diff --git a/manifests/agent.pp b/manifests/agent.pp index 139c0ab..a30f549 100644 --- a/manifests/agent.pp +++ b/manifests/agent.pp @@ -1,9 +1,10 @@ # Puppet agent +# @api private class puppet::agent { contain puppet::agent::install contain puppet::agent::config contain puppet::agent::service Class['puppet::agent::install'] ~> Class['puppet::agent::config'] Class['puppet::config', 'puppet::agent::config'] ~> Class['puppet::agent::service'] } diff --git a/manifests/agent/config.pp b/manifests/agent/config.pp index c2c9d94..f9b12d2 100644 --- a/manifests/agent/config.pp +++ b/manifests/agent/config.pp @@ -1,62 +1,63 @@ # Puppet agent configuration +# @api private class puppet::agent::config inherits puppet::config { puppet::config::agent{ 'classfile': value => $::puppet::classfile; 'localconfig': value => '$vardir/localconfig'; 'default_schedules': value => false; 'report': value => $::puppet::report; 'pluginsync': value => $::puppet::pluginsync; 'masterport': value => $::puppet::port; 'environment': value => $::puppet::environment; 'listen': value => $::puppet::listen; 'splay': value => $::puppet::splay; 'splaylimit': value => $::puppet::splaylimit; 'runinterval': value => $::puppet::runinterval; 'noop': value => $::puppet::agent_noop; 'usecacheonfailure': value => $::puppet::usecacheonfailure; } if $::puppet::configtimeout != undef { puppet::config::agent { 'configtimeout': value => $::puppet::configtimeout; } } if $::puppet::prerun_command { puppet::config::agent { 'prerun_command': value => $::puppet::prerun_command; } } if $::puppet::postrun_command { puppet::config::agent { 'postrun_command': value => $::puppet::postrun_command; } } if $::puppet::client_certname { puppet::config::agent { 'certname': value => $::puppet::client_certname; } } $::puppet::agent_additional_settings.each |$key,$value| { puppet::config::agent { $key: value => $value } } if $::puppet::runmode == 'service' { $should_start = 'yes' } else { $should_start = 'no' } if $::osfamily == 'Debian' { augeas {'puppet::set_start': context => '/files/etc/default/puppet', changes => "set START ${should_start}", incl => '/etc/default/puppet', lens => 'Shellvars.lns', } if $::puppet::remove_lock { file {'/var/lib/puppet/state/agent_disabled.lock': ensure => absent, } } } } diff --git a/manifests/agent/install.pp b/manifests/agent/install.pp index 3a99623..e9e2cc6 100644 --- a/manifests/agent/install.pp +++ b/manifests/agent/install.pp @@ -1,16 +1,17 @@ -# Install the puppet client installation +# Install the puppet agent package +# @api private class puppet::agent::install( $manage_packages = $::puppet::manage_packages, $package_name = $::puppet::client_package, $package_version = $::puppet::version, $package_provider = $::puppet::package_provider, $package_source = $::puppet::package_source, ) { if $manage_packages == true or $manage_packages == 'agent' { package { $package_name: ensure => $package_version, provider => $package_provider, source => $package_source, } } } diff --git a/manifests/agent/service.pp b/manifests/agent/service.pp index 1065479..23ed70c 100644 --- a/manifests/agent/service.pp +++ b/manifests/agent/service.pp @@ -1,48 +1,49 @@ -# Set up the puppet client as a service +# Set up the puppet agent as a service +# @api private class puppet::agent::service { case $::puppet::runmode { 'service': { $service_enabled = true $cron_enabled = false $systemd_enabled = false } 'cron': { $service_enabled = false $cron_enabled = true $systemd_enabled = false } 'systemd.timer', 'systemd': { $service_enabled = false $cron_enabled = false $systemd_enabled = true } 'none': { $service_enabled = false $cron_enabled = false $systemd_enabled = false } default: { fail("Runmode of ${puppet::runmode} not supported by puppet::agent::config!") } } if $::puppet::runmode in $::puppet::unavailable_runmodes { fail("Runmode of ${puppet::runmode} not supported on ${::kernel} operating systems!") } class { 'puppet::agent::service::daemon': enabled => $service_enabled, } contain puppet::agent::service::daemon class { 'puppet::agent::service::systemd': enabled => $systemd_enabled, } contain puppet::agent::service::systemd class { 'puppet::agent::service::cron': enabled => $cron_enabled, } contain puppet::agent::service::cron } diff --git a/manifests/agent/service/cron.pp b/manifests/agent/service/cron.pp index b790cd3..478b7ae 100644 --- a/manifests/agent/service/cron.pp +++ b/manifests/agent/service/cron.pp @@ -1,20 +1,22 @@ +# Set up running the agent via cron +# @api private class puppet::agent::service::cron ( Boolean $enabled = false, ) { unless 'cron' in $::puppet::unavailable_runmodes { if $enabled { $command = pick($::puppet::cron_cmd, "${::puppet::puppet_cmd} agent --config ${::puppet::dir}/puppet.conf --onetime --no-daemonize") $times = extlib::ip_to_cron($::puppet::runinterval) cron { 'puppet': command => $command, user => root, hour => $times[0], minute => $times[1], } } else{ cron { 'puppet': ensure => absent, } } } } diff --git a/manifests/agent/service/daemon.pp b/manifests/agent/service/daemon.pp index 3b82519..b8ebdb5 100644 --- a/manifests/agent/service/daemon.pp +++ b/manifests/agent/service/daemon.pp @@ -1,23 +1,25 @@ +# Set up running the agent as a daemon +# @api private class puppet::agent::service::daemon ( Boolean $enabled = false, ) { unless 'service' in $::puppet::unavailable_runmodes { if $enabled { service {'puppet': ensure => running, name => $puppet::service_name, hasstatus => true, hasrestart => $puppet::agent_restart_command != undef, enable => true, restart => $puppet::agent_restart_command, } } else { service {'puppet': ensure => stopped, name => $puppet::service_name, hasstatus => true, enable => false, } } } } diff --git a/manifests/agent/service/systemd.pp b/manifests/agent/service/systemd.pp index 24eec86..f4400a4 100644 --- a/manifests/agent/service/systemd.pp +++ b/manifests/agent/service/systemd.pp @@ -1,66 +1,68 @@ +# Set up running the agent via a systemd timer +# @api private class puppet::agent::service::systemd ( Boolean $enabled = false, ) { unless 'systemd.timer' in $::puppet::unavailable_runmodes { exec { 'systemctl-daemon-reload-puppet': refreshonly => true, path => $::path, command => 'systemctl daemon-reload', } if $enabled { # Use the same times as for cron $times = extlib::ip_to_cron($::puppet::runinterval) $command = $::puppet::systemd_cmd ? { undef => "${::puppet::puppet_cmd} agent --config ${::puppet::dir}/puppet.conf --onetime --no-daemonize --detailed-exitcode --no-usecacheonfailure", default => $::puppet::systemd_cmd, } $randomizeddelaysec = $::puppet::systemd_randomizeddelaysec file { "/etc/systemd/system/${::puppet::systemd_unit_name}.timer": content => template('puppet/agent/systemd.puppet-run.timer.erb'), notify => [ Exec['systemctl-daemon-reload-puppet'], Service['puppet-run.timer'], ], } file { "/etc/systemd/system/${::puppet::systemd_unit_name}.service": content => template('puppet/agent/systemd.puppet-run.service.erb'), notify => Exec['systemctl-daemon-reload-puppet'], } service { 'puppet-run.timer': ensure => running, provider => 'systemd', name => "${::puppet::systemd_unit_name}.timer", enable => true, require => Exec['systemctl-daemon-reload-puppet'], } } else { # Reverse order - stop, delete files, exec service { 'puppet-run.timer': ensure => stopped, provider => 'systemd', name => "${::puppet::systemd_unit_name}.timer", enable => false, before => [ File["/etc/systemd/system/${::puppet::systemd_unit_name}.timer"], File["/etc/systemd/system/${::puppet::systemd_unit_name}.service"], ], } file { "/etc/systemd/system/${::puppet::systemd_unit_name}.timer": ensure => absent, notify => Exec['systemctl-daemon-reload-puppet'], } file { "/etc/systemd/system/${::puppet::systemd_unit_name}.service": ensure => absent, notify => Exec['systemctl-daemon-reload-puppet'], } } } } diff --git a/manifests/config.pp b/manifests/config.pp index e1f1141..7cbd1b2 100644 --- a/manifests/config.pp +++ b/manifests/config.pp @@ -1,91 +1,92 @@ # Set up the puppet config +# @api private class puppet::config( $allow_any_crl_auth = $::puppet::allow_any_crl_auth, $auth_allowed = $::puppet::auth_allowed, $auth_template = $::puppet::auth_template, $ca_server = $::puppet::ca_server, $ca_port = $::puppet::ca_port, $dns_alt_names = $::puppet::dns_alt_names, $listen_to = $::puppet::listen_to, $module_repository = $::puppet::module_repository, $pluginsource = $::puppet::pluginsource, $pluginfactsource = $::puppet::pluginfactsource, $puppet_dir = $::puppet::dir, $puppetmaster = $::puppet::puppetmaster, $syslogfacility = $::puppet::syslogfacility, $srv_domain = $::puppet::srv_domain, $use_srv_records = $::puppet::use_srv_records, $additional_settings = $::puppet::additional_settings, ) { puppet::config::main{ 'vardir': value => $::puppet::vardir; 'logdir': value => $::puppet::logdir; 'rundir': value => $::puppet::rundir; 'ssldir': value => $::puppet::ssldir; 'privatekeydir': value => '$ssldir/private_keys { group = service }'; 'hostprivkey': value => '$privatekeydir/$certname.pem { mode = 640 }'; 'show_diff': value => $::puppet::show_diff; 'codedir': value => $::puppet::codedir; } if $module_repository and !empty($module_repository) { puppet::config::main{'module_repository': value => $module_repository; } } if $ca_server and !empty($ca_server) { puppet::config::main{'ca_server': value => $ca_server; } } if $ca_port { puppet::config::main{'ca_port': value => $ca_port; } } if $dns_alt_names and !empty($dns_alt_names) { puppet::config::main{'dns_alt_names': value => $dns_alt_names; } } if $use_srv_records { unless $srv_domain { fail('$::domain fact found to be undefined and $srv_domain is undefined') } puppet::config::main{ 'use_srv_records': value => true; 'srv_domain': value => $srv_domain; } } else { puppet::config::main { 'server': value => pick($puppetmaster, $::fqdn); } } if $pluginsource { puppet::config::main{'pluginsource': value => $pluginsource; } } if $pluginfactsource { puppet::config::main{'pluginfactsource': value => $pluginfactsource; } } if $syslogfacility and !empty($syslogfacility) { puppet::config::main{'syslogfacility': value => $syslogfacility; } } $additional_settings.each |$key,$value| { puppet::config::main { $key: value => $value } } file { $puppet_dir: ensure => directory, owner => $::puppet::dir_owner, group => $::puppet::dir_group, } -> case $::osfamily { 'Windows': { concat { "${puppet_dir}/puppet.conf": } } default: { concat { "${puppet_dir}/puppet.conf": owner => 'root', group => $::puppet::params::root_group, mode => '0644', } } } ~> file { "${puppet_dir}/auth.conf": content => template($auth_template), } } diff --git a/manifests/config/agent.pp b/manifests/config/agent.pp index 206c3df..e676e6d 100644 --- a/manifests/config/agent.pp +++ b/manifests/config/agent.pp @@ -1,13 +1,21 @@ +# Set a config entry in the [agent] section +# +# @param value +# The value for the config entry +# @param key +# The key of the config entry +# @param joiner +# How to join an array value into a string define puppet::config::agent ( Variant[Array[String], Boolean, String, Integer] $value, String $key = $name, String $joiner = ',' ) { puppet::config::entry{"agent_${name}": key => $key, value => $value, joiner => $joiner, section => 'agent', sectionorder => 2, } } diff --git a/manifests/config/entry.pp b/manifests/config/entry.pp index 50d3bb6..6fc3ff0 100644 --- a/manifests/config/entry.pp +++ b/manifests/config/entry.pp @@ -1,39 +1,52 @@ +# Set a config entry +# +# @param key +# The key of the config entry +# @param value +# The value for the config entry +# @param section +# The section for the config entry +# @param sectionorder +# How to order the section. This is only used on the first definition of the +# section via ensure_resource. +# @param joiner +# How to join an array value into a string define puppet::config::entry ( String $key, Variant[Array[String], Boolean, String, Integer] $value, String $section, Variant[Integer[0], String] $sectionorder = 5, String $joiner = ',', ) { if ($value =~ Array) { $_value = join(flatten($value), $joiner) } elsif ($value =~ Boolean) { $_value = bool2str($value) } else { $_value = $value } # note the spaces at he end of the 'order' parameters, # they make sure that '1_main ' is ordered before '1_main_*' ensure_resource('concat::fragment', "puppet.conf_${section}", { target => "${::puppet::dir}/puppet.conf", content => "\n\n[${section}]", order => "${sectionorder}_${section} ", }) # this adds the '$key =' for the first value, # otherwise it just appends it with the joiner to separate it from the previous value. if (!defined(Concat::Fragment["puppet.conf_${section}_${key}"])){ concat::fragment{"puppet.conf_${section}_${key}": target => "${::puppet::dir}/puppet.conf", content => "\n ${key} = ${_value}", order => "${sectionorder}_${section}_${key} ", } } else { concat::fragment{"puppet.conf_${section}_${key}_${name}": target => "${::puppet::dir}/puppet.conf", content => "${joiner}${_value}", order => "${sectionorder}_${section}_${key}_${name} ", } } } diff --git a/manifests/config/main.pp b/manifests/config/main.pp index 0770135..8d8e03d 100644 --- a/manifests/config/main.pp +++ b/manifests/config/main.pp @@ -1,13 +1,21 @@ +# Set a config entry in the [main] section +# +# @param value +# The value for the config entry +# @param key +# The key of the config entry +# @param joiner +# How to join an array value into a string define puppet::config::main ( Variant[Array[String], Boolean, String, Integer] $value, String $key = $name, String $joiner = ',' ) { puppet::config::entry{"main${name}": key => $key, value => $value, joiner => $joiner, section => 'main', sectionorder => 1, } } diff --git a/manifests/config/master.pp b/manifests/config/master.pp index 27570c5..0aadd78 100644 --- a/manifests/config/master.pp +++ b/manifests/config/master.pp @@ -1,13 +1,21 @@ +# Set a config entry in the [master] section +# +# @param value +# The value for the config entry +# @param key +# The key of the config entry +# @param joiner +# How to join an array value into a string define puppet::config::master ( Variant[Array[String], Boolean, String, Integer] $value, String $key = $name, String $joiner = ',' ) { puppet::config::entry{"master_${name}": key => $key, value => $value, joiner => $joiner, section => 'master', sectionorder => 3, } } diff --git a/manifests/params.pp b/manifests/params.pp index 623966c..7806d59 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -1,459 +1,460 @@ # Default parameters +# @api private class puppet::params { # Basic config $version = 'present' $manage_user = true $user = 'puppet' $group = 'puppet' $ip = '0.0.0.0' $port = 8140 $listen = false $listen_to = [] $pluginsync = true $splay = false $splaylimit = 1800 $runinterval = 1800 $runmode = 'service' $report = true # Not defined here as the commands depend on module parameter "dir" $cron_cmd = undef $systemd_cmd = undef $agent_noop = false $show_diff = false $module_repository = undef $hiera_config = '$confdir/hiera.yaml' $usecacheonfailure = true $ca_server = undef $ca_port = undef $ca_crl_filepath = undef $server_crl_enable = undef $prerun_command = undef $postrun_command = undef $server_compile_mode = undef $dns_alt_names = [] $use_srv_records = false if defined('$::domain') { $srv_domain = $::domain } else { $srv_domain = undef } # lint:ignore:puppet_url_without_modules $pluginsource = 'puppet:///plugins' $pluginfactsource = 'puppet:///pluginfacts' # lint:endignore $classfile = '$statedir/classes.txt' $syslogfacility = undef $environment = $::environment $aio_package = ($::osfamily == 'Windows' or $::rubysitedir =~ /\/opt\/puppetlabs\/puppet/) $systemd_randomizeddelaysec = 0 case $::osfamily { 'Windows' : { # Windows prefixes normal paths with the Data Directory's path and leaves 'puppet' off the end $dir_prefix = 'C:/ProgramData/PuppetLabs/puppet' $dir = "${dir_prefix}/etc" $codedir = "${dir_prefix}/etc" $logdir = "${dir_prefix}/var/log" $rundir = "${dir_prefix}/var/run" $ssldir = "${dir_prefix}/etc/ssl" $vardir = "${dir_prefix}/var" $sharedir = "${dir_prefix}/share" $bindir = "${dir_prefix}/bin" $root_group = undef $server_puppetserver_dir = undef $server_puppetserver_vardir = undef $server_puppetserver_rundir = undef $server_puppetserver_logdir = undef $server_ruby_load_paths = [] $server_jruby_gem_home = undef } /^(FreeBSD|DragonFly)$/ : { $dir = '/usr/local/etc/puppet' $codedir = '/usr/local/etc/puppet' $logdir = '/var/log/puppet' $rundir = '/var/run/puppet' $ssldir = '/var/puppet/ssl' $vardir = '/var/puppet' $sharedir = '/usr/local/share/puppet' $bindir = '/usr/local/bin' $root_group = undef $server_puppetserver_dir = '/usr/local/etc/puppetserver' $server_puppetserver_vardir = '/var/puppet/server/data/puppetserver' $server_puppetserver_rundir = '/var/run/puppetserver' $server_puppetserver_logdir = '/var/log/puppetserver' $ruby_gem_dir = regsubst($::rubyversion, '^(\d+\.\d+).*$', '/usr/local/lib/ruby/gems/\1/gems') $server_ruby_load_paths = [$::rubysitedir, "${ruby_gem_dir}/facter-${::facterversion}/lib"] $server_jruby_gem_home = '/var/puppet/server/data/puppetserver/jruby-gems' } 'Archlinux' : { $dir = '/etc/puppetlabs/puppet' $codedir = '/etc/puppetlabs/code' $logdir = '/var/log/puppetlabs/puppet' $rundir = '/var/run/puppetlabs' $ssldir = '/etc/puppetlabs/puppet/ssl' $vardir = '/opt/puppetlabs/puppet/cache' $sharedir = '/opt/puppetlabs/puppet' $bindir = '/usr/bin' $root_group = undef $server_puppetserver_dir = undef $server_puppetserver_vardir = undef $server_puppetserver_rundir = undef $server_puppetserver_logdir = undef $server_ruby_load_paths = [] $server_jruby_gem_home = undef } default : { if $aio_package { $dir = '/etc/puppetlabs/puppet' $codedir = '/etc/puppetlabs/code' $logdir = '/var/log/puppetlabs/puppet' $rundir = '/var/run/puppetlabs' $ssldir = '/etc/puppetlabs/puppet/ssl' $vardir = '/opt/puppetlabs/puppet/cache' $sharedir = '/opt/puppetlabs/puppet' $bindir = '/opt/puppetlabs/bin' $server_puppetserver_dir = '/etc/puppetlabs/puppetserver' $server_puppetserver_vardir = '/opt/puppetlabs/server/data/puppetserver' $server_puppetserver_rundir = '/var/run/puppetlabs/puppetserver' $server_puppetserver_logdir = '/var/log/puppetlabs/puppetserver' $server_ruby_load_paths = ['/opt/puppetlabs/puppet/lib/ruby/vendor_ruby'] $server_jruby_gem_home = '/opt/puppetlabs/server/data/puppetserver/jruby-gems' } else { $dir = '/etc/puppet' $codedir = $::osfamily ? { 'Debian' => '/etc/puppet/code', default => '/etc/puppet', } $logdir = '/var/log/puppet' $rundir = '/var/run/puppet' $ssldir = '/var/lib/puppet/ssl' $vardir = '/var/lib/puppet' $sharedir = '/usr/share/puppet' $bindir = '/usr/bin' $server_puppetserver_dir = '/etc/puppetserver' $server_puppetserver_vardir = $vardir $server_puppetserver_rundir = undef $server_puppetserver_logdir = undef $server_ruby_load_paths = [] $server_jruby_gem_home = '/var/lib/puppet/jruby-gems' } $root_group = undef } } $configtimeout = undef $autosign = "${dir}/autosign.conf" $autosign_entries = [] $autosign_mode = '0664' $autosign_content = undef $autosign_source = undef $puppet_cmd = "${bindir}/puppet" $puppetserver_cmd = "${bindir}/puppetserver" $manage_packages = true if $::osfamily == 'Windows' { $dir_owner = undef $dir_group = undef } elsif $aio_package or $::osfamily == 'Suse' { $dir_owner = 'root' $dir_group = $root_group } else { $dir_owner = $user $dir_group = $group } $package_provider = $::osfamily ? { 'windows' => 'chocolatey', default => undef, } $package_source = undef # Need your own config templates? Specify here: $auth_template = 'puppet/auth.conf.erb' # Allow any to the CRL. Needed in case of puppet CA proxy $allow_any_crl_auth = false # Authenticated nodes to allow $auth_allowed = ['$1'] # Will this host be a puppet agent ? $agent = true $remove_lock = true $client_certname = $::clientcert if defined('$::puppetmaster') { $puppetmaster = $::puppetmaster } else { $puppetmaster = undef } # Hashes containing additional settings $additional_settings = {} $agent_additional_settings = {} $server_additional_settings = {} # Will this host be a puppetmaster? $server = false $server_ca = true $server_ca_crl_sync = false $server_reports = 'foreman' $server_external_nodes = "${dir}/node.rb" $server_enc_api = 'v2' $server_report_api = 'v2' $server_request_timeout = 60 $server_certname = $::clientcert $server_strict_variables = false $server_http = false $server_http_port = 8139 # Need a new master template for the server? $server_template = 'puppet/server/puppet.conf.erb' # Template for server settings in [main] $server_main_template = 'puppet/server/puppet.conf.main.erb' # The script that is run to determine the reported manifest version. Undef # means we determine it in server.pp $server_config_version = undef # Set 'false' for static environments, or 'true' for git-based workflow $server_git_repo = false # Git branch to puppet env mapping for the post receive hook $server_git_branch_map = {} # Owner of the environments dir: for cases external service needs write # access to manage it. $server_environments_owner = $user $server_environments_group = $root_group $server_environments_mode = '0755' # Where we store our puppet environments $server_envs_dir = "${codedir}/environments" $server_envs_target = undef # Modules in this directory would be shared across all environments $server_common_modules_path = unique(["${server_envs_dir}/common", "${codedir}/modules", "${sharedir}/modules", '/usr/share/puppet/modules']) # Dynamic environments config, ignore if the git_repo is 'false' # Path to the repository $server_git_repo_path = "${vardir}/puppet.git" # mode of the repository $server_git_repo_mode = '0755' # user of the repository $server_git_repo_user = $user # group of the repository $server_git_repo_group = $user # Override these if you need your own hooks $server_post_hook_content = 'puppet/server/post-receive.erb' $server_post_hook_name = 'post-receive' $server_custom_trusted_oid_mapping = undef # PuppetDB config $server_puppetdb_host = undef $server_puppetdb_port = 8081 $server_puppetdb_swf = false # Do you use storeconfigs? (note: not required) # - undef if you don't # - active_record for 2.X style db # - puppetdb for puppetdb $server_storeconfigs_backend = undef $puppet_major = regsubst($::puppetversion, '^(\d+)\..*$', '\1') if ($::osfamily =~ /(FreeBSD|DragonFly)/ and versioncmp($puppet_major, '5') >= 0) { $server_package = "puppetserver${puppet_major}" } else { $server_package = undef } $server_ssl_dir = $ssldir $server_version = undef if $aio_package { $client_package = ['puppet-agent'] } elsif ($::osfamily =~ /(FreeBSD|DragonFly)/) { $client_package = ["puppet${puppet_major}"] } else { $client_package = ['puppet'] } # Puppet service name $service_name = 'puppet' # Puppet onedshot systemd service and timer name $systemd_unit_name = 'puppet-run' # Mechanisms to manage and reload/restart the agent # If supported on the OS, reloading is prefered since it does not kill a currently active puppet run case $::osfamily { 'Debian' : { $agent_restart_command = "/usr/sbin/service ${service_name} reload" if ($::operatingsystem == 'Debian' or $::operatingsystem == 'Ubuntu' and versioncmp($::operatingsystemrelease, '15.04') >= 0) { $unavailable_runmodes = [] } else { $unavailable_runmodes = ['systemd.timer'] } } 'Redhat' : { # PSBM is a CentOS 6 based distribution # it reports its $osreleasemajor as 2, not 6. # thats why we're matching for '2' in both parts # Amazon Linux is like RHEL6 but reports its osreleasemajor as 2017. $osreleasemajor = regsubst($::operatingsystemrelease, '^(\d+)\..*$', '\1') # workaround for the possibly missing operatingsystemmajrelease $agent_restart_command = $osreleasemajor ? { /^(2|5|6|2017)$/ => "/sbin/service ${service_name} reload", '7' => "/usr/bin/systemctl reload-or-restart ${service_name}", default => undef, } $unavailable_runmodes = $osreleasemajor ? { /^(2|5|6|2017)$/ => ['systemd.timer'], default => [], } } 'Windows': { $agent_restart_command = undef $unavailable_runmodes = ['cron', 'systemd.timer'] } 'Archlinux': { $agent_restart_command = "/usr/bin/systemctl reload-or-restart ${service_name}" $unavailable_runmodes = ['cron'] } default : { $agent_restart_command = undef $unavailable_runmodes = ['systemd.timer'] } } # Foreman parameters $lower_fqdn = downcase($::fqdn) $server_foreman = true $server_foreman_facts = true $server_puppet_basedir = $aio_package ? { true => '/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet', false => undef, } $server_foreman_url = "https://${lower_fqdn}" $server_foreman_ssl_ca = undef $server_foreman_ssl_cert = undef $server_foreman_ssl_key = undef # Which Parser do we want to use? https://docs.puppetlabs.com/references/latest/configuration.html#parser $server_parser = 'current' # Timeout for cached environments, changed in puppet 3.7.x $server_environment_timeout = undef # puppet server configuration file $server_jvm_config = $::osfamily ? { 'RedHat' => '/etc/sysconfig/puppetserver', 'Debian' => '/etc/default/puppetserver', default => '/etc/default/puppetserver', } $server_jvm_java_bin = '/usr/bin/java' if versioncmp($::puppetversion, '5.0.0') < 0 { $server_jvm_extra_args = '-XX:MaxPermSize=256m' } else { $server_jvm_extra_args = '-Djruby.logger.class=com.puppetlabs.jruby_utils.jruby.Slf4jLogger' } $server_jvm_cli_args = undef # This is some very trivial "tuning". See the puppet reference: # https://docs.puppet.com/puppetserver/latest/tuning_guide.html if ($::memorysize_mb =~ String) { $mem_in_mb = scanf($::memorysize_mb, '%i')[0] } else { $mem_in_mb = 0 + $::memorysize_mb } if $mem_in_mb >= 3072 { $server_jvm_min_heap_size = '2G' $server_jvm_max_heap_size = '2G' $server_max_active_instances = min(abs($::processorcount), 4) } elsif $mem_in_mb >= 1024 { $server_max_active_instances = 1 $server_jvm_min_heap_size = '1G' $server_jvm_max_heap_size = '1G' } else { # VMs with 1GB RAM and a crash kernel enabled usually have an effective 992MB RAM $server_max_active_instances = 1 $server_jvm_min_heap_size = '768m' $server_jvm_max_heap_size = '768m' } $server_ssl_dir_manage = true $server_ssl_key_manage = true $server_default_manifest = false $server_default_manifest_path = '/etc/puppet/manifests/default_manifest.pp' $server_default_manifest_content = '' # lint:ignore:empty_string_assignment $server_max_requests_per_instance = 0 $server_max_queued_requests = 0 $server_max_retry_delay = 1800 $server_idle_timeout = 1200000 $server_web_idle_timeout = 30000 $server_connect_timeout = 120000 $server_ca_auth_required = true $server_admin_api_whitelist = [ 'localhost', $lower_fqdn ] $server_ca_client_whitelist = [ 'localhost', $lower_fqdn ] $server_cipher_suites = [ 'TLS_RSA_WITH_AES_256_CBC_SHA256', 'TLS_RSA_WITH_AES_256_CBC_SHA', 'TLS_RSA_WITH_AES_128_CBC_SHA256', 'TLS_RSA_WITH_AES_128_CBC_SHA' ] $server_ssl_protocols = [ 'TLSv1.2' ] $server_ssl_chain_filepath = "${server_ssl_dir}/ca/ca_crt.pem" $server_check_for_updates = true $server_environment_class_cache_enabled = false $server_allow_header_cert_info = false $server_ca_allow_sans = false $server_ca_allow_auth_extensions = false $server_ca_enable_infra_crl = false # Puppetserver >= 2.2 Which auth.conf shall we use? $server_use_legacy_auth_conf = false # For Puppetserver, certain configuration parameters are version specific. We assume a particular version here. if versioncmp($::puppetversion, '6.0.0') >= 0 { $server_puppetserver_version = '6.0.0' } elsif versioncmp($::puppetversion, '5.5.7') >= 0 { $server_puppetserver_version = '5.3.6' } elsif versioncmp($::puppetversion, '5.5.0') >= 0 { $server_puppetserver_version = '5.3.0' } elsif versioncmp($::puppetversion, '5.1.0') >= 0 { $server_puppetserver_version = '5.1.0' } elsif versioncmp($::puppetversion, '5.0.0') >= 0 { $server_puppetserver_version = '5.0.0' } else { $server_puppetserver_version = '2.7.0' } # For Puppetserver 5, use JRuby 9k? $server_puppetserver_jruby9k = false # this switch also controls Ruby profiling, by default disabled for Puppetserver 2.x, enabled for 5.x $server_puppetserver_metrics = versioncmp($::puppetversion, '5.0.0') >= 0 # Puppetserver metrics shipping $server_metrics_jmx_enable = true $server_metrics_graphite_enable = false $server_metrics_graphite_host = '127.0.0.1' $server_metrics_graphite_port = 2003 $server_metrics_server_id = $lower_fqdn $server_metrics_graphite_interval = 5 $server_metrics_allowed = undef # For Puppetserver 5, should the /puppet/experimental route be enabled? $server_puppetserver_experimental = true # Normally agents can only fetch their own catalogs. If you want some nodes to be able to fetch *any* catalog, add them here. $server_puppetserver_trusted_agents = [] } diff --git a/manifests/server.pp b/manifests/server.pp index 4dfbab4..33ce92a 100644 --- a/manifests/server.pp +++ b/manifests/server.pp @@ -1,433 +1,477 @@ # == Class: puppet::server # # Sets up a puppet master. # # == puppet::server parameters # # $autosign:: If set to a boolean, autosign is enabled or disabled # for all incoming requests. Otherwise this has to be # set to the full file path of an autosign.conf file or # an autosign script. If this is set to a script, make # sure that script considers the content of autosign.conf # as otherwise Foreman functionality might be broken. # # $autosign_entries:: A list of certnames or domain name globs # whose certificate requests will automatically be signed. # Defaults to an empty Array. # # $autosign_mode:: mode of the autosign file/script # # $autosign_content:: If set, write the autosign file content # using the value of this parameter. # Cannot be used at the same time as autosign_entries # For example, could be a string, or # file('another_module/autosign.sh') or # template('another_module/autosign.sh.erb') # # $autosign_source:: If set, use this as the source for the autosign file, # instead of autosign_content. # # $hiera_config:: The hiera configuration file. # # $manage_user:: Whether to manage the puppet user resource # # $user:: Name of the puppetmaster user. # # $group:: Name of the puppetmaster group. # # $dir:: Puppet configuration directory # # $ip:: Bind ip address of the puppetmaster # # $port:: Puppet master port # # $ca:: Provide puppet CA # # $ca_crl_filepath:: Path to ca_crl file # # $ca_crl_sync:: Sync the puppet ca crl to compile masters. Requires compile masters to # be agents of the CA master (MOM) defaults to false # # $crl_enable:: Enable CRL processing, defaults to true when $ca is true else defaults # to false # # $http:: Should the puppet master listen on HTTP as well as HTTPS. # Useful for load balancer or reverse proxy scenarios. # # $http_port:: Puppet master HTTP port; defaults to 8139. # # $reports:: List of report types to include on the puppetmaster # # $external_nodes:: External nodes classifier executable # # $git_repo:: Use git repository as a source of modules # # $environments_owner:: The owner of the environments directory # # $environments_group:: The group owning the environments directory # # $environments_mode:: Environments directory mode. # # $envs_dir:: Directory that holds puppet environments # # $envs_target:: Indicates that $envs_dir should be # a symbolic link to this target # # $common_modules_path:: Common modules paths # # $git_repo_path:: Git repository path # # $git_repo_mode:: Git repository mode # # $git_repo_group:: Git repository group # # $git_repo_user:: Git repository user # # $git_branch_map:: Git branch to puppet env mapping for the # default post receive hook # # $post_hook_content:: Which template to use for git post hook # # $post_hook_name:: Name of a git hook # # $storeconfigs_backend:: Do you use storeconfigs? (note: not required) # false if you don't, "active_record" for 2.X # style db, "puppetdb" for puppetdb # # $ssl_dir:: SSL directory # # $package:: Custom package name for puppet master # # $version:: Custom package version for puppet master # # $certname:: The name to use when handling certificates. # # $strict_variables:: if set to true, it will throw parse errors # when accessing undeclared variables. # # $additional_settings:: A hash of additional settings. # Example: {trusted_node_data => true, ordering => 'manifest'} # # $puppetdb_host:: PuppetDB host # # $puppetdb_port:: PuppetDB port # # $puppetdb_swf:: PuppetDB soft_write_failure # # $parser:: Sets the parser to use. Valid options are 'current' or 'future'. # Defaults to 'current'. # # === Advanced server parameters: # +# $codedir:: Override the puppet code directory. +# # $config_version:: How to determine the configuration version. When # using git_repo, by default a git describe # approach will be installed. # # $server_foreman_facts:: Should foreman receive facts from puppet # # $foreman:: Should foreman integration be installed # # $foreman_url:: Foreman URL # # $foreman_ssl_ca:: SSL CA of the Foreman server # # $foreman_ssl_cert:: Client certificate for authenticating against Foreman server # # $foreman_ssl_key:: Key for authenticating against Foreman server # # $puppet_basedir:: Where is the puppet code base located # -# $enc_api:: What version of enc script to deploy. Valid -# values are 'v2' for latest, and 'v1' -# for Foreman =< 1.2 +# $enc_api:: What version of enc script to deploy. # # $report_api:: What version of report processor to deploy. -# Valid values are 'v2' for latest, and 'v1' -# for Foreman =< 1.2 +# +# $compile_mode:: Used to control JRuby's "CompileMode", which may improve performance. +# # # $request_timeout:: Timeout in node.rb script for fetching # catalog from Foreman (in seconds). # # $environment_timeout:: Timeout for cached compiled catalogs (10s, 5m, ...) # # $jvm_java_bin:: Set the default java to use. # # $jvm_config:: Specify the puppetserver jvm configuration file. # # $jvm_min_heap_size:: Specify the minimum jvm heap space. # # $jvm_max_heap_size:: Specify the maximum jvm heap space. # # $jvm_extra_args:: Additional java options to pass through. # This can be used for Java versions prior to # Java 8 to specify the max perm space to use: # For example: '-XX:MaxPermSize=128m'. # # $jvm_cli_args:: Java options to use when using puppetserver # subcommands (eg puppetserver gem). # # $jruby_gem_home:: Where jruby gems are located for puppetserver # # $allow_any_crl_auth:: Allow any authentication for the CRL. This # is needed on the puppet CA to accept clients # from a the puppet CA proxy. # # $auth_allowed:: An array of authenticated nodes allowed to # access all catalog and node endpoints. # default to ['$1'] # # $default_manifest:: Toggle if default_manifest setting should # be added to the [main] section # # $default_manifest_path:: A string setting the path to the default_manifest # # $default_manifest_content:: A string to set the content of the default_manifest # If set to '' it will not manage the file # # $ssl_dir_manage:: Toggle if ssl_dir should be added to the [master] # configuration section. This is necessary to # disable in case CA is delegated to a separate instance # # $ssl_key_manage:: Toggle if "private_keys/${::puppet::server::certname}.pem" # should be created with default user and group. This is used in # the default Forman setup to reuse the key for TLS communication. # # $puppetserver_vardir:: The path of the puppetserver var dir # +# $puppetserver_rundir:: The path of the puppetserver run dir +# +# $puppetserver_logdir:: The path of the puppetserver log dir +# # $puppetserver_dir:: The path of the puppetserver config dir # # $puppetserver_version:: The version of puppetserver 2 installed (or being installed) # Unfortunately, different versions of puppetserver need configuring differently, # and there's no easy way of determining which version is being installed. # Defaults to '2.3.1' but can be overriden if you're installing an older version. # # $max_active_instances:: Max number of active jruby instances. Defaults to # processor count # # $max_requests_per_instance:: Max number of requests per jruby instance. Defaults to 0 (disabled) # +# $max_queued_requests:: The maximum number of requests that may be queued waiting to borrow a +# JRuby from the pool. (Puppetserver 5.x only) +# Defaults to 0 (disabled) for Puppetserver >= 5.0 +# +# $max_retry_delay:: Sets the upper limit for the random sleep set as a Retry-After header on +# 503 responses returned when max-queued-requests is enabled. (Puppetserver 5.x only) +# Defaults to 1800 for Puppetserver >= 5.0 +# # $idle_timeout:: How long the server will wait for a response on an existing connection # # $connect_timeout:: How long the server will wait for a response to a connection attempt # # $web_idle_timeout:: Time in ms that Jetty allows a socket to be idle, after processing has completed. # Defaults to the Jetty default of 30s # # $ssl_protocols:: Array of SSL protocols to use. # Defaults to [ 'TLSv1.2' ] # # $ssl_chain_filepath:: Path to certificate chain for puppetserver # Defaults to "${ssl_dir}/ca/ca_crt.pem" # # $cipher_suites:: List of SSL ciphers to use in negotiation # Defaults to [ 'TLS_RSA_WITH_AES_256_CBC_SHA256', 'TLS_RSA_WITH_AES_256_CBC_SHA', # 'TLS_RSA_WITH_AES_128_CBC_SHA256', 'TLS_RSA_WITH_AES_128_CBC_SHA', ] # # $ruby_load_paths:: List of ruby paths # Defaults based on $::puppetversion # # $ca_client_whitelist:: The whitelist of client certificates that # can query the certificate-status endpoint # Defaults to [ '127.0.0.1', '::1', $::ipaddress ] -# $server_custom_trusted_oid_mapping:: A hash of custom trusted oid mappings. Defaults to undef +# $custom_trusted_oid_mapping:: A hash of custom trusted oid mappings. # Example: { 1.3.6.1.4.1.34380.1.2.1.1 => { shortname => 'myshortname' } } # # $admin_api_whitelist:: The whitelist of clients that # can query the puppet-admin-api endpoint # Defaults to [ '127.0.0.1', '::1', $::ipaddress ] # # $ca_auth_required:: Whether client certificates are needed to access the puppet-admin api # Defaults to true # # $use_legacy_auth_conf:: Should the puppetserver use the legacy puppet auth.conf? # Defaults to false (the puppetserver will use its own conf.d/auth.conf) # +# $check_for_updates:: Should the puppetserver phone home to check for available updates? +# +# $environment_class_cache_enabled:: Enable environment class cache in conjunction with the use of the +# environment_classes API. +# +# # $allow_header_cert_info:: Allow client authentication over HTTP Headers # Defaults to false, is also activated by the $http setting # # $puppetserver_jruby9k:: For Puppetserver 5, use JRuby 9k? Defaults to false # # $puppetserver_metrics:: Enable metrics (Puppetserver 5.x only) and JRuby profiling? # Defaults to true on Puppetserver 5.x and to false on Puppetserver 2.x # # # $metrics_jmx_enable:: Enable or disable JMX metrics reporter. Defaults to true # # $metrics_graphite_enable:: Enable or disable Graphite metrics reporter. Defaults to false # # $metrics_graphite_host:: Graphite server host. Defaults to "127.0.0.1" # # $metrics_graphite_port:: Graphite server port. Defaults to 2003 # # $metrics_server_id:: A server id that will be used as part of the namespace for metrics produced # Defaults to $fqdn # # $metrics_graphite_interval:: How often to send metrics to graphite (in seconds) # Defaults to 5 # # $metrics_allowed:: Specify metrics to allow in addition to those in the default list # Defaults to undef # # $puppetserver_experimental:: For Puppetserver 5, enable the /puppet/experimental route? Defaults to true # # $puppetserver_trusted_agents:: Certificate names of agents that are allowed to fetch *all* catalogs. Defaults to empty array # # # $ca_allow_sans:: Allow CA to sign certificate requests that have Subject Alternative Names # Defaults to false # # $ca_allow_auth_extensions:: Allow CA to sign certificate requests that have authorization extensions # Defaults to false # # $ca_enable_infra_crl:: Enable the separate CRL for Puppet infrastructure nodes # Defaults to false # +# $acceptor_threads:: This sets the number of threads that the webserver will dedicate to accepting +# socket connections for unencrypted HTTP traffic. If not provided, the webserver +# defaults to the number of virtual cores on the host divided by 8, with a minimum +# of 1 and maximum of 4. +# +# $selector_threads:: This sets the number of selectors that the webserver will dedicate to processing +# events on connected sockets for unencrypted HTTPS traffic. If not provided, +# the webserver defaults to the minimum of: virtual cores on the host divided by 2 +# or max-threads divided by 16, with a minimum of 1. +# +# $max_threads:: This sets the maximum number of threads assigned to responding to HTTP and/or +# HTTPS requests for a single webserver, effectively changing how many +# concurrent requests can be made at one time. If not provided, the +# webserver defaults to 200. +# +# $ssl_acceptor_threads:: This sets the number of threads that the webserver will dedicate to accepting +# socket connections for encrypted HTTPS traffic. If not provided, defaults to +# the number of virtual cores on the host divided by 8, with a minimum of 1 and maximum of 4. +# +# $ssl_selector_threads:: This sets the number of selectors that the webserver will dedicate to processing +# events on connected sockets for encrypted HTTPS traffic. Defaults to the number of +# virtual cores on the host divided by 2, with a minimum of 1 and maximum of 4. +# The number of selector threads actually used by Jetty is twice the number of selectors +# requested. For example, if a value of 3 is specified for the ssl-selector-threads setting, +# Jetty will actually use 6 selector threads. class puppet::server( Variant[Boolean, Stdlib::Absolutepath] $autosign = $::puppet::autosign, Array[String] $autosign_entries = $::puppet::autosign_entries, Pattern[/^[0-9]{3,4}$/] $autosign_mode = $::puppet::autosign_mode, Optional[String] $autosign_content = $::puppet::autosign_content, Optional[String] $autosign_source = $::puppet::autosign_source, String $hiera_config = $::puppet::hiera_config, Array[String] $admin_api_whitelist = $::puppet::server_admin_api_whitelist, Boolean $manage_user = $::puppet::server_manage_user, String $user = $::puppet::server_user, String $group = $::puppet::server_group, String $dir = $::puppet::server_dir, Stdlib::Absolutepath $codedir = $::puppet::codedir, Integer $port = $::puppet::server_port, String $ip = $::puppet::server_ip, Boolean $ca = $::puppet::server_ca, Optional[String] $ca_crl_filepath = $::puppet::ca_crl_filepath, Boolean $ca_crl_sync = $::puppet::server_ca_crl_sync, Optional[Boolean] $crl_enable = $::puppet::server_crl_enable, Boolean $ca_auth_required = $::puppet::server_ca_auth_required, Array[String] $ca_client_whitelist = $::puppet::server_ca_client_whitelist, Optional[Puppet::Custom_trusted_oid_mapping] $custom_trusted_oid_mapping = $::puppet::server_custom_trusted_oid_mapping, Boolean $http = $::puppet::server_http, Integer $http_port = $::puppet::server_http_port, String $reports = $::puppet::server_reports, Stdlib::Absolutepath $puppetserver_vardir = $::puppet::server_puppetserver_vardir, Optional[Stdlib::Absolutepath] $puppetserver_rundir = $::puppet::server_puppetserver_rundir, Optional[Stdlib::Absolutepath] $puppetserver_logdir = $::puppet::server_puppetserver_logdir, Stdlib::Absolutepath $puppetserver_dir = $::puppet::server_puppetserver_dir, Pattern[/^[\d]\.[\d]+\.[\d]+$/] $puppetserver_version = $::puppet::server_puppetserver_version, Variant[Undef, String[0], Stdlib::Absolutepath] $external_nodes = $::puppet::server_external_nodes, Array[String] $cipher_suites = $::puppet::server_cipher_suites, Optional[String] $config_version = $::puppet::server_config_version, Integer[0] $connect_timeout = $::puppet::server_connect_timeout, Integer[0] $web_idle_timeout = $puppet::server_web_idle_timeout, Boolean $git_repo = $::puppet::server_git_repo, Boolean $default_manifest = $::puppet::server_default_manifest, Stdlib::Absolutepath $default_manifest_path = $::puppet::server_default_manifest_path, String $default_manifest_content = $::puppet::server_default_manifest_content, String $environments_owner = $::puppet::server_environments_owner, Optional[String] $environments_group = $::puppet::server_environments_group, Pattern[/^[0-9]{3,4}$/] $environments_mode = $::puppet::server_environments_mode, Stdlib::Absolutepath $envs_dir = $::puppet::server_envs_dir, Optional[Stdlib::Absolutepath] $envs_target = $::puppet::server_envs_target, Variant[Undef, String[0], Array[Stdlib::Absolutepath]] $common_modules_path = $::puppet::server_common_modules_path, Pattern[/^[0-9]{3,4}$/] $git_repo_mode = $::puppet::server_git_repo_mode, Stdlib::Absolutepath $git_repo_path = $::puppet::server_git_repo_path, String $git_repo_group = $::puppet::server_git_repo_group, String $git_repo_user = $::puppet::server_git_repo_user, Hash[String, String] $git_branch_map = $::puppet::server_git_branch_map, Integer[0] $idle_timeout = $::puppet::server_idle_timeout, String $post_hook_content = $::puppet::server_post_hook_content, String $post_hook_name = $::puppet::server_post_hook_name, Variant[Undef, Boolean, Enum['active_record', 'puppetdb']] $storeconfigs_backend = $::puppet::server_storeconfigs_backend, Array[Stdlib::Absolutepath] $ruby_load_paths = $::puppet::server_ruby_load_paths, Stdlib::Absolutepath $ssl_dir = $::puppet::server_ssl_dir, Boolean $ssl_dir_manage = $::puppet::server_ssl_dir_manage, Boolean $ssl_key_manage = $::puppet::server_ssl_key_manage, Array[String] $ssl_protocols = $::puppet::server_ssl_protocols, Optional[Stdlib::Absolutepath] $ssl_chain_filepath = $::puppet::server_ssl_chain_filepath, Optional[Variant[String, Array[String]]] $package = $::puppet::server_package, Optional[String] $version = $::puppet::server_version, String $certname = $::puppet::server_certname, Enum['v2'] $enc_api = $::puppet::server_enc_api, Enum['v2'] $report_api = $::puppet::server_report_api, Integer[0] $request_timeout = $::puppet::server_request_timeout, Boolean $strict_variables = $::puppet::server_strict_variables, Hash[String, Data] $additional_settings = $::puppet::server_additional_settings, Boolean $foreman = $::puppet::server_foreman, Stdlib::HTTPUrl $foreman_url = $::puppet::server_foreman_url, Optional[Stdlib::Absolutepath] $foreman_ssl_ca = $::puppet::server_foreman_ssl_ca, Optional[Stdlib::Absolutepath] $foreman_ssl_cert = $::puppet::server_foreman_ssl_cert, Optional[Stdlib::Absolutepath] $foreman_ssl_key = $::puppet::server_foreman_ssl_key, Boolean $server_foreman_facts = $::puppet::server_foreman_facts, Optional[Stdlib::Absolutepath] $puppet_basedir = $::puppet::server_puppet_basedir, Optional[String] $puppetdb_host = $::puppet::server_puppetdb_host, Integer[0, 65535] $puppetdb_port = $::puppet::server_puppetdb_port, Boolean $puppetdb_swf = $::puppet::server_puppetdb_swf, Enum['current', 'future'] $parser = $::puppet::server_parser, Variant[Undef, Enum['unlimited'], Pattern[/^\d+[smhdy]?$/]] $environment_timeout = $::puppet::server_environment_timeout, String $jvm_java_bin = $::puppet::server_jvm_java_bin, String $jvm_config = $::puppet::server_jvm_config, Pattern[/^[0-9]+[kKmMgG]$/] $jvm_min_heap_size = $::puppet::server_jvm_min_heap_size, Pattern[/^[0-9]+[kKmMgG]$/] $jvm_max_heap_size = $::puppet::server_jvm_max_heap_size, Variant[String,Array[String]] $jvm_extra_args = $::puppet::server_jvm_extra_args, Optional[String] $jvm_cli_args = $::puppet::server_jvm_cli_args, Optional[Stdlib::Absolutepath] $jruby_gem_home = $::puppet::server_jruby_gem_home, Integer[1] $max_active_instances = $::puppet::server_max_active_instances, Integer[0] $max_requests_per_instance = $::puppet::server_max_requests_per_instance, Integer[0] $max_queued_requests = $puppet::server_max_queued_requests, Integer[0] $max_retry_delay = $puppet::server_max_retry_delay, Boolean $use_legacy_auth_conf = $::puppet::server_use_legacy_auth_conf, Boolean $check_for_updates = $::puppet::server_check_for_updates, Boolean $environment_class_cache_enabled = $::puppet::server_environment_class_cache_enabled, Boolean $allow_header_cert_info = $::puppet::server_allow_header_cert_info, Boolean $puppetserver_jruby9k = $::puppet::server_puppetserver_jruby9k, Boolean $puppetserver_metrics = $::puppet::server_puppetserver_metrics, Boolean $metrics_jmx_enable = $::puppet::server_metrics_jmx_enable, Boolean $metrics_graphite_enable = $::puppet::server_metrics_graphite_enable, String $metrics_graphite_host = $::puppet::server_metrics_graphite_host, Integer $metrics_graphite_port = $::puppet::server_metrics_graphite_port, String $metrics_server_id = $::puppet::server_metrics_server_id, Integer $metrics_graphite_interval = $::puppet::server_metrics_graphite_interval, Variant[Undef, Array] $metrics_allowed = $::puppet::server_metrics_allowed, Boolean $puppetserver_experimental = $::puppet::server_puppetserver_experimental, Array[String] $puppetserver_trusted_agents = $::puppet::server_puppetserver_trusted_agents, Optional[Enum['off', 'jit', 'force']] $compile_mode = $::puppet::server_compile_mode, Optional[Integer[1]] $selector_threads = $::puppet::server_selector_threads, Optional[Integer[1]] $acceptor_threads = $::puppet::server_acceptor_threads, Optional[Integer[1]] $ssl_selector_threads = $::puppet::server_ssl_selector_threads, Optional[Integer[1]] $ssl_acceptor_threads = $::puppet::server_ssl_acceptor_threads, Optional[Integer[1]] $max_threads = $::puppet::server_max_threads, Boolean $ca_allow_sans = $::puppet::server_ca_allow_sans, Boolean $ca_allow_auth_extensions = $::puppet::server_ca_allow_auth_extensions, Boolean $ca_enable_infra_crl = $::puppet::server_ca_enable_infra_crl, ) { if $ca { $ssl_ca_cert = "${ssl_dir}/ca/ca_crt.pem" $ssl_ca_crl = "${ssl_dir}/ca/ca_crl.pem" $ssl_chain = $ssl_chain_filepath $crl_enable_real = pick($crl_enable, true) } else { $ssl_ca_cert = "${ssl_dir}/certs/ca.pem" $ssl_ca_crl = pick($ca_crl_filepath, "${ssl_dir}/crl.pem") $ssl_chain = false $crl_enable_real = pick($crl_enable, false) } $ssl_cert = "${ssl_dir}/certs/${certname}.pem" $ssl_cert_key = "${ssl_dir}/private_keys/${certname}.pem" if $config_version == undef { if $git_repo { $config_version_cmd = "git --git-dir ${envs_dir}/\$environment/.git describe --all --long" } else { $config_version_cmd = undef } } else { $config_version_cmd = $config_version } contain puppet::server::install contain puppet::server::config contain puppet::server::service Class['puppet::server::install'] ~> Class['puppet::server::config'] Class['puppet::config', 'puppet::server::config'] ~> Class['puppet::server::service'] } diff --git a/manifests/server/config.pp b/manifests/server/config.pp index 4974022..69df98f 100644 --- a/manifests/server/config.pp +++ b/manifests/server/config.pp @@ -1,303 +1,304 @@ # Set up the puppet server config +# @api private class puppet::server::config inherits puppet::config { contain 'puppet::server::puppetserver' unless empty($::puppet::server::puppetserver_vardir) { puppet::config::master { 'vardir': value => $::puppet::server::puppetserver_vardir; } } unless empty($::puppet::server::puppetserver_rundir) { puppet::config::master { 'rundir': value => $::puppet::server::puppetserver_rundir; } } unless empty($::puppet::server::puppetserver_logdir) { puppet::config::master { 'logdir': value => $::puppet::server::puppetserver_logdir; } } # Mirror the relationship, as defined() is parse-order dependent # Ensures puppetmasters certs are generated before the proxy is needed if defined(Class['foreman_proxy::config']) and $foreman_proxy::ssl { Class['puppet::server::config'] ~> Class['foreman_proxy::config'] Class['puppet::server::config'] ~> Class['foreman_proxy::service'] } # And before Foreman's cert-using service needs it if defined(Class['foreman::service']) and $foreman::ssl { Class['puppet::server::config'] -> Class['foreman::service'] } ## General configuration $ca_server = $::puppet::ca_server $ca_port = $::puppet::ca_port $server_storeconfigs_backend = $::puppet::server::storeconfigs_backend $server_external_nodes = $::puppet::server::external_nodes $server_environment_timeout = $::puppet::server::environment_timeout if $server_external_nodes and $server_external_nodes != '' { class{ '::puppet::server::enc': enc_path => $server_external_nodes, } } $autosign = ($::puppet::server::autosign =~ Boolean)? { true => $::puppet::server::autosign, false => "${::puppet::server::autosign} { mode = ${::puppet::server::autosign_mode} }" } puppet::config::main { 'reports': value => $::puppet::server::reports; 'environmentpath': value => $puppet::server::envs_dir; } if $::puppet::server::hiera_config and !empty($::puppet::server::hiera_config){ puppet::config::main { 'hiera_config': value => $::puppet::server::hiera_config; } } if $puppet::server::common_modules_path and !empty($puppet::server::common_modules_path) { puppet::config::main { 'basemodulepath': value => $puppet::server::common_modules_path, joiner => ':'; } } if $puppet::server::default_manifest { puppet::config::main { 'default_manifest': value => $puppet::server::default_manifest_path; } } puppet::config::master { 'autosign': value => $autosign; 'ca': value => $::puppet::server::ca; 'certname': value => $::puppet::server::certname; 'parser': value => $::puppet::server::parser; 'strict_variables': value => $::puppet::server::strict_variables; } if $::puppet::server::ssl_dir_manage { puppet::config::master { 'ssldir': value => $::puppet::server::ssl_dir; } } if $server_environment_timeout { puppet::config::master { 'environment_timeout': value => $server_environment_timeout; } } if $server_storeconfigs_backend { puppet::config::master { 'storeconfigs': value => true; 'storeconfigs_backend': value => $server_storeconfigs_backend; } } $::puppet::server_additional_settings.each |$key,$value| { puppet::config::master { $key: value => $value } } file { "${puppet::vardir}/reports": ensure => directory, owner => $::puppet::server::user, group => $::puppet::server::group, mode => '0750', } if '/usr/share/puppet/modules' in $puppet::server::common_modules_path { # Create Foreman share dir which does not depend on Puppet version exec { 'mkdir -p /usr/share/puppet/modules': creates => '/usr/share/puppet/modules', path => ['/usr/bin', '/bin'], } } ## SSL and CA configuration # Open read permissions to private keys to puppet group for foreman, proxy etc. file { "${::puppet::server::ssl_dir}/private_keys": ensure => directory, owner => $::puppet::server::user, group => $::puppet::server::group, mode => '0750', require => Exec['puppet_server_config-create_ssl_dir'], } if $puppet::server::ssl_key_manage { file { "${::puppet::server::ssl_dir}/private_keys/${::puppet::server::certname}.pem": owner => $::puppet::server::user, group => $::puppet::server::group, mode => '0640', } } if $puppet::server::custom_trusted_oid_mapping { $_custom_trusted_oid_mapping = { oid_mapping => $puppet::server::custom_trusted_oid_mapping, } file { "${::puppet::dir}/custom_trusted_oid_mapping.yaml": ensure => file, owner => 'root', group => $::puppet::params::root_group, mode => '0644', content => to_yaml($_custom_trusted_oid_mapping), } } # If the ssl dir is not the default dir, it needs to be created before running # the generate ca cert or it will fail. exec {'puppet_server_config-create_ssl_dir': creates => $::puppet::server::ssl_dir, command => "/bin/mkdir -p ${::puppet::server::ssl_dir}", umask => '0022', } # Generate a new CA and host cert if our host cert doesn't exist if $::puppet::server::ca { if versioncmp($::puppetversion, '6.0') > 0 { $command = "${::puppet::puppetserver_cmd} ca setup" } else { $command = "${::puppet::puppet_cmd} cert --generate ${::puppet::server::certname} --allow-dns-alt-names" } exec {'puppet_server_config-generate_ca_cert': creates => $::puppet::server::ssl_cert, command => $command, umask => '0022', require => [ Concat["${::puppet::server::dir}/puppet.conf"], Exec['puppet_server_config-create_ssl_dir'], ], } } elsif $::puppet::server::ca_crl_sync { # If not a ca AND sync the crl from the ca master if defined('$::servername') { file { $::puppet::server::ssl_ca_crl: ensure => file, owner => $::puppet::server::user, group => $::puppet::server::group, mode => '0644', content => file($::settings::cacrl, $::settings::hostcrl, '/dev/null'), } } } # autosign file if $::puppet::server_ca and !($puppet::server::autosign =~ Boolean) { if $::puppet::server::autosign_content or $::puppet::server::autosign_source { if !empty($::puppet::server::autosign_entries) { fail('Cannot set both autosign_content/autosign_source and autosign_entries') } $autosign_content = $::puppet::server::autosign_content } elsif !empty($::puppet::server::autosign_entries) { $autosign_content = template('puppet/server/autosign.conf.erb') } else { $autosign_content = undef } file { $::puppet::server::autosign: ensure => file, owner => $::puppet::server::user, group => $::puppet::server::group, mode => $::puppet::server::autosign_mode, content => $autosign_content, source => $::puppet::server::autosign_source, } } # only manage this file if we provide content if $::puppet::server::default_manifest and $::puppet::server::default_manifest_content != '' { file { $::puppet::server::default_manifest_path: ensure => file, owner => $puppet::user, group => $puppet::group, mode => '0644', content => $::puppet::server::default_manifest_content, } } ## Environments # location where our puppet environments are located if $::puppet::server::envs_target and $::puppet::server::envs_target != '' { $ensure = 'link' } else { $ensure = 'directory' } file { $::puppet::server::envs_dir: ensure => $ensure, owner => $::puppet::server::environments_owner, group => $::puppet::server::environments_group, mode => $::puppet::server::environments_mode, target => $::puppet::server::envs_target, force => true, } if $::puppet::server::git_repo { # need to chown the $vardir before puppet does it, or else # we can't write puppet.git/ on the first run include ::git git::repo { 'puppet_repo': bare => true, target => $::puppet::server::git_repo_path, mode => $::puppet::server::git_repo_mode, user => $::puppet::server::git_repo_user, group => $::puppet::server::git_repo_group, require => File[$::puppet::server::envs_dir], } $git_branch_map = $::puppet::server::git_branch_map # git post hook to auto generate an environment per branch file { "${::puppet::server::git_repo_path}/hooks/${::puppet::server::post_hook_name}": content => template($::puppet::server::post_hook_content), owner => $::puppet::server::git_repo_user, group => $::puppet::server::git_repo_group, mode => $::puppet::server::git_repo_mode, require => Git::Repo['puppet_repo'], } } file { $puppet::sharedir: ensure => directory, } if $::puppet::server::common_modules_path and !empty($::puppet::server::common_modules_path) { file { $::puppet::server::common_modules_path: ensure => directory, owner => $::puppet::server_environments_owner, group => $::puppet::server_environments_group, mode => $::puppet::server_environments_mode, } } ## Foreman if $::puppet::server::foreman { # Include foreman components for the puppetmaster # ENC script, reporting script etc. class { 'foreman::puppetmaster': foreman_url => $::puppet::server::foreman_url, receive_facts => $::puppet::server::server_foreman_facts, puppet_home => $::puppet::server::puppetserver_vardir, puppet_basedir => $::puppet::server::puppet_basedir, puppet_etcdir => $puppet::dir, enc_api => $::puppet::server::enc_api, report_api => $::puppet::server::report_api, timeout => $::puppet::server::request_timeout, ssl_ca => pick($::puppet::server::foreman_ssl_ca, $::puppet::server::ssl_ca_cert), ssl_cert => pick($::puppet::server::foreman_ssl_cert, $::puppet::server::ssl_cert), ssl_key => pick($::puppet::server::foreman_ssl_key, $::puppet::server::ssl_cert_key), } contain foreman::puppetmaster } ## PuppetDB if $::puppet::server::puppetdb_host { class { '::puppetdb::master::config': puppetdb_server => $::puppet::server::puppetdb_host, puppetdb_port => $::puppet::server::puppetdb_port, puppetdb_soft_write_failure => $::puppet::server::puppetdb_swf, manage_storeconfigs => false, restart_puppet => false, } Class['puppetdb::master::puppetdb_conf'] ~> Class['puppet::server::service'] } } diff --git a/manifests/server/enc.pp b/manifests/server/enc.pp index c2b701f..872f0bb 100644 --- a/manifests/server/enc.pp +++ b/manifests/server/enc.pp @@ -1,8 +1,10 @@ +# Set up the ENC config +# @api private class puppet::server::enc( $enc_path = $::puppet::server::external_nodes ) { puppet::config::master { 'external_nodes': value => $enc_path; 'node_terminus': value => 'exec'; } } diff --git a/manifests/server/install.pp b/manifests/server/install.pp index 41f6a70..71368a4 100644 --- a/manifests/server/install.pp +++ b/manifests/server/install.pp @@ -1,49 +1,50 @@ # Install the puppet server +# @api private class puppet::server::install { # Mirror the relationship, as defined() is parse-order dependent # Ensures 'puppet' user group is present before managing users if defined(Class['foreman_proxy::config']) { Class['puppet::server::install'] -> Class['foreman_proxy::config'] } if defined(Class['foreman::config']) { Class['puppet::server::install'] -> Class['foreman::config'] } if $::puppet::server::manage_user { $shell = $::puppet::server::git_repo ? { true => $::osfamily ? { /^(FreeBSD|DragonFly)$/ => '/usr/local/bin/git-shell', default => '/usr/bin/git-shell' }, default => undef, } user { $::puppet::server::user: shell => $shell, } } if $::puppet::manage_packages == true or $::puppet::manage_packages == 'server' { $server_package = pick($::puppet::server::package, 'puppetserver') $server_version = pick($::puppet::server::version, $::puppet::version) package { $server_package: ensure => $server_version, } if $::puppet::server::manage_user { Package[$server_package] -> User[$::puppet::server::user] } } if $::puppet::server::git_repo { Class['git'] -> User[$::puppet::server::user] file { $puppet::vardir: ensure => directory, owner => $::puppet::server::user, group => $::puppet::server::group, } } } diff --git a/manifests/server/puppetserver.pp b/manifests/server/puppetserver.pp index 4e545ba..1eb1621 100644 --- a/manifests/server/puppetserver.pp +++ b/manifests/server/puppetserver.pp @@ -1,263 +1,259 @@ -# == Class: puppet::server::puppetserver -# # Configures the puppetserver jvm configuration file using augeas. # -# === Parameters: -# -# * `java_bin` -# Path to the java executable to use +# @api private # -# * `config` -# Path to the jvm configuration file. -# This file is usually either /etc/default/puppetserver or -# /etc/sysconfig/puppetserver depending on your *nix flavor. +# @param java_bin +# Path to the java executable to use # -# * `jvm_min_heap_size` -# Translates into the -Xms option and is added to the JAVA_ARGS +# @param config +# Path to the jvm configuration file. +# This file is usually either /etc/default/puppetserver or +# /etc/sysconfig/puppetserver depending on your *nix flavor. # -# * `jvm_max_heap_size` -# Translates into the -Xmx option and is added to the JAVA_ARGS +# @param jvm_min_heap_size +# Translates into the -Xms option and is added to the JAVA_ARGS # -# * `jvm_extra_args` -# Custom options to pass through to the java binary. These get added to -# the end of the JAVA_ARGS variable +# @param jvm_max_heap_size +# Translates into the -Xmx option and is added to the JAVA_ARGS # -# * `jvm_cli_args` -# Custom options to pass through to the java binary when using a -# puppetserver subcommand, (eg puppetserver gem). These get used -# in the JAVA_ARGS_CLI variable. +# @param jvm_extra_args +# Custom options to pass through to the java binary. These get added to +# the end of the JAVA_ARGS variable # -# * `server_puppetserver_dir` -# Puppetserver config directory +# @param jvm_cli_args +# Custom options to pass through to the java binary when using a +# puppetserver subcommand, (eg puppetserver gem). These get used +# in the JAVA_ARGS_CLI variable. # -# * `server_puppetserver_vardir` -# Puppetserver var directory +# @param server_puppetserver_dir +# Puppetserver config directory # -# * `server_jruby_gem_home` -# Puppetserver jruby gemhome +# @param server_puppetserver_vardir +# Puppetserver var directory # -# * `server_cipher_suites` -# Puppetserver array of acceptable ciphers +# @param server_jruby_gem_home +# Puppetserver jruby gemhome # -# * `server_ssl_protocols` -# Puppetserver array of acceptable ssl protocols +# @param server_cipher_suites +# Puppetserver array of acceptable ciphers # -# * `server_max_active_instances` -# Puppetserver number of max jruby instances +# @param server_ssl_protocols +# Puppetserver array of acceptable ssl protocols # -# * `server_max_requests_per_instance` -# Puppetserver number of max requests per jruby instance +# @param server_max_active_instances +# Puppetserver number of max jruby instances # -# * `server_max_queued_requests` -# The maximum number of requests that may be queued waiting -# to borrow a JRuby from the pool. +# @param server_max_requests_per_instance +# Puppetserver number of max requests per jruby instance # -# * `server_max_retry_delay` -# Sets the upper limit for the random sleep set as a Retry-After -# header on 503 responses returned when max-queued-requests is enabled. +# @param server_max_queued_requests +# The maximum number of requests that may be queued waiting +# to borrow a JRuby from the pool. # -# === Example +# @param server_max_retry_delay +# Sets the upper limit for the random sleep set as a Retry-After +# header on 503 responses returned when max-queued-requests is enabled. # # @example # # # configure memory for java < 8 # class {'::puppet::server::puppetserver': # jvm_min_heap_size => '1G', # jvm_max_heap_size => '3G', # jvm_extra_args => '-XX:MaxPermSize=256m', # } # class puppet::server::puppetserver ( $config = $::puppet::server::jvm_config, $java_bin = $::puppet::server::jvm_java_bin, $jvm_extra_args = $::puppet::server::jvm_extra_args, $jvm_cli_args = $::puppet::server::jvm_cli_args, $jvm_min_heap_size = $::puppet::server::jvm_min_heap_size, $jvm_max_heap_size = $::puppet::server::jvm_max_heap_size, $server_puppetserver_dir = $::puppet::server::puppetserver_dir, $server_puppetserver_vardir = $::puppet::server::puppetserver_vardir, $server_puppetserver_rundir = $::puppet::server::puppetserver_rundir, $server_puppetserver_logdir = $::puppet::server::puppetserver_logdir, $server_jruby_gem_home = $::puppet::server::jruby_gem_home, $server_ruby_load_paths = $::puppet::server::ruby_load_paths, $server_cipher_suites = $::puppet::server::cipher_suites, $server_max_active_instances = $::puppet::server::max_active_instances, $server_max_requests_per_instance = $::puppet::server::max_requests_per_instance, $server_max_queued_requests = $::puppet::server::max_queued_requests, $server_max_retry_delay = $::puppet::server::max_retry_delay, $server_ssl_protocols = $::puppet::server::ssl_protocols, $server_ssl_ca_crl = $::puppet::server::ssl_ca_crl, $server_ssl_ca_cert = $::puppet::server::ssl_ca_cert, $server_ssl_cert = $::puppet::server::ssl_cert, $server_ssl_cert_key = $::puppet::server::ssl_cert_key, $server_ssl_chain = $::puppet::server::ssl_chain, $server_crl_enable = $::puppet::server::crl_enable_real, $server_ip = $::puppet::server::ip, $server_port = $::puppet::server::port, $server_http = $::puppet::server::http, $server_http_port = $::puppet::server::http_port, $server_ca = $::puppet::server::ca, $server_dir = $::puppet::server::dir, $codedir = $::puppet::server::codedir, $server_idle_timeout = $::puppet::server::idle_timeout, $server_web_idle_timeout = $::puppet::server::web_idle_timeout, $server_connect_timeout = $::puppet::server::connect_timeout, $server_ca_auth_required = $::puppet::server::ca_auth_required, $server_ca_client_whitelist = $::puppet::server::ca_client_whitelist, $server_admin_api_whitelist = $::puppet::server::admin_api_whitelist, $server_puppetserver_version = $::puppet::server::puppetserver_version, $server_use_legacy_auth_conf = $::puppet::server::use_legacy_auth_conf, $server_check_for_updates = $::puppet::server::check_for_updates, $server_environment_class_cache_enabled = $::puppet::server::environment_class_cache_enabled, $server_jruby9k = $::puppet::server::puppetserver_jruby9k, $server_metrics = $::puppet::server::puppetserver_metrics, $metrics_jmx_enable = $::puppet::server::metrics_jmx_enable, $metrics_graphite_enable = $::puppet::server::metrics_graphite_enable, $metrics_graphite_host = $::puppet::server::metrics_graphite_host, $metrics_graphite_port = $::puppet::server::metrics_graphite_port, $metrics_server_id = $::puppet::server::metrics_server_id, $metrics_graphite_interval = $::puppet::server::metrics_graphite_interval, $metrics_allowed = $::puppet::server::metrics_allowed, $server_experimental = $::puppet::server::puppetserver_experimental, $server_trusted_agents = $::puppet::server::puppetserver_trusted_agents, $allow_header_cert_info = $::puppet::server::allow_header_cert_info, $compile_mode = $::puppet::server::compile_mode, $acceptor_threads = $::puppet::server::acceptor_threads, $selector_threads = $::puppet::server::selector_threads, $ssl_acceptor_threads = $::puppet::server::ssl_acceptor_threads, $ssl_selector_threads = $::puppet::server::ssl_selector_threads, $max_threads = $::puppet::server::max_threads, $ca_allow_sans = $::puppet::server::ca_allow_sans, $ca_allow_auth_extensions = $::puppet::server::ca_allow_auth_extensions, $ca_enable_infra_crl = $::puppet::server::ca_enable_infra_crl, ) { include ::puppet::server if versioncmp($server_puppetserver_version, '2.7') < 0 { fail('puppetserver <2.7 is not supported by this module version') } $puppetserver_package = pick($::puppet::server::package, 'puppetserver') $jvm_cmd_arr = ["-Xms${jvm_min_heap_size}", "-Xmx${jvm_max_heap_size}", $jvm_extra_args] $jvm_cmd = strip(join(flatten($jvm_cmd_arr), ' ')) if $::osfamily == 'FreeBSD' { $server_gem_paths = [ '${jruby-puppet.gem-home}', "\"${server_puppetserver_vardir}/vendored-jruby-gems\"", ] # lint:ignore:single_quote_string_with_variables augeas { 'puppet::server::puppetserver::jvm': context => '/files/etc/rc.conf', changes => [ "set puppetserver_java_opts '\"${jvm_cmd}\"'" ], } } else { if $jvm_cli_args { $changes = [ "set JAVA_ARGS '\"${jvm_cmd}\"'", "set JAVA_BIN ${java_bin}", "set JAVA_ARGS_CLI '\"${jvm_cli_args}\"'", ] } else { $changes = [ "set JAVA_ARGS '\"${jvm_cmd}\"'", "set JAVA_BIN ${java_bin}", ] } augeas { 'puppet::server::puppetserver::jvm': lens => 'Shellvars.lns', incl => $config, context => "/files${config}", changes => $changes, } $bootstrap_paths = "${server_puppetserver_dir}/services.d/,/opt/puppetlabs/server/apps/puppetserver/config/services.d/" if versioncmp($server_puppetserver_version, '5.3') >= 0 { $server_gem_paths = [ '${jruby-puppet.gem-home}', "\"${server_puppetserver_vardir}/vendored-jruby-gems\"", "\"/opt/puppetlabs/puppet/lib/ruby/vendor_gems\""] # lint:ignore:single_quote_string_with_variables } else { $server_gem_paths = [ '${jruby-puppet.gem-home}', "\"${server_puppetserver_vardir}/vendored-jruby-gems\"", ] # lint:ignore:single_quote_string_with_variables } augeas { 'puppet::server::puppetserver::bootstrap': lens => 'Shellvars.lns', incl => $config, context => "/files${config}", changes => "set BOOTSTRAP_CONFIG '\"${bootstrap_paths}\"'", } if versioncmp($server_puppetserver_version, '5.0') >= 0 { $jruby_jar_changes = $server_jruby9k ? { true => "set JRUBY_JAR '\"/opt/puppetlabs/server/apps/puppetserver/jruby-9k.jar\"'", default => 'rm JRUBY_JAR' } augeas { 'puppet::server::puppetserver::jruby_jar': lens => 'Shellvars.lns', incl => $config, context => "/files${config}", changes => $jruby_jar_changes, } } } $servicesd = "${server_puppetserver_dir}/services.d" file { $servicesd: ensure => directory, } file { "${servicesd}/ca.cfg": ensure => file, content => template('puppet/server/puppetserver/services.d/ca.cfg.erb'), } unless $::osfamily == 'FreeBSD' { file { '/opt/puppetlabs/server/apps/puppetserver/config': ensure => directory, } file { '/opt/puppetlabs/server/apps/puppetserver/config/services.d': ensure => directory, } } if versioncmp($server_puppetserver_version, '5.3.6') >= 0 { $ca_conf_ensure = present } else { $ca_conf_ensure = absent } file { "${server_puppetserver_dir}/conf.d/ca.conf": ensure => $ca_conf_ensure, content => template('puppet/server/puppetserver/conf.d/ca.conf.erb'), } file { "${server_puppetserver_dir}/conf.d/puppetserver.conf": ensure => file, content => template('puppet/server/puppetserver/conf.d/puppetserver.conf.erb'), } file { "${server_puppetserver_dir}/conf.d/auth.conf": ensure => file, content => template('puppet/server/puppetserver/conf.d/auth.conf.erb'), } file { "${server_puppetserver_dir}/conf.d/webserver.conf": ensure => file, content => template('puppet/server/puppetserver/conf.d/webserver.conf.erb'), } file { "${server_puppetserver_dir}/conf.d/product.conf": ensure => file, content => template('puppet/server/puppetserver/conf.d/product.conf.erb'), } if versioncmp($server_puppetserver_version, '5.0') >= 0 { $metrics_conf = "${server_puppetserver_dir}/conf.d/metrics.conf" $metrics_conf_ensure = $server_metrics ? { true => file, default => absent } file { $metrics_conf: ensure => $metrics_conf_ensure, content => template('puppet/server/puppetserver/conf.d/metrics.conf.erb'), } } } diff --git a/manifests/server/service.pp b/manifests/server/service.pp index 5f21e9a..6b99d6d 100644 --- a/manifests/server/service.pp +++ b/manifests/server/service.pp @@ -1,14 +1,15 @@ # Set up the puppet server as a service # # @param $enable Whether to enable the service or not # @param $service_name The service name to manage # +# @api private class puppet::server::service( Boolean $enable = true, String $service_name = 'puppetserver', ) { service { $service_name: ensure => $enable, enable => $enable, } }