diff --git a/apply.sh b/apply.sh
new file mode 100755
index 0000000000000000000000000000000000000000..f2812024ef7180341a41e2dcaea56f25af35fe7d
--- /dev/null
+++ b/apply.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+modulepath="$(pwd)/.."
+
+set -x
+
+puppet parser validate --strict_variables --modulepath="$modulepath" manifests/
+
+for file in $*
+do
+ class=$(basename $file .pp)
+ # Sudo is needed for modules that do something with yum for example.
+ sudo /opt/puppetlabs/bin/puppet apply --test --modulepath="$modulepath" -e "include aes::$class"
+done
diff --git a/files/auth/auth.service b/files/auth/auth.service
new file mode 100644
index 0000000000000000000000000000000000000000..cf6ba59421e9918bc2bee99e6bba2ab7cdf1d6d5
--- /dev/null
+++ b/files/auth/auth.service
@@ -0,0 +1,17 @@
+[Unit]
+Description=Exam System Message Broker
+After=network.target
+
+[Service]
+Type=simple
+User=auth
+WorkingDirectory=/srv/auth/
+ExecStart=/srv/auth/start.sh
+Restart=on-failure
+RestartSec=10
+
+# No limit. We won't overload the system anyway.
+StartLimitIntervalSec=0
+
+[Install]
+WantedBy=multi-user.target
diff --git a/files/auth/config.json b/files/auth/config.json
new file mode 100644
index 0000000000000000000000000000000000000000..c7d0302ec319c49130670c167861cf1f6665850a
--- /dev/null
+++ b/files/auth/config.json
@@ -0,0 +1,126 @@
+// The client strips C++-style comments from this file. There are some restrictions as follows:
+// - Only C++-style single line comments are allowed.
+// - They must be the only thing on the line, except for leading whitespace (space and tab)
+// These are in place to make it easy to strip the comments without knowledge of JSON before passing
+// it to the JSON parser.
+{
+ // Timeout for all authentications, in minutes
+ "timeout" : 1,
+
+ // All groups known to the system, and what permissions we assign each group.
+ "groups" : {
+ // Each entry consists of the group's name, followed by properties for that group.
+ "TEST" : {
+ // Maximum message size for this group.
+ "message_size" : 10240,
+
+ // Allow communicating to these groups. The empty string is the broadcast "group".
+ "groups" : [ "TEST" ]
+ },
+
+ // Admin clients.
+ "ADMC" : {
+ "message_size" : 1024000,
+ "groups" : [ "", "ADMC", "DB", "MS" ]
+ },
+
+ // Examiner clients.
+ "EC" : {
+ "message_size" : 1024000,
+ "groups" : [ "", "MS" ]
+ },
+
+ // Student clients.
+ "SC" : {
+ "message_size" : 102400,
+ "groups" : [ "MS" ]
+ },
+
+ // Message server.
+ "MS" : {
+ "message_size" : 1024000,
+ "groups" : [ "", "EC", "SC" ]
+ },
+
+ // The "large" DB server.
+ // Note: If using the kerberos authentication, the DB needs to be able to reply to AUTH-messages.
+ "DB" : {
+ "message_size" : 1024000,
+ "groups" : [ "", "ADMC", "MS", "AUTH" ]
+ }
+ },
+
+ // All authentication methods the auth server is going to support. Each method may appear multiple
+ // times with different configuration if different groups are to be guarded with different levels
+ // of security.
+ "methods" : [
+ {
+ // A list of groups that we allow authenticating using this method. This is mandatory
+ // for all elements in here.
+ "allow" : [ "TEST" ],
+
+ // The debug auth is the simplest. It just allows whatever the connected client
+ // claimed. It is not good to use in production, and is always disabled unless the
+ // "--debug" flag is given on the command line.
+ "type" : "debug"
+ },
+ {
+ "allow" : [ "DB", "MS" ],
+
+ // File system authentication. This works for clients on the same system as the
+ // authentication server (e.g. DB, ARLA, etc.), and relies on UNIX permissions. This
+ // means we don't have to bother with certificates and the like.
+ "type" : "fs",
+
+ // Where to store the key files in the filesystem.
+ "path" : "/tmp",
+
+ // Permissions of the file.
+ "permissions" : "0770",
+
+ // Group of the file. If not present or null, we won't change the group.
+ "group" : null
+ },
+ {
+ // Slightly different requirements for ADMC.
+ "allow" : [ "ADMC" ],
+ "type" : "fs",
+ "path" : "/tmp",
+ "permissions" : "0777",
+ "group" : null
+ },
+ {
+ // Allow FS auth for the TEST group as well.
+ "allow" : [ "TEST" ],
+ "type" : "fs",
+ "path" : "/tmp",
+ "permissions" : "0777",
+ "group" : null
+ },
+ {
+ // Allow authenticating EC with Kerberos.
+ "allow" : [ "EC" ],
+ "type" : "kerberos",
+
+ // What is the address of the database server we shall query for information?
+ "db" : {
+ "group" : "DB",
+ "id" : 1
+ },
+
+ "user_type" : "staff"
+ },
+ {
+ // Allow authenticating SC with Kerberos.
+ "allow" : [ "SC" ],
+ "type" : "kerberos",
+
+ "db" : {
+ "group" : "DB",
+ "id" : 1
+ },
+
+ "user_type" : "student"
+ }
+ ]
+}
diff --git a/files/auth/on_update.sh b/files/auth/on_update.sh
new file mode 100644
index 0000000000000000000000000000000000000000..848eb18d98a071272dd245436ebba2857775a562
--- /dev/null
+++ b/files/auth/on_update.sh
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+run_as_broker=$(cat <<'EOF'
+cd
+# To make sure we have a decent GCC in our path.
+source /opt/rh/devtoolset-7/enable
+cd src/auth
+make clean
+make
+
+cd
+mkdir -p bin/
+cp src/auth/auth bin/
+EOF
+)
+
+# Compile as the auth user
+sudo --user auth --group auth --set-home -- bash -c "$run_as_broker"
+
+# Then, we can restart the services.
+systemctl service restart aes_auth.service
+
diff --git a/files/auth/start.sh b/files/auth/start.sh
new file mode 100644
index 0000000000000000000000000000000000000000..435ef7e06a8b905dd40bc97cec5803dea39b17e0
--- /dev/null
+++ b/files/auth/start.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+if grep "aes-devel" /etc/hostname > /dev/null
+then
+ # Allow debug auth when on the devel system.
+ exec bin/auth --debug 31338 config.json
+else
+ # Not on the real system, however.
+ exec bin/auth 31338 config.json
+fi
diff --git a/files/broker/broker.service b/files/broker/broker.service
new file mode 100644
index 0000000000000000000000000000000000000000..f4f902a4c516a7fc7358f54605082d5c565b4f74
--- /dev/null
+++ b/files/broker/broker.service
@@ -0,0 +1,17 @@
+[Unit]
+Description=Exam System Message Broker
+After=network.target
+
+[Service]
+Type=simple
+User=broker
+WorkingDirectory=/srv/broker/
+ExecStart=/srv/broker/bin/broker 31337 localhost 31338
+Restart=on-failure
+RestartSec=10
+
+# No limit. We won't overload the system anyway.
+StartLimitIntervalSec=0
+
+[Install]
+WantedBy=multi-user.target
diff --git a/files/broker/on_update.sh b/files/broker/on_update.sh
new file mode 100644
index 0000000000000000000000000000000000000000..ec79273b6940fe8e71332d67f6278fd52283bbf2
--- /dev/null
+++ b/files/broker/on_update.sh
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+run_as_broker=$(cat <<'EOF'
+cd
+# To make sure we have a decent GCC in our path.
+source /opt/rh/devtoolset-7/enable
+cd src/broker
+make clean
+make
+
+cd
+mkdir -p bin/
+cp src/broker/broker bin/
+EOF
+)
+
+# Compile as "broker".
+sudo --user broker --group broker --set-home -- bash -c "$run_as_broker"
+
+# Then, we can restart the services.
+systemctl service restart aes_broker.service
+
diff --git a/files/opendsa/.ssh/id_rsa b/files/opendsa/.ssh/id_rsa
deleted file mode 100755
index 7d3860f75730124c09d6a77e6c24133ede256ec5..0000000000000000000000000000000000000000
--- a/files/opendsa/.ssh/id_rsa
+++ /dev/null
@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEA1GjnhseuHiZdIpo5vpn8nhX94ZG8PS5LFgyy03VZQigC6NSJ
-G0HeVV5PoiJNsisDh251d/50kALNpNCuiAZqBGw8SuKxIbev8M4hLyy3IMLK9frY
-Ap6cefolxq5d/ZEz46kkrEFCg7oJiqvADtrhPYwz1jcKiTzdL6936POnrKv6Pcq5
-yhCu+cJ9avWUhCuk41tIX0SI7hl0Lm2KtP8jfyBepWc6Lq8E0xVOmwqQtf0flddu
-g8RfuHFTscl8wnyMSGLWa4Ps+Ihu1zsis7bSfGZjdHbxQT382VxemfkzE6FNGTZM
-4CtafhvF3ZuxjIrx658pCA34JSiKe/4Zlm/c3wIDAQABAoIBAES3k3+FBg1299aD
-8n55LsKt9q6NCUr5uQzvGsNSSYgfjaFpcNnCm30ev8CCPISRadjcoWAqj+cvIPxb
-Druu54l6wp6vbAKufFr5NL8gRjZxDlw5xLxEN/c2OBZovruTyCe0xsp7altXSlL0
-cXPc19Wjj/mTYPM5H42XxME2Yl53xUPi8OKrnZzyEJjrcdLeq8a4yusjdJOidW6O
-wXkk/cDvtMeZZWEEu4nBL3vnU7hXvdF90crwNYqScd1lWIriqjfKhEpAvyrlASSW
-tqURkbw0WIYas+jSexLV/bqmgPydsOHJ15TXKtIYUejpPKB5WEdiMECc286fMLCx
-ogVGoZECgYEA/z/bl2/+El3smoEgNv2xpQIyXgKKp19figxm9xJIqbAcN66JAn1R
-EiOFiEy5o33q6Yz1sZ5/n4e3zoj8HiVZHNqkpBtuleZJJ7XBM/NcUH+OUrke+tlV
-q7arNlx9uN6liGp9SfJwKYtUSH13Z3O7sEAt7OX+mzWj527zDROZQHMCgYEA1QjM
-bFkZx83Nj4Qklo+GvgJhq0+Vr4hQd/hLZmgGo3dKZ3McXUmM70A0ETOxyp4zzMep
-Hi5wYa/qdtdVi25S38NExqxFO+JbuXrHoM1XyxzQ3DooV1goaKPybJjoB64zmycx
-D+Ni9MEwMsP1X8kxGQr4A1Nh37sm2hAhWoZCcuUCgYEA7oGG+SyGpjbpfT2nEntf
-4SX6VmndkaPGrEIGfFuzVgvfchA+qfrbJC3Y+pFm7WQde3phokTOUA0LLYxGuQyB
-BjsvmMChRqRWOyrUi2ydGAL4xEeCsTcfnEImHbezKmmxF5UZ2V0WfVtZuBq01hAI
-kxqFT1Vh4TnwG7NKnS9xBg0CgYBouXeMt8xlnXU03PgDj7DkTVVoGqpx7Ofp4gRm
-5jKFP0ozSrIh5dtDbeNqpWf8PAMo4unvLVMPoqP3IeoqreRNnbd8lwk95AvFRWdH
-VEqZTaQa7vgP4AWVUysEWbKOvAMgfYav0c8+lI22FwDTwprBPdQoBmBx1JXH0vAi
-iSe3RQKBgQCPutMegWA+vLupD12XWdde3M5hi4Cd/PxcvJwJrUSjjwlbkHr8EAkZ
-3MXK9o+1Ssj4Ipf1T7VUfdE5uaFJjGLLiPmMAoHbqqPo/0nnsk5JCqJuagmMup0O
-rOQmrvbbDLRXndhb3YeoCtehTiONTMzW+dsdbCrrdnx5AzV4Akwlqw==
------END RSA PRIVATE KEY-----
diff --git a/files/opendsa/.ssh/id_rsa.pub b/files/opendsa/.ssh/id_rsa.pub
deleted file mode 100755
index 10096d594d4b37a8e9633dc021c89ce8b957869a..0000000000000000000000000000000000000000
--- a/files/opendsa/.ssh/id_rsa.pub
+++ /dev/null
@@ -1 +0,0 @@
-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDUaOeGx64eJl0imjm+mfyeFf3hkbw9LksWDLLTdVlCKALo1IkbQd5VXk+iIk2yKwOHbnV3/nSQAs2k0K6IBmoEbDxK4rEht6/wziEvLLcgwsr1+tgCnpx5+iXGrl39kTPjqSSsQUKDugmKq8AO2uE9jDPWNwqJPN0vr3fo86esq/o9yrnKEK75wn1q9ZSEK6TjW0hfRIjuGXQubYq0/yN/IF6lZzourwTTFU6bCpC1/R+V126DxF+4cVOxyXzCfIxIYtZrg+z4iG7XOyKzttJ8ZmN0dvFBPfzZXF6Z+TMToU0ZNkzgK1p+G8Xdm7GMivHrnykIDfglKIp7/hmWb9zf opendsa@aes-devel.edu.liu.se
diff --git a/files/opendsa/.ssh/known_hosts b/files/opendsa/.ssh/known_hosts
deleted file mode 100755
index 8eb1a50ebef29e00ee9ba2f141ec6c849132d61a..0000000000000000000000000000000000000000
--- a/files/opendsa/.ssh/known_hosts
+++ /dev/null
@@ -1 +0,0 @@
-gitlab.ida.liu.se,130.236.180.82 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAYihlTjGKAun+fT/4v1c7zW0+HmsniwuuxWMmHM+/Y1RK/31DyxV+oLpiACP+2cR/FJ5Ab2wGai4sgnrZqY+yDHHZFbTAThqXylJmIvm57U1J8yL1ayOJe7wQNwan13rmEfzBjrNCxn/aFcvwLutZx+sRsYYfFnGhLeULbaoIeysXm+qufL2TQib+GJzanL6uksiccJ9RiWVg7YewzsdP23DzBSZBJobggaX5bIGzVp2omwe0F4X0YgMZvUHBNWJRjbit56c92jirmLaHJNvl3J+xSIty1XaCp/0kg5Ws8jRV9iGDXRafPPcWn2T8p1S4vIYsAD6QH9Ec6hAKT9qn
diff --git a/files/opendsa/on_update.sh b/files/opendsa/on_update.sh
new file mode 100644
index 0000000000000000000000000000000000000000..a2912aae220747d95ecc6e82aec52d83e3c0d9fa
--- /dev/null
+++ b/files/opendsa/on_update.sh
@@ -0,0 +1,25 @@
+#!/bin/bash
+
+# This file is called whenever the OpenDSA repo was updated. This means we should re-check
+# the requirements.txt file and restart the service.
+
+# Note: This file is executed as root, so we drop back to the opendsa user before starting pip.
+
+update_pip_fn=$(cat <<'EOF'
+cd
+python3 -m pip install --user -r OpenDSA/server/requirements.txt
+
+# Initialize the DB if required.
+if [[ ! -f OpenDSA/server/openDSA.db ]]
+then
+ cd OpenDSA/server/
+ ./main.py init_db
+fi
+EOF
+)
+
+# Run PIP as OpenDSA.
+sudo --user opendsa --group opendsa --set-home -- bash -c "$update_pip_fn"
+
+# Then, we can restart the service.
+systemctl service restart opendsa.service
diff --git a/files/squid/helpers/rules.d/opendsa.rules b/files/squid/helpers/rules.d/opendsa.rules
index 4c36719c8ff49ab46637b8934544252cded77471..724eedbdae57aef32333fb75a67ea981a419afd9 100644
--- a/files/squid/helpers/rules.d/opendsa.rules
+++ b/files/squid/helpers/rules.d/opendsa.rules
@@ -2,6 +2,8 @@
// ^.* false
+^https?://www\.ida\.liu\.se/edu/ugrad/datortenta/OpenDSA/Books/TDDD86_200317/.* true
+
^https?://www\.ida\.liu\.se/edu/ugrad/datortenta/OpenDSA/Books/.* false
^https?://www\.ida\.liu\.se/edu/ugrad/datortenta/OpenDSA/lib/.* true
^https?://www\.ida\.liu\.se/edu/ugrad/datortenta/OpenDSA/JSAV/.* true
diff --git a/files/update_repo.sh b/files/update_repo.sh
new file mode 100755
index 0000000000000000000000000000000000000000..c871f416b5e32be90723fca95003573861de992e
--- /dev/null
+++ b/files/update_repo.sh
@@ -0,0 +1,99 @@
+#!/bin/bash
+
+# Keep a Git repository updated. Optionally execute a command whenever it has been updated in order
+# to trigger further processing of some kind (e.g. restarting services).
+
+# The command is called as follows:
+# update_repo.sh <destination path> <source repo> <source branch>
+
+# If REPO_ON_UPDATE is set, then that command will be executed whenever the repo is created and/or
+# updated to a new revision. This can be used to trigger further processing of some sort, such as
+# compiling the contained source and/or restarting system services as appropriate.
+
+# This script is designed to be executed as a privillegied user so that the update command could do
+# privillegied operations. Thus, the git commands will be isolated to a user as described by
+# REPO_USER and REPO_GROUP, if they are is set. It is, of course, also possible to just run this
+# script as a regular user without setting REPO_USER.
+
+
+# "function" that keeps the repo updated. Returns 0 if nothing was done, 100 if the repo was updated,
+# and something else on some kind of error. This function will be executed as the user indicated in
+# the environment variables.
+# I'm sorry for this thing... Turns out that sudo does not allow passing bash functions as environment
+# variables, so I simply pass the entire "function" to Bash as a string.
+update_repo_fn=$(cat <<'EOF'
+if [[ ! -d "$repo_path" ]]
+then
+ # Does not exist. We need to checkout the repository.
+ git clone --single-branch --branch "$repo_branch" "$repo_source" "$repo_path" || exit 1
+ exit 100
+else
+ # It does exist. Make sure it is updated.
+ cd "$repo_path"
+ old_sha=$(git rev-parse HEAD)
+ git fetch -f "$repo_source" "$repo_branch":remotes/origin/"$repo_branch" || exit 1
+ new_sha=$(git rev-parse remotes/origin/"$repo_branch")
+ if [[ "$old_sha" == "$new_sha" ]]
+ then
+ # They are the same, we don't need to do anything.
+ exit 0
+ else
+ # They differ. Check out the new revision.
+ git checkout -f "$new_sha" || exit 1
+ git branch -f "$repo_branch" "$new_sha" || exit 1
+ # This is not strictly necessary, but it makes it look like we have the correct branch
+ # checked out. Good if someone inspects the repo at a later time.
+ git checkout -f "$repo_branch" || exit 1
+ exit 100
+ fi
+fi
+EOF
+)
+
+# Check for enough parameters.
+if [[ "$#" < 3 ]]
+then
+ echo "Not enough parameters."
+ echo "Usage: update_repo.sh <path> <source> <branch>"
+ exit 2
+fi
+
+# Setup variables for calling "update_repo"...
+repo_path="$1"
+repo_source="$2"
+repo_branch="$3"
+
+export repo_path repo_source repo_branch
+
+if [[ -z "$REPO_USER" ]]
+then
+ # Just run it in a subshell
+ bash -c "$update_repo_fn"
+else
+ # Perhaps group was not supplied.
+ if [[ -z "$REPO_GROUP" ]]
+ then
+ REPO_GROUP="$REPO_USER"
+ fi
+ sudo --preserve-env=repo_path,repo_source,repo_branch,update_repo --set-home --user="$REPO_USER" --group="$REPO_GROUP" -- bash -c "$update_repo_fn"
+fi
+# Note: We cannot put any commands between the if-statement and here. We need the result code from
+# invoking bash, which is the last command in both the if- and else- branches.
+result="$?"
+if [[ $result == 0 ]]
+then
+ # All is well, nothing needed to be done.
+ exit 0
+elif [[ $result == 100 ]]
+then
+ # All is well, but we need to tell the environment that we updated the repo.
+ if [[ ! -z "$REPO_ON_UPDATE" ]]
+ then
+ # Run it if it is there.
+ eval "$REPO_ON_UPDATE"
+ fi
+ exit 0
+else
+ # Something went awry, forward the exit code.
+ exit $result
+fi
diff --git a/manifests/aes_broker.pp b/manifests/aes_broker.pp
deleted file mode 100644
index 81716334468f1828443e26444f1892a4378a1817..0000000000000000000000000000000000000000
--- a/manifests/aes_broker.pp
+++ /dev/null
@@ -1,43 +0,0 @@
-class aes::aes_broker {
-
- $broker_user = broker
- $broker_group = "${broker_user}"
- $broker_home = "/srv/${broker_user}"
- $broker_service = "${broker_user}"
-
- # Sadly, it does not seem like we can only install asio, so we need
- # to install the Boost as a whole.
- # It is easiest to install just "boost", even if that is a bit older
- # than what is available (others require modifying the include path).
- # It is still enough for the broker.
- package {
- [
- 'boost',
- 'boost-devel',
- 'krb5-libs',
- 'krb5-devel',
- ]:
- ensure => installed,
- }
-
- user { "${broker_user}" :
- ensure => present,
- home => "${broker_user}",
- comment => 'Message broker for AES',
- managehome => false,
- membership => inclusive,
- system => true,
- shell => '/sbin/nologin',
- }
-
- file { "${broker_home}" :
- ensure => directory,
- owner => "${broker_user}",
- group => "${broker_group}",
- mode => '0755',
- }
-
- # TODO: We still need to download the source from Git as needed and update the broker and auth service.
- # To compile the broker, we need to do "source /opt/rh/devtoolset-7/enable" first. Otherwise, we will not get a good enough GCC.
-
-}
diff --git a/manifests/aes_sw.pp b/manifests/aes_sw.pp
index 3b3001f7e31d546290071885e242bb2ba9d9a712..d4700177d03dfffb0e7fc42fd97eb22cd900f7f1 100644
--- a/manifests/aes_sw.pp
+++ b/manifests/aes_sw.pp
@@ -91,39 +91,15 @@ class aes::aes_sw {
ensure => "running",
}
- file { "${examadm_home}/.ssh/known_hosts":
- ensure => present,
- owner => "${examadm_user}",
- group => "${examadm_group}",
- mode => '0644',
- content => @(KNOWNHOST)
- gitlab.liu.se,2001:6b0:17:f003::44 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBF3yWjkuKo7f3OH4BhGwcd71lkWZqdyk7cxOCn5exPoqLldt2OfbhEA7lM+89Gr/AqRbHlbrS1M8An7j4Lj77hc=
- | KNOWNHOST
- }
-
- exec { 'script-repo-clone':
-# TODO
-# git config user.name "aes-devel.edu.liu.se"
-# git config user.email "klas.arvidsson@liu.se"
- command => '/usr/bin/git clone --quiet --single-branch --branch master --depth 1 git@gitlab.liu.se:examadm/scripts.git',
+ exec { 'script-repo-updated':
+ command => "/opt/utils/update_repo.sh ${examadm_home}/scripts https://oauth2:iAyewr9Jq5E-tnsVrmbj@gitlab.liu.se/examadm/scripts.git master",
cwd => "${examadm_home}",
- creates => "${examadm_home}/scripts",
user => "${examadm_user}",
group => "${examadm_group}",
- require => File["${examadm_home}/.ssh/known_hosts"],
}
schedule { 'everyday':
period => daily,
range => '01:00 - 04:00',
}
-
- exec { 'script-repo-pull':
- cwd => "${examadm_home}", # 'cwd' is set before 'onlyif' and 'command'
- onlyif => "/usr/bin/test -d scripts/.git",
- command => "/usr/bin/git --git-dir scripts/.git --work-tree scripts pull --depth 1",
- user => "${examadm_user}",
- group => "${examadm_group}",
-# schedule => 'everyday',
- }
}
diff --git a/manifests/auth.pp b/manifests/auth.pp
new file mode 100644
index 0000000000000000000000000000000000000000..b8a159af81b6f4f815754990d4481624ce6a0a26
--- /dev/null
+++ b/manifests/auth.pp
@@ -0,0 +1,82 @@
+class aes::auth {
+
+ $auth_user = auth
+ $auth_group = "${auth_user}"
+ $auth_home = "/srv/${auth_user}"
+ $auth_service = "aes_auth"
+
+ # Note: We rely on Boost being installed by the broker. It seems Puppet does not like
+ # that we specify "boost" multiple times, even though it would look nice, modularity-wise
+ # since both the auth server and the broker requires boost.
+ package {
+ [
+ 'krb5-libs',
+ 'krb5-devel',
+ ]:
+ ensure => installed,
+ }
+
+ user { "${auth_user}" :
+ ensure => present,
+ home => "${auth_home}",
+ comment => 'Authentication server for AES',
+ managehome => false,
+ membership => inclusive,
+ system => true,
+ shell => '/sbin/nologin',
+ }
+
+ file { "${auth_home}" :
+ ensure => directory,
+ owner => "${auth_user}",
+ group => "${auth_group}",
+ mode => '0755',
+ }
+
+ file { "/etc/systemd/system/${auth_service}.service" :
+ ensure => present,
+ owner => root,
+ group => root,
+ mode => '0644',
+ source => "puppet:///modules/${module_name}/auth/auth.service",
+ }
+
+ file { "${auth_home}/on_update.sh" :
+ ensure => present,
+ owner => root,
+ group => root,
+ mode => '0700',
+ source => "puppet:///modules/${module_name}/auth/on_update.sh",
+ }
+
+ file { "${auth_home}/config.json" :
+ ensure => present,
+ owner => auth,
+ group => auth,
+ mode => '0644',
+ source => "puppet:///modules/${module_name}/auth/config.json",
+ }
+
+ file { "${auth_home}/start.sh" :
+ ensure => present,
+ owner => auth,
+ group => auth,
+ mode => '0755',
+ source => "puppet:///modules/${module_name}/auth/start.sh",
+ }
+
+ exec { 'update-auth-repo' :
+ command => "/opt/utils/update_repo.sh ${auth_home}/src https://oauth2:F-agHaRXCdyFy38q4c-N@gitlab.liu.se/upp-aes/communication.git production",
+ environment => [ "REPO_USER=${auth_user}", "REPO_GROUP=${auth_group}", "REPO_ON_UPDATE=${auth_home}/on_update.sh" ],
+ # This command will need to run "on_update" as root in order to restart the service.
+ user => root,
+ group => root,
+ cwd => "${auth_home}",
+ require => File["${auth_home}/on_update.sh"],
+ }
+
+ service { "${auth_service}" :
+ ensure => "running",
+ }
+
+}
\ No newline at end of file
diff --git a/manifests/broker.pp b/manifests/broker.pp
new file mode 100644
index 0000000000000000000000000000000000000000..bd8891bbef2471c54ad1052d0c263d242e61cd23
--- /dev/null
+++ b/manifests/broker.pp
@@ -0,0 +1,68 @@
+class aes::broker {
+
+ $broker_user = broker
+ $broker_group = "${broker_user}"
+ $broker_home = "/srv/${broker_user}"
+ $broker_service = "aes_broker"
+
+ # Sadly, it does not seem like we can only install asio, so we need
+ # to install the Boost as a whole.
+ # It is easiest to install just "boost", even if that is a bit older
+ # than what is available (others require modifying the include path).
+ # It is still enough for the broker.
+ package {
+ [
+ 'boost',
+ 'boost-devel',
+ ]:
+ ensure => installed,
+ }
+
+ user { "${broker_user}" :
+ ensure => present,
+ home => "${broker_home}",
+ comment => 'Message broker for AES',
+ managehome => false,
+ membership => inclusive,
+ system => true,
+ shell => '/sbin/nologin',
+ }
+
+ file { "${broker_home}" :
+ ensure => directory,
+ owner => "${broker_user}",
+ group => "${broker_group}",
+ mode => '0755',
+ }
+
+ file { "/etc/systemd/system/${broker_service}.service" :
+ ensure => present,
+ owner => root,
+ group => root,
+ mode => '0644',
+ source => "puppet:///modules/${module_name}/broker/broker.service",
+ }
+
+ file { "${broker_home}/on_update.sh" :
+ ensure => present,
+ owner => root,
+ group => root,
+ mode => '0700',
+ source => "puppet:///modules/${module_name}/broker/on_update.sh",
+ }
+
+ exec { 'update-broker-repo' :
+ command => "/opt/utils/update_repo.sh ${broker_home}/src https://oauth2:F-agHaRXCdyFy38q4c-N@gitlab.liu.se/upp-aes/communication.git production",
+ environment => [ "REPO_USER=${broker_user}", "REPO_GROUP=${broker_group}", "REPO_ON_UPDATE=${broker_home}/on_update.sh" ],
+ # This command will need to run "on_update" as root in order to restart the service.
+ user => root,
+ group => root,
+ cwd => "${broker_home}",
+ require => File["${broker_home}/on_update.sh"],
+ }
+
+ service { "${broker_service}" :
+ ensure => "running",
+ }
+
+}
\ No newline at end of file
diff --git a/manifests/init.pp b/manifests/init.pp
index 8c63907c846aa2bb120281c93091c10e9aadc3bb..2a1ff0e7024ce71df53d73bd34f752b75fa0fb71 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -5,6 +5,7 @@ class aes {
include aes::squid_filter
include aes::latex
include aes::broker
+ include aes::auth
include ::liurepo::centos_sclo_rh
package {
@@ -32,6 +33,30 @@ class aes {
content => file("${module_name}/anacrontab"),
}
+ # File for updating repositories.
+ file { '/opt/utils':
+ ensure => directory,
+ mode => '0755',
+ owner => root,
+ group => root,
+ }
+ file { '/opt/utils/update_repo.sh':
+ ensure => file,
+ mode => '0755',
+ owner => root,
+ group => root,
+ content => file("${module_name}/update_repo.sh"),
+ }
+
+ # File to easily see when Puppet was last executed.
+ # Ideally, we would like to know if it is devel or production as well.
+ exec { '/usr/bin/touch /var/last_puppet_run' :
+ cwd => "/var",
+ creates => "/var/last_puppet_run",
+ user => root,
+ group => root,
+ }
+
::users::liu_user { 'klaar36':
commonname => 'Klas Arvidsson',
shell => '/bin/bash',
@@ -68,14 +93,14 @@ class aes {
service sclogin is tcp/23431
service aesmsi is tcp/23816
service aesmso is tcp/23817
-# service opendsa is tcp/12000
+ service aesbroker is tcp/31337
policy chain INPUT is
accept service:squid from class:liu-nets
accept service:sclogin from class:liu-nets
accept service:aesmsi from class:liu-nets
accept service:aesmso from class:liu-nets
-# accept service:opendsa from class:liu-nets
+ accept service:aesbroker from class:liu-nets
end policy
|-EOF
}
diff --git a/manifests/opendsa.pp b/manifests/opendsa.pp
index 632f7f09911f04ccfa5526a0e713e97a07aaf400..b8f3a56fd86e14ed2ca518fc6fd565da01d75804 100644
--- a/manifests/opendsa.pp
+++ b/manifests/opendsa.pp
@@ -22,40 +22,31 @@ class aes::opendsa {
mode => '0755',
}
- file { "${opendsa_home}/.ssh":
- ensure => directory,
- recurse => true,
- # Is modes copied correctly by "recurse" option above? NO, but works
- # chmod 0700 .ssh/id_rsa
- # chmod 0744 .ssh/id_rsa.pub .ssh/known_hosts
- purge => true,
- force => true,
- owner => "${opendsa_user}",
- group => "${opendsa_group}",
- mode => '0700',
- source => "puppet:///modules/${module_name}/opendsa/.ssh",
+ # This file will be executed as root, which is why we don't let anyone but root examine it.
+ file { "${opendsa_home}/on_update.sh":
+ ensure => present,
+ owner => root,
+ group => root,
+ mode => '0700',
+ source => "puppet:///modules/${module_name}/opendsa/on_update.sh",
}
- exec { '/usr/bin/git clone --single-branch --branch exam git@gitlab.ida.liu.se:filst04/OpenDSA.git' :
- cwd => "${opendsa_home}",
- creates => "${opendsa_home}/OpenDSA",
- user => "${opendsa_user}",
- group => "${opendsa_group}",
+ file { "/etc/systemd/system/${opendsa_service}.service":
+ ensure => present,
+ owner => root,
+ group => root,
+ mode => '0644',
+ source => "puppet:///modules/${module_name}/opendsa/opendsa.service",
}
- # Will this work? DANGEROUS, need service restart! Not needed.
- # exec { '/usr/bin/git pull' :
- # cwd => "${opendsa_home}/OpenDSA",
- # onlyif => "/bin/test -d ${opendsa_home}/OpenDSA/.git",
- # user => "${opendsa_user}",
- # group => "${opendsa_group}",
- # }
-
- # Install python packets. Can this be run several times safely? (Idempotent?) YES
- exec { '/usr/bin/python3 -m pip install --user -r OpenDSA/server/requirements.txt' :
+ exec { 'update-repo':
+ command => "/opt/utils/update_repo.sh ${opendsa_home}/OpenDSA https://oauth2:taNPRZid9Hv6jJtdW_T8@gitlab.liu.se/opendsa/OpenDSA.git exam",
+ environment => [ "REPO_USER=${opendsa_user}", "REPO_GROUP=${opendsa_group}", "REPO_ON_UPDATE=${opendsa_home}/on_update.sh" ],
+ # This command will need to run "on_update" as root in order to restart the service.
+ user => root,
+ group => root,
cwd => "${opendsa_home}",
- user => "${opendsa_user}",
- group => "${opendsa_group}",
+ require => File["${opendsa_home}/on_update.sh"],
}
file { "${opendsa_home}/manage.sh":
@@ -66,21 +57,6 @@ class aes::opendsa {
source => "puppet:///modules/${module_name}/opendsa/manage.sh",
}
- exec { "${opendsa_home}/OpenDSA/server/main.py init_db" :
- cwd => "${opendsa_home}/OpenDSA/server/",
- creates => "${opendsa_home}/OpenDSA/server/openDSA.db",
- user => "${opendsa_user}",
- group => "${opendsa_group}",
- }
-
- file { "/etc/systemd/system/${opendsa_service}.service":
- ensure => present,
- owner => root,
- group => root,
- mode => '0644',
- source => "puppet:///modules/${module_name}/opendsa/opendsa.service",
- }
-
# Do we need port 12000 open? NO
service { "${opendsa_service}" :
ensure => "running",
diff --git a/validate.sh b/validate.sh
index deee0a939b2673d89da70da174289c27fe0f171c..63c0eeda4afa2894f74119fbe2efe621f539c189 100755
--- a/validate.sh
+++ b/validate.sh
@@ -9,5 +9,6 @@ puppet parser validate --strict_variables --modulepath="$modulepath" manifests/
for file in $*
do
class=$(basename $file .pp)
- puppet apply --noop --test --modulepath="$modulepath" -e "include aes::$class"
+ # Sudo is needed for modules that do something with yum for example.
+ sudo /opt/puppetlabs/bin/puppet apply --noop --test --modulepath="$modulepath" -e "include aes::$class"
done