aes_sw.pp

# @summary
#   Software for the AES system.
#
#   Detailed summary info if suitable
#
class aes::aes_sw {
  $examadm_user = examadm
  $examadm_group = $examadm_user
  $examadm_home = "/home/${examadm_user}"

  case fact('os.family') {
    'RedHat': {
      firewalld_custom_service { 'aes-server':
        description => 'Authentic Examination System server',
        ports       => [
          { port => '23431',  protocol => 'tcp' },
          { port => '23816',  protocol => 'tcp' },
          { port => '23817',  protocol => 'tcp' },
        ],
      }

      @firewalld_rich_rule {
        default:
          service => 'aes-server',
          log     => false;

        'Accept aes-server in LiU networks without logging IPv4':
          zone   => 'liu',
          family => 'ipv4',
          action => 'accept';
        'Accept aes-server in LiU networks without logging IPv6':
          zone   => 'liu',
          family => 'ipv6',
          action => 'accept';
      }
    }
    'CentOS': {
      ::server_firewall::rules_file { '45-permit_aes_sw.rules':
        # lint:ignore:strict_indent heredoc failing...
        content => @(EOF),
	service sclogin is tcp/23431
        service aesmsi is tcp/23816
        service aesmso is tcp/23817

        policy chain INPUT is
          accept service:sclogin from class:liu-nets
          accept service:aesmsi from class:liu-nets
          accept service:aesmso from class:liu-nets
        end policy
        |-EOF
        # lint:endignore:strict_indent
      }
    }
    default: {
      fail("${module_name} - Not supported for family ${fact('os.family')}.")
    }
  }

  package {
    [
      'enscript', # present in pars_pwd_list.py, but pars_pwd_list.py old and unused?
      'cronie',
      'java-11-openjdk-devel',
    ]:
      ensure  => installed,
  }

  user { 'examadm' :
    ensure     => present,
    managehome => false,
    membership => inclusive,
    system     => true,
    shell      => '/bin/bash',
  }

  file { $examadm_home:
    ensure => directory,
    mode   => '0755',
    owner  => $examadm_user,
    group  => $examadm_group,
  }

  file { "${examadm_home}/.ssh":
    ensure => directory,
    mode   => '0700',
    owner  => $examadm_user,
    group  => $examadm_group,
  }

  # lint:ignore:140chars
  file { "${examadm_home}/.ssh/authorized_keys":
    ensure  => file,
    mode    => '0600',
    owner   => $examadm_user,
    group   => $examadm_group,
    # lint:ignore:strict_indent heredoc failing...
    content => @(SSHPUBKEY),
      command="/home/examadm/tal-cli/source/scripts/tal-export.py --format ics --lookback 90 --lookahead 180",no-pty,no-user-rc,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDJW4LP0av20r7lPXNgsftF9oaAXK41AvHyuHwybciZC/QBfTcmYif83563cTg0OzR/p+OSobiDM0odaaFYtP/8xbuVRz87X5bGYm2m8yHHqPxobHkT5g/faMkl9Fef+Al4EsT5tiaYMOhG2lj8XRYuwAb7qjoz3FFbs8TEPE7Sv+4BUCCH94taCuNYLXSxN1EXvw7VW6Ld5QXRFP53l2QUeTqE9oSii3BVrXlqqrLvNV/7nwdwyse4uhff4QrM9o4oc9FaQr8PLlPGxdlbSfIQJMVzHGpeDu0WLw+NqtLO1hsdlvQm7GrT/v8N7GJNKlsvhwnwUuMhTrB0yPMbbub1 klaar36@upp
      command="/home/examadm/tal-cli/source/scripts/tal-export.py --written --format ics --lookback 90 --lookahead 180",no-pty,no-user-rc,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILZ8aEAXw0tRcYrk1aqldepuC6tmdUYZuM270QdDF79o tal written exams to ics
    | SSHPUBKEY
    # lint:endignore:strict_indent
  }
  # lint:endignore:140chars

  file { '/etc/systemd/system/aes_login.service':
    ensure  => file,
    owner   => root,
    group   => root,
    mode    => '0644',
    # lint:ignore:strict_indent heredoc failing...
    content => @(LOGINSERVICE),
    [Unit]
    Description=AES Login server
    After=network.target

    [Service]
    Type=simple
    User=examadm
    WorkingDirectory=/home/examadm/Version-3.1/exam
    ExecStart=/usr/bin/python3 /home/examadm/Version-3.1/pub/bin/examiner/find_pnr_and_otp_from_liuid.py

    [Install]
    WantedBy=multi-user.target
    | LOGINSERVICE
    # lint:endignore:strict_indent
  }

  # todo: logrotate
  service { 'aes_login' :
    ensure => 'running',
    enable => true,
  }

  file { '/etc/systemd/system/aes_ms.service':
    ensure  => file,
    owner   => root,
    group   => root,
    mode    => '0644',
    # lint:ignore:strict_indent heredoc failing...
    content => @(MSSERVICE),
    [Unit]
    Description=AES Exam server
    After=network.target

    [Service]
    Type=simple
    User=examadm
    WorkingDirectory=/home/examadm/Version-3.1
    ExecStart=/usr/bin/java -Xmx512M -jar /home/examadm/Version-3.1/pub/bin/examiner/ms.jar /home/examadm/Version-3.1

    [Install]
    WantedBy=multi-user.target
    | MSSERVICE
    # lint:endignore:strict_indent
  }

  file { '/etc/cron.daily/aes_ms':
    ensure  => file,
    owner   => root,
    group   => root,
    mode    => '0700',
    # lint:ignore:strict_indent heredoc failing...
    content => @(MSCRON),
    #!/bin/sh
    /usr/bin/systemctl restart aes_ms
    | MSCRON
    # lint:endignore:strict_indent
  }

  file { '/etc/cron.daily/aes_login':
    ensure  => file,
    owner   => root,
    group   => root,
    mode    => '0700',
    # lint:ignore:strict_indent heredoc failing...
    content => @(MSCRON),
    #!/bin/sh
    /usr/bin/systemctl restart aes_login
    | MSCRON
    # lint:endignore:strict_indent
  }

  # todo: logrotate
  service { 'aes_ms' :
    ensure => 'running',
    enable => true,
  }

  # Test to replace exec for repo update //thojo16
  vcsrepo { "${examadm_home}/scripts":
    ensure   => latest,
    provider => git,
    source   => 'https://oauth2:iAyewr9Jq5E-tnsVrmbj@gitlab.liu.se/examadm/scripts.git',
    revision => 'master',
    owner    => $examadm_user,
    group    => $examadm_group,
  }
}