Puppet-Manifest mit Kerberos-Auth

puppetboard.pp

```puppet

# install and configure puppetboard
class profiles::puppetboard {

  $krb_auth_realm     = lookup('profiles::puppetboard::krb_auth_realm', String)
  $krb_5keytab        = lookup('profiles::puppetboard::krb_5keytab', String)
  $servername         = lookup('profiles::puppetboard::servername', String, 'first')

  class { '::puppetboard':
    manage_git        => false,
    manage_virtualenv => false,
  }

  class { 'apache':
    default_mods      => false,
    default_vhost     => false,
    default_ssl_vhost => false,
    mpm_module        => 'worker',
    purge_configs     => true,
  }

  class { 'apache::mod::wsgi': }
  class { 'apache::mod::auth_kerb': }
  class { 'apache::mod::authnz_pam': }

  $cert = "/etc/apache2/ssl/${facts['fqdn']}"
  file { 'apachessl':
    ensure => 'directory',
    owner  => 'root',
    group  => 'root',
    mode   => '0700',
    path   => '/etc/apache2/ssl',
  }

  ipa::sslcert { 'puppetboard':
    fname   => $cert,
    domain  => $facts['fqdn'],
    service => 'http',
  }

  file { 'pam_sssd_http':
    ensure  => present,
    path    => '/etc/pam.d/http',
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    content => @(END)
    auth    required pam_sss.so
    account required pam_sss.so
    | END
  }

  apache::vhost { "ssl_${servername}":
    ensure                      => present,
    auth_kerb                   => true,
    access_log                  => true,
    aliases                     => [{
      alias => '/static',
      path  => '/srv/puppetboard/puppetboard/puppetboard/static'
    }],
    default_vhost               => true,
    directories                 => [{
      path         => '/srv/puppetboard/puppetboard',
      auth_name    => 'Kerberos Login',
      auth_type    => 'Kerberos',
      auth_require => 'pam-account http',
    }],
    docroot                     => '/var/www/html',
    krb_auth_realms             => [$krb_auth_realm],
    krb_5keytab                 => $krb_5keytab,
    krb_local_user_mapping      => 'on',
    krb_method_negotiate        => 'on',
    krb_servicename             => 'http',
    port                        => '443',
    servername                  => $servername,
    ssl                         => true,
    ssl_cert                    => "${cert}.crt",
    ssl_protocol                => 'TLSv1.2',
    ssl_key                     => "${cert}.key",
    vhost_name                  => '*',
    wsgi_daemon_process         => 'puppetboard',
    wsgi_daemon_process_options => {
      processes => 2,
      user      => 'puppetboard',
      group     => 'puppetboard',
      threads   => 5,
    },
    wsgi_process_group          => 'puppetboard',
    wsgi_script_aliases         => { '/' => '/srv/puppetboard/puppetboard/wsgi.py'},
  }
}