# Configuration for a Puppet client. Handles the Puppet configuration and
# syslog filtering rules.
# Helper define to generate Puppet configuration files.
# base::puppetclient::config
#
# Manages one Puppet configuration file (the resource title is its path) and
# the defaults file named by $defaultfile.  The defaults file is declared
# whatever the value of $ensure.
#
# Parameters:
#   ensure      - 'present' or 'absent'.  Any other value only logs through
#                 crit() and declares no resource for $name.
#   template    - ERB template rendered into $name on non-master systems.
#                 The master branch ignores it and uses a hard-coded template.
#   replace     - handed to the file's replace attribute (non-master only).
#   defaultfile - path that receives base/puppetclient/puppet.default.erb.
#   is_master   - when true, /etc/puppet/puppet.conf is built in two stages
#                 with generate-conf instead of being written directly.
#   runinterval, server, ca_server, in_noop, pm, start, diff_args
#               - not referenced in this body; presumably consumed by the ERB
#                 templates, which are not visible here.
define base::puppetclient::config(
  $ensure,
  $template    = 'base/puppetclient/puppet.conf.template.erb',
  $runinterval = '',
  $server      = '',
  $ca_server   = '',
  $in_noop     = false,
  $pm          = false,
  $start       = true,
  $replace     = true,
  $defaultfile = '/etc/default/puppet',
  $is_master   = false,
  $diff_args   = '-u'
) {
  # SSL directory by operating system.  Not used in this body; presumably
  # read by a template.  The selector has no default arm, so an operating
  # system outside this list matches nothing.
  $ssldir = $::operatingsystem ? {
    'debian' => '/etc/puppet/ssl',
    'ubuntu' => '/etc/puppet/ssl',
    'redhat' => '/var/lib/puppet/ssl',
  }

  case $ensure {
    'present': {
      if $is_master {
        # Master: puppet.conf is produced in two stages.
        #   1. The ERB template is rendered to
        #      /etc/puppet/puppet.conf.template.
        #   2. generate-conf converts that file into /etc/puppet/puppet.conf,
        #      reading the database ini file, which therefore has to be in
        #      place first.
        # The db_credentials class downloads the wallet object that holds
        # the database credentials.
        include base::puppetclient::db_credentials

        # Paths used by both stages.  They are fixed here and do not follow
        # the resource title.
        $template_file = '/etc/puppet/puppet.conf.template'
        # NOTE(review): the class included above is
        # base::puppetclient::db_credentials, but the variables are read as
        # $puppetclient::db_credentials::...  This appears to depend on
        # relative namespace lookup -- confirm on the Puppet version in use.
        $db_config     = $puppetclient::db_credentials::puppet_db_ini_file
        $puppet_config = '/etc/puppet/puppet.conf'

        # Stage 1: write the intermediate template.
        file { $template_file:
          content => template('base/puppetclient/puppet.conf.template.erb'),
          mode    => '0644',
          owner   => 'root',
          group   => 'root',
        }

        # Stage 2: regenerate puppet.conf, but only when the template or the
        # credentials wallet changes (refreshonly plus subscribe).
        #
        # NOTE(review): the command is not fully qualified and no path
        # attribute is set here; presumably a global Exec default supplies
        # the search path -- confirm it lists only root-owned directories.
        #
        # NOTE(review): nothing in this define sets owner or mode on the
        # generated $puppet_config.  If generate-conf copies database
        # credentials into it, confirm the result is not world-readable.
        exec { 'generate-conf puppet.conf':
          command     => "generate-conf --template $template_file --config $db_config --newfile $puppet_config",
          refreshonly => true,
          subscribe   => [
            File[$template_file],
            Base::Wallet[$puppetclient::db_credentials::credentials_wallet_name],
          ],
        }
      } else {
        # Ordinary client: render the chosen template straight into $name.
        file { $name:
          content => template($template),
          replace => $replace,
        }
      }
    }
    'absent': {
      file { $name:
        ensure => absent,
      }
    }
    default: {
      # Logged only; the catalog still compiles with no resource for $name.
      crit("Invalid ensure value: $ensure")
    }
  }

  # Sits outside the case statement, so it applies to every $ensure value.
  file { $defaultfile:
    content => template('base/puppetclient/puppet.default.erb'),
  }
}
class base::puppetclient {
  # Configuration directory for everything declared below.
  file { '/etc/puppet':
    ensure => directory,
  }

  # Main client configuration, using the define's defaults.  Subclasses
  # adjust it through resource overrides on this title.
  base::puppetclient::config { '/etc/puppet/puppet.conf':
    ensure => present,
  }

  # The package depends on the configuration being declared first.
  package { 'puppet':
    ensure  => present,
    require => Base::Puppetclient::Config['/etc/puppet/puppet.conf'],
  }

  # Squeeze only: manage the APT preferences file for Puppet.  The original
  # note says squeeze defaulted to the backports version of Puppet, that this
  # backs out the backports preference, and that the section can be removed
  # once Puppet has run everywhere.
  if $::lsbdistcodename == 'squeeze' {
    file { '/etc/apt/preferences.d/puppet':
      source => 'puppet:///modules/base/puppetclient/etc/apt/preferences.d/puppet',
    }
  }

  # Install an auth.conf as additional protection against a Puppet
  # vulnerability that could allow unauthenticated Puppet nodes to
  # manipulate its configuration.
  #
  # NOTE(review): owner, group and mode are not set here, so they come from
  # File defaults or from the source file -- confirm the installed file is
  # root-owned and not writable by anyone else.
  file { '/etc/puppet/auth.conf':
    source => 'puppet:///modules/base/puppetclient/etc/puppet/auth.conf',
  }

  # filter-syslog rules for the Puppet client.
  file { '/etc/filter-syslog/puppet':
    source => 'puppet:///modules/base/puppetclient/etc/filter-syslog/puppet',
  }

  # Hourly check for a running puppetd process.
  #
  # NOTE(review): no mode is set here.  run-parts skips files without the
  # execute bit, so the mode has to come from the source file or a File
  # default -- confirm the check actually runs, and that the script is
  # root-owned.
  file { '/etc/cron.hourly/check-puppet':
    source => 'puppet:///modules/base/puppetclient/etc/cron.hourly/check-puppet',
  }
}
# Used by systems that want to run Puppet in no-op mode. This class
# probably only supports Debian right now.
class base::puppetclient::noop inherits base::puppetclient {
  # Resource override on the config declared by the parent class; every
  # other inherited resource is left as it is.
  Base::Puppetclient::Config['/etc/puppet/puppet.conf'] {
    in_noop => true,
  }
}
# This class sets up puppetclient with a run interval of once every two
# hours.
class base::puppetclient::infrequent inherits base::puppetclient {
  # Override only the run interval of the inherited config resource.
  # 7200 is presumably seconds, i.e. two hours -- the unit is set by the
  # template, which is not visible here.
  Base::Puppetclient::Config['/etc/puppet/puppet.conf'] {
    runinterval => 7200,
  }
}
# Puppet client running in our dev environment for puppet testing and
# development (CA -> puppetca-dev).
class base::puppetclient::dev inherits base::puppetclient {
  # Point the inherited config resource at the dev master and the
  # puppetca-dev certificate authority.
  #
  # NOTE(review): presumably the template writes both values into
  # puppet.conf, so a node with this class would trust the dev CA -- confirm
  # it is applied to dev/test nodes only.
  Base::Puppetclient::Config['/etc/puppet/puppet.conf'] {
    server    => 'jimhenson-dev.stanford.edu',
    ca_server => 'puppetca-dev.stanford.edu',
  }
}
# Puppet client running in our dev environment for puppet testing and
# development (CA -> lsdb-dev).
class base::puppetclient::lsdb_dev inherits base::puppetclient {
  # Same dev master as base::puppetclient::dev, but with lsdb-dev as the
  # certificate authority.
  #
  # NOTE(review): presumably the template writes both values into
  # puppet.conf, so a node with this class would trust the lsdb-dev CA --
  # confirm it is applied to dev/test nodes only.
  Base::Puppetclient::Config['/etc/puppet/puppet.conf'] {
    server    => 'jimhenson-dev.stanford.edu',
    ca_server => 'lsdb-dev.stanford.edu',
  }
}
# Puppet client that will only list changed lines without context in puppet log
class base::puppetclient::neat inherits base::puppetclient {
  # Override the diff arguments of the inherited config resource so that
  # diffs carry zero lines of context ('--unified=0' replaces the define's
  # default of '-u').
  Base::Puppetclient::Config['/etc/puppet/puppet.conf'] {
    diff_args => '--unified=0',
  }
}