From 6bb52f2a1577ced8e17d9131338e62702cfe532b Mon Sep 17 00:00:00 2001
From: Ben Vincent <ben@unkin.net>
Date: Sun, 22 Oct 2023 19:54:10 +1100
Subject: [PATCH 01/19] feat: add firewalld management profile

- basic profile to enable/disable, and install/remove
- defaulting to enabled and installed, but set to disabled and removed
  in hiera
---
 hieradata/os/AlmaLinux/all_releases.yaml      |  3 ++
 site/profiles/manifests/base.pp               |  1 +
 site/profiles/manifests/firewall/firewalld.pp | 32 +++++++++++++++++++
 3 files changed, 36 insertions(+)
 create mode 100644 site/profiles/manifests/firewall/firewalld.pp

diff --git a/hieradata/os/AlmaLinux/all_releases.yaml b/hieradata/os/AlmaLinux/all_releases.yaml
index beee352..230dbd0 100644
--- a/hieradata/os/AlmaLinux/all_releases.yaml
+++ b/hieradata/os/AlmaLinux/all_releases.yaml
@@ -2,3 +2,6 @@
 ---
 profiles::yum::base::baseurl: http://almalinux.mirror.digitalpacific.com.au
 profiles::yum::epel::baseurl: http://epel.mirror.digitalpacific.com.au
+profiles::firewall::firewalld::ensure_package: 'absent'
+profiles::firewall::firewalld::ensure_service: 'stopped'
+profiles::firewall::firewalld::enable_service: false
diff --git a/site/profiles/manifests/base.pp b/site/profiles/manifests/base.pp
index e5831df..056d3e1 100644
--- a/site/profiles/manifests/base.pp
+++ b/site/profiles/manifests/base.pp
@@ -8,6 +8,7 @@ class profiles::base (
   case $facts['os']['family'] {
     'RedHat': {
       include profiles::yum::global
+      include profiles::firewall::firewalld
     }
     'Debian': {
       include profiles::apt::global
diff --git a/site/profiles/manifests/firewall/firewalld.pp b/site/profiles/manifests/firewall/firewalld.pp
new file mode 100644
index 0000000..eaafda7
--- /dev/null
+++ b/site/profiles/manifests/firewall/firewalld.pp
@@ -0,0 +1,32 @@
+# Manages the firewalld package and service on RedHat-like distributions.
+#
+# @param ensure_package Determines the state of the firewalld package.
+#   Can be set to 'absent' to remove the package or 'installed' to ensure it's present.
+#
+# @param ensure_service Determines the state of the firewalld service.
+#   Can be set to 'stopped' to stop the service or 'running' to ensure it's active.
+#
+# @param enable_service A boolean that specifies whether to enable or disable the firewalld service on boot.
+#
+class profiles::firewall::firewalld (
+  Enum['absent', 'installed'] $ensure_package = 'installed',
+  Enum['stopped', 'running'] $ensure_service = 'running',
+  Boolean $enable_service = true,
+) {
+  # Ensure it only runs on RedHat like distributions
+  if $facts['os']['family'] == 'RedHat' {
+
+    # Manage the firewalld package
+    package { 'firewalld':
+      ensure => $ensure_package,
+    }
+
+    # Manage the firewalld service
+    service { 'firewalld':
+      ensure     => $ensure_service,
+      enable     => $enable_service,
+      hasrestart => true,
+      require    => Package['firewalld'],
+    }
+  }
+}

From e682462917518767a91df8f980cb52cb4d2ef9a9 Mon Sep 17 00:00:00 2001
From: Ben Vincent <ben@unkin.net>
Date: Sun, 22 Oct 2023 19:46:10 +1100
Subject: [PATCH 02/19] feat: split puppetdb role into api and sql

- add puppetdb_api and puppetdb_sql role
- add puppetdb_api and puppetdb_sql profile
- add prodinf01n05 to /etc/hosts file
- set listen_address for all services to be hosts ip
- set storeconfigs and storeconfigs_backend to be managed by puppetmaster profile
---
 hieradata/common.yaml                         |  7 +++-
 site/profiles/manifests/puppet/puppetdb.pp    | 39 -------------------
 .../profiles/manifests/puppet/puppetdb_api.pp | 16 ++++++++
 .../profiles/manifests/puppet/puppetdb_sql.pp | 27 +++++++++++++
 .../profiles/manifests/puppet/puppetmaster.pp | 29 +++++++-------
 site/profiles/manifests/puppet/server.pp      | 28 +++++++------
 .../templates/puppet/server/puppet.conf.epp   |  2 +
 site/roles/manifests/puppet/puppetdb_api.pp   |  6 +++
 site/roles/manifests/puppet/puppetdb_sql.pp   |  6 +++
 9 files changed, 95 insertions(+), 65 deletions(-)
 delete mode 100644 site/profiles/manifests/puppet/puppetdb.pp
 create mode 100644 site/profiles/manifests/puppet/puppetdb_api.pp
 create mode 100644 site/profiles/manifests/puppet/puppetdb_sql.pp
 create mode 100644 site/roles/manifests/puppet/puppetdb_api.pp
 create mode 100644 site/roles/manifests/puppet/puppetdb_sql.pp

diff --git a/hieradata/common.yaml b/hieradata/common.yaml
index 1520bd2..eea398c 100644
--- a/hieradata/common.yaml
+++ b/hieradata/common.yaml
@@ -38,8 +38,9 @@ profiles::puppet::g10k::cfg_path: '/etc/puppetlabs/r10k/r10k.yaml'
 profiles::puppet::g10k::environments_path: '/etc/puppetlabs/code/environments'
 profiles::puppet::g10k::default_environment: 'develop'
 profiles::puppet::puppetdb::puppetdb_host: prodinf01n04.main.unkin.net
+profiles::puppet::puppetdb::postgres_host: prodinf01n05.main.unkin.net
 puppetdb::master::config::create_puppet_service_resource: false
-puppetdb::master::config::puppetdb_host: "%{lookup('profiles::puppet::puppetdb::puppetdb_host')}"
+#puppetdb::master::config::puppetdb_host: "%{lookup('profiles::puppet::puppetdb::puppetdb_host')}"
 
 profiles::accounts::sysadmin::sshkeys:
   - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDZ8SRLlPiDylBpdWR9LpvPg4fDVD+DZst4yRPFwMMhta4mnB1H9XuvZkptDhXywWQ7QIcqa2WbhCen0OQJCtwn3s7EYtacmF5MxmwBYocPoK2AArGuh6NA9rwTdLrPdzhZ+gwe88PAzRLNzjm0ZBR+mA9saMbPJdqpKp0AWeAM8QofRQAWuCzQg9i0Pn1KDMvVDRHCZof4pVlHSTyHNektq4ifovn0zhKC8jD/cYu95mc5ftBbORexpGiQWwQ3HZw1IBe0ZETB1qPIPwsoJpt3suvMrL6T2//fcIIUE3TcyJKb/yhztja4TZs5jT8370G/vhlT70He0YPxqHub8ZfBv0khlkY93VBWYpNGJwM1fVqlw7XbfBNdOuJivJac8eW317ZdiDnKkBTxapThpPG3et9ib1HoPGKRsd/fICzNz16h2R3tddSdihTFL+bmTCa6Lo+5t5uRuFjQvhSLSgO2/gRAprc3scYOB4pY/lxOFfq3pU2VvSJtRgLNEYMUYKk= ben@unkin.net
@@ -58,3 +59,7 @@ profiles::base::hosts::additional_hosts:
     aliases:
       - prodinf01n04
       - puppetdb
+  - ip: 198.18.17.5
+    hostname: prodinf01n05.main.unkin.net
+    aliases:
+      - prodinf01n05
diff --git a/site/profiles/manifests/puppet/puppetdb.pp b/site/profiles/manifests/puppet/puppetdb.pp
deleted file mode 100644
index 9ca7a57..0000000
--- a/site/profiles/manifests/puppet/puppetdb.pp
+++ /dev/null
@@ -1,39 +0,0 @@
-# profiles::puppet::puppetdb
-#
-# This class manages the installation and configuration of PuppetDB
-# and its underlying PostgreSQL database on a single node.
-#
-# It makes use of the puppetlabs-puppetdb module to manage both the
-# PuppetDB service and its PostgreSQL backend.
-#
-class profiles::puppet::puppetdb(
-  String  $puppetdb_host,
-  String  $listen_address = $facts['networking']['ip'],
-) {
-
-  # disable the postgresql dnf module for el8+
-  if $facts['os']['family'] == 'RedHat' and $facts['os']['release']['major'] >= '8' {
-    # based on https://github.com/puppetlabs/puppetlabs-postgresql/blob/main/manifests/dnfmodule.pp
-    package { 'postgresql dnf module':
-        ensure   => 'disabled',
-        name     => 'postgresql',
-        provider => 'dnfmodule',
-        before   => Class['puppetdb::database::postgresql'],
-    }
-  }
-
-  # Install and configure PostgreSQL for PuppetDB
-  class { 'puppetdb::database::postgresql':
-    listen_addresses  => $listen_address,
-    postgresql_ssl_on => false,
-    postgres_version  => '15',
-    puppetdb_server   => $puppetdb_host,
-    before            => Class['puppetdb::server'],
-  }
-
-  class { 'puppetdb::server':
-    database_host     => $listen_address,
-    postgresql_ssl_on => false,
-    manage_firewall   => false,
-  }
-}
diff --git a/site/profiles/manifests/puppet/puppetdb_api.pp b/site/profiles/manifests/puppet/puppetdb_api.pp
new file mode 100644
index 0000000..fb1be2e
--- /dev/null
+++ b/site/profiles/manifests/puppet/puppetdb_api.pp
@@ -0,0 +1,16 @@
+# configure the puppetdb api service
+class profiles::puppet::puppetdb_api (
+  String $postgres_host = lookup('profiles::puppet::puppetdb::postgres_host'),
+  String $listen_address = $facts['networking']['ip'],
+) {
+
+  class { 'puppetdb::server':
+    database_host      => $postgres_host,
+    manage_firewall    => false,
+    ssl_listen_address => $listen_address,
+    listen_address     => $listen_address,
+  }
+
+  contain ::puppetdb::server
+
+}
diff --git a/site/profiles/manifests/puppet/puppetdb_sql.pp b/site/profiles/manifests/puppet/puppetdb_sql.pp
new file mode 100644
index 0000000..2d80d30
--- /dev/null
+++ b/site/profiles/manifests/puppet/puppetdb_sql.pp
@@ -0,0 +1,27 @@
+# configure the puppetdb sql service
+class profiles::puppet::puppetdb_sql (
+  String $puppetdb_host = lookup('profiles::puppet::puppetdb::puppetdb_host'),
+  String $listen_address = $facts['networking']['ip'],
+) {
+
+  # disable the postgresql dnf module for el8+
+  if $facts['os']['family'] == 'RedHat' and $facts['os']['release']['major'] >= '8' {
+    # based on https://github.com/puppetlabs/puppetlabs-postgresql/blob/main/manifests/dnfmodule.pp
+    package { 'postgresql dnf module':
+        ensure   => 'disabled',
+        name     => 'postgresql',
+        provider => 'dnfmodule',
+        before   => Class['puppetdb::database::postgresql'],
+    }
+  }
+
+  # Install and configure PostgreSQL for PuppetDB
+  class { 'puppetdb::database::postgresql':
+    listen_addresses => $listen_address,
+    postgres_version => '15',
+    puppetdb_server  => $puppetdb_host,
+  }
+
+  contain ::puppetdb::database::postgresql
+
+}
diff --git a/site/profiles/manifests/puppet/puppetmaster.pp b/site/profiles/manifests/puppet/puppetmaster.pp
index 76a80b6..f2a559a 100644
--- a/site/profiles/manifests/puppet/puppetmaster.pp
+++ b/site/profiles/manifests/puppet/puppetmaster.pp
@@ -31,16 +31,17 @@ class profiles::puppet::puppetmaster (
   include profiles::puppet::autosign
 
   class { 'puppetdb::master::config':
-    puppetdb_server => $puppetdb_host,
+    puppetdb_server     => $puppetdb_host,
+    manage_storeconfigs => false,
   }
 
   class { 'profiles::puppet::server':
-    vardir              => '/opt/puppetlabs/server/data/puppetserver',
-    logdir              => '/var/log/puppetlabs/puppetserver',
-    rundir              => '/var/run/puppetlabs/puppetserver',
-    pidfile             => '/var/run/puppetlabs/puppetserver/puppetserver.pid',
-    codedir             => '/etc/puppetlabs/code',
-    dns_alt_names       => [
+    vardir               => '/opt/puppetlabs/server/data/puppetserver',
+    logdir               => '/var/log/puppetlabs/puppetserver',
+    rundir               => '/var/run/puppetlabs/puppetserver',
+    pidfile              => '/var/run/puppetlabs/puppetserver/puppetserver.pid',
+    codedir              => '/etc/puppetlabs/code',
+    dns_alt_names        => [
       'prodinf01n01.main.unkin.net',
       'puppet.main.unkin.net',
       'puppetca.main.unkin.net',
@@ -49,11 +50,13 @@ class profiles::puppet::puppetmaster (
       'puppetca',
       'puppetmaster',
     ],
-    server              => 'prodinf01n01.main.unkin.net',
-    node_terminus       => 'exec',
-    external_nodes      => '/opt/puppetlabs/bin/enc',
-    autosign            => '/etc/puppetlabs/puppet/autosign.conf',
-    default_manifest    => '/etc/puppetlabs/code/environments/develop/manifests',
-    default_environment => 'develop',
+    server               => 'prodinf01n01.main.unkin.net',
+    node_terminus        => 'exec',
+    external_nodes       => '/opt/puppetlabs/bin/enc',
+    autosign             => '/etc/puppetlabs/puppet/autosign.conf',
+    default_manifest     => '/etc/puppetlabs/code/environments/develop/manifests',
+    default_environment  => 'develop',
+    storeconfigs         => true,
+    storeconfigs_backend => 'puppetdb',
   }
 }
diff --git a/site/profiles/manifests/puppet/server.pp b/site/profiles/manifests/puppet/server.pp
index ca68998..bfec7d1 100644
--- a/site/profiles/manifests/puppet/server.pp
+++ b/site/profiles/manifests/puppet/server.pp
@@ -27,6 +27,8 @@ class profiles::puppet::server (
   String $autosign,
   String $default_manifest,
   String $default_environment,
+  Boolean $storeconfigs,
+  String $storeconfigs_backend,
 ) {
 
   file { '/etc/puppetlabs/puppet/puppet.conf':
@@ -35,18 +37,20 @@ class profiles::puppet::server (
     group   => 'root',
     mode    => '0644',
     content => epp('profiles/puppet/server/puppet.conf.epp', {
-      'vardir'              => $vardir,
-      'logdir'              => $logdir,
-      'rundir'              => $rundir,
-      'pidfile'             => $pidfile,
-      'codedir'             => $codedir,
-      'dns_alt_names'       => join($dns_alt_names, ','),
-      'server'              => $server,
-      'node_terminus'       => $node_terminus,
-      'external_nodes'      => $external_nodes,
-      'autosign'            => $autosign,
-      'default_manifest'    => $default_manifest,
-      'default_environment' => $default_environment,
+      'vardir'               => $vardir,
+      'logdir'               => $logdir,
+      'rundir'               => $rundir,
+      'pidfile'              => $pidfile,
+      'codedir'              => $codedir,
+      'dns_alt_names'        => join($dns_alt_names, ','),
+      'server'               => $server,
+      'node_terminus'        => $node_terminus,
+      'external_nodes'       => $external_nodes,
+      'autosign'             => $autosign,
+      'default_manifest'     => $default_manifest,
+      'default_environment'  => $default_environment,
+      'storeconfigs'         => $storeconfigs,
+      'storeconfigs_backend' => $storeconfigs_backend,
     }),
     notify  => Service['puppetserver'],
   }
diff --git a/site/profiles/templates/puppet/server/puppet.conf.epp b/site/profiles/templates/puppet/server/puppet.conf.epp
index a22777b..c241a70 100644
--- a/site/profiles/templates/puppet/server/puppet.conf.epp
+++ b/site/profiles/templates/puppet/server/puppet.conf.epp
@@ -17,3 +17,5 @@ external_nodes = <%= $external_nodes %>
 autosign = <%= $autosign %>
 default_manifest = <%= $default_manifest %>
 default_environment = <%= $default_environment %>
+storeconfigs = <%= $storeconfigs %>
+storeconfigs_backend = <%= $storeconfigs_backend %>
diff --git a/site/roles/manifests/puppet/puppetdb_api.pp b/site/roles/manifests/puppet/puppetdb_api.pp
new file mode 100644
index 0000000..991102d
--- /dev/null
+++ b/site/roles/manifests/puppet/puppetdb_api.pp
@@ -0,0 +1,6 @@
+# a role to deploy the puppetdb api service
+class roles::puppet::puppetdb_api {
+    include profiles::defaults
+    include profiles::base
+    include profiles::puppet::puppetdb_api
+  }
diff --git a/site/roles/manifests/puppet/puppetdb_sql.pp b/site/roles/manifests/puppet/puppetdb_sql.pp
new file mode 100644
index 0000000..db640a3
--- /dev/null
+++ b/site/roles/manifests/puppet/puppetdb_sql.pp
@@ -0,0 +1,6 @@
+# a role to deploy the puppetdb postgresql service
+class roles::puppet::puppetdb_sql {
+    include profiles::defaults
+    include profiles::base
+    include profiles::puppet::puppetdb_sql
+  }

From 0171a82d58e79eda2877f5e8a2424cdd78c0ab84 Mon Sep 17 00:00:00 2001
From: Ben Vincent <ben@unkin.net>
Date: Mon, 23 Oct 2023 22:34:53 +1100
Subject: [PATCH 03/19] feat: add features to puppet.conf

- reports, for sending reports to puppetdb
- usecacheonfailure, to show faulures in puppetboard (when set to false)
---
 site/profiles/manifests/puppet/puppetmaster.pp        | 2 ++
 site/profiles/manifests/puppet/server.pp              | 4 ++++
 site/profiles/templates/puppet/server/puppet.conf.epp | 2 ++
 3 files changed, 8 insertions(+)

diff --git a/site/profiles/manifests/puppet/puppetmaster.pp b/site/profiles/manifests/puppet/puppetmaster.pp
index f2a559a..9819d5e 100644
--- a/site/profiles/manifests/puppet/puppetmaster.pp
+++ b/site/profiles/manifests/puppet/puppetmaster.pp
@@ -58,5 +58,7 @@ class profiles::puppet::puppetmaster (
     default_environment  => 'develop',
     storeconfigs         => true,
     storeconfigs_backend => 'puppetdb',
+    reports              => 'puppetdb',
+    usecacheonfailure    => false,
   }
 }
diff --git a/site/profiles/manifests/puppet/server.pp b/site/profiles/manifests/puppet/server.pp
index bfec7d1..7f0aec5 100644
--- a/site/profiles/manifests/puppet/server.pp
+++ b/site/profiles/manifests/puppet/server.pp
@@ -29,6 +29,8 @@ class profiles::puppet::server (
   String $default_environment,
   Boolean $storeconfigs,
   String $storeconfigs_backend,
+  String $reports,
+  Boolean $usecacheonfailure,
 ) {
 
   file { '/etc/puppetlabs/puppet/puppet.conf':
@@ -51,6 +53,8 @@ class profiles::puppet::server (
       'default_environment'  => $default_environment,
       'storeconfigs'         => $storeconfigs,
       'storeconfigs_backend' => $storeconfigs_backend,
+      'reports'              => $reports,
+      'usecacheonfailure'    => $usecacheonfailure,
     }),
     notify  => Service['puppetserver'],
   }
diff --git a/site/profiles/templates/puppet/server/puppet.conf.epp b/site/profiles/templates/puppet/server/puppet.conf.epp
index c241a70..226346d 100644
--- a/site/profiles/templates/puppet/server/puppet.conf.epp
+++ b/site/profiles/templates/puppet/server/puppet.conf.epp
@@ -19,3 +19,5 @@ default_manifest = <%= $default_manifest %>
 default_environment = <%= $default_environment %>
 storeconfigs = <%= $storeconfigs %>
 storeconfigs_backend = <%= $storeconfigs_backend %>
+reports = <%= $reports %>
+usecacheonfailure = <%= $usecacheonfailure %>

From 46c3eb9597a0c7c183f0151103b8def5d650cd00 Mon Sep 17 00:00:00 2001
From: Ben Vincent <ben@unkin.net>
Date: Mon, 23 Oct 2023 22:30:15 +1100
Subject: [PATCH 04/19] feat: add puppetboard role

- add nginx module to manage reverse proxy on host level
- add puppetboard venv
- add gunicorn instance
- add script to start the gunicorn instance
- add nginx vhost
---
 Puppetfile                                    |   1 +
 hieradata/common.yaml                         |   4 +
 site/profiles/manifests/puppet/puppetboard.pp | 138 ++++++++++++++----
 .../puppetboard/puppetboard.service.erb       |  12 ++
 .../puppet/puppetboard/start_puppetboard.erb  |   7 +
 site/roles/manifests/puppet/puppetboard.pp    |   6 +
 6 files changed, 139 insertions(+), 29 deletions(-)
 create mode 100644 site/profiles/templates/puppet/puppetboard/puppetboard.service.erb
 create mode 100644 site/profiles/templates/puppet/puppetboard/start_puppetboard.erb
 create mode 100644 site/roles/manifests/puppet/puppetboard.pp

diff --git a/Puppetfile b/Puppetfile
index 5ad891a..e4f3c7d 100644
--- a/Puppetfile
+++ b/Puppetfile
@@ -20,6 +20,7 @@ mod 'puppet-yum', '7.0.0'
 mod 'puppet-archive', '7.0.0'
 mod 'puppet-chrony', '2.6.0'
 mod 'puppet-puppetboard', '9.0.0'
+mod 'puppet-nginx', '5.0.0'
 
 # other
 mod 'ghoneycutt-puppet', '3.3.0'
diff --git a/hieradata/common.yaml b/hieradata/common.yaml
index eea398c..0a0ce3e 100644
--- a/hieradata/common.yaml
+++ b/hieradata/common.yaml
@@ -63,3 +63,7 @@ profiles::base::hosts::additional_hosts:
     hostname: prodinf01n05.main.unkin.net
     aliases:
       - prodinf01n05
+  - ip: 198.18.17.6
+    hostname: prodinf01n06.main.unkin.net
+    aliases:
+      - prodinf01n06
diff --git a/site/profiles/manifests/puppet/puppetboard.pp b/site/profiles/manifests/puppet/puppetboard.pp
index 85d2d4e..0085eb5 100644
--- a/site/profiles/manifests/puppet/puppetboard.pp
+++ b/site/profiles/manifests/puppet/puppetboard.pp
@@ -1,43 +1,123 @@
 # Class: profiles::puppet::puppetboard
 #
-# This class manages the configuration of Puppetboard, a web frontend for PuppetDB.
-#
-# Parameters:
-#   - `python_version`: Specifies the Python version used for the virtualenv where Puppetboard runs.
-#   - `manage_virtualenv`: Determines if this class should handle the creation of the virtual environment for Puppetboard.
-#   - `reports_count`: Defines the number of reports to show per node in Puppetboard.
-#   - `offline_mode`: Determines if Puppetboard should work in offline mode or not.
-#   - `default_environment`: Sets the default Puppet environment to filter results in Puppetboard.
-#
-# Usage:
-#   This class can be called directly in your manifests or through Hiera.
-#
-# Example:
-#   To use the default parameters (as shown below), you can declare the class:
-#   
-#   include profiles::puppet::puppetboard
-#
-#   Alternatively, you can customize the parameters:
-#
-#   class { 'profiles::puppet::puppetboard':
-#     python_version => '3.8',
-#     reports_count  => 50,
-#     offline_mode   => false,
-#   }
+# This class manages the Puppetboard, a web interface to PuppetDB.
 #
 class profiles::puppet::puppetboard (
-  String $python_version = '3.6',
-  Boolean $manage_virtualenv = false,
-  Integer $reports_count = 40,
-  Boolean $offline_mode = true,
-  String $default_environment = '*',
+  String  $python_version       = '3.6',
+  Boolean $manage_virtualenv    = false,
+  Integer $reports_count        = 40,
+  Boolean $offline_mode         = true,
+  String  $default_environment  = '*',
+  String  $puppetdb_host        = lookup('profiles::puppet::puppetdb::puppetdb_host'),
+  Stdlib::AbsolutePath $basedir = '/opt/puppetboard',
+  Stdlib::Absolutepath $virtualenv_dir  = "${basedir}/venv",
+  Stdlib::Absolutepath $settings_file   = "${basedir}/settings.py",
+  String  $user                 = 'puppetboard',
+  String  $group                = 'puppetboard',
+  String  $gunicorn_bind        = '127.0.0.1:8080',
+  String  $gunicorn_bind_prefix = 'http://',
+  Integer $gunicorn_workers     = 1,
+  Integer $gunicorn_threads     = 4,
+  String  $nginx_vhost          = 'puppetboard.main.unkin.net',
+  Integer $nginx_port           = 80,
+  #String[1] $secret_key         = "${fqdn_rand_string(32)}",
 ) {
 
+  # store puppet-agents ssl settings/certname
+  $ssl_dir = $::settings::ssldir
+  $puppetboard_certname = $trusted['certname']
+
+  # setup the puppetboard venv
   class { 'puppetboard':
     python_version      => $python_version,
     manage_virtualenv   => $manage_virtualenv,
     reports_count       => $reports_count,
     offline_mode        => $offline_mode,
+    basedir             => $basedir,
+    virtualenv_dir      => $virtualenv_dir,
+    settings_file       => $settings_file,
+    #secret_key         => $secret_key,
     default_environment => $default_environment,
+    puppetdb_host       => $puppetdb_host,
+    puppetdb_port       => 8081,
+    puppetdb_key        => "${basedir}/ssl/${puppetboard_certname}.pem",
+    puppetdb_ssl_verify => "${ssl_dir}/certs/ca.pem",
+    puppetdb_cert       => "${ssl_dir}/certs/${puppetboard_certname}.pem",
+    user                => $user,
+    group               => $group,
+    notify              => Service['puppetboard.service'],
+  }
+
+  # install gunicorn
+  python::pip { 'puppetboard_gunicorn':
+    ensure     => 'latest',
+    pkgname    => 'gunicorn',
+    virtualenv => $virtualenv_dir,
+    require    => Class['puppetboard'],
+  }
+
+  # create ssl dir for puppetboard
+  file { "${basedir}/ssl":
+    ensure  => directory,
+    owner   => $user,
+    group   => $group,
+    mode    => '0750',
+    require => Class['puppetboard'],
+  }
+
+  # copy the ssl certs for puppetboard
+  file { "${basedir}/ssl/${puppetboard_certname}.pem":
+    ensure  => present,
+    owner   => $user,
+    group   => $group,
+    mode    => '0750',
+    source  => "${ssl_dir}/private_keys/${puppetboard_certname}.pem",
+    require => File["${basedir}/ssl"],
+    notify  => Service['puppetboard.service'],
+  }
+
+  # create script to start service
+  file { "${virtualenv_dir}/bin/start_puppetboard":
+    ensure  => file,
+    owner   => $user,
+    group   => $group,
+    mode    => '0755',
+    content => template('profiles/puppet/puppetboard/start_puppetboard.erb'),
+    require => Class['puppetboard'],
+    notify  => Service['puppetboard.service'],
+  }
+
+  # create systemd service unit
+  systemd::unit_file { 'puppetboard.service':
+    content => template('profiles/puppet/puppetboard/puppetboard.service.erb'),
+    active  => true,
+    enable  => true,
+    require => File["${virtualenv_dir}/bin/start_puppetboard"],
+  }
+
+  # ensure the nginx service is managed
+  class { 'nginx': }
+
+  # create the nginx vhost
+  nginx::resource::server { $nginx_vhost:
+      listen_port           => $nginx_port,
+      server_name           => [$nginx_vhost],
+      proxy                 => "${gunicorn_bind_prefix}${gunicorn_bind}",
+      proxy_set_header      => [
+          'Host $http_host',
+          'X-Real-IP $remote_addr',
+          'X-Scheme $scheme',
+      ],
+      proxy_pass_header     => ['Server'],
+      proxy_redirect        => 'off',
+      proxy_connect_timeout => '10s',
+      proxy_read_timeout    => '10s',
+  }
+
+  # service static files from nginx for performance
+  nginx::resource::location { "${nginx_vhost}_static":
+      location       => '/static',
+      server         => $nginx_vhost,
+      location_alias => "${virtualenv_dir}/lib/python${python_version}/site-packages/puppetboard/static",
   }
 }
diff --git a/site/profiles/templates/puppet/puppetboard/puppetboard.service.erb b/site/profiles/templates/puppet/puppetboard/puppetboard.service.erb
new file mode 100644
index 0000000..08fec4d
--- /dev/null
+++ b/site/profiles/templates/puppet/puppetboard/puppetboard.service.erb
@@ -0,0 +1,12 @@
+[Unit]
+Description=puppetboard daemon
+After=network.target
+[Service]
+Type=simple
+User=<%= @user %>
+Group=<%= @group %>
+Environment="PUPPETBOARD_SETTINGS=<%= @settings_file %>"
+ExecStart=<%= @virtualenv_dir %>/bin/start_puppetboard
+PrivateTmp=true
+[Install]
+WantedBy=multi-user.target
diff --git a/site/profiles/templates/puppet/puppetboard/start_puppetboard.erb b/site/profiles/templates/puppet/puppetboard/start_puppetboard.erb
new file mode 100644
index 0000000..46e6da3
--- /dev/null
+++ b/site/profiles/templates/puppet/puppetboard/start_puppetboard.erb
@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+<%= @virtualenv_dir %>/bin/gunicorn \
+    --workers <%= @gunicorn_workers %> \
+    --threads <%= @gunicorn_threads %> \
+    --config <%= @settings_file %> \
+    --bind <%= @gunicorn_bind %> \
+    puppetboard.app:app
diff --git a/site/roles/manifests/puppet/puppetboard.pp b/site/roles/manifests/puppet/puppetboard.pp
new file mode 100644
index 0000000..34862c3
--- /dev/null
+++ b/site/roles/manifests/puppet/puppetboard.pp
@@ -0,0 +1,6 @@
+# a role to deploy the puppetboard
+class roles::puppet::puppetboard {
+    include profiles::defaults
+    include profiles::base
+    include profiles::puppet::puppetboard
+  }

From 130669a1301d630a395786b974d6eaed984e3d91 Mon Sep 17 00:00:00 2001
From: Ben Vincent <ben@unkin.net>
Date: Sun, 29 Oct 2023 20:17:07 +1100
Subject: [PATCH 05/19] feat: manage puppet clients

- manage the service
- manage the package, version lock it
- deploy the /etc/puppetlabs/puppet/puppet.conf from template for puppet
  clients only
---
 hieradata/common.yaml                         | 10 ++++
 site/profiles/manifests/base.pp               |  6 +++
 site/profiles/manifests/puppet/client.pp      | 50 +++++++++++++++++++
 .../templates/puppet/client/puppet.conf.erb   | 13 +++++
 4 files changed, 79 insertions(+)
 create mode 100644 site/profiles/manifests/puppet/client.pp
 create mode 100644 site/profiles/templates/puppet/client/puppet.conf.erb

diff --git a/hieradata/common.yaml b/hieradata/common.yaml
index eea398c..0f3ff84 100644
--- a/hieradata/common.yaml
+++ b/hieradata/common.yaml
@@ -3,6 +3,9 @@ profiles::base::ntp_servers:
   - 0.au.pool.ntp.org
   - 1.au.pool.ntp.org
 
+profiles::base::puppet_servers:
+  - 'prodinf01n01.main.unkin.net'
+
 profiles::base::packages::common:
   - ccze
   - curl
@@ -31,6 +34,13 @@ profiles::puppet::autosign::domains:
 # profiles::puppet::autosign::nodes:
 #  - 'somenode.main.unkin.net'
 
+profiles::puppet::client::puppet_version: '7.26.0'
+profiles::puppet::client::environment: 'develop'
+profiles::puppet::client::runinterval: 1800
+profiles::puppet::client::runtimeout: 3600
+profiles::puppet::client::show_diff: true
+profiles::puppet::client::usecacheonfailure: false
+
 profiles::puppet::enc::enc_repo: https://git.unkin.net/unkinben/puppet-enc.git
 profiles::puppet::r10k::r10k_repo: https://git.unkin.net/unkinben/puppet-r10k.git
 profiles::puppet::g10k::bin_path: '/opt/puppetlabs/bin/g10k'
diff --git a/site/profiles/manifests/base.pp b/site/profiles/manifests/base.pp
index 056d3e1..35874eb 100644
--- a/site/profiles/manifests/base.pp
+++ b/site/profiles/manifests/base.pp
@@ -1,6 +1,7 @@
 # this is the base class, which will be used by all servers
 class profiles::base (
   Array  $ntp_servers,
+  Array  $puppet_servers,
 ) {
   class { 'chrony':
     servers => $ntp_servers,
@@ -24,6 +25,11 @@ class profiles::base (
     ensure   => 'installed',
   }
 
+  # manage puppet clients
+  if ! member($puppet_servers, $trusted['certname']) {
+    include profiles::puppet::client
+  }
+
   # include admin scripts
   include profiles::base::scripts
 
diff --git a/site/profiles/manifests/puppet/client.pp b/site/profiles/manifests/puppet/client.pp
new file mode 100644
index 0000000..360e296
--- /dev/null
+++ b/site/profiles/manifests/puppet/client.pp
@@ -0,0 +1,50 @@
+# Class: profiles::puppet::client
+#
+# This class manages Puppet client configuration and service.
+#
+# Parameters:
+#   vardir - Directory path for variable data.
+#   logdir - Directory path for logs.
+#   rundir - Directory path for run-time data.
+#   pidfile - File path for the PID file.
+#   codedir - Directory path for code data.
+#   dns_alt_names - Array of alternate DNS names for the server.
+#   server - Server's name.
+#
+# site/profile/manifests/puppet/client.pp
+class profiles::puppet::client (
+  String $dns_alt_names       = $trusted['certname'],
+  String $server              = 'puppetmaster',
+  String $ca_server           = 'puppetca',
+  String $environment         = 'develop',
+  Integer $runinterval        = 1800,
+  Integer $runtimeout         = 3600,
+  Boolean $show_diff          = true,
+  Boolean $usecacheonfailure  = false,
+  String $puppet_version      = 'latest',
+) {
+
+  # Ensure the puppet-agent package is installed and locked to a specific version
+  package { 'puppet-agent':
+    ensure => $puppet_version,
+  }
+
+  # Ensure the puppet service is running
+  service { 'puppet':
+    ensure     => 'running',
+    enable     => true,
+    hasrestart => true,
+    require    => Package['puppet-agent'],
+  }
+
+  # Assuming you want to manage puppet.conf with this profile
+  file { '/etc/puppetlabs/puppet/puppet.conf':
+    ensure  => 'present',
+    content => template('profiles/puppet/client/puppet.conf.erb'),
+    owner   => 'root',
+    group   => 'root',
+    mode    => '0644',
+    notify  => Service['puppet'],
+  }
+}
+
diff --git a/site/profiles/templates/puppet/client/puppet.conf.erb b/site/profiles/templates/puppet/client/puppet.conf.erb
new file mode 100644
index 0000000..e7a86c6
--- /dev/null
+++ b/site/profiles/templates/puppet/client/puppet.conf.erb
@@ -0,0 +1,13 @@
+[main]
+dns_alt_names = <%= @dns_alt_names %>
+
+[agent]
+server = <%= @server %>
+ca_server = <%= @ca_server %>
+environment = <%= @environment %>
+report = true
+report_server = <%= @server %>
+runinterval = <%= @runinterval %>
+runtimeout = <%= @runtimeout %>
+show_diff = <%= @show_diff %>
+usecacheonfailure = <%= @usecacheonfailure %>

From 5076d7383a8594a7d564ac22d02ab8a69b7e2ba0 Mon Sep 17 00:00:00 2001
From: Ben Vincent <ben@unkin.net>
Date: Thu, 2 Nov 2023 20:12:47 +1100
Subject: [PATCH 06/19] feat: add ceph osd/mds/mon roles

- basic roles currently
- will allow build of ceph to begin
---
 site/roles/manifests/ceph/mds.pp | 6 ++++++
 site/roles/manifests/ceph/mon.pp | 6 ++++++
 site/roles/manifests/ceph/osd.pp | 6 ++++++
 3 files changed, 18 insertions(+)
 create mode 100644 site/roles/manifests/ceph/mds.pp
 create mode 100644 site/roles/manifests/ceph/mon.pp
 create mode 100644 site/roles/manifests/ceph/osd.pp

diff --git a/site/roles/manifests/ceph/mds.pp b/site/roles/manifests/ceph/mds.pp
new file mode 100644
index 0000000..a7a6a2e
--- /dev/null
+++ b/site/roles/manifests/ceph/mds.pp
@@ -0,0 +1,6 @@
+# a role to deploy the ceph mds
+# work in progress
+class roles::ceph::mds {
+    include profiles::defaults
+    include profiles::base
+}
diff --git a/site/roles/manifests/ceph/mon.pp b/site/roles/manifests/ceph/mon.pp
new file mode 100644
index 0000000..b1fe65a
--- /dev/null
+++ b/site/roles/manifests/ceph/mon.pp
@@ -0,0 +1,6 @@
+# a role to deploy the ceph mon
+# work in progress
+class roles::ceph::mon {
+    include profiles::defaults
+    include profiles::base
+}
diff --git a/site/roles/manifests/ceph/osd.pp b/site/roles/manifests/ceph/osd.pp
new file mode 100644
index 0000000..047718a
--- /dev/null
+++ b/site/roles/manifests/ceph/osd.pp
@@ -0,0 +1,6 @@
+# a role to deploy the ceph osd
+# work in progress
+class roles::ceph::osd {
+    include profiles::defaults
+    include profiles::base
+}

From 75a66a3339fb41f5958a8f9e820b45280d6b364f Mon Sep 17 00:00:00 2001
From: Ben Vincent <ben@unkin.net>
Date: Thu, 2 Nov 2023 22:08:00 +1100
Subject: [PATCH 07/19] fix: digitalpacific epel repodata broken

- change epel to read from aarnet
---
 hieradata/os/AlmaLinux/all_releases.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hieradata/os/AlmaLinux/all_releases.yaml b/hieradata/os/AlmaLinux/all_releases.yaml
index 230dbd0..e749c94 100644
--- a/hieradata/os/AlmaLinux/all_releases.yaml
+++ b/hieradata/os/AlmaLinux/all_releases.yaml
@@ -1,7 +1,7 @@
 # hieradata/os/almalinux/all_releases.yaml
 ---
 profiles::yum::base::baseurl: http://almalinux.mirror.digitalpacific.com.au
-profiles::yum::epel::baseurl: http://epel.mirror.digitalpacific.com.au
+profiles::yum::epel::baseurl: http://mirror.aarnet.edu.au/pub/epel
 profiles::firewall::firewalld::ensure_package: 'absent'
 profiles::firewall::firewalld::ensure_service: 'stopped'
 profiles::firewall::firewalld::enable_service: false

From a89a68bc61a9838c83eaa37633e9efbd467f1205 Mon Sep 17 00:00:00 2001
From: Ben Vincent <ben@unkin.net>
Date: Thu, 2 Nov 2023 22:14:38 +1100
Subject: [PATCH 08/19] fix: debian puppet_version different to EL

- change puppet_version to be set per-os in hieradata
---
 hieradata/common.yaml                    | 1 -
 hieradata/os/AlmaLinux/all_releases.yaml | 2 ++
 hieradata/os/Debian/Debian11.yaml        | 2 ++
 hieradata/os/Debian/Debian12.yaml        | 2 ++
 4 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/hieradata/common.yaml b/hieradata/common.yaml
index 4ab4245..3a828ea 100644
--- a/hieradata/common.yaml
+++ b/hieradata/common.yaml
@@ -34,7 +34,6 @@ profiles::puppet::autosign::domains:
 # profiles::puppet::autosign::nodes:
 #  - 'somenode.main.unkin.net'
 
-profiles::puppet::client::puppet_version: '7.26.0'
 profiles::puppet::client::environment: 'develop'
 profiles::puppet::client::runinterval: 1800
 profiles::puppet::client::runtimeout: 3600
diff --git a/hieradata/os/AlmaLinux/all_releases.yaml b/hieradata/os/AlmaLinux/all_releases.yaml
index e749c94..bdb6ccb 100644
--- a/hieradata/os/AlmaLinux/all_releases.yaml
+++ b/hieradata/os/AlmaLinux/all_releases.yaml
@@ -5,3 +5,5 @@ profiles::yum::epel::baseurl: http://mirror.aarnet.edu.au/pub/epel
 profiles::firewall::firewalld::ensure_package: 'absent'
 profiles::firewall::firewalld::ensure_service: 'stopped'
 profiles::firewall::firewalld::enable_service: false
+
+profiles::puppet::client::puppet_version: '7.26.0'
diff --git a/hieradata/os/Debian/Debian11.yaml b/hieradata/os/Debian/Debian11.yaml
index 8ed26ec..41e6201 100644
--- a/hieradata/os/Debian/Debian11.yaml
+++ b/hieradata/os/Debian/Debian11.yaml
@@ -10,3 +10,5 @@ profiles::apt::components:
   - contrib
   - main
   - non-free
+
+profiles::puppet::client::puppet_version: '7.25.0-1bullseye'
diff --git a/hieradata/os/Debian/Debian12.yaml b/hieradata/os/Debian/Debian12.yaml
index 7063126..fab31d1 100644
--- a/hieradata/os/Debian/Debian12.yaml
+++ b/hieradata/os/Debian/Debian12.yaml
@@ -11,3 +11,5 @@ profiles::apt::components:
   - main
   - non-free
   - non-free-firmware
+
+profiles::puppet::client::puppet_version: 'latest'

From 0cc0bacad33b26b8c79caa41ca674ef603a02d65 Mon Sep 17 00:00:00 2001
From: Ben Vincent <ben@unkin.net>
Date: Sat, 4 Nov 2023 18:12:35 +1100
Subject: [PATCH 09/19] feat: add motd and facts

- use parameters created by the enc to create external facts
- use external facts to generate the motd
- use features from https://git.unkin.net/unkinben/puppet-enc/pulls/22
---
 site/profiles/manifests/base.pp               |  4 +++
 site/profiles/manifests/base/facts.pp         | 29 +++++++++++++++++++
 site/profiles/manifests/base/motd.pp          | 20 +++++++++++++
 .../profiles/templates/base/facts/enc_env.erb |  1 +
 .../templates/base/facts/enc_role.erb         |  1 +
 site/profiles/templates/base/motd/motd.erb    | 13 +++++++++
 6 files changed, 68 insertions(+)
 create mode 100644 site/profiles/manifests/base/facts.pp
 create mode 100644 site/profiles/manifests/base/motd.pp
 create mode 100644 site/profiles/templates/base/facts/enc_env.erb
 create mode 100644 site/profiles/templates/base/facts/enc_role.erb
 create mode 100644 site/profiles/templates/base/motd/motd.erb

diff --git a/site/profiles/manifests/base.pp b/site/profiles/manifests/base.pp
index 35874eb..e1a98c0 100644
--- a/site/profiles/manifests/base.pp
+++ b/site/profiles/manifests/base.pp
@@ -52,4 +52,8 @@ class profiles::base (
   # default users
   include profiles::accounts::sysadmin
 
+  # add a motd
+  include profiles::base::facts
+  include profiles::base::motd
+
 }
diff --git a/site/profiles/manifests/base/facts.pp b/site/profiles/manifests/base/facts.pp
new file mode 100644
index 0000000..e234625
--- /dev/null
+++ b/site/profiles/manifests/base/facts.pp
@@ -0,0 +1,29 @@
+# a class to define some global facts
+class profiles::base::facts {
+
+  # The path where external facts are stored
+  $facts_d_path = '/opt/puppetlabs/facter/facts.d'
+
+  # Ensure the directory exists
+  file { $facts_d_path:
+    ensure => directory,
+    owner  => 'root',
+    group  => 'root',
+    mode   => '0755',
+  }
+
+  # facts to create
+  $fact_list = [ 'enc_role', 'enc_env' ]
+
+  # Manage the external fact file with content from the template
+  $fact_list.each | String $item | {
+    file { "${facts_d_path}/${item}.txt":
+      ensure  => file,
+      owner   => 'root',
+      group   => 'root',
+      mode    => '0644',
+      content => template("profiles/base/facts/${item}.erb"),
+      require => File[$facts_d_path],
+    }
+  }
+}
diff --git a/site/profiles/manifests/base/motd.pp b/site/profiles/manifests/base/motd.pp
new file mode 100644
index 0000000..e1dd5ca
--- /dev/null
+++ b/site/profiles/manifests/base/motd.pp
@@ -0,0 +1,20 @@
+# set the motd
+class profiles::base::motd (
+  String  $enc_role   = pick($facts['enc_role'], 'undefined'),
+  String  $enc_env    = pick($facts['enc_env'], 'undefined'),
+  String  $fqdn       = $facts['networking']['fqdn'],
+  String  $addr       = $facts['networking']['ip'],
+  String  $nic        = $facts['networking']['primary'],
+  String  $os_name    = $facts['os']['name'],
+  String  $os_release = $facts['os']['release']['full'],
+) {
+
+  # Use the regsubst function to remove the 'roles::' prefix from the role name
+  $clean_role = regsubst($enc_role, '^roles::', '')
+
+  # Manage the content of the /etc/motd file
+  file { '/etc/motd':
+    ensure  => file,
+    content => template('profiles/base/motd/motd.erb'),
+  }
+}
diff --git a/site/profiles/templates/base/facts/enc_env.erb b/site/profiles/templates/base/facts/enc_env.erb
new file mode 100644
index 0000000..7695e4d
--- /dev/null
+++ b/site/profiles/templates/base/facts/enc_env.erb
@@ -0,0 +1 @@
+enc_env=<%= @enc_env %>
diff --git a/site/profiles/templates/base/facts/enc_role.erb b/site/profiles/templates/base/facts/enc_role.erb
new file mode 100644
index 0000000..d59acdf
--- /dev/null
+++ b/site/profiles/templates/base/facts/enc_role.erb
@@ -0,0 +1 @@
+enc_role=<%= @enc_role[0] %>
diff --git a/site/profiles/templates/base/motd/motd.erb b/site/profiles/templates/base/motd/motd.erb
new file mode 100644
index 0000000..7ca06df
--- /dev/null
+++ b/site/profiles/templates/base/motd/motd.erb
@@ -0,0 +1,13 @@
+<%
+# calculate padding for the longest word
+max_length = ['fqdn:', 'os:', 'role:', 'branch:', 'addr:', 'nic:'].max_by(&:length).length
+# helper lambda to right-align text
+align = ->(word) { word.ljust(max_length) }
+%>
+<%= align.call('fqdn:') %> <%= @fqdn %>
+<%= align.call('os:') %> <%= @os_name %> <%= @os_release %>
+<%= align.call('role:') %> <%= @clean_role %>
+<%= align.call('branch:') %> <%= @enc_env %>
+<%= align.call('addr:') %> <%= @addr %>
+<%= align.call('nic:') %> <%= @nic %>
+

From 56518f1fcb94d265f4add099351e844194555fb4 Mon Sep 17 00:00:00 2001
From: Ben Vincent <ben@unkin.net>
Date: Sat, 4 Nov 2023 20:25:35 +1100
Subject: [PATCH 10/19] feat: change enc repo to be tagged

- enc repository will download a specific tag
- defaults to master
- hiera set to release tag '0.1'
---
 hieradata/common.yaml                 | 4 +++-
 site/profiles/manifests/puppet/enc.pp | 8 ++++++--
 2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/hieradata/common.yaml b/hieradata/common.yaml
index 3a828ea..b8267f4 100644
--- a/hieradata/common.yaml
+++ b/hieradata/common.yaml
@@ -40,7 +40,9 @@ profiles::puppet::client::runtimeout: 3600
 profiles::puppet::client::show_diff: true
 profiles::puppet::client::usecacheonfailure: false
 
-profiles::puppet::enc::enc_repo: https://git.unkin.net/unkinben/puppet-enc.git
+profiles::puppet::enc::repo: https://git.unkin.net/unkinben/puppet-enc.git
+profiles::puppet::enc::release: '0.1'
+profiles::puppet::enc::force: true
 profiles::puppet::r10k::r10k_repo: https://git.unkin.net/unkinben/puppet-r10k.git
 profiles::puppet::g10k::bin_path: '/opt/puppetlabs/bin/g10k'
 profiles::puppet::g10k::cfg_path: '/etc/puppetlabs/r10k/r10k.yaml'
diff --git a/site/profiles/manifests/puppet/enc.pp b/site/profiles/manifests/puppet/enc.pp
index 6745587..4e84227 100644
--- a/site/profiles/manifests/puppet/enc.pp
+++ b/site/profiles/manifests/puppet/enc.pp
@@ -34,7 +34,9 @@
 # This is designed to work on Unix-like systems only.
 #
 class profiles::puppet::enc (
-  String $enc_repo,
+  String $repo,
+  String $release = 'master',
+  Boolean $force = false,
 ) {
 
   include profiles::git::git
@@ -42,7 +44,9 @@ class profiles::puppet::enc (
   vcsrepo { '/opt/puppetlabs/enc':
     ensure   => latest,
     provider => git,
-    source   => $enc_repo,
+    source   => $repo,
+    revision => $release,
+    force    => $force,
     require  => Package['git'],
   }
 

From def2561e6cee4c4e6cc1da12a1083c0d1d465b73 Mon Sep 17 00:00:00 2001
From: Ben Vincent <ben@unkin.net>
Date: Sun, 27 Aug 2023 00:15:01 +1000
Subject: [PATCH 11/19] feat: add datavol class to manage /data

  - included puppetlabs-lvm module
  - created profiles::base::datavol to:
    - create pv, vg, lv and format the filesystem and mount it
---
 Puppetfile                              |  1 +
 site/profiles/manifests/base/datavol.pp | 62 +++++++++++++++++++++++++
 2 files changed, 63 insertions(+)
 create mode 100644 site/profiles/manifests/base/datavol.pp

diff --git a/Puppetfile b/Puppetfile
index 5995d48..258a0c8 100644
--- a/Puppetfile
+++ b/Puppetfile
@@ -15,3 +15,4 @@ mod 'puppetlabs-vcsrepo', '6.1.0'
 mod 'puppetlabs-yumrepo_core', '2.0.0'
 mod 'puppet-yum', '7.0.0'
 mod 'puppetlabs-apt', '9.1.0'
+mod 'puppetlabs-lvm', '2.0.3'
diff --git a/site/profiles/manifests/base/datavol.pp b/site/profiles/manifests/base/datavol.pp
new file mode 100644
index 0000000..2d3fb37
--- /dev/null
+++ b/site/profiles/manifests/base/datavol.pp
@@ -0,0 +1,62 @@
+# profiles::base::datavol
+#
+# This class manages the creation of a logical volume using the `lvm::volume` definition.
+#
+# Parameters:
+#   $ensure   - Ensure whether the logical volume is present or not. Defaults to 'present'.
+#   $vg       - Volume group name. No default.
+#   $pv       - Physical volume, typically the disk or partition device path. No default.
+#   $fstype   - Filesystem type for the logical volume. Defaults to 'ext3'.
+#   $size     - Size of the logical volume. No default.
+#
+class profiles::base::datavol (
+  Enum['present', 'absent'] $ensure = 'present',
+  Enum['ext2', 'ext3', 'ext4', 'xfs', 'btrfs'] $fstype = 'xfs',
+  String $vg = 'datavg',
+  String $pv = '/dev/vdb',
+  String $lv = 'data',
+  Stdlib::Absolutepath $mount = '/data',
+  Variant[Pattern[/^[\d+GTP%FREE]$/], Integer] $size = '100%FREE',
+  Array  $mount_options = ['noatime', 'nodiratime'],
+) {
+
+  # Ensure the physical volume exists
+  physical_volume { $pv:
+    ensure => $ensure,
+    before => Volume_group[$vg],
+  }
+
+  # Ensure the volume group exists
+  volume_group { $vg:
+    ensure           => $ensure,
+    physical_volumes => [$pv],
+    before           => Logical_volume[$lv],
+  }
+
+  # Ensure the logical volume exists
+  logical_volume { $lv:
+    ensure       => $ensure,
+    volume_group => $vg,
+    size         => $size,
+    before       => Filesystem["/dev/${vg}/${lv}"],
+  }
+
+  # Ensure the filesystem is created on the logical volume
+  filesystem { "/dev/${vg}/${lv}":
+    ensure  => $ensure,
+    fs_type => $fstype,
+    require => Logical_volume[$lv],
+    before  => Mount[$mount],
+  }
+
+  # Ensure the logical volume is mounted at the desired location
+  mount { $mount:
+    ensure  => $ensure,
+    device  => "/dev/${vg}/${lv}",
+    fstype  => $fstype,
+    options => 'defaults',
+    dump    => 0,
+    pass    => 2,
+    require => Filesystem["/dev/${vg}/${lv}"],
+  }
+}

From 1d1541419afc91c872b9ab4d6a58140dcc0f154d Mon Sep 17 00:00:00 2001
From: Ben Vincent <ben@unkin.net>
Date: Sun, 5 Nov 2023 17:45:13 +1100
Subject: [PATCH 12/19] feat: adding base packagerepo role

- create roles::infra::packagerepo
- bump enc version
---
 hieradata/common.yaml                     | 2 +-
 site/roles/manifests/infra/packagerepo.pp | 6 ++++++
 2 files changed, 7 insertions(+), 1 deletion(-)
 create mode 100644 site/roles/manifests/infra/packagerepo.pp

diff --git a/hieradata/common.yaml b/hieradata/common.yaml
index b8267f4..9533387 100644
--- a/hieradata/common.yaml
+++ b/hieradata/common.yaml
@@ -41,7 +41,7 @@ profiles::puppet::client::show_diff: true
 profiles::puppet::client::usecacheonfailure: false
 
 profiles::puppet::enc::repo: https://git.unkin.net/unkinben/puppet-enc.git
-profiles::puppet::enc::release: '0.1'
+profiles::puppet::enc::release: '0.2'
 profiles::puppet::enc::force: true
 profiles::puppet::r10k::r10k_repo: https://git.unkin.net/unkinben/puppet-r10k.git
 profiles::puppet::g10k::bin_path: '/opt/puppetlabs/bin/g10k'
diff --git a/site/roles/manifests/infra/packagerepo.pp b/site/roles/manifests/infra/packagerepo.pp
new file mode 100644
index 0000000..1f2afdc
--- /dev/null
+++ b/site/roles/manifests/infra/packagerepo.pp
@@ -0,0 +1,6 @@
+# a role to deploy a packagerepo
+class roles::infra::packagerepo {
+  include profiles::defaults
+  include profiles::base
+  include profiles::base::datavol
+}

From 36142a3565aac5dd748f7444bf3f53f2285461ba Mon Sep 17 00:00:00 2001
From: Ben Vincent <ben@unkin.net>
Date: Sun, 5 Nov 2023 17:54:36 +1100
Subject: [PATCH 13/19] fix: bump enc

https://git.unkin.net/unkinben/puppet-enc/pulls/24
---
 hieradata/common.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hieradata/common.yaml b/hieradata/common.yaml
index 9533387..eb3289a 100644
--- a/hieradata/common.yaml
+++ b/hieradata/common.yaml
@@ -41,7 +41,7 @@ profiles::puppet::client::show_diff: true
 profiles::puppet::client::usecacheonfailure: false
 
 profiles::puppet::enc::repo: https://git.unkin.net/unkinben/puppet-enc.git
-profiles::puppet::enc::release: '0.2'
+profiles::puppet::enc::release: '0.3'
 profiles::puppet::enc::force: true
 profiles::puppet::r10k::r10k_repo: https://git.unkin.net/unkinben/puppet-r10k.git
 profiles::puppet::g10k::bin_path: '/opt/puppetlabs/bin/g10k'

From cb9af5a2a8a36495b65c5909964ece765bb0a49b Mon Sep 17 00:00:00 2001
From: Ben Vincent <ben@unkin.net>
Date: Sun, 5 Nov 2023 18:01:16 +1100
Subject: [PATCH 14/19] fix: variant regex results in error

- update the $size variant regex so it actually matches correctly
- default $size to undef, which results in 100%FREE
---
 site/profiles/manifests/base/datavol.pp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/site/profiles/manifests/base/datavol.pp b/site/profiles/manifests/base/datavol.pp
index 2d3fb37..167f60a 100644
--- a/site/profiles/manifests/base/datavol.pp
+++ b/site/profiles/manifests/base/datavol.pp
@@ -7,7 +7,7 @@
 #   $vg       - Volume group name. No default.
 #   $pv       - Physical volume, typically the disk or partition device path. No default.
 #   $fstype   - Filesystem type for the logical volume. Defaults to 'ext3'.
-#   $size     - Size of the logical volume. No default.
+#   $size     - Size of the logical volume. undef = 100%FREE. Changing $size to cause a resize.
 #
 class profiles::base::datavol (
   Enum['present', 'absent'] $ensure = 'present',
@@ -16,7 +16,7 @@ class profiles::base::datavol (
   String $pv = '/dev/vdb',
   String $lv = 'data',
   Stdlib::Absolutepath $mount = '/data',
-  Variant[Pattern[/^[\d+GTP%FREE]$/], Integer] $size = '100%FREE',
+  Optional[Variant[Pattern[/^\d+(M|G|T|P)$/], Integer]] $size = undef,
   Array  $mount_options = ['noatime', 'nodiratime'],
 ) {
 

From 058cc2500840d0a8ceea57399ecaa9c566bf59ed Mon Sep 17 00:00:00 2001
From: Ben Vincent <ben@unkin.net>
Date: Wed, 8 Nov 2023 22:03:21 +1100
Subject: [PATCH 15/19] feat: add bash completion

- quality of life addition to all hosts
---
 hieradata/common.yaml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hieradata/common.yaml b/hieradata/common.yaml
index eb3289a..1976320 100644
--- a/hieradata/common.yaml
+++ b/hieradata/common.yaml
@@ -7,6 +7,7 @@ profiles::base::puppet_servers:
   - 'prodinf01n01.main.unkin.net'
 
 profiles::base::packages::common:
+  - bash-completion
   - ccze
   - curl
   - dstat

From 19836e2069dbc2e1712f84483860b5440b7bec92 Mon Sep 17 00:00:00 2001
From: Ben Vincent <ben@unkin.net>
Date: Thu, 2 Nov 2023 20:09:22 +1100
Subject: [PATCH 16/19] feat: adding reposync wrapper and tooling

- add autosyncer/autopromoter scripts
- add timer and service to initial sync process
- add timer/service for daily/weekly/monthly autopromote
- add define to manage each repo
- add nginx webserver to share repos
- add favion.ico if enabled
- add selinux management, and packages for selinux
- cleanup package management, sorting package groups into package classes
---
 Puppetfile                                    |   1 +
 hieradata/common.yaml                         |  44 +++++++-
 site/profiles/files/reposync/favicon.ico      | Bin 0 -> 32038 bytes
 site/profiles/manifests/base.pp               |  21 +---
 site/profiles/manifests/base/packages.pp      |  27 -----
 site/profiles/manifests/git/git.pp            |  24 ----
 site/profiles/manifests/packages/base.pp      |  21 ++++
 site/profiles/manifests/packages/git.pp       |  11 ++
 site/profiles/manifests/packages/reposync.pp  |  11 ++
 site/profiles/manifests/packages/selinux.pp   |  11 ++
 site/profiles/manifests/puppet/enc.pp         |   2 +-
 site/profiles/manifests/puppet/r10k.pp        |   2 +-
 .../manifests/reposync/autopromoter.pp        | 105 ++++++++++++++++++
 .../profiles/manifests/reposync/autosyncer.pp |  44 ++++++++
 site/profiles/manifests/reposync/repos.pp     |  46 ++++++++
 site/profiles/manifests/reposync/syncer.pp    |  30 +++++
 site/profiles/manifests/reposync/webserver.pp |  58 ++++++++++
 .../templates/reposync/autopromoter.erb       |  53 +++++++++
 .../templates/reposync/autosyncer.erb         |  97 ++++++++++++++++
 .../profiles/templates/reposync/repo_conf.erb |   8 ++
 site/roles/manifests/infra/packagerepo.pp     |   1 +
 21 files changed, 547 insertions(+), 70 deletions(-)
 create mode 100644 site/profiles/files/reposync/favicon.ico
 delete mode 100644 site/profiles/manifests/base/packages.pp
 delete mode 100644 site/profiles/manifests/git/git.pp
 create mode 100644 site/profiles/manifests/packages/base.pp
 create mode 100644 site/profiles/manifests/packages/git.pp
 create mode 100644 site/profiles/manifests/packages/reposync.pp
 create mode 100644 site/profiles/manifests/packages/selinux.pp
 create mode 100644 site/profiles/manifests/reposync/autopromoter.pp
 create mode 100644 site/profiles/manifests/reposync/autosyncer.pp
 create mode 100644 site/profiles/manifests/reposync/repos.pp
 create mode 100644 site/profiles/manifests/reposync/syncer.pp
 create mode 100644 site/profiles/manifests/reposync/webserver.pp
 create mode 100644 site/profiles/templates/reposync/autopromoter.erb
 create mode 100644 site/profiles/templates/reposync/autosyncer.erb
 create mode 100644 site/profiles/templates/reposync/repo_conf.erb

diff --git a/Puppetfile b/Puppetfile
index 1e7b959..1da664c 100644
--- a/Puppetfile
+++ b/Puppetfile
@@ -22,6 +22,7 @@ mod 'puppet-archive', '7.0.0'
 mod 'puppet-chrony', '2.6.0'
 mod 'puppet-puppetboard', '9.0.0'
 mod 'puppet-nginx', '5.0.0'
+mod 'puppet-selinux', '4.1.0'
 
 # other
 mod 'ghoneycutt-puppet', '3.3.0'
diff --git a/hieradata/common.yaml b/hieradata/common.yaml
index eb3289a..66e571c 100644
--- a/hieradata/common.yaml
+++ b/hieradata/common.yaml
@@ -6,7 +6,7 @@ profiles::base::ntp_servers:
 profiles::base::puppet_servers:
   - 'prodinf01n01.main.unkin.net'
 
-profiles::base::packages::common:
+profiles::packages::base:
   - ccze
   - curl
   - dstat
@@ -14,6 +14,7 @@ profiles::base::packages::common:
   - mtr
   - ncdu
   - neovim
+  - rsync
   - screen
   - strace
   - tmux
@@ -56,6 +57,42 @@ puppetdb::master::config::create_puppet_service_resource: false
 profiles::accounts::sysadmin::sshkeys:
   - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDZ8SRLlPiDylBpdWR9LpvPg4fDVD+DZst4yRPFwMMhta4mnB1H9XuvZkptDhXywWQ7QIcqa2WbhCen0OQJCtwn3s7EYtacmF5MxmwBYocPoK2AArGuh6NA9rwTdLrPdzhZ+gwe88PAzRLNzjm0ZBR+mA9saMbPJdqpKp0AWeAM8QofRQAWuCzQg9i0Pn1KDMvVDRHCZof4pVlHSTyHNektq4ifovn0zhKC8jD/cYu95mc5ftBbORexpGiQWwQ3HZw1IBe0ZETB1qPIPwsoJpt3suvMrL6T2//fcIIUE3TcyJKb/yhztja4TZs5jT8370G/vhlT70He0YPxqHub8ZfBv0khlkY93VBWYpNGJwM1fVqlw7XbfBNdOuJivJac8eW317ZdiDnKkBTxapThpPG3et9ib1HoPGKRsd/fICzNz16h2R3tddSdihTFL+bmTCa6Lo+5t5uRuFjQvhSLSgO2/gRAprc3scYOB4pY/lxOFfq3pU2VvSJtRgLNEYMUYKk= ben@unkin.net
 
+profiles::reposync::repos_list:
+  almalinux_8_8_baseos:
+    repository: 'BaseOS'
+    description: 'AlmaLinux 8.8 - BaseOS'
+    osname: 'almalinux'
+    release: '8.8'
+    baseurl: 'http://mirror.aarnet.edu.au/pub/almalinux/8.8/BaseOS/x86_64/os/'
+    gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux'
+  almalinux_8_8_appstream:
+    repository: 'AppStream'
+    description: 'AlmaLinux 8.8 - AppStream'
+    osname: 'almalinux'
+    release: '8.8'
+    baseurl: 'http://mirror.aarnet.edu.au/pub/almalinux/8.8/AppStream/x86_64/os/'
+    gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux'
+  almalinux_8_8_highavailability:
+    repository: 'HighAvailability'
+    description: 'AlmaLinux 8.8 - HighAvailability'
+    osname: 'almalinux'
+    release: '8.8'
+    baseurl: 'http://mirror.aarnet.edu.au/pub/almalinux/8.8/HighAvailability/x86_64/os/'
+    gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux'
+  epel_8_everything:
+    repository: 'Everything'
+    description: 'EPEL 8 Everything'
+    osname: 'epel'
+    release: '8'
+    baseurl: 'https://dl.fedoraproject.org/pub/epel/8/Everything/x86_64/'
+    gpgkey: 'https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-8'
+  epel_8_modular:
+    repository: 'Modular'
+    description: 'EPEL 8 Modular'
+    osname: 'epel'
+    release: '8'
+    baseurl: 'https://dl.fedoraproject.org/pub/epel/8/Modular/x86_64/'
+    gpgkey: 'https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-8'
 
 profiles::base::hosts::additional_hosts:
   - ip: 198.18.17.3
@@ -78,3 +115,8 @@ profiles::base::hosts::additional_hosts:
     hostname: prodinf01n06.main.unkin.net
     aliases:
       - prodinf01n06
+  - ip: 198.18.17.22
+    hostname: prodinf01n22.main.unkin.net
+    aliases:
+      - prodinf01n22
+      - repo.main.unkin.net
diff --git a/site/profiles/files/reposync/favicon.ico b/site/profiles/files/reposync/favicon.ico
new file mode 100644
index 0000000000000000000000000000000000000000..6c351da869acfccd096f138b8160e34c5b598f6f
GIT binary patch
literal 32038
zcmeI*1)N+((g5(~;BdI$1Pzi9Gzk^~?t;4<?h@Qda8Gax?(PJ4hX64o1a}GU?oNOG
z?@14Dhn?No%?9$zcl%4{&Aj)zyQ;dnx~zNZ>c*>^psr`nx_E6@*KwJ;x)ti`>N<BW
zeIL-iu5Pz@uU)%Q-`mvHO}|53U7L9I{tgq=)eYRQuC8OO6Pu{(8;kqtuV-D|Tnm*-
z=|)}MFF*enD$B3G{1kp0hYEa@BA#D-{#p3)i_hxa`|a1C!%shcA3pi`!|=iT@5S=&
zI8xpVUwr;)qCq7cGELln`l%<wPCM-w7F%qwu;2m<gayWtvfzRXhX4HM-{F{Jjt(Dv
z`2L@G0q*a=_fA-L*=0kV7vpT1V1fz4fd}lLcs!50>+iq)5*~hdXqaZ2X~tRH^SI)J
z&p-R59uL5O$dEx{>ZzwL<3I7l6Nk2K+lHBDnkf~u`Nu#0QGTvH-=~{yy7D{TSI@I4
zrkEn$Z#$}uw&{C@p|Ptrr=51%a+}&8fBf<5^=lj_oN&Ta#v5<EKRugah8e2XUvkMM
z!e^g;+$8@0{`XSh@!^k!=bw8fy!gU%;oNi14wFqbS-rlxbm<ZX4|*^>|NOJzg;?&o
z^Y$>u9CM_1cG!OVSohiR+_O)oXS?sVYrVSFXfWxdlZNxoJ16z2-&=3FIm|fYjODts
z%rZ-Y<>s4i2shq%eOPzhb;{4QInO*D!od6QOMR+;&D8_yjccv=ud?#W;hV3&OmicI
z-@=`D+*WT4jnm<WAC{i~{@c&NI~QGaL6~Twi4r^q9e6+pzyBKlm7X0D->rso@jm{!
z=9&Siy%2s4ufF<nXy1PBa@|cg-6Z_@!*{9e_+Pl^?z_TNQ%zNVzSyFRrZr37o(~*&
zUzjrTV(z0>{8wISrSR34pC>*sKW@M6)_VBkv0+1pB>c%wv?`7TIb%H~UtAA6tX~<1
z3`;{-ynfC(XQg)4d-ILg1NrUUNhX;jTzSRi>6v!*Yc8)G$11l4KkK(=;J*I)Yg4`A
z^IG`7Dg4)1WA&sz<bKQ*yqWu{#J^wPzU626ood&kk2<nUS31bzaXt2Kr%nqcdZ5eC
z5&tZ^&6mt~%P+TFJ-9Bu=)xo?a$hYS|2yxvJ;^2WbH4fJ3wPXpTN+pR|NPSr;eh@3
zt0x~T@xS!aOTvmPt`JsOVTAyO4jnp#Hf{dZAWin#vrodUG`^pPo<0AQ-s{u5cj^oN
z<jPY|J`q{`moW16*Ai{uxaOK`gzvunx;*};o^o<MxLSfgINp2r?QrwWH>P>;%F8b%
zINYa0l8rM=KYcx1iufC+@4x#d%@Oki&%QD8weY|L_lJWIIxx=f_Vwy+y>+iN$F={>
zH(!NSS6wB|y?gGyvpg@3KknFY$RP(OJhiVsYr#evZ5V#|{@Xw1UBCK#*Ao2mTqEOh
zF}J`+#;>>Dx@G>$d{&7+S@O=?ZzetK+lW(=Pf<o`W5nZ+g{7D7S*F3-YyY=AhUljK
z?%lg3-Obp4{nZy?wbfP)-Me)QAAay&YU`1QhsAYbhOp(9TO`_n8DI9^WA}2qU~38f
z`m_%2x8J@2ZytB-F=6PC!R0af^plUm5l0*zrkH&4a$iOK)j#L#v%-Ay&Knk5XrZv?
z8f%2B2V9lL3I1p?c+f*>%?2ZW&pHZO-)pO_()hv&-JcjSJj^ol%t@}Bhw7v01{<s&
zw%=~Mq~B>5A8g%gt1?V2#b2Md-Fizf_w)G99Q(iix@(dQ$YZj>`s<gUSK{BVf)A}9
z4@UmaeDw8KUxw9IT{YETWRZo_e1ijf?7+B|(k;BJuaizXv8)sAy35Y#9nUVm{L-+`
z-g}ktCkNJBcil2fql5qLx7|{2e6_WIlzCt@F5qHcWPPj>|HJy#U;oJKYp=OF;iSH?
z+Hk`S60GygGf#N!)mKuRco?s|`R2&<-P*Ncl%aVXy!+w{&nF&u{k2!Z1?Qhv=1X&K
z`Q?`@zdJhklRb1{I^Z<ZOr3c2;bB7)OyF1c*nPKhUzPaxKjHW&@7tu(uHEcm=bd*-
za~J*4?#(wwhAy2ur}{I`JX3h)=_kwhzx&QxNq!pRd+)uwo<2txKC%A^>0Pp7<m<1N
z$Dgg&wd>+#n3{$E%JiQv()fZA-G>Z*DBKtOf8>#2Wm!bO1J^?j4h(b6HCMT>BL3>X
z_wGC4;bB9<(4m9FOD{ej<=Z#0Uepca++~~Zz1N=Mpa1-4s!yLA6!mKDqO1Cfxv+bI
z#+e6}SYnANSKm!E@SZwo`c~wb1s7bP3{!LP$2Vjv`J-QLf(N|Xc8`pDHm<`bo_Ipk
zyXUFb4}8qO%K8~6&x|Yiwf_3+mF*@lP9Ejx%{Sec`cz*r572GiC_^*e`ARO)3&B`?
z|AptDt2ZXi!QU8IldL^kZM9|CZo6&6&O7ZCc8PrJv$@JfnswG$%d#lL<2u`Hvqimh
zrLghF8wKn6_S<il>hiDjiZXfi)mM*e!GiU4>Rg`=%ud~GvrPkiU-5al<(4h;NPah8
z=bwN6^1JE%O*aj6)JmJJ*7Yy9JFZ=8!Jll#&*n}l(GSKSR_}X$*3>oEZE5|c+Hdmt
zf{7RNx>O7PZ1`bOR?&IiiF33yin-ocX^lP_YUBNAKb?KnnPnTO7X0U)d+zXBw7bcw
zEPI=KB_q|(ZIG9AG;8vgUwodf^jP<@e9d)So7-Qt_vz~cuDY_>_`mY<OG(a?sm&=F
z4r{UXgRR6)qq9Ew#N%mQr%S)|;tR>g!;a&p;XfJ~*KYPMn&?wo&FQ<LchUc<E3X*i
z_-9zH<u50kM<l(>9AYD)hczt2nBRBLnq@t-o}$6C&pZ{Li!`FYc%I+Qb(?ejEAR&&
zUba3PPr3+w*8N<Xg87-Jp9;etdo<w-=Z`=7AUyfxi16s64~LK9=a$moufYH9x86uL
ztQbN|#tUxu-FHv2P50Y(pXBp%j~pPs9(wSBG;i=pbLlW9@h7*Qdg_UUyE)rj*zg1#
z6`ya4KHa(InlstSY%6ks{L;_U(H@{bn@7#*XH4M_rlCUyg~uX)`rI6t;EGSo8S4zc
zNah=UZE*y87afp~xo_V?1Aj8Tjz6n8G#C^3!_{1UVBr1bwX3Q5U3{)S+XS!Et@n*r
zKHJ}ZE!jBRZoAE&bo{J`(#tQt_`;g$-P-t<V1Fardh5+)A63Q;9~;N)f6Mpt6)d@U
zhrP~s1b6Rv77eUq%j7sx#=CgsI~@_%(>!l-`wd-N8-Frr&_fTF{BHb#(H_h;p*gxs
z^v4_&eVW$1JSV_ueH--91L4dwPLK9t|8VljCx+8bJ2f12<Pm{y=(JN$348>{Mjy(K
zJMQo&e_|1TpSRm~+tg-5I2Z4=CjRi?Yd#?QS}%%z^-C_fIPhy<cG;!j=%bHHa!bry
z%!*7%;~DAm)|+pH-FDq2#c9}f;*5OgOE0~2^4aaM!}iIyc<{jorFm{Xm;>y~YB5>9
zm`5LZxJe#pP5iZW{dLzSn-U(m@WB|9>7x()zI*RUGTVAU?<BwY^~5f=ioRL8_>jSa
z()_0@<+<`}q%Hd9Vjl6ih%ch|{E=SShS8V!8(#5#al9)(w<iAh`H(n9ML3FlIp>^n
zCO<A7*+2S<yL9QCc-gx4c9ij%C%^>mJU=R7&fh)vt}C5#n{Bo(>#_RfH!-jB`wd-N
z6MtjXE6VF4&Xu3pj+<_>N%Yb7k2?KxWt_?OB7AUa3jgB!@SqQ`y2>i${(JQ3p7g}V
z+G$Pv(OP_^66gHAW5;>I3CACoWJKoUi~|_KqTp@vk-qP9ey6D`IeY$j=Y~Ar7G8Ma
zWK;iD_>=v7R~g@Y<zw2qSFfb|gQYkp;p@A(E=GFZx#tA(jxXz!lTT_?e<;oo?Pwc)
zGyY2~(Ib33D%M+#cIvg3{Rf`I;#yUl|6;!4)#4YGc+=CK81Z<D7cCd#vSJ>&uFqmt
z#X1=Wc;b&cW6XoUz`SEai-VB+neKdx`pESfy0#|%+PW?3J#t&XKo>(>@G7}~d~*MN
z_lC_k->e?Ia#m)G{?cWaT_&7<`l(fAm$s}Q+ibmc;+4&!FOxqt<LzqgIXT9G8lqo@
z!?iW>2NxT!M~@x}7P&dM+;UUGJ?laAH+D<=Q8^pd@1=Y8Ogip$F<vHKnsuWh&5AJR
z&vdCG&c)B<tbDz{5`S=k`K-8xXZ>`x*=9{KiA$p{Bt9-aa&DaC;M+UK;@E8PP4tQS
zqVZ@7Z_mlbl~!D_LHw=#`|PuK@|$E@RlBz4_-Fj->+7tuc0JheBbta^Og{N!N#_yk
zC*O_Jh{uPg^~-#w2ULUCeK5;g`PaW1&W{k&di9l;n;iSxR%^+>3^Se+pIdzKQeH}t
zFZ1V4G0rV!dC4Ug#ko6c$|YTW_0^J0xah(Q()`YRpuNn;?(rL1A97p8>zt9V?!D*k
zvdxj}R=bWV|EK=sOm^+swLv&1iM(*d<(Gw9;+$aL3>`W+3?Kez)Y*rn9G)T%@QaU(
zem^o#yJwt!T6umIahDg!{+AO~YvEg9bCJE;s@4Bpi~kp_&pz{Xkgt(rmqmExgW>m5
z&dBe{wk03a_fd8u9bax(kM7;W-FMxYbcBXteAayV6&*Wv4D-g~T1%OC-i|@8LSA>p
zO7)p}FVB%7(U+6+Kl%S_!Czf8;HzYdka<P?=|%D$#fHU<*+ydiV)U0>d{NA4xFhn%
zO-VmEJkmhvJSqmB+cD<!CAMI`H#*l%H`%z}+#6l|)z7pf<HV=YfsD>@l4I6EvJoGW
zmBtf&*o?-<T3W0l=aat+&FGHeu(`dKT(!MMjJb+4WO%{e8u;gS@Pc{G2YyPNr)$JK
zA2wkzZ>AdT)()}c6;@b2<r1;&*&EgZa$((d>gTyuYp0?6;+Z?d__J697&E;2s*jfP
ze{Q3A)rU5%e=ooEV&d~N&padWZ|oF(J8Z};x7Z@)Ds7weB6a{dDds^}$n}5yrNmou
z;EK7W4dGbro}3f%7Y{XrJGfgL|4a*fmT}QX?jMgRbc6g{9;45dyy<&O@s}gUUSvO1
zwwqxbllT|=XzAyc;xAS&XHCD2;XW?nFMn|OV~>>ittr}%DgJM&-&&qGXZ)=x@^a|L
z^0I1a-#g<1{??e@z4u75(ky5Gzu-Sz)RFr4KR&HD&BeXi_$MBUG8_N>odrJhfNJX>
zdr0n^^`t2|SB)Pk`G3wi=ScBAb}pam-&yF^eCKl6D%bc$<6f76_upF{pKACub)T#d
zyP|*TgTA!D0`mv{)v=+7Bk;9l{OPjxynwkS{N4~f@R&VH^zhuz*m$)Eh+pvSm~+uu
zxTA-;BPVxo%<(-v#wCwE_LyYTvFpZ`V&8#WaK5qD#J$K5WI@@NIm$*Ko4$jurE;!_
z=l?#JY~MJ?|M&O*m;%m;h(}A*Z5d1XoQS!rpA%v3WnX^DulL8Eu(9cTmJ@7Wc~)7*
z^GDtm_wtAx_3wYeSXrz;_L_jbD5u2L>=)!Wi^DZm7x7JThrCYV8-CYr-5U0nkB#`)
z=aK0Tez{tUFJ9VDG<h5Y`|{+l*~`R_nQ`Fjl*1&C$9@mrJ-1hF-x#;rVvEh|?Mcq{
z^3}UyfA$-$wdR^({87GCKGC(-S~L0Ev#zR+y$XBAeTiVPFEaa4?K`Okf7{rWoLl~Q
zF-`HB+`qjhc+E5W%lU2TpdWwqVY<i93#a^k<&|Hae&$auRE`zy*{64Em*4A{m@k##
z++^d8lP^qv_DN=6{Wgujj~1o<zrUs&2zzP3L3bZ8;L0SU^ds-eeP<PX_`&<>KHtdH
zQ~#k)SHdr*&rb{<@l5#hVT);JUFf-IpNW3%cByT7Ir<`V?A^}oH3xqCOVnFxsinfZ
z(NC)%djNARqzM0$PmD;hkLjnME=)P)lw~^Re&HrI1%7+<z|JT1S=1Zl3$W+di_U0J
z$G$!MZLZ?E+)gd<!<kII@PhMG+zMT^C68a+g0EkD8Ge263yYECKl@%Uh;{8<g^PE|
zH?a}$i!;iHrGx+e`)}zxJy;*&fa=H(0|#E`=WZ_iXz^*3O`m-HQKFBw<ZY}N<IfGj
z&qobz`M>ZqR_rHnZ+03#6g?gM_BnKm`;_Gg`_3P0E}0+bW>0*-nBS{U@_xfehvvYq
zZ}HOq{&%gkpNxEXDCSvekH25cwMc*Oj~FpL*}7=A*kX$&Typ;#ZCJ{05;L@(<H0@R
z9_lY5&fwc9`q#wz$aeUcul8T6Z(LVd<&U!%YT+O7h<|222dmsp^GW~bMS773nSZ?h
z*rSisi;c6@^smT~(Z-Q+Kel(tHhy4y_e|VZk@HCK+xOpno8lAp8hXyI5+7|Y{mm!s
zb?($D?bXMZ+5?Z+Ly`XO;eBx)v17KZeG_06qsaMfeWEW<8|Evx)RX&^Wu`U4`5WlO
zM`Auy%JHV?|8&gVM`QiqMeCdXd?zdTmD<fddl`QHfKy*|Ds{{`Fvw-*f6TI8e8)3z
zJI6%Z#TceB-Lp@h)R#8FA*NkC3!yRiCyjmpzFxV;#@cxZ=p%+|?OkfgC4)6OkEJ*&
zzB=@fgTql#Mjs#FJucRvPi+!oqSnw%TXp1{YTNsL<NUOLvr_Mxb=FzZdVc7khlIYd
z>>AgaV$Mcm@MpNj=4)f{lUwMGhRrR;DwX5oHJ4HMn%h?KeQnCa=DS1J#^5(E$uIm_
zODXYaJkKY-kKfG`@=g(-_1*o%@Ax^D+S<<jt3&T1!<&L1&zYxLzpHjNSHWe^p<EDo
z4c4SrUwJ9zoV*ot)2&5s#JTszNO>hAlRPGiTH;f-4m#hWwcscF$d-{YKZg84YjD9A
zZpC6OtjAy{OJ0m})m}9Cd#@UeiuYRsetqGG40qA~EcR9Wtd4ciTI(Dsc!S0MNjebR
zYQbT2;nxSbZm*{G1dL7fi+}N=V&Aa5+-2h4209SAZ@sf78o#D^c68teCpy_*VBDL6
z8*b*Cb9l};<FvF#)jD*4j47~h=yLR<MHX2k>D%l<<I-5WqXR#9?5i3Xc^#ef<El-%
zO6C{$GtJEfdBpTlX9{`W_&H~(a&3`&Ltf@~8oIU=elXz|uzdT?*9m50ara$!q+Aa<
zQ1MXFC>Kli0^P#dJiEpGD0VXY)mkjS+Pd4ld$+RgUBp9diXK;uk6H>pdR}?u<-wji
zXTPly_Zi69o_+S&l1)eMn4k8e&?DrP(c$)r=Uki>b6ak_;rev$9Ny!*u{X}yTbpmT
zSvjr*4|)$9v9;khmh_$?t$e1Vuu~owcwgGPAU_N3>72#~9Hq6Yw6^87$ThD=@>ls1
zat<LMgPfFx=0Qv8kG|PfDdIpUa~8>Ir=5~y5*q|u8BU+8(K7S5cgdlAP8|EoI?-D2
z%Tq#2=X4ceZ_}nt;&1t2V979p*Bq5QdF{1V$Fl`*PjV>3o3Gvjqe3oa+r}AEY`fNi
zUw`BXe^!Ryc_Q|Dk&oa|j4j{Ekw+d8mR)9<xSwJA<i}zwR>Gn^e8W~oYkM}$8SNWS
z_*d2eM@#t!ZS5_?FJyPh5svyDxIJStI-iOiz($!p+BME+VGFRID`D}SK1ml7XP#(O
z{w(;7L*@H<%vuURIO$|)B*w{?$3CO8fzRBQm+A~W_Uy>GMwm0|H3SQs>4<qe^OY|}
z4zlMN=Hj)b@M{AceAnnp&hY`;6V)l&#q-ZUUy_N&ojyb7w3gzpV*ftFi4V*gkl}Xa
zi$VLW|5euWeRSamA3rT0PO)$KHF6a3#8OKwnS5LQ`W>3~b7cC1I~TT5F((@A8*Z>c
z+Uv_6M*qr^<t?ADzWD|+j`|?Ovj4f7{;z+2cI#=Sy-J2#J70h8)if{7P3`Mfu7`Qd
zr(k^SF)rdy7jpIy`^x-psMyOZm)qV}b?pgjF8tnyt8uhXAlq`<lbdknnWrbe?<3K_
z$wzq8jW;Cy&3*|!^FyM&UOY>XzCbSX3m5UJ<+C#_^Vrr(|02G|g8t5b(5cfx2?l(C
zmiACtPw^SvBA57dCZ2erbdNuxPoLf?$3xC|bKuve+-bI4OX1IWz(E`Dy!}=>Z<k!M
zPA|IXB8f-jH<L^9)>m3-#pDAT5cPgM#_o#DmDadg;m5OLBzRcg8II=CKiA7w`%km3
zfVc2F88kA=QFP+NBTw~{-&2>qYK^W1e*9^FhW0bvbN{0Ye{LsVwTC{rRQ8wOs}+7@
zc-^(vRJD~`8~zMmQ`cJH?;2xr^ztIVRJJ=d!cSK*m+X_SwjO6ZD&gmEY^qMKJ33c$
zp&|Y!yZA)ee6_&w2mGZyWBjV_S<A;{!4uBYF3w**TK>N;<67Ss&lKqfR_i6dhPA_)
z)Z&&KZ?w@EEqv2rg7hi<Ivex+^UqCs6PSuH*7DgpNp@Rr*e8EQvEIqiwO`PAkKk?z
z?C?{MJwZni|NW~9U7SwZQn-s_gXb!BzrW&pt-M}@HGhu0_rJftkpl9x+Qrf{mU5m}
z{LP<gzvuJOhaV(=AfMovEw3kC4WH!LA)lYKImGhXx1T%eiS3iF$fhXWD}Ddtd57|I
z@07})>vo9km7kZ}?vVTm&KER?@ObY%_DHf)eA{nuu%{#0k_?qI;hgZShqH&XU&}kW
zsH1MSq3G1|K(ZY6*;x#eO;$P+n}3RrM*sPYUT5Ek0pxR?#e2yszgsb5w2jX``^@MY
ze?FZLko(P7`TqO?yX?Gk>eG2>_5||1d1s%fBWqi(j_>vxR`xG8Pyd#m;vIfRe{5Jd
z%gr%vm3}MluCw;q2^V=fXyi;ne{2!<y|bJ2=ZuGH{qx7rAMAByOYvp!d09Kr(|G~t
z#s9^J%C@jJ(TjS<GZX01`r)@>mpg-6yoz5y9tHa%?+a)M|J=WGNA9@&*66=|JH-Z^
zGtD;7{liKBBcm<A&Or}83;qdt4wuLCo!AQO8-CN1;`voqU3Eo*PhL$^_=_9hw_d%r
zitESEsZD$(?||;ZkE{*;aDUDdF*o$-Y<#gSu@pSXMz^O@UJn~dY@%BKewV=C)mLAY
z>@xH6=bwH|<8KW4k&L1J$Z}{NkNeZVigA5#^4-AIdS_nCZ_p3_xI7tf)BV_~)%wTx
z&d5S5XF=gd=e<oeRhv|2$Cw{<*=3icd@avUj{88--q^skZ?v1y{)7{bE9aYmTYMnh
zk3JS>kvG&o{%Y5*U4*Ygd7n60WN)%_x_xHzc%Ju@`_5nB>N#2CIr)|Em9Fj6eb40K
z;nyPn$vHD;h7BE@c-~oemBrY)$4)k$VwK{u;<NbBv;0nF-TYlV!r4+}kv+6|{>wv{
zHRiBsC)={-SuW;$_RAVWd2z-RKYbE?OyYFx<Ig|)G|jPGukxxtI8Hg`6lv^={mY?y
zEy^c#vJQcl%wzMAFDu8)-Ot6l&f51IKK!0&Aa-4BC$~r5i*4|w;GM?$*FGB`P4w$~
zZYN*S1Wm;&ovnjE>C5B@AAThawf3(sc)$G83uSuh%N+7dyFYyYU7CMnf@frsc`)IG
z@pqo$)o+tIL%s-ibNaWh<&O9pMnfXK;6sLe^YvHhd{LjbjcbH6>#YsusoydX$IbaH
zcs!r8pXpU=|6(@iiBFA{xp7lm1IdQmUp^BKU%(%|@SwP%H3lu58{~ebK`s4zM?Sz3
zJxXWxkQHs)&Y19%<7bVrMuHLl7jp%S3!VZGIZqDYkLL8R4e@`mM7jgtv9n%{Jw6;7
z=TE=rM;42ayHxatvvbTv=O%XU+$s6kd~a_5-lsnp%TiwDZ>e4W*{)p|PiNWi=ki13
zw#f}KO?uq4)0T35+570z-0??)>{GV(Z@&5FNhcD^Fz%ISB7s4{kH$+OPpo-Gc~+7?
zLu!&g+PgOT0jz7eO?nzVg3pe;fgAq9gHOe?hy6~4cda@6?Ik^0o=i!nCY#U*U)xX6
znEc5!Lw__ipX4H5cilBfCltTu(-tRlPJ%o@{33or&$O0VxA<G<$|ZiEIX<)2$-m9C
zA^#hazhE#Q*s=5~XY5$N!7)|z1vvl2XX~1EUXGkRkQ{T!bSqxXOZo5ljAmoqSpQ(~
z+oIq=Yx*GlkDhhK6_+KQgspAP!iNr4t$)4?I&F?)r?zY8KaT~TNOL^)qpw`RmU*xk
zb1CADzRtYLGCa3g3;y}trmkRUsQ-oH9Fmu>FYgrFN&W8<*Z&yzr#D8V%6Mh`YQBz=
zeZ@15$Y65=jf(x|&+fBL%!z&W-aF;_8>1GLXnXJz;(z+Hb0z6M)%pel{KcK+Xz;DB
zzS`&)zbPiiv@#}<ajv|Afh-~4TccQ;GCx-KRrx*g=->LsPZ8Y`$yZVKQ^emSuJlu|
zZOJ(@n7!^Q_svz@OUd`-2<2zui)=u1uS=KC(H>qc<stCJE*W!v<?P4qQ(-I1D|hY>
zS-y5Wrz)S%OYY0fVH3##VE^sB(~c=`z;FNAUvhdphpTV2LD)rdljvq_wHt1@F8N^D
z-g14cAI`)Re{_bGd~|v1#~yohI?u|!YW52Iy<7AFu>Z+xc@T6Uza0iwa9$j3<)e>2
zGUa0M{fcjr`Eps=fYtzTh>gm%*EijtuR%X4CpY$Q-k5XFR7SI-jyfXkbtCh&Y0rgz
z$p`$3PsP9JLv#>!fiZHAyfEin?GL%(`s-4C`ilExw36#uALST`7dy9!eAfpa7TYV=
zkMOF)7w^1dXJOqPZG5_+wVq9A4%3aS2ihpshcEeP?~nKVCfi+cJo%XE(`2)JM0WdI
zajgbxu|Asp6z8cky675y$H+btXBJw^<#3_Byclh{2Y)sJ`oTXo8l2(I55Z@EuO570
zVA^BIZ$aO{C&r*}-$R1mXQYSc`e1?=*+S>1hxv^;<9BV0$Kkuo&&l?U`44`(n$4c}
zI7FzDJdd!Yzc@zPE8Po;H`Etf#^c7;I9wjjrrR#k-0x}O*?J|8f$z@Vl6OK!;43N0
ZAbt`&$d+iV$g9Nn@GQ!z2-9f&{U5<0A2I*{

literal 0
HcmV?d00001

diff --git a/site/profiles/manifests/base.pp b/site/profiles/manifests/base.pp
index e1a98c0..692ad57 100644
--- a/site/profiles/manifests/base.pp
+++ b/site/profiles/manifests/base.pp
@@ -19,22 +19,18 @@ class profiles::base (
     }
   }
 
-  # include the base packages profile
-  class { 'profiles::base::packages':
-    packages => hiera('profiles::base::packages::common'),
-    ensure   => 'installed',
-  }
-
   # manage puppet clients
   if ! member($puppet_servers, $trusted['certname']) {
     include profiles::puppet::client
   }
 
-  # include admin scripts
+  # include the base profiles
+  include profiles::packages::base
+  include profiles::base::facts
+  include profiles::base::motd
   include profiles::base::scripts
-
-  # include admin scripts
   include profiles::base::hosts
+  include profiles::accounts::sysadmin
 
   # include the python class
   class { 'python':
@@ -49,11 +45,4 @@ class profiles::base (
     secure_path => '/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/opt/puppetlabs/bin'
   }
 
-  # default users
-  include profiles::accounts::sysadmin
-
-  # add a motd
-  include profiles::base::facts
-  include profiles::base::motd
-
 }
diff --git a/site/profiles/manifests/base/packages.pp b/site/profiles/manifests/base/packages.pp
deleted file mode 100644
index 6c15811..0000000
--- a/site/profiles/manifests/base/packages.pp
+++ /dev/null
@@ -1,27 +0,0 @@
-# This class manages the installation of packages for the base profile
-#
-# Parameters:
-# - $packages: An array of package names to be installed (optional)
-#
-# Description:
-# This class installs a list of packages specified in the $packages parameter
-# using the `package` resource from Puppet. Each package in the array is installed
-# with the `ensure => installed` attribute, ensuring that the package is present
-# on the target system. By default, the class retrieves the package list from Hiera
-# using the key 'profiles::base::packages::common'.
-#
-# Example usage:
-# class { 'profiles::base::packages':
-#   packages => ['package1', 'package2', 'package3'],
-#
-class profiles::base::packages (
-  Array     $packages,
-  Enum[
-    'present',
-    'absent',
-    'latest',
-    'installed'
-    ]       $ensure = 'installed',
-){
-  ensure_packages($packages, {'ensure' => $ensure})
-}
diff --git a/site/profiles/manifests/git/git.pp b/site/profiles/manifests/git/git.pp
deleted file mode 100644
index ca3b4e7..0000000
--- a/site/profiles/manifests/git/git.pp
+++ /dev/null
@@ -1,24 +0,0 @@
-# Class: profiles::git::git
-#
-# This class ensures that the Git package is installed.
-#
-# It uses the 'package' resource to manage the Git package,
-# and will ensure that it is installed. This class does not 
-# manage any configurations related to Git, it only ensures 
-# that the package is installed.
-#
-# The class does not take any parameters.
-#
-# Example usage:
-# --------------
-# To use this class, you simply need to declare it in your manifest:
-# 
-# include profiles::git::git
-#
-# You do not need to pass any parameters.
-#
-class profiles::git::git {
-  package { 'git':
-    ensure => installed,
-  }
-}
diff --git a/site/profiles/manifests/packages/base.pp b/site/profiles/manifests/packages/base.pp
new file mode 100644
index 0000000..807c8a8
--- /dev/null
+++ b/site/profiles/manifests/packages/base.pp
@@ -0,0 +1,21 @@
+# This class manages the installation of packages for the base profile
+#
+# Parameters:
+# - $packages: An array of package names to be installed (optional)
+# - $ensure: Enum of present, absent, latest or installed (optional)
+#
+# Example usage:
+# class { 'profiles::base::packages':
+#   packages => ['package1', 'package2', 'package3'],
+#
+class profiles::packages::base (
+  Array     $packages = lookup('profiles::packages::base', Array, 'first', []),
+  Enum[
+    'present',
+    'absent',
+    'latest',
+    'installed'
+    ]       $ensure = 'installed',
+){
+  ensure_packages($packages, {'ensure' => $ensure})
+}
diff --git a/site/profiles/manifests/packages/git.pp b/site/profiles/manifests/packages/git.pp
new file mode 100644
index 0000000..578aca7
--- /dev/null
+++ b/site/profiles/manifests/packages/git.pp
@@ -0,0 +1,11 @@
+# installs git related packages
+#
+class profiles::packages::git (
+  Array[String] $packages = lookup('profiles::packages::git', Array, 'first', ['git']),
+) {
+  $packages.each |String $package| {
+    package { $package:
+      ensure => installed,
+    }
+  }
+}
diff --git a/site/profiles/manifests/packages/reposync.pp b/site/profiles/manifests/packages/reposync.pp
new file mode 100644
index 0000000..f6525a5
--- /dev/null
+++ b/site/profiles/manifests/packages/reposync.pp
@@ -0,0 +1,11 @@
+# installs reposync related packages
+#
+class profiles::packages::reposync (
+  Array[String] $packages = lookup('profiles::packages::reposync', Array, 'first', ['createrepo']),
+) {
+  $packages.each |String $package| {
+    package { $package:
+      ensure => installed,
+    }
+  }
+}
diff --git a/site/profiles/manifests/packages/selinux.pp b/site/profiles/manifests/packages/selinux.pp
new file mode 100644
index 0000000..1bbd457
--- /dev/null
+++ b/site/profiles/manifests/packages/selinux.pp
@@ -0,0 +1,11 @@
+# installs selinux related packages
+#
+class profiles::packages::selinux (
+  Array[String] $packages = lookup('profiles::packages::selinux', Array, 'first', ['policycoreutils']),
+) {
+  $packages.each |String $package| {
+    package { $package:
+      ensure => installed,
+    }
+  }
+}
diff --git a/site/profiles/manifests/puppet/enc.pp b/site/profiles/manifests/puppet/enc.pp
index 4e84227..dad9d11 100644
--- a/site/profiles/manifests/puppet/enc.pp
+++ b/site/profiles/manifests/puppet/enc.pp
@@ -39,7 +39,7 @@ class profiles::puppet::enc (
   Boolean $force = false,
 ) {
 
-  include profiles::git::git
+  include profiles::packages::git
 
   vcsrepo { '/opt/puppetlabs/enc':
     ensure   => latest,
diff --git a/site/profiles/manifests/puppet/r10k.pp b/site/profiles/manifests/puppet/r10k.pp
index 29d302f..402f49a 100644
--- a/site/profiles/manifests/puppet/r10k.pp
+++ b/site/profiles/manifests/puppet/r10k.pp
@@ -37,7 +37,7 @@ class profiles::puppet::r10k (
   String $r10k_repo,
 ){
 
-  include profiles::git::git
+  include profiles::packages::git
 
   vcsrepo { '/etc/puppetlabs/r10k':
     ensure   => latest,
diff --git a/site/profiles/manifests/reposync/autopromoter.pp b/site/profiles/manifests/reposync/autopromoter.pp
new file mode 100644
index 0000000..63c2ab7
--- /dev/null
+++ b/site/profiles/manifests/reposync/autopromoter.pp
@@ -0,0 +1,105 @@
+# setup the autopromoter
+class profiles::reposync::autopromoter {
+
+  # Ensure the autopromoter script is present and executable
+  file { '/usr/local/bin/autopromoter':
+    ensure  => 'file',
+    owner   => 'root',
+    group   => 'root',
+    mode    => '0755',
+    content => template('profiles/reposync/autopromoter.erb'),
+  }
+
+  # daily autopromote service/timer
+  $_daily_timer = @(EOT)
+  [Unit]
+  Description=autopromoter daily timer
+  [Timer]
+  OnCalendar=*-*-* 05:00:00
+  RandomizedDelaySec=1s
+  [Install]
+  WantedBy=timers.target
+  EOT
+
+  $_daily_service = @(EOT)
+  [Unit]
+  Description=autopromoter daily service
+  [Service]
+  Type=oneshot
+  ExecStart=/usr/local/bin/autopromoter daily
+  User=root
+  Group=root
+  PermissionsStartOnly=false
+  PrivateTmp=no
+  EOT
+
+  systemd::timer { 'autopromoter-daily.timer':
+    timer_content   => $_daily_timer,
+    service_content => $_daily_service,
+    active          => true,
+    enable          => true,
+    require         => File['/usr/local/bin/autopromoter'],
+  }
+
+  # weekly autopromote service/timer
+  $_weekly_timer = @(EOT)
+  [Unit]
+  Description=autopromoter weekly timer
+  [Timer]
+  OnCalendar=Sun *-*-* 05:05:00
+  RandomizedDelaySec=1s
+  [Install]
+  WantedBy=timers.target
+  EOT
+
+  $_weekly_service = @(EOT)
+  [Unit]
+  Description=autopromoter weekly service
+  [Service]
+  Type=oneshot
+  ExecStart=/usr/local/bin/autopromoter weekly
+  User=root
+  Group=root
+  PermissionsStartOnly=false
+  PrivateTmp=no
+  EOT
+
+  systemd::timer { 'autopromoter-weekly.timer':
+    timer_content   => $_weekly_timer,
+    service_content => $_weekly_service,
+    active          => true,
+    enable          => true,
+    require         => File['/usr/local/bin/autopromoter'],
+  }
+
+  # monthly autopromote service/timer
+  $_monthly_timer = @(EOT)
+  [Unit]
+  Description=autopromoter monthly timer
+  [Timer]
+  OnCalendar=*-*-01 05:10:00
+  RandomizedDelaySec=1s
+  [Install]
+  WantedBy=timers.target
+  EOT
+
+  $_monthly_service = @(EOT)
+  [Unit]
+  Description=autopromoter monthly service
+  [Service]
+  Type=oneshot
+  ExecStart=/usr/local/bin/autopromoter monthly
+  User=root
+  Group=root
+  PermissionsStartOnly=false
+  PrivateTmp=no
+  EOT
+
+  systemd::timer { 'autopromoter-monthly.timer':
+    timer_content   => $_monthly_timer,
+    service_content => $_monthly_service,
+    active          => true,
+    enable          => true,
+    require         => File['/usr/local/bin/autopromoter'],
+  }
+}
diff --git a/site/profiles/manifests/reposync/autosyncer.pp b/site/profiles/manifests/reposync/autosyncer.pp
new file mode 100644
index 0000000..e2e8683
--- /dev/null
+++ b/site/profiles/manifests/reposync/autosyncer.pp
@@ -0,0 +1,44 @@
+# setup the autosyncer
+class profiles::reposync::autosyncer {
+
+  # Ensure the autosyncer script is present and executable
+  file { '/usr/local/bin/autosyncer':
+    ensure  => 'file',
+    owner   => 'root',
+    group   => 'root',
+    mode    => '0755',
+    content => template('profiles/reposync/autosyncer.erb'),
+    require => Class['profiles::packages::reposync'],
+  }
+
+  # daily autosyncr service/timer
+  $_timer = @(EOT)
+  [Unit]
+  Description=autosyncer timer
+  [Timer]
+  OnCalendar=*-*-* 03:00:00
+  RandomizedDelaySec=1s
+  [Install]
+  WantedBy=timers.target
+  EOT
+
+  $_service = @(EOT)
+  [Unit]
+  Description=autosyncer service
+  [Service]
+  Type=oneshot
+  ExecStart=/usr/local/bin/autosyncer
+  User=root
+  Group=root
+  PermissionsStartOnly=false
+  PrivateTmp=no
+  EOT
+
+  systemd::timer { 'autosyncer.timer':
+    timer_content   => $_timer,
+    service_content => $_service,
+    active          => true,
+    enable          => true,
+    require         => File['/usr/local/bin/autosyncer'],
+  }
+}
diff --git a/site/profiles/manifests/reposync/repos.pp b/site/profiles/manifests/reposync/repos.pp
new file mode 100644
index 0000000..5886785
--- /dev/null
+++ b/site/profiles/manifests/reposync/repos.pp
@@ -0,0 +1,46 @@
+# define to generate repositories in yum
+define profiles::reposync::repos (
+  String          $repository,
+  String          $description,
+  String          $osname,
+  String          $release,
+  Stdlib::HTTPUrl $baseurl,
+  Stdlib::HTTPUrl $gpgkey,
+  String          $arch = 'x86_64',
+  String          $repo_owner = 'root',
+  String          $repo_group = 'root',
+  Stdlib::Absolutepath $basepath = '/data/repos',
+){
+
+  $repos_name = downcase("${osname}-${release}-${repository}-${arch}")
+  $conf_file = "/etc/reposync/conf.d/${repos_name}.conf"
+
+  # Create the repository configuration
+  yumrepo { $repos_name:
+    ensure   => 'present',
+    descr    => $description,
+    baseurl  => $baseurl,
+    gpgkey   => $gpgkey,
+    target   => '/etc/yum.repos.d/reposync.repo',
+    enabled  => 0,
+    gpgcheck => 1,
+  }
+
+  # Ensure the repo dest path exists
+  file { "${basepath}/live/${repos_name}" :
+    ensure => 'directory',
+    owner  => $repo_owner,
+    group  => $repo_group,
+    mode   => '0755',
+  }
+
+  # Create the repo configuration file
+  file { $conf_file:
+    ensure  => file,
+    owner   => $repo_owner,
+    group   => $repo_group,
+    mode    => '0644',
+    content => template('profiles/reposync/repo_conf.erb'),
+    require => File['/etc/reposync/conf.d'],
+  }
+}
diff --git a/site/profiles/manifests/reposync/syncer.pp b/site/profiles/manifests/reposync/syncer.pp
new file mode 100644
index 0000000..6f20996
--- /dev/null
+++ b/site/profiles/manifests/reposync/syncer.pp
@@ -0,0 +1,30 @@
+# setup a reposync syncer
+class profiles::reposync::syncer {
+
+  include profiles::packages::reposync
+  include profiles::reposync::autosyncer
+  include profiles::reposync::autopromoter
+  include profiles::reposync::webserver
+
+  # Ensure the reposync config path exists
+  file { '/etc/reposync':
+    ensure => directory,
+    owner  => 'root',
+    group  => 'root',
+    mode   => '0755',
+  }
+  file { '/etc/reposync/conf.d':
+    ensure => directory,
+    owner  => 'root',
+    group  => 'root',
+    mode   => '0755',
+  }
+
+  # get a list of repos as a hash, and iterate through them
+  $repos = lookup('profiles::reposync::repos_list', {})
+  $repos.each | String $name, Hash $repo_hash | {
+    profiles::reposync::repos { $name:
+      * => $repo_hash,
+    }
+  }
+}
diff --git a/site/profiles/manifests/reposync/webserver.pp b/site/profiles/manifests/reposync/webserver.pp
new file mode 100644
index 0000000..66f549a
--- /dev/null
+++ b/site/profiles/manifests/reposync/webserver.pp
@@ -0,0 +1,58 @@
+# setup a reposync webserver
+class profiles::reposync::webserver (
+  String  $www_root = '/data/repos/snap',
+  String  $nginx_vhost = 'repos.main.unkin.net',
+  Integer $nginx_port = 80,
+  Boolean $favicon = true,
+  Boolean $selinux = true,
+) {
+
+  class { 'nginx': }
+
+  # create the nginx vhost
+  nginx::resource::server { $nginx_vhost:
+    listen_port          => $nginx_port,
+    server_name          => [$nginx_vhost],
+    use_default_location => true,
+    access_log           => "/var/log/nginx/${nginx_vhost}_access.log",
+    error_log            => "/var/log/nginx/${nginx_vhost}_error.log",
+    www_root             => $www_root,
+    autoindex            => 'on',
+  }
+
+  if $favicon {
+    file { "${www_root}/favicon.ico":
+      ensure => 'file',
+      owner  => 'root',
+      group  => 'root',
+      mode   => '0644',
+      source => 'puppet:///modules/profiles/reposync/favicon.ico',
+    }
+  }
+
+  if $selinux {
+
+    # include packages that are required
+    include profiles::packages::selinux
+
+    # set httpd_sys_content_t to all files under the www_root
+    selinux::fcontext { $www_root:
+      ensure   => 'present',
+      seltype  => 'httpd_sys_content_t',
+      pathspec => "${www_root}(/.*)?",
+    }
+
+    # make sure we can connect to port 80
+    selboolean { 'httpd_can_network_connect':
+      persistent => true,
+      value      => 'on',
+    }
+
+    exec { "restorecon_${www_root}":
+      path        => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'],
+      command     => "restorecon -Rv ${www_root}",
+      refreshonly => true,
+      subscribe   => Selinux::Fcontext[$www_root],
+    }
+  }
+}
diff --git a/site/profiles/templates/reposync/autopromoter.erb b/site/profiles/templates/reposync/autopromoter.erb
new file mode 100644
index 0000000..0bf995f
--- /dev/null
+++ b/site/profiles/templates/reposync/autopromoter.erb
@@ -0,0 +1,53 @@
+#!/usr/bin/env bash
+
+# Function to create symlink for snapshots
+create_symlink() {
+  local osname="$1"
+  local release="$2"
+  local repository="$3"
+  local basepath="$4"
+  local label="$5" # 'monthly', 'weekly', or 'daily'
+  local date_format="$6" # Date format for finding the snapshot
+
+  # The path where snapshots are stored
+  local snap_path="${basepath}/snap/${osname}/${release}/${repository}-${date_format}"
+
+  # The target path for the symlink
+  local symlink_target="${basepath}/snap/${osname}/${release}/${repository}-${label}"
+
+  # Check if the source directory exists
+  if [[ -d "$snap_path" ]]; then
+    # Create the symlink, overwrite if it already exists
+    ln -sfn "$snap_path" "$symlink_target"
+    echo "Symlink created for $snap_path -> $symlink_target"
+  else
+    echo "Snapshot path does not exist: $snap_path"
+    return 1
+  fi
+}
+
+# Determine which snapshot to promote based on the passed argument
+case "$1" in
+  monthly)
+    promote_date=$(date --date="$(date +%Y%m01) -1 month" +%Y%m%d)
+    ;;
+  weekly)
+    promote_date=$(date --date="last Sunday" +%Y%m%d)
+    ;;
+  daily)
+    promote_date=$(date --date="yesterday" +%Y%m%d)
+    ;;
+  *)
+    echo "Usage: $0 {monthly|weekly|daily}"
+    exit 1
+    ;;
+esac
+
+# Call the function with appropriate arguments
+# Iterate over the repositories to create symlinks for each
+for conf in /etc/reposync/conf.d/*.conf; do
+  source "$conf"
+
+  # Create symlink based on the provided argument
+  create_symlink "$OSNAME" "$RELEASE" "$REPOSITORY" "$BASEPATH" "$1" "$promote_date"
+done
diff --git a/site/profiles/templates/reposync/autosyncer.erb b/site/profiles/templates/reposync/autosyncer.erb
new file mode 100644
index 0000000..a66ed5d
--- /dev/null
+++ b/site/profiles/templates/reposync/autosyncer.erb
@@ -0,0 +1,97 @@
+#!/usr/bin/bash
+
+# Function to perform reposync
+perform_reposync() {
+  local reponame="$1"
+  local basepath="$2"
+
+  /usr/bin/dnf reposync \
+    --gpgcheck \
+    --delete \
+    --downloadcomps \
+    --download-metadata \
+    --remote-time \
+    --disablerepo="*" \
+    --enablerepo="${reponame}" \
+    --download-path="${basepath}/live"
+}
+
+# Function to download GPG keys
+download_gpg_key() {
+  local gpgkeyurl="$1"
+  local reponame="$2"
+  local basepath="$3"
+
+  # Extract filename from URL
+  local filename=$(basename "$gpgkeyurl")
+
+  # Download GPG key to the specified path with the filename from the URL
+  wget -q -O "${basepath}/live/${reponame}/${filename}" "$gpgkeyurl" || {
+    echo "Failed to download GPG key from $gpgkeyurl"
+  }
+}
+
+# Function to perform rsync with hard links
+perform_rsync() {
+  local source_path="$1"
+  local dest_path="$2"
+
+  # Create the destination directory if it doesn't exist
+  mkdir -p "$dest_path"
+
+  # Use rsync to create hard links to the files in the destination directory
+  rsync -a --link-dest="$source_path" "$source_path"/* "$dest_path"
+}
+
+create_repo_metadata() {
+  local basepath="${1}"
+  local osname="${2}"
+  local release="${3}"
+  local repository="${4}"
+  local current_date="${5}"
+
+  local repo_path="${basepath}/snap/${osname}/${release}/${repository}-${current_date}"
+
+  if [[ -d "$repo_path" ]]; then
+      echo "Running createrepo on ${repo_path}..."
+      createrepo --update "${repo_path}"
+      if [[ $? -eq 0 ]]; then
+          echo "Successfully created repository metadata for ${repository}"
+      else
+          echo "Failed to create repository metadata for ${repository}" >&2
+          return 1
+      fi
+  else
+      echo "The specified repository path does not exist: ${repo_path}" >&2
+      return 1
+  fi
+}
+
+# Current date in the required format
+DATE=$(date +%Y%m%d)
+
+# iterate over each configuration file
+for conf in /etc/reposync/conf.d/*.conf; do
+
+  # source the configuration to get the variables
+  source "$conf"
+
+  # Call the function to download the GPG key
+  download_gpg_key "$GPGKEYURL" "$REPONAME" "$BASEPATH"
+
+  # Call the reposync function
+  perform_reposync "$REPONAME" "$BASEPATH"
+
+  # Path for rsync source
+  live_path="${BASEPATH}/live/${REPONAME}"
+
+  # Path for rsync destination
+  snap_path="${BASEPATH}/snap/${OSNAME}/${RELEASE}/${REPOSITORY}-${DATE}/${ARCH}/os"
+
+  # Call the rsync function
+  perform_rsync "$live_path" "$snap_path"
+
+  # After syncing each repo, fix the repository metadata
+  create_repo_metadata "${BASEPATH}" "${OSNAME}" "${RELEASE}" "${REPOSITORY}" "${DATE}"
+
+done
diff --git a/site/profiles/templates/reposync/repo_conf.erb b/site/profiles/templates/reposync/repo_conf.erb
new file mode 100644
index 0000000..99eb2b0
--- /dev/null
+++ b/site/profiles/templates/reposync/repo_conf.erb
@@ -0,0 +1,8 @@
+# <%= @osname %>-<%= @release %>-<%= @repository %> repository configuration
+REPOSITORY="<%= @repository %>"
+REPONAME="<%= @repos_name %>"
+OSNAME="<%= @osname %>"
+RELEASE="<%= @release %>"
+ARCH="<%= @arch %>"
+BASEPATH="<%= @basepath %>"
+GPGKEYURL="<%= @gpgkey %>"
diff --git a/site/roles/manifests/infra/packagerepo.pp b/site/roles/manifests/infra/packagerepo.pp
index 1f2afdc..ff90820 100644
--- a/site/roles/manifests/infra/packagerepo.pp
+++ b/site/roles/manifests/infra/packagerepo.pp
@@ -3,4 +3,5 @@ class roles::infra::packagerepo {
   include profiles::defaults
   include profiles::base
   include profiles::base::datavol
+  include profiles::reposync::syncer
 }

From 9cb730d116bcb22ae904a6004e40bcfa5e66ab43 Mon Sep 17 00:00:00 2001
From: Ben Vincent <ben@unkin.net>
Date: Fri, 10 Nov 2023 23:21:08 +1100
Subject: [PATCH 17/19] feat: add ntp server/client

- add ntp client and server class
- add ntp server role
- update hiera.yaml to work with enc_role
- cleanup base profile
---
 hiera.yaml                                    | 14 +++++---
 hieradata/common.yaml                         | 16 +++++++--
 hieradata/roles/infra/ntpserver.yaml          | 10 ++++++
 site/profiles/manifests/base.pp               |  6 ++--
 site/profiles/manifests/ntp/client.pp         | 30 ++++++++++++++++
 site/profiles/manifests/ntp/server.pp         | 34 +++++++++++++++++++
 .../templates/base/facts/enc_role.erb         |  1 +
 site/roles/manifests/infra/ntpserver.pp       |  6 ++++
 8 files changed, 105 insertions(+), 12 deletions(-)
 create mode 100644 hieradata/roles/infra/ntpserver.yaml
 create mode 100644 site/profiles/manifests/ntp/client.pp
 create mode 100644 site/profiles/manifests/ntp/server.pp
 create mode 100644 site/roles/manifests/infra/ntpserver.pp

diff --git a/hiera.yaml b/hiera.yaml
index c601683..d117ebd 100644
--- a/hiera.yaml
+++ b/hiera.yaml
@@ -5,10 +5,14 @@ defaults:
   data_hash: "yaml_data"
 hierarchy:
   - name: Node-specific data
-    path: "nodes/%{trusted.certname}.yaml"
-  - name: "Per-OS & Release Specific Data"
-    path: "os/%{facts.os.name}/%{facts.os.name}%{facts.os.release.major}.yaml"
-  - name: "Per-OS Specific Data"
-    path: "os/%{facts.os.name}/all_releases.yaml"
+    paths:
+      - "nodes/%{trusted.certname}.yaml"
+  - name: Role-specific data
+    paths:
+      - "%{facts.enc_role_path}.yaml"
+  - name: "OS Related"
+    paths:
+      - "os/%{facts.os.name}/%{facts.os.name}%{facts.os.release.major}.yaml"
+      - "os/%{facts.os.name}/all_releases.yaml"
   - name: Common data shared across nodes
     path: "common.yaml"
diff --git a/hieradata/common.yaml b/hieradata/common.yaml
index 47674fe..964e975 100644
--- a/hieradata/common.yaml
+++ b/hieradata/common.yaml
@@ -1,7 +1,7 @@
 ---
-profiles::base::ntp_servers:
-  - 0.au.pool.ntp.org
-  - 1.au.pool.ntp.org
+profiles::ntp::client::peers:
+  - ntp01.main.unkin.net
+  - ntp02.main.unkin.net
 
 profiles::base::puppet_servers:
   - 'prodinf01n01.main.unkin.net'
@@ -116,6 +116,16 @@ profiles::base::hosts::additional_hosts:
     hostname: prodinf01n06.main.unkin.net
     aliases:
       - prodinf01n06
+  - ip: 198.18.17.9
+    hostname: prodinf01n09.main.unkin.net
+    aliases:
+      - prodinf01n09
+      - ntp01.main.unkin.net
+  - ip: 198.18.17.10
+    hostname: prodinf01n10.main.unkin.net
+    aliases:
+      - prodinf01n10
+      - ntp02.main.unkin.net
   - ip: 198.18.17.22
     hostname: prodinf01n22.main.unkin.net
     aliases:
diff --git a/hieradata/roles/infra/ntpserver.yaml b/hieradata/roles/infra/ntpserver.yaml
new file mode 100644
index 0000000..e618573
--- /dev/null
+++ b/hieradata/roles/infra/ntpserver.yaml
@@ -0,0 +1,10 @@
+---
+profiles::ntp::client::client_only: false
+profiles::ntp::server::allowquery:
+  - '198.18.17.0/24'
+
+profiles::ntp::server::peers:
+  - '0.au.pool.ntp.org'
+  - '1.au.pool.ntp.org'
+  - '2.au.pool.ntp.org'
+  - '3.au.pool.ntp.org'
diff --git a/site/profiles/manifests/base.pp b/site/profiles/manifests/base.pp
index 692ad57..d601bf8 100644
--- a/site/profiles/manifests/base.pp
+++ b/site/profiles/manifests/base.pp
@@ -1,11 +1,8 @@
 # this is the base class, which will be used by all servers
 class profiles::base (
-  Array  $ntp_servers,
   Array  $puppet_servers,
 ) {
-  class { 'chrony':
-    servers => $ntp_servers,
-  }
+
   case $facts['os']['family'] {
     'RedHat': {
       include profiles::yum::global
@@ -31,6 +28,7 @@ class profiles::base (
   include profiles::base::scripts
   include profiles::base::hosts
   include profiles::accounts::sysadmin
+  include profiles::ntp::client
 
   # include the python class
   class { 'python':
diff --git a/site/profiles/manifests/ntp/client.pp b/site/profiles/manifests/ntp/client.pp
new file mode 100644
index 0000000..0429266
--- /dev/null
+++ b/site/profiles/manifests/ntp/client.pp
@@ -0,0 +1,30 @@
+# setup an ntp client using chrony
+# use exported resources from profiles::ntp::server if they are available
+class profiles::ntp::client (
+  Array     $peers,
+  Boolean   $wait_enable = true,
+  Enum[
+    'running',
+    'stopped'
+  ]         $wait_ensure = 'running',
+  Boolean   $client_only = true,
+) {
+
+  # If $client_only, setup a client. Servers are set to false so that they are configured
+  # through the profiles::ntp::server class.
+  if $client_only {
+
+    # Define the client configuration based on OS family
+    if $facts['os']['family'] == 'RedHat' {
+      class { 'chrony':
+        servers     => $peers,
+        wait_enable => $wait_enable,
+        wait_ensure => $wait_ensure,
+      }
+    } else {
+      class { 'chrony':
+        servers    => $peers,
+      }
+    }
+  }
+}
diff --git a/site/profiles/manifests/ntp/server.pp b/site/profiles/manifests/ntp/server.pp
new file mode 100644
index 0000000..0739737
--- /dev/null
+++ b/site/profiles/manifests/ntp/server.pp
@@ -0,0 +1,34 @@
+# chronyd server class with exported resources
+class profiles::ntp::server (
+  Array[Variant[
+    Stdlib::IP::Address::V4,
+    Stdlib::IP::Address::V4::CIDR
+  ]]                  $allowquery = ['127.0.0.1'],
+  Array[Stdlib::Host] $peers = [
+    '0.pool.ntp.org',
+    '1.pool.ntp.org',
+    '2.pool.ntp.org',
+    '3.pool.ntp.org'
+  ],
+  Boolean             $wait_enable = true,
+  Enum[
+    'running',
+    'stopped'
+  ]                   $wait_ensure = 'running',
+){
+
+  # define the server
+  if $facts['os']['family'] == 'RedHat' {
+    class { 'chrony':
+      servers     => $peers,
+      queryhosts  => $allowquery,
+      wait_enable => $wait_enable,
+      wait_ensure => $wait_ensure,
+    }
+  } else {
+    class { 'chrony':
+      servers    => $peers,
+      queryhosts => $allowquery,
+    }
+  }
+}
diff --git a/site/profiles/templates/base/facts/enc_role.erb b/site/profiles/templates/base/facts/enc_role.erb
index d59acdf..69c6d06 100644
--- a/site/profiles/templates/base/facts/enc_role.erb
+++ b/site/profiles/templates/base/facts/enc_role.erb
@@ -1 +1,2 @@
 enc_role=<%= @enc_role[0] %>
+enc_role=<%= @enc_role[0].gsub('::', '/') %>
diff --git a/site/roles/manifests/infra/ntpserver.pp b/site/roles/manifests/infra/ntpserver.pp
new file mode 100644
index 0000000..887efce
--- /dev/null
+++ b/site/roles/manifests/infra/ntpserver.pp
@@ -0,0 +1,6 @@
+# a role to deploy a ntp server
+class roles::infra::ntpserver {
+  include profiles::defaults
+  include profiles::base
+  include profiles::ntp::server
+}

From f73c16bca2f960b2fa351b38e6a1b80865a5792f Mon Sep 17 00:00:00 2001
From: Ben Vincent <ben@unkin.net>
Date: Sat, 11 Nov 2023 00:03:12 +1100
Subject: [PATCH 18/19] feat: add enc_role_path fact

---
 hiera.yaml                                      | 14 +++++++++-----
 site/profiles/templates/base/facts/enc_role.erb |  1 +
 2 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/hiera.yaml b/hiera.yaml
index c601683..d117ebd 100644
--- a/hiera.yaml
+++ b/hiera.yaml
@@ -5,10 +5,14 @@ defaults:
   data_hash: "yaml_data"
 hierarchy:
   - name: Node-specific data
-    path: "nodes/%{trusted.certname}.yaml"
-  - name: "Per-OS & Release Specific Data"
-    path: "os/%{facts.os.name}/%{facts.os.name}%{facts.os.release.major}.yaml"
-  - name: "Per-OS Specific Data"
-    path: "os/%{facts.os.name}/all_releases.yaml"
+    paths:
+      - "nodes/%{trusted.certname}.yaml"
+  - name: Role-specific data
+    paths:
+      - "%{facts.enc_role_path}.yaml"
+  - name: "OS Related"
+    paths:
+      - "os/%{facts.os.name}/%{facts.os.name}%{facts.os.release.major}.yaml"
+      - "os/%{facts.os.name}/all_releases.yaml"
   - name: Common data shared across nodes
     path: "common.yaml"
diff --git a/site/profiles/templates/base/facts/enc_role.erb b/site/profiles/templates/base/facts/enc_role.erb
index d59acdf..dbef811 100644
--- a/site/profiles/templates/base/facts/enc_role.erb
+++ b/site/profiles/templates/base/facts/enc_role.erb
@@ -1 +1,2 @@
 enc_role=<%= @enc_role[0] %>
+enc_role_path=<%= @enc_role[0].gsub('::', '/') %>

From aef3311fceb28c13686eeb76d2f5709b58fe0f30 Mon Sep 17 00:00:00 2001
From: Ben Vincent <ben@unkin.net>
Date: Sat, 11 Nov 2023 00:21:56 +1100
Subject: [PATCH 19/19] chore: bump puppet-enc

- includes ntpservers in ntpserver role
- https://git.unkin.net/unkinben/puppet-enc/pulls/25
---
 hieradata/common.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hieradata/common.yaml b/hieradata/common.yaml
index 47674fe..f5e4439 100644
--- a/hieradata/common.yaml
+++ b/hieradata/common.yaml
@@ -43,7 +43,7 @@ profiles::puppet::client::show_diff: true
 profiles::puppet::client::usecacheonfailure: false
 
 profiles::puppet::enc::repo: https://git.unkin.net/unkinben/puppet-enc.git
-profiles::puppet::enc::release: '0.3'
+profiles::puppet::enc::release: '0.4'
 profiles::puppet::enc::force: true
 profiles::puppet::r10k::r10k_repo: https://git.unkin.net/unkinben/puppet-r10k.git
 profiles::puppet::g10k::bin_path: '/opt/puppetlabs/bin/g10k'