authorMike Gabriel <mike.gabriel@das-netzwerkteam.de>2025-01-24 16:29:30 +0100
committerMike Gabriel <mike.gabriel@das-netzwerkteam.de>2025-01-24 16:39:44 +0100
commit1852b6cf92e0b08db26d3398faf41b2c8a20b400 (patch)
treed419d9d16a2c0bb130b80c3da6f565ecd3484762
parentf2c81d3bb484d27a9af019d3934fbf4620e9514d (diff)
sbin/*puppet*: Rework puppet client/ca maintenance scripts.
-rwxr-xr-xsbin/itzks-puppet-refresh-ssl8
-rwxr-xr-xsbin/itzks-puppet-renew-ssl40
-rwxr-xr-xsbin/itzks-puppet-reset-ssl (renamed from bin/itzks-puppet-list-known-hosts)17
-rwxr-xr-xsbin/itzks-puppetserver-autosign-new-host-certificates (renamed from sbin/itzks-puppet-autosign-new-host-certificates)21
-rwxr-xr-xsbin/itzks-puppetserver-clean-hosts-from-ca (renamed from sbin/itzks-prepare-reinstall)2
-rwxr-xr-xsbin/itzks-puppetserver-detect-broken-hosts84
-rwxr-xr-xsbin/itzks-puppetserver-list-known-hosts49
7 files changed, 207 insertions, 14 deletions
diff --git a/sbin/itzks-puppet-refresh-ssl b/sbin/itzks-puppet-refresh-ssl
deleted file mode 100755
index babebfb..0000000
--- a/sbin/itzks-puppet-refresh-ssl
+++ /dev/null
@@ -1,8 +0,0 @@
-#!/bin/bash
-
-rm /var/lib/puppet/ssl/certs/ca.pem
-find /var/lib/puppet/ssl/ -name "$HOSTNAME.pem" -delete
-puppet agent --test
-puppet agent --enable
-systemctl enable puppet
-systemctl start puppet
diff --git a/sbin/itzks-puppet-renew-ssl b/sbin/itzks-puppet-renew-ssl
new file mode 100755
index 0000000..3b2dcbf
--- /dev/null
+++ b/sbin/itzks-puppet-renew-ssl
@@ -0,0 +1,40 @@
+#!/bin/bash
+
+# Copyright (C) 2022-2025 Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+
+if [ $(id -u) -gt 0 ]; then
+ echo "ERROR: This script has to run as super-user root."
+ exit 1
+fi
+
+if [[ -z "${HOSTNAME}" ]]; then
+ echo "HOSTNAME environment variable is not set... Exiting!"
+ exit 1
+fi
+
+itzks-puppet-reset-ssl
+
+ssh puppetserver itzks-puppetserver-clean-hosts-from-ca "${HOSTNAME}"
+
+puppet agent --test --waitforcert 0
+
+ssh puppetserver itzks-puppetserver-autosign-new-hosts-certificates "${HOSTNAME}"
+
+puppet agent --test
+puppet agent --enable
+systemctl enable puppet
+systemctl start puppet
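Review bot: The second ssh call invokes `itzks-puppetserver-autosign-new-hosts-certificates`, but the server-side script this commit renames is `itzks-puppetserver-autosign-new-host-certificates` (singular "host", see the `+++ b/sbin/...` header of that file), so the remote command will not be found. Because no exit status is checked anywhere in this script, that failure — like a failed `ssh puppetserver itzks-puppetserver-clean-hosts-from-ca` — is silently followed by `puppet agent --test`, `--enable` and the systemctl calls, leaving the host with no signed certificate but the agent re-enabled. I would write both remote steps as `ssh puppetserver itzks-puppetserver-clean-hosts-from-ca "${HOSTNAME}" || exit 1` and `ssh puppetserver itzks-puppetserver-autosign-new-host-certificates "${HOSTNAME}" || exit 1` (the first `puppet agent --test --waitforcert 0` is presumably expected to return non-zero while the CSR is pending and can stay unchecked). Since the server-side scripts take the host name purely from their argument, whatever ssh identity is used here can clean or sign any host's certificate; restricting that key with a forced command on puppetserver is worth considering, though the ssh configuration is not visible in this diff.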
diff --git a/bin/itzks-puppet-list-known-hosts b/sbin/itzks-puppet-reset-ssl
index 5ca8b8f..7ef6298 100755
--- a/bin/itzks-puppet-list-known-hosts
+++ b/sbin/itzks-puppet-reset-ssl
@@ -1,6 +1,6 @@
#!/bin/bash
-# Copyright (C) 2022 Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
+# Copyright (C) 2022-2025 Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -16,6 +16,15 @@
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-ls /var/lib/puppet/ssl/ca/signed | cut -d "." -f1-2 | while read host;
- do getent hosts $host
-done | grep 10.
+if [ $(id -u) -gt 0 ]; then
+ echo "ERROR: This script has to run as super-user root."
+ exit 1
+fi
+
+if [[ -z "${HOSTNAME}" ]]; then
+ echo "HOSTNAME environment variable is not set... Exiting!"
+ exit 1
+fi
+
+rm /var/lib/puppet/ssl/certs/ca.pem
+find /var/lib/puppet/ssl/ -name "${HOSTNAME}.pem" -delete
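Review bot: `rm /var/lib/puppet/ssl/certs/ca.pem` prints an error and returns non-zero when the file is already gone, which is exactly the state after a previous or partially completed reset, so the step that is meant to make re-running `itzks-puppet-renew-ssl` safe is itself not idempotent; `rm -f -- /var/lib/puppet/ssl/certs/ca.pem` fixes that, and the same applies to the logic carried over from the deleted `itzks-puppet-refresh-ssl`. The ssl directory is hard-coded to `/var/lib/puppet/ssl` here while the server-side scripts in this commit select the CA path by `VERSION_CODENAME`; whether the agent-side path also differs on newer releases is not visible from the diff and should be confirmed. A short header comment stating that this script only wipes the local CA cert and host cert and is meant to be followed by a CSR/sign cycle would help, e.g. `# Remove the cached CA cert and this host's own cert so the next 'puppet agent --test' requests a fresh certificate.`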
diff --git a/sbin/itzks-puppet-autosign-new-host-certificates b/sbin/itzks-puppetserver-autosign-new-host-certificates
index 4fbf678..56dc9bf 100755
--- a/sbin/itzks-puppet-autosign-new-host-certificates
+++ b/sbin/itzks-puppetserver-autosign-new-host-certificates
@@ -1,6 +1,6 @@
#!/bin/bash
-# Copyright (C) 2022 Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
+# Copyright (C) 2022-2025 Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -16,6 +16,11 @@
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+if [ $(id -u) -gt 0 ]; then
+ echo "ERROR: This script has to run as super-user root."
+ exit 1
+fi
+
unset http_proxy
unset https_proxy
@@ -26,6 +31,10 @@ if [ "${HOSTNAME}." != "${PUPPET_SERVER}" ]; then
exit 0
fi
+if [[ -n "${1}" ]]; then
+ ONLY_PUPPET_CLIENT="${1}"
+fi
+
source /etc/os-release
if [ "${ID}" = "debian" ] && \
@@ -43,6 +52,11 @@ if [ "${ID}" = "debian" ] && \
echo "${NEW_PUPPET_SIGNING_REQUESTS}" | while read host_csr; do
+ # Only process one specific client...
+ if [ -n "${ONLY_PUPPET_CLIENT}" ] && [ "${ONLY_PUPPET_CLIENT}" != "${host_csr}" ]; then
+ continue
+ fi
+
# strip domain name
hostname_short="$(echo $host_csr | cut -d '.' -f1)"
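Review bot: The client filter added above `# strip domain name` compares `${ONLY_PUPPET_CLIENT}` with `${host_csr}` as an exact string, and when nothing matches the loop signs nothing and the script still exits 0, so the caller (`itzks-puppet-renew-ssl` passes its own `${HOSTNAME}`) cannot tell that its CSR was never signed. If `host_csr` carries the certificate's FQDN while the caller's `HOSTNAME` is a short name, every such call takes this silent path — worth confirming against the CSR names the server actually lists. Because the loop runs in a pipeline subshell, a flag set inside it would be lost; checking before the loop, e.g. `grep -qx -- "${ONLY_PUPPET_CLIENT}" <<<"${NEW_PUPPET_SIGNING_REQUESTS}" || { echo "no pending CSR for ${ONLY_PUPPET_CLIENT}" >&2; exit 1; }`, gives the caller a usable status. The same filter is duplicated in the hunk at `@@ -72,6 +86,11 @@`; both `while read host_csr` loops start and end outside their hunks.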
@@ -72,6 +86,11 @@ else
echo "${NEW_PUPPET_SIGNING_REQUESTS}" | while read host_csr; do
+ # Only process one specific client...
+ if [ -n "${ONLY_PUPPET_CLIENT}" ] && [ "${ONLY_PUPPET_CLIENT}" != "${host_csr}" ]; then
+ continue
+ fi
+
# strip domain name
hostname_short="$(echo $host_csr | cut -d '.' -f1)"
diff --git a/sbin/itzks-prepare-reinstall b/sbin/itzks-puppetserver-clean-hosts-from-ca
index 4e7945f..a269ac9 100755
--- a/sbin/itzks-prepare-reinstall
+++ b/sbin/itzks-puppetserver-clean-hosts-from-ca
@@ -1,6 +1,6 @@
#!/bin/bash
-# Copyright (C) 2023 Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
+# Copyright (C) 2023-2025 Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
diff --git a/sbin/itzks-puppetserver-detect-broken-hosts b/sbin/itzks-puppetserver-detect-broken-hosts
new file mode 100755
index 0000000..ad13ea7
--- /dev/null
+++ b/sbin/itzks-puppetserver-detect-broken-hosts
@@ -0,0 +1,84 @@
+#!/bin/bash
+
+# Copyright (C) 2025 Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+
+if [ $(id -u) -gt 0 ]; then
+ echo "ERROR: This script has to run as super-user root."
+ exit 1
+fi
+
+usage() {
+ echo "$(basename ${0}) [-t|--today] [--exclude=<regexp>] [--include=<regexp>]"
+ exit 1
+}
+
+for arg in "$@"; do
+ case "${arg}" in
+ -t|--today)
+ TODAY=true
+ ;;
+ --exclude=*)
+ EXCLUDE="${arg#*=}"
+ ;;
+ --include=*)
+ INCLUDE="${arg#*=}"
+ ;;
+ --include|--exclude)
+ # options used in wrong way
+ usage
+ ;;
+ *)
+ # unknown option
+ usage
+ ;;
+ esac
+done
+
+TMPFILE=$(mktemp)
+
+if [[ ! $TODAY ]]; then
+ ls /var/log/puppetserver/puppetserver-access-*.log.gz | sort | while read file; do
+ zcat $file >> "${TMPFILE}"
+ done
+fi
+cat /var/log/puppetserver/puppetserver-access.log >> "${TMPFILE}"
+
+iplist_with_puppeterrors=$(cat ${TMPFILE} | grep -v ' 200 ' | awk '{ print $1 }' | sort | uniq)
+
+for ip in ${iplist_with_puppeterrors}; do
+ fqdn=$(dig +short -x "${ip}" | sed -e "s/.\$//g")
+
+ if [ "${fqdn}" = "${HOSTNAME}" ]; then
+ continue
+ fi
+
+ if [[ -n "${INCLUDE}" ]] && ! echo "${ip} ${fqdn}" | grep -q -E "${INCLUDE}"; then
+ continue
+ fi
+
+ if [[ -n "${EXCLUDE}" ]] && ! echo "${ip} ${fqdn}" | grep -v -q -E "${EXCLUDE}"; then
+ continue
+ fi
+
+ if [[ -n "$fqdn" ]]; then
+ echo -e "$fqdn\t-\t$ip"
+ else
+ echo -e "(unknown)\t-\t$ip"
+ fi
+done
+
+rm "${TMPFILE}"
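Review bot: The temporary file from `TMPFILE=$(mktemp)` is only removed by the final `rm "${TMPFILE}"`, so an interrupted run (Ctrl-C during the `zcat` loop or the per-IP `dig` loop) leaves a concatenated copy of the puppetserver access logs in /tmp; registering `trap 'rm -f -- "${TMPFILE}"' EXIT` right after `mktemp` and dropping the trailing `rm` covers every exit path. The `ls ... | sort | while read file` loop parses `ls` and expands `$file` unquoted; a glob loop `for file in /var/log/puppetserver/puppetserver-access-*.log.gz; do zcat -- "$file" >> "${TMPFILE}"; done` yields the same sorted order without either problem. `dig +short -x` can return more than one PTR record, in which case `fqdn` holds several lines and the `echo -e "$fqdn\t-\t$ip"` output is no longer one record per IP — presumably `head -n1` (or reporting all names) is wanted here. The `--exclude` branch's `! ... | grep -v -q -E` double negation reads as "continue if the line matches", which is what it does, but `grep -q -E "${EXCLUDE}"` followed by `continue` says so directly.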
diff --git a/sbin/itzks-puppetserver-list-known-hosts b/sbin/itzks-puppetserver-list-known-hosts
new file mode 100755
index 0000000..49d63d7
--- /dev/null
+++ b/sbin/itzks-puppetserver-list-known-hosts
@@ -0,0 +1,49 @@
+#!/bin/bash
+
+# Copyright (C) 2022-2025 Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+
+if [ $(id -u) -gt 0 ]; then
+ echo "ERROR: This script has to run as super-user root."
+ exit 1
+fi
+
+PUPPET_SERVER="puppetserver.intern"
+TJENER_SERVER="tjener.intern"
+
+if [ "${HOSTNAME}" != "${PUPPET_SERVER}" ] && [ "${HOSTNAME}" != "${TJENER_SERVER}" ]; then
+ echo "$(basename $0): Error: This script may only be run on 'tjener.intern' or 'puppetserver.intern'."
+ exit -1
+fi
+
+source /etc/os-release
+
+if [ "${ID}" = "debian" ] && \
+ ([ "${VERSION_CODENAME}" == "stretch" ] || \
+ [ "${VERSION_CODENAME}" == "buster" ] || \
+ [ "${VERSION_CODENAME}" == "bullseye" ]); then
+
+ SIGNED_CERTS_PATH="/var/lib/puppet/ssl/ca/signed"
+
+else
+
+ SIGNED_CERTS_PATH="/etc/puppet/puppetserver/ca/signed"
+
+}
+
+ls "${SIGNED_CERTS_PATH}" | cut -d "." -f1-2 | while read host; do
+ getent hosts $host
+done | grep 10.
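Review bot: The `}` that closes the `if ... else` block selecting `SIGNED_CERTS_PATH` is a syntax error — bash will refuse to run the whole script ("syntax error near unexpected token `}`") — and must be `fi`. The final `grep 10.` is an unanchored regex in which `.` matches any character, so it also passes `getent` lines whose address starts with e.g. `110.` or contains `10` followed by anything later in the line; `grep '^10\.'` matches only addresses in 10.0.0.0/8, which appears to be the intent carried over from the old `bin/itzks-puppet-list-known-hosts`. `exit -1` is not a valid exit status (bash reports 255); `exit 1` is the conventional form. The loop also parses `ls` and passes `$host` unquoted; `for cert in "${SIGNED_CERTS_PATH}"/*.pem; do getent hosts "$(basename -- "${cert%.pem}" | cut -d . -f1-2)"; done` would avoid both, though the one-line version is unchanged from the original script.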