# Authentication service for the communication module.
# Sets up the authentication service for the communication module in the
# new exam system. Connects to the broker to authenticate users.
# Keytab contents (in base64) for the Kerberos host key used to authenticate
# in the production environment (aes.edu.liu.se).
# Keytab contents (in base64) for the Kerberos host key used to authenticate
# in the development environment (aes-devel.edu.liu.se).
Optional[String] $keytab_production_base64 = undef,
Optional[String] $keytab_devel_base64 = undef
# Local account the authentication server runs as, and its home directory
# (everything the service needs is laid out under this path).
$auth_user = 'auth'
$auth_home = "/srv/${auth_user}"
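# Decode the base64-encoded keytabs into Binary values that can be written
# verbatim via a file resource's `content`.
#
# Binary.new() requires a String, so passing an undef parameter (the declared
# default for both Optional[String] parameters) aborts catalog compilation.
# Leave the variable undef in that case; the keytab file resource further down
# is already guarded by `if $auth_keytab_data`.
#
# NOTE(review): the keytabs arrive as plain Optional[String] parameters, so the
# raw key material is visible in the compiled catalog and in Puppet reports.
# Consider Optional[Sensitive[String]] for the parameters and unwrap() here.
$keytab_production = $keytab_production_base64 ? {
  undef   => undef,
  default => Binary.new($keytab_production_base64, '%b'),
}
$keytab_devel = $keytab_devel_base64 ? {
  undef   => undef,
  default => Binary.new($keytab_devel_base64, '%b'),
}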
# Pick the right keytab for the current environment. We use the fqdn rather than
# $environment since the keys are tied to the domain name rather than what
# environment the machine is configured in.
if $facts[fqdn] == 'aes.edu.liu.se' {
# The AD service account for this key is: ida_sys002_srv
$auth_keytab_data = $keytab_production
} elsif $facts[fqdn] == 'aes-devel.edu.liu.se' {
# The AD service account for this key is: ida_sys004_srv
$auth_keytab_data = $keytab_devel
# Note: We rely on Boost being installed by the broker. Puppet rejects a resource
# that is declared more than once in a catalog, so "boost" cannot be listed here
# as well, even though it would be nicer modularity-wise since both the auth
# server and the broker require Boost.
# Packages installed specifically for the auth server. Currently none: the only
# build dependency (Boost) is declared by the broker, so this is a no-op.
$auth_packages = []
package { $auth_packages:
  ensure => installed,
}
# Group for local authentication. All accounts that are members
# of this group are considered trusted by the authentication system.
}
user { $auth_user :
ensure => present,
home => $auth_home,
comment => 'Authentication server for AES',
managehome => false,
membership => inclusive,
ensure => directory,
owner => $auth_user,
group => $auth_group,
mode => '0755',
}
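# systemd unit for the auth server. Owned by root and world-readable like the
# rest of /etc/systemd/system; the service user must not be able to edit it.
# `ensure => file` added for consistency with the other file resources here:
# without it Puppet only manages the content of an already-existing path.
# NOTE(review): a changed unit file needs `systemctl daemon-reload` before it
# takes effect — confirm whether the service resource (not visible here)
# handles that, otherwise add a notify to it.
file { "/etc/systemd/system/${auth_service}.service" :
  ensure => file,
  owner  => root,
  group  => root,
  mode   => '0644',
  source => "puppet:///modules/${module_name}/auth/auth.service",
}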
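# Hook script run after the source checkout is updated (required by the
# compile exec below). Executable by the service user.
# `ensure => file` added for consistency with the other file resources here, so
# the script is created (not just updated) on a fresh host.
file { "${auth_home}/on_update.sh" :
  ensure => file,
  owner  => $auth_user,
  group  => $auth_group,
  mode   => '0755',
  source => "puppet:///modules/${module_name}/auth/on_update.sh",
}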
# Static configuration for the auth server, shipped from the module.
# NOTE(review): mode 0644 makes it readable by every local account — fine as
# long as config.json holds no secrets; verify before adding any.
file { "${auth_home}/config.json" :
  * => {
    ensure => file,
    source => "puppet:///modules/${module_name}/auth/config.json",
    owner  => $auth_user,
    group  => $auth_group,
    mode   => '0644',
  },
}
# Launcher script for the auth server (presumably what the systemd unit
# invokes — confirm against auth.service). Executable by the service user.
file { "${auth_home}/start.sh" :
  * => {
    ensure => file,
    source => "puppet:///modules/${module_name}/auth/start.sh",
    owner  => $auth_user,
    group  => $auth_group,
    mode   => '0755',
  },
}
file { "${auth_home}/keys" :
ensure => directory,
owner => $auth_user,
group => $auth_group,
mode => '0700',
if $auth_keytab_data {
file { "${auth_home}/keys/kerberos.keytab" :
ensure => file,
owner => root,
group => $auth_group,
mode => '0640',
content => $auth_keytab_data,
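# Check out the communication repository (branch/tag selected by
# $server_type) and recompile whenever it changes.
#
# The clone URL must not embed a credential. The previous form carried a
# GitLab OAuth2 token in the source URL, which means the token sits in
# version control, in every compiled catalog, and — because git records the
# remote URL including its userinfo — in "${auth_home}/src/.git/config",
# readable by ${auth_user}. Any token that was ever committed here has to be
# treated as exposed and revoked in GitLab.
#
# The token is now looked up from Hiera as a Sensitive value (store it
# eyaml-encrypted) and only unwrapped when the URL is built. An SSH deploy key
# with read-only access would avoid the token in .git/config altogether and is
# the preferred long-term fix. NOTE(review): the Hiera key name below is a
# proposal — align it with the module's lookup conventions.
$gitlab_token = lookup('aes::communication::gitlab_token', Sensitive[String])
vcsrepo { "${auth_home}/src":
  ensure   => latest,
  provider => git,
  source   => "https://oauth2:${unwrap($gitlab_token)}@gitlab.liu.se/upp-aes/communication.git",
  revision => $server_type,
  owner    => $auth_user,
  group    => $auth_group,
  notify   => Exec['compile-auth-repo'],
}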
exec { 'compile-auth-repo':
user => $auth_user,
group => $auth_group,
cwd => $auth_home,
path => '/bin:/usr/bin',
environment => ["HOME=${auth_home}"],
require => File["${auth_home}/on_update.sh"],