-
Notifications
You must be signed in to change notification settings - Fork 193
/
Copy pathdebian.pp
127 lines (112 loc) · 4.6 KB
/
debian.pp
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
class puppet_agent::osfamily::debian{
assert_private()
if $::puppet_agent::absolute_source {
# Absolute sources are expected to be actual packages (not repos)
# so when absolute_source is set just download the package to the
# system and finish with this class.
$source = $::puppet_agent::absolute_source
class { '::puppet_agent::prepare::package':
source => $source,
}
contain puppet_agent::prepare::package
} else {
if getvar('::puppet_agent::manage_repo') == true {
include ::apt
if ($::puppet_agent::is_pe and (!$::puppet_agent::use_alternate_sources)) {
$pe_server_version = pe_build_version()
if $::puppet_agent::source {
$source = "${::puppet_agent::source}/packages/${pe_server_version}/${::platform_tag}"
} elsif $::puppet_agent::alternate_pe_source {
$source = "${::puppet_agent::alternate_pe_source}/packages/${pe_server_version}/${::platform_tag}"
} else {
$source = "https://${::puppet_master_server}:8140/packages/${pe_server_version}/${::platform_tag}"
}
# In Puppet Enterprise, agent packages are served by the same server
# as the master, which can be using either a self signed CA, or an external CA.
# In order for apt to authenticate to the repo on the PE Master, it will need
# to be configured to pass in the agents certificates. By the time this code is called,
# the module has already moved the certs to $ssl_dir/{certs,private_keys}, which
# happen to be the default in PE already.
$_ssl_dir = $::puppet_agent::params::ssldir
$_sslcacert_path = "${_ssl_dir}/certs/ca.pem"
$_sslclientcert_path = "${_ssl_dir}/certs/${::clientcert}.pem"
$_sslclientkey_path = "${_ssl_dir}/private_keys/${::clientcert}.pem"
# For debian based platforms, in order to add SSL verification, you need to add a
# configuration file specific to just the sources host
$source_host = uri_host_from_string($source)
$_ca_cert_verification = [
"Acquire::https::${source_host}::CaInfo \"${_sslcacert_path}\";",
]
$_proxy_host = [
"Acquire::http::proxy::${source_host} DIRECT;",
]
$_apt_settings = concat(
$_ca_cert_verification,
$_proxy_host)
apt::setting { 'conf-pc_repo':
content => $_apt_settings.join(''),
priority => 90,
}
# Due to the file paths changing on the PE Master, the 3.8 repository is no longer valid.
# On upgrade, remove the repo file so that a dangling reference is not left behind returning
# a 404 on subsequent runs.
# Pass in an empty content string since apt requires it even though we are removing it
apt::setting {'list-puppet-enterprise-installer':
ensure => absent,
content => '',
}
apt::setting { 'conf-pe-repo':
ensure => absent,
priority => '90',
content => '',
}
} else {
$source = $::puppet_agent::apt_source
}
$legacy_keyname = 'GPG-KEY-puppet'
$legacy_gpg_path = "/etc/pki/deb-gpg/${legacy_keyname}"
$keyname = 'GPG-KEY-puppet-20250406'
$gpg_path = "/etc/pki/deb-gpg/${keyname}"
if getvar('::puppet_agent::manage_pki_dir') == true {
file { ['/etc/pki', '/etc/pki/deb-gpg']:
ensure => directory,
}
}
file { $legacy_gpg_path:
ensure => present,
owner => 0,
group => 0,
mode => '0644',
source => "puppet:///modules/puppet_agent/${legacy_keyname}",
}
apt::key { 'legacy key':
id => '6F6B15509CF8E59E6E469F327F438280EF8D349F',
source => $legacy_gpg_path,
}
file { $gpg_path:
ensure => present,
owner => 0,
group => 0,
mode => '0644',
source => "puppet:///modules/puppet_agent/${keyname}",
}
apt::source { 'pc_repo':
location => $source,
repos => $::puppet_agent::collection,
key => {
'id' => 'D6811ED3ADEEB8441AF5AA8F4528B6CD9E61EF26',
'source' => $gpg_path,
},
notify => Exec['pc_repo_force'],
}
# apt_update doesn't inherit the future class dependency, so it
# can wait until the end of the run to exec. Force it to happen now.
exec { 'pc_repo_force':
command => "/bin/echo 'forcing apt update for pc_repo ${::puppet_agent::collection}'",
refreshonly => true,
logoutput => true,
subscribe => Exec['apt_update'],
}
}
}
}