Merge branch 'devel' into 'test'

Devel

See merge request liu-puppet-modules/aes!36

README.md

 # aes
 
+Repeated apply in puppet logs are the below
+
+
+notice 	/Stage[main]/Aes::Aes_sw/Exec[script-repo-updated]/returns 	executed successfully (corrective)
+notice 	/Stage[main]/Aes::Tal_cli/Exec[update-tal-repo]/returns 	executed successfully (corrective)
+notice 	/Stage[main]/Aes::Opendsa/Exec[update-repo]/returns 		executed successfully (corrective)
+notice 	/Stage[main]/Aes::Broker/Exec[update-broker-repo]/returns 	executed successfully (corrective)
+notice 	/Stage[main]/Aes::Auth/Exec[update-auth-repo]/returns 		executed successfully (corrective)
+notice 	/Stage[main]/Aes::Auth_keydb/Exec[update-keydb-repo]/returns 	executed successfully (corrective)
+  All use the same script "/opt/utils/update_repo.sh" to update local repo files
+  Should be possible to run with cron
+  Why is this required to run within puppet?
+
+notice 	/Stage[main]/Aes/Exec[/usr/bin/touch /var/last_puppet_run]/returns 	executed successfully (corrective)
+  If a semaphore is required, use /opt/puppetlabs/puppet/public/last_run_summary.yaml 
+  Please skip the touch exec!
\ No newline at end of file

data/common.yaml

@@ -26,6 +26,32 @@ aes::auth::keytab_devel: >
   IcAIbgvoQbriFHLJiL9HIWl6GSe6I/jp9n5veEkhHdT3M0nEEc0hbKWBaELj
   gTDWfQoET9V1Lrtv]
 
+aes::auth::keytab_production_base64: >
+  ENC[PKCS7,MIIB6wYJKoZIhvcNAQcDoIIB3DCCAdgCAQAxggEhMIIBHQIBADAFMAACAQEw
+  DQYJKoZIhvcNAQEBBQAEggEAWDNqT2ab63HdYWzW2/9TZrsxEcdDvJBKl87f
+  vNVOQveZOoK2vBSaGb0Mzs5AQrY02ib2mBEZKsIgyI5JIPJRc+KAPVsjOOa1
+  vYx8N/VazTPWEIEtCMXG5wwR2P+ws/mzU9ztcDd4E1Hh5k8bRsu/krTGn783
+  QF1I+FEod9tYd1vMMpRkd1nkGq0GJtRHv9Xteb3DN6XJkdrdMaNpKw8Cemj/
+  N96wTtcL72LvogBpgzueQJ8+XdyFJCmWqk1lQV7pyllOIcnXrIcAz9E7TRXz
+  kCjq3Lr2MPnpptV8CDhoIUuEiNfGAQIWa3DQJIPzuz5gtug9Am1XDvbg9Bxx
+  VQ2FmjCBrQYJKoZIhvcNAQcBMB0GCWCGSAFlAwQBKgQQAjUES6mKmlxRmzIZ
+  wu7L04CBgACGs/1vQi4G6v4Lz99FyonAjwsGU/texX/8Xgchp7emzkgLgqqz
+  BnDIXQukEIHBA5sBiBSYbvztTj99QQ2+hjS0fIyclQHa1xACtzeWJeGuf7Wh
+  /SVEJY3QpTspf98UwahjqrDLrGNK/my8Wc0U4ji4dozFhDl1WGcTyYUp5Zgn]
+
+aes::auth::keytab_devel_base64: >
+  ENC[PKCS7,MIIB6wYJKoZIhvcNAQcDoIIB3DCCAdgCAQAxggEhMIIBHQIBADAFMAACAQEw
+  DQYJKoZIhvcNAQEBBQAEggEAIlqY2OywFv+nNU225WBoKCqDOoPLak73Di0u
+  Qm+zyFOroYQMYfzvCQ38U41wQanG3TdRaK9G9EoG3uX9qR/9AEYi9YWCq/YN
+  uhR7baNq4TEGsIkf/DoeMPh/LJGgQm8UGgRFj2cxTVERe/g1PC54LzuvmuHj
+  lk2KS1MYltGhnZoumczTFlk+1qGwzTzyGglSxt8EFbDJgLr5YEwWbgyhHQVg
+  C1HK53N5UeCUdJrRePDOoSfhXTq2TkzcmeuO6DMV+3pnb6IXdweBQTDikGnM
+  Bd5GSOx0U0njCVOeXqSmWAhDu2hCtryshbhhhiv+qL7cQ5yDulZIj6YaRb0X
+  CNCuXDCBrQYJKoZIhvcNAQcBMB0GCWCGSAFlAwQBKgQQ1yi1qYaUepK4KbkL
+  YTGfO4CBgKPQ++rfV6Nw1M5qPgLS6gsvkOEAe+9FFiFWH1uTNqoZX9jSO4tZ
+  F0y5pwJ4OpjQS0oiInF+rxET2PTnND6yNtxeSkBncAWnNHA80Z2U7BOZG6Lw
+  BbBuhpmotOaWx2thqdb2sCNlj3yZMT1k62VXU8rBqzRA3Vj7jiRiXXxcSnnQ]
+
 aes::tal_cli::credentials: >
   ENC[PKCS7,MIIBiQYJKoZIhvcNAQcDoIIBejCCAXYCAQAxggEhMIIBHQIBAD
   AFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAii6nHpFM6+6aPuw1Qnawf77K7f

manifests/aes_sw.pp

+# @summary
+#   Describe what this class do!
+#
+#   Detailed summary info if suitable
+#
 class aes::aes_sw {
   $examadm_user = examadm
   $examadm_group = $examadm_user
@@ -34,24 +39,29 @@ class aes::aes_sw {
     group  => $examadm_group,
   }
 
+  # lint:ignore:140chars
   file { "${examadm_home}/.ssh/authorized_keys":
     ensure  => file,
     mode    => '0600',
     owner   => $examadm_user,
     group   => $examadm_group,
+    # lint:ignore:strict_indent heredoc failing...
     content => @(SSHPUBKEY),
       command="/home/examadm/tal-cli/source/scripts/tal-export.py --format ics --lookback 90 --lookahead 180",no-pty,no-user-rc,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDJW4LP0av20r7lPXNgsftF9oaAXK41AvHyuHwybciZC/QBfTcmYif83563cTg0OzR/p+OSobiDM0odaaFYtP/8xbuVRz87X5bGYm2m8yHHqPxobHkT5g/faMkl9Fef+Al4EsT5tiaYMOhG2lj8XRYuwAb7qjoz3FFbs8TEPE7Sv+4BUCCH94taCuNYLXSxN1EXvw7VW6Ld5QXRFP53l2QUeTqE9oSii3BVrXlqqrLvNV/7nwdwyse4uhff4QrM9o4oc9FaQr8PLlPGxdlbSfIQJMVzHGpeDu0WLw+NqtLO1hsdlvQm7GrT/v8N7GJNKlsvhwnwUuMhTrB0yPMbbub1 klaar36@upp
       command="/home/examadm/tal-cli/source/scripts/tal-export.py --written --format ics --lookback 90 --lookahead 180",no-pty,no-user-rc,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILZ8aEAXw0tRcYrk1aqldepuC6tmdUYZuM270QdDF79o tal written exams to ics
     | SSHPUBKEY
+    # lint:endignore:strict_indent
   }
+  # lint:endignore:140chars
 
   file { '/etc/systemd/system/aes_login.service':
     ensure  => file,
     owner   => root,
     group   => root,
     mode    => '0644',
+    # lint:ignore:strict_indent heredoc failing...
     content => @(LOGINSERVICE),
-          [Unit]
+    [Unit]
     Description=AES Login server
     After=network.target
 
@@ -64,6 +74,7 @@ class aes::aes_sw {
     [Install]
     WantedBy=multi-user.target
     | LOGINSERVICE
+    # lint:endignore:strict_indent
   }
 
   # todo: logrotate
@@ -77,8 +88,9 @@ class aes::aes_sw {
     owner   => root,
     group   => root,
     mode    => '0644',
+    # lint:ignore:strict_indent heredoc failing...
     content => @(MSSERVICE),
-          [Unit]
+    [Unit]
     Description=AES Exam server
     After=network.target
 
@@ -91,6 +103,7 @@ class aes::aes_sw {
     [Install]
     WantedBy=multi-user.target
     | MSSERVICE
+    # lint:endignore:strict_indent
   }
 
   file { '/etc/cron.daily/aes_ms':
@@ -98,10 +111,12 @@ class aes::aes_sw {
     owner   => root,
     group   => root,
     mode    => '0700',
+    # lint:ignore:strict_indent heredoc failing...
     content => @(MSCRON),
-          #!/bin/sh
+    #!/bin/sh
     /usr/bin/systemctl restart aes_ms
     | MSCRON
+    # lint:endignore:strict_indent
   }
 
   file { '/etc/cron.daily/aes_login':
@@ -109,10 +124,12 @@ class aes::aes_sw {
     owner   => root,
     group   => root,
     mode    => '0700',
+    # lint:ignore:strict_indent heredoc failing...
     content => @(MSCRON),
-          #!/bin/sh
+    #!/bin/sh
     /usr/bin/systemctl restart aes_login
     | MSCRON
+    # lint:endignore:strict_indent
   }
 
   # todo: logrotate

manifests/auth.pp

+# @summary
+#   Describe what this class do!
+#
+#   Detailed summary info if suitable
+#
+#
+# @param keytab_production_base64
+#   Describe keytab_production_base64
+#
+# @param keytab_devel_base64
+#   Describe keytab_devel_base64
+#
 class aes::auth (
-  Optional[String] $keytab_production = undef,
-  Optional[String] $keytab_devel = undef
+  # Comment out old keytab params but
+  # keep temporay for comparison
+  #
+  # # Existing keytabs
+  # Optional[String] $keytab_production = undef,
+  # Optional[String] $keytab_devel = undef
+  #
+  # new base64+pkcs7 keytabs
+  Optional[String] $keytab_production_base64 = undef,
+  Optional[String] $keytab_devel_base64 = undef
 ) {
   $auth_user = auth
   $auth_group = $auth_user
   $auth_home = "/srv/${auth_user}"
   $auth_service = 'aes_auth'
 
+  # Decode base64 encoded keytabs
+  $keytab_production  = Binary.new($keytab_production_base64, '%b')
+  $keytab_devel = Binary.new($keytab_devel_base64, '%b')
+
   # Pick the right keytab for the current environment. We use the fqdn rather than 
   # $environment since the keys are tied to the domain name rather than what 
   # environment the machine is configured in.

manifests/auth_keydb.pp

+# @summary
+#   Describe what this class do!
+#
+#   Detailed summary info if suitable
+#
+#
 class aes::auth_keydb {
   $keydb_user = auth_keydb
   $keydb_group = $keydb_user

manifests/broker.pp

+# @summary
+#   Describe what this class do!
+#
+#   Detailed summary info if suitable
+#
+#
 class aes::broker {
   $broker_user = broker
   $broker_group = $broker_user

manifests/examfiles.pp

+# @summary
+#   Describe what this class do!
+#
+#   Detailed summary info if suitable
+#
+#
 class aes::examfiles {
   include users::micis03
   include users::jondy94

manifests/init.pp

+# @summary
+#   Describe what this class do!
+#
+#   Detailed summary info if suitable
+#
+#
 class aes {
   include aes::examfiles
   include aes::aes_sw
@@ -107,8 +113,9 @@ class aes {
   }
 
   ::server_firewall::rules_file { '45-permit_squid.rules':
+    # lint:ignore:strict_indent heredoc failing...
     content => @(EOF),
-          service squid is tcp/3128
+    service squid is tcp/3128
     service sclogin is tcp/23431
     service aesmsi is tcp/23816
     service aesmso is tcp/23817
@@ -122,5 +129,6 @@ class aes {
       accept service:aesbroker from class:liu-nets
     end policy
     |-EOF
+    # lint:endignore:strict_indent
   }
 }

manifests/latex.pp

+# @summary
+#   Describe what this class do!
+#
+#   Detailed summary info if suitable
+#
+#
 class aes::latex {
   package {
     [

manifests/opendsa.pp

+# @summary
+#   Describe what this class do!
+#
+#   Detailed summary info if suitable
+#
+#
 class aes::opendsa {
   $opendsa_user = opendsa
   $opendsa_group = $opendsa_user

manifests/squid_filter.pp

+# @summary
+#   Describe what this class do!
+#
+#   Detailed summary info if suitable
+#
+#
 class aes::squid_filter {
   package { 'squid' :
     ensure => 'present',

manifests/tal_cli.pp

+# @summary
+#   Describe what this class do!
+#
+#   Detailed summary info if suitable
+#
+#
+# @param credentials
+#   Describe credentials
+#
 class aes::tal_cli (
   Optional[String] $credentials = undef
 ) {
@@ -53,6 +62,7 @@ class aes::tal_cli (
     owner   => 'root',
     group   => 'root',
     mode    => '0700',
+    # lint:ignore:strict_indent heredoc failing...
     content => @(END),
     #!/bin/bash
     if [ "$(hostname)" = "aes-devel.edu.liu.se" ]
@@ -67,5 +77,6 @@ class aes::tal_cli (
         sudo -u examadm /home/examadm/tal-cli/source/scripts/tal-remind.py --to ${TO} --computer-exam --send
     fi
     | END
+    # lint:endignore:strict_indent
   }
 }