Diffstat (limited to 'roles/install_gentoo/tasks/puppet.yml')
-rw-r--r-- | roles/install_gentoo/tasks/puppet.yml | 202 |
1 files changed, 202 insertions, 0 deletions
diff --git a/roles/install_gentoo/tasks/puppet.yml b/roles/install_gentoo/tasks/puppet.yml
new file mode 100644
index 0000000..e413297
--- /dev/null
+++ b/roles/install_gentoo/tasks/puppet.yml
@@ -0,0 +1,202 @@
+---
+- name: puppet
+ tags:
+ - puppet
+ block:
+ - name: stat /usr/lib/sysusers.d/acct-group-puppet.conf
+ ansible.builtin.stat:
+ path: "{{ chroot }}/usr/lib/sysusers.d/acct-group-puppet.conf"
+ register: stat_puppet_group
+
+ - name: stat /usr/lib/sysusers.d/acct-user-puppet.conf
+ ansible.builtin.stat:
+ path: "{{ chroot }}/usr/lib/sysusers.d/acct-user-puppet.conf"
+ register: stat_puppet_user
+
+ - name: ensure puppet user & group exist
+ ansible.builtin.command: >
+ chroot {{ chroot }} emerge -1 acct-group/puppet acct-user/puppet
+ when: (not stat_puppet_user.stat.exists) or (not stat_puppet_group.stat.exists)
+
+ - name: getent puppet
+ ansible.builtin.command: >
+ chroot {{ chroot }} getent passwd puppet
+ register: getent_puppet
+
+ - name: set puppet uid/gid
+ ansible.builtin.set_fact:
+ puppet_uid: "{{ (getent_puppet.stdout | split(':'))[2] }}"
+ puppet_gid: "{{ (getent_puppet.stdout | split(':'))[3] }}"
+
+ - name: create directories
+ ansible.builtin.file:
+ path: "{{ chroot }}/{{ item.path }}"
+ owner: "{{ item.owner | default('root') }}"
+ group: "{{ item.group | default('root') }}"
+ mode: "{{ item.mode | default('0755') }}"
+ state: directory
+ recurse: true
+ loop:
+ - path: /etc/puppetlabs
+ mode: '0750'
+ group: "{{ puppet_gid }}"
+ #- path: /etc/puppetlabs/puppet # this should be a symlink to /etc/puppet/
+ - path: /etc/puppet
+ mode: '0750'
+ group: "{{ puppet_gid }}"
+ - path: /etc/puppet/devices
+ mode: '0750'
+ owner: "{{ puppet_uid }}"
+ group: "{{ puppet_gid }}"
+ - path: /etc/puppet/facter
+ mode: '0750'
+ owner: root
+ group: "{{ puppet_gid }}"
+ - path: /etc/puppet/ssl
+ mode: '0751'
+ owner: "{{ puppet_uid }}"
+ group: "{{ puppet_gid }}"
+ - path: /etc/puppet/ssl/certs/
+ mode: '0755'
+ owner: "{{ puppet_uid }}"
+ group: "{{ puppet_gid }}"
+ - path: /etc/puppet/ssl/certificate_requests
+ mode: '0755'
+ owner: "{{ puppet_uid }}"
+ group: "{{ puppet_gid }}"
+ - path: /etc/puppet/ssl/public_keys/
+ mode: '0755'
+ owner: "{{ puppet_uid }}"
+ group: "{{ puppet_gid }}"
+ - path: /etc/puppet/ssl/private_keys/
+ mode: '0750'
+ owner: "{{ puppet_uid }}"
+ group: "{{ puppet_gid }}"
+ - path: /etc/puppet/ssl/private/
+ mode: '0750'
+ owner: "{{ puppet_uid }}"
+ group: "{{ puppet_gid }}"
+
+ # If the paths exist and they are only empty, we can safely convert it.
+ - name: cleanup non-symlink /etc/puppetlabs/puppet
+ ansible.builtin.shell: >
+ chroot {{ chroot }} bash -c 'if test ! -L /etc/puppetlabs/puppet && test -d /etc/puppetlabs/puppet ; then rm /etc/puppetlabs/puppet/ssl/.keep_app-admin_puppet-0 ; rmdir -v /etc/puppetlabs/puppet/ssl/* /etc/puppetlabs/puppet/ssl /etc/puppetlabs/puppet/devices /etc/puppetlabs/puppet/ ; ln -vsf /etc/puppet /etc/puppetlabs/puppet; fi'
+
+ # TODO: add check for non-empty /etc/puppetlabs/puppet/
+
+ - name: /etc/puppetlabs/puppet
+ ansible.builtin.file:
+ state: link
+ src: "/etc/puppet"
+ dest: "{{ chroot }}/etc/puppetlabs/puppet"
+ follow: false
+ force: true
+
+ - name: check for /etc/puppet/puppet.conf
+ ansible.builtin.stat:
+ path: "{{ chroot }}/etc/puppet/puppet.conf"
+ register: stat_etc_puppet_puppet_conf
+
+ - name: bootstrap /etc/puppet/puppet.conf
+ when: not stat_etc_puppet_puppet_conf.stat.exists
+ ansible.builtin.copy:
+ dest: "{{ chroot }}/etc/puppet/puppet.conf"
+ content: |
+ [main]
+ environment = puppet7
+ use_srv_records = true
+ srv_domain = puppet.infra.gentoo.org
+ #server = puppetmaster.gentoo.org
+ #ca_server = puppetca.gentoo.org
+ #pluginsync = true
+ report = true
+ splaylimit = 900
+ certificate_expire_warning = 7d
+ parser = future
+ trusted_node_data = true
+ stringify_facts = false
+ number_of_facts_soft_limit = 16384
+ include_legacy_facts = true
+
+ - name: check for /etc/puppet/csr_attributes.yaml
+ ansible.builtin.stat:
+ path: "{{ chroot }}/etc/puppet/csr_attributes.yaml"
+ register: stat_etc_puppet_csr_attributes_yaml
+
+ - name: /etc/puppet/csr_attributes.yaml
+ when: not stat_etc_puppet_csr_attributes_yaml.stat.exists
+ ansible.builtin.copy:
+ dest: "{{ chroot }}/etc/puppet/csr_attributes.yaml"
+ mode: '0640'
+ owner: root
+ group: "{{ puppet_gid }}"
+ # TODO: nicer way to generate YAML here
+ content: |
+ custom_attributes:
+ 1.2.840.113549.1.9.7: '{{ puppet_autosign_token }}'
+
+ - name: check for /usr/bin/puppet
+ ansible.builtin.stat:
+ path: "{{ chroot }}/usr/bin/puppet"
+ register: stat_usr_bin_puppet
+
+ - name: install puppet
+ ansible.builtin.command: >
+ chroot {{ chroot }} emerge -qu app-admin/puppet
+ when: not stat_usr_bin_puppet.stat.exists
+
+ # Do this AFTER puppet
+ - name: install ~arch msgpack
+ ansible.builtin.shell: >
+ ACCEPT_KEYWORDS=~amd64 chroot {{ chroot }} emerge -qu dev-ruby/msgpack
+ when: not stat_usr_bin_puppet.stat.exists
+
+ - name: puppet cert check, pass1
+ ansible.builtin.stat:
+ path: "{{ chroot }}/etc/puppet/ssl/certs/{{ hostname }}.gentoo.org.pem"
+ register: stat_puppet_cert_pass1
+
+ - name: puppet enrollment
+ #chroot {{ chroot }} puppet agent --onetime --test --verbose
+ # TODO: it needs to use wait at least once
+ ansible.builtin.command: >
+ timeout 30 chroot {{ chroot }} /usr/sbin/puppet ssl bootstrap --onetime --verbose --waitforcert=10
+ when: not stat_puppet_cert_pass1.stat.exists
+
+ - name: puppet cert check, pass2
+ ansible.builtin.stat:
+ path: "{{ chroot }}/etc/puppet/ssl/certs/{{ hostname }}.gentoo.org.pem"
+ register: stat_puppet_cert_pass2
+
+ - name: puppet enrollment failed
+ ansible.builtin.fail:
+ msg: >
+ You should run this on the master (if the fingerprints match):
+ puppet cert list
+ puppet cert sign {{ hostname }}.gentoo.org
+ when: not stat_puppet_cert_pass2.stat.exists
+
+ - name: initial puppet run
+ ansible.builtin.command: >
+ chroot {{ chroot }} /usr/bin/puppet agent --onetime --no-daemonize --test
+
+ # TODO: verify if obsolete
+ - name: make.conf final pass
+ ansible.builtin.command: >
+ chroot {{ chroot }} /usr/local/sbin/update-config /etc/portage/make.conf /etc/portage/make.conf.d .conf
+
+ # TODO: verify if obsolete
+ - name: etc-update
+ ansible.builtin.command: >
+ chroot {{ chroot }} etc-update --automode -5
+
+ # TODO: verify if obsolete
+ - name: check if root password is set
+ ansible.builtin.command: >
+ awk -F: '/^root:/{if($2 == "*"){ exit 1; }}' {{chroot}}/etc/shadow
+ register: root_password_set
+
+ - name: abort if no root password
+ ansible.builtin.fail:
+ msg: "No root password set on {{ hostname }}"
+ when: root_password_set.rc == 1 |
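Review bot: `recurse: true` in the "create directories" task applies owner, group and mode to every file below each listed path, not only the directory, so the `/etc/puppet` entry (root:puppet, 0750) rewrites everything under it on each run — `csr_attributes.yaml` drops from the 0640 set at creation to 0750, and any key files under `private_keys/` and `private/` end up 0750 (group-readable, with execute bits) after those entries are applied. Unless recursion is deliberate, remove it or make it opt-in per item, e.g. `recurse: "{{ item.recurse | default(false) }}"`, and give the key directories a file-appropriate mode explicitly if they are meant to be recursed. Separately, the `/etc/puppet/csr_attributes.yaml` copy task renders `{{ puppet_autosign_token }}` through `content:`, which Ansible prints in verbose and `--diff` output; adding `no_log: true` to that task keeps the enrollment token out of job logs.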