diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile
new file mode 100644
index 0000000000000000000000000000000000000000..12ed4ff109624ca4b2696bdfa6638dcf8967fcbe
--- /dev/null
+++ b/.devcontainer/Dockerfile
@@ -0,0 +1,6 @@
+FROM puppet/pdk:latest
+
+# [Optional] Uncomment this section to install additional packages.
+# RUN apt-get update && export DEBIAN_FRONTEND=noninteractive \
+# && apt-get -y install --no-install-recommends <your-package-list-here>
+
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
new file mode 100644
index 0000000000000000000000000000000000000000..f1a55dc3f0acb1031982196149da8edcb1a2d6ef
--- /dev/null
+++ b/.devcontainer/devcontainer.json
@@ -0,0 +1,23 @@
+// For format details, see https://aka.ms/devcontainer.json. For config options, see the README at:
+// https://github.com/microsoft/vscode-dev-containers/tree/v0.140.1/containers/puppet
+{
+ "name": "Puppet Development Kit (Community)",
+ "dockerFile": "Dockerfile",
+
+ // Set *default* container specific settings.json values on container create.
+ "settings": {
+ "terminal.integrated.shell.linux": "/bin/bash"
+ },
+
+ // Add the IDs of extensions you want installed when the container is created.
+ "extensions": [
+ "puppet.puppet-vscode",
+ "rebornix.Ruby"
+ ]
+
+ // Use 'forwardPorts' to make a list of ports inside the container available locally.
+ // "forwardPorts": [],
+
+ // Use 'postCreateCommand' to run commands after the container is created.
+ // "postCreateCommand": "pdk --version",
+}
diff --git a/.editorconfig b/.editorconfig
new file mode 100644
index 0000000000000000000000000000000000000000..8da4715e7dae6f3e4c91e9c5642ecab5d361d3f7
--- /dev/null
+++ b/.editorconfig
@@ -0,0 +1,21 @@
+# EditorConfig is awesome: https://EditorConfig.org
+
+# top-most EditorConfig file
+root = true
+
+# Unix-style newlines with a newline ending every file
+[*]
+end_of_line = lf
+insert_final_newline = true
+trim_trailing_whitespace = true
+charset = utf-8
+indent_style = space
+indent_size = 2
+
+# The JSON files contain newlines inconsistently
+[*.json]
+indent_size = 2
+insert_final_newline = ignore
+
+[*.{ps1,psm1}]
+indent_size = 4
diff --git a/.fixtures.yml b/.fixtures.yml
new file mode 100644
index 0000000000000000000000000000000000000000..2296adb3a2c93c33eb195611cddd1d4b433a4dee
--- /dev/null
+++ b/.fixtures.yml
@@ -0,0 +1,6 @@
+# This file can be used to install module dependencies for unit testing
+# See https://github.com/puppetlabs/puppetlabs_spec_helper#using-fixtures for details
+---
+fixtures:
+ forge_modules:
+# stdlib: "puppetlabs/stdlib"
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
new file mode 100644
index 0000000000000000000000000000000000000000..d49a282204f95e69b20f82be215ceefc76129d11
--- /dev/null
+++ b/.gitlab-ci.yml
@@ -0,0 +1,4 @@
+---
+include:
+ - project: 'puppet-infra/shared-ci-piplines'
+ file: '/puppet-module-pipeline.yaml'
diff --git a/.pdkignore b/.pdkignore
new file mode 100644
index 0000000000000000000000000000000000000000..3c059934e7b2f21e361661b8c5c72b819145d191
--- /dev/null
+++ b/.pdkignore
@@ -0,0 +1,48 @@
+.git/
+.*.sw[op]
+.metadata
+.yardoc
+.yardwarns
+*.iml
+/.bundle/
+/.idea/
+/.vagrant/
+/coverage/
+/bin/
+/doc/
+/Gemfile.local
+/Gemfile.lock
+/junit/
+/log/
+/pkg/
+/spec/fixtures/manifests/
+/spec/fixtures/modules/
+/tmp/
+/vendor/
+/convert_report.txt
+/update_report.txt
+.DS_Store
+.project
+.envrc
+/inventory.yaml
+*~
+\#*\#
+.\#*
+/appveyor.yml
+/.fixtures.yml
+/Gemfile
+/.gitattributes
+/.gitignore
+/.gitlab-ci.yml
+/.pdkignore
+/.puppet-lint.rc
+/Rakefile
+/rakelib/
+/.rspec
+/.rubocop.yml
+/.travis.yml
+/.yardopts
+/spec/
+/.vscode/
+/.sync.yml
+/.devcontainer/
diff --git a/.puppet-lint.rc b/.puppet-lint.rc
new file mode 100644
index 0000000000000000000000000000000000000000..cc96ece0513d69709b87af611173e2a6e4532f62
--- /dev/null
+++ b/.puppet-lint.rc
@@ -0,0 +1 @@
+--relative
diff --git a/.rspec b/.rspec
new file mode 100644
index 0000000000000000000000000000000000000000..16f9cdb013585a86aa600f8d0c002e8a2c33b6a9
--- /dev/null
+++ b/.rspec
@@ -0,0 +1,2 @@
+--color
+--format documentation
diff --git a/.rubocop.yml b/.rubocop.yml
new file mode 100644
index 0000000000000000000000000000000000000000..8f782e741528905cd59743f73283f8a39e9bf210
--- /dev/null
+++ b/.rubocop.yml
@@ -0,0 +1,519 @@
+---
+require:
+- rubocop-performance
+- rubocop-rspec
+AllCops:
+ DisplayCopNames: true
+ TargetRubyVersion: '2.4'
+ Include:
+ - "**/*.rb"
+ Exclude:
+ - bin/*
+ - ".vendor/**/*"
+ - "**/Gemfile"
+ - "**/Rakefile"
+ - pkg/**/*
+ - spec/fixtures/**/*
+ - vendor/**/*
+ - "**/Puppetfile"
+ - "**/Vagrantfile"
+ - "**/Guardfile"
+Layout/LineLength:
+ Description: People have wide screens, use them.
+ Max: 200
+RSpec/BeforeAfterAll:
+ Description: Beware of using after(:all) as it may cause state to leak between tests.
+ A necessary evil in acceptance testing.
+ Exclude:
+ - spec/acceptance/**/*.rb
+RSpec/HookArgument:
+ Description: Prefer explicit :each argument, matching existing module's style
+ EnforcedStyle: each
+RSpec/DescribeSymbol:
+ Exclude:
+ - spec/unit/facter/**/*.rb
+Style/BlockDelimiters:
+ Description: Prefer braces for chaining. Mostly an aesthetical choice. Better to
+ be consistent then.
+ EnforcedStyle: braces_for_chaining
+Style/ClassAndModuleChildren:
+ Description: Compact style reduces the required amount of indentation.
+ EnforcedStyle: compact
+Style/EmptyElse:
+ Description: Enforce against empty else clauses, but allow `nil` for clarity.
+ EnforcedStyle: empty
+Style/FormatString:
+ Description: Following the main puppet project's style, prefer the % format format.
+ EnforcedStyle: percent
+Style/FormatStringToken:
+ Description: Following the main puppet project's style, prefer the simpler template
+ tokens over annotated ones.
+ EnforcedStyle: template
+Style/Lambda:
+ Description: Prefer the keyword for easier discoverability.
+ EnforcedStyle: literal
+Style/RegexpLiteral:
+ Description: Community preference. See https://github.com/voxpupuli/modulesync_config/issues/168
+ EnforcedStyle: percent_r
+Style/TernaryParentheses:
+ Description: Checks for use of parentheses around ternary conditions. Enforce parentheses
+ on complex expressions for better readability, but seriously consider breaking
+ it up.
+ EnforcedStyle: require_parentheses_when_complex
+Style/TrailingCommaInArguments:
+ Description: Prefer always trailing comma on multiline argument lists. This makes
+ diffs, and re-ordering nicer.
+ EnforcedStyleForMultiline: comma
+Style/TrailingCommaInArrayLiteral:
+ Description: Prefer always trailing comma on multiline literals. This makes diffs,
+ and re-ordering nicer.
+ EnforcedStyleForMultiline: comma
+Style/SymbolArray:
+ Description: Using percent style obscures symbolic intent of array's contents.
+ EnforcedStyle: brackets
+RSpec/MessageSpies:
+ EnforcedStyle: receive
+Style/Documentation:
+ Exclude:
+ - lib/puppet/parser/functions/**/*
+ - spec/**/*
+Style/WordArray:
+ EnforcedStyle: brackets
+Performance/AncestorsInclude:
+ Enabled: true
+Performance/BigDecimalWithNumericArgument:
+ Enabled: true
+Performance/BlockGivenWithExplicitBlock:
+ Enabled: true
+Performance/CaseWhenSplat:
+ Enabled: true
+Performance/ConstantRegexp:
+ Enabled: true
+Performance/MethodObjectAsBlock:
+ Enabled: true
+Performance/RedundantSortBlock:
+ Enabled: true
+Performance/RedundantStringChars:
+ Enabled: true
+Performance/ReverseFirst:
+ Enabled: true
+Performance/SortReverse:
+ Enabled: true
+Performance/Squeeze:
+ Enabled: true
+Performance/StringInclude:
+ Enabled: true
+Performance/Sum:
+ Enabled: true
+Style/CollectionMethods:
+ Enabled: true
+Style/MethodCalledOnDoEndBlock:
+ Enabled: true
+Style/StringMethods:
+ Enabled: true
+Bundler/InsecureProtocolSource:
+ Enabled: false
+Gemspec/DuplicatedAssignment:
+ Enabled: false
+Gemspec/OrderedDependencies:
+ Enabled: false
+Gemspec/RequiredRubyVersion:
+ Enabled: false
+Gemspec/RubyVersionGlobalsUsage:
+ Enabled: false
+Layout/ArgumentAlignment:
+ Enabled: false
+Layout/BeginEndAlignment:
+ Enabled: false
+Layout/ClosingHeredocIndentation:
+ Enabled: false
+Layout/EmptyComment:
+ Enabled: false
+Layout/EmptyLineAfterGuardClause:
+ Enabled: false
+Layout/EmptyLinesAroundArguments:
+ Enabled: false
+Layout/EmptyLinesAroundAttributeAccessor:
+ Enabled: false
+Layout/EndOfLine:
+ Enabled: false
+Layout/FirstArgumentIndentation:
+ Enabled: false
+Layout/HashAlignment:
+ Enabled: false
+Layout/HeredocIndentation:
+ Enabled: false
+Layout/LeadingEmptyLines:
+ Enabled: false
+Layout/SpaceAroundMethodCallOperator:
+ Enabled: false
+Layout/SpaceInsideArrayLiteralBrackets:
+ Enabled: false
+Layout/SpaceInsideReferenceBrackets:
+ Enabled: false
+Lint/BigDecimalNew:
+ Enabled: false
+Lint/BooleanSymbol:
+ Enabled: false
+Lint/ConstantDefinitionInBlock:
+ Enabled: false
+Lint/DeprecatedOpenSSLConstant:
+ Enabled: false
+Lint/DisjunctiveAssignmentInConstructor:
+ Enabled: false
+Lint/DuplicateElsifCondition:
+ Enabled: false
+Lint/DuplicateRequire:
+ Enabled: false
+Lint/DuplicateRescueException:
+ Enabled: false
+Lint/EmptyConditionalBody:
+ Enabled: false
+Lint/EmptyFile:
+ Enabled: false
+Lint/ErbNewArguments:
+ Enabled: false
+Lint/FloatComparison:
+ Enabled: false
+Lint/HashCompareByIdentity:
+ Enabled: false
+Lint/IdentityComparison:
+ Enabled: false
+Lint/InterpolationCheck:
+ Enabled: false
+Lint/MissingCopEnableDirective:
+ Enabled: false
+Lint/MixedRegexpCaptureTypes:
+ Enabled: false
+Lint/NestedPercentLiteral:
+ Enabled: false
+Lint/NonDeterministicRequireOrder:
+ Enabled: false
+Lint/OrderedMagicComments:
+ Enabled: false
+Lint/OutOfRangeRegexpRef:
+ Enabled: false
+Lint/RaiseException:
+ Enabled: false
+Lint/RedundantCopEnableDirective:
+ Enabled: false
+Lint/RedundantRequireStatement:
+ Enabled: false
+Lint/RedundantSafeNavigation:
+ Enabled: false
+Lint/RedundantWithIndex:
+ Enabled: false
+Lint/RedundantWithObject:
+ Enabled: false
+Lint/RegexpAsCondition:
+ Enabled: false
+Lint/ReturnInVoidContext:
+ Enabled: false
+Lint/SafeNavigationConsistency:
+ Enabled: false
+Lint/SafeNavigationWithEmpty:
+ Enabled: false
+Lint/SelfAssignment:
+ Enabled: false
+Lint/SendWithMixinArgument:
+ Enabled: false
+Lint/ShadowedArgument:
+ Enabled: false
+Lint/StructNewOverride:
+ Enabled: false
+Lint/ToJSON:
+ Enabled: false
+Lint/TopLevelReturnWithArgument:
+ Enabled: false
+Lint/TrailingCommaInAttributeDeclaration:
+ Enabled: false
+Lint/UnreachableLoop:
+ Enabled: false
+Lint/UriEscapeUnescape:
+ Enabled: false
+Lint/UriRegexp:
+ Enabled: false
+Lint/UselessMethodDefinition:
+ Enabled: false
+Lint/UselessTimes:
+ Enabled: false
+Metrics/AbcSize:
+ Enabled: false
+Metrics/BlockLength:
+ Enabled: false
+Metrics/BlockNesting:
+ Enabled: false
+Metrics/ClassLength:
+ Enabled: false
+Metrics/CyclomaticComplexity:
+ Enabled: false
+Metrics/MethodLength:
+ Enabled: false
+Metrics/ModuleLength:
+ Enabled: false
+Metrics/ParameterLists:
+ Enabled: false
+Metrics/PerceivedComplexity:
+ Enabled: false
+Migration/DepartmentName:
+ Enabled: false
+Naming/AccessorMethodName:
+ Enabled: false
+Naming/BlockParameterName:
+ Enabled: false
+Naming/HeredocDelimiterCase:
+ Enabled: false
+Naming/HeredocDelimiterNaming:
+ Enabled: false
+Naming/MemoizedInstanceVariableName:
+ Enabled: false
+Naming/MethodParameterName:
+ Enabled: false
+Naming/RescuedExceptionsVariableName:
+ Enabled: false
+Naming/VariableNumber:
+ Enabled: false
+Performance/BindCall:
+ Enabled: false
+Performance/DeletePrefix:
+ Enabled: false
+Performance/DeleteSuffix:
+ Enabled: false
+Performance/InefficientHashSearch:
+ Enabled: false
+Performance/UnfreezeString:
+ Enabled: false
+Performance/UriDefaultParser:
+ Enabled: false
+RSpec/Be:
+ Enabled: false
+RSpec/Capybara/CurrentPathExpectation:
+ Enabled: false
+RSpec/Capybara/FeatureMethods:
+ Enabled: false
+RSpec/Capybara/VisibilityMatcher:
+ Enabled: false
+RSpec/ContextMethod:
+ Enabled: false
+RSpec/ContextWording:
+ Enabled: false
+RSpec/DescribeClass:
+ Enabled: false
+RSpec/EmptyHook:
+ Enabled: false
+RSpec/EmptyLineAfterExample:
+ Enabled: false
+RSpec/EmptyLineAfterExampleGroup:
+ Enabled: false
+RSpec/EmptyLineAfterHook:
+ Enabled: false
+RSpec/ExampleLength:
+ Enabled: false
+RSpec/ExampleWithoutDescription:
+ Enabled: false
+RSpec/ExpectChange:
+ Enabled: false
+RSpec/ExpectInHook:
+ Enabled: false
+RSpec/FactoryBot/AttributeDefinedStatically:
+ Enabled: false
+RSpec/FactoryBot/CreateList:
+ Enabled: false
+RSpec/FactoryBot/FactoryClassName:
+ Enabled: false
+RSpec/HooksBeforeExamples:
+ Enabled: false
+RSpec/ImplicitBlockExpectation:
+ Enabled: false
+RSpec/ImplicitSubject:
+ Enabled: false
+RSpec/LeakyConstantDeclaration:
+ Enabled: false
+RSpec/LetBeforeExamples:
+ Enabled: false
+RSpec/MissingExampleGroupArgument:
+ Enabled: false
+RSpec/MultipleExpectations:
+ Enabled: false
+RSpec/MultipleMemoizedHelpers:
+ Enabled: false
+RSpec/MultipleSubjects:
+ Enabled: false
+RSpec/NestedGroups:
+ Enabled: false
+RSpec/PredicateMatcher:
+ Enabled: false
+RSpec/ReceiveCounts:
+ Enabled: false
+RSpec/ReceiveNever:
+ Enabled: false
+RSpec/RepeatedExampleGroupBody:
+ Enabled: false
+RSpec/RepeatedExampleGroupDescription:
+ Enabled: false
+RSpec/RepeatedIncludeExample:
+ Enabled: false
+RSpec/ReturnFromStub:
+ Enabled: false
+RSpec/SharedExamples:
+ Enabled: false
+RSpec/StubbedMock:
+ Enabled: false
+RSpec/UnspecifiedException:
+ Enabled: false
+RSpec/VariableDefinition:
+ Enabled: false
+RSpec/VoidExpect:
+ Enabled: false
+RSpec/Yield:
+ Enabled: false
+Security/Open:
+ Enabled: false
+Style/AccessModifierDeclarations:
+ Enabled: false
+Style/AccessorGrouping:
+ Enabled: false
+Style/AsciiComments:
+ Enabled: false
+Style/BisectedAttrAccessor:
+ Enabled: false
+Style/CaseLikeIf:
+ Enabled: false
+Style/ClassEqualityComparison:
+ Enabled: false
+Style/ColonMethodDefinition:
+ Enabled: false
+Style/CombinableLoops:
+ Enabled: false
+Style/CommentedKeyword:
+ Enabled: false
+Style/Dir:
+ Enabled: false
+Style/DoubleCopDisableDirective:
+ Enabled: false
+Style/EmptyBlockParameter:
+ Enabled: false
+Style/EmptyLambdaParameter:
+ Enabled: false
+Style/Encoding:
+ Enabled: false
+Style/EvalWithLocation:
+ Enabled: false
+Style/ExpandPathArguments:
+ Enabled: false
+Style/ExplicitBlockArgument:
+ Enabled: false
+Style/ExponentialNotation:
+ Enabled: false
+Style/FloatDivision:
+ Enabled: false
+Style/FrozenStringLiteralComment:
+ Enabled: false
+Style/GlobalStdStream:
+ Enabled: false
+Style/HashAsLastArrayItem:
+ Enabled: false
+Style/HashLikeCase:
+ Enabled: false
+Style/HashTransformKeys:
+ Enabled: false
+Style/HashTransformValues:
+ Enabled: false
+Style/IfUnlessModifier:
+ Enabled: false
+Style/KeywordParametersOrder:
+ Enabled: false
+Style/MinMax:
+ Enabled: false
+Style/MixinUsage:
+ Enabled: false
+Style/MultilineWhenThen:
+ Enabled: false
+Style/NegatedUnless:
+ Enabled: false
+Style/NumericPredicate:
+ Enabled: false
+Style/OptionalBooleanParameter:
+ Enabled: false
+Style/OrAssignment:
+ Enabled: false
+Style/RandomWithOffset:
+ Enabled: false
+Style/RedundantAssignment:
+ Enabled: false
+Style/RedundantCondition:
+ Enabled: false
+Style/RedundantConditional:
+ Enabled: false
+Style/RedundantFetchBlock:
+ Enabled: false
+Style/RedundantFileExtensionInRequire:
+ Enabled: false
+Style/RedundantRegexpCharacterClass:
+ Enabled: false
+Style/RedundantRegexpEscape:
+ Enabled: false
+Style/RedundantSelfAssignment:
+ Enabled: false
+Style/RedundantSort:
+ Enabled: false
+Style/RescueStandardError:
+ Enabled: false
+Style/SingleArgumentDig:
+ Enabled: false
+Style/SlicingWithRange:
+ Enabled: false
+Style/SoleNestedConditional:
+ Enabled: false
+Style/StderrPuts:
+ Enabled: false
+Style/StringConcatenation:
+ Enabled: false
+Style/Strip:
+ Enabled: false
+Style/SymbolProc:
+ Enabled: false
+Style/TrailingBodyOnClass:
+ Enabled: false
+Style/TrailingBodyOnMethodDefinition:
+ Enabled: false
+Style/TrailingBodyOnModule:
+ Enabled: false
+Style/TrailingCommaInHashLiteral:
+ Enabled: false
+Style/TrailingMethodEndStatement:
+ Enabled: false
+Style/UnpackFirst:
+ Enabled: false
+Lint/DuplicateBranch:
+ Enabled: false
+Lint/DuplicateRegexpCharacterClassElement:
+ Enabled: false
+Lint/EmptyBlock:
+ Enabled: false
+Lint/EmptyClass:
+ Enabled: false
+Lint/NoReturnInBeginEndBlocks:
+ Enabled: false
+Lint/ToEnumArguments:
+ Enabled: false
+Lint/UnexpectedBlockArity:
+ Enabled: false
+Lint/UnmodifiedReduceAccumulator:
+ Enabled: false
+Performance/CollectionLiteralInLoop:
+ Enabled: false
+Style/ArgumentsForwarding:
+ Enabled: false
+Style/CollectionCompact:
+ Enabled: false
+Style/DocumentDynamicEvalDefinition:
+ Enabled: false
+Style/NegatedIfElseCondition:
+ Enabled: false
+Style/NilLambda:
+ Enabled: false
+Style/RedundantArgument:
+ Enabled: false
+Style/SwapValues:
+ Enabled: false
diff --git a/.sync.yml b/.sync.yml
new file mode 100644
index 0000000000000000000000000000000000000000..8c2c98ed7242c79e8d57e882d3df06f18ec0d781
--- /dev/null
+++ b/.sync.yml
@@ -0,0 +1,8 @@
+# This file can be used to customize the files managed by PDK.
+#
+# See https://github.com/puppetlabs/pdk-templates/blob/main/README.md
+# for more information.
+#
+# See https://github.com/puppetlabs/pdk-templates/blob/main/config_defaults.yml
+# for the default values.
+--- {}
diff --git a/.vscode/extensions.json b/.vscode/extensions.json
new file mode 100644
index 0000000000000000000000000000000000000000..24650e52586e9ab1e85de79e06f5dc8790efcdd2
--- /dev/null
+++ b/.vscode/extensions.json
@@ -0,0 +1,8 @@
+{
+ "recommendations": [
+ "puppet.puppet-vscode",
+ "rebornix.Ruby",
+ "ms-vscode.powershell",
+ "EditorConfig.EditorConfig"
+ ]
+}
diff --git a/.vscode/settings.json b/.vscode/settings.json
new file mode 100644
index 0000000000000000000000000000000000000000..79547efad98d0396e7ce8998f465899e6e6ec467
--- /dev/null
+++ b/.vscode/settings.json
@@ -0,0 +1,26 @@
+{
+ // Enable per-language
+ "[powershell]": {
+ "editor.formatOnSave": true
+ },
+ // Controls how the editor should render whitespace characters, possibilities are 'none', 'boundary', and 'all'. The 'boundary' option does not render single spaces between words.
+ "editor.renderWhitespace": "boundary", // Default: none
+ // Does not reformat one-line code blocks, such as "if (...) {...} else {...}".
+ "powershell.codeFormatting.ignoreOneLineBlock": false, // Default: True
+ // Adds a newline (line break) after a closing brace.
+ "powershell.codeFormatting.newLineAfterCloseBrace": true, // Default: True
+ // Adds a newline (line break) after an open brace.
+ "powershell.codeFormatting.newLineAfterOpenBrace": true, // Default: True
+ // Places open brace on the same line as its associated statement.
+ "powershell.codeFormatting.openBraceOnSameLine": true, // Default: True
+ // Adds a space after a separator (',' and ';').
+ "powershell.codeFormatting.whitespaceAfterSeparator": true, // Default: True
+ // Adds spaces before and after an operator ('=', '+', '-', etc.).
+ "powershell.codeFormatting.whitespaceAroundOperator": true, // Default: True
+ // Adds a space between a keyword and its associated scriptblock expression.
+ "powershell.codeFormatting.whitespaceBeforeOpenBrace": true, // Default: True
+ // Adds a space between a keyword (if, elseif, while, switch, etc) and its associated conditional expression.
+ "powershell.codeFormatting.whitespaceBeforeOpenParen": true, // Default: True
+ // Align assignment statements in a hashtable or a DSC Configuration.
+ "powershell.codeFormatting.alignPropertyValuePairs": true // Default: True
+}
diff --git a/.yardopts b/.yardopts
new file mode 100644
index 0000000000000000000000000000000000000000..29c933bcf15d56c2583bbfafabc88093ffa1da68
--- /dev/null
+++ b/.yardopts
@@ -0,0 +1 @@
+--markup markdown
diff --git a/CHANGELOG.md b/CHANGELOG.md
new file mode 100644
index 0000000000000000000000000000000000000000..d7bba92b3089535e5e3845fdac607a841c433478
--- /dev/null
+++ b/CHANGELOG.md
@@ -0,0 +1,11 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+## Release 0.0.0
+
+**Features**
+
+**Bugfixes**
+
+**Known Issues**
diff --git a/Gemfile b/Gemfile
new file mode 100644
index 0000000000000000000000000000000000000000..581f5d708f2ae0c66e6298611cc15c5b6cfe539a
--- /dev/null
+++ b/Gemfile
@@ -0,0 +1,69 @@
+source ENV['GEM_SOURCE'] || 'https://rubygems.org'
+
+def location_for(place_or_version, fake_version = nil)
+ git_url_regex = %r{\A(?<url>(https?|git)[:@][^#]*)(#(?<branch>.*))?}
+ file_url_regex = %r{\Afile:\/\/(?<path>.*)}
+
+ if place_or_version && (git_url = place_or_version.match(git_url_regex))
+ [fake_version, { git: git_url[:url], branch: git_url[:branch], require: false }].compact
+ elsif place_or_version && (file_url = place_or_version.match(file_url_regex))
+ ['>= 0', { path: File.expand_path(file_url[:path]), require: false }]
+ else
+ [place_or_version, { require: false }]
+ end
+end
+
+ruby_version_segments = Gem::Version.new(RUBY_VERSION.dup).segments
+minor_version = ruby_version_segments[0..1].join('.')
+
+group :development do
+ gem "json", '= 2.0.4', require: false if Gem::Requirement.create('~> 2.4.2').satisfied_by?(Gem::Version.new(RUBY_VERSION.dup))
+ gem "json", '= 2.1.0', require: false if Gem::Requirement.create(['>= 2.5.0', '< 2.7.0']).satisfied_by?(Gem::Version.new(RUBY_VERSION.dup))
+ gem "json", '= 2.3.0', require: false if Gem::Requirement.create(['>= 2.7.0', '< 2.8.0']).satisfied_by?(Gem::Version.new(RUBY_VERSION.dup))
+ gem "puppet-module-posix-default-r#{minor_version}", '~> 1.0', require: false, platforms: [:ruby]
+ gem "puppet-module-posix-dev-r#{minor_version}", '~> 1.0', require: false, platforms: [:ruby]
+ gem "puppet-module-win-default-r#{minor_version}", '~> 1.0', require: false, platforms: [:mswin, :mingw, :x64_mingw]
+ gem "puppet-module-win-dev-r#{minor_version}", '~> 1.0', require: false, platforms: [:mswin, :mingw, :x64_mingw]
+ gem "puppet-lint-absolute_classname-check", '3.0.0', require: false
+ gem "puppet-lint-absolute_template_path", '1.0.1', require: false
+ gem "puppet-lint-empty_trailing_lines", '0.0.1', require: false
+ gem "puppet-lint-file_ensure-check", '0.3.1', require: false
+ gem "puppet-lint-strict_indent-check", '2.0.7', require: false
+ gem "puppet-lint-trailing_comma-check", '0.4.2', require: false
+ gem "puppet-lint-unquoted_string-check", '2.0.0', require: false
+end
+group :system_tests do
+ gem "puppet-module-posix-system-r#{minor_version}", '~> 1.0', require: false, platforms: [:ruby]
+ gem "puppet-module-win-system-r#{minor_version}", '~> 1.0', require: false, platforms: [:mswin, :mingw, :x64_mingw]
+end
+
+puppet_version = ENV['PUPPET_GEM_VERSION']
+facter_version = ENV['FACTER_GEM_VERSION']
+hiera_version = ENV['HIERA_GEM_VERSION']
+
+gems = {}
+
+gems['puppet'] = location_for(puppet_version)
+
+# If facter or hiera versions have been specified via the environment
+# variables
+
+gems['facter'] = location_for(facter_version) if facter_version
+gems['hiera'] = location_for(hiera_version) if hiera_version
+
+gems.each do |gem_name, gem_params|
+ gem gem_name, *gem_params
+end
+
+# Evaluate Gemfile.local and ~/.gemfile if they exist
+extra_gemfiles = [
+ "#{__FILE__}.local",
+ File.join(Dir.home, '.gemfile'),
+]
+
+extra_gemfiles.each do |gemfile|
+ if File.file?(gemfile) && File.readable?(gemfile)
+ eval(File.read(gemfile), binding)
+ end
+end
+# vim: syntax=ruby
diff --git a/Rakefile b/Rakefile
new file mode 100644
index 0000000000000000000000000000000000000000..2906c15babbebe65d3ed29e72a07328609fefe8e
--- /dev/null
+++ b/Rakefile
@@ -0,0 +1,88 @@
+# frozen_string_literal: true
+
+require 'bundler'
+require 'puppet_litmus/rake_tasks' if Bundler.rubygems.find_name('puppet_litmus').any?
+require 'puppetlabs_spec_helper/rake_tasks'
+require 'puppet-syntax/tasks/puppet-syntax'
+require 'puppet_blacksmith/rake_tasks' if Bundler.rubygems.find_name('puppet-blacksmith').any?
+require 'github_changelog_generator/task' if Bundler.rubygems.find_name('github_changelog_generator').any?
+require 'puppet-strings/tasks' if Bundler.rubygems.find_name('puppet-strings').any?
+
+def changelog_user
+ return unless Rake.application.top_level_tasks.include? "changelog"
+ returnVal = nil || JSON.load(File.read('metadata.json'))['author']
+ raise "unable to find the changelog_user in .sync.yml, or the author in metadata.json" if returnVal.nil?
+ puts "GitHubChangelogGenerator user:#{returnVal}"
+ returnVal
+end
+
+def changelog_project
+ return unless Rake.application.top_level_tasks.include? "changelog"
+
+ returnVal = nil
+ returnVal ||= begin
+ metadata_source = JSON.load(File.read('metadata.json'))['source']
+ metadata_source_match = metadata_source && metadata_source.match(%r{.*\/([^\/]*?)(?:\.git)?\Z})
+
+ metadata_source_match && metadata_source_match[1]
+ end
+
+ raise "unable to find the changelog_project in .sync.yml or calculate it from the source in metadata.json" if returnVal.nil?
+
+ puts "GitHubChangelogGenerator project:#{returnVal}"
+ returnVal
+end
+
+def changelog_future_release
+ return unless Rake.application.top_level_tasks.include? "changelog"
+ returnVal = "v%s" % JSON.load(File.read('metadata.json'))['version']
+ raise "unable to find the future_release (version) in metadata.json" if returnVal.nil?
+ puts "GitHubChangelogGenerator future_release:#{returnVal}"
+ returnVal
+end
+
+PuppetLint.configuration.send('disable_relative')
+
+if Bundler.rubygems.find_name('github_changelog_generator').any?
+ GitHubChangelogGenerator::RakeTask.new :changelog do |config|
+ raise "Set CHANGELOG_GITHUB_TOKEN environment variable eg 'export CHANGELOG_GITHUB_TOKEN=valid_token_here'" if Rake.application.top_level_tasks.include? "changelog" and ENV['CHANGELOG_GITHUB_TOKEN'].nil?
+ config.user = "#{changelog_user}"
+ config.project = "#{changelog_project}"
+ config.future_release = "#{changelog_future_release}"
+ config.exclude_labels = ['maintenance']
+ config.header = "# Change log\n\nAll notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) and this project adheres to [Semantic Versioning](http://semver.org)."
+ config.add_pr_wo_labels = true
+ config.issues = false
+ config.merge_prefix = "### UNCATEGORIZED PRS; LABEL THEM ON GITHUB"
+ config.configure_sections = {
+ "Changed" => {
+ "prefix" => "### Changed",
+ "labels" => ["backwards-incompatible"],
+ },
+ "Added" => {
+ "prefix" => "### Added",
+ "labels" => ["enhancement", "feature"],
+ },
+ "Fixed" => {
+ "prefix" => "### Fixed",
+ "labels" => ["bug", "documentation", "bugfix"],
+ },
+ }
+ end
+else
+ desc 'Generate a Changelog from GitHub'
+ task :changelog do
+ raise <<EOM
+The changelog tasks depends on recent features of the github_changelog_generator gem.
+Please manually add it to your .sync.yml for now, and run `pdk update`:
+---
+Gemfile:
+ optional:
+ ':development':
+ - gem: 'github_changelog_generator'
+ version: '~> 1.15'
+ condition: "Gem::Version.new(RUBY_VERSION.dup) >= Gem::Version.new('2.3.0')"
+EOM
+ end
+end
+
diff --git a/data/common.yaml b/data/common.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..11d9b06014445601ec59cd4b69150c6ae6b11cae
--- /dev/null
+++ b/data/common.yaml
@@ -0,0 +1,27 @@
+---
+version: 5
+aes::auth::keytab_production: >
+ ENC[PKCS7,MIIBygYJKoZIhvcNAQcDoIIBuzCCAbcCAQAxggEhMIIBHQIBADAFMAACAQEw
+ DQYJKoZIhvcNAQEBBQAEggEAfFSsoD6ALGcGIKtmxr/5DxCxmDUSAf2M/7dg
+ krxqYfSLDUZ2z4hWCqWotA2urirssyEuf2kKnX2DpVxPN/N8Nzzt6IKwgk2Y
+ EL4EbjOGdbUtH6vQmq4gcbQEs5WRiVDWYeFBvq4+OlLqbnOuaQu4opLzz6R3
+ Syqx7+y3f8E+CaBHHB+6FN+P2LMPlqQQo7eiUSWFFuarJIDm1058yf/qAuhL
+ wlIZW8e5u72g6UDd8pzZzsLp050HJL6D5RJGln3/D41Ovg2UaUYSqcJw+AFA
+ 5U9cmHj+7aaRHaEVqaxbcHCWulD1ayN5T42EhEx3j5BJC7xeI+dWaqfLBTgm
+ dHm8cDCBjAYJKoZIhvcNAQcBMB0GCWCGSAFlAwQBKgQQ6Gqc0YRrzi6w4+sw
+ QGUDM4BgTxHOYZpR3/stp6XdF5dt+LH+MVKobcQqw8f7d9t6ErChN/x2hRav
+ KnKyBQOSoeXYCwc8Mx0OWxI0yFu4uvFYDAT1KqWFYbuF39/xwcAtdd7brWyR
+ SQj5KZjJjZ6I7hGq]
+
+aes::auth::keytab_devel: >
+ ENC[PKCS7,MIIBygYJKoZIhvcNAQcDoIIBuzCCAbcCAQAxggEhMIIBHQIBADAFMAACAQEw
+ DQYJKoZIhvcNAQEBBQAEggEAnNhH1Mg+0TyYNuisBCohVGEQVKjbAZtv55gO
+ fDc34isvjYTfz4l9WRq7tnqZda27sPQnwmc6GaYniogdhKmOiiXxTXc6QmzD
+ T0hCjSfgip6uk6BxHwWz1aBQZPgClqb5sYxTIy90JmWXyqIXyp/HpXpD3e/C
+ oz2irquG4aQPm7FsdufRFF3ZGwIGGHPwkiXIxxPHj6WElG88QBviSBl7/xZN
+ 2usi0O4wqI2Ut/A05ffPxDkTCYNDvXvlMEggTnVnZEiDsANISSmwaEfU7Jwj
+ YZE1R6eZ8h2xWqmEbas8PrpHQabVe8vl7hrW0eSWuyEv9jj8wG9HnaFws7ie
+ yc64YTCBjAYJKoZIhvcNAQcBMB0GCWCGSAFlAwQBKgQQVyuR220gqFTmN33X
+ 6BI72YBgvod9N9z6P2iH0gFVVazciWTHVNcL4qZN4UHGDeBu5MH1wvTBZPpC
+ IcAIbgvoQbriFHLJiL9HIWl6GSe6I/jp9n5veEkhHdT3M0nEEc0hbKWBaELj
+ gTDWfQoET9V1Lrtv]
diff --git a/files/auth/auth.service b/files/auth/auth.service
index cf6ba59421e9918bc2bee99e6bba2ab7cdf1d6d5..74051904c808af69d3c63e2a78abee3e18e03fc5 100644
--- a/files/auth/auth.service
+++ b/files/auth/auth.service
@@ -1,5 +1,5 @@
[Unit]
-Description=Exam System Message Broker
+Description=Exam System Authentication Service
After=network.target
[Service]
@@ -11,7 +11,7 @@ Restart=on-failure
RestartSec=10
# No limit. We won't overload the system anyway.
-StartLimitIntervalSec=0
+StartLimitInterval=0
[Install]
WantedBy=multi-user.target
diff --git a/files/auth/config.json b/files/auth/config.json
index c7d0302ec319c49130670c167861cf1f6665850a..465a73855342c28f4fd10e583775f2ea9ee96953 100644
--- a/files/auth/config.json
+++ b/files/auth/config.json
@@ -4,8 +4,8 @@
// These are in place to make it easy to strip the comments without knowledge of JSON before passing
// it to the JSON parser.
{
- // Timeout for all authentications, in minutes
- "timeout" : 1,
+ // Timeout for all authentications, in seconds
+ "timeout" : 30,
// All groups known to the system, and what permissions we assign each group.
"groups" : {
@@ -18,6 +18,18 @@
"groups" : [ "TEST" ]
},
+ // SSH key database.
+ "KDB" : {
+ "message_size" : 102400,
+ "groups" : [ "KMGR", "AUTH" ]
+ },
+
+ // SSH key manager.
+ "KMGR" : {
+ "message_size" : 102400,
+ "groups" : [ "KDB" ]
+ },
+
// Admin clients.
"ADMC" : {
"message_size" : 1024000,
@@ -27,7 +39,7 @@
// Examiner clients.
"EC" : {
"message_size" : 1024000,
- "groups" : [ "", "MS" ]
+ "groups" : [ "", "MS", "EC" ]
},
// Student clients.
@@ -50,6 +62,29 @@
}
},
+ // How should the system tie acquired identity strings to system IDs? The information here is
+ // used by all authentication systems that figure out some kind of identity and need to tie that
+ // to some kind of database ID.
+ "identity" : {
+ // Address of the server that holds all identities.
+ "server" : {
+ "group" : "DB",
+ "id" : 1
+ },
+
+ // Mapping from group names to one or more categories that users in that group may belong
+ // to. This lets the system know which tables to examine in a query, and roughly what
+ // permissions are required for the different groups.
+ "groups" : {
+ "SC" : [ "student" ],
+ "EC" : [ "staff", "admin" ],
+ "ADMC" : [ "admin" ],
+ // Note: This might not be a good idea in the long run. We should at least
+ // put "admin" here instead of "staff".
+ "KMGR" : [ "staff" ]
+ }
+ },
+
// All authentication methods the auth server is going to support. Each method may appear multiple
// times with different configuration if different groups are to be guarded with different levels
// of security.
@@ -57,7 +92,7 @@
{
// A list of groups that we allow authenticating using this method. This is mandatory
// for all elements in here.
- "allow" : [ "TEST" ],
+ "allow" : [ "TEST", "EC", "SC", "MS" ],
// The debug auth is the simplest. It just allows whatever the connected client
// claimed. It is not good to use in production, and is always disabled unless the
@@ -65,7 +100,7 @@
"type" : "debug"
},
{
- "allow" : [ "DB", "MS" ],
+ "allow" : [ "DB", "MS", "KDB" ],
// File system authentication. This works for clients on the same system as the
// authentication server (e.g. DB, ARLA, etc.), and relies on UNIX permissions. This
@@ -79,11 +114,11 @@
"permissions" : "0770",
// Group of the file. If not present or null, we won't change the group.
- "group" : null
+ "group" : "aes_local_auth"
},
{
- // Slightly different requirements for ADMC.
- "allow" : [ "ADMC" ],
+ // Slightly different requirements for ADMC and the Key manager.
+ "allow" : [ "ADMC", "KMGR" ],
"type" : "fs",
"path" : "/tmp",
"permissions" : "0777",
@@ -98,29 +133,19 @@
"group" : null
},
{
- // Allow authenticating EC with Kerberos.
- "allow" : [ "EC" ],
- "type" : "kerberos",
-
- // What is the address of the database server we shall query for information?
- "db" : {
- "group" : "DB",
- "id" : 1
- },
-
- "user_type" : "staff"
+ // Allow authenticating SC, EC and AdmC with Kerberos.
+ "allow" : [ "EC", "SC", "ADMC" ],
+ "type" : "kerberos"
},
{
- // Allow authenticating SC with Kerberos.
- "allow" : [ "SC" ],
- "type" : "kerberos",
+ // Allow TEST, EC, SC, and KMGR with SSH.
+ "allow" : [ "TEST", "EC", "SC", "KMGR" ],
+ "type" : "ssh",
- "db" : {
- "group" : "DB",
+ "identity_db" : {
+ "group" : "KDB",
"id" : 1
- },
-
- "user_type" : "student"
+ }
}
]
}
diff --git a/files/auth/keydb.service b/files/auth/keydb.service
new file mode 100644
index 0000000000000000000000000000000000000000..44946874e42930ff54549e1f11c938f50296e8cd
--- /dev/null
+++ b/files/auth/keydb.service
@@ -0,0 +1,17 @@
+[Unit]
+Description=Exam System SSH Key Storage
+After=network.target
+
+[Service]
+Type=simple
+User=auth_keydb
+WorkingDirectory=/srv/auth_keydb/
+ExecStart=/usr/bin/env python3 /srv/auth_keydb/src/keydb/keydb.py localhost 31337
+Restart=on-failure
+RestartSec=10
+
+# No limit. We won't overload the system anyway.
+StartLimitInterval=0
+
+[Install]
+WantedBy=multi-user.target
diff --git a/files/auth/on_update.sh b/files/auth/on_update.sh
index 848eb18d98a071272dd245436ebba2857775a562..7a13654e474b977a29cc3f2e1af013a944d5bf46 100644
--- a/files/auth/on_update.sh
+++ b/files/auth/on_update.sh
@@ -4,12 +4,18 @@ run_as_broker=$(cat <<'EOF'
cd
# To make sure we have a decent GCC in our path.
source /opt/rh/devtoolset-7/enable
+
+# Use a newer Boost.
+export LIBRARY_PATH=/usr/lib64/boost169
+export CPATH=/usr/include/boost169
+
cd src/auth
make clean
-make
+make -j4
cd
mkdir -p bin/
+rm -f bin/auth
cp src/auth/auth bin/
EOF
)
@@ -18,5 +24,5 @@ EOF
sudo --user auth --group auth --set-home -- bash -c "$run_as_broker"
# Then, we can restart the services.
-systemctl service restart aes_auth.service
+systemctl restart aes_auth.service
diff --git a/files/auth/on_update_keydb.sh b/files/auth/on_update_keydb.sh
new file mode 100644
index 0000000000000000000000000000000000000000..3ed0354cff24082abb91955c6e78a5d67b01fa30
--- /dev/null
+++ b/files/auth/on_update_keydb.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+systemctl restart aes_auth_keydb.service
+systemctl restart aes_temp_userdb.service
diff --git a/files/auth/start.sh b/files/auth/start.sh
index 435ef7e06a8b905dd40bc97cec5803dea39b17e0..51242d34df28bb2b24c176c1770acc328f5caba8 100644
--- a/files/auth/start.sh
+++ b/files/auth/start.sh
@@ -1,5 +1,8 @@
#!/bin/bash
+# Set the keytab. Otherwise, it won't find the appropriate keys.
+export KRB5_KTNAME=$(pwd)/keys/kerberos.keytab
+
if grep "aes-devel" /etc/hostname > /dev/null
then
# Allow debug auth when on the devel system.
diff --git a/files/auth/temp_userdb.service b/files/auth/temp_userdb.service
new file mode 100644
index 0000000000000000000000000000000000000000..d0c3df8759d34b643b37bbeb1b6658a05a3ef91a
--- /dev/null
+++ b/files/auth/temp_userdb.service
@@ -0,0 +1,17 @@
+[Unit]
+Description=Exam System Temporary User Database
+After=network.target
+
+[Service]
+Type=simple
+User=auth_keydb
+WorkingDirectory=/srv/auth_keydb/
+ExecStart=/usr/bin/env python3 /srv/auth_keydb/src/temporary_userdb/userdb.py localhost 31337
+Restart=on-failure
+RestartSec=10
+
+# No limit. We won't overload the system anyway.
+StartLimitIntervalSec=0
+
+[Install]
+WantedBy=multi-user.target
diff --git a/files/broker/broker.service b/files/broker/broker.service
index f4f902a4c516a7fc7358f54605082d5c565b4f74..751cec9243a3fac5e5e965162b3926e301589433 100644
--- a/files/broker/broker.service
+++ b/files/broker/broker.service
@@ -6,12 +6,12 @@ After=network.target
Type=simple
User=broker
WorkingDirectory=/srv/broker/
-ExecStart=/srv/broker/bin/broker 31337 localhost 31338
+ExecStart=/srv/broker/bin/broker --ssl ssl/cert.pem ssl/key.pem file:ssl/password 31337 localhost 31338
Restart=on-failure
RestartSec=10
# No limit. We won't overload the system anyway.
-StartLimitIntervalSec=0
+StartLimitInterval=0
[Install]
WantedBy=multi-user.target
diff --git a/files/broker/cert/devel_cert.pem b/files/broker/cert/devel_cert.pem
new file mode 100644
index 0000000000000000000000000000000000000000..d29d81e472a583467de101454502af9be28c0664
--- /dev/null
+++ b/files/broker/cert/devel_cert.pem
@@ -0,0 +1,34 @@
+-----BEGIN CERTIFICATE-----
+MIIFzzCCA7egAwIBAgIUUovCzY4lSVRxKYmB4g1oU53OKugwDQYJKoZIhvcNAQEL
+BQAwdzEdMBsGA1UEAwwUYWVzLWRldmVsLmVkdS5saXUuc2UxEDAOBgNVBAsMB1Nh
+Uy9VUFAxIDAeBgNVBAoMF0xpbmvDg8K2cGluZyBVbml2ZXJzaXR5MRUwEwYDVQQH
+DAxMaW5rw4PCtnBpbmcxCzAJBgNVBAYTAlNFMB4XDTIxMDIyNjEwMDUwMloXDTMx
+MDIyNDEwMDUwMlowdzEdMBsGA1UEAwwUYWVzLWRldmVsLmVkdS5saXUuc2UxEDAO
+BgNVBAsMB1NhUy9VUFAxIDAeBgNVBAoMF0xpbmvDg8K2cGluZyBVbml2ZXJzaXR5
+MRUwEwYDVQQHDAxMaW5rw4PCtnBpbmcxCzAJBgNVBAYTAlNFMIICIjANBgkqhkiG
+9w0BAQEFAAOCAg8AMIICCgKCAgEAswRwlpwI6h6wpoJEo7jjTxa99WDMXFkCJhan
+deOoPC7b531ZCCq7Dx6I0CetaC3GkURbLpZX8fYLZTZCsHI9qK2C+30fzGv6i9Vn
+0Z84FRfoRwiIudJa+Cn1hJXC3vViUusCqLbHhjN2buEwGpBXMcGF80cRaiwz7m4Q
+upgZX2Rj1XJVne9calcDw9EKq/N0kd5JW+AS6cpJ66f8brC/5M9TJIPljtCHMUd5
+FJhUP7otQZAL+3sDiZ5OBRIX6rd/JRzGbiDPUF8+Bg5ZOvzRq/e2rkIncdTFGpVM
+YLncTYUgQBc+zp9pmQo6HSK260N4JXiz3fyi44GcBviFfkwLN2OJ+823l3+TlBCq
+ucHZiS558iZbrlaW0quJdq+4zt34595yC66quWUnflv4NIj4nUqJYeppwdG06Ena
+6tdvw10+iv/1TKiT3OgeH8n70weK0tfvAyedOq8MnDk5ZE7CiKSe9pe/o73LGlDB
+PSazOWYmGv+Bo+hCzXGhusf1ybhfZ0u4fLXC7x9SJw9+Du7xEVzewNsNDdP/kf1G
+1wovbhfsvi/uYe9rBDSl3UjP5C1TjyUupBuRXYGM1hUyKKd7b05MVFa+Muckxf6h
+UZavzvrl5xuRvnOFjyTmdCEpoV9tKitKuLm3KS3/ndf5P1KIAJDIiIpj1ACeTXs5
+u+v1h3ECAwEAAaNTMFEwHQYDVR0OBBYEFLd9Gndboy46YZ6xS47UZzLAN+gJMB8G
+A1UdIwQYMBaAFLd9Gndboy46YZ6xS47UZzLAN+gJMA8GA1UdEwEB/wQFMAMBAf8w
+DQYJKoZIhvcNAQELBQADggIBAKW1LvBeX6enapAfKXyJ0Mb5oe8qaFXp06ZLPVWV
+R24I/bPE/MfzL7DjIONuugwaOILKRrHkXnfrB23pgn3ZxD3ZASy5QYNYgs/xfaV8
+fB8xks3cg0oWYXKHqoZHDJuiUJOc6tHysC1YtomJF4fQZ11kfxiy+7fJTSf9MNET
+lZrJ5pIb3/ZYGGz6yjMinRG8lscgVPJiQCh0ItWEMmI3ml+VbzDgUH/9Sh6cSZwf
+tIrnlheRe7i6NN753LcOROCn2cm+WQZTpfAGwXuwDbeEotybG1Zws/fB0EVQt8sK
+04MHbEfp/jCd4emetPCgXqmNd0KHCk8wSoSduppc/qRVWStrf1YdH3UbpyK5nzFN
+op9wWjuRGV5wa7AYuElIlfu771k2EGH/CbHzT2kal4+4PYCz9ADnVAxLUF7VzQNw
+Aieks++Kn+vl9OGa8sx3xwyq4IaTr2GJbBV+nDYpsNli1uk3lSDski0Mskyagdbg
+H/h4/q+eAnEF8lPOTB+Ru8yR7pXcingyWdbAc0jLM4NUv0m+drGFtrKTWaDoFL5A
+E9Q9J66Klt1AU2wCRl9hJdvJ/Hz05q7QdFeq80aUywA3GVmkfwOPQY7Dh9WxUYuq
+NPTzglKI/UYLuCzp1sT2W1QtKyX8Zqrj6LDhq39/iVye0q77hZanjHrsOM7TL7E8
+7u84
+-----END CERTIFICATE-----
diff --git a/files/broker/cert/devel_key.pem b/files/broker/cert/devel_key.pem
new file mode 100644
index 0000000000000000000000000000000000000000..9d07bd725ddb36ed2d10caffcf9e1268d7bd20f7
--- /dev/null
+++ b/files/broker/cert/devel_key.pem
@@ -0,0 +1,54 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIJpDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIdZFHLQGgpdoCAggA
+MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECOB27pdG2YGEBIIJUFv6rQ32jAF2
+Qz8kcOTz7MB1e//TgL3R44oLEY83uWUtFnvSMsBq3YsPAlNboR/bLj7ijFVUojKS
+0Bm6FTMyramN93cexWNNWJDyLaU8vZEEC230x57/6qf+80AjCxg5BGAl/xTpRgIn
+m6lju5vAGjconb95UnII0BzMmEE/FtGpM5vBg9EAU0/YYTXkDKi3yFa7+hidF54K
+0fOC2CUxVxXiP/pNJbgivvUmt/9Ae7BZuqzXlEj3vTxrAWzXW6GS3fp0rR2YfLgx
+mZYfcEEFvQex+AhtirgpV2U+QK1IUmh7NlFsnJRn1uoxU+r2jYRluQ76t6fypRqi
+Jbycx0zVuKdWm3x9np9dsXUU/ovyFYIwLzaBd0ZTN+clBkHbrfF0UlVupeUngS3p
+2uFW59iYKF+Y1E7X+eCb8okI+ODiDT5xgkU8Mle2F62wA1bugAgK3KQs5JeUI5aW
+KQd5XlKfEAXDJgu6UFx2vV/qm1Qv5aWjgzm7ccRWVto3kdmHSvTZtMF82lhn8eMA
+kG5Yd4ilyHLUJ+A3A+I+weQsUMTU0ZFIUEMwOzT7kmeBJBKiX4dZ+y6QDuebc8OR
+vo/bijgC+eWu/ODMm1PYV7nnsLDrDXueurAPMBot/aDbJpyruuuE2EZ9gdg5z46F
+impegAMZD7xIKJmbdwa1aHJjAk3hdtano8iqQq9QvJiu9ncTBAgGeTdgRUNg3BJI
+uVLkG5C3tGBZ56oUDu8BKZXCKhKAUZ2+ZswDpNjIxW42s3QHlJ9p9UI+QSTF7dyr
+NSh7qOU93dhBeCzUoqkgzWYfh6we2+RxzrWENkVIO76unwsJItU5hhnVFGF7U5dv
+2QojZNHYyhU/D+j+8wJioM8NJwWw2dhQDRi0R5mJZCkoO1iZLM6o7XcSw1Gs/Py7
+EaLR26s69tzxRxbmuCkBtLFKljUF40YyNfAtVlcsml1laf24yhaqYYSIZDJq4jCD
+TbK3wMaP7WD2tXD1lQwDRLZ0ygQsYKl+UzmbmF4iAiUDjSgnkAyyvx0BVAOdY/bd
+6Q8fNIwqHE4VBNyUuEco4ft3wtKuJNDYAMX8JuwYK2MJOya1DOyfE6kFVYjJWvfd
+54mKhyAGQhYQQqC1Shbd4x6Q7ZC+HA9pGH/EcOhtt5oww6zyE6sEJWphJ30Aiko/
+BUCneIeTcI2hzgaffkb5FxrXFfttufsi/URVnPGF9UeV5jwhd0quiFnI51kno0rK
+kEsfyYSf5GM5PieM9Q3/MxTtqD3hiFFh6G3Y6D75WHuNHlRNIxvn1MYDw0krcteK
+9rtY5KTGcKC7n0EVyFKVBgQuaapD1XD70PWUZRhVjaAj4Tv3XYCc34dXmPNOc2eU
+cyF480w4Hant+yecHQx+ddnHiW7MXOZKnZVYqTH7oOUkYOPm1MZhwKLVnINfFIxz
+fp16ZMjMJ24Ni8saXXtaZ68K0y/Rau107aulrRNdck1YZ8jVlwRqGPJPIFgsB303
+MEhRhaT57XEUFoWBwv7pwYjVlMxRwVzvhnj8FOqrQ42QOhvUoYOVdkhjPgDA8g3l
+LlvT4MovtAEHWPg8Iowh+cUru5SXDp7sLy5gMtJ6EacSRYz+xV9FcAJbQ2vtELYF
+AhkjEUJzFTfb9NKrq3nfRObK1wfBAjc+aHI75k49mfmkH81xGQd3YlGP3s91jUCw
+wcA8zmVbU9xX1Tf7hm7Y+EIt6lZCC/ZE1q7iwML/YJH3Y7Vi6+USxulAx7ZXMYuM
+TO/cuiYCdcptJD9iXoAUHNlcgnDtuiZBE9AOJmYgZWAhiQAk7ng/sECjg3u/v7e7
+XfuuaExNPc3pigtCsXDLbODkerLjtABdAS414SK37Ag3h9xcoIyEZVz8rRDWm/U1
+nllTvhawJ+w5zy51R/LibCfalmVdiQslSTBaQ/nFB+lmMdKZoRO85v2DU+sL79rg
+iM4yboM1otjV60dkf2QjiLT6SclAUHM82s/CQZ5nmDLsE5SOJVOI9VeZLBEuclQH
+HojaXp0gZRcBrhjPDqfsY1viFtnvaj3fAEFCp87Z9mysXAvo+m/n1JuNvoOairih
+SxJdzDrL3GkRmPmMszCuPfrDo2Wm8br3piRDRTSFF9Wd/3VQInB5cB6UzMs36qNN
+i9vS7DecOKogJlvKMDN7DZxr16efWWeeVa7+2odWDeEGj/Vmjh3rb+AApSn3uVC+
+YGvmcpY7IJ7iotoA7gzy+E4BwYRT0TgNGQMt0lr6NibM8smfK/BBoTKSKjo7lhvl
+V88+n5IMv3J8IezA+YVd4adYmFfq14ET35pNe6VHv3GGT7eg5Q97LKkkj7IiKQ9y
+rZM5XUhQpSm29hjLsSrscEv62aKMiXOoZr/Ktsrm1O7IW7dCeSB1dFoZbbUZUlmW
+ci0x0pmcLN5tBFD8GEkl0g+cDeqkVXMkV6sFUKRWFuo9golNraUWfswrBUSCfUsW
+I31zRX2MWZvLlDlFalPQ7QD3Rgy+QoiCm5IQMSjmi/vhPKKDjOGYLL+HcV7QKwoN
+JJPRTF8L3Rrcptse1T7Z8+8C4DysQuyMYInb/2/un6C6n0xVXy5eMtrNNtlWIQbp
+Dp/8YV2CPDJOFjZ4EcBLVW4+VpZezXVD9yPFjoW31kpqDJs+sPklYVCyte2tprFG
+5AumR1okzL6BzNwPJ5S8DCvhrkOoVLUSujg9hHLb4BHihRfc9i5bZI9+v2Avnlxv
+oL3bxb8+xwtnSiloO2ZgHZ10cOnRAA4gHy0evMojsLUFsz3W8f3zCXkQNxKLDLZt
+J/SpYx0FAVIxeCXJP7OU13qK49wzWtq+cr4mMwBUyv8eal5BvDiF6p+F6JjHZjgk
+ymP9UDPoDf90f3l69rk9GmBJtzsjdGQVOaER7H7gmQPNeyySRHgCoFuCE4uxpB4M
+EVEWlfez+IHKKQfh0yWE8O+zy+lr7villSLYJSuFMPm5asMqahxEaQOB09V1uUN5
+iEpPu9o5Nv7bgbMKiqHXHFgyQuh6vJ4ZuKMU/GyRRHyfj592r43NZ3OxiTCtI3Ka
+BMk8vDPtTjxnpb1ukPQJIEHRIdPJrMiIC9vUOKmWSMyVtdqULhzNiorMsjtI8cMS
+0xo51Ib5fQKU7meVi7UmZ4oi85eRZVPsX12vauEtALGzqSAvZD+nBuKEskNSNiLF
+I57ZHP1z3jUCX+T7Y3mGVsu0vTZRGePT
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/files/broker/cert/devel_password b/files/broker/cert/devel_password
new file mode 100644
index 0000000000000000000000000000000000000000..d9d1c8cfd42f0db4e4526758d59209b9f44eb72c
--- /dev/null
+++ b/files/broker/cert/devel_password
@@ -0,0 +1 @@
+upp-aes-devel
diff --git a/files/broker/cert/production_cert.pem b/files/broker/cert/production_cert.pem
new file mode 100644
index 0000000000000000000000000000000000000000..514adc2557479687eb148c67c0c61beb9a46f21d
--- /dev/null
+++ b/files/broker/cert/production_cert.pem
@@ -0,0 +1,33 @@
+-----BEGIN CERTIFICATE-----
+MIIFwzCCA6ugAwIBAgIUPGonFCe9e5LzywN67bHbIOdPGTowDQYJKoZIhvcNAQEL
+BQAwcTEXMBUGA1UEAwwOYWVzLmVkdS5saXUuc2UxEDAOBgNVBAsMB1NhUy9VUFAx
+IDAeBgNVBAoMF0xpbmvDg8K2cGluZyBVbml2ZXJzaXR5MRUwEwYDVQQHDAxMaW5r
+w4PCtnBpbmcxCzAJBgNVBAYTAlNFMB4XDTIxMDIyNjEwMDUwM1oXDTMxMDIyNDEw
+MDUwM1owcTEXMBUGA1UEAwwOYWVzLmVkdS5saXUuc2UxEDAOBgNVBAsMB1NhUy9V
+UFAxIDAeBgNVBAoMF0xpbmvDg8K2cGluZyBVbml2ZXJzaXR5MRUwEwYDVQQHDAxM
+aW5rw4PCtnBpbmcxCzAJBgNVBAYTAlNFMIICIjANBgkqhkiG9w0BAQEFAAOCAg8A
+MIICCgKCAgEAtlErHFreFJsL20J0WoF3unE/AhmQEK7UqMaO2g54fxuYNTPu1B/K
+MS1TiQS/gYmnKXyIRIhdf4gBUqRraqHNH1D07BqZitRNDYMA9AFM7StgjXlsObDc
+ZgsAMHXXD9GR08Mi8FjVCoMweJgJPJ4z5W+hrMntAN/2z/cpdMV+a2CVJra6qvVR
+pQF9GJkToq+e+m0t+t3O1i04IBKmEnHeXaNI+Zf4y0XAiysz8t57JCWxfF5w0HaC
+sOv7o7awU6Z1yTe5fSlJBlkHfAazsgy17Ic+2H9oWdtEzQgOuzNNtke/IKkiXzx0
++CKkf9g0jv9WUxAjK5PwIhu68HGrUiYT8W4IQchl86Kyk+aRJZuIVw/ZNwLPjf6e
+Rngnq/zejv5OII61SfHR1zJlNcBroO0WK3e9ecRd/mXJPLj7Iwo1/5krvHeJ6vZ3
+DB+J2wtGQZAHAnInH/+YzcVK4PpjKjFv20HoaRL72eOmIYQZTaQukunfcrCFLvRZ
+eMUgs+xbKEreENTdaP3lM7eRdR5rnJSECPaHxps2EfsMZ+3OLqARLv42KALbsCC5
+Qx05RwFTjBr11WfJR5h5S5DBj775ebu/pP6ifyYSwMx2y59YYvxHRYdWK7h4KXnq
+rG8hqZ6Esn5bMIqWKRQyvrEIjUV+N76dSuD9GNFLDODMoIVJF6TJLVsCAwEAAaNT
+MFEwHQYDVR0OBBYEFO6lfpOP6ACNfuLAqVAg6PD36fKEMB8GA1UdIwQYMBaAFO6l
+fpOP6ACNfuLAqVAg6PD36fKEMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEL
+BQADggIBAFrpmBfBUT7Hp+NRMgMcJPTHdf3JXTYdEaYeZcerVkU6RD+5IsBBgX7f
+WSYBTn7Ru8Njo2P/PyQ4uWYOud4oMI12rcqp94EVQTFU2MaTpCk0OpD+entfMwK8
+B8eEaCrj0zNS2pICYTAEwAQIhJv9B53Ip5HO9Niva4BCbjN8rrCaE6ODUqBWFSnS
+P3UHwcz+kj5vl6cVfUP4JMloKHOjcNmrTVLSBIjXYrANlE++PNAnc9IO8jGv1eZP
+DytvBm5KK4R7FNgP+ykC0LaNvw4zHeL7E+nbTIt2HOfvQnrDtTpaYXuuMg+wqn5l
+yLmyFEtesQj3teiH9i1G7RKtNEr3ShYFsC+nGeVQGCgJ3RUBgwMTN9fLlgeYdKe7
+ZP/Hb15Bw/FnphomWP5usvCKutj+i1dMP+uHVdUtM6BNDGfe8amjhA9Uw397wvfu
+MFjzcey8BW5IhJSSWJzSC+UKeLTtGOAoj2kWr/e8PrzQWBiqi7EbdrGFjfd+VCpT
+Y+8L0sFd+DoEXW0/SdSWWthp1j3OReufpCE+Kgn1pp/ZeEUAO0d56M310EfH5+ej
+9raCY+qtyFjxIDOw1AVgSx1kTtZhi+wyFnqM6zvbKIogyR+tWeBNAoZTILDHh6Z4
+h4+UdJOoBSnNqpL9DHTUgbZJa6swkeorlUsKMJ3IJEmQqqE8gWJD
+-----END CERTIFICATE-----
diff --git a/files/broker/cert/production_key.pem b/files/broker/cert/production_key.pem
new file mode 100644
index 0000000000000000000000000000000000000000..0b60adef2c4d7e45894b85ea58ea263e381db884
--- /dev/null
+++ b/files/broker/cert/production_key.pem
@@ -0,0 +1,54 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIJnDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQI0F2iqTcGrykCAggA
+MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECAgfrAxtR0Z5BIIJSF+E0NBKi4hg
+vwIzr/aGQ88utJ0VQe0g7LcdQAngEOJNNWxT7GDgf9t/VXhPhmNBDmWkfWD+uqku
+HQy9/Ys77HsxaOitN/NVYO4bmlTuMHERmVzvLJXMmLNMrkd9+MBcklWsXxPWnoGH
+8Yrcf23vaE9KAbTMl5+OFgRI1592b08Z8pQVw65N9xSPH8FgzSb/87kpmiAzG6Dc
+zv6Vkz+DYN3pfXhsL7HLhVB0/VZbTLy8on9dCnsK7ExsyOLo4GrGH9CXMVu/TKhZ
+39REnkFN+BrUVgUEJeeEJlKU/7tHRSBiXUQcHHI8tIUY8S6V/0WNBq0vxJX/DCRu
+L4XYeSaVIjiq6cahNE7LGxJ4XP6wEPcvlzaqab/tOIpC6Q2Aaxu5zEa06DvJqiSI
+CCqiW6rDtrcRkyuJhYL2bb0hULywnRAWmRPwcyHHYqM/ltpODV8Wb+CU55Zi2Up5
+T+Yl2dVE75Gino1kXGzKCgoFHREOxYBiH6jrRCSBd2eY9L6Z2iH/gZXBDqy2O/TL
+ReGawEoBfaETWs5m8cIrRH3RZmEbF4lkH4AikekUoF9bCKvdDSurYanX/V0P2uVj
+cKnTDrTvnJCUxreqOO2fwUksbaL8ZQmuHvibQAHqCTEVNyAM/C3+H5M1hCWWJaD3
+hbL1afPeX1wm9hKkcDQZkKFrOrF1oiEuaku5/+UmA8Ha2uVMFgWXco/qVISWyRPv
+XmngamOAlPc6e5fzzHcBTchMjb7Fgb/n6t6T4nghkehx7MJRx4y8iBYu3qsCYxGH
+MXtrZtj/hxcMfk954CWsj9XA+sK70M3qug3RzsTZfviy5CFf3WtAMK8cT82avwF9
+b9YZRNwNgnEdkQ1OIFzEji48vTiTzKxrXGWs/8WoQBbmlF6civ1OnABW1phH/n+W
+3N4OPT2ZVxebsV7nhqPQHkhRuRqJEKA/9ziFuA9jI1OrFZMKr9/4wf+0WWwL1BiO
+Xo8hLp78eMsuk6yqGu4l0q3aaLQdbdAK3IVQA34J8fILAGZdNyO6Anjsp2VkKOus
+9EDXOVSStCXAayVLZqATcunB/EAQCxk5hT5KJuexRFVj76RnODynxqlsM44GT0j7
+MoF66eZ3Uiyoq6V/02l5wHWQOp42PhLIs5QJTKGkvq0nZLEHO7pUxCL2fPoLX8t9
+Z3aZrXnV90XQRA/70T9hWKNJEOZWnLWVe+CeYVfrLVXsT4RMJN6A/MgSbXden2As
+vu0jx9I6r8NIkBHFwhz28GHO1O8k6LP8oX+kzDBstx8zQcp/bJHwnSePVGJDHWUu
+S8GtxG4KZUjOYleOjnJMnoiK1OQuOyx/6Vmgr7cjXcbXu5l1J5ORRFCBx+7Efy5/
+Bh4Bin+Hyqg7uoPeyQt71UbChYqKBVRkkQEjzE/Ql7Qz8gqAYCFE4cb4t28Lmj+1
+zNQeAVU8TUbnVi7prlcEv5oKolqj1XrfOlXdurH7iTTmPhnoPtwrg+8BXJkAAgfc
+mxj3F86GFzdlWT6nzF2jBatBnq4RBtwqlf11ph8OJBP5TCCCXGMdkdxfJxdmsjgu
+I4WDikGd1dycamXaPiDKWZmPRl5mGTzrVsYLgFQjC0cxOpds1MKzYv6x8HyjpjC0
+Ljd2nMQD5C/hr7frEqgHno+OmqWw0mohSNmx3QVHcBsXyFPvqWAEl545+O7o6GRa
+oqo3WTxTGtlYSqRnYAafNnOkDyZ3g5skWxxrTU2pYZF2goiyLPGlO3hg+sTbUNYI
+hQjKmaoY7538BkLdZ+yU67T5kp5CnuqL8VZegkSuGQycEGneHdn0qKBCBnTjULIn
+m82iLF7Fhnd9c2cV7ZQ7xOuIxYoV0S5FCbGlcQP00nQf4LADmbrJme12O/avCDiQ
+NLUc3UN2WmSjbZ3ftz0i9Y5BJawIT/kkroHcJd65UJYMaTJ9h8wAaT4giSZo+XFv
+Porx0YXQbRkiWSuKLuzTuxTwgEpL+HP+XskTD/Pq61i7B/WwynWWsp2fac4Hfpn4
+s96wHFHUSqIpVn0tLb49xEK1oGvcpXho4WMzGx6YEacCv146eKWEagsHlh6ZlTOm
+18X/DGSgY5kJUc50H5z1wCYBiOS0D2y8fqIssknDhW2QuYVwepnm373EDzJtHOxK
+JAzwCgWdNX/tSFz3ttDVF4OV7RW0wbvldzZgurjZ6osT7VQc2aYKHfJm51x57h9o
+tOStaPVeXVP8ndR4dbLN0bGtaZnQ7ysQ0U6j9xwPu+wsJIKmwwRWONWD/zYb1BTP
+grmL7a/5dXeXa7dDdZVWHWXB9wA26mMAL45CzkkmWlN7juArkDVRHZ7oPOPRasEy
+pGI/CBFWFWVeaBWBNgWErr10YgkrYp/1lIwFCZaJ83Xc65Vr8baYtCI74YQ/bv1W
+akEH6ySMfUUJLAByK7Q0JjVg7v2IIzBdrn8YvuTICLgTKFg9i9rx4T9ZEXJhAXfk
+wMDHkVsn/dUx253besMV0OAp3B6qElXBUPvPqSPVdYbiUW4I9SBwDKZFYSuwhZ1d
+PGMqEDDi2uKyRtA6dk6XxFIsPEEDL7iT2Cxbwa9kCbxnA70yMo/ymgxXVAXhXHRZ
+RNFDvs8qzLQTgVESt0oTOG047g7aQTUQSkL+JI3CRTKix+CsIqoSg7Xr0X0vL806
+uv96OsIgBeH9X3xaSHfkzBqgERuO9msDvGMFp75bhhkfE3SDCwP11FiUMs277jDG
+RfrLje2S5GSa6DWeVk6j/scSUOkSThTTooH1q6uAKbtT1SM/nG5Y2xqd3ZHlUMiX
+KeKZqAIEiSeNIbnyzjLXz08UC3vHCdii5IVIISHNWPkRNgf6NgmtwB/4yH6wHczR
+89O4ZyNfEHuhGzO2FGAMPrzAa+UrjsClct1MmPXQnvi2pOtX95uA0gJ8YgxKGULE
+F3vIQcMwthqA2J9r1n9XH+eAmliUhAwhQ/cK9fCUvEOUGGvlZE0BcP20brV7dalH
+kLXTmkHnTKMrAEq2I5q/Mp3ItxP2ma21i+z1B3T4cModTrH1yWVCqcU9mn2iEvf2
+ZI0nHsV7ovrzlG4Sp1MxQmL0aQqnFpCuts68U3wb2QvA8fmrZL0KtpkHPBa3z25l
+4gx3iPK4NDgrv3oUlHZ6eHtxv6qL++nWgKzH4DJ/BjdvyELYDS2tYhTuOafb5Jtr
+QAbRP+JcUVzO6VU7h9DDzQ==
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/files/broker/cert/production_password b/files/broker/cert/production_password
new file mode 100644
index 0000000000000000000000000000000000000000..cc0c88b0262c1e678e69836dc4bdd7d2d61ee06f
--- /dev/null
+++ b/files/broker/cert/production_password
@@ -0,0 +1 @@
+upp-aes-production
diff --git a/files/broker/on_update.sh b/files/broker/on_update.sh
index ec79273b6940fe8e71332d67f6278fd52283bbf2..1e6a62c2563fc353ed58fd4c00cb75e0d90d9409 100644
--- a/files/broker/on_update.sh
+++ b/files/broker/on_update.sh
@@ -4,12 +4,18 @@ run_as_broker=$(cat <<'EOF'
cd
# To make sure we have a decent GCC in our path.
source /opt/rh/devtoolset-7/enable
+
+# Use a newer Boost.
+export LIBRARY_PATH=/usr/lib64/boost169
+export CPATH=/usr/include/boost169
+
cd src/broker
make clean
-make
+make -j4
cd
mkdir -p bin/
+rm -f bin/broker
cp src/broker/broker bin/
EOF
)
@@ -18,5 +24,5 @@ EOF
sudo --user broker --group broker --set-home -- bash -c "$run_as_broker"
# Then, we can restart the services.
-systemctl service restart aes_broker.service
+systemctl restart aes_broker.service
diff --git a/hiera.yaml b/hiera.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..0485d51b337619178813a462c5dd3aa1b1f8294d
--- /dev/null
+++ b/hiera.yaml
@@ -0,0 +1,19 @@
+---
+version: 5
+
+defaults: # Used for any hierarchy level that omits these keys.
+ datadir: data # This path is relative to hiera.yaml's directory.
+ lookup_key: eyaml_lookup_key # eyaml backend
+ options:
+ pkcs7_private_key: /etc/puppetlabs/puppet/keys/private_key.pkcs7.pem
+ pkcs7_public_key: /etc/puppetlabs/puppet/keys/public_key.pkcs7.pem
+
+hierarchy:
+ - name: "Environment"
+ path: "environment/%{::environment}.yaml"
+
+ - name: "OS family"
+ path: "os/%{facts.os.family}.yaml"
+
+ - name: 'common'
+ path: 'common.yaml'
diff --git a/manifests/aes_sw.pp b/manifests/aes_sw.pp
index d4700177d03dfffb0e7fc42fd97eb22cd900f7f1..d907ca2f141cd5e5d6291e387c19a49e1dc3f613 100644
--- a/manifests/aes_sw.pp
+++ b/manifests/aes_sw.pp
@@ -1,7 +1,7 @@
class aes::aes_sw {
$examadm_user = examadm
- $examadm_group = "${examadm_user}"
+ $examadm_group = $examadm_user
$examadm_home = "/home/${examadm_user}"
package {
@@ -13,27 +13,27 @@ class aes::aes_sw {
ensure => installed,
}
- user { "examadm" :
- ensure => present,
+ user { 'examadm' :
+ ensure => present,
managehome => false,
membership => inclusive,
- system => true,
- shell => '/sbin/nologin',
+ system => true,
+ shell => '/sbin/nologin',
}
- file { "${examadm_home}":
+ file { $examadm_home:
ensure => directory,
mode => '0755',
- owner => "${examadm_user}",
- group => "${examadm_group}",
+ owner => $examadm_user,
+ group => $examadm_group,
}
- file { "/etc/systemd/system/aes_login.service":
- ensure => present,
- owner => root,
- group => root,
- mode => '0644',
- content => @(LOGINSERVICE)
+ file { '/etc/systemd/system/aes_login.service':
+ ensure => file,
+ owner => root,
+ group => root,
+ mode => '0644',
+ content => @(LOGINSERVICE),
[Unit]
Description=AES Login server
After=network.target
@@ -50,16 +50,16 @@ class aes::aes_sw {
}
# todo: logrotate
- service { "aes_login" :
- ensure => "running",
+ service { 'aes_login' :
+ ensure => 'running',
}
- file { "/etc/systemd/system/aes_ms.service":
- ensure => present,
- owner => root,
- group => root,
- mode => '0644',
- content => @(MSSERVICE)
+ file { '/etc/systemd/system/aes_ms.service':
+ ensure => file,
+ owner => root,
+ group => root,
+ mode => '0644',
+ content => @(MSSERVICE),
[Unit]
Description=AES Exam server
After=network.target
@@ -75,31 +75,31 @@ class aes::aes_sw {
| MSSERVICE
}
- file { "/etc/cron.daily/aes_ms":
- ensure => present,
- owner => root,
- group => root,
- mode => '0700',
- content => @(MSCRON)
+ file { '/etc/cron.daily/aes_ms':
+ ensure => file,
+ owner => root,
+ group => root,
+ mode => '0700',
+ content => @(MSCRON),
#!/bin/sh
/usr/bin/systemctl restart aes_ms
| MSCRON
}
# todo: logrotate
- service { "aes_ms" :
- ensure => "running",
+ service { 'aes_ms' :
+ ensure => 'running',
}
exec { 'script-repo-updated':
command => "/opt/utils/update_repo.sh ${examadm_home}/scripts https://oauth2:iAyewr9Jq5E-tnsVrmbj@gitlab.liu.se/examadm/scripts.git master",
- cwd => "${examadm_home}",
- user => "${examadm_user}",
- group => "${examadm_group}",
+ cwd => $examadm_home,
+ user => $examadm_user,
+ group => $examadm_group,
}
schedule { 'everyday':
period => daily,
- range => '01:00 - 04:00',
+ range => '01:00 - 04:00',
}
}
diff --git a/manifests/auth.pp b/manifests/auth.pp
index b8a159af81b6f4f815754990d4481624ce6a0a26..be636f5463f919987366c10a1831a3ad83c82adb 100644
--- a/manifests/auth.pp
+++ b/manifests/auth.pp
@@ -1,40 +1,66 @@
-class aes::auth {
+class aes::auth(
+ Optional[String] $keytab_production = undef,
+ Optional[String] $keytab_devel = undef
+) {
$auth_user = auth
- $auth_group = "${auth_user}"
+ $auth_group = $auth_user
$auth_home = "/srv/${auth_user}"
- $auth_service = "aes_auth"
+ $auth_service = 'aes_auth'
+
+ # Pick the right keytab for the current environment. We use the fqdn rather than
+ # $environment since the keys are tied to the domain name rather than what
+ # environment the machine is configured in.
+ if $facts[fqdn] == 'aes.edu.liu.se' {
+ # The AD service account for this key is: ida_sys002_srv
+ $auth_keytab_data = $keytab_production
+ $server_type = 'production'
+ } elsif $facts[fqdn] == 'aes-devel.edu.liu.se' {
+ # The AD service account for this key is: ida_sys004_srv
+ $auth_keytab_data = $keytab_devel
+ $server_type = 'devel'
+ } else {
+ $auth_keytab_data = undef
+ }
# Note: We rely on Boost being installed by the broker. It seems Puppet does not like
# that we specify "boost" multiple times, even though it would look nice, modularity-wise
# since both the auth server and the broker requires boost.
package {
[
- 'krb5-libs',
- 'krb5-devel',
+ 'krb5-libs',
+ 'krb5-devel',
+ 'openssl-devel',
]:
ensure => installed,
}
- user { "${auth_user}" :
+ # Group for local authentication. All accounts that are members
+ # of this group are considered trusted by the authentication system.
+ group { 'aes_local_auth' :
ensure => present,
- home => "${auth_home}",
- comment => 'Authentication server for AES',
+ }
+
+ user { $auth_user :
+ ensure => present,
+ home => $auth_home,
+ comment => 'Authentication server for AES',
managehome => false,
membership => inclusive,
- system => true,
- shell => '/sbin/nologin',
+ groups => [ 'aes_local_auth' ],
+ system => true,
+ shell => '/sbin/nologin',
}
- file { "${auth_home}" :
+ file { $auth_home :
ensure => directory,
- owner => "${auth_user}",
- group => "${auth_group}",
- mode => '0755',
+ owner => $auth_user,
+ group => $auth_group,
+ mode => '0755',
}
file { "/etc/systemd/system/${auth_service}.service" :
- ensure => present,
+ ensure => file,
owner => root,
group => root,
mode => '0644',
@@ -42,7 +68,7 @@ class aes::auth {
}
file { "${auth_home}/on_update.sh" :
- ensure => present,
+ ensure => file,
owner => root,
group => root,
mode => '0700',
@@ -50,33 +76,49 @@ class aes::auth {
}
file { "${auth_home}/config.json" :
- ensure => present,
- owner => auth,
- group => auth,
+ ensure => file,
+ owner => $auth_user,
+ group => $auth_group,
mode => '0644',
source => "puppet:///modules/${module_name}/auth/config.json",
}
file { "${auth_home}/start.sh" :
- ensure => present,
- owner => auth,
- group => auth,
+ ensure => file,
+ owner => $auth_user,
+ group => $auth_group,
mode => '0755',
source => "puppet:///modules/${module_name}/auth/start.sh",
}
+ file { "${auth_home}/keys" :
+ ensure => directory,
+ owner => $auth_user,
+ group => $auth_group,
+ mode => '0700',
+ }
+
+ if $auth_keytab_data {
+ file { "${auth_home}/keys/kerberos.keytab" :
+ ensure => file,
+ owner => root,
+ group => $auth_group,
+ mode => '0640',
+ content => $auth_keytab_data,
+ }
+ }
+
exec { 'update-auth-repo' :
- command => "/opt/utils/update_repo.sh ${auth_home}/src https://oauth2:F-agHaRXCdyFy38q4c-N@gitlab.liu.se/upp-aes/communication.git production",
+ command => "/opt/utils/update_repo.sh ${auth_home}/src https://oauth2:F-agHaRXCdyFy38q4c-N@gitlab.liu.se/upp-aes/communication.git ${server_type}",
environment => [ "REPO_USER=${auth_user}", "REPO_GROUP=${auth_group}", "REPO_ON_UPDATE=${auth_home}/on_update.sh" ],
# This command will need to run "on_update" as root in order to restart the service.
- user => root,
- group => root,
- cwd => "${auth_home}",
- require => File["${auth_home}/on_update.sh"],
+ user => root,
+ group => root,
+ cwd => $auth_home,
+ require => File["${auth_home}/on_update.sh"],
}
- service { "${auth_service}" :
- ensure => "running",
+ service { $auth_service :
+ ensure => 'running',
}
-
-}
\ No newline at end of file
+}
diff --git a/manifests/auth_keydb.pp b/manifests/auth_keydb.pp
new file mode 100644
index 0000000000000000000000000000000000000000..72a808e05a22f7274e85e093d6d0148b9c4d3f2b
--- /dev/null
+++ b/manifests/auth_keydb.pp
@@ -0,0 +1,77 @@
+class aes::auth_keydb {
+
+ $keydb_user = auth_keydb
+ $keydb_group = $keydb_user
+ $keydb_home = "/srv/${keydb_user}"
+ $keydb_service = 'aes_auth_keydb'
+
+ # Figure out which certificate to use based on the hostname.
+ if $facts[fqdn] == 'aes.edu.liu.se' {
+ $server_type = 'production'
+ } elsif $facts[fqdn] == 'aes-devel.edu.liu.se' {
+ $server_type = 'devel'
+ } else {
+ $server_type = undef
+ }
+
+ user { $keydb_user :
+ ensure => present,
+ home => $keydb_home,
+ comment => 'Authentication server for AES',
+ managehome => false,
+ membership => inclusive,
+ groups => [ 'aes_local_auth' ],
+ system => true,
+ shell => '/sbin/nologin',
+ }
+
+ file { $keydb_home :
+ ensure => directory,
+ owner => $keydb_user,
+ group => $keydb_group,
+ mode => '0755',
+ }
+
+ file { "/etc/systemd/system/${keydb_service}.service" :
+ ensure => file,
+ owner => root,
+ group => root,
+ mode => '0644',
+ source => "puppet:///modules/${module_name}/auth/keydb.service",
+ }
+
+ file { "${keydb_home}/on_update.sh" :
+ ensure => file,
+ owner => root,
+ group => root,
+ mode => '0700',
+ source => "puppet:///modules/${module_name}/auth/on_update_keydb.sh",
+ }
+
+ exec { 'update-keydb-repo' :
+ command => "/opt/utils/update_repo.sh ${keydb_home}/src https://oauth2:F-agHaRXCdyFy38q4c-N@gitlab.liu.se/upp-aes/communication.git ${server_type}",
+ environment => [ "REPO_USER=${keydb_user}", "REPO_GROUP=${keydb_group}", "REPO_ON_UPDATE=${keydb_home}/on_update.sh" ],
+ # This command will need to run "on_update" as root in order to restart the service.
+ user => root,
+ group => root,
+ cwd => $keydb_home,
+ require => File["${keydb_home}/on_update.sh"],
+ }
+
+ service { $keydb_service :
+ ensure => 'running',
+ }
+
+ # These are temporary until the AdmC database is up and running.
+
+ file { '/etc/systemd/system/aes_temp_userdb.service' :
+ ensure => file,
+ owner => root,
+ group => root,
+ mode => '0644',
+ source => "puppet:///modules/${module_name}/auth/temp_userdb.service",
+ }
+
+ service { 'aes_temp_userdb' :
+ ensure => 'running',
+}}
\ No newline at end of file
diff --git a/manifests/broker.pp b/manifests/broker.pp
index bd8891bbef2471c54ad1052d0c263d242e61cd23..973989b813a655e6c33de66116f2dd91ddd1fa10 100644
--- a/manifests/broker.pp
+++ b/manifests/broker.pp
@@ -1,42 +1,48 @@
class aes::broker {
$broker_user = broker
- $broker_group = "${broker_user}"
+ $broker_group = $broker_user
$broker_home = "/srv/${broker_user}"
- $broker_service = "aes_broker"
+ $broker_service = 'aes_broker'
- # Sadly, it does not seem like we can only install asio, so we need
+ # Sadly, it does not seem like we can not only install asio, so we need
# to install the Boost as a whole.
- # It is easiest to install just "boost", even if that is a bit older
- # than what is available (others require modifying the include path).
- # It is still enough for the broker.
package {
[
- 'boost',
- 'boost-devel',
+ 'boost169',
+ 'boost169-devel',
]:
ensure => installed,
}
- user { "${broker_user}" :
- ensure => present,
- home => "${broker_home}",
- comment => 'Message broker for AES',
+ # Figure out which certificate to use based on the hostname.
+ if $facts[fqdn] == 'aes.edu.liu.se' {
+ $server_type = 'production'
+ } elsif $facts[fqdn] == 'aes-devel.edu.liu.se' {
+ $server_type = 'devel'
+ } else {
+ $server_type = undef
+ }
+
+ user { $broker_user :
+ ensure => present,
+ home => $broker_home,
+ comment => 'Message broker for AES',
managehome => false,
membership => inclusive,
- system => true,
- shell => '/sbin/nologin',
+ system => true,
+ shell => '/sbin/nologin',
}
- file { "${broker_home}" :
+ file { $broker_home :
ensure => directory,
- owner => "${broker_user}",
- group => "${broker_group}",
- mode => '0755',
+ owner => $broker_user,
+ group => $broker_group,
+ mode => '0755',
}
file { "/etc/systemd/system/${broker_service}.service" :
- ensure => present,
+ ensure => file,
owner => root,
group => root,
mode => '0644',
@@ -44,25 +50,55 @@ class aes::broker {
}
file { "${broker_home}/on_update.sh" :
- ensure => present,
+ ensure => file,
owner => root,
group => root,
mode => '0700',
source => "puppet:///modules/${module_name}/broker/on_update.sh",
}
+ file { "${broker_home}/ssl" :
+ ensure => directory,
+ owner => $broker_user,
+ group => $broker_group,
+ mode => '0700',
+ }
+
+ file { "${broker_home}/ssl/cert.pem" :
+ ensure => file,
+ owner => $broker_user,
+ group => $broker_group,
+ mode => '0700',
+ source => "puppet:///modules/${module_name}/broker/cert/${server_type}_cert.pem",
+ }
+
+ file { "${broker_home}/ssl/key.pem" :
+ ensure => file,
+ owner => $broker_user,
+ group => $broker_group,
+ mode => '0700',
+ source => "puppet:///modules/${module_name}/broker/cert/${server_type}_key.pem",
+ }
+
+ file { "${broker_home}/ssl/password" :
+ ensure => file,
+ owner => $broker_user,
+ group => $broker_group,
+ mode => '0700',
+ source => "puppet:///modules/${module_name}/broker/cert/${server_type}_password",
+ }
+
exec { 'update-broker-repo' :
- command => "/opt/utils/update_repo.sh ${broker_home}/src https://oauth2:F-agHaRXCdyFy38q4c-N@gitlab.liu.se/upp-aes/communication.git production",
+ command => "/opt/utils/update_repo.sh ${broker_home}/src https://oauth2:F-agHaRXCdyFy38q4c-N@gitlab.liu.se/upp-aes/communication.git ${server_type}",
environment => [ "REPO_USER=${broker_user}", "REPO_GROUP=${broker_group}", "REPO_ON_UPDATE=${broker_home}/on_update.sh" ],
# This command will need to run "on_update" as root in order to restart the service.
- user => root,
- group => root,
- cwd => "${broker_home}",
- require => File["${broker_home}/on_update.sh"],
+ user => root,
+ group => root,
+ cwd => $broker_home,
+ require => File["${broker_home}/on_update.sh"],
}
- service { "${broker_service}" :
- ensure => "running",
+ service { $broker_service :
+ ensure => 'running',
}
-
-}
\ No newline at end of file
+}
diff --git a/manifests/examfiles.pp b/manifests/examfiles.pp
index 1af3e29ceb94babf50d1ade46545bc18856f4bf6..db8b5d49bfc0a00d5b0907156fccf3480fcf1520 100644
--- a/manifests/examfiles.pp
+++ b/manifests/examfiles.pp
@@ -1,11 +1,11 @@
class aes::examfiles {
- include ::users::henhe83
- include ::users::micis03
- include ::users::jondy94
+ include users::henhe83
+ include users::micis03
+ include users::jondy94
- group { "liuitdrs" :
- ensure => present,
+ group { 'liuitdrs' :
+ ensure => present,
allowdupe => false,
}
diff --git a/manifests/init.pp b/manifests/init.pp
index ae5f965d6cbfb43576927f59e50e1f1dbd203203..e722866b50b58d73e57edcb24acff5b243d87e55 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -6,7 +6,8 @@ class aes {
include aes::latex
include aes::broker
include aes::auth
- include ::liurepo::centos_sclo_rh
+ include aes::auth_keydb
+ include liurepo::centos_sclo_rh
package {
[
@@ -35,10 +36,10 @@ class aes {
# File for updating repositories.
file { '/opt/utils':
- ensure => directory,
- mode => '0755',
- owner => root,
- group => root,
+ ensure => directory,
+ mode => '0755',
+ owner => root,
+ group => root,
}
file { '/opt/utils/update_repo.sh':
ensure => file,
@@ -50,12 +51,21 @@ class aes {
# File to easily see when Puppet was last executed.
# Ideally, we would like to know if it is devel or production as well.
- exec { '/usr/bin/touch /var/last_puppet_run' :
- cwd => "/var",
- user => root,
+ exec { '/usr/bin/touch /var/last_puppet_run' :
+ cwd => '/var',
+ user => root,
group => root,
}
+ # File containing which environment is used.
+ file { '/var/puppet_environment' :
+ ensure => file,
+ mode => '0644',
+ owner => root,
+ group => root,
+ content => $environment,
+ }
+
::users::liu_user { 'klaar36':
commonname => 'Klas Arvidsson',
shell => '/bin/bash',
diff --git a/manifests/latex.pp b/manifests/latex.pp
index 8ea97cfe4f329bcfbaaa78286e5147f0b3f7a20f..a60733369c86a233fb8a11a24b868bea9e68fb6b 100644
--- a/manifests/latex.pp
+++ b/manifests/latex.pp
@@ -2,16 +2,16 @@ class aes::latex {
package {
[
- 'texlive',
- 'texlive-latex',
- 'texlive-xetex',
- 'texlive-collection-xetex',
- 'texlive-collection-latex',
- 'texlive-collection-latexrecommended',
- 'texlive-xetex-def',
- 'texlive-tcolorbox',
- 'texlive-booktabs',
- 'latexmk',
+ 'texlive',
+ 'texlive-latex',
+ 'texlive-xetex',
+ 'texlive-collection-xetex',
+ 'texlive-collection-latex',
+ 'texlive-collection-latexrecommended',
+ 'texlive-xetex-def',
+ 'texlive-tcolorbox',
+ 'texlive-booktabs',
+ 'latexmk',
]:
ensure => installed,
}
diff --git a/manifests/opendsa.pp b/manifests/opendsa.pp
index b8f3a56fd86e14ed2ca518fc6fd565da01d75804..c54b242937a39f17e94bab8793970ba7ee90265b 100644
--- a/manifests/opendsa.pp
+++ b/manifests/opendsa.pp
@@ -1,38 +1,38 @@
class aes::opendsa {
$opendsa_user = opendsa
- $opendsa_group = "${opendsa_user}"
+ $opendsa_group = $opendsa_user
$opendsa_home = "/srv/${opendsa_user}"
- $opendsa_service = "${opendsa_user}"
+ $opendsa_service = $opendsa_user
- user { "${opendsa_user}" :
- ensure => present,
- home => "${opendsa_home}",
- comment => 'OpenDSA server',
+ user { $opendsa_user :
+ ensure => present,
+ home => $opendsa_home,
+ comment => 'OpenDSA server',
managehome => false,
membership => inclusive,
- system => true,
- shell => '/sbin/nologin',
+ system => true,
+ shell => '/sbin/nologin',
}
- file { "${opendsa_home}":
+ file { $opendsa_home:
ensure => directory,
- owner => "${opendsa_user}",
- group => "${opendsa_group}",
- mode => '0755',
+ owner => $opendsa_user,
+ group => $opendsa_group,
+ mode => '0755',
}
# This file will be executed as root, which is why we don't let anyone but root examine it.
file { "${opendsa_home}/on_update.sh":
- ensure => present,
- owner => root,
- group => root,
- mode => '0700',
+ ensure => file,
+ owner => root,
+ group => root,
+ mode => '0700',
source => "puppet:///modules/${module_name}/opendsa/on_update.sh",
}
file { "/etc/systemd/system/${opendsa_service}.service":
- ensure => present,
+ ensure => file,
owner => root,
group => root,
mode => '0644',
@@ -40,26 +40,26 @@ class aes::opendsa {
}
exec { 'update-repo':
- command => "/opt/utils/update_repo.sh ${opendsa_home}/OpenDSA https://oauth2:taNPRZid9Hv6jJtdW_T8@gitlab.liu.se/opendsa/OpenDSA.git exam",
+ command => "/opt/utils/update_repo.sh ${opendsa_home}/OpenDSA https://oauth2:taNPRZid9Hv6jJtdW_T8@gitlab.liu.se/opendsa/OpenDSA.git exam",
environment => [ "REPO_USER=${opendsa_user}", "REPO_GROUP=${opendsa_group}", "REPO_ON_UPDATE=${opendsa_home}/on_update.sh" ],
# This command will need to run "on_update" as root in order to restart the service.
- user => root,
- group => root,
- cwd => "${opendsa_home}",
- require => File["${opendsa_home}/on_update.sh"],
+ user => root,
+ group => root,
+ cwd => $opendsa_home,
+ require => File["${opendsa_home}/on_update.sh"],
}
file { "${opendsa_home}/manage.sh":
- ensure => present,
- owner => "${opendsa_user}",
- group => "${opendsa_group}",
- mode => '0755',
+ ensure => file,
+ owner => $opendsa_user,
+ group => $opendsa_group,
+ mode => '0755',
source => "puppet:///modules/${module_name}/opendsa/manage.sh",
}
- # Do we need port 12000 open? NO
- service { "${opendsa_service}" :
- ensure => "running",
+ # Do we need port 12000 open? NO
+ service { $opendsa_service :
+ ensure => 'running',
}
# Ändra TDDD86-raden i rules.d/opendsa till "TDDD86[AB]_191219"
diff --git a/manifests/squid_filter.pp b/manifests/squid_filter.pp
index f6ae203a37670bd30b5361900f10f28ea7912e3d..b94f736acb232ae81d92ebba2fc3bb54757d6ecb 100644
--- a/manifests/squid_filter.pp
+++ b/manifests/squid_filter.pp
@@ -1,36 +1,36 @@
class aes::squid_filter {
- package { "squid" :
- ensure => "present",
+ package { 'squid' :
+ ensure => 'present',
}
file { '/etc/squid/squid.conf':
- ensure => file,
- mode => '0644',
- owner => root,
- group => root,
+ ensure => file,
+ mode => '0644',
+ owner => root,
+ group => root,
content => file("${module_name}/squid/squid.conf"),
}
-
+
file { '/usr/libexec/squid/helpers':
- ensure => directory,
+ ensure => directory,
recurse => true,
- purge => true,
- force => true,
- owner => squid,
- group => squid,
- mode => '0644',
- source => "puppet:///modules/${module_name}/squid/helpers",
- notify => Service['squid']
+ purge => true,
+ force => true,
+ owner => squid,
+ group => squid,
+ mode => '0644',
+ source => "puppet:///modules/${module_name}/squid/helpers",
+ notify => Service['squid'],
}
file { '/usr/libexec/squid/helpers/squid-url-rewrite.py':
ensure => file,
owner => squid,
group => squid,
- mode => '0755',
+ mode => '0755',
source => "puppet:///modules/${module_name}/squid/helpers/squid-url-rewrite.py",
- notify => Service['squid']
+ notify => Service['squid'],
}
file { '/var/cache/squid' :
@@ -54,15 +54,15 @@ class aes::squid_filter {
group => squid,
}
- exec { '/usr/lib64/squid/ssl_crtd -c -s /var/lib/squid/ssl_db' :
- user => "squid",
- group => "squid",
+ exec { '/usr/lib64/squid/ssl_crtd -c -s /var/lib/squid/ssl_db' :
+ user => 'squid',
+ group => 'squid',
creates => '/var/lib/squid/ssl_db',
}
# todo: logrotate
- service { "squid" :
- ensure => "running",
+ service { 'squid' :
+ ensure => 'running',
}
}
diff --git a/metadata.json b/metadata.json
index 9651bb0d0ff5e9b14fbef00faafdba27e61d16c2..30851da4a6d6861e83fcdbadd5b0ec14638fa582 100644
--- a/metadata.json
+++ b/metadata.json
@@ -3,18 +3,18 @@
"version": "0.0.0",
"author": "LiU-IT",
"summary": "Module for aes",
- "license": "TBD",
+ "license": "Apache-2.0",
"source": "https://gitlab.liu.se/liu-puppet-modules/aes/tree/production",
"project_page": "https://gitlab.liu.se/liu-puppet-modules/aes",
"issues_url": "https://gitlab.liu.se/liu-puppet-modules/aes/issues",
"dependencies": [
+
],
"data_provider": "hiera",
"operatingsystem_support": [
{
"operatingsystem": "CentOS",
"operatingsystemrelease": [
- "6",
"7",
"8"
]
@@ -23,7 +23,10 @@
"requirements": [
{
"name": "puppet",
- "version_requirement": ">= 5.5.10 < 7.0.0"
+ "version_requirement": ">= 6.21.0 < 8.0.0"
}
- ]
+ ],
+ "pdk-version": "2.1.0",
+ "template-url": "https://gitlab.it.liu.se/puppet-infra/pdk-templates.git#liu",
+ "template-ref": "heads/liu-0-g8fb0f81"
}
diff --git a/spec/classes/aes_spec.rb b/spec/classes/aes_spec.rb
new file mode 100644
index 0000000000000000000000000000000000000000..137f66635f0fd47f9c43d99ddb9b6dc2e341afe7
--- /dev/null
+++ b/spec/classes/aes_spec.rb
@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe 'aes' do
+ on_supported_os.each do |os, os_facts|
+ context "on #{os}" do
+ let(:facts) { os_facts }
+
+ it { is_expected.to compile }
+ end
+ end
+end
diff --git a/spec/classes/aes_sw_spec.rb b/spec/classes/aes_sw_spec.rb
new file mode 100644
index 0000000000000000000000000000000000000000..d906484d158a4d1f948bac9952c38108df5010fc
--- /dev/null
+++ b/spec/classes/aes_sw_spec.rb
@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe 'aes::aes_sw' do
+ on_supported_os.each do |os, os_facts|
+ context "on #{os}" do
+ let(:facts) { os_facts }
+
+ it { is_expected.to compile }
+ end
+ end
+end
diff --git a/spec/classes/auth_keydb_spec.rb b/spec/classes/auth_keydb_spec.rb
new file mode 100644
index 0000000000000000000000000000000000000000..97bbeabc37ea262766d50369ea8e8621a8ba1f2f
--- /dev/null
+++ b/spec/classes/auth_keydb_spec.rb
@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe 'aes::auth_keydb' do
+ on_supported_os.each do |os, os_facts|
+ context "on #{os}" do
+ let(:facts) { os_facts }
+
+ it { is_expected.to compile }
+ end
+ end
+end
diff --git a/spec/classes/auth_spec.rb b/spec/classes/auth_spec.rb
new file mode 100644
index 0000000000000000000000000000000000000000..5feb091765d206dc2a9086d2fe6beaf0c21d1f07
--- /dev/null
+++ b/spec/classes/auth_spec.rb
@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe 'aes::auth' do
+ on_supported_os.each do |os, os_facts|
+ context "on #{os}" do
+ let(:facts) { os_facts }
+
+ it { is_expected.to compile }
+ end
+ end
+end
diff --git a/spec/classes/broker_spec.rb b/spec/classes/broker_spec.rb
new file mode 100644
index 0000000000000000000000000000000000000000..503f421650b5b9c07f78060a48f0f665575916c5
--- /dev/null
+++ b/spec/classes/broker_spec.rb
@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe 'aes::broker' do
+ on_supported_os.each do |os, os_facts|
+ context "on #{os}" do
+ let(:facts) { os_facts }
+
+ it { is_expected.to compile }
+ end
+ end
+end
diff --git a/spec/classes/examfiles_spec.rb b/spec/classes/examfiles_spec.rb
new file mode 100644
index 0000000000000000000000000000000000000000..98adf01b31b23fedf1475c9db00d6d63c335317b
--- /dev/null
+++ b/spec/classes/examfiles_spec.rb
@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe 'aes::examfiles' do
+ on_supported_os.each do |os, os_facts|
+ context "on #{os}" do
+ let(:facts) { os_facts }
+
+ it { is_expected.to compile }
+ end
+ end
+end
diff --git a/spec/classes/latex_spec.rb b/spec/classes/latex_spec.rb
new file mode 100644
index 0000000000000000000000000000000000000000..b5fbcad5e33f3047c95ea9f0da48deb51ae51212
--- /dev/null
+++ b/spec/classes/latex_spec.rb
@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe 'aes::latex' do
+ on_supported_os.each do |os, os_facts|
+ context "on #{os}" do
+ let(:facts) { os_facts }
+
+ it { is_expected.to compile }
+ end
+ end
+end
diff --git a/spec/classes/opendsa_spec.rb b/spec/classes/opendsa_spec.rb
new file mode 100644
index 0000000000000000000000000000000000000000..7c01a8defb768db0b9759d9c7f4a8bf993fcbf95
--- /dev/null
+++ b/spec/classes/opendsa_spec.rb
@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe 'aes::opendsa' do
+ on_supported_os.each do |os, os_facts|
+ context "on #{os}" do
+ let(:facts) { os_facts }
+
+ it { is_expected.to compile }
+ end
+ end
+end
diff --git a/spec/classes/squid_filter_spec.rb b/spec/classes/squid_filter_spec.rb
new file mode 100644
index 0000000000000000000000000000000000000000..7c07485ca7b453fb420e05fbedf0aa4dc34cf478
--- /dev/null
+++ b/spec/classes/squid_filter_spec.rb
@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe 'aes::squid_filter' do
+ on_supported_os.each do |os, os_facts|
+ context "on #{os}" do
+ let(:facts) { os_facts }
+
+ it { is_expected.to compile }
+ end
+ end
+end
diff --git a/spec/default_facts.yml b/spec/default_facts.yml
new file mode 100644
index 0000000000000000000000000000000000000000..f777abfc9905202e7ccf5b5fcc76b9b4c59a39fb
--- /dev/null
+++ b/spec/default_facts.yml
@@ -0,0 +1,8 @@
+# Use default_module_facts.yml for module specific facts.
+#
+# Facts specified here will override the values provided by rspec-puppet-facts.
+---
+ipaddress: "172.16.254.254"
+ipaddress6: "FE80:0000:0000:0000:AAAA:AAAA:AAAA"
+is_pe: false
+macaddress: "AA:AA:AA:AA:AA:AA"
diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb
new file mode 100644
index 0000000000000000000000000000000000000000..c4cb9ef0f8906567ea118c5db8ba59e01707525b
--- /dev/null
+++ b/spec/spec_helper.rb
@@ -0,0 +1,65 @@
+# frozen_string_literal: true
+
+RSpec.configure do |c|
+ c.mock_with :rspec
+end
+
+require 'puppetlabs_spec_helper/module_spec_helper'
+require 'rspec-puppet-facts'
+
+require 'spec_helper_local' if File.file?(File.join(File.dirname(__FILE__), 'spec_helper_local.rb'))
+
+# LiU - Default to UTF-8 encoding
+Encoding.default_external = Encoding::UTF_8
+
+include RspecPuppetFacts
+
+default_facts = {
+ puppetversion: Puppet.version,
+ facterversion: Facter.version,
+}
+
+default_fact_files = [
+ File.expand_path(File.join(File.dirname(__FILE__), 'default_facts.yml')),
+ File.expand_path(File.join(File.dirname(__FILE__), 'default_module_facts.yml')),
+]
+
+default_fact_files.each do |f|
+ next unless File.exist?(f) && File.readable?(f) && File.size?(f)
+
+ begin
+ default_facts.merge!(YAML.safe_load(File.read(f), [], [], true))
+ rescue => e
+ RSpec.configuration.reporter.message "WARNING: Unable to load #{f}: #{e}"
+ end
+end
+
+# read default_facts and merge them over what is provided by facterdb
+default_facts.each do |fact, value|
+ add_custom_fact fact, value
+end
+
+RSpec.configure do |c|
+ c.default_facts = default_facts
+ c.before :each do
+ # set to strictest setting for testing
+ # by default Puppet runs at warning level
+ Puppet.settings[:strict] = :warning
+ Puppet.settings[:strict_variables] = true
+ end
+ c.filter_run_excluding(bolt: true) unless ENV['GEM_BOLT']
+ c.after(:suite) do
+ RSpec::Puppet::Coverage.report!(0)
+ end
+end
+
+# Ensures that a module is defined
+# @param module_name Name of the module
+def ensure_module_defined(module_name)
+ module_name.split('::').reduce(Object) do |last_module, next_module|
+ last_module.const_set(next_module, Module.new) unless last_module.const_defined?(next_module, false)
+ last_module.const_get(next_module, false)
+ end
+end
+
+# 'spec_overrides' from sync.yml will appear below this line