diff --git a/apparmor/lib/facter/apparmor.rb b/apparmor/lib/facter/apparmor.rb new file mode 100644 index 0000000..a32738a --- /dev/null +++ b/apparmor/lib/facter/apparmor.rb @@ -0,0 +1,20 @@ + +Facter.add("apparmor") do + setcode do + result = false + if File.exists?("/sys/module/apparmor") + begin + f = File.new("/proc/mounts") + while (line = f.gets) + if line.split()[2] == "securityfs" + if File.exists?(File.join(line.split()[1], "apparmor")) + result = true + end + end + end + rescue + end + end + result + end +end diff --git a/dns/manifests/init.pp b/dns/manifests/init.pp index ecc373d..0555f1b 100644 --- a/dns/manifests/init.pp +++ b/dns/manifests/init.pp @@ -279,6 +279,11 @@ define dns::zone($role = "master", $master = "", $slaves = [], $forwarders = [], $zone = "$2/$3" $zonefile = "$2-$3" } else { + case dirname($name) { + ".": { $view = "" } + "default": { $view = "" } + default: { $view = dirname($name) } + } $zone = basename($name) $zonefile = $zone } @@ -347,7 +352,7 @@ define dns::zone($role = "master", $master = "", $slaves = [], $forwarders = [], mode => "0750", owner => "root", group => $dns::server::group, - before => File["${dns::server::chroot}${dns::server::confdir}/${view}zone.${zonefile}"], + before => File["${dns::server::chroot}${dns::server::confdir}/${view}/zone.${zonefile}"], } } } @@ -363,14 +368,14 @@ define dns::zone($role = "master", $master = "", $slaves = [], $forwarders = [], owner => "root", group => $dns::server::group, before => $role ? { - "master" => File["${dns::server::chroot}${zonedir}db.${zonefile}"], + "master" => File["${dns::server::chroot}${zonedir}/db.${zonefile}"], default => undef, }, } } } - file { "${dns::server::chroot}${dns::server::confdir}/${view}zone.${zonefile}": + file { "${dns::server::chroot}${dns::server::confdir}/${view}/zone.${zonefile}": ensure => present, content => template("dns/zone.$role.erb"), mode => "0640", 
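Review bot: The `File.new("/proc/mounts")` handle opened in the new fact is never closed, and the bare `rescue` below it turns any read error into the default `false`, so a transient failure on /proc/mounts reports "AppArmor not mounted" to every manifest that keys off this fact without leaving a trace. `File.exists?` is also the deprecated alias (removed in Ruby 3.2); `File.exist?` is the supported name. Iterating with `File.foreach` closes the handle for you and lets the rescue be narrowed to the I/O errors it is meant to absorb.
```ruby
    if File.exist?("/sys/module/apparmor")
      begin
        File.foreach("/proc/mounts") do |line|
          fields = line.split
          next unless fields[2] == "securityfs"
          result = true if File.exist?(File.join(fields[1], "apparmor"))
        end
      rescue SystemCallError, IOError
        # keep whatever was found so far; a read failure is not "not mounted"
      end
    end
    # … unchanged: return result, close setcode and Facter.add …
```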
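Review bot: With `$view = ""` from the new `case`, the titles rewritten in the hunks at -347 and -363 (`${dns::server::confdir}/${view}/zone.${zonefile}`) contain a doubled separator for default-view zones, and the same presumably holds for `${zonedir}/db.${zonefile}` at -363 and -385 if `$zonedir` still ends in a slash (its definition is outside the hunk); the `before =>` references use the identical string so ordering resolves, but whether the file type collapses `//` in the title depends on the Puppet version, so any other resource naming that file without the doubled slash may not match. Either keep the separator inside the variable (`default: { $view = "${view_dir}/" }` with the former `${view}zone.` spelling) or only prefix it when the view is non-empty. The two identical branches can also be merged and `dirname($name)` evaluated once: `$view_dir = dirname($name)` followed by `".", "default": { $view = "" }` and `default: { $view = $view_dir }`. The enclosing define dns::zone starts and ends outside the hunk.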
@@ -385,7 +390,7 @@ define dns::zone($role = "master", $master = "", $slaves = [], $forwarders = [], if $role == "master" and $zone != "." { if $source != "AUTO" { - file { "${dns::server::chroot}${zonedir}db.${zonefile}": + file { "${dns::server::chroot}${zonedir}/db.${zonefile}": ensure => present, source => $source, mode => "0640", diff --git a/ldap/files/slapd.default b/ldap/files/slapd.default new file mode 100644 index 0000000..2416fa8 --- /dev/null +++ b/ldap/files/slapd.default 
@@ -0,0 +1,45 @@
+# Default location of the slapd.conf file or slapd.d cn=config directory. If
+# empty, use the compiled-in default (/etc/ldap/slapd.d with a fallback to
+# /etc/ldap/slapd.conf).
+SLAPD_CONF="/etc/ldap/slapd.conf"
+
+# System account to run the slapd server under. If empty the server
+# will run as root.
+SLAPD_USER="openldap"
+
+# System group to run the slapd server under. If empty the server will
+# run in the primary group of its user.
+SLAPD_GROUP="openldap"
+
+# Path to the pid file of the slapd server. If not set the init.d script
+# will try to figure it out from $SLAPD_CONF (/etc/ldap/slapd.d by
+# default)
+SLAPD_PIDFILE=
+
+# slapd normally serves ldap only on all TCP-ports 389. slapd can also
+# service requests on TCP-port 636 (ldaps) and requests via unix
+# sockets.
+# Example usage:
+# SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:/// ldapi:///"
+SLAPD_SERVICES="ldap:/// ldaps:/// ldapi:///"
+
+# If SLAPD_NO_START is set, the init script will not start or restart
+# slapd (but stop will still work). Uncomment this if you are
+# starting slapd via some other means or if you don't want slapd normally
+# started at boot.
+#SLAPD_NO_START=1
+
+# If SLAPD_SENTINEL_FILE is set to path to a file and that file exists,
+# the init script will not start or restart slapd (but stop will still
+# work). Use this for temporarily disabling startup of slapd (when doing
+# maintenance, for example, or through a configuration management system)
+# when you don't want to edit a configuration file.
+SLAPD_SENTINEL_FILE=/etc/ldap/noslapd
+
+# For Kerberos authentication (via SASL), slapd by default uses the system
+# keytab file (/etc/krb5.keytab). To use a different keytab file,
+# uncomment this line and change the path.
+#export KRB5_KTNAME=/etc/krb5.keytab
+
+# Additional options to pass to slapd
+SLAPD_OPTIONS=""
diff --git a/ldap/manifests/init.pp b/ldap/manifests/init.pp
index 814fbe0..e14c9fc 100644
--- a/ldap/manifests/init.pp
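Review bot: Two values in this file differ from the Debian-packaged defaults without a comment saying why: `SLAPD_CONF="/etc/ldap/slapd.conf"` and `SLAPD_SERVICES="ldap:/// ldaps:/// ldapi:///"`. A line such as `# slapd.conf is managed by the ldap puppet module; cn=config is not used` above SLAPD_CONF, and `# ldap:/// stays enabled for StartTLS; slapd.conf's "security simple_bind=128" refuses simple binds that are not TLS-protected` above SLAPD_SERVICES, would record the reasoning — the simple_bind line is visible as context in the slapd.conf.erb hunk, but that it is what keeps credentials off the plaintext 389 listener is my inference and should be confirmed. Since the file also binds ldaps on every interface, the comment should name which certificate and key the listener uses so the ssl-cert group grant in ldap/manifests/init.pp can be checked against it.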
+++ b/ldap/manifests/init.pp @@ -340,7 +340,7 @@ class ldap::client::ruby { # class ldap::server { - include ssl + require ssl if !$ldap_server_key { $ldap_server_key = "${puppet_ssldir}/private_keys/${homename}.pem" @@ -356,7 +356,15 @@ class ldap::server { $package_name = "slapd" $service_name = "slapd" $config = "/etc/ldap" - $modulepath = "/usr/lib/openldap" + $modulepath = "/usr/lib/ldap" + $rundir = "/var/run/slapd" + exec { "usermod-openldap": + path => "/bin:/usr/bin:/sbin:/usr/sbin", + command => "usermod -a -G ssl-cert openldap", + unless => "id -n -G openldap | grep '\\bssl-cert\\b'", + require => Package["openldap-server"], + before => Service["slapd"], + } } "fedora": { $user = "ldap" @@ -368,6 +376,7 @@ class ldap::server { "x86_64" => "/usr/lib64/openldap", default => "/usr/lib/openldap", } + $rundir = "/var/run/openldap" } "centos","redhat": { $user = "ldap" @@ -385,6 +394,7 @@ class ldap::server { "x86_64" => "/usr/lib64/openldap", default => "/usr/lib/openldap", } + $rundir = "/var/run/openldap" } "openbsd": { $user = "_openldap" @@ -393,6 +403,7 @@ class ldap::server { $service_name = "slapd" $config = "/etc/openldap" $modulepath = "" + $rundir = "/var/run/openldap" } } 
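Review bot: The `usermod-openldap` exec added in the hunk at -356 grants the slapd account membership in ssl-cert — presumably so it can read a server key that class ssl leaves group-readable — but nothing in the hunk says which key or why, and group membership extends to everything that group can read, not just that key; a comment such as `# openldap needs ssl-cert membership to read the TLS server key under /etc/ssl/private` (path inferred from the ssl hunk, confirm) would make the grant reviewable. The shell `unless` test re-parses `id -n -G` with grep, which the `user` type expresses declaratively with `membership => minimum`, adding only the one group and leaving existing memberships alone. The ssl-cert group comes from the ssl-cert package declared in class ssl, which the `require ssl` change in the hunk at -340 now orders before this class, so the same `require`/`before` edges suffice. The enclosing class ldap::server starts and ends outside the hunk.
```puppet
      user { "openldap":
        groups     => ["ssl-cert"],
        membership => minimum,
        require    => Package["openldap-server"],
        before     => Service["slapd"],
      }
```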
@@ -446,15 +457,29 @@ class ldap::server { notify => Exec["generate-slapd-database-config"], } - if $::operatingsystem in ["CentOS","RedHat"] and $operatinsystemrelease !~ /^5\./ { - file { "/etc/sysconfig/ldap": - ensure => present, - source => "puppet:///modules/ldap/ldap.sysconfig", - mode => "0644", - owner => "root", - group => "root", - notify => Service["slapd"], - require => Package["openldap-server"], + case $::operatingsystem { + "centos","redhat": { + if $::operatinsystemrelease !~ /^5\./ { + file { "/etc/sysconfig/ldap": + ensure => present, + source => "puppet:///modules/ldap/ldap.sysconfig", + mode => "0644", + owner => "root", + group => "root", + notify => Service["slapd"], + require => Package["openldap-server"], + } + } + } + "debian","ubuntu": { + file { "/etc/default/slapd": + source => "puppet:///modules/ldap/slapd.default", + mode => "0644", + owner => "root", + group => "root", + notify => Service["slapd"], + require => Package["openldap-server"], + } } } diff --git a/ldap/templates/slapd.conf.erb b/ldap/templates/slapd.conf.erb index 6f47f8e..ac54d77 100644 --- a/ldap/templates/slapd.conf.erb +++ b/ldap/templates/slapd.conf.erb @@ -19,14 +19,18 @@ security simple_bind=128 sizelimit size.soft=500 sizelimit size.hard=none -pidfile /var/run/openldap/slapd.pid -argsfile /var/run/openldap/slapd.args +pidfile <%= scope.lookupvar('ldap::server::rundir') %>/slapd.pid +argsfile <%= scope.lookupvar('ldap::server::rundir') %>/slapd.args # overlay modules to load <% if scope.lookupvar('ldap::server::modulepath') != '' -%> modulepath <%= modulepath %> moduleload ppolicy.la moduleload syncprov.la +<% if ['Ubuntu','Debian'].index(operatingsystem) -%> +moduleload back_hdb.la +moduleload back_monitor.la +<% end -%> <% if has_variable?('ldap_server_modules') -%> <% ldap_server_modules.each do |name| -%> moduleload <%= name %>.la diff --git a/ssl/manifests/init.pp b/ssl/manifests/init.pp index 53f42ed..9428d28 100644 --- a/ssl/manifests/init.pp 
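Review bot: `$::operatinsystemrelease` on the new `if` line is misspelled (the fact is `operatingsystemrelease`); the commit carried the typo over from the removed line while adding the `::` prefix, so the variable resolves to undef, `!~ /^5\./` is always true, and /etc/sysconfig/ldap is managed on 5.x hosts as well. Change the line to `if $::operatingsystemrelease !~ /^5\./ {`. The new debian/ubuntu branch also omits the `ensure => present` that the centos branch sets on its file resource; adding it keeps the two branches parallel. The enclosing class ldap::server starts and ends outside the hunk.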
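Review bot: The new `<% if ['Ubuntu','Debian'].index(operatingsystem) -%>` guard reads the fact as a bare variable while the surrounding template uses `scope.lookupvar(...)`, and uses `Array#index` where a predicate is meant; `<% if ['Ubuntu','Debian'].include?(scope.lookupvar('::operatingsystem')) -%>` states the intent and matches the file's lookup style. A short comment above the block, e.g. `# these two backends are loadable modules on Debian-family builds`, would say why the two moduleload lines are distribution-specific — that reading is inferred from the hunk, so confirm it. The enclosing `<% if ... modulepath ... %>` block closes outside the hunk.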
+++ b/ssl/manifests/init.pp @@ -12,9 +12,15 @@ class ssl { $certs = "/etc/ssl" $private = "/etc/ssl/private" } - default: { + "debian","ubuntu": { $certs = "/etc/ssl/certs" $private = "/etc/ssl/private" + package { "ssl-cert": + ensure => installed, + } + } + default: { + fail("Class ssl not supported on ${::operatingsystem}") } }
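Review bot: The new `default: { fail(...) }` turns class ssl into a hard catalog failure on any operatingsystem not matched above, and because ldap::server now does `require ssl` that failure reaches every LDAP server host on an unlisted platform; a one-line comment above the branch, e.g. `# only platforms with a known certificate layout are supported; others must be added explicitly`, would record that this is intended rather than an oversight. The enclosing case and class start outside the hunk, so whether the first branch covers the fedora/centos/redhat/openbsd platforms that ldap::server handles cannot be confirmed from here.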