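---
# Bootstrap a Puppet agent inside a Gentoo chroot: create the puppet account,
# lay out /etc/puppet with the expected ownership, install the agent, enrol
# the host with the CA and run it once.  Every file task works on the host
# filesystem under "{{ chroot }}"; anything that needs the target's binaries
# is wrapped in chroot(1).
#
# Expected variables: chroot, hostname, puppet_autosign_token.
- name: puppet
  tags:
    - puppet
  block:
    - name: stat /usr/lib/sysusers.d/acct-group-puppet.conf
      ansible.builtin.stat:
        path: "{{ chroot }}/usr/lib/sysusers.d/acct-group-puppet.conf"
      register: stat_puppet_group

    - name: stat /usr/lib/sysusers.d/acct-user-puppet.conf
      ansible.builtin.stat:
        path: "{{ chroot }}/usr/lib/sysusers.d/acct-user-puppet.conf"
      register: stat_puppet_user

    # The acct-* packages create the user and group inside the chroot.
    - name: ensure puppet user & group exist
      ansible.builtin.command: >
        chroot {{ chroot }} emerge -1 acct-group/puppet acct-user/puppet
      when: (not stat_puppet_user.stat.exists) or (not stat_puppet_group.stat.exists)

    # Resolve the ids inside the chroot: the host's passwd may map "puppet"
    # differently (or not at all), so the file tasks below use numeric ids.
    - name: getent puppet
      ansible.builtin.command: >
        chroot {{ chroot }} getent passwd puppet
      register: getent_puppet
      changed_when: false

    - name: set puppet uid/gid
      ansible.builtin.set_fact:
        puppet_uid: "{{ (getent_puppet.stdout | split(':'))[2] }}"
        puppet_gid: "{{ (getent_puppet.stdout | split(':'))[3] }}"

    # NOTE(review): recurse re-applies owner/group/mode to everything already
    # below each path on every run, files included — confirm this is intended
    # for the ssl key directories before adding new entries here.
    - name: create directories
      ansible.builtin.file:
        path: "{{ chroot }}/{{ item.path }}"
        owner: "{{ item.owner | default('root') }}"
        group: "{{ item.group | default('root') }}"
        mode: "{{ item.mode | default('0755') }}"
        state: directory
        recurse: true
      loop:
        - path: /etc/puppetlabs
          mode: '0750'
          group: "{{ puppet_gid }}"
        # - path: /etc/puppetlabs/puppet  # this should be a symlink to /etc/puppet/
        - path: /etc/puppet
          mode: '0750'
          group: "{{ puppet_gid }}"
        - path: /etc/puppet/devices
          mode: '0750'
          owner: "{{ puppet_uid }}"
          group: "{{ puppet_gid }}"
        - path: /etc/puppet/facter
          mode: '0750'
          owner: root
          group: "{{ puppet_gid }}"
        - path: /etc/puppet/ssl
          mode: '0751'
          owner: "{{ puppet_uid }}"
          group: "{{ puppet_gid }}"
        - path: /etc/puppet/ssl/certs/
          mode: '0755'
          owner: "{{ puppet_uid }}"
          group: "{{ puppet_gid }}"
        - path: /etc/puppet/ssl/certificate_requests
          mode: '0755'
          owner: "{{ puppet_uid }}"
          group: "{{ puppet_gid }}"
        - path: /etc/puppet/ssl/public_keys/
          mode: '0755'
          owner: "{{ puppet_uid }}"
          group: "{{ puppet_gid }}"
        - path: /etc/puppet/ssl/private_keys/
          mode: '0750'
          owner: "{{ puppet_uid }}"
          group: "{{ puppet_gid }}"
        - path: /etc/puppet/ssl/private/
          mode: '0750'
          owner: "{{ puppet_uid }}"
          group: "{{ puppet_gid }}"

    # If the paths exist and they are only empty, we can safely convert it.
    # rmdir refuses non-empty directories, so a populated tree is left alone
    # (and the symlink task below then fails rather than replacing it).
    - name: cleanup non-symlink /etc/puppetlabs/puppet
      ansible.builtin.shell: >
        chroot {{ chroot }} bash -c 'if test ! -L /etc/puppetlabs/puppet
        && test -d /etc/puppetlabs/puppet ; then
        rm /etc/puppetlabs/puppet/ssl/.keep_app-admin_puppet-0 ;
        rmdir -v /etc/puppetlabs/puppet/ssl/* /etc/puppetlabs/puppet/ssl
        /etc/puppetlabs/puppet/devices /etc/puppetlabs/puppet/ ;
        ln -vsf /etc/puppet /etc/puppetlabs/puppet; fi'

    # TODO: add check for non-empty /etc/puppetlabs/puppet/
    - name: /etc/puppetlabs/puppet
      ansible.builtin.file:
        state: link
        src: "/etc/puppet"
        path: "{{ chroot }}/etc/puppetlabs/puppet"
        follow: false
        force: true

    - name: check for /etc/puppet/puppet.conf
      ansible.builtin.stat:
        path: "{{ chroot }}/etc/puppet/puppet.conf"
      register: stat_etc_puppet_puppet_conf

    # Only seeds the file; an existing puppet.conf is never overwritten.
    # NOTE(review): parser, trusted_node_data and stringify_facts look like
    # pre-Puppet-4 settings — confirm they are still honoured by puppet7 or
    # drop them.
    - name: bootstrap /etc/puppet/puppet.conf
      when: not stat_etc_puppet_puppet_conf.stat.exists
      ansible.builtin.copy:
        dest: "{{ chroot }}/etc/puppet/puppet.conf"
        content: |
          [main]
          environment = puppet7
          use_srv_records = true
          srv_domain = puppet.infra.gentoo.org
          #server = puppetmaster.gentoo.org
          #ca_server = puppetca.gentoo.org
          #pluginsync = true
          report = true
          splaylimit = 900
          certificate_expire_warning = 7d
          parser = future
          trusted_node_data = true
          stringify_facts = false
          number_of_facts_soft_limit = 16384
          include_legacy_facts = true

    - name: check for /etc/puppet/csr_attributes.yaml
      ansible.builtin.stat:
        path: "{{ chroot }}/etc/puppet/csr_attributes.yaml"
      register: stat_etc_puppet_csr_attributes_yaml

    # The file carries the CA autosign token: keep it out of task output,
    # --diff output and logs, and readable only by root and the puppet group.
    - name: /etc/puppet/csr_attributes.yaml
      when: not stat_etc_puppet_csr_attributes_yaml.stat.exists
      no_log: true
      ansible.builtin.copy:
        dest: "{{ chroot }}/etc/puppet/csr_attributes.yaml"
        mode: '0640'
        owner: root
        group: "{{ puppet_gid }}"
        # TODO: nicer way to generate YAML here
        content: |
          custom_attributes:
            1.2.840.113549.1.9.7: '{{ puppet_autosign_token }}'

    - name: check for /usr/bin/puppet
      ansible.builtin.stat:
        path: "{{ chroot }}/usr/bin/puppet"
      register: stat_usr_bin_puppet

    - name: install puppet
      ansible.builtin.command: >
        chroot {{ chroot }} emerge -qu app-admin/puppet
      when: not stat_usr_bin_puppet.stat.exists

    # Do this AFTER puppet
    - name: install ~arch msgpack
      ansible.builtin.shell: >
        ACCEPT_KEYWORDS=~amd64 chroot {{ chroot }} emerge -qu dev-ruby/msgpack
      when: not stat_usr_bin_puppet.stat.exists

    - name: puppet cert check, pass1
      ansible.builtin.stat:
        path: "{{ chroot }}/etc/puppet/ssl/certs/{{ hostname }}.gentoo.org.pem"
      register: stat_puppet_cert_pass1

    # Submits the CSR and waits up to the timeout for a signed certificate;
    # the second stat below decides whether enrolment actually succeeded.
    - name: puppet enrollment
      # chroot {{ chroot }} puppet agent --onetime --test --verbose
      # TODO: it needs to use wait at least once
      ansible.builtin.command: >
        timeout 30 chroot {{ chroot }} /usr/sbin/puppet ssl bootstrap
        --onetime --verbose --waitforcert=10
      when: not stat_puppet_cert_pass1.stat.exists

    - name: puppet cert check, pass2
      ansible.builtin.stat:
        path: "{{ chroot }}/etc/puppet/ssl/certs/{{ hostname }}.gentoo.org.pem"
      register: stat_puppet_cert_pass2

    - name: puppet enrollment failed
      ansible.builtin.fail:
        msg: >
          You should run this on the master (if the fingerprints match):
          puppet cert list
          puppet cert sign {{ hostname }}.gentoo.org
      when: not stat_puppet_cert_pass2.stat.exists

    - name: initial puppet run
      ansible.builtin.command: >
        chroot {{ chroot }} /usr/bin/puppet agent --onetime --no-daemonize --test

    # TODO: verify if obsolete
    - name: make.conf final pass
      ansible.builtin.command: >
        chroot {{ chroot }} /usr/local/sbin/update-config
        /etc/portage/make.conf /etc/portage/make.conf.d .conf

    # TODO: verify if obsolete
    - name: etc-update
      ansible.builtin.command: >
        chroot {{ chroot }} etc-update --automode -5

    # TODO: verify if obsolete
    # A usable root password is a real hash: an empty field means passwordless
    # login, "*" / "!" / "!!" mean no (usable) password.  awk exits 1 in those
    # cases or when no root entry exists at all; failed_when keeps the task
    # from aborting here so the dedicated fail task below reports it.
    - name: check if root password is set
      ansible.builtin.command: >
        awk -F: '$1 == "root" { found = 1;
        if ($2 == "" || $2 ~ /^[*!]/) { bad = 1 } }
        END { exit (bad || !found) }' {{ chroot }}/etc/shadow
      register: root_password_set
      changed_when: false
      failed_when: false

    # Any non-zero rc (including awk failing to read shadow) aborts: fail closed.
    - name: abort if no root password
      ansible.builtin.fail:
        msg: "No root password set on {{ hostname }}"
      when: root_password_set.rc != 0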