diff --git a/.readme/footer.md b/.readme/footer.md
index b799ea2..72e547a 100644
--- a/.readme/footer.md
+++ b/.readme/footer.md
@@ -2,13 +2,13 @@
### Option 1:
1. Clone the repo and use the modules
```bash
-git clone https://github.com/JasonN3/puppet_modules.git
+git clone https://github.com/JasonN3/openvox_modules.git
```
### Option 2:
-1. Edit your Puppetfile so r10k will clone the repo:
+1. Edit your Puppetfile so g10k will clone the repo:
```
mod 'github',
- :git => 'https://github.com/JasonN3/puppet_modules.git',
+ :git => 'https://github.com/JasonN3/openvox_modules.git',
:ref => 'main',
:install_path => 'git'
```
diff --git a/.readme/header.md b/.readme/header.md
index 4c1471b..2af4850 100644
--- a/.readme/header.md
+++ b/.readme/header.md
@@ -1,5 +1,5 @@
-# Puppet Modules
+# OpenVox Modules
## Description
-This is a collection of Puppet modules that I commonly use that make management of various Linux systems easier.
+This is a collection of OpenVox modules that I commonly use that make management of various Linux systems easier.
diff --git a/README.md b/README.md
index ce0dd42..b0ed290 100644
--- a/README.md
+++ b/README.md
@@ -1,7 +1,7 @@
-# Puppet Modules
+# OpenVox Modules
## Description
-This is a collection of Puppet modules that I commonly use that make management of various Linux systems easier.
+This is a collection of OpenVox modules that I commonly use that make management of various Linux systems easier.
---
## Modules list
@@ -16,13 +16,13 @@ Configires the node to use client/host certificates from Hashicorp Vault
### Option 1:
1. Clone the repo and use the modules
```bash
-git clone https://github.com/JasonN3/puppet_modules.git
+git clone https://github.com/JasonN3/openvox_modules.git
```
### Option 2:
-1. Edit your Puppetfile so r10k will clone the repo:
+1. Edit your Puppetfile so g10k will clone the repo:
```
mod 'github',
- :git => 'https://github.com/JasonN3/puppet_modules.git',
+ :git => 'https://github.com/JasonN3/openvox_modules.git',
:ref => 'main',
:install_path => 'git'
```
diff --git a/domain_join/README.md b/domain_join/README.md
index 91a8f03..e9ae86e 100644
--- a/domain_join/README.md
+++ b/domain_join/README.md
@@ -39,19 +39,27 @@ The following parameters are available in the `domain_join` class:
* [`ad_trust`](#ad_trust)
* [`update_os_info`](#update_os_info)
* [`enable_smartcard_ssh`](#enable_smartcard_ssh)
+* [`oidc`](#oidc)
+* [`client_id`](#client_id)
+* [`client_secret`](#client_secret)
+* [`tenant_id`](#tenant_id)
##### `username`
-Data type: `String`
+Data type: `Optional[String]`
The username used to domain join
+Default value: ``undef``
+
##### `sensitive_password`
-Data type: `Sensitive[String]`
+Data type: `Optional[Sensitive[String]]`
The password used to domain join
+Default value: ``undef``
+
##### `global_admins`
Data type: `String`
@@ -190,3 +198,35 @@ Enable smartcard authentication for SSH (Only seems to work on RHEL 8+)
Default value: ``false``
+##### `oidc`
+
+Data type: `Boolean`
+
+Use OIDC for authentication
+
+Default value: ``false``
+
+##### `client_id`
+
+Data type: `Optional[String]`
+
+Client ID for OIDC authentication
+
+Default value: ``undef``
+
+##### `client_secret`
+
+Data type: `Optional[Sensitive[String]]`
+
+Optional secret for client
+
+Default value: ``undef``
+
+##### `tenant_id`
+
+Data type: `Optional[String]`
+
+Tenant ID for Entra ID authentication
+
+Default value: ``undef``
+
diff --git a/domain_join/manifests/init.pp b/domain_join/manifests/init.pp
index c826fe4..3dcec10 100644
--- a/domain_join/manifests/init.pp
+++ b/domain_join/manifests/init.pp
@@ -43,9 +43,17 @@
# Configures a service to update the OS information on the AD object on startup
# @param enable_smartcard_ssh
# Enable smartcard authentication for SSH (Only seems to work on RHEL 8+)
+# @param oidc
+# Use OIDC for authentication
+# @param client_id
+# Client ID for OIDC authentication
+# @param client_secret
+# Optional secret for client
+# @param tenant_id
+# Tenant ID for Entra ID authentication
class domain_join (
- String $username,
- Sensitive[String] $sensitive_password,
+ Optional[String] $username = undef,
+ Optional[Sensitive[String]] $sensitive_password = undef,
String $global_admins,
String $global_ssh,
String $local_admins,
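Review bot: The new `@param` entries for `oidc`, `client_id`, `client_secret` and `tenant_id` do not say which mode each parameter belongs to, so a reader of the generated README cannot tell that `client_id`/`tenant_id` are mandatory once `oidc` is true, or that `username`/`sensitive_password` are still required when it is false even though they are now `Optional`. I would extend them along the lines of `# @param client_id` / `#   Client ID for OIDC authentication. Required when oidc is true; ignored otherwise.` and add `Required when oidc is false; ignored otherwise.` to the `username` and `sensitive_password` entries, which sit above this hunk. The parameter list continues past the hunk.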
@@ -63,8 +71,27 @@
Enum['disabled', 'enabled', 'required', 'lock-on-removal'] $smartcard = 'disabled',
Optional[Array[String]] $ad_trust = undef,
Boolean $update_os_info = false,
- Boolean $enable_smartcard_ssh = false
+ Boolean $enable_smartcard_ssh = false,
+ Boolean $oidc = false,
+ Optional[String] $client_id = undef,
+ Optional[Sensitive[String]] $client_secret = undef,
+ Optional[String] $tenant_id = undef
) {
+ if $oidc {
+ if !$client_id {
+ fail('domain_join: client_id must be provided when oidc is enabled')
+ }
+ if !$tenant_id {
+ fail('domain_join: tenant_id must be provided when oidc is enabled')
+ }
+ } else {
+ if !$username {
+ fail('domain_join: username must be provided when oidc is disabled')
+ }
+ if !$sensitive_password {
+ fail('domain_join: sensitive_password must be provided when oidc is disabled')
+ }
+ }
if $override_domain {
$currdomain = $override_domain
# This is only used if $override_domain is defined
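Review bot: The guards `if !$client_id`, `if !$tenant_id` and the `username` check in the else branch only reject `undef`; as far as I recall an empty string is truthy in Puppet 4+, so `client_id => ''` passes validation and is rendered as a bare `idp_client_id = ` in sssd.conf. Typing the four parameters as `Optional[String[1]]` (and `sensitive_password`/`client_secret` as `Optional[Sensitive[String[1]]]`) rejects the empty string at the type level and leaves these guards as they are. The class body continues outside the hunk.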
@@ -83,7 +110,7 @@
} elsif $::file_header {
$file_header_local = $::file_header
} else {
- $file_header_local = 'This file is being maintained by Puppet. Do not edit.'
+ $file_header_local = 'This file is being maintained by OpenVox. Do not edit.'
}
# lint:endignore
@@ -139,8 +166,15 @@
package { 'samba-common':
ensure => installed,
}
- package { 'sssd':
- ensure => installed,
+ if $oidc {
+ package { 'sssd':
+ ensure => installed,
+ name => 'sssd-idp',
+ }
+ } else {
+ package { 'sssd':
+ ensure => installed,
+ }
}
if $ad_trust != undef {
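Review bot: Under `$oidc` the resource is still titled `sssd` but installs `sssd-idp`, so the base `sssd` package is no longer declared at all in that mode; whether `Service['sssd']` and `/etc/sssd/sssd.conf` still make sense then depends on `sssd-idp` pulling `sssd` in as a dependency, which this hunk cannot show. Leaving `Package['sssd']` unconditional and adding the provider package on top (`if $oidc { package { 'sssd-idp': ensure => installed, require => Package['sssd'] } }`) makes the dependency explicit and keeps every existing `require => Package['sssd']` meaning what it says.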
@@ -167,41 +201,46 @@
}
}
- if($override_domain) {
- # lint:ignore:140chars
- $command = Sensitive("bash -c 'source /etc/os-release; echo -n \"${$sensitive_password.unwrap}\" | adcli join -H ${forced_fqdn} -D ${currdomain} -U \"${username}\" --stdin-password --os-name=\"\${NAME}\" --os-version=\"\${VERSION}\" --os-service-pack=\"\${VERSION_ID}\"'")
- # lint:endignore
- } else {
- # lint:ignore:140chars
- $command = Sensitive("bash -c 'source /etc/os-release; echo -n \"${$sensitive_password.unwrap}\" | adcli join -D ${currdomain} -U \"${username}\" --stdin-password --os-name=\"\${NAME}\" --os-version=\"\${VERSION}\" --os-service-pack=\"\${VERSION_ID}\"'")
- # lint:endignore
- }
+ unless $oidc {
+ if($override_domain) {
+ # lint:ignore:140chars
+ $command = Sensitive("bash -c 'source /etc/os-release; echo -n \"${$sensitive_password.unwrap}\" | adcli join -H ${forced_fqdn} -D ${currdomain} -U \"${username}\" --stdin-password --os-name=\"\${NAME}\" --os-version=\"\${VERSION}\" --os-service-pack=\"\${VERSION_ID}\"'")
+ # lint:endignore
+ } else {
+ # lint:ignore:140chars
+ $command = Sensitive("bash -c 'source /etc/os-release; echo -n \"${$sensitive_password.unwrap}\" | adcli join -D ${currdomain} -U \"${username}\" --stdin-password --os-name=\"\${NAME}\" --os-version=\"\${VERSION}\" --os-service-pack=\"\${VERSION_ID}\"'")
+ # lint:endignore
+ }
- exec { 'Join':
- command => $command,
- path => $facts['path'],
- notify => Service['sssd'],
- creates => '/etc/krb5.keytab',
- require => [
- Package['adcli'],
- Package['krb5-workstation'],
- Package['samba-common'],
- Package['samba-common-tools'],
- Package['sssd'],
- File['/etc/krb5.conf'],
- File['/etc/sssd/sssd.conf'],
- ],
- }
+ exec { 'Join':
+ command => $command,
+ path => $facts['path'],
+ notify => [
+ Service['sssd'],
+ Exec['Enable SSSD Authentication']
+ ],
+ creates => '/etc/krb5.keytab',
+ require => [
+ Package['adcli'],
+ Package['krb5-workstation'],
+ Package['samba-common'],
+ Package['samba-common-tools'],
+ Package['sssd'],
+ File['/etc/krb5.conf'],
+ File['/etc/sssd/sssd.conf'],
+ ],
+ }
- file { '/etc/systemd/system/update_adcli.service':
- ensure => file,
- content => template('domain_join/update_adcli.service.erb'),
- require => Exec['Join'],
- notify => Service['update_adcli'],
- }
+ file { '/etc/systemd/system/update_adcli.service':
+ ensure => file,
+ content => template('domain_join/update_adcli.service.erb'),
+ require => Exec['Join'],
+ notify => Service['update_adcli'],
+ }
- service { 'update_adcli':
- enable => true,
+ service { 'update_adcli':
+ enable => true,
+ }
}
file { '/etc/krb5.conf':
@@ -210,14 +249,22 @@
notify => Service['sssd'],
require => Package['krb5-workstation'],
}
+ if $oidc {
+ $sssd_src = 'domain_join/sssd.oidc.conf.erb'
+ } else {
+ $sssd_src = 'domain_join/sssd.conf.erb'
+ }
file { '/etc/sssd/sssd.conf':
ensure => file,
- content => template('domain_join/sssd.conf.erb'),
+ content => template($sssd_src),
owner => root,
group => root,
mode => '0400',
- notify => Service['sssd'],
+ notify => [
+ Service['sssd'],
+ Exec['Enable SSSD Authentication']
+ ],
require => Package['sssd'],
}
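Review bot: With the OIDC template the rendered `content` now carries `idp_client_secret` in clear text, and a `file` resource with plain `content` prints the full text in agent diffs and reports whenever it changes; the `0400` mode protects the file on disk but not in the report. Wrapping it as `content => Sensitive(template($sssd_src)),` or adding `show_diff => false,` to the resource keeps the secret out of the change log.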
@@ -292,29 +339,30 @@
}
}
- case $smartcard {
- 'disabled': {
- $enable_smartcard = ''
- }
- 'enabled': {
- $enable_smartcard = 'with-smartcard'
- }
- 'required': {
- $enable_smartcard = 'with-smartcard-required'
- }
- 'lock-on-removal': {
- $enable_smartcard = 'with-smartcard-lock-on-removal'
- }
- default: {
- err('How??')
+ if $oidc {
+ $enable_smartcard = ''
+ } else {
+ case $smartcard {
+ 'disabled': {
+ $enable_smartcard = ''
+ }
+ 'enabled': {
+ $enable_smartcard = 'with-smartcard'
+ }
+ 'required': {
+ $enable_smartcard = 'with-smartcard-required'
+ }
+ 'lock-on-removal': {
+ $enable_smartcard = 'with-smartcard-lock-on-removal'
+ }
+ default: {
+ err('How??')
+ }
}
}
exec { 'Enable SSSD Authentication':
command => "${enablesssd} ${enable_smartcard}",
- subscribe => [
- Exec['Join'],
- ],
path => $facts['path'],
refreshonly => true,
require => [
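Review bot: When `$oidc` is true the `$smartcard` setting is silently dropped (`$enable_smartcard = ''`), so a node declared with `oidc => true, smartcard => 'required'` ends up with smartcard authentication off and nothing in the run output saying why. If the combination is unsupported, rejecting it next to the other checks (`if $oidc and $smartcard != 'disabled' { fail('domain_join: smartcard is not supported when oidc is enabled') }`) is clearer than ignoring it; otherwise a `warning()` at the point where it is overridden would do. The `exec { 'Enable SSSD Authentication': ... }` resource continues outside the hunk.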
diff --git a/domain_join/spec/classes/domain_join_spec.rb b/domain_join/spec/classes/domain_join_spec.rb
index 6e85ef5..f603fdb 100644
--- a/domain_join/spec/classes/domain_join_spec.rb
+++ b/domain_join/spec/classes/domain_join_spec.rb
@@ -15,7 +15,7 @@
'global_ssh' => 'EXAMPLE Linux SSH Users',
'local_admins' => 'EXAMPLE %HOSTNAME% Admins',
'local_ssh' => 'EXAMPLE %HOSTNAME% SSH Users',
- 'file_header' => 'Puppet managed'
+ 'file_header' => 'OpenVox managed'
}
}
diff --git a/domain_join/templates/sssd.oidc.conf.erb b/domain_join/templates/sssd.oidc.conf.erb
new file mode 100644
index 0000000..15fa382
--- /dev/null
+++ b/domain_join/templates/sssd.oidc.conf.erb
@@ -0,0 +1,21 @@
+[sssd]
+services = nss, pam
+domains = <%= @currdomain.upcase %>
+
+[domain/<%= @currdomain.upcase %>]
+id_provider = idp
+idp_type = entra_id
+idp_client_id = <%= @client_id %>
+<% if @client_secret -%>
+idp_client_secret = <%= @client_secret.call('unwrap') %>
+<% end -%>
+idp_token_endpoint = https://login.microsoftonline.com/<%= @tenant_id %>/oauth2/v2.0/token
+idp_device_auth_endpoint = https://login.microsoftonline.com/<%= @tenant_id %>/oauth2/v2.0/devicecode
+idp_userinfo_endpoint = https://graph.microsoft.com/v1.0/me
+idp_id_scope = https%3A%2F%2Fgraph.microsoft.com%2F.default
+idp_auth_scope = openid profile email
+override_homedir = <%= @sssd_home -%>/%u
+
+[nss]
+default_shell = /bin/bash
+fallback_homedir = /home/%u
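Review bot: `@client_secret.call('unwrap')` in the `idp_client_secret` line does not look like a method the Sensitive wrapper exposes inside an ERB template; the form I know is `@client_secret.unwrap`, and since no spec in this commit exercises `oidc => true` with a secret set, a NoMethodError here would only surface on a real agent run. I would change the line to `idp_client_secret = <%= @client_secret.unwrap %>` and add a spec case with `oidc => true`, a `client_id`, a `tenant_id` and a `Sensitive` `client_secret` that asserts the rendered sssd.conf. `@sssd_home` in the `override_homedir` line is not set by any hunk in this diff, so I assume it comes from the class body outside the view; worth confirming it is defined on the OIDC path too.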