auth.pp

class aes::auth (
  Optional[String] $keytab_production = undef,
  Optional[String] $keytab_devel = undef
) {
  $auth_user = auth
  $auth_group = $auth_user
  $auth_home = "/srv/${auth_user}"
  $auth_service = 'aes_auth'

  # Pick the right keytab for the current environment. We use the fqdn rather than 
  # $environment since the keys are tied to the domain name rather than what 
  # environment the machine is configured in.
  if $facts[fqdn] == 'aes.edu.liu.se' {
    # The AD service account for this key is: ida_sys002_srv
    $auth_keytab_data = $keytab_production
    $server_type = 'production'
  } elsif $facts[fqdn] == 'aes-devel.edu.liu.se' {
    # The AD service account for this key is: ida_sys004_srv
    $auth_keytab_data = $keytab_devel
    $server_type = 'devel'
  } else {
    $auth_keytab_data = undef
  }

  # Note: We rely on Boost being installed by the broker. It seems Puppet does not like
  # that we specify "boost" multiple times, even though it would look nice, modularity-wise
  # since both the auth server and the broker requires boost.
  package {
    [
      'krb5-libs',
      'krb5-devel',
      'openssl-devel',
    ]:
      ensure => installed,
  }

  # Group for local authentication. All accounts that are members
  # of this group are considered trusted by the authentication system.
  group { 'aes_local_auth' :
    ensure => present,
  }

  user { $auth_user :
    ensure     => present,
    home       => $auth_home,
    comment    => 'Authentication server for AES',
    managehome => false,
    membership => inclusive,
    groups     => ['aes_local_auth'],
    system     => true,
    shell      => '/sbin/nologin',
  }

  file { $auth_home :
    ensure => directory,
    owner  => $auth_user,
    group  => $auth_group,
    mode   => '0755',
  }

  file { "/etc/systemd/system/${auth_service}.service" :
    ensure => file,
    owner  => root,
    group  => root,
    mode   => '0644',
    source => "puppet:///modules/${module_name}/auth/auth.service",
  }

  file { "${auth_home}/on_update.sh" :
    ensure => file,
    owner  => root,
    group  => root,
    mode   => '0700',
    source => "puppet:///modules/${module_name}/auth/on_update.sh",
  }

  file { "${auth_home}/config.json" :
    ensure => file,
    owner  => $auth_user,
    group  => $auth_group,
    mode   => '0644',
    source => "puppet:///modules/${module_name}/auth/config.json",
  }

  file { "${auth_home}/start.sh" :
    ensure => file,
    owner  => $auth_user,
    group  => $auth_group,
    mode   => '0755',
    source => "puppet:///modules/${module_name}/auth/start.sh",
  }

  file { "${auth_home}/keys" :
    ensure => directory,
    owner  => $auth_user,
    group  => $auth_group,
    mode   => '0700',
  }

  if $auth_keytab_data {
    file { "${auth_home}/keys/kerberos.keytab" :
      ensure  => file,
      owner   => root,
      group   => $auth_group,
      mode    => '0640',
      content => $auth_keytab_data,
    }
  }

  exec { 'update-auth-repo' :
    command     => "/opt/utils/update_repo.sh ${auth_home}/src https://oauth2:F-agHaRXCdyFy38q4c-N@gitlab.liu.se/upp-aes/communication.git ${server_type}",
    environment => ["REPO_USER=${auth_user}", "REPO_GROUP=${auth_group}", "REPO_ON_UPDATE=${auth_home}/on_update.sh"],
    # This command will need to run "on_update" as root in order to restart the service.
    user        => root,
    group       => root,
    cwd         => $auth_home,
    require     => File["${auth_home}/on_update.sh"],
  }

  service { $auth_service :
    ensure => 'running',
    enable => true,
  }
}