From 661ae7fc810c5d07704bdf3b1fd529a822762986 Mon Sep 17 00:00:00 2001
From: Arne Teuke
Date: Wed, 26 Feb 2025 18:27:57 +0100
Subject: [PATCH] add user control

---
 manifests/main/config.pp | 2 +-
 manifests/main/dirs.pp | 2 +-
 manifests/main/user.pp | 46 +++++++++++++++++++++++
 manifests/params.pp | 75 ++++++++++++++++++++++++-------------
 manifests/server/service.pp | 1 +
 templates/puppet.conf | 44 ++++++++++++++++++++++
 templates/puppet.conf.erb | 10 +++++
 7 files changed, 152 insertions(+), 28 deletions(-)
 create mode 100644 manifests/main/user.pp
 create mode 100644 templates/puppet.conf
 create mode 100644 templates/puppet.conf.erb

diff --git a/manifests/main/config.pp b/manifests/main/config.pp
index 69856c3..dec6216 100644
--- a/manifests/main/config.pp
+++ b/manifests/main/config.pp
@@ -1,7 +1,7 @@
 ## puppet_cd::main::config.pp
 # Module name: puppet_cd
 # Author: Arne Teuke (arne_teuke@confdroid)
-# @summary Class manages parameters for the puppet_cd module.
+# @summary Class manages main logic for the puppet_cd module.
 ###############################################################################
 class puppet_cd::main::config (
diff --git a/manifests/main/dirs.pp b/manifests/main/dirs.pp
index ae4bfb6..1489834 100644
--- a/manifests/main/dirs.pp
+++ b/manifests/main/dirs.pp
@@ -13,7 +13,7 @@ class puppet_cd::main::dirs (
 path => $pt_main_dir,
 owner => 'root',
 group => 'root',
- mode => '0750',
+ mode => '0755',
 selrange => s0,
 selrole => object_r,
 seltype => puppet_etc_t,
diff --git a/manifests/main/user.pp b/manifests/main/user.pp
new file mode 100644
index 0000000..6f50fe1
--- /dev/null
+++ b/manifests/main/user.pp
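Review bot: Relaxing `$pt_main_dir` from `0750` to `0755` makes `/etc/puppetlabs` traversable by every local account, and neither the hunk nor the commit message says why; if the motivation is that the newly managed non-root `$pt_user` must reach `puppet/ssl`, a comment such as `# 0755: puppetserver runs as $pt_user and must traverse into puppet/ssl` on the `mode` line would record that. Because `$pt_privatekeydir` sits below this directory, protection of the key material now depends solely on the modes of the `puppet` and `ssl` subdirectories, which this hunk does not show, so those are worth confirming as part of this change. The file resource this attribute belongs to opens before the hunk.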
@@ -0,0 +1,46 @@
+## puppet_cd::main::user.pp
+# Module name: puppet_cd
+# Author: Arne Teuke (arne_teuke@confdroid)
+# @summary Class manages user settings for the puppet_cd module.
+###############################################################################
+class puppet_cd::main::user (
+
+) inherits puppet_cd::params {
+ if ($fqdn == $pt_pm_fqdn) and ($pt_manage_user == true) {
+ user { $pt_user:
+ ensure => present,
+ name => $pt_user,
+ allowdupe => false,
+ comment => $pt_user_comment,
+ gid => $pt_user,
+ managehome => true,
+ home => $pt_user_home,
+ shell => $pt_user_shell,
+ }
+
+ group { $pt_user:
+ ensure => present,
+ name => $pt_user,
+ allowdupe => false,
+ }
+ }
+
+ if ($fqdn == $pt_db_fqdn) and ($pt_manage_db_user == true) {
+ user { $pt_db_user:
+ ensure => present,
+ name => $pt_db_user,
+ allowdupe => false,
+ comment => $pt_db_user_comment,
+ gid => $pt_db_user,
+ managehome => true,
+ home => $pt_db_user_home,
+ shell => $pt_db_user_shell,
+ }
+
+ group { $pt_db_user:
+ ensure => present,
+ name => $pt_db_user,
+ allowdupe => false,
+ }
+ }
+}
diff --git a/manifests/params.pp b/manifests/params.pp
index 9cb715c..db8cae8 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
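Review bot: The two `user` and two `group` resources create daemon accounts without `system => true`, so the ids are allocated from the regular login range rather than the system range that daemon accounts conventionally use; adding `system => true,` to each of the four resources fixes that. `allowdupe => false` and `name => $pt_user` restate the defaults and the resource title and can be dropped, and `and ($pt_manage_user == true)` reads more plainly as `and $pt_manage_user` since the parameter is declared `Boolean` in params.pp. The puppet-agent and puppetdb packages presumably create the `puppet` and `puppetdb` accounts themselves; if the package resources are not ordered relative to this class (not visible in the patch), a host where the package ran first with a different home or id will see the two definitions fight, so an explicit relationship or a comment stating the intended order is worth adding.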
@@ -14,43 +14,66 @@ # @param [string] pt_no_ssl_port non-ssl port number for puppetdb # @param [string] pt_ssl_port ssl port for puppetdb # @param [boolean] pt_use_ssl_only whether to use ssl only. +# @param [boolean] pt_manage_user whether to manage the puppet user +# @param [string] pt_user the puppet user +# @param [string] pt_user_comment the user comment +# @param [string] pt_user_home the user home +# @param [string] pt_user_shell the user shell +# @param [boolean] pt_manage_db_user whether to manage the user for puppetdb +# @param [string] pt_db_user the puppetdb user +# @param [string] pt_db_user_comment the user comment for puppetdb user +# @param [string] pt_db_user_home the user home for the puppetdb user +# @param [string] pt_db_user_shell the shell for the puppetdb user ############################################################################### class puppet_cd::params ( - Boolean $pt_manage_fw = true, - String $pt_pm_fqdn = 'puppetmaster.example.net', - String $pt_db_fqdn = 'puppetdb.example.net', + Boolean $pt_manage_fw = true, + String $pt_pm_fqdn = 'puppetmaster.example.net', + String $pt_db_fqdn = 'puppetdb.example.net', # installation - String $pt_package_url = 'https://yum.puppet.com/puppet8-release-el-9.noarch.rpm', - String $pt_pkg_ensure = 'present', - String $pt_agent_pkg = 'puppet-agent', - String $pt_server_pkg = 'puppetserver', - Array $pt_db_pkg = ['puppetdb','puppetdb-termini'], - - String $pt_no_ssl_port = '8080', - String $pt_ssl_port = '8081', - Boolean $pt_use_ssl_only = true, + String $pt_package_url = 'https://yum.puppet.com/puppet8-release-el-9.noarch.rpm', + String $pt_pkg_ensure = 'present', + String $pt_agent_pkg = 'puppet-agent', + String $pt_server_pkg = 'puppetserver', + Array $pt_db_pkg = ['puppetdb','puppetdb-termini'], + # puppetdb + String $pt_no_ssl_port = '8080', + String $pt_ssl_port = '8081', + Boolean $pt_use_ssl_only = true, + # user settings + ## puppet user + Boolean $pt_manage_user = true, + String $pt_user 
= 'puppet', + String $pt_user_comment = 'puppetserver daemon', + String $pt_user_home = '/opt/puppetlabs/server/data/puppetserver', + String $pt_user_shell = '/sbin/nologin', + ## puppetdb user + Boolean $pt_manage_db_user = true, + String $pt_db_user = 'puppetdb', + String $pt_db_user_comment = 'PuppetDB daemon', + String $pt_db_user_home = '/opt/puppetlabs/server/data/puppetdb', + String $pt_db_user_shell = '/sbin/nologin', ) { - $fqdn = $facts['networking']['fqdn'] + $fqdn = $facts['networking']['fqdn'] # directories - $pt_main_dir = '/etc/puppetlabs' - $pt_puppetdir = "${pt_main_dir}/puppet" - $pt_code_dir = "${pt_main_dir}/code" - $pt_environmentspath = "${pt_code_dir}/environments" - $pt_ssldir = "${pt_puppetdir}/ssl" - $pt_privatekeydir = "${pt_ssldir}/private_keys" - $pt_rundir = '/var/run/puppetlabs' - $pt_rundir_master = '/var/run/puppetlabs/puppetserver' - $pt_vardir = '/opt/puppetlabs/puppet/cache' - $pt_vardir_master = '/opt/puppetlabs/server/data/puppetserver' + $pt_main_dir = '/etc/puppetlabs' + $pt_puppetdir = "${pt_main_dir}/puppet" + $pt_code_dir = "${pt_main_dir}/code" + $pt_environmentspath = "${pt_code_dir}/environments" + $pt_ssldir = "${pt_puppetdir}/ssl" + $pt_privatekeydir = "${pt_ssldir}/private_keys" + $pt_rundir = '/var/run/puppetlabs' + $pt_rundir_master = '/var/run/puppetlabs/puppetserver' + $pt_vardir = '/opt/puppetlabs/puppet/cache' + $pt_vardir_master = '/opt/puppetlabs/server/data/puppetserver' # service - $pt_server_service = 'puppetserver' - $pt_agent_service = 'puppet' - $pt_db_service = 'puppetdb' + $pt_server_service = 'puppetserver' + $pt_agent_service = 'puppet' + $pt_db_service = 'puppetdb' # # includes must be last diff --git a/manifests/server/service.pp b/manifests/server/service.pp index 423d149..680be62 100644 --- a/manifests/server/service.pp +++ b/manifests/server/service.pp 
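Review bot: `$pt_user_home` defaults to the same literal path that the class body assigns to `$pt_vardir_master` (`/opt/puppetlabs/server/data/puppetserver`), so the two can drift apart silently; a comment on the parameter such as `# must agree with $pt_vardir_master below` or deriving the body variable from the parameter would keep them in step. `$fqdn` is still taken from `$facts['networking']['fqdn']`, a value the agent reports about itself, whereas `$trusted['certname']` is the identity the server verified from the certificate; since this variable now also gates account creation, it would be the safer source if the role checks are meant to be authoritative. The rest of the hunk is column realignment, and the class body continues past `# includes must be last`, outside the hunk.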
@@ -19,6 +19,7 @@ class puppet_cd::server::service ( # manage puppet server service if $fqdn == $pt_pm_fqdn { require puppet_cd::firewall::iptables + require puppet_cd::main::user service { $pt_server_service: ensure => running, diff --git a/templates/puppet.conf b/templates/puppet.conf new file mode 100644 index 0000000..6f2ca0c --- /dev/null +++ b/templates/puppet.conf @@ -0,0 +1,44 @@ +# file managed by puppet +[main] + basemodulepath = /etc/puppetlabs/code/environments/common:/etc/puppetlabs/code/modules:/opt/puppetlabs/puppet/modules:/usr/share/puppet/modules + certname = fm002.confdroid.com + codedir = /etc/puppetlabs/code + environmentpath = /etc/puppetlabs/code/environments + hiera_config = $confdir/hiera.yaml + hostprivkey = $privatekeydir/$certname.pem { mode = 640 } + logdir = /var/log/puppetlabs/puppet + pluginfactsource = puppet:///pluginfacts + pluginsource = puppet:///plugins + privatekeydir = $ssldir/private_keys { group = service } + reports = foreman + rundir = /var/run/puppetlabs + server = fm002.confdroid.com + show_diff = false + ssldir = /etc/puppetlabs/puppet/ssl + vardir = /opt/puppetlabs/puppet/cache + +[agent] + classfile = $statedir/classes.txt + default_schedules = false + environment = production + masterport = 8140 + noop = false + report = true + runinterval = 1800 + splay = false + splaylimit = 1800 + usecacheonfailure = true + +[server] + autosign = /etc/puppetlabs/puppet/autosign.conf { mode = 0664 } + ca = true + certname = fm002.confdroid.com + external_nodes = /etc/puppetlabs/puppet/node.rb + logdir = /var/log/puppetlabs/puppetserver + node_terminus = exec + parser = current + rundir = /var/run/puppetlabs/puppetserver + ssldir = /etc/puppetlabs/puppet/ssl + storeconfigs = false + strict_variables = false + vardir = /opt/puppetlabs/server/data/puppetserver diff --git a/templates/puppet.conf.erb b/templates/puppet.conf.erb new file mode 100644 index 0000000..a651899 --- /dev/null +++ b/templates/puppet.conf.erb 
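Review bot: `templates/puppet.conf` is a configuration dump from a single host rather than a template: `certname` and `server` are pinned to `fm002.confdroid.com`, `reports = foreman`, `node_terminus = exec` and `external_nodes = /etc/puppetlabs/puppet/node.rb` are site-specific, none of the values come from `puppet_cd::params`, and nothing else in the patch references the file. If it is meant as a reference for the `.erb` beside it, a first line such as `# reference dump from one host; not rendered by the module` (or keeping it outside `templates/`) would stop it being mistaken for the managed configuration. The `[server]` settings `ca = true` and `autosign = ... { mode = 0664 }` control who is issued certificates, and `0664` leaves the autosign list group-writable, so if this file is ever rendered those values should come from parameters rather than be hard-coded.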
@@ -0,0 +1,10 @@
+###############################################################################
+########## puppet.conf generated by puppet ###########
+###############################################################################
+
+<% if @fqdn == @pt_pm_fqdn -%>
+
+<% end end -%>
+<% if @fqdn != @pt_pm_fqdn -%>
+
+<% end end -%>
\ No newline at end of file
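Review bot: `<% end end -%>` closes each `if` twice, so the template fails with a Ruby SyntaxError the first time it is rendered; both closers should be `<% end -%>`. The two blocks are empty and the second condition is the negation of the first, so once the bodies exist `<% if @fqdn == @pt_pm_fqdn -%> … <% else -%> … <% end -%>` expresses the intent in one construct. The file also lacks a trailing newline, as the patch marker shows.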