#!/usr/bin/env ruby
require 'erb'
require 'io/console'
require 'net/scp'
require 'net/ssh'
require 'optparse'
require 'resolv'
require 'tempfile'
# Build the download URL of the puppetlabs apt "release" package.
#
# @param puppet_version [String] Puppet major version ('4', '5', '6', ...);
#   '4' maps to the unversioned "puppet-release" package name
# @param ubuntu_release [String] Ubuntu codename, e.g. 'bionic'
# @return [String] URL of the release .deb on apt.puppetlabs.com
def puppet_url(puppet_version, ubuntu_release)
  version_suffix = puppet_version == '4' ? '' : puppet_version
  "https://apt.puppetlabs.com/puppet#{version_suffix}-release-#{ubuntu_release}.deb"
end
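# Parse the command line into the deployment options hash.
#
# Defaults are filled in first and overridden from ARGV; the derived keys
# (:puppet_url, :ip, :hostname, :domain) are computed from --node, and the
# FreeIPA enrollment password is read interactively from stdin.
#
# @return [Hash{Symbol => String}] keys :node, :dns, :ubuntu, :puppet_version,
#   :admin_user, :puppet_url, :ip, :hostname, :domain, :enroller_pw
# @raise [OptionParser::MissingArgument] when --node was not given
# @raise [Resolv::ResolvError] when the node's FQDN does not resolve
def parse_options
  options = {
    dns: '10.0.0.52',
    ubuntu: 'bionic',
    puppet_version: '6',
    admin_user: 'lokal'
  }
  OptionParser.new do |opts|
    opts.banner = 'Usage: ./deploy [options]'
    opts.on('-nFQDN', '--node=FQDN') { |n| options[:node] = n }
    opts.on('-d IP', '--dns-server IP') { |d| options[:dns] = d }
    opts.on('-u', '--ubuntu RELEASE') { |u| options[:ubuntu] = u }
    opts.on('-p NUMBER', '--puppet-version NUMBER') { |p| options[:puppet_version] = p }
    opts.on('-a', '--admin-user USER') { |a| options[:admin_user] = a }
  end.parse!
  # Fail with a usage-style error instead of letting Resolv.getaddress(nil)
  # blow up further down with an unrelated message.
  raise OptionParser::MissingArgument, '--node' if options[:node].nil? || options[:node].empty?

  options[:puppet_url] = puppet_url(options[:puppet_version], options[:ubuntu])
  options[:ip] = Resolv.getaddress(options[:node])
  hostname, *domain_parts = options[:node].split('.')
  options[:hostname] = hostname
  options[:domain] = domain_parts.join('.')
  options[:enroller_pw] = read_enroller_password
  options
end

# Prompt for the FreeIPA enrollment password without echoing it to the
# terminal, so it does not land in scrollback or a session recording.
#
# Reads from $stdin explicitly: Kernel#gets would read from ARGF and try to
# open any leftover ARGV entries as files.
#
# @return [String] the password with the trailing newline removed ('' on EOF)
def read_enroller_password
  puts 'Enter password for host enrollment'
  password = if $stdin.respond_to?(:noecho) && $stdin.tty?
               $stdin.noecho(&:gets)
             else
               $stdin.gets # piped input: there is no terminal echo to suppress
             end
  puts # the user's Enter was not echoed; move to a fresh line
  password.to_s.chomp
end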
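# Copy the local SSH public key to the admin user's authorized_keys on the
# node so the later Net::SCP / Net::SSH sessions can authenticate with it.
#
# The command is run in argv form (no shell), so node and user are passed
# verbatim rather than being interpolated into a shell command line, and the
# exit status is checked instead of being dropped.
#
# @param node [String] FQDN of the target host
# @param admin_user [String] account on the node that receives the key
# @return [true] when ssh-copy-id succeeded
# @raise [RuntimeError] when ssh-copy-id exits non-zero or cannot be started
def install_ssh_keys(node, admin_user)
  target = "#{admin_user}@#{node}"
  return true if system('ssh-copy-id', target)

  raise "ssh-copy-id #{target} failed (#{$?.inspect})"
end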
# Render setup.sh.erb (looked up in the current working directory) with the
# option values exposed as local variables to the template.
#
# @param options [Hash{Symbol => Object}] deployment options; every key the
#   template references must be present
# @return [String] the rendered shell script
def setup_script_contents(options)
  template_source = File.read('setup.sh.erb')
  ERB.new(template_source).result_with_hash(options)
end
# Upload the static config files and the rendered setup script into the
# admin user's home directory on the node.
#
# The script is staged in a temporary file that is removed again when the
# block finishes, whether or not the upload succeeded.
#
# @param node [String] FQDN of the target host
# @param admin_user [String] SSH user on the node
# @param setup_script [String] rendered contents of setup.sh
# @return [void]
def transfer_setup_scripts(node, admin_user, setup_script)
  Tempfile.create("setup_#{node}") do |staged|
    staged.write(setup_script)
    staged.close
    Net::SCP.start(node, admin_user) do |scp|
      %w[puppet.conf krb5.conf].each { |name| scp.upload!(name, name) }
      scp.upload!(staged.path, 'setup.sh')
    end
  end
end
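# Run the uploaded setup script on the node as root, show its output, and
# remove the script afterwards.
#
# The rendered script embeds the FreeIPA enrollment password, so it is not
# left lying around in the admin user's home once it has run. The output is
# printed because exec! does not raise on a failing remote command; without
# it the operator has no way to see what happened on the node.
#
# @param node [String] FQDN of the target host
# @param admin_user [String] SSH user on the node (needs sudo for bash)
# @return [String] combined output of the remote setup script
def setup(node, admin_user)
  Net::SSH.start(node, admin_user) do |ssh|
    output = ssh.exec!('sudo bash ~/setup.sh')
    puts output
    ssh.exec!('rm -f ~/setup.sh')
    output
  end
end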
# Entry point: gather the options, then push the SSH key, the config files and
# the rendered setup script to the node and execute the script there.
opts = parse_options
node, admin_user = opts.values_at(:node, :admin_user)
install_ssh_keys(node, admin_user)
transfer_setup_scripts(node, admin_user, setup_script_contents(opts))
setup(node, admin_user)
# Kerberos client configuration that setup.sh copies over /etc/krb5.conf on
# every enrolled host (twice: before and after ipa-client-install, which
# rewrites the file).
# Pull in the realm/domain snippets that sssd maintains for enrolled hosts.
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
default_realm = IPA.EXAMPLE.COM
# Realm and KDC are pinned in [realms] below rather than discovered through
# DNS TXT/SRV records.
dns_lookup_realm = false
dns_lookup_kdc = false
# Do not use reverse DNS when canonicalising hostnames for service principals.
rdns = false
ticket_lifetime = 24h
forwardable = true
# With the limit at 0 every KDC message is above it, so TCP is tried first.
udp_preference_limit = 0
[realms]
IPA.EXAMPLE.COM = {
kdc = auth.example.com:88
master_kdc = auth.example.com:88
admin_server = auth.example.com:749
default_domain = ipa.example.com
# IPA CA certificate used to validate the KDC's certificate during PKINIT.
pkinit_anchors = FILE:/etc/ipa/ca.crt
}
[domain_realm]
# Both the IPA subdomain and the parent domain map onto the single realm.
.ipa.example.com = IPA.EXAMPLE.COM
ipa.example.com = IPA.EXAMPLE.COM
.example.com = IPA.EXAMPLE.COM
example.com = IPA.EXAMPLE.COM
# Puppet agent configuration that setup.sh installs as
# /etc/puppetlabs/puppet/puppet.conf on every enrolled host.
[main]
environment = production
server = puppet.example.com
ca_server = puppet.example.com
[agent]
# The agent's key and certificate are issued by the FreeIPA CA (ipa-getcert in
# setup.sh) rather than by the Puppet CA, so CRL-based revocation checking
# against the Puppet CA is turned off. NOTE(review): this also means a revoked
# server certificate would not be rejected by the agent — confirm that is
# acceptable for this environment.
certificate_revocation = false
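#!/bin/bash
# Rendered by deploy from setup.sh.erb, uploaded as ~/setup.sh and run on the
# node as root: adds the Puppet apt repository, installs puppet-agent, pins
# DNS and /etc/hosts, enrolls the host in FreeIPA and obtains a Puppet client
# certificate from the IPA CA.
#
# Abort on the first failing command so a half-configured host is noticed
# instead of silently carried on with; -u additionally catches a template
# variable that was not rendered.
set -euo pipefail

HOSTNAME="<%= hostname %>"
DOMAIN="<%= domain %>"
DNSSERVER="<%= dns %>"
IP="<%= ip %>"
PUPPET_URL="<%= puppet_url %>"
# Single-quoted so the shell never interprets characters in the password;
# any single quote inside it is rendered by the template as '\''.
ENROLLER_PW='<%= enroller_pw.gsub("'") { "'\\''" } %>'

echo "Adding Puppet repository"
wget -q -O /tmp/puppet.deb "$PUPPET_URL"
dpkg -i /tmp/puppet.deb
rm -f /tmp/puppet.deb

echo "System Update"
# The script already runs as root (invoked via sudo), so no inner sudo.
apt-get update -qq && apt-get dist-upgrade -qq

echo "Installing Puppet"
apt-get install puppet-agent -qq
systemctl enable puppet

echo "Fixing locale warnings for de_DE.UTF-8"
locale-gen de_DE.UTF-8

echo "Cleaning up caches for APT"
apt-get clean -qq && apt-get autoclean -qq && apt-get autoremove -qq

echo "Making sure Proxmox leaves DNS alone"
touch /etc/.pve-ignore.{hosts,resolv.conf}
cat <<EOF > /etc/resolv.conf
search $DOMAIN
nameserver $DNSSERVER
EOF
cat <<EOF > /etc/hosts
127.0.0.1 localhost
::1 localhost6 ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
$IP $HOSTNAME.$DOMAIN $HOSTNAME
EOF

echo "Installing freeipa client"
apt-get install freeipa-client -qq

echo "Fixing Kerberos"
cp ~/krb5.conf /etc/krb5.conf

echo "Enrolling host to FreeIPA"
# NOTE(review): -w places the enrollment password on the command line, where
# it is visible in the process list while ipa-client-install runs; check
# whether the installed ipa-client-install can read it from stdin instead.
ipa-client-install --mkhomedir --no-dns-sshfp -U -p enroller -w "${ENROLLER_PW}" --force-join

echo "Fixing Kerberos again"
# ipa-client-install rewrites /etc/krb5.conf; put the pinned one back.
cp ~/krb5.conf /etc/krb5.conf

echo "Adding Service Principal for Puppet on this host"
echo "$ENROLLER_PW" | kinit enroller
ipa service-add "puppet/$HOSTNAME.$DOMAIN"

echo "Requesting Certificate for Puppet"
mkdir -p /etc/puppetlabs/puppet/ssl/{private_keys,certs}
# -w waits until certmonger has obtained the certificate, so the key and
# certificate files exist before puppet is restarted below.
ipa-getcert request -w -K "puppet/$HOSTNAME.$DOMAIN" \
  -k "/etc/puppetlabs/puppet/ssl/private_keys/$HOSTNAME.$DOMAIN.pem" \
  -f "/etc/puppetlabs/puppet/ssl/certs/$HOSTNAME.$DOMAIN.pem" \
  -N "$HOSTNAME.$DOMAIN"
cp /etc/ipa/ca.crt /etc/puppetlabs/puppet/ssl/certs/ca.pem
# The enroller's ticket is no longer needed on this host; drop it.
kdestroy

echo "Configuring Puppet to use CA and restart"
# puppet.conf was uploaded next to krb5.conf; reference it the same way
# instead of relying on the working directory.
cp ~/puppet.conf /etc/puppetlabs/puppet/puppet.conf
systemctl restart puppet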