add user control

manifests/main/config.pp

@@ -1,7 +1,7 @@
 ## puppet_cd::main::config.pp
 # Module name: puppet_cd
 # Author: Arne Teuke (arne_teuke@confdroid)
-# @summary  Class manages parameters for the puppet_cd module.
+# @summary  Class manages main logic for the puppet_cd module.
 ###############################################################################
 class puppet_cd::main::config (
 

manifests/main/dirs.pp

@@ -13,7 +13,7 @@ class puppet_cd::main::dirs (
     path     => $pt_main_dir,
     owner    => 'root',
     group    => 'root',
-    mode     => '0750',
+    mode     => '0755',
     selrange => s0,
     selrole  => object_r,
     seltype  => puppet_etc_t,

manifests/main/user.pp

@@ -0,0 +1,46 @@
+## puppet_cd::main::user.pp
+# Module name: puppet_cd
+# Author: Arne Teuke (arne_teuke@confdroid)
+# @summary  Class manages user settings for the puppet_cd module.
+###############################################################################
+class puppet_cd::main::user (
+
+) inherits puppet_cd::params {
+  if ($fqdn == $pt_pm_fqdn) and ($pt_manage_user == true) {
+    user { $pt_user:
+      ensure     => present,
+      name       => $pt_user,
+      allowdupe  => false,
+      comment    => $pt_user_comment,
+      gid        => $pt_user,
+      managehome => true,
+      home       => $pt_user_home,
+      shell      => $pt_user_shell,
+    }
+
+    group { $pt_user:
+      ensure    => present,
+      name      => $pt_user,
+      allowdupe => false,
+    }
+  }
+
+  if ($fqdn == $pt_db_fqdn) and ($pt_manage_db_user == true) {
+    user { $pt_db_user:
+      ensure     => present,
+      name       => $pt_db_user,
+      allowdupe  => false,
+      comment    => $pt_db_user_comment,
+      gid        => $pt_db_user,
+      managehome => true,
+      home       => $pt_db_user_home,
+      shell      => $pt_db_user_shell,
+    }
+
+    group { $pt_db_user:
+      ensure    => present,
+      name      => $pt_db_user,
+      allowdupe => false,
+    }
+  }
+}

manifests/params.pp

@@ -14,6 +14,16 @@
 # @param [string] pt_no_ssl_port non-ssl port number for puppetdb
 # @param [string] pt_ssl_port ssl port for puppetdb
 # @param [boolean] pt_use_ssl_only whether to use ssl only.
+# @param [boolean] pt_manage_user whether to manage the puppet user
+# @param [string] pt_user the puppet user
+# @param [string] pt_user_comment the user comment
+# @param [string] pt_user_home the user home
+# @param [string] pt_user_shell the user shell
+# @param [boolean] pt_manage_db_user whether to manage the user for puppetdb
+# @param [string] pt_db_user the puppetdb user
+# @param [string] pt_db_user_comment the user comment for puppetdb user
+# @param [string] pt_db_user_home the user home for the puppetdb user
+# @param [string] pt_db_user_shell the shell for the puppetdb user
 ###############################################################################
 class puppet_cd::params (
 
@@ -27,10 +37,23 @@ class puppet_cd::params (
   String $pt_agent_pkg        = 'puppet-agent',
   String $pt_server_pkg       = 'puppetserver',
   Array $pt_db_pkg            = ['puppetdb','puppetdb-termini'],
-
+  # puppetdb
   String $pt_no_ssl_port      = '8080',
   String $pt_ssl_port         = '8081',
   Boolean $pt_use_ssl_only    = true,
+  # user settings
+  ## puppet user
+  Boolean $pt_manage_user     = true,
+  String $pt_user             = 'puppet',
+  String $pt_user_comment     = 'puppetserver daemon',
+  String $pt_user_home        = '/opt/puppetlabs/server/data/puppetserver',
+  String $pt_user_shell       = '/sbin/nologin',
+  ## puppetdb user
+  Boolean $pt_manage_db_user  = true,
+  String $pt_db_user          = 'puppetdb',
+  String $pt_db_user_comment  = 'PuppetDB daemon',
+  String $pt_db_user_home     = '/opt/puppetlabs/server/data/puppetdb',
+  String $pt_db_user_shell    = '/sbin/nologin',
 
 ) {
   $fqdn                       = $facts['networking']['fqdn']

manifests/server/service.pp

@@ -19,6 +19,7 @@ class puppet_cd::server::service (
   # manage puppet server service
   if $fqdn == $pt_pm_fqdn {
     require puppet_cd::firewall::iptables
+    require puppet_cd::main::user
 
     service { $pt_server_service:
       ensure     => running,

templates/puppet.conf

@@ -0,0 +1,44 @@
+# file managed by puppet
+[main]
+    basemodulepath = /etc/puppetlabs/code/environments/common:/etc/puppetlabs/code/modules:/opt/puppetlabs/puppet/modules:/usr/share/puppet/modules
+    certname = fm002.confdroid.com
+    codedir = /etc/puppetlabs/code
+    environmentpath = /etc/puppetlabs/code/environments
+    hiera_config = $confdir/hiera.yaml
+    hostprivkey = $privatekeydir/$certname.pem { mode = 640 }
+    logdir = /var/log/puppetlabs/puppet
+    pluginfactsource = puppet:///pluginfacts
+    pluginsource = puppet:///plugins
+    privatekeydir = $ssldir/private_keys { group = service }
+    reports = foreman
+    rundir = /var/run/puppetlabs
+    server = fm002.confdroid.com
+    show_diff = false
+    ssldir = /etc/puppetlabs/puppet/ssl
+    vardir = /opt/puppetlabs/puppet/cache
+
+[agent]
+    classfile = $statedir/classes.txt
+    default_schedules = false
+    environment = production
+    masterport = 8140
+    noop = false
+    report = true
+    runinterval = 1800
+    splay = false
+    splaylimit = 1800
+    usecacheonfailure = true
+
+[server]
+    autosign = /etc/puppetlabs/puppet/autosign.conf { mode = 0664 }
+    ca = true
+    certname = fm002.confdroid.com
+    external_nodes = /etc/puppetlabs/puppet/node.rb
+    logdir = /var/log/puppetlabs/puppetserver
+    node_terminus = exec
+    parser = current
+    rundir = /var/run/puppetlabs/puppetserver
+    ssldir = /etc/puppetlabs/puppet/ssl
+    storeconfigs = false
+    strict_variables = false
+    vardir = /opt/puppetlabs/server/data/puppetserver

templates/puppet.conf.erb

@@ -0,0 +1,10 @@
+###############################################################################
+##########          puppet.conf generated by puppet                 ###########
+###############################################################################
+
+<% if @fqdn == @pt_pm_fqdn  -%>
+
+<% end end -%>
+<% if @fqdn != @pt_pm_fqdn  -%>
+
+<% end end -%>