diff --git a/README.md b/README.md
index 39042de6316e62258e1862de1e94719b99cb59d2..d2d7d40dfdd6f878e53d556a1d47877cf861d224 100644
--- a/README.md
+++ b/README.md
@@ -1,2 +1,18 @@
 # aes
 
+Repeated apply in puppet logs are the below
+
+
+notice 	/Stage[main]/Aes::Aes_sw/Exec[script-repo-updated]/returns 	executed successfully (corrective)
+notice 	/Stage[main]/Aes::Tal_cli/Exec[update-tal-repo]/returns 	executed successfully (corrective)
+notice 	/Stage[main]/Aes::Opendsa/Exec[update-repo]/returns 		executed successfully (corrective)
+notice 	/Stage[main]/Aes::Broker/Exec[update-broker-repo]/returns 	executed successfully (corrective)
+notice 	/Stage[main]/Aes::Auth/Exec[update-auth-repo]/returns 		executed successfully (corrective)
+notice 	/Stage[main]/Aes::Auth_keydb/Exec[update-keydb-repo]/returns 	executed successfully (corrective)
+  All use the same script "/opt/utils/update_repo.sh" to update local repo files
+  Should be possible to run with cron
+  Why is this required to run within puppet?
+
+notice 	/Stage[main]/Aes/Exec[/usr/bin/touch /var/last_puppet_run]/returns 	executed successfully (corrective)
+  If a semaphore is required, use /opt/puppetlabs/puppet/public/last_run_summary.yaml 
+  Please skip the touch exec!
\ No newline at end of file
diff --git a/data/common.yaml b/data/common.yaml
index e1414775418393cd29180542217ff61c22247ba4..6d593aa775bbfe4edc4f94248870df52042309ef 100644
--- a/data/common.yaml
+++ b/data/common.yaml
@@ -26,6 +26,32 @@ aes::auth::keytab_devel: >
   IcAIbgvoQbriFHLJiL9HIWl6GSe6I/jp9n5veEkhHdT3M0nEEc0hbKWBaELj
   gTDWfQoET9V1Lrtv]
 
+aes::auth::keytab_production_base64: >
+  ENC[PKCS7,MIIB6wYJKoZIhvcNAQcDoIIB3DCCAdgCAQAxggEhMIIBHQIBADAFMAACAQEw
+  DQYJKoZIhvcNAQEBBQAEggEAWDNqT2ab63HdYWzW2/9TZrsxEcdDvJBKl87f
+  vNVOQveZOoK2vBSaGb0Mzs5AQrY02ib2mBEZKsIgyI5JIPJRc+KAPVsjOOa1
+  vYx8N/VazTPWEIEtCMXG5wwR2P+ws/mzU9ztcDd4E1Hh5k8bRsu/krTGn783
+  QF1I+FEod9tYd1vMMpRkd1nkGq0GJtRHv9Xteb3DN6XJkdrdMaNpKw8Cemj/
+  N96wTtcL72LvogBpgzueQJ8+XdyFJCmWqk1lQV7pyllOIcnXrIcAz9E7TRXz
+  kCjq3Lr2MPnpptV8CDhoIUuEiNfGAQIWa3DQJIPzuz5gtug9Am1XDvbg9Bxx
+  VQ2FmjCBrQYJKoZIhvcNAQcBMB0GCWCGSAFlAwQBKgQQAjUES6mKmlxRmzIZ
+  wu7L04CBgACGs/1vQi4G6v4Lz99FyonAjwsGU/texX/8Xgchp7emzkgLgqqz
+  BnDIXQukEIHBA5sBiBSYbvztTj99QQ2+hjS0fIyclQHa1xACtzeWJeGuf7Wh
+  /SVEJY3QpTspf98UwahjqrDLrGNK/my8Wc0U4ji4dozFhDl1WGcTyYUp5Zgn]
+
+aes::auth::keytab_devel_base64: >
+  ENC[PKCS7,MIIB6wYJKoZIhvcNAQcDoIIB3DCCAdgCAQAxggEhMIIBHQIBADAFMAACAQEw
+  DQYJKoZIhvcNAQEBBQAEggEAIlqY2OywFv+nNU225WBoKCqDOoPLak73Di0u
+  Qm+zyFOroYQMYfzvCQ38U41wQanG3TdRaK9G9EoG3uX9qR/9AEYi9YWCq/YN
+  uhR7baNq4TEGsIkf/DoeMPh/LJGgQm8UGgRFj2cxTVERe/g1PC54LzuvmuHj
+  lk2KS1MYltGhnZoumczTFlk+1qGwzTzyGglSxt8EFbDJgLr5YEwWbgyhHQVg
+  C1HK53N5UeCUdJrRePDOoSfhXTq2TkzcmeuO6DMV+3pnb6IXdweBQTDikGnM
+  Bd5GSOx0U0njCVOeXqSmWAhDu2hCtryshbhhhiv+qL7cQ5yDulZIj6YaRb0X
+  CNCuXDCBrQYJKoZIhvcNAQcBMB0GCWCGSAFlAwQBKgQQ1yi1qYaUepK4KbkL
+  YTGfO4CBgKPQ++rfV6Nw1M5qPgLS6gsvkOEAe+9FFiFWH1uTNqoZX9jSO4tZ
+  F0y5pwJ4OpjQS0oiInF+rxET2PTnND6yNtxeSkBncAWnNHA80Z2U7BOZG6Lw
+  BbBuhpmotOaWx2thqdb2sCNlj3yZMT1k62VXU8rBqzRA3Vj7jiRiXXxcSnnQ]
+
 aes::tal_cli::credentials: >
   ENC[PKCS7,MIIBiQYJKoZIhvcNAQcDoIIBejCCAXYCAQAxggEhMIIBHQIBAD
   AFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAii6nHpFM6+6aPuw1Qnawf77K7f
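Review bot: The old `aes::auth::keytab_devel` value stays in this file (its tail is the context at the top of the hunk) beside the new `_base64` copies, while the `manifests/auth.pp` change in this commit comments out the parameters that read it. Once the comparison is finished, removing the unused entries would leave each keytab encrypted in the repository only once, so a later rotation has a single value to replace. A short comment above the new keys would also help the next reader, for example `# base64 of the binary keytab, eyaml-encrypted; decoded in aes::auth with Binary.new(..., '%b')`. Both neighbouring entries start or end outside this hunk, so whether a non-base64 production entry also exists cannot be seen from here.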
diff --git a/manifests/aes_sw.pp b/manifests/aes_sw.pp
index 2bfa4847928646d0c2d8eb6d214437a0bbcfbd51..15cec34746e7cf86234f7d9f25806fa70026473d 100644
--- a/manifests/aes_sw.pp
+++ b/manifests/aes_sw.pp
@@ -1,3 +1,8 @@
+# @summary
+#   Describe what this class do!
+#
+#   Detailed summary info if suitable
+#
 class aes::aes_sw {
   $examadm_user = examadm
   $examadm_group = $examadm_user
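Review bot: The `@summary` added above `class aes::aes_sw` is still template text (`Describe what this class do!`, `Detailed summary info if suitable`), so generated documentation will show a placeholder instead of a description. The same block is added in `auth.pp`, `auth_keydb.pp`, `broker.pp`, `examfiles.pp`, `init.pp`, `latex.pp`, `opendsa.pp`, `squid_filter.pp` and `tal_cli.pp`, and the `@param` entries in `auth.pp` and `tal_cli.pp` (`Describe credentials`) are placeholders as well. For this class something like `# @summary Manages the examadm account's SSH access and the aes_login and aes_ms services` looks right from the later hunks, but the class body continues outside this hunk, so the author should confirm the wording. For the secret-bearing parameters the `@param` text should state that the value is expected to arrive eyaml-encrypted from Hiera.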
@@ -34,24 +39,29 @@ class aes::aes_sw {
     group  => $examadm_group,
   }
 
+  # lint:ignore:140chars
   file { "${examadm_home}/.ssh/authorized_keys":
     ensure  => file,
     mode    => '0600',
     owner   => $examadm_user,
     group   => $examadm_group,
+    # lint:ignore:strict_indent heredoc failing...
     content => @(SSHPUBKEY),
       command="/home/examadm/tal-cli/source/scripts/tal-export.py --format ics --lookback 90 --lookahead 180",no-pty,no-user-rc,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDJW4LP0av20r7lPXNgsftF9oaAXK41AvHyuHwybciZC/QBfTcmYif83563cTg0OzR/p+OSobiDM0odaaFYtP/8xbuVRz87X5bGYm2m8yHHqPxobHkT5g/faMkl9Fef+Al4EsT5tiaYMOhG2lj8XRYuwAb7qjoz3FFbs8TEPE7Sv+4BUCCH94taCuNYLXSxN1EXvw7VW6Ld5QXRFP53l2QUeTqE9oSii3BVrXlqqrLvNV/7nwdwyse4uhff4QrM9o4oc9FaQr8PLlPGxdlbSfIQJMVzHGpeDu0WLw+NqtLO1hsdlvQm7GrT/v8N7GJNKlsvhwnwUuMhTrB0yPMbbub1 klaar36@upp
       command="/home/examadm/tal-cli/source/scripts/tal-export.py --written --format ics --lookback 90 --lookahead 180",no-pty,no-user-rc,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILZ8aEAXw0tRcYrk1aqldepuC6tmdUYZuM270QdDF79o tal written exams to ics
     | SSHPUBKEY
+    # lint:endignore:strict_indent
   }
+  # lint:endignore:140chars
 
   file { '/etc/systemd/system/aes_login.service':
     ensure  => file,
     owner   => root,
     group   => root,
     mode    => '0644',
+    # lint:ignore:strict_indent heredoc failing...
     content => @(LOGINSERVICE),
-          [Unit]
+    [Unit]
     Description=AES Login server
     After=network.target
 
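Review bot: The `lint:ignore:140chars` pair now wraps the two forced-command keys in `authorized_keys`, and those lines restrict each key by listing individual `no-*` options. Where the server's OpenSSH supports it, `restrict` is the safer form because it also turns off any forwarding or feature added in later releases, e.g. `command="…/tal-export.py --format ics --lookback 90 --lookahead 180",restrict ssh-rsa …`. A comment above the heredoc naming the owner and purpose of each key would make a later removal or rotation easier to review. The resource sits inside `class aes::aes_sw`, which starts before this hunk, and the `aes_login.service` heredoc at the end continues past it.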
@@ -64,6 +74,7 @@ class aes::aes_sw {
     [Install]
     WantedBy=multi-user.target
     | LOGINSERVICE
+    # lint:endignore:strict_indent
   }
 
   # todo: logrotate
@@ -77,8 +88,9 @@ class aes::aes_sw {
     owner   => root,
     group   => root,
     mode    => '0644',
+    # lint:ignore:strict_indent heredoc failing...
     content => @(MSSERVICE),
-          [Unit]
+    [Unit]
     Description=AES Exam server
     After=network.target
 
@@ -91,6 +103,7 @@ class aes::aes_sw {
     [Install]
     WantedBy=multi-user.target
     | MSSERVICE
+    # lint:endignore:strict_indent
   }
 
   file { '/etc/cron.daily/aes_ms':
@@ -98,10 +111,12 @@ class aes::aes_sw {
     owner   => root,
     group   => root,
     mode    => '0700',
+    # lint:ignore:strict_indent heredoc failing...
     content => @(MSCRON),
-          #!/bin/sh
+    #!/bin/sh
     /usr/bin/systemctl restart aes_ms
     | MSCRON
+    # lint:endignore:strict_indent
   }
 
   file { '/etc/cron.daily/aes_login':
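Review bot: Re-aligning `#!/bin/sh` with the `| MSCRON` end marker changes the file Puppet writes, not just the lint result: the old line sat six columns deeper than the marker, so the rendered `/etc/cron.daily/aes_ms` presumably began with spaces before `#!` and was not recognised as a shebang script. With `#!` now in column 0 the daily `systemctl restart aes_ms` may run differently than before, depending on how cron.daily scripts are launched on these hosts, so the commit message should call this out as a behaviour change. The same applies to the `/etc/cron.daily/aes_login` hunk that follows, and the realigned `[Unit]` lines and the `service squid is tcp/3128` line in `init.pp` also alter rendered content. A guard comment such as `# heredoc body must stay aligned with the '|' end marker so the script starts with '#!' in column 0` would keep this from regressing; the `file` resource itself opens before this hunk.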
@@ -109,10 +124,12 @@ class aes::aes_sw {
     owner   => root,
     group   => root,
     mode    => '0700',
+    # lint:ignore:strict_indent heredoc failing...
     content => @(MSCRON),
-          #!/bin/sh
+    #!/bin/sh
     /usr/bin/systemctl restart aes_login
     | MSCRON
+    # lint:endignore:strict_indent
   }
 
   # todo: logrotate
diff --git a/manifests/auth.pp b/manifests/auth.pp
index ae5ba62684f4ebce9b72e35671886bdb0948a2be..248720ef119bf12f3133e0360633da868bc7b200 100644
--- a/manifests/auth.pp
+++ b/manifests/auth.pp
@@ -1,12 +1,36 @@
+# @summary
+#   Describe what this class do!
+#
+#   Detailed summary info if suitable
+#
+#
+# @param keytab_production_base64
+#   Describe keytab_production_base64
+#
+# @param keytab_devel_base64
+#   Describe keytab_devel_base64
+#
 class aes::auth (
-  Optional[String] $keytab_production = undef,
-  Optional[String] $keytab_devel = undef
+  # Comment out old keytab params but
+  # keep temporay for comparison
+  #
+  # # Existing keytabs
+  # Optional[String] $keytab_production = undef,
+  # Optional[String] $keytab_devel = undef
+  #
+  # new base64+pkcs7 keytabs
+  Optional[String] $keytab_production_base64 = undef,
+  Optional[String] $keytab_devel_base64 = undef
 ) {
   $auth_user = auth
   $auth_group = $auth_user
   $auth_home = "/srv/${auth_user}"
   $auth_service = 'aes_auth'
 
+  # Decode base64 encoded keytabs
+  $keytab_production  = Binary.new($keytab_production_base64, '%b')
+  $keytab_devel = Binary.new($keytab_devel_base64, '%b')
+
   # Pick the right keytab for the current environment. We use the fqdn rather than 
   # $environment since the keys are tied to the domain name rather than what 
   # environment the machine is configured in.
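Review bot: Both `Binary.new(..., '%b')` calls run unconditionally, yet the parameters are still `Optional[String]` with a default of `undef`, so a node that has only one keytab in Hiera (or neither) would most likely fail catalog compilation on the undef argument. Either require the values (`String[1]`) or decode only what is set, e.g. `$keytab_production = $keytab_production_base64.then |$v| { Binary.new($v, '%b') }` and the same for `$keytab_devel`. The commented-out old parameters inside the parameter list (`keep temporay for comparison`) are better left to version control history than to the class signature. The resource that writes the keytab is outside this hunk; it is worth confirming that it does not print content diffs (`show_diff => false`) now that the value is a decoded secret.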
diff --git a/manifests/auth_keydb.pp b/manifests/auth_keydb.pp
index f7a0c5a130b1f91e8ba1cdd5d0cc76dd7ca48a5e..5bde484935cd53ffe2e218a3ee094acc8d8b34a4 100644
--- a/manifests/auth_keydb.pp
+++ b/manifests/auth_keydb.pp
@@ -1,3 +1,9 @@
+# @summary
+#   Describe what this class do!
+#
+#   Detailed summary info if suitable
+#
+#
 class aes::auth_keydb {
   $keydb_user = auth_keydb
   $keydb_group = $keydb_user
diff --git a/manifests/broker.pp b/manifests/broker.pp
index 33724401235d0f0f36adee8374d29d9e8c76ac70..3a093332f110217a9ff26eb5f313e39903219e51 100644
--- a/manifests/broker.pp
+++ b/manifests/broker.pp
@@ -1,3 +1,9 @@
+# @summary
+#   Describe what this class do!
+#
+#   Detailed summary info if suitable
+#
+#
 class aes::broker {
   $broker_user = broker
   $broker_group = $broker_user
diff --git a/manifests/examfiles.pp b/manifests/examfiles.pp
index 6571ba070d5e7a67871e4f02180201051baaefa3..0e0d7f74d233ec7bf4350e641189aa1c2fd0503f 100644
--- a/manifests/examfiles.pp
+++ b/manifests/examfiles.pp
@@ -1,3 +1,9 @@
+# @summary
+#   Describe what this class do!
+#
+#   Detailed summary info if suitable
+#
+#
 class aes::examfiles {
   include users::micis03
   include users::jondy94
diff --git a/manifests/init.pp b/manifests/init.pp
index 1e5903418e2475f2f8bb6fc9ec4ae8f17bc6f21e..6f3529e453441a5a39ee74c89c34fbc3897b7664 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -1,3 +1,9 @@
+# @summary
+#   Describe what this class do!
+#
+#   Detailed summary info if suitable
+#
+#
 class aes {
   include aes::examfiles
   include aes::aes_sw
@@ -107,8 +113,9 @@ class aes {
   }
 
   ::server_firewall::rules_file { '45-permit_squid.rules':
+    # lint:ignore:strict_indent heredoc failing...
     content => @(EOF),
-          service squid is tcp/3128
+    service squid is tcp/3128
     service sclogin is tcp/23431
     service aesmsi is tcp/23816
     service aesmso is tcp/23817
@@ -122,5 +129,6 @@ class aes {
       accept service:aesbroker from class:liu-nets
     end policy
     |-EOF
+    # lint:endignore:strict_indent
   }
 }
diff --git a/manifests/latex.pp b/manifests/latex.pp
index e2d1c8be03fd2deb50bd6b2be5f1a5dd5a839d93..02092261dd54f71948c26bd09240488d7c97948f 100644
--- a/manifests/latex.pp
+++ b/manifests/latex.pp
@@ -1,3 +1,9 @@
+# @summary
+#   Describe what this class do!
+#
+#   Detailed summary info if suitable
+#
+#
 class aes::latex {
   package {
     [
diff --git a/manifests/opendsa.pp b/manifests/opendsa.pp
index c2e623df5b1140a1f771465e4d94317e29ff4ac3..0dc64cfe1ec99c8183509de9541203bcd914f898 100644
--- a/manifests/opendsa.pp
+++ b/manifests/opendsa.pp
@@ -1,3 +1,9 @@
+# @summary
+#   Describe what this class do!
+#
+#   Detailed summary info if suitable
+#
+#
 class aes::opendsa {
   $opendsa_user = opendsa
   $opendsa_group = $opendsa_user
diff --git a/manifests/squid_filter.pp b/manifests/squid_filter.pp
index 3e64c0cef8535ded5a578b063845e100e01f54d4..071d583849619ead9e299a3d70d55a6fa42cb71f 100644
--- a/manifests/squid_filter.pp
+++ b/manifests/squid_filter.pp
@@ -1,3 +1,9 @@
+# @summary
+#   Describe what this class do!
+#
+#   Detailed summary info if suitable
+#
+#
 class aes::squid_filter {
   package { 'squid' :
     ensure => 'present',
diff --git a/manifests/tal_cli.pp b/manifests/tal_cli.pp
index c17363ed860a69752cea388f7394a69856eb57cd..530af22eeef3722a1caba428ef10523eb40ae0ac 100644
--- a/manifests/tal_cli.pp
+++ b/manifests/tal_cli.pp
@@ -1,3 +1,12 @@
+# @summary
+#   Describe what this class do!
+#
+#   Detailed summary info if suitable
+#
+#
+# @param credentials
+#   Describe credentials
+#
 class aes::tal_cli (
   Optional[String] $credentials = undef
 ) {
@@ -53,6 +62,7 @@ class aes::tal_cli (
     owner   => 'root',
     group   => 'root',
     mode    => '0700',
+    # lint:ignore:strict_indent heredoc failing...
     content => @(END),
     #!/bin/bash
     if [ "$(hostname)" = "aes-devel.edu.liu.se" ]
@@ -67,5 +77,6 @@ class aes::tal_cli (
         sudo -u examadm /home/examadm/tal-cli/source/scripts/tal-remind.py --to ${TO} --computer-exam --send
     fi
     | END
+    # lint:endignore:strict_indent
   }
 }