Puppet Deployment

Manage OnePAM agent deployment using Puppet modules and manifests.

Install from Puppet Forge

Install the official OnePAM Puppet module from Puppet Forge. Includes manifests, templates, Hiera data, and full documentation.


From Puppet Forge (recommended):

  puppet module install onepam-onepam

From source:

  git clone https://github.com/onepamcom/onepam-puppet.git
  cp -r onepam-puppet/onepam \
    /etc/puppetlabs/code/environments/production/modules/

Requirements

Puppet Server
  • Puppet 6.x or 7.x
  • Puppet Enterprise 2019.x or later
  • PuppetDB (optional, for exported resources)
Managed Nodes
  • Linux with systemd
  • Puppet agent 6.x or 7.x
  • Root access for installation

For legacy or non-systemd distributions, use the Gateway SSH Proxy instead; it requires no agent installation on the host.

Quick Start

Include the OnePAM class in your node definition or profile:

# In your site.pp or profile
class { 'onepam':
  server_url => 'https://onepam.com',
  tenant_id  => '00000000-0000-0000-0000-000000000000',
}

Or using Hiera:

# In your Hiera data (e.g., common.yaml)
onepam::server_url: 'https://onepam.com'
onepam::tenant_id: '00000000-0000-0000-0000-000000000000'

# In your manifest
include onepam

Module Structure

onepam/
├── manifests/
│   ├── init.pp           # Main class
│   ├── install.pp        # Installation logic
│   ├── config.pp         # Configuration management
│   └── service.pp        # Service management
├── templates/
│   ├── agent.env.epp     # Configuration template
│   └── onepam-agent.service.epp  # Systemd service
├── files/
│   └── (optional static files)
├── data/
│   └── common.yaml       # Default Hiera data
└── metadata.json         # Module metadata
manifests/init.pp
# @summary Manages OnePAM agent installation and configuration
#
# @param server_url
#   The OnePAM server URL to connect to
# @param tenant_id
#   Your organisation UUID (tenant ID)
# @param log_level
#   Logging verbosity (debug, info, warn, error)
# @param ensure
#   Whether the agent should be present or absent
#
class onepam (
  String                    $server_url = 'https://onepam.com',
  String                    $tenant_id  = '00000000-0000-0000-0000-000000000000',
  String                    $log_level  = 'info',
  Enum['present', 'absent'] $ensure     = 'present',
) {
  contain onepam::install
  contain onepam::config
  contain onepam::service

  if $ensure == 'present' {
    # Install, then write configuration; a config change restarts the service
    Class['onepam::install']
    -> Class['onepam::config']
    ~> Class['onepam::service']
  } else {
    # Removal runs in reverse: stop the service before its unit file and binary go
    Class['onepam::service']
    -> Class['onepam::config']
    -> Class['onepam::install']
  }
}
manifests/install.pp
# @api private
class onepam::install {
  $install_dir  = '/opt/onepam'
  $download_url = 'https://updates.onepam.com/agent/latest/onepam-agent-linux-amd64'

  # Installation, configuration and data directories
  file { [
    $install_dir,
    "${install_dir}/bin",
    "${install_dir}/etc",
    "${install_dir}/data",
    "${install_dir}/data/queue",
  ]:
    ensure => directory,
    owner  => 'root',
    group  => 'root',
    mode   => '0755',
  }

  if $onepam::ensure == 'present' {
    # Download the agent binary. `creates` makes this a one-shot: the file is
    # fetched only while it is missing. Note that this step pins no version
    # and verifies no checksum; it trusts whatever the `latest` URL serves.
    exec { 'download-onepam-agent':
      command => "/usr/bin/curl -sL ${download_url} -o ${install_dir}/bin/onepam-agent",
      creates => "${install_dir}/bin/onepam-agent",
      require => File["${install_dir}/bin"],
    }

    file { "${install_dir}/bin/onepam-agent":
      ensure  => file,
      owner   => 'root',
      group   => 'root',
      mode    => '0755',
      require => Exec['download-onepam-agent'],
    }
  } else {
    # ensure => absent: remove the binary, leave the directories in place
    file { "${install_dir}/bin/onepam-agent":
      ensure => absent,
    }
  }
}
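A hardened variant of the download step, added here as an illustration; it is not part of the onepam module. Instead of the unversioned `latest` URL and an unchecked `curl`, the binary is fetched by a `file` resource that carries the expected SHA-256 digest, so Puppet itself compares what it downloaded against a known value. The class name, the `$download_url` parameter and the all-zero digest placeholder are assumptions (the page documents only the `latest` URL). The class relies on the directories install.pp already creates and is meant to replace, not sit beside, the `exec`/`file` pair there, since Puppet rejects two declarations of the same path.

```puppet
# onepam::install_pinned (assumed name): install a pinned, digest-checked agent binary.
class onepam::install_pinned (
  # Full URL of the exact release to deploy (assumed parameter; the page only
  # documents the unversioned .../agent/latest/... URL).
  String                      $download_url,
  # Placeholder: replace with the SHA-256 digest published for that release.
  Pattern[/\A[0-9a-f]{64}\z/] $expected_sha256 = '0000000000000000000000000000000000000000000000000000000000000000',
  String                      $install_dir     = '/opt/onepam',
) {
  file { "${install_dir}/bin/onepam-agent":
    ensure         => file,
    owner          => 'root',
    group          => 'root',
    mode           => '0755',
    # Puppet downloads the file itself (http(s) sources are supported in the
    # Puppet 6/7 versions the module requires) and compares the SHA-256 of the
    # content with checksum_value; a mismatch is reported as an error rather
    # than installed.
    source         => $download_url,
    checksum       => 'sha256',
    checksum_value => $expected_sha256,
    require        => File["${install_dir}/bin"],
  }
}
```

Because `checksum_value` also drives the in-sync check, bumping the digest together with `$download_url` is what rolls out an upgrade, and a binary on disk whose SHA-256 no longer matches is reported as a change on the next agent run, which is a useful drift signal on its own.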
manifests/config.pp
# @api private
class onepam::config {
  # present -> manage the files, absent -> remove them
  $file_ensure = $onepam::ensure ? {
    'present' => file,
    default   => absent,
  }

  # Agent configuration; 0600 because it carries the tenant ID
  file { '/opt/onepam/etc/agent.env':
    ensure  => $file_ensure,
    owner   => 'root',
    group   => 'root',
    mode    => '0600',
    content => epp('onepam/agent.env.epp', {
      server_url => $onepam::server_url,
      tenant_id  => $onepam::tenant_id,
      log_level  => $onepam::log_level,
    }),
  }

  # Systemd unit; any change (including removal) triggers a daemon-reload
  file { '/etc/systemd/system/onepam-agent.service':
    ensure  => $file_ensure,
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    content => epp('onepam/onepam-agent.service.epp'),
    notify  => Exec['systemctl-daemon-reload'],
  }

  exec { 'systemctl-daemon-reload':
    command     => '/bin/systemctl daemon-reload',
    refreshonly => true,
  }
}
manifests/service.pp
# @api private
class onepam::service {
  # Running and enabled when present; stopped and disabled when absent
  service { 'onepam-agent':
    ensure => $onepam::ensure ? {
      'present' => running,
      default   => stopped,
    },
    enable => $onepam::ensure == 'present',
  }
}
templates/agent.env.epp
<%- | String $server_url, String $tenant_id, String $log_level | -%>
AGENT_API_URL=<%= $server_url %>
AGENT_TENANT_ID=<%= $tenant_id %>
AGENT_LOG_LEVEL=<%= $log_level %>
AGENT_DATA_DIR=/opt/onepam/data
templates/onepam-agent.service.epp
[Unit]
Description=OnePAM Agent
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
User=root
EnvironmentFile=/opt/onepam/etc/agent.env
ExecStart=/opt/onepam/bin/onepam-agent \
    --server=${AGENT_API_URL} \
    --tenant-id=${AGENT_TENANT_ID}
Restart=always
RestartSec=10
LimitNOFILE=65536
LimitMEMLOCK=infinity

[Install]
WantedBy=multi-user.target

Parameters Reference

Parameter   Type                       Default                               Description
server_url  String                     https://onepam.com                    OnePAM server URL
tenant_id   String                     00000000-0000-0000-0000-000000000000  Organisation UUID (tenant ID)
log_level   String                     info                                  Logging verbosity (debug, info, warn, error)
ensure      Enum['present', 'absent']  present                               Whether the agent is present or absent

Hiera Configuration

Use Hiera for hierarchical configuration management:

data/common.yaml (Global defaults)
---
onepam::server_url: 'https://onepam.example.com'
onepam::tenant_id: '00000000-0000-0000-0000-000000000000'
onepam::log_level: 'info'
data/environment/production.yaml
---
onepam::server_url: 'https://prod.onepam.example.com'
onepam::tenant_id: '00000000-0000-0000-0000-000000000000'
onepam::log_level: 'warn'
data/environment/development.yaml
---
onepam::server_url: 'https://dev.onepam.example.com'
onepam::tenant_id: '00000000-0000-0000-0000-000000000000'
onepam::log_level: 'debug'
hiera.yaml
---
version: 5
defaults:
  datadir: data
  data_hash: yaml_data

hierarchy:
  - name: "Per-node data"
    path: "nodes/%{trusted.certname}.yaml"
  
  - name: "Per-environment data"
    path: "environment/%{environment}.yaml"
  
  - name: "Per-OS family"
    path: "os/%{facts.os.family}.yaml"
  
  - name: "Common data"
    path: "common.yaml"

Examples

# Using include (relies on Hiera for parameters)
include onepam

# Or with explicit parameters
class { 'onepam':
  server_url => 'https://onepam.example.com',
  tenant_id  => '00000000-0000-0000-0000-000000000000',
}

# profile::monitoring
class profile::monitoring (
  String $onepam_url,
  String $onepam_tenant,
) {
  class { 'onepam':
    server_url => $onepam_url,
    tenant_id  => $onepam_tenant,
  }
  
  # Additional monitoring tools can be added here
}

# role::webserver
class role::webserver {
  include profile::base
  include profile::monitoring
  include profile::webserver
}

# role::database
class role::database {
  include profile::base
  include profile::monitoring
  include profile::database
}

# Node classification
node 'web01.example.com' {
  include role::webserver
}

node 'db01.example.com' {
  include role::database
}
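A wrapper profile that validates its inputs before they reach the onepam class, added here as an example (it is not part of the module or of the page's own role/profile examples). It rejects a server URL that is not https://, a tenant ID that is not UUID-shaped, and the all-zero placeholder the module ships as its default, so the mistake surfaces as a catalog compile failure on the Puppet server instead of as an agent that sends its tenant ID over cleartext or fails at runtime. The profile name and its parameter names are assumptions; values arrive through Hiera automatic parameter lookup (profile::onepam::server_url and so on).

```puppet
# profile::onepam (assumed name): validate inputs, then declare the onepam class.
# Supply values through Hiera automatic lookup, for example:
#   profile::onepam::server_url: 'https://onepam.example.com'
#   profile::onepam::tenant_id:  '<your organisation UUID>'
class profile::onepam (
  # Only https:// is accepted so the tenant ID and agent traffic never travel over plain HTTP.
  Pattern[/\Ahttps:\/\/[^\/\s]+/]                                    $server_url,
  # Must be UUID-shaped: 8-4-4-4-12 hex groups.
  Pattern[/\A[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\z/]  $tenant_id,
  # Restrict to the levels the agent documents instead of accepting any String.
  Enum['debug', 'info', 'warn', 'error']                             $log_level = 'info',
  Enum['present', 'absent']                                          $ensure    = 'present',
) {
  # The module's default tenant ID is the nil UUID; catch it before it is written to agent.env.
  if $tenant_id == '00000000-0000-0000-0000-000000000000' {
    fail("profile::onepam: tenant_id is still the placeholder; set profile::onepam::tenant_id in Hiera for ${trusted['certname']}")
  }

  class { 'onepam':
    server_url => $server_url,
    tenant_id  => $tenant_id,
    log_level  => $log_level,
    ensure     => $ensure,
  }
}
```

With this in place, a role uses `include profile::onepam` in place of the direct `class { 'onepam': ... }` declaration; a node whose Hiera data violates any of the types, or still carries the placeholder tenant ID, fails at compile time with the offending parameter named in the error.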

In Puppet Enterprise, use the Console to classify nodes:

  1. Navigate to Configure > Classification
  2. Create a node group (e.g., "Monitored Servers")
  3. Add the onepam class
  4. Set parameters in the class configuration
  5. Add matching rules or pin specific nodes

Tip: Use r10k or Code Manager to deploy the OnePAM module to your Puppet infrastructure.