Skip to content

Instantly share code, notes, and snippets.

@fheinle fheinle/deploy.rb Secret
Last active Jan 21, 2019

Embed
What would you like to do?
#!/usr/bin/env ruby
require 'optparse'
require 'resolv'
require 'net/scp'
require 'net/ssh'
require 'tempfile'
require 'erb'
def puppet_url(puppet_version, ubuntu_release)
puppet_version = '' if puppet_version == '4'
"https://apt.puppetlabs.com/puppet#{puppet_version}-release-#{ubuntu_release}.deb"
end
def parse_options
options = {
dns: '10.0.0.52',
ubuntu: 'bionic',
puppet_version: '6',
admin_user: 'lokal'
}
OptionParser.new do |opts|
opts.banner = 'Usage: ./deploy [options]'
opts.on('-nFQDN', '--node=FQDN') do |n|
options[:node] = n
end
opts.on('-d IP', '--dns-server IP') do |d|
options[:dns] = d
end
opts.on('-u', '--ubuntu RELEASE') do |u|
options[:ubuntu] = u
end
opts.on('-p NUMBER', '--puppet-version NUMBER') do |p|
options[:puppet_version] = p
end
opts.on('-a', '--admin-user USER') do |a|
options[:admin_user] = a
end
end.parse!
options[:puppet_url] = puppet_url(options[:puppet_version], options[:ubuntu])
options[:ip] = Resolv.getaddress(options[:node])
options[:hostname] = options[:node].split('.').first
options[:domain] = options[:node].split('.')[1..-1].join('.')
puts 'Enter password for host enrollment'
options[:enroller_pw] = gets.chomp
options
end
def install_ssh_keys(node, admin_user)
`ssh-copy-id #{admin_user}@#{node}`
end
def setup_script_contents(options)
template = ERB.new(File.read('setup.sh.erb'))
template.result_with_hash(options)
end
def transfer_setup_scripts(node, admin_user, setup_script)
tmpfile = Tempfile.new("setup_#{node}")
begin
tmpfile.write(setup_script)
tmpfile.close
Net::SCP.start(node, admin_user) do |scp|
scp.upload!('puppet.conf', 'puppet.conf')
scp.upload!('krb5.conf', 'krb5.conf')
scp.upload!(tmpfile.path, 'setup.sh')
end
ensure
tmpfile.unlink
end
end
def setup(node, admin_user)
Net::SSH.start(node, admin_user) do |ssh|
ssh.exec! 'sudo bash ~/setup.sh'
end
end
options = parse_options
install_ssh_keys(options[:node], options[:admin_user])
setup_script = setup_script_contents(options)
transfer_setup_scripts(options[:node], options[:admin_user], setup_script)
setup(options[:node], options[:admin_user])
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
default_realm = IPA.EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = false
rdns = false
ticket_lifetime = 24h
forwardable = true
udp_preference_limit = 0
[realms]
IPA.EXAMPLE.COM = {
kdc = auth.example.com:88
master_kdc = auth.example.com:88
admin_server = auth.example.com:749
default_domain = ipa.example.com
pkinit_anchors = FILE:/etc/ipa/ca.crt
}
[domain_realm]
.ipa.example.com = IPA.EXAMPLE.COM
ipa.example.com = IPA.EXAMPLE.COM
.example.com = IPA.EXAMPLE.COM
example.com = IPA.EXAMPLE.COM
[main]
environment = production
server = puppet.example.com
ca_server = puppet.example.com
[agent]
certificate_revocation = false
#!/bin/bash
HOSTNAME=<%= hostname %>
DOMAIN=<%= domain %>
DNSSERVER=<%= dns %>
IP=<%= ip %>
PUPPET_URL=<%= puppet_url %>
ENROLLER_PW=<%= enroller_pw %>
echo "Adding Puppet repository"
wget -q -O /tmp/puppet.deb "$PUPPET_URL"
dpkg -i /tmp/puppet.deb
echo "System Update"
apt-get update -qq && sudo apt-get dist-upgrade -qq
echo "Installing Puppet"
apt-get install puppet-agent -qq
systemctl enable puppet
echo "Fixing locale warnings for de_DE.UTF-8"
locale-gen de_DE.UTF-8
echo "Cleaning up caches for APT"
apt-get clean -qq && apt-get autoclean -qq && apt-get autoremove -qq
echo "Making sure Proxmox leaves DNS alone"
touch /etc/.pve-ignore.{hosts,resolv.conf}
cat <<EOF > /etc/resolv.conf
search $DOMAIN
nameserver $DNSSERVER
EOF
cat <<EOF > /etc/hosts
127.0.0.1 localhost
::1 localhost6 ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
$IP $HOSTNAME.$DOMAIN $HOSTNAME
EOF
echo "Installing freeipa client"
apt-get install freeipa-client -qq
echo "Fixing Kerberos"
cp ~/krb5.conf /etc/krb5.conf
echo "Enrolling host to FreeIPA"
ipa-client-install --mkhomedir --no-dns-sshfp -U -p enroller -w "${ENROLLER_PW}" --force-join
echo "Fixing Kerberos again"
cp ~/krb5.conf /etc/krb5.conf
echo "Adding Service Principal for Puppet on this host"
echo "$ENROLLER_PW"|kinit enroller
ipa service-add "puppet/$HOSTNAME.$DOMAIN"
echo "Requesting Certificate for Puppet"
mkdir -p /etc/puppetlabs/puppet/ssl/{private_keys,certs}
ipa-getcert request -K "puppet/$HOSTNAME.$DOMAIN" \
-k "/etc/puppetlabs/puppet/ssl/private_keys/$HOSTNAME.$DOMAIN.pem" \
-f "/etc/puppetlabs/puppet/ssl/certs/$HOSTNAME.$DOMAIN.pem" \
-N "$HOSTNAME.$DOMAIN"
cp /etc/ipa/ca.crt /etc/puppetlabs/puppet/ssl/certs/ca.pem
echo "Configuring Puppet to use CA and restart"
cp puppet.conf /etc/puppetlabs/puppet/puppet.conf
systemctl restart puppet
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.