Install from Puppet Forge

Install the official OnePAM Puppet module from Puppet Forge. Includes manifests, templates, Hiera data, and full documentation.

GitHub

From Puppet Forge (recommended)

puppet module install onepam-onepam

From Source

git clone https://github.com/onepamcom/onepam-puppet.git
cp -r onepam-puppet/onepam \
  /etc/puppetlabs/code/environments/production/modules/

Requirements

Puppet Server

Puppet 6.x, 7.x, or 8.x
Puppet Enterprise 2019.x or later
PuppetDB (optional, for exported resources)
puppetlabs-stdlib >= 6.0.0

Managed Nodes

Linux with systemd
Puppet agent 6.x, 7.x, or 8.x
Root access for installation

For deprecated or non-systemd distributions, use the Gateway SSH Proxy instead — no agent installation required.

Quick Start

Include the OnePAM class in your node definition or profile:

# In your site.pp or profile
class { 'onepam':
  server_url => 'https://onepam.com',
  tenant_id  => '00000000-0000-0000-0000-000000000000',
}

Or using Hiera:

# In your Hiera data (e.g., common.yaml)
onepam::server_url: 'https://onepam.com'
onepam::tenant_id: '00000000-0000-0000-0000-000000000000'

# In your manifest
include onepam

Module Structure

onepam/
├── manifests/
│   ├── init.pp           # Main class
│   ├── install.pp        # Installation logic
│   ├── config.pp         # Configuration management
│   └── service.pp        # Service management
├── templates/
│   ├── agent.env.epp     # Configuration template
│   └── onepam-agent.service.epp  # Systemd service
├── files/
│   └── (optional static files)
├── data/
│   └── common.yaml       # Default Hiera data
├── metadata.json         # Module metadata
└── README.md             # Documentation

manifests/init.pp

class onepam (
  String              $server_url    = 'https://onepam.com',
  String              $tenant_id     = '',
  String              $group_uuid    = '',
  String              $agent_version = 'latest',
  Enum['debug','info','warn','error'] $log_level = 'info',
  Stdlib::HTTPUrl     $release_url   = 'https://updates.onepam.com',
  Stdlib::Absolutepath $install_dir  = '/opt/onepam',
  Enum['present','absent'] $ensure   = 'present',
) {
  if $facts['kernel'] != 'Linux' {
    fail('The onepam module only supports Linux')
  }
  if $ensure == 'present' and $tenant_id == '' {
    fail('onepam::tenant_id is required')
  }
  if $ensure == 'present' {
    contain onepam::install
    contain onepam::config
    contain onepam::service
    Class['onepam::install']
    -> Class['onepam::config']
    ~> Class['onepam::service']
  } else {
    contain onepam::service
    contain onepam::config
    contain onepam::install
    Class['onepam::service']
    -> Class['onepam::config']
    -> Class['onepam::install']
  }
}

manifests/install.pp

# @api private
class onepam::install {
  $install_dir   = $onepam::install_dir
  $release_url   = $onepam::release_url
  $agent_version = $onepam::agent_version
  $ensure        = $onepam::ensure

  if $ensure == 'present' {
    ensure_packages(['curl'])

    file { [$install_dir, "${install_dir}/bin",
            "${install_dir}/etc", "${install_dir}/data",
            "${install_dir}/data/queue"]:
      ensure => directory,
      owner  => 'root',
      group  => 'root',
      mode   => '0750',
    }

    $download_url  = "${release_url}/agent/${agent_version}/onepam-agent-linux-amd64"
    $checksum_url  = "${download_url}.sha256"
    $binary_path   = "${install_dir}/bin/onepam-agent"
    $version_file  = "${install_dir}/bin/.version"

    exec { 'download-onepam-agent':
      command => "/usr/bin/curl -sfL ${download_url} -o ${binary_path} && \
                  /usr/bin/curl -sfL ${checksum_url} | /usr/bin/sha256sum -c - && \
                  echo '${agent_version}' > ${version_file}",
      unless  => "/usr/bin/test -f ${version_file} && \
                  /bin/grep -qx '${agent_version}' ${version_file}",
      require => [File["${install_dir}/bin"], Package['curl']],
    }

    file { $binary_path:
      ensure  => file,
      owner   => 'root',
      group   => 'root',
      mode    => '0755',
      require => Exec['download-onepam-agent'],
    }
  } else {
    file { $install_dir:
      ensure  => absent,
      recurse => true,
      purge   => true,
      force   => true,
    }
  }
}

manifests/config.pp

# @api private
class onepam::config {
  $install_dir = $onepam::install_dir
  $ensure      = $onepam::ensure

  if $ensure == 'present' {
    exec { 'generate-agent-id':
      command => "/bin/cat /proc/sys/kernel/random/uuid > ${install_dir}/etc/agent-id",
      creates => "${install_dir}/etc/agent-id",
    }

    file { "${install_dir}/etc/agent.env":
      ensure  => file,
      owner   => 'root',
      group   => 'root',
      mode    => '0600',
      content => epp('onepam/agent.env.epp', {
        server_url => $onepam::server_url,
        tenant_id  => $onepam::tenant_id,
        log_level  => $onepam::log_level,
        group_uuid => $onepam::group_uuid,
      }),
    }
  } else {
    file { "${install_dir}/etc/agent.env":
      ensure => absent,
    }
  }
}

manifests/service.pp

# @api private
class onepam::service {
  $install_dir = $onepam::install_dir
  $ensure      = $onepam::ensure

  if $ensure == 'present' {
    file { '/etc/systemd/system/onepam-agent.service':
      ensure  => file,
      owner   => 'root',
      group   => 'root',
      mode    => '0644',
      content => epp('onepam/onepam-agent.service.epp', {
        install_dir => $install_dir,
      }),
      notify  => Exec['systemctl-daemon-reload'],
    }

    exec { 'systemctl-daemon-reload':
      command     => '/bin/systemctl daemon-reload',
      refreshonly => true,
    }

    service { 'onepam-agent':
      ensure    => running,
      enable    => true,
      require   => File['/etc/systemd/system/onepam-agent.service'],
      subscribe => File["${install_dir}/etc/agent.env"],
    }
  } else {
    service { 'onepam-agent':
      ensure => stopped,
      enable => false,
    }

    file { '/etc/systemd/system/onepam-agent.service':
      ensure  => absent,
      require => Service['onepam-agent'],
      notify  => Exec['systemctl-daemon-reload'],
    }

    exec { 'systemctl-daemon-reload':
      command     => '/bin/systemctl daemon-reload',
      refreshonly => true,
    }
  }
}

templates/agent.env.epp

<%- | String $server_url, String $tenant_id, String $log_level, String $group_uuid | -%>
# OnePAM Agent Configuration
# Managed by Puppet — do not edit manually

AGENT_API_URL="<%= $server_url %>"
AGENT_TENANT_ID="<%= $tenant_id %>"
AGENT_LOG_LEVEL="<%= $log_level %>"
<% if $group_uuid != '' { -%>
AGENT_GROUP_UUID="<%= $group_uuid %>"
<% } -%>

templates/onepam-agent.service.epp

<%- | String $install_dir | -%>
[Unit]
Description=OnePAM Agent
After=network-online.target
Wants=network-online.target

[Service]
Type=notify
User=root
EnvironmentFile=<%= $install_dir %>/etc/agent.env
ExecStart=/bin/bash -c '<%= $install_dir %>/bin/onepam-agent \
    --agent-id=$(cat <%= $install_dir %>/etc/agent-id)'
Restart=always
RestartSec=10
WatchdogSec=120
LimitNOFILE=65536
LimitMEMLOCK=infinity

[Install]
WantedBy=multi-user.target

Parameters Reference

Parameter	Type	Default	Description
`server_url`	String	`https://onepam.com`	OnePAM server URL
`tenant_id`	String	`''` (empty)	Organisation UUID (tenant ID) — required when ensure is present
`group_uuid`	String	`''` (empty)	Optional group UUID to assign the agent to
`agent_version`	String	`latest`	Version of the agent binary to install
`log_level`	Enum['debug','info','warn','error']	`info`	Logging verbosity
`release_url`	Stdlib::HTTPUrl	`https://updates.onepam.com`	Base URL for agent binary downloads
`install_dir`	Stdlib::Absolutepath	`/opt/onepam`	Installation directory for the agent
`ensure`	Enum['present','absent']	`present`	Whether the agent should be installed or removed

Hiera Configuration

Use Hiera for hierarchical configuration management:

data/common.yaml (Global defaults)

---
onepam::server_url: 'https://onepam.example.com'
onepam::tenant_id: '00000000-0000-0000-0000-000000000000'
onepam::log_level: 'info'

data/environment/production.yaml

---
onepam::server_url: 'https://prod.onepam.example.com'
onepam::tenant_id: '00000000-0000-0000-0000-000000000000'
onepam::log_level: 'warn'

data/environment/development.yaml

---
onepam::server_url: 'https://dev.onepam.example.com'
onepam::tenant_id: '00000000-0000-0000-0000-000000000000'
onepam::log_level: 'debug'

hiera.yaml

---
version: 5
defaults:
  datadir: data
  data_hash: yaml_data

hierarchy:
  - name: "Per-node data"
    path: "nodes/%{trusted.certname}.yaml"
  
  - name: "Per-environment data"
    path: "environment/%{environment}.yaml"
  
  - name: "Per-OS family"
    path: "os/%{facts.os.family}.yaml"
  
  - name: "Common data"
    path: "common.yaml"

Examples

# Using include (relies on Hiera for parameters)
include onepam

# Or with explicit parameters
class { 'onepam':
  server_url => 'https://onepam.example.com',
  tenant_id  => '00000000-0000-0000-0000-000000000000',
}

# profile::monitoring
class profile::monitoring (
  String $onepam_url,
  String $onepam_tenant,
) {
  class { 'onepam':
    server_url => $onepam_url,
    tenant_id  => $onepam_tenant,
  }
  
  # Additional monitoring tools can be added here
}

# role::webserver
class role::webserver {
  include profile::base
  include profile::monitoring
  include profile::webserver
}

# role::database
class role::database {
  include profile::base
  include profile::monitoring
  include profile::database
}

# Node classification
node 'web01.example.com' {
  include role::webserver
}

node 'db01.example.com' {
  include role::database
}

In Puppet Enterprise, use the Console to classify nodes:

Navigate to Configure > Classification
Create a node group (e.g., "Monitored Servers")
Add the onepam class
Set parameters in the class configuration
Add matching rules or pin specific nodes

Tip: Use r10k or Code Manager to deploy the OnePAM module to your Puppet infrastructure.

Puppet Deployment