auth.pp

class aes::auth {

  $auth_user = auth
  $auth_group = "${auth_user}"
  $auth_home = "/srv/${auth_user}"
  $auth_service = "aes_auth"

  # Note: We rely on Boost being installed by the broker. It seems Puppet does not like
  # that we specify "boost" multiple times, even though it would look nice, modularity-wise
  # since both the auth server and the broker requires boost.
  package {
    [
	'krb5-libs',
	'krb5-devel',
	'openssl-devel',
    ]:
      ensure => installed,
  }

  # Group for local authentication. All accounts that are members
  # of this group are considered trusted by the authentication system.
  group { "aes_local_auth" :
    ensure => present
  }

  user { "${auth_user}" :
    ensure => present,
    home => "${auth_home}",
    comment => 'Authentication server for AES',
    managehome => false,
    membership => inclusive,
    groups => [ "aes_local_auth" ],
    system => true,
    shell => '/sbin/nologin',
  }

  file { "${auth_home}" :
    ensure => directory,
    owner => "${auth_user}",
    group => "${auth_group}",
    mode => '0755',
  }

  file { "/etc/systemd/system/${auth_service}.service" :
    ensure => present,
    owner  => root,
    group  => root,
    mode   => '0644',
    source => "puppet:///modules/${module_name}/auth/auth.service",
  }

  file { "${auth_home}/on_update.sh" :
    ensure => present,
    owner  => root,
    group  => root,
    mode   => '0700',
    source => "puppet:///modules/${module_name}/auth/on_update.sh",
  }

  file { "${auth_home}/config.json" :
    ensure => present,
    owner  => "${auth_user}",
    group  => "${auth_group}",
    mode   => '0644',
    source => "puppet:///modules/${module_name}/auth/config.json",
  }

  file { "${auth_home}/start.sh" :
    ensure => present,
    owner  => "${auth_user}",
    group  => "${auth_group}",
    mode   => '0755',
    source => "puppet:///modules/${module_name}/auth/start.sh",
  }

  exec { 'update-auth-repo' :
    command => "/opt/utils/update_repo.sh ${auth_home}/src https://oauth2:F-agHaRXCdyFy38q4c-N@gitlab.liu.se/upp-aes/communication.git production",
    environment => [ "REPO_USER=${auth_user}", "REPO_GROUP=${auth_group}", "REPO_ON_UPDATE=${auth_home}/on_update.sh" ],
    # This command will need to run "on_update" as root in order to restart the service.
    user => root,
    group => root,
    cwd => "${auth_home}",
    require => File["${auth_home}/on_update.sh"],
  }

  service { "${auth_service}" : 
    ensure => "running",
  }

}