Merge branch 'develop' into benvin/almalinux9.6

hieradata/country/au/region/syd1.yaml

@@ -1,6 +1,6 @@
 ---
 timezone::timezone: 'Australia/Sydney'
-certbot::client::webserver: ausyd1nxvm1021.main.unkin.net
+certbot::client::webserver: ausyd1nxvm2057.main.unkin.net
 profiles_dns_upstream_forwarder_unkin:
   - 198.18.19.15
 profiles_dns_upstream_forwarder_consul:

hieradata/nodes/ausyd1nxvm1002.main.unkin.net.yaml

@@ -1,7 +0,0 @@
----
-networking::interfaces:
-  eth0:
-    ipaddress: 198.18.13.12
-networking::routes:
-  default:
-    gateway: 198.18.13.254

hieradata/nodes/ausyd1nxvm1003.main.unkin.net.yaml

@@ -1,7 +0,0 @@
----
-networking::interfaces:
-  eth0:
-    ipaddress: 198.18.13.13
-networking::routes:
-  default:
-    gateway: 198.18.13.254

hieradata/nodes/ausyd1nxvm1004.main.unkin.net.yaml

@@ -1,7 +0,0 @@
----
-networking::interfaces:
-  eth0:
-    ipaddress: 198.18.13.14
-networking::routes:
-  default:
-    gateway: 198.18.13.254

hieradata/nodes/ausyd1nxvm1005.main.unkin.net.yaml

@@ -1,7 +0,0 @@
----
-networking::interfaces:
-  eth0:
-    ipaddress: 198.18.13.15
-networking::routes:
-  default:
-    gateway: 198.18.13.254

hieradata/nodes/ausyd1nxvm1006.main.unkin.net.yaml

@@ -1,7 +0,0 @@
----
-networking::interfaces:
-  eth0:
-    ipaddress: 198.18.13.16
-networking::routes:
-  default:
-    gateway: 198.18.13.254

hieradata/nodes/ausyd1nxvm1007.main.unkin.net.yaml

@@ -1,7 +0,0 @@
----
-networking::interfaces:
-  eth0:
-    ipaddress: 198.18.13.17
-networking::routes:
-  default:
-    gateway: 198.18.13.254

hieradata/nodes/ausyd1nxvm1009.main.unkin.net.yaml

@@ -1,7 +0,0 @@
----
-networking::interfaces:
-  eth0:
-    ipaddress: 198.18.13.19
-networking::routes:
-  default:
-    gateway: 198.18.13.254

hieradata/nodes/ausyd1nxvm1010.main.unkin.net.yaml

@@ -1,7 +0,0 @@
----
-networking::interfaces:
-  eth0:
-    ipaddress: 198.18.13.20
-networking::routes:
-  default:
-    gateway: 198.18.13.254

hieradata/nodes/ausyd1nxvm1011.main.unkin.net.yaml

@@ -1,7 +0,0 @@
----
-networking::interfaces:
-  eth0:
-    ipaddress: 198.18.13.21
-networking::routes:
-  default:
-    gateway: 198.18.13.254

hieradata/nodes/ausyd1nxvm1012.main.unkin.net.yaml

@@ -1,7 +0,0 @@
----
-networking::interfaces:
-  eth0:
-    ipaddress: 198.18.13.22
-networking::routes:
-  default:
-    gateway: 198.18.13.254

hieradata/nodes/ausyd1nxvm1013.main.unkin.net.yaml

@@ -1,7 +0,0 @@
----
-networking::interfaces:
-  eth0:
-    ipaddress: 198.18.13.23
-networking::routes:
-  default:
-    gateway: 198.18.13.254

hieradata/nodes/ausyd1nxvm1014.main.unkin.net.yaml

@@ -1,7 +0,0 @@
----
-networking::interfaces:
-  eth0:
-    ipaddress: 198.18.13.24
-networking::routes:
-  default:
-    gateway: 198.18.13.254

hieradata/nodes/ausyd1nxvm1019.main.unkin.net.yaml

@@ -1,7 +0,0 @@
----
-networking::interfaces:
-  eth0:
-    ipaddress: 198.18.13.29
-networking::routes:
-  default:
-    gateway: 198.18.13.254

hieradata/nodes/ausyd1nxvm1020.main.unkin.net.yaml

@@ -1,7 +0,0 @@
----
-networking::interfaces:
-  eth0:
-    ipaddress: 198.18.13.30
-networking::routes:
-  default:
-    gateway: 198.18.13.254

hieradata/nodes/ausyd1nxvm1034.main.unkin.net.yaml

@@ -1,7 +0,0 @@
----
-networking::interfaces:
-  eth0:
-    ipaddress: 198.18.13.44
-networking::routes:
-  default:
-    gateway: 198.18.13.254

hieradata/nodes/ausyd1nxvm1035.main.unkin.net.yaml

@@ -1,7 +0,0 @@
----
-networking::interfaces:
-  eth0:
-    ipaddress: 198.18.13.45
-networking::routes:
-  default:
-    gateway: 198.18.13.254

hieradata/nodes/ausyd1nxvm1037.main.unkin.net.yaml

@@ -1,14 +0,0 @@
----
-networking::interfaces:
-  eth0:
-    ipaddress: 198.18.13.47
-  ens19:
-    ensure: present
-    family: inet
-    method: static
-    ipaddress: 10.18.15.47
-    netmask: 255.255.255.0
-    onboot: true
-networking::routes:
-  default:
-    gateway: 198.18.13.254

hieradata/nodes/ausyd1nxvm1040.main.unkin.net.yaml

@@ -1,14 +0,0 @@
----
-networking::interfaces:
-  eth0:
-    ipaddress: 198.18.13.50
-  ens19:
-    ensure: present
-    family: inet
-    method: static
-    ipaddress: 10.18.15.50
-    netmask: 255.255.255.0
-    onboot: true
-networking::routes:
-  default:
-    gateway: 198.18.13.254

hieradata/nodes/ausyd1nxvm1041.main.unkin.net.yaml

@@ -1,14 +0,0 @@
----
-networking::interfaces:
-  eth0:
-    ipaddress: 198.18.13.51
-  ens19:
-    ensure: present
-    family: inet
-    method: static
-    ipaddress: 10.18.15.51
-    netmask: 255.255.255.0
-    onboot: true
-networking::routes:
-  default:
-    gateway: 198.18.13.254

hieradata/nodes/ausyd1nxvm1042.main.unkin.net.yaml

@@ -1,14 +0,0 @@
----
-networking::interfaces:
-  eth0:
-    ipaddress: 198.18.13.52
-  ens19:
-    ensure: present
-    family: inet
-    method: static
-    ipaddress: 10.18.15.52
-    netmask: 255.255.255.0
-    onboot: true
-networking::routes:
-  default:
-    gateway: 198.18.13.254

hieradata/nodes/ausyd1nxvm1043.main.unkin.net.yaml

@@ -1,14 +0,0 @@
----
-networking::interfaces:
-  eth0:
-    ipaddress: 198.18.13.53
-  ens19:
-    ensure: present
-    family: inet
-    method: static
-    ipaddress: 10.18.15.53
-    netmask: 255.255.255.0
-    onboot: true
-networking::routes:
-  default:
-    gateway: 198.18.13.254

hieradata/nodes/ausyd1nxvm1044.main.unkin.net.yaml

@@ -1,7 +0,0 @@
----
-networking::interfaces:
-  eth0:
-    ipaddress: 198.18.13.54
-networking::routes:
-  default:
-    gateway: 198.18.13.254

hieradata/nodes/ausyd1nxvm1045.main.unkin.net.yaml

@@ -1,7 +0,0 @@
----
-networking::interfaces:
-  eth0:
-    ipaddress: 198.18.13.55
-networking::routes:
-  default:
-    gateway: 198.18.13.254

hieradata/nodes/ausyd1nxvm1046.main.unkin.net.yaml

@@ -1,7 +0,0 @@
----
-networking::interfaces:
-  eth0:
-    ipaddress: 198.18.13.56
-networking::routes:
-  default:
-    gateway: 198.18.13.254

hieradata/nodes/ausyd1nxvm1048.main.unkin.net.yaml

@@ -1,14 +0,0 @@
----
-networking::interfaces:
-  eth0:
-    ipaddress: 198.18.13.58
-  ens19:
-    ensure: present
-    family: inet
-    method: static
-    ipaddress: 10.18.15.58
-    netmask: 255.255.255.0
-    onboot: true
-networking::routes:
-  default:
-    gateway: 198.18.13.254

hieradata/nodes/ausyd1nxvm1050.main.unkin.net.yaml

@@ -1,7 +0,0 @@
----
-networking::interfaces:
-  eth0:
-    ipaddress: 198.18.13.60
-networking::routes:
-  default:
-    gateway: 198.18.13.254

hieradata/nodes/ausyd1nxvm1051.main.unkin.net.yaml

@@ -1,7 +0,0 @@
----
-networking::interfaces:
-  eth0:
-    ipaddress: 198.18.13.61
-networking::routes:
-  default:
-    gateway: 198.18.13.254

hieradata/nodes/ausyd1nxvm1055.main.unkin.net.yaml

@@ -1,7 +0,0 @@
----
-networking::interfaces:
-  eth0:
-    ipaddress: 198.18.13.65
-networking::routes:
-  default:
-    gateway: 198.18.13.254

hieradata/nodes/ausyd1nxvm1056.main.unkin.net.yaml

@@ -1,7 +0,0 @@
----
-networking::interfaces:
-  eth0:
-    ipaddress: 198.18.13.66
-networking::routes:
-  default:
-    gateway: 198.18.13.254

hieradata/nodes/ausyd1nxvm1061.main.unkin.net.yaml

@@ -1,7 +0,0 @@
----
-networking::interfaces:
-  eth0:
-    ipaddress: 198.18.13.71
-networking::routes:
-  default:
-    gateway: 198.18.13.254

hieradata/nodes/ausyd1nxvm1062.main.unkin.net.yaml

@@ -1,7 +0,0 @@
----
-networking::interfaces:
-  eth0:
-    ipaddress: 198.18.13.72
-networking::routes:
-  default:
-    gateway: 198.18.13.254

hieradata/nodes/ausyd1nxvm1063.main.unkin.net.yaml

@@ -1,7 +0,0 @@
----
-networking::interfaces:
-  eth0:
-    ipaddress: 198.18.13.73
-networking::routes:
-  default:
-    gateway: 198.18.13.254

hieradata/nodes/ausyd1nxvm1070.main.unkin.net.yaml

@@ -1,7 +0,0 @@
----
-networking::interfaces:
-  eth0:
-    ipaddress: 198.18.13.80
-networking::routes:
-  default:
-    gateway: 198.18.13.254

hieradata/nodes/ausyd1nxvm1071.main.unkin.net.yaml

@@ -1,7 +0,0 @@
----
-networking::interfaces:
-  eth0:
-    ipaddress: 198.18.13.81
-networking::routes:
-  default:
-    gateway: 198.18.13.254

hieradata/nodes/prodinf01n01.main.unkin.net.yaml

@@ -1,12 +0,0 @@
----
-profiles::puppet::server::dns_alt_names:
-  - puppetca.main.unkin.net
-  - puppetca.service.consul
-  - puppetca.query.consul
-  - puppetca
-
-profiles::puppet::puppetca::is_puppetca: false
-profiles::puppet::puppetca::allow_subject_alt_names: true
-
-hiera_exclude:
-  - networking

hieradata/roles/infra/puppet/master.yaml

@@ -27,7 +27,7 @@ profiles::puppet::cobbler_enc::packages:
   - 'PyYAML'
 profiles::puppet::enc::repo: https://git.service.au-syd1.consul/unkinben/puppet-enc.git
 profiles::puppet::r10k::r10k_repo: https://git.service.au-syd1.consul/unkin/puppet-r10k.git
-profiles::puppet::g10k::bin_path: '/opt/puppetlabs/bin/g10k'
+profiles::puppet::g10k::bin_path: '/usr/bin/g10k'
 profiles::puppet::g10k::cfg_path: '/etc/puppetlabs/r10k/r10k.yaml'
 profiles::puppet::g10k::environments_path: '/etc/puppetlabs/code/environments'
 profiles::puppet::g10k::default_environment: 'develop'

hieradata/roles/infra/reposync/repo.yaml

@@ -0,0 +1,41 @@
+---
+hiera_include:
+  - profiles::reposync::webserver
+
+profiles::ssh::sign::principals:
+  - packagerepo.service.consul
+  - packagerepo.query.consul
+  - "packagerepo.service.%{facts.country}-%{facts.region}.consul"
+
+# additional altnames
+profiles::pki::vault::alt_names:
+  - packagerepo.main.unkin.net
+  - packagerepo.service.consul
+  - packagerepo.query.consul
+  - "packagerepo.service.%{facts.country}-%{facts.region}.consul"
+
+# configure consul service
+consul::services:
+  jupyterhub:
+    service_name: 'packagerepo'
+    tags:
+      - 'packagerepo'
+    address: "%{facts.networking.ip}"
+    port: 443
+    checks:
+      - id: 'packagerepo_http_check'
+        name: 'packagerepo HTTP Check'
+        http: "https://%{facts.networking.fqdn}"
+        method: 'GET'
+        tls_skip_verify: true
+        interval: '10s'
+        timeout: '1s'
+profiles::consul::client::node_rules:
+  - resource: service
+    segment: packagerepo
+    disposition: write
+
+profiles::reposync::webserver::nginx_listen_mode: both
+profiles::reposync::webserver::nginx_cert_type: vault
+profiles::reposync::webserver::www_root: /shared/apps/packagerepo/snap
+profiles::reposync::webserver::cache_root: /data/repos/cache

hieradata/roles/infra/reposync/syncer.yaml

@@ -2,41 +2,6 @@
 profiles::packages::include:
   createrepo: {}
 
-profiles::ssh::sign::principals:
-  - packagerepo.service.consul
-  - packagerepo.query.consul
-  - "packagerepo.service.%{facts.country}-%{facts.region}.consul"
-
-# additional altnames
-profiles::pki::vault::alt_names:
-  - packagerepo.main.unkin.net
-  - packagerepo.service.consul
-  - packagerepo.query.consul
-  - "packagerepo.service.%{facts.country}-%{facts.region}.consul"
-
-# configure consul service
-consul::services:
-  jupyterhub:
-    service_name: 'packagerepo'
-    tags:
-      - 'packagerepo'
-    address: "%{facts.networking.ip}"
-    port: 443
-    checks:
-      - id: 'packagerepo_http_check'
-        name: 'packagerepo HTTP Check'
-        http: "https://%{facts.networking.fqdn}"
-        method: 'GET'
-        tls_skip_verify: true
-        interval: '10s'
-        timeout: '1s'
-profiles::consul::client::node_rules:
-  - resource: service
-    segment: packagerepo
-    disposition: write
-
-profiles::reposync::webserver::nginx_listen_mode: both
-profiles::reposync::webserver::nginx_cert_type: vault
 profiles::reposync::repos_list:
   almalinux_9.6_baseos:
     repository: 'baseos'

site/profiles/manifests/puppet/g10k.pp

@@ -1,25 +1,14 @@
 # Class: profiles::puppet::g10k
 #
-# This class handles downloading and installation of the g10k tool, a fast 
-# Git and Forge based Puppet environment and module deployment tool.
-# The latest release of g10k is downloaded from GitHub and placed into '/opt/puppetlabs/bin'.
-# Additionally, it creates a helper script to easily run g10k with the appropriate configuration.
-# It also creates a systemd service and timer that runs the g10k script every minute.
 class profiles::puppet::g10k (
-  String $bin_path,
+  Stdlib::Absolutepath $bin_path = '/usr/bin/g10k',
-  String $cfg_path,
+  Stdlib::Absolutepath $cfg_path = '/etc/puppetlabs/r10k/r10k.yaml',
-  String $environments_path,
+  Stdlib::Absolutepath $environments_path = '/etc/puppetlabs/code/environments',
-  String $default_environment,
+  String $default_environment = 'develop',
 ){
 
-  archive { '/tmp/g10k.zip':
+  package {'g10k':
-    ensure       => present,
+    ensure => 'latest',
-    source       => 'https://github.com/xorpaul/g10k/releases/latest/download/g10k-linux-amd64.zip',
-    extract      => true,
-    extract_path => '/opt/puppetlabs/bin',
-    creates      => '/opt/puppetlabs/bin/g10k',
-    cleanup      => true,
-    require      => Package['unzip']
   }
 
   file { '/opt/puppetlabs/bin/puppet-g10k':
@@ -28,7 +17,7 @@ class profiles::puppet::g10k (
     group   => 'root',
     mode    => '0755',
     content => template('profiles/puppet/g10k/puppet-g10k.erb'),
-    require => Archive['/tmp/g10k.zip'],
+    require => Package['g10k'],
   }
 
   $_timer = @(EOT)

site/profiles/manifests/reposync/autosyncer.pp

@@ -1,6 +1,6 @@
 # setup the autosyncer
 class profiles::reposync::autosyncer (
-  Stdlib::Absolutepath $basepath = '/data/repos',
+  Stdlib::Absolutepath $basepath = '/shared/apps/packagerepo',
 ) {
 
   # Ensure the autosyncer script is present and executable

site/profiles/manifests/reposync/repos.pp

@@ -8,7 +8,7 @@ define profiles::reposync::repos (
   String          $arch = 'x86_64',
   String          $repo_owner = 'root',
   String          $repo_group = 'root',
-  Stdlib::Absolutepath $basepath = '/data/repos',
+  Stdlib::Absolutepath $basepath = '/shared/apps/packagerepo',
   Optional[Stdlib::HTTPUrl] $baseurl = undef,
   Optional[Stdlib::HTTPUrl] $mirrorlist = undef,
 ){

site/profiles/manifests/reposync/syncer.pp

@@ -3,7 +3,6 @@ class profiles::reposync::syncer {
 
   include profiles::reposync::autosyncer
   include profiles::reposync::autopromoter
-  include profiles::reposync::webserver
 
   # Ensure the reposync config path exists
   file { '/etc/reposync':

site/profiles/manifests/reposync/webserver.pp

@@ -92,6 +92,10 @@ class profiles::reposync::webserver (
     proxy_cache_max_size  => '30000m',
     proxy_cache_inactive  => '60d',
     proxy_temp_path       => "${cache_root}/tmp",
+    require               => [
+      Mkdir::P[$cache_root],
+      Mkdir::P[$www_root]
+    ]
   }
 
   # create the nginx vhost with the merged parameters
@@ -131,15 +135,6 @@ class profiles::reposync::webserver (
     }
   }
 
-  # export cnames for webserver
-  profiles::dns::record { "${::facts['networking']['fqdn']}_repos.main.unkin.net_CNAME":
-    value  => $::facts['networking']['hostname'],
-    type   => 'CNAME',
-    record => 'repos.main.unkin.net.',
-    zone   => $::facts['networking']['domain'],
-    order  => 10,
-  }
-
   if $::facts['os']['selinux']['config_mode'] == 'enforcing' {
 
     # set httpd_sys_content_t to all files under the www_root

site/profiles/templates/reposync/autosyncer.erb

@@ -29,6 +29,9 @@ download_gpg_key() {
   curl -s --create-dirs -o "${basepath}/live/${reponame}/${filename}" "$gpgkeyurl" || {
     echo "Failed to download GPG key from $gpgkeyurl"
   }
+
+  # import the gpg key
+  rpm --import "${basepath}/live/${reponame}/${filename}" || echo "Failed to import gpg key ${basepath}/live/${reponame}/${filename}"
 }
 
 # Function to perform rsync with hard links

site/roles/manifests/infra/reposync/repo.pp

@@ -0,0 +1,11 @@
+# a role to deploy the webserver for packagerepo
+class roles::infra::reposync::repo {
+  if $facts['firstrun'] {
+    include profiles::defaults
+    include profiles::firstrun::init
+  }else{
+    include profiles::defaults
+    include profiles::base
+    include profiles::base::datavol
+  }
+}

site/roles/manifests/infra/reposync/syncer.pp

@@ -1,4 +1,4 @@
-# a role to deploy a packagerepo
+# a role to deploy the syncer/promoter for packagerepo
 class roles::infra::reposync::syncer {
   if $facts['firstrun'] {
     include profiles::defaults