forked from ComputeCanada/magic_castle
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathpuppetmaster.yaml
92 lines (88 loc) · 3.61 KB
/
puppetmaster.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
#cloud-config
packages:
- git
- pciutils
- unzip
users:
- name: ${sudoer_username}
groups: adm, wheel, systemd-journal
homedir: /${sudoer_username}
selinux_user: unconfined_u
sudo: ALL=(ALL) NOPASSWD:ALL
ssh_authorized_keys:
%{ for key in ssh_authorized_keys ~}
- ${key}
%{ endfor ~}
runcmd:
- restorecon -R /${sudoer_username}
- "(echo -e '\nHostKeyAlgorithms ssh-rsa\n' >> /etc/ssh/sshd_config && systemctl restart sshd)"
- yum remove -y firewalld
- yum upgrade -y
# puppet master configuration
- yum -y install https://yum.puppet.com/puppet6-release-el-$(grep -oP 'VERSION_ID="\K[^"]+' /etc/os-release).noarch.rpm
- yum -y install puppetserver-6.13.0 puppet-agent-6.18.0
- mkdir /var/autosign
- chown puppet:puppet /var/autosign
- chmod 750 /var/autosign
- touch /var/log/autosign.log
- chown puppet:puppet /var/log/autosign.log
- /opt/puppetlabs/puppet/bin/gem install autosign
- /opt/puppetlabs/bin/puppet config set autosign /opt/puppetlabs/puppet/bin/autosign-validator --section master
- /opt/puppetlabs/bin/puppet config set allow_duplicate_certs true --section master
- /opt/puppetlabs/bin/puppet config set certname ${node_name}
- /opt/puppetlabs/bin/puppet config set report false
- /opt/puppetlabs/bin/puppet config set postrun_command /opt/puppetlabs/bin/postrun
- install -m 700 /dev/null /opt/puppetlabs/bin/postrun
- chown puppet:puppet /etc/autosign.conf
- sed -i 's/^\(After=.*\)$/\1 puppetserver.service/' /usr/lib/systemd/system/puppet.service
- systemctl daemon-reload
- systemctl enable puppetserver
- systemctl enable puppet
- rm -rf /etc/puppetlabs/code/environments/production
- git clone ${puppetenv_git} /etc/puppetlabs/code/environments/production
- "(cd /etc/puppetlabs/code/environments/production; git checkout ${puppetenv_rev})"
- mkdir -p /etc/puppetlabs/data
- chgrp -R puppet /etc/puppetlabs/data
- ln -sf /etc/puppetlabs/data/terraform_data.yaml /etc/puppetlabs/code/environments/production/data/
- ln -sf /etc/puppetlabs/data/user_data.yaml /etc/puppetlabs/code/environments/production/data/
- /opt/puppetlabs/puppet/bin/gem install librarian-puppet
- "(cd /etc/puppetlabs/code/environments/production/ && HOME=/root PATH=$PATH:/opt/puppetlabs/puppet/bin /opt/puppetlabs/puppet/bin/librarian-puppet install)"
# Bootstrap services that are essential to puppet agents
- /opt/puppetlabs/bin/puppet apply -e 'include profile::consul::server'
# Kernel configuration
- systemctl disable kdump
- sed -i 's/crashkernel=auto/crashkernel=no/' /etc/default/grub
- grub2-mkconfig -o /boot/grub2/grub.cfg
# Remove all ifcfg configuration files that have no corresponding network interface in ip link show.
- for i in /etc/sysconfig/network-scripts/ifcfg-*; do if ! ip link show | grep -q "$${i##*-}:"; then rm -f $i; fi; done
write_files:
- content: |
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 puppet
path: /etc/hosts
permissions: "0644"
- content: |
facts : {
blocklist : [ "EC2" ],
}
path: /etc/puppetlabs/facter/facter.conf
permissions: "0644"
- content: |
---
general:
loglevel: warn
logfile: "/var/log/autosign.log"
jwt_token:
secret: "${puppetmaster_password}"
validity: '7200'
journalfile: "/root/var/autosign/autosign.journal"
password_list:
password: "${puppetmaster_password}"
path: /etc/autosign.conf
permissions: "0640"
disable_ec2_metadata: false
timezone: "UTC"
fqdn: "${node_name}"
output: { all: "| tee -a /var/log/cloud-init-output.log" }
power_state:
delay: now
mode: reboot