Adaptions for RHEL9

ab4cf8e2 · Klas Arvidsson · a401cadc · ab4cf8e2 · ab4cf8e2 · ab4cf8e2
Commit ab4cf8e2 authored 1 year ago by Klas Arvidsson
--- a/manifests/aes_sw.pp
+++ b/manifests/aes_sw.pp
@@ -8,6 +8,54 @@ class aes::aes_sw {
  $examadm_group = $examadm_user
  $examadm_home = "/home/${examadm_user}"

+  case fact('os.family') {
+    'RedHat': {
+      firewalld_custom_service { 'aes-server':
+        description => 'Authentic Examination System server',
+        ports       => [
+          { port => '23431',  protocol => 'tcp' },
+          { port => '23816',  protocol => 'tcp' },
+          { port => '23817',  protocol => 'tcp' },
+        ],
+      }
+
+      @firewalld_rich_rule {
+        default:
+          service => 'aes-server',
+          log     => false;
+
+        'Accept aes-server in LiU networks without logging IPv4':
+          zone   => 'liu',
+          family => 'ipv4',
+          action => 'accept';
+        'Accept aes-server in LiU networks without logging IPv6':
+          zone   => 'liu',
+          family => 'ipv6',
+          action => 'accept';
+      }
+    }
+    'CentOS': {
+      ::server_firewall::rules_file { '45-permit_aes_sw.rules':
+        # lint:ignore:strict_indent heredoc failing...
+        content => @(EOF),
+	service sclogin is tcp/23431
+        service aesmsi is tcp/23816
+        service aesmso is tcp/23817
+
+        policy chain INPUT is
+          accept service:sclogin from class:liu-nets
+          accept service:aesmsi from class:liu-nets
+          accept service:aesmso from class:liu-nets
+        end policy
+        |-EOF
+        # lint:endignore:strict_indent
+      }
+    }
+    default: {
+      fail("${module_name} - Not supported for family ${fact('os.family')}.")
+    }
+  }
+
  package {
    [
      'enscript', # present in pars_pwd_list.py, but pars_pwd_list.py old and unused?
@@ -147,9 +195,4 @@ class aes::aes_sw {
    owner    => $examadm_user,
    group    => $examadm_group,
  }
-
-  schedule { 'everyday':
-    period => daily,
-    range  => '01:00 - 04:00',
-  }
 }
--- a/manifests/broker.pp
+++ b/manifests/broker.pp
@@ -11,14 +11,64 @@ class aes::broker {
  $broker_home = "/srv/${broker_user}"
  $broker_service = 'aes_broker'

-  # Sadly, it does not seem like we can not only install asio, so we need
-  # to install the Boost as a whole.
-  package {
-    [
-      'boost169',
-      'boost169-devel',
-    ]:
-      ensure => installed,
+  case fact('os.family') {
+    'RedHat': {
+      package {
+        [
+          'boost',
+          'boost-devel',
+        ]:
+          ensure => installed,
+      }
+
+      firewalld_custom_service { 'aes-broker':
+        description => 'Authentic Examination System server',
+        ports       => [
+          { port => '31337',  protocol => 'tcp' },
+        ],
+      }
+
+      @firewalld_rich_rule {
+        default:
+          service => 'aes-broker',
+          log     => false;
+
+        'Accept aes-broker in LiU networks without logging IPv4':
+          zone   => 'liu',
+          family => 'ipv4',
+          action => 'accept';
+        'Accept aes-broker in LiU networks without logging IPv6':
+          zone   => 'liu',
+          family => 'ipv6',
+          action => 'accept';
+      }
+    }
+    'CentOS': {
+      # Sadly, it does not seem like we can not only install asio, so we need
+      # to install the Boost as a whole.
+      package {
+        [
+          'boost169',
+          'boost169-devel',
+        ]:
+          ensure => installed,
+      }
+
+      ::server_firewall::rules_file { '45-permit_aes_broker.rules':
+        # lint:ignore:strict_indent heredoc failing...
+        content => @(EOF),
+        service aesbroker is tcp/31337
+        
+        policy chain INPUT is
+          accept service:aesbroker from class:liu-nets
+        end policy
+        |-EOF
+        # lint:endignore:strict_indent
+      }
+    }
+    default: {
+      fail("${module_name} - Not supported for family ${fact('os.family')}.")
+    }
  }

  # Figure out which certificate to use based on the hostname.

--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -14,18 +14,40 @@ class aes {
  include aes::broker
  include aes::auth
  include aes::auth_keydb
-  include liurepo::centos_sclo_rh

-  package {
-    [
-      'devtoolset-7',
-      'gcc',
-      'gcc-c++',
-      'libaio',
-      'python36',
-    ]:
-      ensure  => installed,
-      require => Class['liurepo::centos_sclo_rh'],
+  case fact('os.family') {
+    'RedHat': {
+      # TODO: Move this to the subclass that actually require it?
+      package {
+        [
+          'gcc-toolset-12',
+          'gcc',
+          'gcc-c++',
+          'libaio',
+          'python3',
+        ]:
+          ensure  => installed,
+          require => Class['liurepo::centos_sclo_rh'],
+      }
+    }
+    'CentOS': {
+      include liurepo::centos_sclo_rh
+      # TODO: Move this to the subclass that actually require it?
+      package {
+        [
+          'devtoolset-7',
+          'gcc',
+          'gcc-c++',
+          'libaio',
+          'python36',
+        ]:
+          ensure  => installed,
+          require => Class['liurepo::centos_sclo_rh'],
+      }
+    }
+    default: {
+      fail("${module_name} - Not supported for family ${fact('os.family')}.")
+    }
  }

  file { '/etc/sudoers.d/aes':
@@ -111,24 +133,4 @@ class aes {
    shell      => '/bin/bash',
    sshkey     => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQCsUKr53aCwErzsdhD/5oEQ4gWW51NgXa70Ow20Fnv/pyKAepDsIMCOB6kf1aET8LOlnq8Wyu0/52GGB38mO6cUzi7MLeWj7bg1Npq7b5/Uoaquq/dginoVQDc5RuJfmoy7PwmjKep/J2OIkCs8kD4sKbqN3ArCW555hgBvlGCdHxER1x2c5wGc2iuMCcbsfonOfORIxzCoiF4igfmuA1wpFZgyjBLuHn/SOtp85pD3nR0JSiaJWcMLB7IkWzXxvbpUWhDf7/gE4mwCDkOajY8zdG+aLkAZI0J1TJUGq50zji4OouwxxPW2JhpVl1KbRPqec+pVtdQIZstgUg3YbJGl', # lint:ignore:140chars
  }
-
-  ::server_firewall::rules_file { '45-permit_squid.rules':
-    # lint:ignore:strict_indent heredoc failing...
-    content => @(EOF),
-    service squid is tcp/3128
-    service sclogin is tcp/23431
-    service aesmsi is tcp/23816
-    service aesmso is tcp/23817
-    service aesbroker is tcp/31337
-
-    policy chain INPUT is
-      accept service:squid from class:liu-nets
-      accept service:sclogin from class:liu-nets
-      accept service:aesmsi from class:liu-nets
-      accept service:aesmso from class:liu-nets
-      accept service:aesbroker from class:liu-nets
-    end policy
-    |-EOF
-    # lint:endignore:strict_indent
-  }
 }
--- a/manifests/squid_filter.pp
+++ b/manifests/squid_filter.pp
@@ -5,6 +5,48 @@
 #
 #
 class aes::squid_filter {
+  case fact('os.family') {
+    'RedHat': {
+      firewalld_custom_service { 'squid':
+        description => 'Squid proxy for filtered internet access',
+        ports       => [
+          { port => '3128',  protocol => 'tcp' },
+        ],
+      }
+
+      @firewalld_rich_rule {
+        default:
+          service => 'squid',
+          log     => false;
+
+        'Accept squid in LiU networks without logging IPv4':
+          zone   => 'liu',
+          family => 'ipv4',
+          action => 'accept';
+        'Accept squid in LiU networks without logging IPv6':
+          zone   => 'liu',
+          family => 'ipv6',
+          action => 'accept';
+      }
+    }
+    'CentOS': {
+      ::server_firewall::rules_file { '45-permit_squid.rules':
+        # lint:ignore:strict_indent heredoc failing...
+        content => @(EOF),
+        service squid is tcp/3128
+
+        policy chain INPUT is
+          accept service:squid from class:liu-nets
+        end policy
+        |-EOF
+        # lint:endignore:strict_indent
+      }
+    }
+    default: {
+      fail("${module_name} - Not supported for family ${fact('os.family')}.")
+    }
+  }
+
  package { 'squid' :
    ensure => 'present',
  }