tmakinen/puppet
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge branch 'master' of bitbucket.org:tmakinen/puppet

Browse source
This commit is contained in:
Ossi Salmi 2013-10-03 17:13:13 +03:00
commit f92b06922f
9 changed files with 280 additions and 166 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

88
cups/files/cupsd.conf
View file

@ -1,88 +0,0 @@
#
# "$Id: cupsd.conf.in 7199 2008-01-08 00:16:30Z mike $"
#
# Sample configuration file for the Common UNIX Printing System (CUPS)
# scheduler. See "man cupsd.conf" for a complete description of this
# file.
#
MaxLogSize 2000000000
# Log general information in error_log - change "info" to "debug" for
# troubleshooting...
LogLevel info
# Administrator user group...
SystemGroup sys root sysadm
# Disable preserving jobs
PreserveJobFiles Off
PreserveJobHistory Off
# Only listen for connections from the local machine.
Listen *:631
Listen /var/run/cups/cups.sock
# Show shared printers on the local network.
Browsing On
BrowseOrder allow,deny
# (Change '@LOCAL' to 'ALL' if using directed broadcasts from another subnet.)
BrowseAllow @LOCAL
# Default authentication type, when authentication is required...
DefaultAuthType Basic
# Restrict access to the server...
<Location />
Order allow,deny
Allow @LOCAL
</Location>
# Restrict access to the admin pages...
<Location /admin>
Encryption Required
Order allow,deny
</Location>
# Restrict access to configuration files...
<Location /admin/conf>
AuthType Default
Require user @SYSTEM
Order allow,deny
</Location>
# Set the default printer/job policies...
<Policy default>
# Job-related operations must be done by the owner or an administrator...
<Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job CUPS-Move-Job>
Require user @OWNER @SYSTEM
Order deny,allow
</Limit>
# All administration operations require an administrator to authenticate...
<Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
AuthType Default
Require user @SYSTEM
Order deny,allow
</Limit>
# All printer operations require a printer operator to authenticate...
<Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After CUPS-Accept-Jobs CUPS-Reject-Jobs>
AuthType Default
Require user @SYSTEM
Order deny,allow
</Limit>
# Only the owner or an administrator can cancel or authenticate a job...
<Limit Cancel-Job CUPS-Authenticate-Job>
Require user @OWNER @SYSTEM
Order deny,allow
</Limit>
<Limit All>
Order deny,allow
</Limit>
</Policy>
#
# End of "$Id: cupsd.conf.in 7199 2008-01-08 00:16:30Z mike $".
#

48
cups/manifests/init.pp
View file

@ -55,20 +55,56 @@ class cups::client {
# Install cups server
#
class cups::server inherits cups::client {
# === Parameters:
#
# $admin_group:
# Group name which is allowed to modify printers.
#
# $manager_group:
# Group name which is allowed to remove jobs from print
# queues.
#
# $ssl_cert:
# Path to SSL certificate. Defaults to auto generated
# certificate.
#
# $ssl_key:
# Path to SSL key. Defaults to auto generated key.
#
class cups::server($admin_group=undef, $manager_group=undef,
$ssl_cert=undef, $ssl_key=undef) inherits cups::client {
require ssl
package { [ "ghostscript", "system-config-printer" ]:
ensure => installed,
}
if $ssl_key and $ssl_cert {
file { "${ssl::private}/cups.key":
ensure => present,
source => $ssl_key,
mode => "0600",
owner => "root",
group => "root",
notify => Service["cups"],
}
file { "${ssl::certs}/cups.crt":
ensure => present,
source => $ssl_cert,
mode => "0644",
owner => "root",
group => "root",
notify => Service["cups"],
}
}
file { "/etc/cups/cupsd.conf":
ensure => present,
source => [ "puppet:///files/cups/cupsd.conf.${::homename}",
"puppet:///files/cups/cupsd.conf",
"puppet:///modules/cups/cupsd.conf", ],
content => template("cups/cupsd.conf.erb"),
mode => "0640",
owner => root,
group => lp,
owner => "root",
group => "lp",
require => Package["cups"],
notify => Service["cups"],
}

135
cups/templates/cupsd.conf.erb Normal file
View file

@ -0,0 +1,135 @@
MaxLogSize 0
#
# "$Id: cupsd.conf.in 8805 2009-08-31 16:34:06Z mike $"
#
# Sample configuration file for the CUPS scheduler. See "man cupsd.conf" for a
# complete description of this file.
#
<% if @ssl_cert and @ssl_key -%>
# SSL support
ServerCertificate <%= scope.lookupvar('ssl::certs') %>/cups.crt
ServerKey <%= scope.lookupvar('ssl::private') %>/cups.key
<% end -%>
# Do not preserve history
PreserveJobFiles Off
PreserveJobHistory Off
# Log general information in error_log - change "warn" to "debug"
# for troubleshooting...
LogLevel info
AccessLog syslog
ErrorLog syslog
# Administrator user group...
SystemGroup sys root <% if @admin_group %><%= @admin_group %><% end %>
# Listen all interfaces for connections.
ServerAlias *
Listen *:631
Listen /var/run/cups/cups.sock
# Show shared printers on the local network.
Browsing On
BrowseOrder allow,deny
BrowseAllow @LOCAL
BrowseLocalProtocols CUPS dnssd
# Default authentication type, when authentication is required...
DefaultAuthType Basic
# Restrict access to the server...
<Location />
Order allow,deny
Allow from @LOCAL
</Location>
# Restrict access to the admin pages...
<Location /admin>
Order allow,deny
</Location>
# Restrict access to configuration files...
<Location /admin/conf>
AuthType Default
Require user @SYSTEM
Order allow,deny
</Location>
# Set the default printer/job policies...
<Policy default>
# Job-related operations must be done by the owner or an administrator...
<Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job CUPS-Move-Job CUPS-Get-Document>
Require user @OWNER @SYSTEM
Order deny,allow
</Limit>
# All administration operations require an administrator to authenticate...
<Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default CUPS-Get-Devices>
AuthType Default
Require user @SYSTEM
Order deny,allow
</Limit>
# All printer operations require a printer operator to authenticate...
<Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After CUPS-Accept-Jobs CUPS-Reject-Jobs>
AuthType Default
Require user @SYSTEM
Order deny,allow
</Limit>
# Only the owner or an administrator can cancel or authenticate a job...
<Limit Cancel-Job CUPS-Authenticate-Job>
Require user @OWNER @SYSTEM <% if @manager_group %>@<%= @manager_group %><% end %>
Order deny,allow
</Limit>
<Limit All>
Order deny,allow
</Limit>
</Policy>
# Set the authenticated printer/job policies...
<Policy authenticated>
# Job-related operations must be done by the owner or an administrator...
<Limit Create-Job Print-Job Print-URI>
AuthType Default
Order deny,allow
</Limit>
<Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job CUPS-Move-Job CUPS-Get-Document>
AuthType Default
Require user @OWNER @SYSTEM
Order deny,allow
</Limit>
# All administration operations require an administrator to authenticate...
<Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
AuthType Default
Require user @SYSTEM
Order deny,allow
</Limit>
# All printer operations require a printer operator to authenticate...
<Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After CUPS-Accept-Jobs CUPS-Reject-Jobs>
AuthType Default
Require user @SYSTEM
Order deny,allow
</Limit>
# Only the owner or an administrator can cancel or authenticate a job...
<Limit Cancel-Job CUPS-Authenticate-Job>
AuthType Default
Require user @OWNER @SYSTEM <% if @manager_group %>@<%= @manager_group %><% end %>
Order deny,allow
</Limit>
<Limit All>
Order deny,allow
</Limit>
</Policy>
#
# End of "$Id: cupsd.conf.in 8805 2009-08-31 16:34:06Z mike $".
#

66
kerberos/lib/puppet/parser/functions/keytab_generate.rb Normal file
View file

@ -0,0 +1,66 @@
require 'base64'
require 'expect'
require 'tempfile'
module Puppet::Parser::Functions
newfunction(:keytab_generate) do |args|
name = args[0]
principals = args[1]
# get output file name
outfile = File.join('/srv/puppet/files/generated',
lookupvar('homename'), Base64.encode64(name)).strip
begin
Dir.mkdir(File.dirname(outfile))
rescue
nil
end
# check if we have cached keytab up to date
cached = true
if File.exists?(outfile)
if not check_keytab(outfile, principals)
cached = false
File.unlink(outfile)
end
else
cached = false
end
# create new keytab if cache is not up to date
if not cached
cmd = sprintf('kadmin -p %s -k -t /etc/puppet/puppet.keytab -q "ktadd -k %s %s" 1>&2',
lookupvar('kerberos_user'), outfile, principals.join(' '))
output = ''
IO.popen(cmd, mode='r') { |f|
output = f.read
}
if not File.exists?(outfile)
raise 'Failed to create keytab ' + name + ' error was: ' + output
elsif not check_keytab(outfile, principals)
raise 'Invalid keytab ' + name + ' created'
end
end
end
end
# function to check if keytab contains required principals
def check_keytab(keytab, principals)
entries = []
IO.popen(sprintf('klist -k %s', keytab), mode='r') { |f|
f.readlines.each do |l|
next unless l =~ /[ ]+\d+ .*/
entries << l.split()[1]
end
}
principals.each do |p|
if not entries.include?(p)
return false
end
end
return true
end

8
kerberos/manifests/init.pp
View file

@ -244,7 +244,8 @@ class kerberos::server::ldap inherits kerberos::server {
# principals => [ "host/testhost.foo.sh@FOO.SH" ],
# }
#
define kerberos::keytab($principals = [], $ensure = present, $owner = "root", $group = "", $mode = "0600") {
define kerberos::keytab($principals=[], $ensure=present, $owner="root",
$group="", $mode="0600") {
case $group {
"": {
@ -258,9 +259,12 @@ define kerberos::keytab($principals = [], $ensure = present, $owner = "root", $g
}
}
keytab_generate($name, $principals)
$source = base64($name)
file { $name:
ensure => $ensure,
content => template("kerberos/keytab.erb"),
source => "puppet:///generated/${source}",
mode => $mode,
owner => $owner,
group => $real_group,

62
kerberos/templates/keytab.erb
View file

@ -1,62 +0,0 @@
<%
require 'digest/md5'
require 'expect'
require 'tempfile'
config = {}
config['cachedir'] = '/var/cache/puppet'
config['kadmin'] = '/usr/bin/kadmin'
config['klist'] = '/usr/bin/klist'
# set global vars
cachefile = File.join(config['cachedir'],
homename + '.' + Digest::MD5.hexdigest(name))
# function to check if keytab contains required principals
def check_keytab(config, keytab, principals)
entries = []
IO.popen(sprintf('%s -k %s', config['klist'], keytab), mode='r') { |f|
f.readlines.each do |l|
next unless l =~ /[ ]+\d+ .*/
entries << l.split()[1]
end
}
principals.each do |p|
if not entries.include?(p)
return false
end
end
return true
end
# check if we have cached keytab up to date
cached = true
if File.exists?(cachefile)
if not check_keytab(config, cachefile, principals)
cached = false
File.unlink(cachefile)
end
else
cached = false
end
# create new keytab if cache is not up to date
if not cached
cmd = sprintf('%s -p %s -k -t /etc/puppet/puppet.keytab -q "ktadd -k %s %s"',
config['kadmin'], kerberos_user, cachefile, principals.join(' '))
output = `#{cmd} 2>&1`
if not File.exists?(cachefile)
raise 'Failed to create keytab ' + name + ' error was: ' + output
elsif not check_keytab(config, cachefile, principals)
raise 'Invalid keytab ' + name + ' created'
end
end
# read keytab into memory
data = File.open(cachefile).read
-%><%= data -%>

4
puppet/files/fileserver.conf
View file

@ -5,3 +5,7 @@
[private]
path /srv/puppet/files/private/%H
allow *
[generated]
path /srv/puppet/files/generated/%H
allow *

25
puppet/manifests/init.pp
View file

@ -111,6 +111,20 @@ class puppet::client {
notify => Service["puppet"],
}
}
"fedora": {
service { "puppet":
name => $::operatingsystemrelease ? {
/^1[0-8]/ => "puppet",
default => "puppetagent",
},
enable => true,
restart => $::puppetversion ? {
/^[0-2]\./ => "pkill -HUP puppetd",
default => "pkill -HUP -f '/usr/bin/puppet agent'",
},
subscribe => File["/etc/puppet/puppet.conf"],
}
}
default: {
service { "puppet":
ensure => running,
@ -338,10 +352,14 @@ class puppet::server::common inherits puppet::client {
seltype => "usr_t",
require => File[$puppet_datadir],
}
selinux::manage_fcontext { "/srv/puppet(/.*)?":
selinux::manage_fcontext { "/srv/puppet":
type => "usr_t",
before => File["/srv/puppet"],
}
selinux::manage_fcontext { "/srv/puppet/.*":
type => $seltype,
before => File["/srv/puppet"],
}
} else {
file { "/srv/puppet":
ensure => directory,
@ -361,13 +379,14 @@ class puppet::server::common inherits puppet::client {
}
file { [ "/srv/puppet/bucket",
"/srv/puppet/reports", ]:
"/srv/puppet/reports",
"/srv/puppet/files/generated", ]:
ensure => directory,
mode => "0750",
owner => $user,
group => $group,
seltype => $seltype,
require => File["/srv/puppet"],
require => [ File["/srv/puppet"], File["/srv/puppet/files"], ],
}
file { [ "/srv/puppet/files",
"/srv/puppet/files/common",

2
util/lib/puppet/parser/functions/base64.rb
View file

@ -3,6 +3,6 @@ require 'base64'
module Puppet::Parser::Functions
newfunction(:base64, :type => :rvalue) do |args|
Base64.encode64(args[0])
Base64.encode64(args[0]).strip
end
end