diff --git a/.github/workflows/yamllint.yml b/.github/workflows/yamllint.yml new file mode 100644 index 0000000..c181977 --- /dev/null +++ b/.github/workflows/yamllint.yml @@ -0,0 +1,12 @@ +--- +name: "yamllint" +on: + - "push" + - "pull_request" +jobs: + lintAllTheThings: + runs-on: "ubuntu-latest" + steps: + - uses: "actions/checkout@v1" + - name: "yaml-lint" + uses: "ibiqlik/action-yamllint@v3" diff --git a/Puppetfile b/Puppetfile index 6a4b2a0..91b9b08 100644 --- a/Puppetfile +++ b/Puppetfile 
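Review bot: Both third-party actions in the new workflow are referenced by mutable tags, `actions/checkout@v1` and `ibiqlik/action-yamllint@v3`, so what runs in this job is whatever those tags point at on a given day; pinning each `uses:` to a full commit SHA (with the tag kept in a trailing comment) is the usual way to make that reproducible and tamper-evident. `actions/checkout@v1` is also well behind current releases and worth updating at the same time. The workflow sets no `permissions:` block, so the default `GITHUB_TOKEN` scope applies; a lint job needs only `permissions:` / `  contents: read`. The file's YAML indentation is not recoverable from this rendering, so nesting is inferred.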
@@ -1,41 +1,46 @@
 forge 'https://forge.puppet.com'
 # mod 'aboe/chrony', '0.3.2'
-# mod 'bodgit-bodgitlib', '2.0.1'
+mod 'bodgit-bodgitlib', '2.0.1'
 # mod 'bodgit-dbus', '2.0.1'
-# mod 'herculesteam/augeasproviders', '2.4.1'
-# mod 'herculesteam/augeasproviders_base', '2.1.0'
-# mod 'herculesteam/augeasproviders_core', '2.6.0'
-# mod 'herculesteam/augeasproviders_pam', '2.2.1'
-# mod 'herculesteam/augeasproviders_ssh', commit: 'e4eee3726d0472cba1d2d66a2d09031f1d100914', git: 'https://github.com/hercules-team/augeasproviders_ssh'
-# mod 'inkblot/ipcalc', '2.2.0'
-# mod 'ncsa/pam_access', tag: 'v1.0.3', git: 'https://github.com/ncsa/puppet-pam_access'
+mod 'herculesteam-augeasproviders', '2.4.1'
+mod 'herculesteam/augeasproviders_base', '2.1.0'
+mod 'herculesteam/augeasproviders_core', '2.6.0'
+mod 'herculesteam/augeasproviders_pam', '2.2.1'
+mod 'herculesteam/augeasproviders_ssh', commit: 'e4eee3726d0472cba1d2d66a2d09031f1d100914', git: 'https://github.com/hercules-team/augeasproviders_ssh'
+mod 'inkblot/ipcalc', '2.2.0'
+# mod 'MiamiOH-pam_access', '1.0.2'
+mod 'ncsa/pam_access', tag: 'v1.0.3', git: 'https://github.com/ncsa/puppet-pam_access'
 mod 'ncsa/profile_additional_packages', tag: 'v0.1.0', git: 'https://github.com/ncsa/puppet-profile_additional_packages'
 mod 'ncsa/profile_additional_yumrepos', tag: 'v0.1.0', git: 'https://github.com/ncsa/puppet-profile_additional_yumrepos'
+mod 'ncsa/profile_allow_ssh_from_bastion', tag: 'v0.2.0', git: 'https://github.com/ncsa/puppet-profile_allow_ssh_from_bastion'
 # mod 'ncsa/profile_chrony', tag: 'v0.1.0', git: 'https://github.com/ncsa/puppet-profile_chrony'
 # mod 'ncsa/profile_email', tag: 'v0.1.0', git: 'https://github.com/ncsa/puppet-profile_email'
 # mod 'ncsa/profile_firewall', tag: 'v1.0.1', git: 'https://github.com/ncsa/puppet-profile_firewall'
-# mod 'ncsa/profile_pam_access', branch: 'include_pam_access', git: 'https://github.com/ncsa/puppet-profile_pam_access'
+mod 'ncsa/profile_pam_access', tag: 'v0.0.4', git: 'https://github.com/ncsa/puppet-profile_pam_access'
 # mod 'ncsa/profile_puppet_master', tag: 'v0.1.0', git: 'https://github.com/ncsa/puppet-profile_puppet_master'
 # mod 'ncsa/profile_sudo', tag: 'v0.1.0', git: 'https://github.com/ncsa/profile_sudo'
 # mod 'ncsa/profile_timezone', tag: 'v0.1.0', git: 'https://github.com/ncsa/puppet-profile_timezone'
-# mod 'ncsa/sshd', tag: 'v0.2.0', git: 'https://github.com/ncsa/puppet-sshd'
-# mod 'ncsa/sssd', tag: 'v3.0.0', git: 'https://github.com/ncsa/puppet-sssd'
+mod 'ncsa/sshd', tag: 'v0.3.0', git: 'https://github.com/ncsa/puppet-sshd'
+mod 'ncsa/sssd', tag: 'v3.0.0', git: 'https://github.com/ncsa/puppet-sssd'
 # mod 'ncsa/telegraf', tag: 'v3.1.1', git: 'https://github.com/ncsa/puppet-telegraf.git'
 # mod 'puppet/epel', '3.0.1'
 # mod 'puppet/python', '4.1.1'
 # mod 'puppet/rsyslog', '5.0.1'
 # mod 'puppetlabs/apt', '7.3.0'
-# mod 'puppetlabs/concat', '6.2.0'
-# mod 'puppetlabs/firewall', '2.5.0'
+mod 'puppetlabs/concat', '6.4.0'
+mod 'puppetlabs/firewall', '2.5.0'
+#mod 'puppetlabs-firewall', '2.8.0'
 # mod 'puppetlabs/inifile', '4.1.0'
 # mod 'puppetlabs/mailalias_core', '1.0.6'
 mod 'puppetlabs/stdlib', '6.3.0'
 # mod 'puppetlabs/translate', '2.1.0'
 # mod 'puppetlabs/xinetd', '3.3.0'
-# mod 'richardc-datacat', '0.6.2'
+mod 'richardc-datacat', '0.6.2'
 # mod 'saz/limits', '3.0.4'
 # mod 'saz/sudo', '6.0.0'
 # mod 'saz/timezone', '6.0.0'
-# mod 'sharumpe/tcpwrappers', '1.0.4'
-# mod 'thrnio-ip', '1.0.1'
-# mod 'woodsbw/augeasfacter', commit: '9aea81311d277ed7ff1e8f2d4f79d13cd25f6ded', git: 'https://github.com/woodsbw/augeasfacter'
+# mod 'sharumpe-tcpwrappers', '1.0.4'
+#mod 'sharumpe-tcpwrappers', tag: '1.0.7', git: 'https://github.com/sharumpe/puppet-tcpwrappers.git'
+#mod 'ffquintella-tcpwrappers', tag: '1.0.7', git: 'https://github.com/ffquintella/puppet-tcpwrappers.git'
+mod 'thrnio-ip', '1.0.1'
+mod 'woodsbw/augeasfacter', commit: '9aea81311d277ed7ff1e8f2d4f79d13cd25f6ded', git: 'https://github.com/woodsbw/augeasfacter'
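Review bot: Most of the newly enabled git-sourced modules are pinned with `tag:` (for example `mod 'ncsa/sshd', tag: 'v0.3.0', …` and `mod 'ncsa/profile_pam_access', tag: 'v0.0.4', …`), and a git tag can be moved or re-created upstream, so the code r10k deploys is not fixed the way the `commit:` pins on augeasproviders_ssh and augeasfacter are; where reproducibility of the control repo matters, record the commit instead of, or alongside, the tag. The module-name separator is also mixed: `herculesteam-augeasproviders` uses a hyphen while its siblings use `herculesteam/augeasproviders_*`; both resolve, but one form per file is easier to grep and review. The commented `#mod 'puppetlabs-firewall', '2.8.0'`, `#mod 'sharumpe-tcpwrappers', …` and `#mod 'ffquintella-tcpwrappers', …` lines lack the space after `#` that every other comment in the file uses.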
diff --git a/README.md b/README.md index 01940ae..86a48cb 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,7 @@ # A Puppet Control Repository +![yamllint](https://github.com/ncsa/control-repo/workflows/yamllint/badge.svg) + * [What You Get From This control\-repo](#what-you-get-from-this-control-repo) * [Copy This Repo Into Your Own Git Server](#copy-this-repo-into-your-own-git-server) * [GitLab](#gitlab) diff --git a/data/common.yaml b/data/common.yaml index 2baa62b..4c053c6 100644 --- a/data/common.yaml +++ b/data/common.yaml 
@@ -1,2 +1,269 @@ --- message: "This node is using common data" + +profile::sssd::enablemkhomedir: true + +profile_allow_ssh_from_bastion::bastion_nodelist: + - "141.142.148.5" + - "141.142.236.22" + - "141.142.236.23" + - "141.142.148.24" +profile_allow_ssh_from_bastion::groups: + - org_asd + - org_irst + +sssd::debug_level: 0 +sssd::domains: + ncsa.illinois.edu: + access_provider: "simple" + auth_provider: "krb5" + cache_credentials: false + chpass_provider: "krb5" + debug_level: 0 + enumerate: false + id_provider: "ldap" + krb5_auth_timeout: 3 + krb5_lifetime: "25h" + krb5_realm: "NCSA.EDU" + krb5_renew_interval: 3600 + krb5_renewable_lifetime: "7d" + krb5_use_kdcinfo: false + krb5_validate: true + ldap_backup_uri: + - ldaps://ldap.ncsa.illinois.edu + #- ldaps://ldap3.ncsa.illinois.edu + #- ldaps://ldap4.ncsa.illinois.edu + ldap_group_member: "uniqueMember" + ldap_group_search_base: "dc=ncsa,dc=illinois,dc=edu" + ldap_schema: "rfc2307bis" + ldap_search_base: "dc=ncsa,dc=illinois,dc=edu" + #ldap_tls_cacert: "/etc/pki/ca-trust/source/anchors/incommon-ca.pem" + # Above not present on CentOS; below one is + ldap_tls_cacert: "/etc/pki/tls/certs/ca-bundle.crt" + ldap_tls_reqcert: "demand" + ldap_uri: + - ldaps://ldap1.ncsa.illinois.edu + - ldaps://ldap2.ncsa.illinois.edu + ldap_user_search_base: "dc=ncsa,dc=illinois,dc=edu" + # LEAVE simple_allow_groups BLANK - ncsa/sshd MODULE DYNAMICALLY ADDS GROUPS + #simple_allow_groups: + simple_deny_groups: + - all_disabled_usr +sssd::services: + nss: + override_homedir: "/home/%u" + shell_fallback: "/bin/bash" + allowed_shells: + - /usr/ncsa/bin/tcsh + - /usr/ncsa/bin/bash + - /usr/ncsa/bin/zsh + - /bin/csh + - /bin/tcsh + - /bin/zsh + vetoed_shells: + - /usr/ncsa/bin/tcsh + - /usr/ncsa/bin/bash + - /usr/ncsa/bin/zsh + - /bin/csh + filter_groups: + - adm + - apache + - asmadmin + - asmdba + - asmoper + - audio + - avahi + - avahi-autoipd + - backupdba + - bin + - cdrom + - cgred + - chronograf + - chrony + - condor + - 
conserver + - daemon + - dba + - dbus + - dgdba + - dhcpd + - dialout + - dip + - disk + - docker + - elasticsearch + - floppy + - ftp + - games + - geoclue + - git + - gitlab-prometheus + - gitlab-psql + - gitlab-redis + - gitlab-www + - grafana + - graylog + - graylog-web + - hsqldb + - influxdb + - input + - kmdba + - kmem + - ldap + - levelone + - lock + - lp + - mail + - man + - mem + - mongod + - munge + - myproxy + - myproxyoauth + - mysql + - nagios + - named + - nfsnobody + - nobody + - nrpe + - nscd + - ntp + - oinstall + - oper + - oprofile + - pdagent + - polkitd + - postdrop + - postfix + - postgres + - puppet + - puppetdb + - qserv + - qualys + - rabbitmq + - racdba + - redis + - root + - rpc + - rpcuser + - saslauth + - screen + - sfcb + - simpleca + - slocate + - slurm + - sshd + - ssh_keys + - sssd + - stapdev + - stapsys + - stapusr + - suiadmin + - SupportAssistAdmins + - SupportAssistUsers + - sys + - systemd-bus-proxy + - systemd-journal + - systemd-network + - tape + - tcpdump + - telegraf + - tss + - tty + - unbound + - users + - utempter + - utmp + - video + - wheel + filter_users: + - activemq + - adm + - apache + - avahi + - avahi-autoipd + - bin + - chronograf + - chrony + - condor + - daemon + - dbus + - docker + - elasticsearch + - ftp + - games + - geoclue + - grafana + - graylog + - graylog-web + - grid + - halt + - hsqldb + - influxdb + - ldap + - lp + - mail + - mongod + - munge + - myproxy + - myproxyoauth + - mysql + - nagios + - nfsnobody + - nobody + - nrpe + - nscd + - nslcd + - ntp + - operator + - oprofile + - oracle + - pdagent + - polkitd + - postfix + - rabbitmq + - redis + - rsbackup + - qserv + - qualys + - root + - rpc + - rpcuser + - saslauth + - shutdown + - simpleca + - slurm + - sshd + - sssd + - suiadmin + - sync + - systemd-bus-proxy + - systemd-network + - tcpdump + - telegraf + - tomcat + - tss + - unbound + - wireshark + # NCSA LDAP users w/ uid below 1000: + - acraig + - bw + - cbushell + - ceperley + - cox + 
- ferguson + - johns + - lex + - norman + - proth + - radha + - redman + - rkufrin + - scott + - scoyle + - straka + - svinson + - u10956 + - welge + - wicker + pam: {} diff --git a/site-modules/profile/data/os/RedHat.yaml b/site-modules/profile/data/os/RedHat.yaml new file mode 100644 index 0000000..aa60ba1 --- /dev/null +++ b/site-modules/profile/data/os/RedHat.yaml @@ -0,0 +1,3 @@ +--- +profile::sssd::authconfig_pkgs: + - authconfig diff --git a/site-modules/profile/manifests/base.pp b/site-modules/profile/manifests/base.pp index 8ef071f..a965c41 100644 --- a/site-modules/profile/manifests/base.pp +++ b/site-modules/profile/manifests/base.pp @@ -3,11 +3,12 @@ class profile::base { include ::profile_additional_packages include ::profile_additional_yumrepos + include ::profile_allow_ssh_from_bastion # include ::profile_email -# include ::profile_pam_access + include ::profile_pam_access # include ::profile_sudo # include ::profile_timezone -# include ::sshd -# include ::tcpwrappers + include ::profile::sssd + include ::sshd } diff --git a/site-modules/profile/manifests/sssd.pp b/site-modules/profile/manifests/sssd.pp new file mode 100644 index 0000000..f3e0b4b --- /dev/null +++ b/site-modules/profile/manifests/sssd.pp 
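Review bot: `ldap_tls_cacert: "/etc/pki/tls/certs/ca-bundle.crt"` together with `ldap_tls_reqcert: "demand"` accepts an LDAP server certificate issued by any CA in the system bundle, which is weaker than the single InCommon anchor the commented `#ldap_tls_cacert: "/etc/pki/ca-trust/source/anchors/incommon-ca.pem"` line intended; the adjacent comment says that file is absent on CentOS, and the `profile::sssd` manifest added in this commit carries a commented-out `file` resource for installing exactly such a CA file, so shipping the anchor and pointing `ldap_tls_cacert` at it would pin trust to the issuing CA. Separately, the comment lines `#- ldaps://ldap3.ncsa.illinois.edu`, `#- ldaps://ldap4.ncsa.illinois.edu`, `#ldap_tls_cacert: …` and `#simple_allow_groups:` have no space after `#`, which the yamllint workflow this same commit introduces reports under its default `comments` rule; `# - ldaps://ldap3.ncsa.illinois.edu` is the expected form. The hunk's indentation is not recoverable from this rendering, so the nesting of these keys is inferred from their names.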
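Review bot: `include ::profile::sssd` in `profile::base` requires a value for `profile::sssd::authconfig_pkgs`, but in this commit that key is set only in `site-modules/profile/data/os/RedHat.yaml` and the class declares `Array[String] $authconfig_pkgs` with no default, so compiling `profile::base` for a node in any other OS family would fail with a missing-parameter error (inferred from the other hunks on this page). Either give the parameter a default in `profile::sssd`, e.g. `Array[String] $authconfig_pkgs = [],` with `ensure_packages` tolerating the empty list, or add a `profile::sssd::authconfig_pkgs` fallback in `data/common.yaml`. The class header `class profile::base {` sits before this hunk.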
@@ -0,0 +1,54 @@ +# Configure SSSD for use with LDAP and Kerberos +# +# @summary Configure SSSD for use with LDAP and Kerberos +# Requires ncsa/sssd and bodgit/sssd as dependancy. +# +# @example +# include profile::sssd +class profile::sssd ( + # PARAMETERS: general + Boolean $enablemkhomedir, + Array[String] $authconfig_pkgs, + #String $cacert-content, + #String $cacert-file-path, + +) { + + # INSTALL INCOMMON ROOT CA + # TODO - make this a paramter, then use a hiera interpolation lookup in hiera + #file { ${cacert-file-path} : + # content => "${cacert-content}", + # mode => '0444', + # before => Service['sssd'], + #} + + include ::sssd + + # ENABLE MKHOMEDIR (create homedir on first login) + ensure_packages( $authconfig_pkgs ) + # create appropriate args + if $enablemkhomedir { + $authconfig_args = ['--enablemkhomedir', '--enablesssd', '--enablesssdauth'] + } + else { + $authconfig_args = ['--disablemkhomedir', '--enablesssd', '--enablesssdauth'] + } + $authconfig_args_f = join($authconfig_args, ' ') + # run authconfig + exec { 'enablesssdauth': + path => '/bin/:/sbin/:/usr/bin/:/usr/sbin/', + onlyif => 'test `grep -i "SSSD" /etc/sysconfig/authconfig | grep "=yes" | wc -l` -lt 2', + command => "authconfig ${authconfig_args_f} --updateall", # should we just be using '--update'? + } + + # ENSURE SSSD SERVICE IS RESTARTED IF/WHEN ANY KRB5 CFG FILES CHANGE +# $krb_cfgfile_data = lookup( 'system_authnz::kerberos::cfg_file_settings', +# Hash, +# 'hash' ) +# # setup a "notify" relationship from filename to service +# $krb_cfgfile_data.each() | $filename, $junk | { +# File[ $filename ] ~> Class[ '::sssd::service' ] +# } + +} +
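Review bot: The `onlyif` on `exec { 'enablesssdauth': … }` only counts `SSSD` lines set to `=yes` in `/etc/sysconfig/authconfig`, so once sssd auth has been enabled the resource never runs again and a later change of `$enablemkhomedir` (which flips the arguments between `--enablemkhomedir` and `--disablemkhomedir`) is silently never applied; the guard should also test the mkhomedir setting authconfig records in that file (presumably the `USEMKHOMEDIR` line, worth confirming against a configured host), or the two concerns should be split into separate execs with their own checks. The inline question `# should we just be using '--update'?` is better resolved before merge than shipped as a comment. In the header, `dependancy` should read `dependency` and `paramter` should read `parameter`. The indentation of this hunk is not recoverable from the rendering, so block structure is inferred from the braces.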