``role::base``
==============
This role is special in that **it cannot be assigned to a system**. It is meant
to be included by all other roles and provide basic functionality that all roles
need anyway.
Parameters
----------
========================= ======== ====================================================
**Name**                  **Type** **Default**
------------------------- -------- ----------------------------------------------------
default_target            string   ``multi-user``
default_enable_afs        bool     undef
default_enable_pmodules   bool     undef
default_pmodules_when_afs bool     false
default_local_homes       bool     undef
default_enable_mta        bool     undef
enable_afs                bool     hiera('base::enable_afs')
enable_autofs             bool     hiera('base::enable_autofs')
enable_epics              bool     hiera('base::enable_epics')
enable_filecopy           bool     hiera('base::enable_filecopy')
enable_ganglia            bool     hiera('base::enable_ganglia')
enable_icinga             bool     hiera('base::enable_icinga')
enable_iommu              bool     hiera('base::enable_iommu')
enable_kdump_client       bool     hiera('base::enable_kdump_client')
enable_local_homes        bool     hiera('base::local_homes', undef)
enable_mta                bool     hiera('base::enable_mta', undef)
enable_multipath          bool     hiera('base::enable_multipath')
enable_nfs_server         bool     hiera('base::enable_nfs_server')
enable_nomachine          bool     hiera('base::enable_nomachine')
enable_platform           bool     hiera('base::enable_platform')
enable_pmodules           bool     hiera('base::enable_pmodules')
enable_print_client       bool     hiera('base::enable_print_client')
enable_rhgb               bool     hiera('base::enable_rhgb')
enable_ssh_client         bool     hiera('base::enable_ssh_client')
enable_telegraf           bool     hiera('base::enable_telegraf')
enable_updatedb           bool     hiera('base::enable_updatedb')
include_aaa               bool     true
include_log_client        bool     true
include_rpm_repos         bool     true
package_groups            array    hiera_array('base::package_groups', [])
package_excludes          array    hiera_array('base::package_exclude', [])
pkg_group::*              array    hiera_array('base::pkg_group::...', [])
selinux_mode              string   hiera('base::selinux_mode', 'enforcing')
update_interval           enum     hiera('base::automatic_updates::interval', 'weekly')
update_type               enum     hiera('base::automatic_updates::type', 'security')
update_exclude            array    hiera_array('base::automatic_updates::exclude', [])
update_kernel             bool     hiera('base::automatic_updates::kernel', false)
========================= ======== ====================================================

``default_target``
~~~~~~~~~~~~~~~~~~
Specifies the systemd default target to configure. This does not *isolate* the
target (see :manpage:`systemctl(1)`), but merely sets it so it will become
active after a reboot.
``default_enable_afs``
~~~~~~~~~~~~~~~~~~~~~~
Allows the role programmer to define if AFS should be enabled or not when there is no ``base::enable_afs`` Hiera setting and parameter ``enable_afs`` is undefined (default).
``default_enable_pmodules``
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Allows the role programmer to define if pmodules should be enabled or not when there is no ``base::enable_pmodules`` Hiera setting and parameter ``enable_pmodules`` is undefined (default).
``default_pmodules_when_afs``
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Allows the role programmer to define if pmodules should be automatically enabled together with AFS.
This requires the parameters ``default_enable_pmodules`` and ``enable_pmodules`` to be undefined (default) and that there is no ``base::enable_pmodules`` Hiera setting.
``default_local_homes``
~~~~~~~~~~~~~~~~~~~~~~~
Allows the role programmer to define if local homes should be used if not configured differently in Hiera. This is the default on RHEL8.
``default_enable_mta``
~~~~~~~~~~~~~~~~~~~~~~
Allows the role programmer to define if postfix should be enabled or not when there is no ``base::enable_mta`` Hiera setting and parameter ``enable_mta`` is undefined (default).
``enable_afs``
~~~~~~~~~~~~~~
Determines whether to include the :doc:`afs_client <../profiles/afs_client>`
profile to enable AFS access.
For the ``softioc`` role this is ignored; there is a separate ``softioc::enable_afs`` Hiera setting instead.
Puppet roles should not set this parameter as this overrides ``base::enable_afs`` from Hiera.
Please use ``default_enable_afs`` instead to define the role preference.
``enable_autofs``
~~~~~~~~~~~~~~~~~
Enable the ``autofs`` service. This is **not** needed for automounts! It is only
needed to support the ``-hosts`` map as documented in :manpage:`auto.master`.
The ``-hosts`` map is mounted on ``/net``.
``enable_epics``
~~~~~~~~~~~~~~~~~
Enables ``EPICS``. TODO: more details...
``enable_filecopy``
~~~~~~~~~~~~~~~~~~~
Enable the ``filecopy`` profile, which allows deploying arbitrary files from
``git.psi.ch`` through Hiera.
``enable_ganglia``
~~~~~~~~~~~~~~~~~~
Determines whether to include the :doc:`ganglia_client
<../profiles/ganglia_client>`.
``enable_ssh_client``
~~~~~~~~~~~~~~~~~~~~~
Deploy global SSH client configuration, i.e. ``/etc/ssh/ssh_config``.
``enable_telegraf``
~~~~~~~~~~~~~~~~~~~
Enable the telegraf monitoring agent, which reports various system metrics to
InfluxDB servers.
``enable_icinga``
~~~~~~~~~~~~~~~~~
Determines whether to include the :doc:`icinga_client
<../profiles/icinga_client>` profile, which installs the client components
necessary for Icinga-based monitoring.
``enable_iommu``
~~~~~~~~~~~~~~~~~
Enables IOMMU support in the kernel at boot. The node needs to be rebooted for this change to become active.
``enable_kdump_client``
~~~~~~~~~~~~~~~~~~~~~~~
Determines whether to include the :doc:`kdump_client <../profiles/kdump_client>`
profile.
``enable_local_homes``
~~~~~~~~~~~~~~~~~~~~~~
Configures local homes.
Puppet roles should not set this parameter as this overrides ``base::enable_local_homes`` from Hiera.
Please use ``default_local_homes`` instead to define the role preference.
``enable_mta``
~~~~~~~~~~~~~~
Enables postfix.
Puppet roles should not set this parameter as this overrides ``base::enable_mta`` from Hiera.
Please use ``default_enable_mta`` instead to define the role preference.
``enable_multipath``
~~~~~~~~~~~~~~~~~~~~
Enable the ``multipath`` profile for basic multipath functionality.
``enable_nfs_server``
~~~~~~~~~~~~~~~~~~~~~
Enable the kernel NFS server and configure the :manpage:`exports(5)` file. See
the :doc:`nfs_server <../profiles/nfs_server>` profile for details.
``enable_nomachine``
~~~~~~~~~~~~~~~~~~~~
Include the ``nomachine`` profile, which can install NoMachine NX in various
configurations.
``enable_platform``
~~~~~~~~~~~~~~~~~~~
Enable the ``platform`` profile, which installs and configures hardware-specific
tools and configurations.
``enable_pmodules``
~~~~~~~~~~~~~~~~~~~
Determines whether to enable the :doc:`pmodules <../profiles/pmodules>` profile.
When true, the necessary configuration is automatically sourced for all normal
users (i.e. UID >= 1000 and no ``-adm`` suffix) using :manpage:`bash(1)`.
Requires AFS to work, as the required configuration files are stored on AFS.
Puppet roles should not set this parameter as this overrides ``base::enable_pmodules`` from Hiera.
Please use ``default_enable_pmodules`` or even ``default_pmodules_when_afs`` instead to define the role preference.
``enable_print_client``
~~~~~~~~~~~~~~~~~~~~~~~
Enable and configure CUPS as a client. See the :doc:`print_client
<../profiles/print_client>` profile for details.
``enable_rhgb``
~~~~~~~~~~~~~~~
Determines whether the graphical boot screen is enabled.
``enable_updatedb``
~~~~~~~~~~~~~~~~~~~
Determines whether :manpage:`updatedb(8)` (aka :manpage:`locate(1)`) is
enabled. When enabled, it is still possible to exclude certain
directories from indexing. This is also supported directly by the mounter module.
``include_aaa``
~~~~~~~~~~~~~~~
Determines whether to include the :doc:`aaa <../profiles/aaa>` profile, which
configures authentication, authorization, and (partly) auditing.
``include_log_client``
~~~~~~~~~~~~~~~~~~~~~~
Include the :doc:`log_client <../profiles/log_client>` profile. This is only
meant to allow roles to customize the :doc:`log_client
<../profiles/log_client>` profile.
``include_rpm_repos``
~~~~~~~~~~~~~~~~~~~~~~
Determines whether to install the default RPM package repositories.
``package_groups``
~~~~~~~~~~~~~~~~~~
The list of package groups to install. Package groups are defined in Hiera using
``base::pkg_group::NAME``.
``pkg_group::NAME``
~~~~~~~~~~~~~~~~~~~
An array defining the package group ``NAME``. Each entry contains the package name,
optionally followed by one or more tags separated by ``:``. The following tags are allowed:

========== =====================================================
Tag        Description
---------- -----------------------------------------------------
latest     ensure the latest version of the package is installed
absent     ensure the package is not installed
os=redhat7 install it only on this OS
os!redhat7 install on any OS except this one
========== =====================================================

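A constructed Hiera snippet showing how package groups and tags fit together (an added example, not taken from the original page; the group names ``admin_tools`` and ``hardening`` and the package selection are assumptions):

```yaml
# Constructed sample data; group and package names are illustrative only.

# Groups to install on this node. Each name refers to a
# base::pkg_group::NAME key defined below.
base::package_groups:
  - 'admin_tools'
  - 'hardening'

base::pkg_group::admin_tools:
  - 'tmux'                                      # no tag: package is installed (assumed default)
  - 'vim-enhanced:latest'                       # keep at the latest available version
  - 'policycoreutils-python:os=redhat7'         # only on redhat7
  - 'policycoreutils-python-utils:os!redhat7'   # on every OS except redhat7

base::pkg_group::hardening:
  - 'telnet:absent'                             # make sure the package is removed
  - 'rsh:absent:os=redhat7'                     # several tags, separated by ':'
```

A group only takes effect on nodes that list it in ``base::package_groups``; defining ``base::pkg_group::NAME`` alone installs nothing.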
``package_excludes``
~~~~~~~~~~~~~~~~~~~~
An array with packages which are not made available on the system.
``selinux_mode``
~~~~~~~~~~~~~~~~
The SELinux mode to use, one of ``enforcing``, ``permissive``, and ``disabled``.
The *configured* SELinux mode (i.e. the setting in ``/etc/sysconfig/selinux``) is
changed immediately. The runtime mode is changed as follows, as certain
transitions are impossible without a reboot:

========== ========== ===========
Current    Setting    New runtime
---------- ---------- -----------
Enforcing  Disabled   Permissive
Enforcing  Permissive Permissive
Permissive Enforcing  Enforcing
Permissive Disabled   Permissive
Disabled   Permissive Disabled
Disabled   Enforcing  Disabled
========== ========== ===========

``update_interval``
~~~~~~~~~~~~~~~~~~~
How often automatic updates are installed. Valid options are ``never``, ``daily`` and ``weekly``.
``update_type``
~~~~~~~~~~~~~~~
The type of package updates to install automatically: either ``security`` for security updates only or ``all`` for all updates.
``update_exclude``
~~~~~~~~~~~~~~~~~~
List of packages which shall not be updated automatically. Wildcards like ``*`` are allowed. The kernel is excluded by default.
``update_kernel``
~~~~~~~~~~~~~~~~~
Determines whether the kernel package is also updated automatically. Note that the reboot needed to run the new kernel must be done manually.
Examples
--------
The most basic usage is::

    class role::some_role () {
      include role::base
      ...
    }

Most profiles that are included can be excluded when necessary::

    class role::some_role () {
      class {'role::base':
        enable_icinga => false,
      }
      ...
    }

This can be used to customize some of the basic profiles::

    class role::some_role () {
      # Skip the default aaa profile ...
      class {'role::base':
        include_aaa => false,
      }
      # ... and declare it with custom parameters instead.
      class {'profile::aaa':
        allow_sudoers_d => true,
      }
      ...
    }