Merge remote-tracking branch 'gfa/gfa/prosody'
authorPeter Palfrader <peter@palfrader.org>
Tue, 29 Oct 2019 14:52:42 +0000 (15:52 +0100)
committerPeter Palfrader <peter@palfrader.org>
Tue, 29 Oct 2019 14:52:42 +0000 (15:52 +0100)
* gfa/gfa/prosody:
  Notify prosody when its certificates change
  manage prosody using puppet
  Add the posix_acl module
  Add the prosody module

76 files changed:
3rdparty/Puppetfile
3rdparty/modules/posix_acl/CHANGELOG.md [new file with mode: 0644]
3rdparty/modules/posix_acl/CONTRIBUTING.md [new file with mode: 0644]
3rdparty/modules/posix_acl/Gemfile [new file with mode: 0644]
3rdparty/modules/posix_acl/LICENSE [new file with mode: 0644]
3rdparty/modules/posix_acl/README.org [new file with mode: 0644]
3rdparty/modules/posix_acl/Rakefile [new file with mode: 0644]
3rdparty/modules/posix_acl/checksums.json [new file with mode: 0644]
3rdparty/modules/posix_acl/lib/puppet/provider/posix_acl/genericacl.rb [new file with mode: 0644]
3rdparty/modules/posix_acl/lib/puppet/provider/posix_acl/posixacl.rb [new file with mode: 0644]
3rdparty/modules/posix_acl/lib/puppet/type/posix_acl.rb [new file with mode: 0644]
3rdparty/modules/posix_acl/manifests/requirements.pp [new file with mode: 0644]
3rdparty/modules/posix_acl/metadata.json [new file with mode: 0644]
3rdparty/modules/posix_acl/spec/acceptance/nodesets/archlinux-2-x64.yml [new file with mode: 0644]
3rdparty/modules/posix_acl/spec/acceptance/nodesets/centos-511-x64.yml [new file with mode: 0644]
3rdparty/modules/posix_acl/spec/acceptance/nodesets/centos-59-x64.yml [new file with mode: 0644]
3rdparty/modules/posix_acl/spec/acceptance/nodesets/centos-6-x64.yml [new file with mode: 0644]
3rdparty/modules/posix_acl/spec/acceptance/nodesets/centos-64-x64-pe.yml [new file with mode: 0644]
3rdparty/modules/posix_acl/spec/acceptance/nodesets/centos-65-x64.yml [new file with mode: 0644]
3rdparty/modules/posix_acl/spec/acceptance/nodesets/centos-66-x64-pe.yml [new file with mode: 0644]
3rdparty/modules/posix_acl/spec/acceptance/nodesets/centos-7-x64.yml [new file with mode: 0644]
3rdparty/modules/posix_acl/spec/acceptance/nodesets/debian-78-x64.yml [new file with mode: 0644]
3rdparty/modules/posix_acl/spec/acceptance/nodesets/debian-82-x64.yml [new file with mode: 0644]
3rdparty/modules/posix_acl/spec/acceptance/nodesets/ec2/amazonlinux-2016091.yml [new file with mode: 0644]
3rdparty/modules/posix_acl/spec/acceptance/nodesets/ec2/image_templates.yaml [new file with mode: 0644]
3rdparty/modules/posix_acl/spec/acceptance/nodesets/ec2/rhel-73-x64.yml [new file with mode: 0644]
3rdparty/modules/posix_acl/spec/acceptance/nodesets/ec2/sles-12sp2-x64.yml [new file with mode: 0644]
3rdparty/modules/posix_acl/spec/acceptance/nodesets/ec2/ubuntu-1604-x64.yml [new file with mode: 0644]
3rdparty/modules/posix_acl/spec/acceptance/nodesets/ec2/windows-2016-base-x64.yml [new file with mode: 0644]
3rdparty/modules/posix_acl/spec/acceptance/nodesets/fedora-25-x64.yml [new file with mode: 0644]
3rdparty/modules/posix_acl/spec/acceptance/nodesets/fedora-26-x64.yml [new file with mode: 0644]
3rdparty/modules/posix_acl/spec/acceptance/nodesets/fedora-27-x64.yml [new file with mode: 0644]
3rdparty/modules/posix_acl/spec/acceptance/nodesets/ubuntu-server-10044-x64.yml [new file with mode: 0644]
3rdparty/modules/posix_acl/spec/acceptance/nodesets/ubuntu-server-1204-x64.yml [new file with mode: 0644]
3rdparty/modules/posix_acl/spec/acceptance/nodesets/ubuntu-server-12042-x64.yml [new file with mode: 0644]
3rdparty/modules/posix_acl/spec/acceptance/nodesets/ubuntu-server-1404-x64.yml [new file with mode: 0644]
3rdparty/modules/posix_acl/spec/acceptance/nodesets/ubuntu-server-1604-x64.yml [new file with mode: 0644]
3rdparty/modules/posix_acl/spec/default_facts.yml [new file with mode: 0644]
3rdparty/modules/posix_acl/spec/spec.opts [new file with mode: 0644]
3rdparty/modules/posix_acl/spec/spec_helper.rb [new file with mode: 0644]
3rdparty/modules/posix_acl/spec/unit/puppet/provider/posixacl_spec.rb [new file with mode: 0644]
3rdparty/modules/posix_acl/spec/unit/puppet/type/acl_spec.rb [new file with mode: 0644]
3rdparty/modules/prosody/.fixtures.yml [new file with mode: 0644]
3rdparty/modules/prosody/.gitignore [new file with mode: 0644]
3rdparty/modules/prosody/.pmtignore [new file with mode: 0644]
3rdparty/modules/prosody/.rubocop.yml [new file with mode: 0644]
3rdparty/modules/prosody/.travis.yml [new file with mode: 0644]
3rdparty/modules/prosody/Gemfile [new file with mode: 0644]
3rdparty/modules/prosody/README.md [new file with mode: 0644]
3rdparty/modules/prosody/Rakefile [new file with mode: 0644]
3rdparty/modules/prosody/data/common.yaml [new file with mode: 0644]
3rdparty/modules/prosody/hiera.yaml [new file with mode: 0644]
3rdparty/modules/prosody/manifests/community_modules.pp [new file with mode: 0644]
3rdparty/modules/prosody/manifests/config.pp [new file with mode: 0644]
3rdparty/modules/prosody/manifests/init.pp [new file with mode: 0644]
3rdparty/modules/prosody/manifests/package.pp [new file with mode: 0644]
3rdparty/modules/prosody/manifests/service.pp [new file with mode: 0644]
3rdparty/modules/prosody/manifests/user.pp [new file with mode: 0644]
3rdparty/modules/prosody/manifests/virtualhost.pp [new file with mode: 0644]
3rdparty/modules/prosody/metadata.json [new file with mode: 0644]
3rdparty/modules/prosody/spec/classes/prosody_spec.rb [new file with mode: 0644]
3rdparty/modules/prosody/spec/defines/virtualhost_spec.rb [new file with mode: 0644]
3rdparty/modules/prosody/spec/spec_helper.rb [new file with mode: 0644]
3rdparty/modules/prosody/templates/prosody.cfg.erb [new file with mode: 0644]
3rdparty/modules/prosody/templates/virtualhost.cfg.erb [new file with mode: 0644]
3rdparty/modules/prosody/tests/init.pp [new file with mode: 0644]
3rdparty/modules/prosody/tests/modules/prosody/manifests [new symlink]
3rdparty/modules/prosody/tests/modules/prosody/templates [new symlink]
3rdparty/modules/prosody/types/authentication.pp [new file with mode: 0644]
3rdparty/modules/prosody/types/host.pp [new file with mode: 0644]
3rdparty/modules/prosody/types/loglevel.pp [new file with mode: 0644]
3rdparty/modules/prosody/types/moduletype.pp [new file with mode: 0644]
3rdparty/modules/prosody/types/packageensure.pp [new file with mode: 0644]
3rdparty/modules/prosody/types/storage.pp [new file with mode: 0644]
modules/profile/manifests/prosody.pp [new file with mode: 0644]
modules/roles/manifests/rtc.pp

index e80b689..0d751cb 100644 (file)
@@ -12,5 +12,11 @@ mod 'nanliu/staging', '1.0.3'
 
 mod 'puppetlabs/certregen', '0.2.0'
 
+# Prosody
+mod 'mayflower-prosody',
+  git: 'https://github.com/mayflower/puppet-prosody.git',
+  ref: '863bb4ee0cd3369ad69a211042b4c5f7d66f4444'
+mod 'puppet-posix_acl', '0.1.1'
+
 # OpenStack
-mod 'duritong/sysctl', '0.0.11' 
+mod 'duritong/sysctl', '0.0.11'
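Review bot: The `# Prosody` comment above the git-sourced module does not record which upstream release or date `ref: '863bb4ee0cd3369ad69a211042b4c5f7d66f4444'` corresponds to, or why a git checkout is used instead of a Forge release. The full-hash pin itself is good, but without that context a later bump of the hash cannot be audited from the Puppetfile alone. I would extend the comment, for example `# Prosody: mayflower/puppet-prosody at <upstream tag or commit date>, from git because <reason>`, and add `# posix_acl: needed by the prosody module` above the `puppet-posix_acl` line if that is why it is pulled in (the hunk does not show it). As a style point, the two new entries use the `author-name` form while the surrounding entries use `author/name` (`nanliu/staging`, `puppetlabs/certregen`, `duritong/sysctl`); `mod 'mayflower/prosody',` and `mod 'puppet/posix_acl', '0.1.1'` would match the rest of the file.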
diff --git a/3rdparty/modules/posix_acl/CHANGELOG.md b/3rdparty/modules/posix_acl/CHANGELOG.md
new file mode 100644 (file)
index 0000000..b95dc9c
--- /dev/null
@@ -0,0 +1,87 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+Each new release typically also includes the latest modulesync defaults.
+These should not affect the functionality of the module.
+
+## [v0.1.1](https://github.com/voxpupuli/puppet-posix_acl/tree/v0.1.1) (2018-10-14)
+
+[Full Changelog](https://github.com/voxpupuli/puppet-posix_acl/compare/v0.1.0...v0.1.1)
+
+**Merged pull requests:**
+
+- modulesync 2.2.0 and allow puppet 6.x [\#53](https://github.com/voxpupuli/puppet-posix_acl/pull/53) ([bastelfreak](https://github.com/bastelfreak))
+
+## [v0.1.0](https://github.com/voxpupuli/puppet-posix_acl/tree/v0.1.0) (2018-07-16)
+
+[Full Changelog](https://github.com/voxpupuli/puppet-posix_acl/compare/0.0.5...v0.1.0)
+
+**Implemented enhancements:**
+
+- Move to Vox Pupuli [\#29](https://github.com/voxpupuli/puppet-posix_acl/issues/29)
+
+**Merged pull requests:**
+
+- Remove docker nodesets [\#47](https://github.com/voxpupuli/puppet-posix_acl/pull/47) ([bastelfreak](https://github.com/bastelfreak))
+- drop EOL OSs; fix puppet version range [\#46](https://github.com/voxpupuli/puppet-posix_acl/pull/46) ([bastelfreak](https://github.com/bastelfreak))
+- Rubocop: Fix Style/PredicateName [\#42](https://github.com/voxpupuli/puppet-posix_acl/pull/42) ([alexjfisher](https://github.com/alexjfisher))
+- Rubocop: Fix Style/GuardClause [\#41](https://github.com/voxpupuli/puppet-posix_acl/pull/41) ([alexjfisher](https://github.com/alexjfisher))
+- Rubocop: Fix Lint/UselessAssignment [\#40](https://github.com/voxpupuli/puppet-posix_acl/pull/40) ([alexjfisher](https://github.com/alexjfisher))
+- Rubocop auto fixes [\#39](https://github.com/voxpupuli/puppet-posix_acl/pull/39) ([alexjfisher](https://github.com/alexjfisher))
+- Fix metadata and add LICENSE file [\#36](https://github.com/voxpupuli/puppet-posix_acl/pull/36) ([alexjfisher](https://github.com/alexjfisher))
+- remove ruby 1.9.3 support [\#35](https://github.com/voxpupuli/puppet-posix_acl/pull/35) ([dobbymoodge](https://github.com/dobbymoodge))
+
+## [0.0.5](https://github.com/voxpupuli/puppet-posix_acl/tree/0.0.5) (2017-12-12)
+
+[Full Changelog](https://github.com/voxpupuli/puppet-posix_acl/compare/0.0.4...0.0.5)
+
+## [0.0.4](https://github.com/voxpupuli/puppet-posix_acl/tree/0.0.4) (2017-12-12)
+
+[Full Changelog](https://github.com/voxpupuli/puppet-posix_acl/compare/0.0.3...0.0.4)
+
+**Fixed bugs:**
+
+- module name conflict [\#26](https://github.com/voxpupuli/puppet-posix_acl/issues/26)
+
+**Closed issues:**
+
+- Race condition with non existing file and recursemode =\> deep [\#22](https://github.com/voxpupuli/puppet-posix_acl/issues/22)
+- Publish to the forge [\#21](https://github.com/voxpupuli/puppet-posix_acl/issues/21)
+
+**Merged pull requests:**
+
+- Time to deprecate Ruby 1.8.7 support [\#31](https://github.com/voxpupuli/puppet-posix_acl/pull/31) ([dobbymoodge](https://github.com/dobbymoodge))
+- Fixes ACL's with spaces [\#30](https://github.com/voxpupuli/puppet-posix_acl/pull/30) ([i1tech](https://github.com/i1tech))
+- fix another Ruby error when the file doesn't exist yet [\#28](https://github.com/voxpupuli/puppet-posix_acl/pull/28) ([tequeter](https://github.com/tequeter))
+- use inspect instead of join to stringify arrays [\#27](https://github.com/voxpupuli/puppet-posix_acl/pull/27) ([tequeter](https://github.com/tequeter))
+- Do not downcase acl group/user names when checking for insync?. [\#25](https://github.com/voxpupuli/puppet-posix_acl/pull/25) ([tdevelioglu](https://github.com/tdevelioglu))
+- Check if a path exists before calling getfacl [\#23](https://github.com/voxpupuli/puppet-posix_acl/pull/23) ([roidelapluie](https://github.com/roidelapluie))
+
+## [0.0.3](https://github.com/voxpupuli/puppet-posix_acl/tree/0.0.3) (2016-01-13)
+
+[Full Changelog](https://github.com/voxpupuli/puppet-posix_acl/compare/650e19723054c74baa662d3f1589398550524b33...0.0.3)
+
+**Closed issues:**
+
+- Accept short acls. [\#4](https://github.com/voxpupuli/puppet-posix_acl/issues/4)
+
+**Merged pull requests:**
+
+- Switch from Modulefile to metadata.json [\#20](https://github.com/voxpupuli/puppet-posix_acl/pull/20) ([roidelapluie](https://github.com/roidelapluie))
+- Fix defaults: behaviour [\#19](https://github.com/voxpupuli/puppet-posix_acl/pull/19) ([roidelapluie](https://github.com/roidelapluie))
+- Add autorequire on parent ACL [\#18](https://github.com/voxpupuli/puppet-posix_acl/pull/18) ([roidelapluie](https://github.com/roidelapluie))
+- Fix ruby 1.8.7 quirks [\#17](https://github.com/voxpupuli/puppet-posix_acl/pull/17) ([dobbymoodge](https://github.com/dobbymoodge))
+- Better support for 'deep' recursive acls [\#15](https://github.com/voxpupuli/puppet-posix_acl/pull/15) ([roidelapluie](https://github.com/roidelapluie))
+- Adds space around operators in ternary expressions [\#14](https://github.com/voxpupuli/puppet-posix_acl/pull/14) ([dobbymoodge](https://github.com/dobbymoodge))
+- Add recursemode parameter to apply ACLs recursively [\#13](https://github.com/voxpupuli/puppet-posix_acl/pull/13) ([dobbymoodge](https://github.com/dobbymoodge))
+- Add the Puppetlabs Skeleton for testing [\#11](https://github.com/voxpupuli/puppet-posix_acl/pull/11) ([roidelapluie](https://github.com/roidelapluie))
+- Drop duplicate ACL's. [\#10](https://github.com/voxpupuli/puppet-posix_acl/pull/10) ([kevincox](https://github.com/kevincox))
+- Update sync [\#7](https://github.com/voxpupuli/puppet-posix_acl/pull/7) ([mwoodson](https://github.com/mwoodson))
+- Normalize ACL's. [\#5](https://github.com/voxpupuli/puppet-posix_acl/pull/5) ([kevincox](https://github.com/kevincox))
+- Make posixacl the default for the redhat family [\#3](https://github.com/voxpupuli/puppet-posix_acl/pull/3) ([nhemingway](https://github.com/nhemingway))
+- Add a acl::requirements class [\#2](https://github.com/voxpupuli/puppet-posix_acl/pull/2) ([duritong](https://github.com/duritong))
+- Fix typo and make Modulefile validate by puppet module tool [\#1](https://github.com/voxpupuli/puppet-posix_acl/pull/1) ([carlossg](https://github.com/carlossg))
+
+
+
+\* *This Changelog was automatically generated by [github_changelog_generator](https://github.com/github-changelog-generator/github-changelog-generator)*
diff --git a/3rdparty/modules/posix_acl/CONTRIBUTING.md b/3rdparty/modules/posix_acl/CONTRIBUTING.md
new file mode 100644 (file)
index 0000000..bfeaa70
--- /dev/null
@@ -0,0 +1,220 @@
+Checklist (and a short version for the impatient)
+=================================================
+
+  * Commits:
+
+    - Make commits of logical units.
+
+    - Check for unnecessary whitespace with "git diff --check" before
+      committing.
+
+    - Commit using Unix line endings (check the settings around "crlf" in
+      git-config(1)).
+
+    - Do not check in commented out code or unneeded files.
+
+    - The first line of the commit message should be a short
+      description (50 characters is the soft limit, excluding ticket
+      number(s)), and should skip the full stop.
+
+    - Associate the issue in the message. The first line should include
+      the issue number in the form "(#XXXX) Rest of message".
+
+    - The body should provide a meaningful commit message, which:
+
+      - uses the imperative, present tense: "change", not "changed" or
+        "changes".
+
+      - includes motivation for the change, and contrasts its
+        implementation with the previous behavior.
+
+    - Make sure that you have tests for the bug you are fixing, or
+      feature you are adding.
+
+    - Make sure the test suites passes after your commit:
+      `bundle exec rspec spec/acceptance` More information on [testing](#Testing) below
+
+    - When introducing a new feature, make sure it is properly
+      documented in the README.md
+
+  * Submission:
+
+    * Pre-requisites:
+
+      - Make sure you have a [GitHub account](https://github.com/join)
+
+      - [Create a ticket](https://tickets.puppetlabs.com/secure/CreateIssue!default.jspa), or [watch the ticket](https://tickets.puppetlabs.com/browse/) you are patching for.
+
+    * Preferred method:
+
+      - Fork the repository on GitHub.
+
+      - Push your changes to a topic branch in your fork of the
+        repository. (the format ticket/1234-short_description_of_change is
+        usually preferred for this project).
+
+      - Submit a pull request to the repository in the puppetlabs
+        organization.
+
+The long version
+================
+
+  1.  Make separate commits for logically separate changes.
+
+      Please break your commits down into logically consistent units
+      which include new or changed tests relevant to the rest of the
+      change.  The goal of doing this is to make the diff easier to
+      read for whoever is reviewing your code.  In general, the easier
+      your diff is to read, the more likely someone will be happy to
+      review it and get it into the code base.
+
+      If you are going to refactor a piece of code, please do so as a
+      separate commit from your feature or bug fix changes.
+
+      We also really appreciate changes that include tests to make
+      sure the bug is not re-introduced, and that the feature is not
+      accidentally broken.
+
+      Describe the technical detail of the change(s).  If your
+      description starts to get too long, that is a good sign that you
+      probably need to split up your commit into more finely grained
+      pieces.
+
+      Commits which plainly describe the things which help
+      reviewers check the patch and future developers understand the
+      code are much more likely to be merged in with a minimum of
+      bike-shedding or requested changes.  Ideally, the commit message
+      would include information, and be in a form suitable for
+      inclusion in the release notes for the version of Puppet that
+      includes them.
+
+      Please also check that you are not introducing any trailing
+      whitespace or other "whitespace errors".  You can do this by
+      running "git diff --check" on your changes before you commit.
+
+  2.  Sending your patches
+
+      To submit your changes via a GitHub pull request, we _highly_
+      recommend that you have them on a topic branch, instead of
+      directly on "master".
+      It makes things much easier to keep track of, especially if
+      you decide to work on another thing before your first change
+      is merged in.
+
+      GitHub has some pretty good
+      [general documentation](http://help.github.com/) on using
+      their site.  They also have documentation on
+      [creating pull requests](http://help.github.com/send-pull-requests/).
+
+      In general, after pushing your topic branch up to your
+      repository on GitHub, you can switch to the branch in the
+      GitHub UI and click "Pull Request" towards the top of the page
+      in order to open a pull request.
+
+
+  3.  Update the related GitHub issue.
+
+      If there is a GitHub issue associated with the change you
+      submitted, then you should update the ticket to include the
+      location of your branch, along with any other commentary you
+      may wish to make.
+
+Testing
+=======
+
+Getting Started
+---------------
+
+Our puppet modules provide [`Gemfile`](./Gemfile)s which can tell a ruby
+package manager such as [bundler](http://bundler.io/) what Ruby packages,
+or Gems, are required to build, develop, and test this software.
+
+Please make sure you have [bundler installed](http://bundler.io/#getting-started)
+on your system, then use it to install all dependencies needed for this project,
+by running
+
+```shell
+% bundle install
+Fetching gem metadata from https://rubygems.org/........
+Fetching gem metadata from https://rubygems.org/..
+Using rake (10.1.0)
+Using builder (3.2.2)
+-- 8><-- many more --><8 --
+Using rspec-system-puppet (2.2.0)
+Using serverspec (0.6.3)
+Using rspec-system-serverspec (1.0.0)
+Using bundler (1.3.5)
+Your bundle is complete!
+Use `bundle show [gemname]` to see where a bundled gem is installed.
+```
+
+NOTE some systems may require you to run this command with sudo.
+
+If you already have those gems installed, make sure they are up-to-date:
+
+```shell
+% bundle update
+```
+
+With all dependencies in place and up-to-date we can now run the tests:
+
+```shell
+% bundle exec rake spec
+```
+
+This will execute all the [rspec tests](http://rspec-puppet.com/) tests
+under [spec/defines](./spec/defines), [spec/classes](./spec/classes),
+and so on. rspec tests may have the same kind of dependencies as the
+module they are testing. While the module defines in its [Modulefile](./Modulefile),
+rspec tests define them in [.fixtures.yml](./fixtures.yml).
+
+Some puppet modules also come with [beaker](https://github.com/puppetlabs/beaker)
+tests. These tests spin up a virtual machine under
+[VirtualBox](https://www.virtualbox.org/)) with, controlling it with
+[Vagrant](http://www.vagrantup.com/) to actually simulate scripted test
+scenarios. In order to run these, you will need both of those tools
+installed on your system.
+
+You can run them by issuing the following command
+
+```shell
+% bundle exec rake spec_clean
+% bundle exec rspec spec/acceptance
+```
+
+This will now download a pre-fabricated image configured in the [default node-set](./spec/acceptance/nodesets/default.yml),
+install puppet, copy this module and install its dependencies per [spec/spec_helper_acceptance.rb](./spec/spec_helper_acceptance.rb)
+and then run all the tests under [spec/acceptance](./spec/acceptance).
+
+Writing Tests
+-------------
+
+XXX getting started writing tests.
+
+If you have commit access to the repository
+===========================================
+
+Even if you have commit access to the repository, you will still need to
+go through the process above, and have someone else review and merge
+in your changes.  The rule is that all changes must be reviewed by a
+developer on the project (that did not write the code) to ensure that
+all changes go through a code review process.
+
+Having someone other than the author of the topic branch recorded as
+performing the merge is the record that they performed the code
+review.
+
+
+Additional Resources
+====================
+
+* [Getting additional help](http://puppetlabs.com/community/get-help)
+
+* [Writing tests](http://projects.puppetlabs.com/projects/puppet/wiki/Development_Writing_Tests)
+
+* [Patchwork](https://patchwork.puppetlabs.com)
+
+* [General GitHub documentation](http://help.github.com/)
+
+* [GitHub pull request documentation](http://help.github.com/send-pull-requests/)
+
diff --git a/3rdparty/modules/posix_acl/Gemfile b/3rdparty/modules/posix_acl/Gemfile
new file mode 100644 (file)
index 0000000..7ed69d4
--- /dev/null
@@ -0,0 +1,82 @@
+source ENV['GEM_SOURCE'] || "https://rubygems.org"
+
+def location_for(place, fake_version = nil)
+  if place =~ /^(git[:@][^#]*)#(.*)/
+    [fake_version, { :git => $1, :branch => $2, :require => false }].compact
+  elsif place =~ /^file:\/\/(.*)/
+    ['>= 0', { :path => File.expand_path($1), :require => false }]
+  else
+    [place, { :require => false }]
+  end
+end
+
+group :test do
+  gem 'puppetlabs_spec_helper', '>= 2.11.0',                        :require => false
+  gem 'rspec-puppet-facts', '>= 1.8.0',                             :require => false
+  gem 'rspec-puppet-utils',                                         :require => false
+  gem 'puppet-lint-leading_zero-check',                             :require => false
+  gem 'puppet-lint-trailing_comma-check',                           :require => false
+  gem 'puppet-lint-version_comparison-check',                       :require => false
+  gem 'puppet-lint-classes_and_types_beginning_with_digits-check',  :require => false
+  gem 'puppet-lint-unquoted_string-check',                          :require => false
+  gem 'puppet-lint-variable_contains_upcase',                       :require => false
+  gem 'metadata-json-lint',                                         :require => false
+  gem 'redcarpet',                                                  :require => false
+  gem 'rubocop', '~> 0.49.1',                                       :require => false if RUBY_VERSION >= '2.3.0'
+  gem 'rubocop-rspec', '~> 1.15.0',                                 :require => false if RUBY_VERSION >= '2.3.0'
+  gem 'mocha', '~> 1.4.0',                                          :require => false
+  gem 'coveralls',                                                  :require => false
+  gem 'simplecov-console',                                          :require => false
+  gem 'rack', '~> 1.0',                                             :require => false if RUBY_VERSION < '2.2.2'
+  gem 'parallel_tests',                                             :require => false
+end
+
+group :development do
+  gem 'travis',                   :require => false
+  gem 'travis-lint',              :require => false
+  gem 'guard-rake',               :require => false
+  gem 'overcommit', '>= 0.39.1',  :require => false
+end
+
+group :system_tests do
+  gem 'winrm',                              :require => false
+  if beaker_version = ENV['BEAKER_VERSION']
+    gem 'beaker', *location_for(beaker_version)
+  else
+    gem 'beaker', '>= 3.9.0', :require => false
+  end
+  if beaker_rspec_version = ENV['BEAKER_RSPEC_VERSION']
+    gem 'beaker-rspec', *location_for(beaker_rspec_version)
+  else
+    gem 'beaker-rspec',  :require => false
+  end
+  gem 'serverspec',                         :require => false
+  gem 'beaker-hostgenerator', '>= 1.1.10',  :require => false
+  gem 'beaker-docker',                      :require => false
+  gem 'beaker-puppet',                      :require => false
+  gem 'beaker-puppet_install_helper',       :require => false
+  gem 'beaker-module_install_helper',       :require => false
+  gem 'rbnacl', '>= 4',                     :require => false if RUBY_VERSION >= '2.2.6'
+  gem 'rbnacl-libsodium',                   :require => false if RUBY_VERSION >= '2.2.6'
+  gem 'bcrypt_pbkdf',                       :require => false
+end
+
+group :release do
+  gem 'github_changelog_generator',  :require => false, :git => 'https://github.com/github-changelog-generator/github-changelog-generator' if RUBY_VERSION >= '2.2.2'
+  gem 'puppet-blacksmith',           :require => false
+  gem 'voxpupuli-release',           :require => false, :git => 'https://github.com/voxpupuli/voxpupuli-release-gem'
+  gem 'puppet-strings', '>= 1.0',    :require => false
+end
+
+
+
+if facterversion = ENV['FACTER_GEM_VERSION']
+  gem 'facter', facterversion.to_s, :require => false, :groups => [:test]
+else
+  gem 'facter', :require => false, :groups => [:test]
+end
+
+ENV['PUPPET_VERSION'].nil? ? puppetversion = '~> 5.0' : puppetversion = ENV['PUPPET_VERSION'].to_s
+gem 'puppet', puppetversion, :require => false, :groups => [:test]
+
+# vim: syntax=ruby
diff --git a/3rdparty/modules/posix_acl/LICENSE b/3rdparty/modules/posix_acl/LICENSE
new file mode 100644 (file)
index 0000000..d645695
--- /dev/null
@@ -0,0 +1,202 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
diff --git a/3rdparty/modules/posix_acl/README.org b/3rdparty/modules/posix_acl/README.org
new file mode 100644 (file)
index 0000000..de48263
--- /dev/null
@@ -0,0 +1,174 @@
+#+TITLE: Acl module for Puppet
+
+* Description
+This plugin module provides a way to set POSIX 1.e (and other standards) file ACLs via Puppet.
+
+* Usage:
+  - the =posix_acl= resource =title= is used as the path specifier.
+  - ACLs are specified in the =permission= property as an array of strings in the same format as is used for =setfacl=.
+  - the =action= parameter can be one of =set=, =exact=, =unset= or =purge=. These are described in detail below.
+  - the =provider= parameter allows a choice of filesystem ACL provider. Currently only POSIX 1.e is implemented.
+  - the =recursive= parameter allows you to apply the ACLs to all files under the specified path.
+
+    : posix_acl { "/var/log/httpd":
+    :     action     => set,
+    :     permission => [
+    :                    "user::rwx",
+    :                    "group::---",
+    :                    "mask::r-x",
+    :                    "other::---",
+    :                    "group:logview:r-x",
+    :                    "default:user::rwx",
+    :                    "default:group::---",
+    :                    "default:mask::rwx",
+    :                    "default:other::---",
+    :                    "default:group:logview:r-x",
+    :                    ],
+    :     provider   => posixacl,
+    :     require    => [
+    :                    Group["logview"],
+    :                    Package["httpd"],
+    :                    Mount["/var"],
+    :                    ],
+    :     recursive  => false,
+    : }
+
+** Using action => set:
+The =set= option for the =action= parameter allows you to specify a minimal set of ACLs which will be guaranteed by Puppet. ACLs applied to the path which do not match those specified in the =permission= property will remain unchanged.
+*** Initial permissions:
+    : # file /var/www/site1
+    : user::rwx
+    : group::r-x
+    : other::r-x
+    : mask::rwx
+    : group:webadmin:r-x
+    : group:httpadmin:rwx
+*** Specified acls:
+    : permission  => [
+    :   'user::rwx',
+    :   'group::r-x',
+    :   'other::r-x',
+    :   'mask::rwx',
+    :   'group:webadmin:rwx',
+    :   'user:apache:rwx',
+    : ],
+*** Updated permissions:
+    : # file /var/www/site1
+    : user::rwx
+    : group::r-x
+    : other::r-x
+    : mask::rwx
+    : user:apache:rwx
+    : group:webadmin:rwx
+    : group:httpadmin:rwx
+** Using action => exact:
+The =exact= option for the =action= parameter will specify the exact set of ACLs guaranteed and enforced by Puppet. ACLs applied to the path which do not match those specified in the =permission= property will be removed.
+*** Initial permissions:
+    : # file /var/www/site1
+    : user::rwx
+    : group::r-x
+    : other::r-x
+    : mask::rwx
+    : group:webadmin:r-x
+    : group:httpadmin:rwx
+*** Specified acls:
+    : permission  => [
+    :   'user::rwx',
+    :   'group::r-x',
+    :   'other::r-x',
+    :   'mask::rwx',
+    :   'group:webadmin:r--',
+    :   'user:apache:rwx',
+    : ],
+*** Updated permissions:
+    - group:httpadmin permission is removed
+    - user:apache permission is added
+    - group:webadmin permission is updated
+    : # file /var/www/site1
+    : user::rwx
+    : group::r-x
+    : other::r-x
+    : mask::rwx
+    : group:webadmin:r--
+    : user:apache:rwx
+** Using action => unset:
+The =unset= option for the =action= parameter will specify the set of ACLs guaranteed by Puppet to NOT be applied to the path. ACLs applied to the path which match those specified in the =permission= property will be removed. ACLs applied to the path which do not match those specified in the =permission= property will remain unchanged.
+*** Initial permissions:
+    : # file /var/www/site1
+    : user::rwx
+    : group::r-x
+    : other::r-x
+    : mask::rwx
+    : group:webadmin:r-x
+    : group:httpadmin:rwx
+*** Specified acls:
+    : permission  => [
+    :   'user::rwx',
+    :   'group::r-x',
+    :   'other::r-x',
+    :   'mask::rwx',
+    :   'group:webadmin:r--',
+    :   'user:apache:rwx',
+    : ],
+*** Updated permissions:
+    : # file /var/www/site1
+    : user::rwx
+    : group::r-x
+    : other::r-x
+    : mask::rwx
+    : group:httpadmin:rwx
+** Using action => purge:
+The =purge= option for the =action= parameter will cause Puppet to remove any file ACLs applied to the path.
+
+NOTE: Although the =permission= property is unused for this action, it needs to have a valid ACL value for the action to work. This is a known issue. 
+*** Initial permissions:
+    : # file /var/www/site1
+    : user::rwx
+    : group::r-x
+    : other::r-x
+    : mask::rwx
+    : group:webadmin:r-x
+    : group:httpadmin:rwx
+*** Specified acls:
+See above
+    : permission  => [
+    :   'user::rwx',
+    :   'group::r-x',
+    :   'other::r-x',
+    :   'mask::rwx',
+    :   'group:webadmin:r--',
+    :   'user:apache:rwx',
+    : ],
+*** Updated permissions:
+    - All file ACLs are removed
+    : # file /var/www/site1
+    : user::rwx
+    : group::r-x
+    : other::r-x
+
+* Notes:
+** Conflicts with "file" resource type:
+If the path being modified is managed via the =File= resource type, the path's mode bits must match the value specified in the =permission= property of the ACL
+** Mask check:
+The ACL setter doesn't recalculate the rights mask based on the user/group ACLs specified, so it is possible to specify ACLs on a file for which a more restrictive set of rights is enforced, known as "effective rights". For example, with these =permission= parameters on a file =test=:
+    : permission  => [
+    :   'user::rw-',
+    :   'group::---',
+    :   'mask::r--',
+    :   'other::---',
+    :   'user:apache:rwx',
+    :   'group:root:r-x',
+    :   'group:admin:rwx',
+    : ],
+
+The output of =getfacl test= reveals a more restrictive set of effective rights, which might not be what was expected:
+    : # file: test
+    : # owner: root
+    : # group: root
+    : user::rw-
+    : group::---
+    : other::---
+    : mask::r--
+    : user:apache:rwx                 #effective:r--
+    : group:root:r-x                  #effective:r--
+    : group:admin:rwx                 #effective:r--
diff --git a/3rdparty/modules/posix_acl/Rakefile b/3rdparty/modules/posix_acl/Rakefile
new file mode 100644 (file)
index 0000000..279580a
--- /dev/null
@@ -0,0 +1,92 @@
+require 'puppetlabs_spec_helper/rake_tasks'
+
+# load optional tasks for releases
+# only available if gem group releases is installed
+begin
+  require 'puppet_blacksmith/rake_tasks'
+  require 'voxpupuli/release/rake_tasks'
+  require 'puppet-strings/tasks'
+rescue LoadError
+end
+
+PuppetLint.configuration.log_format = '%{path}:%{line}:%{check}:%{KIND}:%{message}'
+PuppetLint.configuration.fail_on_warnings = true
+PuppetLint.configuration.send('relative')
+PuppetLint.configuration.send('disable_140chars')
+PuppetLint.configuration.send('disable_class_inherits_from_params_class')
+PuppetLint.configuration.send('disable_documentation')
+PuppetLint.configuration.send('disable_single_quote_string_with_variables')
+
+exclude_paths = %w(
+  pkg/**/*
+  vendor/**/*
+  .vendor/**/*
+  spec/**/*
+)
+PuppetLint.configuration.ignore_paths = exclude_paths
+PuppetSyntax.exclude_paths = exclude_paths
+
+desc 'Auto-correct puppet-lint offenses'
+task 'lint:auto_correct' do
+  PuppetLint.configuration.fix = true
+  Rake::Task[:lint].invoke
+end
+
+desc 'Run acceptance tests'
+RSpec::Core::RakeTask.new(:acceptance) do |t|
+  t.pattern = 'spec/acceptance'
+end
+
+desc 'Run tests metadata_lint, release_checks'
+task test: [
+  :metadata_lint,
+  :release_checks,
+]
+
+desc "Run main 'test' task and report merged results to coveralls"
+task test_with_coveralls: [:test] do
+  if Dir.exist?(File.expand_path('../lib', __FILE__))
+    require 'coveralls/rake/task'
+    Coveralls::RakeTask.new
+    Rake::Task['coveralls:push'].invoke
+  else
+    puts 'Skipping reporting to coveralls.  Module has no lib dir'
+  end
+end
+
+desc "Print supported beaker sets"
+task 'beaker_sets', [:directory] do |t, args|
+  directory = args[:directory]
+
+  metadata = JSON.load(File.read('metadata.json'))
+
+  (metadata['operatingsystem_support'] || []).each do |os|
+    (os['operatingsystemrelease'] || []).each do |release|
+      if directory
+        beaker_set = "#{directory}/#{os['operatingsystem'].downcase}-#{release}"
+      else
+        beaker_set = "#{os['operatingsystem'].downcase}-#{release}-x64"
+      end
+
+      filename = "spec/acceptance/nodesets/#{beaker_set}.yml"
+
+      puts beaker_set if File.exists? filename
+    end
+  end
+end
+
+begin
+  require 'github_changelog_generator/task'
+  GitHubChangelogGenerator::RakeTask.new :changelog do |config|
+    version = (Blacksmith::Modulefile.new).version
+    config.future_release = "v#{version}" if version =~ /^\d+\.\d+.\d+$/
+    config.header = "# Changelog\n\nAll notable changes to this project will be documented in this file.\nEach new release typically also includes the latest modulesync defaults.\nThese should not affect the functionality of the module."
+    config.exclude_labels = %w{duplicate question invalid wontfix wont-fix modulesync skip-changelog}
+    config.user = 'voxpupuli'
+    metadata_json = File.join(File.dirname(__FILE__), 'metadata.json')
+    metadata = JSON.load(File.read(metadata_json))
+    config.project = metadata['name']
+  end
+rescue LoadError
+end
+# vim: syntax=ruby
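Review bot: Both the `beaker_sets` task and the changelog block read `metadata.json` through `JSON.load(File.read(...))`, which is the json library's permissive loader intended for trusted input. For a plain data file the stricter call is `JSON.parse(File.read('metadata.json'))`. In `beaker_sets`, `File.exists?` is the deprecated alias that was removed in Ruby 3.2, so `puts beaker_set if File.exist?(filename)` keeps the task working on current interpreters. The release check `/^\d+\.\d+.\d+$/` leaves its second dot unescaped and uses line anchors; `/\A\d+\.\d+\.\d+\z/` matches only a full three-part version.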
diff --git a/3rdparty/modules/posix_acl/checksums.json b/3rdparty/modules/posix_acl/checksums.json
new file mode 100644 (file)
index 0000000..14780a6
--- /dev/null
@@ -0,0 +1,42 @@
+{
+  "CHANGELOG.md": "a9773633c6662eb81dc1746eab49dc25",
+  "CONTRIBUTING.md": "ad65d271f183b5adb9fdd58207939f5f",
+  "Gemfile": "cdd43fe4fc5ef35ddc132407551180b2",
+  "LICENSE": "3b83ef96387f14655fc854ddc3c6bd57",
+  "README.org": "64db9bd628c28fe105bc2be006b5fd17",
+  "Rakefile": "3c6f218e7e63e1a6e24251f365423e49",
+  "lib/puppet/provider/posix_acl/genericacl.rb": "4f0869eb98de0f3c8d1d7bd57d27ba96",
+  "lib/puppet/provider/posix_acl/posixacl.rb": "de6392553292e752fee9426e83a33e66",
+  "lib/puppet/type/posix_acl.rb": "2d5efc0bf8039f81eb28745b561dd1f6",
+  "manifests/requirements.pp": "899a1e79ead355c8f98aad3520e80d39",
+  "metadata.json": "4f219497dd99654406b0c37e31f8d31f",
+  "spec/acceptance/nodesets/archlinux-2-x64.yml": "daafcfcb4c8c8766856f52cec6ae5e86",
+  "spec/acceptance/nodesets/centos-511-x64.yml": "ca8258bc835dd985a1754689d124cd66",
+  "spec/acceptance/nodesets/centos-59-x64.yml": "57eb3e471b9042a8ea40978c467f8151",
+  "spec/acceptance/nodesets/centos-6-x64.yml": "58065782a8d40780d9728257a23504cd",
+  "spec/acceptance/nodesets/centos-64-x64-pe.yml": "ec075d95760df3d4702abea1ce0a829b",
+  "spec/acceptance/nodesets/centos-65-x64.yml": "3e5c36e6aa5a690229e720f4048bb8af",
+  "spec/acceptance/nodesets/centos-66-x64-pe.yml": "e68e03dc562bf58f7c5bba54a1a34619",
+  "spec/acceptance/nodesets/centos-7-x64.yml": "68d3556f670b8ac0a169a8270ff8c37a",
+  "spec/acceptance/nodesets/debian-78-x64.yml": "56af2760a64c13a0bccd59404435939c",
+  "spec/acceptance/nodesets/debian-82-x64.yml": "26f2f696e6073549fe0a844f9a46f85b",
+  "spec/acceptance/nodesets/ec2/amazonlinux-2016091.yml": "b3dc2d81918fcc6d56855c88ba5b7ce8",
+  "spec/acceptance/nodesets/ec2/image_templates.yaml": "516f9c4c3407993a100090ce9e1a643c",
+  "spec/acceptance/nodesets/ec2/rhel-73-x64.yml": "e74670a1cb8eea32afc879a5d786f9bd",
+  "spec/acceptance/nodesets/ec2/sles-12sp2-x64.yml": "2506efcc9fb420132edc37bf88d6e21d",
+  "spec/acceptance/nodesets/ec2/ubuntu-1604-x64.yml": "87efd97ff1b073c3448f429a8ffc5a7c",
+  "spec/acceptance/nodesets/ec2/windows-2016-base-x64.yml": "e9db4dd16c60c52b433694130c2583a0",
+  "spec/acceptance/nodesets/fedora-25-x64.yml": "807fbf45f95fc7bc2af8c689d34e4160",
+  "spec/acceptance/nodesets/fedora-26-x64.yml": "e7ee1e18590548ff098192c2127c6697",
+  "spec/acceptance/nodesets/fedora-27-x64.yml": "326a10c4eb327ccd85775dfa0f76e5c1",
+  "spec/acceptance/nodesets/ubuntu-server-10044-x64.yml": "75e86400b7889888dc0781c0ae1a1297",
+  "spec/acceptance/nodesets/ubuntu-server-1204-x64.yml": "0dd7639bf95bfb18169ebba9a2bac163",
+  "spec/acceptance/nodesets/ubuntu-server-12042-x64.yml": "d30d73e34cd50b043c7d14e305955269",
+  "spec/acceptance/nodesets/ubuntu-server-1404-x64.yml": "7455367b784060b921360b29a56cd74c",
+  "spec/acceptance/nodesets/ubuntu-server-1604-x64.yml": "37673118cc3bf052755d65fb5dd90226",
+  "spec/default_facts.yml": "11504073ebebb30015eb85ff9805f2d9",
+  "spec/spec.opts": "a600ded995d948e393fbe2320ba8e51c",
+  "spec/spec_helper.rb": "2e78c273353985a5b95d70b47019a344",
+  "spec/unit/puppet/provider/posixacl_spec.rb": "9715390fbd16bd566ea0784a1739facc",
+  "spec/unit/puppet/type/acl_spec.rb": "e349f44546d03614e01bbc08a943778c"
+}
\ No newline at end of file
diff --git a/3rdparty/modules/posix_acl/lib/puppet/provider/posix_acl/genericacl.rb b/3rdparty/modules/posix_acl/lib/puppet/provider/posix_acl/genericacl.rb
new file mode 100644 (file)
index 0000000..3acf1a5
--- /dev/null
@@ -0,0 +1,2 @@
+Puppet::Type.type(:posix_acl).provide(:genericacl, parent: Puppet::Provider) do
+end
diff --git a/3rdparty/modules/posix_acl/lib/puppet/provider/posix_acl/posixacl.rb b/3rdparty/modules/posix_acl/lib/puppet/provider/posix_acl/posixacl.rb
new file mode 100644 (file)
index 0000000..a534db5
--- /dev/null
@@ -0,0 +1,109 @@
+Puppet::Type.type(:posix_acl).provide(:posixacl, parent: Puppet::Provider) do
+  desc 'Provide posix 1e acl functions using posix getfacl/setfacl commands'
+
+  commands setfacl: '/usr/bin/setfacl'
+  commands getfacl: '/usr/bin/getfacl'
+
+  confine feature: :posix
+  defaultfor operatingsystem: [:debian, :ubuntu, :redhat, :centos, :fedora, :sles]
+
+  def exists?
+    permission
+  end
+
+  def unset_perm(perm, path)
+    # Don't try to unset mode bits, it doesn't make sense!
+    return if perm =~ %r{^(((u(ser)?)|(g(roup)?)|(m(ask)?)|(o(ther)?)):):}
+
+    perm = perm.split(':')[0..-2].join(':')
+    if check_recursive
+      setfacl('-R', '-n', '-x', perm, path)
+    else
+      setfacl('-n', '-x', perm, path)
+    end
+  end
+
+  def set_perm(perm, path)
+    if check_recursive
+      setfacl('-R', '-n', '-m', perm, path)
+    else
+      setfacl('-n', '-m', perm, path)
+    end
+  end
+
+  def unset
+    @resource.value(:permission).each do |perm|
+      unset_perm(perm, @resource.value(:path))
+    end
+  end
+
+  def purge
+    if check_recursive
+      setfacl('-R', '-b', @resource.value(:path))
+    else
+      setfacl('-b', @resource.value(:path))
+    end
+  end
+
+  def permission
+    return [] unless File.exist?(@resource.value(:path))
+    value = []
+    # String#lines would be nice, but we need to support Ruby 1.8.5
+    getfacl('--absolute-names', '--no-effective', @resource.value(:path)).split("\n").each do |line|
+      # Strip comments and blank lines
+      value << line.gsub('\040', ' ') if line !~ %r{^#} && line != ''
+    end
+    value.sort
+  end
+
+  def check_recursive
+    # Changed functionality to return boolean true or false
+    @resource.value(:recursive) == :true && resource.value(:recursemode) == :lazy
+  end
+
+  def check_exact
+    @resource.value(:action) == :exact
+  end
+
+  def check_unset
+    @resource.value(:action) == :unset
+  end
+
+  def check_purge
+    @resource.value(:action) == :purge
+  end
+
+  def check_set
+    @resource.value(:action) == :set
+  end
+
+  def permission=(_value) # TODO: Investigate why we're not using this parameter
+    Puppet.debug @resource.value(:action)
+    case @resource.value(:action)
+    when :unset
+      unset
+    when :purge
+      purge
+    when :exact, :set
+      cur_perm = permission
+      perm_to_set = @resource.value(:permission) - cur_perm
+      perm_to_unset = cur_perm - @resource.value(:permission)
+      return false if perm_to_set.empty? && perm_to_unset.empty?
+      # Take supplied perms literally, unset any existing perms which
+      # are absent from ACLs given
+      if check_exact
+        perm_to_unset.each do |perm|
+          # Skip base perms in unset step
+          if perm =~ %r{^(((u(ser)?)|(g(roup)?)|(m(ask)?)|(o(ther)?)):):}
+            Puppet.debug "skipping unset of base perm: #{perm}"
+          else
+            unset_perm(perm, @resource.value(:path))
+          end
+        end
+      end
+      perm_to_set.each do |perm|
+        set_perm(perm, @resource.value(:path))
+      end
+    end
+  end
+end
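Review bot: `set_perm`, `unset_perm` and `purge` pass the resource path straight to `setfacl`, and nothing visible in this provider checks whether that path is a symbolic link. `setfacl` follows symlink arguments by default, so if the agent runs with elevated privileges and the managed path sits in a directory that a less-privileged account can write to, the ACL change could land on the link's target instead. Consider adding `'-P'` to the `-R` invocations and skipping or failing when `File.symlink?(path)` is true in the non-recursive branches. At minimum, a comment on `set_perm` such as `# setfacl follows symlinks given as arguments; only manage paths whose parent directories are not user-writable` would record the assumption.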
diff --git a/3rdparty/modules/posix_acl/lib/puppet/type/posix_acl.rb b/3rdparty/modules/posix_acl/lib/puppet/type/posix_acl.rb
new file mode 100644 (file)
index 0000000..1405f26
--- /dev/null
@@ -0,0 +1,279 @@
+require 'set'
+require 'pathname'
+
+Puppet::Type.newtype(:posix_acl) do
+  desc <<-EOT
+     Ensures that a set of ACL permissions are applied to a given file
+     or directory.
+
+      Example:
+
+          posix_acl { '/var/www/html':
+            action      => exact,
+            permission  => [
+              'user::rwx',
+              'group::r-x',
+              'mask::rwx',
+              'other::r--',
+              'default:user::rwx',
+              'default:user:www-data:r-x',
+              'default:group::r-x',
+              'default:mask::rwx',
+              'default:other::r--',
+            ],
+            provider    => posixacl,
+            recursive   => true,
+          }
+
+      In this example, Puppet will ensure that the user and group
+      permissions are set recursively on /var/www/html as well as add
+      default permissions that will apply to new directories and files
+      created under /var/www/html
+
+      Setting an ACL can change a file's mode bits, so if the file is
+      managed by a File resource, that resource needs to set the mode
+      bits according to what the calculated mode bits will be, for
+      example, the File resource for the ACL above should be:
+
+          file { '/var/www/html':
+                 mode => 754,
+               }
+    EOT
+
+  newparam(:action) do
+    desc 'What do we do with this list of ACLs? Options are set, unset, exact, and purge'
+    newvalues(:set, :unset, :exact, :purge)
+    defaultto :set
+  end
+
+  newparam(:path) do
+    desc 'The file or directory to which the ACL applies.'
+    isnamevar
+    validate do |value|
+      path = Pathname.new(value)
+      unless path.absolute?
+        raise ArgumentError, "Path must be absolute: #{path}"
+      end
+    end
+  end
+
+  newparam(:recursemode) do
+    desc "Should Puppet apply the ACL recursively with the -R option or
+      apply it to individual files?
+
+      lazy means -R option
+      deep means apply to every file"
+
+    newvalues(:lazy, :deep)
+    defaultto :lazy
+  end
+
+  # Credits to @itdoesntwork
+  # http://stackoverflow.com/questions/26878341/how-do-i-tell-if-one-path-is-an-ancestor-of-another
+  def self.descendant?(a, b)
+    a_list = File.expand_path(a).split('/')
+    b_list = File.expand_path(b).split('/')
+
+    b_list[0..a_list.size - 1] == a_list && b_list != a_list
+  end
+
+  # Snippet based on upstream Puppet (ASL 2.0)
+  [:posix_acl, :file].each do |autorequire_type|
+    autorequire(autorequire_type) do
+      req = []
+      path = Pathname.new(self[:path])
+      # rubocop:disable Style/MultilineBlockChain
+      if autorequire_type != :posix_acl
+        if self[:recursive] == :true
+          catalog.resources.select do |r|
+            r.is_a?(Puppet::Type.type(autorequire_type)) && self.class.descendant?(self[:path], r[:path])
+          end.each do |found|
+            req << found[:path]
+          end
+        end
+        req << self[:path]
+      end
+      unless path.root?
+        # Start at our parent, to avoid autorequiring ourself
+        parents = path.parent.enum_for(:ascend)
+        # should this be = or == ? I don't know
+        if found = parents.find { |p| catalog.resource(autorequire_type, p.to_s) } # rubocop:disable Lint/AssignmentInCondition
+          req << found.to_s
+        end
+      end
+      req
+    end
+    # rubocop:enable Style/MultilineBlockChain
+  end
+  # End of Snippet
+
+  autorequire(:package) do
+    ['acl']
+  end
+
+  newproperty(:permission, array_matching: :all) do
+    desc 'ACL permission(s).'
+
+    def is_to_s(value) # rubocop:disable Style/PredicateName
+      if value == :absent || value.include?(:absent)
+        super
+      else
+        value.sort.inspect
+      end
+    end
+
+    def should_to_s(value)
+      if value == :absent || value.include?(:absent)
+        super
+      else
+        value.sort.inspect
+      end
+    end
+
+    def retrieve
+      provider.permission
+    end
+
+    # Remove permission bits from an ACL line, eg:
+    # 'user:root:rwx' becomes 'user:root:'
+    def strip_perms(pl)
+      Puppet.debug 'permission.strip_perms'
+      value = []
+      pl.each do |perm|
+        unless perm =~ %r{^(((u(ser)?)|(g(roup)?)|(m(ask)?)|(o(ther)?)):):}
+          perm = perm.split(':', -1)[0..-2].join(':')
+          value << perm
+        end
+      end
+      value.sort
+    end
+
+    # in unset_insync and set_insync the test_should has been added as a work around
+    #  to prevent puppet-posix_acl from interpreting recursive permission notation (e.g. rwX)
+    #  from causing a false mismatch.  A better solution needs to be implemented to
+    #  recursively check permissions, not rely upon getfacl
+    def unset_insync(cur_perm)
+      # Puppet.debug "permission.unset_insync"
+      test_should = []
+      @should.each { |x| test_should << x.downcase }
+      cp = strip_perms(cur_perm)
+      sp = strip_perms(test_should)
+      (sp - cp).sort == sp
+    end
+
+    def set_insync(cur_perm) # rubocop:disable Style/AccessorMethodName
+      should = @should.uniq.sort
+      (cur_perm.sort == should) || (provider.check_set && (should - cur_perm).empty?)
+    end
+
+    def purge_insync(cur_perm)
+      # Puppet.debug "permission.purge_insync"
+      cur_perm.each do |perm|
+        # If anything other than the mode bits are set, we're not in sync
+        return false unless perm =~ %r{^(((u(ser)?)|(g(roup)?)|(o(ther)?)):):}
+      end
+      true
+    end
+
+    def insync?(is)
+      Puppet.debug "permission.insync? is: #{is.inspect} @should: #{@should.inspect}"
+      return purge_insync(is) if provider.check_purge
+      return unset_insync(is) if provider.check_unset
+      set_insync(is)
+    end
+
+    # Munge into normalised form
+    munge do |acl|
+      r = ''
+      a = acl.split ':', -1 # -1 keeps trailing empty fields.
+      raise ArgumentError, "Too few fields.  At least 3 required, got #{a.length}." if a.length < 3
+      raise ArgumentError, "Too many fields.  At most 4 allowed, got #{a.length}."  if a.length > 4
+      if a.length == 4
+        d = a.shift
+        raise ArgumentError, %(First field of 4 must be "d" or "default", got "#{d}".) unless %w[d default].include?(d)
+        r << 'default:'
+      end
+      t = a.shift # Copy the type.
+      r << case t
+           when 'u', 'user'
+             'user:'
+           when 'g', 'group'
+             'group:'
+           when 'o', 'other'
+             'other:'
+           when 'm', 'mask'
+             'mask:'
+           else
+             raise ArgumentError, %(Unknown type "#{t}", expected "user", "group", "other" or "mask".)
+           end
+      r << "#{a.shift}:" # Copy the "who".
+      p = a.shift
+      if p =~ %r{[0-7]}
+        p = p.oct
+        r << (p | 4 ? 'r' : '-')
+        r << (p | 2 ? 'w' : '-')
+        r << (p | 1 ? 'x' : '-')
+      else
+        # Not the most efficient but checks for multiple and invalid chars.
+        s = p.tr '-', ''
+        r << (s.sub!('r', '') ? 'r' : '-')
+        r << (s.sub!('w', '') ? 'w' : '-')
+        r << (s.sub!('x', '') ? 'x' : '-')
+        raise ArgumentError, %(Invalid permission set "#{p}".) unless s.empty?
+      end
+      r
+    end
+  end
+
+  newparam(:recursive) do
+    desc 'Apply ACLs recursively.'
+    newvalues(:true, :false)
+    defaultto :false
+  end
+
+  def self.pick_default_perms(acl)
+    acl.reject { |a| a.split(':', -1).length == 4 }
+  end
+
+  def newchild(path)
+    options = @original_parameters.merge(name: path).reject { |_param, value| value.nil? }
+    unless File.directory?(options[:name])
+      options[:permission] = self.class.pick_default_perms(options[:permission]) if options.include?(:permission)
+    end
+    [:recursive, :recursemode, :path].each do |param|
+      options.delete(param) if options.include?(param)
+    end
+    self.class.new(options)
+  end
+
+  def generate
+    return [] unless self[:recursive] == :true && self[:recursemode] == :deep
+    results = []
+    paths = Set.new
+    if File.directory?(self[:path])
+      Dir.chdir(self[:path]) do
+        Dir['**/*'].each do |path|
+          paths << ::File.join(self[:path], path)
+        end
+      end
+    end
+    # At the time we generate extra resources, all the files might now be present yet.
+    # In prediction to that we also create ACL resources for child file resources that
+    # might not have been applied yet.
+    catalog.resources.select do |r|
+      r.is_a?(Puppet::Type.type(:file)) && self.class.descendant?(self[:path], r[:path])
+    end.each do |found| # rubocop:disable Style/MultilineBlockChain
+      paths << found[:path]
+    end
+    paths.each do |path|
+      results << newchild(path)
+    end
+    results
+  end
+
+  validate do
+    unless self[:permission]
+      raise(Puppet::Error, 'permission is a required property.')
+    end
+  end
+end
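Review bot: In the numeric branch of the `munge` block, `p | 4 ? 'r' : '-'` and the matching `| 2` and `| 1` lines can never produce `'-'`, because a bitwise OR always sets the tested bit and every Integer is truthy in Ruby. An entry such as `user:apache:4` is therefore normalised to `user:apache:rwx` and grants more access than the manifest asked for. The bits need to be tested with AND, for example `r << ((p & 4).zero? ? '-' : 'r')`, and likewise for 2 and 1. The guard `p =~ %r{[0-7]}` is also unanchored, so any permission string that merely contains a digit takes this branch; `%r{\A[0-7]\z}` limits it to a single octal digit and lets everything else fall through to the character check that raises on invalid input.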
diff --git a/3rdparty/modules/posix_acl/manifests/requirements.pp b/3rdparty/modules/posix_acl/manifests/requirements.pp
new file mode 100644 (file)
index 0000000..b4ad25e
--- /dev/null
@@ -0,0 +1,5 @@
+class posix_acl::requirements {
+  package { 'acl':
+    ensure => 'present',
+  }
+}
diff --git a/3rdparty/modules/posix_acl/metadata.json b/3rdparty/modules/posix_acl/metadata.json
new file mode 100644 (file)
index 0000000..6998bde
--- /dev/null
@@ -0,0 +1,47 @@
+{
+  "name": "puppet-posix_acl",
+  "version": "0.1.1",
+  "author": "Vox Pupuli",
+  "summary": "Puppet ACL Module",
+  "license": "Apache-2.0",
+  "source": "https://github.com/voxpupuli/puppet-posix_acl.git",
+  "project_page": "https://github.com/voxpupuli/puppet-posix_acl",
+  "issues_url": "https://github.com/voxpupuli/puppet-posix_acl/issues",
+  "dependencies": [
+  
+  ],
+  "data_provider": null,
+  "operatingsystem_support": [
+    {
+      "operatingsystem": "RedHat",
+      "operatingsystemrelease": [
+        "7"
+      ]
+    },
+    {
+      "operatingsystem": "CentOS",
+      "operatingsystemrelease": [
+        "7"
+      ]
+    },
+    {
+      "operatingsystem": "OracleLinux",
+      "operatingsystemrelease": [
+        "7"
+      ]
+    },
+    {
+      "operatingsystem": "Scientific",
+      "operatingsystemrelease": [
+        "7"
+      ]
+    }
+  ],
+  "requirements": [
+    {
+      "name": "puppet",
+      "version_requirement": ">= 4.10.0 < 7.0.0"
+    }
+  ],
+  "description": "Manages posix 1e ACLs on files, provides base classes so additional ACL standards can be supported."
+}
diff --git a/3rdparty/modules/posix_acl/spec/acceptance/nodesets/archlinux-2-x64.yml b/3rdparty/modules/posix_acl/spec/acceptance/nodesets/archlinux-2-x64.yml
new file mode 100644 (file)
index 0000000..89b6300
--- /dev/null
@@ -0,0 +1,13 @@
+---
+# This file is managed via modulesync
+# https://github.com/voxpupuli/modulesync
+# https://github.com/voxpupuli/modulesync_config
+HOSTS:
+  archlinux-2-x64:
+    roles:
+      - master
+    platform: archlinux-2-x64
+    box: archlinux/archlinux
+    hypervisor: vagrant
+CONFIG:
+  type: foss
diff --git a/3rdparty/modules/posix_acl/spec/acceptance/nodesets/centos-511-x64.yml b/3rdparty/modules/posix_acl/spec/acceptance/nodesets/centos-511-x64.yml
new file mode 100644 (file)
index 0000000..089d646
--- /dev/null
@@ -0,0 +1,15 @@
+---
+# This file is managed via modulesync
+# https://github.com/voxpupuli/modulesync
+# https://github.com/voxpupuli/modulesync_config
+HOSTS:
+  centos-511-x64:
+    roles:
+      - master
+    platform: el-5-x86_64
+    box: puppetlabs/centos-5.11-64-nocm
+    hypervisor: vagrant
+CONFIG:
+  type: foss
+...
+# vim: syntax=yaml
diff --git a/3rdparty/modules/posix_acl/spec/acceptance/nodesets/centos-59-x64.yml b/3rdparty/modules/posix_acl/spec/acceptance/nodesets/centos-59-x64.yml
new file mode 100644 (file)
index 0000000..2ad90b8
--- /dev/null
@@ -0,0 +1,10 @@
+HOSTS:
+  centos-59-x64:
+    roles:
+      - master
+    platform: el-5-x86_64
+    box : centos-59-x64-vbox4210-nocm
+    box_url : http://puppet-vagrant-boxes.puppetlabs.com/centos-59-x64-vbox4210-nocm.box
+    hypervisor : vagrant
+CONFIG:
+  type: git
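Review bot: The `box_url` in this nodeset points at `http://puppet-vagrant-boxes.puppetlabs.com/...` over plain HTTP, so the VM image an acceptance run boots is fetched without transport integrity, and no checksum is pinned in the file. The same pattern appears in the centos-64-x64-pe.yml, centos-65-x64.yml, ubuntu-server-10044-x64.yml and ubuntu-server-12042-x64.yml hunks. The modulesync-managed nodesets in this commit name a catalogue box instead, e.g. `box: puppetlabs/centos-5.11-64-nocm`. These five files carry no modulesync header and look like leftovers, so they should either follow that form or be dropped from the vendored copy.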
diff --git a/3rdparty/modules/posix_acl/spec/acceptance/nodesets/centos-6-x64.yml b/3rdparty/modules/posix_acl/spec/acceptance/nodesets/centos-6-x64.yml
new file mode 100644 (file)
index 0000000..16abc8f
--- /dev/null
@@ -0,0 +1,15 @@
+---
+# This file is managed via modulesync
+# https://github.com/voxpupuli/modulesync
+# https://github.com/voxpupuli/modulesync_config
+HOSTS:
+  centos-6-x64:
+    roles:
+      - master
+    platform: el-6-x86_64
+    box: centos/6
+    hypervisor: vagrant
+CONFIG:
+  type: aio
+...
+# vim: syntax=yaml
diff --git a/3rdparty/modules/posix_acl/spec/acceptance/nodesets/centos-64-x64-pe.yml b/3rdparty/modules/posix_acl/spec/acceptance/nodesets/centos-64-x64-pe.yml
new file mode 100644 (file)
index 0000000..7d9242f
--- /dev/null
@@ -0,0 +1,12 @@
+HOSTS:
+  centos-64-x64:
+    roles:
+      - master
+      - database
+      - dashboard
+    platform: el-6-x86_64
+    box : centos-64-x64-vbox4210-nocm
+    box_url : http://puppet-vagrant-boxes.puppetlabs.com/centos-64-x64-vbox4210-nocm.box
+    hypervisor : vagrant
+CONFIG:
+  type: pe
diff --git a/3rdparty/modules/posix_acl/spec/acceptance/nodesets/centos-65-x64.yml b/3rdparty/modules/posix_acl/spec/acceptance/nodesets/centos-65-x64.yml
new file mode 100644 (file)
index 0000000..4e2cb80
--- /dev/null
@@ -0,0 +1,10 @@
+HOSTS:
+  centos-65-x64:
+    roles:
+      - master
+    platform: el-6-x86_64
+    box : centos-65-x64-vbox436-nocm
+    box_url : http://puppet-vagrant-boxes.puppetlabs.com/centos-65-x64-virtualbox-nocm.box
+    hypervisor : vagrant
+CONFIG:
+  type: foss
diff --git a/3rdparty/modules/posix_acl/spec/acceptance/nodesets/centos-66-x64-pe.yml b/3rdparty/modules/posix_acl/spec/acceptance/nodesets/centos-66-x64-pe.yml
new file mode 100644 (file)
index 0000000..1e7aea6
--- /dev/null
@@ -0,0 +1,17 @@
+---
+# This file is managed via modulesync
+# https://github.com/voxpupuli/modulesync
+# https://github.com/voxpupuli/modulesync_config
+HOSTS:
+  centos-66-x64:
+    roles:
+      - master
+      - database
+      - dashboard
+    platform: el-6-x86_64
+    box: puppetlabs/centos-6.6-64-puppet-enterprise
+    hypervisor: vagrant
+CONFIG:
+  type: pe
+...
+# vim: syntax=yaml
diff --git a/3rdparty/modules/posix_acl/spec/acceptance/nodesets/centos-7-x64.yml b/3rdparty/modules/posix_acl/spec/acceptance/nodesets/centos-7-x64.yml
new file mode 100644 (file)
index 0000000..e05a3ae
--- /dev/null
@@ -0,0 +1,15 @@
+---
+# This file is managed via modulesync
+# https://github.com/voxpupuli/modulesync
+# https://github.com/voxpupuli/modulesync_config
+HOSTS:
+  centos-7-x64:
+    roles:
+      - master
+    platform: el-7-x86_64
+    box: centos/7
+    hypervisor: vagrant
+CONFIG:
+  type: aio
+...
+# vim: syntax=yaml
diff --git a/3rdparty/modules/posix_acl/spec/acceptance/nodesets/debian-78-x64.yml b/3rdparty/modules/posix_acl/spec/acceptance/nodesets/debian-78-x64.yml
new file mode 100644 (file)
index 0000000..6ef6de8
--- /dev/null
@@ -0,0 +1,15 @@
+---
+# This file is managed via modulesync
+# https://github.com/voxpupuli/modulesync
+# https://github.com/voxpupuli/modulesync_config
+HOSTS:
+  debian-78-x64:
+    roles:
+      - master
+    platform: debian-7-amd64
+    box: puppetlabs/debian-7.8-64-nocm
+    hypervisor: vagrant
+CONFIG:
+  type: foss
+...
+# vim: syntax=yaml
diff --git a/3rdparty/modules/posix_acl/spec/acceptance/nodesets/debian-82-x64.yml b/3rdparty/modules/posix_acl/spec/acceptance/nodesets/debian-82-x64.yml
new file mode 100644 (file)
index 0000000..9897a8f
--- /dev/null
@@ -0,0 +1,15 @@
+---
+# This file is managed via modulesync
+# https://github.com/voxpupuli/modulesync
+# https://github.com/voxpupuli/modulesync_config
+HOSTS:
+  debian-82-x64:
+    roles:
+      - master
+    platform: debian-8-amd64
+    box: puppetlabs/debian-8.2-64-nocm
+    hypervisor: vagrant
+CONFIG:
+  type: foss
+...
+# vim: syntax=yaml
diff --git a/3rdparty/modules/posix_acl/spec/acceptance/nodesets/ec2/amazonlinux-2016091.yml b/3rdparty/modules/posix_acl/spec/acceptance/nodesets/ec2/amazonlinux-2016091.yml
new file mode 100644 (file)
index 0000000..19dd43e
--- /dev/null
@@ -0,0 +1,31 @@
+---
+# This file is managed via modulesync
+# https://github.com/voxpupuli/modulesync
+# https://github.com/voxpupuli/modulesync_config
+#
+# Additional ~/.fog config file with AWS EC2 credentials
+# required.
+#
+# see: https://github.com/puppetlabs/beaker/blob/master/docs/how_to/hypervisors/ec2.md
+#
+# Amazon Linux is not a RHEL clone.
+#
+HOSTS:
+  amazonlinux-2016091-x64:
+    roles:
+      - master
+    platform: centos-6-x86_64
+    hypervisor: ec2
+    # refers to image_tempaltes.yaml AMI[vmname] entry:
+    vmname: amazonlinux-2016091-eu-central-1
+    # refers to image_tempaltes.yaml entry inside AMI[vmname][:image]:
+    snapshot: aio
+    # t2.micro is free tier eligible (https://aws.amazon.com/en/free/):
+    amisize: t2.micro
+    # required so that beaker sanitizes sshd_config and root authorized_keys:
+    user: ec2-user
+CONFIG:
+  type: aio
+  :ec2_yaml: spec/acceptance/nodesets/ec2/image_templates.yaml
+...
+# vim: syntax=yaml
diff --git a/3rdparty/modules/posix_acl/spec/acceptance/nodesets/ec2/image_templates.yaml b/3rdparty/modules/posix_acl/spec/acceptance/nodesets/ec2/image_templates.yaml
new file mode 100644 (file)
index 0000000..e50593e
--- /dev/null
@@ -0,0 +1,34 @@
+# This file is managed via modulesync
+# https://github.com/voxpupuli/modulesync
+# https://github.com/voxpupuli/modulesync_config
+#
+# see also: https://github.com/puppetlabs/beaker/blob/master/docs/how_to/hypervisors/ec2.md
+#
+# Hint: image IDs (ami-*) for the same image are different per location.
+#
+AMI:
+  # Amazon Linux AMI 2016.09.1 (HVM), SSD Volume Type
+  amazonlinux-2016091-eu-central-1:
+    :image:
+      :aio: ami-af0fc0c0
+    :region: eu-central-1
+  # Red Hat Enterprise Linux 7.3 (HVM), SSD Volume Type
+  rhel-73-eu-central-1:
+    :image:
+      :aio: ami-e4c63e8b
+    :region: eu-central-1
+  # SUSE Linux Enterprise Server 12 SP2 (HVM), SSD Volume Type
+  sles-12sp2-eu-central-1:
+    :image:
+      :aio: ami-c425e4ab
+    :region: eu-central-1
+  # Ubuntu Server 16.04 LTS (HVM), SSD Volume Type
+  ubuntu-1604-eu-central-1:
+    :image:
+      :aio: ami-fe408091
+    :region: eu-central-1
+  # Microsoft Windows Server 2016 Base
+  windows-2016-base-eu-central-1:
+    :image:
+      :aio: ami-88ec20e7
+    :region: eu-central-1
diff --git a/3rdparty/modules/posix_acl/spec/acceptance/nodesets/ec2/rhel-73-x64.yml b/3rdparty/modules/posix_acl/spec/acceptance/nodesets/ec2/rhel-73-x64.yml
new file mode 100644 (file)
index 0000000..7fac823
--- /dev/null
@@ -0,0 +1,29 @@
+---
+# This file is managed via modulesync
+# https://github.com/voxpupuli/modulesync
+# https://github.com/voxpupuli/modulesync_config
+#
+# Additional ~/.fog config file with AWS EC2 credentials
+# required.
+#
+# see: https://github.com/puppetlabs/beaker/blob/master/docs/how_to/hypervisors/ec2.md
+#
+HOSTS:
+  rhel-73-x64:
+    roles:
+      - master
+    platform: el-7-x86_64
+    hypervisor: ec2
+    # refers to image_tempaltes.yaml AMI[vmname] entry:
+    vmname: rhel-73-eu-central-1
+    # refers to image_tempaltes.yaml entry inside AMI[vmname][:image]:
+    snapshot: aio
+    # t2.micro is free tier eligible (https://aws.amazon.com/en/free/):
+    amisize: t2.micro
+    # required so that beaker sanitizes sshd_config and root authorized_keys:
+    user: ec2-user
+CONFIG:
+  type: aio
+  :ec2_yaml: spec/acceptance/nodesets/ec2/image_templates.yaml
+...
+# vim: syntax=yaml
diff --git a/3rdparty/modules/posix_acl/spec/acceptance/nodesets/ec2/sles-12sp2-x64.yml b/3rdparty/modules/posix_acl/spec/acceptance/nodesets/ec2/sles-12sp2-x64.yml
new file mode 100644 (file)
index 0000000..8542154
--- /dev/null
@@ -0,0 +1,29 @@
+---
+# This file is managed via modulesync
+# https://github.com/voxpupuli/modulesync
+# https://github.com/voxpupuli/modulesync_config
+#
+# Additional ~/.fog config file with AWS EC2 credentials
+# required.
+#
+# see: https://github.com/puppetlabs/beaker/blob/master/docs/how_to/hypervisors/ec2.md
+#
+HOSTS:
+  sles-12sp2-x64:
+    roles:
+      - master
+    platform: sles-12-x86_64
+    hypervisor: ec2
+    # refers to image_tempaltes.yaml AMI[vmname] entry:
+    vmname: sles-12sp2-eu-central-1
+    # refers to image_tempaltes.yaml entry inside AMI[vmname][:image]:
+    snapshot: aio
+    # t2.micro is free tier eligible (https://aws.amazon.com/en/free/):
+    amisize: t2.micro
+    # required so that beaker sanitizes sshd_config and root authorized_keys:
+    user: ec2-user
+CONFIG:
+  type: aio
+  :ec2_yaml: spec/acceptance/nodesets/ec2/image_templates.yaml
+...
+# vim: syntax=yaml
diff --git a/3rdparty/modules/posix_acl/spec/acceptance/nodesets/ec2/ubuntu-1604-x64.yml b/3rdparty/modules/posix_acl/spec/acceptance/nodesets/ec2/ubuntu-1604-x64.yml
new file mode 100644 (file)
index 0000000..9cf59d5
--- /dev/null
@@ -0,0 +1,29 @@
+---
+# This file is managed via modulesync
+# https://github.com/voxpupuli/modulesync
+# https://github.com/voxpupuli/modulesync_config
+#
+# Additional ~/.fog config file with AWS EC2 credentials
+# required.
+#
+# see: https://github.com/puppetlabs/beaker/blob/master/docs/how_to/hypervisors/ec2.md
+#
+HOSTS:
+  ubuntu-1604-x64:
+    roles:
+      - master
+    platform: ubuntu-16.04-amd64
+    hypervisor: ec2
+    # refers to image_tempaltes.yaml AMI[vmname] entry:
+    vmname: ubuntu-1604-eu-central-1
+    # refers to image_tempaltes.yaml entry inside AMI[vmname][:image]:
+    snapshot: aio
+    # t2.micro is free tier eligible (https://aws.amazon.com/en/free/):
+    amisize: t2.micro
+    # required so that beaker sanitizes sshd_config and root authorized_keys:
+    user: ubuntu
+CONFIG:
+  type: aio
+  :ec2_yaml: spec/acceptance/nodesets/ec2/image_templates.yaml
+...
+# vim: syntax=yaml
diff --git a/3rdparty/modules/posix_acl/spec/acceptance/nodesets/ec2/windows-2016-base-x64.yml b/3rdparty/modules/posix_acl/spec/acceptance/nodesets/ec2/windows-2016-base-x64.yml
new file mode 100644 (file)
index 0000000..0932e29
--- /dev/null
@@ -0,0 +1,29 @@
+---
+# This file is managed via modulesync
+# https://github.com/voxpupuli/modulesync
+# https://github.com/voxpupuli/modulesync_config
+#
+# Additional ~/.fog config file with AWS EC2 credentials
+# required.
+#
+# see: https://github.com/puppetlabs/beaker/blob/master/docs/how_to/hypervisors/ec2.md
+#
+HOSTS:
+  windows-2016-base-x64:
+    roles:
+      - master
+    platform: windows-2016-64
+    hypervisor: ec2
+    # refers to image_tempaltes.yaml AMI[vmname] entry:
+    vmname: windows-2016-base-eu-central-1
+    # refers to image_tempaltes.yaml entry inside AMI[vmname][:image]:
+    snapshot: aio
+    # t2.micro is free tier eligible (https://aws.amazon.com/en/free/):
+    amisize: t2.micro
+    # required so that beaker sanitizes sshd_config and root authorized_keys:
+    user: ec2-user
+CONFIG:
+  type: aio
+  :ec2_yaml: spec/acceptance/nodesets/ec2/image_templates.yaml
+...
+# vim: syntax=yaml
diff --git a/3rdparty/modules/posix_acl/spec/acceptance/nodesets/fedora-25-x64.yml b/3rdparty/modules/posix_acl/spec/acceptance/nodesets/fedora-25-x64.yml
new file mode 100644 (file)
index 0000000..54dd330
--- /dev/null
@@ -0,0 +1,16 @@
+---
+# This file is managed via modulesync
+# https://github.com/voxpupuli/modulesync
+# https://github.com/voxpupuli/modulesync_config
+#
+HOSTS:
+  fedora-25-x64:
+    roles:
+      - master
+    platform: fedora-25-x86_64
+    box: fedora/25-cloud-base
+    hypervisor: vagrant
+CONFIG:
+  type: aio
+...
+# vim: syntax=yaml
diff --git a/3rdparty/modules/posix_acl/spec/acceptance/nodesets/fedora-26-x64.yml b/3rdparty/modules/posix_acl/spec/acceptance/nodesets/fedora-26-x64.yml
new file mode 100644 (file)
index 0000000..598822b
--- /dev/null
@@ -0,0 +1,16 @@
+---
+# This file is managed via modulesync
+# https://github.com/voxpupuli/modulesync
+# https://github.com/voxpupuli/modulesync_config
+#
+HOSTS:
+  fedora-26-x64:
+    roles:
+      - master
+    platform: fedora-26-x86_64
+    box: fedora/26-cloud-base
+    hypervisor: vagrant
+CONFIG:
+  type: aio
+...
+# vim: syntax=yaml
diff --git a/3rdparty/modules/posix_acl/spec/acceptance/nodesets/fedora-27-x64.yml b/3rdparty/modules/posix_acl/spec/acceptance/nodesets/fedora-27-x64.yml
new file mode 100644 (file)
index 0000000..c2b61eb
--- /dev/null
@@ -0,0 +1,18 @@
+---
+# This file is managed via modulesync
+# https://github.com/voxpupuli/modulesync
+# https://github.com/voxpupuli/modulesync_config
+#
+# platform is fedora 26 because there is no puppet-agent
+# for fedora 27 as of 2017-11-17
+HOSTS:
+  fedora-27-x64:
+    roles:
+      - master
+    platform: fedora-26-x86_64
+    box: fedora/27-cloud-base
+    hypervisor: vagrant
+CONFIG:
+  type: aio
+...
+# vim: syntax=yaml
diff --git a/3rdparty/modules/posix_acl/spec/acceptance/nodesets/ubuntu-server-10044-x64.yml b/3rdparty/modules/posix_acl/spec/acceptance/nodesets/ubuntu-server-10044-x64.yml
new file mode 100644 (file)
index 0000000..5ca1514
--- /dev/null
@@ -0,0 +1,10 @@
+HOSTS:
+  ubuntu-server-10044-x64:
+    roles:
+      - master
+    platform: ubuntu-10.04-amd64
+    box : ubuntu-server-10044-x64-vbox4210-nocm
+    box_url : http://puppet-vagrant-boxes.puppetlabs.com/ubuntu-server-10044-x64-vbox4210-nocm.box
+    hypervisor : vagrant
+CONFIG:
+  type: foss
diff --git a/3rdparty/modules/posix_acl/spec/acceptance/nodesets/ubuntu-server-1204-x64.yml b/3rdparty/modules/posix_acl/spec/acceptance/nodesets/ubuntu-server-1204-x64.yml
new file mode 100644 (file)
index 0000000..29102c5
--- /dev/null
@@ -0,0 +1,15 @@
+---
+# This file is managed via modulesync
+# https://github.com/voxpupuli/modulesync
+# https://github.com/voxpupuli/modulesync_config
+HOSTS:
+  ubuntu-server-1204-x64:
+    roles:
+      - master
+    platform: ubuntu-12.04-amd64
+    box: puppetlabs/ubuntu-12.04-64-nocm
+    hypervisor: vagrant
+CONFIG:
+  type: foss
+...
+# vim: syntax=yaml
diff --git a/3rdparty/modules/posix_acl/spec/acceptance/nodesets/ubuntu-server-12042-x64.yml b/3rdparty/modules/posix_acl/spec/acceptance/nodesets/ubuntu-server-12042-x64.yml
new file mode 100644 (file)
index 0000000..d065b30
--- /dev/null
@@ -0,0 +1,10 @@
+HOSTS:
+  ubuntu-server-12042-x64:
+    roles:
+      - master
+    platform: ubuntu-12.04-amd64
+    box : ubuntu-server-12042-x64-vbox4210-nocm
+    box_url : http://puppet-vagrant-boxes.puppetlabs.com/ubuntu-server-12042-x64-vbox4210-nocm.box
+    hypervisor : vagrant
+CONFIG:
+  type: foss
diff --git a/3rdparty/modules/posix_acl/spec/acceptance/nodesets/ubuntu-server-1404-x64.yml b/3rdparty/modules/posix_acl/spec/acceptance/nodesets/ubuntu-server-1404-x64.yml
new file mode 100644 (file)
index 0000000..054e658
--- /dev/null
@@ -0,0 +1,15 @@
+---
+# This file is managed via modulesync
+# https://github.com/voxpupuli/modulesync
+# https://github.com/voxpupuli/modulesync_config
+HOSTS:
+  ubuntu-server-1404-x64:
+    roles:
+      - master
+    platform: ubuntu-14.04-amd64
+    box: puppetlabs/ubuntu-14.04-64-nocm
+    hypervisor: vagrant
+CONFIG:
+  type: foss
+...
+# vim: syntax=yaml
diff --git a/3rdparty/modules/posix_acl/spec/acceptance/nodesets/ubuntu-server-1604-x64.yml b/3rdparty/modules/posix_acl/spec/acceptance/nodesets/ubuntu-server-1604-x64.yml
new file mode 100644 (file)
index 0000000..bc85e0e
--- /dev/null
@@ -0,0 +1,15 @@
+---
+# This file is managed via modulesync
+# https://github.com/voxpupuli/modulesync
+# https://github.com/voxpupuli/modulesync_config
+HOSTS:
+  ubuntu-server-1604-x64:
+    roles:
+      - master
+    platform: ubuntu-16.04-amd64
+    box: puppetlabs/ubuntu-16.04-64-nocm
+    hypervisor: vagrant
+CONFIG:
+  type: foss
+...
+# vim: syntax=yaml
diff --git a/3rdparty/modules/posix_acl/spec/default_facts.yml b/3rdparty/modules/posix_acl/spec/default_facts.yml
new file mode 100644 (file)
index 0000000..2f6698d
--- /dev/null
@@ -0,0 +1,13 @@
+# This file is managed via modulesync
+# https://github.com/voxpupuli/modulesync
+# https://github.com/voxpupuli/modulesync_config
+#
+# use default_module_facts.yaml for module specific
+# facts.
+#
+# Hint if using with rspec-puppet-facts ("on_supported_os.each"):
+#   if a same named fact exists in facterdb it will be overridden.
+---
+ipaddress: "172.16.254.254"
+is_pe: false
+macaddress: "AA:AA:AA:AA:AA:AA"
diff --git a/3rdparty/modules/posix_acl/spec/spec.opts b/3rdparty/modules/posix_acl/spec/spec.opts
new file mode 100644 (file)
index 0000000..91cd642
--- /dev/null
@@ -0,0 +1,6 @@
+--format
+s
+--colour
+--loadby
+mtime
+--backtrace
diff --git a/3rdparty/modules/posix_acl/spec/spec_helper.rb b/3rdparty/modules/posix_acl/spec/spec_helper.rb
new file mode 100644 (file)
index 0000000..88bca59
--- /dev/null
@@ -0,0 +1,34 @@
+# This file is managed via modulesync
+# https://github.com/voxpupuli/modulesync
+# https://github.com/voxpupuli/modulesync_config
+require 'puppetlabs_spec_helper/module_spec_helper'
+require 'rspec-puppet-facts'
+include RspecPuppetFacts
+
+if Dir.exist?(File.expand_path('../../lib', __FILE__))
+  require 'coveralls'
+  require 'simplecov'
+  require 'simplecov-console'
+  SimpleCov.formatters = [
+    SimpleCov::Formatter::HTMLFormatter,
+    SimpleCov::Formatter::Console
+  ]
+  SimpleCov.start do
+    track_files 'lib/**/*.rb'
+    add_filter '/spec'
+    add_filter '/vendor'
+    add_filter '/.vendor'
+  end
+end
+
+RSpec.configure do |c|
+  default_facts = {}
+  default_facts.merge!(YAML.load(File.read(File.expand_path('../default_facts.yml', __FILE__)))) if File.exist?(File.expand_path('../default_facts.yml', __FILE__))
+  default_facts.merge!(YAML.load(File.read(File.expand_path('../default_module_facts.yml', __FILE__)))) if File.exist?(File.expand_path('../default_module_facts.yml', __FILE__))
+  c.default_facts = default_facts
+
+  # Coverage generation
+  c.after(:suite) do
+    RSpec::Puppet::Coverage.report!
+  end
+end
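Review bot: Both `YAML.load(File.read(...))` calls in the `RSpec.configure` block use the unrestricted loader, which on older Psych versions can instantiate arbitrary Ruby objects from tagged YAML. The default_facts.yml added in this commit holds only strings and a boolean, so `YAML.safe_load(File.read(File.expand_path('../default_facts.yml', __FILE__)))` should be a drop-in replacement. default_module_facts.yml is not shown, so confirm it also holds plain scalars before switching the second call. The header says this file is managed via modulesync, so the change belongs upstream rather than in the vendored copy.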
diff --git a/3rdparty/modules/posix_acl/spec/unit/puppet/provider/posixacl_spec.rb b/3rdparty/modules/posix_acl/spec/unit/puppet/provider/posixacl_spec.rb
new file mode 100644 (file)
index 0000000..b057126
--- /dev/null
@@ -0,0 +1,26 @@
+require 'spec_helper'
+require 'rspec/mocks'
+
+provider_class = Puppet::Type.type(:posix_acl).provider(:posixacl)
+
+describe provider_class do
+  it 'declares a getfacl command' do
+    expect do
+      provider_class.command :getfacl
+    end.not_to raise_error
+  end
+  it 'declares a setfacl command' do
+    expect do
+      provider_class.command :setfacl
+    end.not_to raise_error
+  end
+  it 'encodes spaces in group names' do
+    RSpec::Mocks.with_temporary_scope do
+      Puppet::Type.stubs(:getfacl).returns("group:test group:rwx\n")
+      File.stubs(:exist?).returns(true)
+      expect do
+        provider_class.command :permission
+      end == ['group:test\040group:rwx']
+    end
+  end
+end
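Review bot: The 'encodes spaces in group names' example asserts nothing: `expect do ... end == ['group:test\040group:rwx']` compares an expectation target with an array and discards the result, and the block given to `expect` never runs without a matcher call such as `.to`. The example therefore passes whether or not spaces in ACL entries are escaped. It should obtain the provider's permission list and check it with `expect(actual).to eq(['group:test\040group:rwx'])`; how to obtain that list is not visible in this hunk. The stubs are also set on `Puppet::Type` and `File` rather than on the provider, and `.stubs` is mocha syntax inside an `RSpec::Mocks` scope, so they likely never reach the code under test.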
diff --git a/3rdparty/modules/posix_acl/spec/unit/puppet/type/acl_spec.rb b/3rdparty/modules/posix_acl/spec/unit/puppet/type/acl_spec.rb
new file mode 100644 (file)
index 0000000..aa62a42
--- /dev/null
@@ -0,0 +1,156 @@
+require 'spec_helper'
+
+# rubocop:disable RSpec/MultipleExpectations
+acl_type = Puppet::Type.type(:posix_acl)
+
+describe acl_type do
+  context 'when not setting parameters' do
+    it 'fails without permissions' do
+      expect do
+        acl_type.new name: '/tmp/foo'
+      end.to raise_error
+    end
+  end
+  context 'when setting parameters' do
+    it 'works with a correct permission parameter' do
+      resource = acl_type.new name: '/tmp/foo', permission: ['user:root:rwx']
+      expect(resource[:name]).to eq('/tmp/foo')
+      expect(resource[:permission]).to eq(['user:root:rwx'])
+    end
+    it 'converts a permission string to an array' do
+      resource = acl_type.new name: '/tmp/foo', permission: 'user:root:rwx'
+      expect(resource[:name]).to eq('/tmp/foo')
+      expect(resource[:permission]).to eq(['user:root:rwx'])
+    end
+    it 'converts the u: shorcut to user:' do
+      resource = acl_type.new name: '/tmp/foo', permission: ['u:root:rwx']
+      expect(resource[:name]).to eq('/tmp/foo')
+      expect(resource[:permission]).to eq(['user:root:rwx'])
+    end
+    it 'converts the g: shorcut to group:' do
+      resource = acl_type.new name: '/tmp/foo', permission: ['g:root:rwx']
+      expect(resource[:name]).to eq('/tmp/foo')
+      expect(resource[:permission]).to eq(['group:root:rwx'])
+    end
+    it 'converts the m: shorcut to mask:' do
+      resource = acl_type.new name: '/tmp/foo', permission: ['m::rwx']
+      expect(resource[:name]).to eq('/tmp/foo')
+      expect(resource[:permission]).to eq(['mask::rwx'])
+    end
+    it 'converts the o: shorcut to other:' do
+      resource = acl_type.new name: '/tmp/foo', permission: ['o::rwx']
+      expect(resource[:name]).to eq('/tmp/foo')
+      expect(resource[:permission]).to eq(['other::rwx'])
+    end
+    it 'has the "set" action by default' do
+      resource = acl_type.new name: '/tmp/foo', permission: ['o::rwx']
+      expect(resource[:name]).to eq('/tmp/foo')
+      expect(resource[:action]).to eq(:set)
+    end
+    it 'accepts an action "set"' do
+      resource = acl_type.new name: '/tmp/foo', permission: ['o::rwx'], action: :set
+      expect(resource[:name]).to eq('/tmp/foo')
+      expect(resource[:action]).to eq(:set)
+    end
+    it 'accepts an action "purge"' do
+      resource = acl_type.new name: '/tmp/foo', permission: ['o::rwx'], action: :purge
+      expect(resource[:name]).to eq('/tmp/foo')
+      expect(resource[:action]).to eq(:purge)
+    end
+    it 'accepts an action "unset"' do
+      resource = acl_type.new name: '/tmp/foo', permission: ['o::rwx'], action: :unset
+      expect(resource[:name]).to eq('/tmp/foo')
+      expect(resource[:action]).to eq(:unset)
+    end
+    it 'accepts an action "exact"' do
+      resource = acl_type.new name: '/tmp/foo', permission: ['o::rwx'], action: :exact
+      expect(resource[:name]).to eq('/tmp/foo')
+      expect(resource[:action]).to eq(:exact)
+    end
+    it 'has path as namevar' do
+      resource = acl_type.new name: '/tmp/foo', permission: ['o::rwx']
+      expect(resource[:name]).to eq('/tmp/foo')
+      expect(resource[:path]).to eq(resource[:name])
+    end
+    it 'accepts a path parameter' do
+      resource = acl_type.new path: '/tmp/foo', permission: ['o::rwx'], action: :exact
+      expect(resource[:path]).to eq('/tmp/foo')
+      expect(resource[:name]).to eq(resource[:path])
+    end
+    it 'is not recursive by default' do
+      resource = acl_type.new name: '/tmp/foo', permission: ['o::rwx']
+      expect(resource[:name]).to eq('/tmp/foo')
+      expect(resource[:recursive]).to eq(:false)
+    end
+    it 'accepts a recursive "true"' do
+      resource = acl_type.new name: '/tmp/foo', permission: ['o::rwx'], recursive: true
+      expect(resource[:name]).to eq('/tmp/foo')
+      expect(resource[:recursive]).to eq(:true)
+    end
+    it 'accepts a recurse "false"' do
+      resource = acl_type.new name: '/tmp/foo', permission: ['o::rwx'], recursive: false
+      expect(resource[:name]).to eq('/tmp/foo')
+      expect(resource[:recursive]).to eq(:false)
+    end
+    it 'gets recursemode lazy by default' do
+      resource = acl_type.new name: '/tmp/foo', permission: ['o::rwx']
+      expect(resource[:name]).to eq('/tmp/foo')
+      expect(resource[:recursemode]).to eq(:lazy)
+    end
+    it 'accepts a recursemode deep' do
+      resource = acl_type.new name: '/tmp/foo', permission: ['o::rwx'], recursemode: 'deep'
+      expect(resource[:name]).to eq('/tmp/foo')
+      expect(resource[:recursemode]).to eq(:deep)
+    end
+    it 'accepts a recursemode lazy' do
+      resource = acl_type.new name: '/tmp/foo', permission: ['o::rwx'], recursemode: :lazy
+      expect(resource[:name]).to eq('/tmp/foo')
+      expect(resource[:recursemode]).to eq(:lazy)
+    end
+    it 'fails with a wrong action' do
+      expect do
+        acl_type.new name: '/tmp/foo', permission: ['o::rwx'], action: :xset
+      end.to raise_error
+    end
+    it 'fails with a wrong recurselimit' do
+      expect do
+        acl_type.new name: '/tmp/foo', permission: ['o::rwx'], recurselimit: :a
+      end.to raise_error
+    end
+    it 'fails with a wrong first argument' do
+      expect do
+        acl_type.new name: '/tmp/foo', permission: ['wrong::rwx']
+      end.to raise_error
+    end
+    it 'fails with a wrong last argument' do
+      expect do
+        acl_type.new name: '/tmp/foo', permission: ['user::-_-']
+      end.to raise_error
+    end
+  end
+
+  context 'when removing default parameters' do
+    basic_perms = ['user:foo:rwx', 'group:foo:rwx']
+    advanced_perms = ['user:foo:rwx', 'group:foo:rwx', 'default:user:foo:---']
+    advanced_perms_results = ['user:foo:rwx', 'group:foo:rwx']
+    mysql_perms = [
+      'user:mysql:rwx',
+      'd:user:mysql:rw',
+      'mask::rwx'
+    ]
+    mysql_perms_results = [
+      'user:mysql:rwx',
+      'mask::rwx'
+    ]
+    it 'does not do anything with no defaults' do
+      expect(acl_type.pick_default_perms(basic_perms)).to match_array(basic_perms)
+    end
+    it 'removes defaults' do
+      expect(acl_type.pick_default_perms(advanced_perms)).to match_array(advanced_perms_results)
+    end
+    it 'removes defaults with d:' do
+      expect(acl_type.pick_default_perms(mysql_perms)).to match_array(mysql_perms_results)
+    end
+  end
+end
+# rubocop:enable RSpec/MultipleExpectations
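Review bot: Every negative example uses a bare `raise_error`, which matches any exception, so 'fails without permissions', 'fails with a wrong action' and the others still pass if the constructor fails for an unrelated reason such as a `NoMethodError`. The type's `validate` block raises `Puppet::Error` with 'permission is a required property.', so the first example can be `end.to raise_error(Puppet::Error, /permission is a required property/)`, and the rest should at least name `Puppet::Error`. 'fails with a wrong recurselimit' may pass only because `recurselimit` is not a parameter of the type at all. The part of the type visible on this page mentions only `recursive` and `recursemode`, so verify what that example actually exercises.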
diff --git a/3rdparty/modules/prosody/.fixtures.yml b/3rdparty/modules/prosody/.fixtures.yml
new file mode 100644 (file)
index 0000000..3fb1341
--- /dev/null
@@ -0,0 +1,6 @@
+---
+fixtures:
+  repositories:
+    stdlib: "git://github.com/puppetlabs/puppetlabs-stdlib.git"
+  symlinks:
+    prosody: "#{source_dir}"
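Review bot: The stdlib fixture is cloned over `git://`, which is unauthenticated and unencrypted, and no revision is pinned, so a test run executes whatever the network returns for the default branch. Use `stdlib: "https://github.com/puppetlabs/puppetlabs-stdlib.git"` instead. Preferably use the hash form with `repo:` and `ref:` set to a reviewed tag or commit, so the fixture is reproducible.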
diff --git a/3rdparty/modules/prosody/.gitignore b/3rdparty/modules/prosody/.gitignore
new file mode 100644 (file)
index 0000000..e8b4e12
--- /dev/null
@@ -0,0 +1,8 @@
+.idea
+.rvmrc
+.bundle
+Gemfile.lock
+pkg
+vendor
+coverage/*
+spec/fixtures/*
diff --git a/3rdparty/modules/prosody/.pmtignore b/3rdparty/modules/prosody/.pmtignore
new file mode 100644 (file)
index 0000000..48b8bf9
--- /dev/null
@@ -0,0 +1 @@
+vendor/
diff --git a/3rdparty/modules/prosody/.rubocop.yml b/3rdparty/modules/prosody/.rubocop.yml
new file mode 100644 (file)
index 0000000..b35f11b
--- /dev/null
@@ -0,0 +1,7 @@
+---
+AllCops:
+  Exclude:
+    - 'spec/fixtures/**/*'
+Metrics/BlockLength: {Enabled: false}
+Metrics/LineLength: {Enabled: true, Max: 180}
+Style/FormatStringToken: {Enabled: false}
diff --git a/3rdparty/modules/prosody/.travis.yml b/3rdparty/modules/prosody/.travis.yml
new file mode 100644 (file)
index 0000000..8edb593
--- /dev/null
@@ -0,0 +1,9 @@
+---
+language: ruby
+script: "bundle exec rake validate lint spec"
+matrix:
+  include:
+    - env: PUPPET_VERSION=5.5.10
+      rvm: 2.4.1
+    - env: PUPPET_VERSION=6.2.0
+      rvm: 2.5.1
diff --git a/3rdparty/modules/prosody/Gemfile b/3rdparty/modules/prosody/Gemfile
new file mode 100644 (file)
index 0000000..3cf2218
--- /dev/null
@@ -0,0 +1,34 @@
+source ENV['GEM_SOURCE'] || 'https://rubygems.org'
+
+group :development, :test do
+  gem 'metadata-json-lint'
+  gem 'puppet-blacksmith', '>= 3.1.0'
+  gem 'puppet-lint', '>= 2'
+  gem 'puppet-lint-absolute_classname-check'
+  gem 'puppet-lint-empty_string-check'
+  gem 'puppet-lint-file_ensure-check'
+  gem 'puppet-lint-leading_zero-check'
+  gem 'puppet-lint-spaceship_operator_without_tag-check'
+  gem 'puppet-lint-trailing_comma-check'
+  gem 'puppet-lint-undef_in_function-check'
+  gem 'puppet-lint-unquoted_string-check'
+  gem 'puppet-lint-variable_contains_upcase'
+  gem 'puppetlabs_spec_helper'
+  gem 'rake'
+  gem 'rspec'
+  gem 'rspec-puppet'
+  gem 'semantic_puppet'
+  gem 'simplecov'
+end
+
+if ENV['FACTER_VERSION']
+  gem 'facter', ENV['FACTER_VERSION']
+else
+  gem 'facter' # rubocop:disable Bundler/DuplicatedGem
+end
+
+if ENV['PUPPET_VERSION']
+  gem 'puppet', ENV['PUPPET_VERSION']
+else
+  gem 'puppet' # rubocop:disable Bundler/DuplicatedGem
+end
diff --git a/3rdparty/modules/prosody/README.md b/3rdparty/modules/prosody/README.md
new file mode 100644 (file)
index 0000000..0439c1d
--- /dev/null
@@ -0,0 +1,51 @@
+![Prosody](http://prosody.im/prosody.png)
+
+[![Build Status](https://travis-ci.org/mayflower/puppet-prosody.svg?branch=master)](https://travis-ci.org/mayflower/puppet-prosody)
+
+Puppet module for the [Prosody](http://prosody.im/) Jabber/XMPP server.
+
+This module is a fork of rtyler/puppet-prosody because the upstream is dead. A
+bunch of features were added and bugs were fixed.
+
+If you want to use Prosody in a production environment, this is the Puppet
+module to use.
+
+## Using
+
+**Note:** This module has currently been tested on CentOS 7, Ubuntu and OpenBSD.
+
+```puppet
+node myserver {
+
+  class { 'prosody':
+    user              => 'prosody',
+    group             => 'prosody',
+    community_modules => ['mod_auth_ldap'],
+    authentication    => 'ldap',
+    custom_options    => {
+                            'ldap_base'     => 'OU="accounts",DC="mydomain",DC="com"',
+                            'ldap_server'   => 'ldapserver1:636 ldapserver2:636',
+                            'ldap_rootdn'   => 'DN="prosody",OU="accounts",DC="mydomain",DC="com"',
+                            'ldap_password' => hiera(prosody-ldap-password),
+                            'ldap_scope'    => 'subtree',
+                            'ldap_tls'      => 'true',
+                          },
+  }
+
+  prosody::virtualhost {
+    'mydomain.com' :
+      ensure   => present,
+      ssl_key  => '/etc/ssl/key/mydomain.com.key',
+      ssl_cert => '/etc/ssl/crt/mydomain.com.crt',
+  }
+
+  prosody::user { 'foo':
+    host => 'mydomain.com',
+    pass => 'itsasecret',
+  }
+}
+```
+
+## Support
+
+Please file bugs and enhancement requests in the [GitHub issue tracker](https://github.com/mayflower/puppet-prosody/issues)
diff --git a/3rdparty/modules/prosody/Rakefile b/3rdparty/modules/prosody/Rakefile
new file mode 100644 (file)
index 0000000..cfc9505
--- /dev/null
@@ -0,0 +1,31 @@
+require 'puppetlabs_spec_helper/rake_tasks'
+require 'puppet-lint/tasks/puppet-lint'
+
+PuppetLint.configuration.ignore_paths = ['spec/**/*.pp', 'tests/**/*.pp', 'pkg/**/*.pp', 'vendor/**/*.pp']
+PuppetLint.configuration.log_format = '%{path}:%{line}:%{KIND}: %{message}'
+
+desc 'Validate manifests, templates, and ruby files'
+task :validate do
+  Dir['manifests/**/*.pp'].each do |manifest|
+    sh "puppet parser validate --noop #{manifest}"
+  end
+  Dir['spec/**/*.rb', 'lib/**/*.rb'].each do |ruby_file|
+    sh "ruby -c #{ruby_file}" unless ruby_file =~ %r{/spec\/fixtures/}
+  end
+  Dir['templates/**/*.erb'].each do |template|
+    sh "erb -P -x -T '-' #{template} | ruby -c"
+  end
+end
+
+# blacksmith is broken with ruby 1.8.7
+if Gem::Version.new(RUBY_VERSION) > Gem::Version.new('1.8.7')
+  # blacksmith isn't always present, e.g. on Travis with --without development
+  begin
+    require 'puppet_blacksmith/rake_tasks'
+    Blacksmith::RakeTask.new do |t|
+      t.tag_pattern = '%s'
+    end
+  rescue LoadError => e
+    warn(e)
+  end
+end
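Review bot: The three `sh` calls in the `validate` task interpolate file names from `Dir[...]` into a single shell string, so a path containing a space or shell metacharacter is interpreted by the shell instead of being passed as one argument. The `spec/fixtures` exclusion does not help: `%r{/spec\/fixtures/}` requires a leading slash, which the relative paths returned by `Dir['spec/**/*.rb']` do not have, so fixture files (third-party checkouts) are syntax-checked as well. Use the argument-list form and a prefix test, e.g. `sh 'ruby', '-c', ruby_file unless ruby_file.start_with?('spec/fixtures/')` and `sh 'puppet', 'parser', 'validate', '--noop', manifest`. The `erb ... | ruby -c` pipeline needs the shell, so escape `template` with `Shellwords.escape` there.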
diff --git a/3rdparty/modules/prosody/data/common.yaml b/3rdparty/modules/prosody/data/common.yaml
new file mode 100644 (file)
index 0000000..706e50f
--- /dev/null
@@ -0,0 +1,65 @@
+---
+prosody::admins: []
+prosody::allow_registration: false
+prosody::authentication: internal_plain
+prosody::c2s_require_encryption: true
+prosody::community_modules: []
+prosody::components: {}
+prosody::custom_options: {}
+prosody::daemonize: true
+prosody::error_log: /var/log/prosody/prosody.err
+prosody::group: prosody
+prosody::info_log: /var/log/prosody/prosody.log
+prosody::interfaces:
+  - '0.0.0.0'
+  - '::'
+prosody::log_level: info
+prosody::log_sinks:
+  - syslog
+prosody::log_advanced: {}
+prosody::modules: []
+prosody::modules_base:
+  - admin_adhoc
+  - dialback
+  - disco
+  - pep
+  - ping
+  - posix
+  - private
+  - roster
+  - saslauth
+  - time
+  - tls
+  - uptime
+  - vcard
+  - version
+prosody::modules_disabled: []
+prosody::package_ensure: present
+prosody::package_name: prosody
+prosody::pidfile: /var/run/prosody/prosody.pid
+prosody::s2s_insecure_domains: []
+prosody::s2s_require_encryption: true
+prosody::s2s_secure_auth: true
+prosody::s2s_secure_domains: []
+prosody::ssl_ciphers: 'DH+AES:ECDH+AES:+ECDH+SHA:AES:!PSK:!SRP:!DSS:!ADH:!AECDH'
+prosody::ssl_curve: secp521r1
+prosody::ssl_custom_config: true
+prosody::ssl_dhparam: ''
+prosody::ssl_options:
+  - cipher_server_preference
+  - no_compression
+  - no_sslv2
+  - no_sslv3
+  - no_ticket
+  - single_dh_use
+  - single_ecdh_use
+prosody::storage: internal
+prosody::use_libevent: true
+prosody::user: prosody
+prosody::virtualhost_defaults: {}
+prosody::virtualhosts: {}
+
+prosody::community_modules::ensure: present
+prosody::community_modules::path: /var/lib/prosody/modules
+prosody::community_modules::source: https://hg.prosody.im/prosody-modules/
+prosody::community_modules::type: hg
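Review bot: The default `prosody::authentication: internal_plain` means a node that does not override it keeps account passwords in plaintext in Prosody's data store; the comment above `authentication =` in templates/prosody.cfg.erb in this same commit says as much. `prosody::authentication: internal_hashed` is already accepted by the `Prosody::Authentication` type and is the safer value to set in the consuming profile's Hiera data. Whether accounts written by `prosody::user` (which stores `password` in clear) keep working with the hashed backend should be confirmed before switching.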
diff --git a/3rdparty/modules/prosody/hiera.yaml b/3rdparty/modules/prosody/hiera.yaml
new file mode 100644 (file)
index 0000000..e7d1246
--- /dev/null
@@ -0,0 +1,5 @@
+---
+version: 5
+hierarchy:
+  - name: common
+    path: common.yaml
diff --git a/3rdparty/modules/prosody/manifests/community_modules.pp b/3rdparty/modules/prosody/manifests/community_modules.pp
new file mode 100644 (file)
index 0000000..c0bc977
--- /dev/null
@@ -0,0 +1,21 @@
+# == Class: prosody::community_modules
+class prosody::community_modules(
+  Enum[present, latest] $ensure,
+  Stdlib::Absolutepath  $path,
+  String                $source,
+  Prosody::Moduletype   $type,
+  Optional[String]      $revision = undef,
+) {
+  case $type {
+    'hg':    { $_packages = ['mercurial'] }
+    'git':   { $_packages = ['git'] }
+    default: { $_packages = [] }
+  }
+  ensure_packages($_packages)
+  -> vcsrepo { $path:
+    ensure   => $ensure,
+    provider => $type,
+    source   => $source,
+    revision => $revision,
+  }
+}
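Review bot: `$revision` defaults to `undef`, so the `vcsrepo` resource checks out whatever the head of `$source` is at the time of the run, and with `ensure => latest` it follows that head on every run. The checked-out code is then offered to the XMPP server through `plugin_paths` in prosody.cfg.erb. Pin it in Hiera, e.g. `prosody::community_modules::revision: '<reviewed-changeset-id>'` (placeholder), and move the pin only after reviewing the new changeset. The class is documented only by its `# == Class:` line; a comment such as `# @param revision Changeset to check out; leave unset only for testing` would make the expectation visible.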
diff --git a/3rdparty/modules/prosody/manifests/config.pp b/3rdparty/modules/prosody/manifests/config.pp
new file mode 100644 (file)
index 0000000..ef182a0
--- /dev/null
@@ -0,0 +1,16 @@
+# == Class: prosody::config
+class prosody::config {
+  file { '/etc/prosody/conf.avail':
+    ensure => directory,
+  }
+
+  file { '/etc/prosody/conf.d':
+    ensure => directory,
+  }
+
+  file { '/etc/prosody/prosody.cfg.lua':
+    content => template('prosody/prosody.cfg.erb'),
+    require => Class['::prosody::package'],
+    notify  => Class['::prosody::service'],
+  }
+}
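Review bot: The `file { '/etc/prosody/prosody.cfg.lua': }` resource sets no `owner`, `group` or `mode`, although the template it renders can contain `sql['password']` and `component_secret` values. Without those attributes the permissions are whatever the existing file or Puppet's defaults give, which may be world-readable. I would add `owner => 'root', group => $::prosody::group, mode => '0640',` and also `show_diff => false,` so the secrets are not copied into agent logs and reports when the file changes.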
diff --git a/3rdparty/modules/prosody/manifests/init.pp b/3rdparty/modules/prosody/manifests/init.pp
new file mode 100644 (file)
index 0000000..7591e96
--- /dev/null
@@ -0,0 +1,58 @@
+# == Class: prosody
+class prosody(
+  Array[String]                           $admins,
+  Boolean                                 $allow_registration,
+  Prosody::Authentication                 $authentication,
+  Boolean                                 $c2s_require_encryption,
+  Array[String]                           $community_modules,
+  Hash                                    $components,
+  Hash                                    $custom_options,
+  Boolean                                 $daemonize,
+  Stdlib::Absolutepath                    $error_log,
+  String                                  $group,
+  Stdlib::Absolutepath                    $info_log,
+  Array[Stdlib::IP::Address]              $interfaces,
+  Prosody::Loglevel                       $log_level,
+  Array[String]                           $log_sinks,
+  Hash[Optional[Prosody::Loglevel], Data] $log_advanced,
+  Array[String]                           $modules,
+  Array[String]                           $modules_base,
+  Array[String]                           $modules_disabled,
+  Prosody::Packageensure                  $package_ensure,
+  String                                  $package_name,
+  Stdlib::Absolutepath                    $pidfile,
+  Array[Stdlib::Fqdn]                     $s2s_insecure_domains,
+  Boolean                                 $s2s_require_encryption,
+  Boolean                                 $s2s_secure_auth,
+  Array[Stdlib::Fqdn]                     $s2s_secure_domains,
+  String                                  $ssl_ciphers,
+  String                                  $ssl_curve,
+  Boolean                                 $ssl_custom_config,
+  String                                  $ssl_dhparam,
+  Array[String]                           $ssl_options,
+  Prosody::Storage                        $storage,
+  Boolean                                 $use_libevent,
+  String                                  $user,
+  Hash                                    $virtualhost_defaults,
+  Hash                                    $virtualhosts,
+  Optional[Hash]                          $sql          = undef,
+  Optional[Stdlib::Absolutepath]          $ssl_cert     = undef,
+  Optional[Stdlib::Absolutepath]          $ssl_key      = undef,
+  Optional[String]                        $ssl_protocol = undef,
+) {
+  if ($community_modules != []) {
+    class { '::prosody::community_modules':
+      require => Class['::prosody::package'],
+      before  => Class['::prosody::config'],
+    }
+  }
+
+  anchor { 'prosody::begin': }
+  -> class { '::prosody::package': }
+  -> class { '::prosody::config': }
+  -> class { '::prosody::service': }
+  -> anchor { '::prosody::end': }
+
+  # create virtualhost resources via hiera
+  create_resources('prosody::virtualhost', $virtualhosts, $virtualhost_defaults)
+}
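Review bot: The two anchors are titled inconsistently, `anchor { 'prosody::begin': }` versus `anchor { '::prosody::end': }`; use `anchor { 'prosody::end': }` so both follow the same naming. The class takes 39 parameters but is documented only by `# == Class: prosody`. At least the security-relevant ones (`authentication`, `c2s_require_encryption`, `s2s_secure_auth`, the `ssl_*` group and `sql`) deserve `@param` lines stating what they control, including that the `sql` hash carries a database password that the template writes into the configuration file.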
diff --git a/3rdparty/modules/prosody/manifests/package.pp b/3rdparty/modules/prosody/manifests/package.pp
new file mode 100644 (file)
index 0000000..2ac8a4a
--- /dev/null
@@ -0,0 +1,6 @@
+# == Class: prosody::package
+class prosody::package {
+  package { $::prosody::package_name:
+    ensure  => $::prosody::package_ensure,
+  }
+}
diff --git a/3rdparty/modules/prosody/manifests/service.pp b/3rdparty/modules/prosody/manifests/service.pp
new file mode 100644 (file)
index 0000000..494fada
--- /dev/null
@@ -0,0 +1,22 @@
+# == Class: prosody::service
+class prosody::service {
+  if $::prosody::daemonize {
+    case $::osfamily {
+      'OpenBSD': {
+        service { 'prosody':
+          ensure  => running,
+          enable  => true,
+          require => Class[prosody::config],
+        }
+      }
+      default: {
+        service { 'prosody' :
+          ensure    => running,
+          hasstatus => false,
+          restart   => '/usr/bin/prosodyctl reload',
+          require   => Class[prosody::config],
+        }
+      }
+    }
+  }
+}
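Review bot: The `default` branch never sets `enable => true`, unlike the `OpenBSD` branch, so on other platforms Puppet starts the service but leaves boot-time enablement to the package. Both branches also reference `Class[prosody::config]` as a bareword, where the rest of the module writes `Class['::prosody::config']`. Suggest adding `enable => true,` to the default branch and quoting the class reference in both.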
diff --git a/3rdparty/modules/prosody/manifests/user.pp b/3rdparty/modules/prosody/manifests/user.pp
new file mode 100644 (file)
index 0000000..23881f7
--- /dev/null
@@ -0,0 +1,33 @@
+# == Define: prosody::user
+define prosody::user(
+  String        $pass,
+  Prosody::Host $host = 'localhost',
+) {
+  $dir = regsubst($host, '\.', '%2e', 'G')
+
+  ensure_resource('file', "/var/lib/prosody/${dir}", {
+    ensure => 'directory',
+    owner  => 'prosody',
+    group  => 'prosody',
+  })
+
+  ensure_resource('file', "/var/lib/prosody/${dir}/accounts", {
+    ensure  => 'directory',
+    owner   => 'prosody',
+    group   => 'prosody',
+    require => File["/var/lib/prosody/${dir}"],
+  })
+
+  $_content = "
+return {
+  [\"password\"] = \"${pass}\";
+};
+"
+  file {"/var/lib/prosody/${dir}/accounts/${name}.dat":
+    owner   => 'prosody',
+    group   => 'prosody',
+    mode    => '0640',
+    content => $_content,
+    require => File["/var/lib/prosody/${dir}/accounts"],
+  }
+}
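Review bot: `$pass` is interpolated unescaped into the Lua literal at `[\"password\"] = \"${pass}\";`, so a password containing `"`, `\` or a line break produces an account file that is malformed or means something other than intended. Validate or escape the value before it is written (for example by tightening the parameter type to exclude those characters), and give the `file` resource `show_diff => false,` so the cleartext password is not copied into agent logs and reports. `${name}` and `${dir}` also go straight into the path; `regsubst` only encodes `.`, so resource titles containing `/` are worth rejecting explicitly. Owner and group are hard-coded to `'prosody'` rather than taken from `$::prosody::user` and `$::prosody::group`.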
diff --git a/3rdparty/modules/prosody/manifests/virtualhost.pp b/3rdparty/modules/prosody/manifests/virtualhost.pp
new file mode 100644 (file)
index 0000000..1f0e909
--- /dev/null
@@ -0,0 +1,75 @@
+# == Type: prosody::virtualhost
+define prosody::virtualhost(
+  Hash                           $custom_options = {},
+  Enum[present, absent]          $ensure         = present,
+  Optional[Stdlib::Absolutepath] $ssl_key        = undef,
+  Optional[Stdlib::Absolutepath] $ssl_cert       = undef,
+  Boolean                        $ssl_copy       = true,
+  Optional[String]               $user           = undef,
+  Optional[String]               $group          = undef,
+  Hash                           $components     = {},
+) {
+  # Check if SSL set correctly
+  if (($ssl_key != undef) and ($ssl_cert == undef)) {
+    fail('The prosody::virtualhost type needs both ssl_key *and* ssl_cert set')
+  }
+  if (($ssl_key == undef) and ($ssl_cert != undef)) {
+    fail('The prosody::virtualhost type needs both ssl_key *and* ssl_cert set')
+  }
+
+  if (($ssl_key != undef) and ($ssl_cert != undef) and ($ssl_copy == true)) {
+    # Copy the provided sources to prosody certs folder
+    $prosody_ssl_key  = "/etc/prosody/certs/${name}.key"
+    $prosody_ssl_cert = "/etc/prosody/certs/${name}.crt"
+
+    $file_user = pick_default($user, 'prosody')
+    $file_group = pick_default($group, 'prosody')
+
+    file {
+      $prosody_ssl_key:
+        source => $ssl_key,
+        links  => follow,
+        mode   => '0640',
+        owner  => $file_user,
+        group  => $file_group;
+      $prosody_ssl_cert:
+        source => $ssl_cert,
+        links  => follow,
+        mode   => '0644',
+        owner  => $file_user,
+        group  => $file_group;
+    }
+
+    $config_requires = [File[$prosody_ssl_key], File[$prosody_ssl_cert], Class['::prosody::package']]
+  }
+
+  elsif (($ssl_key != undef) and ($ssl_cert != undef) and ($ssl_copy == false)) {
+    $prosody_ssl_key  = $ssl_key
+    $prosody_ssl_cert = $ssl_cert
+  }
+
+  else {
+    $config_requires = Class['::prosody::package']
+  }
+
+  $conf_avail_fn = "/etc/prosody/conf.avail/${name}.cfg.lua"
+
+  file { $conf_avail_fn:
+      ensure  => $ensure,
+      require => $config_requires,
+      content => template('prosody/virtualhost.cfg.erb'),
+      notify  => Class['::prosody::service'],
+  }
+
+  $cfg_ensure = $ensure ? {
+    'present' => link,
+    'absent'  => absent,
+  }
+
+  file { "/etc/prosody/conf.d/${name}.cfg.lua":
+    ensure  => $cfg_ensure,
+    target  => $conf_avail_fn,
+    notify  => Class['::prosody::service'],
+    require => File[$conf_avail_fn];
+  }
+}
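Review bot: `$config_requires` is never assigned in the `elsif` branch (`$ssl_copy == false`), yet it is used unconditionally in `require => $config_requires` further down. With `strict_variables` enabled that should be a compile error, and otherwise the vhost file silently loses its dependency on `Class['::prosody::package']`. Add `$config_requires = Class['::prosody::package']` to that branch. With `ssl_copy` false the module also does nothing to ensure the Prosody user can read `$ssl_key`; a comment stating that permissions are then the caller's responsibility would help.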
diff --git a/3rdparty/modules/prosody/metadata.json b/3rdparty/modules/prosody/metadata.json
new file mode 100644 (file)
index 0000000..8dbaac4
--- /dev/null
@@ -0,0 +1,26 @@
+{
+  "name": "mayflower-prosody",
+  "version": "0.4.1",
+  "author": "Franz Pletz",
+  "summary": "Simple Puppet module for managing the Prosody Jabber/XMPP server",
+  "license": "Apache-2.0",
+  "source": "https://github.com/mayflower/puppet-prosody",
+  "issues_url": "https://github.com/mayflower/puppet-prosody/issues",
+  "description": "This module supports most configuration options and installing community modules",
+  "dependencies": [
+    {
+      "name": "puppetlabs/stdlib",
+      "version_requirement": ">= 4.25.0"
+    },
+    {
+      "name": "puppetlabs/vcsrepo",
+      "version_requirement": ">= 1.0.0 < 3.0.0"
+    }
+  ],
+  "requirements": [
+    {
+      "name": "puppet",
+      "version_requirement": ">= 5.5.10 < 7"
+    }
+  ]
+}
diff --git a/3rdparty/modules/prosody/spec/classes/prosody_spec.rb b/3rdparty/modules/prosody/spec/classes/prosody_spec.rb
new file mode 100644 (file)
index 0000000..6cb425e
--- /dev/null
@@ -0,0 +1,48 @@
+require 'spec_helper'
+
+describe 'prosody' do
+  let(:facts) do
+    { osfamily: 'SomeOS' }
+  end
+  context 'on every platform' do
+    it { should contain_class 'prosody::package' }
+    it { should contain_class 'prosody::config' }
+    it { should contain_class 'prosody::service' }
+
+    it { should contain_package('prosody').with(ensure: 'present') }
+  end
+
+  context 'with daemonize => true' do
+    let(:params) { { daemonize: true } }
+    it {
+      should contain_service('prosody').with(
+        ensure: 'running'
+      )
+    }
+  end
+
+  context 'with daemonize => false' do
+    let(:params) { { daemonize: false } }
+    it {
+      should_not contain_service('prosody').with(
+        ensure: 'running'
+      )
+    }
+  end
+
+  context 'with custom options' do
+    let(:params) { { custom_options: { 'foo' => 'bar', 'baz' => 'quux' } } }
+    it {
+      should contain_file('/etc/prosody/prosody.cfg.lua') \
+        .with_content(/^foo = "bar"$/, /^baz = "quux"$/)
+    }
+  end
+
+  context 'with deeply nested custom options' do
+    let(:params) { { custom_options: { 'foo' => { 'fnord' => '23', 'xyzzy' => '42' }, 'bar' => %w[cool elements], 'baz' => 'quux' } } }
+    it {
+      should contain_file('/etc/prosody/prosody.cfg.lua') \
+        .with_content(/^foo = {\n  fnord = "23";\n  xyzzy = "42";\n}$/, /^baz = "quux"$/, /^bar = [ "cool"; "elements" ]$/)
+    }
+  end
+end
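Review bot: The custom-options examples pass several patterns to a single `with_content(...)`; as far as I know rspec-puppet's `with_<param>` matchers only look at the first argument, so the later patterns are never checked. That would explain why `/^bar = [ "cool"; "elements" ]$/` does not fail, although `[ ... ]` is a character class and the template prints braces, `{ "cool"; "elements" }`. Chain one call per pattern instead, `.with_content(/^foo = "bar"$/).with_content(/^baz = "quux"$/)`, and correct the array pattern to `/^bar = \{ "cool"; "elements" \}$/`. spec/defines/virtualhost_spec.rb contains the same two calls.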
diff --git a/3rdparty/modules/prosody/spec/defines/virtualhost_spec.rb b/3rdparty/modules/prosody/spec/defines/virtualhost_spec.rb
new file mode 100644 (file)
index 0000000..d3b31cb
--- /dev/null
@@ -0,0 +1,105 @@
+require 'spec_helper'
+require 'erb'
+
+describe 'prosody::virtualhost' do
+  let(:pre_condition) do
+    'include ::prosody'
+  end
+  let(:facts) do
+    {
+      osfamily: 'SomeOS'
+    }
+  end
+  let(:title) { 'mockvirtualhost' }
+
+  before :each do
+    @path_avail = "/etc/prosody/conf.avail/#{title}.cfg.lua"
+    @path_link = "/etc/prosody/conf.d/#{title}.cfg.lua"
+  end
+
+  context 'with no parameters' do
+    it {
+      should contain_file(@path_avail).with(
+        ensure: 'present'
+      )
+    }
+
+    it {
+      should contain_file(@path_link).with(
+        ensure: 'link',
+        target: @path_avail,
+        require: "File[#{@path_avail}]"
+      )
+    }
+  end
+
+  context 'with ssl_key but no ssl_cert' do
+    let(:params) { { ssl_key: 'bananas' } }
+    it {
+      expect do
+        should contain_class('prosody')
+      end.to raise_error(Puppet::Error)
+    }
+  end
+
+  context 'with ssl_cert but no ssl_key' do
+    let(:params) { { ssl_cert: 'bananas' } }
+    it {
+      expect do
+        should contain_class('prosody')
+      end.to raise_error(Puppet::Error)
+    }
+  end
+
+  context 'with ssl keys and certs' do
+    let(:ssl_key) { '/etc/prosody/certs/rspec-puppet.com.key' }
+    let(:ssl_cert) { '/etc/prosody/certs/rspec-puppet.com.crt' }
+    let(:params) { { ssl_key: ssl_key, ssl_cert: ssl_cert } }
+
+    before :each do
+      @ssl_key = ssl_key
+      @ssl_cert = ssl_cert
+    end
+
+    it {
+      # This require statment is bananas
+      should contain_file(@path_avail).with(
+        ensure: 'present',
+        require: ['File[/etc/prosody/certs/mockvirtualhost.key]', 'File[/etc/prosody/certs/mockvirtualhost.crt]', 'Class[Prosody::Package]']
+      )
+
+      should contain_file('/etc/prosody/certs/mockvirtualhost.key').with_source(@ssl_key)
+      should contain_file('/etc/prosody/certs/mockvirtualhost.crt').with_source(@ssl_cert)
+    }
+  end
+
+  context 'ensure => absent' do
+    let(:params) { { ensure: 'absent' } }
+    it {
+      @ensure = 'absent'
+      should contain_file(@path_avail).with(
+        ensure: @ensure
+      )
+    }
+
+    it {
+      should contain_file(@path_link).with_ensure('absent')
+    }
+  end
+
+  context 'with custom options' do
+    let(:params) { { custom_options: { 'foo' => 'bar', 'baz' => 'quux' } } }
+    it {
+      should contain_file(@path_avail) \
+        .with_content(/^foo = "bar"$/, /^baz = "quux"$/)
+    }
+  end
+
+  context 'with deeply nested custom options' do
+    let(:params) { { custom_options: { 'foo' => { 'fnord' => '23', 'xyzzy' => '42' }, 'bar' => %w[cool elements], 'baz' => 'quux' } } }
+    it {
+      should contain_file(@path_avail) \
+        .with_content(/^foo = {\n  fnord = "23";\n  xyzzy = "42";\n}$/, /^baz = "quux"$/, /^bar = [ "cool"; "elements" ]$/)
+    }
+  end
+end
diff --git a/3rdparty/modules/prosody/spec/spec_helper.rb b/3rdparty/modules/prosody/spec/spec_helper.rb
new file mode 100644 (file)
index 0000000..203737b
--- /dev/null
@@ -0,0 +1,6 @@
+require 'puppetlabs_spec_helper/module_spec_helper'
+require 'simplecov'
+
+SimpleCov.start do
+  add_filter '/spec/'
+end
diff --git a/3rdparty/modules/prosody/templates/prosody.cfg.erb b/3rdparty/modules/prosody/templates/prosody.cfg.erb
new file mode 100644 (file)
index 0000000..8c74928
--- /dev/null
@@ -0,0 +1,258 @@
+-- Prosody XMPP Server Configuration
+--
+-- Information on configuring Prosody can be found on our
+-- website at https://prosody.im/doc/configure
+--
+-- Tip: You can check that the syntax of this file is correct
+-- when you have finished by running this command:
+--     prosodyctl check config
+-- If there are any errors, it will let you know what and where
+-- they are, otherwise it will keep quiet.
+--
+-- Good luck, and happy Jabbering!
+
+
+---------- Server-wide settings ----------
+-- Settings in this section apply to the whole server and are the default settings
+-- for any virtual hosts
+
+-- This is a (by default, empty) list of accounts that are admins
+-- for the server. Note that you must create the accounts separately
+-- (see https://prosody.im/doc/creating_accounts for info)
+-- Example: admins = { "user1@example.com", "user2@example.net" }
+admins = {
+<% scope.lookupvar('prosody::admins').each do |admin| -%>
+    "<%= admin %>",
+<% end -%>
+}
+
+<% if scope.lookupvar('prosody::user') != '' -%>
+-- User to run prosody as
+prosody_user = "<%= scope.lookupvar('prosody::user') %>"
+<% end -%>
+<% if scope.lookupvar('prosody::group') != '' -%>
+-- Group to run prosody as
+prosody_group = "<%= scope.lookupvar('prosody::group') %>"
+<% end -%>
+
+-- Which interfaces (addresses) to listen on
+interfaces = {
+<% scope.lookupvar('prosody::interfaces').each do |interface| -%>
+    "<%= interface %>",
+<% end -%>
+}
+
+-- Enable use of libevent for better performance under high load
+-- For more information see: https://prosody.im/doc/libevent
+use_libevent = <%= scope.lookupvar('prosody::use_libevent') %>;
+
+-- This is the list of modules Prosody will load on startup.
+-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
+-- Documentation on modules can be found at: https://prosody.im/doc/modules
+modules_enabled = {
+
+  -- Base modules
+<% scope.lookupvar('prosody::modules_base').each do |mod| -%>
+    "<%= mod %>";
+<% end -%>
+
+  -- Custom modules
+<% scope.lookupvar('prosody::modules').each do |mod| -%>
+    "<%= mod %>";
+<% end -%>
+
+};
+
+<%- community_modules = scope.lookupvar('prosody::community_modules')
+    if community_modules != [] -%>
+-- Where to search for plugins/modules
+plugin_paths = {
+<%- base_path = scope.lookupvar('prosody::community_modules::path')
+    community_modules.each do |mod| -%>
+    "<%= base_path + '/mod_' + mod %>";
+<%- end -%>
+};
+<%- end -%>
+
+<%- modules_disabled = scope.lookupvar('prosody::modules_disabled')
+    if modules_disabled != [] -%>
+-- These modules are auto-loaded, but should you want
+-- to disable them then uncomment them here:
+modules_disabled = {
+<% scope.lookupvar('prosody::modules_disabled').each do |mod| -%>
+    "<%= mod %>";
+<%- end -%>
+};
+<%- end -%>
+
+-- Disable account creation by default, for security
+-- For more information see https://prosody.im/doc/creating_accounts
+allow_registration = <%= scope.lookupvar('prosody::allow_registration') %>;
+
+-- Debian:
+--   send the server to background.
+--
+daemonize = <%= scope.lookupvar('prosody::daemonize') %>;
+
+<% if scope.lookupvar('prosody::ssl_custom_config') -%>
+-- These are the SSL/TLS-related settings. If you don't want
+-- to use SSL/TLS, you may comment or remove this
+ssl = {
+  <% unless scope.lookupvar('prosody::ssl_protocol').nil? -%>
+  protocol = "<%= scope.lookupvar('prosody::ssl_protocol') %>";
+  <% end -%>
+  options = {
+  <%- scope.lookupvar('prosody::ssl_options').each do |option| -%>
+    "<%= option %>",
+  <%- end -%>
+  };
+  ciphers = "<%= scope.lookupvar('prosody::ssl_ciphers') %>";
+  curve = "<%= scope.lookupvar('prosody::ssl_curve') %>";
+  <%- dhparam = scope.lookupvar('prosody::ssl_dhparam')
+      if dhparam != '' -%>
+  dhparam = "<%= dhparam %>";
+  <%- end -%>
+  <%- ssl_key = scope.lookupvar('prosody::ssl_key')
+      if ssl_key != :undef -%>
+  key = "<%= ssl_key %>";
+  <%- end -%>
+  <%- ssl_cert = scope.lookupvar('prosody::ssl_cert')
+      if ssl_cert != :undef -%>
+  certificate = "<%= ssl_cert %>";
+  <%- end -%>
+}
+<% end -%>
+
+-- Force clients to use encrypted connections? This option will
+-- prevent clients from authenticating unless they are using encryption.
+
+c2s_require_encryption = <%= scope.lookupvar('prosody::c2s_require_encryption') %>
+
+-- Force servers to use encrypted connections?
+
+s2s_require_encryption = <%= scope.lookupvar('prosody::s2s_require_encryption') %>
+
+
+-- Force certificate authentication for server-to-server connections?
+-- This provides ideal security, but requires servers you communicate
+-- with to support encryption AND present valid, trusted certificates.
+-- NOTE: Your version of LuaSec must support certificate verification!
+-- For more information see https://prosody.im/doc/s2s#security
+
+s2s_secure_auth = <%= scope.lookupvar('prosody::s2s_secure_auth') %>
+
+-- Many servers don't support encryption or have invalid or self-signed
+-- certificates. You can list domains here that will not be required to
+-- authenticate using certificates. They will be authenticated using DNS.
+
+s2s_insecure_domains = {
+<% scope.lookupvar('prosody::s2s_insecure_domains').each do |domain| -%>
+    "<%= domain %>",
+<% end -%>
+}
+
+-- Even if you leave s2s_secure_auth disabled, you can still require valid
+-- certificates for some domains by specifying a list here.
+
+s2s_secure_domains = {
+<% scope.lookupvar('prosody::s2s_secure_domains').each do |domain| -%>
+    "<%= domain %>",
+<% end -%>
+}
+
+------ Custom config options ------
+
+<%-
+def print_recursive(object, indentation = 0)
+  case object
+  when Array
+    '{ "' + object.join('"; "') + '" }'
+  when Hash
+    "{\n" + ' ' * (indentation + 2) + object.map {|k,v| + "#{k} = " + print_recursive(v, indentation + 2)}.join(";\n" + ' ' * (indentation + 2)) + ";\n" + (' ' * indentation) + '}'
+  when TrueClass, FalseClass
+    object.to_s
+  else
+    '"' + object.to_s + '"'
+  end
+end
+-%>
+
+<% scope.lookupvar('prosody::custom_options').sort.each do |option, value| -%>
+<%= option %> = <%= print_recursive(value) %>
+<% end -%>
+
+-- Required for init scripts and prosodyctl
+pidfile = "<%= scope.lookupvar('prosody::pidfile') %>"
+
+-- Select the authentication backend to use. The 'internal' providers
+-- use Prosody's configured data storage to store the authentication data.
+-- To allow Prosody to offer secure authentication mechanisms to clients, the
+-- default provider stores passwords in plaintext. If you do not trust your
+-- server please see https://prosody.im/doc/modules/mod_auth_internal_hashed
+-- for information about using the hashed backend.
+
+authentication = "<%= scope.lookupvar('prosody::authentication') %>"
+
+-- Select the storage backend to use. By default Prosody uses flat files
+-- in its configured data directory, but it also supports more backends
+-- through modules. An "sql" backend is included by default, but requires
+-- additional dependencies. See https://prosody.im/doc/storage for more info.
+
+<%- storage = scope.lookupvar('prosody::storage')
+    if storage != :undef
+      if storage.is_a?(String) -%>
+storage = "<%= storage %>"
+  <%- elsif storage.is_a?(Hash) -%>
+storage = {
+        <%- storage.sort.each do |type,location| -%>
+   <%= type %> = "<%= location %>";
+        <%- end -%>
+}
+      <%- end -%>
+<%- end -%>
+
+<%- sql = scope.lookupvar('prosody::sql')
+unless sql.nil? -%>
+sql = { driver = "<%= sql['driver'] %>", database = "<%= sql ['database'] %>", username = "<%= sql['username'] %>", password = "<%= sql['password'] %>", host = "<%= sql['host'] %>" }
+<%- end -%>
+
+-- Logging configuration
+-- For advanced logging see https://prosody.im/doc/logging
+log = {
+        <%= scope.lookupvar('prosody::log_level') -%> = "<%= scope.lookupvar('prosody::info_log') -%>"; -- Change 'info' to 'debug' for verbose logging
+        error = "<%= scope.lookupvar('prosody::error_log') -%>";
+<% scope.lookupvar('prosody::log_sinks').each do |sink|  -%>
+        "*<%= sink %>";
+<% end -%>
+<% scope.lookupvar('prosody::log_advanced').each do |level, destination|  -%>
+    { levels = { <%= level %> }; to = <%= destination %>; };
+<% end -%>
+}
+
+------ Components ------
+-- You can specify components to add hosts that provide special services,
+-- like multi-user conferences, and transports.
+-- For more information on components, see https://prosody.im/doc/components
+
+<% scope.lookupvar('prosody::components').sort.each do |name, component| %>
+Component "<%= name %>" <% if component.include?('type') then %>"<%= component['type'] %>"<% end %>
+  <%- if component.include?('secret') -%>
+  component_secret = "<%= component['secret'] %>"
+  <%- end -%>
+  <%- if component.include?('options') -%>
+    <%- component['options'].sort.each do |k, v| -%>
+      <%- if ( v.is_a? Array ) -%>
+  <%= k %> = { "<%= v.join('", "') %>" };
+      <%- else -%>
+  <%= k %> = <%= v %>;
+      <%- end -%>
+    <%- end -%>
+  <%- end -%>
+<% end -%>
+
+------ Additional config files ------
+-- For organizational purposes you may prefer to add VirtualHost and
+-- Component definitions in their own config files. This line includes
+-- all config files in /etc/prosody/conf.d/
+
+Include "conf.d/*.cfg.lua"
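Review bot: Every string value in this template is placed between double quotes with no escaping (`"<%= admin %>"`, `ciphers = "..."`, the `sql` line, `'"' + object.to_s + '"'` in `print_recursive`), and `custom_options` keys, `log_advanced` destinations and component option values are emitted as raw Lua. A value containing `"`, `\` or a line break therefore changes the structure of the generated configuration instead of being stored as data, which matters as soon as any Hiera value is not fully operator-controlled. A small quoting helper used at every interpolation site would close this; the sketch shows the helper and its use inside `print_recursive`. The same helper is needed in templates/virtualhost.cfg.erb, which duplicates `print_recursive`. The raw sites (`to = <%= destination %>`, `<%= k %> = <%= v %>;`) should at least be documented as accepting Lua source.

```erb
<%-
# Render a value as a Lua string literal; backslash, double quote and
# line breaks are escaped so the value cannot end the literal early.
def lua_string(value)
  '"' + value.to_s.gsub(/[\\"\n\r]/, '\\' => '\\\\', '"' => '\\"', "\n" => '\n', "\r" => '\r') + '"'
end

def print_recursive(object, indentation = 0)
  case object
  when Array
    '{ ' + object.map { |item| lua_string(item) }.join('; ') + ' }'
  # … unchanged: Hash and TrueClass/FalseClass branches …
  else
    lua_string(object)
  end
end
-%>
```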
diff --git a/3rdparty/modules/prosody/templates/virtualhost.cfg.erb b/3rdparty/modules/prosody/templates/virtualhost.cfg.erb
new file mode 100644 (file)
index 0000000..ffb369d
--- /dev/null
@@ -0,0 +1,56 @@
+VirtualHost "<%= @name %>"
+<% if @ensure == 'present' -%>
+  enabled = true
+<% else -%>
+  enabled = false
+<% end -%>
+
+<% if (@ssl_key != 'UNSET') && (@ssl_cert != 'UNSET') -%>
+  -- Assign this host a certificate for TLS, otherwise it would use the one
+  -- set in the global section (if any).
+  -- Note that old-style SSL on port 5223 only supports one certificate, and will always
+  -- use the global one.
+  ssl = {
+    key = "<%= @prosody_ssl_key %>";
+    certificate = "<%= @prosody_ssl_cert %>";
+  }
+<% end -%>
+
+<%- if @custom_options != {} -%>
+<%-
+def print_recursive(object, indentation = 0)
+  case object
+  when Array
+    '{ "' + object.join('"; "') + '" }'
+  when Hash
+    "{\n" + ' ' * (indentation + 2) + object.map {|k,v| + "#{k} = " + print_recursive(v, indentation + 2)}.join(";\n" + ' ' * (indentation + 2)) + ";\n" + (' ' * indentation) + '}'
+  when TrueClass, FalseClass
+    object.to_s
+  else
+    '"' + object.to_s + '"'
+  end
+end
+-%>
+------ Custom config options ------
+<%- @custom_options.sort.each do |option, value| -%>
+<%= option %> = <%= print_recursive(value) %>
+<%- end; end -%>
+
+<%- if @components != {} -%>
+------ Components ------
+-- You can specify components to add hosts that provide special services,
+-- like multi-user conferences, and transports.
+-- For more information on components, see http://prosody.im/doc/components
+
+<% @components.sort.each do |name, component| %>
+Component "<%= name %>" <% if component.include?('type') then %>"<%= component['type'] %>"<% end %>
+  <%- if component.include?('secret') -%>
+  component_secret = "<%= component['secret'] %>"
+  <%- end -%>
+  <%- if component.include?('options') -%>
+    <%- component['options'].sort.each do |k, v| -%>
+  <%= k %> = <%= v %>;
+    <%- end -%>
+  <%- end -%>
+<% end -%>
+<% end -%>
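Review bot: The guard `(@ssl_key != 'UNSET') && (@ssl_cert != 'UNSET')` is always true, because `prosody::virtualhost` defaults both parameters to `undef`, never the string `'UNSET'`. A vhost declared without certificates would therefore still get an `ssl = { ... }` block with empty `key` and `certificate` values. Test the variables the block actually prints: `<% if @prosody_ssl_key && @prosody_ssl_cert -%>`. templates/prosody.cfg.erb has a similar pattern in `if ssl_key != :undef` and `if ssl_cert != :undef`, which presumably also needs a nil check on the Puppet versions this module declares, as that template already does with `.nil?` for `ssl_protocol`.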
diff --git a/3rdparty/modules/prosody/tests/init.pp b/3rdparty/modules/prosody/tests/init.pp
new file mode 100644 (file)
index 0000000..94d9b59
--- /dev/null
@@ -0,0 +1,8 @@
+node default {
+  include ::prosody
+
+  prosody::virtualhost {
+    'puppetlabs.com' :
+      ensure => present;
+  }
+}
diff --git a/3rdparty/modules/prosody/tests/modules/prosody/manifests b/3rdparty/modules/prosody/tests/modules/prosody/manifests
new file mode 120000 (symlink)
index 0000000..21186f0
--- /dev/null
@@ -0,0 +1 @@
+../../../manifests
\ No newline at end of file
diff --git a/3rdparty/modules/prosody/tests/modules/prosody/templates b/3rdparty/modules/prosody/tests/modules/prosody/templates
new file mode 120000 (symlink)
index 0000000..0e4c94f
--- /dev/null
@@ -0,0 +1 @@
+../../../templates
\ No newline at end of file
diff --git a/3rdparty/modules/prosody/types/authentication.pp b/3rdparty/modules/prosody/types/authentication.pp
new file mode 100644 (file)
index 0000000..ccf5941
--- /dev/null
@@ -0,0 +1 @@
+type Prosody::Authentication = Enum['internal_plain', 'internal_hashed', 'cyrus', 'anonymous', 'ha1']
diff --git a/3rdparty/modules/prosody/types/host.pp b/3rdparty/modules/prosody/types/host.pp
new file mode 100644 (file)
index 0000000..a08e8c7
--- /dev/null
@@ -0,0 +1,2 @@
+# Note: Stdlib::Host does not match "localhost"
+type Prosody::Host = Variant[Pattern[/^localhost$/], Stdlib::Host]
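Review bot: `Pattern[/^localhost$/]` uses line anchors, and in the Ruby regexes Puppet evaluates, `^` and `$` match at every line boundary, so a multi-line string that contains a line `localhost` also satisfies `Prosody::Host`. Use `Enum['localhost']` or `Pattern[/\Alocalhost\z/]` so that only the exact name passes. Where this type is applied (presumably to host names written into the Prosody configuration) is outside this hunk.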
diff --git a/3rdparty/modules/prosody/types/loglevel.pp b/3rdparty/modules/prosody/types/loglevel.pp
new file mode 100644 (file)
index 0000000..d6866c9
--- /dev/null
@@ -0,0 +1 @@
+type Prosody::Loglevel = Enum['debug', 'info', 'warn', 'error']
diff --git a/3rdparty/modules/prosody/types/moduletype.pp b/3rdparty/modules/prosody/types/moduletype.pp
new file mode 100644 (file)
index 0000000..9d4e216
--- /dev/null
@@ -0,0 +1 @@
+type Prosody::Moduletype = Enum['hg', 'git']
diff --git a/3rdparty/modules/prosody/types/packageensure.pp b/3rdparty/modules/prosody/types/packageensure.pp
new file mode 100644 (file)
index 0000000..7c9e86b
--- /dev/null
@@ -0,0 +1 @@
+type Prosody::Packageensure = Variant[Enum[present, latest], String]
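Review bot: `Variant[Enum[present, latest], String]` validates nothing beyond "is a string", because the `String` branch already accepts every value the `Enum` lists, as well as the empty string. If arbitrary version strings must stay allowed, `Variant[Enum['present', 'latest'], String[1]]` at least rejects an empty value and quotes the bare words. A comment such as `# any non-empty string is passed through as a package version` would make the intent explicit.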
diff --git a/3rdparty/modules/prosody/types/storage.pp b/3rdparty/modules/prosody/types/storage.pp
new file mode 100644 (file)
index 0000000..7e8d15b
--- /dev/null
@@ -0,0 +1 @@
+type Prosody::Storage = Variant[Hash, Enum['internal', 'sql', 'memory', 'null', 'none']]
diff --git a/modules/profile/manifests/prosody.pp b/modules/profile/manifests/prosody.pp
new file mode 100644 (file)
index 0000000..65ec2de
--- /dev/null
@@ -0,0 +1,78 @@
+# Please contact the RTC team about this service at debian-rtc-team@alioth-lists.debian.net
+#
+
+class profile::prosody {
+
+  class { 'prosody':
+    user              => 'prosody',
+    group             => 'prosody',
+    use_libevent      => false,
+    daemonize         => true,
+    s2s_secure_auth   => false,
+    package_name      => 'prosody-modules',
+    ssl_custom_config => false,
+    log_sinks         => [],
+    log_advanced      => {
+      'error' => 'syslog',
+    },
+    authentication    => 'ha1',
+    custom_options    => {
+      'auth_ha1_file'     => '/var/local/rtc-passwords.prosody',
+      'auth_ha1_use_ha1b' => true,
+      'auth_ha1_realm'    => 'rtc.debian.org',
+    },
+    # we override whatever the module decides as a base
+    modules_base      => [
+      'roster', 'saslauth', 'tls', 'dialback', 'disco', 'posix', 'private',
+      'vcard', 'version', 'uptime', 'time', 'ping', 'pep', 'register',
+    ],
+    # and add the modules we want on top
+    modules           => [
+      'admin_adhoc', 'blocking',  'carbons', 'carbons_adhoc',
+      'cloud_notify', 'csi', 'filter_chatstates', 'http',
+      'http_upload', 'mam', 'smacks',  'smaks', 'throttle_presence',
+    ],
+  }
+
+  -> prosody::virtualhost {
+    'debian.org':
+      ensure     => present,
+      ssl_key    => '/etc/ssl/private/debian.org.key',
+      ssl_cert   => '/etc/ssl/debian/certs/debian.org.crt-chained',
+      ssl_copy   => false,
+      components => {
+        'conference.debian.org' => {
+          'type' => 'muc',
+        }
+      }
+  }
+
+  -> posix_acl { '/etc/prosody/prosody.cfg.lua':
+    action     => exact,
+    recursive  => false,
+    provider   => posixacl,
+    permission => [
+      'user::rw',
+      'group::r',
+      'group:debvoip:rw',
+      'group:prosody:r',
+      'mask::r',
+      'other::',
+    ],
+  }
+
+  -> posix_acl { '/etc/prosody/conf.avail/debian.org.cfg.lua':
+    action     => exact,
+    recursive  => false,
+    provider   => posixacl,
+    permission => [
+      'user::rw',
+      'group::r',
+      'group:debvoip:rw',
+      'group:prosody:r',
+      'mask::r',
+      'other::',
+    ],
+  }
+
+}
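Review bot: In both `posix_acl` resources the entry `'group:debvoip:rw'` is capped by `'mask::r'`, because the POSIX ACL mask limits every named-group entry, so debvoip ends up with read-only access to `/etc/prosody/prosody.cfg.lua` and `/etc/prosody/conf.avail/debian.org.cfg.lua`. If write access is intended the mask has to be `'mask::rw'`; if it is not, `'group:debvoip:r'` states the real permission. Either way Puppet presumably regenerates these files from its templates, so manual edits would not persist. Separately, `s2s_secure_auth => false` lets server-to-server links proceed without a validated certificate and deserves a comment giving the reason. In `modules`, `'smaks'` next to `'smacks'` looks like a typo.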
index 26a6e52..e0ab563 100644 (file)
+# = Class: roles::rtc
+#
+# Setup for machines used by the RTC Team
+#
+# == Sample Usage:
+#
+#   include roles::rtc
+#
 class roles::rtc {
 
-       ssl::service { 'debian.org':
-               tlsaport => [],
-               notify  => Service['repro'],
-               key => true,
-       }
+  include profile::prosody
 
-       ssl::service { 'sip-ws.debian.org':
-               notify  => Service['repro'],
-               key => true,
-       }
+  ssl::service { 'debian.org':
+    tlsaport => [],
+    notify   => Service['repro', 'prosody'],
+    key      => true,
+  }
 
-       dnsextras::tlsa_record{ 'tlsa-xmpp':
-               zone     => 'debian.org',
-               certfile => "/etc/puppet/modules/ssl/files/servicecerts/www.debian.org.crt",
-               port     => [5061, 5222, 5269],
-               hostname => $::fqdn,
-       }
+  ssl::service { 'sip-ws.debian.org':
+    notify => Service['repro'],
+    key    => true,
+  }
 
-       ferm::rule { 'dsa-xmpp-client-ip4':
-               domain      => 'ip',
-               description => 'XMPP connections (client to server)',
-               rule        => 'proto tcp dport (5222) ACCEPT'
-       }
-       ferm::rule { 'dsa-xmpp-client-ip6':
-               domain      => 'ip6',
-               description => 'XMPP connections (client to server)',
-               rule        => 'proto tcp dport (5222) ACCEPT'
-       }
-       ferm::rule { 'dsa-xmpp-server-ip4':
-               domain      => 'ip',
-               description => 'XMPP connections (server to server)',
-               rule        => 'proto tcp dport (5269) ACCEPT'
-       }
-       ferm::rule { 'dsa-xmpp-server-ip6':
-               domain      => 'ip6',
-               description => 'XMPP connections (server to server)',
-               rule        => 'proto tcp dport (5269) ACCEPT'
-       }
+  dnsextras::tlsa_record{ 'tlsa-xmpp':
+    zone     => 'debian.org',
+    certfile => '/etc/puppet/modules/ssl/files/servicecerts/www.debian.org.crt',
+    port     => [5061, 5222, 5269],
+    hostname => $::fqdn,
+  }
 
-       ferm::rule { 'dsa-sip-ws-ip4':
-               domain      => 'ip',
-               description => 'SIP connections (WebSocket; for WebRTC)',
-               rule        => 'proto tcp dport (443) ACCEPT'
-       }
-       ferm::rule { 'dsa-sip-ws-ip6':
-               domain      => 'ip6',
-               description => 'SIP connections (WebSocket; for WebRTC)',
-               rule        => 'proto tcp dport (443) ACCEPT'
-       }
-       ferm::rule { 'dsa-sip-tls-ip4':
-               domain      => 'ip',
-               description => 'SIP connections (TLS)',
-               rule        => 'proto tcp dport (5061) ACCEPT'
-       }
-       ferm::rule { 'dsa-sip-tls-ip6':
-               domain      => 'ip6',
-               description => 'SIP connections (TLS)',
-               rule        => 'proto tcp dport (5061) ACCEPT'
-       }
-       ferm::rule { 'dsa-turn-ip4':
-               domain      => 'ip',
-               description => 'TURN connections',
-               rule        => 'proto udp dport (3478) ACCEPT'
-       }
-       ferm::rule { 'dsa-turn-ip6':
-               domain      => 'ip6',
-               description => 'TURN connections',
-               rule        => 'proto udp dport (3478) ACCEPT'
-       }
-       ferm::rule { 'dsa-turn-tls-ip4':
-               domain      => 'ip',
-               description => 'TURN connections (TLS)',
-               rule        => 'proto tcp dport (5349) ACCEPT'
-       }
-       ferm::rule { 'dsa-turn-tls-ip6':
-               domain      => 'ip6',
-               description => 'TURN connections (TLS)',
-               rule        => 'proto tcp dport (5349) ACCEPT'
-       }
-       ferm::rule { 'dsa-rtp-ip4':
-               domain      => 'ip',
-               description => 'RTP streams',
-               rule        => 'proto udp dport (49152:65535) ACCEPT'
-       }
-       ferm::rule { 'dsa-rtp-ip6':
-               domain      => 'ip6',
-               description => 'RTP streams',
-               rule        => 'proto udp dport (49152:65535) ACCEPT'
-       }
+  ferm::rule { 'dsa-xmpp-client-ip4':
+    domain      => 'ip',
+    description => 'XMPP connections (client to server)',
+    rule        => 'proto tcp dport (5222) ACCEPT'
+  }
+  ferm::rule { 'dsa-xmpp-client-ip6':
+    domain      => 'ip6',
+    description => 'XMPP connections (client to server)',
+    rule        => 'proto tcp dport (5222) ACCEPT'
+  }
+  ferm::rule { 'dsa-xmpp-server-ip4':
+    domain      => 'ip',
+    description => 'XMPP connections (server to server)',
+    rule        => 'proto tcp dport (5269) ACCEPT'
+  }
+  ferm::rule { 'dsa-xmpp-server-ip6':
+    domain      => 'ip6',
+    description => 'XMPP connections (server to server)',
+    rule        => 'proto tcp dport (5269) ACCEPT'
+  }
 
-       file { '/etc/monit/monit.d/50rtc':
-               ensure  => absent,
-       }
+  ferm::rule { 'dsa-sip-ws-ip4':
+    domain      => 'ip',
+    description => 'SIP connections (WebSocket; for WebRTC)',
+    rule        => 'proto tcp dport (443) ACCEPT'
+  }
+  ferm::rule { 'dsa-sip-ws-ip6':
+    domain      => 'ip6',
+    description => 'SIP connections (WebSocket; for WebRTC)',
+    rule        => 'proto tcp dport (443) ACCEPT'
+  }
+  ferm::rule { 'dsa-sip-tls-ip4':
+    domain      => 'ip',
+    description => 'SIP connections (TLS)',
+    rule        => 'proto tcp dport (5061) ACCEPT'
+  }
+  ferm::rule { 'dsa-sip-tls-ip6':
+    domain      => 'ip6',
+    description => 'SIP connections (TLS)',
+    rule        => 'proto tcp dport (5061) ACCEPT'
+  }
+  ferm::rule { 'dsa-turn-ip4':
+    domain      => 'ip',
+    description => 'TURN connections',
+    rule        => 'proto udp dport (3478) ACCEPT'
+  }
+  ferm::rule { 'dsa-turn-ip6':
+    domain      => 'ip6',
+    description => 'TURN connections',
+    rule        => 'proto udp dport (3478) ACCEPT'
+  }
+  ferm::rule { 'dsa-turn-tls-ip4':
+    domain      => 'ip',
+    description => 'TURN connections (TLS)',
+    rule        => 'proto tcp dport (5349) ACCEPT'
+  }
+  ferm::rule { 'dsa-turn-tls-ip6':
+    domain      => 'ip6',
+    description => 'TURN connections (TLS)',
+    rule        => 'proto tcp dport (5349) ACCEPT'
+  }
+  ferm::rule { 'dsa-rtp-ip4':
+    domain      => 'ip',
+    description => 'RTP streams',
+    rule        => 'proto udp dport (49152:65535) ACCEPT'
+  }
+  ferm::rule { 'dsa-rtp-ip6':
+    domain      => 'ip6',
+    description => 'RTP streams',
+    rule        => 'proto udp dport (49152:65535) ACCEPT'
+  }
 
-       service { 'repro':
-               ensure  => running,
-       }
-       dsa_systemd::override { 'repro':
-               content  => @("EOF"),
+  file { '/etc/monit/monit.d/50rtc':
+    ensure  => absent,
+  }
+
+  service { 'repro':
+    ensure  => running,
+  }
+  dsa_systemd::override { 'repro':
+    content  => @("EOF"),
                        [Unit]
                        After=network-online.target
                        | EOF
-       }
+  }
 
-       package { 'freeradius':
-               ensure  => installed,
-       }
-       service { 'freeradius':
-               ensure  => running,
-       }
-       $radius_password = hkdf('/etc/puppet/secret', "rtc-${::hostname}-radius-password")
-       file { '/etc/freeradius/3.0/sites-available/rtc.debian.org':
-               content => template('roles/rtc/freeradius-rtc.erb'),
-               mode    => '0440',
-               group   => freerad,
-       }
-       file { '/etc/freeradius/3.0/sites-enabled/rtc.debian.org':
-               ensure  => link,
-               target  => '../sites-available/rtc.debian.org',
-       }
-       file { '/etc/freeradius/3.0/mods-available/passwd_rtc':
-               source  => 'puppet:///modules/roles/rtc/freeradius-mod-passwd-rtc',
-               mode    => '0440',
-               group   => freerad,
-       }
-       file { '/etc/freeradius/3.0/mods-enabled/passwd_rtc':
-               ensure  => link,
-               target  => '../mods-available/passwd_rtc',
-       }
-       file { '/etc/repro/radius-servers':
-               content => inline_template('localhost/localhost <%= @radius_password %>'),
-               mode    => '0440',
-               group   => repro,
-               notify  => Service['repro'],
-       }
-       file { '/etc/freeradius/3.0/sites-enabled/default':
-               ensure  => absent,
-       }
-       file { '/etc/freeradius/3.0/sites-enabled/inner-tunnel':
-               ensure  => absent,
-       }
+  package { 'freeradius':
+    ensure => installed,
+  }
+  service { 'freeradius':
+    ensure => running,
+  }
+  $radius_password = hkdf('/etc/puppet/secret', "rtc-${::hostname}-radius-password")
+  file { '/etc/freeradius/3.0/sites-available/rtc.debian.org':
+    content => template('roles/rtc/freeradius-rtc.erb'),
+    mode    => '0440',
+    group   => freerad,
+  }
+  file { '/etc/freeradius/3.0/sites-enabled/rtc.debian.org':
+    ensure => link,
+    target => '../sites-available/rtc.debian.org',
+  }
+  file { '/etc/freeradius/3.0/mods-available/passwd_rtc':
+    source => 'puppet:///modules/roles/rtc/freeradius-mod-passwd-rtc',
+    mode   => '0440',
+    group  => freerad,
+  }
+  file { '/etc/freeradius/3.0/mods-enabled/passwd_rtc':
+    ensure => link,
+    target => '../mods-available/passwd_rtc',
+  }
+  file { '/etc/repro/radius-servers':
+    content => inline_template('localhost/localhost <%= @radius_password %>'),
+    mode    => '0440',
+    group   => repro,
+    notify  => Service['repro'],
+  }
+  file { '/etc/freeradius/3.0/sites-enabled/default':
+    ensure => absent,
+  }
+  file { '/etc/freeradius/3.0/sites-enabled/inner-tunnel':
+    ensure => absent,
+  }
 }
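Review bot: `/etc/repro/radius-servers` is rendered from `$radius_password`, but its `file` resource does not set `show_diff => false`, so when the derived secret changes its content can appear in agent logs and reports wherever the global `show_diff` setting is enabled. Adding `show_diff => false,` to that resource keeps the password out of diffs. The same applies to the file built from `template('roles/rtc/freeradius-rtc.erb')` if that template embeds the password, which is not visible here. These resources are only re-indented by this change, and the `diff`/`@@` header for this file is not shown on the page.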