feat: adding reposync wrapper and tooling

- add autosyncer/autopromoter scripts
- add timer and service to initial sync process
- add timer/service for daily/weekly/monthly autopromote
- add define to manage each repo
- add nginx webserver to share repos
- add favicon.ico if enabled
- add selinux management, and packages for selinux
- cleanup package management, sorting package groups into package classes
2023-11-02 20:09:22 +11:00
parent f5ce438679
commit 19836e2069
21 changed files with 547 additions and 70 deletions
+5 -16
@@ -19,22 +19,18 @@ class profiles::base (
}
}
# include the base packages profile
class { 'profiles::base::packages':
packages => hiera('profiles::base::packages::common'),
ensure => 'installed',
}
# manage puppet clients
if ! member($puppet_servers, $trusted['certname']) {
include profiles::puppet::client
}
# include admin scripts
# include the base profiles
include profiles::packages::base
include profiles::base::facts
include profiles::base::motd
include profiles::base::scripts
# include admin scripts
include profiles::base::hosts
include profiles::accounts::sysadmin
# include the python class
class { 'python':
@@ -49,11 +45,4 @@ class profiles::base (
secure_path => '/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/opt/puppetlabs/bin'
}
# default users
include profiles::accounts::sysadmin
# add a motd
include profiles::base::facts
include profiles::base::motd
}
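Review bot: The `# include admin scripts` comment now heads `include profiles::base::hosts` and `include profiles::accounts::sysadmin`, while the scripts include it describes sits in the `# include the base profiles` group just above it; reword it to match what follows, e.g. `# hosts file and default sysadmin accounts`. Separately, replacing the `hiera('profiles::base::packages::common')` class declaration with `include profiles::packages::base` changes the failure mode: the new class defaults its list to `[]`, so a missing or renamed Hiera key now yields a host with no base packages instead of a compile error. Both hunks are complete here; the `class { 'python':` declaration continues outside the first hunk.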
-27
@@ -1,27 +0,0 @@
# This class manages the installation of packages for the base profile
#
# Parameters:
# - $packages: An array of package names to be installed (optional)
#
# Description:
# This class installs a list of packages specified in the $packages parameter
# using the `package` resource from Puppet. Each package in the array is installed
# with the `ensure => installed` attribute, ensuring that the package is present
# on the target system. By default, the class retrieves the package list from Hiera
# using the key 'profiles::base::packages::common'.
#
# Example usage:
# class { 'profiles::base::packages':
# packages => ['package1', 'package2', 'package3'],
#
class profiles::base::packages (
Array $packages,
Enum[
'present',
'absent',
'latest',
'installed'
] $ensure = 'installed',
){
ensure_packages($packages, {'ensure' => $ensure})
}
-24
@@ -1,24 +0,0 @@
# Class: profiles::git::git
#
# This class ensures that the Git package is installed.
#
# It uses the 'package' resource to manage the Git package,
# and will ensure that it is installed. This class does not
# manage any configurations related to Git, it only ensures
# that the package is installed.
#
# The class does not take any parameters.
#
# Example usage:
# --------------
# To use this class, you simply need to declare it in your manifest:
#
# include profiles::git::git
#
# You do not need to pass any parameters.
#
class profiles::git::git {
package { 'git':
ensure => installed,
}
}
+21
@@ -0,0 +1,21 @@
# This class manages the installation of packages for the base profile
#
# Parameters:
# - $packages: An array of package names to be installed (optional)
# - $ensure: Enum of present, absent, latest or installed (optional)
#
# Example usage:
# class { 'profiles::base::packages':
# packages => ['package1', 'package2', 'package3'],
#
class profiles::packages::base (
Array $packages = lookup('profiles::packages::base', Array, 'first', []),
Enum[
'present',
'absent',
'latest',
'installed'
] $ensure = 'installed',
){
ensure_packages($packages, {'ensure' => $ensure})
}
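Review bot: The `lookup('profiles::packages::base', Array, 'first', [])` default silently yields an empty package list when the Hiera key is absent or misspelled, whereas the class this replaces (`profiles::base::packages`) had a required `$packages` parameter and failed loudly; if an empty base set is never intended, drop the default or type it `Array[String, 1]` so a typo in Hiera cannot quietly leave hosts unmanaged. The header comment's example still declares `class { 'profiles::base::packages':` — the old name — and should read `class { 'profiles::packages::base':`. The parameter doc could also state the source of the default: `# - $packages: package names to install; defaults to Hiera key profiles::packages::base, or [] when unset`.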
+11
@@ -0,0 +1,11 @@
# installs git related packages
#
class profiles::packages::git (
Array[String] $packages = lookup('profiles::packages::git', Array, 'first', ['git']),
) {
$packages.each |String $package| {
package { $package:
ensure => installed,
}
}
}
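Review bot: Declaring `package { $package: ensure => installed }` directly fails catalog compilation with a duplicate-declaration error if any other class — including `profiles::packages::base`, whose Hiera-supplied list is arbitrary — also manages `git`; the sibling base class uses `ensure_packages`, which tolerates that. Replace the loop with `ensure_packages($packages, { 'ensure' => 'installed' })` so the package classes added in this commit behave consistently.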
@@ -0,0 +1,11 @@
# installs reposync related packages
#
class profiles::packages::reposync (
Array[String] $packages = lookup('profiles::packages::reposync', Array, 'first', ['createrepo']),
) {
$packages.each |String $package| {
package { $package:
ensure => installed,
}
}
}
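Review bot: The default package `createrepo` provides the createrepo tool but, presumably, not the `reposync` command the autosyncer runs, which ships in `yum-utils` (EL7) or `dnf-plugins-core` (EL8+); on EL8+ the createrepo package is also named `createrepo_c`, so the default likely needs to be set per OS in Hiera — confirm against the autosyncer template, which is not in this diff. As with the git class, `ensure_packages($packages, { 'ensure' => 'installed' })` is preferable to a direct `package` loop to avoid duplicate declarations with other profiles.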
@@ -0,0 +1,11 @@
# installs selinux related packages
#
class profiles::packages::selinux (
Array[String] $packages = lookup('profiles::packages::selinux', Array, 'first', ['policycoreutils']),
) {
$packages.each |String $package| {
package { $package:
ensure => installed,
}
}
}
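Review bot: `policycoreutils` alone provides `setsebool` and `restorecon`, but the `selinux::fcontext` resource used by the webserver profile is presumably implemented with `semanage fcontext`, which lives in `policycoreutils-python` (EL7) or `policycoreutils-python-utils` (EL8+) — confirm against the selinux module's provider and set the default list accordingly, otherwise the fcontext apply will fail at runtime rather than at compile time. The consistency remark for the other package classes applies here too: `ensure_packages($packages, { 'ensure' => 'installed' })` avoids duplicate-declaration failures.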
+1 -1
@@ -39,7 +39,7 @@ class profiles::puppet::enc (
Boolean $force = false,
) {
include profiles::git::git
include profiles::packages::git
vcsrepo { '/opt/puppetlabs/enc':
ensure => latest,
+1 -1
@@ -37,7 +37,7 @@ class profiles::puppet::r10k (
String $r10k_repo,
){
include profiles::git::git
include profiles::packages::git
vcsrepo { '/etc/puppetlabs/r10k':
ensure => latest,
@@ -0,0 +1,105 @@
# setup the autopromoter
class profiles::reposync::autopromoter {
# Ensure the autopromoter script is present and executable
file { '/usr/local/bin/autopromoter':
ensure => 'file',
owner => 'root',
group => 'root',
mode => '0755',
content => template('profiles/reposync/autopromoter.erb'),
}
# daily autopromote service/timer
$_daily_timer = @(EOT)
[Unit]
Description=autopromoter daily timer
[Timer]
OnCalendar=*-*-* 05:00:00
RandomizedDelaySec=1s
[Install]
WantedBy=timers.target
EOT
$_daily_service = @(EOT)
[Unit]
Description=autopromoter daily service
[Service]
Type=oneshot
ExecStart=/usr/local/bin/autopromoter daily
User=root
Group=root
PermissionsStartOnly=false
PrivateTmp=no
EOT
systemd::timer { 'autopromoter-daily.timer':
timer_content => $_daily_timer,
service_content => $_daily_service,
active => true,
enable => true,
require => File['/usr/local/bin/autopromoter'],
}
# weekly autopromote service/timer
$_weekly_timer = @(EOT)
[Unit]
Description=autopromoter weekly timer
[Timer]
OnCalendar=Sun *-*-* 05:05:00
RandomizedDelaySec=1s
[Install]
WantedBy=timers.target
EOT
$_weekly_service = @(EOT)
[Unit]
Description=autopromoter weekly service
[Service]
Type=oneshot
ExecStart=/usr/local/bin/autopromoter weekly
User=root
Group=root
PermissionsStartOnly=false
PrivateTmp=no
EOT
systemd::timer { 'autopromoter-weekly.timer':
timer_content => $_weekly_timer,
service_content => $_weekly_service,
active => true,
enable => true,
require => File['/usr/local/bin/autopromoter'],
}
# monthly autopromote service/timer
$_monthly_timer = @(EOT)
[Unit]
Description=autopromoter monthly timer
[Timer]
OnCalendar=*-*-01 05:10:00
RandomizedDelaySec=1s
[Install]
WantedBy=timers.target
EOT
$_monthly_service = @(EOT)
[Unit]
Description=autopromoter monthly service
[Service]
Type=oneshot
ExecStart=/usr/local/bin/autopromoter monthly
User=root
Group=root
PermissionsStartOnly=false
PrivateTmp=no
EOT
systemd::timer { 'autopromoter-monthly.timer':
timer_content => $_monthly_timer,
service_content => $_monthly_service,
active => true,
enable => true,
require => File['/usr/local/bin/autopromoter'],
}
}
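Review bot: Each of the three `[Service]` units runs `/usr/local/bin/autopromoter` as root with sandboxing explicitly switched off (`PrivateTmp=no`, `PermissionsStartOnly=false`), so a bug or hostile input in the promotion script — whose template is not visible here — has the entire filesystem writable. Unless the script needs more, set `PrivateTmp=yes`, `NoNewPrivileges=true` and `ProtectSystem=strict` with `ReadWritePaths=` limited to the repo tree (the repos define defaults to `/data/repos`), or run it as the `$repo_owner` user. The three timer/service blocks differ only in cadence, calendar and description, so generating them from a map removes the triplication and keeps the hardening in one place. `RandomizedDelaySec=1s` adds no meaningful jitter, and the daily and weekly timers are only five minutes apart on Sundays with no visible lock preventing overlapping runs — confirm the script serialises itself.
```puppet
  # … unchanged: file { '/usr/local/bin/autopromoter': … } …
  # One timer/service pair per cadence, staggered so the runs do not start together.
  $_cadences = {
    'daily'   => '*-*-* 05:00:00',
    'weekly'  => 'Sun *-*-* 05:05:00',
    'monthly' => '*-*-01 05:10:00',
  }
  $_cadences.each |String $cadence, String $calendar| {
    $_timer = @("EOT")
      [Unit]
      Description=autopromoter ${cadence} timer
      [Timer]
      OnCalendar=${calendar}
      RandomizedDelaySec=1s
      [Install]
      WantedBy=timers.target
      | EOT
    # Root, but with the filesystem read-only except the repo tree;
    # adjust ReadWritePaths to wherever the script actually writes.
    $_service = @("EOT")
      [Unit]
      Description=autopromoter ${cadence} service
      [Service]
      Type=oneshot
      ExecStart=/usr/local/bin/autopromoter ${cadence}
      User=root
      Group=root
      PrivateTmp=yes
      NoNewPrivileges=true
      ProtectSystem=strict
      ReadWritePaths=/data/repos
      | EOT
    systemd::timer { "autopromoter-${cadence}.timer":
      timer_content   => $_timer,
      service_content => $_service,
      active          => true,
      enable          => true,
      require         => File['/usr/local/bin/autopromoter'],
    }
  }
```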
@@ -0,0 +1,44 @@
# setup the autosyncer
class profiles::reposync::autosyncer {
# Ensure the autosyncer script is present and executable
file { '/usr/local/bin/autosyncer':
ensure => 'file',
owner => 'root',
group => 'root',
mode => '0755',
content => template('profiles/reposync/autosyncer.erb'),
require => Class['profiles::packages::reposync'],
}
# daily autosyncr service/timer
$_timer = @(EOT)
[Unit]
Description=autosyncer timer
[Timer]
OnCalendar=*-*-* 03:00:00
RandomizedDelaySec=1s
[Install]
WantedBy=timers.target
EOT
$_service = @(EOT)
[Unit]
Description=autosyncer service
[Service]
Type=oneshot
ExecStart=/usr/local/bin/autosyncer
User=root
Group=root
PermissionsStartOnly=false
PrivateTmp=no
EOT
systemd::timer { 'autosyncer.timer':
timer_content => $_timer,
service_content => $_service,
active => true,
enable => true,
require => File['/usr/local/bin/autosyncer'],
}
}
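Review bot: The sync timer fires at 03:00 and the daily promote timer fires at 05:00 with nothing visible ordering them, so a sync that runs longer than two hours is promoted mid-download; unless the scripts take a shared lock (the templates are not in this diff), consider chaining promotion after sync — e.g. having the autosyncer service trigger the daily promote via `ExecStartPost=` — rather than relying on wall-clock spacing. The same root-with-`PrivateTmp=no` hardening remark made for the autopromoter units applies to this `[Service]`. The comment `# daily autosyncr service/timer` has a typo and should read `# daily autosyncer service/timer`.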
+46
@@ -0,0 +1,46 @@
# define to generate repositories in yum
define profiles::reposync::repos (
String $repository,
String $description,
String $osname,
String $release,
Stdlib::HTTPUrl $baseurl,
Stdlib::HTTPUrl $gpgkey,
String $arch = 'x86_64',
String $repo_owner = 'root',
String $repo_group = 'root',
Stdlib::Absolutepath $basepath = '/data/repos',
){
$repos_name = downcase("${osname}-${release}-${repository}-${arch}")
$conf_file = "/etc/reposync/conf.d/${repos_name}.conf"
# Create the repository configuration
yumrepo { $repos_name:
ensure => 'present',
descr => $description,
baseurl => $baseurl,
gpgkey => $gpgkey,
target => '/etc/yum.repos.d/reposync.repo',
enabled => 0,
gpgcheck => 1,
}
# Ensure the repo dest path exists
file { "${basepath}/live/${repos_name}" :
ensure => 'directory',
owner => $repo_owner,
group => $repo_group,
mode => '0755',
}
# Create the repo configuration file
file { $conf_file:
ensure => file,
owner => $repo_owner,
group => $repo_group,
mode => '0644',
content => template('profiles/reposync/repo_conf.erb'),
require => File['/etc/reposync/conf.d'],
}
}
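Review bot: `Stdlib::HTTPUrl $gpgkey` accepts a plain `http://` URL, so a repository's signing key can be fetched over an unauthenticated channel that an on-path attacker can substitute, defeating the `gpgcheck => 1` that follows; change it to `Stdlib::HTTPSUrl $gpgkey,` (and consider the same for `$baseurl`, though package signatures cover that case). Note that `gpgcheck` on the yumrepo governs installs from it, not what reposync downloads — `dnf reposync` only discards packages that fail signature checking when passed `--gpgcheck`, so confirm the autosyncer template passes it. `$repos_name` is also interpolated into `/etc/reposync/conf.d/${repos_name}.conf` and a directory under `$basepath` without validation; typing `$repository`, `$osname`, `$release` and `$arch` as `Pattern[/\A[A-Za-z0-9._-]+\z/]` keeps a stray `/` or `..` in Hiera from writing outside those directories.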
@@ -0,0 +1,30 @@
# setup a reposync syncer
class profiles::reposync::syncer {
include profiles::packages::reposync
include profiles::reposync::autosyncer
include profiles::reposync::autopromoter
include profiles::reposync::webserver
# Ensure the reposync config path exists
file { '/etc/reposync':
ensure => directory,
owner => 'root',
group => 'root',
mode => '0755',
}
file { '/etc/reposync/conf.d':
ensure => directory,
owner => 'root',
group => 'root',
mode => '0755',
}
# get a list of repos as a hash, and iterate through them
$repos = lookup('profiles::reposync::repos_list', {})
$repos.each | String $name, Hash $repo_hash | {
profiles::reposync::repos { $name:
* => $repo_hash,
}
}
}
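Review bot: `lookup('profiles::reposync::repos_list', {})` appears to pass `{}` as lookup's options-hash argument rather than as a default value, so a host without that key fails compilation with a "did not find a value" error instead of declaring no repos; if an empty default is the intent, use the four-argument form the other new classes use: `$repos = lookup('profiles::reposync::repos_list', Hash, 'first', {})`. The `*` splat forwards whatever keys Hiera supplies straight to `profiles::reposync::repos`, which is acceptable since the define's typed parameters reject unknown or mistyped ones. A short comment stating the expected shape would help: `# profiles::reposync::repos_list: hash of name => profiles::reposync::repos parameters`.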
@@ -0,0 +1,58 @@
# setup a reposync webserver
class profiles::reposync::webserver (
String $www_root = '/data/repos/snap',
String $nginx_vhost = 'repos.main.unkin.net',
Integer $nginx_port = 80,
Boolean $favicon = true,
Boolean $selinux = true,
) {
class { 'nginx': }
# create the nginx vhost
nginx::resource::server { $nginx_vhost:
listen_port => $nginx_port,
server_name => [$nginx_vhost],
use_default_location => true,
access_log => "/var/log/nginx/${nginx_vhost}_access.log",
error_log => "/var/log/nginx/${nginx_vhost}_error.log",
www_root => $www_root,
autoindex => 'on',
}
if $favicon {
file { "${www_root}/favicon.ico":
ensure => 'file',
owner => 'root',
group => 'root',
mode => '0644',
source => 'puppet:///modules/profiles/reposync/favicon.ico',
}
}
if $selinux {
# include packages that are required
include profiles::packages::selinux
# set httpd_sys_content_t to all files under the www_root
selinux::fcontext { $www_root:
ensure => 'present',
seltype => 'httpd_sys_content_t',
pathspec => "${www_root}(/.*)?",
}
# make sure we can connect to port 80
selboolean { 'httpd_can_network_connect':
persistent => true,
value => 'on',
}
exec { "restorecon_${www_root}":
path => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'],
command => "restorecon -Rv ${www_root}",
refreshonly => true,
subscribe => Selinux::Fcontext[$www_root],
}
}
}
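Review bot: `selboolean { 'httpd_can_network_connect': value => 'on' }` grants nginx permission to initiate outbound network connections (the reverse-proxy case), which a static repo server does not need and which widens what a compromised worker can reach; binding port 80 is already permitted by the default `http_port_t` policy, so the `# make sure we can connect to port 80` comment describes a need this boolean does not address and the resource can be dropped. The default `$nginx_vhost = 'repos.main.unkin.net'` hard-codes a site hostname into a reusable profile; source it from Hiera instead. `$www_root` should be typed `Stdlib::Absolutepath` rather than `String`, since it is spliced unescaped into the `pathspec` regex `"${www_root}(/.*)?"` and the `restorecon -Rv ${www_root}` command line.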