diff --git a/manifests/aes_sw.pp b/manifests/aes_sw.pp index 9352ba5c73cba6b528aa883a44916e5500acab0a..f2ab5eee31f2c8e2aef0b30b9a112ed109d99d58 100644 --- a/manifests/aes_sw.pp +++ b/manifests/aes_sw.pp @@ -8,6 +8,54 @@ class aes::aes_sw { $examadm_group = $examadm_user $examadm_home = "/home/${examadm_user}" + case fact('os.family') { + 'RedHat': { + firewalld_custom_service { 'aes-server': + description => 'Authentic Examination System server', + ports => [ + { port => '23431', protocol => 'tcp' }, + { port => '23816', protocol => 'tcp' }, + { port => '23817', protocol => 'tcp' }, + ], + } + + @firewalld_rich_rule { + default: + service => 'aes-server', + log => false; + + 'Accept aes-server in LiU networks without logging IPv4': + zone => 'liu', + family => 'ipv4', + action => 'accept'; + 'Accept aes-server in LiU networks without logging IPv6': + zone => 'liu', + family => 'ipv6', + action => 'accept'; + } + } + 'CentOS': { + ::server_firewall::rules_file { '45-permit_aes_sw.rules': + # lint:ignore:strict_indent heredoc failing... + content => @(EOF), + service sclogin is tcp/23431 + service aesmsi is tcp/23816 + service aesmso is tcp/23817 + + policy chain INPUT is + accept service:sclogin from class:liu-nets + accept service:aesmsi from class:liu-nets + accept service:aesmso from class:liu-nets + end policy + |-EOF + # lint:endignore:strict_indent + } + } + default: { + fail("${module_name} - Not supported for family ${fact('os.family')}.") + } + } + package { [ 'enscript', # present in pars_pwd_list.py, but pars_pwd_list.py old and unused? @@ -147,9 +195,4 @@ class aes::aes_sw { owner => $examadm_user, group => $examadm_group, } - - schedule { 'everyday': - period => daily, - range => '01:00 - 04:00', - } } diff --git a/manifests/broker.pp b/manifests/broker.pp index 880145bee2ec6894b8d4fb03c7ffd455de25bffb..f5b02c1acdef3e377df0eb88da06e40f3fc318cf 100644 --- a/manifests/broker.pp +++ b/manifests/broker.pp 
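Review bot: The `'CentOS'` arm of `case fact('os.family')` is unreachable, because Facter reports `os.family` as `RedHat` on CentOS hosts as well (the distribution name lives in `os.name`), so every host takes the `'RedHat'` arm: the firewalld resources are declared and the `::server_firewall::rules_file` for ports 23431/23816/23817 is no longer managed on the CentOS machines, which together with the removal of `45-permit_squid.rules` in init.pp leaves their permit rules unmanaged. The same selector is used in the broker.pp, init.pp and squid_filter.pp hunks of this commit. The package choices in the two arms (`gcc-toolset-12`/`python3` versus `devtoolset-7`/`python36`) suggest the split is really by EL generation, so keying on `case fact('os.release.major') {` with the two major versions as arms, or on `fact('os.name')` with the distribution names the new hosts actually report, would make the intended split effective. The `default: { fail(...) }` arm is then worth keeping as it is, since it catches an unexpected release rather than silently applying the wrong firewall backend.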
@@ -11,14 +11,64 @@ class aes::broker { $broker_home = "/srv/${broker_user}" $broker_service = 'aes_broker' - # Sadly, it does not seem like we can not only install asio, so we need - # to install the Boost as a whole. - package { - [ - 'boost169', - 'boost169-devel', - ]: - ensure => installed, + case fact('os.family') { + 'RedHat': { + package { + [ + 'boost', + 'boost-devel', + ]: + ensure => installed, + } + + firewalld_custom_service { 'aes-broker': + description => 'Authentic Examination System server', + ports => [ + { port => '31337', protocol => 'tcp' }, + ], + } + + @firewalld_rich_rule { + default: + service => 'aes-broker', + log => false; + + 'Accept aes-broker in LiU networks without logging IPv4': + zone => 'liu', + family => 'ipv4', + action => 'accept'; + 'Accept aes-broker in LiU networks without logging IPv6': + zone => 'liu', + family => 'ipv6', + action => 'accept'; + } + } + 'CentOS': { + # Sadly, it does not seem like we can not only install asio, so we need + # to install the Boost as a whole. + package { + [ + 'boost169', + 'boost169-devel', + ]: + ensure => installed, + } + + ::server_firewall::rules_file { '45-permit_aes_broker.rules': + # lint:ignore:strict_indent heredoc failing... + content => @(EOF), + service aesbroker is tcp/31337 + + policy chain INPUT is + accept service:aesbroker from class:liu-nets + end policy + |-EOF + # lint:endignore:strict_indent + } + } + default: { + fail("${module_name} - Not supported for family ${fact('os.family')}.") + } } # Figure out which certificate to use based on the hostname. diff --git a/manifests/init.pp b/manifests/init.pp index 40e8d9f1f8bf7cd42a0d8276f0a9f2bb8fd06e86..4a4027d676fb0de3ffaed80ba9d9d1c45914fc77 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
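Review bot: The `description` of `firewalld_custom_service { 'aes-broker': ... }` still reads `'Authentic Examination System server'`, copied from the aes-server service in aes_sw.pp; since this string is what an operator sees when inspecting the firewalld service definition, it should name the broker, e.g. `description => 'Authentic Examination System broker',`. The port 31337 is unchanged from the old rules file, so the intent otherwise matches the removed iptables rule. The enclosing class aes::broker continues outside the hunk.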
@@ -14,18 +14,40 @@ class aes { include aes::broker include aes::auth include aes::auth_keydb - include liurepo::centos_sclo_rh - package { - [ - 'devtoolset-7', - 'gcc', - 'gcc-c++', - 'libaio', - 'python36', - ]: - ensure => installed, - require => Class['liurepo::centos_sclo_rh'], + case fact('os.family') { + 'RedHat': { + # TODO: Move this to the subclass that actually require it? + package { + [ + 'gcc-toolset-12', + 'gcc', + 'gcc-c++', + 'libaio', + 'python3', + ]: + ensure => installed, + require => Class['liurepo::centos_sclo_rh'], + } + } + 'CentOS': { + include liurepo::centos_sclo_rh + # TODO: Move this to the subclass that actually require it? + package { + [ + 'devtoolset-7', + 'gcc', + 'gcc-c++', + 'libaio', + 'python36', + ]: + ensure => installed, + require => Class['liurepo::centos_sclo_rh'], + } + } + default: { + fail("${module_name} - Not supported for family ${fact('os.family')}.") + } } file { '/etc/sudoers.d/aes': 
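Review bot: In the `'RedHat'` arm the package resource keeps `require => Class['liurepo::centos_sclo_rh']`, but the `include liurepo::centos_sclo_rh` was moved into the `'CentOS'` arm, so unless that class is declared somewhere else the catalog fails on hosts taking this arm because the relationship points at a resource that is not in the catalog. The packages listed there (`gcc-toolset-12`, `gcc`, `gcc-c++`, `libaio`, `python3`) do not come from the SCLO repository as far as I can tell, so the line can simply be dropped from that arm: remove `require => Class['liurepo::centos_sclo_rh'],` in the `'RedHat'` package resource. The `# TODO: Move this to the subclass that actually require it?` comment is now duplicated in both arms; one copy above the `case` would do. The class aes continues outside the hunk.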
@@ -111,24 +133,4 @@ class aes { shell => '/bin/bash', sshkey => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQCsUKr53aCwErzsdhD/5oEQ4gWW51NgXa70Ow20Fnv/pyKAepDsIMCOB6kf1aET8LOlnq8Wyu0/52GGB38mO6cUzi7MLeWj7bg1Npq7b5/Uoaquq/dginoVQDc5RuJfmoy7PwmjKep/J2OIkCs8kD4sKbqN3ArCW555hgBvlGCdHxER1x2c5wGc2iuMCcbsfonOfORIxzCoiF4igfmuA1wpFZgyjBLuHn/SOtp85pD3nR0JSiaJWcMLB7IkWzXxvbpUWhDf7/gE4mwCDkOajY8zdG+aLkAZI0J1TJUGq50zji4OouwxxPW2JhpVl1KbRPqec+pVtdQIZstgUg3YbJGl', # lint:ignore:140chars } - - ::server_firewall::rules_file { '45-permit_squid.rules': - # lint:ignore:strict_indent heredoc failing... - content => @(EOF), - service squid is tcp/3128 - service sclogin is tcp/23431 - service aesmsi is tcp/23816 - service aesmso is tcp/23817 - service aesbroker is tcp/31337 - - policy chain INPUT is - accept service:squid from class:liu-nets - accept service:sclogin from class:liu-nets - accept service:aesmsi from class:liu-nets - accept service:aesmso from class:liu-nets - accept service:aesbroker from class:liu-nets - end policy - |-EOF - # lint:endignore:strict_indent - } } diff --git a/manifests/squid_filter.pp b/manifests/squid_filter.pp index 071d583849619ead9e299a3d70d55a6fa42cb71f..eb5dc55a8bde5dc5bdec56d5e5083910525e5bd3 100644 --- a/manifests/squid_filter.pp +++ b/manifests/squid_filter.pp 
@@ -5,6 +5,48 @@ # # class aes::squid_filter { + case fact('os.family') { + 'RedHat': { + firewalld_custom_service { 'squid': + description => 'Squid proxy for filtered internet access', + ports => [ + { port => '3128', protocol => 'tcp' }, + ], + } + + @firewalld_rich_rule { + default: + service => 'squid', + log => false; + + 'Accept squid in LiU networks without logging IPv4': + zone => 'liu', + family => 'ipv4', + action => 'accept'; + 'Accept squid in LiU networks without logging IPv6': + zone => 'liu', + family => 'ipv6', + action => 'accept'; + } + } + 'CentOS': { + ::server_firewall::rules_file { '45-permit_squid.rules': + # lint:ignore:strict_indent heredoc failing... + content => @(EOF), + service squid is tcp/3128 + + policy chain INPUT is + accept service:squid from class:liu-nets + end policy + |-EOF + # lint:endignore:strict_indent + } + } + default: { + fail("${module_name} - Not supported for family ${fact('os.family')}.") + } + } + package { 'squid' : ensure => 'present', }
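Review bot: The `@firewalld_rich_rule` resources are declared virtual, so the accept rules for the `squid` service only reach the node if some other class realizes them with a collector; nothing in this commit does, and the same applies to the `aes-server` and `aes-broker` rich rules in aes_sw.pp and broker.pp. A `firewalld_custom_service` on its own only defines the service and opens nothing, and the old iptables rules file for squid is removed from init.pp in this commit, so if no collector exists the proxy port ends up closed on the new hosts. If a shared firewall profile does realize them, a comment at the declaration would save the next reader the search, e.g. `# Virtual: realized by <profile class> which collects Firewalld_rich_rule.`; if not, drop the `@` so the rules are applied together with the service.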