unkin/puppet-prod
2
0
Fork 0
Code Issues 10 Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request 'promote develop to master' (#6) from develop into master

Browse Source 
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/6
This commit is contained in:
Ben Vincent 2024-06-01 14:48:47 +10:00
commit 4487551f62
291 changed files with 9121 additions and 583 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
.reek.yml Normal file
View File

@ -0,0 +1,5 @@
# .reek.yml
detectors:
FeatureEnvy:
enabled: false

10
.rubocop.yml Normal file
View File

@ -0,0 +1,10 @@
# .rubocop.yml
Style/ClassAndModuleChildren:
EnforcedStyle: compact
Style/Documentation:
Enabled: false
Layout/LineLength:
Max: 140

51
Puppetfile
View File

@ -1,17 +1,52 @@
forge 'forge.puppetlabs.com'
moduledir 'external_modules'
# Forge Modules
# puppetlabs
mod 'puppetlabs-stdlib', '9.1.0'
mod 'puppetlabs-inifile', '6.0.0'
mod 'puppetlabs-concat', '9.0.0'
#mod 'eyp-eyplib', '0.1.24'
#mod 'eyp-systemd', '3.1.0'
mod 'puppet-systemd', '5.1.0'
mod 'ghoneycutt-puppet', '3.3.0'
mod 'puppet-archive', '7.0.0'
mod 'puppet-chrony', '2.6.0'
mod 'puppetlabs-vcsrepo', '6.1.0'
mod 'puppetlabs-yumrepo_core', '2.0.0'
mod 'puppetlabs-apt', '9.4.0'
mod 'puppetlabs-lvm', '2.1.0'
mod 'puppetlabs-puppetdb', '7.13.0'
mod 'puppetlabs-postgresql', '9.1.0'
mod 'puppetlabs-firewall', '6.0.0'
mod 'puppetlabs-accounts', '8.1.0'
mod 'puppetlabs-mysql', '15.0.0'
mod 'puppetlabs-xinetd', '3.4.1'
mod 'puppetlabs-haproxy', '8.0.0'
mod 'puppetlabs-java', '10.1.2'
mod 'puppetlabs-reboot', '5.0.0'
# puppet
mod 'puppet-python', '7.0.0'
mod 'puppet-systemd', '5.1.0'
mod 'puppet-yum', '7.0.0'
mod 'puppetlabs-apt', '9.1.0'
mod 'puppet-archive', '7.0.0'
mod 'puppet-chrony', '2.6.0'
mod 'puppet-puppetboard', '9.0.0'
mod 'puppet-nginx', '5.0.0'
mod 'puppet-selinux', '4.1.0'
mod 'puppet-prometheus', '13.4.0'
mod 'puppet-grafana', '13.1.0'
mod 'puppet-consul', '8.0.0'
mod 'puppet-vault', '4.1.0'
mod 'puppet-dhcp', '6.1.0'
mod 'puppet-keepalived', '3.6.0'
mod 'puppet-extlib', '7.0.0'
# other
mod 'ghoneycutt-puppet', '3.3.0'
mod 'saz-sudo', '8.0.0'
mod 'ghoneycutt-timezone', '4.0.0'
mod 'dalen-puppetdbquery', '3.0.1'
mod 'markt-galera', '3.1.0'
mod 'kogitoapp-minio', '1.1.4'
mod 'broadinstitute-certs', '3.0.1'
mod 'stm-file_capability', '6.0.0'
mod 'h0tw1r3-gitea', '3.2.0'
mod 'bind',
:git => 'https://git.service.au-syd1.consul/unkinben/puppet-bind.git',
:tag => '1.0'

48
doc/vault/setup.md Normal file
View File

@ -0,0 +1,48 @@
# root ca
vault secrets enable -path=pki_root pki
vault write -field=certificate pki_root/root/generate/internal \
common_name="unkin.net" \
issuer_name="unkinroot-2024" \
ttl=87600h > unkinroot_2024_ca.crt
vault read pki_root/issuer/$(vault list -format=json pki_root/issuers/ | jq -r '.[]') | tail -n 6
vault write pki_root/roles/2024-servers allow_any_name=true
vault write pki_root/config/urls \
issuing_certificates="$VAULT_ADDR/v1/pki_root/ca" \
crl_distribution_points="$VAULT_ADDR/v1/pki_root/crl"
# intermediate
vault secrets enable -path=pki_int pki
vault secrets tune -max-lease-ttl=43800h pki_int
vault write -format=json pki_int/intermediate/generate/internal \
common_name="unkin.net Intermediate Authority" \
issuer_name="unkin-dot-net-intermediate" \
| jq -r '.data.csr' > pki_intermediate.csr
vault write -format=json pki_root/root/sign-intermediate \
issuer_ref="unkinroot-2024" \
csr=@pki_intermediate.csr \
format=pem_bundle ttl="43800h" \
| jq -r '.data.certificate' > intermediate.cert.pem
vault write pki_int/intermediate/set-signed certificate=@intermediate.cert.pem
# create role
vault write pki_int/roles/unkin-dot-net \
issuer_ref="$(vault read -field=default pki_int/config/issuers)" \
allowed_domains="unkin.net" \
allow_subdomains=true \
max_ttl="2160h"
# test generating a domain cert
vault write pki_int/issue/unkin-dot-net common_name="test.unkin.net" ttl="24h"
vault write pki_int/issue/unkin-dot-net common_name="test.main.unkin.net" ttl="24h"
vault write pki_int/issue/unkin-dot-net common_name="*.test.main.unkin.net" ttl="24h"
# remove expired certificates
vault write pki_int/tidy tidy_cert_store=true tidy_revoked_certs=true

3
environment.conf
View File

@ -1,2 +1,3 @@
manifest = manifests/site.pp
modulepath = external_modules:site
modulepath = external_modules:modules:site
config_version = '/usr/bin/grep signature /etc/puppetlabs/code/environments/$environment/.g10k-deploy.json | /usr/bin/cut -d \" -f 4'

42
hiera.yaml
View File

@ -4,11 +4,37 @@ defaults:
datadir: "hieradata"
data_hash: "yaml_data"
hierarchy:
- name: Node-specific data
path: "nodes/%{trusted.certname}.yaml"
- name: "Per-OS & Release Specific Data"
path: "os/%{facts.os.name}/%{facts.os.name}%{facts.os.release.major}.yaml"
- name: "Per-OS Specific Data"
path: "os/%{facts.os.name}/all_releases.yaml"
- name: Common data shared across nodes
path: "common.yaml"
- name: Consolidated Data
paths:
- "nodes/%{trusted.certname}.yaml"
- "country/%{::country}/region/%{::region}/%{::enc_role_tier1}/%{::enc_role_tier2}/%{::enc_role_tier3}.eyaml"
- "country/%{::country}/region/%{::region}/%{::enc_role_tier1}/%{::enc_role_tier2}/%{::enc_role_tier3}.yaml"
- "country/%{::country}/region/%{::region}/%{::enc_role_tier1}/%{::enc_role_tier2}.eyaml"
- "country/%{::country}/region/%{::region}/%{::enc_role_tier1}/%{::enc_role_tier2}.yaml"
- "country/%{::country}/region/%{::region}/%{::enc_role_tier1}.eyaml"
- "country/%{::country}/region/%{::region}/%{::enc_role_tier1}.yaml"
- "country/%{::country}/roles/%{::enc_role_tier1}/%{::enc_role_tier2}/%{::enc_role_tier3}.eyaml"
- "country/%{::country}/roles/%{::enc_role_tier1}/%{::enc_role_tier2}/%{::enc_role_tier3}.yaml"
- "country/%{::country}/roles/%{::enc_role_tier1}/%{::enc_role_tier2}.eyaml"
- "country/%{::country}/roles/%{::enc_role_tier1}/%{::enc_role_tier2}.yaml"
- "country/%{::country}/roles/%{::enc_role_tier1}.eyaml"
- "country/%{::country}/roles/%{::enc_role_tier1}.yaml"
- "country/%{::country}/region/%{::region}.eyaml"
- "country/%{::country}/region/%{::region}.yaml"
- "country/%{::country}.eyaml"
- "country/%{::country}.yaml"
- "roles/%{::enc_role_tier1}/%{::enc_role_tier2}/%{::enc_role_tier3}.eyaml"
- "roles/%{::enc_role_tier1}/%{::enc_role_tier2}/%{::enc_role_tier3}.yaml"
- "roles/%{::enc_role_tier1}/%{::enc_role_tier2}.eyaml"
- "roles/%{::enc_role_tier1}/%{::enc_role_tier2}.yaml"
- "roles/%{::enc_role_tier1}.eyaml"
- "roles/%{::enc_role_tier1}.yaml"
- "virtual/%{facts.virtual}.yaml"
- "os/%{facts.os.name}/%{facts.os.name}%{facts.os.release.major}.yaml"
- "os/%{facts.os.name}/all_releases.yaml"
- "common.eyaml"
- "common.yaml"
lookup_key: eyaml_lookup_key
options:
pkcs7_private_key: /var/lib/puppet/keys/private_key.pkcs7.pem
pkcs7_public_key: /var/lib/puppet/keys/public_key.pkcs7.pem

8
hieradata/common.eyaml Normal file
View File

@ -0,0 +1,8 @@
---
profiles::accounts::sysadmin::password: ENC[PKCS7,MIIBqQYJKoZIhvcNAQcDoIIBmjCCAZYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAoS7GyofFaXBNTWU+GtSiz4eCX/9j/sh3fDDRgOgNv1qpcQ87ZlTTenbHo9lxeURxKQ2HVVt7IsrBo/SC/WgipAKnliRkkIvo7nfAs+i+kEE8wakjAs0DcB4mhqtIZRuBkLG2Nay//DcG6cltVkbKEEKmKLMkDFZgTWreOZal8nDljpVe1S8QwtwP4/6hKTef5xsOnrisxuffWTXvwYJhj/VXrjdoH7EhtHGLybzEalglkVHEGft/WrrD/0bwJpmR0RegWI4HTsSvGiHgvf5DZJx8fXPZNPnicGtlfA9ccQPuVo17bY4Qf/WIc1A8Ssv4kHSbNIYJKRymI3UFb0Z4wzBsBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBBxDLb6pCGbittkcX6asd/gEBmMcUNupDjSECq5H09YA70eVwWWe0fBqxTxrr2cXCXtRKFvOk8SJmL0xHAWodaLN9+krTWHJcWbAK8JXEPC7rn]
profiles::accounts::root::password: ENC[PKCS7,MIIBeQYJKoZIhvcNAQcDoIIBajCCAWYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAM79PRxeAZHrDcSm4eSFqU94/LjuSbdUmJWivX/Pa8GumoW2e/PT9nGHW3p98zHthMgCglk52PECQ+TBKjxr+9dTyNK5ePG6ZJEqSHNRqsPGm+kfQj/hlTmq8vOBaFM5GapD1iTHs5JFbGngI56swKBEVXW9+Z37BjQb2xJuyLsu5Bo/tA0BaOKuCtjq1a6E38bOX+nJ+YF1uZgV9ofAEh1YvkcTmnEWYXFRPWd7AaNcWn03V2pfhGqxc+xydak620I47P+FE+qIY72+aQ6tmLU3X9vyA1HLF2Tv572l4a2i+YIk6nAgQdi+hQKznqNL9M9YV+s1AcmcKLT7cfLrjsjA8BgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBCMWrdCWBQgtW3NOEpERwP+gBA3KDiqe4pQq6DwRfsEXQNZ]
profiles::consul::client::secret_id_salt: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAS7pNFRX4onccFaR87zB/eFFORuF22j6xqjyeAqqjgEduYhkt6w5kkz+YfUoHUesU0Q6F2p6HrCSZ8yAsx5M25NCiud9P4hIpjKmOZ4zCNO7uhATh4AQDYw3BrdRwfO+c6jOl5wOiNLCfDBJ0sFT3akCvcuPS1xIoRJq4Gyn+uCbOsMbvSl25ld2xKt1/cqs8gc1d8mkpjwWto7t+qZSUFMCehTbehH3G4a3Q5rvfBoNwv42Wbs676BDcCurDaAzHNqE7pDbOWhGuVOBl+q+BU0Ri/CRkGcTViN9fr8Dc9SveVC6EPsMbw+05/8/NlfzQse3KAwQ34nR9tR2PQw5qEzBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBB7LywscQtF7cG2nomfEsu9gDDVqJBFP1jAX2eGZ2crYS5gnBcsRwhc0HNo2/WWdhZprMW+vEJOOGXDelI53NxA3o0=]
profiles::consul::token::node_editor::secret_id: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAO8IIF2r18dFf0bVKEwjJUe1TmXHH0AIzsQHxkHwV7d37kvH1cY9rYw0TtdHn7GTxvotJG7GZbWvbunpBs1g2p2RPADiM6TMhbO8mJ0tAWLnMk7bQ221xu8Pc7KceqWmU17dmgNhVCohyfwJNqbA756TlHVgxGA0LtNrKoLOmgKGXAL1VYZoKEQnWq7xOpO+z3e1UfjoO6CvX/Od2hGYfUkHdro8mwRw4GFKzU7XeKFdAMUGpn5rVmY3xe+1ARXwGFaSrTHzk2n85pvwhPRlQ+OwqzyT19Qo2FNeAO6RoCRIFTtqbsjTWPUlseHIhw4Q5bHO1I0Mrlm5IHDESw/22IzBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBCEe9wD72qxnpeq5nCi/d7BgDCP29sDFObkFTabt2uZ/nF9MT1g+QOrrdFKgnG6ThnwH1hwpZPsSVgIs+yRQH8laB4=]
profiles::consul::server::acl_tokens_initial_management: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAi1UH7AZirJ1PdxWy+KEgS5ufm0wbn2xy9rkg14hKYpcVjBa4pOZpSLMGMiiUpBIqBytDMZM4ezYa/luktpkBImJbM/TE16beGtsacQGA+9eZk2Tihs9GR2qbAQiu5lLITiDlwNnf0GeWdqHM8CTeD68DczQF320d9U14/k6pG/7z+w/MGLcjsQoSuOFTm42JVn1BI46t1CYSCHMXQc/9Tfs+FzI+vumohI8DxAYBIuyzU5HBX/MntAsvD/yixMJS1pZL9WwgqZJC/wK34rVRB39DpxWf/WROrI+WLuSJwr7WBjaeF9Ju+89WKCgsI53EWhFTj8GgDZm/jqPoE478NjBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBAoACRzJdQKNYXZv6cghFIIgDAzB81DMcuY815nb8POtZpiA06jT/068AoZmSctHoFK/zW9tY229N5r1Tb+WHElqLk=]
profiles::consul::server::acl_tokens_default: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAh4Ag95xgkIZHL0gP9OLnZauih0dB1/2l9Jzw8mP3OiIv7fw23otHYONlS3Emtj7oxW8MKcZGKDCzwCT6T2p+V5wx1n15wr2J+FmL24VbclJwrMPQ4AdgP359B9h21uoyo7Zdy7RuuvLfkU1fWXbs3SeWbi2HJs1Ed1/oI1jzr3OgwMbVtbyzd1VuAXeZ9bHQG3IA8z+w/k5m61th0HTyHjw7eldQulbohDuwv545z9axHEoHKCRT2a3ZwBufV2ST6Dm3g9GERzXE9Adp9DQC5adqM74wfsujOMLK2QFJSSIOj2uCs1CpEnrNrQ8zjP3fudM2z3l7KdSHZazEamCSxTBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBY/Tn9tzEKYc5dxnzP2rP7gDBWKgVP3lf2T4Q0WPQt3ns0E6RUSO6OtBegb/5qDyohY2nsDeJTnMKOYzYt/J1PhnY=]
profiles::consul::server::acl_tokens_replication: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAEzTIxbaAR/TZYnC671aBhiahsfwf3ieyeSHpD5hQm40sMEF/fXlEDijq9i2ykPikm94074j1Uo4HNzv/V9GTf0NSC/64t61jJ/Ya3QKa5f/36+DcRj3lcETsSIyhWwmU+E+zkY8I2r68MtXAuvSoMSMZdpgWSkPx/3FFgZlrsg//bzDu69jS9cx4UK582N3A6QN4Uy/qwYtJcm+2iTQlqqgGRWGqnSgTirxhegxPbJGWTDoAEpAL4/DyF5/hqcUn6mgoSfAsHF3loPHOqN30lG+9o0THWJ9B8Gf4W/1X2UWA/avmUnqBnumGoz0p7AYdNgpW+qLl2rk4lyGYa4kvQjBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBD9KSLH3Pn/1EIzgVJM+8VOgDDpKWzHfSVsfUMyTD0XIRPGclTdmxqCnsdhKNqmUfSjkYIf2nI9rQtSK6n42TYuO4k=]

261
hieradata/common.yaml
View File

@ -1,31 +1,268 @@
---
profiles::base::ntp_servers:
- 0.au.pool.ntp.org
- 1.au.pool.ntp.org
lookup_options:
hiera_classes:
merge:
strategy: deep
profiles::packages::install:
merge:
strategy: deep
profiles::packages::install_exclude:
merge:
strategy: deep
profiles::packages::remove:
merge:
strategy: deep
profiles::packages::remove_exclude:
merge:
strategy: deep
profiles::pki::vault::alt_names:
merge:
strategy: deep
profiles::pki::vault::ip_sans:
merge:
strategy: deep
profiles::yum::global::managed_repos:
merge:
strategy: deep
profiles::haproxy::server::defaults:
merge:
strategy: deep
profiles::haproxy::server::globals:
merge:
strategy: deep
profiles::haproxy::server::frontends:
merge:
strategy: deep
profiles::haproxy::server::backends:
merge:
strategy: deep
profiles::haproxy::server::mappings:
merge:
strategy: deep
profiles::haproxy::server::listeners:
merge:
strategy: deep
haproxy::backend:
merge:
strategy: deep
sudo::configs:
merge:
strategy: deep
profiles::base::groups::local:
merge:
strategy: deep
profiles::dns::resolver::zones:
merge:
strategy: deep
profiles::dns::resolver::acls:
merge:
strategy: deep
profiles::dns::resolver::views:
merge:
strategy: deep
profiles::dns::resolver::keys:
merge:
strategy: deep
profiles::dns::master::zones:
merge:
strategy: deep
profiles::dns::master::acls:
merge:
strategy: deep
profiles::dns::master::views:
merge:
strategy: deep
profiles::dns::master::keys:
merge:
strategy: deep
consul::services:
merge:
strategy: deep
consul::watch:
merge:
strategy: deep
consul::check:
merge:
strategy: deep
profiles::consul::client::node_rules:
merge:
strategy: deep
profiles::consul::prepared_query::rules:
merge:
strategy: deep
profiles::puppet::server::dns_alt_names:
merge:
strategy: deep
profiles::puppet::client::dns_alt_names:
merge:
strategy: deep
profiles::base::hosts::additional_hosts:
merge:
strategy: deep
postgresql_config_entries:
merge:
strategy: deep
profiles::yum::global::repos:
merge:
strategy: deep
profiles::nginx::simpleproxy::nginx_aliases:
merge:
strategy: deep
profiles::base::packages::common:
facts_path: '/opt/puppetlabs/facter/facts.d'
hiera_classes:
- timezone
profiles::ntp::client::ntp_role: 'roles::infra::ntp::server'
profiles::ntp::client::use_ntp: 'region'
profiles::ntp::client::peers:
- 0.pool.ntp.org
- 1.pool.ntp.org
- 2.pool.ntp.org
- 3.pool.ntp.org
profiles::base::puppet_servers:
- 'prodinf01n01.main.unkin.net'
profiles::dns::master::basedir: '/var/named/sources'
profiles::dns::base::ns_role: 'roles::infra::dns::resolver'
profiles::dns::base::use_ns: 'region'
profiles::consul::server::members_role: roles::infra::storage::consul
profiles::consul::token::node_editor::accessor_id: '024e27bd-c5bb-41e7-a578-b766509e11bc'
profiles::consul::client::members_lookup: true
profiles::consul::client::members_role: roles::infra::storage::consul
profiles::consul::client::node_rules:
- resource: node
segment: "%{facts.networking.hostname}"
disposition: write
- resource: node
segment: "%{facts.networking.fqdn}"
disposition: write
- resource: node
segment: ''
disposition: read
profiles::packages::install:
- bash-completion
- bzip2
- ccze
- curl
- dstat
- expect
- gzip
- git
- htop
- inotify-tools
- iotop
- jq
- lz4
- mtr
- ncdu
- neovim
- python3
- p7zip
- pbzip2
- pigz
- pv
- python3.11
- rsync
- screen
- socat
- strace
- sudo
- sysstat
- tmux
- traceroute
- unzip
- vim
- vnstat
- wget
- zsh
- zstd
profiles::puppet::autosign::subnet_ranges:
- '198.18.17.0/24'
profiles::packages::remove:
- iwl100-firmware
- iwl1000-firmware
- iwl105-firmware
- iwl135-firmware
- iwl2000-firmware
- iwl2030-firmware
- iwl3160-firmware
- iwl5000-firmware
- iwl5150-firmware
- iwl6000-firmware
- iwl6000g2a-firmware
- iwl6050-firmware
- iwl7260-firmware
- puppet7-release
profiles::puppet::autosign::domains:
- '*.main.unkin.net'
profiles::base::scripts::scripts:
puppet: puppetwrapper.py
profiles::puppet::enc::enc_repo: https://git.unkin.net/unkinben/puppet-enc.git
profiles::puppet::r10k::r10k_repo: https://git.unkin.net/unkinben/puppet-r10k.git
profiles::puppet::client::server: 'puppet.query.consul'
profiles::puppet::client::ca_server: 'puppetca.query.consul'
profiles::puppet::client::environment: 'develop'
profiles::puppet::client::runinterval: 1800
profiles::puppet::client::runtimeout: 3600
profiles::puppet::client::show_diff: true
profiles::puppet::client::usecacheonfailure: false
profiles::puppet::client::dns_alt_names:
- "%{trusted.certname}"
# puppetdb
puppetdbapi: puppetdbapi.query.consul
puppetdbsql: puppetdbsql.service.au-syd1.consul
prometheus::node_exporter::export_scrape_job: true
prometheus::systemd_exporter::export_scrape_job: true
profiles::base::groups::local:
admins:
ensure: present
gid: 10000
allowdupe: false
forcelocal: true
sudo::configs:
admins:
priority: 10
content: |
%admins ALL=(ALL) NOPASSWD: ALL
profiles::accounts::sysadmin::sshkeys:
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDZ8SRLlPiDylBpdWR9LpvPg4fDVD+DZst4yRPFwMMhta4mnB1H9XuvZkptDhXywWQ7QIcqa2WbhCen0OQJCtwn3s7EYtacmF5MxmwBYocPoK2AArGuh6NA9rwTdLrPdzhZ+gwe88PAzRLNzjm0ZBR+mA9saMbPJdqpKp0AWeAM8QofRQAWuCzQg9i0Pn1KDMvVDRHCZof4pVlHSTyHNektq4ifovn0zhKC8jD/cYu95mc5ftBbORexpGiQWwQ3HZw1IBe0ZETB1qPIPwsoJpt3suvMrL6T2//fcIIUE3TcyJKb/yhztja4TZs5jT8370G/vhlT70He0YPxqHub8ZfBv0khlkY93VBWYpNGJwM1fVqlw7XbfBNdOuJivJac8eW317ZdiDnKkBTxapThpPG3et9ib1HoPGKRsd/fICzNz16h2R3tddSdihTFL+bmTCa6Lo+5t5uRuFjQvhSLSgO2/gRAprc3scYOB4pY/lxOFfq3pU2VvSJtRgLNEYMUYKk= ben@unkin.net
profiles::base::hosts::additional_hosts:
- ip: 198.18.17.3
hostname: prodinf01n01.main.unkin.net
aliases:
- prodinf01n01
- puppet
- puppetmaster
- puppetca
- ip: 198.18.17.4
hostname: prodinf01n04.main.unkin.net
aliases:
- prodinf01n04
- ip: 198.18.17.5
hostname: prodinf01n05.main.unkin.net
aliases:
- prodinf01n05
- ip: 198.18.17.6
hostname: prodinf01n06.main.unkin.net
aliases:
- prodinf01n06
- ip: 198.18.17.9
hostname: prodinf01n09.main.unkin.net
aliases:
- prodinf01n09
- ntp01.main.unkin.net
- ip: 198.18.17.10
hostname: prodinf01n10.main.unkin.net
aliases:
- prodinf01n10
- ntp02.main.unkin.net
- ip: 198.18.17.22
hostname: prodinf01n22.main.unkin.net
aliases:
- prodinf01n22
- repos.main.unkin.net

2
hieradata/country/au/region/drw1.yaml Normal file
View File

@ -0,0 +1,2 @@
---
timezone::timezone: 'Australia/Darwin'

52
hieradata/country/au/region/drw1/infra/dns/resolver.yaml Normal file
View File

@ -0,0 +1,52 @@
---
profiles::dns::resolver::zones:
main.unkin.net-forward:
domain: 'main.unkin.net'
zone_type: 'forward'
forwarders:
- 198.18.17.23
- 198.18.17.24
forward: 'only'
13.18.198.in-addr.arpa-forward:
domain: '13.18.198.in-addr.arpa'
zone_type: 'forward'
forwarders:
- 198.18.17.23
- 198.18.17.24
forward: 'only'
14.18.198.in-addr.arpa-forward:
domain: '14.18.198.in-addr.arpa'
zone_type: 'forward'
forwarders:
- 198.18.17.23
- 198.18.17.24
forward: 'only'
15.18.198.in-addr.arpa-forward:
domain: '15.18.198.in-addr.arpa'
zone_type: 'forward'
forwarders:
- 198.18.17.23
- 198.18.17.24
forward: 'only'
16.18.198.in-addr.arpa-forward:
domain: '16.18.198.in-addr.arpa'
zone_type: 'forward'
forwarders:
- 198.18.17.23
- 198.18.17.24
forward: 'only'
17.18.198.in-addr.arpa-forward:
domain: '17.18.198.in-addr.arpa'
zone_type: 'forward'
forwarders:
- 198.18.17.23
- 198.18.17.24
forward: 'only'
consul-forward:
domain: 'consul'
zone_type: 'forward'
forwarders:
- 198.18.17.34
- 198.18.17.35
- 198.18.17.36
forward: 'only'

65
hieradata/country/au/region/drw1/infra/halb/haproxy.yaml Normal file
View File

@ -0,0 +1,65 @@
---
# mappings
profiles::haproxy::mappings:
fe_http:
ensure: present
mappings:
- 'puppetboard.main.unkin.net be_puppetboard'
- 'puppetdbapi.main.unkin.net be_puppetdbapi'
fe_https:
ensure: present
mappings:
- 'puppetboard.main.unkin.net be_puppetboard'
- 'puppetdbapi.main.unkin.net be_puppetdbapi'
profiles::haproxy::frontends:
fe_http:
options:
use_backend:
- "%[req.hdr(host),lower,map(/etc/haproxy/fe_http.map,be_default)]"
fe_https:
options:
use_backend:
- "%[req.hdr(host),lower,map(/etc/haproxy/fe_https.map,be_default)]"
profiles::haproxy::backends:
be_puppetboard:
description: Backend for Puppetboard
collect_exported: false # handled in custom function
options:
balance: roundrobin
option:
- httpchk GET /
- forwardfor
cookie: SRVNAME insert
http-request:
- set-header X-Forwarded-Port %[dst_port]
- add-header X-Forwarded-Proto https if { dst_port 443 }
redirect: 'scheme https if !{ ssl_fc }'
be_puppetdbapi:
description: Backend for the PuppetDB API
collect_exported: false # handled in custom function
options:
balance: roundrobin
option:
- httpchk GET /
- forwardfor
cookie: SRVNAME insert
http-request:
- set-header X-Forwarded-Port %[dst_port]
- add-header X-Forwarded-Proto https if { dst_port 443 }
redirect: 'scheme https if !{ ssl_fc }'
profiles::haproxy::certlist::enabled: true
profiles::haproxy::certlist::certificates:
- /etc/pki/tls/vault/certificate.pem
# additional altnames
profiles::pki::vault::alt_names:
- puppetboard.main.unkin.net
- puppetdbapi.main.unkin.net
# additional cnames
profiles::haproxy::dns::cnames:
- puppetboard.main.unkin.net
- puppetdbapi.main.unkin.net

3
hieradata/country/au/region/drw1/infra/puppet/master.eyaml Normal file
View File

@ -0,0 +1,3 @@
---
certmanager::vault_token: ENC[PKCS7,MIIBygYJKoZIhvcNAQcDoIIBuzCCAbcCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAWh7bsttz/JCBo/CPoCgA2doo3jO6jT6NsOoE3/06W2IW+Ij6KHKYILMkG3tS4NAegMI48QR9n++4Xa7u+97w1HO4ENpfLrkuKUcWUFCxxb2OdWhxucIlt3Ay/2+tofOSvqiRKeEISBtOK//Q1a4Iu5GwEP+lvDQ5rcoS0dryNie/okXaLratWOsmctJ6LFuUw5siCcFyUzfvr2ROsB14YoF989np+X1dJqBWxcLmbVNKx766GrRhb1WGeF0qxounCmWEKGt0zY4Zk27KNFlFu7XByDWZoSCVCMvkQaRKhvdNA39Y9vscZJGPGFhz+qKPoeqwUidz0IY51CaFSXewmzCBjAYJKoZIhvcNAQcBMB0GCWCGSAFlAwQBKgQQC+e2iOlFLlr9inVU8nEVWIBgqb0u/ICsLtxZqOpN9OIFWl+4hVrvTo24JzTc1jMSCONeL4Ab7jtTMbsweE9zUf6XlwhHLXfxfg7FL3WBsOWCUBXIAh338cZCXUGX7m0Qvtgg3VTEbTNDJhZle8Sjo6Gl]
certmanager::role_id: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAJuE+uzgQaBRUXBCigckEo1j+UxxbiUGrzdf/B9K7XPdVxZh6TzYLpBgNnyaT6vLo0boX4uRD/By0gT5R/2qcXD6d/j+fh517Ctk4d2uO64f0vH3PzyyOBalsNtcCdPiV3q/xGqzQSHhPiNkFEjDvMBz5p53UjfKA6gAiPrLklp4rN/NVyiLBw20NeIqbL25VdkQa13ViS0Gm/eUQu7a2xQ1dvQFWWfuLaQxO0dh8L0ynkfmWKIjaiD5412Z8hYURu0otxbqVDdIbEMx5xQsXnFKeN93yHmgs7a7M6fLdp9jh+G8B+IlK1W7/9v2+RT0/yI3ZgWHVTvDRhMHuPGBjfTBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBC5avtOPp9N65U1ILQENnvAgDBqI8XAjqbWIvXHqOEiKYdu+co0EEtsHR1v5xAeCmj/ZA6MLeKFlAVJbvpyCpzjons=]

4
hieradata/country/au/region/drw1/infra/puppet/master.yaml Normal file
View File

@ -0,0 +1,4 @@
---
profiles::puppet::server::dns_alt_names:
- puppetca.main.unkin.net
- puppetca

4
hieradata/country/au/region/drw1/infra/storage/consul.eyaml Normal file
View File

@ -0,0 +1,4 @@
---
profiles::consul::server::gossip_key: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEADwwYLK+fU0M/uLqQpRjHnIAyrt6yPEZSXpUX2jvOGVOA63X8LOYpLVfEGWMmkZ7BHRO0fgr847UUI/xI8otIuiOpgtW2E7QLWs806KUNXz+L8c7kSnQ1XAD5R81/5joDHl4AIxl5fAGryTXH1gfnpTMWh2yjFzU/KYuk2GhrU0M9ewCGJErQG4pT4u3ymGmkLjx6AiZ8r9xb4Eos2bhCCpFWfyb0kKcJqdKU9mzy508byNCfp8lr1DoKxEQrdqSSAQdepn6wCgBZtlAK/k63tOqM9dxyDaCsK8vLG9LlvuEwi3OL2lzTtc1mAcdYxahDo3uBX0/VcCswaXq3nPnu3TBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBCUwXPoMh/dylvFwyRzAsnRgDDvh5CHrzJYdUXWGsauYlifOOukYokkwG3yqqtCByveMqVWfWsQukiDTixdqpCgfzw=]
#profiles::consul::server::acl_tokens_initial_management: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAi1UH7AZirJ1PdxWy+KEgS5ufm0wbn2xy9rkg14hKYpcVjBa4pOZpSLMGMiiUpBIqBytDMZM4ezYa/luktpkBImJbM/TE16beGtsacQGA+9eZk2Tihs9GR2qbAQiu5lLITiDlwNnf0GeWdqHM8CTeD68DczQF320d9U14/k6pG/7z+w/MGLcjsQoSuOFTm42JVn1BI46t1CYSCHMXQc/9Tfs+FzI+vumohI8DxAYBIuyzU5HBX/MntAsvD/yixMJS1pZL9WwgqZJC/wK34rVRB39DpxWf/WROrI+WLuSJwr7WBjaeF9Ju+89WKCgsI53EWhFTj8GgDZm/jqPoE478NjBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBAoACRzJdQKNYXZv6cghFIIgDAzB81DMcuY815nb8POtZpiA06jT/068AoZmSctHoFK/zW9tY229N5r1Tb+WHElqLk=]
#profiles::consul::server::acl_tokens_default: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAPRZN7DnYUhVL81p7xC9rUYPutoO3UrF2Sl8DlopfYoAG9omnXZlrut8wIffDZJSiU5XkOGv8x2QsXZc+bWqiplJ0VfzLClxEM2onWaT/GGGg7E+2YhrYuMG7mZYaqRYQ6/AgLDcIMBIdQBdL5mlpy+fVZn7Mu4cmsQYJTIe+yrNQtGMWMiNaHpwLGXvoXgwT6giX6L6VNiN51dAnHAdMYZ9Hf3G5CZEs6x8uOveqf6+qy+df24ItRUcsfQlSwsEaQRY+xjIVYIoiV8l8D8HiO+mVqbxtfQgyJIMv+0hl95zHGlc2W5lb6MvIFcJGu2xKIc00D7YOYgxLUx1aegixxzBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBnYSZmhDFSDoO1s329ktFegDC2Z7A+TGqTtZXKXaj2qQmowIvTZOVoUyF/5G0aED0wo/h+vfgosSS3Tx1dam0KUl0=]

7
hieradata/country/au/region/drw1/infra/storage/consul.yaml Normal file
View File

@ -0,0 +1,7 @@
---
profiles::consul::server::bootstrap_count: 3
profiles::consul::server::raft_multiplier: 10
profiles::consul::server::primary_datacenter: 'au-syd1'
profiles::consul::server::join_remote_regions: true
profiles::consul::server::remote_regions:
- syd1

6
hieradata/country/au/region/drw1/infra/storage/minio.yaml Normal file
View File

@ -0,0 +1,6 @@
---
profiles::minio::server::minio_members: 5
profiles::minio::server::blockdev:
- /dev/sda
- /dev/sdb
profiles::minio::server::minio_storage_class: 'EC:2'

7
hieradata/country/au/region/drw1/infra/storage/vault.eyaml Normal file
View File

@ -0,0 +1,7 @@
---
vault::unseal_keys:
- ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAHfDhuu2C5ZEALdJlmOqWukEiAQQiVJ7KjpSRuf9h7RYwR+u8UNdcJYK1xFvYwmUczw6hkST/Zr06T4JwavpAHHuaRbyl8N1qZjlwt4MO5CPUTBT8k+EOaocF2byUXpYBThETjLB+WNLJAU3Dq8JboekCJ2F1Zjd8Mmdtu1C3Ip5ii5iVGbQShxDSPsdjtk8Q49lUKj61tLyuvadcTcxllHyXs6siWl7atBfIS6OX5KgA66VJhxOeoyyBaiqSSu7OqqZa2siYGTvjJS3UFDf8J+itsJJ1+0KUtkl07PvItkIruSAlHZGagVPrizAyEx1j4hFvVTGHac86bcV/5M9z5DBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBDCjxoJHSXr/4XvXaxVbUGOgDCQ4DL05Qnw3+3qHWZRKvNChHgrhRPi2HmkiGni+A4ZVF9LHs+mF8TQ/t3Q1DrSy3I=]
- ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAoapLUNj1f+7BEvjzR9CO0Qz3LhI5M326BVliikRY7hpL2+0CnTOlR9K3YapD83LtpuiNbXqbk1mhi44ak0CTet8yz0ZH/BPkVYgV2Ll9ISdN4Knnnlf2Ljt/gHGf03jiUKwfXxu87LfvCySAMgzYonQ90cfIDc+XH6CoQv27WM3U1q79RcWl/w9Z/XwJiKyANSCXfBT16+RawrzmVo+zWbteqx09MfOHr7Q36VwOqjJaO94A/Dj3m/YJIOhmYXd52h+am6Kc1Q9dnzycKZYoKYOv+qi+bY4frx9sRvBxoGDGMb1mXTDSPeIT6NXbMCIsTsmYxjxAvBET72oKWXJUcDBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBDy/pkTHpz4F9l1J6cKW4A9gDD873VdHr3ArjpE1R82wS5brCbBe7ntEuNFQMbnFPvOXwI4EaYV3IMRNv6Lzk6BBSI=]
- ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAVKVb6/nhbgEx6b2b90gfuXbZglZpoJjQtyzDQtCZzcZxh/xVFjwUy1XX/3+dueazFd5Ge5NnqQdxs/h5MBSjexHJhEm3fmA+gnns8sdYX5SDJSnhYvS1cB/wmfHuvkj3ZhIFxg0jlPlKz24QST99ouxKI2c490ByIbcFCr+A5GWnO7D/kf1Y+M0Sg2YiPE4zqF2zx1sgOfaV2xvQbRqqSjDPim/mYff95AtWwN9KbcAvc/7vDi4PrHR8GY9RXhI8FBEvelAT0H0NmnaCw4TvWXF/YxztlG9E55G3MsFyVAQJT7Dl8w4w5nk4AJJBMaXlO2s4AWD4Y+MVQh62hjqgHjBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBptatyhSChU/V0R+IVd5hRgDCmA07/V4UBz1nVMc2vZm2KvnUOPofO74hwkkoxOnk6O2h6arbw8GNHj7WxeHXoXPk=]
- ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAOGvhPhbKt8hkYTif5C+IE7iqcoeXm68BeUzlzE9qAY7lzQoAENauDKoIgoQT0hA7zrKZXPTUDrcw8SdxNp7Zo/Dr44urdr4LiT+QZwYTE09Xn8yIA3ij1XnXQ5bYP70TycuOjpVT0BKK+qSkklfd7IAw76AnUWF1D6P9MjT+shOmVNHQQSRrL2JLNppetQRCyOEMzkeDI/58/ohexvyUcY8WT4YMNhl/IrNBdcJ3xOwnJqEAXSUTre15T2I+7f+prhj4cS2V9qd0ZwUXSueL38EIMKwmq1ugb+zm8UYzqfKpRk/1THqT8T/r8B4PR2QxtiwtzLk388ag1mqQ/jHL9zBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBAlKLuJOARFD1vt/R9gfp4LgDA0irHwG41ByRyYcKT87ra9tsdhb+i9ugnNRbFQ1UPTk7bFwS3HUteEJwNzcNIwFXY=]
- ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAEQvjVATvI+UVWrowTWSxtluiPrfa8akOSgr+MdcAh5Mgypw6RUeVJ2Sh8jekePZOO7Y0IQSfyNWOFAsaxBgeG7aEu6loFwxcSzrilg9c/2bV7Ybxr5saDViTjHO+UOYPPVRsJKeYvWd+vTdM+J7Eg3LGwzdLqyYu824affGm41KsSJdtxbNC1EzR+AOEU7SO8FkDIUZl2ekwz+3FfBX5TyXywlZGrbS7DkABB1jrO/JJtgnRu4D1AgUWjSJINXKyi9Xf91ZUyYCbVJ1asmRhOcCDcRigs82CF6nWbsSad80Z/ZoGVGYSlCsSXd4t8iEujCzeTkfBRK6Azr71f0zbBjBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBAeR7zOfSz3Sd19UkcmdMJLgDBiPUNdk6zh2inhCqms/qnt7BqDBAYEzHuzbsM3U3PO+UIeJdym51cu3YKw3MkVuyw=]

9
hieradata/country/au/region/drw1/infra/storage/vault.yaml Normal file
View File

@ -0,0 +1,9 @@
---
# additional altnames
profiles::pki::vault::alt_names:
- vault.service.au-drw1.consul
profiles::nginx::simpleproxy::nginx_aliases:
- vault.service.au-drw1.consul
profiles::vault::server::primary_datacenter: 'au-drw1'

2
hieradata/country/au/region/syd1.yaml Normal file
View File

@ -0,0 +1,2 @@
---
timezone::timezone: 'Australia/Sydney'

52
hieradata/country/au/region/syd1/infra/dns/resolver.yaml Normal file
View File

@ -0,0 +1,52 @@
---
profiles::dns::resolver::zones:
main.unkin.net-forward:
domain: 'main.unkin.net'
zone_type: 'forward'
forwarders:
- 198.18.13.14
- 198.18.13.15
forward: 'only'
13.18.198.in-addr.arpa-forward:
domain: '13.18.198.in-addr.arpa'
zone_type: 'forward'
forwarders:
- 198.18.13.14
- 198.18.13.15
forward: 'only'
14.18.198.in-addr.arpa-forward:
domain: '14.18.198.in-addr.arpa'
zone_type: 'forward'
forwarders:
- 198.18.13.14
- 198.18.13.15
forward: 'only'
15.18.198.in-addr.arpa-forward:
domain: '15.18.198.in-addr.arpa'
zone_type: 'forward'
forwarders:
- 198.18.13.14
- 198.18.13.15
forward: 'only'
16.18.198.in-addr.arpa-forward:
domain: '16.18.198.in-addr.arpa'
zone_type: 'forward'
forwarders:
- 198.18.13.14
- 198.18.13.15
forward: 'only'
17.18.198.in-addr.arpa-forward:
domain: '17.18.198.in-addr.arpa'
zone_type: 'forward'
forwarders:
- 198.18.13.14
- 198.18.13.15
forward: 'only'
consul-forward:
domain: 'consul'
zone_type: 'forward'
forwarders:
- 198.18.13.19
- 198.18.13.20
- 198.18.13.21
forward: 'only'

79
hieradata/country/au/region/syd1/infra/halb/haproxy.yaml Normal file
View File

@ -0,0 +1,79 @@
---
# mappings
profiles::haproxy::mappings:
fe_http:
ensure: present
mappings:
- 'au-syd1-pve.main.unkin.net be_ausyd1pve_web'
- 'au-syd1-pve-api.main.unkin.net be_ausyd1pve_api'
fe_https:
ensure: present
mappings:
- 'au-syd1-pve.main.unkin.net be_ausyd1pve_web'
- 'au-syd1-pve-api.main.unkin.net be_ausyd1pve_api'
profiles::haproxy::frontends:
fe_http:
options:
use_backend:
- "%[req.hdr(host),lower,map(/etc/haproxy/fe_http.map,be_default)]"
fe_https:
options:
acl:
- 'acl_ausyd1pve req.hdr(host) -i https://au-syd1-pve.main.unkin.net'
- 'acl_internalsubnets src 198.18.0.0/16 10.10.12.0/24'
use_backend:
- "%[req.hdr(host),lower,map(/etc/haproxy/fe_https.map,be_default)]"
http-request:
- 'deny if { hdr_dom(host) -i au-syd1-pve.main.unkin.net } !acl_internalsubnets'
http-response:
- 'set-header X-Frame-Options DENY if acl_ausyd1pve'
- 'set-header X-Content-Type-Options nosniff'
- 'set-header X-XSS-Protection 1;mode=block'
profiles::haproxy::backends:
be_ausyd1pve_web:
description: Backend for au-syd1 pve cluster (Web)
collect_exported: false # handled in custom function
options:
balance: roundrobin
option:
- httpchk GET /
- forwardfor
- http-keep-alive
- prefer-last-server
cookie: SRVNAME insert indirect nocache
http-reuse: always
http-request:
- set-header X-Forwarded-Port %[dst_port]
- add-header X-Forwarded-Proto https if { dst_port 443 }
redirect: 'scheme https if !{ ssl_fc }'
be_ausyd1pve_api:
description: Backend for au-syd1 pve cluster (API only)
collect_exported: false # handled in custom function
options:
balance: roundrobin
option:
- httpchk GET /
- forwardfor
- http-keep-alive
- prefer-last-server
http-reuse: always
http-request:
- set-header X-Forwarded-Port %[dst_port]
- add-header X-Forwarded-Proto https if { dst_port 443 }
redirect: 'scheme https if !{ ssl_fc }'
profiles::haproxy::certlist::enabled: true
profiles::haproxy::certlist::certificates:
- /etc/pki/tls/vault/certificate.pem
# additional altnames
profiles::pki::vault::alt_names:
- au-syd1-pve.main.unkin.net
- au-syd1-pve-api.main.unkin.net
# additional cnames
profiles::haproxy::dns::cnames:
- au-syd1-pve.main.unkin.net
- au-syd1-pve-api.main.unkin.net

8
hieradata/country/au/region/syd1/infra/proxmox.yaml Normal file
View File

@ -0,0 +1,8 @@
---
profiles::proxmox::params::pve_members_role: 'roles::infra::proxmox::node'
profiles::proxmox::params::pve_kernel_version: '1.0.1'
profiles::proxmox::params::pve_kernel_release: '6.5.13-5-pve'
profiles::proxmox::params::pve_ceph_repos: true
profiles::proxmox::params::pve_ceph_release: 'reef'
profiles::proxmox::params::pve_ceph_install: true
profiles::proxmox::params::pve_ceph_network: '10.18.15.1/24'

3
hieradata/country/au/region/syd1/infra/puppet/master.eyaml Normal file
View File

@ -0,0 +1,3 @@
---
certmanager::vault_token: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAJuE+uzgQaBRUXBCigckEo1j+UxxbiUGrzdf/B9K7XPdVxZh6TzYLpBgNnyaT6vLo0boX4uRD/By0gT5R/2qcXD6d/j+fh517Ctk4d2uO64f0vH3PzyyOBalsNtcCdPiV3q/xGqzQSHhPiNkFEjDvMBz5p53UjfKA6gAiPrLklp4rN/NVyiLBw20NeIqbL25VdkQa13ViS0Gm/eUQu7a2xQ1dvQFWWfuLaQxO0dh8L0ynkfmWKIjaiD5412Z8hYURu0otxbqVDdIbEMx5xQsXnFKeN93yHmgs7a7M6fLdp9jh+G8B+IlK1W7/9v2+RT0/yI3ZgWHVTvDRhMHuPGBjfTBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBC5avtOPp9N65U1ILQENnvAgDBqI8XAjqbWIvXHqOEiKYdu+co0EEtsHR1v5xAeCmj/ZA6MLeKFlAVJbvpyCpzjons=]
certmanager::role_id: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAJuE+uzgQaBRUXBCigckEo1j+UxxbiUGrzdf/B9K7XPdVxZh6TzYLpBgNnyaT6vLo0boX4uRD/By0gT5R/2qcXD6d/j+fh517Ctk4d2uO64f0vH3PzyyOBalsNtcCdPiV3q/xGqzQSHhPiNkFEjDvMBz5p53UjfKA6gAiPrLklp4rN/NVyiLBw20NeIqbL25VdkQa13ViS0Gm/eUQu7a2xQ1dvQFWWfuLaQxO0dh8L0ynkfmWKIjaiD5412Z8hYURu0otxbqVDdIbEMx5xQsXnFKeN93yHmgs7a7M6fLdp9jh+G8B+IlK1W7/9v2+RT0/yI3ZgWHVTvDRhMHuPGBjfTBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBC5avtOPp9N65U1ILQENnvAgDBqI8XAjqbWIvXHqOEiKYdu+co0EEtsHR1v5xAeCmj/ZA6MLeKFlAVJbvpyCpzjons=]

4
hieradata/country/au/region/syd1/infra/puppet/master.yaml Normal file
View File

@ -0,0 +1,4 @@
---
profiles::puppet::server::dns_alt_names:
- puppetca.main.unkin.net
- puppetca

4
hieradata/country/au/region/syd1/infra/sql/galera.yaml Normal file
View File

@ -0,0 +1,4 @@
---
profiles::sql::galera_member::cluster_name: au-syd1
profiles::sql::galera_member::galera_master: ausyd1nxvm1027.main.unkin.net
profiles::sql::galera_member::innodb_buffer_pool_size: 256M

2
hieradata/country/au/region/syd1/infra/storage/consul.eyaml Normal file
View File

@ -0,0 +1,2 @@
---
profiles::consul::server::gossip_key: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEADwwYLK+fU0M/uLqQpRjHnIAyrt6yPEZSXpUX2jvOGVOA63X8LOYpLVfEGWMmkZ7BHRO0fgr847UUI/xI8otIuiOpgtW2E7QLWs806KUNXz+L8c7kSnQ1XAD5R81/5joDHl4AIxl5fAGryTXH1gfnpTMWh2yjFzU/KYuk2GhrU0M9ewCGJErQG4pT4u3ymGmkLjx6AiZ8r9xb4Eos2bhCCpFWfyb0kKcJqdKU9mzy508byNCfp8lr1DoKxEQrdqSSAQdepn6wCgBZtlAK/k63tOqM9dxyDaCsK8vLG9LlvuEwi3OL2lzTtc1mAcdYxahDo3uBX0/VcCswaXq3nPnu3TBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBCUwXPoMh/dylvFwyRzAsnRgDDvh5CHrzJYdUXWGsauYlifOOukYokkwG3yqqtCByveMqVWfWsQukiDTixdqpCgfzw=]

7
hieradata/country/au/region/syd1/infra/storage/consul.yaml Normal file
View File

@ -0,0 +1,7 @@
---
profiles::consul::server::bootstrap_count: 3
profiles::consul::server::raft_multiplier: 10
profiles::consul::server::primary_datacenter: 'au-syd1'
profiles::consul::server::join_remote_regions: true
profiles::consul::server::remote_regions:
- drw1

7
hieradata/country/au/region/syd1/infra/storage/vault.eyaml Normal file
View File

@ -0,0 +1,7 @@
---
vault::unseal_keys:
- ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEABDaLiGSq+xu4DjB/MygqwyVX2cRBlypzRTdijD0Q/Pk/KF4X/6dP1jFVH1hQOI4/oxfsv13PaLFFh/mHgh/WGtwsDKoc20KgUR9N5wvA6p83OLBfuueFFiFM6myh1uzcwgCETGAyGbIy3+Zm2KECfQGJVvcVVEvlCTdqSq8VRMpaxlVrjFA/A/JVI8Gcscuv/44SVAeQi0xsCt0e+HwiaBYq7b+bUjDIR3cHJq1/WZx9mY1rVlOK2385AXhZbN0yi3J+18TYY1ngNq4ag+8T5oFUNfvd66rjFE7sXVKwUCZ64vEVOO08E06rQmv9LHT6DLwPucWIp5AZ8Dc59yWBGzBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBmNT7lhDBPD628O6AMkH15gDDuoa6S9NGknF8IOhFVUUSxODg/VCKI43Z9IXBgv3iboD1Q+Dhfje6Vmiyi1sukLRw=]
- ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAdpCkAgYhBO6psgTovA9cD0NEu3QxwT14KSzmxr37aHuhSBoh3tIX9asLvR3AduGbDRNI+eTGohSmQRMraTOFWHcTpVv1GShG/KD/wKwW9BGlNze/MwEuoV/OeFcrjfYbsSA338IMgWbG5+MfEduZGxWKIT5F5D14vx6pb9V7bYvbH9jKwSOwWry/RfWkEvMhMZSjFxtRrlMQqj7yqjs9RjauWXctYt4Rx9jK+I+ghWjjV26Q3Pust3OxYCJfCffZ0tpW6YikkGd1Qtq3kuPeh72YU1kYmuQIsDpcgwIuJIMJy2ekteQ/14JtIqN43OvXW5CVrmBemF0AK059LQ96WDBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBCDOOqa8oCU1St/MStiB/dngDCUp3/Vs0caWnMBi6z0oQ8FhfQR7zPSH8666bXh1U1ETCVL+B1c0NKLiig/3I4ncaQ=]
- ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEALAt+ASQS+MoaVoMTBGadYksrKq7REP3OchGXMZL97xdfRVtxaV75/HMES13q4B2dewJzBhpvgTBy9lqPCHXk7PXAkGv0YP2gbj3FXuzlXtZtXD0QHv1SY9assGABCQMdQY+DlZasGIRer/RzOLXpi3zSLlHVFu6dLndKhVs7B6RXgPMnf5Xo0yRijTKHRh8G2oizOxN7X0g5RNZAfAXN+gbDXF/KzpCM8Hox0+6UgJs9ghL7hH8c5Z8odJZcfNuqg87ELSp2XAvpC4jO4KC8VkcT0lIuDgYafyRZcWT4O8Zx6FNvSnDWEdtWHfOUYIg0RTXQ0OR0p28PzS8+0Fhh8TBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBCXnDOd5VnrCXt3QIM9BCsIgDD3P5XS+w/EV85vkp9SciOtH95jZ1M0tt7uwA76Bsk69O5qxEbNlv40ZUOC1i02Z4w=]
- ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAlBQxsb/TK3gdOmohjoRs5ICN9PjQJvIxW5co7NDsynU6kT6jBinokhbfCRt2RpTUeZqRC2eodMxZSQrkqkMaAbkwSVnMLWzK5444VwT9OrSSwQ0NfT2CuGW9/Vb/XbGy4jwlwGlG23Zf6GptdwxKq1PaJb5FGgUcTXB1XUsDPwLRqpduH4JTdi7BIovOFzsz/hLkaAvrx3BD1ls+21oJpHiGGoomSoTki0tv9Yq2mgB3sn5/P4hIs2vA5gGKTE74nd71hGCg6LBQT9q29cuiM367qebKcSH+nzUlJXYvTxbJiMrs3k5K8IdPd7ocxn1iIuxprSVe6cxEPeoyUIm2dzBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBCSHy2XB/CfyCxkgWoLNPWRgDB23dqS9tTUKvXffAAucl5pttdtg5PUknvs7uiOndQDY5J3R0b5hapS186njvlsrW0=]
- ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAY3xFtGYy4lQDhHa/t4qri4TJ2/nWAg+EP+tAP4P/9a1er2mR2WkSZD6zBpDMBwN73V0b7XNgAV1W3lPi3XsJlzjhE27a2qBGzoXXekkW5+C65hrVfcPrATos4vpY+ly7ldu6gsZgaE5TlRVt6BE/joi2U5+PfzICOG1Zwpb6/aPdW9UhNPLIRVmAVZBTdnh2qXbYhg/IpUeuX1CSK8F7ptryGXO/aiL4adSYluJkgDtjFplP0yy4IRe7PztnBb2w1XsgIL3SodyhT64OqvoIQd7g6lKwvPmpBJB/VqHwoQDw/GvZg8/BN9514hNpwYsZNIpvtJRE8HX7QJ28mv7TzjBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBClVGY4pKZs+wNZ9dIPRSZVgDAW1mDpEnYXfciwNU/aUpZyo2GkTC2DUsNwFtKlgG1aICTfCjLOUhBzcON+Tfhq+7c=]

31
hieradata/country/au/region/syd1/infra/storage/vault.yaml Normal file
View File

@ -0,0 +1,31 @@
---
# additional altnames
profiles::pki::vault::alt_names:
- vault.service.au-syd1.consul
- vault.query.consul
profiles::nginx::simpleproxy::nginx_aliases:
- vault.service.au-syd1.consul
- vault.query.consul
profiles::vault::server::primary_datacenter: 'au-syd1'
consul::services:
vault:
service_name: 'vault'
tags:
- 'https'
- 'secure'
address: "%{facts.networking.ip}"
port: 8200
checks:
- id: 'vault_https_check'
name: 'Vault HTTPS Check'
http: "https://%{facts.networking.fqdn}:8200/v1/sys/health"
method: 'GET'
tls_skip_verify: true
interval: '10s'
timeout: '1s'
profiles::consul::client::node_rules:
- resource: service
segment: vault
disposition: write

2
hieradata/nodes/ausyd1nxvm1017.main.unkin.net.yaml Normal file
View File

@ -0,0 +1,2 @@
---
profiles::cobbler::params::is_cobbler_master: true

9
hieradata/nodes/ausyd1nxvm1036.main.unkin.net.yaml Normal file
View File

@ -0,0 +1,9 @@
---
profiles::puppet::server::dns_alt_names:
- puppetca.main.unkin.net
- puppetca.service.consul
- puppetca.query.consul
- puppetca
profiles::puppet::puppetca::is_puppetca: true
profiles::puppet::puppetca::allow_subject_alt_names: true

9
hieradata/nodes/prodinf01n01.main.unkin.net.yaml Normal file
View File

@ -0,0 +1,9 @@
---
profiles::puppet::server::dns_alt_names:
- puppetca.main.unkin.net
- puppetca.service.consul
- puppetca.query.consul
- puppetca
profiles::puppet::puppetca::is_puppetca: false
profiles::puppet::puppetca::allow_subject_alt_names: true

5
hieradata/nodes/prodnxsr0001.main.unkin.net.yaml Normal file
View File

@ -0,0 +1,5 @@
---
profiles::proxmox::params::pve_clusterinit_master: true
profiles::proxmox::params::pve_ceph_mon: true
profiles::proxmox::params::pve_ceph_mgr: true
profiles::proxmox::params::pve_ceph_osd: true

4
hieradata/nodes/prodnxsr0002.main.unkin.net.yaml Normal file
View File

@ -0,0 +1,4 @@
---
profiles::proxmox::params::pve_ceph_mon: true
profiles::proxmox::params::pve_ceph_mgr: true
profiles::proxmox::params::pve_ceph_osd: true

4
hieradata/nodes/prodnxsr0003.main.unkin.net.yaml Normal file
View File

@ -0,0 +1,4 @@
---
profiles::proxmox::params::pve_ceph_mon: true
profiles::proxmox::params::pve_ceph_mgr: true
profiles::proxmox::params::pve_ceph_osd: true

2
hieradata/nodes/prodnxsr0004.main.unkin.net.yaml Normal file
View File

@ -0,0 +1,2 @@
---
profiles::proxmox::params::pve_ceph_osd: true

2
hieradata/nodes/prodnxsr0005.main.unkin.net.yaml Normal file
View File

@ -0,0 +1,2 @@
---
profiles::proxmox::params::pve_ceph_osd: true

2
hieradata/nodes/prodnxsr0006.main.unkin.net.yaml Normal file
View File

@ -0,0 +1,2 @@
---
profiles::proxmox::params::pve_ceph_osd: true

2
hieradata/nodes/prodnxsr0007.main.unkin.net.yaml Normal file
View File

@ -0,0 +1,2 @@
---
profiles::proxmox::params::pve_ceph_osd: true

2
hieradata/nodes/prodnxsr0008.main.unkin.net.yaml Normal file
View File

@ -0,0 +1,2 @@
---
profiles::proxmox::params::pve_ceph_osd: true

6
hieradata/os/AlmaLinux/AlmaLinux8.yaml
View File

@ -1,8 +1,2 @@
# hieradata/os/AlmaLinux/AlmaLinux8.yaml
---
profiles::yum::managed_repos:
- 'base'
- 'extras'
- 'appstream'
- 'epel'
- 'puppet7'

6
hieradata/os/AlmaLinux/AlmaLinux9.yaml
View File

@ -1,8 +1,2 @@
# hieradata/os/AlmaLinux/AlmaLinux9.yaml
---
profiles::yum::managed_repos:
- 'base'
- 'extras'
- 'appstream'
- 'epel'
- 'puppet7'

62
hieradata/os/AlmaLinux/all_releases.yaml
View File

@ -1,4 +1,62 @@
# hieradata/os/almalinux/all_releases.yaml
---
profiles::yum::base::baseurl: http://almalinux.mirror.digitalpacific.com.au
profiles::yum::epel::baseurl: http://epel.mirror.digitalpacific.com.au
profiles::firewall::firewalld::ensure_package: 'absent'
profiles::firewall::firewalld::ensure_service: 'stopped'
profiles::firewall::firewalld::enable_service: false
profiles::puppet::agent::puppet_version: '7.26.0'
profiles::packages::install:
- lzo
- xz
- policycoreutils
lm-sensors::package: lm_sensors
profiles::yum::global::repos:
baseos:
name: baseos
descr: baseos repository
target: /etc/yum.repos.d/baseos.repo
baseurl: https://edgecache.query.consul/almalinux/%{facts.os.release.full}/BaseOS/%{facts.os.architecture}/os
gpgkey: http://edgecache.query.consul/almalinux/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
extras:
name: extras
descr: extras repository
target: /etc/yum.repos.d/extras.repo
baseurl: https://edgecache.query.consul/almalinux/%{facts.os.release.full}/extras/%{facts.os.architecture}/os
gpgkey: http://edgecache.query.consul/almalinux/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
appstream:
name: appstream
descr: appstream repository
target: /etc/yum.repos.d/appstream.repo
baseurl: https://edgecache.query.consul/almalinux/%{facts.os.release.full}/AppStream/%{facts.os.architecture}/os
gpgkey: http://edgecache.query.consul/almalinux/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
powertools:
name: powertools
descr: powertools repository
target: /etc/yum.repos.d/powertools.repo
baseurl: https://edgecache.query.consul/almalinux/%{facts.os.release.full}/PowerTools/%{facts.os.architecture}/os
gpgkey: http://edgecache.query.consul/almalinux/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
highavailability:
name: highavailability
descr: highavailability repository
target: /etc/yum.repos.d/highavailability.repo
baseurl: https://edgecache.query.consul/almalinux/%{facts.os.release.full}/HighAvailability/%{facts.os.architecture}/os
gpgkey: http://edgecache.query.consul/almalinux/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
epel:
name: epel
descr: epel repository
target: /etc/yum.repos.d/epel.repo
baseurl: https://edgecache.query.consul/epel/%{facts.os.release.major}/Everything/%{facts.os.architecture}
gpgkey: http://edgecache.query.consul/epel/RPM-GPG-KEY-EPEL-%{facts.os.release.major}
puppet:
name: puppet
descr: puppet repository
target: /etc/yum.repos.d/puppet.repo
baseurl: https://yum.puppet.com/puppet7/el/%{facts.os.release.major}/%{facts.os.architecture}
gpgkey: https://yum.puppet.com/RPM-GPG-KEY-puppet-20250406
unkin:
name: unkin
descr: unkin repository
target: /etc/yum.repos.d/unkin.repo
baseurl: https://repos.main.unkin.net/unkin/%{facts.os.release.major}/%{facts.os.architecture}/os

2
hieradata/os/Debian/Debian11.yaml
View File

@ -10,3 +10,5 @@ profiles::apt::components:
- contrib
- main
- non-free
profiles::puppet::agent::puppet_version: '7.25.0-1bullseye'

2
hieradata/os/Debian/Debian12.yaml
View File

@ -11,3 +11,5 @@ profiles::apt::components:
- main
- non-free
- non-free-firmware
profiles::puppet::agent::puppet_version: 'latest'

11
hieradata/os/Debian/all_releases.yaml
View File

@ -1,7 +1,14 @@
# hieradata/os/debian/all_releases.yaml
---
profiles::apt::base::mirrorurl: http://debian.mirror.digitalpacific.com.au/debian
profiles::apt::base::mirrorurl: http://repos.main.unkin.net/debian
profiles::apt::base::secureurl: http://security.debian.org/debian-security
profiles::apt::puppet7::mirror: http://apt.puppetlabs.com
profiles::apt::puppet7::repo: puppet7
profiles::apt::puppet7::dist: bullseye
profiles::pki::vaultca::ca_cert-path: /usr/local/share/ca-certificates/
profiles::packages::install:
- lzop
- python3.11-venv
- xz-utils
lm-sensors::package: lm-sensors

1
hieradata/roles/apps.yaml Normal file
View File

@ -0,0 +1 @@
---

6
hieradata/roles/infra.yaml Normal file
View File

@ -0,0 +1,6 @@
---
profiles::packages::install:
- policycoreutils
puppetdb::master::config::create_puppet_service_resource: false
#puppetdb::master::config::puppetdb_host: "%{lookup('profiles::puppet::puppetdb::puppetdb_host')}"

2
hieradata/roles/infra/cobbler/server.eyaml Normal file
View File

@ -0,0 +1,2 @@
---
profiles::cobbler::params::default_password_crypted: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAJidO18dSzKXgDEvFhigrDmiMTW+D7obTCZVAvl0JzQ6nqRdnh6Xa+j+yc7YzYtCg9VH60vfcutHFGhJptlMbTQq3vSUoF9ylgTutaW/to4T8jb8gBqK1n7b+devEQh4soJtOdAPSidCX4aqsP9dK3I8IijNWMABz59usGbY6oWedmC4865PBcxyIu3phWynNULTXPBEAqdXAutkh4N3P1ydFk3eARCVS3uWo7zaXVsu4vIkjYRDCUyFXBWb12L/NmQ2EhGwckPwgX/rcKRL9r49GxQTLBHJ5MoHQanwoiRw+5Tz3qLW69z+hk91VpnpkZgANc081rmhdyp6qmuIAVDBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBiDUwXVJ6mmwzt4YAxg3+qgDDWm5mlWEgsZqCHwG0n94v7oqCBqY2WQdTJAM3TtKlX2nOPlLEmfLrwqtsS2r3QzLo=]

21
hieradata/roles/infra/cobbler/server.yaml Normal file
View File

@ -0,0 +1,21 @@
---
profiles::packages::install:
- cobbler
- cobbler3.2-web
- httpd
- syslinux
- dnf-plugins-core
- debmirror
- pykickstart
- fence-agents
- selinux-policy-devel
- ipxe-bootimgs
profiles::pki::vault::alt_names:
- cobbler.main.unkin.net
profiles::cobbler::params::service_cname: 'cobbler.main.unkin.net'
profiles::selinux::setenforce::mode: permissive
hiera_classes:
- profiles::selinux::setenforce

77
hieradata/roles/infra/dhcp/server.yaml Normal file
View File

@ -0,0 +1,77 @@
---
profiles::dhcp::server::ntpservers:
- ntp01.main.unkin.net
- ntp02.main.unkin.net
profiles::dhcp::server::interfaces:
- eth0
profiles::dhcp::server::default_lease_time: 1200
profiles::dhcp::server::globaloptions:
- 'arch code 93 = unsigned integer 16'
profiles::dhcp::server::pools:
syd1-prod:
network: 198.18.15.0
mask: 255.255.255.0
range:
- '198.18.15.200 198.18.15.220'
gateway: 198.18.15.254
nameservers:
- 198.18.13.12
- 198.18.13.13
domain_name: main.unkin.net
pxeserver: 198.18.13.27
syd1-test:
network: 198.18.16.0
mask: 255.255.255.0
range:
- '198.18.16.200 198.18.16.220'
gateway: 198.18.16.254
nameservers:
- 198.18.13.12
- 198.18.13.13
domain_name: main.unkin.net
pxeserver: 198.18.13.27
syd1-prod1:
network: 198.18.13.0
mask: 255.255.255.0
range:
- '198.18.13.200 198.18.13.220'
gateway: 198.18.13.254
nameservers:
- 198.18.13.12
- 198.18.13.13
domain_name: main.unkin.net
pxeserver: 198.18.13.27
syd1-prod2:
network: 198.18.14.0
mask: 255.255.255.0
range:
- '198.18.14.200 198.18.14.220'
gateway: 198.18.14.254
nameservers:
- 198.18.13.12
- 198.18.13.13
domain_name: main.unkin.net
pxeserver: 198.18.13.27
drw1-prod:
network: 198.18.17.0
mask: 255.255.255.0
range:
- '198.18.17.200 198.18.17.220'
gateway: 198.18.17.1
nameservers:
- 198.18.17.7
- 198.18.17.8
domain_name: main.unkin.net
pxeserver: 198.18.13.27
# UFI 64-bit
profiles::dhcp::server::classes:
UEFI-64:
parameters:
- 'match if option arch = 00:07 or option arch = 00:09'
- 'filename "/ipxe.efi"'
Legacy:
parameters:
- 'match if option arch = 00:00'
- 'filename "/undionly.kpxe"'

2
hieradata/roles/infra/dns.yaml Normal file
View File

@ -0,0 +1,2 @@
---
prometheus::bind_exporter::export_scrape_job: true

3
hieradata/roles/infra/dns/master.eyaml Normal file
View File

@ -0,0 +1,3 @@
---
profiles::dns::master::secret: ENC[PKCS7,MIIBygYJKoZIhvcNAQcDoIIBuzCCAbcCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAJSp35spGbW0doI4arooNlpVW8JFlftPttnCE/P9bsmlCiA2DIfqu+ug3ZpHc7ELjA+PLJ7/IwZmpm+pfKpeSfZhw3zxFSpGUAi1q94VUnqLx6AbTgWJKT2ral6ZM/PGQSYaZB22rSvMWN7S7ow57yka3umW1KzUVDvqonJkFV2rrcfMrQU+xUm1BqHYd/zHcX6U5q4zAX3GG66jHYJzhMtzjUCeGaDZoMdw7T0nLGA5JFfVbXml3P/EH3lNMWtKT4LVEuJEier+GQA3y4mAwnKTiOml0DWH5Imbrx5beqEnsnN1AETTM21oq8Iv8kJEQMnxo0xxWj74MLG3/c1oB1zCBjAYJKoZIhvcNAQcBMB0GCWCGSAFlAwQBKgQQMoKOR5PV7MNG9dCAu2sDF4BgCaGIhzEdQIcKBcst+u7vq2pw5vGBeTdz0J+waFyL9IrBmNu9akfIanKauYEU1cPa9KwT5tW2AG4yGpOebW/W+zjlUvupvctWG81zMTrq6So/zSl5dcHU0gX9R8zBb0vF]

68
hieradata/roles/infra/dns/master.yaml Normal file
View File

@ -0,0 +1,68 @@
---
profiles::dns::master::ns_role: roles::infra::dns::master
profiles::dns::master::use_ns: region
profiles::dns::master::acls:
acl-main.unkin.net:
addresses:
- 198.18.13.0/24
- 198.18.14.0/24
- 198.18.15.0/24
- 198.18.16.0/24
- 198.18.17.0/24
profiles::dns::master::zones:
main.unkin.net:
domain: 'main.unkin.net'
zone_type: 'master'
dynamic: false
ns_notify: true
source: '/var/named/sources/main.unkin.net.conf'
13.18.198.in-addr.arpa:
domain: '13.18.198.in-addr.arpa'
zone_type: 'master'
dynamic: false
ns_notify: true
source: '/var/named/sources/13.18.198.in-addr.arpa.conf'
14.18.198.in-addr.arpa:
domain: '14.18.198.in-addr.arpa'
zone_type: 'master'
dynamic: false
ns_notify: true
source: '/var/named/sources/14.18.198.in-addr.arpa.conf'
15.18.198.in-addr.arpa:
domain: '15.18.198.in-addr.arpa'
zone_type: 'master'
dynamic: false
ns_notify: true
source: '/var/named/sources/15.18.198.in-addr.arpa.conf'
16.18.198.in-addr.arpa:
domain: '16.18.198.in-addr.arpa'
zone_type: 'master'
dynamic: false
ns_notify: true
source: '/var/named/sources/16.18.198.in-addr.arpa.conf'
17.18.198.in-addr.arpa:
domain: '17.18.198.in-addr.arpa'
zone_type: 'master'
dynamic: false
ns_notify: true
source: '/var/named/sources/17.18.198.in-addr.arpa.conf'
profiles::dns::master::views:
master-zones:
recursion: false
zones:
- main.unkin.net
- 13.18.198.in-addr.arpa
- 14.18.198.in-addr.arpa
- 15.18.198.in-addr.arpa
- 16.18.198.in-addr.arpa
- 17.18.198.in-addr.arpa
match_clients:
- acl-main.unkin.net
profiles::dns::master::keys:
rndskey:
secret_bits: 512
algorithm: hmac-sha256
secret: "%{lookup('profiles::dns::master::secret')}"

84
hieradata/roles/infra/dns/resolver.yaml Normal file
View File

@ -0,0 +1,84 @@
---
profiles::dns::resolver::acls:
acl-main.unkin.net:
addresses:
- 10.10.8.1/32
- 198.18.21.160/27
- 198.18.21.192/27
- 198.18.13.0/24
- 198.18.14.0/24
- 198.18.15.0/24
- 198.18.16.0/24
- 198.18.17.0/24
profiles::dns::resolver::zones:
8.10.10.in-addr.arpa-forward:
domain: '8.10.10.in-addr.arpa'
zone_type: 'forward'
forwarders:
- 10.10.16.32
- 10.10.16.33
forward: 'only'
16.10.10.in-addr.arpa-forward:
domain: '16.10.10.in-addr.arpa'
zone_type: 'forward'
forwarders:
- 10.10.16.32
- 10.10.16.33
forward: 'only'
20.10.10.in-addr.arpa-forward:
domain: '20.10.10.in-addr.arpa'
zone_type: 'forward'
forwarders:
- 10.10.16.32
- 10.10.16.33
forward: 'only'
unkin.net-forward:
domain: 'unkin.net'
zone_type: 'forward'
forwarders:
- 10.10.16.32
- 10.10.16.33
forward: 'only'
dmz.unkin.net-forward:
domain: 'dmz.unkin.net'
zone_type: 'forward'
forwarders:
- 10.10.16.32
- 10.10.16.33
forward: 'only'
network.unkin.net-forward:
domain: 'network.unkin.net'
zone_type: 'forward'
forwarders:
- 10.10.16.32
- 10.10.16.33
forward: 'only'
prod.unkin.net-forward:
domain: 'prod.unkin.net'
zone_type: 'forward'
forwarders:
- 10.10.16.32
- 10.10.16.33
forward: 'only'
profiles::dns::resolver::views:
openforwarder:
recursion: true
zones:
- main.unkin.net-forward
- unkin.net-forward
- dmz.unkin.net-forward
- network.unkin.net-forward
- prod.unkin.net-forward
- consul-forward
- 13.18.198.in-addr.arpa-forward
- 14.18.198.in-addr.arpa-forward
- 15.18.198.in-addr.arpa-forward
- 16.18.198.in-addr.arpa-forward
- 17.18.198.in-addr.arpa-forward
- 8.10.10.in-addr.arpa-forward
- 16.10.10.in-addr.arpa-forward
- 20.10.10.in-addr.arpa-forward
match_clients:
- acl-main.unkin.net

3
hieradata/roles/infra/git/gitea.eyaml Normal file
View File

@ -0,0 +1,3 @@
---
profiles::gitea::init::mysql_pass: ENC[PKCS7,MIIBiQYJKoZIhvcNAQcDoIIBejCCAXYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAjmMVHQcvy0PLruFWI6UmYqM2uEqXntV8HdA54RCTm7GaneXsW+rom+ibFVd0i9L+spQPQzcidh7FlzBRYgny8yH8TqZlh7XMraXSYG2EvrjwzNvgnwhY5mGEQNQcQkqN9Orfsf6HjXmXg2CxajYibKu0/belJZFffzPzzrn15wy3Cj5lDjAziqYoD+8Ko1zkF9lWz4ewVjll82yo8iSpidN+PyvoeWsi/eJ9cW72TgFLt/rvGquLq3MuW54J716hrR1Z37Uf0OO18AiKCVjoCi5Cf/k0VKRsXM8Myu2KInqrGcUHAO+fsOXBXnmU0MOxW0OIOmwxfwY6LJfN23arlDBMBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBB6GktEMe8gSTijJ/dIHC5/gCCblMojNKO1ig9fNsuT9I2u5Bt4iJrSMN+GBGnCzO1Bvw==]
profiles::gitea::init::lfs_jwt_secret: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEACd6q4E/4l1EYD3SFjc1okibyJ13kcGGWU+ShbCgwLgkW7INkyCxhbNm69yPA7WcyuRhH/Lfz/XjJKd3BSCyRQPr5IUOIRINspx82tLBcaMzY/99GFrfyDnf3+SV/AxrPJ/zD5TGkKQP7uX6WjC9DXpHE+pFJa9wBAipmV439y0JDVt2gXFmhqBWThSjBDBfJ5X4zO5wY8CfBX4APOcD5hIQP/T4n04dQLNpigEKKy6B+GFuooTbdmMmFj3ZpT+cUS8Aw9mFkBwyyN1o+50XU3vW4eieUz8cYkzDPu574XfTunqD2jcvPiFjCla8G1SpKfHkruKnZWwgO0Ntw9td5QDBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBAIRVL5j4dzbYg6f2XjvkQ6gDAd2qUNzPn2flZgKwsjIZcYdmFMTn48hGPUFfVaMDeyzPoJi84CyRJl8cQvcAe52sw=]

39
hieradata/roles/infra/git/gitea.yaml Normal file
View File

@ -0,0 +1,39 @@
---
# additional altnames
profiles::pki::vault::alt_names:
- git.main.unkin.net
- git.service.consul
- git.query.consul
- "git.service.%{facts.country}-%{facts.region}.consul"
consul::services:
git:
service_name: 'git'
tags:
- 'git'
- 'gitea'
address: "%{facts.networking.ip}"
port: 443
checks:
- id: 'gitea_https_check'
name: 'Gitea HTTPS Check'
http: "https://%{facts.networking.fqdn}:443"
method: 'GET'
tls_skip_verify: true
interval: '10s'
timeout: '1s'
profiles::consul::client::node_rules:
- resource: service
segment: git
disposition: write
# manage a simple nginx reverse proxy
profiles::nginx::simpleproxy::nginx_vhost: 'git.query.consul'
profiles::nginx::simpleproxy::nginx_aliases:
- git.main.unkin.net
- git.service.consul
- git.query.consul
- "git.service.%{facts.country}-%{facts.region}.consul"
profiles::nginx::simpleproxy::proxy_port: 3000
profiles::nginx::simpleproxy::proxy_path: '/'
nginx::client_max_body_size: 250M

91
hieradata/roles/infra/halb/haproxy.yaml Normal file
View File

@ -0,0 +1,91 @@
---
profiles::haproxy::ls_stats::port: 9090
profiles::haproxy::ls_stats::user: 'admin'
profiles::selinux::setenforce::mode: permissive
profiles::haproxy::selinux::ports:
- 9090
profiles::haproxy::selinux::sebooleans:
- haproxy_connect_any
profiles::haproxy::server::globals:
log:
- /dev/log local0
- /dev/log local1 notice
stats:
- timeout 30s
- socket /var/lib/haproxy/stats
ca-base: /etc/ssl/certs
crt-base: /etc/ssl/private
ssl-default-bind-ciphers: EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
ssl-default-bind-options: 'ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.3'
ssl-default-server-ciphers: kEECDH+aRSA+AES:kRSA+AES:+AES256:RC4-SHA:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL
ssl-default-server-options: no-sslv3
tune.ssl.default-dh-param: 2048
profiles::haproxy::server::defaults:
mode: http
option:
- httplog
- dontlognull
- http-server-close
- forwardfor except 127.0.0.0/8
- redispatch
timeout:
- http-request 10s
- queue 1m
- connect 10s
- client 5m
- server 5m
- http-keep-alive 10s
- check 10s
retries: 3
maxconn: 5000
profiles::haproxy::frontends:
fe_http:
description: 'Global HTTP Frontend'
bind:
0.0.0.0:80:
- transparent
mode: 'http'
options:
acl:
- 'acl-letsencrypt path_beg /.well-known/acme-challenge/'
http-request:
- 'set-header X-Forwarded-Proto https'
- 'set-header X-Real-IP %[src]'
fe_https:
description: 'Global HTTPS Frontend'
bind:
0.0.0.0:443:
- ssl
- crt-list /etc/haproxy/certificate.list
- ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
- force-tlsv12
mode: 'http'
options:
acl:
- 'acl-letsencrypt path_beg /.well-known/acme-challenge/'
http-request:
- 'set-header X-Forwarded-Proto https'
- 'set-header X-Real-IP %[src]'
profiles::haproxy::backends:
be_letsencrypt:
description: Backend for LetsEncrypt Verifications
collect_exported: true
options:
balance: roundrobin
be_default:
description: Backend for unmatched HTTP traffic
collect_exported: true
options:
balance: roundrobin
option:
- httpchk GET /
- forwardfor
cookie: SRVNAME insert
http-request:
- set-header X-Forwarded-Port %[dst_port]
- add-header X-Forwarded-Proto https if { dst_port 443 }

11
hieradata/roles/infra/metrics/prometheus.yaml Normal file
View File

@ -0,0 +1,11 @@
---
profiles::metrics::server::version: '2.48.0'
profiles::metrics::server::manage_user: true
profiles::metrics::server::manage_group: true
profiles::metrics::server::retention: 30d
profiles::metrics::server::scrape_jobs:
- node
- bind
- puppetdb
- systemd
profiles::metrics::server::localstorage: /data/prometheus

14
hieradata/roles/infra/ntp/server.yaml Normal file
View File

@ -0,0 +1,14 @@
---
profiles::ntp::client::client_only: false
profiles::ntp::server::allowquery:
- '198.18.13.0/24'
- '198.18.14.0/24'
- '198.18.15.0/24'
- '198.18.16.0/24'
- '198.18.17.0/24'
profiles::ntp::server::peers:
- '0.au.pool.ntp.org'
- '1.au.pool.ntp.org'
- '2.au.pool.ntp.org'
- '3.au.pool.ntp.org'

50
hieradata/roles/infra/ovirt/engine.yaml Normal file
View File

@ -0,0 +1,50 @@
---
profiles::yum::global::repos:
centos_8_advanced_virtualization:
name: 'virt-advanced-virtualization'
descr: 'CentOS Advanced Virtualization'
target: /etc/yum.repos.d/ovirt.repo
baseurl: https://edgecache.query.consul/centos/8-stream/virt/x86_64/advancedvirt-common
gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Virtualization'
centos_8_ceph_pacific:
name: 'storage-ceph-pacific'
descr: 'CentOS Ceph Pacific'
target: /etc/yum.repos.d/ovirt.repo
baseurl: https://edgecache.query.consul/centos/8-stream/storage/x86_64/ceph-pacific
gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Storage'
centos_8_rabbitmq_38:
name: 'messaging-rabbitmq-38'
descr: 'CentOS RabbitMQ 38'
target: /etc/yum.repos.d/ovirt.repo
baseurl: https://edgecache.query.consul/centos/8-stream/messaging/x86_64/rabbitmq-38
gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Messaging'
centos_8_nfv_openvswitch:
name: 'nfv-openvswitch-2'
descr: 'CentOS NFV OpenvSwitch'
target: /etc/yum.repos.d/ovirt.repo
baseurl: https://edgecache.query.consul/centos/8-stream/nfv/x86_64/openvswitch-2
gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-NFV'
centos_8_openstack_xena:
name: 'cloud-openstack-xena'
descr: 'CentOS OpenStack Xena'
target: /etc/yum.repos.d/ovirt.repo
baseurl: https://edgecache.query.consul/centos/8-stream/cloud/x86_64/openstack-xena
gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Cloud'
centos_8_opstools:
name: 'opstools-collectd-5'
descr: 'CentOS OpsTools - collectd'
target: /etc/yum.repos.d/ovirt.repo
baseurl: https://edgecache.query.consul/centos/8-stream/opstools/x86_64/collectd-5
gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-OpsTools'
centos_8_ovirt45:
name: 'virt-ovirt-45'
descr: 'CentOS oVirt 4.5'
target: /etc/yum.repos.d/ovirt.repo
baseurl: https://edgecache.query.consul/centos/8-stream/virt/x86_64/ovirt-45
gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Virtualization'
centos_8_stream_gluster10:
name: 'storage-gluster-10'
descr: 'CentOS oVirt 4.5 - Glusterfs 10'
target: /etc/yum.repos.d/ovirt.repo
baseurl: https://edgecache.query.consul/centos/8-stream/storage/x86_64/gluster-10
gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Storage'

58
hieradata/roles/infra/ovirt/node.yaml Normal file
View File

@ -0,0 +1,58 @@
---
profiles::firewall::firewalld::ensure_package: 'installed'
profiles::firewall::firewalld::ensure_service: 'running'
sudo::purge_ignore:
- '50_vdsm'
- '50_vdsm_hook_ovirt_provider_ovn_hook'
- '60_ovirt-ha'
profiles::yum::global::repos:
centos_8_advanced_virtualization:
name: 'virt-advanced-virtualization'
descr: 'CentOS Advanced Virtualization'
target: /etc/yum.repos.d/ovirt.repo
baseurl: https://edgecache.query.consul/centos/8-stream/virt/x86_64/advancedvirt-common
gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Virtualization'
centos_8_ceph_pacific:
name: 'storage-ceph-pacific'
descr: 'CentOS Ceph Pacific'
target: /etc/yum.repos.d/ovirt.repo
baseurl: https://edgecache.query.consul/centos/8-stream/storage/x86_64/ceph-pacific
gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Storage'
centos_8_rabbitmq_38:
name: 'messaging-rabbitmq-38'
descr: 'CentOS RabbitMQ 38'
target: /etc/yum.repos.d/ovirt.repo
baseurl: https://edgecache.query.consul/centos/8-stream/messaging/x86_64/rabbitmq-38
gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Messaging'
centos_8_nfv_openvswitch:
name: 'nfv-openvswitch-2'
descr: 'CentOS NFV OpenvSwitch'
target: /etc/yum.repos.d/ovirt.repo
baseurl: https://edgecache.query.consul/centos/8-stream/nfv/x86_64/openvswitch-2
gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-NFV'
centos_8_openstack_xena:
name: 'cloud-openstack-xena'
descr: 'CentOS OpenStack Xena'
target: /etc/yum.repos.d/ovirt.repo
baseurl: https://edgecache.query.consul/centos/8-stream/cloud/x86_64/openstack-xena
gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Cloud'
centos_8_opstools:
name: 'opstools-collectd-5'
descr: 'CentOS OpsTools - collectd'
target: /etc/yum.repos.d/ovirt.repo
baseurl: https://edgecache.query.consul/centos/8-stream/opstools/x86_64/collectd-5
gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-OpsTools'
centos_8_ovirt45:
name: 'virt-ovirt-45'
descr: 'CentOS oVirt 4.5'
target: /etc/yum.repos.d/ovirt.repo
baseurl: https://edgecache.query.consul/centos/8-stream/virt/x86_64/ovirt-45
gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Virtualization'
centos_8_stream_gluster10:
name: 'storage-gluster-10'
descr: 'CentOS oVirt 4.5 - Glusterfs 10'
target: /etc/yum.repos.d/ovirt.repo
baseurl: https://edgecache.query.consul/centos/8-stream/storage/x86_64/gluster-10
gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Storage'

7
hieradata/roles/infra/proxmox.yaml Normal file
View File

@ -0,0 +1,7 @@
---
sudo::configs:
ceph-smartctl:
priority: 20
content: |
ceph ALL=NOPASSWD: /usr/sbin/smartctl -x --json=o /dev/*
ceph ALL=NOPASSWD: /usr/sbin/nvme * smart-log-add --json /dev/*

3
hieradata/roles/infra/puppet.yaml Normal file
View File

@ -0,0 +1,3 @@
---
profiles::packages::install:
- puppetserver

3
hieradata/roles/infra/puppet/master.eyaml Normal file
View File

@ -0,0 +1,3 @@
---
profiles::puppet::eyaml::publickey: ENC[PKCS7,MIIFjQYJKoZIhvcNAQcDoIIFfjCCBXoCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAizhVN1svMJqLlkDWcm/qhMNajKL9G7GvBxG04dOdYLUu99wgmIlD1vetNIoJrQ6defmVuMMzT3IxzIDrRf8QEVL7hstIFoGlhv0ObBewjLJY34v3B7Sxj0nv8XPTLd8Q6LZQb+KSo0SLQxbjEw60qAl5DbDqXUNOx2OIV3yP1IaCzzi6llb1ZOWPcBESt6HEnLzqkwzEK+2/QGBOMqChP1EP7JHFrWQw5YYCLUcYCLVts1K57Q7ThFwckUA0v8Vh9HdlZqA0XPxKyVK7nfw/Y1CpwRTwZ8GYnry1/iLNYjFGkDU0V5pf+ZhlZfIChVccma9NCSlQtA+7DikNcpLTfTCCBE4GCSqGSIb3DQEHATAdBglghkgBZQMEASoEEJQ4jJz/oSqW79tDOSv2pWCAggQgvi+p2P7tkIY4c0yNEIFjnXa3Imopg4bZ29TQJnPLAqVM7Bexh0XhxAjWk8YFvxQ0Yio+3JKlvqlsFVpecumV6NHwVPe521Hl7l88eRvgCHBC3tVm98+N2A0GdGbT+begqsj0nPTDScixJE79dGZK6/qgf3NuYPCj+drFwWrDuZXpIYMHJcOrVhqlg4RFW4ZYUxbsAC2eNFXUF0bYpKej3voCnlj/o6RxLEC/Gv2T66e9sFjeANo9W84uAfZ1t4cweVzYh1h6Yiw+0ewWA6ndg8thgr2Uk9JdpjXzS0QTtElGmNv+tZmCH45o0HUunPZs0gkn5unT0pzZosqgSeu0HdHcsImJpuJVRIVjAXypku7LtBKnP3VA5iXi2lld/suEOeeU18Aw3pxFQrKV3cexiWLa4mpKn8JR1HBxw4NcLj3/fes41fxW0zLyY8m4MksaIpc4BXz33uup5rHdVblbD1raZJPAg7k8KufStsRBmeokdysF+PJebrCfTH8goR3BWGfCVWQEoDjB2wAhVTQKuzAh3d51k+s4uvJchNBDgfGt/s9hdBFU/VQTZUyOoSEOwxB1857sOF3iPLM1233XEhZd2AOl4h5xy1z3+aSOG0jiihWt6QdosUig/IHxyO4gWaEO37iaLlF0ZVSJKjOV/IBCHJAaAG476uSNv+kTKgvu0PQtIfcKHpa1ppHi96fO8FKX76l26VoGKf/kMi6bWdTObYZnyiN7fz342ewMpwu70wQQWo33riK0hhF6bRu40J/KmgoUaUz3jSnErv+EeeREYww5SSNlMhpQNBNj+WfEDRC4Zx9VsF1cjtTY1um0kYdoyTHBLH6V1oAEiFIScHqkW1zKVAEiBh2v6C1U3fwAzOyAbnDlBrsuhnVxbJa8O1d5yw+U2py6xdC3Wq6FsAP9kdfDu+mjNDOwwJWZa8iTj3NHum1G6xklF2JHtmp2p1gY0e/JCETIk5Xh1okf404F9Xi+CWvlmlPXie9SdwgyJWpXOM60pJN2iMOFKPGn4chppMka38HakDKbdNNTELxNE+/yVECT0uQ8iBvETX1FU+y4LpGFghmwAIiKB1HZXx/0Gof0+txj/p9AgnpeVvDbq4iiZOulcu2BepsrFDg2zNLollfhAo+6QvElpk2MI1yHrg3OaTt7U8JV1dxHyIWjbtRvbiiS1E6mKGiOpkIQd/IHBjkujvEd7LVeE721HrLdGRaTR9QJfTR8jPZGHMlZa14a2pcxliyYd9RFSVOkVZH2LetuSWStQ1gPdBEeKDSWyFBA0Rxzlw2Sl25MJ4PAIpimyUYrnxTa2XgHyavMa0kjVAhX15+ywze2ypOVnB9/q3L3M5JCq+eaOBicJQiERX4h7Yj499S9Y/2nxk2DOUxi965BDIZGSG3/qOtl]
profiles::puppet::eyaml::privatekey: ENC[PKCS7,MIIH/QYJKoZIhvcNAQcDoIIH7jCCB+oCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAkH2q64bYf5Es/YNK6c6d5t9PYcbc9NGzC6F2AzjWeLV9rdT+DBNmhPeyHN4jR6edzLRaNL+u3cuur3mTxwSJcEXdyHQSbXJLlGpd9CPEjuerqdsXkFvamP//nHjwvSosBUo4PKtllphX0XHP6JS0Mm+nukv0YyDk+63+cETuyP5M1FVsLSK8ZWblOn1uBgNhhjGZF5nNeayjJKloWdVY8+pS8L6/y0QprF05oLDvI0JgK9wud8NID+LCNtb2Z5/mq2ScpMB/r/ji/oPHs40zhANqOiAuy/sUWwIivdB2iKKvcLfJ8tbtCanXuQxboqnulL1+C87Y4m1rmk4cNtKU3DCCBr4GCSqGSIb3DQEHATAdBglghkgBZQMEASoEELXUERpdYNf8m2IXbCw/MxiAggaQ187hqDCftN9RvnFRHnlHyPZijykRgs558tdh0yA8GscJ9vim8kxQXrxM6gqAGgmV7xYnpyK0pvEn0/6cEFkcBkpkQOtlyil+4WB9bcLJIF4LzPut0pz4Eq/6zMSM9PGWCRFe3ufkdoDq5M1SlHa/Aoi/LwNu5EFFlFZeeDiZyUMupLJUHbTQ+wt2JgQLfpBzeCGb5BRLvSPH0+Y7ShwHgp2ZCtxc/tT5cdQq5a3+tt9ZYSy5Hj+c8I2WBPm3wghA7QULCB1+42K4A8BJ7HQucaT1mRMc0QnCt68xQkhBulxGnADPaRAWICmuAF2KBv/eS74TdYj3z0OCSZW5k1wDBz8FCSIodn2a1LgBMrFRCAS2fwRn7Hc0yguCRl9ppERW+8K3pg7aAiBqJbeTwQN/VICNan92y+cbUndO9a/U16zKD4SxfW8PMwSu/qz6i45gUjQ83THjwNAE6el0lYFYivBsEEg66Sqo2cXtPQlAdB8lOsS34TQq21zipikgAAii0mGoH738t2CYL6tMUGthpcfXLioU0AhXjLVED1PIpmWxieFENWO8SUx3NjXyoefBVQrzc1PPAgeVGSaOBoJSN7xNx3/RQhWck0240DZmi+41z5CF1z91eZY+ZJYa/SaHVWWZ7GgQDEXGnWKQkMZce6RK0qw0/8B0x5O6aIlBrB7aSVQIkDLSUw8bq7N5dAeKXLu+2QHhG1yl+Bmn1xDMILFphJNT2ZNXkoSd0r1WUePWBEFCOBPsu3cHaK9DZiXSdfJ3dY+1NYuVZDQshQ1Fe4IKpHm/0mtz60DjrTTaJ3kAsPLCpeFGJ+1U/TdO+IgPAsiHUIaDRtv19ZeH7/Pa/kAceIe16F8CRNkzJ62D8CH4RYEXxTJ7oogYbhsw+5WQ3ZGzJHNvxcX4EVofjIsr2uIQEAVTu9VSDY2LyihJBEs0EBw25dai52u2g1Jjtteod9p6B+rwrcVGKAzdEo7nF9qK6+dS8VlfFbmbU1/ulIpM0hUr3ZFsUSv1qUGqUmYdgndvE0+gHop71fsnQRmT9wTdQlUs7RC0+BPWvf7eGljJT+omDwv+wSShikWku9ZSk58HqZ74f2RizxL7Ny8SWCkOf1u+Gi8kalMhr+1p8e39S6WTws8rJHxIQrzfY7aqZwYIZzLl4JMnqBvbkUlCEKNHmVAVt6AgPGfTmoEzSgulHEMCETuBQl4dS8mtFvWRKCy0jC2fAUfIAoihoh/2g3MTbKQCM3aSHrqyPTAduN2VkQwTM4JmgU6YYWy4kXjPWsgEm+FjqOKQqd5Q5bwIOoFLSVQgrTtoKVUXzK8VbTDNDhLj+LggB9MMncr5X44LkdtrktYWeQ1CbBGYUTNHyXxT2nbJm7DJos4zjSIqnkSiR2VyRAkxF9TSXjnZwtsziXC4gdonjA+ImV5aUvL5aTO2zbTYQOqgrauS/SWS4tXbZ4Thw86d2zbO32Kvuu4bfHVTN087eiRuiFmjtz43PwBRMxjABLDe/ZRUHLDomAVydTS98aIswUb33jHoPtEkz4bWEtZlhwrqguvPzLSJT1SNZnDhNsdzO96GDB2vtvXmIiQq+/8jh0LKIoOCFWKsFfB0GrkZZvLnF6oQQ/MiYNNY1TLnHMAg2uSF+ap/g8QRvfE5FX2UquYE1ATeD+8iRw0g2crNXGVRynBo6ESd5O+zwcMitO/Re9tQM4rfNj83VgWeSUNLxhOZmbYs0hDEbS0lXIWa1NbASuXWk/FBXzr8X/ZdlZPWAMWe3J9Bqh6e1FhgGD6ZZmSTYxHzlz5TNCf+aMqnJRb5eyN+UM5iWgW/VpAlKWMl98c1lsKwccAS/SH2zugKwBT8Bf/4wnbpHrZe817vVF7raVcaYvNnYTzdSQCcnvRK/D40sqleOhtfX/vdjOFWfoukbEJnXNytkTZeKrBm83z6tmYe4siQdfn4X9/lGNWEDyjYiJX8czH6yMlRW+FposOpE4Y9Dgs694iPHmYt1/1VbuW240uG6VT/d+OjSD5L6JfTT47pghoWTl0dQGbKd3kmoku7C7ll5etCdz5UIY2JOmS1gx6NgvsElJyflgQHgXLiSKpB0iSZ7zTRKlBmRG7uiU582nkbXHQ7BwZkP3nq95bgtCmk+0pvioYYg/jK8hvuiv+b8Ez2pHaTLabn/jYww8ewIZz0W5mWgcCDwdebtP2CCSnB2IPjyzAh2TW8JTljeoJAe9ai+iqiX4400R2hXZl6KMpC]

75
hieradata/roles/infra/puppet/master.yaml Normal file
View File

@ -0,0 +1,75 @@
---
profiles::puppet::autosign::subnet_ranges:
- '198.18.13.0/24'
- '198.18.14.0/24'
- '198.18.15.0/24'
- '198.18.16.0/24'
- '198.18.17.0/24'
profiles::puppet::autosign::domains:
- '*.main.unkin.net'
# profiles::puppet::autosign::nodes:
# - 'somenode.main.unkin.net'
profiles::puppet::cobbler_enc::cobbler_scheme: https
profiles::puppet::cobbler_enc::cobbler_hostname: cobbler.main.unkin.net
profiles::puppet::cobbler_enc::version: 'system'
profiles::puppet::cobbler_enc::packages:
- 'requests'
- 'PyYAML'
profiles::puppet::enc::repo: https://git.service.au-syd1.consul/unkinben/puppet-enc.git
profiles::puppet::r10k::r10k_repo: https://git.service.au-syd1.consul/unkinben/puppet-r10k.git
profiles::puppet::g10k::bin_path: '/opt/puppetlabs/bin/g10k'
profiles::puppet::g10k::cfg_path: '/etc/puppetlabs/r10k/r10k.yaml'
profiles::puppet::g10k::environments_path: '/etc/puppetlabs/code/environments'
profiles::puppet::g10k::default_environment: 'develop'
profiles::puppet::gems::puppet:
- 'deep_merge'
- 'ipaddr'
- 'hiera-eyaml'
profiles::helpers::certmanager::vault_config:
addr: 'https://vault.query.consul:8200'
mount_point: 'pki_int'
approle_path: 'approle'
role_name: 'servers_default'
output_path: '/tmp/certmanager'
role_id: "%{lookup('certmanager::role_id')}"
profiles::puppet::server::agent_server: 'puppet.query.consul'
profiles::puppet::server::report_server: 'puppet.query.consul'
profiles::puppet::server::ca_server: 'puppetca.query.consul'
profiles::puppet::server::dns_alt_names:
- "%{facts.networking.fqdn}"
- "%{facts.networking.hostname}"
- puppetmaster.main.unkin.net
- puppet.main.unkin.net
- puppet.service.consul
- puppet.query.consul
- puppetmaster
- puppet
consul::services:
puppet:
service_name: 'puppet'
tags:
- 'puppet'
- 'master'
address: "%{facts.networking.ip}"
port: 8140
checks:
- id: 'puppet_https_check'
name: 'Puppet HTTPS Check'
http: "https://%{facts.networking.fqdn}:8140/status/v1/simple"
method: 'GET'
tls_skip_verify: true
interval: '10s'
timeout: '1s'
profiles::consul::client::node_rules:
- resource: service
segment: puppet
disposition: write
- resource: service
segment: puppetca
disposition: write

35
hieradata/roles/infra/puppetboard/server.yaml Normal file
View File

@ -0,0 +1,35 @@
---
# additional servername aliases
profiles::puppet::puppetboard::nginx_aliases:
- puppetboard.service.consul
- puppetboard.query.consul
- "puppetboard.service.%{facts.country}-%{facts.region}.consul"
- "%{facts.networking.fqdn}"
# additional altnames
profiles::pki::vault::alt_names:
- puppetboard.main.unkin.net
- puppetboard.service.consul
- puppetboard.query.consul
- "puppetboard.service.%{facts.country}-%{facts.region}.consul"
consul::services:
puppetboard:
service_name: 'puppetboard'
tags:
- 'puppet'
- 'puppetboard'
address: "%{facts.networking.ip}"
port: 80
checks:
- id: 'puppetboard_http_check'
name: 'Puppetboard HTTP Check'
http: "http://%{facts.networking.fqdn}:80"
method: 'GET'
tls_skip_verify: true
interval: '10s'
timeout: '1s'
profiles::consul::client::node_rules:
- resource: service
segment: puppetboard
disposition: write

39
hieradata/roles/infra/puppetdb/api.yaml Normal file
View File

@ -0,0 +1,39 @@
---
profiles::puppet::puppetdb_api::java_bin: /usr/lib/jvm/jre-11/bin/java
profiles::puppet::puppetdb_api::java_args:
'-Xmx': '2048m'
'-Xms': '256m'
profiles::puppet::client::dns_alt_names:
- puppetdbapi.main.unkin.net
- puppetdbapi.service.consul
- puppetdbapi.query.consul
# additional altnames
profiles::pki::vault::alt_names:
- puppetdbapi.main.unkin.net
- puppetdbapi.service.consul
- puppetdbapi.query.consul
- puppetdbapi
consul::services:
puppetdbapi:
service_name: 'puppetdbapi'
tags:
- 'puppet'
- 'puppetdb'
- 'puppetdbapi'
address: "%{facts.networking.ip}"
port: 8080
checks:
- id: 'puppetdbapi_http_check'
name: 'PuppetDB API HTTP Check'
http: "http://%{facts.networking.fqdn}:8080"
method: 'GET'
tls_skip_verify: true
interval: '10s'
timeout: '1s'
profiles::consul::client::node_rules:
- resource: service
segment: puppetdbapi
disposition: write

1
hieradata/roles/infra/puppetdb/sql.eyaml Normal file
View File

@ -0,0 +1 @@
profiles::puppet::puppetdb_sql::consul_test_db_pass: ENC[PKCS7,MIIBiQYJKoZIhvcNAQcDoIIBejCCAXYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAes6pfgtxctlXpsD+P5bahGP46nbXdPE3EiwdWPSiFP0MKfzFKbhlfOMydhz09fXHEa5mpOY3YHxN9W0tNmbs6mMvHIKKvNog6yowv7JnsQ+D89+c3JEdbi+DPwk6wVnKQEgnSn5uzoOHJVOd7hhtX85n1VTw9iTtSPGZprh11A3VII8dkUaPu6jc35rDGV6tgPvxaYy2vVH/b7wGP+kEe9WjoYU7Qw3odrY2yloGbQ3zXGh7ZXvK9iswKIuCLAMPoaUyJpzVooV7VqD4k/zEHhRgf88RMtww//9P8OHPJ9JPM2q3zHyZzoqRfOP723AP9z2V7OyhEoUNw5npaA6TpzBMBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBJevTZmH+Qm1mxwNxHdOzHgCAelk9abLhQkUO29O5d2PP04OTTlmK51BxHb203jqZSFQ==]

39
hieradata/roles/infra/puppetdb/sql.yaml Normal file
View File

@ -0,0 +1,39 @@
---
postgresql_config_entries:
max_connections: 300
shared_buffers: '256MB'
consul::services:
puppetdbsql:
service_name: 'puppetdbsql'
tags:
- 'puppet'
- 'puppetdb'
- 'database'
address: "%{facts.networking.ip}"
port: 5432
checks:
- id: 'psql-check'
name: 'PostgreSQL Health Check'
args:
- '/usr/local/bin/check_consul_postgresql'
interval: '10s'
timeout: '1s'
profiles::consul::client::node_rules:
- resource: service
segment: puppetdbsql
disposition: write
profiles::yum::global::repos:
postgresql-15:
name: postgresql-15
descr: postgresql-15 repository
target: /etc/yum.repos.d/postgresql.repo
baseurl: https://edgecache.query.consul/postgres/yum/15/redhat/rhel-%{facts.os.release.full}-%{facts.os.architecture}
gpgkey: https://edgecache.query.consul/postgres/yum/keys/PGDG-RPM-GPG-KEY-RHEL
postgresql-common:
name: postgresql-common
descr: postgresql-common repository
target: /etc/yum.repos.d/postgresql.repo
baseurl: https://edgecache.query.consul/postgres/yum/common/redhat/rhel-%{facts.os.release.full}-%{facts.os.architecture}
gpgkey: https://edgecache.query.consul/postgres/yum/keys/PGDG-RPM-GPG-KEY-RHEL

136
hieradata/roles/infra/reposync/syncer.yaml Normal file
View File

@ -0,0 +1,136 @@
---
profiles::packages::install:
- createrepo
profiles::pki::vault::alt_names:
- repos.main.unkin.net
profiles::reposync::webserver::nginx_listen_mode: both
profiles::reposync::webserver::nginx_cert_type: vault
profiles::reposync::repos_list:
almalinux_8_9_baseos:
repository: 'BaseOS'
description: 'AlmaLinux 8.9 - BaseOS'
osname: 'almalinux'
release: '8.9'
mirrorlist: https://mirrors.almalinux.org/mirrorlist/8.9/baseos
gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux'
almalinux_8_9_appstream:
repository: 'AppStream'
description: 'AlmaLinux 8.9 - AppStream'
osname: 'almalinux'
release: '8.9'
mirrorlist: https://mirrors.almalinux.org/mirrorlist/8.9/appstream
gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux'
almalinux_8_9_highavailability:
repository: 'HighAvailability'
description: 'AlmaLinux 8.9 - HighAvailability'
osname: 'almalinux'
release: '8.9'
mirrorlist: https://mirrors.almalinux.org/mirrorlist/8.9/ha
gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux'
almalinux_8_9_powertools:
repository: 'PowerTools'
description: 'AlmaLinux 8.9 - PowerTools'
osname: 'almalinux'
release: '8.9'
mirrorlist: https://mirrors.almalinux.org/mirrorlist/8.9/powertools
gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux'
almalinux_8_9_extras:
repository: 'extras'
description: 'AlmaLinux 8.9 - extras'
osname: 'almalinux'
release: '8.9'
mirrorlist: https://mirrors.almalinux.org/mirrorlist/8.9/extras
gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux'
centos_8_advanced_virtualization:
repository: 'virt-advanced-virtualization'
description: 'CentOS Advanced Virtualization'
osname: 'centos'
release: '8' # Assumed static value for demonstration
mirrorlist: 'http://mirrorlist.centos.org/?release=8&arch=x86_64&repo=virt-advanced-virtualization' # Assuming 'stream' and 'x86_64'
gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Virtualization'
centos_8_ceph_pacific:
repository: 'storage-ceph-pacific'
description: 'CentOS Ceph Pacific'
osname: 'centos'
release: '8' # Assumed static value for demonstration
mirrorlist: 'http://mirrorlist.centos.org/?release=8&arch=x86_64&repo=storage-ceph-pacific' # Assuming '8' and 'x86_64'
gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Storage'
centos_8_rabbitmq_38:
repository: 'messaging-rabbitmq-38'
description: 'CentOS RabbitMQ 38'
osname: 'centos'
release: '8-stream' # Specified based on the repository name
mirrorlist: 'http://mirrorlist.centos.org/?release=8-stream&arch=x86_64&repo=messaging-rabbitmq-38' # Assuming '8' and 'x86_64'
gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Messaging'
centos_8_nfv_openvswitch:
repository: 'nfv-openvswitch-2'
description: 'CentOS NFV OpenvSwitch'
osname: 'centos'
release: '8-stream' # Assumed static value for demonstration
mirrorlist: 'http://mirrorlist.centos.org/?release=8-stream&arch=x86_64&repo=nfv-openvswitch-2' # Assuming 'stream' and 'x86_64'
gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-NFV'
centos_8_openstack_xena:
repository: 'cloud-openstack-xena'
description: 'CentOS OpenStack Xena'
osname: 'centos'
release: '8-stream' # Directly taken from the provided mirrorlist
mirrorlist: 'http://mirrorlist.centos.org/?release=8-stream&arch=x86_64&repo=cloud-openstack-xena' # Assuming 'x86_64'
gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Cloud'
centos_8_opstools:
repository: 'opstools-collectd-5'
description: 'CentOS OpsTools - collectd'
osname: 'centos'
release: '8-stream' # Assumed static value for demonstration
mirrorlist: 'http://mirrorlist.centos.org/?arch=x86_64&release=8-stream&repo=opstools-collectd-5' # Assuming 'stream' and 'x86_64'
gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-OpsTools'
centos_8_ovirt45:
repository: 'virt-ovirt-45'
description: 'CentOS oVirt 4.5'
osname: 'centos'
release: '8-stream' # Assumed static value for demonstration
mirrorlist: 'http://mirrorlist.centos.org/?release=8-stream&arch=x86_64&repo=virt-ovirt-45' # Assuming 'stream' and 'x86_64'
gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Virtualization'
centos_8_stream_gluster10:
repository: 'storage-gluster-10'
description: 'CentOS oVirt 4.5 - Glusterfs 10'
osname: 'centos'
release: '8-stream' # Assumed static value for demonstration
mirrorlist: 'http://mirrorlist.centos.org/?release=8-stream&arch=x86_64&repo=storage-gluster-10' # Assuming 'stream' and 'x86_64'
gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Storage'
epel_8_everything:
repository: 'Everything'
description: 'EPEL 8 Everything'
osname: 'epel'
release: '8'
mirrorlist: 'https://mirrors.fedoraproject.org/mirrorlist?repo=epel-8&arch=x86_64'
gpgkey: 'https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-8'
mariadb_11_2_el8:
repository: 'el8'
description: 'MariaDB 11.2'
osname: 'mariadb'
release: '11.2'
baseurl: 'http://mariadb.mirror.digitalpacific.com.au/yum/11.2/rhel8-amd64/'
gpgkey: 'https://mariadb.mirror.digitalpacific.com.au/yum/RPM-GPG-KEY-MariaDB'
puppet7_el8:
repository: '8'
description: 'Puppet 7 EL8'
osname: 'puppet7'
release: 'el'
baseurl: 'https://yum.puppet.com/puppet7/el/8/x86_64/'
gpgkey: 'https://yum.puppet.com/RPM-GPG-KEY-puppet-20250406'
postgresql_rhel8_common:
repository: 'common'
description: 'PostgreSQL Common RHEL 8'
osname: 'postgresql'
release: 'rhel8'
baseurl: 'https://download.postgresql.org/pub/repos/yum/common/redhat/rhel-8-x86_64/'
gpgkey: 'https://download.postgresql.org/pub/repos/yum/keys/PGDG-RPM-GPG-KEY-RHEL'
postgresql_rhel8_16:
repository: '16'
description: 'PostgreSQL 16 RHEL 8'
osname: 'postgresql'
release: 'rhel8'
baseurl: 'https://download.postgresql.org/pub/repos/yum/16/redhat/rhel-8-x86_64/'
gpgkey: 'https://download.postgresql.org/pub/repos/yum/keys/PGDG-RPM-GPG-KEY-RHEL'

3
hieradata/roles/infra/sql/galera.eyaml Normal file
View File

@ -0,0 +1,3 @@
---
profiles::sql::galera_member::root_password: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAdR+LgWom6UO3PhwmlkpttcJUkzvqsfJVGRYhNfbBtmzITSW2obN9q4ifCPweGA78+zsd8WzG8Ydd2vNsALLl0LogLHt2vpGnv3xomJROQYI03ipc4ih0mIcFii2m7f/quumbPzT4m7rotACtQtquWeYIXcTW6LMqAesLE97kTtSeTIcYmzOLAmkY0kWGMPsik3H6dJbjIFNtdQpu1e3Ah/2+dgbrr1zDzcPArk/5eb7RwMQpLGZHwvbXrNTCxpzAUA7ZclmKRT8SyDmOKAS/WTMe8Z6khp97cmT5N32HH3KHinSdxp8g40XrN4Ue86feEPxwKbeFF3Fzq4B7MYVSyDBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBHcYpDTcYJHQX8iz3gvAbwgDA6h78+zGZ6Yn3VveL29fCzsKEvkalRGnHDcu8sZunNYbDrZDIrAdo/zI7Tivvb+TQ=]
profiles::sql::galera_member::status_password: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAj0Zjb+XijI6Fqxv9nemJrONvuqEr2uG7dRtZ/ZSDIQCFDAAMilM6EKg+6hMdHVAno45qLDsmJUUgznEQEPe7qkvFKNzzZecGGLdyj0FVU9YMDL69qfcpTxhXxA7mxE+LrtbpArRNjWAgiiRv1REvo54ZdsMThLFrDvQG6myDRaNaWxQ9RWQ1o+oy57AYwrurNgsM8ziOEU3ZfF+ax1zGA+GlGgIiM6XW+w5aH4tLdaUbvfYhBZpGaa0Wh594TSDlzBslfmO4gx6076xUua0pi71ZeMfx63kedTyjj2k07C3SLKpknm+FqYG0ZhdEMSscCodnys/KYT3qiN5fStWN3zBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBCCeXDpaOYDKhr1Q7A8I30ygDC7BBHB/UtDJLjuGZ4cll0MsfBlrQwAGDJm0j25JnsLCYqBvz1XjxFs1JhKJXLe42c=]

27
hieradata/roles/infra/sql/galera.yaml Normal file
View File

@ -0,0 +1,27 @@
---
profiles::sql::galera_member::configure_firewall: false
profiles::sql::galera_member::wsrep_sst_method: rsync
profiles::sql::galera_member::galera_members_lookup: true
profiles::sql::galera_member::galera_members_role: roles::infra::sql::galera
profiles::sql::galera_member::datadir: /data/mariadb
profiles::sql::galera_member::innodb_file_per_table: 1
profiles::sql::galera_member::package_name: mariadb-galera-server
consul::services:
mariadb:
service_name: "mariadb-%{facts.environment}"
tags:
- 'database'
- 'mariadb'
address: "%{facts.networking.ip}"
port: 3306
checks:
- id: 'mariadb_tcp_check'
name: 'MariaDB TCP Check'
tcp: "%{facts.networking.ip}:3306"
interval: '10s'
timeout: '1s'
profiles::consul::client::node_rules:
- resource: service
segment: "mariadb-%{facts.environment}"
disposition: write

2
hieradata/roles/infra/storage/consul.eyaml Normal file
View File

@ -0,0 +1,2 @@
---
profiles::consul::server::acl_master_token: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAFCDnJyImf/X8f6WGqt37XbuuSg5hCeC5Uhdd0u1/Jjlz4AzMyhF41Vs6iVrV6irlsMDziSQrcEvGumTPmYShRQiRv0GvkhHUpn2XROKd63KolsWRj2K2S5FhgwolgtQc05DLmGaQ6FIUMVk3aKU/v8IGSDopcjdhwTJtheOLgiiEjv8TsjWKOOIa0H7caa6ZiZxcf2Y99Wv9gIZdt+LnXGdlDuO88+gkYTpRM07RY21nr4VS821y0MwFcYx2SyzMDk60RvgCmvA6RdoyHBUYAu07IX6IjP5LZwpAkcPcA4gADVP7vOPT2WhVAtkzpg+RwNxkuWYA5roO2r1UhERixjBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBC9TM/c8nXJswHAUSU6kFCDgDBob2r0tFLq1Jw313Ys8jUtKsetsrc5x7uIDYzOqr7ulEM9B0VOD2ekR9IRYZMsBCg=]

79
hieradata/roles/infra/storage/consul.yaml Normal file
View File

@ -0,0 +1,79 @@
---
profiles::consul::server::members_lookup: true
profiles::consul::server::data_dir: /data/consul
profiles::consul::server::addresses:
dns: "%{::networking.ip}"
http: "%{::networking.ip}"
https: "%{::networking.ip}"
grpc: "%{::networking.ip}"
grpc_tls: "%{::networking.ip}"
profiles::consul::server::ports:
dns: 8600
http: 8500
https: -1
profiles::consul::server::acl:
enabled: true
default_policy: 'deny'
down_policy: 'extend-cache'
tokens:
initial_management: "%{alias('profiles::consul::server::acl_tokens_initial_management')}"
default: "%{alias('profiles::consul::server::acl_tokens_default')}"
replication: "%{alias('profiles::consul::server::acl_tokens_replication')}"
# additional altnames
profiles::pki::vault::alt_names:
- consul.main.unkin.net
- consul.service.consul
- consul
# manage a simple nginx reverse proxy
profiles::nginx::simpleproxy::nginx_vhost: 'consul.service.consul'
profiles::nginx::simpleproxy::nginx_aliases:
- consul
- consul.main.unkin.net
profiles::nginx::simpleproxy::proxy_port: 8500
profiles::nginx::simpleproxy::proxy_path: '/'
profiles::consul::prepared_query::rules:
vault:
ensure: 'present'
service_name: 'vault'
service_failover_n: 3
service_only_passing: true
ttl: 10
puppet:
ensure: 'present'
service_name: 'puppet'
service_failover_n: 3
service_only_passing: true
ttl: 10
puppetca:
ensure: 'present'
service_name: 'puppetca'
service_failover_n: 3
service_only_passing: true
ttl: 10
edgecache:
ensure: 'present'
service_name: 'edgecache'
service_failover_n: 3
service_only_passing: true
ttl: 10
puppetdbapi:
ensure: 'present'
service_name: 'puppetdbapi'
service_failover_n: 3
service_only_passing: true
ttl: 10
puppetboard:
ensure: 'present'
service_name: 'puppetboard'
service_failover_n: 3
service_only_passing: true
ttl: 10
git:
ensure: 'present'
service_name: 'git'
service_failover_n: 3
service_only_passing: true
ttl: 10

120
hieradata/roles/infra/storage/edgecache.yaml Normal file
View File

@ -0,0 +1,120 @@
---
consul::services:
edgecache:
service_name: 'edgecache'
tags:
- 'cache'
- 'edge'
address: "%{facts.networking.ip}"
port: 443
checks:
- id: 'edgecache_https_check'
name: 'EdgeCache HTTPS Check'
http: "https://%{facts.networking.fqdn}"
method: 'GET'
tls_skip_verify: true
interval: '10s'
timeout: '1s'
profiles::consul::client::node_rules:
- resource: service
segment: edgecache
disposition: write
# additional altnames
profiles::pki::vault::alt_names:
- edgecache.service.consul
- edgecache.query.consul
profiles::edgecache::params::nginx_resolvers_enable: true
profiles::edgecache::params::nginx_resolvers_ipv4only: true
profiles::edgecache::params::nginx_listen_mode: both
profiles::edgecache::params::nginx_cert_type: vault
profiles::edgecache::params::nginx_aliases:
- edgecache.service.consul
- edgecache.query.consul
profiles::edgecache::params::directories:
/data/edgecache: { owner: root, group: root }
/data/edgecache/pub: { owner: nginx, group: nginx }
/data/edgecache/pub/centos: { owner: nginx, group: nginx }
/data/edgecache/pub/almalinux: { owner: nginx, group: nginx }
/data/edgecache/pub/debian: { owner: nginx, group: nginx }
/data/edgecache/pub/epel: { owner: nginx, group: nginx }
/data/edgecache/pub/postgres: { owner: nginx, group: nginx }
/data/edgecache/pub/postgres/apt: { owner: nginx, group: nginx }
/data/edgecache/pub/postgres/yum: { owner: nginx, group: nginx }
profiles::edgecache::params::mirrors:
debian:
ensure: present
location: /debian
proxy: http://mirror.gsl.icu
debian_pool:
ensure: present
location: /debian/pool
proxy: http://mirror.gsl.icu
proxy_cache: cache
proxy_cache_valid:
- '200 302 1440h'
- '404 1m'
centos_repodata:
ensure: present
location: '~* ^/centos/.*/repodata/'
proxy: http://gsl-syd.mm.fcix.net
centos_data:
ensure: present
location: /centos
proxy: http://gsl-syd.mm.fcix.net
proxy_cache: cache
proxy_cache_valid:
- '200 302 1440h'
- '404 1m'
almalinux_repodata:
ensure: present
location: '~* ^/almalinux/.*/repodata/'
proxy: http://gsl-syd.mm.fcix.net
almalinux_data:
ensure: present
location: /almalinux
proxy: http://gsl-syd.mm.fcix.net
proxy_cache: cache
proxy_cache_valid:
- '200 302 1440h'
- '404 1m'
epel_repodata:
ensure: present
location: '~* ^/epel/.*/repodata/'
proxy: http://gsl-syd.mm.fcix.net
epel_data:
ensure: present
location: /epel
proxy: http://gsl-syd.mm.fcix.net
proxy_cache: cache
proxy_cache_valid:
- '200 302 1440h'
- '404 1m'
postgres_yum_repodata:
ensure: present
location: '~* ^/postgres/yum/.*/repodata/'
rewrite_rules:
- '^/postgres/yum/(.*)$ /pub/repos/yum/$1 break'
proxy: https://download.postgresql.org
postgres_yum_data:
ensure: present
location: /postgres/yum
proxy: https://download.postgresql.org/pub/repos/yum
proxy_cache: cache
proxy_cache_valid:
- '200 302 1440h'
- '404 1m'
postgres_apt:
ensure: present
location: /postgres/apt
proxy: https://download.postgresql.org/pub/repos/apt
postgres_apt_pool:
ensure: present
location: /postgres/apt/pool
proxy: https://download.postgresql.org/pub/repos/apt/pool
proxy_cache: cache
proxy_cache_valid:
- '200 302 1440h'
- '404 1m'

2
hieradata/roles/infra/storage/minio.eyaml Normal file
View File

@ -0,0 +1,2 @@
---
profiles::minio::server::minio_root_pass: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAcAGh4K8P/bOwHs7FEAssBcYgtT+FlkMW4/jpJf230sbOh0jswvCl0woQMMw+AIpkXNJ//YcmDBkhdE92RCK8C4Xi/2nkdWjPt9FQwuT47BhAKISjunRs9R61dKj5aOwAlTQ3lNtsQsknGz17AMTyPEGQC9SnPxYirLRr9VgJX/EKPjl7M2LbkZTJChwIE6IiT+LSzye7YgpkJ7O6h4jNIp5ryWaUqSUfooYjqHc1zl4Bs9ZfyY1K/CWCTIbtd4hY1ZlskRlVa9yA0cWhsufV0gw43RA/bCAJPowLc64bZ4XlLx9Fy0qHKjTCDRLzysUoq0QjIR2Ulf1TkcCJAVLwFDBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBC3+P+RW/JoQemkVJE/mpAngDAw1JpFkBvLj4AlbJePvpnG+fFN8coOE+5N94NgGd9Gtl2NZt/g5x/7xFHS28cSlIg=]

9
hieradata/roles/infra/storage/minio.yaml Normal file
View File

@ -0,0 +1,9 @@
---
profiles::minio::server::minio_members_role: roles::infra::storage::minio
profiles::minio::server::minio_root_user: admin
profiles::minio::server::minio_opts:
- '--anonymous'
profiles::minio::server::minio_members_lookup: true
profiles::minio::server::version: 'RELEASE.2023-12-20T01-00-02Z'
profiles::minio::server::checksum: '09fafaf399885b4912bafda6fa03fc4ccbc39ec45e17239677217317915d6aeb'
profiles::minio::server::checksum_type: 'sha256'

7
hieradata/roles/infra/storage/vault.eyaml Normal file
View File

@ -0,0 +1,7 @@
---
vault::unseal_keys:
- ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAHfDhuu2C5ZEALdJlmOqWukEiAQQiVJ7KjpSRuf9h7RYwR+u8UNdcJYK1xFvYwmUczw6hkST/Zr06T4JwavpAHHuaRbyl8N1qZjlwt4MO5CPUTBT8k+EOaocF2byUXpYBThETjLB+WNLJAU3Dq8JboekCJ2F1Zjd8Mmdtu1C3Ip5ii5iVGbQShxDSPsdjtk8Q49lUKj61tLyuvadcTcxllHyXs6siWl7atBfIS6OX5KgA66VJhxOeoyyBaiqSSu7OqqZa2siYGTvjJS3UFDf8J+itsJJ1+0KUtkl07PvItkIruSAlHZGagVPrizAyEx1j4hFvVTGHac86bcV/5M9z5DBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBDCjxoJHSXr/4XvXaxVbUGOgDCQ4DL05Qnw3+3qHWZRKvNChHgrhRPi2HmkiGni+A4ZVF9LHs+mF8TQ/t3Q1DrSy3I=]
- ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAoapLUNj1f+7BEvjzR9CO0Qz3LhI5M326BVliikRY7hpL2+0CnTOlR9K3YapD83LtpuiNbXqbk1mhi44ak0CTet8yz0ZH/BPkVYgV2Ll9ISdN4Knnnlf2Ljt/gHGf03jiUKwfXxu87LfvCySAMgzYonQ90cfIDc+XH6CoQv27WM3U1q79RcWl/w9Z/XwJiKyANSCXfBT16+RawrzmVo+zWbteqx09MfOHr7Q36VwOqjJaO94A/Dj3m/YJIOhmYXd52h+am6Kc1Q9dnzycKZYoKYOv+qi+bY4frx9sRvBxoGDGMb1mXTDSPeIT6NXbMCIsTsmYxjxAvBET72oKWXJUcDBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBDy/pkTHpz4F9l1J6cKW4A9gDD873VdHr3ArjpE1R82wS5brCbBe7ntEuNFQMbnFPvOXwI4EaYV3IMRNv6Lzk6BBSI=]
- ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAVKVb6/nhbgEx6b2b90gfuXbZglZpoJjQtyzDQtCZzcZxh/xVFjwUy1XX/3+dueazFd5Ge5NnqQdxs/h5MBSjexHJhEm3fmA+gnns8sdYX5SDJSnhYvS1cB/wmfHuvkj3ZhIFxg0jlPlKz24QST99ouxKI2c490ByIbcFCr+A5GWnO7D/kf1Y+M0Sg2YiPE4zqF2zx1sgOfaV2xvQbRqqSjDPim/mYff95AtWwN9KbcAvc/7vDi4PrHR8GY9RXhI8FBEvelAT0H0NmnaCw4TvWXF/YxztlG9E55G3MsFyVAQJT7Dl8w4w5nk4AJJBMaXlO2s4AWD4Y+MVQh62hjqgHjBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBptatyhSChU/V0R+IVd5hRgDCmA07/V4UBz1nVMc2vZm2KvnUOPofO74hwkkoxOnk6O2h6arbw8GNHj7WxeHXoXPk=]
- ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAOGvhPhbKt8hkYTif5C+IE7iqcoeXm68BeUzlzE9qAY7lzQoAENauDKoIgoQT0hA7zrKZXPTUDrcw8SdxNp7Zo/Dr44urdr4LiT+QZwYTE09Xn8yIA3ij1XnXQ5bYP70TycuOjpVT0BKK+qSkklfd7IAw76AnUWF1D6P9MjT+shOmVNHQQSRrL2JLNppetQRCyOEMzkeDI/58/ohexvyUcY8WT4YMNhl/IrNBdcJ3xOwnJqEAXSUTre15T2I+7f+prhj4cS2V9qd0ZwUXSueL38EIMKwmq1ugb+zm8UYzqfKpRk/1THqT8T/r8B4PR2QxtiwtzLk388ag1mqQ/jHL9zBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBAlKLuJOARFD1vt/R9gfp4LgDA0irHwG41ByRyYcKT87ra9tsdhb+i9ugnNRbFQ1UPTk7bFwS3HUteEJwNzcNIwFXY=]
- ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAEQvjVATvI+UVWrowTWSxtluiPrfa8akOSgr+MdcAh5Mgypw6RUeVJ2Sh8jekePZOO7Y0IQSfyNWOFAsaxBgeG7aEu6loFwxcSzrilg9c/2bV7Ybxr5saDViTjHO+UOYPPVRsJKeYvWd+vTdM+J7Eg3LGwzdLqyYu824affGm41KsSJdtxbNC1EzR+AOEU7SO8FkDIUZl2ekwz+3FfBX5TyXywlZGrbS7DkABB1jrO/JJtgnRu4D1AgUWjSJINXKyi9Xf91ZUyYCbVJ1asmRhOcCDcRigs82CF6nWbsSad80Z/ZoGVGYSlCsSXd4t8iEujCzeTkfBRK6Azr71f0zbBjBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBAeR7zOfSz3Sd19UkcmdMJLgDBiPUNdk6zh2inhCqms/qnt7BqDBAYEzHuzbsM3U3PO+UIeJdym51cu3YKw3MkVuyw=]

24
hieradata/roles/infra/storage/vault.yaml Normal file
View File

@ -0,0 +1,24 @@
---
profiles::vault::server::members_role: roles::infra::storage::vault
profiles::vault::server::members_lookup: true
profiles::vault::server::data_dir: /data/vault
profiles::vault::server::manage_storage_dir: true
profiles::vault::server::tls_disable: false
vault::download_url: http://repos.main.unkin.net/unkin/8/x86_64/os/Archives/vault_1.15.5_linux_amd64.zip
# additional altnames
profiles::pki::vault::alt_names:
- vault.main.unkin.net
- vault.service.consul
- vault.service.consul
- vault
# manage a simple nginx reverse proxy
profiles::nginx::simpleproxy::nginx_vhost: 'vault.service.consul'
profiles::nginx::simpleproxy::nginx_aliases:
- vault.main.unkin.net
- vault
profiles::nginx::simpleproxy::proxy_scheme: 'http'
profiles::nginx::simpleproxy::proxy_host: '127.0.0.1'
profiles::nginx::simpleproxy::proxy_port: 8200
profiles::nginx::simpleproxy::proxy_path: '/'

0
hieradata/virtual/kvm.yaml Normal file
View File

3
hieradata/virtual/physical.yaml Normal file
View File

@ -0,0 +1,3 @@
---
profiles::packages::install:
- "%{hiera('lm-sensors::package')}"

27
modules/libs/lib/facter/arpa.rb Normal file
View File

@ -0,0 +1,27 @@
# frozen_string_literal: true
# arpa_fact.rb
require 'facter'
Facter.add(:arpa) do
setcode do
arpa_info = {}
Facter.value(:networking)['interfaces'].each do |interface_name, values|
next unless values.key?('ip')
ip_address = values['ip']
reversed_ip_parts = ip_address.split('.').reverse
addr = "#{reversed_ip_parts.join('.')}.in-addr.arpa"
trimmed_ip_parts = reversed_ip_parts[1..]
zone = "#{trimmed_ip_parts.join('.')}.in-addr.arpa"
arpa_info[interface_name] = {
'zone' => zone,
'addr' => addr
}
end
arpa_info
end
end

8
modules/libs/lib/facter/cobbler_data_dir_exists.rb Normal file
View File

@ -0,0 +1,8 @@
# frozen_string_literal: true
Facter.add('cobbler_data_dir_exists') do
confine enc_role: 'roles::infra::cobbler::server'
setcode do
File.exist?('/data/cobbler')
end
end

8
modules/libs/lib/facter/cobbler_var_www_exists.rb Normal file
View File

@ -0,0 +1,8 @@
# frozen_string_literal: true
Facter.add('cobbler_var_www_exists') do
confine enc_role: 'roles::infra::cobbler::server'
setcode do
File.exist?('/var/www/cobbler')
end
end

8
modules/libs/lib/facter/cobbler_var_www_islink.rb Normal file
View File

@ -0,0 +1,8 @@
# frozen_string_literal: true
Facter.add('cobbler_var_www_islink') do
confine enc_role: 'roles::infra::cobbler::server'
setcode do
File.exist?('/var/www/cobbler') and File.symlink?('/var/www/cobbler')
end
end

13
modules/libs/lib/facter/enc_env.rb Normal file
View File

@ -0,0 +1,13 @@
# frozen_string_literal: true
Facter.add('enc_env') do
setcode do
require 'yaml'
# Check if the YAML file exists
if File.exist?('/root/.cache/custom_facts.yaml')
data = YAML.load_file('/root/.cache/custom_facts.yaml')
# Use safe navigation to return 'enc_env' or nil
data&.dig('enc_env')
end
end
end

13
modules/libs/lib/facter/enc_role.rb Normal file
View File

@ -0,0 +1,13 @@
# frozen_string_literal: true
Facter.add('enc_role') do
setcode do
require 'yaml'
# Check if the YAML file exists
if File.exist?('/root/.cache/custom_facts.yaml')
data = YAML.load_file('/root/.cache/custom_facts.yaml')
# Use safe navigation to return 'enc_role' or nil
data&.dig('enc_role')
end
end
end

14
modules/libs/lib/facter/enc_role_path.rb Normal file
View File

@ -0,0 +1,14 @@
# frozen_string_literal: true
# create an enc_role_path fact from enc_role, to be used by hiera.yaml
#
# roles::infra::dns::resolver becomes roles/infra/dns/resolver
Facter.add(:enc_role_path) do
setcode do
enc_role = Facter.value(:enc_role)
if enc_role
enc_role_path = enc_role.gsub('::', '/')
enc_role_path
end
end
end

15
modules/libs/lib/facter/enc_role_tier1.rb Normal file
View File

@ -0,0 +1,15 @@
# frozen_string_literal: true
# split the enc_role fact into different tiers
#
# e.g.
# enc_role_tier2: roles::infra::dns::resolver -> infra
Facter.add(:enc_role_tier1) do
setcode do
role = Facter.value(:enc_role)
if role
parts = role.split('::')
parts[1] if parts.size > 1
end
end
end

14
modules/libs/lib/facter/enc_role_tier2.rb Normal file
View File

@ -0,0 +1,14 @@
# frozen_string_literal: true
# split the enc_role fact into different tiers
# e.g.
# enc_role_tier2: roles::infra::dns::resolver -> dns
Facter.add(:enc_role_tier2) do
setcode do
role = Facter.value(:enc_role)
if role
parts = role.split('::')
parts[2] if parts.size > 2
end
end
end

14
modules/libs/lib/facter/enc_role_tier3.rb Normal file
View File

@ -0,0 +1,14 @@
# frozen_string_literal: true
# split the enc_role fact into different tiers
# e.g.
# enc_role_tier3: roles::infra::dns::resolver -> resolver
Facter.add(:enc_role_tier3) do
setcode do
role = Facter.value(:enc_role)
if role
parts = role.split('::')
parts[3] if parts.size > 3
end
end
end

8
modules/libs/lib/facter/firstrun.rb Normal file
View File

@ -0,0 +1,8 @@
# frozen_string_literal: true
Facter.add(:firstrun) do
confine kernel: 'Linux'
setcode do
File.exist?('/root/.cache/puppet_firstrun_complete') ? false : true
end
end

10
modules/libs/lib/facter/is_pveceph_mgr.rb Normal file
View File

@ -0,0 +1,10 @@
# frozen_string_literal: true
require 'facter'
Facter.add('is_pveceph_mgr') do
confine enc_role: 'roles::infra::proxmox::node'
setcode do
system('pgrep -x ceph-mgr > /dev/null 2>&1')
end
end

10
modules/libs/lib/facter/is_pveceph_mon.rb Normal file
View File

@ -0,0 +1,10 @@
# frozen_string_literal: true
require 'facter'
Facter.add('is_pveceph_mon') do
confine enc_role: 'roles::infra::proxmox::node'
setcode do
system('pgrep -x ceph-mon > /dev/null 2>&1')
end
end

11
modules/libs/lib/facter/mariadb_active.rb Normal file
View File

@ -0,0 +1,11 @@
# frozen_string_literal: true
# create a boolean for when the mariadb service is active
require 'English'
Facter.add('mariadb_active') do
setcode do
system('systemctl is-active --quiet mariadb')
$CHILD_STATUS.exitstatus.zero?
end
end

22
modules/libs/lib/facter/mariadb_datapath.rb Normal file
View File

@ -0,0 +1,22 @@
# frozen_string_literal: true
# check if the /etc/my.cnf.d/server.cnf file exists,
# open it and search for the 'datadir =' option
# store the datadir value as this fact
require 'facter'
Facter.add('mariadb_datapath') do
setcode do
if File.exist?('/etc/my.cnf.d/server.cnf')
datadir = nil
File.foreach('/etc/my.cnf.d/server.cnf') do |line|
match = line.match(/^\s*datadir\s*=\s*(.+)\s*$/)
if match
datadir = match[1].strip
break
end
end
datadir
end
end
end

16
modules/libs/lib/facter/mariadb_galera_active.rb Normal file
View File

@ -0,0 +1,16 @@
# frozen_string_literal: true
# check if the mariadb server exists
# check if the mariadb_datapath fact exists, else set /var/lib/mysql as the datapath
# check if the galera grastate.dat file exists, identifying if galera is boostrapped
require 'facter'
if system('systemctl is-active --quiet mariadb')
Facter.add('mariadb_galera_active') do
setcode do
mariadb_datapath = Facter.value(:mariadb_datapath) || '/var/lib/mysql'
File.exist?("#{mariadb_datapath}/grastate.dat")
end
end
end

8
modules/libs/lib/facter/mariadb_installed.rb Normal file
View File

@ -0,0 +1,8 @@
# frozen_string_literal: true
# create boolean for if mariadb is installed based of the default service file
Facter.add('mariadb_installed') do
setcode do
File.exist?('/usr/lib/systemd/system/mariadb.service')
end
end

26
modules/libs/lib/facter/minio_datadirs_initialised.rb Normal file
View File

@ -0,0 +1,26 @@
# frozen_string_literal: true
# check all datadirs for minio are initialised
require 'yaml'
Facter.add('minio_datadirs_initialised') do
setcode do
yaml_file_path = '/opt/puppetlabs/facter/facts.d/minio_facts.yaml'
# check if the YAML file exists first
next false unless File.exist?(yaml_file_path)
minio_facts = YAML.load_file(yaml_file_path)
dev_count = minio_facts['minio_blockdev_count']
datadir = minio_facts['minio_datadir']
# check datadir if no blockdevices are used, otherwise check the store locations
if dev_count.zero?
Dir.exist?(datadir)
else
(1..dev_count).all? do |number|
Dir.exist?("#{datadir}/store#{number}")
end
end
end
end

Some files were not shown because too many files have changed in this diff Show More