ocf · singingtelegram · May 12, 2023 · May 12, 2023
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -3,9 +3,7 @@ repos:
     rev: v2.1.0
     hooks:
     -   id: puppet-validate
-        additional_dependencies: ['puppet:<7']
     -   id: erb-validate
-        additional_dependencies: ['puppet:<7']
     -   id: puppet-lint
         args:
         -   --fail-on-warnings
@@ -15,13 +13,11 @@ repos:
         -   --no-puppet_url_without_modules-check
         -   --no-arrow_on_right_operand_line-check
         -   --no-variable_is_lowercase-check
-        additional_dependencies: ['puppet:<7', 'puppet-lint']
+        additional_dependencies: ['puppet-lint']
     -   id: epp-validate
-        additional_dependencies: ['puppet:<7']
     -   id: r10k-validate
-        additional_dependencies: ['puppet:<7', 'r10k']
+        additional_dependencies: ['r10k']
     -   id: ruby-validate
-        additional_dependencies: ['puppet:<7']
 -   repo: https://github.com/pre-commit/pre-commit-hooks.git
     # We need to be using python3.6 by default before this can be upgraded to 3.x+
     rev: v2.5.0

diff --git a/manifests/site_ssl.pp b/manifests/site_ssl.pp
@@ -6,7 +6,7 @@
 # https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29
 #
 # This should be updated from time-to-time.
-if $::lsbdistcodename == 'bullseye' {
+if $facts['facts['os']['distro']['codename']'] == 'bullseye' {
   $ssl_ciphersuite = 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256'
   $ssl_protocols = 'TLSv1.2 TLSv1.3'
 } else {

diff --git a/modules/ocf/functions/get_host_fqdns.pp b/modules/ocf/functions/get_host_fqdns.pp
@@ -7,6 +7,6 @@
 # CNAME records 'www', then this function (with the suffix 'ocf.io' would
 # return ['death.ocf.io', 'dev-vhost.ocf.io', 'www.ocf.io']
 function ocf::get_host_fqdns(String $suffix = 'ocf.berkeley.edu') >> Array[String] {
-  $dns_entries = concat([$::hostname], delete($::dnsA, '@'), $::dnsCname)
+  $dns_entries = concat([$facts['facts['networking']['hostname']']], delete($facts['dnsA'], '@'), $facts['dnsCname'])
   suffix(delete($dns_entries, ''), ".${suffix}")
 }
diff --git a/modules/ocf/manifests/apt.pp b/modules/ocf/manifests/apt.pp
@@ -11,8 +11,8 @@
 
   $repos = 'main contrib non-free'
 
-  if $::lsbdistid == 'Debian' {
-    if $::operatingsystemmajrelease == '9' {
+  if $facts['facts['os']['distro']['id']'] == 'Debian' {
+    if $facts['facts['os']['release']['major']'] == '9' {
       apt::key { 'freexian':
           id     => 'AB597C4F6F3380BD4B2BEBC2A07310D369055D5A',
           source => 'https://deb.freexian.com/extended-lts/archive-key.gpg';
@@ -21,44 +21,44 @@
       apt::source {
       'debian':
           location => 'https://mirrors.ocf.berkeley.edu/debian/',
-          release  => $::lsbdistcodename,
+          release  => $facts['facts['os']['distro']['codename']'],
           repos    => $repos,
           include  => {
           src => true
           };
 
       'debian-updates':
           location => 'https://mirrors.ocf.berkeley.edu/debian/',
-          release  => "${::lsbdistcodename}-updates",
+          release  => "${facts['facts['os']['distro']['codename']']}-updates",
           repos    => $repos,
           include  => {
           src => true
           };
 
       'debian-security':
           location => 'https://mirrors.ocf.berkeley.edu/debian-security/',
-          release  => "${::lsbdistcodename}/updates",
+          release  => "${facts['facts['os']['distro']['codename']']}/updates",
           repos    => $repos,
           include  => {
           src => true
           };
 
       'extended-lts':
           location => 'https://mirrors.ocf.berkeley.edu/freexian/',
-          release  => $::lsbdistcodename,
+          release  => $facts['facts['os']['distro']['codename']'],
           repos    => $repos;
 
       'ocf':
           location => 'https://apt.ocf.berkeley.edu/',
-          release  => $::lsbdistcodename,
+          release  => $facts['facts['os']['distro']['codename']'],
           repos    => 'main',
           include  => {
           src => true
           };
 
       'ocf-backports':
           location => 'https://apt.ocf.berkeley.edu/',
-          release  => "${::lsbdistcodename}-backports",
+          release  => "${facts['facts['os']['distro']['codename']']}-backports",
           repos    => 'main',
           include  => {
           src => true
@@ -68,7 +68,7 @@
       # Pin anything coming from *-backports to be lower than normal priority
       apt::pin { 'ocf-backports':
       priority => 200,
-      codename => "${::lsbdistcodename}-backports",
+      codename => "${facts['facts['os']['distro']['codename']']}-backports",
       }
 
       # TODO: Submit patch to puppetlabs-apt to enable having includes for
@@ -77,43 +77,43 @@
       location => 'https://mirrors.ocf.berkeley.edu/debian/';
       }
     }
-  elsif $::operatingsystemmajrelease == '10' {
+  elsif $facts['facts['os']['release']['major']'] == '10' {
     apt::source {
       'debian':
           location => 'https://mirrors.ocf.berkeley.edu/debian/',
-          release  => $::lsbdistcodename,
+          release  => $facts['facts['os']['distro']['codename']'],
           repos    => $repos,
           include  => {
           src => true
           };
 
       'debian-updates':
           location => 'https://mirrors.ocf.berkeley.edu/debian/',
-          release  => "${::lsbdistcodename}-updates",
+          release  => "${facts['facts['os']['distro']['codename']']}-updates",
           repos    => $repos,
           include  => {
           src => true
           };
 
       'debian-security':
           location => 'https://mirrors.ocf.berkeley.edu/debian-security/',
-          release  => "${::lsbdistcodename}/updates",
+          release  => "${facts['facts['os']['distro']['codename']']}/updates",
           repos    => $repos,
           include  => {
           src => true
           };
 
       'ocf':
           location => 'https://apt.ocf.berkeley.edu/',
-          release  => $::lsbdistcodename,
+          release  => $facts['facts['os']['distro']['codename']'],
           repos    => 'main',
           include  => {
           src => true
           };
 
       'ocf-backports':
           location => 'https://apt.ocf.berkeley.edu/',
-          release  => "${::lsbdistcodename}-backports",
+          release  => "${facts['facts['os']['distro']['codename']']}-backports",
           repos    => 'main',
           include  => {
           src => true
@@ -123,7 +123,7 @@
       # Pin anything coming from *-backports to be lower than normal priority
       apt::pin { 'ocf-backports':
       priority => 200,
-      codename => "${::lsbdistcodename}-backports",
+      codename => "${facts['facts['os']['distro']['codename']']}-backports",
       }
 
       # TODO: Submit patch to puppetlabs-apt to enable having includes for
@@ -137,39 +137,39 @@
     apt::source {
       'debian':
           location => 'https://mirrors.ocf.berkeley.edu/debian/',
-          release  => $::lsbdistcodename,
+          release  => $facts['facts['os']['distro']['codename']'],
           repos    => $repos,
           include  => {
           src => true
           };
 
       'debian-updates':
           location => 'https://mirrors.ocf.berkeley.edu/debian/',
-          release  => "${::lsbdistcodename}-updates",
+          release  => "${facts['facts['os']['distro']['codename']']}-updates",
           repos    => $repos,
           include  => {
           src => true
           };
 
       'debian-security':
           location => 'https://mirrors.ocf.berkeley.edu/debian-security/',
-          release  => "${::lsbdistcodename}-security",
+          release  => "${facts['facts['os']['distro']['codename']']}-security",
           repos    => $repos,
           include  => {
           src => true
           };
 
       'ocf':
           location => 'https://apt.ocf.berkeley.edu/',
-          release  => $::lsbdistcodename,
+          release  => $facts['facts['os']['distro']['codename']'],
           repos    => 'main',
           include  => {
           src => true
           };
 
       'ocf-backports':
           location => 'https://apt.ocf.berkeley.edu/',
-          release  => "${::lsbdistcodename}-backports",
+          release  => "${facts['facts['os']['distro']['codename']']}-backports",
           repos    => 'main',
           include  => {
           src => true
@@ -179,7 +179,7 @@
       # Pin anything coming from *-backports to be lower than normal priority
       apt::pin { 'ocf-backports':
       priority => 200,
-      codename => "${::lsbdistcodename}-backports",
+      codename => "${facts['facts['os']['distro']['codename']']}-backports",
       }
 
       # TODO: Submit patch to puppetlabs-apt to enable having includes for
@@ -189,19 +189,19 @@
       }
   }
 
-  } elsif $::lsbdistid == 'Raspbian' {
+  } elsif $facts['facts['os']['distro']['id']'] == 'Raspbian' {
     apt::source {
       'raspbian':
         location => 'https://mirrors.ocf.berkeley.edu/raspbian/raspbian/',
-        release  => $::lsbdistcodename,
+        release  => $facts['facts['os']['distro']['codename']'],
         repos    => 'main contrib non-free rpi',
         include  => {
           src => true
         };
 
       'archive-rpi':
         location => 'https://archive.raspberrypi.org/debian/',
-        release  => $::lsbdistcodename,
+        release  => $facts['facts['os']['distro']['codename']'],
         repos    => 'main ui',
         include  => {
           src => true
@@ -212,7 +212,7 @@
   apt::source {
     'puppetlabs':
       location => 'https://mirrors.ocf.berkeley.edu/puppetlabs/apt/',
-      release  => $::lsbdistcodename,
+      release  => $facts['facts['os']['distro']['codename']'],
       repos    => 'puppet',
   }
 

diff --git a/modules/ocf/manifests/auth.pp b/modules/ocf/manifests/auth.pp
@@ -54,7 +54,7 @@
   }
 
   # nameservice configuration
-  if $::skip_ldap {
+  if $facts['skip_ldap'] {
     # use local copy only (never consult LDAP during lookups);
     # this is useful for servers which expect to not have connectivity to ldap
     #
@@ -79,7 +79,7 @@
   }
 
   # PAM user authentication
-  unless $::skip_kerberos {
+  unless $facts['skip_kerberos'] {
     # install Kerberos PAM module
     package { 'libpam-krb5': }
   }
@@ -157,21 +157,21 @@
 
   # Get all DNS names, FQDNs, and IPs for a host to include in SSH keys
   $ssh_aliases = delete(concat(
-    suffix(delete(any2array($::dnsA), ''), ".${::domain}"),
-    $::dnsA,
-    suffix(delete(any2array($::dnsCname), ''), ".${::domain}"),
-    $::dnsCname,
-    $::fqdn,
-    $::ipHostNumber,
-    $::ip6HostNumber,
+    suffix(delete(any2array($facts['dnsA']), ''), ".${facts['facts['networking']['domain']']}"),
+    $facts['dnsA'],
+    suffix(delete(any2array($facts['dnsCname']), ''), ".${facts['facts['networking']['domain']']}"),
+    $facts['dnsCname'],
+    $facts['facts['networking']['fqdn']'],
+    $facts['ipHostNumber'],
+    $facts['ip6HostNumber'],
   ), '')
 
   # Export SSH keys from every host if PuppetDB is running, and use them
   # to populate the global list in /etc/ssh/ssh_known_hosts.
-  if str2bool($::puppetdb_running) {
-    @@sshkey { $::hostname:
+  if str2bool($facts['puppetdb_running']) {
+    @@sshkey { $facts['facts['networking']['hostname']']:
       host_aliases => $ssh_aliases,
-      key          => $::sshecdsakey,
+      key          => $facts['facts['ssh']['ecdsa']['key']'],
       type         => ecdsa-sha2-nistp256,
     }
     Sshkey <<| |>>

diff --git a/modules/ocf/manifests/extrapackages.pp b/modules/ocf/manifests/extrapackages.pp
@@ -194,7 +194,7 @@
     ]:;
   }
 
-  if Integer($::os['distro']['release']['major']) >= 11 {
+  if Integer($facts['os['distro']['release']['major']']) >= 11 {
     package {
       [
         'bat',
@@ -206,7 +206,7 @@
     backport_on =>  ['buster', 'stretch'],
   }
 
-  if $::lsbdistcodename == 'stretch' {
+  if $facts['facts['os']['distro']['codename']'] == 'stretch' {
     package {
       [
         # php-mcrypt is deprecated since PHP 7.1 in favor of using openssl
@@ -220,12 +220,12 @@
         'php7.0-dba',
       ]:;
     }
-  } elsif $::lsbdistcodename == 'buster' {
+  } elsif $facts['facts['os']['distro']['codename']'] == 'buster' {
     # This isn't available as php-dba unfortunately (that's just a virtual
     # package for this), and with virtual packages puppet will try to install
     # them every run, leading to unnecessary noise
     package { 'php7.3-dba':; }
-  } elsif $::lsbdistcodename == 'bullseye' {
+  } elsif $facts['facts['os']['distro']['codename']'] == 'bullseye' {
     # This isn't available as php-dba unfortunately (that's just a virtual
     # package for this), and with virtual packages puppet will try to install
     # them every run, leading to unnecessary noise

diff --git a/modules/ocf/manifests/firewall/firewall46.pp b/modules/ocf/manifests/firewall/firewall46.pp
@@ -2,7 +2,7 @@
   # Ruby's Resolv class doesn't think it should resolve IPv6 addresses if the
   # local host doesn't have a public IPv6 address. Thus we only try to apply
   # IPv6 firewall rules here if the host already has an IPv6 address.
-  $providers = $::ipaddress6 ? {
+  $providers = $facts['facts['networking']['ip6']'] ? {
     undef     => ['iptables'],
     /^fe80::/ => ['iptables'],
     default   => ['iptables', 'ip6tables'],

diff --git a/modules/ocf/manifests/hidepid.pp b/modules/ocf/manifests/hidepid.pp
@@ -13,7 +13,7 @@
     content => "[Service]\nSupplementaryGroups=${procfs_authorized_group}\n",
   }
 
-  if str2bool($::polkit_priv_drop) {
+  if str2bool($facts['polkit_priv_drop']) {
     # Futureproof for policykit for version 0.115. policykit will create this
     # user, we just need to add it to the authorized group
     user { 'polkitd':

diff --git a/modules/ocf/manifests/init.pp b/modules/ocf/manifests/init.pp
@@ -5,7 +5,7 @@
   include ocf::etc
   include ocf::firewall
   include ocf::groups
-  if ($::hostname != 'fallingrocks') {
+  if ($facts['facts['networking']['hostname']'] != 'fallingrocks') {
     include ocf::hidepid
   }
   include ocf::kerberos

diff --git a/modules/ocf/manifests/kerberos.pp b/modules/ocf/manifests/kerberos.pp
@@ -1,5 +1,5 @@
 class ocf::kerberos {
-  if $::skip_kerberos {
+  if $facts['skip_kerberos'] {
     # don't use Kerberos, so remove the packages and config file
     package { [ 'heimdal-clients', 'libsasl2-modules-gssapi-mit' ]:
       ensure => purged;

diff --git a/modules/ocf/manifests/motd.pp b/modules/ocf/manifests/motd.pp
@@ -1,5 +1,5 @@
 class ocf::motd {
-  $motd_from_nfs = str2bool($::ocf_nfs) and !lookup('staff_only')
+  $motd_from_nfs = str2bool($facts['ocf_nfs']) and !lookup('staff_only')
   $owner = lookup('owner', { 'default_value' => undef, })
   $classes_from_hiera = lookup('classes')
 
@@ -9,7 +9,7 @@
       target => '/home/s/st/staff/motd/motd',
     }
   } else {
-    $is_virtual = str2bool($::is_virtual)
+    $is_virtual = str2bool($facts['is_virtual'])
 
     file { '/etc/motd':
       content => template('ocf/motd.erb'),