diff --git a/data/common.yaml b/data/common.yaml
index ce95316..019390a 100644
--- a/data/common.yaml
+++ b/data/common.yaml
@@ -1,18 +1,24 @@
 ---
 icingaweb2::conf_group: icingaweb2
+icingaweb2::admin_role:
+ name: default admin users
+ users:
+ - icingaadmin
+icingaweb2::default_admin_username: icingaadmin
+icingaweb2::default_admin_password: icinga
 icingaweb2::module::businessprocess::git_repository: https://github.com/Icinga/icingaweb2-module-businessprocess.git
 icingaweb2::module::cube::git_repository: https://github.com/Icinga/icingaweb2-module-cube.git
 icingaweb2::module::director::git_repository: https://github.com/Icinga/icingaweb2-module-director.git
 icingaweb2::module::elasticsearch::git_repository: https://github.com/Icinga/icingaweb2-module-elasticsearch.git
 icingaweb2::module::fileshipper::git_repository: https://github.com/Icinga/icingaweb2-module-fileshipper.git
 icingaweb2::module::generictts::git_repository: https://github.com/Icinga/icingaweb2-module-generictts.git
 icingaweb2::module::graphite::git_repository: https://github.com/Icinga/icingaweb2-module-graphite.git
 icingaweb2::module::incubator::git_repository: https://github.com/Icinga/icingaweb2-module-incubator.git
 icingaweb2::module::incubator::git_revision: v0.5.0
 icingaweb2::module::ipl::git_repository: https://github.com/Icinga/icingaweb2-module-ipl.git
 icingaweb2::module::ipl::git_revision: v0.5.0
 icingaweb2::module::puppetdb::git_repository: https://github.com/Icinga/icingaweb2-module-puppetdb.git
 icingaweb2::module::reactbundle::git_repository: https://github.com/Icinga/icingaweb2-module-reactbundle.git
 icingaweb2::module::reactbundle::git_revision: v0.7.0
 icingaweb2::module::vsphere::git_repository: https://github.com/Icinga/icingaweb2-module-vsphere.git
 icingaweb2::module::vspheredb::git_repository: https://github.com/Icinga/icingaweb2-module-vspheredb.git
diff --git a/manifests/config.pp b/manifests/config.pp
index e832104..ea06992 100644
--- a/manifests/config.pp
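Review bot: `icingaweb2::default_admin_password: icinga` puts a fixed, publicly known password into the module's common data, next to an `admin_role` entry naming the matching `icingaadmin` account, which `manifests/config.pp` in this commit binds to `permissions => '*'`. Any installation that enables `import_schema` without overriding the key ends up with the same full-access login. Consider dropping the key from `data/common.yaml` so the value has to be supplied per site (the class parameter would then need to be optional for setups that never import the schema). Failing that, add a comment on the line such as `# placeholder only: override per site, ideally from encrypted Hiera data, before enabling import_schema`.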
+++ b/manifests/config.pp 
@@ -1,188 +1,194 @@ # @summary # Configures Icinga Web 2. # # @api private # class icingaweb2::config { $conf_dir = $::icingaweb2::globals::conf_dir $conf_user = $::icingaweb2::conf_user $conf_group = $::icingaweb2::conf_group $logging = $::icingaweb2::logging $logging_file = $::icingaweb2::logging_file $logging_dir = dirname($::icingaweb2::logging_file) $logging_level = $::icingaweb2::logging_level $logging_facility = $::icingaweb2::logging_facility $logging_application = $::icingaweb2::logging_application $show_stacktraces = $::icingaweb2::show_stacktraces $module_path = $::icingaweb2::module_path $theme = $::icingaweb2::theme $theme_disabled = $::icingaweb2::theme_disabled $cookie_path = $::icingaweb2::cookie_path $import_schema = $::icingaweb2::import_schema $mysql_db_schema = $::icingaweb2::globals::mysql_db_schema $pgsql_db_schema = $::icingaweb2::globals::pgsql_db_schema $db_name = $::icingaweb2::db_name $db_host = $::icingaweb2::db_host $db_port = $::icingaweb2::db_port $db_type = $::icingaweb2::db_type $db_username = $::icingaweb2::db_username $db_password = $::icingaweb2::db_password $default_domain = $::icingaweb2::default_domain + $admin_role = $::icingaweb2::admin_role + $admin_username = $::icingaweb2::default_admin_username + $admin_password = $::icingaweb2::default_admin_password $config_backend = $::icingaweb2::config_backend $config_resource = $::icingaweb2::config_backend ? 
{ 'ini' => undef, 'db' => "${db_type}-icingaweb2", } File { mode => '0660', owner => $conf_user, group => $conf_group } Exec { user => 'root', path => $::path, } file { $logging_dir: ensure => directory, mode => '0750', } file { $logging_file: ensure => file, mode => '0640', } icingaweb2::inisection { 'config-logging': section_name => 'logging', target => "${conf_dir}/config.ini", settings => { 'log' => $logging, 'file' => $logging_file, 'level' => $logging_level, 'facility' => $logging_facility, 'application' => $logging_application, }, } $settings = { 'show_stacktraces' => $show_stacktraces, 'module_path' => $module_path, 'config_backend' => $config_backend, 'config_resource' => $config_resource, } icingaweb2::inisection { 'config-global': section_name => 'global', target => "${conf_dir}/config.ini", settings => delete_undef_values($settings), } if $default_domain { icingaweb2::inisection { 'config-authentication': section_name => 'authentication', target => "${conf_dir}/config.ini", settings => { 'default_domain' => $default_domain, } } } icingaweb2::inisection { 'config-themes': section_name => 'themes', target => "${conf_dir}/config.ini", settings => { 'default' => $theme, 'disabled' => $theme_disabled, }, } if $cookie_path { icingaweb2::inisection {'config-cookie': section_name => 'cookie', target => "${conf_dir}/config.ini", settings => { 'path' => $cookie_path, }, } } file { "${conf_dir}/modules": ensure => 'directory', mode => '2770', } file { "${conf_dir}/enabledModules": ensure => 'directory', mode => '2770', } if $import_schema or $config_backend == 'db' { icingaweb2::config::resource { "${db_type}-icingaweb2": type => 'db', host => $db_host, port => $db_port, db_type => $db_type, db_name => $db_name, db_username => $db_username, db_password => $db_password, } - } - if $import_schema { + icingaweb2::config::groupbackend { "${db_type}-group": + backend => 'db', + resource => "${db_type}-icingaweb2" + } + icingaweb2::config::authmethod { 
"${db_type}-auth": backend => 'db', resource => "${db_type}-icingaweb2" } + } - icingaweb2::config::role { 'default admin user': - users => 'icingaadmin', + if $admin_role { + icingaweb2::config::role { $admin_role['name']: + users => if $admin_role['users'] { join(union([$admin_username], $admin_role['users'])) } else { $admin_username }, + groups => if $admin_role['groups'] { join($admin_role['groups']) } else { undef }, permissions => '*', } + } - icingaweb2::config::groupbackend { "${db_type}-group": - backend => 'db', - resource => "${db_type}-icingaweb2" - } - + if $import_schema { case $db_type { 'mysql': { exec { 'import schema': command => "mysql -h '${db_host}' -P '${db_port}' -u '${db_username}' -p'${db_password}' '${db_name}' < '${mysql_db_schema}'", unless => "mysql -h '${db_host}' -P '${db_port}' -u '${db_username}' -p'${db_password}' '${db_name}' -Ns -e 'SELECT 1 FROM icingaweb_user'", - notify => Exec['create default user'], + notify => Exec['create default admin user'], } - exec { 'create default user': - command => "mysql -h '${db_host}' -P '${db_port}' -u '${db_username}' -p'${db_password}' '${db_name}' -Ns -e 'INSERT INTO icingaweb_user (name, active, password_hash) VALUES (\"icingaadmin\", 1, \"\$1\$3no6eqZp\$FlcHQDdnxGPqKadmfVcCU.\")'", + exec { 'create default admin user': + command => "echo \"INSERT INTO icingaweb_user (name, active, password_hash) VALUES (\\\"${admin_username}\\\", 1, \\\"`php -r 'echo password_hash(\"${admin_password}\", PASSWORD_DEFAULT);'`\\\")\" | mysql -h '${db_host}' -P '${db_port}' -u '${db_username}' -p'${db_password}' '${db_name}' -Ns", refreshonly => true, } } 'pgsql': { exec { 'import schema': environment => ["PGPASSWORD=${db_password}"], command => "psql -h '${db_host}' -p '${db_port}' -U '${db_username}' -d '${db_name}' -w -f ${pgsql_db_schema}", - unless => "psql -h '${db_host}' -p '${db_port}' -U '${db_username}' -d '${db_name}' -w -c 'SELECT 1 FROM icingaweb_user'", - notify => Exec['create default user'], + 
unless => "echo \"INSERT INTO icingaweb_user (name, active, password_hash) VALUES (\\\"${admin_username}\\\", 1, \\\"`php -r 'echo password_hash(\"${admin_password}\", PASSWORD_DEFAULT);'`\\\")\" | psql -h '${db_host}' -p '${db_port}' -U '${db_username}' -d '${db_name}' -w", + notify => Exec['create default admin user'], } - exec { 'create default user': + exec { 'create default admin user': environment => ["PGPASSWORD=${db_password}"], command => "psql -h '${db_host}' -p '${db_port}' -U '${db_username}' -d '${db_name}' -w -c \"INSERT INTO icingaweb_user(name, active, password_hash) VALUES ('icingaadmin', 1, '\\\$1\\\$3no6eqZp\\\$FlcHQDdnxGPqKadmfVcCU.')\"", refreshonly => true, } } default: { fail('The database type you provided is not supported.') } } } } diff --git a/manifests/inisection.pp b/manifests/inisection.pp index c55888e..fd82310 100644 --- a/manifests/inisection.pp +++ b/manifests/inisection.pp 
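Review bot: In the `'pgsql'` branch the new `echo "INSERT ..." | psql` pipeline was placed in the `unless` of `Exec['import schema']`, replacing the `SELECT 1 FROM icingaweb_user` guard, while the `command` of `Exec['create default admin user']` still inserts the literal `icingaadmin` with the old static `$1$...` hash; on PostgreSQL the configured username and password therefore appear to be ignored and the import is no longer guarded by a read-only check. In both database branches `${admin_password}` is interpolated into a `php -r` snippet inside the shell command line, so a quote, backtick or `$` in the password changes what the shell runs, and the clear-text value sits in the process arguments and can surface in Puppet's exec output. The fence sketches handing the password over through `environment` and reading it with `getenv()` (the variable name `ICINGAWEB2_ADMIN_PASSWORD` is made up for the sketch), restoring the `SELECT` guard, and using single-quoted SQL literals, which PostgreSQL requires for string values. Separately, `join(union([$admin_username], $admin_role['users']))` and `join($admin_role['groups'])` pass no separator, which concatenates the names into one string; `join(..., ',')` is presumably what the role's `users` and `groups` settings expect.

```puppet
# … unchanged: class header, ini sections, resource/auth/role setup, 'mysql' import schema exec …
      exec { 'create default admin user':
        environment => ["ICINGAWEB2_ADMIN_PASSWORD=${admin_password}"],
        command     => "echo \"INSERT INTO icingaweb_user (name, active, password_hash) VALUES ('${admin_username}', 1, '`php -r 'echo password_hash(getenv(\"ICINGAWEB2_ADMIN_PASSWORD\"), PASSWORD_DEFAULT);'`')\" | mysql -h '${db_host}' -P '${db_port}' -u '${db_username}' -p'${db_password}' '${db_name}' -Ns",
        refreshonly => true,
      }
# … unchanged: start of the 'pgsql' branch, environment and command of 'import schema' …
        unless      => "psql -h '${db_host}' -p '${db_port}' -U '${db_username}' -d '${db_name}' -w -c 'SELECT 1 FROM icingaweb_user'",
        notify      => Exec['create default admin user'],
      }
      exec { 'create default admin user':
        environment => ["PGPASSWORD=${db_password}", "ICINGAWEB2_ADMIN_PASSWORD=${admin_password}"],
        command     => "echo \"INSERT INTO icingaweb_user (name, active, password_hash) VALUES ('${admin_username}', 1, '`php -r 'echo password_hash(getenv(\"ICINGAWEB2_ADMIN_PASSWORD\"), PASSWORD_DEFAULT);'`')\" | psql -h '${db_host}' -p '${db_port}' -U '${db_username}' -d '${db_name}' -w",
        refreshonly => true,
      }
```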
@@ -1,53 +1,53 @@ # @summary # Manage settings in INI configuration files. # # @param [Stdlib::Absolutepath] target # Absolute path to the configuration file. # # @param [String] section_name # Name of the target section. Settings are set under [$section_name] # # @param [Hash] settings # A hash of settings and their settings. Single settings may be set to absent. # # @param [Variant[String, Integer]] order # Ordering of the INI section within a file. Defaults to `01` # # @example Create the configuration file and set two settings for the section `global`: # include icingawebeb2 # # icingaweb2::inisection { '/path/to/config.ini': # settings => { # 'global' => { # 'setting1' => 'value', # 'setting2' => 'value', # }, # }, # } # define icingaweb2::inisection( Stdlib::Absolutepath $target, String $section_name = $title, Hash $settings = {}, Variant[String, Integer] $order = '01', -){ +) { $conf_user = $::icingaweb2::conf_user $conf_group = $::icingaweb2::conf_group if !defined(Concat[$target]) { concat { $target: ensure => present, warn => false, owner => $conf_user, group => $conf_group, mode => '0640', } } concat::fragment { "${title}-${section_name}-${order}": target => $target, content => template('icingaweb2/inisection.erb'), order => $order, } } diff --git a/manifests/init.pp b/manifests/init.pp index 68092d8..e5ceeea 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
@@ -1,171 +1,190 @@ # @summary # Installs and configures Icinga Web 2. # # @param [Enum['file', 'syslog', 'php', 'none']] logging # Whether Icinga Web 2 should log to 'file', 'syslog' or 'php' (web server's error log). Setting 'none' disables logging. # # @param [Stdlib::Absolutepath] logging_file # If 'logging' is set to 'file', this is the target log file. # # @param [Enum['ERROR', 'WARNING', 'INFO', 'DEBUG']] logging_level # Logging verbosity. Possible values are 'ERROR', 'WARNING', 'INFO' and 'DEBUG'. # # @param [Pattern[/user|local[0-7]/]] logging_facility # Logging facility when using syslog. Possible values are 'user' or 'local0' up to 'local7'. # # @param [String] logging_application # Logging application name when using syslog. # # @param [Boolean] show_stacktraces # Whether to display stacktraces in the web interface or not. # # @param [Stdlib::Absolutepath] module_path # Path to module sources. Multiple paths must be separated by colon. # # @param [String] theme # The default theme setting. Users may override this settings. # # @param [Boolean] theme_disabled # Whether users can change themes or not. # # @param [Boolean] manage_repo # Deprecated, use manage_repos. # # @param [Boolean] manage_repos # When set to true this module will use the module icinga/puppet-icinga to manage repositories, # e.g. the release repo on packages.icinga.com repository by default, the EPEL repository or Backports. # For more information, see http://github.com/icinga/puppet-icinga. # # @param [Boolean] manage_package # If set to `false` packages aren't managed. # # @param [Optional[Array[String]]] extra_packages # An array of packages to install additionally. # # @param [Boolean] import_schema # Import database scheme. Make sure you have an existing database if you use this option. # # @param [Enum['mysql', 'pgsql']] db_type # Database type, can be either `mysql` or `pgsql`. This parameter is only used if `import_schema` is `true` or # `config_backend` is `db`. 
# # @param [Stdlib::Host] db_host # Database hostname. This parameter is only used if `import_schema` is `true` or # `config_backend` is `db`. # # @param [Stdlib::Port] db_port # Port of database host. This parameter is only used if `import_schema` is `true` or # `config_backend` is `db`. # # @param [String] db_name # Database name. This parameter is only used if `import_schema` is `true` or # `config_backend` is `db`. # # @param [Optional[String]] db_username # Username for database access. This parameter is only used if `import_schema` is `true` or # `config_backend` is `db`. # # @param [Optional[String]] db_password # Password for database access. This parameter is only used if `import_schema` is `true` or # `config_backend` is `db`. # # @param [Enum['ini', 'db']] config_backend # The global Icinga Web 2 preferences can either be stored in a database or in ini files. This parameter can either # be set to `db` or `ini`. # # @param [String] conf_user # By default this module expects Apache2 on the server. You can change the owner of the config files with this # parameter. # # @param [String] conf_group # Group membership of config files. # # @param [Optional[String]] default_domain # When using domain-aware authentication, you can set a default domain here. # # @param [Optional[Stdlib::Absolutepath]] cookie_path # Path to where cookies are stored. # +# @param [Variant[Struct[{name => String, users => Optional[Array[String]], groups => Optional[Array[String]]}], Boolean[false]]] admin_role +# Manage a role for admin access. +# +# @param String default_admin_username +# Default username for initial admin access. This parameter is only used +# if `import_schema` is set to `true` and only during the import itself. +# +# @param String default_admin_password +# Default password for initial admin access. This parameter is only used +# if `import_schema` is set to `true` and only during the import itself. 
+# # @example Use MySQL as backend for user authentication: # include ::mysql::server # # mysql::db { 'icingaweb2': # user => 'icingaweb2', # password => 'supersecret', # host => 'localhost', # grant => [ 'ALL' ], # } # # class {'icingaweb2': # manage_repos => true, # import_schema => true, # db_type => 'mysql', # db_host => 'localhost', # db_port => 3306, # db_username => 'icingaweb2', # db_password => 'supersecret', # require => Mysql::Db['icingaweb2'], # } # # @example Use PostgreSQL as backend for user authentication: # include ::postgresql::server # # postgresql::server::db { 'icingaweb2': # user => 'icingaweb2', # password => postgresql_password('icingaweb2', 'icingaweb2'), # } # # class {'icingaweb2': # manage_repos => true, # import_schema => true, # db_type => 'pgsql', # db_host => 'localhost', # db_port => 5432, # db_username => 'icingaweb2', # db_password => 'icingaweb2', # require => Postgresql::Server::Db['icingaweb2'], # } # class icingaweb2 ( Stdlib::Absolutepath $module_path, Stdlib::Absolutepath $logging_file, String $conf_user, String $conf_group, Enum['file', 'syslog', 'php', 'none'] $logging = 'file', Enum['ERROR', 'WARNING', 'INFO', 'DEBUG'] $logging_level = 'INFO', Pattern[/user|local[0-7]/] $logging_facility = 'user', String $logging_application = 'icingaweb2', Boolean $show_stacktraces = false, String $theme = 'Icinga', Boolean $theme_disabled = false, Boolean $manage_repo = false, Boolean $manage_repos = false, Boolean $manage_package = true, Optional[Array[String]] $extra_packages = undef, Boolean $import_schema = false, Enum['mysql', 'pgsql'] $db_type = 'mysql', Stdlib::Host $db_host = 'localhost', Stdlib::Port $db_port = 3306, String $db_name = 'icingaweb2', Optional[String] $db_username = undef, Optional[String] $db_password = undef, Enum['ini', 'db'] $config_backend = 'ini', Optional[String] $default_domain = undef, Optional[Stdlib::Absolutepath] $cookie_path = undef, + Variant[ + Struct[{ + name => String, + users => 
Optional[Array[String]], + groups => Optional[Array[String]] + }], Boolean[false]] $admin_role, + String $default_admin_username, + String $default_admin_password, ) { require ::icingaweb2::globals if $manage_repos or $manage_repo { require ::icinga::repos if $manage_repo { deprecation('manage_repo', 'manage_repo is deprecated and will be replaced by manage_repos in the future.') } } class { '::icingaweb2::install': } -> class { '::icingaweb2::config': } contain ::icingaweb2::install contain ::icingaweb2::config }
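Review bot: `String $default_admin_password` carries the admin secret as a plain string, so it can end up readable in the compiled catalog and in reports; declaring it as `Sensitive[String] $default_admin_password,` and unwrapping it at its single point of use in `manifests/config.pp` would keep it redacted (the Hiera default would then need converting to `Sensitive` as well). The two new `@param` tags also drop the bracketed type used throughout the rest of the header, e.g. `# @param [String] default_admin_username`. The description says the username is used only during the schema import, yet `config.pp` in this commit also merges it into the admin role's `users` whenever `admin_role` is set, so the text should say that too.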