diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..01d0a08
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+pkg/
diff --git a/.pmtignore b/.pmtignore
new file mode 100644
index 0000000..3b056e1
--- /dev/null
+++ b/.pmtignore
@@ -0,0 +1,5 @@
+pkg/
+tests/
+assets/
+_config.yml
+.fixtures.yml
diff --git a/README.markdown b/README.markdown
index a48b3f0..08428aa 100644
--- a/README.markdown
+++ b/README.markdown
@@ -1,12 +1,26 @@ -# xd7mastercontroller # +# Citrix XenDesktop 7 delivery controller Puppet Module # -This modules install an enterprise production grade Citrix 7.x Delivery Controller, including Citrix site creation and administrator rights setup. +Puppet module installing a production grade Citrix XenDesktop 7.x Delivery Controller, including XenDesktop site creation, high availability configuration and administrator rights setup. The following options are available for a production-grade installation : - Fault tolerance : AlwaysOn database membership activation for Citrix databases created by the package - Sécurity : SSL configuration to secure communications with the Citrix XML Broker Service -## Integration informations +## Requirements ## + +The minimum Windows Management Framework (PowerShell) version required is 5.0 or higher, which ships with Windows 10 or Windows Server 2016, but can also be installed on Windows 7 SP1, Windows 8.1, Windows Server 2008 R2 SP1, Windows Server 2012 and Windows Server 2012 R2. + +This module requires SQLServer powershell module v21.0.17199. The module will install this dependancy : +- From Powershell Gallery if **sqlservermodulesource** parameter is set to **internet** +- From an enterprise location if **sqlservermodulesource** parameter is set to **offline**. In this case, the ZIP file containing the SQLServer v21.0.17199 (_sqlserver_powershell_21.0.17199.zip_) has to be manually downloaded from Powershell Gallery using the `Save-Module -Name SqlServer -Path -RequiredVersion 21.0.17199` powershell command. + +This module requires a custom version of the puppetlabs-dsc module compiled with [XenDesktop Powershell DSC Resource](https://github.com/VirtualEngine/XenDesktop7) as a dependency. Ready to use virtualdesktopdevops/dsc v1.5.0 puppet module provided on [Puppet Forge](https://forge.puppet.com/virtualdesktopdevops/dsc). 
+ +## Change log ## + +A full list of changes in each version can be found in the [change log](CHANGELOG.md). + +## Integration informations ## The Citrix databases will be installed in the default MSSQLSERVER SQL Server instance. This module does not provide the capability to install the databases in another SQL intance. The database failover mecanism integrated in this module is SQL Server AlwaysOn. 
@@ -15,51 +29,76 @@ The SSL certificate provided needs to be a password protected p12/pfx certificat The module can be installed on a Standard, Datacenter version of Windows 2012R2 or Windows 2016. **Core version is not supported by Citrix for delivery Controller installation**. -## Usage -- **svc_username** : (string) Privileged account used by Puppet for installing the software and the Xendesktop Site (cred_ssp server and client, SQL server write access, local administrator privilèges needed) -- **svc_password** : (string) Password of the privileged account. Should be encrypted with hiera-eyaml. -- **sitename** : (string) Name of the Xendesktop site -- **databaseserver** : (string) FQDN of the SQL server used for citrix database hosting. If using a AlwaysOn SQL cluster, use the Listener FQDN. -- **licenceserver** : (string) FQDN of the Citrix Licence server. -- **sitedatabasename** : (string) Name of the citrix site database to be created -- **loggingdatabasename** : (string) Name of the citrix logging database to be created -- **monitordatabasename** : (string) Name of the citrix monitor database to be created -- **sourcepath** : (string) Path of a folder containing the Xendesktop 7.x installer (unarchive the ISO image in this folder). -- **xd7administrator** : (string) ActiveDirectory user or group which will be granted Citrix Administrator rights. -- **domainNetbiosName** : (string) : Domain NETBIOS name. -- **sqlalwayson** : (boolean) : true or false. Activate database AlwaysOn availability group membership ? Default is false. Needs to be true for a production grade environment -- **sqlavailabilitygroup** : (string) (optionnal if sqlalwayson = false) : Name of the SQL AlwaysOn availability group. -- **sqldbbackuppath** : (string) (optionnal if sqlalwayson = false) : UNC path of a writable network folder to backup/restore databases during AlwaysOn availability group membership configuration. needs to be writable from the sql server nodes. 
-- **https** : (boolean) : true or false. Deploy SSL certificate and activate SSL access to Citrix XML service ? Default : false -- **sslCertificateSourcePath** : (string) Location of the SSL certificate (p12 / PFX format with private key). Can be local folder, UNC path, HTTP URL) -- **sslCertificatePassword** : (string) Password protecting the p12/pfx SSL certificate file. -- **sslCertificateThumbprint** : (string) Thumbprint of the SSL certificate (available in the SSL certificate). - -## Installing a Citrix Delivery Controller +Migrated puppet example code in README.md to future parser syntax (4.x). Impact on parameters refering to remote locations (file shares) which have to be prefixed with \\\\ instead of the classical \\. This is because of Puppet >= 4.x parsing \\ as a single \ in single-quoted strings. Use parser = future in puppet 3.x /etc/puppet/puppet.conf to use this new configuration in your Puppet 3.x and prepare Puppet 4.x migration. + +## Usage ## +**Mandatory parameters :** +* **`[String]` setup_svc_username** _(Required)_: Privileged account used by Puppet for installing the software and the Xendesktop Site (cred_ssp server and client, SQL server write access, local administrator privilèges needed) +- **`[String]` setup_svc_password** _(Required)_: Password of the privileged account. Should be encrypted with hiera-eyaml. +- **`[String]` sourcepath** _(Required)_: Path of a folder containing the Xendesktop 7.x installer (unarchive the ISO image in this folder). Has to be prefixed with \\\\ instead of the classical \\ if using UNC Path and Puppet >= 4.x or Puppet 3.x future parser. +- **`[String]` sitename** _(Required)_: Name of the Xendesktop site +- **`[String]` role** _(Required `[primary|secondary]`)_: Needs to be 'primary' for the first Citrix Delivery Controller of a site to initialize the databases and the Xendesktop site. Configure as 'secondary' for all other delivery Controllers of the site as they will join an existing Xendesktop site. 
+ +**Required parameters if role='primary' :** +- **`[String]` databaseserver** _(Required if role='primary')_: FQDN of the SQL server used for citrix database hosting. If using a AlwaysOn SQL cluster, use the Listener FQDN. +- **`[String]` licenceserver** _(Required if role='primary')_: FQDN of the Citrix Licence server. +- **`[String]` xd7administrator** _(Required if role='primary')_: ActiveDirectory user or group which will be granted Citrix Administrator rights. + +**Required parameters if role='secondary' :** +- **`[String]` site_primarycontroller** _(Required if role='secondary')_: Primary controller of the existing Xendesktop site to which the newly configured Delivery Controller has to be joined. + +**Optional parameters :** +- **`[String]` sitedatabasename** _(Optional, default is CitrixSiteDB)_: Name of the citrix site database to be created +- **`[String]` loggingdatabasename** _(Optional, default is CitrixLogDB)_: Name of the citrix logging database to be created +- **`[String]` monitordatabasename** _(Optional, default is CitrixMonitorDB)_: Name of the citrix monitor database to be created +- **`[Boolean]` sqlalwayson** _(Optional, default is false)_: Activate database AlwaysOn availability group membership ? Default is false. Needs to be true for a production grade environment +- **`[String]` sqlavailabilitygroup** _(Required if sqlalwayson = true)_: Name of the SQL AlwaysOn availability group. +- **`[String]` sqldbbackuppath** _(Required if sqlalwayson = true)_: UNC path of a writable network folder to backup/restore databases during AlwaysOn availability group membership configuration. needs to be writable from the sql server nodes. Has to be prefixed with \\\\ instead of the classical \\ if using Puppet >= 4.x or Puppet 3.x future parser. +* **`[String]` sqlservermodulesource** _(Optional, `[internet|offline]`)_: Source of SQLServer Powershell module v21.0.17199 (see requirements at the beginning of this readme). 
Valid values are **internet** or **offline**. Default is 'internet'. +* **`[String]` sqlservermodulesourcepath** _(Required if sqlservermodulesource = 'offline' )_: Path of the SQLServer Powershell module v21.0.17199 ZIP file. Can be a local or an UNC path. +- **`[Boolean]` https** _(Optional, default is false)_: Deploy SSL certificate and activate SSL access to Citrix XML service ? Default : false +- **`[String]` sslCertificateSourcePath** _(Required if https = true)_: Location of the SSL certificate (p12 / PFX format with private key). Can be local folder, UNC path, HTTP URL). Has to be prefixed with \\\\ instead of the classical \\ if using UNC Path and Puppet >= 4.x or Puppet 3.x future parser. +- **`[String]` sslCertificatePassword** _(Required if https = true)_: Password protecting the p12/pfx SSL certificate file. +- **`[String]` sslCertificateThumbprint** _(Required if https = true)_: Thumbprint of the SSL certificate (available in the SSL certificate). + +## Installing a Citrix Delivery Controller ## ~~~puppet -node 'CXDC' { - class{'xd7mastercontroller': - svc_username => 'TESTLAB\svc-puppet', - svc_password => 'P@ssw0rd', - sitename => 'XD7TestSite', - databaseserver => 'CLSDB01LI.TESTLAB.COM', - licenceserver => 'LICENCE.TESTLAB.COM', - sitedatabasename => 'SITE_DB', - loggingdatabasename => 'LOG_DB', - monitordatabasename => 'MONITOR_DB', - sourcepath => '\\fileserver\xendesktop715', - xd7administrator => 'TESTLAB\Domain Admins', - domainNetbiosName=> 'TESTLAB', - sqlalwayson => true, - sqlavailabilitygroup => 'CLSDB01', - sqldbbackuppath => '\\fileserver\backup\sql', - https => true, - sslCertificateSourcePath => '\\fileserver\ssl\cxdc.pfx', - sslCertificatePassword => 'P@ssw0rd', - sslCertificateThumbprint => '44cce73845feef4da4d369a37386c862eb3bd4e1' +node 'CXDC01' { + class{'xd7deliverycontroller': + setup_svc_username => 'TESTLAB\svc-puppet', + setup_svc_password => 'P@ssw0rd', + sourcepath => '\\\\fileserver\xendesktop715', + sitename => 
'XD7TestSite', + role => 'primary' + databaseserver => 'CLSDB01LI.TESTLAB.COM', + licenceserver => 'LICENCE.TESTLAB.COM', + xd7administrator => 'TESTLAB\Domain Admins', + sitedatabasename => 'SITE_DB', + loggingdatabasename => 'LOG_DB', + monitordatabasename => 'MONITOR_DB', + sqlalwayson => true, + sqlavailabilitygroup => 'CLSDB01', + sqldbbackuppath => '\\\\fileserver\backup\sql', + https => true, + sslCertificateSourcePath => '\\\\fileserver\ssl\cxdc.pfx', + sslCertificatePassword => 'P@ssw0rd', + sslCertificateThumbprint => '44cce73845feef4da4d369a37386c862eb3bd4e1' } } -~~~ - +node 'CXDC02' { + class{'xd7deliverycontroller': + setup_svc_username => 'TESTLAB\svc-puppet', + setup_svc_password => 'P@ssw0rd', + sourcepath => '\\\\fileserver\xendesktop715', + sitename => 'XD7TestSite', + role => 'secondary', + site_primarycontroller => 'CXDC01', + https => true, + sslCertificateSourcePath => '\\\\fileserver\ssl\cxdc.pfx', + sslCertificatePassword => 'P@ssw0rd', + sslCertificateThumbprint => '44cce73845feef4da4d369a37386c862eb3bd4e1' + } +} +~~~ diff --git a/changelog.md b/changelog.md new file mode 100644 index 0000000..567ea9b --- /dev/null +++ b/changelog.md 
@@ -0,0 +1,17 @@ +# Changelog - xd7deliverycontroller # + +## Version 2.0.0 ## +- **BREAKING CHANGE** : Merged **xd7mastercontroller** and **xd7slavecontroller** into **xd7deliverycontroller**. Added a **role** parameter to install a **primary** controller with XenDesktop site creation or a **secondary** controller joined to an existing XenDesktop site. +- **BREAKING CHANGE** : Require virtualdesktopdevops/dsc >= 1.5.0 (puppetlabs/dsc fork compiled with XenDesktop7 DSC resource) +- **BREAKING CHANGE** : Removed unneeded $domainNetbiosName parameter. +- **BREAKING CHANGE** : Migrated puppet example code in README.md to future parser syntax (4.x). Impact on parameters refering to remote locations (file shares) which have to be prefixed with \\\\ instead of the classical \\. This is because of Puppet >= 4.x parsing \\ as a single \ in single-quoted strings. Use parser = future in puppet 3.x /etc/puppet/puppet.conf to use this new configuration in your Puppet 3.x and prepare Puppet 4.x migration. +- **BREAKING CHANGE** : Changed all module parameters to lowercase to comply with puppet guidelines. +- **BREAKING CHANGE** : Removed SQLServer Powershell resource from the module. Added **sqlservermodulesource** and **sqlservermodulesourcepath** parameters to install is from the internet or from an enterprise file share. +- Compliance with puppet language style guide and puppet forge standards. +- Class parameters data types. + + + +## Version 1.1.0 ## +- Initial release +- Module compatible with xSQLServer <= 9.0.0.0 diff --git a/files/sqlserver_powershell_21.0.17199.zip b/files/sqlserver_powershell_21.0.17199.zip deleted file mode 100644 index 204c5c7..0000000 Binary files a/files/sqlserver_powershell_21.0.17199.zip and /dev/null differ diff --git a/lib/facter/credsspclientgpo.rb b/lib/facter/credsspclientgpo.rb new file mode 100644 index 0000000..1ed827b --- /dev/null +++ b/lib/facter/credsspclientgpo.rb 
@@ -0,0 +1,17 @@
+#https://puppet.com/blog/starting-out-writing-custom-facts-windows
+Facter.add('credsspclientgpo') do
+ confine :osfamily => :windows
+ setcode do
+ begin
+ result=false
+ value = nil
+ Win32::Registry::HKEY_LOCAL_MACHINE.open('SOFTWARE\Policies\Microsoft\Windows\WinRM\Client') do |regkey|
+ value = regkey['AllowCredSSP']
+ result=true
+ end
+ result
+ rescue
+ false
+ end
+ end
+end
diff --git a/lib/facter/credsspservicegpo.rb b/lib/facter/credsspservicegpo.rb
new file mode 100644
index 0000000..b032bf7
--- /dev/null
+++ b/lib/facter/credsspservicegpo.rb
@@ -0,0 +1,17 @@
+#https://puppet.com/blog/starting-out-writing-custom-facts-windows
+Facter.add('credsspservicegpo') do
+ confine :osfamily => :windows
+ setcode do
+ begin
+ result=false
+ value = nil
+ Win32::Registry::HKEY_LOCAL_MACHINE.open('SOFTWARE\Policies\Microsoft\Windows\WinRM\Service') do |regkey|
+ value = regkey['AllowCredSSP']
+ result=true
+ end
+ result
+ rescue
+ false
+ end
+ end
+end
diff --git a/manifests/databasehighavailability.pp b/manifests/databasehighavailability.pp
index c83233a..830077e 100644
--- a/manifests/databasehighavailability.pp
+++ b/manifests/databasehighavailability.pp
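Review bot: The fact reports true whenever the `...\WinRM\Client` policy key can be opened, regardless of what `AllowCredSSP` holds — `value` is assigned from `regkey['AllowCredSSP']` and never used — so a GPO that explicitly sets AllowCredSSP to 0 is reported exactly like one that enables it, and install.pp then skips the dsc_xcredssp resource with an "already configured by GPO" notice while CredSSP stays disabled. If the existence semantics are intended, drop the dead `value` variable; otherwise returning the policy value (`result = regkey['AllowCredSSP']` in place of the `value`/`result=true` pair) lets the manifest fail fast on a disabling policy, bearing in mind that `!$facts[...]` in install.pp would then need an explicit `== 1` comparison since 0 is truthy in Puppet. The bare `rescue` also maps any unexpected error to false, which the caller reads as "no GPO" and takes the configuration path; `rescue Win32::Registry::Error` would be the narrower catch if a missing key/value is the only expected failure. The same applies to credsspservicegpo.rb in the next hunk.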
@@ -1,65 +1,82 @@ -class xd7mastercontroller::databasehighavailability inherits xd7mastercontroller { - - if $sqlalwayson { - #Recovery mode configuration - dsc_xsqlserverdatabaserecoverymodel{'SiteDatabaseRecoveryModel': - dsc_name => $sitedatabasename, - dsc_recoverymodel => 'Full', - dsc_sqlserver => $databaseserver, - dsc_sqlinstancename => 'MSSQLSERVER', - dsc_psdscrunascredential => {'user' => $svc_username, 'password' => $svc_password}, - require => Dsc_xd7site['XD7Site'] - } - - dsc_xsqlserverdatabaserecoverymodel{'LoggingDatabaseRecoveryModel': - dsc_name => $loggingdatabasename, - dsc_recoverymodel => 'Full', - dsc_sqlserver => $databaseserver, - dsc_sqlinstancename => 'MSSQLSERVER', - dsc_psdscrunascredential => {'user' => $svc_username, 'password' => $svc_password}, - require => Dsc_xd7site['XD7Site'] - } - - dsc_xsqlserverdatabaserecoverymodel{'MonitorDatabaseRecoveryModel': - dsc_name => $monitordatabasename, - dsc_recoverymodel => 'Full', - dsc_sqlserver => $databaseserver, - dsc_sqlinstancename => 'MSSQLSERVER', - dsc_psdscrunascredential => {'user' => $svc_username, 'password' => $svc_password}, - require => Dsc_xd7site['XD7Site'] - } - - #AlwaysOn cluster databases membership activation - dsc_xsqlserveralwaysonavailabilitygroupdatabasemembership{'SiteDatabaseAlwaysOn': - dsc_databasename => $sitedatabasename, - dsc_availabilitygroupname => $sqlavailabilitygroup, - dsc_sqlserver => $databaseserver, - dsc_sqlinstancename => 'MSSQLSERVER', - dsc_backuppath => $sqldbbackuppath, - dsc_psdscrunascredential => {'user' => $svc_username, 'password' => $svc_password}, - #require => Dsc_xsqlserverdatabaserecoverymodel['SiteDatabaseRecoveryModel'] - } - - dsc_xsqlserveralwaysonavailabilitygroupdatabasemembership{'LoggingDatabaseAlwaysOn': - dsc_databasename => $loggingdatabasename, - dsc_availabilitygroupname => $sqlavailabilitygroup, - dsc_sqlserver => $databaseserver, - dsc_sqlinstancename => 'MSSQLSERVER', - dsc_backuppath => $sqldbbackuppath, - 
dsc_psdscrunascredential => {'user' => $svc_username, 'password' => $svc_password}, - #require => Dsc_xsqlserverdatabaserecoverymodel['LoggingDatabaseRecoveryModel'] - } - - dsc_xsqlserveralwaysonavailabilitygroupdatabasemembership{'MonitorDatabaseAlwaysOn': - dsc_databasename => $monitordatabasename, - dsc_availabilitygroupname => $sqlavailabilitygroup, - dsc_sqlserver => $databaseserver, - dsc_sqlinstancename => 'MSSQLSERVER', - dsc_backuppath => $sqldbbackuppath, - dsc_psdscrunascredential => {'user' => $svc_username, 'password' => $svc_password}, - #require => Dsc_xsqlserverdatabaserecoverymodel['MonitorDatabaseRecoveryModel'] - } - - } - +#Class configuring SQL Server AlwaysOn High-Availability feature for Citrix databases +class xd7deliverycontroller::databasehighavailability inherits xd7deliverycontroller { + + if ($xd7deliverycontroller::role == 'primary') and ($xd7deliverycontroller::sqlalwayson) { + #Recovery mode configuration + dsc_sqldatabaserecoverymodel{'SiteDatabaseRecoveryModel': + dsc_name => $xd7deliverycontroller::sitedatabasename, + dsc_recoverymodel => 'Full', + dsc_servername => $xd7deliverycontroller::databaseserver, + dsc_instancename => 'MSSQLSERVER', + dsc_psdscrunascredential => { + 'user' => $xd7deliverycontroller::setup_svc_username, + 'password' => $xd7deliverycontroller::setup_svc_password + }, + require => Dsc_xd7site['XD7Site'] + } + + dsc_sqldatabaserecoverymodel{'LoggingDatabaseRecoveryModel': + dsc_name => $xd7deliverycontroller::loggingdatabasename, + dsc_recoverymodel => 'Full', + dsc_servername => $xd7deliverycontroller::databaseserver, + dsc_instancename => 'MSSQLSERVER', + dsc_psdscrunascredential => { + 'user' => $xd7deliverycontroller::setup_svc_username, + 'password' => $xd7deliverycontroller::setup_svc_password + }, + require => Dsc_xd7site['XD7Site'] + } + + dsc_sqldatabaserecoverymodel{'MonitorDatabaseRecoveryModel': + dsc_name => $xd7deliverycontroller::monitordatabasename, + dsc_recoverymodel => 'Full', + 
dsc_servername => $xd7deliverycontroller::databaseserver, + dsc_instancename => 'MSSQLSERVER', + dsc_psdscrunascredential => { + 'user' => $xd7deliverycontroller::setup_svc_username, + 'password' => $xd7deliverycontroller::setup_svc_password + }, + require => Dsc_xd7site['XD7Site'] + } + + #AlwaysOn cluster databases membership activation + dsc_sqlagdatabase{'SiteDatabaseAlwaysOn': + dsc_databasename => $xd7deliverycontroller::sitedatabasename, + dsc_availabilitygroupname => $xd7deliverycontroller::sqlavailabilitygroup, + dsc_servername => $xd7deliverycontroller::databaseserver, + dsc_instancename => 'MSSQLSERVER', + dsc_backuppath => $xd7deliverycontroller::sqldbbackuppath, + dsc_psdscrunascredential => { + 'user' => $xd7deliverycontroller::setup_svc_username, + 'password' => $xd7deliverycontroller::setup_svc_password + }, + #require => Dsc_sqldatabaserecoverymodel['SiteDatabaseRecoveryModel'] + } + + dsc_sqlagdatabase{'LoggingDatabaseAlwaysOn': + dsc_databasename => $xd7deliverycontroller::loggingdatabasename, + dsc_availabilitygroupname => $xd7deliverycontroller::sqlavailabilitygroup, + dsc_servername => $xd7deliverycontroller::databaseserver, + dsc_instancename => 'MSSQLSERVER', + dsc_backuppath => $xd7deliverycontroller::sqldbbackuppath, + dsc_psdscrunascredential => { + 'user' => $xd7deliverycontroller::setup_svc_username, + 'password' => $xd7deliverycontroller::setup_svc_password + }, + #require => Dsc_sqldatabaserecoverymodel['LoggingDatabaseRecoveryModel'] + } + + dsc_sqlagdatabase{'MonitorDatabaseAlwaysOn': + dsc_databasename => $xd7deliverycontroller::monitordatabasename, + dsc_availabilitygroupname => $xd7deliverycontroller::sqlavailabilitygroup, + dsc_servername => $xd7deliverycontroller::databaseserver, + dsc_instancename => 'MSSQLSERVER', + dsc_backuppath => $xd7deliverycontroller::sqldbbackuppath, + dsc_psdscrunascredential => { + 'user' => $xd7deliverycontroller::setup_svc_username, + 'password' => $xd7deliverycontroller::setup_svc_password + }, + 
#require => Dsc_sqldatabaserecoverymodel['MonitorDatabaseRecoveryModel'] + } + } } diff --git a/manifests/init.pp b/manifests/init.pp index 13b349f..216a470 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -1,6 +1,6 @@ -# Class: xd7mastercontroller +# Class: xd7deliverycontroller # -# This module manages xd7mastercontroller +# This module manages xd7deliverycontroller # # Parameters: none # 
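Review bot: The three dsc_sqlagdatabase resources at the end of the hunk have no `require` at all — the dependency on the matching Dsc_sqldatabaserecoverymodel is carried over only as a comment, and unlike the recovery-model resources they do not depend on Dsc_xd7site['XD7Site'] either — so Puppet is free to attempt availability-group membership before the databases exist or before they are switched to Full recovery, which SQL Server requires for a database to join an AG. The class is also not part of the ordering chain in init.pp (`#->Class['::xd7deliverycontroller::databasehighavailability']` stays commented), so nothing outside this file supplies that ordering. Restoring `require => Dsc_sqldatabaserecoverymodel['SiteDatabaseRecoveryModel']` on SiteDatabaseAlwaysOn (and the Logging/Monitor equivalents) would order them transitively after site creation. If the require was dropped on purpose because of a known DSC ordering problem, a comment saying so would stop the next reader from re-enabling it blindly.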
@@ -10,39 +10,42 @@ # # Sample Usage: # -class xd7mastercontroller ( - $svc_username, - $svc_password, - $sitename, - $databaseserver, - $licenceserver, - $sitedatabasename='CitrixSiteDB', - $loggingdatabasename='CitrixLogDB', - $monitordatabasename='CitrixMonitorDB', - $sourcepath, - $xd7administrator, - $domainNetbiosName, - $sqlalwayson = false, - $sqlavailabilitygroup = '', #Name of the SQL Server Availability group - $sqldbbackuppath = '', - $https = false, - $sslCertificateSourcePath = '', - $sslCertificatePassword = '', - $sslCertificateThumbprint = '' +class xd7deliverycontroller ( + String $setup_svc_username, + String $setup_svc_password, + String $sourcepath, + String $sitename, + Enum['primary', 'secondary'] $role, + Optional[String] $databaseserver = '', + Optional[String] $licenceserver = '', + Optional[String] $xd7administrator = '', + Optional[String] $site_primarycontroller = '', + Optional[String] $sitedatabasename = 'CitrixSiteDB', + Optional[String] $loggingdatabasename = 'CitrixLogDB', + Optional[String] $monitordatabasename = 'CitrixMonitorDB', + Optional[Boolean] $sqlalwayson = false, + Optional[String] $sqlavailabilitygroup = '', + Optional[String] $sqldbbackuppath = '', + Enum['internet', 'offline'] $sqlservermodulesource = 'internet', + Optional[String] $sqlservermodulesourcepath = '', + Optional[Boolean] $https = false, + Optional[String] $sslcertificatesourcepath = '', + Optional[String] $sslcertificatepassword = '', + Optional[String] $sslcertificatethumbprint = '' ) { - contain xd7mastercontroller::install - contain xd7mastercontroller::siteconfig - contain xd7mastercontroller::databasehighavailability - contain xd7mastercontroller::sslconfig - Class['::xd7mastercontroller::install'] -> - Class['::xd7mastercontroller::siteconfig'] -> - #Class['::xd7mastercontroller::databasehighavailability'] -> - Class['::xd7mastercontroller::sslconfig'] - - reboot { 'dsc_reboot': - when => pending - } -} + contain xd7deliverycontroller::install + 
contain xd7deliverycontroller::siteconfig + contain xd7deliverycontroller::databasehighavailability + contain xd7deliverycontroller::sslconfig + + Class['::xd7deliverycontroller::install'] + ->Class['::xd7deliverycontroller::siteconfig'] + #->Class['::xd7deliverycontroller::databasehighavailability'] + ->Class['::xd7deliverycontroller::sslconfig'] + reboot { 'dsc_reboot': + when => pending + } +} diff --git a/manifests/install.pp b/manifests/install.pp index 259f663..5622f52 100644 --- a/manifests/install.pp +++ b/manifests/install.pp 
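Review bot: The parameters the README documents as "Required if role='primary'/'secondary'", "Required if sqlalwayson = true", "Required if https = true" and "Required if sqlservermodulesource = 'offline'" are declared `Optional[String]` with `''` defaults and nothing checks them, so a primary controller declared without `databaseserver` compiles cleanly and only fails deep inside the DSC run with an empty server name. Adding `fail()` guards at the top of the class body turns these into compile-time errors; a sketch is below. Since every default is `''` rather than `undef`, the `Optional[...]` wrappers are also misleading — plain `String`/`Boolean` would document the actual contract. The header comment in the previous hunk still reads `# Parameters: none`, which is now wrong for a class with twenty parameters.
```puppet
) {
  # README lists these as conditionally required; enforce it at compile time.
  if $role == 'primary' and ($databaseserver == '' or $licenceserver == '' or $xd7administrator == '') {
    fail('databaseserver, licenceserver and xd7administrator are required when role is primary')
  }
  if $role == 'secondary' and $site_primarycontroller == '' {
    fail('site_primarycontroller is required when role is secondary')
  }
  if $sqlalwayson and ($sqlavailabilitygroup == '' or $sqldbbackuppath == '') {
    fail('sqlavailabilitygroup and sqldbbackuppath are required when sqlalwayson is true')
  }
  if $https and ($sslcertificatesourcepath == '' or $sslcertificatepassword == '' or $sslcertificatethumbprint == '') {
    fail('sslcertificatesourcepath, sslcertificatepassword and sslcertificatethumbprint are required when https is true')
  }
  if $sqlservermodulesource == 'offline' and $sqlservermodulesourcepath == '' {
    fail('sqlservermodulesourcepath is required when sqlservermodulesource is offline')
  }
  # … unchanged: contain declarations, class ordering and reboot resource …
```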
@@ -1,57 +1,82 @@ -class xd7mastercontroller::install inherits xd7mastercontroller { - - reboot { 'after_run': - apply => immediately, - when => refreshed - } - - dsc_xcredssp{ 'Server': - dsc_ensure => 'Present', - dsc_role => 'Server', - notify => Reboot['after_run'] - } - - dsc_xcredssp{ 'Client': - dsc_ensure => 'Present', - dsc_role => 'Client', - dsc_delegatecomputers => '*' - } - - #Ensure IIS is not installed on the system to avoid conflicts with Broker Service - dsc_windowsfeature{'iis': - dsc_ensure => 'Absent', - dsc_name => 'Web-Server', - } - +#Class installing Citrix XenDesktop Delivery Controller and SQLServer powershell module +class xd7deliverycontroller::install inherits xd7deliverycontroller { + + reboot { 'after_run': + apply => immediately, + when => refreshed + } + + #Implemented a GPO check to prevent an endless reboot loop when CredSSP is configured via a GPO + if (!$facts['credsspservicegpo']) { + dsc_xcredssp{ 'Server': + dsc_ensure => 'Present', + dsc_role => 'Server', + notify => Reboot['after_run'] + } + } + else { + notify { 'CredSSPServiceAlreadyConfigured': + message => 'CredSSP already configured by GPO. Unauthorized to overide GPO configuration. + Please check that CredSSP service is allowed on this Computer.' + } + } + + #Implemented a GPO check to prevent an endless reboot loop when CredSSP is configured via a GPO + if (!$facts['credsspclientgpo']) { + dsc_xcredssp{ 'Client': + dsc_ensure => 'Present', + dsc_role => 'Client', + dsc_delegatecomputers => '*' + } + } + else { + notify { 'CredSSPClientAlreadyConfigured': + message => 'CredSSP already configured by GPO. Unauthorized to overide GPO configuration. + Please check that CredSSP client is allowed on this Computer.' 
+ } + } + + #Ensure IIS is not installed on the system to avoid conflicts with Broker Service + dsc_windowsfeature{'iis': + dsc_ensure => 'Absent', + dsc_name => 'Web-Server', + } + #Install Delivery Controller - dsc_xd7features { 'XD7DeliveryController': - dsc_issingleinstance => 'Yes', - dsc_role => [Studio, Controller], - dsc_sourcepath => $sourcepath, - dsc_ensure => 'present', - require => Dsc_windowsfeature['iis'], - notify => Reboot['after_run'] - } - - #Download and install SQLSERVER powershell module. Required for database high availability setup (always on citrix databases membership) - file{ "C:\\Program Files\\WindowsPowerShell\\Modules\\sqlserver_powershell_21.0.17199.zip": - source => 'puppet:///modules/xd7mastercontroller/sqlserver_powershell_21.0.17199.zip', - source_permissions => ignore, - } - - #dsc_xarchive{'UnzipSqlserverModule': - # dsc_path => 'C:\Program Files\WindowsPowerShell\Modules\sqlserver_powershell_21.0.17199.zip', - # dsc_destination => 'C:\Program Files\WindowsPowerShell\Modules', - # dsc_force => true, - # require => File["C:\\Program Files\\WindowsPowerShell\\Modules\\sqlserver_powershell_21.0.17199.zip"] - #} - - #Unzip function provided by the reidmv-unzip - unzip{'UnzipSqlserverModule': - source => 'C:\\Program Files\WindowsPowerShell\Modules\sqlserver_powershell_21.0.17199.zip', - destination => 'C:\\Program Files\WindowsPowerShell\Modules', - creates => 'C:\\Program Files\WindowsPowerShell\Modules\SqlServer', - require => File["C:\\Program Files\\WindowsPowerShell\\Modules\\sqlserver_powershell_21.0.17199.zip"] - } + dsc_xd7features { 'XD7DeliveryController': + dsc_issingleinstance => 'Yes', + dsc_role => ['Studio', 'Controller'], + dsc_sourcepath => $xd7deliverycontroller::sourcepath, + dsc_ensure => 'present', + require => Dsc_windowsfeature['iis'], + notify => Reboot['after_run'] + } + + #Download and install SQLSERVER powershell module. 
Required for database high availability setup (always on citrix databases membership) + if ($xd7deliverycontroller::sqlservermodulesource == 'internet') { + exec { 'InstallNuGetProviderPSGallery': + command => 'Install-PackageProvider -Name NuGet -Confirm:$false -Force', + onlyif => 'if (Get-PackageProvider -ListAvailable -Name Nuget) { exit 1 }', + provider => 'powershell' + } + + ->exec { 'InstallSQLServerModulePSGallery': + command => 'Install-Module -Name SqlServer -RequiredVersion 21.0.17099 -Confirm:$false -Force', + onlyif => 'if (Get-Module -ListAvailable -Name SqlServer) { exit 1 }', + provider => 'powershell' + } + } + else { + file{ 'C:\Program Files\WindowsPowerShell\Modules\sqlserver_powershell_module.zip': + source => $xd7deliverycontroller::sqlservermodulesourcepath, + source_permissions => ignore, + } + #Unzip function provided by the reidmv-unzip + ->unzip{'UnzipSqlserverModule': + source => 'C:\Program Files\WindowsPowerShell\Modules\sqlserver_powershell_module.zip', + destination => 'C:\Program Files\WindowsPowerShell\Modules', + creates => 'C:\Program Files\WindowsPowerShell\Modules\SqlServer' + } + } } diff --git a/manifests/siteconfig.pp b/manifests/siteconfig.pp index 17cc8e8..b03ca77 100644 --- a/manifests/siteconfig.pp +++ b/manifests/siteconfig.pp 
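Review bot: The PSGallery exec installs `-RequiredVersion 21.0.17099`, while the README, the changelog and the offline ZIP naming all refer to SqlServer 21.0.17199; one of the two is a typo, and as written the internet path pulls a different module version than the one documented. The `onlyif` on the same exec (`Get-Module -ListAvailable -Name SqlServer`) is satisfied by any SqlServer version already present, so a pre-installed older module silently suppresses the install — testing the specific version, e.g. `Get-Module -ListAvailable -Name SqlServer | Where-Object { $_.Version -eq '21.0.17199' }`, would match the intent. Separately, the re-added `dsc_delegatecomputers => '*'` on the CredSSP client allows the setup account's credentials to be delegated to any host; narrowing it to the controller and SQL server names, or exposing it as a class parameter, limits that exposure to the machines the module actually contacts. The offline branch copies a ZIP from an operator-supplied share into `C:\Program Files\WindowsPowerShell\Modules` and unpacks it with no integrity check; a `checksum`/`checksum_value` on the `file` resource would let operators pin the expected archive.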
@@ -1,89 +1,147 @@
-class xd7mastercontroller::siteconfig inherits xd7mastercontroller {
-
- #Databases creation
- dsc_xd7database{ 'XD7SiteDatabase':
- dsc_sitename => $sitename,
- dsc_databaseserver => $databaseserver,
- dsc_databasename => $sitedatabasename,
- dsc_datastore => 'Site',
- dsc_psdscrunascredential => {'user' => $svc_username, 'password' => $svc_password},
- #require => Dsc_xd7features['XD7DeliveryController']
- }
-
- dsc_xd7database{ 'XD7SiteLoggingDatabase':
- dsc_sitename => $sitename,
- dsc_databaseserver => $databaseserver,
- dsc_databasename => $loggingdatabasename,
- dsc_datastore => 'Logging',
- dsc_psdscrunascredential => {'user' => $svc_username, 'password' => $svc_password},
- #require => Dsc_xd7features['XD7DeliveryController']
- }
-
- dsc_xd7database{ 'XD7SiteMonitorDatabase':
- dsc_sitename => $sitename,
- dsc_databaseserver => $databaseserver,
- dsc_databasename => $monitordatabasename,
- dsc_datastore => 'Monitor',
- dsc_psdscrunascredential => {'user' => $svc_username, 'password' => $svc_password},
- #require => Dsc_xd7features['XD7DeliveryController']
- }
-
- #XD7 site creation
- dsc_xd7site{ 'XD7Site':
- dsc_sitename => $sitename,
- dsc_databaseserver => $databaseserver,
- dsc_sitedatabasename => $sitedatabasename,
- dsc_loggingdatabasename => $loggingdatabasename,
- dsc_monitordatabasename => $monitordatabasename,
- dsc_psdscrunascredential => {'user' => $svc_username, 'password' => $svc_password},
- require => [Dsc_xd7database['XD7SiteDatabase'], Dsc_xd7database['XD7SiteMonitorDatabase'], Dsc_xd7database['XD7SiteLoggingDatabase'] ]
- }
-
- #Linking with Citrix License server
- dsc_xd7sitelicense{ 'XD7SiteLicense':
- dsc_licenseserver => $licenceserver,
- dsc_licenseedition => 'PLT',
- dsc_licensemodel => 'UserDevice',
- dsc_trustlicenseservercertificate => false,
- dsc_psdscrunascredential => {'user' => $svc_username, 'password' => $svc_password},
- require => Dsc_xd7site['XD7Site']
- }
-
- #Site admin roles for users
- #Administrator has to be created before beeing affected a role
- dsc_xd7administrator{ 'CitrixAdmin':
- dsc_name => $xd7administrator,
- dsc_psdscrunascredential => {'user' => $svc_username, 'password' => $svc_password},
- require => Dsc_xd7site['XD7Site']
- }
-
- dsc_xd7role{ 'CitrixAdminFullAdministratorRole':
- dsc_name => 'Full Administrator',
- dsc_members => $xd7administrator,
- dsc_psdscrunascredential => {'user' => $svc_username, 'password' => $svc_password},
- require => [ Dsc_xd7site['XD7Site'] , Dsc_xd7administrator['CitrixAdmin'] ]
- }
-
- #Site admin roles for Puppet service account
- #Administrator has to be created before beeing affected a role
- dsc_xd7administrator{ 'PuppetServiceAccountCitrixAdmin':
- dsc_name => $svc_username,
- dsc_psdscrunascredential => {'user' => $svc_username, 'password' => $svc_password},
- require => Dsc_xd7site['XD7Site']
- }
-
- dsc_xd7role{ 'PuppetServiceAccountFullAdministratorRole':
- dsc_name => 'Full Administrator',
- dsc_members => $svc_username,
- dsc_psdscrunascredential => {'user' => $svc_username, 'password' => $svc_password},
- require => [ Dsc_xd7site['XD7Site'] , Dsc_xd7administrator['PuppetServiceAccountCitrixAdmin'] ]
+#Class for Citrix XenDesktop site initial configuration
+class xd7deliverycontroller::siteconfig inherits xd7deliverycontroller {
+
+ if ($xd7deliverycontroller::role == 'primary') {
+ #Databases creation
+ dsc_xd7database{ 'XD7SiteDatabase':
+ dsc_sitename => $xd7deliverycontroller::sitename,
+ dsc_databaseserver => $xd7deliverycontroller::databaseserver,
+ dsc_databasename => $xd7deliverycontroller::sitedatabasename,
+ dsc_datastore => 'Site',
+ dsc_psdscrunascredential => {
+ 'user' => $xd7deliverycontroller::setup_svc_username,
+ 'password' => $xd7deliverycontroller::setup_svc_password
+ },
+ }
+
+ dsc_xd7database{ 'XD7SiteLoggingDatabase':
+ dsc_sitename => $xd7deliverycontroller::sitename,
+ dsc_databaseserver => $xd7deliverycontroller::databaseserver,
+ dsc_databasename => $xd7deliverycontroller::loggingdatabasename,
+ dsc_datastore => 'Logging',
+ dsc_psdscrunascredential => {
+ 'user' => $xd7deliverycontroller::setup_svc_username,
+ 'password' => $xd7deliverycontroller::setup_svc_password
+ },
+ }
+
+ dsc_xd7database{ 'XD7SiteMonitorDatabase':
+ dsc_sitename => $xd7deliverycontroller::sitename,
+ dsc_databaseserver => $xd7deliverycontroller::databaseserver,
+ dsc_databasename => $xd7deliverycontroller::monitordatabasename,
+ dsc_datastore => 'Monitor',
+ dsc_psdscrunascredential => {
+ 'user' => $xd7deliverycontroller::setup_svc_username,
+ 'password' => $xd7deliverycontroller::setup_svc_password
+ },
+ }
+
+ #XD7 site creation
+ dsc_xd7site{ 'XD7Site':
+ dsc_sitename => $xd7deliverycontroller::sitename,
+ dsc_databaseserver => $xd7deliverycontroller::databaseserver,
+ dsc_sitedatabasename => $xd7deliverycontroller::sitedatabasename,
+ dsc_loggingdatabasename => $xd7deliverycontroller::loggingdatabasename,
+ dsc_monitordatabasename => $xd7deliverycontroller::monitordatabasename,
+ dsc_psdscrunascredential => {
+ 'user' => $xd7deliverycontroller::setup_svc_username,
+ 'password' => $xd7deliverycontroller::setup_svc_password
+ },
+ require => [
+ Dsc_xd7database['XD7SiteDatabase'],
+ Dsc_xd7database['XD7SiteMonitorDatabase'],
+ Dsc_xd7database['XD7SiteLoggingDatabase'] ]
+ }
+
+ #Linking with Citrix License server
+ dsc_xd7sitelicense{ 'XD7SiteLicense':
+ dsc_licenseserver => $xd7deliverycontroller::licenceserver,
+ dsc_licenseedition => 'PLT',
+ dsc_licensemodel => 'UserDevice',
+ dsc_trustlicenseservercertificate => false,
+ dsc_psdscrunascredential => {
+ 'user' => $xd7deliverycontroller::setup_svc_username,
+ 'password' => $xd7deliverycontroller::setup_svc_password
+ },
+ require => Dsc_xd7site['XD7Site']
+ }
+
+ #Site admin roles for users
+ #Administrator has to be created before beeing affected a role
+ dsc_xd7administrator{ 'CitrixAdmin':
+ dsc_name => $xd7deliverycontroller::xd7administrator,
+ dsc_psdscrunascredential => {
+ 'user' => $xd7deliverycontroller::setup_svc_username,
+ 'password' => $xd7deliverycontroller::setup_svc_password
+ },
+ require => Dsc_xd7site['XD7Site']
+ }
+
+ dsc_xd7role{ 'CitrixAdminFullAdministratorRole':
+ dsc_name => 'Full Administrator',
+ dsc_members => $xd7deliverycontroller::xd7administrator,
+ dsc_psdscrunascredential => {
+ 'user' => $xd7deliverycontroller::setup_svc_username,
+ 'password' => $xd7deliverycontroller::setup_svc_password
+ },
+ require => [ Dsc_xd7site['XD7Site'] , Dsc_xd7administrator['CitrixAdmin'] ]
+ }
+
+ #Site admin roles for Puppet service account
+ #Administrator has to be created before beeing affected a role
+ dsc_xd7administrator{ 'PuppetServiceAccountCitrixAdmin':
+ dsc_name => $xd7deliverycontroller::setup_svc_username,
+ dsc_psdscrunascredential => {
+ 'user' => $xd7deliverycontroller::setup_svc_username,
+ 'password' => $xd7deliverycontroller::setup_svc_password
+ },
+ require => Dsc_xd7site['XD7Site']
+ }
+
+ dsc_xd7role{ 'PuppetServiceAccountFullAdministratorRole':
+ dsc_name => 'Full Administrator',
+ dsc_members => $xd7deliverycontroller::setup_svc_username,
+ dsc_psdscrunascredential => {
+ 'user' => $xd7deliverycontroller::setup_svc_username,
+ 'password' => $xd7deliverycontroller::setup_svc_password
+ },
+ require => [ Dsc_xd7site['XD7Site'] , Dsc_xd7administrator['PuppetServiceAccountCitrixAdmin'] ]
+ }
+
+ #Trust requests sent to XML service
+ dsc_xd7siteconfig{'XD7GlobalSiteSetting':
+ dsc_issingleinstance => 'Yes',
+ dsc_trustrequestssenttothexmlserviceport => true,
+ dsc_psdscrunascredential => {
+ 'user' => $xd7deliverycontroller::setup_svc_username,
+ 'password' => $xd7deliverycontroller::setup_svc_password
+ },
+ require => Dsc_xd7site['XD7Site']
+ }
 }
-
- #Trust requests sent to XML service
- dsc_xd7siteconfig{'XD7GlobalSiteSetting':
- dsc_issingleinstance => 'Yes',
- dsc_trustrequestssenttothexmlserviceport => true,
- dsc_psdscrunascredential => {'user' => $svc_username, 'password' => $svc_password},
- require => Dsc_xd7site['XD7Site']
- }
-}
\ No newline at end of file
+
+ else {
+ #Test 3 times if the XenDesktop site exists before throwing an error
+ dsc_xd7waitforsite{ 'WaitForXD7Site':
+ dsc_sitename => $xd7deliverycontroller::sitename,
+ dsc_existingcontrollername => $xd7deliverycontroller::site_primarycontroller,
+ dsc_retrycount => 3,
+ dsc_retryintervalsec => 10,
+ dsc_psdscrunascredential => {
+ 'user' => $xd7deliverycontroller::setup_svc_username,
+ 'password' => $xd7deliverycontroller::setup_svc_password
+ }
+ }
+
+ #Join the secondary controller to the existing XenDesktop site
+ ->dsc_xd7controller{ 'XD7ControllerJoin':
+ dsc_sitename => $xd7deliverycontroller::sitename,
+ dsc_existingcontrollername => $xd7deliverycontroller::site_primarycontroller,
+ dsc_psdscrunascredential => {
+ 'user' => $xd7deliverycontroller::setup_svc_username,
+ 'password' => $xd7deliverycontroller::setup_svc_password
+ }
+ }
+ }
+
+}
diff --git a/manifests/sslconfig.pp b/manifests/sslconfig.pp
index 9914873..535b7d8 100644
--- a/manifests/sslconfig.pp
+++ b/manifests/sslconfig.pp
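Review bot: `dsc_trustrequestssenttothexmlserviceport => true` in the new `XD7GlobalSiteSetting` resource is hard-coded, so every site built by this module trusts requests reaching the XML service port; as far as I understand the Citrix setting, that makes the broker accept pre-authenticated requests from StoreFront without re-validating credentials, which is only required for pass-through or smart-card logon and otherwise just widens the exposure of the XML port. Expose it as a class parameter with a safe default, e.g. `dsc_trustrequestssenttothexmlserviceport => $xd7deliverycontroller::trustxmlrequests,` with `trustxmlrequests = false` declared on the main class (outside this hunk), and put a comment above the resource stating when it should be turned on. A related least-privilege point: `PuppetServiceAccountFullAdministratorRole` grants the setup service account the `Full Administrator` site role permanently, and the same credential is carried in clear text in every `dsc_psdscrunascredential` hash of the catalog, so the module docs should say why that account needs more than the rights required to run these resources.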
@@ -1,48 +1,49 @@
-class xd7mastercontroller::sslconfig inherits xd7mastercontroller {
- if $https {
- reboot { 'after_sslconfig':
- apply => finished,
- when => refreshed
- }
+#Class configuring SSL encryption for Citrix Broker access
+class xd7deliverycontroller::sslconfig inherits xd7deliverycontroller {
+ if $xd7deliverycontroller::https {
+ reboot { 'after_sslconfig':
+ apply => finished,
+ when => refreshed
+ }
- #Download SSL certificate
- dsc_file{ 'SSLCert':
- dsc_sourcepath => $sslCertificateSourcePath,
- dsc_destinationpath => 'c:\SSL\cert.pfx',
- dsc_type => 'File'
- }->
+ #Download SSL certificate
+ dsc_file{ 'SSLCert':
+ dsc_sourcepath => $xd7deliverycontroller::sslcertificatesourcepath,
+ dsc_destinationpath => 'c:\SSL\cert.pfx',
+ dsc_type => 'File'
+ }
- #Load SSL certificate in Local Computer personal certificate store
- dsc_xpfximport{ 'ImportSSLCert':
- dsc_thumbprint => $sslCertificateThumbprint,
- dsc_path => 'c:\SSL\cert.pfx',
- dsc_location => 'LocalMachine',
- dsc_store => 'My',
- dsc_credential => {'user' => 'cert', 'password' => $sslCertificatePassword },
- require => Dsc_file['SSLCert']
- }->
+ #Load SSL certificate in Local Computer personal certificate store
+ ->dsc_xpfximport{ 'ImportSSLCert':
+ dsc_thumbprint => $xd7deliverycontroller::sslcertificatethumbprint,
+ dsc_path => 'c:\SSL\cert.pfx',
+ dsc_location => 'LocalMachine',
+ dsc_store => 'My',
+ dsc_credential => {'user' => 'cert', 'password' => $xd7deliverycontroller::sslcertificatepassword },
+ require => Dsc_file['SSLCert']
+ }
+
+ #Map SSL certificate to Citrix Broker Service using netsh method
+ #netsh http add sslcert ipport=0.0.0.0:443 certhash= appid={}
+ ->dsc_script{ 'CitrixBrokerServiceSSL':
+ dsc_getscript => 'Return @{ Result = [string]$(netsh http show sslcert) }',
+ dsc_testscript => 'If ((netsh http show sslcert | Select-String "Application ID") -like "*Application*") {
+ Return $true
+ } Else {
+ Return $false
+ }',
+ dsc_setscript => "\$brokerservice = get-wmiobject -class Win32_Product | Where-Object {\$_.name -Like \"*Broker Service*\"}
+ \$guid = \$brokerservice.IdentifyingNumber
+ netsh http add sslcert ipport=0.0.0.0:443 certhash=${$xd7deliverycontroller::sslcertificatethumbprint} appid=\$guid",
+ notify => Reboot['after_sslconfig']
+ }
- #Map SSL certificate to Citrix Broker Service using netsh method
- #netsh http add sslcert ipport=0.0.0.0:443 certhash= appid={}
- dsc_script{ 'CitrixBrokerServiceSSL':
- dsc_getscript => 'Return @{ Result = [string]$(netsh http show sslcert) }',
- dsc_testscript => 'If ((netsh http show sslcert | Select-String "Application ID") -like "*Application*") {
- Return $true
- } Else {
- Return $false
- }',
- dsc_setscript => "\$brokerservice = get-wmiobject -class Win32_Product | Where-Object {\$_.name -Like \"*Broker Service*\"}
- \$guid = \$brokerservice.IdentifyingNumber
- netsh http add sslcert ipport=0.0.0.0:443 certhash=${$sslCertificateThumbprint} appid=\$guid",
- notify => Reboot['after_sslconfig']
+ #Make sure Citrix XML Service SSL port is 443
+ registry_value { 'HKLM\SOFTWARE\Citrix\DesktopServer\XmlServicesSslPort':
+ ensure => present,
+ type => 'dword',
+ data => '443',
+ require => Dsc_xd7features['XD7DeliveryController']
 }
-
- #Make sure Citrix XML Service SSL port is 443
- registry_value { 'HKLM\SOFTWARE\Citrix\DesktopServer\XmlServicesSslPort':
- ensure => present,
- type => 'dword',
- data => '443',
- require => Dsc_xd7features ['XD7DeliveryController']
- }
- }
+ }
 }
diff --git a/metadata.json b/metadata.json
index bfa5e6d..144cc83 100644
--- a/metadata.json
+++ b/metadata.json
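Review bot: The `dsc_testscript` of `CitrixBrokerServiceSSL` only checks whether `netsh http show sslcert` prints any `Application ID` line, so it reports the binding as converged as soon as any other HTTP.sys certificate binding exists on the host, and it never re-runs the set script after a certificate rotation changes `sslcertificatethumbprint`. Test the specific binding instead, e.g. `dsc_testscript => "Return [bool]((netsh http show sslcert ipport=0.0.0.0:443) -match '${$xd7deliverycontroller::sslcertificatethumbprint}')",` and have the set script run `netsh http delete sslcert ipport=0.0.0.0:443` before the `add`, because `netsh http add sslcert` refuses to overwrite an existing binding for that port. Two smaller caveats deserve a comment in this block: `get-wmiobject -class Win32_Product` enumerates every MSI on the box (slow, and commonly reported to trigger MSI consistency checks as a side effect), and the PFX holding the private key stays at `c:\SSL\cert.pfx` after `ImportSSLCert` with its password present in the catalog, so either tighten the ACL on `c:\SSL` or state that leaving the file in place is intended.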
@@ -1,21 +1,21 @@
 {
 "author": "virtualdesktopdevops",
 "dependencies": [
- {
- "name": "reidmv/unzip",
+ {
+ "name": "reidmv/unzip",
 "version_requirement": ">= 0.1.2"
 },
- {
- "name": "puppetlabs/registry",
+ {
+ "name": "puppetlabs/registry",
 "version_requirement": ">= 1.1.4"
 },
- {
- "name": "puppetlabs/dsc",
- "version_requirement": ">= 1.4.0"
+ {
+ "name": "virtualdesktopdevops/dsc",
+ "version_requirement": ">= 1.5.0"
 }
 ],
 "license": "Apache-2.0",
- "name": "virtualdesktopdevops-xd7mastercontroller",
+ "name": "virtualdesktopdevops-xd7deliverycontroller",
 "operatingsystem_support": [
 {
 "operatingsystem": "windows",
@@ -32,14 +32,18 @@
 "version_requirement": ">= 3.8.0 < 6.0.0"
 }
 ],
- "source": "http://www.virtualdesktopdevops.com/",
- "summary": "Xendesktop 7.x Delivery Controller installation & site creation",
+ "source": "https://virtualdesktopdevops.github.io/xd7deliverycontroller/",
+ "issues_url": "https://github.com/virtualdesktopdevops/xd7deliverycontroller/issues",
+ "summary": "Puppet module installing a production grade Citrix XenDesktop 7.x Delivery Controller, including XenDesktop site creation, high availability configuration and administrator rights setup.",
 "tags": [
 "powershell",
 "dsc",
 "xendesktop",
 "citrix",
- "delivery-controller"
+ "delivery",
+ "controller",
+ "ssl",
+ "alwayson"
 ],
- "version": "1.0.0"
-}
\ No newline at end of file
+ "version": "2.0.0"
+}
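Review bot: The `dependencies` hunk swaps `puppetlabs/dsc` for `virtualdesktopdevops/dsc` with an open-ended `">= 1.5.0"` range, which moves the DSC provider that presumably executes every `dsc_*` resource (and handles the site credentials passed to them) from a vendor-maintained module to a third-party rebuild with no upper bound, so any future major release of that fork is pulled in automatically. Pin an upper bound as the Puppet requirement already does, e.g. `"version_requirement": ">= 1.5.0 < 2.0.0"`, and do the same for `reidmv/unzip` and `puppetlabs/registry`, whose ranges are also unbounded. It would also help consumers if the module docs recorded which upstream puppetlabs/dsc release and which extra DSC resources the fork bundles, so its build can be reproduced and verified rather than trusted blindly from the Forge.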