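---
# Puppet server bootstrap tasks: locate the puppetserver/puppet binaries, set
# up the CA, write puppet.conf sections, deploy code with r10k, wire up the
# prometheus reporter and generate hiera-eyaml keys.
#
# Variables expected from the caller (not defined in this file):
#   subject_alt_names, puppet_server_name, puppet_master_config,
#   puppet_server_config, r10k_config
# Handlers notified: 'Restart puppetserver', 'Reload Systemd daemon'

- name: Find puppetserver command
  # `|| true` keeps the task green when `which` finds nothing. The previous
  # form `... | true` piped awk's output INTO `true`, which discards it, so
  # the registered stdout was always empty and the whereis fallback below
  # ran on every host.
  shell: which puppetserver | awk '{print($1)}' || true
  register: which_puppetserver
  changed_when: false

- name: Find puppetserver command with where
  # whereis prints "puppetserver: /path/one /path/two"; with awk's default
  # whitespace splitting $2 is the first path only (the old FS=": " split
  # returned every path in one string when there were several hits).
  shell: whereis -b puppetserver | awk '{print($2)}'
  register: which_puppetserver
  changed_when: false
  when: which_puppetserver.stdout == ""

- name: Fail if not found puppetserver command
  fail:
    msg: "Puppet server command couldn't be found"
  when: which_puppetserver.stdout == ""

- name: Create self-signed certificate authority
  # Every interpolated value is passed through `quote` so a hostname or SAN
  # containing shell metacharacters cannot alter the command line.
  shell: >-
    {{ which_puppetserver.stdout | quote }} ca setup
    --subject-alt-names {{ subject_alt_names | join(',') | quote }}
    --ca-name {{ puppet_server_name | quote }}
    --certname {{ puppet_server_name | quote }}
  args:
    creates: /etc/puppetlabs/puppet/ssl/ca/ca_crt.pem

- name: Find puppet command
  # Same `|| true` fix as for puppetserver above.
  shell: which puppet | awk '{print($1)}' || true
  register: which_puppet
  changed_when: false

- name: Show puppet command
  debug:
    msg: "Puppet command: '{{ which_puppet.stdout }}'"

- name: Find puppet command with where
  shell: whereis -b puppet | awk '{print($2)}'
  register: which_puppet
  changed_when: false
  when: which_puppet.stdout == ""

- name: Fail if not found puppet command
  fail:
    msg: "Puppet command couldn't be found"
  when: which_puppet.stdout == ""

- name: Get puppet configuration file
  # Read-only query; `changed_when: false` keeps the play idempotent.
  shell: "{{ which_puppet.stdout | quote }} config print config"
  register: puppet_config_file_result
  changed_when: false

- name: Set variable for Puppet configuration file
  set_fact:
    puppet_config_file: "{{ puppet_config_file_result.stdout }}"

- name: Ensure puppet server master section is configured
  ini_file:
    path: "{{ puppet_config_file }}"
    section: master
    option: "{{ item.key }}"
    value: "{{ item.value }}"
    mode: '0644'
    backup: true
    create: true
  loop: "{{ puppet_master_config | dict2items }}"
  notify: 'Restart puppetserver'

- name: Ensure puppet server main section is configured
  # NOTE(review): this loops over puppet_master_config, the same dict written
  # to the [master] section above; if a separate dict for [main] was
  # intended, confirm with the caller.
  ini_file:
    path: "{{ puppet_config_file }}"
    section: main
    option: "{{ item.key }}"
    value: "{{ item.value }}"
    mode: '0644'
    backup: true
    create: true
  loop: "{{ puppet_master_config | dict2items }}"
  notify: 'Restart puppetserver'

- name: Ensure puppet server server section is configured
  ini_file:
    path: "{{ puppet_config_file }}"
    section: server
    option: "{{ item.key }}"
    value: "{{ item.value }}"
    mode: '0644'
    backup: true
    create: true
  loop: "{{ puppet_server_config | dict2items }}"
  notify: 'Restart puppetserver'

- name: Configure CA server
  # Written with ini_file rather than `puppet config set` so the change is
  # idempotent and reported correctly; restart on change like the other
  # puppet.conf edits.
  ini_file:
    path: "{{ puppet_config_file }}"
    section: master
    option: ca_server
    value: "{{ puppet_server_name }}"
  notify: 'Restart puppetserver'

- name: Configure autosign server
  # NOTE(review): autosign = true makes the CA sign every certificate request
  # it receives, so any host that can reach the server port gets a trusted
  # agent certificate. Restricting signing via an autosign.conf allow-list
  # (or a policy-based autosign script) is the tighter option -- confirm
  # with the operators that unrestricted autosign is acceptable here.
  ini_file:
    path: "{{ puppet_config_file }}"
    section: master
    option: autosign
    value: "true"
  notify: 'Restart puppetserver'

- name: Check if puppet code folder exists
  stat:
    path: /etc/puppetlabs/code/environments/production
  register: puppet_code

- name: Check if readme file exists in puppet code folder
  stat:
    path: /etc/puppetlabs/code/environments/production/README.md
  register: code_readme
  when: puppet_code.stat.exists

- name: Copy puppet code folder if there is no readme (not from repo then)
  copy:
    remote_src: true
    src: /etc/puppetlabs/code/environments/production
    dest: /etc/puppetlabs/code/environments/production.bak
  when: puppet_code.stat.exists and not code_readme.stat.exists

- name: Ensure UFW allow access to the server
  # puppetserver speaks HTTPS, so the rule is limited to TCP. It is still
  # open from any source; if the agent networks are known, add `from_ip`
  # to narrow it.
  ufw:
    rule: allow
    proto: tcp
    port: "{{ puppet_master_config['serverport'] | default(8140) }}"

- name: Ensure puppetserver service is enabled and start
  service:
    name: puppetserver
    state: started
    enabled: true

- name: Ensure r10k configuration folder exists
  file:
    path: /etc/puppetlabs/r10k
    state: directory
    owner: puppet
    group: puppet

- name: Ensure r10k is configured
  # NOTE(review): r10k.yaml may hold repository credentials depending on
  # r10k_config; no explicit mode is set, so the file gets the umask default.
  # Consider `mode: '0640'` if the config carries secrets -- confirm.
  copy:
    dest: /etc/puppetlabs/r10k/r10k.yaml
    content: "{{ r10k_config | to_nice_yaml }}"
    owner: puppet
    group: puppet
    backup: true

- name: Deploy environment
  # Runs on every play and is always reported as changed; r10k itself is
  # idempotent on the checked-out code.
  shell: r10k deploy environment -p --config /etc/puppetlabs/r10k/r10k.yaml

- name: Ensure service unit to update puppet code exists
  template:
    src: templates/update_puppet_code.service.j2
    dest: /etc/systemd/system/update_puppet_code.service
    mode: '0644'
    backup: true
  notify: Reload Systemd daemon

- name: Ensure timer unit to update puppet code exists
  copy:
    src: files/update_puppet_code.timer
    dest: /etc/systemd/system/update_puppet_code.timer
    mode: '0644'
    backup: true
  notify: Reload Systemd daemon

- name: Ensure service to update puppet code is enabled
  service:
    name: update_puppet_code
    enabled: true

- name: Configure reports to prometheus exporter
  copy:
    src: files/prometheus.yaml
    dest: /etc/puppetlabs/puppet/prometheus.yaml
    backup: true

- name: Configure puppet reports to prometheus
  # The report processor is read at startup; restart on change.
  ini_file:
    path: "{{ puppet_config_file }}"
    section: master
    option: reports
    value: prometheus
  notify: 'Restart puppetserver'

- name: Add ACL for user puppet to write in node-exporter folder
  ansible.posix.acl:
    path: /var/lib/prometheus/node-exporter/
    entity: puppet
    etype: user
    permissions: rwx
    state: present

- name: Add puppet to node_exporter group
  user:
    name: puppet
    append: true
    groups:
      - node_exporter

- name: Ensure hiera-eyaml is installed
  shell: "{{ which_puppetserver.stdout | quote }} gem install hiera-eyaml"
  args:
    creates: /opt/puppetlabs/server/data/puppetserver/jruby-gems/bin/eyaml

- name: Ensure folder for eyaml keys exists
  # Quoted so the mode is not read as a decimal integer by the YAML parser.
  file:
    path: /etc/puppetlabs/puppet/eyaml
    state: directory
    owner: puppet
    group: puppet
    mode: '0770'

- name: Create eyaml keys
  # NOTE(review): `remote_user` changes the SSH login user for this task; if
  # the intent is to run the command as the local `puppet` account after
  # logging in normally, `become_user: puppet` is likely what is meant --
  # confirm. Also confirm `eyaml` is on PATH for that user: the gem task
  # above installs it under the puppetserver jruby-gems bin directory.
  shell: eyaml createkeys
  args:
    chdir: /etc/puppetlabs/puppet/eyaml
    creates: /etc/puppetlabs/puppet/eyaml/private_key.pkcs7.pem
  remote_user: puppet

- name: Get eyaml public key
  slurp:
    src: /etc/puppetlabs/puppet/eyaml/public_key.pkcs7.pem
  register: eyaml_public_key

- name: Show public key
  # Only the public half is read and printed; the private key stays on disk.
  debug:
    msg: "EYAML public key is '{{ eyaml_public_key | b64decode }}'"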