#!/usr/bin/env ruby
require 'erb'
require 'io/console'
require 'open3'
require 'optparse'
require 'resolv'
require 'shellwords'
require 'tempfile'
require 'net/scp'
require 'net/ssh'
# Build the download URL of the puppetlabs APT release package.
#
# @param puppet_version [String] major Puppet version; '4' maps to the
#   unversioned "puppet-release" package name, any other value is embedded
#   as-is (e.g. '6' -> "puppet6-release")
# @param ubuntu_release [String] Ubuntu codename, e.g. 'bionic'
# @return [String] https URL of the .deb on apt.puppetlabs.com
def puppet_url(puppet_version, ubuntu_release)
  suffix = puppet_version == '4' ? '' : puppet_version
  format('https://apt.puppetlabs.com/puppet%s-release-%s.deb', suffix, ubuntu_release)
end
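# Parse command-line options and derive the values the setup template needs.
#
# Defaults are overridden by flags. --node is mandatory because the IP,
# hostname and domain are derived from it; without it the original code
# crashed inside Resolv with a nil argument. The enrollment password is read
# from STDIN, with echo suppressed when STDIN is a terminal.
#
# @return [Hash{Symbol => String}] :node, :dns, :ubuntu, :puppet_version,
#   :admin_user, :puppet_url, :ip, :hostname, :domain, :enroller_pw
# @raise [OptionParser::MissingArgument] when --node is not given
# @raise [Resolv::ResolvError] when the node name does not resolve
# @raise [ArgumentError] when no password is entered
def parse_options
  options = {
    dns: '10.0.0.52',
    ubuntu: 'bionic',
    puppet_version: '6',
    admin_user: 'lokal'
  }
  OptionParser.new do |opts|
    opts.banner = 'Usage: ./deploy [options]'
    opts.on('-nFQDN', '--node=FQDN') { |n| options[:node] = n }
    opts.on('-d IP', '--dns-server IP') { |d| options[:dns] = d }
    opts.on('-u', '--ubuntu RELEASE') { |u| options[:ubuntu] = u }
    opts.on('-p NUMBER', '--puppet-version NUMBER') { |p| options[:puppet_version] = p }
    opts.on('-a', '--admin-user USER') { |a| options[:admin_user] = a }
  end.parse!
  # Fail early with a usage-style error instead of a NoMethodError/Resolv
  # error further down.
  raise OptionParser::MissingArgument, '--node' if options[:node].nil? || options[:node].empty?

  options[:puppet_url] = puppet_url(options[:puppet_version], options[:ubuntu])
  options[:ip] = Resolv.getaddress(options[:node])
  # "web01.ipa.example.com" -> hostname "web01", domain "ipa.example.com";
  # a bare name yields an empty domain, as before.
  hostname, *domain_parts = options[:node].split('.')
  options[:hostname] = hostname
  options[:domain] = domain_parts.join('.')
  puts 'Enter password for host enrollment'
  options[:enroller_pw] = _read_enroller_password
  options
end

# Read one line from STDIN for use as the enrollment password.
#
# Reads $stdin explicitly: Kernel#gets reads ARGF, which would open any
# leftover non-option argument as a file instead of prompting. Echo is
# disabled when attached to a terminal so the password is not shown.
#
# @return [String] the entered line without its trailing newline
# @raise [ArgumentError] on EOF or an empty line
def _read_enroller_password
  line = if $stdin.tty?
           entered = $stdin.noecho(&:gets)
           $stdout.puts # noecho also swallows the newline the user typed
           entered
         else
           $stdin.gets
         end
  password = line.to_s.chomp
  raise ArgumentError, 'enrollment password must not be empty' if password.empty?

  password
end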
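# Install the local public key on the target with ssh-copy-id.
#
# The command is run in argument form (no shell), so a node or user name
# containing shell metacharacters is passed literally instead of being
# interpreted; the original backtick form interpolated both into a shell
# command line. Only stdout is captured, so ssh-copy-id's prompts on
# stderr/tty still reach the user. A failed copy is reported instead of
# being ignored, because every later step relies on key-based login.
#
# @param node [String] FQDN of the target host
# @param admin_user [String] login name on the target
# @return [String] stdout of ssh-copy-id (what the backtick form returned)
# @raise [RuntimeError] when ssh-copy-id exits non-zero
# @raise [Errno::ENOENT] when ssh-copy-id is not installed
def install_ssh_keys(node, admin_user)
  target = "#{admin_user}@#{node}"
  out, status = Open3.capture2('ssh-copy-id', target)
  raise "ssh-copy-id #{target} failed (exit #{status.exitstatus})" unless status.success?

  out
end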
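# Render setup.sh.erb (looked up relative to the current directory) with the
# parsed options as template locals.
#
# Every value is shell-escaped before rendering: the template assigns them
# to bash variables unquoted (HOSTNAME=<%= hostname %>,
# ENROLLER_PW=<%= enroller_pw %>), so a password containing spaces, quotes
# or `$` would otherwise break the generated script or be evaluated by the
# shell on the target. Plain hostnames, IPs and the https URL are left
# unchanged by Shellwords.escape.
#
# @param options [Hash{Symbol => Object}] values from parse_options
# @return [String] rendered shell script
# @raise [Errno::ENOENT] when setup.sh.erb is missing
def setup_script_contents(options)
  escaped = options.transform_values { |value| Shellwords.escape(value.to_s) }
  ERB.new(File.read('setup.sh.erb')).result_with_hash(escaped)
end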
# Upload puppet.conf and krb5.conf (from the current directory) and the
# rendered setup script to the admin user's home on the node via SCP.
#
# The script is staged in a temporary file that is removed afterwards, also
# when the upload fails.
#
# @param node [String] FQDN of the target host
# @param admin_user [String] login name on the target
# @param setup_script [String] rendered contents of setup.sh
# @return whatever Net::SCP.start returns for the block
def transfer_setup_scripts(node, admin_user, setup_script)
  staged = Tempfile.new("setup_#{node}")
  staged.write(setup_script)
  staged.close
  uploads = {
    'puppet.conf' => 'puppet.conf',
    'krb5.conf' => 'krb5.conf',
    staged.path => 'setup.sh'
  }
  # NOTE(review): no :verify_host_key is passed, so host-key checking is
  # whatever the installed net-ssh version does by default — confirm that
  # is acceptable for first contact with a freshly provisioned node.
  Net::SCP.start(node, admin_user) do |scp|
    uploads.each { |local, remote| scp.upload!(local, remote) }
  end
ensure
  # staged is nil only if Tempfile.new itself raised.
  staged&.unlink
end
# Execute the uploaded setup script as root on the node over SSH.
#
# @param node [String] FQDN of the target host
# @param admin_user [String] login name on the target; presumably needs
#   passwordless sudo, since nothing answers a sudo prompt here — confirm
# @return the value Net::SSH.start returns for the block (the exec! output)
def setup(node, admin_user)
  command = 'sudo bash ~/setup.sh'
  Net::SSH.start(node, admin_user) { |ssh| ssh.exec!(command) }
end
# Entry point: parse options, push the SSH key, render and upload the setup
# script, then run it on the node.
options = parse_options
node = options[:node]
admin_user = options[:admin_user]
install_ssh_keys(node, admin_user)
transfer_setup_scripts(node, admin_user, setup_script_contents(options))
setup(node, admin_user)
# Kerberos client configuration uploaded to the node and copied over
# /etc/krb5.conf by setup.sh, once before and once after ipa-client-install.
# Realm, KDC and domain names below are this deployment's values; adjust
# for another site.
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
default_realm = IPA.EXAMPLE.COM
# Realm and KDC discovery via DNS is disabled; the KDC is pinned under
# [realms] and host-to-realm mapping is static under [domain_realm].
dns_lookup_realm = false
dns_lookup_kdc = false
rdns = false
ticket_lifetime = 24h
forwardable = true
udp_preference_limit = 0
[realms]
IPA.EXAMPLE.COM = {
kdc = auth.example.com:88
master_kdc = auth.example.com:88
admin_server = auth.example.com:749
default_domain = ipa.example.com
# /etc/ipa/ca.crt is written by ipa-client-install; on the first copy of this
# file (before enrollment) the path presumably does not exist yet — confirm
# this is harmless for the pre-enrollment steps.
pkinit_anchors = FILE:/etc/ipa/ca.crt
}
[domain_realm]
.ipa.example.com = IPA.EXAMPLE.COM
ipa.example.com = IPA.EXAMPLE.COM
.example.com = IPA.EXAMPLE.COM
example.com = IPA.EXAMPLE.COM
# Puppet agent configuration uploaded to the node and installed as
# /etc/puppetlabs/puppet/puppet.conf by setup.sh.
[main]
environment = production
server = puppet.example.com
ca_server = puppet.example.com
[agent]
# Turns off revocation (CRL) checking of certificates. setup.sh gives the
# agent a FreeIPA-issued certificate and the IPA CA as ca.pem, so there is
# no Puppet-CA CRL for the agent to consult — presumably why this is off.
# The trade-off is that a revoked server certificate is still accepted;
# confirm that is intended.
certificate_revocation = false
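#!/bin/bash
# Rendered from setup.sh.erb by deploy and run on the node as root via
# "sudo bash ~/setup.sh". The ERB values below are substituted verbatim into
# unquoted assignments, so whatever renders this template must shell-escape
# values that may contain spaces, quotes or '$' (the password in particular).
# Abort on the first failing step instead of continuing to restart puppet on
# a half-enrolled host.
set -euo pipefail
HOSTNAME=<%= hostname %>
DOMAIN=<%= domain %>
DNSSERVER=<%= dns %>
IP=<%= ip %>
PUPPET_URL=<%= puppet_url %>
ENROLLER_PW=<%= enroller_pw %>
FQDN="$HOSTNAME.$DOMAIN"
# krb5.conf and puppet.conf are uploaded next to this script. Resolve them
# relative to the script rather than ~ or the working directory, both of
# which depend on how sudo and ssh set up the environment.
SRC_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
echo "Adding Puppet repository"
wget -q -O /tmp/puppet.deb "$PUPPET_URL"
dpkg -i /tmp/puppet.deb
echo "System Update"
# Already running as root; the extra sudo on dist-upgrade was redundant.
apt-get update -qq && apt-get dist-upgrade -qq
echo "Installing Puppet"
apt-get install puppet-agent -qq
systemctl enable puppet
echo "Fixing locale warnings for de_DE.UTF-8"
locale-gen de_DE.UTF-8
echo "Cleaning up caches for APT"
apt-get clean -qq && apt-get autoclean -qq && apt-get autoremove -qq
echo "Making sure Proxmox leaves DNS alone"
touch /etc/.pve-ignore.{hosts,resolv.conf}
cat <<EOF > /etc/resolv.conf
search $DOMAIN
nameserver $DNSSERVER
EOF
cat <<EOF > /etc/hosts
127.0.0.1 localhost
::1 localhost6 ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
$IP $FQDN $HOSTNAME
EOF
echo "Installing freeipa client"
apt-get install freeipa-client -qq
echo "Fixing Kerberos"
cp "$SRC_DIR/krb5.conf" /etc/krb5.conf
echo "Enrolling host to FreeIPA"
# -w passes the password as an argument, so it is visible in the process
# list while ipa-client-install runs. Kept because there is no tty here to
# answer the interactive -W prompt; be aware of it on shared hosts.
ipa-client-install --mkhomedir --no-dns-sshfp -U -p enroller -w "${ENROLLER_PW}" --force-join
echo "Fixing Kerberos again"
cp "$SRC_DIR/krb5.conf" /etc/krb5.conf
echo "Adding Service Principal for Puppet on this host"
echo "$ENROLLER_PW" | kinit enroller
ipa service-add "puppet/$FQDN"
# The enroller ticket is only needed for service-add; drop it so it does not
# linger in root's credential cache.
kdestroy
echo "Requesting Certificate for Puppet"
mkdir -p /etc/puppetlabs/puppet/ssl/{private_keys,certs}
# --wait blocks until certmonger has the certificate, so the key and cert
# files exist before puppet is restarted below (the request is otherwise
# asynchronous).
ipa-getcert request --wait -K "puppet/$FQDN" \
  -k "/etc/puppetlabs/puppet/ssl/private_keys/$FQDN.pem" \
  -f "/etc/puppetlabs/puppet/ssl/certs/$FQDN.pem" \
  -N "$FQDN"
cp /etc/ipa/ca.crt /etc/puppetlabs/puppet/ssl/certs/ca.pem
echo "Configuring Puppet to use CA and restart"
cp "$SRC_DIR/puppet.conf" /etc/puppetlabs/puppet/puppet.conf
systemctl restart puppet
# This file embeds the enrollment password; remove it now that it is no
# longer needed. bash keeps reading the already-open file, so unlinking the
# running script is safe.
rm -f -- "${BASH_SOURCE[0]}"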