Puppet-Manifest mit Kerberos-Auth

## puppetboard.pp
```puppet

# install and configure puppetboard
class profiles::puppetboard {

  $krb_auth_realm     = lookup('profiles::puppetboard::krb_auth_realm', String)
  $krb_5keytab        = lookup('profiles::puppetboard::krb_5keytab', String)
  $servername         = lookup('profiles::puppetboard::servername', String, 'first')

  class { '::puppetboard':
    manage_git        => false,
    manage_virtualenv => false,
  }

  class { 'apache':
    default_mods      => false,
    default_vhost     => false,
    default_ssl_vhost => false,
    mpm_module        => 'worker',
    purge_configs     => true,
  }

  class { 'apache::mod::wsgi': }
  class { 'apache::mod::auth_kerb': }
  class { 'apache::mod::authnz_pam': }

  $cert = "/etc/apache2/ssl/${facts['fqdn']}"
  file { 'apachessl':
    ensure => 'directory',
    owner  => 'root',
    group  => 'root',
    mode   => '0700',
    path   => '/etc/apache2/ssl',
  }

  ipa::sslcert { 'puppetboard':
    fname   => $cert,
    domain  => $facts['fqdn'],
    service => 'http',
  }

  file { 'pam_sssd_http':
    ensure  => present,
    path    => '/etc/pam.d/http',
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    content => @(END)
    auth    required pam_sss.so
    account required pam_sss.so
    | END
  }

  apache::vhost { "ssl_${servername}":
    ensure                      => present,
    auth_kerb                   => true,
    access_log                  => true,
    aliases                     => [{
      alias => '/static',
      path  => '/srv/puppetboard/puppetboard/puppetboard/static'
    }],
    default_vhost               => true,
    directories                 => [{
      path         => '/srv/puppetboard/puppetboard',
      auth_name    => 'Kerberos Login',
      auth_type    => 'Kerberos',
      auth_require => 'pam-account http',
    }],
    docroot                     => '/var/www/html',
    krb_auth_realms             => [$krb_auth_realm],
    krb_5keytab                 => $krb_5keytab,
    krb_local_user_mapping      => 'on',
    krb_method_negotiate        => 'on',
    krb_servicename             => 'http',
    port                        => '443',
    servername                  => $servername,
    ssl                         => true,
    ssl_cert                    => "${cert}.crt",
    ssl_protocol                => 'TLSv1.2',
    ssl_key                     => "${cert}.key",
    vhost_name                  => '*',
    wsgi_daemon_process         => 'puppetboard',
    wsgi_daemon_process_options => {
      processes => 2,
      user      => 'puppetboard',
      group     => 'puppetboard',
      threads   => 5,
    },
    wsgi_process_group          => 'puppetboard',
    wsgi_script_aliases         => { '/' => '/srv/puppetboard/puppetboard/wsgi.py'},
  }
}
	```puppet

	# install and configure puppetboard
	class profiles::puppetboard {

	$krb_auth_realm = lookup('profiles::puppetboard::krb_auth_realm', String)
	$krb_5keytab = lookup('profiles::puppetboard::krb_5keytab', String)
	$servername = lookup('profiles::puppetboard::servername', String, 'first')

	class { '::puppetboard':
	manage_git => false,
	manage_virtualenv => false,
	}

	class { 'apache':
	default_mods => false,
	default_vhost => false,
	default_ssl_vhost => false,
	mpm_module => 'worker',
	purge_configs => true,
	}

	class { 'apache::mod::wsgi': }
	class { 'apache::mod::auth_kerb': }
	class { 'apache::mod::authnz_pam': }

	$cert = "/etc/apache2/ssl/${facts['fqdn']}"
	file { 'apachessl':
	ensure => 'directory',
	owner => 'root',
	group => 'root',
	mode => '0700',
	path => '/etc/apache2/ssl',
	}

	ipa::sslcert { 'puppetboard':
	fname => $cert,
	domain => $facts['fqdn'],
	service => 'http',
	}

	file { 'pam_sssd_http':
	ensure => present,
	path => '/etc/pam.d/http',
	owner => 'root',
	group => 'root',
	mode => '0644',
	content => @(END)
	auth required pam_sss.so
	account required pam_sss.so
	\| END
	}

	apache::vhost { "ssl_${servername}":
	ensure => present,
	auth_kerb => true,
	access_log => true,
	aliases => [{
	alias => '/static',
	path => '/srv/puppetboard/puppetboard/puppetboard/static'
	}],
	default_vhost => true,
	directories => [{
	path => '/srv/puppetboard/puppetboard',
	auth_name => 'Kerberos Login',
	auth_type => 'Kerberos',
	auth_require => 'pam-account http',
	}],
	docroot => '/var/www/html',
	krb_auth_realms => [$krb_auth_realm],
	krb_5keytab => $krb_5keytab,
	krb_local_user_mapping => 'on',
	krb_method_negotiate => 'on',
	krb_servicename => 'http',
	port => '443',
	servername => $servername,
	ssl => true,
	ssl_cert => "${cert}.crt",
	ssl_protocol => 'TLSv1.2',
	ssl_key => "${cert}.key",
	vhost_name => '*',
	wsgi_daemon_process => 'puppetboard',
	wsgi_daemon_process_options => {
	processes => 2,
	user => 'puppetboard',
	group => 'puppetboard',
	threads => 5,
	},
	wsgi_process_group => 'puppetboard',
	wsgi_script_aliases => { '/' => '/srv/puppetboard/puppetboard/wsgi.py'},
	}
	}