Add OIDC support to domain_join

.readme/footer.md

@@ -2,13 +2,13 @@
 ### Option 1:
 1. Clone the repo and use the modules  
 ```bash
-git clone https://github.com/JasonN3/puppet_modules.git
+git clone https://github.com/JasonN3/openvox_modules.git
 ```
 ### Option 2:
-1. Edit your Puppetfile so r10k will clone the repo:  
+1. Edit your Puppetfile so g10k will clone the repo:  
 ```
 mod 'github',
-  :git          => 'https://github.com/JasonN3/puppet_modules.git',
+  :git          => 'https://github.com/JasonN3/openvox_modules.git',
   :ref          => 'main',
   :install_path => 'git'
 ```

.readme/header.md

@@ -1,5 +1,5 @@
-# Puppet Modules
+# OpenVox Modules
 
 ## Description
-This is a collection of Puppet modules that I commonly use that make management of various Linux systems easier.
+This is a collection of OpenVox modules that I commonly use that make management of various Linux systems easier.
 

README.md

@@ -1,7 +1,7 @@
-# Puppet Modules
+# OpenVox Modules
 
 ## Description
-This is a collection of Puppet modules that I commonly use that make management of various Linux systems easier.
+This is a collection of OpenVox modules that I commonly use that make management of various Linux systems easier.
 
 ---
 ## Modules list
@@ -16,13 +16,13 @@ Configires the node to use client/host certificates from Hashicorp Vault
 ### Option 1:
 1. Clone the repo and use the modules  
 ```bash
-git clone https://github.com/JasonN3/puppet_modules.git
+git clone https://github.com/JasonN3/openvox_modules.git
 ```
 ### Option 2:
-1. Edit your Puppetfile so r10k will clone the repo:  
+1. Edit your Puppetfile so g10k will clone the repo:  
 ```
 mod 'github',
-  :git          => 'https://github.com/JasonN3/puppet_modules.git',
+  :git          => 'https://github.com/JasonN3/openvox_modules.git',
   :ref          => 'main',
   :install_path => 'git'
 ```

domain_join/README.md

@@ -39,19 +39,27 @@ The following parameters are available in the `domain_join` class:
 * [`ad_trust`](#ad_trust)
 * [`update_os_info`](#update_os_info)
 * [`enable_smartcard_ssh`](#enable_smartcard_ssh)
+* [`oidc`](#oidc)
+* [`client_id`](#client_id)
+* [`client_secret`](#client_secret)
+* [`tenant_id`](#tenant_id)
 
 ##### <a name="username"></a>`username`
 
-Data type: `String`
+Data type: `Optional[String]`
 
 The username used to domain join
 
+Default value: ``undef``
+
 ##### <a name="sensitive_password"></a>`sensitive_password`
 
-Data type: `Sensitive[String]`
+Data type: `Optional[Sensitive[String]]`
 
 The password used to domain join
 
+Default value: ``undef``
+
 ##### <a name="global_admins"></a>`global_admins`
 
 Data type: `String`
@@ -190,3 +198,35 @@ Enable smartcard authentication for SSH (Only seems to work on RHEL 8+)
 
 Default value: ``false``
 
+##### <a name="oidc"></a>`oidc`
+
+Data type: `Boolean`
+
+Use OIDC for authentication
+
+Default value: ``false``
+
+##### <a name="client_id"></a>`client_id`
+
+Data type: `Optional[String]`
+
+Client ID for OIDC authentication
+
+Default value: ``undef``
+
+##### <a name="client_secret"></a>`client_secret`
+
+Data type: `Optional[Sensitive[String]]`
+
+Optional secret for client
+
+Default value: ``undef``
+
+##### <a name="tenant_id"></a>`tenant_id`
+
+Data type: `Optional[String]`
+
+Tenant ID for Entra ID authentication
+
+Default value: ``undef``
+

domain_join/manifests/init.pp

@@ -43,9 +43,17 @@
 #   Configures a service to update the OS information on the AD object on startup
 # @param enable_smartcard_ssh
 #   Enable smartcard authentication for SSH (Only seems to work on RHEL 8+)
+# @param oidc
+#   Use OIDC for authentication
+# @param client_id
+#   Client ID for OIDC authentication
+# @param client_secret
+#   Optional secret for client
+# @param tenant_id
+#   Tenant ID for Entra ID authentication
 class domain_join (
-  String                                                     $username,
-  Sensitive[String]                                          $sensitive_password,
+  Optional[String]                                           $username             = undef,
+  Optional[Sensitive[String]]                                $sensitive_password   = undef,
   String                                                     $global_admins,
   String                                                     $global_ssh,
   String                                                     $local_admins,
@@ -63,8 +71,27 @@
   Enum['disabled', 'enabled', 'required', 'lock-on-removal'] $smartcard            = 'disabled',
   Optional[Array[String]]                                    $ad_trust             = undef,
   Boolean                                                    $update_os_info       = false,
-  Boolean                                                    $enable_smartcard_ssh = false
+  Boolean                                                    $enable_smartcard_ssh = false,
+  Boolean                                                    $oidc                 = false,
+  Optional[String]                                           $client_id            = undef,
+  Optional[Sensitive[String]]                                $client_secret        = undef,
+  Optional[String]                                           $tenant_id            = undef
 ) {
+  if $oidc {
+    if !$client_id {
+      fail('domain_join: client_id must be provided when oidc is enabled')
+    }
+    if !$tenant_id {
+      fail('domain_join: tenant_id must be provided when oidc is enabled')
+    }
+  } else {
+    if !$username {
+      fail('domain_join: username must be provided when oidc is disabled')
+    }
+    if !$sensitive_password {
+      fail('domain_join: sensitive_password must be provided when oidc is disabled')
+    }
+  }
   if $override_domain {
     $currdomain = $override_domain
     # This is only used if $override_domain is defined
@@ -83,7 +110,7 @@
   } elsif $::file_header {
     $file_header_local = $::file_header
   } else {
-    $file_header_local = 'This file is being maintained by Puppet. Do not edit.'
+    $file_header_local = 'This file is being maintained by OpenVox. Do not edit.'
   }
   # lint:endignore
 
@@ -139,8 +166,15 @@
   package { 'samba-common':
     ensure => installed,
   }
-  package { 'sssd':
-    ensure => installed,
+  if $oidc {
+    package { 'sssd':
+      ensure => installed,
+      name   => 'sssd-idp',
+    }
+  } else {
+    package { 'sssd':
+      ensure => installed,
+    }
   }
 
   if $ad_trust != undef {
@@ -167,41 +201,46 @@
     }
   }
 
-  if($override_domain) {
-    # lint:ignore:140chars
-    $command = Sensitive("bash -c 'source /etc/os-release; echo -n \"${$sensitive_password.unwrap}\" | adcli join -H ${forced_fqdn} -D ${currdomain} -U \"${username}\" --stdin-password --os-name=\"\${NAME}\" --os-version=\"\${VERSION}\" --os-service-pack=\"\${VERSION_ID}\"'")
-    # lint:endignore
-  } else {
-    # lint:ignore:140chars
-    $command = Sensitive("bash -c 'source /etc/os-release; echo -n \"${$sensitive_password.unwrap}\" | adcli join -D ${currdomain} -U \"${username}\" --stdin-password --os-name=\"\${NAME}\" --os-version=\"\${VERSION}\" --os-service-pack=\"\${VERSION_ID}\"'")
-    # lint:endignore
-  }
+  unless $oidc {
+    if($override_domain) {
+      # lint:ignore:140chars
+      $command = Sensitive("bash -c 'source /etc/os-release; echo -n \"${$sensitive_password.unwrap}\" | adcli join -H ${forced_fqdn} -D ${currdomain} -U \"${username}\" --stdin-password --os-name=\"\${NAME}\" --os-version=\"\${VERSION}\" --os-service-pack=\"\${VERSION_ID}\"'")
+      # lint:endignore
+    } else {
+      # lint:ignore:140chars
+      $command = Sensitive("bash -c 'source /etc/os-release; echo -n \"${$sensitive_password.unwrap}\" | adcli join -D ${currdomain} -U \"${username}\" --stdin-password --os-name=\"\${NAME}\" --os-version=\"\${VERSION}\" --os-service-pack=\"\${VERSION_ID}\"'")
+      # lint:endignore
+    }
 
-  exec { 'Join':
-    command => $command,
-    path    => $facts['path'],
-    notify  => Service['sssd'],
-    creates => '/etc/krb5.keytab',
-    require => [
-      Package['adcli'],
-      Package['krb5-workstation'],
-      Package['samba-common'],
-      Package['samba-common-tools'],
-      Package['sssd'],
-      File['/etc/krb5.conf'],
-      File['/etc/sssd/sssd.conf'],
-    ],
-  }
+    exec { 'Join':
+      command => $command,
+      path    => $facts['path'],
+      notify  => [
+        Service['sssd'],
+        Exec['Enable SSSD Authentication']
+      ],
+      creates => '/etc/krb5.keytab',
+      require => [
+        Package['adcli'],
+        Package['krb5-workstation'],
+        Package['samba-common'],
+        Package['samba-common-tools'],
+        Package['sssd'],
+        File['/etc/krb5.conf'],
+        File['/etc/sssd/sssd.conf'],
+      ],
+    }
 
-  file { '/etc/systemd/system/update_adcli.service':
-    ensure  => file,
-    content => template('domain_join/update_adcli.service.erb'),
-    require => Exec['Join'],
-    notify  => Service['update_adcli'],
-  }
+    file { '/etc/systemd/system/update_adcli.service':
+      ensure  => file,
+      content => template('domain_join/update_adcli.service.erb'),
+      require => Exec['Join'],
+      notify  => Service['update_adcli'],
+    }
 
-  service { 'update_adcli':
-    enable => true,
+    service { 'update_adcli':
+      enable => true,
+    }
   }
 
   file { '/etc/krb5.conf':
@@ -210,14 +249,22 @@
     notify  => Service['sssd'],
     require => Package['krb5-workstation'],
   }
+  if $oidc {
+    $sssd_src = 'domain_join/sssd.oidc.conf.erb'
+  } else {
+    $sssd_src = 'domain_join/sssd.conf.erb'
+  }
 
   file { '/etc/sssd/sssd.conf':
     ensure  => file,
-    content => template('domain_join/sssd.conf.erb'),
+    content => template($sssd_src),
     owner   => root,
     group   => root,
     mode    => '0400',
-    notify  => Service['sssd'],
+    notify  => [
+      Service['sssd'],
+      Exec['Enable SSSD Authentication']
+    ],
     require => Package['sssd'],
   }
 
@@ -292,29 +339,30 @@
     }
   }
 
-  case $smartcard {
-    'disabled': {
-      $enable_smartcard = ''
-    }
-    'enabled': {
-      $enable_smartcard = 'with-smartcard'
-    }
-    'required': {
-      $enable_smartcard = 'with-smartcard-required'
-    }
-    'lock-on-removal': {
-      $enable_smartcard = 'with-smartcard-lock-on-removal'
-    }
-    default: {
-      err('How??')
+  if $oidc {
+    $enable_smartcard = ''
+  } else {
+    case $smartcard {
+      'disabled': {
+        $enable_smartcard = ''
+      }
+      'enabled': {
+        $enable_smartcard = 'with-smartcard'
+      }
+      'required': {
+        $enable_smartcard = 'with-smartcard-required'
+      }
+      'lock-on-removal': {
+        $enable_smartcard = 'with-smartcard-lock-on-removal'
+      }
+      default: {
+        err('How??')
+      }
     }
   }
 
   exec { 'Enable SSSD Authentication':
     command     => "${enablesssd} ${enable_smartcard}",
-    subscribe   => [
-      Exec['Join'],
-    ],
     path        => $facts['path'],
     refreshonly => true,
     require     => [

domain_join/spec/classes/domain_join_spec.rb

@@ -15,7 +15,7 @@
           'global_ssh' => 'EXAMPLE Linux SSH Users',
           'local_admins' => 'EXAMPLE %HOSTNAME% Admins',
           'local_ssh' => 'EXAMPLE %HOSTNAME% SSH Users',
-          'file_header' => 'Puppet managed'
+          'file_header' => 'OpenVox managed'
         }
       }
 

domain_join/templates/sssd.oidc.conf.erb

@@ -0,0 +1,21 @@
+[sssd]
+services = nss, pam
+domains = <%= @currdomain.upcase %>
+
+[domain/<%= @currdomain.upcase %>]
+id_provider = idp
+idp_type = entra_id
+idp_client_id = <%= @client_id %>
+<% if @client_secret -%>
+idp_client_secret = <%= @client_secret.call('unwrap') %>
+<% end -%>
+idp_token_endpoint = https://login.microsoftonline.com/<%= @tenant_id %>/oauth2/v2.0/token
+idp_device_auth_endpoint = https://login.microsoftonline.com/<%= @tenant_id %>/oauth2/v2.0/devicecode
+idp_userinfo_endpoint = https://graph.microsoft.com/v1.0/me
+idp_id_scope = https%3A%2F%2Fgraph.microsoft.com%2F.default
+idp_auth_scope = openid profile email
+override_homedir = <%= @sssd_home -%>/%u
+
+[nss]
+default_shell = /bin/bash
+fallback_homedir = /home/%u