Puppet Class: ipa::client

Defined in:
manifests/client.pp

Overview

Parameters:

  • name (Any) (defaults to: '')
  • hostname (Any) (defaults to: $::hostname)
  • domain (Any) (defaults to: $::domain)
  • realm (Any) (defaults to: '')
  • server (Any) (defaults to: '')
  • password (Any) (defaults to: '')
  • admin (Any) (defaults to: false)
  • ssh (Any) (defaults to: false)
  • sshd (Any) (defaults to: false)
  • ntp (Any) (defaults to: false)
  • ntp_server (Any) (defaults to: '')
  • shorewall (Any) (defaults to: false)
  • zone (Any) (defaults to: 'net')
  • allow (Any) (defaults to: 'all')
  • debug (Any) (defaults to: false)
  • ensure (Any) (defaults to: present)


# File 'manifests/client.pp', line 18

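# Class: ipa::client
#
# Enrols this host in a FreeIPA realm by running ipa-client-install once, and
# exports the resources that the ipa server side collects for this host (the
# password tag and the host ssh public keys).
#
# Parameters (defaults are in the signature below):
#   $name        title used for the exported resources; defaults to the fqdn
#   $hostname    short host name; must not contain periods
#   $domain      dns domain; lowercased into $valid_domain
#   $realm       kerberos realm; defaults to the upcased domain
#   $server      ipa server to enrol against; defaults to "ipa.<domain>"
#   $password    join password; '' means "not available yet" (see $has_auth)
#   $admin       also install the ipa-admintools package
#   $ssh, $sshd, $ntp, $ntp_server  passed through as the matching installer
#                flags ($ntp_server is only used when $ntp is true)
#   $shorewall, $zone, $allow, $ensure  accepted but not used by this class
#                yet (see the TODO comments)
#   $debug       emit a notify with the computed host principal
#
# Security notes:
#   - The join password is written to "${vardir}/password" (root, 0600) and
#     substituted into the installer command by the shell at run time, so it
#     does not appear in the exec title or the puppet logs. While the install
#     runs it is still expanded into the installer's argument list, and the
#     password file is kept on disk afterwards (ensure => present).
#   - The exec command contains a backtick substitution, so it relies on being
#     run through a shell; NOTE(review): confirm this holds for the exec
#     provider in use, otherwise the backticks are passed literally.
class ipa::client(
	$name = '',			# what define was called with...
	# NOTE(review): 'name' is a reserved parameter name in newer puppet
	# releases; confirm before upgrading the puppet version.
	$hostname = $::hostname,
	$domain = $::domain,
	$realm = '',			# defaults to upcase($domain)
	$server = '',			# ipa server
	$password = '',			# seemingly no password restrictions...

	$admin = false,			# should we get admin tools installed ?
	$ssh = false,
	$sshd = false,
	$ntp = false,
	$ntp_server = '',

	$shorewall = false,		# TODO ?
	$zone = 'net',
	$allow = 'all',
	$debug = false,
	$ensure = present		# TODO: support uninstall with 'absent'
) {
	include ipa::vardir
	#$vardir = $::ipa::vardir::module_vardir	# with trailing slash
	# strip the trailing slash so the paths below can be built with "/"
	$vardir = regsubst($::ipa::vardir::module_vardir, '\/$', '')

	$valid_domain = downcase($domain)	# TODO: validate ?
	$valid_realm = $realm ? {
		'' => upcase($valid_domain),
		default => upcase($realm),
	}

	$valid_server = "${server}" ? {
		'' => "ipa.${valid_domain}",	# default if unspecified...
		default => "${server}",
	}

	# $hostname is combined with $domain below, so a fqdn here would be
	# joined twice; reject it early with a clear message.
	if "${hostname}" != delete("${hostname}", '.') {
		fail('The $hostname value must not contain periods. It is not the FQDN.')
	}

	if "${valid_domain}" == '' {
		fail('A $domain value is required.')
	}

	# NOTE(review): this default uses the raw $domain while the installer
	# arguments use $valid_domain (lowercased); the two only differ when
	# the domain fact has upper case letters. Left as is because the title
	# must match what ipa::server::host uses on the server side - confirm.
	$valid_name = "${name}" ? {
		'' => "${hostname}.${domain}",	# defaults to fqdn if empty...
		default => "${name}",		# this could be fqdn or not...
	}

	if $debug {
		# just used for debugging
		$valid_fqdn = "${hostname}.${valid_domain}"
		$valid_principal = "host/${valid_fqdn}@${valid_realm}"
		notify { "ipa-client-host-${name}":
			message => "Host: '${name}', principal: '${valid_principal}'",
		}
	}

	package { 'ipa-client':
		ensure => present,
	}

	# an administrator machine requires the ipa-admintools package as well:
	package { 'ipa-admintools':
		ensure => $admin ? {
			true => present,
			false => absent,
		},
		require => Package['ipa-client'],
	}

	# store the passwords in text files instead of having them on cmd line!
	# TODO: storing plain text passwords is not good, so what should we do?
	# the file is root owned and mode 0600, so only root can read it; it is
	# written even when $password is '' (the exec is then held by $onlyif).
	file { "${vardir}/password":
		content => "${password}\n",		# temporarily secret...
		owner => root,
		group => nobody,
		mode => '0600',	# u=rw,go= (string form: newer puppet rejects integer modes)
		backup => false,
		require => File["${vardir}/"],
		ensure => present,
	}
	# these are the arguments to ipa-server-install in the prompted order
	$args01 = "--hostname='${hostname}.${valid_domain}'"
	$args02 = "--domain='${valid_domain}'"
	$args03 = "--realm='${valid_realm}'"
	$args04 = "--server='${valid_server}'"
	#$args05 = "--password='${password}'"	# password to join IPA realm
	# read the password from the 0600 file at run time so the secret is not
	# part of the exec title (which is what ends up in reports and logs)
	$args05 = "--password=`/bin/cat '${vardir}/password'`"

	$args06 = $ssh ? {
		true => '',
		default => '--no-ssh',
	}

	$args07 = $sshd ? {
		true => '',
		default => '--no-sshd',
	}

	$args08 = $ntp ? {
		true => '',
		default => '--no-ntp',
	}

	# an ntp server only makes sense when ntp configuration is enabled
	$args09 = $ntp_server ? {
		'' => '',
		default => $ntp ? {
			true => "--ntp-server=${ntp_server}",
			default => '',
		},
	}

	$arglist = ["${args01}", "${args02}", "${args03}", "${args04}", "${args05}", "${args06}", "${args07}", "${args08}", "${args09}"]
	#$args = inline_template('<%= arglist.delete_if {|x| x.empty? }.join(" ") %>')
	# drop the empty entries so no stray whitespace ends up in the command
	$args = join(delete($arglist, ''), ' ')

	# this makes the install wait if a valid password hasn't been exported!
	# this happens because it takes a second run of the ipa puppet after it
	# has configured the host, because, on this second puppet run, the fact
	# will finally now see the password, and it can be properly exported...
	$has_auth = "${password}" ? {
		'' => 'false',
		default => 'true',
	}
	# $has_auth is decided at compile time; the test command just turns it
	# into an exit status the exec can check.
	$onlyif = "/usr/bin/test '${has_auth}' = 'true'"
	# the ipa client keeps a sysrestore file store once it has been set up;
	# a non empty store is taken to mean the host is already enrolled.
	$unless = "/usr/bin/python -c 'import sys,ipapython.sysrestore; sys.exit(0 if ipapython.sysrestore.FileStore(\"/var/lib/ipa-client/sysrestore\").has_files() else 1)'"
	exec { "/usr/sbin/ipa-client-install ${args} --unattended":
		logoutput => on_failure,
		onlyif => "${onlyif}",	# needs a password or authentication...
		unless => "${unless}",	# can't install if already installed...
		require => [
			Package['ipa-client'],
			File["${vardir}/password"],
		],
		alias => 'ipa-install',	# same alias as server to prevent both!
	}

	# this file is a tag that lets nfs know that the ipa host is now ready!
	file { "${vardir}/ipa_client_installed":
		content => "true\n",
		owner => root,
		group => nobody,
		mode => '0600',	# u=rw,go= (string form: newer puppet rejects integer modes)
		backup => false,
		require => [
			File["${vardir}/"],
			Exec['ipa-install'],
		],
		ensure => present,
	}

	# normally when this resource is created by collection, the password is
	# exported which allows the client to bootstrap itself without a ticket.
	# once this host gets built, the password gets "used" on the ipa server
	# which causes it to show 'has_password: False', which would cause that
	# password to get regenerated, however this exported resource will stop
	# that from happening when it gets collected on the server as a tag. if
	# this client disappears, then, the exported resource should eventually
	# get removed when a client runs puppet, which will cause a new pass to
	# be created for the new ipa client install if we happen to want one...
	#if "${password}" == '' {
	@@ipa::server::host::pwtag { "${valid_name}":
		tag => "${valid_name}",	# collection by name is buggy, use tag!
	}
	#}

	# send ssh keys back so that server updates its database if they change
	@@ipa::server::host::sshpubkeys { "${valid_name}":
		# FIXME: redo this resource so that we specify an array instead
		# this is needed in case we decide to export other keys perhaps
		# it's more important because static things aren't very elegant
		rsa => "${::sshrsakey}",	# built in fact
		dsa => "${::sshdsakey}",	# built in fact
		tag => "${valid_name}",		# same name as ipa::server::host
	}
}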