No doubt, if this escalates, they’ll certainly find the range my current VPN provider uses and block it, and I’ll be stuck with what’s available in Germany. Thankfully, the situation has improved a lot - Netflix and Amazon both stream in Germany now, but still mostly crappy dubbed content. A very limited selection of Original Version (OV) content is available that falls far short of what’s streamable in the U.S.
Most television shows take years to become available here due to complex localization and licensing requirements. Movies take less time, but availability is still not on par with the U.S.; Sony completely ignored the rest of the world when it launched The Interview, for example.
The internet has no borders. Please stop building artificial ones. :-(
Two projects that I'm really loving at the moment are The Foreman and FreeIPA.
The Foreman is a lifecycle management tool for physical and virtual servers (think Cobbler on PCP), and FreeIPA provides central identity management: directory services, Kerberos authentication, host-based access control policy, and a PKI infrastructure with its own CA.
Why not glue them together? This is my first attempt, and it's all a bit manual and unpolished. There's an effort to get this integration into the Foreman Smart Proxy itself.
The idea is that when Foreman creates a host it is automatically registered in FreeIPA with a one-time password (OTP), and when the host is later deleted in Foreman it is removed from FreeIPA too. Each host also gets an SSL certificate signed by the FreeIPA CA, which it uses to talk to Puppet. The flow looks like this:
Creating an IPA User with the Right Permissions
A previous version of this guide called this user "foreman" - don't do that. It will interfere with upgrades later, because the RPM packaging expects a local user named "foreman" and an IPA user of the same name clashes with it.
Create the user:
Grant host enrollment privileges:
The Host Enrollment role on its own only covers enrolling hosts, so we need to extend it to allow the Foreman user to add brand new hosts and delete them too -- otherwise Foreman cannot manage the whole machine lifecycle.
Put foreman-ipa into /etc/sysconfig/ with the right permissions. It holds the credentials the hook uses to authenticate to IPA, so it should be readable by the foreman user only (for example owner foreman, mode 0600).
Put 10_integrate_freeipa.sh into /usr/share/foreman/config/hooks/host/managed/create, make sure it is executable (the hooks plugin ignores scripts that aren't), and symlink it into the sibling destroy and after_commit directories so the same script handles all three events:
Restart foreman to get it to notice the new hooks:
Check /var/log/foreman/production.log to confirm the hooks were registered:
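To make the hook side of the procedure concrete, here is an added example of what such a script can look like. It is written for this page and is not the post's own 10_integrate_freeipa.sh. It assumes the foreman_hooks calling convention (event name as the first argument, hostname as the second, a JSON dump of the host on stdin), a config file /etc/sysconfig/foreman-ipa that sets IPA_PRINCIPAL plus either IPA_KEYTAB or IPA_PASSWORD (both variable names are hypothetical), and it drops the OTP into a per-host file under OTP_DIR; getting that OTP into your provisioning template (for example as a host parameter) is not shown.

```shell
#!/bin/sh
# Added example hook for this page: mirrors Foreman host create/destroy into
# FreeIPA. It is NOT the post's own 10_integrate_freeipa.sh. Assumptions
# (hypothetical conventions, not taken from the page):
#   - foreman_hooks runs the script as "<script> <event> <hostname>" with a
#     JSON dump of the host on stdin, so $1 is the event and $2 the FQDN.
#   - /etc/sysconfig/foreman-ipa is a shell fragment, owner foreman, mode 0600,
#     setting IPA_PRINCIPAL plus either IPA_KEYTAB or IPA_PASSWORD.
#   - The OTP is written to a per-host file under OTP_DIR for the provisioning
#     side to pick up; wiring it into your template is left to you.
set -eu

CONFIG="${FOREMAN_IPA_CONFIG:-/etc/sysconfig/foreman-ipa}"
IPA_CMD="${IPA_CMD:-ipa}"                       # overridable for dry runs
OTP_DIR="${OTP_DIR:-/var/lib/foreman/ipa-otp}"

# Map a foreman_hooks event name (the hook directory the script lives in)
# to the IPA subcommand it should trigger. Other events print nothing.
ipa_action_for_event() {
  case "$1" in
    create)  printf 'host-add\n' ;;
    destroy) printf 'host-del\n' ;;
    *)       printf '\n' ;;
  esac
}

# Pull the generated password out of "ipa host-add --random" output, which
# includes a line of the form "  Random password: <value>".
parse_random_password() {
  sed -n 's/^[[:space:]]*Random password:[[:space:]]*//p' | head -n 1
}

# The hostname comes from the Foreman UI and is passed to ipa(1) and used in a
# file path, so refuse anything that is not a plain dotted DNS name.
valid_fqdn() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+$'
}

# Obtain a Kerberos ticket for the dedicated IPA user (not the local "foreman"
# account). A keytab is preferred; with a password, the 0600 mode on the
# config file is what keeps it away from other local users.
kinit_as_ipa_user() {
  # shellcheck disable=SC1090
  . "$CONFIG"
  if [ -n "${IPA_KEYTAB:-}" ]; then
    kinit -kt "$IPA_KEYTAB" "$IPA_PRINCIPAL"
  else
    printf '%s\n' "$IPA_PASSWORD" | kinit "$IPA_PRINCIPAL"
  fi
}

main() {
  event="$1"; fqdn="$2"
  cat >/dev/null                       # drain the host JSON; only the name is needed
  action="$(ipa_action_for_event "$event")"
  [ -n "$action" ] || exit 0
  valid_fqdn "$fqdn" || { echo "refusing suspicious hostname: $fqdn" >&2; exit 1; }

  kinit_as_ipa_user
  case "$action" in
    host-add)
      # A failed ipa call yields an empty OTP; treat that as fatal so the
      # failure shows up in Foreman's log instead of a half-registered host.
      otp="$("$IPA_CMD" host-add "$fqdn" --random | parse_random_password)"
      [ -n "$otp" ] || { echo "no OTP returned for $fqdn" >&2; exit 1; }
      install -d -m 0700 "$OTP_DIR"
      (umask 077; printf '%s\n' "$otp" > "$OTP_DIR/$fqdn")
      ;;
    host-del)
      "$IPA_CMD" host-del "$fqdn" || echo "warning: $fqdn was not in IPA" >&2
      rm -f "$OTP_DIR/$fqdn"
      ;;
  esac
  kdestroy
}

# Only act when invoked by foreman_hooks with the two positional arguments.
if [ "$#" -ge 2 ]; then
  main "$@"
fi
```

Because the same file is symlinked into create, destroy and after_commit, the event name decides what happens; events the script does not handle exit quietly rather than failing the hook. Set IPA_CMD to a wrapper that echoes its arguments to dry-run the logic before pointing it at a real IPA server.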
The last step is integrating this into your provisioning template. Add ipa-client to the package list and remove the existing Puppet registration snippet from the Foreman template, since the host will now get its certificate from IPA instead. I have a snippet that looks like this:
When the machine boots it enrolls in FreeIPA using the one-time password and requests an SSL certificate for use with Puppet. As a bonus, when you delete the machine in Foreman it is deleted from IPA too.
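For the client side, here is an added example of a %post-style shell fragment that does what the paragraph above describes: enroll with the OTP and pull a Puppet certificate from the IPA CA. It is written for this page and is not the author's snippet. It assumes the template renders the OTP and site values into the variables named below (for instance from a Foreman host parameter), that the Puppet SSL tree lives under PUPPET_SSLDIR, and that the Puppet master's own certificate is issued by the same IPA CA; all of those names are assumptions.

```shell
#!/bin/sh
# Added example for the provisioning side: enroll the freshly built host in
# FreeIPA with its one-time password, then have certmonger obtain the
# certificate Puppet will use from the IPA CA. Not the post's own snippet.
# Assumptions (hypothetical):
#   - The template renders the values into IPA_FQDN, IPA_DOMAIN, IPA_REALM,
#     IPA_SERVER and IPA_OTP; with a Foreman host parameter that could be
#     IPA_OTP="<%= @host.params['ipa_otp'] %>".
#   - Puppet's SSL tree is under PUPPET_SSLDIR (adjust for your agent version).
#   - The Puppet master's certificate comes from the same IPA CA, otherwise
#     the agent will not trust it.
set -eu

PUPPET_SSLDIR="${PUPPET_SSLDIR:-/var/lib/puppet/ssl}"

# Catch the common template failure: the parameter was never set, so the OTP
# rendered as an empty string, or the ERB tag survived verbatim.
otp_looks_sane() {
  [ -n "$1" ] || return 1
  case "$1" in
    *'<%'*|*'%>'*) return 1 ;;
  esac
  return 0
}

# Enroll with the OTP generated by "ipa host-add --random". The password is
# single-use, so a retry after a failed enrollment needs a fresh one.
enroll_in_ipa() {
  fqdn="$1"; domain="$2"; realm="$3"; server="$4"; otp="$5"
  otp_looks_sane "$otp" || { echo "no usable IPA OTP for $fqdn" >&2; return 1; }
  ipa-client-install --unattended --mkhomedir \
    --hostname="$fqdn" --domain="$domain" --realm="$realm" --server="$server" \
    --password="$otp"
}

# Ask certmonger to request (and keep renewing) a certificate from the IPA CA,
# placed where the Puppet agent expects its key and cert, and install the IPA
# CA certificate as the trust anchor. -w waits for the request to complete.
request_puppet_cert() {
  fqdn="$1"; ssldir="$2"
  install -d -m 0771 "$ssldir/private_keys" "$ssldir/certs"
  install -m 0644 /etc/ipa/ca.crt "$ssldir/certs/ca.pem"
  ipa-getcert request -w \
    -k "$ssldir/private_keys/$fqdn.pem" \
    -f "$ssldir/certs/$fqdn.pem" \
    -N "CN=$fqdn" -K "host/$fqdn" -D "$fqdn"
}

# Guarded so that running or sourcing this file without the template's values
# does nothing; the template sets RUN_IPA_ENROLL=1 alongside the variables.
if [ "${RUN_IPA_ENROLL:-0}" = 1 ]; then
  enroll_in_ipa "$IPA_FQDN" "$IPA_DOMAIN" "$IPA_REALM" "$IPA_SERVER" "$IPA_OTP"
  request_puppet_cert "$IPA_FQDN" "$PUPPET_SSLDIR"
fi
```

Run enrollment before the Puppet agent starts for the first time, so the agent finds a key and certificate already in place and never generates its own CSR against the Puppet CA.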