On Thu, 17 May 2018 at 16:07, Jochen Haeberle <
jochen.haebe...@gmail.com> wrote:
> I managed to install seafile by now with a lot of puppet support in three
> phases:

> 1) Puppet: install files, prepare db, generate answer file, print reminder
> 2) Manual script run, entering db-password
> 3) Puppet: Setup Nginx, Let’s encrypt and move folders to network device

> I do not really like this, but I do not see any other solution at the
> moment. I might easily run into concurrency issues

What I did in a similar situation was to detect the different setup phases
with custom facts. I was using this mechanism to generate certificate
requests with puppet, then manually sign them with our internal CA, copy
the signed certificate back to the server and on the next run let puppet
continue the setup when it detects the certificate is present. In case
you're interested, here's my custom fact for that setup:

cat modules/profiles/facts.d/servercert
#!/bin/bash
# External fact: reports whether a CA-signed server certificate and its
# matching private key are in place, as key=value lines for facter.

set -e
set -u
set -o pipefail

CERTDIR=/etc/ssl/servercerts
CERTFILE="$CERTDIR/$(hostname -f).crt"
KEYFILE="/etc/ssl/private/$(hostname -f).pem"
CAFILE="/etc/ssl/certs/ca-certificates.crt"

if [ -a "$KEYFILE" ] ; then
   if [ -a "$CERTFILE" ] ; then
     # Compare the RSA modulus of cert and key to make sure they belong together
     CERTMOD="$(openssl x509 -noout -modulus -in "$CERTFILE" | grep ^Modulus= | cut -d= -f2)"
     KEYMOD="$(openssl rsa -check -noout -modulus -in "$KEYFILE" | grep ^Modulus= | cut -d= -f2)"
     if [ "x$CERTMOD" == "x$KEYMOD" ] ; then
       # Only report "present" if the certificate chains to a trusted CA
       if openssl verify -CAfile "$CAFILE" "$CERTFILE" > /dev/null ; then
         echo "servercert=present"
         echo "servercertfile=$CERTFILE"
         echo "servercertkeyfile=$KEYFILE"
         echo "servercertinfo=$(openssl x509 -noout -enddate -in "$CERTFILE")"
       else # Cert/CA mismatch
         echo "servercert=absent"
         echo "servercertinfo=Certificate from unknown CA"
       fi
     else
       echo "servercert=absent"
       echo "servercertinfo=Key/Certificate mismatch"
     fi
   else # CERTFILE missing
     echo "servercert=absent"
     echo "servercertinfo=Certificate missing"
   fi
else # KEYFILE missing
   echo "servercert=absent"
   echo "servercertinfo=Key missing"
fi

This gives me several variables I can check for in the puppet manifest and
depending on where in the installation process we are, for example enable
the apache ssl vhost. (It also makes sure that the certificate is actually
signed by our CA, but that's not really relevant for your problem).

Hope that helps a bit
Karsten
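An added example of the consuming side, not from Karsten's message: a profile class that branches on the facts the script above publishes, generating a key and CSR on the first run and enabling the TLS vhost once the signed certificate has been verified. It assumes the puppetlabs-apache module is available; the class name profiles::servercert, the docroot and the CSR path are hypothetical.

```puppet
# Hypothetical profile: drives the two setup phases from the servercert facts.
class profiles::servercert (
  String $certdir = '/etc/ssl/servercerts',
  String $docroot = '/var/www/html',
) {
  $fqdn    = $facts['networking']['fqdn']
  $keyfile = "/etc/ssl/private/${fqdn}.pem"
  $csrfile = "${certdir}/${fqdn}.csr"

  case $facts['servercert'] {
    'present': {
      # Phase 2: the fact has verified key/cert match and CA chain, enable TLS.
      class { 'apache':
        default_vhost => false,
      }
      apache::vhost { "${fqdn}-ssl":
        port     => 443,
        docroot  => $docroot,
        ssl      => true,
        ssl_cert => $facts['servercertfile'],
        ssl_key  => $facts['servercertkeyfile'],
      }
    }
    default: {
      # Phase 1 (fact absent or "absent"): create key + CSR once, then remind
      # the operator to sign it with the internal CA and drop the cert in place.
      exec { 'generate-csr':
        command => "openssl req -new -newkey rsa:4096 -nodes -keyout ${keyfile} -out ${csrfile} -subj /CN=${fqdn}",
        path    => ['/usr/bin', '/bin'],
        creates => $csrfile,
      }
      file { $keyfile:
        ensure  => file,
        owner   => 'root',
        group   => 'root',
        mode    => '0600',
        require => Exec['generate-csr'],
      }
      notify { 'servercert-reminder':
        message => "Server certificate not usable (${facts['servercertinfo']}): sign ${csrfile} and install it as ${certdir}/${fqdn}.crt",
      }
    }
  }
}
```

On the run after the signed certificate is copied in, the fact flips to present and only the vhost branch applies, so no manual step is needed inside Puppet itself.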

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CAL017hCqfA%3DG-zH8QhUbxOY0OepccJRMwVftvSJ%2BUw6_t1xt8Q%40mail.gmail.com.