From 55bcbb6e1cd0feed0ab08271b9358efc02bd0f3b Mon Sep 17 00:00:00 2001
From: Arne Teuke
Date: Wed, 26 Feb 2025 17:05:18 +0100
Subject: [PATCH] fix firewall
---
 manifests/firewall/iptables.pp | 23 +++++++++++++++++++++++
 manifests/main/files.pp | 4 +---
 manifests/params.pp | 11 ++++++++++-
 manifests/server/service.pp | 28 +++++++++++++++++++++++-----
 4 files changed, 57 insertions(+), 9 deletions(-)
diff --git a/manifests/firewall/iptables.pp b/manifests/firewall/iptables.pp
index 50bb4eb..daba168 100644
--- a/manifests/firewall/iptables.pp
+++ b/manifests/firewall/iptables.pp
@@ -18,4 +18,27 @@ class puppet_cd::firewall::iptables (
 jump => 'accept',
 }
 }
+
+ if $fqdn == $pt_db_fqdn {
+ if $pt_use_ssl_only != true {
+ firewall { "3${pt_no_ssl_port} open port ${pt_no_ssl_port}":
+ proto => 'tcp',
+ dport => $pt_no_ssl_port,
+ jump => 'accept',
+ }
+ firewall { "3${pt_ssl_port} open port ${pt_ssl_port}":
+ proto => 'tcp',
+ dport => $pt_ssl_port,
+ jump => 'accept',
+ }
+ }
+
+ if $pt_use_ssl_only == true {
+ firewall { "3${pt_ssl_port} open port ${pt_ssl_port}":
+ proto => 'tcp',
+ dport => $pt_ssl_port,
+ jump => 'accept',
+ }
+ }
+ }
 }
diff --git a/manifests/main/files.pp b/manifests/main/files.pp
index 77e4dae..1f69a91 100644
--- a/manifests/main/files.pp
+++ b/manifests/main/files.pp
@@ -5,8 +5,6 @@
 ###############################################################################
 class puppet_cd::main::files (
-) inherits puppet_cd::params {
-
+) inherits puppet_cd::params {
 require puppet_cd::main::dirs
-
 }
diff --git a/manifests/params.pp b/manifests/params.pp
index 34691d6..983f96d 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
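Review bot: The SSL rule `firewall { "3${pt_ssl_port} open port ${pt_ssl_port}": ... }` is declared identically in both the `!= true` and the `== true` branch of the new `if $fqdn == $pt_db_fqdn` block in manifests/firewall/iptables.pp; since `$pt_use_ssl_only` is typed `Boolean` in params.pp the two conditions are exhaustive, so the SSL rule can be declared once, unconditionally, inside the fqdn check, leaving only the non-SSL rule under `if $pt_use_ssl_only != true {`. Neither rule carries a `source` restriction, so when `pt_use_ssl_only` is false the plaintext port (`'8080'` by default) is accepted from any address; if that listener is only meant for local or trusted-network use, add `source => '<trusted-network-cidr>'` (placeholder) to the non-SSL rule, or keep the listener bound to localhost and drop the rule altogether. `$pt_db_fqdn` is not introduced by this patch and presumably lives in params.pp next to `$pt_pm_fqdn`; worth confirming it is declared, because an undeclared variable evaluates to undef here unless strict_variables is enabled and the block would then never apply.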
@@ -11,6 +11,9 @@
 # @param [string] pt_agent_pkg the packages for agents to install
 # @param [string] pt_server_pkg the server packages to install
 # @param [array] pt_db_pkg the packages for puppetdb
+# @param [string] pt_no_ssl_port non-ssl port number for puppetdb
+# @param [string] pt_ssl_port ssl port for puppetdb
+# @param [boolean] pt_use_ssl_only whether to use ssl only.
 ###############################################################################
 class puppet_cd::params (
@@ -25,11 +28,17 @@ class puppet_cd::params (
 String $pt_server_pkg = 'puppetserver',
 Array $pt_db_pkg = ['puppetdb','puppetdb-termini'],
+ String $pt_no_ssl_port = '8080',
+ String $pt_ssl_port = '8081',
+ Boolean $pt_use_ssl_only = true,
+
 ) {
 $fqdn = $facts['networking']['fqdn']
 # service
- $pt_service = 'puppetserver'
+ $pt_server_service = 'puppetserver'
+ $pt_agent_service = 'puppet'
+ $pt_db_service = 'puppetdb'
 #
 # includes must be last
diff --git a/manifests/server/service.pp b/manifests/server/service.pp
index 634b515..423d149 100644
--- a/manifests/server/service.pp
+++ b/manifests/server/service.pp
@@ -6,15 +6,33 @@ class puppet_cd::server::service (
 ) inherits puppet_cd::params {
+ require puppet_cd::main::files
+
+ # manage agent service on all nodes
+ service { $pt_agent_service:
+ ensure => running,
+ hasstatus => true,
+ hasrestart => true,
+ enable => true,
+ }
+
+ # manage puppet server service
 if $fqdn == $pt_pm_fqdn {
- # manager requirement
- require puppet_cd::firewall::iptables
- require puppet_cd::main::files
- # manage puppet server service
+ service { $pt_server_service:
+ ensure => running,
+ hasstatus => true,
+ hasrestart => true,
+ enable => true,
+ }
+ }
- service { $pt_service:
+ # manage puppetdb service
+ if $fqdn == $pt_db_fqdn {
+ require puppet_cd::firewall::iptables
+
+ service { $pt_db_service:
 ensure => running,
 hasstatus => true,
 hasrestart => true,
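Review bot: `String $pt_no_ssl_port = '8080'` and `String $pt_ssl_port = '8081'` in the `@@ -25,11 +28,17 @@` hunk of manifests/params.pp type port numbers as strings, so a value such as `'80a'` or an empty string passes the class parameter check and presumably only fails later, when the firewall resource validates `dport`; `Integer[1,65535] $pt_no_ssl_port = 8080` (or `Stdlib::Port`, if this module already depends on puppetlabs-stdlib) rejects bad values at the class boundary, and the `@param [string]` lines in the first hunk would change to match. The same hunk renames `$pt_service` to `$pt_server_service` without keeping the old name; service.pp is updated in this patch, but any other manifest or template still reading `$pt_service` would now see undef, so a search for the old name before merging seems worthwhile. The blank line added after `Boolean $pt_use_ssl_only = true,` inside the parameter list is a style nit and can be dropped.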