From ab4cf8e2df4767ff1e2ad0c287b24426e8937c3e Mon Sep 17 00:00:00 2001
From: Klas Arvidsson <klas.arvidsson@liu.se>
Date: Tue, 3 Oct 2023 18:19:52 +0200
Subject: [PATCH] Adaptions for RHEL9

---
 manifests/aes_sw.pp       | 53 ++++++++++++++++++++++++++++---
 manifests/broker.pp       | 66 ++++++++++++++++++++++++++++++++++-----
 manifests/init.pp         | 64 +++++++++++++++++++------------------
 manifests/squid_filter.pp | 42 +++++++++++++++++++++++++
 4 files changed, 181 insertions(+), 44 deletions(-)

diff --git a/manifests/aes_sw.pp b/manifests/aes_sw.pp
index 9352ba5..f2ab5ee 100644
--- a/manifests/aes_sw.pp
+++ b/manifests/aes_sw.pp
@@ -8,6 +8,54 @@ class aes::aes_sw {
   $examadm_group = $examadm_user
   $examadm_home = "/home/${examadm_user}"
 
+  case fact('os.family') {
+    'RedHat': {
+      firewalld_custom_service { 'aes-server':
+        description => 'Authentic Examination System server',
+        ports       => [
+          { port => '23431',  protocol => 'tcp' },
+          { port => '23816',  protocol => 'tcp' },
+          { port => '23817',  protocol => 'tcp' },
+        ],
+      }
+
+      @firewalld_rich_rule {
+        default:
+          service => 'aes-server',
+          log     => false;
+
+        'Accept aes-server in LiU networks without logging IPv4':
+          zone   => 'liu',
+          family => 'ipv4',
+          action => 'accept';
+        'Accept aes-server in LiU networks without logging IPv6':
+          zone   => 'liu',
+          family => 'ipv6',
+          action => 'accept';
+      }
+    }
+    'CentOS': {
+      ::server_firewall::rules_file { '45-permit_aes_sw.rules':
+        # lint:ignore:strict_indent heredoc failing...
+        content => @(EOF),
+	service sclogin is tcp/23431
+        service aesmsi is tcp/23816
+        service aesmso is tcp/23817
+
+        policy chain INPUT is
+          accept service:sclogin from class:liu-nets
+          accept service:aesmsi from class:liu-nets
+          accept service:aesmso from class:liu-nets
+        end policy
+        |-EOF
+        # lint:endignore:strict_indent
+      }
+    }
+    default: {
+      fail("${module_name} - Not supported for family ${fact('os.family')}.")
+    }
+  }
+
   package {
     [
       'enscript', # present in pars_pwd_list.py, but pars_pwd_list.py old and unused?
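Review bot: The `'CentOS'` arm of `case fact('os.family')` can never be selected, because Facter reports `os.family` as `RedHat` for CentOS as well as for RHEL, so a CentOS 7 host would fall into the `'RedHat'` arm and receive the firewalld resources instead of the `server_firewall::rules_file` it presumably still needs; the same construct is repeated in broker.pp, init.pp and squid_filter.pp. Unless a site-specific fact overrides `os.family`, branch on the release instead, e.g. `case fact('os.release.major') {` with `'9': {` and `'7': {` arms while keeping the failing `default` arm. Separately, the heredoc line `service sclogin is tcp/23431` appears to be indented with a tab where the neighbouring lines use spaces; with `|-EOF` indentation stripping that line would keep a different indent from the rest of the rules file, so it should use spaces.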
@@ -147,9 +195,4 @@ class aes::aes_sw {
     owner    => $examadm_user,
     group    => $examadm_group,
   }
-
-  schedule { 'everyday':
-    period => daily,
-    range  => '01:00 - 04:00',
-  }
 }
diff --git a/manifests/broker.pp b/manifests/broker.pp
index 880145b..f5b02c1 100644
--- a/manifests/broker.pp
+++ b/manifests/broker.pp
@@ -11,14 +11,64 @@ class aes::broker {
   $broker_home = "/srv/${broker_user}"
   $broker_service = 'aes_broker'
 
-  # Sadly, it does not seem like we can not only install asio, so we need
-  # to install the Boost as a whole.
-  package {
-    [
-      'boost169',
-      'boost169-devel',
-    ]:
-      ensure => installed,
+  case fact('os.family') {
+    'RedHat': {
+      package {
+        [
+          'boost',
+          'boost-devel',
+        ]:
+          ensure => installed,
+      }
+
+      firewalld_custom_service { 'aes-broker':
+        description => 'Authentic Examination System server',
+        ports       => [
+          { port => '31337',  protocol => 'tcp' },
+        ],
+      }
+
+      @firewalld_rich_rule {
+        default:
+          service => 'aes-broker',
+          log     => false;
+
+        'Accept aes-broker in LiU networks without logging IPv4':
+          zone   => 'liu',
+          family => 'ipv4',
+          action => 'accept';
+        'Accept aes-broker in LiU networks without logging IPv6':
+          zone   => 'liu',
+          family => 'ipv6',
+          action => 'accept';
+      }
+    }
+    'CentOS': {
+      # Sadly, it does not seem like we can not only install asio, so we need
+      # to install the Boost as a whole.
+      package {
+        [
+          'boost169',
+          'boost169-devel',
+        ]:
+          ensure => installed,
+      }
+
+      ::server_firewall::rules_file { '45-permit_aes_broker.rules':
+        # lint:ignore:strict_indent heredoc failing...
+        content => @(EOF),
+        service aesbroker is tcp/31337
+        
+        policy chain INPUT is
+          accept service:aesbroker from class:liu-nets
+        end policy
+        |-EOF
+        # lint:endignore:strict_indent
+      }
+    }
+    default: {
+      fail("${module_name} - Not supported for family ${fact('os.family')}.")
+    }
   }
 
   # Figure out which certificate to use based on the hostname.
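Review bot: The `firewalld_custom_service { 'aes-broker'` resource carries the description `'Authentic Examination System server'`, the same text used for the aes-server service in aes_sw.pp, which makes the two services indistinguishable when an operator lists them; suggest `description => 'Authentic Examination System broker',`. The blank line inside the `'45-permit_aes_broker.rules'` heredoc also carries trailing whitespace that the `|-EOF` stripping will leave in the generated file; trim it. The class `aes::broker` continues past this hunk.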
diff --git a/manifests/init.pp b/manifests/init.pp
index 40e8d9f..4a4027d 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -14,18 +14,40 @@ class aes {
   include aes::broker
   include aes::auth
   include aes::auth_keydb
-  include liurepo::centos_sclo_rh
 
-  package {
-    [
-      'devtoolset-7',
-      'gcc',
-      'gcc-c++',
-      'libaio',
-      'python36',
-    ]:
-      ensure  => installed,
-      require => Class['liurepo::centos_sclo_rh'],
+  case fact('os.family') {
+    'RedHat': {
+      # TODO: Move this to the subclass that actually require it?
+      package {
+        [
+          'gcc-toolset-12',
+          'gcc',
+          'gcc-c++',
+          'libaio',
+          'python3',
+        ]:
+          ensure  => installed,
+          require => Class['liurepo::centos_sclo_rh'],
+      }
+    }
+    'CentOS': {
+      include liurepo::centos_sclo_rh
+      # TODO: Move this to the subclass that actually require it?
+      package {
+        [
+          'devtoolset-7',
+          'gcc',
+          'gcc-c++',
+          'libaio',
+          'python36',
+        ]:
+          ensure  => installed,
+          require => Class['liurepo::centos_sclo_rh'],
+      }
+    }
+    default: {
+      fail("${module_name} - Not supported for family ${fact('os.family')}.")
+    }
   }
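Review bot: In the `'RedHat'` arm the package resource still declares `require => Class['liurepo::centos_sclo_rh']`, but the `include liurepo::centos_sclo_rh` that previously sat at class level now only exists in the `'CentOS'` arm, so on a RHEL host catalog compilation will fail on the unresolved `Class[Liurepo::Centos_sclo_rh]` dependency unless that class is declared elsewhere. Since gcc-toolset-12 is presumably coming from the distribution's own repositories rather than SCLO, the simplest fix is to drop the `require =>` line from the RedHat arm; otherwise add the matching `include`. The class `aes` continues past this hunk.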
 
   file { '/etc/sudoers.d/aes':
@@ -111,24 +133,4 @@ class aes {
     shell      => '/bin/bash',
     sshkey     => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQCsUKr53aCwErzsdhD/5oEQ4gWW51NgXa70Ow20Fnv/pyKAepDsIMCOB6kf1aET8LOlnq8Wyu0/52GGB38mO6cUzi7MLeWj7bg1Npq7b5/Uoaquq/dginoVQDc5RuJfmoy7PwmjKep/J2OIkCs8kD4sKbqN3ArCW555hgBvlGCdHxER1x2c5wGc2iuMCcbsfonOfORIxzCoiF4igfmuA1wpFZgyjBLuHn/SOtp85pD3nR0JSiaJWcMLB7IkWzXxvbpUWhDf7/gE4mwCDkOajY8zdG+aLkAZI0J1TJUGq50zji4OouwxxPW2JhpVl1KbRPqec+pVtdQIZstgUg3YbJGl', # lint:ignore:140chars
   }
-
-  ::server_firewall::rules_file { '45-permit_squid.rules':
-    # lint:ignore:strict_indent heredoc failing...
-    content => @(EOF),
-    service squid is tcp/3128
-    service sclogin is tcp/23431
-    service aesmsi is tcp/23816
-    service aesmso is tcp/23817
-    service aesbroker is tcp/31337
-
-    policy chain INPUT is
-      accept service:squid from class:liu-nets
-      accept service:sclogin from class:liu-nets
-      accept service:aesmsi from class:liu-nets
-      accept service:aesmso from class:liu-nets
-      accept service:aesbroker from class:liu-nets
-    end policy
-    |-EOF
-    # lint:endignore:strict_indent
-  }
 }
diff --git a/manifests/squid_filter.pp b/manifests/squid_filter.pp
index 071d583..eb5dc55 100644
--- a/manifests/squid_filter.pp
+++ b/manifests/squid_filter.pp
@@ -5,6 +5,48 @@
 #
 #
 class aes::squid_filter {
+  case fact('os.family') {
+    'RedHat': {
+      firewalld_custom_service { 'squid':
+        description => 'Squid proxy for filtered internet access',
+        ports       => [
+          { port => '3128',  protocol => 'tcp' },
+        ],
+      }
+
+      @firewalld_rich_rule {
+        default:
+          service => 'squid',
+          log     => false;
+
+        'Accept squid in LiU networks without logging IPv4':
+          zone   => 'liu',
+          family => 'ipv4',
+          action => 'accept';
+        'Accept squid in LiU networks without logging IPv6':
+          zone   => 'liu',
+          family => 'ipv6',
+          action => 'accept';
+      }
+    }
+    'CentOS': {
+      ::server_firewall::rules_file { '45-permit_squid.rules':
+        # lint:ignore:strict_indent heredoc failing...
+        content => @(EOF),
+        service squid is tcp/3128
+
+        policy chain INPUT is
+          accept service:squid from class:liu-nets
+        end policy
+        |-EOF
+        # lint:endignore:strict_indent
+      }
+    }
+    default: {
+      fail("${module_name} - Not supported for family ${fact('os.family')}.")
+    }
+  }
+
   package { 'squid' :
     ensure => 'present',
   }
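Review bot: `firewalld_custom_service { 'squid'` shares its name with the `squid` service definition that firewalld ships by default, so this custom definition shadows the bundled one under /etc/firewalld/services; that is harmless while both open only 3128/tcp, but a comment would spare the next reader the surprise, e.g. `# Overrides firewalld's bundled 'squid' service definition; keep the port list in sync.` The `@firewalld_rich_rule` declarations are virtual and only take effect once collected or realized, which I cannot see in this patch, so confirm that a collector exists for zone `liu`. The class body continues past this hunk.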
-- 
GitLab