#!/usr/bin/env ruby | |
require 'erb'
require 'io/console'
require 'optparse'
require 'resolv'
require 'tempfile'

require 'net/scp'
require 'net/ssh'
# Builds the download URL of the puppetlabs APT release package.
#
# @param puppet_version [String] major Puppet version, e.g. '5' or '6'
# @param ubuntu_release [String] Ubuntu code name, e.g. 'bionic'
# @return [String] URL of the .deb that installs the puppetlabs repository
def puppet_url(puppet_version, ubuntu_release)
  # Puppet 4 was published as the unversioned "puppet-release" package; later
  # major versions carry their number in the package name.
  package = puppet_version == '4' ? 'puppet' : "puppet#{puppet_version}"
  "https://apt.puppetlabs.com/#{package}-release-#{ubuntu_release}.deb"
end
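# Parses the command line and derives everything the setup template needs.
#
# Besides the raw switches the returned hash carries :puppet_url, :ip
# (resolved from the node name), :hostname, :domain and :enroller_pw, which
# is read from standard input.
#
# @return [Hash{Symbol => String}] options consumed by setup.sh.erb
# @raise [OptionParser::MissingArgument] when --node was not given
# @raise [Resolv::ResolvError] when the node name does not resolve
def parse_options
  options = {
    dns: '10.0.0.52',
    ubuntu: 'bionic',
    puppet_version: '6',
    admin_user: 'lokal'
  }
  OptionParser.new do |opts|
    opts.banner = 'Usage: ./deploy [options]'
    opts.on('-nFQDN', '--node=FQDN', 'Fully qualified name of the host to deploy (required)') do |n|
      options[:node] = n
    end
    opts.on('-d IP', '--dns-server IP', 'Resolver written to the node\'s resolv.conf') do |d|
      options[:dns] = d
    end
    opts.on('-u', '--ubuntu RELEASE', 'Ubuntu code name used to pick the Puppet repository') do |u|
      options[:ubuntu] = u
    end
    opts.on('-p NUMBER', '--puppet-version NUMBER', 'Puppet major version to install') do |p|
      options[:puppet_version] = p
    end
    opts.on('-a', '--admin-user USER', 'Account used for SSH/SCP on the node') do |a|
      options[:admin_user] = a
    end
  end.parse!
  # Every later step needs the node name; fail with a usage-style error here
  # instead of a NoMethodError from split/Resolv further down.
  raise OptionParser::MissingArgument, '--node' unless options[:node]

  options[:puppet_url] = puppet_url(options[:puppet_version], options[:ubuntu])
  options[:ip] = Resolv.getaddress(options[:node])
  hostname, *domain_labels = options[:node].split('.')
  options[:hostname] = hostname
  options[:domain] = domain_labels.join('.')
  puts 'Enter password for host enrollment'
  options[:enroller_pw] = read_enrollment_password
  options
end

# Reads the enrollment password from standard input.
#
# Reads from $stdin explicitly (Kernel#gets would read from ARGF and try to
# open any leftover command-line argument as a file) and suppresses terminal
# echo so the secret does not end up on screen or in a scrollback buffer.
#
# @return [String] the password without its trailing newline
# @raise [ArgumentError] when stdin is at EOF and no password was supplied
def read_enrollment_password
  interactive = $stdin.tty?
  line = interactive ? $stdin.noecho(&:gets) : $stdin.gets
  raise ArgumentError, 'no enrollment password given (EOF on stdin)' if line.nil?

  # noecho also hides the newline the user typed; restore the line break.
  puts if interactive
  line.chomp
end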
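# Installs the local public SSH key on the node with ssh-copy-id.
#
# The command is started in argument-vector form (no shell), so node and
# user names taken from the command line cannot inject shell syntax the way
# the previous backtick interpolation allowed.
#
# @param node [String] host to copy the key to
# @param admin_user [String] remote account that receives the key
# @return [String] standard output of ssh-copy-id, as the backtick form returned
def install_ssh_keys(node, admin_user)
  IO.popen(['ssh-copy-id', "#{admin_user}@#{node}"], &:read)
end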
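# Renders the setup script template with the parsed options.
#
# The template path is now a parameter (default unchanged) so callers and
# tests can render a different template; as before it is resolved relative to
# the current working directory, like puppet.conf and krb5.conf.
#
# @param options [Hash{Symbol => String}] values exposed to the template as locals
# @param template_path [String] ERB template to render
# @return [String] rendered script; note it contains :enroller_pw in clear text
# @raise [Errno::ENOENT] when the template file is missing
def setup_script_contents(options, template_path = 'setup.sh.erb')
  template = ERB.new(File.read(template_path))
  template.result_with_hash(options)
end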
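# Uploads puppet.conf, krb5.conf and the rendered setup script to the node.
#
# The script is staged in a temporary file created with Tempfile.create, so
# it is closed and unlinked when the block ends even if the upload raises
# (the previous explicit close/unlink pair left the handle open on a failed
# write). The staged file contains the enrollment password.
#
# @param node [String] target host
# @param admin_user [String] account used for the SCP session
# @param setup_script [String] rendered contents of setup.sh.erb
# @return [void]
def transfer_setup_scripts(node, admin_user, setup_script)
  Tempfile.create("setup_#{node}") do |tmpfile|
    tmpfile.write(setup_script)
    tmpfile.flush # scp reads the path, so the contents must be on disk
    # NOTE(review): Net::SCP.start is used with the library's default host-key
    # policy; confirm the deploy host already knows the node's key.
    Net::SCP.start(node, admin_user) do |scp|
      scp.upload!('puppet.conf', 'puppet.conf')
      scp.upload!('krb5.conf', 'krb5.conf')
      scp.upload!(tmpfile.path, 'setup.sh')
    end
  end
end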
# Runs the uploaded setup script on the node as root via sudo.
#
# @param node [String] target host
# @param admin_user [String] account used for the SSH session (must be able to sudo)
# @return [String] whatever exec! returns for the remote command
def setup(node, admin_user)
  Net::SSH.start(node, admin_user) { |ssh| ssh.exec!('sudo bash ~/setup.sh') }
end
# Entry point: parse the command line, push the SSH key, upload the rendered
# script plus configs, then execute the script on the node.
options = parse_options
node, admin_user = options.values_at(:node, :admin_user)
install_ssh_keys(node, admin_user)
transfer_setup_scripts(node, admin_user, setup_script_contents(options))
setup(node, admin_user)
# Client-side Kerberos configuration; setup.sh.erb copies it to /etc/krb5.conf
# before and again after ipa-client-install (which rewrites that file).
# Pulls in the snippets SSSD writes to its public config directory.
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
default_realm = IPA.EXAMPLE.COM
# KDC addresses and realm mapping are pinned statically below instead of
# being discovered through DNS SRV/TXT records.
dns_lookup_realm = false
dns_lookup_kdc = false
# Do not reverse-resolve addresses when canonicalising host names for service principals.
rdns = false
ticket_lifetime = 24h
# Tickets are forwardable by default: a service that receives a forwarded
# ticket can act on the user's behalf.
forwardable = true
# 0 makes the library use TCP for all KDC traffic instead of trying UDP first.
udp_preference_limit = 0
[realms]
IPA.EXAMPLE.COM = {
kdc = auth.example.com:88
master_kdc = auth.example.com:88
admin_server = auth.example.com:749
default_domain = ipa.example.com
# CA bundle trusted for PKINIT (certificate-based initial authentication).
pkinit_anchors = FILE:/etc/ipa/ca.crt
}
[domain_realm]
# Both the IPA sub-domain and the parent domain (and hosts beneath them) map to the realm.
.ipa.example.com = IPA.EXAMPLE.COM
ipa.example.com = IPA.EXAMPLE.COM
.example.com = IPA.EXAMPLE.COM
example.com = IPA.EXAMPLE.COM
# Puppet agent configuration; setup.sh.erb copies it to /etc/puppetlabs/puppet/puppet.conf.
[main]
environment = production
server = puppet.example.com
ca_server = puppet.example.com
[agent]
# NOTE(review): disables revocation (CRL) checking of the Puppet server's certificate.
# Presumably chosen because the agent's key and certificate are issued by the
# FreeIPA CA in setup.sh.erb rather than by the Puppet CA, so the Puppet CA's
# CRL does not apply -- confirm, since with this setting a revoked server
# certificate is still accepted by the agent.
certificate_revocation = false
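#!/bin/bash
# Rendered by deploy (setup_script_contents) and executed on the node as root
# via "sudo bash ~/setup.sh". puppet.conf and krb5.conf are uploaded next to
# this script, so they are addressed relative to the script's own directory.
# The enrollment password is baked into this file; it is removed at the end.
SCRIPT_DIR=$(cd "$(dirname "$0")" && pwd)
# Values are single-quoted so that shell metacharacters in them are not
# interpreted (the previous assignments were unquoted).
HOSTNAME='<%= hostname %>'
DOMAIN='<%= domain %>'
DNSSERVER='<%= dns %>'
IP='<%= ip %>'
PUPPET_URL='<%= puppet_url %>'
# Embedded single quotes are escaped as '\'' so the password survives intact.
ENROLLER_PW='<%= enroller_pw.gsub("'", "'\\''") %>'
PUPPET_PRINCIPAL="puppet/$HOSTNAME.$DOMAIN"

echo "Adding Puppet repository"
# Stop here when the release package cannot be fetched; dpkg and apt would
# otherwise carry on against a missing file and a missing repository.
wget -q -O /tmp/puppet.deb "$PUPPET_URL" || { echo "Failed to download $PUPPET_URL" >&2; exit 1; }
dpkg -i /tmp/puppet.deb
echo "System Update"
# The script already runs as root; the inner sudo was redundant.
apt-get update -qq && apt-get dist-upgrade -qq
echo "Installing Puppet"
apt-get install puppet-agent -qq
systemctl enable puppet
echo "Fixing locale warnings for de_DE.UTF-8"
locale-gen de_DE.UTF-8
echo "Cleaning up caches for APT"
apt-get clean -qq && apt-get autoclean -qq && apt-get autoremove -qq
echo "Making sure Proxmox leaves DNS alone"
touch /etc/.pve-ignore.{hosts,resolv.conf}
cat <<EOF > /etc/resolv.conf
search $DOMAIN
nameserver $DNSSERVER
EOF
cat <<EOF > /etc/hosts
127.0.0.1 localhost
::1 localhost6 ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
$IP $HOSTNAME.$DOMAIN $HOSTNAME
EOF
echo "Installing freeipa client"
apt-get install freeipa-client -qq
echo "Fixing Kerberos"
cp "$SCRIPT_DIR/krb5.conf" /etc/krb5.conf
echo "Enrolling host to FreeIPA"
# -w passes the password on the command line, so it is visible in the
# process list while ipa-client-install runs.
ipa-client-install --mkhomedir --no-dns-sshfp -U -p enroller -w "${ENROLLER_PW}" --force-join
echo "Fixing Kerberos again"
cp "$SCRIPT_DIR/krb5.conf" /etc/krb5.conf
echo "Adding Service Principal for Puppet on this host"
echo "$ENROLLER_PW" | kinit enroller
# --force-join above allows re-running this script for an already enrolled
# host; only create the service principal when it does not exist yet.
ipa service-show "$PUPPET_PRINCIPAL" >/dev/null 2>&1 || ipa service-add "$PUPPET_PRINCIPAL"
# The enroller ticket is not needed from here on (certmonger authenticates
# with the host keytab); drop it instead of leaving it in root's cache.
kdestroy
echo "Requesting Certificate for Puppet"
mkdir -p /etc/puppetlabs/puppet/ssl/{private_keys,certs}
ipa-getcert request -K "$PUPPET_PRINCIPAL" \
  -k "/etc/puppetlabs/puppet/ssl/private_keys/$HOSTNAME.$DOMAIN.pem" \
  -f "/etc/puppetlabs/puppet/ssl/certs/$HOSTNAME.$DOMAIN.pem" \
  -N "$HOSTNAME.$DOMAIN"
cp /etc/ipa/ca.crt /etc/puppetlabs/puppet/ssl/certs/ca.pem
echo "Configuring Puppet to use CA and restart"
cp "$SCRIPT_DIR/puppet.conf" /etc/puppetlabs/puppet/puppet.conf
systemctl restart puppet
# This file holds the enrollment password in clear text; do not leave it behind.
shred -u "$0" 2>/dev/null || rm -f "$0"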