diff --git a/Puppetfile b/Puppetfile index f29fb47..ddbc134 100644 --- a/Puppetfile +++ b/Puppetfile @@ -35,10 +35,14 @@ mod 'puppet-vault', '4.1.0' mod 'puppet-dhcp', '6.1.0' mod 'puppet-keepalived', '3.6.0' mod 'puppet-extlib', '7.0.0' +mod 'puppet-network', '2.2.0' +mod 'puppet-kmod', '4.0.1' +mod 'puppet-filemapper', '4.0.0' # other mod 'ghoneycutt-puppet', '3.3.0' mod 'saz-sudo', '8.0.0' +mod 'saz-ssh', '12.1.0' mod 'ghoneycutt-timezone', '4.0.0' mod 'dalen-puppetdbquery', '3.0.1' mod 'markt-galera', '3.1.0' diff --git a/hieradata/common.yaml b/hieradata/common.yaml index eda0ea1..e8169f7 100644 --- a/hieradata/common.yaml +++ b/hieradata/common.yaml @@ -108,11 +108,22 @@ lookup_options: profiles::nginx::simpleproxy::nginx_aliases: merge: strategy: deep + networking::interfaces: + merge: + strategy: deep + networking::routes: + merge: + strategy: deep + ssh::server::options: + merge: + strategy: deep facts_path: '/opt/puppetlabs/facter/facts.d' -hiera_classes: +hiera_include: - timezone + - networking + - ssh::server profiles::ntp::client::ntp_role: 'roles::infra::ntp::server' profiles::ntp::client::use_ntp: 'region' 
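Review bot: The four new modules (`puppet-network`, `puppet-kmod`, `puppet-filemapper`, `saz-ssh`) are pinned only by Forge version, so r10k trusts whatever the Forge serves for that version with no content pin. If the rest of the Puppetfile follows the same convention this is consistent, but for a module that ends up managing sshd on every host a `:git`/`:ref` pin to a reviewed commit is the cheaper supply-chain control. `puppet-network` is the module the new `networking` class builds on, so its version is now part of the network-availability path too.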
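Review bot: `strategy: deep` for `ssh::server::options` means array-valued options (`ListenAddress`, `AcceptEnv`, `HostKey`) are concatenated across hierarchy levels, not replaced — a role that restates them, as proxmox.yaml does later in this diff, gets the union of both lists. If the intent is that a role can override a single sshd option while inheriting the rest, `strategy: hash` gives per-key replacement; if appending is wanted, it should be stated, and a `knockout_prefix` would be needed to remove an inherited address. `hiera_include` now puts `ssh::server` on every node that reaches common.yaml, so any host with its own sshd management elsewhere must land in `hiera_exclude` in the same change.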
@@ -215,6 +226,38 @@ puppetdbsql: puppetdbsql.service.au-syd1.consul prometheus::node_exporter::export_scrape_job: true prometheus::systemd_exporter::export_scrape_job: true +ssh::server::storeconfigs_enabled: false +ssh::server::options: + Protocol: '2' + ListenAddress: + - '127.0.0.1' + - '%{facts.networking.ip}' + SyslogFacility: 'AUTHPRIV' + HostKey: + - /etc/ssh/ssh_host_rsa_key + - /etc/ssh/ssh_host_ecdsa_key + - /etc/ssh/ssh_host_ed25519_key + HostCertificate: /etc/ssh/ssh_host_rsa_key-cert.pem + AuthorizedKeysFile: .ssh/authorized_keys + PermitRootLogin: no + PasswordAuthentication: no + ChallengeResponseAuthentication: no + PubkeyAuthentication: yes + GSSAPIAuthentication: yes + GSSAPICleanupCredentials: yes + UsePAM: yes + X11Forwarding: no + PrintMotd: no + AcceptEnv: + - LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES + - LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT + - LC_IDENTIFICATION LC_ALL LANGUAGE + - XMODIFIERS + Subsystem: sftp /usr/libexec/openssh/sftp-server + +profiles::ssh::knownhosts::lines: + - '@cert-authority * ssh-rsa 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' + profiles::base::groups::local: admins: ensure: present 
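Review bot: The `@cert-authority *` entry in `profiles::ssh::knownhosts::lines` lets the host CA vouch for any hostname a client connects to, including destinations outside this estate; scope the pattern to what the signer actually issues, e.g. `@cert-authority *.main.unkin.net,*.consul,198.18.*`. The sshd block itself is sound (`PermitRootLogin: no`, `PasswordAuthentication: no`), but `GSSAPIAuthentication: yes` enables a Kerberos code path that is pure attack surface unless these hosts are domain-joined, and adding `LogLevel: VERBOSE` records the key fingerprint for each login, which is what incident responders need from `AUTHPRIV`. `Protocol: '2'` is ignored by current OpenSSH and can be dropped. Whether the signing profile constrains principals on the host certificates is outside this hunk.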
@@ -231,38 +274,34 @@ sudo::configs: profiles::accounts::sysadmin::sshkeys: - ssh-rsa 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 ben@unkin.net -profiles::base::hosts::additional_hosts: - - ip: 198.18.17.3 - hostname: prodinf01n01.main.unkin.net - aliases: - - prodinf01n01 - - puppet - - puppetmaster - - puppetca - - ip: 198.18.17.4 - hostname: prodinf01n04.main.unkin.net - aliases: - - prodinf01n04 - - ip: 198.18.17.5 - hostname: prodinf01n05.main.unkin.net - aliases: - - prodinf01n05 - - ip: 198.18.17.6 - hostname: prodinf01n06.main.unkin.net - aliases: - - prodinf01n06 - - ip: 198.18.17.9 - hostname: prodinf01n09.main.unkin.net - aliases: - - prodinf01n09 - - ntp01.main.unkin.net - - ip: 198.18.17.10 - hostname: prodinf01n10.main.unkin.net - aliases: - - prodinf01n10 - - ntp02.main.unkin.net - - ip: 198.18.17.22 - hostname: prodinf01n22.main.unkin.net - aliases: - - prodinf01n22 - - repos.main.unkin.net +networking::interfaces: + eth0: + ensure: present + family: inet + method: static + netmask: 255.255.255.0 + onboot: true +networking::routes: + default: + ensure: present + interface: eth0 + netmask: 0.0.0.0 + network: default + + +#profiles::base::hosts::additional_hosts: +# - ip: 198.18.17.9 +# hostname: prodinf01n09.main.unkin.net +# aliases: +# - prodinf01n09 +# - ntp01.main.unkin.net +# - ip: 198.18.17.10 +# hostname: prodinf01n10.main.unkin.net +# aliases: +# - prodinf01n10 +# - ntp02.main.unkin.net +# - ip: 198.18.17.22 +# hostname: prodinf01n22.main.unkin.net +# aliases: +# - prodinf01n22 +# - repos.main.unkin.net diff --git a/hieradata/country/au/region/drw1/infra/puppet/master.eyaml b/hieradata/country/au/region/drw1/infra/puppet/master.eyaml index 1dea3a5..bbc75d7 100644 --- a/hieradata/country/au/region/drw1/infra/puppet/master.eyaml +++ b/hieradata/country/au/region/drw1/infra/puppet/master.eyaml 
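Review bot: `networking::interfaces.eth0` is declared `method: static` for every node that includes `networking`, but the address only arrives from node-level files, so a host without a matching node file — or whose NIC is not `eth0` — gets an addressless static interface and can drop off the network on its next agent run, taking the Puppet-managed remote access path with it. Two nodes are protected with `hiera_exclude` in this diff, which suggests the gap is known; a safer default is `networking::interfaces: {}` in common.yaml with the full `eth0` definition in the node files, so nothing is rendered without an `ipaddress`. Removing the static `puppet`/`puppetca`/`repos` hosts entries also makes agent bootstrap depend on DNS/Consul being reachable first, which is presumably intended but worth confirming against the cobbler/kickstart path.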
@@ -1,3 +1,4 @@ --- certmanager::vault_token: ENC[PKCS7,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] certmanager::role_id: ENC[PKCS7,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] +sshsignhost::role_id: ENC[PKCS7,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] diff --git a/hieradata/country/au/region/syd1/infra/puppet/master.eyaml b/hieradata/country/au/region/syd1/infra/puppet/master.eyaml index a6c1883..2793277 100644 --- a/hieradata/country/au/region/syd1/infra/puppet/master.eyaml +++ b/hieradata/country/au/region/syd1/infra/puppet/master.eyaml @@ -1,3 +1,4 @@ --- certmanager::vault_token: ENC[PKCS7,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] certmanager::role_id: ENC[PKCS7,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] +sshsignhost::role_id: ENC[PKCS7,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] diff --git a/hieradata/nodes/ausyd1nxvm1000.main.unkin.net.yaml b/hieradata/nodes/ausyd1nxvm1000.main.unkin.net.yaml new file mode 100644 index 0000000..0d0f768 --- /dev/null +++ b/hieradata/nodes/ausyd1nxvm1000.main.unkin.net.yaml @@ -0,0 +1,7 @@ +--- +networking::interfaces: + eth0: + ipaddress: 198.18.13.10 +networking::routes: + default: + gateway: 198.18.13.254 diff --git a/hieradata/nodes/ausyd1nxvm1001.main.unkin.net.yaml b/hieradata/nodes/ausyd1nxvm1001.main.unkin.net.yaml new file mode 100644 index 0000000..5f25e62 --- /dev/null +++ b/hieradata/nodes/ausyd1nxvm1001.main.unkin.net.yaml @@ -0,0 +1,7 @@ +--- +networking::interfaces: + eth0: + ipaddress: 198.18.13.11 +networking::routes: + default: + gateway: 198.18.13.254 diff --git a/hieradata/nodes/ausyd1nxvm1002.main.unkin.net.yaml b/hieradata/nodes/ausyd1nxvm1002.main.unkin.net.yaml new file mode 100644 index 0000000..df3aa6c --- /dev/null +++ b/hieradata/nodes/ausyd1nxvm1002.main.unkin.net.yaml @@ -0,0 +1,7 @@ +--- +networking::interfaces: + eth0: + ipaddress: 198.18.13.12 +networking::routes: + default: + gateway: 198.18.13.254 
diff --git a/hieradata/nodes/ausyd1nxvm1003.main.unkin.net.yaml b/hieradata/nodes/ausyd1nxvm1003.main.unkin.net.yaml new file mode 100644 index 0000000..3742c94 --- /dev/null +++ b/hieradata/nodes/ausyd1nxvm1003.main.unkin.net.yaml @@ -0,0 +1,7 @@ +--- +networking::interfaces: + eth0: + ipaddress: 198.18.13.13 +networking::routes: + default: + gateway: 198.18.13.254 diff --git a/hieradata/nodes/ausyd1nxvm1004.main.unkin.net.yaml b/hieradata/nodes/ausyd1nxvm1004.main.unkin.net.yaml new file mode 100644 index 0000000..07b1320 --- /dev/null +++ b/hieradata/nodes/ausyd1nxvm1004.main.unkin.net.yaml @@ -0,0 +1,7 @@ +--- +networking::interfaces: + eth0: + ipaddress: 198.18.13.14 +networking::routes: + default: + gateway: 198.18.13.254 diff --git a/hieradata/nodes/ausyd1nxvm1005.main.unkin.net.yaml b/hieradata/nodes/ausyd1nxvm1005.main.unkin.net.yaml new file mode 100644 index 0000000..637f41a --- /dev/null +++ b/hieradata/nodes/ausyd1nxvm1005.main.unkin.net.yaml @@ -0,0 +1,7 @@ +--- +networking::interfaces: + eth0: + ipaddress: 198.18.13.15 +networking::routes: + default: + gateway: 198.18.13.254 diff --git a/hieradata/nodes/ausyd1nxvm1006.main.unkin.net.yaml b/hieradata/nodes/ausyd1nxvm1006.main.unkin.net.yaml new file mode 100644 index 0000000..b3ad9ef --- /dev/null +++ b/hieradata/nodes/ausyd1nxvm1006.main.unkin.net.yaml @@ -0,0 +1,7 @@ +--- +networking::interfaces: + eth0: + ipaddress: 198.18.13.16 +networking::routes: + default: + gateway: 198.18.13.254 diff --git a/hieradata/nodes/ausyd1nxvm1007.main.unkin.net.yaml b/hieradata/nodes/ausyd1nxvm1007.main.unkin.net.yaml new file mode 100644 index 0000000..d13378d --- /dev/null +++ b/hieradata/nodes/ausyd1nxvm1007.main.unkin.net.yaml @@ -0,0 +1,7 @@ +--- +networking::interfaces: + eth0: + ipaddress: 198.18.13.17 +networking::routes: + default: + gateway: 198.18.13.254 
diff --git a/hieradata/nodes/ausyd1nxvm1008.main.unkin.net.yaml b/hieradata/nodes/ausyd1nxvm1008.main.unkin.net.yaml new file mode 100644 index 0000000..21161d2 --- /dev/null +++ b/hieradata/nodes/ausyd1nxvm1008.main.unkin.net.yaml @@ -0,0 +1,7 @@ +--- +networking::interfaces: + eth0: + ipaddress: 198.18.13.18 +networking::routes: + default: + gateway: 198.18.13.254 diff --git a/hieradata/nodes/ausyd1nxvm1009.main.unkin.net.yaml b/hieradata/nodes/ausyd1nxvm1009.main.unkin.net.yaml new file mode 100644 index 0000000..5714209 --- /dev/null +++ b/hieradata/nodes/ausyd1nxvm1009.main.unkin.net.yaml @@ -0,0 +1,7 @@ +--- +networking::interfaces: + eth0: + ipaddress: 198.18.13.19 +networking::routes: + default: + gateway: 198.18.13.254 diff --git a/hieradata/nodes/ausyd1nxvm1010.main.unkin.net.yaml b/hieradata/nodes/ausyd1nxvm1010.main.unkin.net.yaml new file mode 100644 index 0000000..85030a0 --- /dev/null +++ b/hieradata/nodes/ausyd1nxvm1010.main.unkin.net.yaml @@ -0,0 +1,7 @@ +--- +networking::interfaces: + eth0: + ipaddress: 198.18.13.20 +networking::routes: + default: + gateway: 198.18.13.254 diff --git a/hieradata/nodes/ausyd1nxvm1011.main.unkin.net.yaml b/hieradata/nodes/ausyd1nxvm1011.main.unkin.net.yaml new file mode 100644 index 0000000..1e4bd69 --- /dev/null +++ b/hieradata/nodes/ausyd1nxvm1011.main.unkin.net.yaml @@ -0,0 +1,7 @@ +--- +networking::interfaces: + eth0: + ipaddress: 198.18.13.21 +networking::routes: + default: + gateway: 198.18.13.254 diff --git a/hieradata/nodes/ausyd1nxvm1012.main.unkin.net.yaml b/hieradata/nodes/ausyd1nxvm1012.main.unkin.net.yaml new file mode 100644 index 0000000..fe067ca --- /dev/null +++ b/hieradata/nodes/ausyd1nxvm1012.main.unkin.net.yaml @@ -0,0 +1,7 @@ +--- +networking::interfaces: + eth0: + ipaddress: 198.18.13.22 +networking::routes: + default: + gateway: 198.18.13.254 
diff --git a/hieradata/nodes/ausyd1nxvm1013.main.unkin.net.yaml b/hieradata/nodes/ausyd1nxvm1013.main.unkin.net.yaml new file mode 100644 index 0000000..b7faf2d --- /dev/null +++ b/hieradata/nodes/ausyd1nxvm1013.main.unkin.net.yaml @@ -0,0 +1,7 @@ +--- +networking::interfaces: + eth0: + ipaddress: 198.18.13.23 +networking::routes: + default: + gateway: 198.18.13.254 diff --git a/hieradata/nodes/ausyd1nxvm1014.main.unkin.net.yaml b/hieradata/nodes/ausyd1nxvm1014.main.unkin.net.yaml new file mode 100644 index 0000000..6eb0c2d --- /dev/null +++ b/hieradata/nodes/ausyd1nxvm1014.main.unkin.net.yaml @@ -0,0 +1,7 @@ +--- +networking::interfaces: + eth0: + ipaddress: 198.18.13.24 +networking::routes: + default: + gateway: 198.18.13.254 diff --git a/hieradata/nodes/ausyd1nxvm1015.main.unkin.net.yaml b/hieradata/nodes/ausyd1nxvm1015.main.unkin.net.yaml new file mode 100644 index 0000000..d013779 --- /dev/null +++ b/hieradata/nodes/ausyd1nxvm1015.main.unkin.net.yaml @@ -0,0 +1,7 @@ +--- +networking::interfaces: + eth0: + ipaddress: 198.18.13.25 +networking::routes: + default: + gateway: 198.18.13.254 diff --git a/hieradata/nodes/ausyd1nxvm1016.main.unkin.net.yaml b/hieradata/nodes/ausyd1nxvm1016.main.unkin.net.yaml new file mode 100644 index 0000000..4139c9a --- /dev/null +++ b/hieradata/nodes/ausyd1nxvm1016.main.unkin.net.yaml @@ -0,0 +1,7 @@ +--- +networking::interfaces: + eth0: + ipaddress: 198.18.13.26 +networking::routes: + default: + gateway: 198.18.13.254 diff --git a/hieradata/nodes/ausyd1nxvm1017.main.unkin.net.yaml b/hieradata/nodes/ausyd1nxvm1017.main.unkin.net.yaml index f7ad64b..49565b5 100644 --- a/hieradata/nodes/ausyd1nxvm1017.main.unkin.net.yaml +++ b/hieradata/nodes/ausyd1nxvm1017.main.unkin.net.yaml @@ -1,2 +1,8 @@ --- profiles::cobbler::params::is_cobbler_master: true +networking::interfaces: + eth0: + ipaddress: 198.18.13.27 +networking::routes: + default: + gateway: 198.18.13.254 
diff --git a/hieradata/nodes/ausyd1nxvm1018.main.unkin.net.yaml b/hieradata/nodes/ausyd1nxvm1018.main.unkin.net.yaml new file mode 100644 index 0000000..cc95111 --- /dev/null +++ b/hieradata/nodes/ausyd1nxvm1018.main.unkin.net.yaml @@ -0,0 +1,7 @@ +--- +networking::interfaces: + eth0: + ipaddress: 198.18.13.28 +networking::routes: + default: + gateway: 198.18.13.254 diff --git a/hieradata/nodes/ausyd1nxvm1019.main.unkin.net.yaml b/hieradata/nodes/ausyd1nxvm1019.main.unkin.net.yaml new file mode 100644 index 0000000..f34d534 --- /dev/null +++ b/hieradata/nodes/ausyd1nxvm1019.main.unkin.net.yaml @@ -0,0 +1,7 @@ +--- +networking::interfaces: + eth0: + ipaddress: 198.18.13.29 +networking::routes: + default: + gateway: 198.18.13.254 diff --git a/hieradata/nodes/ausyd1nxvm1020.main.unkin.net.yaml b/hieradata/nodes/ausyd1nxvm1020.main.unkin.net.yaml new file mode 100644 index 0000000..1171c3a --- /dev/null +++ b/hieradata/nodes/ausyd1nxvm1020.main.unkin.net.yaml @@ -0,0 +1,7 @@ +--- +networking::interfaces: + eth0: + ipaddress: 198.18.13.30 +networking::routes: + default: + gateway: 198.18.13.254 diff --git a/hieradata/nodes/ausyd1nxvm1021.main.unkin.net.yaml b/hieradata/nodes/ausyd1nxvm1021.main.unkin.net.yaml new file mode 100644 index 0000000..4db921a --- /dev/null +++ b/hieradata/nodes/ausyd1nxvm1021.main.unkin.net.yaml @@ -0,0 +1,7 @@ +--- +networking::interfaces: + eth0: + ipaddress: 198.18.13.31 +networking::routes: + default: + gateway: 198.18.13.254 diff --git a/hieradata/nodes/ausyd1nxvm1022.main.unkin.net.yaml b/hieradata/nodes/ausyd1nxvm1022.main.unkin.net.yaml new file mode 100644 index 0000000..bc8c957 --- /dev/null +++ b/hieradata/nodes/ausyd1nxvm1022.main.unkin.net.yaml @@ -0,0 +1,7 @@ +--- +networking::interfaces: + eth0: + ipaddress: 198.18.13.32 +networking::routes: + default: + gateway: 198.18.13.254 
diff --git a/hieradata/nodes/ausyd1nxvm1023.main.unkin.net.yaml b/hieradata/nodes/ausyd1nxvm1023.main.unkin.net.yaml new file mode 100644 index 0000000..2efaddd --- /dev/null +++ b/hieradata/nodes/ausyd1nxvm1023.main.unkin.net.yaml @@ -0,0 +1,7 @@ +--- +networking::interfaces: + eth0: + ipaddress: 198.18.13.33 +networking::routes: + default: + gateway: 198.18.13.254 diff --git a/hieradata/nodes/ausyd1nxvm1024.main.unkin.net.yaml b/hieradata/nodes/ausyd1nxvm1024.main.unkin.net.yaml new file mode 100644 index 0000000..9b01689 --- /dev/null +++ b/hieradata/nodes/ausyd1nxvm1024.main.unkin.net.yaml @@ -0,0 +1,7 @@ +--- +networking::interfaces: + eth0: + ipaddress: 198.18.13.34 +networking::routes: + default: + gateway: 198.18.13.254 diff --git a/hieradata/nodes/ausyd1nxvm1025.main.unkin.net.yaml b/hieradata/nodes/ausyd1nxvm1025.main.unkin.net.yaml new file mode 100644 index 0000000..08699cd --- /dev/null +++ b/hieradata/nodes/ausyd1nxvm1025.main.unkin.net.yaml @@ -0,0 +1,7 @@ +--- +networking::interfaces: + eth0: + ipaddress: 198.18.13.35 +networking::routes: + default: + gateway: 198.18.13.254 diff --git a/hieradata/nodes/ausyd1nxvm1026.main.unkin.net.yaml b/hieradata/nodes/ausyd1nxvm1026.main.unkin.net.yaml new file mode 100644 index 0000000..f2d2815 --- /dev/null +++ b/hieradata/nodes/ausyd1nxvm1026.main.unkin.net.yaml @@ -0,0 +1,7 @@ +--- +networking::interfaces: + eth0: + ipaddress: 198.18.13.36 +networking::routes: + default: + gateway: 198.18.13.254 diff --git a/hieradata/nodes/ausyd1nxvm1027.main.unkin.net.yaml b/hieradata/nodes/ausyd1nxvm1027.main.unkin.net.yaml new file mode 100644 index 0000000..d866894 --- /dev/null +++ b/hieradata/nodes/ausyd1nxvm1027.main.unkin.net.yaml @@ -0,0 +1,7 @@ +--- +networking::interfaces: + eth0: + ipaddress: 198.18.13.37 +networking::routes: + default: + gateway: 198.18.13.254 
diff --git a/hieradata/nodes/ausyd1nxvm1028.main.unkin.net.yaml b/hieradata/nodes/ausyd1nxvm1028.main.unkin.net.yaml new file mode 100644 index 0000000..c500f84 --- /dev/null +++ b/hieradata/nodes/ausyd1nxvm1028.main.unkin.net.yaml @@ -0,0 +1,7 @@ +--- +networking::interfaces: + eth0: + ipaddress: 198.18.13.38 +networking::routes: + default: + gateway: 198.18.13.254 diff --git a/hieradata/nodes/ausyd1nxvm1029.main.unkin.net.yaml b/hieradata/nodes/ausyd1nxvm1029.main.unkin.net.yaml new file mode 100644 index 0000000..7c71aab --- /dev/null +++ b/hieradata/nodes/ausyd1nxvm1029.main.unkin.net.yaml @@ -0,0 +1,7 @@ +--- +networking::interfaces: + eth0: + ipaddress: 198.18.13.39 +networking::routes: + default: + gateway: 198.18.13.254 diff --git a/hieradata/nodes/ausyd1nxvm1030.main.unkin.net.yaml b/hieradata/nodes/ausyd1nxvm1030.main.unkin.net.yaml new file mode 100644 index 0000000..5dfd63a --- /dev/null +++ b/hieradata/nodes/ausyd1nxvm1030.main.unkin.net.yaml @@ -0,0 +1,7 @@ +--- +networking::interfaces: + eth0: + ipaddress: 198.18.13.40 +networking::routes: + default: + gateway: 198.18.13.254 diff --git a/hieradata/nodes/ausyd1nxvm1031.main.unkin.net.yaml b/hieradata/nodes/ausyd1nxvm1031.main.unkin.net.yaml new file mode 100644 index 0000000..06ec9c5 --- /dev/null +++ b/hieradata/nodes/ausyd1nxvm1031.main.unkin.net.yaml @@ -0,0 +1,7 @@ +--- +networking::interfaces: + eth0: + ipaddress: 198.18.13.41 +networking::routes: + default: + gateway: 198.18.13.254 diff --git a/hieradata/nodes/ausyd1nxvm1032.main.unkin.net.yaml b/hieradata/nodes/ausyd1nxvm1032.main.unkin.net.yaml new file mode 100644 index 0000000..1163ae6 --- /dev/null +++ b/hieradata/nodes/ausyd1nxvm1032.main.unkin.net.yaml @@ -0,0 +1,7 @@ +--- +networking::interfaces: + eth0: + ipaddress: 198.18.13.42 +networking::routes: + default: + gateway: 198.18.13.254 
diff --git a/hieradata/nodes/ausyd1nxvm1033.main.unkin.net.yaml b/hieradata/nodes/ausyd1nxvm1033.main.unkin.net.yaml new file mode 100644 index 0000000..fd6a428 --- /dev/null +++ b/hieradata/nodes/ausyd1nxvm1033.main.unkin.net.yaml @@ -0,0 +1,7 @@ +--- +networking::interfaces: + eth0: + ipaddress: 198.18.13.43 +networking::routes: + default: + gateway: 198.18.13.254 diff --git a/hieradata/nodes/ausyd1nxvm1034.main.unkin.net.yaml b/hieradata/nodes/ausyd1nxvm1034.main.unkin.net.yaml new file mode 100644 index 0000000..4749523 --- /dev/null +++ b/hieradata/nodes/ausyd1nxvm1034.main.unkin.net.yaml @@ -0,0 +1,7 @@ +--- +networking::interfaces: + eth0: + ipaddress: 198.18.13.44 +networking::routes: + default: + gateway: 198.18.13.254 diff --git a/hieradata/nodes/ausyd1nxvm1035.main.unkin.net.yaml b/hieradata/nodes/ausyd1nxvm1035.main.unkin.net.yaml new file mode 100644 index 0000000..d3e7eca --- /dev/null +++ b/hieradata/nodes/ausyd1nxvm1035.main.unkin.net.yaml @@ -0,0 +1,7 @@ +--- +networking::interfaces: + eth0: + ipaddress: 198.18.13.45 +networking::routes: + default: + gateway: 198.18.13.254 diff --git a/hieradata/nodes/ausyd1nxvm1036.main.unkin.net.yaml b/hieradata/nodes/ausyd1nxvm1036.main.unkin.net.yaml index a909eb0..e496390 100644 --- a/hieradata/nodes/ausyd1nxvm1036.main.unkin.net.yaml +++ b/hieradata/nodes/ausyd1nxvm1036.main.unkin.net.yaml @@ -5,5 +5,17 @@ profiles::puppet::server::dns_alt_names: - puppetca.query.consul - puppetca +profiles::ssh::sign::principals: + - puppetca.main.unkin.net + - puppetca.service.consul + - puppetca.query.consul + - puppetca + profiles::puppet::puppetca::is_puppetca: true profiles::puppet::puppetca::allow_subject_alt_names: true +networking::interfaces: + eth0: + ipaddress: 198.18.13.46 +networking::routes: + default: + gateway: 198.18.13.254 diff --git a/hieradata/nodes/ausyd1nxvm1037.main.unkin.net.yaml b/hieradata/nodes/ausyd1nxvm1037.main.unkin.net.yaml new file mode 100644 index 0000000..e12dfe1 --- /dev/null 
+++ b/hieradata/nodes/ausyd1nxvm1037.main.unkin.net.yaml @@ -0,0 +1,7 @@ +--- +networking::interfaces: + eth0: + ipaddress: 198.18.13.47 +networking::routes: + default: + gateway: 198.18.13.254 \ No newline at end of file diff --git a/hieradata/nodes/ausyd1nxvm1038.main.unkin.net.yaml b/hieradata/nodes/ausyd1nxvm1038.main.unkin.net.yaml new file mode 100644 index 0000000..7d31106 --- /dev/null +++ b/hieradata/nodes/ausyd1nxvm1038.main.unkin.net.yaml @@ -0,0 +1,7 @@ +--- +networking::interfaces: + eth0: + ipaddress: 198.18.13.48 +networking::routes: + default: + gateway: 198.18.13.254 \ No newline at end of file diff --git a/hieradata/nodes/ausyd1nxvm1039.main.unkin.net.yaml b/hieradata/nodes/ausyd1nxvm1039.main.unkin.net.yaml new file mode 100644 index 0000000..21d5f26 --- /dev/null +++ b/hieradata/nodes/ausyd1nxvm1039.main.unkin.net.yaml @@ -0,0 +1,7 @@ +--- +networking::interfaces: + eth0: + ipaddress: 198.18.13.49 +networking::routes: + default: + gateway: 198.18.13.254 \ No newline at end of file diff --git a/hieradata/nodes/prodinf01n01.main.unkin.net.yaml b/hieradata/nodes/prodinf01n01.main.unkin.net.yaml index e6e8fc8..d3fd91b 100644 --- a/hieradata/nodes/prodinf01n01.main.unkin.net.yaml +++ b/hieradata/nodes/prodinf01n01.main.unkin.net.yaml @@ -7,3 +7,6 @@ profiles::puppet::server::dns_alt_names: profiles::puppet::puppetca::is_puppetca: false profiles::puppet::puppetca::allow_subject_alt_names: true + +hiera_exclude: + - networking diff --git a/hieradata/os/AlmaLinux/all_releases.yaml b/hieradata/os/AlmaLinux/all_releases.yaml index c383966..eaa2953 100644 --- a/hieradata/os/AlmaLinux/all_releases.yaml +++ b/hieradata/os/AlmaLinux/all_releases.yaml 
@@ -19,44 +19,53 @@ profiles::yum::global::repos: target: /etc/yum.repos.d/baseos.repo baseurl: https://edgecache.query.consul/almalinux/%{facts.os.release.full}/BaseOS/%{facts.os.architecture}/os gpgkey: http://edgecache.query.consul/almalinux/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major} + mirrorlist: absent extras: name: extras descr: extras repository target: /etc/yum.repos.d/extras.repo baseurl: https://edgecache.query.consul/almalinux/%{facts.os.release.full}/extras/%{facts.os.architecture}/os gpgkey: http://edgecache.query.consul/almalinux/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major} + mirrorlist: absent appstream: name: appstream descr: appstream repository target: /etc/yum.repos.d/appstream.repo baseurl: https://edgecache.query.consul/almalinux/%{facts.os.release.full}/AppStream/%{facts.os.architecture}/os gpgkey: http://edgecache.query.consul/almalinux/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major} + mirrorlist: absent powertools: name: powertools descr: powertools repository target: /etc/yum.repos.d/powertools.repo baseurl: https://edgecache.query.consul/almalinux/%{facts.os.release.full}/PowerTools/%{facts.os.architecture}/os gpgkey: http://edgecache.query.consul/almalinux/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major} + mirrorlist: absent highavailability: name: highavailability descr: highavailability repository target: /etc/yum.repos.d/highavailability.repo baseurl: https://edgecache.query.consul/almalinux/%{facts.os.release.full}/HighAvailability/%{facts.os.architecture}/os gpgkey: http://edgecache.query.consul/almalinux/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major} + mirrorlist: absent epel: name: epel descr: epel repository target: /etc/yum.repos.d/epel.repo baseurl: https://edgecache.query.consul/epel/%{facts.os.release.major}/Everything/%{facts.os.architecture} gpgkey: http://edgecache.query.consul/epel/RPM-GPG-KEY-EPEL-%{facts.os.release.major} + mirrorlist: absent puppet: name: puppet descr: puppet repository target: 
/etc/yum.repos.d/puppet.repo baseurl: https://yum.puppet.com/puppet7/el/%{facts.os.release.major}/%{facts.os.architecture} gpgkey: https://yum.puppet.com/RPM-GPG-KEY-puppet-20250406 + mirrorlist: absent unkin: name: unkin descr: unkin repository target: /etc/yum.repos.d/unkin.repo - baseurl: https://repos.main.unkin.net/unkin/%{facts.os.release.major}/%{facts.os.architecture}/os + baseurl: https://git.query.consul/api/packages/unkinben/rpm/el%{facts.os.release.major} + gpgkey: https://git.query.consul/api/packages/unkinben/rpm/repository.key + mirrorlist: absent diff --git a/hieradata/os/Debian/all_releases.yaml b/hieradata/os/Debian/all_releases.yaml index 221b479..04e4212 100644 --- a/hieradata/os/Debian/all_releases.yaml +++ b/hieradata/os/Debian/all_releases.yaml @@ -1,6 +1,6 @@ # hieradata/os/debian/all_releases.yaml --- -profiles::apt::base::mirrorurl: http://repos.main.unkin.net/debian +profiles::apt::base::mirrorurl: https://edgecache.query.consul/debian/ profiles::apt::base::secureurl: http://security.debian.org/debian-security profiles::apt::puppet7::mirror: http://apt.puppetlabs.com profiles::apt::puppet7::repo: puppet7 @@ -12,3 +12,4 @@ profiles::packages::install: - xz-utils lm-sensors::package: lm-sensors +networking::nwmgr_dns_none: false diff --git a/hieradata/roles/infra/cobbler/server.yaml b/hieradata/roles/infra/cobbler/server.yaml index 6709152..42dbef9 100644 --- a/hieradata/roles/infra/cobbler/server.yaml +++ b/hieradata/roles/infra/cobbler/server.yaml @@ -17,5 +17,5 @@ profiles::pki::vault::alt_names: profiles::cobbler::params::service_cname: 'cobbler.main.unkin.net' profiles::selinux::setenforce::mode: permissive -hiera_classes: +hiera_include: - profiles::selinux::setenforce diff --git a/hieradata/roles/infra/git/gitea.eyaml b/hieradata/roles/infra/git/gitea.eyaml index fa29e19..3d6508c 100644 --- a/hieradata/roles/infra/git/gitea.eyaml +++ b/hieradata/roles/infra/git/gitea.eyaml 
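Review bot: The rewritten `unkin` repo takes both its packages and its signing key (`gpgkey: https://git.query.consul/api/packages/unkinben/rpm/repository.key`) from the same Gitea host, so the RPM signature check only proves the package came from whoever controls that server or its TLS name — there is no independent trust anchor. Distribute the key with Puppet instead (`file` resource plus `gpgkey: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-unkin`), or at least verify its fingerprint out-of-band once. Although unchanged here, the distro and EPEL `gpgkey` URLs are still `http://` while `baseurl` is `https://`, which lets an on-path attacker substitute a key. Whether `gpgcheck`/`repo_gpgcheck` is enabled by `profiles::yum::global` is not visible in this hunk.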
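Review bot: `networking::nwmgr_dns_none: false` does not bind to anything: the parameter is declared on `networking::params` (see `params.pp` in this diff), so Hiera would only honour `networking::params::nwmgr_dns_none`, and Debian hosts will still get `/etc/NetworkManager/conf.d/dns_none.conf` written. Either rename the key to `networking::params::nwmgr_dns_none` or, better, make `nwmgr_dns_none` a parameter of `networking` itself so the key as written works. The mirror change to `https://edgecache.query.consul/debian/` is fine; the `secureurl` stays plain HTTP, which apt's signature check covers.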
@@ -1,3 +1,3 @@ --- -profiles::gitea::init::mysql_pass: ENC[PKCS7,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] +profiles::gitea::mysql_pass: ENC[PKCS7,MIIBiQYJKoZIhvcNAQcDoIIBejCCAXYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAjmMVHQcvy0PLruFWI6UmYqM2uEqXntV8HdA54RCTm7GaneXsW+rom+ibFVd0i9L+spQPQzcidh7FlzBRYgny8yH8TqZlh7XMraXSYG2EvrjwzNvgnwhY5mGEQNQcQkqN9Orfsf6HjXmXg2CxajYibKu0/belJZFffzPzzrn15wy3Cj5lDjAziqYoD+8Ko1zkF9lWz4ewVjll82yo8iSpidN+PyvoeWsi/eJ9cW72TgFLt/rvGquLq3MuW54J716hrR1Z37Uf0OO18AiKCVjoCi5Cf/k0VKRsXM8Myu2KInqrGcUHAO+fsOXBXnmU0MOxW0OIOmwxfwY6LJfN23arlDBMBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBB6GktEMe8gSTijJ/dIHC5/gCCblMojNKO1ig9fNsuT9I2u5Bt4iJrSMN+GBGnCzO1Bvw==] profiles::gitea::init::lfs_jwt_secret: ENC[PKCS7,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] diff --git a/hieradata/roles/infra/git/gitea.yaml b/hieradata/roles/infra/git/gitea.yaml index 3199ed6..ec84020 100644 --- a/hieradata/roles/infra/git/gitea.yaml +++ b/hieradata/roles/infra/git/gitea.yaml @@ -6,6 +6,11 @@ profiles::pki::vault::alt_names: - git.query.consul - "git.service.%{facts.country}-%{facts.region}.consul" +profiles::ssh::sign::principals: + - git.main.unkin.net + - git.service.consul + - git.query.consul + consul::services: git: service_name: 'git' 
@@ -37,3 +42,43 @@ profiles::nginx::simpleproxy::nginx_aliases: profiles::nginx::simpleproxy::proxy_port: 3000 profiles::nginx::simpleproxy::proxy_path: '/' nginx::client_max_body_size: 250M + +profiles::gitea::init::root: + APP_NAME: 'Gitea' + RUN_USER: 'git' + RUN_MODE: 'prod' +profiles::gitea::init::repository: + ROOT: '/data/gitea/repos' + FORCE_PRIVATE: false + MAX_CREATION_LIMIT: -1 + DISABLE_HTTP_GIT: false + DEFAULT_BRANCH: 'main' + DEFAULT_PRIVATE: 'last' +profiles::gitea::init::ui: + SHOW_USER_EMAIL: false +profiles::gitea::init::server: + PROTOCOL: 'http' + DOMAIN: 'git.query.consul' + ROOT_URL: 'https://git.query.consul' + HTTP_ADDR: '0.0.0.0' + HTTP_PORT: 3000 + START_SSH_SERVER: false + SSH_DOMAIN: 'git.query.consul' + SSH_PORT: 2222 + SSH_LISTEN_HOST: '0.0.0.0' + OFFLINE_MODE: true + APP_DATA_PATH: '/data/gitea' + SSH_LISTEN_PORT: 22 + LFS_START_SERVER: true +profiles::gitea::init::database: + DB_TYPE: 'mysql' + HOST: 'mariadb-prod.service.au-syd1.consul:3306' + NAME: 'gitea' + USER: 'gitea' + PASSWD: "%{hiera('profiles::gitea::mysql_pass')}" + SSL_MODE: 'disable' + LOG_SQL: false +profiles::gitea::init::lfs: + PATH: '/data/gitea/lfs' +profiles::gitea::init::session: + PROVIDER: db diff --git a/hieradata/roles/infra/ntp/server.yaml b/hieradata/roles/infra/ntp/server.yaml index 839e32d..6e4bd92 100644 --- a/hieradata/roles/infra/ntp/server.yaml +++ b/hieradata/roles/infra/ntp/server.yaml @@ -12,3 +12,24 @@ profiles::ntp::server::peers: - '1.au.pool.ntp.org' - '2.au.pool.ntp.org' - '3.au.pool.ntp.org' + +consul::services: + ntp: + service_name: 'ntp' + tags: + - 'ntp' + - 'time' + - 'sync' + address: "%{facts.networking.ip}" + port: 123 + checks: + - id: ntp_check + name: "NTP Service Check" + args: + - '/usr/local/bin/check_ntp.sh' + interval: '15s' + timeout: '5s' +profiles::consul::client::node_rules: + - resource: service + segment: ntp + disposition: write 
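Review bot: `HTTP_ADDR: '0.0.0.0'` binds Gitea's plain-HTTP listener on every interface even though `profiles::nginx::simpleproxy` on the same host is the TLS front door for port 3000, so the application is reachable unencrypted and proxy-bypassed from the network; set `HTTP_ADDR: '127.0.0.1'`. `SSL_MODE: 'disable'` sends the MariaDB credentials and repository metadata in cleartext to `mariadb-prod.service.au-syd1.consul`; since this estate already issues Vault certificates, `SSL_MODE: 'require'` (or `verify-ca`) should be reachable. `PASSWD: "%{hiera('profiles::gitea::mysql_pass')}"` interpolates the decrypted secret into an ordinary hash, so unless the profile wraps it in `Sensitive` it lands in the catalog, reports and PuppetDB, and `hiera()` interpolation is deprecated in favour of `lookup()`. `SSH_PORT: 2222` alongside `START_SSH_SERVER: false` and `SSH_LISTEN_PORT: 22` looks inconsistent — clone URLs will advertise 2222 while the system sshd serves 22, unless a forward exists that is not shown here.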
diff --git a/hieradata/roles/infra/proxmox.yaml b/hieradata/roles/infra/proxmox.yaml index 7a1b911..b15a126 100644 --- a/hieradata/roles/infra/proxmox.yaml +++ b/hieradata/roles/infra/proxmox.yaml @@ -5,3 +5,17 @@ sudo::configs: content: | ceph ALL=NOPASSWD: /usr/sbin/smartctl -x --json=o /dev/* ceph ALL=NOPASSWD: /usr/sbin/nvme * smart-log-add --json /dev/* + +hiera_exclude: + - networking + +# proxmox tools use root to authenticate against each other +ssh::server::options: + PermitRootLogin: yes + AcceptEnv: + - LANG LC_* + - LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT + - LC_IDENTIFICATION LC_ALL LANGUAGE + - XMODIFIERS + ListenAddress: + - "%{facts.networking.interfaces.enp3s0.ip}" diff --git a/hieradata/roles/infra/puppet/master.yaml b/hieradata/roles/infra/puppet/master.yaml index 4af2c1c..562fbfb 100644 --- a/hieradata/roles/infra/puppet/master.yaml +++ b/hieradata/roles/infra/puppet/master.yaml @@ -37,6 +37,14 @@ profiles::helpers::certmanager::vault_config: output_path: '/tmp/certmanager' role_id: "%{lookup('certmanager::role_id')}" +profiles::helpers::sshsignhost::vault_config: + addr: 'https://vault.service.consul:8200' + mount_point: 'ssh-host-signer' + approle_path: 'approle' + role_name: 'hostrole' + output_path: '/tmp/sshsignhost' + role_id: "%{lookup('sshsignhost::role_id')}" + profiles::puppet::server::agent_server: 'puppet.query.consul' profiles::puppet::server::report_server: 'puppet.query.consul' profiles::puppet::server::ca_server: 'puppetca.query.consul' @@ -50,6 +58,10 @@ profiles::puppet::server::dns_alt_names: - puppetmaster - puppet +profiles::ssh::sign::principals: + - puppet.service.consul + - puppet.query.consul + consul::services: puppet: service_name: 'puppet' diff --git a/hieradata/roles/infra/puppetdb/sql.eyaml b/hieradata/roles/infra/puppetdb/sql.eyaml new file mode 100644 index 0000000..c1c2c5d --- /dev/null +++ b/hieradata/roles/infra/puppetdb/sql.eyaml 
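Review bot: `PermitRootLogin: yes` relies on `PasswordAuthentication: no` inherited from common.yaml to keep root key-only; `PermitRootLogin: prohibit-password` states that policy locally so it survives a password-auth change at any other hierarchy level. Because `ssh::server::options` is deep-merged, the `ListenAddress` and `AcceptEnv` lists here are appended to common.yaml's rather than replacing them, so sshd will also listen on `%{facts.networking.ip}` — if that is intended the override is redundant, and if not it needs a `hash` merge or a knockout prefix. Given the comment that only the Proxmox cluster tools need root, a `Match Address <cluster subnet>` block restricting root login to the peers would limit the exposure further.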
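Review bot: `output_path: '/tmp/sshsignhost'` puts the Vault AppRole login output (token and/or signed host certificate) in world-writable `/tmp`, where any local user can pre-create the path or read leftovers; use a root-owned directory such as `/var/lib/puppet/sshsignhost` with mode `0700`. The config carries only a `role_id`; if the `hostrole` AppRole has `bind_secret_id=false`, that role_id is a bearer credential and its eyaml encryption is the only control, so the role should also be restricted with `secret_id_bound_cidrs`/`token_bound_cidrs` — not visible here. The same `/tmp/certmanager` pattern exists in the unchanged lines above.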
@@ -0,0 +1 @@ +profiles::puppet::puppetdb_sql::consul_test_db_pass: ENC[PKCS7,MIIBiQYJKoZIhvcNAQcDoIIBejCCAXYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAes6pfgtxctlXpsD+P5bahGP46nbXdPE3EiwdWPSiFP0MKfzFKbhlfOMydhz09fXHEa5mpOY3YHxN9W0tNmbs6mMvHIKKvNog6yowv7JnsQ+D89+c3JEdbi+DPwk6wVnKQEgnSn5uzoOHJVOd7hhtX85n1VTw9iTtSPGZprh11A3VII8dkUaPu6jc35rDGV6tgPvxaYy2vVH/b7wGP+kEe9WjoYU7Qw3odrY2yloGbQ3zXGh7ZXvK9iswKIuCLAMPoaUyJpzVooV7VqD4k/zEHhRgf88RMtww//9P8OHPJ9JPM2q3zHyZzoqRfOP723AP9z2V7OyhEoUNw5npaA6TpzBMBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBJevTZmH+Qm1mxwNxHdOzHgCAelk9abLhQkUO29O5d2PP04OTTlmK51BxHb203jqZSFQ==] diff --git a/hieradata/roles/infra/puppetdb/sql.yaml b/hieradata/roles/infra/puppetdb/sql.yaml index 0d6409a..838300d 100644 --- a/hieradata/roles/infra/puppetdb/sql.yaml +++ b/hieradata/roles/infra/puppetdb/sql.yaml 
@@ -2,3 +2,38 @@ postgresql_config_entries: max_connections: 300 shared_buffers: '256MB' + +consul::services: + puppetdbsql: + service_name: 'puppetdbsql' + tags: + - 'puppet' + - 'puppetdb' + - 'database' + address: "%{facts.networking.ip}" + port: 5432 + checks: + - id: 'psql-check' + name: 'PostgreSQL Health Check' + args: + - '/usr/local/bin/check_consul_postgresql' + interval: '10s' + timeout: '1s' +profiles::consul::client::node_rules: + - resource: service + segment: puppetdbsql + disposition: write + +profiles::yum::global::repos: + postgresql-15: + name: postgresql-15 + descr: postgresql-15 repository + target: /etc/yum.repos.d/postgresql.repo + baseurl: https://edgecache.query.consul/postgres/yum/15/redhat/rhel-%{facts.os.release.full}-%{facts.os.architecture} + gpgkey: https://edgecache.query.consul/postgres/yum/keys/PGDG-RPM-GPG-KEY-RHEL + postgresql-common: + name: postgresql-common + descr: postgresql-common repository + target: /etc/yum.repos.d/postgresql.repo + baseurl: https://edgecache.query.consul/postgres/yum/common/redhat/rhel-%{facts.os.release.full}-%{facts.os.architecture} + gpgkey: https://edgecache.query.consul/postgres/yum/keys/PGDG-RPM-GPG-KEY-RHEL diff --git a/hieradata/roles/infra/storage/consul.yaml b/hieradata/roles/infra/storage/consul.yaml index a3ea581..2902de3 100644 --- a/hieradata/roles/infra/storage/consul.yaml +++ b/hieradata/roles/infra/storage/consul.yaml @@ -77,3 +77,9 @@ profiles::consul::prepared_query::rules: service_failover_n: 3 service_only_passing: true ttl: 10 + ntp: + ensure: 'present' + service_name: 'ntp' + service_failover_n: 3 + service_only_passing: true + ttl: 10 diff --git a/modules/libs/lib/facter/sshd_host_cert_exists.rb b/modules/libs/lib/facter/sshd_host_cert_exists.rb new file mode 100644 index 0000000..c3f8283 --- /dev/null +++ b/modules/libs/lib/facter/sshd_host_cert_exists.rb 
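Review bot: The Consul check `/usr/local/bin/check_consul_postgresql` presumably consumes the `consul_test_db_pass` added in `sql.eyaml`, but neither the script nor how the secret reaches it is in this diff; it should be read from a root-only file rather than passed in `args`, where it would show in `ps` and in the Consul catalog. `timeout: '1s'` for a `psql` round-trip is tight and will flap under load, and with `service_only_passing` prepared queries that turns latency into unavailability. `address: "%{facts.networking.ip}"` advertises Postgres to the whole Consul cluster; `pg_hba`/firewall restrictions are assumed to exist elsewhere.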
@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+# lib/facter/sshd_host_cert_exists.rb
+require 'puppet'
+
+Facter.add('sshd_host_cert_exists') do
+ setcode do
+ File.exist?('/etc/ssh/ssh_host_rsa_key-cert.pem')
+ end
+end
diff --git a/modules/libs/lib/facter/sshd_host_principals.rb b/modules/libs/lib/facter/sshd_host_principals.rb
new file mode 100644
index 0000000..4c3cd75
--- /dev/null
+++ b/modules/libs/lib/facter/sshd_host_principals.rb
@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+# lib/facter/sshd_host_principals.rb
+require 'puppet'
+
+Facter.add('sshd_host_principals') do
+ setcode do
+ principals_file = '/etc/ssh/host_principals'
+ if File.exist?(principals_file)
+ File.read(principals_file).split("\n")
+ else
+ []
+ end
+ end
+end
diff --git a/modules/networking/manifests/init.pp b/modules/networking/manifests/init.pp
new file mode 100644
index 0000000..f7239d5
--- /dev/null
+++ b/modules/networking/manifests/init.pp
@@ -0,0 +1,35 @@
+# unkin networking module
+class networking (
+ Hash $interfaces = {},
+ Hash $routes = {},
+){
+
+ include network
+ include networking::params
+
+ $interfaces.each | $interface, $data | {
+ network_config {$interface:
+ * => $data,
+ }
+ }
+ $routes.each | $route, $data | {
+ network_route {$route:
+ * => $data,
+ }
+ }
+
+ # prevent DNS from being overwritten by networkmanager
+ if $networking::params::nwmgr_dns_none {
+ file {'/etc/NetworkManager/conf.d/dns_none.conf':
+ ensure => 'file',
+ owner => 'root',
+ group => 'root',
+ mode => '0655',
+ content => "[main]\ndns=none",
+ }
+ }else{
+ file {'/etc/NetworkManager/conf.d/dns_none.conf':
+ ensure => 'absent',
+ }
+ }
+}
diff --git a/modules/networking/manifests/params.pp b/modules/networking/manifests/params.pp
new file mode 100644
index 0000000..27f58b8
--- /dev/null
+++ b/modules/networking/manifests/params.pp
@@ -0,0 +1,6 @@
+# networking params
+class networking::params (
+ Boolean $nwmgr_dns_none = true,
+ Boolean $nwmgr_service_running = true,
+){
+}
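Review bot: `require 'puppet'` is not needed for a `File.exist?` call and makes this fact load the whole Puppet library (and fail under a standalone `facter` run that lacks it); custom facts only need `Facter`, so drop the line here and in `sshd_host_principals.rb` in the next hunk. A one-line header saying who consumes the fact would also help the next reader, e.g. `# true when the signed host certificate is present; read by profiles::ssh::sign to decide whether to request a new one`.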
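Review bot: `File.read(principals_file).split("\n")` keeps trailing whitespace and empty entries (a CRLF or a final blank line yields `"host\r"` or `""`), and `profiles::ssh::sign` compares `sort($::facts['sshd_host_principals'])` against the list it writes with `join(..., "\n")`, so any stray whitespace makes the comparison fail and a new certificate is requested on every run. Use `File.readlines(principals_file, chomp: true).map(&:strip).reject(&:empty?)` so the fact reflects the logical content of the file rather than its exact bytes.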
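Review bot: `mode => '0655'` on `/etc/NetworkManager/conf.d/dns_none.conf` sets the execute bit for group and other on a plain config file; it should be `mode => '0644'`. `networking::params::nwmgr_service_running` is declared in `params.pp` but nothing in this class reads it, so either wire it to a `service` resource or drop it. The `network_config`/`network_route` splats pass hiera data straight through; a comment above each loop noting that the hash keys are the puppet-network type attributes would save the next reader a lookup.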
diff --git a/site/profiles/manifests/base.pp b/site/profiles/manifests/base.pp
index 13f6b10..13d18dd 100644
--- a/site/profiles/manifests/base.pp
+++ b/site/profiles/manifests/base.pp
@@ -32,6 +32,8 @@ class profiles::base (
 include profiles::ntp::client
 include profiles::dns::base
 include profiles::pki::vault
+ include profiles::ssh::sign
+ include profiles::ssh::knownhosts
 include profiles::cloudinit::init
 include profiles::metrics::default
 include profiles::helpers::node_lookup
@@ -56,7 +58,9 @@ class profiles::base (
 }
 # include classes from hiera
- lookup('hiera_classes', Array[String], 'unique').include
+ $hiera_include = lookup('hiera_include', Array[String], 'unique', [])
+ $hiera_exclude = lookup('hiera_exclude', Array[String], 'unique', [])
+ ($hiera_include - $hiera_exclude).include
 # specifc ordering constraints
 Class['profiles::pki::vaultca']
diff --git a/site/profiles/manifests/cobbler/service.pp b/site/profiles/manifests/cobbler/service.pp
index 63b2645..ed03c83 100644
--- a/site/profiles/manifests/cobbler/service.pp
+++ b/site/profiles/manifests/cobbler/service.pp
@@ -14,4 +14,11 @@ class profiles::cobbler::service inherits profiles::cobbler::params {
 enable => true,
 require => File['/etc/httpd/conf.d/ssl.conf'],
 }
+
+ # ensure tftp is running
+ service {'tftp':
+ ensure => 'running',
+ enable => true,
+ require => Package['cobbler'],
+ }
 }
diff --git a/site/profiles/manifests/consul/client.pp b/site/profiles/manifests/consul/client.pp
index 4524b87..d1d82d8 100644
--- a/site/profiles/manifests/consul/client.pp
+++ b/site/profiles/manifests/consul/client.pp
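Review bot: `hiera_exclude` is introduced without documentation, and the subtraction is an exact string match on class names, so `hiera_exclude: ['ssh']` would not remove `ssh::server`; the comment above the lookups should state that. Replace `# include classes from hiera` with `# include every class in hiera_include (merged 'unique'), minus the exact class names listed in hiera_exclude` so the contract is visible where it is applied.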
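Review bot: `Service['tftp']` is ordered after `Package['cobbler']`, but the tftp daemon is normally shipped by a separate package, so unless the cobbler package pulls it in the service resource will fail on a fresh host. If that package is already managed elsewhere in `profiles::cobbler`, require that resource instead of `Package['cobbler']`; otherwise add the package resource here before the service. The class body continues outside this hunk, so the rest of its package handling is not visible.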
@@ -36,14 +36,15 @@ class profiles::consul::client (
 # deploy the consul agent
 class { 'consul':
 config_hash => {
- 'data_dir' => $data_dir,
- 'datacenter' => $consul_cluster,
- 'log_level' => 'INFO',
- 'node_name' => $facts['networking']['fqdn'],
- 'retry_join' => $servers_array,
- 'bind_addr' => $::facts['networking']['ip'],
- 'advertise_addr' => $::facts['networking']['ip'],
- 'acl' => {
+ 'data_dir' => $data_dir,
+ 'datacenter' => $consul_cluster,
+ 'log_level' => 'INFO',
+ 'node_name' => $facts['networking']['fqdn'],
+ 'retry_join' => $servers_array,
+ 'bind_addr' => $::facts['networking']['ip'],
+ 'advertise_addr' => $::facts['networking']['ip'],
+ 'enable_script_checks' => true,
+ 'acl' => {
 tokens => {
 default => fqdn_uuid("${facts['networking']['fqdn']}-${secret_id_salt}")
 }
diff --git a/site/profiles/manifests/defaults.pp b/site/profiles/manifests/defaults.pp
index c0b94a8..be4ec87 100644
--- a/site/profiles/manifests/defaults.pp
+++ b/site/profiles/manifests/defaults.pp
@@ -34,7 +34,6 @@ class profiles::defaults {
 ensure => 'present',
 enabled => 1,
 gpgcheck => 1,
- mirrorlist => 'absent',
 require => Class['profiles::pki::vaultca'],
 notify => Exec['dnf_makecache'],
 }
diff --git a/site/profiles/manifests/gitea/init.pp b/site/profiles/manifests/gitea/init.pp
index 90e9e47..299a0d4 100644
--- a/site/profiles/manifests/gitea/init.pp
+++ b/site/profiles/manifests/gitea/init.pp
@@ -1,7 +1,13 @@
 # profiles::gitea::init
 class profiles::gitea::init (
- String $mysql_pass = '',
 String $lfs_jwt_secret = '',
+ Hash $root = {},
+ Hash $server = {},
+ Hash $database = {},
+ Hash $repository = {},
+ Hash $session = {},
+ Hash $lfs = {},
+ Hash $ui = {},
 ) {
 include profiles::nginx::simpleproxy
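Review bot: `'enable_script_checks' => true` also permits script checks to be registered through the agent HTTP API, which lets anything that can reach the agent API run commands as the consul user; the check this commit adds in `hieradata/roles/infra/puppetdb/sql.yaml` is defined in the agent's config files, so `'enable_local_script_checks' => true` is sufficient and is the setting Consul documents for file-defined checks. The realignment of the surrounding keys is fine but turns a one-line functional change into a nine-line hunk; a separate whitespace commit would keep the change reviewable.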
@@ -10,46 +16,13 @@ class profiles::gitea::init ( ensure => '1.22.0', checksum => 'a31086f073cb9592d28611394b2de3655db515d961e4fdcf5b549cb40753ef3d', custom_configuration => { - '' => { - 'APP_NAME' => 'Gitea', - 'RUN_USER' => 'git', - 'RUN_MODE' => 'prod', - }, - 'repository' => { - 'ROOT' => '/data/gitea/repos', - 'FORCE_PRIVATE' => false, - 'MAX_CREATION_LIMIT' => -1, - 'DISABLE_HTTP_GIT' => false, - 'DEFAULT_BRANCH' => 'main', - 'DEFAULT_PRIVATE' => 'last', - }, - 'ui' => { - 'SHOW_USER_EMAIL' => false, - }, - 'server' => { - 'PROTOCOL' => 'http', - 'DOMAIN' => 'git.query.consul', - 'ROOT_URL' => 'https://git.query.consul', - 'HTTP_ADDR' => '0.0.0.0', - 'HTTP_PORT' => 3000, - 'START_SSH_SERVER' => false, - 'SSH_DOMAIN' => 'git.query.consul', - 'SSH_PORT' => 2222, - 'SSH_LISTEN_HOST' => '0.0.0.0', - 'OFFLINE_MODE' => true, - 'APP_DATA_PATH' => '/var/lib/gitea/data', - 'SSH_LISTEN_PORT' => 22, - }, - 'database' => { - 'DB_TYPE' => 'mysql', - 'HOST' => 'mariadb-prod.service.au-syd1.consul:3306', - 'NAME' => 'gitea', - 'USER' => 'gitea', - 'PASSWD' => Sensitive($mysql_pass), - 'SSL_MODE' => 'disable', - 'PATH' => '/var/lib/gitea/data/gitea.db', - 'LOG_SQL' => false, - }, - } + '' => $root, + server => $server, + database => $database, + repository => $repository, + session => $session, + lfs => $lfs, + ui => $ui, + }, } } diff --git a/site/profiles/manifests/helpers/sshsignhost.pp b/site/profiles/manifests/helpers/sshsignhost.pp new file mode 100644 index 0000000..c27678c --- /dev/null +++ b/site/profiles/manifests/helpers/sshsignhost.pp 
@@ -0,0 +1,77 @@
+# profiles::helpers::sshsignhost
+#
+# wrapper class for python, pip and venv
+class profiles::helpers::sshsignhost (
+ String $script_name = 'sshsignhost',
+ Stdlib::AbsolutePath $base_path = "/opt/${script_name}",
+ Stdlib::AbsolutePath $venv_path = "${base_path}/venv",
+ Stdlib::AbsolutePath $config_path = "${base_path}/config.yaml",
+ Hash $vault_config = {},
+ String $owner = 'root',
+ String $group = 'root',
+ Boolean $systempkgs = false,
+ String $version = 'system',
+ Array[String[1]] $packages = ['requests', 'pyyaml'],
+){
+
+ if $::facts['python3_version'] {
+
+ $python_version = $version ? {
+ 'system' => $::facts['python3_version'],
+ default => $version,
+ }
+
+ # ensure the base_path exists
+ file { $base_path:
+ ensure => directory,
+ mode => '0755',
+ owner => $owner,
+ group => $group,
+ }
+
+ # create a venv
+ python::pyvenv { $venv_path :
+ ensure => present,
+ version => $python_version,
+ systempkgs => $systempkgs,
+ venv_dir => $venv_path,
+ owner => $owner,
+ group => $group,
+ require => File[$base_path],
+ }
+
+ # install the required pip packages
+ $packages.each |String $package| {
+ python::pip { "${venv_path}_${package}":
+ ensure => present,
+ pkgname => $package,
+ virtualenv => $venv_path,
+ }
+ }
+
+ # create the script from a template
+ file { "${base_path}/${script_name}":
+ ensure => file,
+ mode => '0755',
+ content => template("profiles/helpers/${script_name}.erb"),
+ require => Python::Pyvenv[$venv_path],
+ }
+
+ # create the config from a template
+ file { $config_path:
+ ensure => file,
+ mode => '0660',
+ owner => 'puppet',
+ group => 'root',
+ content => Sensitive(template("profiles/helpers/${script_name}_config.yaml.erb")),
+ require => Python::Pyvenv[$venv_path],
+ }
+
+ # create symbolic link in $PATH
+ file { "/usr/local/bin/${script_name}":
+ ensure => 'link',
+ target => "${base_path}/${script_name}",
+ require => File["${base_path}/${script_name}"],
+ }
+ }
+}
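Review bot: The header `# wrapper class for python, pip and venv` describes the venv boilerplate rather than the purpose; replace it with `# installs the sshsignhost helper (venv, script, Vault AppRole config) that profiles::ssh::sign calls via generate()`. `Hash $vault_config = {}` is unchecked, yet `sshsignhost_config.yaml.erb` reads `addr`, `role_id`, `approle_path`, `mount_point` and `role_name` from it, so a missing key renders as an empty quoted string and only fails later at signing time; a `Struct[{ addr => Stdlib::HTTPUrl, role_id => String[1], approle_path => String[1], mount_point => String[1], role_name => String[1], Optional[output_path] => String }]` type would fail the compile instead. The config is written `mode => '0660'` owned by `puppet`, which is appropriate for the role_id, but the script is run by `generate()` inside the compiling server process, so confirm that process really runs as `puppet` on these hosts.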
diff --git a/site/profiles/manifests/ntp/server.pp b/site/profiles/manifests/ntp/server.pp
index 88f1426..a8a1c77 100644
--- a/site/profiles/manifests/ntp/server.pp
+++ b/site/profiles/manifests/ntp/server.pp
@@ -35,5 +35,13 @@ class profiles::ntp::server (
 queryhosts => $allowquery,
 }
 }
+
+ file {'/usr/local/bin/check_ntp.sh':
+ ensure => 'file',
+ owner => 'root',
+ group => 'root',
+ mode => '0755',
+ content => template('profiles/ntp/check_ntp.sh.erb'),
+ }
 }
 }
diff --git a/site/profiles/manifests/puppet/client.pp b/site/profiles/manifests/puppet/client.pp
index aa3444c..1888cf5 100644
--- a/site/profiles/manifests/puppet/client.pp
+++ b/site/profiles/manifests/puppet/client.pp
@@ -12,6 +12,7 @@ class profiles::puppet::client (
 Integer $runtimeout = 3600,
 Boolean $show_diff = true,
 Boolean $usecacheonfailure = false,
+ Integer $facts_soft_limit = 4096,
 ) {
 # dont manage puppet.conf if this is a puppetmaster
diff --git a/site/profiles/manifests/puppet/enc.pp b/site/profiles/manifests/puppet/enc.pp
index fcfeec7..4b986fa 100644
--- a/site/profiles/manifests/puppet/enc.pp
+++ b/site/profiles/manifests/puppet/enc.pp
@@ -10,32 +10,12 @@ class profiles::puppet::enc (
 Boolean $force = false,
 ) {
- vcsrepo { '/opt/puppetlabs/enc':
- ensure => latest,
- provider => git,
- source => $repo,
- revision => $release,
- force => $force,
- require => Package['git'],
- }
 file { '/opt/puppetlabs/bin/enc':
- ensure => link,
- target => '/opt/puppetlabs/enc/enc.py',
- require => Vcsrepo['/opt/puppetlabs/enc'],
+ ensure => absent,
 }
 file { '/opt/puppetlabs/bin/puppet-enc':
- ensure => file,
- owner => 'root',
- group => 'root',
- mode => '0755',
- content => "#!/bin/bash\n(
- cd /opt/puppetlabs/enc/
- git reset --hard master
- git clean -fd
- git pull\n)",
- require => Package['git'],
+ ensure => absent,
 }
 $_timer = @(EOT)
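Review bot: The clean-up removes the wrapper script and the symlink but leaves the `/opt/puppetlabs/enc` checkout that the removed `vcsrepo` used to manage, and the second hunk of this file keeps `systemd::timer { 'puppet-enc.timer' }` with `active => false` rather than removing it, so a stale clone and a dormant unit remain on every server. If the ENC is retired, add `file { '/opt/puppetlabs/enc': ensure => absent, force => true, }` and set the timer to `ensure => absent`; if the directory is kept deliberately, say so in a comment. As far as these hunks show, the class parameters `$repo`, `$release` and `$force` no longer have a consumer.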
@@ -63,8 +43,7 @@ class profiles::puppet::enc (
 systemd::timer { 'puppet-enc.timer':
 timer_content => $_timer,
 service_content => $_service,
- active => true,
- enable => true,
- require => File['/opt/puppetlabs/bin/puppet-enc'],
+ active => false,
+ enable => false,
 }
 }
diff --git a/site/profiles/manifests/puppet/puppetca.pp b/site/profiles/manifests/puppet/puppetca.pp
index e94ecad..4e6233b 100644
--- a/site/profiles/manifests/puppet/puppetca.pp
+++ b/site/profiles/manifests/puppet/puppetca.pp
@@ -21,16 +21,40 @@ class profiles::puppet::puppetca (
 # manage the crl file
 if $is_puppetca {
 # export the puppet crl.pem
- @@file { '/etc/puppetlabs/puppet/ssl/crl.pem':
+ @@file { '/etc/puppetlabs/puppet/ssl/crl.pem.latest':
 ensure => file,
 content => file('/etc/puppetlabs/puppet/ssl/crl.pem'),
 tag => 'crl_pem_export',
 }
+ systemd::manage_dropin { 'copy_crl.conf':
+ ensure => absent,
+ unit => 'puppetserver.service',
+ }
 }else{
 # import the puppet crl.pem
 File <<| tag == 'crl_pem_export' |>> {
 require => Service['puppetserver'],
 }
+ # copy latest to active location
+ file { '/etc/puppetlabs/puppet/ssl/crl.pem':
+ ensure => file,
+ owner => 'puppet',
+ group => 'puppet',
+ source => '/etc/puppetlabs/puppet/ssl/crl.pem.latest',
+ require => File['/etc/puppetlabs/puppet/ssl/crl.pem.latest'],
+ }
+ # copy the latest crl when restarting
+ systemd::manage_dropin { 'copy_crl.conf':
+ ensure => present,
+ unit => 'puppetserver.service',
+ service_entry => {
+ 'ExecStartPost' => [
+ '/usr/bin/sleep 2',
+ '/bin/cp /etc/puppetlabs/puppet/ssl/crl.pem.latest /etc/puppetlabs/puppet/ssl/crl.pem',
+ ],
+ },
+ require => File['/etc/puppetlabs/puppet/ssl/crl.pem'],
+ }
 }
 # register the PuppetCA service with consul
diff --git a/site/profiles/manifests/puppet/puppetdb_sql.pp b/site/profiles/manifests/puppet/puppetdb_sql.pp
index 1765003..c13a778 100644
--- a/site/profiles/manifests/puppet/puppetdb_sql.pp
+++ b/site/profiles/manifests/puppet/puppetdb_sql.pp
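Review bot: On the non-CA servers the `file { '/etc/puppetlabs/puppet/ssl/crl.pem' }` resource copies the exported CRL into place but carries no `notify => Service['puppetserver']`, and the `copy_crl.conf` drop-in only acts on restart, so unless the server re-reads `crl.pem` on its own (worth confirming for the Puppet Server version in use) a newly revoked certificate is not honoured until something else restarts the service; add the notify, or a reload, to close that gap. The `/usr/bin/sleep 2` in `ExecStartPost` is a timing workaround with no explanation and deserves a comment such as `# wait for puppetserver to finish reading its ssl dir before replacing the CRL`, and since the file resource above already places the same content before any restart, the drop-in copy looks redundant. `crl.pem` has no `mode`, so it inherits whatever the copy produces; `mode => '0644'` makes the intent explicit.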
@@ -2,6 +2,7 @@ class profiles::puppet::puppetdb_sql (
 String $puppetdb_host = lookup('puppetdbsql'),
 String $listen_address = $facts['networking']['ip'],
+ String $consul_test_db_pass = '',
 ) {
 # disable the postgresql dnf module for el8+
@@ -17,9 +18,11 @@ class profiles::puppet::puppetdb_sql (
 # Install and configure PostgreSQL for PuppetDB
 class { 'puppetdb::database::postgresql':
- listen_addresses => $listen_address,
- postgres_version => '15',
- puppetdb_server => $puppetdb_host,
+ listen_addresses => $listen_address,
+ postgres_version => '15',
+ puppetdb_server => $puppetdb_host,
+ manage_package_repo => false,
+ require => [ Yumrepo['postgresql-15'],Yumrepo['postgresql-common'] ],
 }
 contain ::puppetdb::database::postgresql
@@ -32,4 +35,19 @@ class profiles::puppet::puppetdb_sql (
 value => $value,
 }
 }
+
+ # create consul database + user to test the host is responsive
+ postgresql::server::db { 'consul_test_db':
+ user => 'consul_test_user',
+ password => postgresql::postgresql_password('consul_test_user', Sensitive($consul_test_db_pass) ),
+ }
+
+ file { '/usr/local/bin/check_consul_postgresql':
+ ensure => 'file',
+ owner => 'root',
+ group => 'root',
+ mode => '0755',
+ content => template('profiles/puppetdb/check_consul_postgresql.erb'),
+ before => Class['profiles::consul::client'],
+ }
 }
diff --git a/site/profiles/manifests/puppet/puppetmaster.pp b/site/profiles/manifests/puppet/puppetmaster.pp
index 6ce7ca5..17bb350 100644
--- a/site/profiles/manifests/puppet/puppetmaster.pp
+++ b/site/profiles/manifests/puppet/puppetmaster.pp
@@ -15,6 +15,7 @@ class profiles::puppet::puppetmaster (
 include profiles::puppet::autosign
 include profiles::puppet::gems
 include profiles::helpers::certmanager
+ include profiles::helpers::sshsignhost
 include profiles::puppet::server
 include profiles::puppet::puppetca
 include profiles::puppet::eyaml
diff --git a/site/profiles/manifests/puppet/server.pp b/site/profiles/manifests/puppet/server.pp
index 771d41a..09b27e1 100644
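Review bot: `$consul_test_db_pass` is wrapped in `Sensitive()` for the database role, but the same value is rendered by `check_consul_postgresql.erb` into `/usr/local/bin/check_consul_postgresql` with `mode => '0755'`, so the password is readable by every local user, and because the `content` is not `Sensitive` it also appears in file diffs and reports. Wrap it as `content => Sensitive(template('profiles/puppetdb/check_consul_postgresql.erb'))`, drop world-read with `mode => '0750'` and the group the consul agent runs as (confirm that user on these hosts), or better keep the credential out of the script via a `.pgpass` for that user. The default `''` in the first hunk of this file means a `consul_test_user` with an empty password is created whenever hiera supplies nothing; declaring the parameter `String[1]` fails the compile instead of leaving a silently weak account.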
--- a/site/profiles/manifests/puppet/server.pp
+++ b/site/profiles/manifests/puppet/server.pp
@@ -28,6 +28,7 @@ class profiles::puppet::server (
 Integer $runinterval = 1800,
 Integer $runtimeout = 3600,
 Boolean $show_diff = true,
+ Integer $facts_soft_limit = 4096,
 ) {
 file { '/etc/puppetlabs/puppet/puppet.conf':
@@ -59,6 +60,7 @@ class profiles::puppet::server (
 'storeconfigs_backend' => $storeconfigs_backend,
 'reports' => $reports,
 'usecacheonfailure' => $usecacheonfailure,
+ 'facts_soft_limit' => $facts_soft_limit,
 }),
 notify => Service['puppetserver'],
 }
@@ -69,4 +71,14 @@ class profiles::puppet::server (
 hasstatus => true,
 hasrestart => true,
 }
+ # generate puppet types when restarting
+ systemd::manage_dropin { 'generate_types.conf':
+ ensure => present,
+ unit => 'puppetserver.service',
+ service_entry => {
+ 'ExecStartPost' => [
+ "/opt/puppetlabs/bin/puppet generate types --environmentpath ${codedir}/environments",
+ ],
+ },
+ }
 }
diff --git a/site/profiles/manifests/ssh/knownhosts.pp b/site/profiles/manifests/ssh/knownhosts.pp
new file mode 100644
index 0000000..aeff1c6
--- /dev/null
+++ b/site/profiles/manifests/ssh/knownhosts.pp
@@ -0,0 +1,12 @@
+# manage known hosts
+class profiles::ssh::knownhosts (
+ Array $lines = [],
+) {
+ file {'/etc/ssh/ssh_known_hosts':
+ ensure => 'file',
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ content => template('profiles/ssh/ssh_known_hosts.erb'),
+ }
+}
diff --git a/site/profiles/manifests/ssh/sign.pp b/site/profiles/manifests/ssh/sign.pp
new file mode 100644
index 0000000..7796925
--- /dev/null
+++ b/site/profiles/manifests/ssh/sign.pp
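Review bot: The `generate_types.conf` drop-in runs `puppet generate types` in `ExecStartPost`, which systemd waits for before the unit counts as started, so with several environments under `${codedir}/environments` a restart can run into the unit's start timeout and a single broken environment blocks puppetserver from starting. If the generation stays tied to the service rather than to code deploy, at least make it non-fatal with the systemd ignore-failure prefix, `"-/opt/puppetlabs/bin/puppet generate types --environmentpath ${codedir}/environments"`, and add a comment saying why it is needed at startup. `$codedir` is used here but is not among the parameters visible in these hunks; a comment pointing at where it is defined would help.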
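Review bot: `Array $lines = []` accepts elements of any type and the template prints each with `<%= line %>`, so a hash or number from hiera silently produces a malformed `ssh_known_hosts`; `Array[String[1]] $lines = []` fails at compile time instead. The header `# manage known hosts` should say what the lines are, since `common.yaml` in this commit feeds it a `@cert-authority` entry: `# manage /etc/ssh/ssh_known_hosts from hiera-supplied lines (normally @cert-authority entries for the host-signing CA)`.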
@@ -0,0 +1,84 @@
+# profiles::ssh::sign
+class profiles::ssh::sign (
+ Optional[Array[Stdlib::Host]] $principals = [],
+){
+
+ # validate and prepare additional alt_names, if any
+ $default_principals = [
+ $::facts['networking']['hostname'],
+ $::facts['networking']['fqdn'],
+ $::facts['networking']['ip'],
+ ]
+ $effective_principals = $principals ? {
+ [] => $default_principals,
+ default => concat($default_principals, $principals),
+ }
+
+ # path for the principals file
+ $principals_file = '/etc/ssh/host_principals'
+
+ # alt_names_file contents
+ $principals_file_content = $effective_principals
+
+ # manage the alt names file
+ file { $principals_file:
+ ensure => file,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ content => join($principals_file_content, "\n"),
+ }
+
+ # compare the sorted arrays of principals from disk (fact) vs what is intended (this run)
+ $principals_match = sort($::facts['sshd_host_principals']) == sort($principals_file_content)
+
+ # only renew signed certificate if doesnt exist or the principals have changed
+ if ! $::facts['sshd_host_cert_exists'] or ! $principals_match {
+
+ $common_name = $::facts['networking']['fqdn']
+ $valid_hours = '87600h'
+
+ # prepare alt_names and ip_sans arguments conditionally
+ $principals_string = $effective_principals.empty() ? 
{
+ true => '',
+ default => join($effective_principals, ','),
+ }
+
+ # sshsignhost arguments
+ $cmd = '/usr/local/bin/sshsignhost'
+ $principals_arg = '--valid_principals'
+ $ttl_arg = '--ttl'
+ $public_key_arg = '--public_key'
+
+ # call the script with generate(), capturing json output
+ $json_output = generate(
+ $cmd,
+ $principals_arg,
+ $principals_string,
+ $ttl_arg,
+ $valid_hours,
+ $public_key_arg,
+ "${facts['ssh']['rsa']['type']} ${facts['ssh']['rsa']['key']}",
+ '--json'
+ )
+ $signed_data = parsejson($json_output)
+
+ # manage the signed hostkey file
+ file { '/etc/ssh/ssh_host_rsa_key-cert.pem':
+ ensure => file,
+ content => $signed_data['signed_key'],
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ }
+
+ }else{
+ # manage the signed hostkey file
+ file { '/etc/ssh/ssh_host_rsa_key-cert.pem':
+ ensure => file,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ }
+ }
+}
diff --git a/site/profiles/manifests/yum/global.pp b/site/profiles/manifests/yum/global.pp
index a9fbef5..ed36d63 100644
--- a/site/profiles/manifests/yum/global.pp
+++ b/site/profiles/manifests/yum/global.pp
@@ -16,6 +16,13 @@ class profiles::yum::global (
 purge => $purge,
 }
+ #exec {'purge_almalinux_default_repos':
+ # command => 'rm -f /etc/yum.repos.d/almalinux*.repo',
+ # path => ['/bin', '/usr/bin'],
+ # onlyif => 'find /etc/yum.repos.d/ -type f -name *almalinux* | grep .',
+ # before => Resources['yumrepo'],
+ #}
+
 # download all gpg keys if a repo defines it
 $repos.each |$name, $repo| {
 if $repo['gpgkey'] {
@@ -29,11 +36,12 @@ class profiles::yum::global (
 before => Yumrepo[$name],
 }
 }
+ # create the repo
+ yumrepo { $name:
+ * => $repo,
+ }
 }
- # create repos
- create_resources('yumrepo', $repos)
-
 # makecache if changes made to repos
 exec {'dnf_makecache':
 command => 'dnf makecache -q',
diff --git a/site/profiles/templates/helpers/sshsignhost.erb b/site/profiles/templates/helpers/sshsignhost.erb
new file mode 100644
index 0000000..f12a6b9
--- /dev/null
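Review bot: Every principal written into the signed host certificate comes from agent-reported facts (`$::facts['networking']['hostname']`, `['fqdn']`, `['ip']`, plus the `sshd_host_principals` fact used for the comparison) and the key from `$facts['ssh']['rsa']`, and `generate()` then runs `/usr/local/bin/sshsignhost` on the compile server with the server's own Vault AppRole, so a node that can alter its facts can be issued a host certificate carrying another host's name. Use `$trusted['certname']` (bound to the agent's Puppet certificate) as the FQDN principal and restrict the Vault role's allowed principals accordingly, so a node can only obtain its own identity. `Optional[Array[Stdlib::Host]] $principals = []` admits `undef`, which the selector would pass straight into `concat($default_principals, $principals)`; drop `Optional` since the default is already `[]`. `$common_name` is assigned and never used, and the comments still speak of `alt_names`/`ip_sans` from the TLS helper this was adapted from.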
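Review bot: The commented-out `exec {'purge_almalinux_default_repos'}` block is dead code committed with an `rm -f` command and a shell pipeline in `onlyif`; either drop it or, if the intent is to remove vendor repo files, use the `purge => $purge` on the resource just above this hunk (its declaration is outside the hunk) rather than an exec. If it is kept as a reminder, a one-line comment such as `# disabled: purge on the yum.repos.d file resource covers this` is needed so the next reader does not re-enable it blindly.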
+++ b/site/profiles/templates/helpers/sshsignhost.erb 
@@ -0,0 +1,83 @@
+#!<%= @venv_path %>/bin/python
+import argparse
+import requests
+import json
+import yaml
+
+# remove this after certs are generated everywhere
+requests.packages.urllib3.disable_warnings()
+
+def load_config(config_path):
+ with open(config_path, 'r') as file:
+ config = yaml.safe_load(file)
+ return config['vault']
+
+def authenticate_approle(vault_config):
+ url = f"{vault_config['addr']}/v1/auth/{vault_config['approle_path']}/login"
+ payload = {
+ "role_id": vault_config['role_id'],
+ }
+ response = requests.post(url, json=payload, verify=False)
+ if response.status_code == 200:
+ auth_response = response.json()
+ return auth_response['auth']['client_token']
+ else:
+ print(f"Error authenticating with AppRole: {response.text}")
+ return None
+
+def sign_ssh_certificate(vault_config, public_key, valid_principals, ttl):
+ # Authenticate using AppRole and get a token
+ client_token = authenticate_approle(vault_config)
+ if not client_token:
+ print("Failed to authenticate with Vault using AppRole.")
+ return None
+
+ # Prepare the SSH certificate signing request
+ url = f"{vault_config['addr']}/v1/{vault_config['mount_point']}/sign/{vault_config['role_name']}"
+ headers = {'X-Vault-Token': client_token}
+ payload = {
+ "cert_type": "host",
+ "public_key": public_key,
+ "valid_principals": valid_principals,
+ "ttl": ttl
+ }
+
+ # Request the SSH certificate signing
+ response = requests.post(url, headers=headers, json=payload, verify=False)
+ if response.status_code == 200:
+ return response.json()
+ else:
+ print(f"Error requesting certificate: {response.text}")
+ return None
+
+def main(config_file):
+ config = load_config(config_file)
+ parser = argparse.ArgumentParser(description='Sign SSH host certificate using Vault.')
+ parser.add_argument('--public_key', required=True, help='SSH public key as a string')
+ parser.add_argument('--valid_principals', required=True, help='Comma-separated list of valid principals')
+ 
parser.add_argument('--ttl', default='87600h', help='Time-to-live for the certificate (default: 87600h)')
+ parser.add_argument('--json', action='store_true', help='Output the resulting certificate as JSON')
+
+ args = parser.parse_args()
+
+ # Load configuration
+ config = load_config(config_file)
+
+ # Sign SSH certificate
+ response = sign_ssh_certificate(config, args.public_key, args.valid_principals, args.ttl)
+
+ if response and 'data' in response and 'signed_key' in response['data']:
+ if args.json:
+ output = {
+ 'signed_key': response['data']['signed_key'],
+ }
+ print(json.dumps(output))
+ else:
+ print(response['data']['signed_key'])
+ else:
+ print("Error: The response does not contain the expected data.")
+ exit(1)
+
+if __name__ == "__main__":
+ config_file = '<%= @config_path %>'
+ main(config_file)
diff --git a/site/profiles/templates/helpers/sshsignhost_config.yaml.erb b/site/profiles/templates/helpers/sshsignhost_config.yaml.erb
new file mode 100644
index 0000000..1b3e1ed
--- /dev/null
+++ b/site/profiles/templates/helpers/sshsignhost_config.yaml.erb
@@ -0,0 +1,7 @@
+vault:
+ addr: '<%= @vault_config['addr'] %>'
+ role_id: '<%= @vault_config['role_id'] %>'
+ approle_path: '<%= @vault_config['approle_path'] %>'
+ mount_point: '<%= @vault_config['mount_point'] %>'
+ role_name: '<%= @vault_config['role_name'] %>'
+output_path: '<%= @vault_config['output_path'] %>'
diff --git a/site/profiles/templates/ntp/check_ntp.sh.erb b/site/profiles/templates/ntp/check_ntp.sh.erb
new file mode 100644
index 0000000..6b940ba
--- /dev/null
+++ b/site/profiles/templates/ntp/check_ntp.sh.erb
@@ -0,0 +1,8 @@
+#!/usr/bin/bash
+
+# Check if ntpd or chronyd is running
+if pgrep ntpd > /dev/null || pgrep chronyd > /dev/null; then
+ exit 0
+else
+ exit 2
+fi
diff --git a/site/profiles/templates/puppet/client/puppet.conf.erb b/site/profiles/templates/puppet/client/puppet.conf.erb
index 40874c6..65f3328 100644
--- a/site/profiles/templates/puppet/client/puppet.conf.erb
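Review bot: Both Vault calls use `verify=False` (and `disable_warnings()` hides the fact), so the AppRole login and the certificate request accept any TLS peer; anything able to interpose between the Puppet server and Vault could return arbitrary `signed_key` material, which `profiles::ssh::sign` then installs as the host certificate on every node. Make verification the default and let the config name the internal CA bundle instead of switching it off. Separately, every error is written with `print` to stdout, but the caller captures stdout and feeds it to `parsejson()`, so a Vault error surfaces as a JSON parse failure rather than a readable message; send diagnostics to `sys.stderr` (adding `import sys`), exit with `sys.exit(1)`, and drop the second `load_config(config_file)` in `main`, which repeats the call on its first line. A constructed `ca_cert` config key is used below as the example; pick whatever name the config template ends up using.

```python
def tls_verify(vault_config):
    # CA bundle that signed Vault's certificate; True falls back to the system trust store
    return vault_config.get('ca_cert', True)

def authenticate_approle(vault_config):
    url = f"{vault_config['addr']}/v1/auth/{vault_config['approle_path']}/login"
    payload = {
        "role_id": vault_config['role_id'],
    }
    response = requests.post(url, json=payload, verify=tls_verify(vault_config))
    if response.status_code == 200:
        return response.json()['auth']['client_token']
    print(f"Error authenticating with AppRole: {response.text}", file=sys.stderr)
    return None

# … unchanged: sign_ssh_certificate, apart from verify=tls_verify(vault_config) and file=sys.stderr on its prints …

def main(config_file):
    parser = argparse.ArgumentParser(description='Sign SSH host certificate using Vault.')
    # … unchanged: argument definitions …
    args = parser.parse_args()
    config = load_config(config_file)
    # … unchanged: signing call and JSON/plain output …
    print("Error: The response does not contain the expected data.", file=sys.stderr)
    sys.exit(1)
```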
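Review bot: `output_path` is emitted at the top level while `load_config` in `sshsignhost.erb` returns only `config['vault']`, so the script never sees it; either nest it under `vault:` or drop it from the template and from `$vault_config`. The template also cannot distinguish a missing key from an empty one, since both render as `''`; a comment at the top, `# rendered from profiles::helpers::sshsignhost::vault_config; all keys under vault are required`, states the contract until the class enforces it.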
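Review bot: `pgrep ntpd` without `-x` matches any process whose name contains `ntpd`, so a one-shot `ntpdate` run can make the check report healthy while no daemon is running; use `if pgrep -x ntpd > /dev/null || pgrep -x chronyd > /dev/null; then` to match the exact process name. The script only tests that a process exists, not that the server is synchronised; if the consul prepared query is meant to steer clients to usable servers, a `chronyc tracking` or `ntpq -p` based check would be the next step, and the header comment should say which of the two the check actually asserts.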
+++ b/site/profiles/templates/puppet/client/puppet.conf.erb
@@ -11,3 +11,4 @@ runinterval = <%= @runinterval %>
 runtimeout = <%= @runtimeout %>
 show_diff = <%= @show_diff %>
 usecacheonfailure = <%= @usecacheonfailure %>
+number_of_facts_soft_limit = <%= @facts_soft_limit %>
diff --git a/site/profiles/templates/puppet/server/puppet.conf.epp b/site/profiles/templates/puppet/server/puppet.conf.epp
index dbb93ee..1831263 100644
--- a/site/profiles/templates/puppet/server/puppet.conf.epp
+++ b/site/profiles/templates/puppet/server/puppet.conf.epp
@@ -17,6 +17,7 @@ report_server = <%= $report_server %>
 runinterval = <%= $runinterval %>
 runtimeout = <%= $runtimeout %>
 show_diff = <%= $show_diff %>
+number_of_facts_soft_limit = <%= $facts_soft_limit %>
 [master]
 node_terminus = <%= $node_terminus %>
diff --git a/site/profiles/templates/puppetdb/check_consul_postgresql.erb b/site/profiles/templates/puppetdb/check_consul_postgresql.erb
new file mode 100644
index 0000000..9d651d7
--- /dev/null
+++ b/site/profiles/templates/puppetdb/check_consul_postgresql.erb
@@ -0,0 +1,2 @@
+#!/usr/bin/bash
+PGPASSWORD=<%= @consul_test_db_pass %> /usr/bin/psql -U consul_test_user -d consul_test_db -h <%= @facts['networking']['ip'] %> -p 5432 -c "SELECT 1"
diff --git a/site/profiles/templates/ssh/ssh_known_hosts.erb b/site/profiles/templates/ssh/ssh_known_hosts.erb
new file mode 100644
index 0000000..069e17b
--- /dev/null
+++ b/site/profiles/templates/ssh/ssh_known_hosts.erb
@@ -0,0 +1,4 @@
+# this file is managed by puppet
+<% @lines.each do |line| -%>
+<%= line %>
+<% end -%>
diff --git a/site/roles/manifests/infra/puppetdb/sql.pp b/site/roles/manifests/infra/puppetdb/sql.pp
index 7f13859..872e9b4 100644
--- a/site/roles/manifests/infra/puppetdb/sql.pp
+++ b/site/roles/manifests/infra/puppetdb/sql.pp
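Review bot: `PGPASSWORD=<%= @consul_test_db_pass %>` is unquoted, so a password containing a space or a shell metacharacter changes the command line instead of being passed as the secret; at minimum quote it as `PGPASSWORD='<%= @consul_test_db_pass %>'` (which in turn forbids a single quote in the value), and preferably keep it out of the script altogether by letting psql read a `.pgpass` for the user the check runs as. A connect timeout such as `PGCONNECT_TIMEOUT=5` in front of the command keeps a hung connection from relying on consul's `timeout: '1s'` kill alone, and a short header comment saying the script is invoked by the consul `psql-check` would tell the next reader why it exists.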
@@ -6,6 +6,8 @@ class roles::infra::puppetdb::sql {
 }else{
 include profiles::defaults
 include profiles::base
- include profiles::puppet::puppetdb_sql
+ if $facts['enc_role'] == 'roles::infra::puppetdb::sql' {
+ include profiles::puppet::puppetdb_sql
+ }
 }
 }
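Review bot: The guard `if $facts['enc_role'] == 'roles::infra::puppetdb::sql'` decides whether the PostgreSQL profile is applied based on a fact, and facts are reported by the agent; if `enc_role` is set by the ENC or as a trusted external fact, say so in a comment (`# enc_role is supplied by the ENC, not by the node`), and if it is an ordinary custom fact a node could opt itself into or out of the database profile by changing it. The enclosing `if/else` starts outside this hunk, so what the first branch covers is not visible here.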