From 85bcb598df361b48cb3f2331d6538f12332785bf Mon Sep 17 00:00:00 2001 From: jonnybravo Date: Mon, 8 Dec 2025 18:50:29 +0100 Subject: [PATCH] run super --- README.md | 53 +++++++ ca-ssl/ca | 1 - ca-ssl/certs/ca.pem | 63 -------- ca-ssl/certs/puppet.speedport.ip.pem | 34 ----- ca-ssl/crl.pem | 34 ----- ca-ssl/private_keys/puppet.speedport.ip.pem | 51 ------- ca-ssl/public_keys/puppet.speedport.ip.pem | 14 -- .../production/manifests/all_system.pp | 85 ++++++++--- config/openvoxdb/database.ini | 17 +++ .../postgres/script/setup_readonly_user.sql | 33 +++++ config/puppet/puppet.conf | 30 ++++ docker-compose.yml | 29 ++-- docker-entrypoint-debug.sh | 134 ------------------ 13 files changed, 219 insertions(+), 359 deletions(-) create mode 100644 README.md delete mode 120000 ca-ssl/ca delete mode 100755 ca-ssl/certs/ca.pem delete mode 100755 ca-ssl/certs/puppet.speedport.ip.pem delete mode 100755 ca-ssl/crl.pem delete mode 100755 ca-ssl/private_keys/puppet.speedport.ip.pem delete mode 100755 ca-ssl/public_keys/puppet.speedport.ip.pem create mode 100644 config/openvoxdb/database.ini create mode 100644 config/postgres/script/setup_readonly_user.sql create mode 100644 config/puppet/puppet.conf delete mode 100755 docker-entrypoint-debug.sh diff --git a/README.md b/README.md new file mode 100644 index 0000000..309ce95 --- /dev/null +++ b/README.md 
@@ -0,0 +1,53 @@
+# PuppetDB API Abfragen
+
+Dieses Dokument beschreibt, wie man die PuppetDB-API direkt über `curl` abfragt, um Informationen über den Status der Puppet-Clients zu erhalten.
+
+Alle Befehle werden innerhalb des `openvox` (Puppet Master) Containers ausgeführt.
+
+## Alle aktiven Clients (Nodes) auflisten
+
+Um eine Liste aller von PuppetDB verwalteten Clients zu erhalten, die aktiv sind, verwenden Sie den folgenden Befehl:
+
+```bash
+docker compose exec openvox curl -s http://openvoxdb:8080/pdb/query/v4/nodes
+```
+
+**Beispiel-Ausgabe (gekürzt):**
+
+```json
+[
+ {
+ "certname": "arch-2.lxd",
+ "latest_report_status": "changed",
+ "facts_environment": "production",
+ ...
+ }
+]
+```
+Dies zeigt Ihnen den `certname` jedes Clients, den Sie für weitere Abfragen verwenden können.
+
+## Reports für einen bestimmten Client abrufen
+
+Um zu sehen, was auf einem bestimmten Client gelaufen ist, können Sie dessen Reports abfragen. Ersetzen Sie `arch-2.lxd` mit dem `certname` des gewünschten Clients.
+
+```bash
+docker compose exec openvox curl -s -G http://openvoxdb:8080/pdb/query/v4/reports --data-urlencode 'query=["=","certname","arch-2.lxd"]'
+```
+
+### Interpretation der Report-Ausgabe
+
+Die Ausgabe ist ein JSON-Array von Reports. Jeder Report enthält wichtige Informationen:
+
+* `"status"`: Zeigt das Ergebnis des Puppet-Laufs.
+ * `"changed"`: Der Lauf war erfolgreich und es wurden Änderungen am System vorgenommen.
+ * `"unchanged"`: Der Lauf war erfolgreich, es waren aber keine Änderungen nötig.
+ * `"failed"`: Der Lauf ist fehlgeschlagen (z.B. wegen eines Kompilierungsfehlers).
+* `"logs"`: Enthält die Log-Meldungen des Puppet-Agenten während des Laufs. Hier finden Sie Details zu Fehlern oder erfolgreichen Aktionen.
+* `"resource_events"`: Zeigt im Detail, welche Ressourcen geändert wurden.
+
+Anhand dieser Reports können Sie genau nachvollziehen, welche Aktionen auf einem Client erfolgreich waren und welche nicht.
+
+## Weiterführende Informationen
+
+Für komplexere Abfragen können Sie die offizielle Dokumentation der PuppetDB API konsultieren:
+[PuppetDB Query API Documentation](https://puppet.com/docs/puppetdb/latest/api/query/v4/overview.html)
diff --git a/ca-ssl/ca b/ca-ssl/ca
deleted file mode 120000
index 9977801..0000000
--- a/ca-ssl/ca
+++ /dev/null
@@ -1 +0,0 @@
-/etc/puppetlabs/puppetserver/ca
\ No newline at end of file
diff --git a/ca-ssl/certs/ca.pem b/ca-ssl/certs/ca.pem
deleted file mode 100755
index 3ca892d..0000000
--- a/ca-ssl/certs/ca.pem
+++ /dev/null
@@ -1,63 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIFgTCCA2mgAwIBAgIBAjANBgkqhkiG9w0BAQsFADApMScwJQYDVQQDDB5QdXBw -ZXQgUm9vdCBDQTogZmZmNjYxYWI3NDBlMjIwHhcNMjUxMjA0MjI1MDE3WhcNMzAx -MjA0MjI1MDE5WjBFMUMwQQYDVQQDDDpQdXBwZXQgQ0EgZ2VuZXJhdGVkIG9uIHB1 -cHBldCBhdCAyMDI1LTEyLTA1IDIyOjUwOjE3ICswMDAwMIICIjANBgkqhkiG9w0B -AQEFAAOCAg8AMIICCgKCAgEArc99Lx0gu8A7HgTaBIyIIVteGLOMxQtWj5KtsqH8 -LgpteNFVQFfOsnFW8LaKGAFCET3I5viNmD+txJVoIkac8NjajViW+y21J3vOxYVI -Etb7eNOyrlBoyzCLVDKgJWySdju7x73Qw1HzAbgSgcM59J88q4YfAvFHpatX6+cp -QQe1WO5JFAHN4hR4Pf47wPi5F4q2s+RRR/Kl9aRflg3dVCQs8MM9tYv8Ca3DYKmw -ZbZM7fFCMnqoAA8CY5f6U6tGiHFi6IOaJQVmNZosep7zzIohhrNx4cW+ORLFaCW1 -5JDy30396jo0sP6QseJEFTue9Q+7ReRXlC5FEIRjGdaQbTN6nUx4ObPl5nmnEkBF -MPqRfSXz1FMsepaOVwpss9Ggb8+91HL+rxyqE6IWUP5A4n/7y3iU/oFFrQ9RC7rE -l3NxyFi87wLyME4gMIkAYZHr5SWFexcYk3Z0zGlMhfysc1HRykh/bMGt8lzUmhRE -Bh1CWs0DumYU7G2z5jdAIlyLSWNU/Vvm+nZMveVPn781DFS+wHYWtgVb0j5giHbl -ph19aidPlIgzCiVKpgi1XCwmlpIUs+yp3VPnkFR5lk1vTSZJkaKnH3kr1WW3J4CU -KDw1ftK3CwV5KAA34xcs1xNI0NxvsdIwQAlGw/KyVaRPmcwwm3dmUjPVtA64Ij6V -VkECAwEAAaOBlzCBlDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAd -BgNVHQ4EFgQUaN0DSCpQ9X/vRbjswjh6FRRngmcwMQYJYIZIAYb4QgENBCQWIlB1 -cHBldCBTZXJ2ZXIgSW50ZXJuYWwgQ2VydGlmaWNhdGUwHwYDVR0jBBgwFoAUHZnQ -f1RICLo0IiFV9LjEjG9/9VYwDQYJKoZIhvcNAQELBQADggIBABYWZhcDPtT06g3A -OvdEuejnfj6JFB8SH1OxLV5aKjUWT2fVKqngKlBTDUIX+MosN1yMlkk+gePnIy1Q -+ykEuBgB9b3SVXvT4Qj1j0JNt2e+BoklC2NOmxJHV283DJ7YH0YIl9c3G+5/njb/ -5lKKmk3yDRKxH+rw5U3DOXW0m9Qyj/SOHrBeewGsA0NWvkYRnxvOF8pUdmhaNhTE -wI7PectNkm8rXn+7nVaCXDhW8IEj90ZnirQCoLFASPVhzm5SS3cvXrXuWGaVw0wg -i0qmRWybqXGbpU/NmoYcFfkzBfcPplQU1TXzWS2HtukIKRT1EydljVxw8suFt1sL -02QQgRCxiDNUnQkcXcC/c2Wb8tAs2YQZ6mgxtNb1T05Cf67RfjxGeICsXBa335I+ -ioUp2xt+EBk3qjSJ+TtpfG1vGABxC5T8SOxD3DMyKa/C1SnF8nAAYuIVHJBdkvUR -d8kDnmcWl/bcjS7Zm/KO9ZJud0nb6X54iUnOOQ5IV5WWh1BGCxRvGZD6ItlW21cn -uw+vdmu32RRulApXjZfw4HnG87lZC5LcB3xPpzpA7eAg2nm2bxO/tyJ5RWdVGmKJ -M2uXH67935uckRbQ6hPYji8LMt0OfKDKBXcALeR73RZIbMikdOM0K5AzCBHle0gH -YnDivlWp+jCR7Y21BzJ1jQDgFKK8 ------END 
CERTIFICATE----- ------BEGIN CERTIFICATE----- -MIIFZTCCA02gAwIBAgIBATANBgkqhkiG9w0BAQsFADApMScwJQYDVQQDDB5QdXBw -ZXQgUm9vdCBDQTogZmZmNjYxYWI3NDBlMjIwHhcNMjUxMjA0MjI1MDE3WhcNMzAx -MjA0MjI1MDE4WjApMScwJQYDVQQDDB5QdXBwZXQgUm9vdCBDQTogZmZmNjYxYWI3 -NDBlMjIwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCY3JYtGQJW6xeD -wg9S/GJ5wQUTgIyHKU+pCB/nD5O7i9VLHjxdttMGvalk8FksVxhIPX1Y6XBAoE6O -3vdmm7pHt+byzpggZhxZQr7oGBopq9iAjDe6s1vX6hRfLYQ5MOBRsiBOJXmE1Px+ -CeIEXrYQYQkkDEh/cXKVuDoUtnue/CmhBn58u2R3jyIp9RRpvMokv9XUujg0oPlL -F+5h66baDZr2USdddj97g7gFOoMiTcG7ZwqSpL7sPfMOzHeOjMCIIAMERJkEC56R -ns+KverL56skAFNUndJpOaTwQEQo1kdjYkkwbLp9sTUTAiYbDBAalEwWKltQ5kOF -J2khyA7nv7LfMU1ob879xAxg47aFwoQEX/aLShBP8lWukr0BfzYrJwMSWRNql35w -Flyzh9Z5jd/WX+aceVkYJ1k4FSCpzUqtszLT1scDFrdbwnxeur2qfA779W5DIAx9 -rNEypRVpj6BqM5ckhHD8v8SgAitEETXV9lyIlJYtnFU2rfwIRujRIoVNwxw76aip -aWDcPO2cH90lLyInh43Ab+8Mf+KL86VeGKDrwkB6L3rMnFfVyefC9DfH0Yvmo3vI -i8jb1znM8WLhHDIz3Ikj+vTyfffx0qyatrpthcNNZ5TbdL5WWksu8iyqdiPvoxfX -FPSbWGN7CR/WxjOf952B+Ni2rWTRSwIDAQABo4GXMIGUMA8GA1UdEwEB/wQFMAMB -Af8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBQdmdB/VEgIujQiIVX0uMSMb3/1 -VjAxBglghkgBhvhCAQ0EJBYiUHVwcGV0IFNlcnZlciBJbnRlcm5hbCBDZXJ0aWZp -Y2F0ZTAfBgNVHSMEGDAWgBQdmdB/VEgIujQiIVX0uMSMb3/1VjANBgkqhkiG9w0B -AQsFAAOCAgEAgo+7VyVvAuYmUvw+fR78zjQpijFBAJuPMGKFRgJnOe+PaCBRDtex -3vFtwZR2BjhkW4/1+33gD45cjAIjZ65oeTBo0M7Z3LbGlIsZCl/zAK7pjBuJpiFP -mgxaRPm/zO8Hgz9uozoMlDq/Bao2HfxD4tf/yOhgkA8rZ2UMdMNZhpXQU3zK+3MJ -5lIhGzkrGLxbKjYXiTL0POQCYK5IhNStfsl2Kmk7I3K6G52Y9oYt0D0heZdzrorp -RsoGwJGRgX+RRcMybWppHCNWrFtBDUA0yZ6daJjXpEMizErsocS+Fla/YnjbJVMh -xxfHVMvFKZVNnYic0qi+ip4uA0SfrtV63pmBCGPmab0e7FiZUYJZkTxmszF3i0wP -L9CcXnrU1uH0tog38jcDzTVKqjDQULyctygc/7N+CJLCkgE3ch/aDrtEdcKxOuQf -xXfkG189jf5HYgzNCGvzPbq964PnAA+Vx/gkMXhSItUWr1tzD62vFI6AiS4p0fQo -PGQYiVKGUKnkDCwLceENTJZ88g9+YeWQQtPtcc2yfD9OCWNMpij/gr5xCkQL+cCf -ER2RAQLYGCcUuVkC6ObDcy/FxKDtgIHhoRNox+mehmjEoHWU40wjvTshUin5+F57 -OkFoxPyB9VE0hzJM0ccgY4iRo1Dt0R8EZnTqtDotRESo+aNtB7bEUlc= ------END CERTIFICATE----- 
diff --git a/ca-ssl/certs/puppet.speedport.ip.pem b/ca-ssl/certs/puppet.speedport.ip.pem deleted file mode 100755 index bcd36f6..0000000 --- a/ca-ssl/certs/puppet.speedport.ip.pem +++ /dev/null 
@@ -1,34 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIF1DCCA7ygAwIBAgIBATANBgkqhkiG9w0BAQsFADBFMUMwQQYDVQQDDDpQdXBw -ZXQgQ0EgZ2VuZXJhdGVkIG9uIHB1cHBldCBhdCAyMDI1LTEyLTA1IDIyOjUwOjE3 -ICswMDAwMB4XDTI1MTIwNDIyNTAxN1oXDTMwMTIwNDIyNTAyMlowHjEcMBoGA1UE -AwwTcHVwcGV0LnNwZWVkcG9ydC5pcDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCC -AgoCggIBAMPWIb7BpU7q9ROWWDnhbY/YWU26j13DW5Kxz4rWUOXzv3ebqyFTA+e9 -tExvCHfCq555ROAtYAlHKRQSz6aA7bLoQGNywxpdbeJfcG0C9cGv1C3bHk9+qql5 -YeNNfirj1THRanH/ZbW1fNUO3XehntKveEXb8mgFfAh4CQAXOcVR0eSjY7LyfPRX -vXYkd/LtHlTDaR9PNnBUaAZcur3/ylTPvBR8UwOKbchGr7ZEkzqW6EaEA0r8Culy -OJY+StBlHU0owuPi6u6HsIR2YEA/rRx/ERtUhROPXXsymQPWjp07Rl1JFLPIRYwW -8F2fH50ViFloouQPNnj/HDzX6+Zfcc388EpE3l42/z4Hm3l8JjrFlDzSq+mk1frW -uZz3n+NsZGTkWKZa4qp3UiIxidjwJgrrGres3UgBv65hgq54fg/5jGAOstSnYKzU -biNAxytSipECRstUWsKIuX0cIdMZzhYVIRSnaDWzUa/EiareBVG3uZ7AD6BFQyhv -MOMCtG3hcmC+SjVTZWs4JSHJs84Bo20+uS7AjG9FDrbPrqPi5SoCPQuBLsggghkN -YMiB/sNqErbpT2KtVEcn1jIT71HqSQ9NGLi5g4fg+YnOIIYVBIHG+PD7AsatUWwQ -84imemjwq4HW9u48lw9H/JQk6kb9X5pz4MAlXd1B1ApZSuQtg+DXAgMBAAGjgfUw -gfIwDAYDVR0TAQH/BAIwADAxBglghkgBhvhCAQ0EJBYiUHVwcGV0IFNlcnZlciBJ -bnRlcm5hbCBDZXJ0aWZpY2F0ZTAfBgNVHSMEGDAWgBRo3QNIKlD1f+9FuOzCOHoV -FGeCZzAgBgNVHSUBAf8EFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDgYDVR0PAQH/ -BAQDAgWgMB0GA1UdDgQWBBSztTQjy5ZflFlzOoyfzXRJK7BpVjAVBgsrBgEEAYKM -TAEDJwQGDAR0cnVlMCYGA1UdEQQfMB2CBnB1cHBldIITcHVwcGV0LnNwZWVkcG9y -dC5pcDANBgkqhkiG9w0BAQsFAAOCAgEARLvJc6SeWMXrPLunZBsdFc6WuBrQgkh4 -1lUwqZ3hYViCWP/Enm3BefloZAst0ZXUDV6nFADCwU4ODv07KmWeG5jUL4GcA6G4 -zMrwmUNWzioI42oVtPqFT6dvCz6WMh9UqZmp5upkMp3Yi2S+kEwOlPD4VVx2CGSt -JC28rA59EcWMhoVzsnlgzyLcBPDHj05D/pU23zwl9aHommTMczpiqDuKgihTNwZt -sMpLQoyqorZyJ8+1QkHXH2etYevv01x3g5l/NuXOavDrFcSYEaEKmtORkRMOF6fA -L4N5I1olc0RaMelWccx+XyaUQm1G1NVY0qLM25T3QpODylLLEkfxxVsAS5uHwotZ -M+GhwI5JLrCluaJ6BXpcoQj6kZ8b5NF9R0DbCZlNC1lwLRPtDuyLTDxqMStRIIVn -Jt9JCnA+6PKSfPZ0soPkbZE0oYOkar3gAP5FAVBZJi/0AXMCs9/VJLW8Ow6tQW1q -6YshhtXEALZaFnZ9gqS+9y5/cTi62g4vZ9faACf9E/h5xhow2YlUyz3at8U7Xlno 
-VAmaOBxmB+zVzbyL+XjUfyW8aIhPRap6t6R14077GunuSH8XYYi3XHoz0pd4uZ3S -NQZ0H+NPCqH/RWN0+BglrdfIOoTkMM2PUu2ekWLHzp0pM3WHQqb8nJJ9V5/4QbsB -11h1JX9+0Zw= ------END CERTIFICATE----- diff --git a/ca-ssl/crl.pem b/ca-ssl/crl.pem deleted file mode 100755 index e98b875..0000000 --- a/ca-ssl/crl.pem +++ /dev/null 
@@ -1,34 +0,0 @@ ------BEGIN X509 CRL----- -MIICvzCBqAIBATANBgkqhkiG9w0BAQsFADBFMUMwQQYDVQQDDDpQdXBwZXQgQ0Eg -Z2VuZXJhdGVkIG9uIHB1cHBldCBhdCAyMDI1LTEyLTA1IDIyOjUwOjE3ICswMDAw -Fw0yNTEyMDQyMjUwMTdaFw0zMDEyMDQyMjUwMTlaoC8wLTAfBgNVHSMEGDAWgBRo -3QNIKlD1f+9FuOzCOHoVFGeCZzAKBgNVHRQEAwIBADANBgkqhkiG9w0BAQsFAAOC -AgEAVrcpf7vF0dD8t4LfLFvh4wWMCHgo+veFNTMqHUbandRjMTLHUqbujnHj3C5B -qrbHtTp6lzTDw8W25niJtIkLSMiYue666RzePcvBoknDvvw4/OEIPa6gaSSJgc9k -DGu1qRd7btbILeXWO5jCb0KElS8aWSHT51gH9eAbTRICETltAKwbXWPFg/0AQv3R -ab5Fyj7vYO9+JfdfP8BNyUSKeQls+7UVTOsFOYACFZqhXzPUUlc4+vKj/gpeujgc -58w+IPPMNyPXG8xeleFYTzZ1/zMIXbW14YTBdTtPPWjcU2DriRL9fJmH5wYkU2/0 -MDfaZOByf8twhe1V7nT3hiBkjflYywNXFgsojE+TYqkoIrtkMmFtpL40UA8zAUW9 -GfV6O+6wzkG9FXKiG/ZUbviQFd5sE3/5fPJt6qukH9E7612PJ5C1mgdiW4c+181v -TqaZuHkWTY1U7Ciwn0aj0Cxp00HyIeKDAVp17rNCYnfhNbwZC6Vu0Edyn2r1qztN -BQrRL3AmbS4yjkEGIwtj/FP3UvyZqNBVyEbgDlDZClyo/aOoW090DNx9V4b1jzX6 -UpjOLTvb0u72e6vCbo6zhMD1TqnLBzzUaGbMkVg+xmsdrxAmTvy0B/roldkCdxQ2 -FtEFGyLnh8m8wInA7J8s4noutmS4GWOAX3h+PAqufrXY/Hw= ------END X509 CRL----- ------BEGIN X509 CRL----- -MIICozCBjAIBATANBgkqhkiG9w0BAQsFADApMScwJQYDVQQDDB5QdXBwZXQgUm9v -dCBDQTogZmZmNjYxYWI3NDBlMjIXDTI1MTIwNDIyNTAxN1oXDTMwMTIwNDIyNTAx -OFqgLzAtMB8GA1UdIwQYMBaAFB2Z0H9USAi6NCIhVfS4xIxvf/VWMAoGA1UdFAQD -AgEAMA0GCSqGSIb3DQEBCwUAA4ICAQArWJW4adDARe/rySBK2oq7IDXdz+8HRghZ -bOs4E9pdrmVSVNYdTTvbcAPd2T0RhJaZPph+djfyj+/yijmaunnACTAwLiaoroJf -LcHCgOSu/n3zUMkszkzsuVYN7p0sV3OAUKMknvzz2qNV/P0ErQUN4yShemi71K0N -HklGuVIk3UOswVzw/6jn0DglCIOtpYgRiB2fixYUMMSK1u0FxtXDTQqdholqjv3F -1kRDCiy7qXQeQe6Xa5tc+Jm1UILk7pUo1MulTIJpuEQXqjVaVU8/HrWGCAYejN9A -9IW97leVo6x3tsP3OYixX2jefpvkLbnJWe+tFCqhMjF3Tpy32ru93ThCB8EAz0BN -THiqMQZ21YLsxSgd7elaEtV66lior9ciJC6wUNuYmXlwXuzMtI+Z39I+bXacmUNg -6sk0Mos+Bnmf0vGypRMxsrhe2v30ndFdkYKTG1PP4nMowJ5DYxEG+KS72LpsysHt -aQHiwZ2HJLX5E79q2gvJ9KMWTijSy0ZnSLa4c1fBuSkJ0t8pLFFUP9nvbpbw8P5H -9LG+mYfopxOgeRPg4my5Fxh5Y4+rAxZRuetzuVi8nDU63QGCiwoU8Hc7CBdGAUvd -MD3aiZAB6w/tJ1+IAoZw7yoSqOeqs9YaXA2bZG+1NYsjOB+ttglte3TDTPsCd75I 
-lRa0kJ2NoQ== ------END X509 CRL----- diff --git a/ca-ssl/private_keys/puppet.speedport.ip.pem b/ca-ssl/private_keys/puppet.speedport.ip.pem deleted file mode 100755 index 767290c..0000000 --- a/ca-ssl/private_keys/puppet.speedport.ip.pem +++ /dev/null 
@@ -1,51 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIJKQIBAAKCAgEAw9YhvsGlTur1E5ZYOeFtj9hZTbqPXcNbkrHPitZQ5fO/d5ur -IVMD5720TG8Id8KrnnlE4C1gCUcpFBLPpoDtsuhAY3LDGl1t4l9wbQL1wa/ULdse -T36qqXlh401+KuPVMdFqcf9ltbV81Q7dd6Ge0q94RdvyaAV8CHgJABc5xVHR5KNj -svJ89Fe9diR38u0eVMNpH082cFRoBly6vf/KVM+8FHxTA4ptyEavtkSTOpboRoQD -SvwK6XI4lj5K0GUdTSjC4+Lq7oewhHZgQD+tHH8RG1SFE49dezKZA9aOnTtGXUkU -s8hFjBbwXZ8fnRWIWWii5A82eP8cPNfr5l9xzfzwSkTeXjb/PgebeXwmOsWUPNKr -6aTV+ta5nPef42xkZORYplriqndSIjGJ2PAmCusat6zdSAG/rmGCrnh+D/mMYA6y -1KdgrNRuI0DHK1KKkQJGy1Rawoi5fRwh0xnOFhUhFKdoNbNRr8SJqt4FUbe5nsAP -oEVDKG8w4wK0beFyYL5KNVNlazglIcmzzgGjbT65LsCMb0UOts+uo+LlKgI9C4Eu -yCCCGQ1gyIH+w2oStulPYq1URyfWMhPvUepJD00YuLmDh+D5ic4ghhUEgcb48PsC -xq1RbBDziKZ6aPCrgdb27jyXD0f8lCTqRv1fmnPgwCVd3UHUCllK5C2D4NcCAwEA -AQKCAgARGra/znH9vo/BMjRqecHz+lVycITtD48D9PvHiIhwTSW/8Jy1wGZq6yrA -MkJvE1Wh9b2KRuxIYyq3Uh1I0aHxKk/VX8SinN5oEyXin4uPaygBCU5QayPEwZFH -JRGL9XI9c6j0Y/YiNMO+aBn3xOn2RNUgZOF7LF907eb7Vwv4q/jFG3AtxPgc7zzh -ALZpRUSM6rRXw7dhgD3FsHuu9JRba/llYKZvfLux7lqSdNLXHy8SWZ1gAzuAwDUp -Ci/Gm84/WvwKo1sZkkhciWpGskkQYBjCZlNpLfBgPj8XErpKCU9P/n4MZcWNQsOj -qa49LhBGntj7SkjbsIxq1AEKkfOCfuWDv1en0qglpTc+UVPs1/VVK4VyIA6UInyA -HccfOstXLrIL8/jzj1KI/r5LX8EsqdXGvmEfvBhNoIdRqtOUG3LNbtqQyoVK9jbZ -kaW+FCEXUbDatBsWhpqLEfJ4SZEp10jv92XNan9VTeClsURoVDrjFjtitOHeFb02 -OKbK3Lb97ikUHrj3QORAa3twC2wBkk7jXyVL3RFiSx012xLfQ02Ukz57E8RYKKYQ -ICwFB1oaoubGfA7JOlDZl+9KJvm+41uv5qXkog2TCzXvdQMiVxEeJduj3e65752z -jINP/50+EsemVZJsIqn+1nWbUzZjM+KfBxSCZkF0fl1EHmJt4QKCAQEA+mjevs/a -79Nx9yVk/wNOx4a6zVsJNgecbloYWintBEy0uTZxECKNE/H1ZIMGW01Wm2SvMyIB -8YI91+BNtdt8Tdqy++14yebNU6b/N5BHXVkiUwXgRHy3UkwmcT6VY0cOFM7gPvKe -3esIPF+sumi6o0kCkmzrivAX55UX2vnvLPeFAjs8QQGIKnxO7ZN29w4rQU1mupbh -NN79wTKbZBi9muBD2ACNepeP0iOdtJMEoeJmrMQaNyXeTmoZ35TInyDoFv5qn8OU -HfYuta0mA92oA5l2Wq9R4UZp6Jt/KKwqpVPG925Fmz0rm62VqYBNlT4TtKigGLJU -pR2sTeFfaA2RtQKCAQEAyDVeEXF6xDh8Nz3tdsZV52ogIGQfsdxQZ/ymrqs6evDH -g0Y6CCklyLdIePo0hlTW4fBTyKFrClWxQr/MLkZQcwhmsXOei3LUbvx2IIBtzYPt 
-k4RYJUE2m9Axb2zkFaKbkf87AyAKYw2Suc9PzxQzOjjTOmfOp99dePh2ogxFqMTN -jN/SQqS83Y8BBuOJXLGoZM1iI/vcUFqvu1HzA91QZhKLKD0nDEU9VcuIn3Ap9/4i -Nx0zOahb62XWVfJTWDiHOqONJXoJO0+yAPi2V4VWLR/qqTDaKSG77Pd4fJqyzbPJ -LxC/pziJ0Zo9+ENujAMvWBf4+V64nIo8a5RXtIgv2wKCAQEAoA2hufKfLMVIxcB4 -Emtp0ixyf8mdVJR+zyX1BMRhg2sH5I5ArCB5bfMsdycsS/Vd0wsC1Lr65QPrRW1Q -HloA1L5hwpbhqqNEQCCwZjJo+uh7APfzhbL1dbvIon9u+rqy7GfiezmWg5+zbut0 -Ot2v1ahX5YGK+A5IKTRpwAQadPJsaKW1+JLjFszHoiCsXHMJAL9ZVxATODkDlpYj -LlKF9lU75/dKdr4jJhyvs3h48IQGPo1FeFRTCGnWycqOhO+CiRfqzN00cgYliuf2 -MWhe+JYBSStgOY5JKW0iVLvesjefKA2qnfP2SJYl3+ZrMGYyMDnLwp1RbwxNUqYn -1hk+NQKCAQBGeSqknzpkqbFnzJ+zCHuimuO2IyhY9kFDaVbO8y0Bq5G/LtAsoTdQ -oNuc4g3tHx4IqA0F+XPxTlq4MUVRIKUe6N0lJ5quYXxPmQSHyk1cY00UeSiB7KOp -Uy6jl0PuLa/vQ1VlczjUxylXyJbCQM0LeIc57uJ6ixCfDW7M+d7nWmc0aHDdzplA -sB7fauamP08UNIuQOQ7DJjjniiAtwxCS7YIYZvZAxnqhoaR04wmS5tzqY5ftesro -YI+C72rRCgzn4jxD7eIkA5iX6PReeGvuNGboqW6RvfMlpbK+wcGg0OFHdPDRjwBM -TKv1oN7f4BshOkcEmIgJakt8XtpEjQ+zAoIBAQCxiw8kpdNXybadaWhQ+Fv2pW/m -gZsnyxuMwM7+TM5/CfCt5lepS5mUQXc064fdoOc2gCY1HaBV06PCPYQ0X00zBU3L -8Md1F7X5apTIv7ltoF/OxeLTWepW+QUJZBXoxys3uW4qbAp1BA+m9D03hR3csZX/ -wAT7QF3mtGpmTndLBmNw2W0vGMI80P/53jAPvHqlX/AXAshvKcsnTfRt05oqbHny -gI2stRw1TVKjvGtkAOA6KHakLZdtZNqYn3QJktYMiBNVV+eLHcjJYU+5+eT7fe/P -7BpYp98YutcQrksgHvORNaPlX/eKKL7jca0/5LQkiW8QaQaj49D79ICVbI8z ------END RSA PRIVATE KEY----- diff --git a/ca-ssl/public_keys/puppet.speedport.ip.pem b/ca-ssl/public_keys/puppet.speedport.ip.pem deleted file mode 100755 index fe1db2a..0000000 --- a/ca-ssl/public_keys/puppet.speedport.ip.pem +++ /dev/null 
@@ -1,14 +0,0 @@ ------BEGIN PUBLIC KEY----- -MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAw9YhvsGlTur1E5ZYOeFt -j9hZTbqPXcNbkrHPitZQ5fO/d5urIVMD5720TG8Id8KrnnlE4C1gCUcpFBLPpoDt -suhAY3LDGl1t4l9wbQL1wa/ULdseT36qqXlh401+KuPVMdFqcf9ltbV81Q7dd6Ge -0q94RdvyaAV8CHgJABc5xVHR5KNjsvJ89Fe9diR38u0eVMNpH082cFRoBly6vf/K -VM+8FHxTA4ptyEavtkSTOpboRoQDSvwK6XI4lj5K0GUdTSjC4+Lq7oewhHZgQD+t -HH8RG1SFE49dezKZA9aOnTtGXUkUs8hFjBbwXZ8fnRWIWWii5A82eP8cPNfr5l9x -zfzwSkTeXjb/PgebeXwmOsWUPNKr6aTV+ta5nPef42xkZORYplriqndSIjGJ2PAm -Cusat6zdSAG/rmGCrnh+D/mMYA6y1KdgrNRuI0DHK1KKkQJGy1Rawoi5fRwh0xnO -FhUhFKdoNbNRr8SJqt4FUbe5nsAPoEVDKG8w4wK0beFyYL5KNVNlazglIcmzzgGj -bT65LsCMb0UOts+uo+LlKgI9C4EuyCCCGQ1gyIH+w2oStulPYq1URyfWMhPvUepJ -D00YuLmDh+D5ic4ghhUEgcb48PsCxq1RbBDziKZ6aPCrgdb27jyXD0f8lCTqRv1f -mnPgwCVd3UHUCllK5C2D4NcCAwEAAQ== ------END PUBLIC KEY----- diff --git a/code/environments/production/manifests/all_system.pp b/code/environments/production/manifests/all_system.pp index c39c80c..f5d0595 100644 --- a/code/environments/production/manifests/all_system.pp +++ b/code/environments/production/manifests/all_system.pp 
@@ -4,26 +4,79 @@ class all_system { owner => 'root', group => 'root', mode => '0644', - content => "Willkommen auf diesem Server von JonnyBravo ein neuer Nerd am Himmel DANIEL. Er wird von Puppet verwaltet.\n", + content => "<-----------------------Dieser Server wird zum Teil von Puppet verwaltet.----------------------->\n", } -} - -class apt_upgrade { - cron { 'apt_update_upgrade': - command => '/usr/bin/apt-get update && /usr/bin/apt-get -y upgrade', - user => 'root', - weekday => 0, # 0 = Sonntag - hour => '2', - minute => '0', - require => File['/usr/bin/apt-get'], + user { 'jonnybravo': + ensure => present, # Der Benutzer soll vorhanden sein + managehome => true, # Stellt sicher, dass das Home-Verzeichnis erstellt wird + purge_ssh_keys => true, + shell => '/bin/fish', # Setzt die Standard-Shell für den Benutzer } - file { '/usr/bin/apt-get': - ensure => 'file', - owner => 'root', - group => 'root', - mode => '0755', + ssh_authorized_key { 'jonnybravo_root': + ensure => present, + user => 'jonnybravo', + type => 'ssh-rsa', + key => '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', + } + + + case $facts['os']['name'] { + 'CentOS', 'RedHat': { + # Configuration for RedHat-based systems + } + 'Ubuntu', 'Debian': { + # Configuration for Debian-based systems + file { '/usr/bin/apt-get': + ensure => 'file', + owner => 'root', + group => 'root', + mode => '0755', + } + cron { 'apt_update_upgrade': + command => '/usr/bin/apt-get update && /usr/bin/apt-get -y upgrade', + user => 'root', + weekday => 0, # 0 = Sonntag + hour => '2', + minute => '0', + require => File['/usr/bin/apt-get'], + } + package { 'apache2': + ensure => 'present', + provider => 'apt', + } + } + 'Archlinux' : { + # Configuration for Arch-based systems + $basic_package_list = ['fish', 'tmux', 'python'] + + package { $basic_package_list: + ensure => 'present', + provider => 'pacman', + } + # Configuration for Arch-based systems + schedule { 'weekly': + period => weekly, + repeat => 1, + } + + # 
Führen Sie die Systemaktualisierung durch + exec { 'pacman-update': + command => '/usr/bin/pacman -Syu --noconfirm', + provider => 'shell', + logoutput => 'on_failure', + schedule => 'weekly', + path => ['/usr/bin', '/bin'], + user => 'root', + group => 'root', + timeout => 0, + } + } + default: { + fail("Unsupported operating system ${facts['os']['name']}") + } } } + diff --git a/config/openvoxdb/database.ini b/config/openvoxdb/database.ini new file mode 100644 index 0000000..5c3f117 --- /dev/null +++ b/config/openvoxdb/database.ini @@ -0,0 +1,17 @@ +# This file configures the database connections for PuppetDB. +# It is mounted from the host system via docker-compose.yml. + +[database] +classname = org.postgresql.Driver +subprotocol = postgresql +# The subname points to the postgres service defined in docker-compose. +subname = //postgres:5432/openvoxdb +username = openvox +password = StartStart1234 + +[read-database] +classname = org.postgresql.Driver +subprotocol = postgresql +subname = //postgres:5432/openvoxdb +username = openvox_ro +password = Start1234 diff --git a/config/postgres/script/setup_readonly_user.sql b/config/postgres/script/setup_readonly_user.sql new file mode 100644 index 0000000..88d1bf7 --- /dev/null +++ b/config/postgres/script/setup_readonly_user.sql 
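Review bot: The Debian/Ubuntu branch manages `/usr/bin/apt-get` as `file { '/usr/bin/apt-get': ensure => 'file', mode => '0755' }` so the cron job can `require` it; with no `source` or `content`, `ensure => 'file'` creates an empty root-owned executable at that path when apt-get is missing instead of failing, and when it is present it only re-applies owner/group/mode to a package-owned binary. Depend on the owning package instead, `package { 'apt': ensure => 'installed' }` with `require => Package['apt']` on the cron, or drop both the file resource and the `require`. `user { 'jonnybravo': shell => '/bin/fish' }` is declared before the `case` and so applies to every OS, but `fish` is only installed in the `'Archlinux'` branch through `$basic_package_list`; on Debian/Ubuntu the account would get a login shell that may not exist, which is worth confirming on those hosts. `exec { 'pacman-update': timeout => 0 }` disables the timeout on an unattended `--noconfirm` full upgrade; a finite value such as `timeout => 3600` keeps a hung mirror from blocking the agent run indefinitely. The enclosing `class all_system` opens before this hunk.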
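Review bot: `password = StartStart1234` and `password = Start1234` put live database credentials for both the `[database]` and `[read-database]` sections into a tracked config file, so anyone with read access to the repository or its history holds them. Keep this file out of version control (commit a `database.ini.example` with placeholder values), generate the real one at container start from a Docker secret or environment variable, and treat the current values as already disclosed and rotate them. The `openvox_ro` password is also hard-coded in `config/postgres/script/setup_readonly_user.sql`, so the two copies must be kept in sync by hand; sourcing both from the same secret removes that coupling. Whether this file is mounted into the openvoxdb container is not visible in the compose hunks of this patch, so a header comment naming the consumer, e.g. `# Read by openvoxdb; [read-database] must match the openvox_ro role created by the postgres init script`, would help the next reader.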
@@ -0,0 +1,33 @@
+-- Dieses Skript enthält die Logik zur Erstellung eines dedizierten Read-Only-Benutzers
+-- und zur Anpassung des Hauptbenutzers.
+
+-- Dieses Skript enthält die Logik zur Erstellung eines dedizierten Read-Only-Benutzers
+-- und zur Anpassung des Hauptbenutzers.
+
+-- 1. Erstellen Sie einen neuen Benutzer mit einem sicheren Passwort.
+CREATE USER openvox_ro WITH PASSWORD 'Start1234';
+
+-- 2. Entziehen Sie alle Standardberechtigungen für den neuen Benutzer.
+ALTER DEFAULT PRIVILEGES IN SCHEMA public REVOKE ALL ON TABLES FROM openvox_ro;
+ALTER DEFAULT PRIVILEGES IN SCHEMA public REVOKE ALL ON SEQUENCES FROM openvox_ro;
+ALTER DEFAULT PRIVILEGES IN SCHEMA public REVOKE ALL ON FUNCTIONS FROM openvox_ro;
+
+-- 3. Erteilen Sie die erforderlichen Mindestberechtigungen.
+-- Erlauben Sie die Verbindung zur Datenbank.
+GRANT CONNECT ON DATABASE openvoxdb TO openvox_ro;
+
+-- Erlauben Sie die Nutzung des 'public'-Schemas.
+GRANT USAGE ON SCHEMA public TO openvox_ro;
+
+-- Erteilen Sie Lesezugriff (SELECT) auf alle vorhandenen Tabellen.
+GRANT SELECT ON ALL TABLES IN SCHEMA public TO openvox_ro;
+
+-- 4. Stellen Sie sicher, dass der Benutzer auch Lesezugriff auf zukünftig erstellte Tabellen hat.
+ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO openvox_ro;
+
+-- HINWEIS: Der Hauptbenutzer 'openvox' sollte idealerweise kein Superuser sein,
+-- nachdem die Initialisierung abgeschlossen ist. Der folgende Befehl würde dies tun,
+-- könnte aber zukünftige Schema-Migrationen verhindern oder mit Postgres 18+ zu Fehlern führen.
+-- ALTER USER openvox NOSUPERUSER;
+
+COMMIT;
diff --git a/config/puppet/puppet.conf b/config/puppet/puppet.conf
new file mode 100644
index 0000000..53b2366
--- /dev/null
+++ b/config/puppet/puppet.conf
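Review bot: `CREATE USER openvox_ro WITH PASSWORD 'Start1234'` hard-codes the read-only role's password in an init script that the postgres image runs from `/docker-entrypoint-initdb.d`, and a `.sql` file there gets no variable substitution, so the value cannot be supplied from the environment as written. Wrap it in a `.sh` init script that passes the value as a psql variable, `psql -v ON_ERROR_STOP=1 -v ro_pw="$OPENVOX_RO_PASSWORD" ...` (variable name is a suggestion) with `CREATE USER openvox_ro WITH PASSWORD :'ro_pw';`, and feed the same secret to the `[read-database]` section of `config/openvoxdb/database.ini`. The three `ALTER DEFAULT PRIVILEGES ... REVOKE ALL ... FROM openvox_ro` statements only undo default grants previously made to that role, of which a freshly created role has none, so step 2 is effectively a no-op and its comment overstates what it does; the `ALTER DEFAULT PRIVILEGES ... GRANT SELECT` in step 4 also applies only to tables later created by the role that runs this script, so if PuppetDB's migrations run as a different role it needs `FOR ROLE <that role>`. The trailing `COMMIT;` has no matching `BEGIN;` and only emits a warning, and the two-line header comment is duplicated immediately below itself.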
@@ -0,0 +1,30 @@
+[main]
+confdir = /etc/puppetlabs/puppet
+vardir = /opt/puppetlabs/puppet/cache
+logdir = /var/log/puppetlabs/puppet
+codedir = /etc/puppetlabs/code
+rundir = /var/run/puppetlabs
+manage_internal_file_permissions = false
+serverport = 8140
+# This file can be used to override the default puppet settings.
+# See the following links for more details on what settings are available:
+# - https://puppet.com/docs/puppet/latest/config_important_settings.html
+# - https://puppet.com/docs/puppet/latest/config_about_settings.html
+# - https://puppet.com/docs/puppet/latest/config_file_main.html
+# - https://puppet.com/docs/puppet/latest/configuration.html
+[server]
+vardir = /opt/puppetlabs/server/data/puppetserver
+logdir = /var/log/puppetlabs/puppetserver
+rundir = /var/run/puppetlabs/puppetserver
+pidfile = /var/run/puppetlabs/puppetserver/puppetserver.pid
+codedir = /etc/puppetlabs/code
+environmentpath = /etc/puppetlabs/code/environments
+hiera_config = $confdir/hiera.yaml
+autosign = true
+environment_timeout = 10
+storeconfigs_backend = puppetdb
+storeconfigs = true
+reports = puppetdb
+ca_ttl = 157680000
+ca_server = puppet
+ca_port = 8140
diff --git a/docker-compose.yml b/docker-compose.yml
index 7ca46c5..d10fdee 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,6 +1,7 @@
 services:
 openvox:
- image: ghcr.io/openvoxproject/openvoxserver:8.8.0-latest
+ image: ghcr.io/openvoxproject/openvoxserver:latest
+ # image: ghcr.io/openvoxproject/openvoxserver:8.8.0-latest
 container_name: openvox
 hostname: puppet
 ports:
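Review bot: `autosign = true` under `[server]` makes the CA sign every certificate request it receives without any check, so any host that can reach port 8140 can enroll under any certname, receive that node's catalog, and submit facts and reports in its name to PuppetDB. Switch to an explicit allow-list, `autosign = /etc/puppetlabs/puppet/autosign.conf`, listing the expected certnames or domain globs, or to a policy-based autosign executable, or set `autosign = false` and sign requests with `puppetserver ca sign`. The header comment block starting `# This file can be used to override the default puppet settings.` sits between `serverport` and `[server]` rather than at the top of the file; move it above `[main]` so it reads as the file header. With `ca_ttl = 157680000` (five years), a one-line comment next to it on how certificates are expected to be renewed would also help.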
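Review bot: `image: ghcr.io/openvoxproject/openvoxserver:latest` replaces a pinned tag with a floating one, so every `docker compose pull` can silently move the server to a new major version; the same change is made for `postgres:latest` in the `-8,15 +9,17` hunk and `openvoxdb:latest` in the `-41,16 +44,17` hunk. Floating tags make the deployment non-reproducible and bypass review of image updates; keep the pinned tags (the now-commented `# image:` lines) as the active value, or pin by digest, `image: ghcr.io/openvoxproject/openvoxserver:latest@sha256:<digest>`, and bump deliberately. For postgres in particular a major-version jump changes the on-disk cluster format, and the server refuses to start against data written by a previous major version, which would take PuppetDB down with it.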
@@ -8,15 +9,17 @@ services: - "8141:8141" # Puppet Server HTTP - "8142:8142" # Puppet Server HTTPS volumes: + - ./config/puppet/puppet.conf:/etc/puppetlabs/puppet/puppet.conf - ./code:/etc/puppetlabs/code - - ./ca-ssl:/etc/puppetlabs/puppet/ssl + - ca_ssl_data:/etc/puppetlabs/puppet/ssl environment: - OPENVOXSERVER_ENVIRONMENT_TIMEOUT=10 networks: - openvox_network postgres: - image: postgres:16.2 + image: postgres:latest + # image: postgres:16.2 container_name: postgres hostname: postgres environment: @@ -25,9 +28,9 @@ services: POSTGRES_DB: openvoxdb POSTGRES_EXTENSIONS: pg_trgm volumes: - - postgres_data:/var/lib/postgresql/data - - ./config/postgres/postgresql.conf:/etc/postgresql/postgresql.conf - - ./config/postgres/pg_hba.conf:/etc/postgresql/pg_hba.conf + - postgres_data:/var/lib/postgresql + # - ./config/postgres/postgresql.conf:/etc/postgresql/postgresql.conf + # - ./config/postgres/pg_hba.conf:/etc/postgresql/pg_hba.conf - ./config/postgres/script:/docker-entrypoint-initdb.d ports: - "5432:5432" @@ -41,16 +44,17 @@ services: start_period: 10s openvoxdb: - image: ghcr.io/openvoxproject/openvoxdb:8.9.0-latest + image: ghcr.io/openvoxproject/openvoxdb:latest + # image: ghcr.io/openvoxproject/openvoxdb:8-latest container_name: openvoxdb environment: - OPENVOXDB_POSTGRES_HOSTNAME: postgres - OPENVOXDB_POSTGRES_PORT: 5432 - OPENVOXDB_POSTGRES_USER: openvox - OPENVOXDB_POSTGRES_DATABASE: openvoxdb - OPENVOXDB_POSTGRES_PASSWORD: StartStart1234 OPENVOXSERVER_HOSTNAME: puppet OPENVOXSERVER_PORT: 8140 + OPENVOXDB_POSTGRES_HOSTNAME: postgres + OPENVOXDB_POSTGRES_PORT: 5432 + OPENVOXDB_POSTGRES_DATABASE: openvoxdb + OPENVOXDB_POSTGRES_USER: openvox + OPENVOXDB_POSTGRES_PASSWORD: StartStart1234 networks: - openvox_network volumes: @@ -70,6 +74,7 @@ volumes: postgres_data: openvoxdb_data: openvoxdb_ca: + ca_ssl_data: networks: openvox_network: diff --git a/docker-entrypoint-debug.sh b/docker-entrypoint-debug.sh deleted file mode 100755 index efc7fe1..0000000 
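Review bot: `- ca_ssl_data:/etc/puppetlabs/puppet/ssl` moves the server's SSL directory off the git-tracked `./ca-ssl` bind mount into a named volume, which is the right direction, but the CA certificate, CRL and the `puppet.speedport.ip` server private key that lived there are only deleted in this commit and remain in the repository history. That server key must be treated as disclosed and the server certificate re-issued; whether the CA key itself was ever tracked is not visible here, since `ca-ssl/ca` was a symlink to `/etc/puppetlabs/puppetserver/ca`, so letting the server generate a fresh CA into the new volume and re-enrolling the agents is the safer choice over copying the old `ca-ssl` contents into `ca_ssl_data`. A one-line comment above the mount, `# CA and host certs live in a named volume; never bind-mount them from the repo`, would keep the next contributor from re-introducing the bind mount.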
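Review bot: Commenting out the `postgresql.conf` and `pg_hba.conf` mounts in the `-25,9 +28,9` hunk means postgres now runs on the image's default client-authentication rules while `5432:5432` in the same hunk still publishes the port on the host, so whatever the custom `pg_hba.conf` restricted no longer applies. If the files were dropped because `postgres:latest` changed the config location, mount them at the new path or select them explicitly with `command: postgres -c hba_file=/etc/postgresql/pg_hba.conf -c config_file=/etc/postgresql/postgresql.conf`; if they are gone for good, delete the commented lines rather than leaving dead configuration. The data volume path change to `/var/lib/postgresql` appears tied to the image's major version and will need to follow any future bump; a comment such as `# newer postgres images keep the cluster under /var/lib/postgresql/<major>/docker` would explain it, after confirming the exact layout against the image documentation.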
--- a/docker-entrypoint-debug.sh +++ /dev/null 
@@ -1,134 +0,0 @@ -#!/bin/bash -# bash is required to pass ENV vars with dots as sh cannot - -set -o errexit -set -o pipefail -set -o nounset - -pid=0 # Initialize pid to 0 - -echoerr() { echo "$@" 1>&2; } - -echoerr "Entrypoint PID $$" - -## Pre execution handler -pre_execution_handler() { - export CA_ENABLED=true # Force CA_ENABLED to true - if [ -d /docker-custom-entrypoint.d/ ]; then - if [ -d /docker-custom-entrypoint.d/pre-default/ ]; then - find /docker-custom-entrypoint.d/pre-default/ -type f -name "*.sh" \ - -exec chmod +x {} \; - sync - for f in /docker-custom-entrypoint.d/pre-default/*.sh; do - if [[ -f "$f" && -x $(realpath "$f") ]]; then - echo "Running $f" - "$f" - fi - done - fi - fi - - # Removed 'set -x' as it was only for pre-execution scripts - # set -x # Enable debug output for pre-execution scripts - echo "CA_ENABLED is: $CA_ENABLED" - for f in /docker-entrypoint.d/*.sh; do - echo "Running $f" - "$f" - done - - if [ -d /docker-custom-entrypoint.d/ ]; then - find /docker-custom-entrypoint.d/ -type f -name "*.sh" \ - -exec chmod +x {} \; - sync - for f in /docker-custom-entrypoint.d/*.sh; do - if [[ -f "$f" && -x $(realpath "$f") ]]; then - echo "Running $f" - "$f" - fi - done - fi -} - -## Post startup handler -post_startup_handler() { - if [ -d /docker-custom-entrypoint.d/ ]; then - if [ -d /docker-custom-entrypoint.d/post-startup/ ]; then - find /docker-custom-entrypoint.d/post-startup/ -type f -name "*.sh" \ - -exec chmod +x {} \; - sync - for f in /docker-custom-entrypoint.d/post-startup/*.sh; do - if [[ -f "$f" && -x $(realpath "$f") ]]; then - echo "Running $f" - "$f" - fi - done - fi - fi -} - -## Post execution handler -post_execution_handler() { - if [ -d /docker-custom-entrypoint.d/ ]; then - if [ -d /docker-custom-entrypoint.d/post-execution/ ]; then - find /docker-custom-entrypoint.d/post-execution/ -type f -name "*.sh" \ - -exec chmod +x {} \; - sync - for f in /docker-custom-entrypoint.d/post-execution/*.sh; do - if [[ -f "$f" && 
-x $(realpath "$f") ]]; then - echo "Running $f" - "$f" - fi - done - fi - fi -} - -## Sigterm Handler -sigterm_handler() { - echoerr "Catching SIGTERM" - if [ $pid -ne 0 ]; then - echoerr "sigterm_handler for PID '${pid}' triggered" - if [ -d /docker-custom-entrypoint.d/ ]; then - if [ -d /docker-custom-entrypoint.d/sigterm-handler/ ]; then - find /docker-custom-entrypoint.d/sigterm-handler/ -type f -name "*.sh" \ - -exec chmod +x {} \; - sync - for f in /docker-custom-entrypoint.d/sigterm-handler/*.sh; do - if [[ -f "$f" && -x $(realpath "$f") ]]; then - echo "Running $f" - "$f" - fi - done - fi - fi - kill -15 "$pid" - wait "$pid" - post_execution_handler - fi - exit 143; # 128 + 15 -- SIGTERM -} - -## Setup signal trap -trap sigterm_handler SIGTERM - -## Initialization -pre_execution_handler - -## Start Process -echoerr "DEBUG: Attempting to start Puppetserver in foreground." -# run process in foreground -# set -x # Enable debug output - moved to be after pid capture -/opt/puppetlabs/bin/puppetserver foreground "$@" & -pid=$! # Capture the PID of the background process -echoerr "DEBUG: Puppetserver started with PID $pid." -set -x # Enable debug output after pid capture - -wait "$pid" # Wait for the puppetserver process to finish -return_code=$? -echoerr "DEBUG: Puppetserver exited with code $return_code." -exit $return_code - -# The following lines will not be reached if exec is successful -# If exec fails, the script will continue here, which indicates an issue -# echoerr "ERROR: Puppetserver failed to start in foreground." -# exit 1