Defined Type: puppet_nonroot

Defined in:
manifests/init.pp

Overview

Puppet_nonroot

Configure and start a non-root puppet agent (requires root agent already installed and running)

Examples:

Creating a non-root agent instance

puppet_nonroot { "puppet-azure-provisioner.megacorp.com":
  user               => "azure-provisioner",
  puppet_master_fqdn => "puppet.megacorp.com",
}

Parameters:

  • puppet_master_fqdn (String)

    Fully qualified domain name of the Puppet Master that will be managing this agent instance. Must already be resolvable.

  • user (String)

    Local user to run agent as (will be created)

  • certname (String) (defaults to: $title)

    The unique identifier for this agent instance in Puppet

  • homedir (Optional[String]) (defaults to: undef)

    Set a custom homedir for user, otherwise default is /home/$user

  • challenge_password (Optional[String]) (defaults to: undef)

    Password for policy based autosigning @see www.geoffwilliams.me.uk/puppet/policy_based_autosigning

  • extension_requests (Optional[Hash]) (defaults to: {})


# File 'manifests/init.pp', line 21

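define puppet_nonroot(
    String            $puppet_master_fqdn,
    String            $user,
    String            $certname           = $title,
    Optional[String]  $homedir            = undef,
    Optional[String]  $challenge_password = undef,
    Optional[Hash]    $extension_requests = {},
) {

  # Per-instance paths. Everything the agent itself touches lives under the
  # user's home so the process needs no root privileges.
  $_homedir       = pick($homedir, "/home/${user}")
  $puppet_home    = "${_homedir}/.puppetlabs/etc/puppet"
  $puppet_conf    = "${puppet_home}/puppet.conf"
  $csr_attributes = "${puppet_home}/csr_attributes.yaml"
  $service        = "puppet-${certname}"
  $unit           = "/etc/systemd/system/${service}.service"

  # daemon reload - workaround for https://tickets.puppetlabs.com/browse/PUP-3483
  $nasty_systemd_hack = "${module_name}_systemd_hack"

  # Defaults for the user-owned files (home tree, puppet.conf,
  # csr_attributes.yaml). The systemd unit below overrides them on purpose.
  File {
    owner => $user,
    group => $user,
    mode  => "0640",
  }

  Ini_setting {
    ensure  => present,
    path    => $puppet_conf,
    section => 'agent',
  }

  user { $user:
    ensure => present,
    home   => $_homedir,
  }

  file { [
    $_homedir,
    "${_homedir}/.puppetlabs",
    "${_homedir}/.puppetlabs/etc",
    $puppet_home]:
    ensure => directory,
  }

  file { $puppet_conf:
    ensure => file,
  }

  # csr_attributes.yaml can carry the autosign challenge password, so it is
  # only written when there is something to put in it and stays readable by
  # $user alone (0640 from the File defaults above).
  if $challenge_password or ! empty($extension_requests) {
    file { $csr_attributes:
      ensure  => file,
      content => epp("${module_name}/csr_attributes.yaml.epp", {
        "challenge_password" => $challenge_password,
        "extension_requests"  => $extension_requests,
      }),
    }
  }

  ini_setting { "${puppet_conf} agent:certname":
    setting => 'certname',
    value   => $certname,
  }

  ini_setting { "${puppet_conf} agent:server":
    setting => 'server',
    value   => $puppet_master_fqdn,
  }

  # The unit is read and executed by systemd (root), not by the agent user,
  # so it must not inherit the user-owned File defaults: a unit writable by
  # $user would let that user rewrite ExecStart/User and have systemd run
  # arbitrary commands as root on the next reload. Keep it root-owned with
  # the usual 0644 unit permissions. The template receives $user and
  # $certname; presumably it sets User= and the agent command line (the
  # template itself is not visible here).
  file { $unit:
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    notify  => Exec[$nasty_systemd_hack],
    content => epp("${module_name}/puppet.epp", {
      "user"     => $user,
      "certname" => $certname,
    }),
  }

  # One shared daemon-reload exec per catalog, regardless of how many
  # instances of this define are declared.
  if ! defined(Exec[$nasty_systemd_hack]) {
    exec { $nasty_systemd_hack:
      command     => "systemctl daemon-reload",
      refreshonly => true,
      path        => ['/usr/sbin', '/sbin', '/usr/bin', '/bin'],
    }
  }

  # Subscribing to the unit file restarts the service when its definition
  # changes; ordering after the exec guarantees the reload has happened
  # first, so systemd starts the new unit rather than the stale one.
  service { $service:
    ensure    => running,
    enable    => true,
    subscribe => File[$unit],
    require   => Exec[$nasty_systemd_hack],
  }

}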