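---
# Bootstrap the Puppet agent inside a Gentoo chroot. The play runs on the
# host and reaches into the chroot with chroot(1): host-side modules get
# paths prefixed with {{ chroot }}, chrooted commands use absolute paths.
# Steps: puppet account, /etc/puppet layout plus the /etc/puppetlabs/puppet
# compatibility symlink, an initial puppet.conf and the CSR attributes that
# carry the autosign token, agent install, certificate enrollment, the first
# agent run, and a few post-run sanity checks.
#
# Variables expected from the caller (not defined here):
#   chroot                - host path of the chroot being provisioned
#   hostname              - short host name; the cert name is {{ hostname }}.gentoo.org
#   puppet_autosign_token - shared secret the CA's autosign policy checks
- name: puppet
  tags:
    - puppet
  block:
    - name: stat /usr/lib/sysusers.d/acct-group-puppet.conf
      ansible.builtin.stat:
        path: "{{ chroot }}/usr/lib/sysusers.d/acct-group-puppet.conf"
      register: stat_puppet_group

    - name: stat /usr/lib/sysusers.d/acct-user-puppet.conf
      ansible.builtin.stat:
        path: "{{ chroot }}/usr/lib/sysusers.d/acct-user-puppet.conf"
      register: stat_puppet_user

    # acct-group/puppet and acct-user/puppet ship these sysusers.d files; if
    # either is missing the account has not been created in the chroot yet.
    - name: ensure puppet user & group exist
      ansible.builtin.command: >
        chroot {{ chroot | quote }} emerge -1 acct-group/puppet acct-user/puppet
      when: (not stat_puppet_user.stat.exists) or (not stat_puppet_group.stat.exists)

    # Resolve the ids *inside* the chroot (they need not match the host) so
    # the file tasks below can chown by numeric id. Read-only: never "changed".
    - name: getent puppet
      ansible.builtin.command: >
        chroot {{ chroot | quote }} getent passwd puppet
      register: getent_puppet
      changed_when: false

    - name: set puppet uid/gid
      ansible.builtin.set_fact:
        puppet_uid: "{{ (getent_puppet.stdout | split(':'))[2] }}"
        puppet_gid: "{{ (getent_puppet.stdout | split(':'))[3] }}"

    # Directories only (no `recurse`). With recurse, each entry's mode and
    # owner were applied to every file underneath as well: puppet.conf,
    # csr_attributes.yaml (written 0640 below) and the private keys all ended
    # up 0750, and the /etc/puppet (owner root) vs /etc/puppet/ssl (owner
    # puppet) entries re-chowned the key files against each other on every run.
    - name: create directories
      ansible.builtin.file:
        path: "{{ chroot }}/{{ item.path }}"
        owner: "{{ item.owner | default('root') }}"
        group: "{{ item.group | default('root') }}"
        mode: "{{ item.mode | default('0755') }}"
        state: directory
      loop:
        - path: /etc/puppetlabs
          mode: '0750'
          group: "{{ puppet_gid }}"
        # - path: /etc/puppetlabs/puppet  # a symlink to /etc/puppet, created below
        - path: /etc/puppet
          mode: '0750'
          group: "{{ puppet_gid }}"
        - path: /etc/puppet/devices
          mode: '0750'
          owner: "{{ puppet_uid }}"
          group: "{{ puppet_gid }}"
        - path: /etc/puppet/facter
          mode: '0750'
          owner: root
          group: "{{ puppet_gid }}"
        # o+x without o+r: other users may traverse to the world-readable
        # certs/ and public_keys/ but cannot list the ssl dir itself.
        - path: /etc/puppet/ssl
          mode: '0751'
          owner: "{{ puppet_uid }}"
          group: "{{ puppet_gid }}"
        - path: /etc/puppet/ssl/certs/
          mode: '0755'
          owner: "{{ puppet_uid }}"
          group: "{{ puppet_gid }}"
        - path: /etc/puppet/ssl/certificate_requests
          mode: '0755'
          owner: "{{ puppet_uid }}"
          group: "{{ puppet_gid }}"
        - path: /etc/puppet/ssl/public_keys/
          mode: '0755'
          owner: "{{ puppet_uid }}"
          group: "{{ puppet_gid }}"
        # Key material: owner and group puppet only, nothing for others.
        - path: /etc/puppet/ssl/private_keys/
          mode: '0750'
          owner: "{{ puppet_uid }}"
          group: "{{ puppet_gid }}"
        - path: /etc/puppet/ssl/private/
          mode: '0750'
          owner: "{{ puppet_uid }}"
          group: "{{ puppet_gid }}"

    # Convert a pre-existing, *empty* /etc/puppetlabs/puppet directory
    # (presumably left by the app-admin/puppet ebuild, hence the .keep file)
    # into the symlink. rmdir only removes empty directories; if anything is
    # still there afterwards the task fails instead of `ln` dropping a stray
    # puppet -> /etc/puppet link *inside* the surviving directory, which is
    # what the previous `;`-chained one-liner did.
    - name: cleanup non-symlink /etc/puppetlabs/puppet
      ansible.builtin.shell: |
        chroot {{ chroot | quote }} bash -c '
          if test ! -L /etc/puppetlabs/puppet && test -d /etc/puppetlabs/puppet ; then
            rm -f /etc/puppetlabs/puppet/ssl/.keep_app-admin_puppet-0
            rmdir -v /etc/puppetlabs/puppet/ssl/* /etc/puppetlabs/puppet/ssl /etc/puppetlabs/puppet/devices /etc/puppetlabs/puppet/
            if test -e /etc/puppetlabs/puppet ; then
              echo "/etc/puppetlabs/puppet is not empty, refusing to replace it with a symlink" >&2
              exit 1
            fi
            ln -vsf /etc/puppet /etc/puppetlabs/puppet
          fi
        '
      register: puppetlabs_cleanup
      # rmdir -v / ln -v report what they did on stdout; silence means no-op.
      changed_when: puppetlabs_cleanup.stdout | length > 0

    # The link target is absolute inside the chroot and may look dangling
    # from the host, so force is needed for the module to create it. The file
    # module will not turn a non-empty directory into a link, so the cleanup
    # above is what has to have emptied it first.
    - name: /etc/puppetlabs/puppet
      ansible.builtin.file:
        state: link
        src: "/etc/puppet"
        dest: "{{ chroot }}/etc/puppetlabs/puppet"
        follow: false
        force: true

    - name: check for /etc/puppet/puppet.conf
      ansible.builtin.stat:
        path: "{{ chroot }}/etc/puppet/puppet.conf"
      register: stat_etc_puppet_puppet_conf

    # Written once; an existing puppet.conf is left alone on later runs.
    # Master discovery is via SRV records under puppet.infra.gentoo.org; the
    # commented server/ca_server lines are the manual fallback.
    # NOTE(review): parser, trusted_node_data and stringify_facts are Puppet 3
    # era settings; with `environment = puppet7` they are likely unknown to the
    # agent -- confirm it does not warn about them and drop them if so.
    - name: bootstrap /etc/puppet/puppet.conf
      when: not stat_etc_puppet_puppet_conf.stat.exists
      ansible.builtin.copy:
        dest: "{{ chroot }}/etc/puppet/puppet.conf"
        content: |
          [main]
          environment = puppet7
          use_srv_records = true
          srv_domain = puppet.infra.gentoo.org
          #server = puppetmaster.gentoo.org
          #ca_server = puppetca.gentoo.org
          #pluginsync = true
          report = true
          splaylimit = 900
          certificate_expire_warning = 7d
          parser = future
          trusted_node_data = true
          stringify_facts = false
          number_of_facts_soft_limit = 16384
          include_legacy_facts = true

    - name: check for /etc/puppet/csr_attributes.yaml
      ansible.builtin.stat:
        path: "{{ chroot }}/etc/puppet/csr_attributes.yaml"
      register: stat_etc_puppet_csr_attributes_yaml

    # OID 1.2.840.113549.1.9.7 is challengePassword, the CSR attribute a
    # policy-based autosign script on the CA compares against the shared
    # token. Rendering through to_nice_yaml quotes the token correctly
    # whatever characters it contains (a hand-written '...' broke on a quote),
    # and no_log keeps the secret out of the play output, which copy would
    # otherwise print in diff/verbose mode.
    - name: /etc/puppet/csr_attributes.yaml
      when: not stat_etc_puppet_csr_attributes_yaml.stat.exists
      no_log: true
      ansible.builtin.copy:
        dest: "{{ chroot }}/etc/puppet/csr_attributes.yaml"
        mode: '0640'
        owner: root
        group: "{{ puppet_gid }}"
        content: "{{ {'custom_attributes': {'1.2.840.113549.1.9.7': puppet_autosign_token | string}} | to_nice_yaml }}"

    - name: check for /usr/bin/puppet
      ansible.builtin.stat:
        path: "{{ chroot }}/usr/bin/puppet"
      register: stat_usr_bin_puppet

    - name: install puppet
      ansible.builtin.command: >
        chroot {{ chroot | quote }} emerge -qu app-admin/puppet
      when: not stat_usr_bin_puppet.stat.exists

    # Do this AFTER puppet. chroot(1) passes its environment through to the
    # command, so ACCEPT_KEYWORDS reaches emerge without needing a shell.
    - name: install ~arch msgpack
      ansible.builtin.command: >
        chroot {{ chroot | quote }} emerge -qu dev-ruby/msgpack
      environment:
        ACCEPT_KEYWORDS: '~amd64'
      when: not stat_usr_bin_puppet.stat.exists

    - name: puppet cert check, pass1
      ansible.builtin.stat:
        path: "{{ chroot }}/etc/puppet/ssl/certs/{{ hostname }}.gentoo.org.pem"
      register: stat_puppet_cert_pass1

    # Request a certificate from the CA (csr_attributes.yaml rides along in
    # the CSR), waiting up to 10s for it to be signed, and bounded by
    # timeout(1) so a CA that never signs cannot hang the play. Success is
    # judged by the cert check that follows, not by this exit status, so a
    # timeout or refused CSR ends in the explicit "enrollment failed" message
    # below instead of a bare command error.
    # Uses /usr/bin/puppet: that is the path the install check stats and the
    # path the initial run uses; the old /usr/sbin/puppet was never checked.
    - name: puppet enrollment
      # chroot {{ chroot }} puppet agent --onetime --test --verbose
      # TODO: it needs to use wait at least once
      ansible.builtin.command: >
        timeout 30 chroot {{ chroot | quote }} /usr/bin/puppet ssl bootstrap --onetime --verbose --waitforcert=10
      when: not stat_puppet_cert_pass1.stat.exists
      register: puppet_bootstrap
      failed_when: false

    - name: puppet cert check, pass2
      ansible.builtin.stat:
        path: "{{ chroot }}/etc/puppet/ssl/certs/{{ hostname }}.gentoo.org.pem"
      register: stat_puppet_cert_pass2

    # NOTE(review): on a Puppet 6+ server `puppet cert` no longer exists; the
    # equivalents are `puppetserver ca list` and
    # `puppetserver ca sign --certname {{ hostname }}.gentoo.org` -- confirm
    # which one the master runs before following this hint.
    - name: puppet enrollment failed
      ansible.builtin.fail:
        msg: >
          You should run this on the master (if the fingerprints match):
          puppet cert list
          puppet cert sign {{ hostname }}.gentoo.org
          Bootstrap output: {{ puppet_bootstrap.stderr | default('') }}
      when: not stat_puppet_cert_pass2.stat.exists

    # --test implies --detailed-exitcodes: 0 = no changes, 2 = changes
    # applied, 4/6 = failures. A first run on a fresh host returns 2 almost by
    # definition, so only 0 and 2 count as success here.
    - name: initial puppet run
      ansible.builtin.command: >
        chroot {{ chroot | quote }} /usr/bin/puppet agent --onetime --no-daemonize --test
      register: puppet_initial_run
      changed_when: puppet_initial_run.rc == 2
      failed_when: puppet_initial_run.rc not in [0, 2]

    # TODO: verify if obsolete
    - name: make.conf final pass
      ansible.builtin.command: >
        chroot {{ chroot | quote }} /usr/local/sbin/update-config /etc/portage/make.conf /etc/portage/make.conf.d .conf

    # TODO: verify if obsolete
    - name: etc-update
      ansible.builtin.command: >
        chroot {{ chroot | quote }} etc-update --automode -5

    # TODO: verify if obsolete
    # Refuse to finish with a root account that is locked (password field
    # starting with ! or *) or -- worse -- needs no password at all (empty
    # field); a missing root entry fails too. The old check only caught the
    # literal "*". failed_when: false lets the awk exit code reach the fail
    # task below instead of aborting here with a generic command error.
    - name: check if root password is set
      ansible.builtin.command: >
        awk -F: '$1 == "root" { found = 1; if ($2 == "" || $2 ~ /^[!*]/) exit 1 } END { if (!found) exit 1 }' {{ chroot | quote }}/etc/shadow
      register: root_password_set
      changed_when: false
      failed_when: false

    - name: abort if no root password
      ansible.builtin.fail:
        msg: "No root password set on {{ hostname }}"
      when: root_password_set.rc != 0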