-easy_ipa--update_host_keys--ipa_user) -* [`ipa_password`](#-easy_ipa--update_host_keys--ipa_password) -* [`noop`](#-easy_ipa--update_host_keys--noop) +* [`ipa_clients`](#-ipa--update_host_keys--ipa_clients) +* [`ipa_server`](#-ipa--update_host_keys--ipa_server) +* [`ipa_user`](#-ipa--update_host_keys--ipa_user) +* [`ipa_password`](#-ipa--update_host_keys--ipa_password) +* [`noop`](#-ipa--update_host_keys--noop) -##### `ipa_clients` +##### `ipa_clients` Data type: `TargetSpec` One of more IPA clients whose host keys to puload -##### `ipa_server` +##### `ipa_server` Data type: `TargetSpec` A host which has the "ipa" tools installed. Not necessarily an IPA server. -##### `ipa_user` +##### `ipa_user` Data type: `String` An IPA user with permission to run "ipa host-mod". -##### `ipa_password` +##### `ipa_password` Data type: `String` IPA user's password -##### `noop` +##### `noop` Data type: `Boolean` diff --git a/data/common.yaml b/data/common.yaml index c5bc1aa1..068519c3 100644 --- a/data/common.yaml +++ b/data/common.yaml @@ -1,4 +1,4 @@ --- -easy_ipa::server::package_name: +ipa::server::package_name: - ipa-server - kstart diff --git a/data/os/Debian.yaml b/data/os/Debian.yaml index dfdd8d8f..0f07c699 100644 --- a/data/os/Debian.yaml +++ b/data/os/Debian.yaml @@ -1,4 +1,4 @@ --- -easy_ipa::client::package_name: +ipa::client::package_name: - freeipa-client - kstart diff --git a/data/os/RedHat.yaml b/data/os/RedHat.yaml index 3262eca3..a2636528 100644 --- a/data/os/RedHat.yaml +++ b/data/os/RedHat.yaml 
@@ -1,4 +1,4 @@ --- -easy_ipa::client::package_name: +ipa::client::package_name: - ipa-client - kstart diff --git a/examples/client.pp b/examples/client.pp new file mode 100644 index 00000000..676bc54b --- /dev/null +++ b/examples/client.pp @@ -0,0 +1,11 @@ +require epel # provides kstart package on el + +Yumrepo <||> +-> class { 'ipa': + ipa_role => 'client', + domain => 'example.com', + domain_join_principal => 'admin', + domain_join_password => 'rspecrspec123', + ipa_master_fqdn => 'master.example.com', + configure_ntp => false, # chronyd usually fails under gha +} diff --git a/examples/master.pp b/examples/master.pp index 2c3efab7..85fd8633 100644 --- a/examples/master.pp +++ b/examples/master.pp @@ -1,13 +1,13 @@ require epel # provides kstart package on el -require cron # easy_ipa needs cron to be installed +require cron # master/replica needs cron to be installed Yumrepo <||> --> class { 'easy_ipa': +-> class { 'ipa': ipa_role => 'master', - domain => 'rspec.example.lan', + domain => 'example.com', admin_password => 'rspecrspec123', directory_services_password => 'rspecrspec123', idstart => 70000, configure_dns_server => false, - configure_ntp => false, + configure_ntp => false, # chronyd usually fails under gha } diff --git a/examples/replica.pp b/examples/replica.pp new file mode 100644 index 00000000..8bb9cc35 --- /dev/null +++ b/examples/replica.pp @@ -0,0 +1,13 @@ +require epel # provides kstart package on el +require cron # master/replica needs cron to be installed + +Yumrepo <||> +-> class { 'ipa': + ipa_role => 'replica', + domain => 'example.com', + ipa_master_fqdn => 'master.example.com', + admin_password => 'rspecrspec123', + configure_dns_server => false, + configure_ntp => false, + configure_replica_ca => true, +} diff --git a/manifests/backup.pp b/manifests/backup.pp index e8e57356..4f5a8b2f 100644 --- a/manifests/backup.pp +++ b/manifests/backup.pp 
@@ -1,5 +1,5 @@ # -# @summary Define easy_ipa::backup +# @summary Define ipa::backup # # Backup FreeIPA from cron # @@ -23,7 +23,7 @@ # @param email # Email to send cron notifications to. Defaults to $::servermonitor. # -define easy_ipa::backup ( +define ipa::backup ( Enum['full','data'] $type, Variant[Array[String], Array[Integer[0-23]], String, Integer[0-23]] $hour, Variant[Array[String], Array[Integer[0-59]], String, Integer[0-59]] $minute, @@ -38,7 +38,7 @@ ensure_resource('file', $script, { 'ensure' => 'present', 'name' => "/usr/local/bin/${script}", - 'content' => template("easy_ipa/${script}.erb"), + 'content' => template("ipa/${script}.erb"), 'owner' => 'root', 'group' => 'root', 'mode' => '0755', diff --git a/manifests/client.pp b/manifests/client.pp index 07078f15..5889fe0a 100644 --- a/manifests/client.pp +++ b/manifests/client.pp 
@@ -7,44 +7,44 @@ # @param force_join # Force the client to join the domain even if it is already joined. # -class easy_ipa::client ( +class ipa::client ( Array[String] $package_name = undef, Boolean $force_join = false, ) { - unless $easy_ipa::domain_join_password { - fail("When creating a ${easy_ipa::ipa_role} the parameter named domain_join_password cannot be empty.") + unless $ipa::domain_join_password { + fail("When creating a ${ipa::ipa_role} the parameter named domain_join_password cannot be empty.") } - unless $easy_ipa::ipa_master_fqdn { - fail("When creating a ${easy_ipa::ipa_role} the parameter named ipa_master_fqdn cannot be empty.") + unless $ipa::ipa_master_fqdn { + fail("When creating a ${ipa::ipa_role} the parameter named ipa_master_fqdn cannot be empty.") } ensure_packages($package_name) - if $easy_ipa::mkhomedir { + if $ipa::mkhomedir { $client_install_cmd_opts_mkhomedir = '--mkhomedir' } else { $client_install_cmd_opts_mkhomedir = '' } - if $easy_ipa::fixed_primary { + if $ipa::fixed_primary { $client_install_cmd_opts_fixed_primary = '--fixed-primary' } else { $client_install_cmd_opts_fixed_primary = '' } - if $easy_ipa::configure_ntp { + if $ipa::configure_ntp { $client_install_cmd_opts_no_ntp = '' } else { $client_install_cmd_opts_no_ntp = '--no-ntp' } - if $easy_ipa::enable_dns_updates { + if $ipa::enable_dns_updates { $client_install_cmd_opts_dns_updates = '--enable-dns-updates' } else { $client_install_cmd_opts_dns_updates = '' } - if $easy_ipa::enable_hostname { + if $ipa::enable_hostname { $client_install_cmd_opts_hostname = "--hostname=${fact('networking.fqdn')}" } else { $client_install_cmd_opts_hostname = '' 
@@ -58,10 +58,10 @@ $client_install_cmd = "\ /usr/sbin/ipa-client-install \ - --server=${easy_ipa::ipa_master_fqdn} \ - --realm=${easy_ipa::final_realm} \ - --domain=${easy_ipa::domain} \ - --principal='${easy_ipa::domain_join_principal}' \ + --server=${ipa::ipa_master_fqdn} \ + --realm=${ipa::final_realm} \ + --domain=${ipa::domain} \ + --principal='${ipa::domain_join_principal}' \ --password=\"\${IPA_DOMAIN_JOIN_PASSWORD}\" \ ${client_install_cmd_opts_dns_updates} \ ${client_install_cmd_opts_hostname} \ @@ -69,22 +69,22 @@ ${client_install_cmd_opts_fixed_primary} \ ${client_install_cmd_opts_no_ntp} \ ${client_install_cmd_opts_force_join} \ - ${easy_ipa::opt_no_ssh} \ - ${easy_ipa::opt_no_sshd} \ + ${ipa::opt_no_ssh} \ + ${ipa::opt_no_sshd} \ --unattended" exec { 'ipa-client-install': - environment => "IPA_DOMAIN_JOIN_PASSWORD=${easy_ipa::domain_join_password}", + environment => "IPA_DOMAIN_JOIN_PASSWORD=${ipa::domain_join_password}", command => $client_install_cmd, timeout => 0, - unless => "cat /etc/ipa/default.conf | grep -i \"${easy_ipa::domain}\"", + unless => "cat /etc/ipa/default.conf | grep -i \"${ipa::domain}\"", creates => '/etc/ipa/default.conf', logoutput => on_failure, provider => shell, require => Package[$package_name], } - if fact('os.family') == 'Debian' and $easy_ipa::mkhomedir { - contain easy_ipa::client::debian + if fact('os.family') == 'Debian' and $ipa::mkhomedir { + contain ipa::client::debian } } diff --git a/manifests/client/debian.pp b/manifests/client/debian.pp index dd795551..787c8224 100644 --- a/manifests/client/debian.pp +++ b/manifests/client/debian.pp @@ -5,7 +5,7 @@ # not configure PAM even though it does install the required packages. # # @api private -class easy_ipa::client::debian { +class ipa::client::debian { assert_private() # Ensure that required packages are present even if they do not get pulled diff --git a/manifests/init.pp b/manifests/init.pp index b3870b91..ab1875a8 100644 --- a/manifests/init.pp 
+++ b/manifests/init.pp @@ -97,7 +97,7 @@ # TODO: Variable scope and passing. # TODO: configurable admin username. # -class easy_ipa ( +class ipa ( Stdlib::Fqdn $domain, Enum['client', 'master', 'replica'] $ipa_role, Optional[String[8]] $admin_password = undef, @@ -126,7 +126,7 @@ Optional[Stdlib::Fqdn] $realm = undef, Boolean $adjust_login_defs = false, ) { - if $easy_ipa::idmax and $easy_ipa::idmax < $easy_ipa::idstart { + if $ipa::idmax and $ipa::idmax < $ipa::idstart { fail('Parameter "idmax" must be an integer greater than parameter "idstart".') } @@ -151,9 +151,9 @@ default => '--no-sshd', } - if $easy_ipa::adjust_login_defs { - $uid_max_value = $easy_ipa::idstart -1 - $gid_max_value = $easy_ipa::idstart -1 + if $ipa::adjust_login_defs { + $uid_max_value = $ipa::idstart -1 + $gid_max_value = $ipa::idstart -1 file_line { default: @@ -171,9 +171,9 @@ } } - if $easy_ipa::ipa_role == 'master' or $easy_ipa::ipa_role == 'replica' { - contain 'easy_ipa::server' - } elsif $easy_ipa::ipa_role == 'client' { - contain 'easy_ipa::client' + if $ipa::ipa_role == 'master' or $ipa::ipa_role == 'replica' { + contain 'ipa::server' + } elsif $ipa::ipa_role == 'client' { + contain 'ipa::client' } } diff --git a/manifests/packetfilter/server.pp b/manifests/packetfilter/server.pp index c8e8c488..d63a0037 100644 --- a/manifests/packetfilter/server.pp +++ b/manifests/packetfilter/server.pp @@ -7,7 +7,7 @@ # @param allow_address_ipv6 # IPv6 address to allow access from. # -class easy_ipa::packetfilter::server ( +class ipa::packetfilter::server ( Variant[Stdlib::IP::Address::V4,Array[Stdlib::IP::Address::V4]] $allow_address_ipv4 = '127.0.0.1', Variant[Stdlib::IP::Address::V6,Array[Stdlib::IP::Address::V6]] $allow_address_ipv6 = '::1' ) { diff --git a/manifests/server.pp b/manifests/server.pp index ccbeda68..f801a84a 100644 --- a/manifests/server.pp +++ b/manifests/server.pp 
@@ -4,20 +4,20 @@ # @param package_name # The name of the package(s) to install. # -class easy_ipa::server ( +class ipa::server ( Array[String] $package_name = undef, ) { - if $easy_ipa::ipa_role != 'master' { # if replica or client - unless $easy_ipa::ipa_master_fqdn { - fail("When creating a ${easy_ipa::ipa_role} the parameter named ipa_master_fqdn cannot be empty.") + if $ipa::ipa_role != 'master' { # if replica or client + unless $ipa::ipa_master_fqdn { + fail("When creating a ${ipa::ipa_role} the parameter named ipa_master_fqdn cannot be empty.") } - unless $easy_ipa::admin_password { - fail("When creating a ${easy_ipa::ipa_role} the parameter named admin_password cannot be empty.") + unless $ipa::admin_password { + fail("When creating a ${ipa::ipa_role} the parameter named admin_password cannot be empty.") } } if fact('os.family') == 'RedHat' { - require easy_ipa::server::redhat + require ipa::server::redhat } ensure_packages($package_name) 
@@ -27,64 +27,64 @@ 'bind-dyndb-ldap', ] - if $easy_ipa::final_configure_dns_server { + if $ipa::final_configure_dns_server { ensure_packages($dns_packages) } - $server_install_cmd_opts_idstart = "--idstart=${easy_ipa::idstart}" + $server_install_cmd_opts_idstart = "--idstart=${ipa::idstart}" - $server_install_cmd_opts_idmax = $easy_ipa::idmax ? { + $server_install_cmd_opts_idmax = $ipa::idmax ? { undef => '', - default => "--idmax=${easy_ipa::idmax}" + default => "--idmax=${ipa::idmax}" } - if $easy_ipa::allow_zone_overlap { + if $ipa::allow_zone_overlap { $server_install_cmd_opts_zone_overlap = '--allow-zone-overlap' } else { $server_install_cmd_opts_zone_overlap = '' } - if $easy_ipa::no_dnssec_validation { + if $ipa::no_dnssec_validation { $server_install_cmd_opts_dnssec_validation = '--no-dnssec-validation' } else { $server_install_cmd_opts_dnssec_validation = '' } - if $easy_ipa::enable_hostname { - $server_install_cmd_opts_hostname = "--hostname=${easy_ipa::ipa_server_fqdn}" + if $ipa::enable_hostname { + $server_install_cmd_opts_hostname = "--hostname=${ipa::ipa_server_fqdn}" } else { $server_install_cmd_opts_hostname = '' } - if $easy_ipa::enable_ip_address { - $server_install_cmd_opts_ip_address = "--ip-address ${easy_ipa::ip_address}" + if $ipa::enable_ip_address { + $server_install_cmd_opts_ip_address = "--ip-address ${ipa::ip_address}" } else { $server_install_cmd_opts_ip_address = '' } - if $easy_ipa::final_configure_dns_server { + if $ipa::final_configure_dns_server { $server_install_cmd_opts_setup_dns = '--setup-dns' } else { $server_install_cmd_opts_setup_dns = '' } - if $easy_ipa::configure_replica_ca { + if $ipa::configure_replica_ca { $server_install_cmd_opts_setup_ca = '--setup-ca' } else { $server_install_cmd_opts_setup_ca = '' } - if $easy_ipa::configure_ntp { + if $ipa::configure_ntp { $server_install_cmd_opts_no_ntp = '' } else { $server_install_cmd_opts_no_ntp = '--no-ntp' } - if $easy_ipa::final_configure_dns_server { - if 
size($easy_ipa::custom_dns_forwarders) > 0 { + if $ipa::final_configure_dns_server { + if size($ipa::custom_dns_forwarders) > 0 { $server_install_cmd_opts_forwarders = join( prefix( - $easy_ipa::custom_dns_forwarders, + $ipa::custom_dns_forwarders, '--forwarder '), ' ' ) @@ -97,31 +97,31 @@ $server_install_cmd_opts_forwarders = '' } - if $easy_ipa::no_ui_redirect { + if $ipa::no_ui_redirect { $server_install_cmd_opts_no_ui_redirect = '--no-ui-redirect' } else { $server_install_cmd_opts_no_ui_redirect = '' } - if $easy_ipa::mkhomedir { + if $ipa::mkhomedir { $server_install_cmd_opts_mkhomedir = '--mkhomedir' } else { $server_install_cmd_opts_mkhomedir = '' } - if $easy_ipa::ipa_role == 'master' { - contain 'easy_ipa::server::master' + if $ipa::ipa_role == 'master' { + contain 'ipa::server::master' - Class['easy_ipa::server::master'] + Class['ipa::server::master'] -> Service['ipa'] - } elsif $easy_ipa::ipa_role == 'replica' { - contain 'easy_ipa::server::replica' + } elsif $ipa::ipa_role == 'replica' { + contain 'ipa::server::replica' - Class['easy_ipa::server::replica'] + Class['ipa::server::replica'] -> Service['ipa'] } - include easy_ipa::server::flushcache + include ipa::server::flushcache service { 'ipa': ensure => running, diff --git a/manifests/server/flushcache.pp b/manifests/server/flushcache.pp index 34638942..8d6807ce 100644 --- a/manifests/server/flushcache.pp +++ b/manifests/server/flushcache.pp @@ -2,7 +2,7 @@ # @summary Manage cache flushing # # @api private -class easy_ipa::server::flushcache { +class ipa::server::flushcache { assert_private() #TODO: nscd should be called on both platforms. @@ -23,7 +23,7 @@ /usr/bin/find /var/lib/sss/db -type f -exec rm -f \"{}\" ; ; \ fi" } else { - fail('The class easy_ipa::flushcache is only written for RedHat and Debian.') + fail('The class ipa::flushcache is only written for RedHat and Debian.') } exec { 'ipa_flushcache': 
diff --git a/manifests/server/master.pp b/manifests/server/master.pp
index 19ba0b34..7d8351bf 100644
--- a/manifests/server/master.pp
+++ b/manifests/server/master.pp
@@ -1,39 +1,39 @@ # # @summary Manage primary server # -class easy_ipa::server::master { +class ipa::server::master { $server_install_cmd = "\ /usr/sbin/ipa-server-install \ - ${easy_ipa::server::server_install_cmd_opts_hostname} \ - --realm=${easy_ipa::final_realm} \ - --domain=${easy_ipa::domain} \ + ${ipa::server::server_install_cmd_opts_hostname} \ + --realm=${ipa::final_realm} \ + --domain=${ipa::domain} \ --admin-password=\"\${IPA_ADMIN_PASSWORD}\" \ --ds-password=\"\${IPA_DS_PASSWORD}\" \ - ${easy_ipa::server::server_install_cmd_opts_zone_overlap} \ - ${easy_ipa::server::server_install_cmd_opts_dnssec_validation} \ - ${easy_ipa::server::server_install_cmd_opts_setup_dns} \ - ${easy_ipa::server::server_install_cmd_opts_forwarders} \ - ${easy_ipa::server::server_install_cmd_opts_ip_address} \ - ${easy_ipa::server::server_install_cmd_opts_no_ntp} \ - ${easy_ipa::server::server_install_cmd_opts_idstart} \ - ${easy_ipa::server::server_install_cmd_opts_idmax} \ - ${easy_ipa::server::server_install_cmd_opts_no_ui_redirect} \ - ${easy_ipa::server::server_install_cmd_opts_mkhomedir} \ - ${easy_ipa::opt_no_ssh} \ - ${easy_ipa::opt_no_sshd} \ + ${ipa::server::server_install_cmd_opts_zone_overlap} \ + ${ipa::server::server_install_cmd_opts_dnssec_validation} \ + ${ipa::server::server_install_cmd_opts_setup_dns} \ + ${ipa::server::server_install_cmd_opts_forwarders} \ + ${ipa::server::server_install_cmd_opts_ip_address} \ + ${ipa::server::server_install_cmd_opts_no_ntp} \ + ${ipa::server::server_install_cmd_opts_idstart} \ + ${ipa::server::server_install_cmd_opts_idmax} \ + ${ipa::server::server_install_cmd_opts_no_ui_redirect} \ + ${ipa::server::server_install_cmd_opts_mkhomedir} \ + ${ipa::opt_no_ssh} \ + ${ipa::opt_no_sshd} \ --unattended" exec { 'ipa-server-install': environment => [ - "IPA_ADMIN_PASSWORD=${easy_ipa::admin_password}", - "IPA_DS_PASSWORD=${easy_ipa::directory_services_password}", + "IPA_ADMIN_PASSWORD=${ipa::admin_password}", + 
"IPA_DS_PASSWORD=${ipa::directory_services_password}", ], command => $server_install_cmd, timeout => 0, unless => '/usr/sbin/ipactl status >/dev/null 2>&1', creates => '/etc/ipa/default.conf', logoutput => on_failure, - notify => Class[easy_ipa::server::flushcache], + notify => Class[ipa::server::flushcache], } -> cron { 'k5start_root': #allows scp to replicas as root command => '/usr/bin/k5start -f /etc/krb5.keytab -U -o root -k /tmp/krb5cc_0 > /dev/null 2>&1', diff --git a/manifests/server/redhat.pp b/manifests/server/redhat.pp index 2836fc6c..2c7e92d6 100644 --- a/manifests/server/redhat.pp +++ b/manifests/server/redhat.pp @@ -1,5 +1,5 @@ # @api private -class easy_ipa::server::redhat { +class ipa::server::redhat { assert_private() if versioncmp(fact('os.release.major'), '8') == 0 { diff --git a/manifests/server/replica.pp b/manifests/server/replica.pp index fc0740d9..93b76ce5 100644 --- a/manifests/server/replica.pp +++ b/manifests/server/replica.pp 
@@ -1,36 +1,36 @@ # # @summary Manage replica install # -class easy_ipa::server::replica { +class ipa::server::replica { $replica_install_cmd = "\ /usr/sbin/ipa-replica-install \ - --principal=${easy_ipa::domain_join_principal} \ + --principal=${ipa::domain_join_principal} \ --admin-password=\"\${IPA_ADMIN_PASSWORD}\" \ - ${easy_ipa::server::server_install_cmd_opts_hostname} \ - --realm=${easy_ipa::final_realm} \ - --domain=${easy_ipa::domain} \ - --server=${easy_ipa::ipa_master_fqdn} \ - ${easy_ipa::server::server_install_cmd_opts_zone_overlap} \ - ${easy_ipa::server::server_install_cmd_opts_dnssec_validation} \ - ${easy_ipa::server::server_install_cmd_opts_setup_dns} \ - ${easy_ipa::server::server_install_cmd_opts_setup_ca} \ - ${easy_ipa::server::server_install_cmd_opts_forwarders} \ - ${easy_ipa::server::server_install_cmd_opts_ip_address} \ - ${easy_ipa::server::server_install_cmd_opts_no_ntp} \ - ${easy_ipa::server::server_install_cmd_opts_no_ui_redirect} \ - ${easy_ipa::server::server_install_cmd_opts_mkhomedir} \ - ${easy_ipa::opt_no_ssh} \ - ${easy_ipa::opt_no_sshd} \ + ${ipa::server::server_install_cmd_opts_hostname} \ + --realm=${ipa::final_realm} \ + --domain=${ipa::domain} \ + --server=${ipa::ipa_master_fqdn} \ + ${ipa::server::server_install_cmd_opts_zone_overlap} \ + ${ipa::server::server_install_cmd_opts_dnssec_validation} \ + ${ipa::server::server_install_cmd_opts_setup_dns} \ + ${ipa::server::server_install_cmd_opts_setup_ca} \ + ${ipa::server::server_install_cmd_opts_forwarders} \ + ${ipa::server::server_install_cmd_opts_ip_address} \ + ${ipa::server::server_install_cmd_opts_no_ntp} \ + ${ipa::server::server_install_cmd_opts_no_ui_redirect} \ + ${ipa::server::server_install_cmd_opts_mkhomedir} \ + ${ipa::opt_no_ssh} \ + ${ipa::opt_no_sshd} \ --unattended" exec { 'ipa-replica-install': - environment => "IPA_ADMIN_PASSWORD=${easy_ipa::admin_password}", + environment => "IPA_ADMIN_PASSWORD=${ipa::admin_password}", command => $replica_install_cmd, 
timeout => 0, unless => '/usr/sbin/ipactl status >/dev/null 2>&1', creates => '/etc/ipa/default.conf', logoutput => on_failure, - notify => Class[easy_ipa::server::flushcache], + notify => Class[ipa::server::flushcache], } -> cron { 'k5start_root': command => '/usr/bin/k5start -f /etc/krb5.keytab -U -o root -k /tmp/krb5cc_0 > /dev/null 2>&1', diff --git a/metadata.json b/metadata.json index 97ba4e4b..a4e87983 100644 --- a/metadata.json +++ b/metadata.json @@ -1,5 +1,5 @@ { - "name": "puppetfinland-easy_ipa", + "name": "puppetfinland-ipa", "version": "3.1.1", "author": "Puppet-Finland team", "summary": "Manages IPA servers and clients.", @@ -76,8 +76,6 @@ ], "tags": [ "ipa", - "easyipa", - "easy ipa", "freeipa", "free ipa" ] diff --git a/plans/update_host_keys.pp b/plans/update_host_keys.pp index da8ab1ed..2c94ffa9 100644 --- a/plans/update_host_keys.pp +++ b/plans/update_host_keys.pp @@ -1,7 +1,7 @@ # # @summary Update host keys for a domain-joined node in FreeIPA to match real host # keys. -# +# # Useful when real keys and keys in IPA device account have gone # out of sync, e.g. due to rebuilding the server from a snapshot. # @@ -23,7 +23,7 @@ # @param noop # If true then only imulate what would be done # -plan easy_ipa::update_host_keys +plan ipa::update_host_keys ( TargetSpec $ipa_clients, TargetSpec $ipa_server, @@ -56,7 +56,7 @@ if $noop { out::message("No-op: would run \"${ipa_host_mod_cmd}\" on IPA server") } else { - # lint:ignore:manifest_whitespace_opening_bracket_before # lint:ignore:140chars + # lint:ignore:manifest_whitespace_opening_bracket_before # lint:ignore:140chars $ipa_host_mod_resultset = run_command($ipa_host_mod_cmd, $ipa_server, '_catch_errors' => true) ['stdout','stderr'].each |$output| { # lint:endignore out::message($ipa_host_mod_resultset.first.value[$output]) diff --git a/spec/classes/ipa_spec.rb b/spec/classes/ipa_spec.rb index 77d71cd2..3f436b54 100644 --- a/spec/classes/ipa_spec.rb +++ b/spec/classes/ipa_spec.rb 
@@ -2,7 +2,7 @@ require 'spec_helper' -describe 'easy_ipa', type: :class do +describe 'ipa', type: :class do on_supported_os.each do |os, facts| context "on #{os}" do let(:facts) do @@ -41,11 +41,11 @@ end context 'with defaults' do - it { is_expected.to contain_class('easy_ipa::server') } - it { is_expected.to contain_class('easy_ipa::server::master') } + it { is_expected.to contain_class('ipa::server') } + it { is_expected.to contain_class('ipa::server::master') } - it { is_expected.not_to contain_class('easy_ipa::server::replica') } - it { is_expected.not_to contain_class('easy_ipa::client') } + it { is_expected.not_to contain_class('ipa::server::replica') } + it { is_expected.not_to contain_class('ipa::client') } it { is_expected.to contain_package('ipa-server-dns') } it { is_expected.to contain_package('bind-dyndb-ldap') } @@ -212,11 +212,11 @@ end context 'with defaults' do - it { is_expected.to contain_class('easy_ipa::server') } - it { is_expected.to contain_class('easy_ipa::server::replica') } + it { is_expected.to contain_class('ipa::server') } + it { is_expected.to contain_class('ipa::server::replica') } - it { is_expected.not_to contain_class('easy_ipa::server::master') } - it { is_expected.not_to contain_class('easy_ipa::client') } + it { is_expected.not_to contain_class('ipa::server::master') } + it { is_expected.not_to contain_class('ipa::client') } it { is_expected.to contain_package('ipa-server-dns') } it { is_expected.to contain_package('bind-dyndb-ldap') } 
@@ -308,11 +308,11 @@ end
 context 'with defaults' do
- it { is_expected.to contain_class('easy_ipa::client') }
+ it { is_expected.to contain_class('ipa::client') }
- it { is_expected.not_to contain_class('easy_ipa::server') }
- it { is_expected.not_to contain_class('easy_ipa::server::master') }
- it { is_expected.not_to contain_class('easy_ipa::server::replica') }
+ it { is_expected.not_to contain_class('ipa::server') }
+ it { is_expected.not_to contain_class('ipa::server::master') }
+ it { is_expected.not_to contain_class('ipa::server::replica') }
 it { is_expected.to contain_package(client_package).that_comes_before('Exec[ipa-client-install]') }
 it { is_expected.to contain_package('kstart') }
From 955039ab46d14ebf9a720247b63f3cce939cf8cd Mon Sep 17 00:00:00 2001
From: Joshua Hoblitt
Date: Tue, 31 Oct 2023 09:26:14 -0700
Subject: [PATCH 53/78] fix yamllint warnings
---
 .fixtures.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.fixtures.yml b/.fixtures.yml
index 339e58b5..5624411a 100644
--- a/.fixtures.yml
+++ b/.fixtures.yml
@@ -1,3 +1,4 @@
+---
 fixtures:
 forge_modules:
 stdlib:
From 0acef2aa40912fa322e5a54a6590b6c91a7c1a2f Mon Sep 17 00:00:00 2001
From: Joshua Hoblitt
Date: Wed, 1 Nov 2023 09:51:09 -0700
Subject: [PATCH 54/78] use stdlib::ensure_packages(); require stdlib >= 9
Resolves this warning: Warning: This function is deprecated, please use stdlib::ensure_packages instead.
---
 manifests/client.pp | 2 +-
 manifests/server.pp | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/manifests/client.pp b/manifests/client.pp
index 5889fe0a..ab4f9377 100644
--- a/manifests/client.pp
+++ b/manifests/client.pp
@@ -18,7 +18,7 @@ fail("When creating a ${ipa::ipa_role} the parameter named ipa_master_fqdn cannot be empty.")
 }
- ensure_packages($package_name)
+ stdlib::ensure_packages($package_name)
 if $ipa::mkhomedir {
 $client_install_cmd_opts_mkhomedir = '--mkhomedir'
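Review bot: The hunk in manifests/client.pp (and the two in manifests/server.pp that follow) switch to the namespaced `stdlib::ensure_packages`, which only resolves on puppetlabs-stdlib 9.x, yet the diffstat touches no metadata.json; if the `version_requirement` lower bound is not already `>= 9.0.0`, catalog compilation on an older stdlib fails with an unknown-function error instead of the deprecation warning the commit removes. Worth confirming the bound is declared in the same change that introduces the call, so the dependency and its use stay in step. The enclosing `ipa::client` class body starts and ends outside this hunk.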
diff --git a/manifests/server.pp b/manifests/server.pp
index f801a84a..d5a8e9da 100644
--- a/manifests/server.pp
+++ b/manifests/server.pp
@@ -20,7 +20,7 @@ require ipa::server::redhat
 }
- ensure_packages($package_name)
+ stdlib::ensure_packages($package_name)
 $dns_packages = [
 'ipa-server-dns',
@@ -28,7 +28,7 @@ ]
 if $ipa::final_configure_dns_server {
- ensure_packages($dns_packages)
+ stdlib::ensure_packages($dns_packages)
 }
 $server_install_cmd_opts_idstart = "--idstart=${ipa::idstart}"
From 6fa0cdcf43198e97f958d153ff83f944693bc1a7 Mon Sep 17 00:00:00 2001
From: Joshua Hoblitt
Date: Thu, 30 Nov 2023 09:56:34 -0700
Subject: [PATCH 55/78] rm unused templates ipa-rewrite.conf.erb & ipa-webui-proxy.conf.erb
---
 templates/ipa-rewrite.conf.erb | 27 ---------------------------
 templates/ipa-webui-proxy.conf.erb | 17 -----------------
 2 files changed, 44 deletions(-)
 delete mode 100644 templates/ipa-rewrite.conf.erb
 delete mode 100644 templates/ipa-webui-proxy.conf.erb
diff --git a/templates/ipa-rewrite.conf.erb b/templates/ipa-rewrite.conf.erb
deleted file mode 100644
index 8e245858..00000000
--- a/templates/ipa-rewrite.conf.erb
+++ /dev/null
@@ -1,27 +0,0 @@ -# VERSION 6 - DO NOT REMOVE THIS LINE - -# ref: https://www.adelton.com/freeipa/freeipa-behind-proxy-with-different-name - -RewriteEngine on - -# By default forward all requests to /ipa. If you don't want IPA -# to be the default on your web server comment this line out. -RewriteRule ^/$ <%= @proxy_internal_uri %>/ipa/ui [L,NC,R=301] - -# Redirect to the fully-qualified hostname. Not redirecting to secure -# port so configuration files can be retrieved without requiring SSL. -RewriteCond %{HTTP_HOST} !^<%= @proxy_server_internal_fqdn %>$ [NC] -RewriteRule ^/ipa/(.*) <%= @proxy_internal_uri %>/ipa/$1 [L,R=301] - -# Redirect to the secure port if not displaying an error or retrieving -# configuration. - RewriteCond %{SERVER_PORT} !^443$ - RewriteCond %{REQUEST_URI} !^/ipa/(errors|config|crl) - RewriteCond %{REQUEST_URI} !^/ipa/[^\?]+(\.js|\.css|\.png|\.gif|\.ico|\.woff|\.svg|\.ttf|\.eot)$ - RewriteRule ^/ipa/(.*) <%= @proxy_internal_uri %>/ipa/$1 [L,R=301,NC] - -# Rewrite for plugin index, make it like it's a static file -RewriteRule ^/ipa/ui/js/freeipa/plugins.js$ /ipa/wsgi/plugins.py [PT] - -<%= @template_referrer_line %> -RequestHeader edit Referer ^<%= @proxy_referrer_regex %>/ <%= @proxy_internal_uri %>/ diff --git a/templates/ipa-webui-proxy.conf.erb b/templates/ipa-webui-proxy.conf.erb deleted file mode 100644 index 17340a59..00000000 --- a/templates/ipa-webui-proxy.conf.erb +++ /dev/null 
@@ -1,17 +0,0 @@ -> - NSSEngine on - NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha - NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2 - NSSNickname Server-Cert - NSSCertificateDatabase /etc/httpd/alias - - NSSProxyEngine On - NSSProxyCipherSuite +aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha - ProxyRequests Off - ServerName <%= @proxy_server_name %> - - ProxyPass / https://<%= @proxy_server_internal_fqdn %>/ - ProxyPassReverse / https://<%= @proxy_server_internal_fqdn %>/ - ProxyPassReverse / http://<%= @proxy_server_internal_fqdn %>/ - ProxyPassReverseCookieDomain <%= @proxy_server_internal_fqdn %> <%= @proxy_server_external_fqdn %> - From 2b999a489fd946a933a62fa7e9e90e3ceb3514d3 Mon Sep 17 00:00:00 2001 From: Joshua Hoblitt Date: Thu, 30 Nov 2023 09:57:45 -0700 Subject: [PATCH 56/78] rm usage of 'servermonitor' fact Configuration should be passed via class/define params instead of as custom facts. --- REFERENCE.md | 9 --------- manifests/backup.pp | 5 +---- 2 files changed, 1 insertion(+), 13 deletions(-) diff --git a/REFERENCE.md b/REFERENCE.md index 475e2cd1..77844809 100644 --- a/REFERENCE.md +++ b/REFERENCE.md @@ -392,7 +392,6 @@ The following parameters are available in the `ipa::backup` defined type: * [`weekday`](#-ipa--backup--weekday) * [`hour`](#-ipa--backup--hour) * [`minute`](#-ipa--backup--minute) -* [`email`](#-ipa--backup--email) ##### `title` 
@@ -443,14 +442,6 @@ Data type: `Variant[Array[String], Array[Integer[0-59]], String, Integer[0-59]]` Standard parameter for the cron resource -##### `email` - -Data type: `String` - -Email to send cron notifications to. Defaults to $::servermonitor. - -Default value: `fact('servermonitor')` - ## Plans ### `ipa::update_host_keys` diff --git a/manifests/backup.pp b/manifests/backup.pp index 4f5a8b2f..2f3b7aab 100644 --- a/manifests/backup.pp +++ b/manifests/backup.pp @@ -20,8 +20,6 @@ # Standard parameter for the cron resource. # @param minute # Standard parameter for the cron resource -# @param email -# Email to send cron notifications to. Defaults to $::servermonitor. # define ipa::backup ( Enum['full','data'] $type, @@ -29,7 +27,6 @@ Variant[Array[String], Array[Integer[0-59]], String, Integer[0-59]] $minute, Variant[Array[String], Array[Integer[0-7]], String, Integer[0-7]] $weekday = '*', Variant[Array[String], Array[Integer[1-31]], String, Integer[1-31]] $monthday = '*', - String $email = fact('servermonitor'), Boolean $timestamp = true, ) { $script = 'ipa-backup-wrapper.sh' @@ -51,7 +48,7 @@ weekday => $weekday, hour => $hour, minute => $minute, - environment => ['PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin', "MAILTO=${email}"], + environment => ['PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin'], require => File[$script], } } From 437628b39cbd7c3cc36c51eff56ff063e507fa5a Mon Sep 17 00:00:00 2001 From: Joshua Hoblitt Date: Thu, 30 Nov 2023 10:04:04 -0700 Subject: [PATCH 57/78] convert ipa-backup-wrapper.sh.erb template to be regular file This is to allow shellcheck to match the .sh file extension. --- .../ipa-backup-wrapper.sh.erb => files/ipa-backup-wrapper.sh | 0 manifests/backup.pp | 2 +- 2 files changed, 1 insertion(+), 1 deletion(-) rename templates/ipa-backup-wrapper.sh.erb => files/ipa-backup-wrapper.sh (100%) 
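Review bot: With `MAILTO=${email}` gone from the cron `environment` in the `@@ -51,7` hunk, the wrapper's `ERROR: ... failed!` lines (which ipa-backup-wrapper.sh prints to stdout precisely so cron mails them) now go to cron's default recipient for root rather than a configured address, and nothing in the define says so. If that is the intended behaviour, the `@param` block in the `@@ -20,8` hunk should state it, e.g. `# Failures are reported on stdout and delivered by cron's default MAILTO for root.` The README example that still passes `email => 'admin@domain.com'` to `ipa::backup` is not touched by this commit, so it will fail with an unknown-parameter error until it is updated.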
diff --git a/templates/ipa-backup-wrapper.sh.erb b/files/ipa-backup-wrapper.sh similarity index 100% rename from templates/ipa-backup-wrapper.sh.erb rename to files/ipa-backup-wrapper.sh diff --git a/manifests/backup.pp b/manifests/backup.pp index 2f3b7aab..e280dcdd 100644 --- a/manifests/backup.pp +++ b/manifests/backup.pp @@ -35,7 +35,7 @@ ensure_resource('file', $script, { 'ensure' => 'present', 'name' => "/usr/local/bin/${script}", - 'content' => template("ipa/${script}.erb"), + 'content' => file("${module_name}/${script}"), 'owner' => 'root', 'group' => 'root', 'mode' => '0755', From 3c549a44be33be2da1a67f192306aad55a7f602a Mon Sep 17 00:00:00 2001 From: Joshua Hoblitt Date: Thu, 30 Nov 2023 10:05:42 -0700 Subject: [PATCH 58/78] add shellcheck gha workflow --- .github/workflows/shellcheck.yaml | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 .github/workflows/shellcheck.yaml diff --git a/.github/workflows/shellcheck.yaml b/.github/workflows/shellcheck.yaml new file mode 100644 index 00000000..0c345d10 --- /dev/null +++ b/.github/workflows/shellcheck.yaml @@ -0,0 +1,15 @@ +--- +# yamllint disable rule:quoted-strings +name: shellcheck + +"on": + - push + +jobs: + shellcheck: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + + - name: Run ShellCheck + uses: ludeeus/action-shellcheck@master From 1f8403e8aa47484aae92c6835031c88d5e091afe Mon Sep 17 00:00:00 2001 From: Joshua Hoblitt Date: Thu, 30 Nov 2023 10:07:08 -0700 Subject: [PATCH 59/78] fix shellcheck warnings --- files/ipa-backup-wrapper.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/files/ipa-backup-wrapper.sh b/files/ipa-backup-wrapper.sh index c5434b8c..ab760905 100755 --- a/files/ipa-backup-wrapper.sh +++ b/files/ipa-backup-wrapper.sh 
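Review bot: The new workflow pins `ludeeus/action-shellcheck@master`, a mutable branch of a third-party action, so whatever lands on that branch runs inside this repository's job; pin it to a release tag or, better, a full commit SHA with the version in a trailing comment (`uses: ludeeus/action-shellcheck@<commit-sha> # <release-tag>`) and let Dependabot bump it. `actions/checkout@v2` is a deprecated major of that action and should move to a current one at the same time. The job also declares no `permissions:` block, so it runs with the repository's default token scope; the CI workflow later in this series adds `permissions:` / `contents: read`, and the same two lines belong here.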
@@ -1,10 +1,10 @@ #!/bin/sh # -# Script to work around the fact that ipa-backup always adds timestamps to the +# Script to work around the fact that ipa-backup always adds timestamps to the # backups. This is not intended to be used standalone, but from Puppet-managed # cronjobs. # -# NOTE: this script will destroy old timestamped backup directories if timestamp +# NOTE: this script will destroy old timestamped backup directories if timestamp # is set to false. TYPE=$1 @@ -24,7 +24,7 @@ else fi if [ "$TIMESTAMP" = "true" ]; then - # ipa-backup outputs only to stderr so we can't simply redirect to /dev/null + # ipa-backup outputs only to stderr so we can't simply redirect to /dev/null # and expect cron to email us about errors. $BACKUP_COMMAND 2> /dev/null || echo "ERROR: $BACKUP_COMMAND failed!" @@ -36,7 +36,7 @@ elif [ "$TIMESTAMP" = "false" ]; then $BACKUP_COMMAND 2> /dev/null || echo "ERROR: $BACKUP_COMMAND failed!" # Get rid of the timestamp - find $BASEDIR -mindepth 1 -maxdepth 1 -type d -name "ipa-${TYPE}*" -exec mv {} $BASEDIR/ipa-$TYPE \; + find "$BASEDIR" -mindepth 1 -maxdepth 1 -type d -name "ipa-${TYPE}*" -exec mv {} "${BASEDIR}/ipa-${TYPE}" \; else echo "ERROR: $TIMESTAMP is not valid value for timestamp!" exit 1 From ea95f1316c2a3a513811d1c16b79c6a1cd49ed4b Mon Sep 17 00:00:00 2001 From: Joshua Hoblitt Date: Mon, 1 Apr 2024 12:00:21 -0700 Subject: [PATCH 60/78] allow password params to be Sensitive --- REFERENCE.md | 8 +++--- manifests/client.pp | 4 +-- manifests/init.pp | 50 ++++++++++++++++++------------------- manifests/server/master.pp | 4 +-- manifests/server/replica.pp | 4 +-- spec/classes/ipa_spec.rb | 8 +++--- 6 files changed, 39 insertions(+), 39 deletions(-) diff --git a/REFERENCE.md b/REFERENCE.md index 77844809..429b9705 100644 --- a/REFERENCE.md +++ b/REFERENCE.md 
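Review bot: The `@@ -36,7` hunk quotes `$BASEDIR` in the `mv` invocation but leaves the earlier `find $BASEDIR -mindepth 1 ... -exec rm -rf {} \;` (a few lines above this hunk, outside it) unquoted, so the same SC2086 class of warning is only half fixed, and on the destructive `rm -rf` call at that. Quoting it the same way, `find "$BASEDIR" -mindepth 1 -maxdepth 1 -type d -name "ipa-${TYPE}*" -exec rm -rf {} \;`, keeps the two calls consistent; BASEDIR is a fixed path in this script, so this is consistency rather than a live bug. `$BACKUP_COMMAND` is expanded unquoted on purpose (it carries `--online --data`), and a `# shellcheck disable=SC2086` comment on those two lines would record that the word splitting is intentional rather than leaving it for the next shellcheck run to flag again.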
@@ -86,7 +86,7 @@ Data type: `Enum['client', 'master', 'replica']` ##### `admin_password` -Data type: `Optional[String[8]]` +Data type: `Optional[Variant[Sensitive[String[8]],String[8]]]` (string) Password which will be assigned to the IPA account named 'admin'. @@ -94,7 +94,7 @@ Default value: `undef` ##### `directory_services_password` -Data type: `Optional[String[8]]` +Data type: `Optional[Variant[Sensitive[String[8]],String[8]]]` (string) Password which will be passed into the ipa setup's parameter named "--ds-password". @@ -174,7 +174,7 @@ Default value: `[]` ##### `domain_join_principal` -Data type: `String[1]` +Data type: `Variant[Sensitive[String[1]],String[1]]` (string) The principal (usually username) used to join a client or replica to the IPA domain. @@ -182,7 +182,7 @@ Default value: `'admin'` ##### `domain_join_password` -Data type: `Optional[String[1]]` +Data type: `Optional[Variant[Sensitive[String[1]],String[1]]]` (string) The password for the domain_join_principal. diff --git a/manifests/client.pp b/manifests/client.pp index ab4f9377..35b0dc90 100644 --- a/manifests/client.pp +++ b/manifests/client.pp @@ -61,7 +61,7 @@ --server=${ipa::ipa_master_fqdn} \ --realm=${ipa::final_realm} \ --domain=${ipa::domain} \ - --principal='${ipa::domain_join_principal}' \ + --principal='${ipa::domain_join_principal.unwrap}' \ --password=\"\${IPA_DOMAIN_JOIN_PASSWORD}\" \ ${client_install_cmd_opts_dns_updates} \ ${client_install_cmd_opts_hostname} \ @@ -74,7 +74,7 @@ --unattended" exec { 'ipa-client-install': - environment => "IPA_DOMAIN_JOIN_PASSWORD=${ipa::domain_join_password}", + environment => "IPA_DOMAIN_JOIN_PASSWORD=${ipa::domain_join_password.unwrap}", command => $client_install_cmd, timeout => 0, unless => "cat /etc/ipa/default.conf | grep -i \"${ipa::domain}\"", diff --git a/manifests/init.pp b/manifests/init.pp index ab1875a8..e6b5e97a 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
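Review bot: `.unwrap` on `domain_join_password` in the `@@ -74,7` hunk turns the Sensitive value back into a plain string inside the catalog, so the password sits unredacted in the compiled catalog and in any report or debug output of the `exec`'s `environment` parameter; the Sensitive wrapper only protects it while it is a class parameter. If the Puppet versions in metadata.json accept Sensitive for `exec`'s `environment` (recent versions appear to; confirm against the exec type reference), pass `ipa::domain_join_password` through without `.unwrap` and let the resource redact it. The same pattern appears in `manifests/server/master.pp` (`@@ -25,8`) and `manifests/server/replica.pp` (`@@ -24,7`). Unwrapping `domain_join_principal` into the `--principal='...'` command string (the `@@ -61,7` hunk here and replica's `@@ -4,7`) likewise defeats the new Sensitive type on that parameter, since the full command is typically echoed in the error when the exec fails.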
@@ -100,31 +100,31 @@ class ipa ( Stdlib::Fqdn $domain, Enum['client', 'master', 'replica'] $ipa_role, - Optional[String[8]] $admin_password = undef, - Optional[String[8]] $directory_services_password = undef, - Boolean $allow_zone_overlap = false, - Boolean $no_dnssec_validation = false, - Boolean $configure_dns_server = true, - Boolean $configure_replica_ca = false, - Boolean $configure_ntp = true, - Boolean $configure_ssh = true, - Boolean $configure_sshd = true, - Array[String] $custom_dns_forwarders = [], - String[1] $domain_join_principal = 'admin', - Optional[String[1]] $domain_join_password = $directory_services_password, - Boolean $enable_dns_updates = false, - Boolean $enable_hostname = true, - Boolean $enable_ip_address = false, - Boolean $fixed_primary = false, - Integer[10000] $idstart = (fqdn_rand('10737') + 10000), - Variant[Integer,Undef] $idmax = undef, - Optional[Stdlib::IP::Address] $ip_address = undef, - String $ipa_server_fqdn = fact('networking.fqdn'), - Optional[Stdlib::Fqdn] $ipa_master_fqdn = undef, - Boolean $mkhomedir = true, - Boolean $no_ui_redirect = false, - Optional[Stdlib::Fqdn] $realm = undef, - Boolean $adjust_login_defs = false, + Optional[Variant[Sensitive[String[8]],String[8]]] $admin_password = undef, + Optional[Variant[Sensitive[String[8]],String[8]]] $directory_services_password = undef, + Boolean $allow_zone_overlap = false, + Boolean $no_dnssec_validation = false, + Boolean $configure_dns_server = true, + Boolean $configure_replica_ca = false, + Boolean $configure_ntp = true, + Boolean $configure_ssh = true, + Boolean $configure_sshd = true, + Array[String] $custom_dns_forwarders = [], + Variant[Sensitive[String[1]],String[1]] $domain_join_principal = 'admin', + Optional[Variant[Sensitive[String[1]],String[1]]] $domain_join_password = $directory_services_password, + Boolean $enable_dns_updates = false, + Boolean $enable_hostname = true, + Boolean $enable_ip_address = false, + Boolean $fixed_primary = false, + 
Integer[10000] $idstart = (fqdn_rand('10737') + 10000), + Variant[Integer,Undef] $idmax = undef, + Optional[Stdlib::IP::Address] $ip_address = undef, + String $ipa_server_fqdn = fact('networking.fqdn'), + Optional[Stdlib::Fqdn] $ipa_master_fqdn = undef, + Boolean $mkhomedir = true, + Boolean $no_ui_redirect = false, + Optional[Stdlib::Fqdn] $realm = undef, + Boolean $adjust_login_defs = false, ) { if $ipa::idmax and $ipa::idmax < $ipa::idstart { fail('Parameter "idmax" must be an integer greater than parameter "idstart".') diff --git a/manifests/server/master.pp b/manifests/server/master.pp index 7d8351bf..949f4e8f 100644 --- a/manifests/server/master.pp +++ b/manifests/server/master.pp @@ -25,8 +25,8 @@ exec { 'ipa-server-install': environment => [ - "IPA_ADMIN_PASSWORD=${ipa::admin_password}", - "IPA_DS_PASSWORD=${ipa::directory_services_password}", + "IPA_ADMIN_PASSWORD=${ipa::admin_password.unwrap}", + "IPA_DS_PASSWORD=${ipa::directory_services_password.unwrap}", ], command => $server_install_cmd, timeout => 0, diff --git a/manifests/server/replica.pp b/manifests/server/replica.pp index 93b76ce5..3bdb6114 100644 --- a/manifests/server/replica.pp +++ b/manifests/server/replica.pp @@ -4,7 +4,7 @@ class ipa::server::replica { $replica_install_cmd = "\ /usr/sbin/ipa-replica-install \ - --principal=${ipa::domain_join_principal} \ + --principal=${ipa::domain_join_principal.unwrap} \ --admin-password=\"\${IPA_ADMIN_PASSWORD}\" \ ${ipa::server::server_install_cmd_opts_hostname} \ --realm=${ipa::final_realm} \ @@ -24,7 +24,7 @@ --unattended" exec { 'ipa-replica-install': - environment => "IPA_ADMIN_PASSWORD=${ipa::admin_password}", + environment => "IPA_ADMIN_PASSWORD=${ipa::admin_password.unwrap}", command => $replica_install_cmd, timeout => 0, unless => '/usr/sbin/ipactl status >/dev/null 2>&1', diff --git a/spec/classes/ipa_spec.rb b/spec/classes/ipa_spec.rb index 3f436b54..1954421c 100644 --- a/spec/classes/ipa_spec.rb +++ b/spec/classes/ipa_spec.rb 
@@ -35,8 +35,8 @@ { ipa_role: 'master', domain: 'rspec.example.lan', - admin_password: 'rspec-admin-password', - directory_services_password: 'rspedc-ds-password', + admin_password: sensitive('rspec-admin-password'), + directory_services_password: sensitive('rspedc-ds-password'), } end @@ -165,7 +165,7 @@ super().merge(admin_password: nil) end - it { is_expected.to raise_error(Puppet::Error, Regexp.new(Regexp.quote('expects a value of type Undef or String[8]'))) } + it { is_expected.to raise_error(Puppet::Error, Regexp.new(Regexp.quote('expects a value of type'))) } end context 'without directory_services_password' do @@ -173,7 +173,7 @@ super().merge(directory_services_password: nil) end - it { is_expected.to raise_error(Puppet::Error, Regexp.new(Regexp.quote('expects a value of type Undef or String[8]'))) } + it { is_expected.to raise_error(Puppet::Error, Regexp.new(Regexp.quote('expects a value of type'))) } end context 'with bad ip_address' do From e3b3c0129da0753c9410cffb68782af4e93b5cfe Mon Sep 17 00:00:00 2001 From: Joshua Hoblitt Date: Mon, 1 Dec 2025 08:53:42 -0700 Subject: [PATCH 61/78] rm ipa::backup -- this functionality was too inflexible --- README.md | 20 -------------- files/ipa-backup-wrapper.sh | 43 ----------------------------- manifests/backup.pp | 54 ------------------------------------- 3 files changed, 117 deletions(-) delete mode 100755 files/ipa-backup-wrapper.sh delete mode 100644 manifests/backup.pp diff --git a/README.md b/README.md index ca221858..41a1b7bf 100644 --- a/README.md +++ b/README.md 
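Review bot: Loosening the expected message from `expects a value of type Undef or String[8]` to just `expects a value of type` in the `@@ -165,7` and `@@ -173,7` hunks makes both contexts pass on any type mismatch anywhere in the catalog, not only the one each context sets up. Puppet's message names the parameter, so the assertion can stay anchored without hard-coding the new Variant spelling, e.g. `Regexp.quote("parameter 'admin_password' expects a value of type")` (and `directory_services_password` in the second). The `@@ -35,8` hunk also switches the fixture passwords to `sensitive(...)`, so the plain `String[8]` side of the new Variant is no longer exercised by this spec; one context with a plain-string password would cover the `.unwrap` path for both forms.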
@@ -47,26 +47,6 @@ class { 'ipa::packetfilter::server': } ``` -Add a backup job to cron: - -```puppet - ipa::backup { 'full': - type => 'full', - timestamp => false, - monthday => 1, - weekday => undef, - hour => 4, - minute => 15, - email => 'admin@domain.com', - } -``` - -Backup type can be 'full' or 'data'. Timestamp is either true (default) or -false. A wrapper script is used as ipa-backup always adds a timestamp to the -backup directory, which makes no sense if an external system (e.g. Bacula) is -handling backup versioning anyways. - - Adding a client: ```puppet diff --git a/files/ipa-backup-wrapper.sh b/files/ipa-backup-wrapper.sh deleted file mode 100755 index ab760905..00000000 --- a/files/ipa-backup-wrapper.sh +++ /dev/null 
@@ -1,43 +0,0 @@ -#!/bin/sh -# -# Script to work around the fact that ipa-backup always adds timestamps to the -# backups. This is not intended to be used standalone, but from Puppet-managed -# cronjobs. -# -# NOTE: this script will destroy old timestamped backup directories if timestamp -# is set to false. - -TYPE=$1 -TIMESTAMP=$2 - -PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin - -BASEDIR="/var/lib/ipa/backup" - -if [ "$TYPE" = "full" ]; then - BACKUP_COMMAND="ipa-backup" -elif [ "$TYPE" = "data" ]; then - BACKUP_COMMAND="ipa-backup --online --data" -else - echo "ERROR: unknown backup type $TYPE" - exit 1 -fi - -if [ "$TIMESTAMP" = "true" ]; then - # ipa-backup outputs only to stderr so we can't simply redirect to /dev/null - # and expect cron to email us about errors. - $BACKUP_COMMAND 2> /dev/null || echo "ERROR: $BACKUP_COMMAND failed!" - -elif [ "$TIMESTAMP" = "false" ]; then - # Remove all old backups - find $BASEDIR -mindepth 1 -maxdepth 1 -type d -name "ipa-${TYPE}*" -exec rm -rf {} \; - - # Take the backup (and report only failures) - $BACKUP_COMMAND 2> /dev/null || echo "ERROR: $BACKUP_COMMAND failed!" - - # Get rid of the timestamp - find "$BASEDIR" -mindepth 1 -maxdepth 1 -type d -name "ipa-${TYPE}*" -exec mv {} "${BASEDIR}/ipa-${TYPE}" \; -else - echo "ERROR: $TIMESTAMP is not valid value for timestamp!" - exit 1 -fi diff --git a/manifests/backup.pp b/manifests/backup.pp deleted file mode 100644 index e280dcdd..00000000 --- a/manifests/backup.pp +++ /dev/null 
@@ -1,54 +0,0 @@ -# -# @summary Define ipa::backup -# -# Backup FreeIPA from cron -# -# @param title -# The resource title is used as part of the the name for the cronjob. -# @param type -# Backup type. Either 'full' (offline) or 'data' (online). -# @param timestamp -# Keep the default timestamp in the backup directory. Valid values are true -# (default) and false. Set this to false if you have and external system (e.g. -# bacula) that fetches the backups periodically and handles versioning on its -# own. -# @param monthday -# Standard parameter for the cron resource. -# @param weekday -# Standard parameter for the cron resource. -# @param hour -# Standard parameter for the cron resource. -# @param minute -# Standard parameter for the cron resource -# -define ipa::backup ( - Enum['full','data'] $type, - Variant[Array[String], Array[Integer[0-23]], String, Integer[0-23]] $hour, - Variant[Array[String], Array[Integer[0-59]], String, Integer[0-59]] $minute, - Variant[Array[String], Array[Integer[0-7]], String, Integer[0-7]] $weekday = '*', - Variant[Array[String], Array[Integer[1-31]], String, Integer[1-31]] $monthday = '*', - Boolean $timestamp = true, -) { - $script = 'ipa-backup-wrapper.sh' - $command = "${script} ${type} ${timestamp}" - - ensure_resource('file', $script, { - 'ensure' => 'present', - 'name' => "/usr/local/bin/${script}", - 'content' => file("${module_name}/${script}"), - 'owner' => 'root', - 'group' => 'root', - 'mode' => '0755', - }) - - cron { "ipa-${title}-backup": - user => 'root', - command => $command, - monthday => $monthday, - weekday => $weekday, - hour => $hour, - minute => $minute, - environment => ['PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin'], - require => File[$script], - } -} From 7c11c9407689e942085b626928727070ab075501 Mon Sep 17 00:00:00 2001 
From: Joshua Hoblitt Date: Mon, 1 Dec 2025 09:03:30 -0700 Subject: [PATCH 62/78] rm ipa::packetfilter::server --- README.md | 9 --- REFERENCE.md | 99 -------------------------------- manifests/packetfilter/server.pp | 62 -------------------- 3 files changed, 170 deletions(-) delete mode 100644 manifests/packetfilter/server.pp diff --git a/README.md b/README.md index 41a1b7bf..8e6c76c7 100644 --- a/README.md +++ b/README.md @@ -38,15 +38,6 @@ class { 'ipa': } ``` -Add iptables/ip6tables allow rules: - -```puppet -class { 'ipa::packetfilter::server': - allow_address_ipv4 => '10.0.0.0/8', - allow_address_ipv6 => '::1', -} -``` - Adding a client: ```puppet diff --git a/REFERENCE.md b/REFERENCE.md index 429b9705..66c52445 100644 --- a/REFERENCE.md +++ b/REFERENCE.md @@ -10,7 +10,6 @@ * [`ipa`](#ipa): Manages IPA masters, replicas and clients. * [`ipa::client`](#ipa--client): Manage ipa client -* [`ipa::packetfilter::server`](#ipa--packetfilter--server): Install packet filtering rules for FreeIPA. * [`ipa::server`](#ipa--server): Manage IPA server install * [`ipa::server::master`](#ipa--server--master): Manage primary server * [`ipa::server::replica`](#ipa--server--replica): Manage replica install @@ -21,10 +20,6 @@ * `ipa::server::flushcache`: Manage cache flushing * `ipa::server::redhat` -### Defined types - -* [`ipa::backup`](#ipa--backup): Define ipa::backup - ### Plans * [`ipa::update_host_keys`](#ipa--update_host_keys): Update host keys for a domain-joined node in FreeIPA to match real host 
@@ -322,33 +317,6 @@ Force the client to join the domain even if it is already joined. Default value: `false` -### `ipa::packetfilter::server` - -Install packet filtering rules for FreeIPA. - -#### Parameters - -The following parameters are available in the `ipa::packetfilter::server` class: - -* [`allow_address_ipv4`](#-ipa--packetfilter--server--allow_address_ipv4) -* [`allow_address_ipv6`](#-ipa--packetfilter--server--allow_address_ipv6) - -##### `allow_address_ipv4` - -Data type: `Variant[Stdlib::IP::Address::V4,Array[Stdlib::IP::Address::V4]]` - -IPv4 address to allow access from. - -Default value: `'127.0.0.1'` - -##### `allow_address_ipv6` - -Data type: `Variant[Stdlib::IP::Address::V6,Array[Stdlib::IP::Address::V6]]` - -IPv6 address to allow access from. - -Default value: `'::1'` - ### `ipa::server` Manage IPA server install 
@@ -375,73 +343,6 @@ Manage primary server Manage replica install -## Defined types - -### `ipa::backup` - -Backup FreeIPA from cron - -#### Parameters - -The following parameters are available in the `ipa::backup` defined type: - -* [`title`](#-ipa--backup--title) -* [`type`](#-ipa--backup--type) -* [`timestamp`](#-ipa--backup--timestamp) -* [`monthday`](#-ipa--backup--monthday) -* [`weekday`](#-ipa--backup--weekday) -* [`hour`](#-ipa--backup--hour) -* [`minute`](#-ipa--backup--minute) - -##### `title` - -The resource title is used as part of the the name for the cronjob. - -##### `type` - -Data type: `Enum['full','data']` - -Backup type. Either 'full' (offline) or 'data' (online). - -##### `timestamp` - -Data type: `Boolean` - -Keep the default timestamp in the backup directory. Valid values are true -(default) and false. Set this to false if you have and external system (e.g. -bacula) that fetches the backups periodically and handles versioning on its -own. - -Default value: `true` - -##### `monthday` - -Data type: `Variant[Array[String], Array[Integer[1-31]], String, Integer[1-31]]` - -Standard parameter for the cron resource. - -Default value: `'*'` - -##### `weekday` - -Data type: `Variant[Array[String], Array[Integer[0-7]], String, Integer[0-7]]` - -Standard parameter for the cron resource. - -Default value: `'*'` - -##### `hour` - -Data type: `Variant[Array[String], Array[Integer[0-23]], String, Integer[0-23]]` - -Standard parameter for the cron resource. - -##### `minute` - -Data type: `Variant[Array[String], Array[Integer[0-59]], String, Integer[0-59]]` - -Standard parameter for the cron resource - ## Plans ### `ipa::update_host_keys` diff --git a/manifests/packetfilter/server.pp b/manifests/packetfilter/server.pp deleted file mode 100644 index d63a0037..00000000 --- a/manifests/packetfilter/server.pp +++ /dev/null 
@@ -1,62 +0,0 @@ -# -# @summary Install packet filtering rules for FreeIPA. -# -# @param allow_address_ipv4 -# IPv4 address to allow access from. -# -# @param allow_address_ipv6 -# IPv6 address to allow access from. -# -class ipa::packetfilter::server ( - Variant[Stdlib::IP::Address::V4,Array[Stdlib::IP::Address::V4]] $allow_address_ipv4 = '127.0.0.1', - Variant[Stdlib::IP::Address::V6,Array[Stdlib::IP::Address::V6]] $allow_address_ipv6 = '::1' -) { - # Convert string parameters to arrays - $allow_addresses_ipv4 = any2array($allow_address_ipv4) - $allow_addresses_ipv6 = any2array($allow_address_ipv6) - - # A hash containing the data for packet filtering rules - $services = { 'dns' => { 'tcp' => 53, 'udp' => 53 }, - 'http' => { 'tcp' => 80 }, - 'https' => { 'tcp' => 443 }, - 'kerberos' => { 'tcp' => 88, 'udp' => 88 }, - 'kerberos passwd' => { 'tcp' => 464, 'udp' => 464 }, - 'ldaps' => { 'tcp' => 636 }, - 'ldap' => { 'tcp' => 389 }, - 'ntp' => { 'udp' => 123 }, - 'webcache' => { 'tcp' => 8080 }, - } - - Firewall { - chain => 'INPUT', - action => 'accept', - } - - $services.each |$service| { - $service[1].each |$rule| { - $service_name = $service[0] - $protocol = $rule[0] - $dport = $rule[1] - - $allow_addresses_ipv4.each |$addr_v4| { - @firewall { "008 ipv4 accept ${service_name} ${protocol} ${dport} from ${addr_v4}": - provider => 'iptables', - proto => $protocol, - source => $addr_v4, - dport => $dport, - tag => 'default', - } - } - - $allow_addresses_ipv6.each |$addr_v6| { - @firewall { "008 ipv6 accept ${service_name} ${protocol} ${dport} from ${addr_v6}": - provider => 'ip6tables', - proto => $protocol, - source => $addr_v6, - dport => $dport, - tag => 'default', - } - } - } - } -} From 2d0cadb81fed75517cf98d78adc48664f25f0b26 Mon Sep 17 00:00:00 2001 From: Joshua Hoblitt Date: Mon, 1 Dec 2025 09:40:01 -0700 Subject: [PATCH 63/78] drop support for el7 --- metadata.json | 2 -- spec/support/acceptance/setup.rb | 5 ----- 2 files changed, 7 deletions(-) 
diff --git a/metadata.json b/metadata.json index a4e87983..aefce23f 100644 --- a/metadata.json +++ b/metadata.json @@ -32,14 +32,12 @@ { "operatingsystem": "CentOS", "operatingsystemrelease": [ - "7", "8" ] }, { "operatingsystem": "RedHat", "operatingsystemrelease": [ - "7", "8", "9" ] diff --git a/spec/support/acceptance/setup.rb b/spec/support/acceptance/setup.rb index 3123009c..b01ced5b 100644 --- a/spec/support/acceptance/setup.rb +++ b/spec/support/acceptance/setup.rb @@ -8,9 +8,4 @@ on(host, 'sysctl -w fs.protected_regular=0') install_puppet_module_via_pmt_on(host, 'puppet/cron') install_puppet_module_via_pmt_on(host, 'puppet/epel') - - if fact_on(host, 'os.family') == 'RedHat' && fact_on(host, 'os.release.major') == '7' - # https://cstan.io/?p=12175&lang=en - on(host, 'yum update -y') - end end From 0697fa2bdde8e2baa200a4a2599b908b01a5d214 Mon Sep 17 00:00:00 2001 From: Joshua Hoblitt Date: Mon, 1 Dec 2025 09:40:18 -0700 Subject: [PATCH 64/78] drop support for puppet7 --- metadata.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/metadata.json b/metadata.json index aefce23f..77839d63 100644 --- a/metadata.json +++ b/metadata.json @@ -69,7 +69,7 @@ "requirements": [ { "name": "puppet", - "version_requirement": ">= 7.0.0 < 9.0.0" + "version_requirement": ">= 8.0.0 < 9.0.0" } ], "tags": [ From 66d552853fdaa2e00ecdd339e5ab241338b97037 Mon Sep 17 00:00:00 2001 From: Joshua Hoblitt Date: Mon, 1 Dec 2025 09:40:50 -0700 Subject: [PATCH 65/78] drop support for ubuntu 18.04 --- metadata.json | 1 - 1 file changed, 1 deletion(-) diff --git a/metadata.json b/metadata.json index 77839d63..3139463b 100644 --- a/metadata.json +++ b/metadata.json @@ -59,7 +59,6 @@ { "operatingsystem": "Ubuntu", "operatingsystemrelease": [ - "18.04", "20.04", "22.04", "24.04" From 203b7dabd4b0ada75f803622fb486f7e48cfb83f Mon Sep 17 00:00:00 2001 
From: Joshua Hoblitt Date: Mon, 1 Dec 2025 09:41:03 -0700 Subject: [PATCH 66/78] drop support for ubuntu 20.04 --- metadata.json | 1 - 1 file changed, 1 deletion(-) diff --git a/metadata.json b/metadata.json index 3139463b..617c341e 100644 --- a/metadata.json +++ b/metadata.json @@ -59,7 +59,6 @@ { "operatingsystem": "Ubuntu", "operatingsystemrelease": [ - "20.04", "22.04", "24.04" ] From 6fb4ad80a3b01befdd2c892eab6e581a1222c366 Mon Sep 17 00:00:00 2001 From: Joshua Hoblitt Date: Mon, 1 Dec 2025 10:08:59 -0700 Subject: [PATCH 67/78] drop support for centos 8 - eol --- metadata.json | 6 ------ 1 file changed, 6 deletions(-) diff --git a/metadata.json b/metadata.json index 617c341e..501e3923 100644 --- a/metadata.json +++ b/metadata.json @@ -29,12 +29,6 @@ "9" ] }, - { - "operatingsystem": "CentOS", - "operatingsystemrelease": [ - "8" - ] - }, { "operatingsystem": "RedHat", "operatingsystemrelease": [ From e952a7ded88eb2db59abd880fe2bbb8cc693660b Mon Sep 17 00:00:00 2001 From: Joshua Hoblitt Date: Thu, 26 Oct 2023 14:03:06 -0700 Subject: [PATCH 68/78] enable beaker multihost acceptance testing --- .github/workflows/ci.yml | 15 ++++++++++++--- .sync.yml | 4 ++++ Gemfile | 2 +- examples/client.pp | 2 +- examples/replica.pp | 2 +- spec/acceptance/master_spec.rb | 11 +++++++---- spec/support/acceptance/setup.rb | 4 ---- 7 files changed, 26 insertions(+), 14 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index afe68f82..da7bf9aa 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -4,15 +4,24 @@ name: CI -"on": pull_request +# yamllint disable-line rule:truthy +on: + pull_request: {} + push: + branches: + - main + - master concurrency: group: ${{ github.ref_name }} cancel-in-progress: true +permissions: + contents: read + jobs: puppet: name: Puppet - uses: voxpupuli/gha-puppet/.github/workflows/beaker.yml@v2 + uses: voxpupuli/gha-puppet/.github/workflows/beaker.yml@v4 with: - pidfile_workaround: 'false' + beaker_hosts: master;replica;client diff --git a/.sync.yml b/.sync.yml index a32a02c5..a82d21d1 100644 --- a/.sync.yml +++ b/.sync.yml @@ -20,3 +20,7 @@ spec/spec_helper_acceptance.rb: delete: true .github/workflows/markdownlint.yaml: delete: true + +.github/workflows/ci.yml: + with: + beaker_hosts: master,replica,client diff --git a/Gemfile b/Gemfile index f8aae124..f59e0788 100644 --- a/Gemfile +++ b/Gemfile @@ -7,7 +7,7 @@ group :test do gem 'voxpupuli-test', '~> 7.0', :require => false gem 'coveralls', :require => false gem 'simplecov-console', :require => false - gem 'puppet_metadata', '~> 3.5', :require => false + gem 'puppet_metadata', '~> 5.0', :require => false end group :development do diff --git a/examples/client.pp b/examples/client.pp index 676bc54b..f08d40ee 100644 --- a/examples/client.pp +++ b/examples/client.pp @@ -6,6 +6,6 @@ domain => 'example.com', domain_join_principal => 'admin', domain_join_password => 'rspecrspec123', - ipa_master_fqdn => 'master.example.com', + ipa_master_fqdn => 'master-puppet8.example.com', configure_ntp => false, # chronyd usually fails under gha } diff --git a/examples/replica.pp b/examples/replica.pp index 8bb9cc35..71c8a19b 100644 --- a/examples/replica.pp +++ b/examples/replica.pp @@ -5,7 +5,7 @@ -> class { 'ipa': ipa_role => 'replica', domain => 'example.com', - ipa_master_fqdn => 'master.example.com', + ipa_master_fqdn => 'master-puppet8.example.com', admin_password => 'rspecrspec123', configure_dns_server => false, configure_ntp => false, 
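Review bot: `beaker_hosts` is `master;replica;client` in the ci.yml hunk but `master,replica,client` in the `.sync.yml` hunk on the same line; `.sync.yml` is the modulesync override that regenerates ci.yml, so the next modulesync run silently replaces the value, and only one of the two separators can be the one gha-puppet's `beaker_hosts` input expects. Pick the separator the reusable workflow documents and use it in both files. The added `permissions:` / `contents: read` block is the right default for this job.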
diff --git a/spec/acceptance/master_spec.rb b/spec/acceptance/master_spec.rb index 04909764..e56ccb8c 100644 --- a/spec/acceptance/master_spec.rb +++ b/spec/acceptance/master_spec.rb @@ -4,13 +4,16 @@ # server/replica is only supported on Redhat if fact_on('master', 'os.family') == 'RedHat' - describe 'easy_ipa class' do + describe 'ipa master' do include_examples 'the example', 'master.pp', 'master' end -end -if fact_on('client', 'os.family') == 'RedHat' - describe 'easy_ipa class' do + # replica setup timesout under gha + # describe 'ipa replica' do + # include_examples 'the example', 'replica.pp', 'replica' + # end + + describe 'ipa client' do include_examples 'the example', 'client.pp', 'client' end end diff --git a/spec/support/acceptance/setup.rb b/spec/support/acceptance/setup.rb index b01ced5b..62a67889 100644 --- a/spec/support/acceptance/setup.rb +++ b/spec/support/acceptance/setup.rb @@ -2,10 +2,6 @@ configure_beaker(modules: :metadata) do |host| on(host, 'sysctl -w net.ipv6.conf.lo.disable_ipv6=0') - # disable sticky bit owner enforcement for ipa 4.6/EL7 - # https://bugzilla.redhat.com/show_bug.cgi?id=1677027 - # https://pagure.io/freeipa/c/87496d647706462fa8a10bbea5637104153146b2 - on(host, 'sysctl -w fs.protected_regular=0') install_puppet_module_via_pmt_on(host, 'puppet/cron') install_puppet_module_via_pmt_on(host, 'puppet/epel') end From 4621e30162dc38a0a1f6e5a4ff45bf6db9addbc3 Mon Sep 17 00:00:00 2001 From: Joshua Hoblitt Date: Mon, 1 Dec 2025 12:59:23 -0700 Subject: [PATCH 69/78] tidy README --- README.md | 50 ++++++++++++++++++++++++++------------------------ 1 file changed, 26 insertions(+), 24 deletions(-) diff --git a/README.md b/README.md index 8e6c76c7..35b27eff 100644 --- a/README.md +++ b/README.md 
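Review bot: The replica example is commented out, but `beaker_hosts` in the ci.yml hunk of this same commit still provisions a `replica` host that no example uses, so every CI run pays for an idle node; either drop `replica` from `beaker_hosts` until the timeout is resolved, or extend the comment to track it (`# replica setup times out under gha; host kept in beaker_hosts so the example can be re-enabled`). Moving the client `describe` under `fact_on('master', 'os.family') == 'RedHat'` also gates the client example on the master's OS family rather than the client host's, which is reasonable for a multihost run but worth a line above it, e.g. `# the client example needs the provisioned master, so it shares the master's OS gate`.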
@@ -1,10 +1,12 @@ -# ipa Puppet module -[![Build Status](https://travis-ci.org/Puppet-Finland/puppet-ipa.svg?branch=master)](https://travis-ci.org/Puppet-Finland/puppet-ipa) +# ipa ## Overview -This module will install and configure IPA servers, replicas, and clients. This module was forked from huit-ipa, -and refactored with a focus on simplicity and ease of use. +This module manages [FreeIPA](https://www.freeipa.org/) servers, replicas, and clients. + +This module was forked from [Puppet-Finland/puppet-ipa](https://github.com/Puppet-Finland/puppet-ipa), +which was forked from [jpuskar/puppet-ipa](https://github.com/jpuskar/puppet-ipa), +which was forked from [huit/puppet-ipa](https://github.com/huit/puppet-ipa). ## Usage @@ -12,14 +14,13 @@ and refactored with a focus on simplicity and ease of use. ```puppet class { 'ipa': - ipa_role => 'master', - domain => 'vagrant.example.lan', - ipa_server_fqdn => 'ipa-server-1.vagrant.example.lan', - admin_password => 'vagrant123', - directory_services_password => 'vagrant123', - ip_address => '192.168.56.35', - enable_ip_address => true, - enable_hostname => true, + ipa_role => 'master', + domain => 'example.com', + admin_password => 'rspecrspec123', + directory_services_password => 'rspecrspec123', + idstart => 70000, + configure_dns_server => false, + configure_ntp => false, } ``` @@ -27,14 +28,13 @@ Adding a replica: ```puppet class { 'ipa': - ipa_role => 'replica', - domain => 'vagrant.example.lan', - ipa_server_fqdn => 'ipa-server-2.vagrant.example.lan', - domain_join_password => 'vagrant123', - ip_address => '192.168.56.36', - enable_ip_address => true, - enable_hostname => true, - ipa_master_fqdn => 'ipa-server-1.vagrant.example.lan', + ipa_role => 'replica', + domain => 'example.com', + ipa_master_fqdn => 'master-puppet8.example.com', + admin_password => 'rspecrspec123', + configure_dns_server => false, + configure_ntp => false, + configure_replica_ca => true, } ``` 
@@ -42,9 +42,11 @@ Adding a client: ```puppet class { 'ipa': -ipa_role => 'client', -domain => 'vagrant.example.lan', -domain_join_password => 'vagrant123', -ipa_master_fqdn => 'ipa-server-1.vagrant.example.lan', + ipa_role => 'client', + domain => 'example.com', + domain_join_principal => 'admin', + domain_join_password => 'rspecrspec123', + ipa_master_fqdn => 'master-puppet8.example.com', + configure_ntp => false, } ``` From bde529569019cf2f080f9caeae32672f62d7b819 Mon Sep 17 00:00:00 2001 From: Joshua Hoblitt Date: Mon, 1 Dec 2025 13:05:17 -0700 Subject: [PATCH 70/78] mark ipa::server class as api private --- REFERENCE.md | 20 +------------------- manifests/server.pp | 3 +++ 2 files changed, 4 insertions(+), 19 deletions(-) diff --git a/REFERENCE.md b/REFERENCE.md index 66c52445..3b4648f7 100644 --- a/REFERENCE.md +++ b/REFERENCE.md @@ -10,13 +10,13 @@ * [`ipa`](#ipa): Manages IPA masters, replicas and clients. * [`ipa::client`](#ipa--client): Manage ipa client -* [`ipa::server`](#ipa--server): Manage IPA server install * [`ipa::server::master`](#ipa--server--master): Manage primary server * [`ipa::server::replica`](#ipa--server--replica): Manage replica install #### Private Classes * `ipa::client::debian`: Ensure that home directories get created on Debian and Ubuntu clients. +* `ipa::server`: Manage IPA server install * `ipa::server::flushcache`: Manage cache flushing * `ipa::server::redhat` @@ -317,24 +317,6 @@ Force the client to join the domain even if it is already joined. Default value: `false` -### `ipa::server` - -Manage IPA server install - -#### Parameters - -The following parameters are available in the `ipa::server` class: - -* [`package_name`](#-ipa--server--package_name) - -##### `package_name` - -Data type: `Array[String]` - -The name of the package(s) to install. - -Default value: `undef` - ### `ipa::server::master` Manage primary server diff --git a/manifests/server.pp b/manifests/server.pp index d5a8e9da..80ede9c7 100644 
--- a/manifests/server.pp +++ b/manifests/server.pp @@ -4,9 +4,12 @@ # @param package_name # The name of the package(s) to install. # +# @api private class ipa::server ( Array[String] $package_name = undef, ) { + assert_private() + if $ipa::ipa_role != 'master' { # if replica or client unless $ipa::ipa_master_fqdn { fail("When creating a ${ipa::ipa_role} the parameter named ipa_master_fqdn cannot be empty.") From e1d25061ef0105bf9cdfd83e44aa75819ed10196 Mon Sep 17 00:00:00 2001 From: Joshua Hoblitt Date: Mon, 1 Dec 2025 13:18:03 -0700 Subject: [PATCH 71/78] simplify .fixtures.yml --- .fixtures.yml | 14 +++----------- 1 file changed, 3 insertions(+), 11 deletions(-) diff --git a/.fixtures.yml b/.fixtures.yml index 5624411a..86a9d669 100644 --- a/.fixtures.yml +++ b/.fixtures.yml @@ -1,14 +1,6 @@ --- fixtures: forge_modules: - stdlib: - repo: "puppetlabs/stdlib" - ref: "9.4.1" - cron_core: - repo: "puppetlabs/cron_core" - ref: "1.2.1" - puppet_version: ">= 7.0.0" - k5login_core: - repo: "puppetlabs/k5login_core" - ref: "1.0.2" - puppet_version: ">= 7.0.0" + stdlib: puppetlabs/stdlib + cron_core: puppetlabs/cron_core + k5login_core: puppetlabs/k5login_core From 4cd5cf191aefb8a76b59499ab1b03c9ac6ee7065 Mon Sep 17 00:00:00 2001 From: Joshua Hoblitt Date: Mon, 1 Dec 2025 13:19:28 -0700 Subject: [PATCH 72/78] allow puppetlabs/cron_core 2.x --- metadata.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/metadata.json b/metadata.json index 501e3923..46f48e8e 100644 --- a/metadata.json +++ b/metadata.json @@ -14,7 +14,7 @@ }, { "name": "puppetlabs-cron_core", - "version_requirement": ">=1.0.0 < 2.0.0" + "version_requirement": ">=1.0.0 < 3.0.0" }, { "name": "puppetlabs-k5login_core", From c786c416199d0f19afa5017b19a0f258e98b3551 Mon Sep 17 00:00:00 2001 
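Review bot: Removing the `ref:` pins makes the spec fixtures resolve `puppetlabs/stdlib`, `puppetlabs/cron_core` and `puppetlabs/k5login_core` to whatever the Forge serves at run time, so unit runs stop being reproducible and, as far as I can tell, the short `forge_modules` form does not honour the `< 10.0.0` and `< 3.0.0` upper bounds metadata.json declares, so a future major release of any of them breaks CI with no change in this repository. If tracking the latest release is intended, keep an explicit pin per module and bump it deliberately, e.g. `stdlib: { repo: puppetlabs/stdlib, ref: '9.4.1' }`; otherwise add a one-line comment above `forge_modules:` stating that unpinned fixtures are accepted on purpose and why, so the next reader does not treat it as an oversight.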
From: Joshua Hoblitt
Date: Mon, 1 Dec 2025 16:05:01 -0700
Subject: [PATCH 73/78] rm ipa::update_host_keys plan

This is not necessary; rebuilt nodes should be re-registered with ipa.
---
 plans/update_host_keys.pp | 66 ---------------------------------------
 1 file changed, 66 deletions(-)
 delete mode 100644 plans/update_host_keys.pp

diff --git a/plans/update_host_keys.pp b/plans/update_host_keys.pp
deleted file mode 100644
index 2c94ffa9..00000000
--- a/plans/update_host_keys.pp
+++ /dev/null
@@ -1,66 +0,0 @@ -# -# @summary Update host keys for a domain-joined node in FreeIPA to match real host -# keys. -# -# Useful when real keys and keys in IPA device account have gone -# out of sync, e.g. due to rebuilding the server from a snapshot. -# -# This gets a kerberos ticket from the IPA server first, then gathers -# the SSH keys from IPA clients from their SSH facts, then runs appropriate -# "ipa host-mod" commands for each IPA client on the IPA server. -# -# Note that it is assumed that the IPA client host name is equal to the $::fqdn -# fact. -# -# @param ipa_clients -# One of more IPA clients whose host keys to puload -# @param ipa_server -# A host which has the "ipa" tools installed. Not necessarily an IPA server. -# @param ipa_user -# An IPA user with permission to run "ipa host-mod". -# @param ipa_password -# IPA user's password -# @param noop -# If true then only imulate what would be done -# -plan ipa::update_host_keys -( - TargetSpec $ipa_clients, - TargetSpec $ipa_server, - String $ipa_user, - String $ipa_password, - Boolean $noop = true, -) { - # Part #1: get a kerberos ticket on the IPA server - if $noop { - out::message('No-op: get kerberos ticket on the IPA server') - } else { - out::message('Get kerberos ticket on the IPA server') - $kinit_resultset = run_command("sh -c \'echo ${ipa_password}|kinit -V ${ipa_user} 2>&1\'", $ipa_server, '_catch_errors' => true) - $kinit_stdout = $kinit_resultset.first.value['stdout'] - out::message($kinit_stdout) - } - - # Part 2: collect SSH facts from IPA clients - out::message('Gathering facts from the IPA clients') - run_plan('facts', 'targets' => $ipa_clients) - - get_targets($ipa_clients).each |$ipa_client| { - $ed25519 = $ipa_client.facts['ssh']['ed25519']['key'] - $ecdsa = $ipa_client.facts['ssh']['ecdsa']['key'] - $rsa = $ipa_client.facts['ssh']['rsa']['key'] - $dsa = $ipa_client.facts['ssh']['dsa']['key'] - - $ipa_host_mod_cmd = "ipa host-mod ${ipa_client.facts['fqdn']} --sshpubkey=\"${ed25519}\" 
--sshpubkey=\"${ecdsa}\" --sshpubkey=\"${rsa}\" --sshpubkey=\"${dsa}\" --updatedns" # lint:ignore:140chars - - if $noop { - out::message("No-op: would run \"${ipa_host_mod_cmd}\" on IPA server") - } else { - # lint:ignore:manifest_whitespace_opening_bracket_before # lint:ignore:140chars - $ipa_host_mod_resultset = run_command($ipa_host_mod_cmd, $ipa_server, '_catch_errors' => true) ['stdout','stderr'].each |$output| { - # lint:endignore - out::message($ipa_host_mod_resultset.first.value[$output]) - } - } - } -} From c6ddc9aaca30296e520ff2ea5893d94228b640eb Mon Sep 17 00:00:00 2001 From: Joshua Hoblitt Date: Mon, 1 Dec 2025 16:07:13 -0700 Subject: [PATCH 74/78] mark ipa::client class as api private --- manifests/client.pp | 3 +++ 1 file changed, 3 insertions(+) diff --git a/manifests/client.pp b/manifests/client.pp index 35b0dc90..914807aa 100644 --- a/manifests/client.pp +++ b/manifests/client.pp @@ -7,10 +7,13 @@ # @param force_join # Force the client to join the domain even if it is already joined. # +# @api private class ipa::client ( Array[String] $package_name = undef, Boolean $force_join = false, ) { + assert_private() + unless $ipa::domain_join_password { fail("When creating a ${ipa::ipa_role} the parameter named domain_join_password cannot be empty.") } From 84c214387c06ca3728d9355eca268a51f02b8843 Mon Sep 17 00:00:00 2001 From: Joshua Hoblitt Date: Mon, 1 Dec 2025 16:07:55 -0700 Subject: [PATCH 75/78] mark ipa::server::master class as api private --- manifests/server/master.pp | 3 +++ 1 file changed, 3 insertions(+) diff --git a/manifests/server/master.pp b/manifests/server/master.pp index 949f4e8f..6be127cf 100644 --- a/manifests/server/master.pp +++ b/manifests/server/master.pp @@ -1,7 +1,10 @@ # # @summary Manage primary server # +# @api private class ipa::server::master { + assert_private() + $server_install_cmd = "\ /usr/sbin/ipa-server-install \ ${ipa::server::server_install_cmd_opts_hostname} \ 
From 079a85b02458a083e7bc7fb1113976deb066c9aa Mon Sep 17 00:00:00 2001 From: Joshua Hoblitt Date: Mon, 1 Dec 2025 16:08:24 -0700 Subject: [PATCH 76/78] mark ipa::server::replica class as api private --- REFERENCE.md | 102 ++---------------------------------- manifests/server/replica.pp | 3 ++ 2 files changed, 6 insertions(+), 99 deletions(-) diff --git a/REFERENCE.md b/REFERENCE.md index 3b4648f7..6d37cf9d 100644 --- a/REFERENCE.md +++ b/REFERENCE.md @@ -9,21 +9,16 @@ #### Public Classes * [`ipa`](#ipa): Manages IPA masters, replicas and clients. -* [`ipa::client`](#ipa--client): Manage ipa client -* [`ipa::server::master`](#ipa--server--master): Manage primary server -* [`ipa::server::replica`](#ipa--server--replica): Manage replica install #### Private Classes +* `ipa::client`: Manage ipa client * `ipa::client::debian`: Ensure that home directories get created on Debian and Ubuntu clients. * `ipa::server`: Manage IPA server install * `ipa::server::flushcache`: Manage cache flushing +* `ipa::server::master`: Manage primary server * `ipa::server::redhat` - -### Plans - -* [`ipa::update_host_keys`](#ipa--update_host_keys): Update host keys for a domain-joined node in FreeIPA to match real host -keys. +* `ipa::server::replica`: Manage replica install ## Classes 
@@ -290,94 +285,3 @@ Data type: `Boolean` Default value: `false` -### `ipa::client` - -Manage ipa client - -#### Parameters - -The following parameters are available in the `ipa::client` class: - -* [`package_name`](#-ipa--client--package_name) -* [`force_join`](#-ipa--client--force_join) - -##### `package_name` - -Data type: `Array[String]` - -The name of the package(s) to install. - -Default value: `undef` - -##### `force_join` - -Data type: `Boolean` - -Force the client to join the domain even if it is already joined. - -Default value: `false` - -### `ipa::server::master` - -Manage primary server - -### `ipa::server::replica` - -Manage replica install - -## Plans - -### `ipa::update_host_keys` - -Useful when real keys and keys in IPA device account have gone - out of sync, e.g. due to rebuilding the server from a snapshot. - - This gets a kerberos ticket from the IPA server first, then gathers - the SSH keys from IPA clients from their SSH facts, then runs appropriate - "ipa host-mod" commands for each IPA client on the IPA server. - - Note that it is assumed that the IPA client host name is equal to the $::fqdn - fact. - -#### Parameters - -The following parameters are available in the `ipa::update_host_keys` plan: - -* [`ipa_clients`](#-ipa--update_host_keys--ipa_clients) -* [`ipa_server`](#-ipa--update_host_keys--ipa_server) -* [`ipa_user`](#-ipa--update_host_keys--ipa_user) -* [`ipa_password`](#-ipa--update_host_keys--ipa_password) -* [`noop`](#-ipa--update_host_keys--noop) - -##### `ipa_clients` - -Data type: `TargetSpec` - -One of more IPA clients whose host keys to puload - -##### `ipa_server` - -Data type: `TargetSpec` - -A host which has the "ipa" tools installed. Not necessarily an IPA server. - -##### `ipa_user` - -Data type: `String` - -An IPA user with permission to run "ipa host-mod". 
- -##### `ipa_password` - -Data type: `String` - -IPA user's password - -##### `noop` - -Data type: `Boolean` - -If true then only imulate what would be done - -Default value: `true` - diff --git a/manifests/server/replica.pp b/manifests/server/replica.pp index 3bdb6114..3881577c 100644 --- a/manifests/server/replica.pp +++ b/manifests/server/replica.pp @@ -1,7 +1,10 @@ # # @summary Manage replica install # +# @api private class ipa::server::replica { + assert_private() + $replica_install_cmd = "\ /usr/sbin/ipa-replica-install \ --principal=${ipa::domain_join_principal.unwrap} \ From 3331c120f0c789b6cd41ee396e8455caf75dbef7 Mon Sep 17 00:00:00 2001 From: Joshua Hoblitt Date: Mon, 1 Dec 2025 16:13:44 -0700 Subject: [PATCH 77/78] fork module as lsst/ipa --- metadata.json | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/metadata.json b/metadata.json index 46f48e8e..f9dd6d2f 100644 --- a/metadata.json +++ b/metadata.json @@ -1,12 +1,12 @@ { - "name": "puppetfinland-ipa", + "name": "lsst-ipa", "version": "3.1.1", - "author": "Puppet-Finland team", - "summary": "Manages IPA servers and clients.", - "license": "Apache-2.0", - "source": "https://github.com/Puppet-Finland/puppet-ipa", - "project_page": "https://github.com/Puppet-Finland/puppet-ipa", - "issues_url": "https://github.com/Puppet-Finland/puppet-ipa", + "author": "AURA/LSST/Rubin Observatory", + "summary": "Manages FreeIPA servers, replicas, and clients", + "license": "GPL-3.0", + "source": "https://github.com/lsst-it/puppet-ipa", + "project_page": "https://github.com/lsst-it/puppet-ipa", + "issues_url": "https://github.com/lsst-it/puppet-ipa", "dependencies": [ { "name": "puppetlabs-stdlib", From d9a465e8782958444aa512cf3fc783d996db4064 Mon Sep 17 00:00:00 2001 From: Joshua Hoblitt Date: Mon, 1 Dec 2025 16:14:18 -0700 Subject: [PATCH 78/78] bump version to 4.0.0 --- metadata.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
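Review bot: `$replica_install_cmd` is assembled as a plain String, and `--principal=${ipa::domain_join_principal.unwrap}` shows that `Sensitive` values are being unwrapped into it; anything unwrapped this way (presumably the join password on the lines that follow, which lie outside this hunk) ends up in cleartext in the compiled catalog, the agent report and any exec logging, and the added `assert_private()` does nothing to mitigate that. Since the exec `command` parameter accepts a `Sensitive` value on the Puppet versions this module targets, consider wrapping the whole interpolated string, `$replica_install_cmd = Sensitive("\ ... ")`, and passing it straight through to the exec, so Puppet redacts it end to end; confirm against the exec resource further down, which is outside this hunk. At minimum the new `# @api private` header could carry a one-line comment noting that the command string contains unwrapped credentials and must not be logged or notified.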
diff --git a/metadata.json b/metadata.json
index f9dd6d2f..8f32100e 100644
--- a/metadata.json
+++ b/metadata.json
@@ -1,6 +1,6 @@
 {
 "name": "lsst-ipa",
- "version": "3.1.1",
+ "version": "4.0.0",
 "author": "AURA/LSST/Rubin Observatory",
 "summary": "Manages FreeIPA servers, replicas, and clients",
 "license": "GPL-3.0",