diff --git a/.puppet-lint.rc b/.puppet-lint.rc index 9e15c6e..df33c5b 100644 --- a/.puppet-lint.rc +++ b/.puppet-lint.rc @@ -5,5 +5,6 @@ --no-class_inherits_from_params_class-check --no-autoloader_layout-check --no-documentation-check +--no-parameter-documentation-check --no-single_quote_string_with_variables-check --ignore-paths=.vendor/**/*.pp,.bundle/**/*.pp,pkg/**/*.pp,spec/**/*.pp,tests/**/*.pp,types/**/*.pp,vendor/**/*.pp diff --git a/CHANGELOG.md b/CHANGELOG.md index f5318fd..9080c4e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,12 @@ ## Changelog +## Release 1.1.2 + +- Improvements to psick::admin class +- Improvements to psick::bolt class +- Lints +- Fix to psick::puppet::pe_agent settings + ## Release 1.1.1 - A few more puppet 8 fixes diff --git a/manifests/admin.pp b/manifests/admin.pp index b0e487e..b61dc46 100644 --- a/manifests/admin.pp +++ b/manifests/admin.pp @@ -63,6 +63,7 @@ String $node_class = '::psick::admin::node', String $user = 'admin', + String $group = 'admin', String $master = '', # lint:ignore:params_empty_string_assignment Variant[Undef,String] $keyshare_method = 'storeconfigs', @@ -75,13 +76,16 @@ Boolean $manage = $psick::manage, Boolean $noop_manage = $psick::noop_manage, Boolean $noop_value = $psick::noop_value, + + Boolean $notify_changed_user = true, + Boolean $manage_host_key = true, ) { if $manage { if $noop_manage { noop($noop_value) } - if $user != 'admin' { + if $user != 'admin' and $notify_changed_user { notify { 'admin user warning': message => 'If you change the default admin user name change psick/facts.d/admin_user_key.sh or set $::psick::admin::master::ssh_key', # lint:ignore:140chars } diff --git a/manifests/admin/master.pp b/manifests/admin/master.pp index 740578d..6d81fb8 100644 --- a/manifests/admin/master.pp +++ b/manifests/admin/master.pp 
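Review bot: The new `String $group = 'admin'` parameter in the hunk at -63 is consumed by `psick::admin::user` only as the `group` of the `.ssh` directory, and nothing in this diff creates that group or ties it to the admin user; if the `user` resource in `psick::admin::user` (outside these hunks) does not set `gid`, a non-default `$group` that does not already exist makes that `file` resource fail at apply time with a group-not-found error. Either pass it through as `gid => $psick::admin::group` on that `user` resource (with a matching `group` resource) or document the precondition on the parameter, e.g. `# Group owning the admin user's ~/.ssh; must already exist on the node`. The same applies to `$notify_changed_user` and `$manage_host_key` in the hunk at -75, which also ship without parameter docs — and `--no-parameter-documentation-check` is switched off in `.puppet-lint.rc` in this same change, so lint will no longer point that out.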
@@ -6,10 +6,14 @@ Variant[Undef,String] $inventory_epp = undef, Variant[Undef,String] $ssh_key = undef, + Variant[Undef,String] $from = undef, Boolean $manage = $psick::manage, Boolean $noop_manage = $psick::noop_manage, Boolean $noop_value = $psick::noop_value, + + Boolean $manage_host_key = $psick::admin::manage_host_key, + ) { if $manage { if $noop_manage { @@ -19,14 +23,24 @@ if $psick::admin::keyshare_method == 'storeconfigs' and ($ssh_key or getvar('facts.admin_user_key')) { + if $from { + $options = "from=\"${from}\"" + } else { + $options = undef + } + @@ssh_authorized_key { "admin_user_${psick::admin::user}_rsa-${facts['clientcert']}": - ensure => $ensure, - key => pick($ssh_key,getvar('facts.admin_user_key')), - user => $psick::admin::user, - type => 'rsa', - tag => "admin_master_${psick::admin::master}", + ensure => $ensure, + key => pick($ssh_key,getvar('facts.admin_user_key')), + user => $psick::admin::user, + type => 'rsa', + tag => "admin_master_${psick::admin::master}", + options => $options, + } + + if $manage_host_key { + Sshkey <<| tag == "admin_node_${psick::admin::master}_rsa" |>> } - Sshkey <<| tag == "admin_node_${psick::admin::master}_rsa" |>> } } } diff --git a/manifests/admin/node.pp b/manifests/admin/node.pp index 46c5671..768c711 100644 --- a/manifests/admin/node.pp +++ b/manifests/admin/node.pp @@ -6,6 +6,7 @@ Boolean $manage = $psick::manage, Boolean $noop_manage = $psick::noop_manage, Boolean $noop_value = $psick::noop_value, + Boolean $manage_host_key = $psick::admin::manage_host_key, ) { if $manage { if $noop_manage { 
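Review bot: `$options = "from=\"${from}\""` interpolates `$from` into the authorized_keys options field with no validation, and `Variant[Undef,String] $from` accepts any string: a value containing `"`, whitespace or `,` produces a malformed option line or extra options that sshd parses, and because `''` is truthy in Puppet an empty string set via Hiera yields `from=""`, which matches no source host and silently disables the key. Constrain it at the type level in the hunk at -6, e.g. `Optional[Pattern[/\A[^"\s]+\z/]] $from = undef,`, which rejects quotes, whitespace and the empty string while still allowing a comma-separated pattern list; `psick::bolt` gains the identical construction (`$ssh_auth_key_options`) in this change and should get the same type. The `if $psick::admin::keyshare_method` block that contains the export starts outside the hunk.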
@@ -14,12 +15,14 @@ include psick::admin if $psick::admin::keyshare_method == 'storeconfigs' { - @@sshkey { "admin_${facts['networking']['fqdn']}_rsa": - ensure => $ensure, - host_aliases => [$facts['networking']['fqdn'], $facts['networking']['hostname'], $facts['networking']['ip']], - type => 'ssh-rsa', - key => $facts['ssh']['rsa']['key'], - tag => "admin_node_${psick::admin::master}_rsa", + if $manage_host_key { + @@sshkey { "admin_${facts['networking']['fqdn']}_rsa": + ensure => $ensure, + host_aliases => [$facts['networking']['fqdn'], $facts['networking']['hostname'], $facts['networking']['ip']], + type => 'ssh-rsa', + key => $facts['ssh']['rsa']['key'], + tag => "admin_node_${psick::admin::master}_rsa", + } } # Authorize master host ssh key for remote connection Ssh_authorized_key <<| tag == "admin_master_${psick::admin::master}" |>> diff --git a/manifests/admin/user.pp b/manifests/admin/user.pp index d8fb633..9ec4ad5 100644 --- a/manifests/admin/user.pp +++ b/manifests/admin/user.pp @@ -4,6 +4,8 @@ Variant[Boolean,String] $ensure = pick($psick::admin::ensure, 'present'), Optional[String] $password = undef, Boolean $configure_sudo = true, + String $sudo_template = 'psick/admin/sudo.epp', + Boolean $run_ssh_keygen = true, Boolean $manage = $psick::manage, @@ -33,7 +35,7 @@ ensure => $dir_ensure, mode => '0700', owner => $psick::admin::user, - group => $psick::admin::user, + group => $psick::admin::group, require => User[$psick::admin::user], } @@ -53,7 +55,7 @@ mode => '0440', owner => 'root', group => 'root', - content => "${psick::admin::user} ALL = NOPASSWD : ALL\n", + content => $sudo_template, } } } diff --git a/manifests/aws/puppet.pp b/manifests/aws/puppet.pp index 706d3ec..9a91b5f 100644 --- a/manifests/aws/puppet.pp +++ b/manifests/aws/puppet.pp @@ -15,7 +15,7 @@ } $install_modules.each | $mod | { psick::puppet::module { $mod: - user => $module_user, + user => $module_user, } } } 
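Review bot: In the `psick::admin::user` hunk at -53, `content => $sudo_template` writes the literal string `psick/admin/sudo.epp` into the sudoers drop-in instead of rendering the template; it needs `content => epp($sudo_template),` (the previous inline content also ended with `\n`, and the rendered output must too). A sudoers.d file containing that string is a parse error, which on most sudo versions denies sudo to every user on the host, so the resource is a good candidate for `validate_cmd => '/usr/sbin/visudo -cf %',` (path as typically installed) so a bad template is rejected before it is written. The new `$run_ssh_keygen` parameter in the hunk at -4 is not referenced in any visible hunk; if it is unused, drop it or wire it up. The `if $configure_sudo` block enclosing the resource starts outside the hunk.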
diff --git a/manifests/bolt.pp b/manifests/bolt.pp index b1bcb8f..409c210 100644 --- a/manifests/bolt.pp +++ b/manifests/bolt.pp @@ -4,8 +4,8 @@ Variant[Boolean,String] $ensure = present, - String $master_class = '::psick::bolt::master', - String $node_class = '::psick::bolt::node', + String $master_class = 'psick::bolt::master', + String $node_class = 'psick::bolt::node', String $bolt_user = 'bolt', String $bolt_group = 'bolt', @@ -14,10 +14,15 @@ String $ssh_user = 'root', String $ssh_group = 'root', + String $ssh_key_type = 'rsa', String $master = '', # lint:ignore:params_empty_string_assignment Enum['storeconfigs','static'] $keyshare_method = 'storeconfigs', + Variant[Undef,String] $from = undef, + + Boolean $manage_host_key = true, + Boolean $auto_prereq = $psick::auto_prereq, Boolean $is_master = false, @@ -35,6 +40,12 @@ noop($noop_value) } + if $from { + $ssh_auth_key_options = "from=\"${from}\"" + } else { + $ssh_auth_key_options = undef + } + if $is_node { contain $node_class } diff --git a/manifests/bolt/master.pp b/manifests/bolt/master.pp index ffd0893..69f31d3 100644 --- a/manifests/bolt/master.pp +++ b/manifests/bolt/master.pp @@ -16,6 +16,10 @@ Boolean $create_bolt_user = true, Boolean $run_ssh_keygen = true, String $fact_template = 'psick/bolt/bolt_user_key.sh.erb', + Boolean $manage_ssh_dir = true, + + # Management of hostkeys + Boolean $manage_host_key = $psick::bolt::manage_host_key, # Management of automatic host list files used by bolt command Variant[Undef,String] $inventory_epp = undef, @@ -56,15 +60,15 @@ } if $install_package { - package { 'bolt': - ensure => $ensure, + package { 'puppet-bolt': + ensure => $ensure, } } # Management of the user running bolt $user_home_dir = $user_home ? { undef => $psick::bolt::bolt_user ? { - 'root' => '/root', + 'root' => '/root', default => "/home/${psick::bolt::bolt_user}", }, default => $user_home 
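Review bot: `$ssh_auth_key_options` in the hunk at -35 is assigned inside what appears to be the `if $manage { … }` block (the `noop($noop_value) }` context above suggests so; the block starts outside the hunk), yet `psick::bolt::master` and `psick::bolt::node` read `$psick::bolt::ssh_auth_key_options` unconditionally. If either class is declared directly while `psick::bolt::manage` is false, the variable is never assigned and, with `strict_variables` (the default on Puppet 8, which the changelog says this module targets), compilation fails on that reference. Hoisting the assignment above `if $manage {` fixes it in one line: `$ssh_auth_key_options = $from ? { undef => undef, default => "from=\"${from}\"" }`. The missing validation of `$from` itself is raised on the `psick::admin::master` hunk and applies equally to `Variant[Undef,String] $from` in the hunk at -14 here.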
@@ -86,7 +90,8 @@ false => undef, } - if $run_ssh_keygen or $psick::bolt::bolt_user_pub_key { + if ($run_ssh_keygen or $psick::bolt::bolt_user_pub_key) + and $manage_ssh_dir { file { "${user_home_dir}/.ssh" : ensure => $dir_ensure, mode => '0700', @@ -110,26 +115,32 @@ and defined('psick::bolt::bolt_user_pub_key') or defined('bolt_user_key') { @@ssh_authorized_key { "bolt_user_${psick::bolt::ssh_user}_rsa-${facts['clientcert']}": - ensure => $ensure, - key => pick($psick::bolt::bolt_user_pub_key,getvar('facts.bolt_user_key')), - user => $psick::bolt::ssh_user, - type => 'rsa', - tag => "bolt_master_${psick::bolt::master}_${psick::bolt::bolt_user}", + ensure => $ensure, + key => pick($psick::bolt::bolt_user_pub_key,getvar('facts.bolt_user_key')), + user => $psick::bolt::ssh_user, + type => $psick::bolt::ssh_key_type, + tag => "bolt_master_${psick::bolt::master}_${psick::bolt::bolt_user}", + options => $psick::bolt::ssh_auth_key_options, + } + if $manage_host_key { + Sshkey <<| tag == "bolt_node_${psick::bolt::master}_rsa" |>> } - Sshkey <<| tag == "bolt_node_${psick::bolt::master}_rsa" |>> } - if $psick::bolt::bolt_user_pub_key and $psick::bolt::bolt_user_priv_key { + if $psick::bolt::bolt_user_pub_key { file { "${user_home_dir}/.ssh/id_rsa.pub": - ensure => $dir_ensure, - mode => '0700', + ensure => $ensure, + mode => '0600', owner => $psick::bolt::bolt_user, group => $psick::bolt::bolt_group, content => $psick::bolt::bolt_user_pub_key, } + } + + if $psick::bolt::bolt_user_priv_key { file { "${user_home_dir}/.ssh/id_rsa": - ensure => $dir_ensure, - mode => '0700', + ensure => $ensure, + mode => '0600', owner => $psick::bolt::bolt_user, group => $psick::bolt::bolt_group, content => $psick::bolt::bolt_user_priv_key, diff --git a/manifests/bolt/node.pp b/manifests/bolt/node.pp index b001ff1..923e9b2 100644 --- a/manifests/bolt/node.pp +++ b/manifests/bolt/node.pp 
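Review bot: The `file { "${user_home_dir}/.ssh/id_rsa": … content => $psick::bolt::bolt_user_priv_key }` resource in the hunk at -110 now has the right mode, but the private key content is still diffed into agent output and reports on every change and copied to the filebucket when replaced; add `show_diff => false,` and `backup => false,` to that resource (the `id_rsa.pub` resource can keep the defaults). Separately, `type => $psick::bolt::ssh_key_type` is now configurable while the resource title suffix `_rsa-`, the `id_rsa`/`id_rsa.pub` file names and the `Sshkey` collector tag `bolt_node_…_rsa` stay hard-coded — workable, since ssh identifies a key file by its content, but a comment such as `# Key files are always named id_rsa, whatever $ssh_key_type is` would stop the next reader from "fixing" it. The enclosing `if` starts outside the hunk.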
@@ -8,6 +8,9 @@ Boolean $configure_sudo = true, String $sudo_template = 'psick/bolt/user/sudo.erb', + Boolean $manage_host_key = $psick::bolt::manage_host_key, + Boolean $manage_ssh_dir = true, + Boolean $manage = $psick::manage, Boolean $noop_manage = $psick::noop_manage, Boolean $noop_value = $psick::noop_value, @@ -39,12 +42,14 @@ password => $user_password, } - file { "${user_home_dir}/.ssh" : - ensure => $dir_ensure, - mode => '0700', - owner => $psick::bolt::ssh_user, - group => $psick::bolt::ssh_group, - require => User[$psick::bolt::ssh_user], + if $manage_ssh_dir { + file { "${user_home_dir}/.ssh" : + ensure => $dir_ensure, + mode => '0700', + owner => $psick::bolt::ssh_user, + group => $psick::bolt::ssh_group, + require => User[$psick::bolt::ssh_user], + } } } 
@@ -59,22 +64,25 @@ } if $psick::bolt::keyshare_method == 'storeconfigs' { - @@sshkey { "bolt_${facts['networking']['fqdn']}_rsa": - ensure => $ensure, - host_aliases => [$facts['networking']['fqdn'], $facts['networking']['hostname'], $facts['networking']['ip']], - type => 'ssh-rsa', - key => $facts['ssh']['rsa']['key'], - tag => "bolt_node_${psick::bolt::master}_rsa", + if $manage_host_key { + @@sshkey { "bolt_${facts['networking']['fqdn']}_rsa": + ensure => $ensure, + host_aliases => [$facts['networking']['fqdn'], $facts['networking']['hostname'], $facts['networking']['ip']], + type => 'ssh-rsa', + key => $facts['ssh']['rsa']['key'], + tag => "bolt_node_${psick::bolt::master}_rsa", + } } # Authorize master host bolt user ssh key for remote connection Ssh_authorized_key <<| tag == "bolt_master_${psick::bolt::master}_${psick::bolt::bolt_user}" |>> } if $psick::bolt::keyshare_method == 'static' { - ssh_authorized_key { "bolt_user_${psick::bolt::ssh_user}_rsa-${psick::bolt::bolt_user_pub_key}": - ensure => $ensure, - key => $psick::bolt::bolt_user_pub_key, - user => $psick::bolt::ssh_user, - type => 'rsa', + ssh_authorized_key { "bolt_user_${psick::bolt::ssh_user}_rsa-${psick::bolt::master}": + ensure => $ensure, + key => $psick::bolt::bolt_user_pub_key, + user => $psick::bolt::ssh_user, + type => $psick::bolt::ssh_key_type, + options => $psick::bolt::ssh_auth_key_options, } } } diff --git a/manifests/git/clone.pp b/manifests/git/clone.pp index 7271acc..cb940e4 100644 --- a/manifests/git/clone.pp +++ b/manifests/git/clone.pp @@ -83,7 +83,7 @@ } } else { file { "/etc/cron.d/sync_${cron_safe_path}": - ensure => absent, + ensure => absent, } } diff --git a/manifests/hosts/resource.pp b/manifests/hosts/resource.pp index 10c3b12..e7c416a 100644 --- a/manifests/hosts/resource.pp +++ b/manifests/hosts/resource.pp @@ -20,7 +20,7 @@ $all_hosts.each |$k,$v| { host { $k: - * => $v, + * => $v, } } } 
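Review bot: The `if $manage_host_key` guard around the `@@sshkey` export is driven by `psick::bolt::node::manage_host_key`, while the matching `Sshkey <<| tag == "bolt_node_…_rsa" |>>` collector in `psick::bolt::master` is gated by that class's own `manage_host_key`; both default to `$psick::bolt::manage_host_key`, but an override on one side gives exported keys nobody collects, or a collector that finds nothing, with no diagnostic at all. A comment on the guard would save a debugging session, e.g. `# Must match psick::bolt::master::manage_host_key, which gates the collector`. The `if $psick::bolt::keyshare_method == 'static'` branch changes its resource title from the key to `${psick::bolt::master}`, which defaults to `''`; harmless, but the title then reads `..._rsa-` when `master` is unset, so consider documenting that `static` mode expects `master` to be set.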
diff --git a/manifests/nodejs.pp b/manifests/nodejs.pp index 5aa18bb..f6afdb6 100644 --- a/manifests/nodejs.pp +++ b/manifests/nodejs.pp @@ -87,7 +87,7 @@ ensure => $ensure, } package { $package_name: - * => $package_defaults + $package_params, + * => $package_defaults + $package_params, } } diff --git a/manifests/puppet.pp b/manifests/puppet.pp index 6feee46..765e425 100644 --- a/manifests/puppet.pp +++ b/manifests/puppet.pp @@ -51,7 +51,7 @@ $modules.each | $mod | { psick::puppet::module { $mod: - user => $module_user, + user => $module_user, } } } diff --git a/manifests/puppet/autosign.pp b/manifests/puppet/autosign.pp index dad463a..a1bf654 100644 --- a/manifests/puppet/autosign.pp +++ b/manifests/puppet/autosign.pp @@ -25,7 +25,7 @@ case $autosign { 'off', default: { ini_setting { 'puppet_server_autosign_off': - ensure => absent, + ensure => absent, } } 'on': { diff --git a/manifests/puppet/ci.pp b/manifests/puppet/ci.pp index e217dab..5f1c618 100644 --- a/manifests/puppet/ci.pp +++ b/manifests/puppet/ci.pp @@ -57,7 +57,7 @@ if $modules != [] { $modules.each | $m | { psick::puppet::module { $m: - user => $modules_user, + user => $modules_user, } } } diff --git a/manifests/puppet/pe_agent.pp b/manifests/puppet/pe_agent.pp index 3267a91..fbd1945 100644 --- a/manifests/puppet/pe_agent.pp +++ b/manifests/puppet/pe_agent.pp @@ -89,7 +89,7 @@ notify => $service_notify, } $ini_settings_hash.each | $k,$v | { - $k.each | $kk,$vv | { + $v.each | $kk,$vv | { $ini_settings = { section => $k, setting => $kk, diff --git a/manifests/puppet/postrun.pp b/manifests/puppet/postrun.pp index 884ffda..b5f2a49 100644 --- a/manifests/puppet/postrun.pp +++ b/manifests/puppet/postrun.pp @@ -36,7 +36,7 @@ } if $command { ini_setting { 'puppet_postrun_command': - value => $command, + value => $command, } } if $path { diff --git a/manifests/tools/gpgkey.pp b/manifests/tools/gpgkey.pp index fd7ab49..3a89d3f 100644 --- a/manifests/tools/gpgkey.pp +++ b/manifests/tools/gpgkey.pp 
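Review bot: `$v.each | $kk,$vv |` in the `pe_agent.pp` hunk at -89 is the right fix — the old `$k.each` iterated the section name instead of its settings — but it now relies on every value of `$ini_settings_hash` being a hash, and the parameter's declaration is outside the hunk; if it is typed as a bare `Hash`, a scalar value fails inside the lambda with a generic `each` error rather than at the parameter boundary. Tightening it to `Hash[String, Hash[String, Any]] $ini_settings_hash` makes the expected section => { setting => value } shape explicit and fails early with a readable message. The `each` block and the surrounding resource continue outside the hunk.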
@@ -21,7 +21,7 @@ $short_title = regsubst($title,'RPM-GPG-KEY-','') gpg_key { $short_title: - path => "${rpm_gpg_dir_path}/${title}", + path => "${rpm_gpg_dir_path}/${title}", } if $checksum != '' { diff --git a/manifests/update.pp b/manifests/update.pp index 1413aea..a1b7d0c 100644 --- a/manifests/update.pp +++ b/manifests/update.pp @@ -42,7 +42,7 @@ if $facts['os']['family'] == 'RedHat' and $use_yum_cron { contain psick::yum::cron file { '/etc/cron.d/system_update': - ensure => absent, + ensure => absent, } } else { # Custom update script @@ -53,7 +53,7 @@ } } else { file { '/etc/cron.d/system_update': - ensure => absent, + ensure => absent, } } diff --git a/metadata.json b/metadata.json index aaafaf4..f68d957 100644 --- a/metadata.json +++ b/metadata.json @@ -1,6 +1,6 @@ { "name": "example42-psick", - "version": "1.1.1", + "version": "1.1.2", "author": "Example42", "summary": "Psick: the infrastructure module.", "license": "Apache-2.0", diff --git a/templates/admin/sudo.epp b/templates/admin/sudo.epp new file mode 100644 index 0000000..b682f74 --- /dev/null +++ b/templates/admin/sudo.epp @@ -0,0 +1,2 @@ +# File managed by Puppet +<%= $psick::admin::user %> ALL = NOPASSWD : ALL
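Review bot: The new `templates/admin/sudo.epp` reads `$psick::admin::user` straight from class scope, so it cannot be rendered anywhere `psick::admin` is not evaluated and the `$sudo_template` override it exists to support cannot be tested in isolation. Declare the input instead — `<%- | String $user | -%>` as the first line and `<%= $user %> ALL = NOPASSWD : ALL` — and have the caller render it with `epp($sudo_template, { 'user' => $psick::admin::user })`. The rendered content should end with a newline, as the previous inline string did; the collapsed diff here does not show whether the file has one. Since the rule grants unrestricted passwordless sudo, the parameterised template is also the natural place for a site to narrow it, which is worth a sentence in the parameter's docs.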