Puppet-Manifest mit Kerberos-Auth
```puppet
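# profiles::puppetboard — install puppetboard and publish it through an
# Apache TLS vhost that authenticates users with Kerberos (mod_auth_kerb)
# and authorises them against the PAM service "http" (mod_authnz_pam / SSSD).
#
# Hiera keys read:
#   profiles::puppetboard::krb_auth_realm  Kerberos realm accepted by the vhost
#   profiles::puppetboard::krb_5keytab     path of the HTTP service keytab
#   profiles::puppetboard::servername      ServerName of the SSL vhost
class profiles::puppetboard {
  $krb_auth_realm = lookup('profiles::puppetboard::krb_auth_realm', String)
  $krb_5keytab    = lookup('profiles::puppetboard::krb_5keytab', String)
  $servername     = lookup('profiles::puppetboard::servername', String, 'first')

  # All filesystem paths below derive from these two roots, so a relocation
  # of either only needs one edit.
  $ssl_dir         = '/etc/apache2/ssl'
  $puppetboard_dir = '/srv/puppetboard/puppetboard'
  # ipa::sslcert is expected to produce "${cert}.crt" and "${cert}.key";
  # the vhost below reads exactly those two files.
  $cert            = "${ssl_dir}/${facts['fqdn']}"

  class { '::puppetboard':
    manage_git        => false,
    manage_virtualenv => false,
  }

  # Apache is built up from nothing: no default modules or vhosts, and any
  # configuration not managed here is purged.
  class { 'apache':
    default_mods      => false,
    default_vhost     => false,
    default_ssl_vhost => false,
    mpm_module        => 'worker',
    purge_configs     => true,
  }
  class { 'apache::mod::wsgi': }
  class { 'apache::mod::auth_kerb': }
  class { 'apache::mod::authnz_pam': }

  # Root-only directory for the private key and certificate.
  file { 'apachessl':
    ensure => 'directory',
    owner  => 'root',
    group  => 'root',
    mode   => '0700',
    path   => $ssl_dir,
  }

  # The directory has to exist before the certificate is written into it;
  # a defined type is not guaranteed to autorequire its target directory,
  # so the relationship is made explicit.
  ipa::sslcert { 'puppetboard':
    fname   => $cert,
    domain  => $facts['fqdn'],
    service => 'http',
    require => File['apachessl'],
  }

  # PAM service consulted by the vhost's "Require pam-account http": the
  # account check is delegated to SSSD.
  file { 'pam_sssd_http':
    ensure  => present,
    path    => '/etc/pam.d/http',
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    content => @(END),
      auth required pam_sss.so
      account required pam_sss.so
      | END
  }

  apache::vhost { "ssl_${servername}":
    ensure                      => present,
    auth_kerb                   => true,
    access_log                  => true,
    aliases                     => [{
      alias => '/static',
      path  => "${puppetboard_dir}/puppetboard/static",
    }],
    default_vhost               => true,
    directories                 => [{
      path         => $puppetboard_dir,
      auth_name    => 'Kerberos Login',
      auth_type    => 'Kerberos',
      auth_require => 'pam-account http',
    }],
    docroot                     => '/var/www/html',
    krb_auth_realms             => [$krb_auth_realm],
    krb_5keytab                 => $krb_5keytab,
    # Drops the realm from the authenticated principal so the remaining
    # user name is what the PAM "http" service sees.
    krb_local_user_mapping      => 'on',
    krb_method_negotiate        => 'on',
    krb_servicename             => 'http',
    port                        => '443',
    servername                  => $servername,
    ssl                         => true,
    ssl_cert                    => "${cert}.crt",
    ssl_key                     => "${cert}.key",
    # Only TLS 1.2 is offered; no older protocol version is enabled.
    ssl_protocol                => 'TLSv1.2',
    vhost_name                  => '*',
    wsgi_daemon_process         => 'puppetboard',
    wsgi_daemon_process_options => {
      processes => 2,
      user      => 'puppetboard',
      group     => 'puppetboard',
      threads   => 5,
    },
    wsgi_process_group          => 'puppetboard',
    wsgi_script_aliases         => { '/' => "${puppetboard_dir}/wsgi.py" },
    # The vhost references the certificate files, so Apache's config check
    # fails if they are not there yet. NOTE(review): assumes ipa::sslcert
    # itself has no dependency on the vhost — confirm to rule out a cycle.
    require                     => Ipa::Sslcert['puppetboard'],
  }
}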