auth.pp

class aes::auth(
  Optional[String] $keytab_production = undef,
  Optional[String] $keytab_devel = undef
){

  $auth_user = auth
  $auth_group = "${auth_user}"
  $auth_home = "/srv/${auth_user}"
  $auth_service = "aes_auth"

  # Pick the right keytab for the current environment. We use the fqdn rather than 
  # $environment since the keys are tied to the domain name rather than what 
  # environment the machine is configured in.
  if $facts[fqdn] == 'aes.edu.liu.se' {
    # The AD service account for this key is: ida_sys002_srv
    $auth_keytab_data = $keytab_production
    $server_type = "production"
  } elsif $facts[fqdn] == 'aes-devel.edu.liu.se' {
    # The AD service account for this key is: ida_sys004_srv
    $auth_keytab_data = $keytab_devel
    $server_type = "devel"
  } else {
    $auth_keytab_data = undef
  }

  # Note: We rely on Boost being installed by the broker. It seems Puppet does not like
  # that we specify "boost" multiple times, even though it would look nice, modularity-wise
  # since both the auth server and the broker requires boost.
  package {
    [
	'krb5-libs',
	'krb5-devel',
	'openssl-devel',
    ]:
      ensure => installed,
  }

  # Group for local authentication. All accounts that are members
  # of this group are considered trusted by the authentication system.
  group { "aes_local_auth" :
    ensure => present
  }

  user { "${auth_user}" :
    ensure => present,
    home => "${auth_home}",
    comment => 'Authentication server for AES',
    managehome => false,
    membership => inclusive,
    groups => [ "aes_local_auth" ],
    system => true,
    shell => '/sbin/nologin',
  }

  file { "${auth_home}" :
    ensure => directory,
    owner => "${auth_user}",
    group => "${auth_group}",
    mode => '0755',
  }

  file { "/etc/systemd/system/${auth_service}.service" :
    ensure => present,
    owner  => root,
    group  => root,
    mode   => '0644',
    source => "puppet:///modules/${module_name}/auth/auth.service",
  }

  file { "${auth_home}/on_update.sh" :
    ensure => present,
    owner  => root,
    group  => root,
    mode   => '0700',
    source => "puppet:///modules/${module_name}/auth/on_update.sh",
  }

  file { "${auth_home}/config.json" :
    ensure => present,
    owner  => "${auth_user}",
    group  => "${auth_group}",
    mode   => '0644',
    source => "puppet:///modules/${module_name}/auth/config.json",
  }

  file { "${auth_home}/start.sh" :
    ensure => present,
    owner  => "${auth_user}",
    group  => "${auth_group}",
    mode   => '0755',
    source => "puppet:///modules/${module_name}/auth/start.sh",
  }

  file { "${auth_home}/keys" :
    ensure => directory,
    owner  => "${auth_user}",
    group  => "${auth_group}",
    mode   => "0700"
  }

  if $auth_keytab_data {
    file { "${auth_home}/keys/kerberos.keytab" :
      ensure => file,
      owner  => root,
      group  => "${auth_group}",
      mode   => "0640",
      content => "${auth_keytab_data}"
    }
  }

  exec { 'update-auth-repo' :
    command => "/opt/utils/update_repo.sh ${auth_home}/src https://oauth2:F-agHaRXCdyFy38q4c-N@gitlab.liu.se/upp-aes/communication.git ${server_type}",
    environment => [ "REPO_USER=${auth_user}", "REPO_GROUP=${auth_group}", "REPO_ON_UPDATE=${auth_home}/on_update.sh" ],
    # This command will need to run "on_update" as root in order to restart the service.
    user => root,
    group => root,
    cwd => "${auth_home}",
    require => File["${auth_home}/on_update.sh"],
  }

  service { "${auth_service}" : 
    ensure => "running",
  }

}