ansible-role-puppet_server/tasks/configure.yml

---
- name: Find puppetserver command
  shell: which puppetserver | awk '{print($1)}' | true
  register: which_puppetserver

- name: Find puppetserver command with where
  shell: "whereis -b puppetserver | awk 'BEGIN {FS=\": \"} {print($2)}'"
  register: which_puppetserver
  when: which_puppetserver.stdout == ""

- name: Fail if not found puppetserver command
  fail:
    msg: "Puppet server command couldn't be found"
  when: which_puppetserver.stdout == ""

- name: Create self-signed certificate authority
  shell: "{{ which_puppetserver.stdout }} ca setup --subject-alt-names {{ subject_alt_names | join(',') }} --ca-name {{ puppet_server_name }} --certname {{ puppet_server_name }}"
  args:
    creates: /etc/puppetlabs/puppet/ssl/ca/ca_crt.pem

- name: Find puppet command
  shell: which puppet | awk '{print($1)}' | true
  register: which_puppet
- name: Show puppet command
  debug:
    msg: "Puppet command: '{{ which_puppet.stdout }}'"

- name: Find puppet command with where
  shell: "whereis -b puppet | awk 'BEGIN {FS=\" \"} {print($2)}'"
  register: which_puppet
  when: which_puppet.stdout == ""

- name: Fail if not found puppet command
  fail:
    msg: "Puppet command couldn't be found"
  when: which_puppet.stdout == ""

- name: Get puppet configuration file
  shell: "{{ which_puppet.stdout }} config print config"
  register: puppet_config_file_result

- name: Set variable for Puppet configuration file
  set_fact:
    puppet_config_file: "{{ puppet_config_file_result.stdout }}"

- name: Ensure puppet server master section is configured
  ini_file:
    path: "{{ puppet_config_file }}"
    section: master
    option: "{{ item.key }}"
    value: "{{ item.value }}"
    mode: '0644'
    backup: true
    create: true
  loop: "{{ puppet_master_config | dict2items }}"
  notify: 'Restart puppetserver'

- name: Ensure puppet server main section is configured
  ini_file:
    path: "{{ puppet_config_file }}"
    section: main
    option: "{{ item.key }}"
    value: "{{ item.value }}"
    mode: '0644'
    backup: true
    create: true
  loop: "{{ puppet_master_config | dict2items }}"
  notify: 'Restart puppetserver'

- name: Ensure puppet server server section is configured
  ini_file:
    path: "{{ puppet_config_file }}"
    section: server
    option: "{{ item.key }}"
    value: "{{ item.value }}"
    mode: '0644'
    backup: true
    create: true
  loop: "{{ puppet_server_config | dict2items }}"
  notify: 'Restart puppetserver'

- name: Configure CA server
  ini_file:
    path: "{{ puppet_config_file }}"
    section: master
    option: ca_server
    value: "{{ puppet_server_name }}"
#  shell: "{{ which_puppet.stdout }} config set ca_server {{ puppet_server_name }}"

- name: Configure autosign server
  ini_file:
    path: "{{ puppet_config_file }}"
    section: master
    option: autosign
    value: "true"
#  shell: "{{ which_puppet.stdout }} config set autosign true"

- name: Check if puppet code folder exists
  stat:
    path: /etc/puppetlabs/code/environments/production
  register: puppet_code

- name: Check if readme file exists in puppet code folder
  stat:
    path: /etc/puppetlabs/code/environments/production/README.md
  register: code_readme
  when: puppet_code.stat.exists

- name: Copy puppet code folder if there is no readme (not from repo then)
  copy:
    remote_src: true
    src: /etc/puppetlabs/code/environments/production
    dest: /etc/puppetlabs/code/environments/production.bak
  when: puppet_code.stat.exists and not code_readme.stat.exists

- name: Ensure UFW allow access to the server
  ufw:
    rule: allow
    port: "{{ puppet_master_config['serverport'] | default(8140) }}"

- name: Ensure puppetserver service is enabled and start
  service:
    name: puppetserver
    state: started
    enabled: true

- name: Ensure r10k configuration folder exists
  file:
    path: /etc/puppetlabs/r10k
    state: directory
    owner: puppet
    group: puppet

- name: Ensure r10k is configured
  copy:
    dest: /etc/puppetlabs/r10k/r10k.yaml
    content: "{{ r10k_config | to_nice_yaml }}"
    owner: puppet
    group: puppet
    backup: true

- name: Deploy environment
  shell: r10k deploy environment -p --config /etc/puppetlabs/r10k/r10k.yaml

- name: Ensure service unit to update puppet code exists
  template:
    src: templates/update_puppet_code.service.j2
    dest: /etc/systemd/system/update_puppet_code.service
    mode: 0644
    backup: yes
  notify: Reload Systemd daemon

- name: Ensure timer unit to update puppet code exists
  copy:
    src: files/update_puppet_code.timer
    dest: /etc/systemd/system/update_puppet_code.timer
    mode: 0644
    backup: yes
  notify: Reload Systemd daemon

- name: Ensure service to update puppet code is enabled
  service:
    name: update_puppet_code
    enabled: true

- name: Configure reports to prometheus exporter
  copy:
    src: files/prometheus.yaml
    dest: /etc/puppetlabs/puppet/prometheus.yaml
    backup: yes

- name: Configure puppet reports to prometheus
  ini_file:
    path: "{{ puppet_config_file }}"
    section: master
    option: reports
    value: prometheus

- name: Ensure node-exporter folder exists
  file:
    state: directory
    path: /var/lib/prometheus/node-exporter/

- name: Add ACL for user puppet to write in node-exporter folder
  ansible.posix.acl:
    path: /var/lib/prometheus/node-exporter/
    entity: puppet
    etype: user
    permissions: rwx
    state: present

- name: Ensure there is a node_exporter group
  group:
    name: node_exporter

- name: Add puppet to node_exporter group
  user:
    name: puppet
    append: true
    groups:
      - node_exporter

- name: Add prometheus user to puppet group
  user:
    name: prometheus
    append: true
    groups:
      - puppet

- name: Ensure hiera-eyaml is installed
  shell: "{{ which_puppetserver.stdout }} gem install hiera-eyaml"
  args:
    creates: /opt/puppetlabs/server/data/puppetserver/jruby-gems/bin/eyaml

- name: Ensure folder for eyaml keys exists
  file:
    path: /etc/puppetlabs/puppet/eyaml
    state: directory
    owner: puppet
    group: puppet
    mode: 0770

- name: Create eyaml keys
  shell: eyaml createkeys
  args:
    chdir: /etc/puppetlabs/puppet/eyaml
    creates: /etc/puppetlabs/puppet/eyaml/keys/private_key.pkcs7.pem
  remote_user: puppet

- name: Get eyaml public key
  slurp:
    src: /etc/puppetlabs/puppet/eyaml/keys/public_key.pkcs7.pem
  register: eyaml_public_key

- name: Show public key
  debug:
    msg: "EYAML public key is '{{ eyaml_public_key | b64decode }}'"
Initial commit with previous code 2022-10-11 09:19:09 +02:00			`---`
			`- name: Find puppetserver command`
fix if which find two puppet 2022-10-17 11:14:57 +02:00			`shell: which puppetserver \| awk '{print($1)}' \| true`
Initial commit with previous code 2022-10-11 09:19:09 +02:00			`register: which_puppetserver`

			`- name: Find puppetserver command with where`
update whereis for binaries 2022-10-21 15:43:13 +02:00			`shell: "whereis -b puppetserver \| awk 'BEGIN {FS=\": \"} {print($2)}'"`
Initial commit with previous code 2022-10-11 09:19:09 +02:00			`register: which_puppetserver`
			`when: which_puppetserver.stdout == ""`

			`- name: Fail if not found puppetserver command`
			`fail:`
			`msg: "Puppet server command couldn't be found"`
			`when: which_puppetserver.stdout == ""`

			`- name: Create self-signed certificate authority`
			`shell: "{{ which_puppetserver.stdout }} ca setup --subject-alt-names {{ subject_alt_names \| join(',') }} --ca-name {{ puppet_server_name }} --certname {{ puppet_server_name }}"`
			`args:`
			`creates: /etc/puppetlabs/puppet/ssl/ca/ca_crt.pem`

			`- name: Find puppet command`
Add more output 2022-10-17 11:27:52 +02:00			`shell: which puppet \| awk '{print($1)}' \| true`
Initial commit with previous code 2022-10-11 09:19:09 +02:00			`register: which_puppet`
Add more output 2022-10-17 11:27:52 +02:00			`- name: Show puppet command`
			`debug:`
			`msg: "Puppet command: '{{ which_puppet.stdout }}'"`
Initial commit with previous code 2022-10-11 09:19:09 +02:00
			`- name: Find puppet command with where`
update whereis for binaries 2022-10-21 15:43:13 +02:00			`shell: "whereis -b puppet \| awk 'BEGIN {FS=\" \"} {print($2)}'"`
Initial commit with previous code 2022-10-11 09:19:09 +02:00			`register: which_puppet`
			`when: which_puppet.stdout == ""`

			`- name: Fail if not found puppet command`
			`fail:`
			`msg: "Puppet command couldn't be found"`
			`when: which_puppet.stdout == ""`

Get configuration file from puppet 2022-12-01 07:53:46 +01:00			`- name: Get puppet configuration file`
			`shell: "{{ which_puppet.stdout }} config print config"`
			`register: puppet_config_file_result`

			`- name: Set variable for Puppet configuration file`
fix set_fact 2022-12-01 07:56:42 +01:00			`set_fact:`
Get configuration file from puppet 2022-12-01 07:53:46 +01:00			`puppet_config_file: "{{ puppet_config_file_result.stdout }}"`

			`- name: Ensure puppet server master section is configured`
			`ini_file:`
			`path: "{{ puppet_config_file }}"`
			`section: master`
			`option: "{{ item.key }}"`
			`value: "{{ item.value }}"`
			`mode: '0644'`
			`backup: true`
			`create: true`
			`loop: "{{ puppet_master_config \| dict2items }}"`
			`notify: 'Restart puppetserver'`

configure main section 2022-12-01 08:32:59 +01:00			`- name: Ensure puppet server main section is configured`
			`ini_file:`
			`path: "{{ puppet_config_file }}"`
			`section: main`
			`option: "{{ item.key }}"`
			`value: "{{ item.value }}"`
			`mode: '0644'`
			`backup: true`
			`create: true`
			`loop: "{{ puppet_master_config \| dict2items }}"`
			`notify: 'Restart puppetserver'`

Get configuration file from puppet 2022-12-01 07:53:46 +01:00			`- name: Ensure puppet server server section is configured`
			`ini_file:`
			`path: "{{ puppet_config_file }}"`
			`section: server`
			`option: "{{ item.key }}"`
			`value: "{{ item.value }}"`
			`mode: '0644'`
			`backup: true`
			`create: true`
			`loop: "{{ puppet_server_config \| dict2items }}"`
			`notify: 'Restart puppetserver'`

Initial commit with previous code 2022-10-11 09:19:09 +02:00			`- name: Configure CA server`
Get configuration file from puppet 2022-12-01 07:53:46 +01:00			`ini_file:`
			`path: "{{ puppet_config_file }}"`
			`section: master`
			`option: ca_server`
			`value: "{{ puppet_server_name }}"`
			`# shell: "{{ which_puppet.stdout }} config set ca_server {{ puppet_server_name }}"`
Initial commit with previous code 2022-10-11 09:19:09 +02:00
			`- name: Configure autosign server`
Get configuration file from puppet 2022-12-01 07:53:46 +01:00			`ini_file:`
			`path: "{{ puppet_config_file }}"`
			`section: master`
			`option: autosign`
			`value: "true"`
			`# shell: "{{ which_puppet.stdout }} config set autosign true"`
Initial commit with previous code 2022-10-11 09:19:09 +02:00
			`- name: Check if puppet code folder exists`
			`stat:`
			`path: /etc/puppetlabs/code/environments/production`
			`register: puppet_code`

			`- name: Check if readme file exists in puppet code folder`
			`stat:`
change readme filename 2022-10-17 12:19:48 +02:00			`path: /etc/puppetlabs/code/environments/production/README.md`
Initial commit with previous code 2022-10-11 09:19:09 +02:00			`register: code_readme`
			`when: puppet_code.stat.exists`

			`- name: Copy puppet code folder if there is no readme (not from repo then)`
			`copy:`
			`remote_src: true`
			`src: /etc/puppetlabs/code/environments/production`
			`dest: /etc/puppetlabs/code/environments/production.bak`
			`when: puppet_code.stat.exists and not code_readme.stat.exists`

			`- name: Ensure UFW allow access to the server`
			`ufw:`
			`rule: allow`
			`port: "{{ puppet_master_config['serverport'] \| default(8140) }}"`

			`- name: Ensure puppetserver service is enabled and start`
			`service:`
			`name: puppetserver`
			`state: started`
			`enabled: true`
Add r10k config and fix puppet.conf to use 2022-10-17 11:12:27 +02:00
Add more output 2022-10-17 11:27:52 +02:00			`- name: Ensure r10k configuration folder exists`
			`file:`
			`path: /etc/puppetlabs/r10k`
			`state: directory`
			`owner: puppet`
			`group: puppet`

Add r10k config and fix puppet.conf to use 2022-10-17 11:12:27 +02:00			`- name: Ensure r10k is configured`
			`copy:`
			`dest: /etc/puppetlabs/r10k/r10k.yaml`
fix if which find two puppet 2022-10-17 11:14:57 +02:00			`content: "{{ r10k_config \| to_nice_yaml }}"`
Add more output 2022-10-17 11:27:52 +02:00			`owner: puppet`
			`group: puppet`
			`backup: true`
fix if which find two puppet 2022-10-17 11:14:57 +02:00
			`- name: Deploy environment`
Add link to production 2022-10-17 13:39:34 +02:00			`shell: r10k deploy environment -p --config /etc/puppetlabs/r10k/r10k.yaml`

Add service units using r10k 2022-10-17 13:53:02 +02:00			`- name: Ensure service unit to update puppet code exists`
			`template:`
			`src: templates/update_puppet_code.service.j2`
			`dest: /etc/systemd/system/update_puppet_code.service`
			`mode: 0644`
			`backup: yes`
			`notify: Reload Systemd daemon`

			`- name: Ensure timer unit to update puppet code exists`
			`copy:`
			`src: files/update_puppet_code.timer`
			`dest: /etc/systemd/system/update_puppet_code.timer`
			`mode: 0644`
			`backup: yes`
			`notify: Reload Systemd daemon`

			`- name: Ensure service to update puppet code is enabled`
			`service:`
			`name: update_puppet_code`
			`enabled: true`
configure reports to prometheus 2022-10-17 22:57:02 +02:00
			`- name: Configure reports to prometheus exporter`
			`copy:`
			`src: files/prometheus.yaml`
			`dest: /etc/puppetlabs/puppet/prometheus.yaml`
add hiera-eyaml 2022-11-07 14:08:39 +01:00			`backup: yes`

Get configuration file from puppet 2022-12-01 07:53:46 +01:00			`- name: Configure puppet reports to prometheus`
			`ini_file:`
			`path: "{{ puppet_config_file }}"`
			`section: master`
			`option: reports`
			`value: prometheus`

add folder for node-exporter 2023-09-06 16:18:19 +02:00			`- name: Ensure node-exporter folder exists`
			`file:`
			`state: directory`
			`path: /var/lib/prometheus/node-exporter/`

Add ACL for puppet 2022-12-01 13:44:52 +01:00			`- name: Add ACL for user puppet to write in node-exporter folder`
			`ansible.posix.acl:`
			`path: /var/lib/prometheus/node-exporter/`
			`entity: puppet`
			`etype: user`
			`permissions: rwx`
			`state: present`

Add node_exporter group 2023-11-06 13:22:22 +01:00			`- name: Ensure there is a node_exporter group`
			`group:`
			`name: node_exporter`

Add puppet to node exporter 2022-12-01 15:42:13 +01:00			`- name: Add puppet to node_exporter group`
			`user:`
			`name: puppet`
			`append: true`
			`groups:`
			`- node_exporter`

Add prometheus to puppet group 2022-12-01 15:43:28 +01:00			`- name: Add prometheus user to puppet group`
			`user:`
			`name: prometheus`
			`append: true`
			`groups:`
			`- puppet`

add hiera-eyaml 2022-11-07 14:08:39 +01:00			`- name: Ensure hiera-eyaml is installed`
			`shell: "{{ which_puppetserver.stdout }} gem install hiera-eyaml"`
			`args:`
			`creates: /opt/puppetlabs/server/data/puppetserver/jruby-gems/bin/eyaml`

			`- name: Ensure folder for eyaml keys exists`
			`file:`
			`path: /etc/puppetlabs/puppet/eyaml`
			`state: directory`
			`owner: puppet`
			`group: puppet`
			`mode: 0770`

			`- name: Create eyaml keys`
			`shell: eyaml createkeys`
			`args:`
			`chdir: /etc/puppetlabs/puppet/eyaml`
Fix path to keys 2023-11-06 13:37:21 +01:00			`creates: /etc/puppetlabs/puppet/eyaml/keys/private_key.pkcs7.pem`
add hiera-eyaml 2022-11-07 14:08:39 +01:00			`remote_user: puppet`

			`- name: Get eyaml public key`
			`slurp:`
Fix path to keys 2023-11-06 13:37:21 +01:00			`src: /etc/puppetlabs/puppet/eyaml/keys/public_key.pkcs7.pem`
add hiera-eyaml 2022-11-07 14:08:39 +01:00			`register: eyaml_public_key`

			`- name: Show public key`
			`debug:`
			`msg: "EYAML public key is '{{ eyaml_public_key \| b64decode }}'"`