139 lines
3.6 KiB
Puppet
139 lines
3.6 KiB
Puppet
# Class kerberos::server
|
|
|
|
class kerberos::server (
|
|
$realm,
|
|
$admin_server = [$::fqdn],
|
|
$kdcs = [$::fqdn],
|
|
$slave = false,
|
|
$slaves = [],
|
|
) {
|
|
|
|
include ::haveged
|
|
|
|
$packages = [
|
|
'krb5-admin-server',
|
|
'krb5-kdc',
|
|
]
|
|
package { $packages:
|
|
ensure => present,
|
|
}
|
|
|
|
file { '/etc/krb5kdc/kdc.conf':
|
|
ensure => present,
|
|
replace => true,
|
|
content => template('kerberos/kdc.conf.erb'),
|
|
require => Package['krb5-kdc'],
|
|
}
|
|
|
|
file { '/etc/krb5kdc/kpropd.acl':
|
|
ensure => present,
|
|
replace => true,
|
|
content => template('kerberos/kpropd.acl.erb'),
|
|
require => Package['krb5-kdc'],
|
|
}
|
|
|
|
file { '/etc/krb5kdc/kadm5.acl':
|
|
ensure => present,
|
|
replace => true,
|
|
source => 'puppet:///modules/kerberos/kadm5.acl',
|
|
require => Package['krb5-admin-server'],
|
|
}
|
|
|
|
file { '/var/krb5kdc':
|
|
ensure => directory,
|
|
}
|
|
|
|
file { '/usr/local/bin/run-kprop.sh':
|
|
ensure => present,
|
|
replace => true,
|
|
mode => '0755',
|
|
content => template('kerberos/run-kprop.sh.erb'),
|
|
require => Package['krb5-admin-server'],
|
|
}
|
|
|
|
if ($slave) {
|
|
$run_kadmind = false # Synonym for stopped
|
|
$run_kpropd = true
|
|
$kprop_cron = absent
|
|
} else {
|
|
$run_kadmind = true # Synonym for running
|
|
$run_kpropd = false
|
|
$kprop_cron = present
|
|
}
|
|
|
|
cron { 'kprop':
|
|
ensure => $kprop_cron,
|
|
user => 'root',
|
|
minute => '*/15',
|
|
command => '/usr/local/bin/run-kprop.sh >/dev/null 2>&1',
|
|
environment => 'PATH=/usr/bin:/bin:/usr/sbin:/sbin',
|
|
}
|
|
|
|
if ($::operatingsystem == 'Ubuntu') and ($::operatingsystemrelease >= '16.04') {
|
|
# krb5-admin-server generates this, so make sure this runs after we do
|
|
# things with krb5-admin-server
|
|
file { '/etc/default/krb5-admin-server':
|
|
ensure => present,
|
|
replace => true,
|
|
content => template('kerberos/krb5-admin-server.defaults.new.erb'),
|
|
require => Package['krb5-admin-server'],
|
|
}
|
|
|
|
file { '/etc/systemd/system/krb5-kpropd.service':
|
|
ensure => present,
|
|
replace => true,
|
|
source => 'puppet:///modules/kerberos/krb5-kpropd.service',
|
|
require => Package['krb5-admin-server'],
|
|
}
|
|
service { 'krb5-kpropd':
|
|
ensure => $run_kpropd,
|
|
enable => $run_kpropd,
|
|
require => [
|
|
File['/etc/systemd/system/krb5-kpropd.service'],
|
|
],
|
|
}
|
|
# This is a hack to make sure that systemd is aware of the new service
|
|
# before we attempt to start it.
|
|
exec { 'krb5-kpropd-systemd-daemon-reload':
|
|
command => '/bin/systemctl daemon-reload',
|
|
before => Service['krb5-kpropd'],
|
|
subscribe => File['/etc/systemd/system/krb5-kpropd.service'],
|
|
refreshonly => true,
|
|
}
|
|
} else {
|
|
# krb5-admin-server generates this, so make sure this runs after we do
|
|
# things with krb5-admin-server
|
|
file { '/etc/default/krb5-admin-server':
|
|
ensure => present,
|
|
replace => true,
|
|
content => template('kerberos/krb5-admin-server.defaults.erb'),
|
|
require => Package['krb5-admin-server'],
|
|
}
|
|
|
|
file { '/etc/init.d/krb5-kpropd':
|
|
ensure => present,
|
|
replace => true,
|
|
source => 'puppet:///modules/kerberos/krb5-kpropd',
|
|
require => Package['krb5-admin-server'],
|
|
}
|
|
|
|
service { 'krb5-kpropd':
|
|
ensure => $run_kpropd,
|
|
enable => $run_kpropd,
|
|
require => [
|
|
File['/etc/init.d/krb5-kpropd'],
|
|
],
|
|
}
|
|
}
|
|
|
|
service { 'krb5-admin-server':
|
|
ensure => $run_kadmind,
|
|
enable => $run_kadmind,
|
|
subscribe => File['/etc/krb5kdc/kadm5.acl'],
|
|
require => [
|
|
File['/etc/krb5kdc/kadm5.acl'],
|
|
Package['krb5-admin-server'],
|
|
],
|
|
}
|
|
}
|