
Devel

Merged Magnus Svensson requested to merge devel into test
3 files
+ 20
9
Files
3
+ 73
31
class aes::auth {
class aes::auth(
Optional[String] $keytab_production = undef,
Optional[String] $keytab_devel = undef
) {
$auth_user = auth
$auth_group = "${auth_user}"
$auth_group = $auth_user
$auth_home = "/srv/${auth_user}"
$auth_service = "aes_auth"
$auth_service = 'aes_auth'
# Pick the right keytab for the current environment. We use the fqdn rather than
# $environment since the keys are tied to the domain name rather than what
# environment the machine is configured in.
if $facts[fqdn] == 'aes.edu.liu.se' {
# The AD service account for this key is: ida_sys002_srv
$auth_keytab_data = $keytab_production
$server_type = 'production'
} elsif $facts[fqdn] == 'aes-devel.edu.liu.se' {
# The AD service account for this key is: ida_sys004_srv
$auth_keytab_data = $keytab_devel
$server_type = 'devel'
} else {
$auth_keytab_data = undef
}
# Note: We rely on Boost being installed by the broker. It seems Puppet does not like
# that we specify "boost" multiple times, even though it would look nice, modularity-wise
# since both the auth server and the broker requires boost.
package {
[
'krb5-libs',
'krb5-devel',
'krb5-libs',
'krb5-devel',
'openssl-devel',
]:
ensure => installed,
}
user { "${auth_user}" :
# Group for local authentication. All accounts that are members
# of this group are considered trusted by the authentication system.
group { 'aes_local_auth' :
ensure => present,
home => "${auth_home}",
comment => 'Authentication server for AES',
}
user { $auth_user :
ensure => present,
home => $auth_home,
comment => 'Authentication server for AES',
managehome => false,
membership => inclusive,
system => true,
shell => '/sbin/nologin',
groups => [ 'aes_local_auth' ],
system => true,
shell => '/sbin/nologin',
}
file { "${auth_home}" :
file { $auth_home :
ensure => directory,
owner => "${auth_user}",
group => "${auth_group}",
mode => '0755',
owner => $auth_user,
group => $auth_group,
mode => '0755',
}
file { "/etc/systemd/system/${auth_service}.service" :
ensure => present,
ensure => file,
owner => root,
group => root,
mode => '0644',
@@ -42,7 +68,7 @@ class aes::auth {
}
file { "${auth_home}/on_update.sh" :
ensure => present,
ensure => file,
owner => root,
group => root,
mode => '0700',
@@ -50,33 +76,49 @@ class aes::auth {
}
file { "${auth_home}/config.json" :
ensure => present,
owner => auth,
group => auth,
ensure => file,
owner => $auth_user,
group => $auth_group,
mode => '0644',
source => "puppet:///modules/${module_name}/auth/config.json",
}
file { "${auth_home}/start.sh" :
ensure => present,
owner => auth,
group => auth,
ensure => file,
owner => $auth_user,
group => $auth_group,
mode => '0755',
source => "puppet:///modules/${module_name}/auth/start.sh",
}
file { "${auth_home}/keys" :
ensure => directory,
owner => $auth_user,
group => $auth_group,
mode => '0700',
}
if $auth_keytab_data {
file { "${auth_home}/keys/kerberos.keytab" :
ensure => file,
owner => root,
group => $auth_group,
mode => '0640',
content => $auth_keytab_data,
}
}
exec { 'update-auth-repo' :
command => "/opt/utils/update_repo.sh ${auth_home}/src https://oauth2:F-agHaRXCdyFy38q4c-N@gitlab.liu.se/upp-aes/communication.git production",
command => "/opt/utils/update_repo.sh ${auth_home}/src https://oauth2:F-agHaRXCdyFy38q4c-N@gitlab.liu.se/upp-aes/communication.git ${server_type}",
environment => [ "REPO_USER=${auth_user}", "REPO_GROUP=${auth_group}", "REPO_ON_UPDATE=${auth_home}/on_update.sh" ],
# This command will need to run "on_update" as root in order to restart the service.
user => root,
group => root,
cwd => "${auth_home}",
require => File["${auth_home}/on_update.sh"],
user => root,
group => root,
cwd => $auth_home,
require => File["${auth_home}/on_update.sh"],
}
service { "${auth_service}" :
ensure => "running",
service { $auth_service :
ensure => 'running',
}
}
\ No newline at end of file
}
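Review bot: `$server_type`, interpolated into the `update-auth-repo` command in the second hunk, is only assigned in the two fqdn branches, so on any other host the `else` branch leaves it unset and the exec runs `update_repo.sh` with an empty branch argument (or fails under strict variables); set it alongside `$auth_keytab_data = undef`, e.g. `$server_type = undef`, and guard the exec with `if $server_type { ... }` so an unmatched host skips the checkout instead of running a malformed command. The same command line still carries a repository access token inline in the URL, which the commit keeps; anything in an exec `command` is catalog data that ends up in compiled catalogs, reports and agent logs, so it should be moved out of the manifest (a `Sensitive`-typed class parameter or a credential file read by `update_repo.sh` on the host). For the new `kerberos.keytab` resource, consider `show_diff => false` (and passing the keytab as `Sensitive`) so the keytab bytes are not written into the report diff when the content changes. The exec and service resources sit inside the class body, which continues past the hunk boundaries.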