Revision 875c8377
Added by Ewoud Kohl van Wijngaarden about 4 years ago
| manifests/config.pp | ||
|---|---|---|
|
Class['puppet::server::install'] -> Class['foreman::config']
|
||
|
}
|
||
|
|
||
|
if $::foreman::jobs_manage_service {
|
||
|
if $::foreman::jobs_sidekiq_redis_url != undef {
|
||
|
$jobs_redis_url = $::foreman::jobs_sidekiq_redis_url
|
||
|
if $foreman::jobs_manage_service {
|
||
|
if $foreman::jobs_sidekiq_redis_url != undef {
|
||
|
$jobs_redis_url = $foreman::jobs_sidekiq_redis_url
|
||
|
} else {
|
||
|
include ::redis
|
||
|
include redis
|
||
|
$jobs_redis_url = "redis://localhost:${::redis::port}/6"
|
||
|
}
|
||
|
|
||
| ... | ... | |
|
|
||
|
concat {'/etc/foreman/settings.yaml':
|
||
|
owner => 'root',
|
||
|
group => $::foreman::group,
|
||
|
group => $foreman::group,
|
||
|
mode => '0640',
|
||
|
}
|
||
|
|
||
|
file { '/etc/foreman/database.yml':
|
||
|
owner => 'root',
|
||
|
group => $::foreman::group,
|
||
|
group => $foreman::group,
|
||
|
mode => '0640',
|
||
|
content => template('foreman/database.yml.erb'),
|
||
|
}
|
||
| ... | ... | |
|
default => "${foreman::foreman_service_bind}:${foreman::foreman_service_port}",
|
||
|
}
|
||
|
|
||
|
if $::foreman::use_foreman_service {
|
||
|
if $foreman::use_foreman_service {
|
||
|
systemd::dropin_file { 'foreman-socket':
|
||
|
filename => 'installer.conf',
|
||
|
unit => "${::foreman::foreman_service}.socket",
|
||
|
unit => "${foreman::foreman_service}.socket",
|
||
|
content => template('foreman/foreman.socket-overrides.erb'),
|
||
|
}
|
||
|
|
||
|
systemd::dropin_file { 'foreman-service':
|
||
|
filename => 'installer.conf',
|
||
|
unit => "${::foreman::foreman_service}.service",
|
||
|
unit => "${foreman::foreman_service}.service",
|
||
|
content => template('foreman/foreman.service-overrides.erb'),
|
||
|
}
|
||
|
}
|
||
|
|
||
|
file { $::foreman::app_root:
|
||
|
file { $foreman::app_root:
|
||
|
ensure => directory,
|
||
|
}
|
||
|
|
||
|
if $::foreman::db_root_cert {
|
||
|
$pg_cert_dir = "${::foreman::app_root}/.postgresql"
|
||
|
if $foreman::db_root_cert {
|
||
|
$pg_cert_dir = "${foreman::app_root}/.postgresql"
|
||
|
|
||
|
file { $pg_cert_dir:
|
||
|
ensure => 'directory',
|
||
|
owner => 'root',
|
||
|
group => $::foreman::group,
|
||
|
group => $foreman::group,
|
||
|
mode => '0640',
|
||
|
}
|
||
|
|
||
|
file { "${pg_cert_dir}/root.crt":
|
||
|
ensure => file,
|
||
|
source => $::foreman::db_root_cert,
|
||
|
source => $foreman::db_root_cert,
|
||
|
owner => 'root',
|
||
|
group => $::foreman::group,
|
||
|
group => $foreman::group,
|
||
|
mode => '0640',
|
||
|
}
|
||
|
}
|
||
|
|
||
|
if $::foreman::manage_user {
|
||
|
group { $::foreman::group:
|
||
|
if $foreman::manage_user {
|
||
|
group { $foreman::group:
|
||
|
ensure => 'present',
|
||
|
}
|
||
|
user { $::foreman::user:
|
||
|
user { $foreman::user:
|
||
|
ensure => 'present',
|
||
|
shell => '/bin/false',
|
||
|
comment => 'Foreman',
|
||
|
home => $::foreman::app_root,
|
||
|
gid => $::foreman::group,
|
||
|
groups => $::foreman::user_groups,
|
||
|
home => $foreman::app_root,
|
||
|
gid => $foreman::group,
|
||
|
groups => $foreman::user_groups,
|
||
|
}
|
||
|
}
|
||
|
|
||
| ... | ... | |
|
ensure => absent,
|
||
|
}
|
||
|
|
||
|
if $::foreman::apache {
|
||
|
if $foreman::apache {
|
||
|
class { 'foreman::config::apache':
|
||
|
passenger => $::foreman::passenger,
|
||
|
app_root => $::foreman::app_root,
|
||
|
passenger_ruby => $::foreman::passenger_ruby,
|
||
|
priority => $::foreman::vhost_priority,
|
||
|
servername => $::foreman::servername,
|
||
|
serveraliases => $::foreman::serveraliases,
|
||
|
server_port => $::foreman::server_port,
|
||
|
server_ssl_port => $::foreman::server_ssl_port,
|
||
|
passenger => $foreman::passenger,
|
||
|
app_root => $foreman::app_root,
|
||
|
passenger_ruby => $foreman::passenger_ruby,
|
||
|
priority => $foreman::vhost_priority,
|
||
|
servername => $foreman::servername,
|
||
|
serveraliases => $foreman::serveraliases,
|
||
|
server_port => $foreman::server_port,
|
||
|
server_ssl_port => $foreman::server_ssl_port,
|
||
|
proxy_backend => "http://${listen_socket}/",
|
||
|
ssl => $::foreman::ssl,
|
||
|
ssl_ca => $::foreman::server_ssl_ca,
|
||
|
ssl_chain => $::foreman::server_ssl_chain,
|
||
|
ssl_cert => $::foreman::server_ssl_cert,
|
||
|
ssl_certs_dir => $::foreman::server_ssl_certs_dir,
|
||
|
ssl_key => $::foreman::server_ssl_key,
|
||
|
ssl_crl => $::foreman::server_ssl_crl,
|
||
|
ssl_protocol => $::foreman::server_ssl_protocol,
|
||
|
ssl_verify_client => $::foreman::server_ssl_verify_client,
|
||
|
user => $::foreman::user,
|
||
|
passenger_prestart => $::foreman::passenger_prestart,
|
||
|
passenger_min_instances => $::foreman::passenger_min_instances,
|
||
|
passenger_start_timeout => $::foreman::passenger_start_timeout,
|
||
|
foreman_url => $::foreman::foreman_url,
|
||
|
ipa_authentication => $::foreman::ipa_authentication,
|
||
|
keycloak => $::foreman::keycloak,
|
||
|
keycloak_app_name => $::foreman::keycloak_app_name,
|
||
|
keycloak_realm => $::foreman::keycloak_realm,
|
||
|
ssl => $foreman::ssl,
|
||
|
ssl_ca => $foreman::server_ssl_ca,
|
||
|
ssl_chain => $foreman::server_ssl_chain,
|
||
|
ssl_cert => $foreman::server_ssl_cert,
|
||
|
ssl_certs_dir => $foreman::server_ssl_certs_dir,
|
||
|
ssl_key => $foreman::server_ssl_key,
|
||
|
ssl_crl => $foreman::server_ssl_crl,
|
||
|
ssl_protocol => $foreman::server_ssl_protocol,
|
||
|
ssl_verify_client => $foreman::server_ssl_verify_client,
|
||
|
user => $foreman::user,
|
||
|
passenger_prestart => $foreman::passenger_prestart,
|
||
|
passenger_min_instances => $foreman::passenger_min_instances,
|
||
|
passenger_start_timeout => $foreman::passenger_start_timeout,
|
||
|
foreman_url => $foreman::foreman_url,
|
||
|
ipa_authentication => $foreman::ipa_authentication,
|
||
|
keycloak => $foreman::keycloak,
|
||
|
keycloak_app_name => $foreman::keycloak_app_name,
|
||
|
keycloak_realm => $foreman::keycloak_realm,
|
||
|
}
|
||
|
|
||
|
contain foreman::config::apache
|
||
|
|
||
|
if $::foreman::ipa_authentication {
|
||
|
if $foreman::ipa_authentication {
|
||
|
unless 'ipa' in $facts and 'default_server' in $facts['ipa'] and 'default_realm' in $facts['ipa'] {
|
||
|
fail("${::hostname}: The system does not seem to be IPA-enrolled")
|
||
|
fail("${facts['networking']['hostname']}: The system does not seem to be IPA-enrolled")
|
||
|
}
|
||
|
|
||
|
if $facts['selinux'] {
|
||
|
if $facts['os']['selinux']['enabled'] {
|
||
|
selboolean { ['allow_httpd_mod_auth_pam', 'httpd_dbus_sssd']:
|
||
|
persistent => true,
|
||
|
value => 'on',
|
||
|
}
|
||
|
}
|
||
|
|
||
|
if $::foreman::ipa_manage_sssd {
|
||
|
if $foreman::ipa_manage_sssd {
|
||
|
service { 'sssd':
|
||
|
ensure => running,
|
||
|
enable => true,
|
||
| ... | ... | |
|
exec { 'ipa-getkeytab':
|
||
|
command => "/bin/echo Get keytab \
|
||
|
&& KRB5CCNAME=KEYRING:session:get-http-service-keytab kinit -k \
|
||
|
&& KRB5CCNAME=KEYRING:session:get-http-service-keytab /usr/sbin/ipa-getkeytab -s ${facts['ipa']['default_server']} -k ${foreman::http_keytab} -p HTTP/${::fqdn} \
|
||
|
&& KRB5CCNAME=KEYRING:session:get-http-service-keytab /usr/sbin/ipa-getkeytab -s ${facts['ipa']['default_server']} -k ${foreman::http_keytab} -p HTTP/${facts['networking']['fqdn']} \
|
||
|
&& kdestroy -c KEYRING:session:get-http-service-keytab",
|
||
|
creates => $::foreman::http_keytab,
|
||
|
creates => $foreman::http_keytab,
|
||
|
}
|
||
|
-> file { $::foreman::http_keytab:
|
||
|
-> file { $foreman::http_keytab:
|
||
|
ensure => file,
|
||
|
owner => apache,
|
||
|
mode => '0600',
|
||
| ... | ... | |
|
}
|
||
|
|
||
|
|
||
|
if $::foreman::ipa_manage_sssd {
|
||
|
if $foreman::ipa_manage_sssd {
|
||
|
$sssd_services = join(unique(pick($facts['sssd']['services'], []) + ['ifp']), ', ')
|
||
|
$sssd_ldap_user_extra_attrs = join(unique(pick($facts['sssd']['ldap_user_extra_attrs'], []) + ['email:mail', 'lastname:sn', 'firstname:givenname']), ', ')
|
||
|
$sssd_allowed_uids = join(unique(pick($facts['sssd']['allowed_uids'], []) + ['apache', 'root']), ', ')
|
||
Also available in: Unified diff
Lint autofix + needed spec fixes