From c96676e1435519182f352e3e2489c0415023a983 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sat, 26 Aug 2023 01:00:31 +1000 Subject: [PATCH 001/229] Updated autosign - added way to manage individual nodes - added defaults for domains, subnets and nodes - updated comments and doc --- hieradata/common.yaml | 3 +++ site/profiles/manifests/puppet/autosign.pp | 14 +++++++++++--- .../templates/puppet/autosign/autosign.conf.erb | 6 ++++++ 3 files changed, 20 insertions(+), 3 deletions(-) diff --git a/hieradata/common.yaml b/hieradata/common.yaml index fbdb03a..5c004ed 100644 --- a/hieradata/common.yaml +++ b/hieradata/common.yaml @@ -27,5 +27,8 @@ profiles::puppet::autosign::subnet_ranges: profiles::puppet::autosign::domains: - '*.main.unkin.net' +# profiles::puppet::autosign::nodes: +# - 'somenode.main.unkin.net' + profiles::puppet::enc::enc_repo: https://git.unkin.net/unkinben/puppet-enc.git profiles::puppet::r10k::r10k_repo: https://git.unkin.net/unkinben/puppet-r10k.git diff --git a/site/profiles/manifests/puppet/autosign.pp b/site/profiles/manifests/puppet/autosign.pp index 4a84d70..0c75d25 100644 --- a/site/profiles/manifests/puppet/autosign.pp +++ b/site/profiles/manifests/puppet/autosign.pp 
@@ -9,26 +9,34 @@ # - `subnet_ranges`: An array of IP subnet ranges in CIDR notation. # Nodes with IP addresses within these ranges will have their # certificates autosigned. +# Default: [] # Example: ['198.18.17.0/24'] # # - `domains`: An array of domain patterns. # Nodes with hostnames matching these patterns will have their # certificates autosigned. -# Default: ['*.main.unkin.net'] +# Default: [] # Example: ['*.main.unkin.net', '*.secondary.unkin.net'] # +# - `nodes`: An array of specific node names. +# Nodes with hostnames matching these will have their +# certificates autosigned. +# Default: [] +# Example: ['somenode.main.unkin.net', 'othernode.secondary.unkin.net'] # Usage: # # To include this class with custom parameters: # class { 'profiles::puppet::autosign': # subnet_ranges => ['198.18.17.0/24', '198.18.18.0/24'], # domains => ['*.main.unkin.net', '*.dev.unkin.net'], +# nodes => ['somenode.main.unkin.net', 'othernode.dev.unkin.net'], # } # # Alternatively, configure subnet ranges and domains through Hiera. class profiles::puppet::autosign ( - Array[Stdlib::IP::Address::V4::CIDR] $subnet_ranges, - Array[String[1]] $domains, + Array[Stdlib::IP::Address::V4::CIDR] $subnet_ranges = [], + Array[String[1]] $domains = [], + Array[String[1]] $nodes = [], ) { # Manage the autosign.conf file using the template diff --git a/site/profiles/templates/puppet/autosign/autosign.conf.erb b/site/profiles/templates/puppet/autosign/autosign.conf.erb index c533d8a..ccbc1dd 100644 --- a/site/profiles/templates/puppet/autosign/autosign.conf.erb +++ b/site/profiles/templates/puppet/autosign/autosign.conf.erb @@ -1,6 +1,12 @@ +# Autosign all nodes from these subnets <% @subnet_ranges.each do |subnet| -%> <%= subnet %> <% end -%> +# Autosign all nodes from these domains <% @domains.each do |domain| -%> <%= domain %> <% end -%> +# Autosign these specific nodes +<% @nodes.each do |node| -%> +<%= node %> +<% end -%> 
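Review bot: The new `nodes` entry in the header comment lacks the blank `#` separator that the `subnet_ranges` and `domains` entries have before `# Usage:`, and the closing line should now read `# Alternatively, configure subnet ranges, domains and nodes through Hiera.` The header should also state that every line written to autosign.conf is matched against the certname in the CSR only — the CA does not check that the requester owns that name — so a glob such as `*.main.unkin.net` signs any request that claims a host in that domain; as far as I recall Puppet's autosign.conf does not evaluate IP subnets at all, so the `subnet_ranges` lines may be inert, which is worth confirming against the Puppet version in use. With all three parameters now defaulting to `[]`, an empty autosign.conf is a valid and safest configuration, and the documentation could say so.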
From efc769191e8e9dc8250f16f4244b642f93e23ac5 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sat, 26 Aug 2023 14:28:41 +1000 Subject: [PATCH 002/229] Adding a default environment - set through puppet.conf - created symbolic link from develop -> production in code/environments - changed puppet-g10k script to be generated from a template - parameterised g10k into hieradata --- hieradata/common.yaml | 4 ++++ site/profiles/manifests/puppet/g10k.pp | 10 +++++--- .../profiles/manifests/puppet/puppetmaster.pp | 22 +++++++++-------- site/profiles/manifests/puppet/server.pp | 24 +++++++++++-------- .../templates/puppet/g10k/puppet-g10k.erb | 4 ++++ .../templates/puppet/server/puppet.conf.epp | 2 ++ 6 files changed, 43 insertions(+), 23 deletions(-) create mode 100644 site/profiles/templates/puppet/g10k/puppet-g10k.erb diff --git a/hieradata/common.yaml b/hieradata/common.yaml index 5c004ed..cd02e13 100644 --- a/hieradata/common.yaml +++ b/hieradata/common.yaml @@ -32,3 +32,7 @@ profiles::puppet::autosign::domains: profiles::puppet::enc::enc_repo: https://git.unkin.net/unkinben/puppet-enc.git profiles::puppet::r10k::r10k_repo: https://git.unkin.net/unkinben/puppet-r10k.git +profiles::puppet::g10k::bin_path: '/opt/puppetlabs/bin/g10k' +profiles::puppet::g10k::cfg_path: '/etc/puppetlabs/r10k/r10k.yaml' +profiles::puppet::g10k::environments_path: '/etc/puppetlabs/code/environments' +profiles::puppet::g10k::default_environment: 'develop' diff --git a/site/profiles/manifests/puppet/g10k.pp b/site/profiles/manifests/puppet/g10k.pp index 958e53e..617190b 100644 --- a/site/profiles/manifests/puppet/g10k.pp +++ b/site/profiles/manifests/puppet/g10k.pp @@ -30,8 +30,12 @@ # # Limitations: # This is designed to work on Unix-like systems only. -class profiles::puppet::g10k { - +class profiles::puppet::g10k ( + String $bin_path, + String $cfg_path, + String $environments_path, + String $default_environment, +){ package { 'unzip': ensure => installed, } 
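Review bot: The four new parameters of profiles::puppet::g10k are not described in the class header (the documented sections end at `# Limitations:` just above the signature), so a reader has to open the template to learn what `bin_path`, `cfg_path`, `environments_path` and `default_environment` do; add a `# Parameters:` block in the same style as the autosign class. Since these values are spliced into a shell script by the template, tighter types would reject bad input at compile time: `Stdlib::Absolutepath` for the three paths and `Pattern[/\A[a-z0-9_]+\z/]` for the environment name (Puppet itself only accepts lowercase letters, digits and underscores in environment names), which also keeps shell metacharacters out of the generated script. The remainder of the class (the archive and file resources) lies outside this hunk.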
@@ -50,7 +54,7 @@ class profiles::puppet::g10k { owner => 'root', group => 'root', mode => '0755', - content => "#!/usr/bin/bash\n/opt/puppetlabs/bin/g10k -config /etc/puppetlabs/r10k/r10k.yaml\n", + content => template('profiles/puppet/g10k/puppet-g10k.erb'), require => Archive['/tmp/g10k.zip'], } diff --git a/site/profiles/manifests/puppet/puppetmaster.pp b/site/profiles/manifests/puppet/puppetmaster.pp index d50ed16..d9e9e3d 100644 --- a/site/profiles/manifests/puppet/puppetmaster.pp +++ b/site/profiles/manifests/puppet/puppetmaster.pp @@ -29,15 +29,17 @@ class profiles::puppet::puppetmaster { include profiles::puppet::autosign class { 'profiles::puppet::server': - vardir => '/opt/puppetlabs/server/data/puppetserver', - logdir => '/var/log/puppetlabs/puppetserver', - rundir => '/var/run/puppetlabs/puppetserver', - pidfile => '/var/run/puppetlabs/puppetserver/puppetserver.pid', - codedir => '/etc/puppetlabs/code', - dns_alt_names => ['prodinf01n01.main.unkin.net'], - server => 'prodinf01n01.main.unkin.net', - node_terminus => 'exec', - external_nodes => '/opt/puppetlabs/bin/enc', - autosign => '/etc/puppetlabs/puppet/autosign.conf', + vardir => '/opt/puppetlabs/server/data/puppetserver', + logdir => '/var/log/puppetlabs/puppetserver', + rundir => '/var/run/puppetlabs/puppetserver', + pidfile => '/var/run/puppetlabs/puppetserver/puppetserver.pid', + codedir => '/etc/puppetlabs/code', + dns_alt_names => ['prodinf01n01.main.unkin.net'], + server => 'prodinf01n01.main.unkin.net', + node_terminus => 'exec', + external_nodes => '/opt/puppetlabs/bin/enc', + autosign => '/etc/puppetlabs/puppet/autosign.conf', + default_manifest => '/etc/puppetlabs/code/environments/develop/manifests', + default_environment => 'develop', } } diff --git a/site/profiles/manifests/puppet/server.pp b/site/profiles/manifests/puppet/server.pp index 03b82c3..ca68998 100644 --- a/site/profiles/manifests/puppet/server.pp +++ b/site/profiles/manifests/puppet/server.pp 
@@ -25,6 +25,8 @@ class profiles::puppet::server ( String $node_terminus, String $external_nodes, String $autosign, + String $default_manifest, + String $default_environment, ) { file { '/etc/puppetlabs/puppet/puppet.conf': @@ -33,16 +35,18 @@ class profiles::puppet::server ( group => 'root', mode => '0644', content => epp('profiles/puppet/server/puppet.conf.epp', { - 'vardir' => $vardir, - 'logdir' => $logdir, - 'rundir' => $rundir, - 'pidfile' => $pidfile, - 'codedir' => $codedir, - 'dns_alt_names' => join($dns_alt_names, ','), - 'server' => $server, - 'node_terminus' => $node_terminus, - 'external_nodes' => $external_nodes, - 'autosign' => $autosign, + 'vardir' => $vardir, + 'logdir' => $logdir, + 'rundir' => $rundir, + 'pidfile' => $pidfile, + 'codedir' => $codedir, + 'dns_alt_names' => join($dns_alt_names, ','), + 'server' => $server, + 'node_terminus' => $node_terminus, + 'external_nodes' => $external_nodes, + 'autosign' => $autosign, + 'default_manifest' => $default_manifest, + 'default_environment' => $default_environment, }), notify => Service['puppetserver'], } diff --git a/site/profiles/templates/puppet/g10k/puppet-g10k.erb b/site/profiles/templates/puppet/g10k/puppet-g10k.erb new file mode 100644 index 0000000..2bb537e --- /dev/null +++ b/site/profiles/templates/puppet/g10k/puppet-g10k.erb @@ -0,0 +1,4 @@ +#!/usr/bin/bash +<%= @bin_path %> -config <%= @cfg_path %> +rm -f <%= @environments_path %>/production +ln -s <%= @environments_path %>/<%= @default_environment %> <%= @environments_path %>/production diff --git a/site/profiles/templates/puppet/server/puppet.conf.epp b/site/profiles/templates/puppet/server/puppet.conf.epp index 37f3a5e..a22777b 100644 --- a/site/profiles/templates/puppet/server/puppet.conf.epp +++ b/site/profiles/templates/puppet/server/puppet.conf.epp 
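Review bot: In the new puppet-g10k.erb the `rm -f` and `ln -s` lines run even when the g10k deploy on the line before them fails, so a broken deploy still re-points `production`, and the template values are interpolated into the shell unquoted. Add `set -e` after the shebang and collapse the last two lines into `ln -sfn "<%= @environments_path %>/<%= @default_environment %>" "<%= @environments_path %>/production"`, which also handles `production` already existing as a real directory (today `rm -f` fails silently on a directory and `ln -s` then creates the link inside it). The script is installed root-owned with mode 0755 by the file resource in g10k.pp and is presumably run as root, so the hiera values it embeds should be validated at the class boundary.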
@@ -15,3 +15,5 @@ server = <%= $server %> node_terminus = exec external_nodes = <%= $external_nodes %> autosign = <%= $autosign %> +default_manifest = <%= $default_manifest %> +default_environment = <%= $default_environment %> From 116342bdaa47c59ef1d375105e1c61630c6de462 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sat, 26 Aug 2023 16:11:53 +1000 Subject: [PATCH 003/229] Added class to manage a default set of scripts - included scripts into profiles::base - updated hiera with list of scripts to create and their template name - created template for a puppet wrapper --- hieradata/common.yaml | 3 +++ site/profiles/manifests/base.pp | 4 +++ site/profiles/manifests/base/scripts.pp | 26 +++++++++++++++++++ .../base/scripts/puppetwrapper.py.erb | 22 ++++++++++++++++ 4 files changed, 55 insertions(+) create mode 100644 site/profiles/manifests/base/scripts.pp create mode 100644 site/profiles/templates/base/scripts/puppetwrapper.py.erb diff --git a/hieradata/common.yaml b/hieradata/common.yaml index 5c004ed..569a796 100644 --- a/hieradata/common.yaml +++ b/hieradata/common.yaml @@ -21,6 +21,9 @@ profiles::base::packages::common: - wget - zsh +profiles::base::scripts::scripts: + puppet: puppetwrapper.py + profiles::puppet::autosign::subnet_ranges: - '198.18.17.0/24' diff --git a/site/profiles/manifests/base.pp b/site/profiles/manifests/base.pp index 5a5493c..079b8d3 100644 --- a/site/profiles/manifests/base.pp +++ b/site/profiles/manifests/base.pp @@ -17,8 +17,12 @@ class profiles::base ( } } + # install common required applications class { 'profiles::base::packages': packages => hiera('profiles::base::packages::common'), ensure => 'installed', } + + # include admin scripts + include profiles::base::scripts } diff --git a/site/profiles/manifests/base/scripts.pp b/site/profiles/manifests/base/scripts.pp new file mode 100644 index 0000000..fc0b3e8 --- /dev/null +++ b/site/profiles/manifests/base/scripts.pp 
@@ -0,0 +1,26 @@ +# This class can be included directly in node definitions or other classes. +# The preferred method for declaring the scripts is via Hiera. +# +# Here's an example Hiera configuration: +# +# profiles::base::scripts::scripts: +# script1: script1 +# script2: script2 +# +# This would deploy 'script1' and 'script2' to /usr/local/bin using their +# respective ERB templates in the profiles/base/scripts directory. +# +class profiles::base::scripts ( + Hash $scripts = {}, +) { + $scripts.each |$script_name, $template_name| { + file { "/usr/local/bin/${script_name}": + ensure => file, + owner => 'root', + group => 'root', + mode => '0755', + content => template("profiles/base/scripts/${template_name}.erb"), + } + } +} + diff --git a/site/profiles/templates/base/scripts/puppetwrapper.py.erb b/site/profiles/templates/base/scripts/puppetwrapper.py.erb new file mode 100644 index 0000000..57ca8b1 --- /dev/null +++ b/site/profiles/templates/base/scripts/puppetwrapper.py.erb @@ -0,0 +1,22 @@ +#!/usr/bin/env python3 + +import sys +import subprocess + +def main(): + # If "-E" is in the arguments, modify the following argument + args = sys.argv[1:] + if "-E" in args: + index = args.index("-E") + if index + 1 < len(args): # Check if there's another argument after "-E" + environment_value = args[index + 1] + # Replace \ and - with _ + modified_environment_value = environment_value.replace("\\", "_").replace("-", "_").replace("/","_") + args[index + 1] = modified_environment_value + + # Construct the full puppet command with the modified args + command = ["/opt/puppetlabs/bin/puppet"] + args + subprocess.run(command) + +if __name__ == "__main__": + main() From afb30f9dcec2c89896086cd94a6b7f91130722c7 Mon Sep 17 00:00:00 2001 
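Review bot: `Hash $scripts = {}` in profiles::base::scripts accepts any key and value type, but both are interpolated into paths (`/usr/local/bin/${script_name}` and the template name), so `Hash[String[1], String[1]]` would reject empty or non-string entries at compile time; a key containing `/` would additionally write outside `/usr/local/bin`, and a key type of `Pattern[/\A[A-Za-z0-9._-]+\z/]` rules that out. The header example `script1: script1` hides that the key is the installed name and the value is the template basename; the `puppet: puppetwrapper.py` entry from the hieradata hunk in this commit would be a clearer example, together with a sentence noting that a script named `puppet` shadows the vendor binary for anyone with `/usr/local/bin` early in PATH. There is also a stray blank `+` line at the end of the new file.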
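Review bot: `subprocess.run(command)` on the last line of `main` in puppetwrapper.py.erb discards the child's exit status, so a failed `puppet` run reports success to whatever invoked the wrapper (cron, sudo, a shell script); change it to `sys.exit(subprocess.run(command).returncode)`. The rewrite only touches the first `-E` and ignores the `--environment` / `--environment=` spellings, so the same value passed in long form is forwarded unsanitised — either handle both or state in a comment that only `-E` is rewritten. A one-line comment on why `\\`, `-` and `/` are mapped to `_` (presumably so branch names line up with g10k environment directory names — confirm) would help the next reader.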
From: Ben Vincent Date: Sat, 26 Aug 2023 19:45:43 +1000 Subject: [PATCH 004/229] Updated dns_alt_names for puppetmaster --- site/profiles/manifests/puppet/puppetmaster.pp | 10 +++++++++- site/roles/manifests/base.pp | 6 +++--- 2 files changed, 12 insertions(+), 4 deletions(-) diff --git a/site/profiles/manifests/puppet/puppetmaster.pp b/site/profiles/manifests/puppet/puppetmaster.pp index d50ed16..74c2141 100644 --- a/site/profiles/manifests/puppet/puppetmaster.pp +++ b/site/profiles/manifests/puppet/puppetmaster.pp @@ -34,7 +34,15 @@ class profiles::puppet::puppetmaster { rundir => '/var/run/puppetlabs/puppetserver', pidfile => '/var/run/puppetlabs/puppetserver/puppetserver.pid', codedir => '/etc/puppetlabs/code', - dns_alt_names => ['prodinf01n01.main.unkin.net'], + dns_alt_names => [ + 'prodinf01n01.main.unkin.net', + 'puppet.main.unkin.net', + 'puppetca.main.unkin.net', + 'puppetmaster.main.unkin.net', + 'puppet', + 'puppetca', + 'puppetmaster', + ], server => 'prodinf01n01.main.unkin.net', node_terminus => 'exec', external_nodes => '/opt/puppetlabs/bin/enc', diff --git a/site/roles/manifests/base.pp b/site/roles/manifests/base.pp index 86164e4..d6a7fa2 100644 --- a/site/roles/manifests/base.pp +++ b/site/roles/manifests/base.pp @@ -1,6 +1,6 @@ # a role to deploy the base system # work in progress class roles::base { - include profiles::defaults - include profiles::base - } + include profiles::defaults + include profiles::base +} From 81784f819fddf05247c42a9ffb7e65bb6b9701f3 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Tue, 29 Aug 2023 21:46:39 +1000 Subject: [PATCH 005/229] Show commit version when applying puppet - set the config_version in the environment.conf file --- environment.conf | 1 + 1 file changed, 1 insertion(+) diff --git a/environment.conf b/environment.conf index 4569646..19e7e87 100644 --- a/environment.conf +++ b/environment.conf 
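Review bot: Extending `dns_alt_names` in puppet.conf only affects certificates generated after the change; the puppetserver certificate already issued for prodinf01n01.main.unkin.net keeps its old SANs, so the new names are not trusted until that certificate is revoked and regenerated — a comment above the array saying so, and naming the regeneration procedure used on this site, would save the next operator a confusing TLS failure. The unqualified entries `puppet`, `puppetca` and `puppetmaster` only match for clients whose resolver search list makes them resolve to this host, which is worth stating next to them. The enclosing `class { 'profiles::puppet::server': ... }` declaration starts and ends outside this hunk.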
@@ -1,2 +1,3 @@ manifest = manifests/site.pp modulepath = external_modules:site +config_version = '/usr/bin/grep signature /etc/puppetlabs/code/environments/$environment/.g10k-deploy.json | /usr/bin/cut -d \" -f 4' From 2b11a9417c33f4ba3884921832ef076d386cfd54 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Tue, 29 Aug 2023 23:10:40 +1000 Subject: [PATCH 006/229] Account/Sudo management - imported account and sudo puppet modules - created account management wrapper - defined sysadmin account, set to be created on all nodes - removed sudo from base packages as its managed by sudo module now --- Puppetfile | 2 + hieradata/common.yaml | 4 +- site/profiles/manifests/accounts/sysadmin.pp | 15 +++++++ site/profiles/manifests/base.pp | 7 +++ site/profiles/manifests/base/account.pp | 45 ++++++++++++++++++++ 5 files changed, 72 insertions(+), 1 deletion(-) create mode 100644 site/profiles/manifests/accounts/sysadmin.pp create mode 100644 site/profiles/manifests/base/account.pp diff --git a/Puppetfile b/Puppetfile index 5995d48..e24a9bc 100644 --- a/Puppetfile +++ b/Puppetfile @@ -15,3 +15,5 @@ mod 'puppetlabs-vcsrepo', '6.1.0' mod 'puppetlabs-yumrepo_core', '2.0.0' mod 'puppet-yum', '7.0.0' mod 'puppetlabs-apt', '9.1.0' +mod 'saz-sudo', '8.0.0' +mod 'puppetlabs-accounts', '8.1.0' diff --git a/hieradata/common.yaml b/hieradata/common.yaml index cd02e13..8708200 100644 --- a/hieradata/common.yaml +++ b/hieradata/common.yaml @@ -14,7 +14,6 @@ profiles::base::packages::common: - python3 - screen - strace - - sudo - tmux - vim - vnstat @@ -36,3 +35,6 @@ profiles::puppet::g10k::bin_path: '/opt/puppetlabs/bin/g10k' profiles::puppet::g10k::cfg_path: '/etc/puppetlabs/r10k/r10k.yaml' profiles::puppet::g10k::environments_path: '/etc/puppetlabs/code/environments' profiles::puppet::g10k::default_environment: 'develop' + +profiles::accounts::sysadmin::sshkeys: + - ssh-rsa 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 ben@unkin.net 
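Review bot: The new `config_version` command is run by the server on every catalog compile and parses `.g10k-deploy.json` with `grep | cut -d \" -f 4`, which yields an empty string as soon as the JSON layout shifts and exits non-zero when the file is absent; I cannot tell from here whether Puppet treats a failing config_version command as a compile error, so this should be tried against a freshly created environment directory before it is relied on. A small versioned script (for example a `python3` one-liner using the `json` module) would be more robust and keep the shell quoting out of the INI file. A comment noting that environment.conf interpolates `$environment` into this setting before it is executed would make the reference less surprising.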
diff --git a/site/profiles/manifests/accounts/sysadmin.pp b/site/profiles/manifests/accounts/sysadmin.pp new file mode 100644 index 0000000..81bde92 --- /dev/null +++ b/site/profiles/manifests/accounts/sysadmin.pp @@ -0,0 +1,15 @@ +# create the sysadmin user +class profiles::accounts::sysadmin( + Array[String] $sshkeys = [], +){ + profiles::base::account {'sysadmin': + username => 'sysadmin', + uid => 1000, + gid => 1000, + groups => ['wheel'], + sshkeys => $sshkeys, + sudo_rules => ['sysadmin ALL=(ALL) NOPASSWD:ALL'], + password => '', + ignore_pass => true, + } +} diff --git a/site/profiles/manifests/base.pp b/site/profiles/manifests/base.pp index 5a5493c..7383b59 100644 --- a/site/profiles/manifests/base.pp +++ b/site/profiles/manifests/base.pp @@ -21,4 +21,11 @@ class profiles::base ( packages => hiera('profiles::base::packages::common'), ensure => 'installed', } + + # all hosts will have sudo applied + include sudo + + # default users + include profiles::accounts::sysadmin + } diff --git a/site/profiles/manifests/base/account.pp b/site/profiles/manifests/base/account.pp new file mode 100644 index 0000000..92011b4 --- /dev/null +++ b/site/profiles/manifests/base/account.pp 
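Review bot: The `sudo_rules` entry grants `NOPASSWD:ALL`, so every key in this account's `sshkeys` list is root-equivalent on each node that includes profiles::base; add a comment above the resource stating that, and that the hiera key `profiles::accounts::sysadmin::sshkeys` is therefore what must be reviewed when keys are rotated or staff change. The `groups => ['wheel']` line overlaps with that rule on EL, where wheel already carries a (usually password-protected) sudo rule, so there are two places to audit — keep whichever is intended. The hard-coded `uid => 1000` / `gid => 1000` will collide with a pre-existing first local user on any host not built from a clean image; presumably all nodes are, but a note would help.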
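Review bot: `include sudo` brings in the saz-sudo class with its defaults, which as far as I recall replace /etc/sudoers with the module's template and purge unmanaged files from /etc/sudoers.d, so on the first run after this change any locally added sudo rule disappears and only rules declared through `profiles::base::account` survive. A comment on that line, `# saz-sudo replaces /etc/sudoers and purges /etc/sudoers.d; declare rules via profiles::base::account`, would make the consequence explicit. Verify the `purge` and `config_file_replace` defaults of the 8.0.0 release pinned in the Puppetfile.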
@@ -0,0 +1,45 @@ +# a wrapper for puppetlabs-account and saz-sudo +define profiles::base::account ( + String $username, + Integer $uid, + Integer $gid = undef, + Boolean $manage_home = true, + Boolean $create_group = true, + Boolean $purge_sshkeys = true, + Boolean $system = false, + Boolean $locked = false, + String $password = '!!', + Boolean $ignore_pass = false, + Array[String] $groups = [], + Array[String] $sshkeys = [], + Array[String] $sudo_rules = [], + String $shell = '/usr/bin/bash', +) { + + # Set gid to uid if gid is undef + $final_gid = $gid ? { + undef => $uid, + default => $gid, + } + + # Manage user + accounts::user { $username: + uid => $uid, + gid => $final_gid, + shell => $shell, + groups => $groups, + sshkeys => $sshkeys, + system => $system, + locked => $locked, + password => $password, + create_group => $create_group, + managehome => $manage_home, + purge_sshkeys => $purge_sshkeys, + ignore_password_if_empty => $ignore_pass, + } + + # Manage sudo rules + sudo::conf { "${username}_sudo": + content => $sudo_rules, + } +} From 080cdd8884eac10e09e1d4d2640f96a54ae5498c Mon Sep 17 00:00:00 2001 
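Review bot: `Integer $gid = undef` is not a valid default for a non-optional type — Puppet checks the default against the declared type, so any caller that omits `gid` fails with a type mismatch instead of reaching the `$final_gid` selector below; it should be `Optional[Integer] $gid = undef`. The selector can then stay as written or become `$final_gid = pick($gid, $uid)`, since puppetlabs-stdlib is already in the Puppetfile. Because `password` is forwarded verbatim to `accounts::user`, the header should say what format it expects (presumably an already-hashed value as in /etc/shadow — confirm against the accounts module) and that the `'!!'` default leaves the account locked, so nobody passes a plaintext password here.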
From: Ben Vincent Date: Sat, 26 Aug 2023 23:50:22 +1000 Subject: [PATCH 007/229] Setup PuppetDB/Puppetboard - install modules required - puppetdb - postgresql - puppetboard - python - create new profiles to manage each item (puppetdb/puppetboard) - added puppetdb role - include the puppetdb::master::config in puppetmaster role - re-organised the puppetfile - moved python to be managed by the python module - added postgresql to list of managed repos --- Puppetfile | 23 ++++++---- hieradata/common.yaml | 4 +- hieradata/os/AlmaLinux/AlmaLinux8.yaml | 1 + hieradata/os/AlmaLinux/AlmaLinux9.yaml | 1 + site/profiles/manifests/base.pp | 9 ++++ site/profiles/manifests/puppet/puppetboard.pp | 43 +++++++++++++++++++ site/profiles/manifests/puppet/puppetdb.pp | 38 ++++++++++++++++ .../profiles/manifests/puppet/puppetmaster.pp | 1 + site/roles/manifests/puppet/puppetdb.pp | 7 +++ 9 files changed, 118 insertions(+), 9 deletions(-) create mode 100644 site/profiles/manifests/puppet/puppetboard.pp create mode 100644 site/profiles/manifests/puppet/puppetdb.pp create mode 100644 site/roles/manifests/puppet/puppetdb.pp diff --git a/Puppetfile b/Puppetfile index 5995d48..2ac7bc2 100644 --- a/Puppetfile +++ b/Puppetfile 
@@ -1,17 +1,24 @@ forge 'forge.puppetlabs.com' moduledir 'external_modules' -# Forge Modules +# puppetlabs mod 'puppetlabs-stdlib', '9.1.0' mod 'puppetlabs-inifile', '6.0.0' mod 'puppetlabs-concat', '9.0.0' -#mod 'eyp-eyplib', '0.1.24' -#mod 'eyp-systemd', '3.1.0' -mod 'puppet-systemd', '5.1.0' -mod 'ghoneycutt-puppet', '3.3.0' -mod 'puppet-archive', '7.0.0' -mod 'puppet-chrony', '2.6.0' mod 'puppetlabs-vcsrepo', '6.1.0' mod 'puppetlabs-yumrepo_core', '2.0.0' -mod 'puppet-yum', '7.0.0' mod 'puppetlabs-apt', '9.1.0' +mod 'puppetlabs-puppetdb', '7.13.0' +mod 'puppetlabs-postgresql', '9.1.0' +mod 'puppetlabs-firewall', '6.0.0' + +# puppet +mod 'puppet-python', '7.0.0' +mod 'puppet-systemd', '5.1.0' +mod 'puppet-yum', '7.0.0' +mod 'puppet-archive', '7.0.0' +mod 'puppet-chrony', '2.6.0' +mod 'puppet-puppetboard', '9.0.0' + +# other +mod 'ghoneycutt-puppet', '3.3.0' diff --git a/hieradata/common.yaml b/hieradata/common.yaml index cd02e13..83adf2c 100644 --- a/hieradata/common.yaml +++ b/hieradata/common.yaml @@ -11,7 +11,6 @@ profiles::base::packages::common: - mtr - ncdu - neovim - - python3 - screen - strace - sudo @@ -36,3 +35,6 @@ profiles::puppet::g10k::bin_path: '/opt/puppetlabs/bin/g10k' profiles::puppet::g10k::cfg_path: '/etc/puppetlabs/r10k/r10k.yaml' profiles::puppet::g10k::environments_path: '/etc/puppetlabs/code/environments' profiles::puppet::g10k::default_environment: 'develop' +profiles::puppet::puppetdb::puppetdb_host: prodinf01n04.main.unkin.net +puppetdb::master::config::create_puppet_service_resource: false +puppetdb::master::config::puppetdb_host: "%{lookup('profiles::puppet::puppetdb::puppetdb_host')}" diff --git a/hieradata/os/AlmaLinux/AlmaLinux8.yaml b/hieradata/os/AlmaLinux/AlmaLinux8.yaml index b932b45..3447bca 100644 --- a/hieradata/os/AlmaLinux/AlmaLinux8.yaml +++ b/hieradata/os/AlmaLinux/AlmaLinux8.yaml @@ -6,3 +6,4 @@ profiles::yum::managed_repos: - 'appstream' - 'epel' - 'puppet7' + - 'yum.postgresql.org' 
diff --git a/hieradata/os/AlmaLinux/AlmaLinux9.yaml b/hieradata/os/AlmaLinux/AlmaLinux9.yaml index 2c7f1c2..2613c77 100644 --- a/hieradata/os/AlmaLinux/AlmaLinux9.yaml +++ b/hieradata/os/AlmaLinux/AlmaLinux9.yaml @@ -6,3 +6,4 @@ profiles::yum::managed_repos: - 'appstream' - 'epel' - 'puppet7' + - 'yum.postgresql.org' diff --git a/site/profiles/manifests/base.pp b/site/profiles/manifests/base.pp index 5a5493c..ca34981 100644 --- a/site/profiles/manifests/base.pp +++ b/site/profiles/manifests/base.pp @@ -17,8 +17,17 @@ class profiles::base ( } } + # include the base packages profile class { 'profiles::base::packages': packages => hiera('profiles::base::packages::common'), ensure => 'installed', } + + # include the python class + class { 'python': + manage_python_package => true, + manage_venv_package => true, + manage_pip_package => true, + use_epel => false, + } } diff --git a/site/profiles/manifests/puppet/puppetboard.pp b/site/profiles/manifests/puppet/puppetboard.pp new file mode 100644 index 0000000..85d2d4e --- /dev/null +++ b/site/profiles/manifests/puppet/puppetboard.pp 
@@ -0,0 +1,43 @@ +# Class: profiles::puppet::puppetboard +# +# This class manages the configuration of Puppetboard, a web frontend for PuppetDB. +# +# Parameters: +# - `python_version`: Specifies the Python version used for the virtualenv where Puppetboard runs. +# - `manage_virtualenv`: Determines if this class should handle the creation of the virtual environment for Puppetboard. +# - `reports_count`: Defines the number of reports to show per node in Puppetboard. +# - `offline_mode`: Determines if Puppetboard should work in offline mode or not. +# - `default_environment`: Sets the default Puppet environment to filter results in Puppetboard. +# +# Usage: +# This class can be called directly in your manifests or through Hiera. +# +# Example: +# To use the default parameters (as shown below), you can declare the class: +# +# include profiles::puppet::puppetboard +# +# Alternatively, you can customize the parameters: +# +# class { 'profiles::puppet::puppetboard': +# python_version => '3.8', +# reports_count => 50, +# offline_mode => false, +# } +# +class profiles::puppet::puppetboard ( + String $python_version = '3.6', + Boolean $manage_virtualenv = false, + Integer $reports_count = 40, + Boolean $offline_mode = true, + String $default_environment = '*', +) { + + class { 'puppetboard': + python_version => $python_version, + manage_virtualenv => $manage_virtualenv, + reports_count => $reports_count, + offline_mode => $offline_mode, + default_environment => $default_environment, + } +} diff --git a/site/profiles/manifests/puppet/puppetdb.pp b/site/profiles/manifests/puppet/puppetdb.pp new file mode 100644 index 0000000..eaf2f44 --- /dev/null +++ b/site/profiles/manifests/puppet/puppetdb.pp 
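Review bot: profiles::puppet::puppetboard passes only display-related parameters to the `puppetboard` class and leaves the PuppetDB endpoint and its TLS settings at the module's defaults, so the header should say which PuppetDB the board talks to and how that connection is authenticated, or expose the module's PuppetDB host/certificate parameters through this profile. The header's example `python_version => '3.8'` disagrees with the `'3.6'` default just below it; either is fine, but the text should note that the value must match an interpreter present on the target release. Neither the module nor this profile puts any access control in front of the web UI, which is worth a sentence in the header since the board exposes facts and reports for every node.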
@@ -0,0 +1,38 @@ +# profiles::puppet::puppetdb +# +# This class manages the installation and configuration of PuppetDB +# and its underlying PostgreSQL database on a single node. +# +# It makes use of the puppetlabs-puppetdb module to manage both the +# PuppetDB service and its PostgreSQL backend. +# +class profiles::puppet::puppetdb( + String $puppetdb_host, + String $listen_address = $facts['networking']['ip'], +) { + + # disable the postgresql dnf module for el8+ + if $facts['os']['family'] == 'RedHat' and $facts['os']['release']['major'] >= '8' { + # based on https://github.com/puppetlabs/puppetlabs-postgresql/blob/main/manifests/dnfmodule.pp + package { 'postgresql dnf module': + ensure => 'disabled', + name => 'postgresql', + provider => 'dnfmodule', + before => Class['puppetdb::database::postgresql'], + } + } + + # Install and configure PostgreSQL for PuppetDB + class { 'puppetdb::database::postgresql': + listen_addresses => $listen_address, + postgresql_ssl_on => false, + postgres_version => '15', + puppetdb_server => $puppetdb_host, + before => Class['puppetdb::server'], + } + + class { 'puppetdb::server': + database_host => $listen_address, + postgresql_ssl_on => false, + } +} diff --git a/site/profiles/manifests/puppet/puppetmaster.pp b/site/profiles/manifests/puppet/puppetmaster.pp index a835cc0..366317c 100644 --- a/site/profiles/manifests/puppet/puppetmaster.pp +++ b/site/profiles/manifests/puppet/puppetmaster.pp @@ -27,6 +27,7 @@ class profiles::puppet::puppetmaster { include profiles::puppet::g10k include profiles::puppet::enc include profiles::puppet::autosign + include puppetdb::master::config class { 'profiles::puppet::server': vardir => '/opt/puppetlabs/server/data/puppetserver', diff --git a/site/roles/manifests/puppet/puppetdb.pp b/site/roles/manifests/puppet/puppetdb.pp new file mode 100644 index 0000000..29ece76 --- /dev/null +++ b/site/roles/manifests/puppet/puppetdb.pp 
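Review bot: `$facts['os']['release']['major'] >= '8'` compares two strings, and Puppet's string comparison is lexicographic, so `'10' >= '8'` is false and the dnf module is left enabled on EL10; use `Integer($facts['os']['release']['major']) >= 8` (the `and` short-circuits, so the conversion only runs on RedHat-family hosts). Both `puppetdb::database::postgresql` and `puppetdb::server` run on this one node (the header says so), yet PostgreSQL is bound to the routable `$facts['networking']['ip']` with `postgresql_ssl_on => false`, so the database listens on the network unencrypted; `listen_addresses => 'localhost'` and `database_host => 'localhost'` keep it on loopback unless a remote client is planned, in which case the header should say which. A short comment on why `postgresql_ssl_on` is false in both places would help a later reader decide whether it can be turned on.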
@@ -0,0 +1,7 @@ +# a role to deploy the puppetdb +# work in progress +class roles::puppet::puppetdb { + include profiles::defaults + include profiles::base + include profiles::puppet::puppetdb + } From 86a6c1bd96b9c38a0e8d4dcc7f65e0ddb9052ec8 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sat, 21 Oct 2023 23:52:48 +1100 Subject: [PATCH 008/229] feat: add sudo secure_path - update the sudo class from an include to a definition - set the secure_path variable to include /usr/local/{bin,sbin} --- site/profiles/manifests/base.pp | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/site/profiles/manifests/base.pp b/site/profiles/manifests/base.pp index 23c0746..0f40f27 100644 --- a/site/profiles/manifests/base.pp +++ b/site/profiles/manifests/base.pp @@ -32,7 +32,9 @@ class profiles::base ( } # all hosts will have sudo applied - include sudo + class { 'sudo': + secure_path => '/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/opt/puppetlabs/bin' + } # default users include profiles::accounts::sysadmin From 95434214a9559b9e09c8cb99fc50cc15fc2688be Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sun, 22 Oct 2023 00:32:10 +1100 Subject: [PATCH 009/229] feat: add management of /etc/hosts - add class to manage the /etc/hosts file - add static hosts to /etc/hosts file via hiera array/hash --- hieradata/common.yaml | 15 +++++++++++++ site/profiles/manifests/base.pp | 3 +++ site/profiles/manifests/base/hosts.pp | 30 ++++++++++++++++++++++++++ site/profiles/templates/base/hosts.erb | 15 +++++++++++++ 4 files changed, 63 insertions(+) create mode 100644 site/profiles/manifests/base/hosts.pp create mode 100644 site/profiles/templates/base/hosts.erb diff --git a/hieradata/common.yaml b/hieradata/common.yaml index d07c72a..1520bd2 100644 --- a/hieradata/common.yaml +++ b/hieradata/common.yaml 
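Review bot: The closing brace of roles::puppet::puppetdb is indented by two spaces (`+ }`), the same layout defect that commit 004 corrected in roles/base.pp; it should sit at column 0. The `# work in progress` line carries over from the base role and should say what is still missing for this role, or be dropped.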
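Review bot: The new `secure_path` places `/usr/local/bin` ahead of `/opt/puppetlabs/bin`, and profiles::base::scripts installs a `puppet` wrapper into `/usr/local/bin`, so `sudo puppet ...` now resolves to the wrapper rather than the vendor binary; if that is intended, say so in a comment on the `secure_path` line, otherwise swap the order of those two directories. The `secure_path` value is missing a trailing comma, which puppet-lint flags. The enclosing profiles::base class starts and ends outside this hunk.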
@@ -43,3 +43,18 @@ puppetdb::master::config::puppetdb_host: "%{lookup('profiles::puppet::puppetdb:: profiles::accounts::sysadmin::sshkeys: - ssh-rsa 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 ben@unkin.net + + +profiles::base::hosts::additional_hosts: + - ip: 198.18.17.3 + hostname: prodinf01n01.main.unkin.net + aliases: + - prodinf01n01 + - puppet + - puppetmaster + - puppetca + - ip: 198.18.17.4 + hostname: prodinf01n04.main.unkin.net + aliases: + - prodinf01n04 + - puppetdb diff --git a/site/profiles/manifests/base.pp b/site/profiles/manifests/base.pp index 8e56160..e5831df 100644 --- a/site/profiles/manifests/base.pp +++ b/site/profiles/manifests/base.pp @@ -26,6 +26,9 @@ class profiles::base ( # include admin scripts include profiles::base::scripts + # include admin scripts + include profiles::base::hosts + # include the python class class { 'python': manage_python_package => true, diff --git a/site/profiles/manifests/base/hosts.pp b/site/profiles/manifests/base/hosts.pp new file mode 100644 index 0000000..922b244 --- /dev/null +++ b/site/profiles/manifests/base/hosts.pp @@ -0,0 +1,30 @@ +# basic class to manage the /etc/hosts file from a template +# +# @param additional_hosts: +# An array of hashes with ip/hostname/aliases +# Aliases is an array in case there is a need for multiple aliases +# +# class { 'profiles::base::hosts': +# additional_hosts => [ +# { 'ip' => '192.168.0.10', 'hostname' => 'server1.example.com', 'aliases' => ['server1'] }, +# { 'ip' => '192.168.0.11', 'hostname' => 'server2.example.com' }, +# # ... and so on +# ], +# } +# +class profiles::base::hosts ( + Array[Hash] $additional_hosts = [] +) { + + $fqdn = $facts['networking']['fqdn'] + $hostname = $facts['networking']['hostname'] + + # Ensure the file exists and manage its content + file { '/etc/hosts': + ensure => file, + owner => 'root', + group => 'root', + mode => '0644', + content => template('profiles/base/hosts.erb'), + } +} 
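Review bot: The comment `# include admin scripts` above `include profiles::base::hosts` in base.pp is a copy of the line above it and describes the wrong include; it should read `# manage /etc/hosts`. In hosts.pp, `Array[Hash] $additional_hosts` does not validate the keys the template reads, so a mistyped `hostnmae` in hieradata silently produces a line with a missing field; `Array[Struct[{ ip => Stdlib::IP::Address, hostname => String[1], Optional[aliases] => Array[String[1]] }]]` makes the contract the header describes enforceable at compile time.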
diff --git a/site/profiles/templates/base/hosts.erb b/site/profiles/templates/base/hosts.erb new file mode 100644 index 0000000..45bf0d2 --- /dev/null +++ b/site/profiles/templates/base/hosts.erb @@ -0,0 +1,15 @@ +# /etc/hosts file managed by Puppet + +# The following lines are desirable for IPv4 capable hosts +127.0.0.1 <%= @fqdn %> <%= @hostname %> +127.0.0.1 localhost.localdomain localhost +127.0.0.1 localhost4.localdomain4 localhost4 + +# The following lines are desirable for IPv6 capable hosts +::1 <%= @fqdn %> <%= @hostname %> +::1 localhost.localdomain localhost +::1 localhost6.localdomain6 localhost6 + +<% @additional_hosts.each do |host| -%> +<%= host['ip'] %> <%= host['hostname'] %> <%= host['aliases'].join(' ') if host['aliases'] %> +<% end -%> From c6c36e835189100db47242f94e03850131de774f Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sun, 22 Oct 2023 00:14:00 +1100 Subject: [PATCH 010/229] fix: set the puppetdb_host correctly - change the puppetdb::master::config from include to class statement - set the puppetdb_host value to match what is stored in hiera - disable firewall management on the puppetdb host --- site/profiles/manifests/puppet/puppetdb.pp | 1 + site/profiles/manifests/puppet/puppetmaster.pp | 9 +++++++-- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/site/profiles/manifests/puppet/puppetdb.pp b/site/profiles/manifests/puppet/puppetdb.pp index eaf2f44..9ca7a57 100644 --- a/site/profiles/manifests/puppet/puppetdb.pp +++ b/site/profiles/manifests/puppet/puppetdb.pp @@ -34,5 +34,6 @@ class profiles::puppet::puppetdb( class { 'puppetdb::server': database_host => $listen_address, postgresql_ssl_on => false, + manage_firewall => false, } } diff --git a/site/profiles/manifests/puppet/puppetmaster.pp b/site/profiles/manifests/puppet/puppetmaster.pp index 366317c..76a80b6 100644 --- a/site/profiles/manifests/puppet/puppetmaster.pp +++ b/site/profiles/manifests/puppet/puppetmaster.pp 
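Review bot: hosts.erb maps the node's own FQDN to `127.0.0.1` and `::1`, so any service on the host that resolves its own name binds to or advertises loopback rather than the routable address; that is presumably deliberate for single-homed hosts, but the puppetdb profile in this series deliberately uses `$facts['networking']['ip']`, so a comment at the top of the template stating the intent would prevent surprises. Entries without `aliases` leave trailing whitespace on their line because the `join` is conditional while the preceding space is not; `<%= host['ip'] %> <%= host['hostname'] %><%= " #{host['aliases'].join(' ')}" if host['aliases'] %>` keeps the output clean.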
@@ -22,12 +22,17 @@ # # Limitations: # This is designed to work on Unix-like systems. -class profiles::puppet::puppetmaster { +class profiles::puppet::puppetmaster ( + String $puppetdb_host = lookup('profiles::puppet::puppetdb::puppetdb_host'), +) { include profiles::puppet::r10k include profiles::puppet::g10k include profiles::puppet::enc include profiles::puppet::autosign - include puppetdb::master::config + + class { 'puppetdb::master::config': + puppetdb_server => $puppetdb_host, + } class { 'profiles::puppet::server': vardir => '/opt/puppetlabs/server/data/puppetserver', From f77221563047a73311ceb5f5d947ffe6d66d14f4 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sun, 22 Oct 2023 01:30:57 +1100 Subject: [PATCH 011/229] fix: found typo in r10k script --- site/profiles/manifests/puppet/r10k.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/site/profiles/manifests/puppet/r10k.pp b/site/profiles/manifests/puppet/r10k.pp index c404be7..29d302f 100644 --- a/site/profiles/manifests/puppet/r10k.pp +++ b/site/profiles/manifests/puppet/r10k.pp @@ -52,7 +52,7 @@ class profiles::puppet::r10k ( group => 'root', mode => '0755', content => "#!/bin/bash\n( - cd /etc/puppetlabls/r10k + cd /etc/puppetlabs/r10k git reset --hard master git clean -fd git pull\n)", From 6bb52f2a1577ced8e17d9131338e62702cfe532b Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sun, 22 Oct 2023 19:54:10 +1100 Subject: [PATCH 012/229] feat: add firewalld management profile - basic profile to enable/disable, and install/remove - defaulting to enabled and installed, but set to disabled and removed in hiera --- hieradata/os/AlmaLinux/all_releases.yaml | 3 ++ site/profiles/manifests/base.pp | 1 + site/profiles/manifests/firewall/firewalld.pp | 32 +++++++++++++++++++ 3 files changed, 36 insertions(+) create mode 100644 site/profiles/manifests/firewall/firewalld.pp 
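Review bot: `String $puppetdb_host = lookup('profiles::puppet::puppetdb::puppetdb_host')` hard-wires another class's Hiera key into the parameter default, bypassing the automatic `profiles::puppet::puppetmaster::puppetdb_host` binding the rest of the hieradata relies on, and a bare `lookup()` aborts compilation with a lookup error rather than a parameter error when the key is missing. Declare it as `Stdlib::Fqdn $puppetdb_host,` (it is the name the PuppetDB TLS certificate presumably has to match, so an arbitrary `String` is too loose) and bind it in common.yaml with `profiles::puppet::puppetmaster::puppetdb_host: "%{lookup('profiles::puppet::puppetdb::puppetdb_host')}"`, mirroring the interpolation already used there for `puppetdb::master::config::puppetdb_host`.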
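Review bot: The r10k update script fixed here still runs `git reset --hard master`, `git clean -fd` and `git pull` unconditionally after the `cd`, so exactly the class of bug this commit corrects — a failing `cd` — would have executed a destructive `reset --hard`/`clean -fd` in whatever directory the caller happened to be in (harmless only if that is not a git working tree). Make the subshell fail closed: `#!/bin/bash\nset -euo pipefail\n(\n cd /etc/puppetlabs/r10k || exit 1 …`, or at minimum `cd /etc/puppetlabs/r10k || exit 1`. Note also that `git reset --hard master` resets to the *local* `master` ref rather than `origin/master`, which I would guess is the intent; `git fetch origin && git reset --hard origin/master` makes the checkout track the remote deterministically. The `file` resource this content belongs to starts outside the hunk.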
diff --git a/hieradata/os/AlmaLinux/all_releases.yaml b/hieradata/os/AlmaLinux/all_releases.yaml index beee352..230dbd0 100644 --- a/hieradata/os/AlmaLinux/all_releases.yaml +++ b/hieradata/os/AlmaLinux/all_releases.yaml @@ -2,3 +2,6 @@ --- profiles::yum::base::baseurl: http://almalinux.mirror.digitalpacific.com.au profiles::yum::epel::baseurl: http://epel.mirror.digitalpacific.com.au +profiles::firewall::firewalld::ensure_package: 'absent' +profiles::firewall::firewalld::ensure_service: 'stopped' +profiles::firewall::firewalld::enable_service: false diff --git a/site/profiles/manifests/base.pp b/site/profiles/manifests/base.pp index e5831df..056d3e1 100644 --- a/site/profiles/manifests/base.pp +++ b/site/profiles/manifests/base.pp @@ -8,6 +8,7 @@ class profiles::base ( case $facts['os']['family'] { 'RedHat': { include profiles::yum::global + include profiles::firewall::firewalld } 'Debian': { include profiles::apt::global diff --git a/site/profiles/manifests/firewall/firewalld.pp b/site/profiles/manifests/firewall/firewalld.pp new file mode 100644 index 0000000..eaafda7 --- /dev/null +++ b/site/profiles/manifests/firewall/firewalld.pp 
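Review bot: The AlmaLinux overrides remove firewalld from every EL host (`ensure_package: 'absent'`, service stopped and disabled), while the same series turns off module-managed firewalling for PuppetDB and runs PostgreSQL on the host IP with SSL off, so no host-level network filter remains on the fleet. If that is deliberate because filtering happens upstream, record it beside these keys (`# host firewall intentionally removed: filtering is done at <where>`); otherwise keep firewalld installed and running and open only what each role needs (the usual 8140 on the master, 8081 on puppetdb, 5432 on the sql node from the puppetdb host). The profile's own default is installed/running, so this hiera layer is the single place where the weaker posture is chosen and the one that should justify it.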
@@ -0,0 +1,32 @@ +# Manages the firewalld package and service on RedHat-like distributions. +# +# @param ensure_package Determines the state of the firewalld package. +# Can be set to 'absent' to remove the package or 'installed' to ensure it's present. +# +# @param ensure_service Determines the state of the firewalld service. +# Can be set to 'stopped' to stop the service or 'running' to ensure it's active. +# +# @param enable_service A boolean that specifies whether to enable or disable the firewalld service on boot. +# +class profiles::firewall::firewalld ( + Enum['absent', 'installed'] $ensure_package = 'installed', + Enum['stopped', 'running'] $ensure_service = 'running', + Boolean $enable_service = true, +) { + # Ensure it only runs on RedHat like distributions + if $facts['os']['family'] == 'RedHat' { + + # Manage the firewalld package + package { 'firewalld': + ensure => $ensure_package, + } + + # Manage the firewalld service + service { 'firewalld': + ensure => $ensure_service, + enable => $enable_service, + hasrestart => true, + require => Package['firewalld'], + } + } +} From e682462917518767a91df8f980cb52cb4d2ef9a9 Mon Sep 17 00:00:00 2001 
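Review bot: With `ensure_package => 'absent'` (the value the AlmaLinux hieradata selects), `require => Package['firewalld']` on the service orders the package removal *before* the service is stopped, and Puppet is then asked to stop/disable a `firewalld` unit whose files have just been uninstalled, which on systemd hosts may surface as a failed or noisy resource on every run. Derive the ordering from the requested state instead of a fixed `require`: stop and disable the unit while it still exists when removing, install before starting when installing. A short header note that the class is intentionally a no-op on non-RedHat families (the `if $facts['os']['family'] == 'RedHat'` guard duplicates the one in base.pp) would also help.
```puppet
    # Manage the firewalld package
    package { 'firewalld':
      ensure => $ensure_package,
    }

    # Manage the firewalld service (no fixed `require`; ordering is chosen below)
    service { 'firewalld':
      ensure     => $ensure_service,
      enable     => $enable_service,
      hasrestart => true,
    }

    # Removing: stop/disable the unit while its files still exist, then uninstall.
    # Installing: the package must be present before the service can start.
    if $ensure_package == 'absent' {
      Service['firewalld'] -> Package['firewalld']
    } else {
      Package['firewalld'] -> Service['firewalld']
    }
```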
From: Ben Vincent Date: Sun, 22 Oct 2023 19:46:10 +1100 Subject: [PATCH 013/229] feat: split puppetdb role into api and sql - add puppetdb_api and puppetdb_sql role - add puppetdb_api and puppetdb_sql profile - add prodinf01n05 to /etc/hosts file - set listen_address for all services to be hosts ip - set storeconfigs and storeconfigs_backend to be managed by puppetmaster profile --- hieradata/common.yaml | 7 +++- site/profiles/manifests/puppet/puppetdb.pp | 39 ------------------- .../profiles/manifests/puppet/puppetdb_api.pp | 16 ++++++++ .../profiles/manifests/puppet/puppetdb_sql.pp | 27 +++++++++++++ .../profiles/manifests/puppet/puppetmaster.pp | 29 +++++++------- site/profiles/manifests/puppet/server.pp | 28 +++++++------ .../templates/puppet/server/puppet.conf.epp | 2 + site/roles/manifests/puppet/puppetdb_api.pp | 6 +++ site/roles/manifests/puppet/puppetdb_sql.pp | 6 +++ 9 files changed, 95 insertions(+), 65 deletions(-) delete mode 100644 site/profiles/manifests/puppet/puppetdb.pp create mode 100644 site/profiles/manifests/puppet/puppetdb_api.pp create mode 100644 site/profiles/manifests/puppet/puppetdb_sql.pp create mode 100644 site/roles/manifests/puppet/puppetdb_api.pp create mode 100644 site/roles/manifests/puppet/puppetdb_sql.pp diff --git a/hieradata/common.yaml b/hieradata/common.yaml index 1520bd2..eea398c 100644 --- a/hieradata/common.yaml +++ b/hieradata/common.yaml 
@@ -38,8 +38,9 @@ profiles::puppet::g10k::cfg_path: '/etc/puppetlabs/r10k/r10k.yaml' profiles::puppet::g10k::environments_path: '/etc/puppetlabs/code/environments' profiles::puppet::g10k::default_environment: 'develop' profiles::puppet::puppetdb::puppetdb_host: prodinf01n04.main.unkin.net +profiles::puppet::puppetdb::postgres_host: prodinf01n05.main.unkin.net puppetdb::master::config::create_puppet_service_resource: false -puppetdb::master::config::puppetdb_host: "%{lookup('profiles::puppet::puppetdb::puppetdb_host')}" +#puppetdb::master::config::puppetdb_host: "%{lookup('profiles::puppet::puppetdb::puppetdb_host')}" profiles::accounts::sysadmin::sshkeys: - ssh-rsa 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 ben@unkin.net @@ -58,3 +59,7 @@ profiles::base::hosts::additional_hosts: aliases: - prodinf01n04 - puppetdb + - ip: 198.18.17.5 + hostname: prodinf01n05.main.unkin.net + aliases: + - prodinf01n05 diff --git a/site/profiles/manifests/puppet/puppetdb.pp b/site/profiles/manifests/puppet/puppetdb.pp deleted file mode 100644 index 9ca7a57..0000000 --- a/site/profiles/manifests/puppet/puppetdb.pp +++ /dev/null 
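Review bot: The `puppetdb::master::config::puppetdb_host` line is commented out rather than removed now that `profiles::puppet::puppetmaster` passes `puppetdb_server` explicitly, leaving dead configuration in common.yaml that a future reader has to reconcile against the manifest; drop the line, git history already keeps it. The new `profiles::puppet::puppetdb::postgres_host` key (like `puppetdb_host` above it) is consumed through `lookup()` from other classes, which its name does not reveal — a one-line comment above the pair, `# shared by the puppetmaster, puppetdb_api and puppetdb_sql profiles via lookup()`, would make that explicit.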
@@ -1,39 +0,0 @@ -# profiles::puppet::puppetdb -# -# This class manages the installation and configuration of PuppetDB -# and its underlying PostgreSQL database on a single node. -# -# It makes use of the puppetlabs-puppetdb module to manage both the -# PuppetDB service and its PostgreSQL backend. -# -class profiles::puppet::puppetdb( - String $puppetdb_host, - String $listen_address = $facts['networking']['ip'], -) { - - # disable the postgresql dnf module for el8+ - if $facts['os']['family'] == 'RedHat' and $facts['os']['release']['major'] >= '8' { - # based on https://github.com/puppetlabs/puppetlabs-postgresql/blob/main/manifests/dnfmodule.pp - package { 'postgresql dnf module': - ensure => 'disabled', - name => 'postgresql', - provider => 'dnfmodule', - before => Class['puppetdb::database::postgresql'], - } - } - - # Install and configure PostgreSQL for PuppetDB - class { 'puppetdb::database::postgresql': - listen_addresses => $listen_address, - postgresql_ssl_on => false, - postgres_version => '15', - puppetdb_server => $puppetdb_host, - before => Class['puppetdb::server'], - } - - class { 'puppetdb::server': - database_host => $listen_address, - postgresql_ssl_on => false, - manage_firewall => false, - } -} diff --git a/site/profiles/manifests/puppet/puppetdb_api.pp b/site/profiles/manifests/puppet/puppetdb_api.pp new file mode 100644 index 0000000..fb1be2e --- /dev/null +++ b/site/profiles/manifests/puppet/puppetdb_api.pp @@ -0,0 +1,16 @@ +# configure the puppetdb api service +class profiles::puppet::puppetdb_api ( + String $postgres_host = lookup('profiles::puppet::puppetdb::postgres_host'), + String $listen_address = $facts['networking']['ip'], +) { + + class { 'puppetdb::server': + database_host => $postgres_host, + manage_firewall => false, + ssl_listen_address => $listen_address, + listen_address => $listen_address, + } + + contain ::puppetdb::server + +} 
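Review bot: `listen_address => $listen_address` in puppetdb_api.pp binds PuppetDB's plain-HTTP endpoint to the host IP (the class default is `$facts['networking']['ip']`), and that endpoint carries the full query and command API with no authentication, so every fact, catalog and report in PuppetDB becomes readable — and writable — by anything that can reach the node, which after the firewalld removal in this series is no longer filtered on the host. Only the TLS listener (`ssl_listen_address`, client-certificate authenticated) needs to be on the network; puppetboard is configured for port 8081 later in this series and the master presumably uses the TLS port as well, so set `listen_address => '127.0.0.1'` or drop the parameter to keep the module's loopback default. Separately, `postgresql_ssl_on` is left at the module default while the database now lives on another node (`database_host => $postgres_host`), so the PuppetDB↔PostgreSQL session, credentials included — presumably a well-known module default password, since none is set here — crosses the network in the clear; enable SSL on both profiles and set an explicit `database_password` from an eyaml/secret source.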
diff --git a/site/profiles/manifests/puppet/puppetdb_sql.pp b/site/profiles/manifests/puppet/puppetdb_sql.pp new file mode 100644 index 0000000..2d80d30 --- /dev/null +++ b/site/profiles/manifests/puppet/puppetdb_sql.pp @@ -0,0 +1,27 @@ +# configure the puppetdb sql service +class profiles::puppet::puppetdb_sql ( + String $puppetdb_host = lookup('profiles::puppet::puppetdb::puppetdb_host'), + String $listen_address = $facts['networking']['ip'], +) { + + # disable the postgresql dnf module for el8+ + if $facts['os']['family'] == 'RedHat' and $facts['os']['release']['major'] >= '8' { + # based on https://github.com/puppetlabs/puppetlabs-postgresql/blob/main/manifests/dnfmodule.pp + package { 'postgresql dnf module': + ensure => 'disabled', + name => 'postgresql', + provider => 'dnfmodule', + before => Class['puppetdb::database::postgresql'], + } + } + + # Install and configure PostgreSQL for PuppetDB + class { 'puppetdb::database::postgresql': + listen_addresses => $listen_address, + postgres_version => '15', + puppetdb_server => $puppetdb_host, + } + + contain ::puppetdb::database::postgresql + +} diff --git a/site/profiles/manifests/puppet/puppetmaster.pp b/site/profiles/manifests/puppet/puppetmaster.pp index 76a80b6..f2a559a 100644 --- a/site/profiles/manifests/puppet/puppetmaster.pp +++ b/site/profiles/manifests/puppet/puppetmaster.pp 
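Review bot: `$facts['os']['release']['major'] >= '8'` compares two strings, and Puppet orders strings lexically, so the check holds for '8' and '9' but is false for '10' — on a future EL10 host the dnf module would not be disabled and the PostgreSQL 15 install would presumably fall back to the distro module stream. Use `versioncmp($facts['os']['release']['major'], '8') >= 0` (or `Integer($facts['os']['release']['major']) >= 8`). Security-wise, this node now exposes PostgreSQL on the host IP (`listen_addresses => $listen_address`) to a PuppetDB server on a different host while `postgresql_ssl_on` is left at the module default (false, the value the removed single-node profile set explicitly), so credentials and all stored catalog/fact data travel between the two nodes unencrypted; turning `postgresql_ssl_on` on here and in `profiles::puppet::puppetdb_api` closes that. The `lookup()`-as-default pattern has the same drawbacks as in puppetmaster.pp — prefer a proper `profiles::puppet::puppetdb_sql::puppetdb_host` binding.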
@@ -31,16 +31,17 @@ class profiles::puppet::puppetmaster ( include profiles::puppet::autosign class { 'puppetdb::master::config': - puppetdb_server => $puppetdb_host, + puppetdb_server => $puppetdb_host, + manage_storeconfigs => false, } class { 'profiles::puppet::server': - vardir => '/opt/puppetlabs/server/data/puppetserver', - logdir => '/var/log/puppetlabs/puppetserver', - rundir => '/var/run/puppetlabs/puppetserver', - pidfile => '/var/run/puppetlabs/puppetserver/puppetserver.pid', - codedir => '/etc/puppetlabs/code', - dns_alt_names => [ + vardir => '/opt/puppetlabs/server/data/puppetserver', + logdir => '/var/log/puppetlabs/puppetserver', + rundir => '/var/run/puppetlabs/puppetserver', + pidfile => '/var/run/puppetlabs/puppetserver/puppetserver.pid', + codedir => '/etc/puppetlabs/code', + dns_alt_names => [ 'prodinf01n01.main.unkin.net', 'puppet.main.unkin.net', 'puppetca.main.unkin.net', @@ -49,11 +50,13 @@ class profiles::puppet::puppetmaster ( 'puppetca', 'puppetmaster', ], - server => 'prodinf01n01.main.unkin.net', - node_terminus => 'exec', - external_nodes => '/opt/puppetlabs/bin/enc', - autosign => '/etc/puppetlabs/puppet/autosign.conf', - default_manifest => '/etc/puppetlabs/code/environments/develop/manifests', - default_environment => 'develop', + server => 'prodinf01n01.main.unkin.net', + node_terminus => 'exec', + external_nodes => '/opt/puppetlabs/bin/enc', + autosign => '/etc/puppetlabs/puppet/autosign.conf', + default_manifest => '/etc/puppetlabs/code/environments/develop/manifests', + default_environment => 'develop', + storeconfigs => true, + storeconfigs_backend => 'puppetdb', } } diff --git a/site/profiles/manifests/puppet/server.pp b/site/profiles/manifests/puppet/server.pp index ca68998..bfec7d1 100644 --- a/site/profiles/manifests/puppet/server.pp +++ b/site/profiles/manifests/puppet/server.pp 
@@ -27,6 +27,8 @@ class profiles::puppet::server ( String $autosign, String $default_manifest, String $default_environment, + Boolean $storeconfigs, + String $storeconfigs_backend, ) { file { '/etc/puppetlabs/puppet/puppet.conf': @@ -35,18 +37,20 @@ class profiles::puppet::server ( group => 'root', mode => '0644', content => epp('profiles/puppet/server/puppet.conf.epp', { - 'vardir' => $vardir, - 'logdir' => $logdir, - 'rundir' => $rundir, - 'pidfile' => $pidfile, - 'codedir' => $codedir, - 'dns_alt_names' => join($dns_alt_names, ','), - 'server' => $server, - 'node_terminus' => $node_terminus, - 'external_nodes' => $external_nodes, - 'autosign' => $autosign, - 'default_manifest' => $default_manifest, - 'default_environment' => $default_environment, + 'vardir' => $vardir, + 'logdir' => $logdir, + 'rundir' => $rundir, + 'pidfile' => $pidfile, + 'codedir' => $codedir, + 'dns_alt_names' => join($dns_alt_names, ','), + 'server' => $server, + 'node_terminus' => $node_terminus, + 'external_nodes' => $external_nodes, + 'autosign' => $autosign, + 'default_manifest' => $default_manifest, + 'default_environment' => $default_environment, + 'storeconfigs' => $storeconfigs, + 'storeconfigs_backend' => $storeconfigs_backend, }), notify => Service['puppetserver'], } diff --git a/site/profiles/templates/puppet/server/puppet.conf.epp b/site/profiles/templates/puppet/server/puppet.conf.epp index a22777b..c241a70 100644 --- a/site/profiles/templates/puppet/server/puppet.conf.epp +++ b/site/profiles/templates/puppet/server/puppet.conf.epp @@ -17,3 +17,5 @@ external_nodes = <%= $external_nodes %> autosign = <%= $autosign %> default_manifest = <%= $default_manifest %> default_environment = <%= $default_environment %> +storeconfigs = <%= $storeconfigs %> +storeconfigs_backend = <%= $storeconfigs_backend %> diff --git a/site/roles/manifests/puppet/puppetdb_api.pp b/site/roles/manifests/puppet/puppetdb_api.pp new file mode 100644 index 0000000..991102d --- /dev/null 
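Review bot: The two new parameters `Boolean $storeconfigs` and `String $storeconfigs_backend` are added to the signature without documentation, and the class header is outside the hunk, so it presumably still stops at `default_environment`; add `@param storeconfigs Written as storeconfigs = ... to puppet.conf; enables catalog/fact storage via the backend below` and `@param storeconfigs_backend Written as storeconfigs_backend = ... to puppet.conf; 'puppetdb' is the only backend Puppet 7 ships`. Given that, `Enum['puppetdb'] $storeconfigs_backend` would reject a typo at compile time instead of producing a puppetserver that refuses to start.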
+++ b/site/roles/manifests/puppet/puppetdb_api.pp @@ -0,0 +1,6 @@ +# a role to deploy the puppetdb api service +class roles::puppet::puppetdb_api { + include profiles::defaults + include profiles::base + include profiles::puppet::puppetdb_api + } diff --git a/site/roles/manifests/puppet/puppetdb_sql.pp b/site/roles/manifests/puppet/puppetdb_sql.pp new file mode 100644 index 0000000..db640a3 --- /dev/null +++ b/site/roles/manifests/puppet/puppetdb_sql.pp @@ -0,0 +1,6 @@ +# a role to deploy the puppetdb postgresql service +class roles::puppet::puppetdb_sql { + include profiles::defaults + include profiles::base + include profiles::puppet::puppetdb_sql + } From 0171a82d58e79eda2877f5e8a2424cdd78c0ab84 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Mon, 23 Oct 2023 22:34:53 +1100 Subject: [PATCH 014/229] feat: add features to puppet.conf - reports, for sending reports to puppetdb - usecacheonfailure, to show faulures in puppetboard (when set to false) --- site/profiles/manifests/puppet/puppetmaster.pp | 2 ++ site/profiles/manifests/puppet/server.pp | 4 ++++ site/profiles/templates/puppet/server/puppet.conf.epp | 2 ++ 3 files changed, 8 insertions(+) diff --git a/site/profiles/manifests/puppet/puppetmaster.pp b/site/profiles/manifests/puppet/puppetmaster.pp index f2a559a..9819d5e 100644 --- a/site/profiles/manifests/puppet/puppetmaster.pp +++ b/site/profiles/manifests/puppet/puppetmaster.pp @@ -58,5 +58,7 @@ class profiles::puppet::puppetmaster ( default_environment => 'develop', storeconfigs => true, storeconfigs_backend => 'puppetdb', + reports => 'puppetdb', + usecacheonfailure => false, } } diff --git a/site/profiles/manifests/puppet/server.pp b/site/profiles/manifests/puppet/server.pp index bfec7d1..7f0aec5 100644 --- a/site/profiles/manifests/puppet/server.pp +++ b/site/profiles/manifests/puppet/server.pp 
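Review bot: Both new role classes close with an indented ` }` (a leading space before the brace), which puppet-lint flags and which is inconsistent with the ceph roles added later in this series, whose closing brace sits at column 0. Put `}` at column 0 in `roles::puppet::puppetdb_api` and `roles::puppet::puppetdb_sql`.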
@@ -29,6 +29,8 @@ class profiles::puppet::server ( String $default_environment, Boolean $storeconfigs, String $storeconfigs_backend, + String $reports, + Boolean $usecacheonfailure, ) { file { '/etc/puppetlabs/puppet/puppet.conf': @@ -51,6 +53,8 @@ class profiles::puppet::server ( 'default_environment' => $default_environment, 'storeconfigs' => $storeconfigs, 'storeconfigs_backend' => $storeconfigs_backend, + 'reports' => $reports, + 'usecacheonfailure' => $usecacheonfailure, }), notify => Service['puppetserver'], } diff --git a/site/profiles/templates/puppet/server/puppet.conf.epp b/site/profiles/templates/puppet/server/puppet.conf.epp index c241a70..226346d 100644 --- a/site/profiles/templates/puppet/server/puppet.conf.epp +++ b/site/profiles/templates/puppet/server/puppet.conf.epp @@ -19,3 +19,5 @@ default_manifest = <%= $default_manifest %> default_environment = <%= $default_environment %> storeconfigs = <%= $storeconfigs %> storeconfigs_backend = <%= $storeconfigs_backend %> +reports = <%= $reports %> +usecacheonfailure = <%= $usecacheonfailure %> From 46c3eb9597a0c7c183f0151103b8def5d650cd00 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Mon, 23 Oct 2023 22:30:15 +1100 Subject: [PATCH 015/229] feat: add puppetboard role - add nginx module to manage reverse proxy on host level - add puppetboard venv - add gunicorn instance - add script to start the gunicorn instance - add nginx vhost --- Puppetfile | 1 + hieradata/common.yaml | 4 + site/profiles/manifests/puppet/puppetboard.pp | 138 ++++++++++++++---- .../puppetboard/puppetboard.service.erb | 12 ++ .../puppet/puppetboard/start_puppetboard.erb | 7 + site/roles/manifests/puppet/puppetboard.pp | 6 + 6 files changed, 139 insertions(+), 29 deletions(-) create mode 100644 site/profiles/templates/puppet/puppetboard/puppetboard.service.erb create mode 100644 site/profiles/templates/puppet/puppetboard/start_puppetboard.erb create mode 100644 site/roles/manifests/puppet/puppetboard.pp 
diff --git a/Puppetfile b/Puppetfile index 5ad891a..e4f3c7d 100644 --- a/Puppetfile +++ b/Puppetfile @@ -20,6 +20,7 @@ mod 'puppet-yum', '7.0.0' mod 'puppet-archive', '7.0.0' mod 'puppet-chrony', '2.6.0' mod 'puppet-puppetboard', '9.0.0' +mod 'puppet-nginx', '5.0.0' # other mod 'ghoneycutt-puppet', '3.3.0' diff --git a/hieradata/common.yaml b/hieradata/common.yaml index eea398c..0a0ce3e 100644 --- a/hieradata/common.yaml +++ b/hieradata/common.yaml @@ -63,3 +63,7 @@ profiles::base::hosts::additional_hosts: hostname: prodinf01n05.main.unkin.net aliases: - prodinf01n05 + - ip: 198.18.17.6 + hostname: prodinf01n06.main.unkin.net + aliases: + - prodinf01n06 diff --git a/site/profiles/manifests/puppet/puppetboard.pp b/site/profiles/manifests/puppet/puppetboard.pp index 85d2d4e..0085eb5 100644 --- a/site/profiles/manifests/puppet/puppetboard.pp +++ b/site/profiles/manifests/puppet/puppetboard.pp 
@@ -1,43 +1,123 @@ # Class: profiles::puppet::puppetboard # -# This class manages the configuration of Puppetboard, a web frontend for PuppetDB. -# -# Parameters: -# - `python_version`: Specifies the Python version used for the virtualenv where Puppetboard runs. -# - `manage_virtualenv`: Determines if this class should handle the creation of the virtual environment for Puppetboard. -# - `reports_count`: Defines the number of reports to show per node in Puppetboard. -# - `offline_mode`: Determines if Puppetboard should work in offline mode or not. -# - `default_environment`: Sets the default Puppet environment to filter results in Puppetboard. -# -# Usage: -# This class can be called directly in your manifests or through Hiera. -# -# Example: -# To use the default parameters (as shown below), you can declare the class: -# -# include profiles::puppet::puppetboard -# -# Alternatively, you can customize the parameters: -# -# class { 'profiles::puppet::puppetboard': -# python_version => '3.8', -# reports_count => 50, -# offline_mode => false, -# } +# This class manages the Puppetboard, a web interface to PuppetDB. 
# class profiles::puppet::puppetboard ( - String $python_version = '3.6', - Boolean $manage_virtualenv = false, - Integer $reports_count = 40, - Boolean $offline_mode = true, - String $default_environment = '*', + String $python_version = '3.6', + Boolean $manage_virtualenv = false, + Integer $reports_count = 40, + Boolean $offline_mode = true, + String $default_environment = '*', + String $puppetdb_host = lookup('profiles::puppet::puppetdb::puppetdb_host'), + Stdlib::AbsolutePath $basedir = '/opt/puppetboard', + Stdlib::Absolutepath $virtualenv_dir = "${basedir}/venv", + Stdlib::Absolutepath $settings_file = "${basedir}/settings.py", + String $user = 'puppetboard', + String $group = 'puppetboard', + String $gunicorn_bind = '127.0.0.1:8080', + String $gunicorn_bind_prefix = 'http://', + Integer $gunicorn_workers = 1, + Integer $gunicorn_threads = 4, + String $nginx_vhost = 'puppetboard.main.unkin.net', + Integer $nginx_port = 80, + #String[1] $secret_key = "${fqdn_rand_string(32)}", ) { + # store puppet-agents ssl settings/certname + $ssl_dir = $::settings::ssldir + $puppetboard_certname = $trusted['certname'] + + # setup the puppetboard venv class { 'puppetboard': python_version => $python_version, manage_virtualenv => $manage_virtualenv, reports_count => $reports_count, offline_mode => $offline_mode, + basedir => $basedir, + virtualenv_dir => $virtualenv_dir, + settings_file => $settings_file, + #secret_key => $secret_key, default_environment => $default_environment, + puppetdb_host => $puppetdb_host, + puppetdb_port => 8081, + puppetdb_key => "${basedir}/ssl/${puppetboard_certname}.pem", + puppetdb_ssl_verify => "${ssl_dir}/certs/ca.pem", + puppetdb_cert => "${ssl_dir}/certs/${puppetboard_certname}.pem", + user => $user, + group => $group, + notify => Service['puppetboard.service'], + } + + # install gunicorn + python::pip { 'puppetboard_gunicorn': + ensure => 'latest', + pkgname => 'gunicorn', + virtualenv => $virtualenv_dir, + require => Class['puppetboard'], 
+ } + + # create ssl dir for puppetboard + file { "${basedir}/ssl": + ensure => directory, + owner => $user, + group => $group, + mode => '0750', + require => Class['puppetboard'], + } + + # copy the ssl certs for puppetboard + file { "${basedir}/ssl/${puppetboard_certname}.pem": + ensure => present, + owner => $user, + group => $group, + mode => '0750', + source => "${ssl_dir}/private_keys/${puppetboard_certname}.pem", + require => File["${basedir}/ssl"], + notify => Service['puppetboard.service'], + } + + # create script to start service + file { "${virtualenv_dir}/bin/start_puppetboard": + ensure => file, + owner => $user, + group => $group, + mode => '0755', + content => template('profiles/puppet/puppetboard/start_puppetboard.erb'), + require => Class['puppetboard'], + notify => Service['puppetboard.service'], + } + + # create systemd service unit + systemd::unit_file { 'puppetboard.service': + content => template('profiles/puppet/puppetboard/puppetboard.service.erb'), + active => true, + enable => true, + require => File["${virtualenv_dir}/bin/start_puppetboard"], + } + + # ensure the nginx service is managed + class { 'nginx': } + + # create the nginx vhost + nginx::resource::server { $nginx_vhost: + listen_port => $nginx_port, + server_name => [$nginx_vhost], + proxy => "${gunicorn_bind_prefix}${gunicorn_bind}", + proxy_set_header => [ + 'Host $http_host', + 'X-Real-IP $remote_addr', + 'X-Scheme $scheme', + ], + proxy_pass_header => ['Server'], + proxy_redirect => 'off', + proxy_connect_timeout => '10s', + proxy_read_timeout => '10s', + } + + # service static files from nginx for performance + nginx::resource::location { "${nginx_vhost}_static": + location => '/static', + server => $nginx_vhost, + location_alias => "${virtualenv_dir}/lib/python${python_version}/site-packages/puppetboard/static", } } 
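Review bot: In puppetboard.pp the copy of the node's private key, `file { "${basedir}/ssl/${puppetboard_certname}.pem": ... mode => '0750' }`, gives a private key execute bits and group read access; it should be `ensure => 'file'` and `mode => '0400'` (the service runs as `$user`, so owner-read is sufficient). Reusing the node's agent certificate for the dashboard also means PuppetDB's certificate allow-list cannot distinguish puppetboard from the agent on that host — a trade-off rather than a defect, but one to note in a comment or avoid with a dedicated certificate. The `nginx::resource::server` on `$nginx_port = 80` proxies the app with no TLS and no authentication, so everything PuppetDB holds (facts, catalogs, reports — which routinely include usernames, package lists and sometimes secrets in custom facts) is readable by anyone who can reach the host; at minimum enable `ssl => true` with a certificate and put an `auth_basic` or SSO gate in front. `python::pip { 'puppetboard_gunicorn': ensure => 'latest' }` installs an unpinned gunicorn from PyPI and drifts on every run; pin the version. The commented-out `$secret_key` leaves Flask's session secret at whatever the puppet-puppetboard module defaults to — if that default is static or regenerated per run, sessions are respectively forgeable or constantly invalidated — so set it from hiera/eyaml rather than leaving the line commented.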
diff --git a/site/profiles/templates/puppet/puppetboard/puppetboard.service.erb b/site/profiles/templates/puppet/puppetboard/puppetboard.service.erb new file mode 100644 index 0000000..08fec4d --- /dev/null +++ b/site/profiles/templates/puppet/puppetboard/puppetboard.service.erb @@ -0,0 +1,12 @@ +[Unit] +Description=puppetboard daemon +After=network.target +[Service] +Type=simple +User=<%= @user %> +Group=<%= @group %> +Environment="PUPPETBOARD_SETTINGS=<%= @settings_file %>" +ExecStart=<%= @virtualenv_dir %>/bin/start_puppetboard +PrivateTmp=true +[Install] +WantedBy=multi-user.target diff --git a/site/profiles/templates/puppet/puppetboard/start_puppetboard.erb b/site/profiles/templates/puppet/puppetboard/start_puppetboard.erb new file mode 100644 index 0000000..46e6da3 --- /dev/null +++ b/site/profiles/templates/puppet/puppetboard/start_puppetboard.erb @@ -0,0 +1,7 @@ +#!/usr/bin/env bash +<%= @virtualenv_dir %>/bin/gunicorn \ + --workers <%= @gunicorn_workers %> \ + --threads <%= @gunicorn_threads %> \ + --config <%= @settings_file %> \ + --bind <%= @gunicorn_bind %> \ + puppetboard.app:app diff --git a/site/roles/manifests/puppet/puppetboard.pp b/site/roles/manifests/puppet/puppetboard.pp new file mode 100644 index 0000000..34862c3 --- /dev/null +++ b/site/roles/manifests/puppet/puppetboard.pp @@ -0,0 +1,6 @@ +# a role to deploy the puppetboard +class roles::puppet::puppetboard { + include profiles::defaults + include profiles::base + include profiles::puppet::puppetboard + } From 130669a1301d630a395786b974d6eaed984e3d91 Mon Sep 17 00:00:00 2001 
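Review bot: The puppetboard unit runs gunicorn with only `PrivateTmp=true`; for a network-facing Flask app that holds a copy of the node's Puppet private key and a PuppetDB client certificate, the standard systemd sandboxing directives are cheap and worth adding, and the unit has no `Restart=` so a crashed gunicorn stays down until the next Puppet run. `ProtectSystem=strict` assumes the app writes nothing outside /tmp — confirm that before adopting it. The `Environment="PUPPETBOARD_SETTINGS=…"` line is where the settings path is wired in; a comment `# start_puppetboard relies on this variable` would help the next reader.
```erb
[Service]
Type=simple
User=<%= @user %>
Group=<%= @group %>
# start_puppetboard relies on this variable
Environment="PUPPETBOARD_SETTINGS=<%= @settings_file %>"
ExecStart=<%= @virtualenv_dir %>/bin/start_puppetboard
Restart=on-failure
RestartSec=5s
# Sandboxing: the app only needs read access to its venv, settings and ssl dir
NoNewPrivileges=true
PrivateTmp=true
PrivateDevices=true
ProtectSystem=strict
ProtectHome=true
ProtectKernelTunables=true
ProtectControlGroups=true
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
```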
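Review bot: `start_puppetboard` passes the puppetboard `settings.py` to gunicorn via `--config`, but gunicorn's `--config` expects a gunicorn configuration module (bind, workers, …) and executes whatever file it is given, while the app reads its own settings from the `PUPPETBOARD_SETTINGS` variable the unit already sets — this looks like a mix-up, so confirm and either drop `--config` or point it at a dedicated gunicorn config. Also `exec` the server (`exec <%= @virtualenv_dir %>/bin/gunicorn \`) so systemd supervises gunicorn directly rather than the wrapper bash.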
From: Ben Vincent Date: Sun, 29 Oct 2023 20:17:07 +1100 Subject: [PATCH 016/229] feat: manage puppet clients - manage the service - manage the package, version lock it - deploy the /etc/puppetlabs/puppet/puppet.conf from template for puppet clients only --- hieradata/common.yaml | 10 ++++ site/profiles/manifests/base.pp | 6 +++ site/profiles/manifests/puppet/client.pp | 50 +++++++++++++++++++ .../templates/puppet/client/puppet.conf.erb | 13 +++++ 4 files changed, 79 insertions(+) create mode 100644 site/profiles/manifests/puppet/client.pp create mode 100644 site/profiles/templates/puppet/client/puppet.conf.erb diff --git a/hieradata/common.yaml b/hieradata/common.yaml index eea398c..0f3ff84 100644 --- a/hieradata/common.yaml +++ b/hieradata/common.yaml @@ -3,6 +3,9 @@ profiles::base::ntp_servers: - 0.au.pool.ntp.org - 1.au.pool.ntp.org +profiles::base::puppet_servers: + - 'prodinf01n01.main.unkin.net' + profiles::base::packages::common: - ccze - curl @@ -31,6 +34,13 @@ profiles::puppet::autosign::domains: # profiles::puppet::autosign::nodes: # - 'somenode.main.unkin.net' +profiles::puppet::client::puppet_version: '7.26.0' +profiles::puppet::client::environment: 'develop' +profiles::puppet::client::runinterval: 1800 +profiles::puppet::client::runtimeout: 3600 +profiles::puppet::client::show_diff: true +profiles::puppet::client::usecacheonfailure: false + profiles::puppet::enc::enc_repo: https://git.unkin.net/unkinben/puppet-enc.git profiles::puppet::r10k::r10k_repo: https://git.unkin.net/unkinben/puppet-r10k.git profiles::puppet::g10k::bin_path: '/opt/puppetlabs/bin/g10k' diff --git a/site/profiles/manifests/base.pp b/site/profiles/manifests/base.pp index 056d3e1..35874eb 100644 --- a/site/profiles/manifests/base.pp +++ b/site/profiles/manifests/base.pp @@ -1,6 +1,7 @@ # this is the base class, which will be used by all servers class profiles::base ( Array $ntp_servers, + Array $puppet_servers, ) { class { 'chrony': servers => $ntp_servers, 
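Review bot: `Array $puppet_servers` is untyped even though the following hunk compares it against `$trusted['certname']` to decide which nodes skip the client profile; declare it `Array[Stdlib::Fqdn] $puppet_servers` so a short name or stray whitespace in hiera (which would silently enrol the master as an ordinary agent) fails at compile time. A `@param puppet_servers` line stating that entries must be certnames, not DNS aliases, belongs in the class header as well.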
@@ -24,6 +25,11 @@ class profiles::base ( ensure => 'installed', } + # manage puppet clients + if ! member($puppet_servers, $trusted['certname']) { + include profiles::puppet::client + } + # include admin scripts include profiles::base::scripts diff --git a/site/profiles/manifests/puppet/client.pp b/site/profiles/manifests/puppet/client.pp new file mode 100644 index 0000000..360e296 --- /dev/null +++ b/site/profiles/manifests/puppet/client.pp @@ -0,0 +1,50 @@ +# Class: profiles::puppet::client +# +# This class manages Puppet client configuration and service. +# +# Parameters: +# vardir - Directory path for variable data. +# logdir - Directory path for logs. +# rundir - Directory path for run-time data. +# pidfile - File path for the PID file. +# codedir - Directory path for code data. +# dns_alt_names - Array of alternate DNS names for the server. +# server - Server's name. +# +# site/profile/manifests/puppet/client.pp +class profiles::puppet::client ( + String $dns_alt_names = $trusted['certname'], + String $server = 'puppetmaster', + String $ca_server = 'puppetca', + String $environment = 'develop', + Integer $runinterval = 1800, + Integer $runtimeout = 3600, + Boolean $show_diff = true, + Boolean $usecacheonfailure = false, + String $puppet_version = 'latest', +) { + + # Ensure the puppet-agent package is installed and locked to a specific version + package { 'puppet-agent': + ensure => $puppet_version, + } + + # Ensure the puppet service is running + service { 'puppet': + ensure => 'running', + enable => true, + hasrestart => true, + require => Package['puppet-agent'], + } + + # Assuming you want to manage puppet.conf with this profile + file { '/etc/puppetlabs/puppet/puppet.conf': + ensure => 'present', + content => template('profiles/puppet/client/puppet.conf.erb'), + owner => 'root', + group => 'root', + mode => '0644', + notify => Service['puppet'], + } +} + 
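Review bot: `if ! member($puppet_servers, $trusted['certname'])` reaches for the stdlib `member()` function plus a negation where the built-in `in` operator reads better and drops the dependency: `unless $trusted['certname'] in $puppet_servers { include profiles::puppet::client }`. Keying the decision on `$trusted['certname']` rather than a fact is the right call and deserves a comment, `# trusted certname, not $facts, so a node cannot opt out by faking facts`.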
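Review bot: The header comment of client.pp documents `vardir`, `logdir`, `rundir`, `pidfile` and `codedir` in server.pp's terms, but this class declares none of them, while its actual parameters (`ca_server`, `environment`, `runinterval`, `runtimeout`, `show_diff`, `usecacheonfailure`, `puppet_version`) are undocumented — rewrite the block to list the real parameters with purpose and default. `String $dns_alt_names = $trusted['certname']` then writes `dns_alt_names = <certname>` into `[main]` on every agent; as far as I recall the Puppet Server CA rejects agent CSRs carrying a subjectAltName unless `allow-subject-alt-names` is enabled, and an alt name equal to the certname adds nothing, so this default probably should be empty (and the type `Array[String]` if it is ever meant to hold several names). Finally, `ensure => 'present'` on the puppet.conf resource should be `ensure => 'file'` so a directory at that path is an error rather than a satisfied resource.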
diff --git a/site/profiles/templates/puppet/client/puppet.conf.erb b/site/profiles/templates/puppet/client/puppet.conf.erb new file mode 100644 index 0000000..e7a86c6 --- /dev/null +++ b/site/profiles/templates/puppet/client/puppet.conf.erb @@ -0,0 +1,13 @@ +[main] +dns_alt_names = <%= @dns_alt_names %> + +[agent] +server = <%= @server %> +ca_server = <%= @ca_server %> +environment = <%= @environment %> +report = true +report_server = <%= @server %> +runinterval = <%= @runinterval %> +runtimeout = <%= @runtimeout %> +show_diff = <%= @show_diff %> +usecacheonfailure = <%= @usecacheonfailure %> From 5076d7383a8594a7d564ac22d02ab8a69b7e2ba0 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Thu, 2 Nov 2023 20:12:47 +1100 Subject: [PATCH 017/229] feat: add ceph osd/mds/mon roles - basic roles currently - will allow build of ceph to begin --- site/roles/manifests/ceph/mds.pp | 6 ++++++ site/roles/manifests/ceph/mon.pp | 6 ++++++ site/roles/manifests/ceph/osd.pp | 6 ++++++ 3 files changed, 18 insertions(+) create mode 100644 site/roles/manifests/ceph/mds.pp create mode 100644 site/roles/manifests/ceph/mon.pp create mode 100644 site/roles/manifests/ceph/osd.pp diff --git a/site/roles/manifests/ceph/mds.pp b/site/roles/manifests/ceph/mds.pp new file mode 100644 index 0000000..a7a6a2e --- /dev/null +++ b/site/roles/manifests/ceph/mds.pp @@ -0,0 +1,6 @@ +# a role to deploy the ceph mds +# work in progress +class roles::ceph::mds { + include profiles::defaults + include profiles::base +} diff --git a/site/roles/manifests/ceph/mon.pp b/site/roles/manifests/ceph/mon.pp new file mode 100644 index 0000000..b1fe65a --- /dev/null +++ b/site/roles/manifests/ceph/mon.pp @@ -0,0 +1,6 @@ +# a role to deploy the ceph mon +# work in progress +class roles::ceph::mon { + include profiles::defaults + include profiles::base +} diff --git a/site/roles/manifests/ceph/osd.pp b/site/roles/manifests/ceph/osd.pp new file mode 100644 index 0000000..047718a --- /dev/null 
+++ b/site/roles/manifests/ceph/osd.pp @@ -0,0 +1,6 @@ +# a role to deploy the ceph osd +# work in progress +class roles::ceph::osd { + include profiles::defaults + include profiles::base +} From 75a66a3339fb41f5958a8f9e820b45280d6b364f Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Thu, 2 Nov 2023 22:08:00 +1100 Subject: [PATCH 018/229] fix: digitalpacific epel repodata broken - change epel to read from aarnet --- hieradata/os/AlmaLinux/all_releases.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hieradata/os/AlmaLinux/all_releases.yaml b/hieradata/os/AlmaLinux/all_releases.yaml index 230dbd0..e749c94 100644 --- a/hieradata/os/AlmaLinux/all_releases.yaml +++ b/hieradata/os/AlmaLinux/all_releases.yaml @@ -1,7 +1,7 @@ # hieradata/os/almalinux/all_releases.yaml --- profiles::yum::base::baseurl: http://almalinux.mirror.digitalpacific.com.au -profiles::yum::epel::baseurl: http://epel.mirror.digitalpacific.com.au +profiles::yum::epel::baseurl: http://mirror.aarnet.edu.au/pub/epel profiles::firewall::firewalld::ensure_package: 'absent' profiles::firewall::firewalld::ensure_service: 'stopped' profiles::firewall::firewalld::enable_service: false From a89a68bc61a9838c83eaa37633e9efbd467f1205 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Thu, 2 Nov 2023 22:14:38 +1100 Subject: [PATCH 019/229] fix: debian puppet_version different to EL - change puppet_version to be set per-os in hieradata --- hieradata/common.yaml | 1 - hieradata/os/AlmaLinux/all_releases.yaml | 2 ++ hieradata/os/Debian/Debian11.yaml | 2 ++ hieradata/os/Debian/Debian12.yaml | 2 ++ 4 files changed, 6 insertions(+), 1 deletion(-) diff --git a/hieradata/common.yaml b/hieradata/common.yaml index 4ab4245..3a828ea 100644 --- a/hieradata/common.yaml +++ b/hieradata/common.yaml 
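Review bot: The replacement EPEL baseurl, like the AlmaLinux one above it, is plain `http://`, so metadata and RPMs are fetched without transport integrity; whether that is acceptable depends entirely on `gpgcheck`/`repo_gpgcheck` being enabled in `profiles::yum::epel` (not visible here), and if they are not, anyone on the path to the mirror can serve arbitrary packages. I believe AARNet serves the same path over TLS; if so, `https://mirror.aarnet.edu.au/pub/epel` costs nothing and removes the dependency on GPG checking being configured correctly.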
@@ -34,7 +34,6 @@ profiles::puppet::autosign::domains: # profiles::puppet::autosign::nodes: # - 'somenode.main.unkin.net' -profiles::puppet::client::puppet_version: '7.26.0' profiles::puppet::client::environment: 'develop' profiles::puppet::client::runinterval: 1800 profiles::puppet::client::runtimeout: 3600 diff --git a/hieradata/os/AlmaLinux/all_releases.yaml b/hieradata/os/AlmaLinux/all_releases.yaml index e749c94..bdb6ccb 100644 --- a/hieradata/os/AlmaLinux/all_releases.yaml +++ b/hieradata/os/AlmaLinux/all_releases.yaml @@ -5,3 +5,5 @@ profiles::yum::epel::baseurl: http://mirror.aarnet.edu.au/pub/epel profiles::firewall::firewalld::ensure_package: 'absent' profiles::firewall::firewalld::ensure_service: 'stopped' profiles::firewall::firewalld::enable_service: false + +profiles::puppet::client::puppet_version: '7.26.0' diff --git a/hieradata/os/Debian/Debian11.yaml b/hieradata/os/Debian/Debian11.yaml index 8ed26ec..41e6201 100644 --- a/hieradata/os/Debian/Debian11.yaml +++ b/hieradata/os/Debian/Debian11.yaml @@ -10,3 +10,5 @@ profiles::apt::components: - contrib - main - non-free + +profiles::puppet::client::puppet_version: '7.25.0-1bullseye' diff --git a/hieradata/os/Debian/Debian12.yaml b/hieradata/os/Debian/Debian12.yaml index 7063126..fab31d1 100644 --- a/hieradata/os/Debian/Debian12.yaml +++ b/hieradata/os/Debian/Debian12.yaml @@ -11,3 +11,5 @@ profiles::apt::components: - main - non-free - non-free-firmware + +profiles::puppet::client::puppet_version: 'latest' From 0cc0bacad33b26b8c79caa41ca674ef603a02d65 Mon Sep 17 00:00:00 2001 
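Review bot: `profiles::puppet::client::puppet_version: 'latest'` for Debian 12 breaks the pattern set by the AlmaLinux and Debian 11 files, which pin an exact build; presumably the consuming class passes this straight to the package's `ensure` (the class is not in this patch), in which case bookworm agents will upgrade whenever the apt repository publishes a new puppet-agent, with no change-control step and no guarantee the agent stays compatible with the pinned servers. Either pin it like the other platforms or record that the floating value is deliberate, e.g. `# TODO: pin once a Debian 12 build is chosen; 'latest' tracks the apt repo`.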
From: Ben Vincent Date: Sat, 4 Nov 2023 18:12:35 +1100 Subject: [PATCH 020/229] feat: add motd and facts - use parameters created by the enc to create external facts - use external facts to generate the motd - use features from https://git.unkin.net/unkinben/puppet-enc/pulls/22 --- site/profiles/manifests/base.pp | 4 +++ site/profiles/manifests/base/facts.pp | 29 +++++++++++++++++++ site/profiles/manifests/base/motd.pp | 20 +++++++++++++ .../profiles/templates/base/facts/enc_env.erb | 1 + .../templates/base/facts/enc_role.erb | 1 + site/profiles/templates/base/motd/motd.erb | 13 +++++++++ 6 files changed, 68 insertions(+) create mode 100644 site/profiles/manifests/base/facts.pp create mode 100644 site/profiles/manifests/base/motd.pp create mode 100644 site/profiles/templates/base/facts/enc_env.erb create mode 100644 site/profiles/templates/base/facts/enc_role.erb create mode 100644 site/profiles/templates/base/motd/motd.erb diff --git a/site/profiles/manifests/base.pp b/site/profiles/manifests/base.pp index 35874eb..e1a98c0 100644 --- a/site/profiles/manifests/base.pp +++ b/site/profiles/manifests/base.pp @@ -52,4 +52,8 @@ class profiles::base ( # default users include profiles::accounts::sysadmin + # add a motd + include profiles::base::facts + include profiles::base::motd + } diff --git a/site/profiles/manifests/base/facts.pp b/site/profiles/manifests/base/facts.pp new file mode 100644 index 0000000..e234625 --- /dev/null +++ b/site/profiles/manifests/base/facts.pp 
@@ -0,0 +1,29 @@
+# a class to define some global facts
+class profiles::base::facts {
+
+ # The path where external facts are stored
+ $facts_d_path = '/opt/puppetlabs/facter/facts.d'
+
+ # Ensure the directory exists
+ file { $facts_d_path:
+ ensure => directory,
+ owner => 'root',
+ group => 'root',
+ mode => '0755',
+ }
+
+ # facts to create
+ $fact_list = [ 'enc_role', 'enc_env' ]
+
+ # Manage the external fact file with content from the template
+ $fact_list.each | String $item | {
+ file { "${facts_d_path}/${item}.txt":
+ ensure => file,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ content => template("profiles/base/facts/${item}.erb"),
+ require => File[$facts_d_path],
+ }
+ }
+}
diff --git a/site/profiles/manifests/base/motd.pp b/site/profiles/manifests/base/motd.pp
new file mode 100644
index 0000000..e1dd5ca
--- /dev/null
+++ b/site/profiles/manifests/base/motd.pp
@@ -0,0 +1,20 @@
+# set the motd
+class profiles::base::motd (
+ String $enc_role = pick($facts['enc_role'], 'undefined'),
+ String $enc_env = pick($facts['enc_env'], 'undefined'),
+ String $fqdn = $facts['networking']['fqdn'],
+ String $addr = $facts['networking']['ip'],
+ String $nic = $facts['networking']['primary'],
+ String $os_name = $facts['os']['name'],
+ String $os_release = $facts['os']['release']['full'],
+) {
+
+ # Use the regsubst function to remove the 'roles::' prefix from the role name
+ $clean_role = regsubst($enc_role, '^roles::', '')
+
+ # Manage the content of the /etc/motd file
+ file { '/etc/motd':
+ ensure => file,
+ content => template('profiles/base/motd/motd.erb'),
+ }
+}
diff --git a/site/profiles/templates/base/facts/enc_env.erb b/site/profiles/templates/base/facts/enc_env.erb
new file mode 100644
index 0000000..7695e4d
--- /dev/null
+++ b/site/profiles/templates/base/facts/enc_env.erb
@@ -0,0 +1 @@
+enc_env=<%= @enc_env %>
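Review bot: `profiles::base::facts` declares no parameters, yet the templates it renders (`profiles/base/facts/enc_role.erb`, `enc_env.erb`) read `@enc_role` and `@enc_env`, so the class silently depends on those variables being present at top scope from the ENC; if the ENC does not supply them the fact files are written with empty values. That contract should be stated in the class comment, e.g. `# Expects $enc_role and $enc_env to be set at top scope by the ENC; the resulting external facts feed profiles::base::motd`. The `require => File[$facts_d_path]` on the fact files is redundant, since Puppet autorequires the managed parent directory, and could be dropped.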
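Review bot: Only `$enc_role` and `$enc_env` are wrapped in `pick(...)`; `$addr`, `$nic`, `$fqdn`, `$os_name` and `$os_release` are typed `String` with no fallback, so a node where one of those facts is missing (for example `$facts['networking']['primary']` on a host without a default route) fails catalog compilation, and because this class is included from the base profile that takes the whole node's run with it. Giving each the same treatment as the ENC values, e.g. `String $nic = pick($facts['networking']['primary'], 'unknown'),`, keeps a cosmetic motd from becoming a hard failure. The class comment `# set the motd` could also say that `$enc_role`/`$enc_env` read external facts written by `profiles::base::facts` and so show `'undefined'` on a node's first run.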
diff --git a/site/profiles/templates/base/facts/enc_role.erb b/site/profiles/templates/base/facts/enc_role.erb new file mode 100644 index 0000000..d59acdf --- /dev/null +++ b/site/profiles/templates/base/facts/enc_role.erb @@ -0,0 +1 @@ +enc_role=<%= @enc_role[0] %> diff --git a/site/profiles/templates/base/motd/motd.erb b/site/profiles/templates/base/motd/motd.erb new file mode 100644 index 0000000..7ca06df --- /dev/null +++ b/site/profiles/templates/base/motd/motd.erb @@ -0,0 +1,13 @@ +<% +# calculate padding for the longest word +max_length = ['fqdn:', 'os:', 'role:', 'branch:', 'addr:', 'nic:'].max_by(&:length).length +# helper lambda to right-align text +align = ->(word) { word.ljust(max_length) } +%> +<%= align.call('fqdn:') %> <%= @fqdn %> +<%= align.call('os:') %> <%= @os_name %> <%= @os_release %> +<%= align.call('role:') %> <%= @clean_role %> +<%= align.call('branch:') %> <%= @enc_env %> +<%= align.call('addr:') %> <%= @addr %> +<%= align.call('nic:') %> <%= @nic %> + From 56518f1fcb94d265f4add099351e844194555fb4 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sat, 4 Nov 2023 20:25:35 +1100 Subject: [PATCH 021/229] feat: change enc repo to be tagged - enc repository will download a specific tag - defaults to master - hiera set to release tag '0.1' --- hieradata/common.yaml | 4 +++- site/profiles/manifests/puppet/enc.pp | 8 ++++++-- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/hieradata/common.yaml b/hieradata/common.yaml index 3a828ea..b8267f4 100644 --- a/hieradata/common.yaml +++ b/hieradata/common.yaml 
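Review bot: `enc_role=<%= @enc_role[0] %>` indexes the value while the sibling `enc_env.erb` writes `@enc_env` directly; if the ENC supplies `enc_role` as an array this writes its first element, but if it is a plain string `[0]` yields only its first character, and the fact consumed by `profiles::base::motd` becomes one letter. Whichever shape the ENC uses, a comment in the template should state it, e.g. `<%# enc_role arrives as an array from the ENC; only the first entry is exported %>`, or the template should handle both with `Array(@enc_role).first`.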
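Review bot: The comment `# helper lambda to right-align text` describes the opposite of what `ljust` does — it left-aligns the label and pads on the right to `max_length`; `# helper lambda to pad labels to a common width` matches the code. The width computation `max_by(&:length).length` reads more directly as `map(&:length).max`, and the label list is duplicated between that line and the six `align.call(...)` lines below, so a typo in one is not caught by the other.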
@@ -40,7 +40,9 @@ profiles::puppet::client::runtimeout: 3600 profiles::puppet::client::show_diff: true profiles::puppet::client::usecacheonfailure: false -profiles::puppet::enc::enc_repo: https://git.unkin.net/unkinben/puppet-enc.git +profiles::puppet::enc::repo: https://git.unkin.net/unkinben/puppet-enc.git +profiles::puppet::enc::release: '0.1' +profiles::puppet::enc::force: true profiles::puppet::r10k::r10k_repo: https://git.unkin.net/unkinben/puppet-r10k.git profiles::puppet::g10k::bin_path: '/opt/puppetlabs/bin/g10k' profiles::puppet::g10k::cfg_path: '/etc/puppetlabs/r10k/r10k.yaml' diff --git a/site/profiles/manifests/puppet/enc.pp b/site/profiles/manifests/puppet/enc.pp index 6745587..4e84227 100644 --- a/site/profiles/manifests/puppet/enc.pp +++ b/site/profiles/manifests/puppet/enc.pp @@ -34,7 +34,9 @@ # This is designed to work on Unix-like systems only. # class profiles::puppet::enc ( - String $enc_repo, + String $repo, + String $release = 'master', + Boolean $force = false, ) { include profiles::git::git @@ -42,7 +44,9 @@ class profiles::puppet::enc ( vcsrepo { '/opt/puppetlabs/enc': ensure => latest, provider => git, - source => $enc_repo, + source => $repo, + revision => $release, + force => $force, require => Package['git'], } From def2561e6cee4c4e6cc1da12a1083c0d1d465b73 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sun, 27 Aug 2023 00:15:01 +1000 Subject: [PATCH 022/229] feat: add datavol class to manage /data - included puppetlabs-lvm module - created profiles::base::datavol to: - create pv, vg, lv and format the filesystem and mount it --- Puppetfile | 1 + site/profiles/manifests/base/datavol.pp | 62 +++++++++++++++++++++++++ 2 files changed, 63 insertions(+) create mode 100644 site/profiles/manifests/base/datavol.pp diff --git a/Puppetfile b/Puppetfile index 5995d48..258a0c8 100644 --- a/Puppetfile +++ b/Puppetfile 
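Review bot: `revision => $release` combined with `ensure => latest` pins the ENC checkout to a mutable reference: the `'master'` default moves on every push and a tag like the `'0.1'` set in hieradata can be re-pointed on the remote, so the code the server runs to classify every node is whatever the git host currently serves, with no integrity check on this side. For a component with that much authority, `$release` should normally be a full commit SHA (or a tag whose signature is verified out of band), and the parameter comment should say so; `force => $force`, set to `true` in hieradata, additionally discards local modifications to the checkout without notice, which is acceptable for a managed directory but belongs in the same comment, e.g. `# $release: prefer an immutable ref (commit SHA) in production; $force discards local changes in /opt/puppetlabs/enc`. The class header comment above these parameters is outside the hunk and should be updated for the `$enc_repo` → `$repo` rename.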
@@ -15,3 +15,4 @@ mod 'puppetlabs-vcsrepo', '6.1.0' mod 'puppetlabs-yumrepo_core', '2.0.0' mod 'puppet-yum', '7.0.0' mod 'puppetlabs-apt', '9.1.0' +mod 'puppetlabs-lvm', '2.0.3' diff --git a/site/profiles/manifests/base/datavol.pp b/site/profiles/manifests/base/datavol.pp new file mode 100644 index 0000000..2d3fb37 --- /dev/null +++ b/site/profiles/manifests/base/datavol.pp 
@@ -0,0 +1,62 @@
+# profiles::base::datavol
+#
+# This class manages the creation of a logical volume using the `lvm::volume` definition.
+#
+# Parameters:
+# $ensure - Ensure whether the logical volume is present or not. Defaults to 'present'.
+# $vg - Volume group name. No default.
+# $pv - Physical volume, typically the disk or partition device path. No default.
+# $fstype - Filesystem type for the logical volume. Defaults to 'ext3'.
+# $size - Size of the logical volume. No default.
+#
+class profiles::base::datavol (
+ Enum['present', 'absent'] $ensure = 'present',
+ Enum['ext2', 'ext3', 'ext4', 'xfs', 'btrfs'] $fstype = 'xfs',
+ String $vg = 'datavg',
+ String $pv = '/dev/vdb',
+ String $lv = 'data',
+ Stdlib::Absolutepath $mount = '/data',
+ Variant[Pattern[/^[\d+GTP%FREE]$/], Integer] $size = '100%FREE',
+ Array $mount_options = ['noatime', 'nodiratime'],
+) {
+
+ # Ensure the physical volume exists
+ physical_volume { $pv:
+ ensure => $ensure,
+ before => Volume_group[$vg],
+ }
+
+ # Ensure the volume group exists
+ volume_group { $vg:
+ ensure => $ensure,
+ physical_volumes => [$pv],
+ before => Logical_volume[$lv],
+ }
+
+ # Ensure the logical volume exists
+ logical_volume { $lv:
+ ensure => $ensure,
+ volume_group => $vg,
+ size => $size,
+ before => Filesystem["/dev/${vg}/${lv}"],
+ }
+
+ # Ensure the filesystem is created on the logical volume
+ filesystem { "/dev/${vg}/${lv}":
+ ensure => $ensure,
+ fs_type => $fstype,
+ require => Logical_volume[$lv],
+ before => Mount[$mount],
+ }
+
+ # Ensure the logical volume is mounted at the desired location
+ mount { $mount:
+ ensure => $ensure,
+ device => "/dev/${vg}/${lv}",
+ fstype => $fstype,
+ options => 'defaults',
+ dump => 0,
+ pass => 2,
+ require => Filesystem["/dev/${vg}/${lv}"],
+ }
+}
From 1d1541419afc91c872b9ab4d6a58140dcc0f154d Mon Sep 17 00:00:00 2001
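Review bot: The header comment and the signature disagree: `$fstype` is documented as defaulting to `'ext3'` but defaults to `'xfs'`, `$vg` and `$pv` are documented as having no default but default to `'datavg'` and `'/dev/vdb'`, and `$lv`, `$mount` and `$mount_options` are not documented at all — the comment should list every parameter with its actual default. Separately, the `before` chain is only valid for `ensure => 'present'`: with `'absent'` Puppet orders the physical volume removal before the volume group and the logical volume removal before the filesystem and mount are gone, which the LVM tools refuse, so either drop `'absent'` from the `$ensure` Enum or document that teardown is not supported. The first comment line also refers to an `lvm::volume` definition that the class does not use; it declares the `physical_volume`, `volume_group`, `logical_volume`, `filesystem` and `mount` resources directly.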
From: Ben Vincent Date: Sun, 5 Nov 2023 17:45:13 +1100 Subject: [PATCH 023/229] feat: adding base packagerepo role - create roles::infra::packagerepo - bump enc version --- hieradata/common.yaml | 2 +- site/roles/manifests/infra/packagerepo.pp | 6 ++++++ 2 files changed, 7 insertions(+), 1 deletion(-) create mode 100644 site/roles/manifests/infra/packagerepo.pp diff --git a/hieradata/common.yaml b/hieradata/common.yaml index b8267f4..9533387 100644 --- a/hieradata/common.yaml +++ b/hieradata/common.yaml @@ -41,7 +41,7 @@ profiles::puppet::client::show_diff: true profiles::puppet::client::usecacheonfailure: false profiles::puppet::enc::repo: https://git.unkin.net/unkinben/puppet-enc.git -profiles::puppet::enc::release: '0.1' +profiles::puppet::enc::release: '0.2' profiles::puppet::enc::force: true profiles::puppet::r10k::r10k_repo: https://git.unkin.net/unkinben/puppet-r10k.git profiles::puppet::g10k::bin_path: '/opt/puppetlabs/bin/g10k' diff --git a/site/roles/manifests/infra/packagerepo.pp b/site/roles/manifests/infra/packagerepo.pp new file mode 100644 index 0000000..1f2afdc --- /dev/null +++ b/site/roles/manifests/infra/packagerepo.pp @@ -0,0 +1,6 @@ +# a role to deploy a packagerepo +class roles::infra::packagerepo { + include profiles::defaults + include profiles::base + include profiles::base::datavol +} From 36142a3565aac5dd748f7444bf3f53f2285461ba Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sun, 5 Nov 2023 17:54:36 +1100 Subject: [PATCH 024/229] fix: bump enc https://git.unkin.net/unkinben/puppet-enc/pulls/24 --- hieradata/common.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hieradata/common.yaml b/hieradata/common.yaml index 9533387..eb3289a 100644 --- a/hieradata/common.yaml +++ b/hieradata/common.yaml 
@@ -41,7 +41,7 @@ profiles::puppet::client::show_diff: true profiles::puppet::client::usecacheonfailure: false profiles::puppet::enc::repo: https://git.unkin.net/unkinben/puppet-enc.git -profiles::puppet::enc::release: '0.2' +profiles::puppet::enc::release: '0.3' profiles::puppet::enc::force: true profiles::puppet::r10k::r10k_repo: https://git.unkin.net/unkinben/puppet-r10k.git profiles::puppet::g10k::bin_path: '/opt/puppetlabs/bin/g10k' From cb9af5a2a8a36495b65c5909964ece765bb0a49b Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sun, 5 Nov 2023 18:01:16 +1100 Subject: [PATCH 025/229] fix: variant regex results in error - update the $size variant regex so it actually matches correctly - default $size to undef, which results in 100%FREE --- site/profiles/manifests/base/datavol.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/site/profiles/manifests/base/datavol.pp b/site/profiles/manifests/base/datavol.pp index 2d3fb37..167f60a 100644 --- a/site/profiles/manifests/base/datavol.pp +++ b/site/profiles/manifests/base/datavol.pp @@ -7,7 +7,7 @@ # $vg - Volume group name. No default. # $pv - Physical volume, typically the disk or partition device path. No default. # $fstype - Filesystem type for the logical volume. Defaults to 'ext3'. -# $size - Size of the logical volume. No default. +# $size - Size of the logical volume. undef = 100%FREE. Changing $size to cause a resize. # class profiles::base::datavol ( Enum['present', 'absent'] $ensure = 'present', @@ -16,7 +16,7 @@ class profiles::base::datavol ( String $pv = '/dev/vdb', String $lv = 'data', Stdlib::Absolutepath $mount = '/data', - Variant[Pattern[/^[\d+GTP%FREE]$/], Integer] $size = '100%FREE', + Optional[Variant[Pattern[/^\d+(M|G|T|P)$/], Integer]] $size = undef, Array $mount_options = ['noatime', 'nodiratime'], ) { From d11dcc0b24f7e79265301f6a971b4213469d246f Mon Sep 17 00:00:00 2001 
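Review bot: `Pattern[/^\d+(M|G|T|P)$/]` anchors with `^`/`$`, which in Ruby regexes match at line boundaries rather than the ends of the string, so a value carrying a trailing newline after a valid size still satisfies the type; `Pattern[/\A\d+[MGTP]\z/]` checks the whole value. The rewritten doc line `undef = 100%FREE. Changing $size to cause a resize.` is hard to read — `Defaults to undef, which allocates 100%FREE; setting $size later resizes the volume` says the same thing, though whether the lvm module actually resizes in both directions should be confirmed before documenting it.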
From: Ben Vincent Date: Mon, 6 Nov 2023 19:23:52 +1100 Subject: [PATCH 026/229] fix: datavol profile doesnt create the mountpoint - add file resource to create the required mountpath - add Array[Enum[]] for mount_options - fix mount to ensure the mount_options are used - remove pass and dump options, leave as defaults --- site/profiles/manifests/base/datavol.pp | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/site/profiles/manifests/base/datavol.pp b/site/profiles/manifests/base/datavol.pp index 167f60a..4384bb6 100644 --- a/site/profiles/manifests/base/datavol.pp +++ b/site/profiles/manifests/base/datavol.pp @@ -17,7 +17,11 @@ class profiles::base::datavol ( String $lv = 'data', Stdlib::Absolutepath $mount = '/data', Optional[Variant[Pattern[/^\d+(M|G|T|P)$/], Integer]] $size = undef, - Array $mount_options = ['noatime', 'nodiratime'], + Array[Enum[ + 'defaults', 'ro', 'rw', 'sync', 'async', + 'noatime', 'nodiratime', 'noexec', 'nosuid', + 'nodev', 'remount', 'auto', 'noauto' + ]] $mount_options = ['noatime', 'nodiratime'], ) { # Ensure the physical volume exists @@ -49,14 +53,20 @@ class profiles::base::datavol ( before => Mount[$mount], } + # Ensure the mountpath exists + file { $mount: + ensure => directory, + owner => 'root', + group => 'root', + mode => '0755', + } + # Ensure the logical volume is mounted at the desired location mount { $mount: ensure => $ensure, device => "/dev/${vg}/${lv}", fstype => $fstype, - options => 'defaults', - dump => 0, - pass => 2, + options => $mount_options.join(','), require => Filesystem["/dev/${vg}/${lv}"], } } From 058cc2500840d0a8ceea57399ecaa9c566bf59ed Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Wed, 8 Nov 2023 22:03:21 +1100 Subject: [PATCH 027/229] feat: add bash completion - quality of life addition to all hosts --- hieradata/common.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/hieradata/common.yaml b/hieradata/common.yaml index eb3289a..1976320 100644 
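Review bot: The new `file { $mount: ensure => directory, … }` has no ordering relationship with `mount { $mount: … }`; as far as I can tell Puppet's mount type only autorequires parent mounts, not a file resource for the mount point, so on a fresh host the mount may be attempted before the directory exists and fail on the first run — the very case this commit is titled as fixing. Adding `before => Mount[$mount],` to the file resource (or `require => File[$mount],` on the mount) closes the gap. The `Array[Enum[...]]` on `$mount_options` is a good tightening; a one-line comment above it saying which options were deliberately left out of the allow-list would help the next person who needs `nofail`.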
--- a/hieradata/common.yaml +++ b/hieradata/common.yaml @@ -7,6 +7,7 @@ profiles::base::puppet_servers: - 'prodinf01n01.main.unkin.net' profiles::base::packages::common: + - bash-completion - ccze - curl - dstat From 19836e2069dbc2e1712f84483860b5440b7bec92 Mon Sep 17 00:00:00 2001 
From: Ben Vincent Date: Thu, 2 Nov 2023 20:09:22 +1100 Subject: [PATCH 028/229] feat: adding reposync wrapper and tooling - add autosyncer/autopromoter scripts - add timer and service to initial sync process - add timer/service for daily/weekly/monthly autopromote - add define to manage each repo - add nginx webserver to share repos - add favion.ico if enabled - add selinux management, and packages for selinux - cleanup package management, sorting package groups into package classes --- Puppetfile | 1 + hieradata/common.yaml | 44 +++++++- site/profiles/files/reposync/favicon.ico | Bin 0 -> 32038 bytes site/profiles/manifests/base.pp | 21 +--- site/profiles/manifests/base/packages.pp | 27 ----- site/profiles/manifests/git/git.pp | 24 ---- site/profiles/manifests/packages/base.pp | 21 ++++ site/profiles/manifests/packages/git.pp | 11 ++ site/profiles/manifests/packages/reposync.pp | 11 ++ site/profiles/manifests/packages/selinux.pp | 11 ++ site/profiles/manifests/puppet/enc.pp | 2 +- site/profiles/manifests/puppet/r10k.pp | 2 +- .../manifests/reposync/autopromoter.pp | 105 ++++++++++++++++++ .../profiles/manifests/reposync/autosyncer.pp | 44 ++++++++ site/profiles/manifests/reposync/repos.pp | 46 ++++++++ site/profiles/manifests/reposync/syncer.pp | 30 +++++ site/profiles/manifests/reposync/webserver.pp | 58 ++++++++++ .../templates/reposync/autopromoter.erb | 53 +++++++++ .../templates/reposync/autosyncer.erb | 97 ++++++++++++++++ .../profiles/templates/reposync/repo_conf.erb | 8 ++ site/roles/manifests/infra/packagerepo.pp | 1 + 21 files changed, 547 insertions(+), 70 deletions(-) create mode 100644 site/profiles/files/reposync/favicon.ico delete mode 100644 site/profiles/manifests/base/packages.pp delete mode 100644 site/profiles/manifests/git/git.pp create mode 100644 site/profiles/manifests/packages/base.pp create mode 100644 site/profiles/manifests/packages/git.pp create mode 100644 site/profiles/manifests/packages/reposync.pp create mode 100644 
site/profiles/manifests/packages/selinux.pp create mode 100644 site/profiles/manifests/reposync/autopromoter.pp create mode 100644 site/profiles/manifests/reposync/autosyncer.pp create mode 100644 site/profiles/manifests/reposync/repos.pp create mode 100644 site/profiles/manifests/reposync/syncer.pp create mode 100644 site/profiles/manifests/reposync/webserver.pp create mode 100644 site/profiles/templates/reposync/autopromoter.erb create mode 100644 site/profiles/templates/reposync/autosyncer.erb create mode 100644 site/profiles/templates/reposync/repo_conf.erb diff --git a/Puppetfile b/Puppetfile index 1e7b959..1da664c 100644 --- a/Puppetfile +++ b/Puppetfile @@ -22,6 +22,7 @@ mod 'puppet-archive', '7.0.0' mod 'puppet-chrony', '2.6.0' mod 'puppet-puppetboard', '9.0.0' mod 'puppet-nginx', '5.0.0' +mod 'puppet-selinux', '4.1.0' # other mod 'ghoneycutt-puppet', '3.3.0' diff --git a/hieradata/common.yaml b/hieradata/common.yaml index eb3289a..66e571c 100644 --- a/hieradata/common.yaml +++ b/hieradata/common.yaml @@ -6,7 +6,7 @@ profiles::base::ntp_servers: profiles::base::puppet_servers: - 'prodinf01n01.main.unkin.net' -profiles::base::packages::common: +profiles::packages::base: - ccze - curl - dstat @@ -14,6 +14,7 @@ profiles::base::packages::common: - mtr - ncdu - neovim + - rsync - screen - strace - tmux 
@@ -56,6 +57,42 @@ puppetdb::master::config::create_puppet_service_resource: false profiles::accounts::sysadmin::sshkeys: - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDZ8SRLlPiDylBpdWR9LpvPg4fDVD+DZst4yRPFwMMhta4mnB1H9XuvZkptDhXywWQ7QIcqa2WbhCen0OQJCtwn3s7EYtacmF5MxmwBYocPoK2AArGuh6NA9rwTdLrPdzhZ+gwe88PAzRLNzjm0ZBR+mA9saMbPJdqpKp0AWeAM8QofRQAWuCzQg9i0Pn1KDMvVDRHCZof4pVlHSTyHNektq4ifovn0zhKC8jD/cYu95mc5ftBbORexpGiQWwQ3HZw1IBe0ZETB1qPIPwsoJpt3suvMrL6T2//fcIIUE3TcyJKb/yhztja4TZs5jT8370G/vhlT70He0YPxqHub8ZfBv0khlkY93VBWYpNGJwM1fVqlw7XbfBNdOuJivJac8eW317ZdiDnKkBTxapThpPG3et9ib1HoPGKRsd/fICzNz16h2R3tddSdihTFL+bmTCa6Lo+5t5uRuFjQvhSLSgO2/gRAprc3scYOB4pY/lxOFfq3pU2VvSJtRgLNEYMUYKk= ben@unkin.net +profiles::reposync::repos_list: + almalinux_8_8_baseos: + repository: 'BaseOS' + description: 'AlmaLinux 8.8 - BaseOS' + osname: 'almalinux' + release: '8.8' + baseurl: 'http://mirror.aarnet.edu.au/pub/almalinux/8.8/BaseOS/x86_64/os/' + gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux' + almalinux_8_8_appstream: + repository: 'AppStream' + description: 'AlmaLinux 8.8 - AppStream' + osname: 'almalinux' + release: '8.8' + baseurl: 'http://mirror.aarnet.edu.au/pub/almalinux/8.8/AppStream/x86_64/os/' + gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux' + almalinux_8_8_highavailability: + repository: 'HighAvailability' + description: 'AlmaLinux 8.8 - HighAvailability' + osname: 'almalinux' + release: '8.8' + baseurl: 'http://mirror.aarnet.edu.au/pub/almalinux/8.8/HighAvailability/x86_64/os/' + gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux' + epel_8_everything: + repository: 'Everything' + description: 'EPEL 8 Everything' + osname: 'epel' + release: '8' + baseurl: 'https://dl.fedoraproject.org/pub/epel/8/Everything/x86_64/' + gpgkey: 'https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-8' + epel_8_modular: + repository: 'Modular' + description: 'EPEL 8 Modular' + osname: 'epel' + release: '8' + baseurl: 
'https://dl.fedoraproject.org/pub/epel/8/Modular/x86_64/' + gpgkey: 'https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-8' profiles::base::hosts::additional_hosts: - ip: 198.18.17.3 @@ -78,3 +115,8 @@ profiles::base::hosts::additional_hosts: hostname: prodinf01n06.main.unkin.net aliases: - prodinf01n06 + - ip: 198.18.17.22 + hostname: prodinf01n22.main.unkin.net + aliases: + - prodinf01n22 + - repo.main.unkin.net 
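Review bot: The AlmaLinux entries fetch both `baseurl` and `gpgkey` over plain `http://`, while the EPEL entries below them use `https://`. Retrieving the signing key over an unauthenticated channel means an on-path party can supply the key that the mirrored packages are subsequently verified against, which defeats the point of the signature check; the key in particular should come over TLS, e.g. `gpgkey: 'https://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux'` if that mirror serves it, or from the vendor's official key location, or be shipped as a file in the module. Switching the three `baseurl` values to `https://` as well brings them in line with the EPEL entries.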
diff --git a/site/profiles/files/reposync/favicon.ico b/site/profiles/files/reposync/favicon.ico new file mode 100644 index 0000000000000000000000000000000000000000..6c351da869acfccd096f138b8160e34c5b598f6f GIT binary patch literal 32038 zcmeI*1)N+((g5(~;BdI$1Pzi9Gzk^~?t;4c*>^psr`nx_E6@*KwJ;x)ti`>N+iq)5*~hdXqaZ2X~tRH^SI)J z&p-R59uL5O$dEx{>ZzwL<3I7l6Nk2K+lHBDnkf~u`Nu#0QGTvH-=~{yy7D{TSI@I4 zrkEn$Z#$}uw&{C@p|Ptrr=51%a+}&8fBf<5^=lj_oN&Ta#v5|NOJzg;?&o z^Y$>u9CM_1cG!OVSohiR+_O)oXS?sVYrVSFXfWxdlZNxoJ16z2-&=3FIm|fYjODts z%rZ-Y<>s4i2shq%eOPzhb;{4QInO*D!od6QOMR+;&D8_yjccv=ud?#W;hV3&OmicI z-@=`D+*WT4jnmrso@jm{! z=9&Siy%2s4ufF{8wISrSR34pC>*sKW@M6)_VBkv0+1pB>c%wv?`7TIb%H~UtAA6tX~<1 z3`;{-ynfC(XQg)4d-ILg1NrUUNhX;jTzSRi>6v!*Yc8)G$11l4KkK(=;J*I)Yg4`A z^IG`7Dg4)1WA&szP>;%F8b% zINYa0l8rM=KYcx1iufC+@4x#d%@Oki&%QD8weY|L_lJWIIxx=f_Vwy+y>+iN$F={> zH(!NSS6wB|y?gGyvpg@3KknFY$RP(OJhiVsYr#evZ5V#|{@Xw1UBCK#*Ao2mTqEOh zF}J`+#;>>Dx@G>$d{&7+S@O=?ZzetK+lW(=Pf%?2ZW&pHZO-)pO_()hv&-JcjSJj^ol%t@}Bhw7v01{5A8g%gt1?V2#b2Md-Fizf_w)G99Q(iix@(dQ$YZj>`s|HJy#U;oJKYp=OF;iSH? z+Hk`S60GygGf#N!)mKuRco?s|`R2&<-P*Ncl%aVXy!+w{&nF&u{k2!Z1?Qhv=1X&K z`Q?`@zdJhklRb1{I^Z0Pp7+#n3{$E%JiQv()fZA-G>Z*DBKtOf8>#2Wm!bO1J^?j4h(b6HCMT>BL3>X z_wGC4;bB9<(4m9FOD{ej<=Z#0Uepca++~~Zz1N=Mpa1-4s!yLA6!mKDqO1Cfxv+bI z#+e6}SYnANSKm!E@SZwo`c~wb1s7bP3{!LP$2Vjv`J-QLf(N|Xc8`pDHm<`bo_Ipk zyXUFb4}8qO%K8~6&x|Yiwf_3+mF*@lP9Ejx%{Sec`cz*r572GiC_^*e`ARO)3&B`? 
z|AptDt2ZXi!QU8IldL^kZM9|CZo6&6&O7ZCc8PrJv$@JfnswG$%d#lL<2u`Hvqimh zrLghF8wKn6_ShiDjiZXfi)mM*e!GiU4>Rg`=%ud~GvrPkiU-5al<(4h;NPah8 z=bwN6^1JE%O*aj6)JmJJ*7Yy9JFZ=8!Jll#&*n}l(GSKSR_}X$*3>oEZE5|c+Hdmt zf{7RNx>O7PZ1`bOR?&IiiF33yin-ocX^lP_YUBNAKb?KnnPnTO7X0U)d+zXBw7bcw zEPI=KB_q|(ZIG9AG;8vgUwodf^jP<@e9d)So7-Qt_vz~cuDY_>_`mYg!;a&p;XfJ~*KYPMn&?wo&FQ9AYD)hczt2nBRBLnq@t-o}$6C&pZ{Li!`FYc%I+Qb(?ejEAR&& zUba3PPr3+w*8N!l-`wd-N8-Frr&_fTF{BHb#(H_h;p*gxs z^v4_&eVW$1JSV_ueH--91L4dwPLK9t|8VljCx+8bJ2f12{Mjy(K zJMQo&e_|1TpSRm~+tg-5I2Z4=CjRi?Yd#?QS}%%z^-C_fIPhyy~YB5>9 zm`5LZxJe#pP5iZW{dLzSn-U(m@WB|9>7x()zI*RUGTVAU?jSa z()_0@<+<`}q%Hd9Vjl6ih%ch|{E=SShS8V!8(#5#al9)(w^n zCOmJU=R7&fh)vt}C5#n{Bo(>#_RfH!-jB`wd-N z6MtjXE6VF4&Xu3pj+<_>N%Yb7k2?KxWt_?OB7AUa3jgB!@SqQ`y2>i${(JQ3p7g}V z+G$Pv(OP_^66gHAW5;>I3CACoWJKoUi~|_KqTp@vk-qP9ey6D`IeY$j=Y~Ar7G8Ma zWK;iD_>=v7R~g@Y&uFqmt z#X1=Wc;b&cW6XoUz`SEai-VB+neKdx`pESfy0#|%+PW?3J#t&XKo>(>@G7}~d~*MN z_lC_k->e?Ia#m)G{?cWaT_&7<`l(fAm$s}Q+ibmc;+4&!FOxqt2NxT!M~@x}7P&dM+;UUGJ?laAH+D<=Q8^pd@1=Y8Ogip$F`x*=9{KiA$p{Bt9-aa&DaC;M+UK;@E8PP4tQS zqVZ@7Z_mlbl~!D_LHw=#`|PuK@|$E@RlBz4_-Fj->+7tuc0JheBbta^Og{N!N#_yk zC*O_Jh{uPg^~-#w2ULUCeK5;g`PaW1&W{k&di9l;n;iSxR%^+>3^Se+pIdzKQeH}t zFZ1V4G0rV!dC4Ug#ko6c$|YTW_0^J0xah(Q()`YRpuNn;?(rL1A97p8>zt9V?!D*k zvdxj}R=bWV|EK=sOm^+swLv&1iM(*d<(Gw9;+$aL3>`W+3?Kez)Y*rn9G)T%@QaU( zem^o#yJwt!T6umIahDg!{+AO~YvEg9bCJE;s@4Bpi~kp_&pz{Xkgt(rmqmExgW>m5 z&dBe{wk03a_fd8u9bax(kM7;W-FMxYbcBXteAayV6&*Wv4D-g~T1%OC-i|@8LSA>p zO7)p}FVB%7(U+6+Kl%S_!Czf8;HzYdkad{NA4xFhn% zO-VmEJkmhvJSqmB+cD@l4I6EvJoGW zmBtf&*o?-AdT)()}c6;@b2gTyuYp0?6;+Z?d__J697&E;2s*jfP ze{Q3A)rU5%e=ooEV&d~N&padWZ|oF(J8Z};x7Z@)Ds7weB6a{dDds^}$n}5yrNmou z;EK7W4dGbro}3f%7Y{XrJGfgL|4a*fmT}QX?jMgRbc6g{9;45dyy<&O@s}gUUSvO1 zwwqxbllT|=XzAyc;xAS&XHCD2;XW?nFMn|OV~>>ittr}%DgJM&-&&qGXZ)=x@^a|L z^0I1a-#g<1{??e@z4u75(ky5Gzu-Sz)RFr4KR&HD&BeXi_$MBUG8_N>odrJhfNJX> zdr0n^^`t2|SB)Pk`G3wi=ScBAb}pam-&yF^eCKl6D%bc$<6f76_upF{pKACub)T#d zyP|*TgTA!D0`mv{)v=+7Bk;9l{OPjxynwkS{N4~f@R&VH^zhuz*m$)Eh+pvSm~+uu 
zxTA-;BPVxo%<(-v#wCwE_LyYTvFpZ`V&8#WaK5qD#J$K5WI@@NIm$*Ko4$jurE;!_ z=l?#JY~MJ?|M&O*m;%m;h(}A*Z5d1XoQS!rpA%v3WnX^DulL8Eu(9cTmJ@7Wc~)7* z^GDtm_wtAx_3wYeSXrz;_L_jbD5u2L>=)!Wi^DZm7x7JThrCYV8-CYr-5U0nkB#`) z=aK0Tez{tUFJ9VDGKHtdH zQ~#k)SHdr*&rb{<@l5#hVT);JUFf-IpNW3%cByT7Ir<`V?A^}oH3xqCOVnFxsinfZ z(NC)%djNARqzM0$PmD;hkLjnME=)P)lw~^Re&HrI1%7+ZqR_rHnZ+03#6g?gM_BnKm`;_Gg`_3P0E}0+bW>0*-nBS{U@_xfehvvYq zZ}HOq{&%gkpNxEXDCSvekH25cwMc*Oj~FpL*}7=A*kX$&Typ;#ZCJ{05;L@(>AgaV$Mcm@MpNj=4)f{lUwMGhRrR;DwX5oHJ4HMn%h?KeQnCa=DS1J#^5(E$uIm_ zODXYaJkKY-kKfG`@=g(-_1*o%@Ax^D+S<hAlRPGiTH;f-4m#hWwcscF$d-{YKZg84YjD9A zZpC6OtjAy{OJ0m})m}9Cd#@UeiuYRsetqGG40qA~EcR9Wtd4ciTI(Dsc!S0MNjebR zYQbT2;nxSbZm*{G1dL7fi+}N=V&Aa5+-2h4209SAZ@sf78o#D^c68teCpy_*VBDL6 z8*b*Cb9l};D%l<Kli0^P#dJiEpGD0VXY)mkjS+Pd4ld$+RgUBp9diXK;uk6H>pdR}?u<-wji zXTPly_Zi69o_+S&l1)eMn4k8e&?DrP(c$)r=Uki>b6ak_;rev$9Ny!*u{X}yTbpmT zSvjr*4|)$9v9;khmh_$?t$e1Vuu~owcwgGPAU_N3>72#~9Hq6Yw6^87$ThD=@>ls1 zatIr=5~y5*q|u8BU+8(K7S5cgdlAP8|EoI?-D2 z%Tq#2=X4ceZ_}nt;&1t2V979p*Bq5QdF{1V$Fl`*PjV>3o3Gvjqe3oa+r}AEY`fNi zUw`BXe^!Ryc_Q|Dk&oa|j4j{Ekw+d8mR)9Gn^e8W~oYkM}$8SNWS z_*d2eM@#t!ZS5_?FJyPh5svyDxIJStI-iOiz($!p+BME+VGFRID`D}SK1ml7XP#(O z{w(;7L*@H<%vuURIO$|)B*w{?$3CO8fzRBQm+A~W_Uy>GMwm0|H3SQs>43~b7cC1I~TT5F((@A8*Z>c z+Uv_6M*qr^XzCbSX3m5UJ<+C#_^Vrr(|02G|g8t5b(5cfx2?l(C zmiACtPw^SvBA57dCZ2erbdNuxPoLf?$3xC|bKuve+-bI4OX1IWz(E`Dy!}=>Zm3-#pDAT5cPgM#_o#DmDadg;m5OLBzRcg8II=CKiA7w`%km3 zfVc2F88kA=QFP+NBTw~{-&2>qYK^W1e*9^FhW0bvbN{0Ye{LsVwTC{rRQ8wOs}+7@ zc-^(vRJD~`8~zMmQ`cJH?;2xr^ztIVRJJ=d!cSK*m+X_SwjO6ZD&gmEY^qMKJ33c$ zp&|Y!yZA)ee6_&w2mGZyWBjV_SN;<67Ss&lKqfR_i6dhPA_) z)Z&&KZ?w@EEqv2rg7hivo9km7kZ}?vVTm&KER?@ObY%_DHf)eA{nuu%{#0k_?qI;hgZShqH&XU&}kW zsH1MSq3G1|K(ZY6*;x#eO;$P+n}3RrM*sPYUT5Ek0pxR?#e2yszgsb5w2jX``^@MY ze?FZLko(P7`TqO?yX?Gk>eG2>_5||1d1s%fBWqi(j_>vxR`xG8Pyd#m;vIfRe{5Jd z%gr%vm3}MluCw;q2^V=fXyi;ne{2!mpg-6yoz5y9tHa%?+a)M|J=WGNA9@&*66=|JH-Z^ zGtD;7{liKBBcm@xH6=bwH|<8KW4k&L1J$Z}{NkNeZVigA5#^4-AIdS_nCZ_p3_xI7tf)BV_~)%wTx 
z&d5S5XF=gd=ekvG&o{%Y5*U4*Ygd7n60WN)%_x_xHzc%Ju@`_5nB>N#2CIr)|Em9Fj6eb40K z;nyPn$vHD;h7BE@c-~oemBrY)$4)k$VwK{u;wv{ zHRiBsC)={-SuW;$_RAVWd2z-RKYbE?OyYFxC5B@AAThawf3(sc)$G83uSuh%N+7dyFYyYU7CMnf@frsc`)IG z@pqo$)o+tIL%s-ibNaWh<&O9pMnfXK;6sLe^YvHhd{LjbjcbH6>#YsusoydX$IbaH zcs!r8pXpU=|6(@iiBFA{xp7lm1IdQmUp^BKU%(%|@SwP%H3lu58{~ebK`s4zM?Sz3 zJxXWxkQHs)&Y19%<7bVrMuHLl7jp%S3!VZGIZqDYkLL8R4e@`mM7jgtv9n%{Jw6;7 z=TE=rM;42ayHxatvvbTv=O%XU+$s6kd~a_5-lsnp%TiwDZ>e4W*{)p|PiNWi=ki13 zw#f}KO?uq4)0T35+570z-0??)>{GV(Z@&5FNhcD^Fz%ISB7s4{kH$+OPpo-Gc~+7? zLu!&g+PgOT0jz7eO?nzVg3pe;fgAq9gHOe?hy6~4cda@6?Ik^0o=i!nCY#U*U)xX6 znEc5!Lw__ipX4H5cilBfCltTu(-tRlPJ%o@{33or&$O0VxAFYgrFN&W8<*Z&yzr#D8V%6Mh`YQBz= zeZ@15$Y65=jf(x|&+fBL%!z&W-aF;_8>1GLXnXJz;(z+Hb0z6M)%pel{KcK+Xz;DB zzS`&)zbPiiv@#}LsPZ8Y`$yZVKQ^emSuJlu| zZOJ(@n7!^Q_svz@OUd`-2<2zui)=u1uS=KC(H>qc zS-y5Wrz)S%OYY0fVH3##VE^sB(~c=`z;FNAUvhdphpTV2LD)rdljvq_wHt1@F8N^D z-g14cAI`)Re{_bGd~|v1#~yohI?u|!YW52Iy<7AFu>Z+xc@T6Uza0iwa9$j3<)e>2 zGUa0M{fcjr`Eps=fYtzTh>gm%*EijtuR%X4CpY$Q-k5XFR7SI-jyfXkbtCh&Y0rgz z$p`$3PsP9JLv#>!fiZHAyfEin?GL%(`s-4C`ilExw36#uALST`7dy9!eAfpa7TYV= zkMOF)7w^1dXJOqPZG5_+wVq9A4%3aS2ihpshcEeP?~nKVCfi+cJo%XE(`2)JM0WdI zajgbxu|Asp6z8cky675y$H+btXBJw^<#3_Byclh{2Y)sJ`oTXo8l2(I55Z@EuO570 zVA^BIZ$aO{C&r*}-$R1mXQYSc`e1?=*+S>1hxv^;<9BV0$Kkuo&&l?U`44`(n$4c} zI7FzDJdd!Yzc@zPE8Po;H`Etf#^c7;I9wjjrrR#k-0x}O*?J|8f$z@Vl6OK!;43N0 ZAbt`&$d+iV$g9Nn@GQ!z2-9f&{U5<0A2I*{ literal 0 HcmV?d00001 diff --git a/site/profiles/manifests/base.pp b/site/profiles/manifests/base.pp index e1a98c0..692ad57 100644 --- a/site/profiles/manifests/base.pp +++ b/site/profiles/manifests/base.pp 
@@ -19,22 +19,18 @@ class profiles::base ( } } - # include the base packages profile - class { 'profiles::base::packages': - packages => hiera('profiles::base::packages::common'), - ensure => 'installed', - } - # manage puppet clients if ! member($puppet_servers, $trusted['certname']) { include profiles::puppet::client } - # include admin scripts + # include the base profiles + include profiles::packages::base + include profiles::base::facts + include profiles::base::motd include profiles::base::scripts - - # include admin scripts include profiles::base::hosts + include profiles::accounts::sysadmin # include the python class class { 'python': @@ -49,11 +45,4 @@ class profiles::base ( secure_path => '/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/opt/puppetlabs/bin' } - # default users - include profiles::accounts::sysadmin - - # add a motd - include profiles::base::facts - include profiles::base::motd - } diff --git a/site/profiles/manifests/base/packages.pp b/site/profiles/manifests/base/packages.pp deleted file mode 100644 index 6c15811..0000000 --- a/site/profiles/manifests/base/packages.pp +++ /dev/null 
@@ -1,27 +0,0 @@ -# This class manages the installation of packages for the base profile -# -# Parameters: -# - $packages: An array of package names to be installed (optional) -# -# Description: -# This class installs a list of packages specified in the $packages parameter -# using the `package` resource from Puppet. Each package in the array is installed -# with the `ensure => installed` attribute, ensuring that the package is present -# on the target system. By default, the class retrieves the package list from Hiera -# using the key 'profiles::base::packages::common'. -# -# Example usage: -# class { 'profiles::base::packages': -# packages => ['package1', 'package2', 'package3'], -# -class profiles::base::packages ( - Array $packages, - Enum[ - 'present', - 'absent', - 'latest', - 'installed' - ] $ensure = 'installed', -){ - ensure_packages($packages, {'ensure' => $ensure}) -} diff --git a/site/profiles/manifests/git/git.pp b/site/profiles/manifests/git/git.pp deleted file mode 100644 index ca3b4e7..0000000 --- a/site/profiles/manifests/git/git.pp +++ /dev/null @@ -1,24 +0,0 @@ -# Class: profiles::git::git -# -# This class ensures that the Git package is installed. -# -# It uses the 'package' resource to manage the Git package, -# and will ensure that it is installed. This class does not -# manage any configurations related to Git, it only ensures -# that the package is installed. -# -# The class does not take any parameters. -# -# Example usage: -# -------------- -# To use this class, you simply need to declare it in your manifest: -# -# include profiles::git::git -# -# You do not need to pass any parameters. -# -class profiles::git::git { - package { 'git': - ensure => installed, - } -} diff --git a/site/profiles/manifests/packages/base.pp b/site/profiles/manifests/packages/base.pp new file mode 100644 index 0000000..807c8a8 --- /dev/null +++ b/site/profiles/manifests/packages/base.pp 
@@ -0,0 +1,21 @@
+# This class manages the installation of packages for the base profile
+#
+# Parameters:
+# - $packages: An array of package names to be installed (optional)
+# - $ensure: Enum of present, absent, latest or installed (optional)
+#
+# Example usage:
+# class { 'profiles::base::packages':
+# packages => ['package1', 'package2', 'package3'],
+#
+class profiles::packages::base (
+  Array $packages = lookup('profiles::packages::base', Array, 'first', []),
+  Enum[
+    'present',
+    'absent',
+    'latest',
+    'installed'
+  ] $ensure = 'installed',
+){
+  ensure_packages($packages, {'ensure' => $ensure})
+}
diff --git a/site/profiles/manifests/packages/git.pp b/site/profiles/manifests/packages/git.pp
new file mode 100644
index 0000000..578aca7
--- /dev/null
+++ b/site/profiles/manifests/packages/git.pp
@@ -0,0 +1,11 @@
+# installs git related packages
+#
+class profiles::packages::git (
+  Array[String] $packages = lookup('profiles::packages::git', Array, 'first', ['git']),
+) {
+  $packages.each |String $package| {
+    package { $package:
+      ensure => installed,
+    }
+  }
+}
diff --git a/site/profiles/manifests/packages/reposync.pp b/site/profiles/manifests/packages/reposync.pp
new file mode 100644
index 0000000..f6525a5
--- /dev/null
+++ b/site/profiles/manifests/packages/reposync.pp
@@ -0,0 +1,11 @@
+# installs reposync related packages
+#
+class profiles::packages::reposync (
+  Array[String] $packages = lookup('profiles::packages::reposync', Array, 'first', ['createrepo']),
+) {
+  $packages.each |String $package| {
+    package { $package:
+      ensure => installed,
+    }
+  }
+}
diff --git a/site/profiles/manifests/packages/selinux.pp b/site/profiles/manifests/packages/selinux.pp
new file mode 100644
index 0000000..1bbd457
--- /dev/null
+++ b/site/profiles/manifests/packages/selinux.pp
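Review bot: The usage example in the new header comment still declares `class { 'profiles::base::packages':` while the class defined here is `profiles::packages::base`, so the doc shows a name this commit deletes; it should read `class { 'profiles::packages::base':`. `Array $packages` is also looser than the `Array[String] $packages` used by the sibling `profiles::packages::git`, `reposync` and `selinux` classes added in the same commit. Those three siblings declare `package { $package: ensure => installed }` in a loop, which fails with a duplicate-declaration error as soon as any other class manages the same package; `ensure_packages($packages, {'ensure' => $ensure})`, as this class does, tolerates that and would keep all four consistent.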
@@ -0,0 +1,11 @@ +# installs selinux related packages +# +class profiles::packages::selinux ( + Array[String] $packages = lookup('profiles::packages::selinux', Array, 'first', ['policycoreutils']), +) { + $packages.each |String $package| { + package { $package: + ensure => installed, + } + } +} diff --git a/site/profiles/manifests/puppet/enc.pp b/site/profiles/manifests/puppet/enc.pp index 4e84227..dad9d11 100644 --- a/site/profiles/manifests/puppet/enc.pp +++ b/site/profiles/manifests/puppet/enc.pp @@ -39,7 +39,7 @@ class profiles::puppet::enc ( Boolean $force = false, ) { - include profiles::git::git + include profiles::packages::git vcsrepo { '/opt/puppetlabs/enc': ensure => latest, diff --git a/site/profiles/manifests/puppet/r10k.pp b/site/profiles/manifests/puppet/r10k.pp index 29d302f..402f49a 100644 --- a/site/profiles/manifests/puppet/r10k.pp +++ b/site/profiles/manifests/puppet/r10k.pp @@ -37,7 +37,7 @@ class profiles::puppet::r10k ( String $r10k_repo, ){ - include profiles::git::git + include profiles::packages::git vcsrepo { '/etc/puppetlabs/r10k': ensure => latest, diff --git a/site/profiles/manifests/reposync/autopromoter.pp b/site/profiles/manifests/reposync/autopromoter.pp new file mode 100644 index 0000000..63c2ab7 --- /dev/null +++ b/site/profiles/manifests/reposync/autopromoter.pp 
@@ -0,0 +1,105 @@
+# setup the autopromoter
+class profiles::reposync::autopromoter {
+
+  # Ensure the autopromoter script is present and executable
+  file { '/usr/local/bin/autopromoter':
+    ensure => 'file',
+    owner => 'root',
+    group => 'root',
+    mode => '0755',
+    content => template('profiles/reposync/autopromoter.erb'),
+  }
+
+  # daily autopromote service/timer
+  $_daily_timer = @(EOT)
+    [Unit]
+    Description=autopromoter daily timer
+    [Timer]
+    OnCalendar=*-*-* 05:00:00
+    RandomizedDelaySec=1s
+    [Install]
+    WantedBy=timers.target
+    EOT
+
+  $_daily_service = @(EOT)
+    [Unit]
+    Description=autopromoter daily service
+    [Service]
+    Type=oneshot
+    ExecStart=/usr/local/bin/autopromoter daily
+    User=root
+    Group=root
+    PermissionsStartOnly=false
+    PrivateTmp=no
+    EOT
+
+  systemd::timer { 'autopromoter-daily.timer':
+    timer_content => $_daily_timer,
+    service_content => $_daily_service,
+    active => true,
+    enable => true,
+    require => File['/usr/local/bin/autopromoter'],
+  }
+
+  # weekly autopromote service/timer
+  $_weekly_timer = @(EOT)
+    [Unit]
+    Description=autopromoter weekly timer
+    [Timer]
+    OnCalendar=Sun *-*-* 05:05:00
+    RandomizedDelaySec=1s
+    [Install]
+    WantedBy=timers.target
+    EOT
+
+  $_weekly_service = @(EOT)
+    [Unit]
+    Description=autopromoter weekly service
+    [Service]
+    Type=oneshot
+    ExecStart=/usr/local/bin/autopromoter weekly
+    User=root
+    Group=root
+    PermissionsStartOnly=false
+    PrivateTmp=no
+    EOT
+
+  systemd::timer { 'autopromoter-weekly.timer':
+    timer_content => $_weekly_timer,
+    service_content => $_weekly_service,
+    active => true,
+    enable => true,
+    require => File['/usr/local/bin/autopromoter'],
+  }
+
+  # monthly autopromote service/timer
+  $_monthly_timer = @(EOT)
+    [Unit]
+    Description=autopromoter monthly timer
+    [Timer]
+    OnCalendar=*-*-01 05:10:00
+    RandomizedDelaySec=1s
+    [Install]
+    WantedBy=timers.target
+    EOT
+
+  $_monthly_service = @(EOT)
+    [Unit]
+    Description=autopromoter monthly service
+    [Service]
+    Type=oneshot
+    ExecStart=/usr/local/bin/autopromoter monthly
+    User=root
+    Group=root
+    PermissionsStartOnly=false
+    PrivateTmp=no
+    EOT
+
+  systemd::timer { 'autopromoter-monthly.timer':
+    timer_content => $_monthly_timer,
+    service_content => $_monthly_service,
+    active => true,
+    enable => true,
+    require => File['/usr/local/bin/autopromoter'],
+  }
+}
diff --git a/site/profiles/manifests/reposync/autosyncer.pp b/site/profiles/manifests/reposync/autosyncer.pp
new file mode 100644
index 0000000..e2e8683
--- /dev/null
+++ b/site/profiles/manifests/reposync/autosyncer.pp
@@ -0,0 +1,44 @@
+# setup the autosyncer
+class profiles::reposync::autosyncer {
+
+  # Ensure the autosyncer script is present and executable
+  file { '/usr/local/bin/autosyncer':
+    ensure => 'file',
+    owner => 'root',
+    group => 'root',
+    mode => '0755',
+    content => template('profiles/reposync/autosyncer.erb'),
+    require => Class['profiles::packages::reposync'],
+  }
+
+  # daily autosyncr service/timer
+  $_timer = @(EOT)
+    [Unit]
+    Description=autosyncer timer
+    [Timer]
+    OnCalendar=*-*-* 03:00:00
+    RandomizedDelaySec=1s
+    [Install]
+    WantedBy=timers.target
+    EOT
+
+  $_service = @(EOT)
+    [Unit]
+    Description=autosyncer service
+    [Service]
+    Type=oneshot
+    ExecStart=/usr/local/bin/autosyncer
+    User=root
+    Group=root
+    PermissionsStartOnly=false
+    PrivateTmp=no
+    EOT
+
+  systemd::timer { 'autosyncer.timer':
+    timer_content => $_timer,
+    service_content => $_service,
+    active => true,
+    enable => true,
+    require => File['/usr/local/bin/autosyncer'],
+  }
+}
diff --git a/site/profiles/manifests/reposync/repos.pp b/site/profiles/manifests/reposync/repos.pp
new file mode 100644
index 0000000..5886785
--- /dev/null
+++ b/site/profiles/manifests/reposync/repos.pp
@@ -0,0 +1,46 @@
+# define to generate repositories in yum
+define profiles::reposync::repos (
+  String $repository,
+  String $description,
+  String $osname,
+  String $release,
+  Stdlib::HTTPUrl $baseurl,
+  Stdlib::HTTPUrl $gpgkey,
+  String $arch = 'x86_64',
+  String $repo_owner = 'root',
+  String $repo_group = 'root',
+  Stdlib::Absolutepath $basepath = '/data/repos',
+){
+
+  $repos_name = downcase("${osname}-${release}-${repository}-${arch}")
+  $conf_file = "/etc/reposync/conf.d/${repos_name}.conf"
+
+  # Create the repository configuration
+  yumrepo { $repos_name:
+    ensure => 'present',
+    descr => $description,
+    baseurl => $baseurl,
+    gpgkey => $gpgkey,
+    target => '/etc/yum.repos.d/reposync.repo',
+    enabled => 0,
+    gpgcheck => 1,
+  }
+
+  # Ensure the repo dest path exists
+  file { "${basepath}/live/${repos_name}" :
+    ensure => 'directory',
+    owner => $repo_owner,
+    group => $repo_group,
+    mode => '0755',
+  }
+
+  # Create the repo configuration file
+  file { $conf_file:
+    ensure => file,
+    owner => $repo_owner,
+    group => $repo_group,
+    mode => '0644',
+    content => template('profiles/reposync/repo_conf.erb'),
+    require => File['/etc/reposync/conf.d'],
+  }
+}
diff --git a/site/profiles/manifests/reposync/syncer.pp b/site/profiles/manifests/reposync/syncer.pp
new file mode 100644
index 0000000..6f20996
--- /dev/null
+++ b/site/profiles/manifests/reposync/syncer.pp
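Review bot: `$gpgkey` is typed `Stdlib::HTTPUrl`, which accepts plain `http://` URLs, and the same value is both the `gpgkey` that `dnf reposync --gpgcheck` validates packages against and the `GPGKEYURL` the autosyncer script later fetches with wget; a key retrieved over cleartext HTTP carries no integrity protection of its own, so the signature check only proves that packages match whatever key that mirror path returned. Where the mirror offers TLS, `Stdlib::HTTPSUrl $gpgkey` (or an explicit allow-list of key URLs) makes the trust anchor come from an authenticated source; the hieradata in this commit uses `http://` for the AlmaLinux key, so the data would need changing at the same time. Separately, `target => '/etc/yum.repos.d/reposync.repo'` on `yumrepo`: I believe that parameter is not honoured by the current yumrepo provider, so each repo will land in its own `/etc/yum.repos.d/<name>.repo` — worth confirming on a host before relying on the single-file layout.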
@@ -0,0 +1,30 @@
+# setup a reposync syncer
+class profiles::reposync::syncer {
+
+  include profiles::packages::reposync
+  include profiles::reposync::autosyncer
+  include profiles::reposync::autopromoter
+  include profiles::reposync::webserver
+
+  # Ensure the reposync config path exists
+  file { '/etc/reposync':
+    ensure => directory,
+    owner => 'root',
+    group => 'root',
+    mode => '0755',
+  }
+  file { '/etc/reposync/conf.d':
+    ensure => directory,
+    owner => 'root',
+    group => 'root',
+    mode => '0755',
+  }
+
+  # get a list of repos as a hash, and iterate through them
+  $repos = lookup('profiles::reposync::repos_list', {})
+  $repos.each | String $name, Hash $repo_hash | {
+    profiles::reposync::repos { $name:
+      * => $repo_hash,
+    }
+  }
+}
diff --git a/site/profiles/manifests/reposync/webserver.pp b/site/profiles/manifests/reposync/webserver.pp
new file mode 100644
index 0000000..66f549a
--- /dev/null
+++ b/site/profiles/manifests/reposync/webserver.pp
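Review bot: `lookup('profiles::reposync::repos_list', {})` passes `{}` as lookup's second positional argument, which is the value type rather than the default value, so this is a type mismatch at compile time rather than an empty-hash fallback; the four-argument form that `profiles::packages::base` uses in this same commit is the intended shape, `lookup('profiles::reposync::repos_list', Hash, 'first', {})`. Declaring the value type as `Hash[String, Hash]` there also rejects a malformed hieradata entry at the lookup instead of inside the `profiles::reposync::repos` define.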
@@ -0,0 +1,58 @@
+# setup a reposync webserver
+class profiles::reposync::webserver (
+  String $www_root = '/data/repos/snap',
+  String $nginx_vhost = 'repos.main.unkin.net',
+  Integer $nginx_port = 80,
+  Boolean $favicon = true,
+  Boolean $selinux = true,
+) {
+
+  class { 'nginx': }
+
+  # create the nginx vhost
+  nginx::resource::server { $nginx_vhost:
+    listen_port => $nginx_port,
+    server_name => [$nginx_vhost],
+    use_default_location => true,
+    access_log => "/var/log/nginx/${nginx_vhost}_access.log",
+    error_log => "/var/log/nginx/${nginx_vhost}_error.log",
+    www_root => $www_root,
+    autoindex => 'on',
+  }
+
+  if $favicon {
+    file { "${www_root}/favicon.ico":
+      ensure => 'file',
+      owner => 'root',
+      group => 'root',
+      mode => '0644',
+      source => 'puppet:///modules/profiles/reposync/favicon.ico',
+    }
+  }
+
+  if $selinux {
+
+    # include packages that are required
+    include profiles::packages::selinux
+
+    # set httpd_sys_content_t to all files under the www_root
+    selinux::fcontext { $www_root:
+      ensure => 'present',
+      seltype => 'httpd_sys_content_t',
+      pathspec => "${www_root}(/.*)?",
+    }
+
+    # make sure we can connect to port 80
+    selboolean { 'httpd_can_network_connect':
+      persistent => true,
+      value => 'on',
+    }
+
+    exec { "restorecon_${www_root}":
+      path => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'],
+      command => "restorecon -Rv ${www_root}",
+      refreshonly => true,
+      subscribe => Selinux::Fcontext[$www_root],
+    }
+  }
+}
diff --git a/site/profiles/templates/reposync/autopromoter.erb b/site/profiles/templates/reposync/autopromoter.erb
new file mode 100644
index 0000000..0bf995f
--- /dev/null
+++ b/site/profiles/templates/reposync/autopromoter.erb
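Review bot: `selboolean { 'httpd_can_network_connect': value => 'on' }` does not control listening on port 80 as the comment above it says; that boolean permits the httpd domain to initiate outbound network connections, which a static file server for `${www_root}` has no need for, and it is a standing widening of the SELinux policy on the host. Port 80 is already labelled `http_port_t`, so nginx binds it without any boolean; drop the resource, or if some later change genuinely needs outbound connections, say why in the comment. If the intent was to support a non-default `$nginx_port`, the matching change is a `selinux::port` resource for that port rather than this boolean. `String $www_root` could also be `Stdlib::Absolutepath`, as `profiles::reposync::repos` already types its `$basepath`.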
@@ -0,0 +1,53 @@
+#!/usr/bin/env bash
+
+# Function to create symlink for snapshots
+create_symlink() {
+  local osname="$1"
+  local release="$2"
+  local repository="$3"
+  local basepath="$4"
+  local label="$5" # 'monthly', 'weekly', or 'daily'
+  local date_format="$6" # Date format for finding the snapshot
+
+  # The path where snapshots are stored
+  local snap_path="${basepath}/snap/${osname}/${release}/${repository}-${date_format}"
+
+  # The target path for the symlink
+  local symlink_target="${basepath}/snap/${osname}/${release}/${repository}-${label}"
+
+  # Check if the source directory exists
+  if [[ -d "$snap_path" ]]; then
+    # Create the symlink, overwrite if it already exists
+    ln -sfn "$snap_path" "$symlink_target"
+    echo "Symlink created for $snap_path -> $symlink_target"
+  else
+    echo "Snapshot path does not exist: $snap_path"
+    return 1
+  fi
+}
+
+# Determine which snapshot to promote based on the passed argument
+case "$1" in
+  monthly)
+    promote_date=$(date --date="$(date +%Y%m01) -1 month" +%Y%m%d)
+    ;;
+  weekly)
+    promote_date=$(date --date="last Sunday" +%Y%m%d)
+    ;;
+  daily)
+    promote_date=$(date --date="yesterday" +%Y%m%d)
+    ;;
+  *)
+    echo "Usage: $0 {monthly|weekly|daily}"
+    exit 1
+    ;;
+esac
+
+# Call the function with appropriate arguments
+# Iterate over the repositories to create symlinks for each
+for conf in /etc/reposync/conf.d/*.conf; do
+  source "$conf"
+
+  # Create symlink based on the provided argument
+  create_symlink "$OSNAME" "$RELEASE" "$REPOSITORY" "$BASEPATH" "$1" "$promote_date"
+done
diff --git a/site/profiles/templates/reposync/autosyncer.erb b/site/profiles/templates/reposync/autosyncer.erb
new file mode 100644
index 0000000..a66ed5d
--- /dev/null
+++ b/site/profiles/templates/reposync/autosyncer.erb
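Review bot: A failed `create_symlink` (missing snapshot directory) is reported on stdout but never changes the script's exit status, so the oneshot service that runs this script succeeds even when no symlink was updated and nothing will alert on a skipped promotion. Track the failures and return them from the loop: `rc=0` before the loop, `create_symlink "$OSNAME" "$RELEASE" "$REPOSITORY" "$BASEPATH" "$1" "$promote_date" || rc=1` inside it, and `exit "$rc"` after `done`; the error message should also go to stderr with `>&2`, as the autosyncer script in the next hunk already does. The loop `source`s every `/etc/reposync/conf.d/*.conf` as shell, so that directory and its files must stay writable by root only, which the Puppet side of this commit does set up (directory `0755` owned by root, files `0644` with an owner that defaults to root). When the directory is empty the glob expands to the literal pattern and the script sources a non-existent file; `shopt -s nullglob` before the loop, or a `[[ -f "$conf" ]] || continue` guard, avoids that.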
@@ -0,0 +1,97 @@
+#!/usr/bin/bash
+
+# Function to perform reposync
+perform_reposync() {
+  local reponame="$1"
+  local basepath="$2"
+
+  /usr/bin/dnf reposync \
+    --gpgcheck \
+    --delete \
+    --downloadcomps \
+    --download-metadata \
+    --remote-time \
+    --disablerepo="*" \
+    --enablerepo="${reponame}" \
+    --download-path="${basepath}/live"
+}
+
+# Function to download GPG keys
+download_gpg_key() {
+  local gpgkeyurl="$1"
+  local reponame="$2"
+  local basepath="$3"
+
+  # Extract filename from URL
+  local filename=$(basename "$gpgkeyurl")
+
+  # Download GPG key to the specified path with the filename from the URL
+  wget -q -O "${basepath}/live/${reponame}/$(unknown)" "$gpgkeyurl" || {
+    echo "Failed to download GPG key from $gpgkeyurl"
+  }
+}
+
+# Function to perform rsync with hard links
+perform_rsync() {
+  local source_path="$1"
+  local dest_path="$2"
+
+  # Create the destination directory if it doesn't exist
+  mkdir -p "$dest_path"
+
+  # Use rsync to create hard links to the files in the destination directory
+  rsync -a --link-dest="$source_path" "$source_path"/* "$dest_path"
+}
+
+create_repo_metadata() {
+  local basepath="${1}"
+  local osname="${2}"
+  local release="${3}"
+  local repository="${4}"
+  local current_date="${5}"
+
+  local repo_path="${basepath}/snap/${osname}/${release}/${repository}-${current_date}"
+
+  if [[ -d "$repo_path" ]]; then
+    echo "Running createrepo on ${repo_path}..."
+    createrepo --update "${repo_path}"
+    if [[ $? -eq 0 ]]; then
+      echo "Successfully created repository metadata for ${repository}"
+    else
+      echo "Failed to create repository metadata for ${repository}" >&2
+      return 1
+    fi
+  else
+    echo "The specified repository path does not exist: ${repo_path}" >&2
+    return 1
+  fi
+}
+
+# Current date in the required format
+DATE=$(date +%Y%m%d)
+
+# iterate over each configuration file
+for conf in /etc/reposync/conf.d/*.conf; do
+
+  # source the configuration to get the variables
+  source "$conf"
+
+  # Call the function to download the GPG key
+  download_gpg_key "$GPGKEYURL" "$REPONAME" "$BASEPATH"
+
+  # Call the reposync function
+  perform_reposync "$REPONAME" "$BASEPATH"
+
+  # Path for rsync source
+  live_path="${BASEPATH}/live/${REPONAME}"
+
+  # Path for rsync destination
+  snap_path="${BASEPATH}/snap/${OSNAME}/${RELEASE}/${REPOSITORY}-${DATE}/${ARCH}/os"
+
+  # Call the rsync function
+  perform_rsync "$live_path" "$snap_path"
+
+  # After syncing each repo, fix the repository metadata
+  create_repo_metadata "${BASEPATH}" "${OSNAME}" "${RELEASE}" "${REPOSITORY}" "${DATE}"
+
+done
diff --git a/site/profiles/templates/reposync/repo_conf.erb b/site/profiles/templates/reposync/repo_conf.erb
new file mode 100644
index 0000000..99eb2b0
--- /dev/null
+++ b/site/profiles/templates/reposync/repo_conf.erb
@@ -0,0 +1,8 @@
+# <%= @osname %>-<%= @release %>-<%= @repository %> repository configuration
+REPOSITORY="<%= @repository %>"
+REPONAME="<%= @repos_name %>"
+OSNAME="<%= @osname %>"
+RELEASE="<%= @release %>"
+ARCH="<%= @arch %>"
+BASEPATH="<%= @basepath %>"
+GPGKEYURL="<%= @gpgkey %>"
diff --git a/site/roles/manifests/infra/packagerepo.pp b/site/roles/manifests/infra/packagerepo.pp
index 1f2afdc..ff90820 100644
--- a/site/roles/manifests/infra/packagerepo.pp
+++ b/site/roles/manifests/infra/packagerepo.pp
@@ -3,4 +3,5 @@ class roles::infra::packagerepo { include profiles::defaults include profiles::base include profiles::base::datavol + include profiles::reposync::syncer }
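Review bot: `download_gpg_key` writes to `"${basepath}/live/${reponame}/$(unknown)"` — `$(unknown)` runs a command named `unknown`, which does not exist, so the output path ends in a slash and wget fails for every repo, while the `filename` local computed just above is never used; the intended line is `wget -q -O "${basepath}/live/${reponame}/${filename}" "$gpgkeyurl" || {`. The failure branch only echoes, so a missing key does not stop `perform_reposync` from running for that repo; either `return 1` there and check the result in the loop, or at least send the message to stderr so it shows in the unit's journal. `if [[ $? -eq 0 ]]` after `createrepo --update` can be written `if createrepo --update "${repo_path}"; then`, and `local filename=$(...)` masks the substitution's exit status (declare on one line, assign on the next). `create_repo_metadata` is run on `${repository}-${current_date}`, one level above the `${ARCH}/os` directory that `perform_rsync` populates; if clients expect repodata under `${ARCH}/os` as in the mirror's layout, the loop should pass `snap_path` instead — confirm against a synced tree. With no `set -u`, a config file missing one of the sourced variables yields an empty path segment rather than an error.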
From 9cb730d116bcb22ae904a6004e40bcfa5e66ab43 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Fri, 10 Nov 2023 23:21:08 +1100 Subject: [PATCH 029/229] feat: add ntp server/client - add ntp client and server class - add ntp server role - update hiera.yaml to work with enc_role - cleanup base profile --- hiera.yaml | 14 +++++--- hieradata/common.yaml | 16 +++++++-- hieradata/roles/infra/ntpserver.yaml | 10 ++++++ site/profiles/manifests/base.pp | 6 ++-- site/profiles/manifests/ntp/client.pp | 30 ++++++++++++++++ site/profiles/manifests/ntp/server.pp | 34 +++++++++++++++++++ .../templates/base/facts/enc_role.erb | 1 + site/roles/manifests/infra/ntpserver.pp | 6 ++++ 8 files changed, 105 insertions(+), 12 deletions(-) create mode 100644 hieradata/roles/infra/ntpserver.yaml create mode 100644 site/profiles/manifests/ntp/client.pp create mode 100644 site/profiles/manifests/ntp/server.pp create mode 100644 site/roles/manifests/infra/ntpserver.pp diff --git a/hiera.yaml b/hiera.yaml index c601683..d117ebd 100644 --- a/hiera.yaml +++ b/hiera.yaml @@ -5,10 +5,14 @@ defaults: data_hash: "yaml_data" hierarchy: - name: Node-specific data - path: "nodes/%{trusted.certname}.yaml" - - name: "Per-OS & Release Specific Data" - path: "os/%{facts.os.name}/%{facts.os.name}%{facts.os.release.major}.yaml" - - name: "Per-OS Specific Data" - path: "os/%{facts.os.name}/all_releases.yaml" + paths: + - "nodes/%{trusted.certname}.yaml" + - name: Role-specific data + paths: + - "%{facts.enc_role_path}.yaml" + - name: "OS Related" + paths: + - "os/%{facts.os.name}/%{facts.os.name}%{facts.os.release.major}.yaml" + - "os/%{facts.os.name}/all_releases.yaml" - name: Common data shared across nodes path: "common.yaml" diff --git a/hieradata/common.yaml b/hieradata/common.yaml index 47674fe..964e975 100644 --- a/hieradata/common.yaml +++ b/hieradata/common.yaml 
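Review bot: `"%{facts.enc_role_path}.yaml"` interpolates a plain fact into a hierarchy path, and `enc_role_path` appears to be written as an external fact by the `base/facts/enc_role.erb` template, so it is a value the agent itself reports; a host that can edit its own facts can therefore choose which role's data (and any secrets in it) it is served, and I do not believe Hiera sanitises the interpolated value before building the path. The node layer just above correctly uses `%{trusted.certname}`, which the agent cannot forge; the role should likewise come from the server side, for example the ENC classification or a `trusted.extensions` value, rather than a round trip through a client fact. The same hunk is repeated verbatim in patch 030, and patch 033 extends the scheme with `enc_role_tier1..3` facts; the point applies to those too.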
@@ -1,7 +1,7 @@ --- -profiles::base::ntp_servers: - - 0.au.pool.ntp.org - - 1.au.pool.ntp.org +profiles::ntp::client::peers: + - ntp01.main.unkin.net + - ntp02.main.unkin.net profiles::base::puppet_servers: - 'prodinf01n01.main.unkin.net' @@ -116,6 +116,16 @@ profiles::base::hosts::additional_hosts: hostname: prodinf01n06.main.unkin.net aliases: - prodinf01n06 + - ip: 198.18.17.9 + hostname: prodinf01n09.main.unkin.net + aliases: + - prodinf01n09 + - ntp01.main.unkin.net + - ip: 198.18.17.10 + hostname: prodinf01n10.main.unkin.net + aliases: + - prodinf01n10 + - ntp02.main.unkin.net - ip: 198.18.17.22 hostname: prodinf01n22.main.unkin.net aliases: diff --git a/hieradata/roles/infra/ntpserver.yaml b/hieradata/roles/infra/ntpserver.yaml new file mode 100644 index 0000000..e618573 --- /dev/null +++ b/hieradata/roles/infra/ntpserver.yaml @@ -0,0 +1,10 @@ +--- +profiles::ntp::client::client_only: false +profiles::ntp::server::allowquery: + - '198.18.17.0/24' + +profiles::ntp::server::peers: + - '0.au.pool.ntp.org' + - '1.au.pool.ntp.org' + - '2.au.pool.ntp.org' + - '3.au.pool.ntp.org' diff --git a/site/profiles/manifests/base.pp b/site/profiles/manifests/base.pp index 692ad57..d601bf8 100644 --- a/site/profiles/manifests/base.pp +++ b/site/profiles/manifests/base.pp @@ -1,11 +1,8 @@ # this is the base class, which will be used by all servers class profiles::base ( - Array $ntp_servers, Array $puppet_servers, ) { - class { 'chrony': - servers => $ntp_servers, - } + case $facts['os']['family'] { 'RedHat': { include profiles::yum::global @@ -31,6 +28,7 @@ class profiles::base ( include profiles::base::scripts include profiles::base::hosts include profiles::accounts::sysadmin + include profiles::ntp::client # include the python class class { 'python': diff --git a/site/profiles/manifests/ntp/client.pp b/site/profiles/manifests/ntp/client.pp new file mode 100644 index 0000000..0429266 --- /dev/null +++ b/site/profiles/manifests/ntp/client.pp 
@@ -0,0 +1,30 @@
+# setup an ntp client using chrony
+# use exported resources from profiles::ntp::server if they are available
+class profiles::ntp::client (
+  Array $peers,
+  Boolean $wait_enable = true,
+  Enum[
+    'running',
+    'stopped'
+  ] $wait_ensure = 'running',
+  Boolean $client_only = true,
+) {
+
+  # If $client_only, setup a client. Servers are set to false so that they are configured
+  # through the profiles::ntp::server class.
+  if $client_only {
+
+    # Define the client configuration based on OS family
+    if $facts['os']['family'] == 'RedHat' {
+      class { 'chrony':
+        servers => $peers,
+        wait_enable => $wait_enable,
+        wait_ensure => $wait_ensure,
+      }
+    } else {
+      class { 'chrony':
+        servers => $peers,
+      }
+    }
+  }
+}
diff --git a/site/profiles/manifests/ntp/server.pp b/site/profiles/manifests/ntp/server.pp
new file mode 100644
index 0000000..0739737
--- /dev/null
+++ b/site/profiles/manifests/ntp/server.pp
@@ -0,0 +1,34 @@
+# chronyd server class with exported resources
+class profiles::ntp::server (
+  Array[Variant[
+    Stdlib::IP::Address::V4,
+    Stdlib::IP::Address::V4::CIDR
+  ]] $allowquery = ['127.0.0.1'],
+  Array[Stdlib::Host] $peers = [
+    '0.pool.ntp.org',
+    '1.pool.ntp.org',
+    '2.pool.ntp.org',
+    '3.pool.ntp.org'
+  ],
+  Boolean $wait_enable = true,
+  Enum[
+    'running',
+    'stopped'
+  ] $wait_ensure = 'running',
+){
+
+  # define the server
+  if $facts['os']['family'] == 'RedHat' {
+    class { 'chrony':
+      servers => $peers,
+      queryhosts => $allowquery,
+      wait_enable => $wait_enable,
+      wait_ensure => $wait_ensure,
+    }
+  } else {
+    class { 'chrony':
+      servers => $peers,
+      queryhosts => $allowquery,
+    }
+  }
+}
diff --git a/site/profiles/templates/base/facts/enc_role.erb b/site/profiles/templates/base/facts/enc_role.erb
index d59acdf..69c6d06 100644
--- a/site/profiles/templates/base/facts/enc_role.erb
+++ b/site/profiles/templates/base/facts/enc_role.erb
@@ -1 +1,2 @@
 enc_role=<%= @enc_role[0] %>
+enc_role=<%= @enc_role[0].gsub('::', '/') %>
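Review bot: The header comments say `profiles::ntp::client` uses exported resources from `profiles::ntp::server` and that the server class has exported resources, but neither hunk declares or collects any (no `@@` exported declarations and no `<<| |>>` collectors); the client simply configures chrony with the `$peers` it gets from hieradata, so the comments should say that, e.g. `# configure chrony as a client of the peers given in hieradata; with client_only => false nothing is declared here and profiles::ntp::server declares chrony instead`. `Array $peers` in the client is untyped while the server uses `Array[Stdlib::Host] $peers`; the same type on the client rejects a malformed hieradata entry at compile time. The server's `$allowquery = ['127.0.0.1']` default is a sound deny-by-default, and the role data in this commit opens it only to the local subnet.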
diff --git a/site/roles/manifests/infra/ntpserver.pp b/site/roles/manifests/infra/ntpserver.pp new file mode 100644 index 0000000..887efce --- /dev/null +++ b/site/roles/manifests/infra/ntpserver.pp @@ -0,0 +1,6 @@ +# a role to deploy a ntp server +class roles::infra::ntpserver { + include profiles::defaults + include profiles::base + include profiles::ntp::server +} From f73c16bca2f960b2fa351b38e6a1b80865a5792f Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sat, 11 Nov 2023 00:03:12 +1100 Subject: [PATCH 030/229] feat: add enc_role_path fact --- hiera.yaml | 14 +++++++++----- site/profiles/templates/base/facts/enc_role.erb | 1 + 2 files changed, 10 insertions(+), 5 deletions(-) diff --git a/hiera.yaml b/hiera.yaml index c601683..d117ebd 100644 --- a/hiera.yaml +++ b/hiera.yaml @@ -5,10 +5,14 @@ defaults: data_hash: "yaml_data" hierarchy: - name: Node-specific data - path: "nodes/%{trusted.certname}.yaml" - - name: "Per-OS & Release Specific Data" - path: "os/%{facts.os.name}/%{facts.os.name}%{facts.os.release.major}.yaml" - - name: "Per-OS Specific Data" - path: "os/%{facts.os.name}/all_releases.yaml" + paths: + - "nodes/%{trusted.certname}.yaml" + - name: Role-specific data + paths: + - "%{facts.enc_role_path}.yaml" + - name: "OS Related" + paths: + - "os/%{facts.os.name}/%{facts.os.name}%{facts.os.release.major}.yaml" + - "os/%{facts.os.name}/all_releases.yaml" - name: Common data shared across nodes path: "common.yaml" diff --git a/site/profiles/templates/base/facts/enc_role.erb b/site/profiles/templates/base/facts/enc_role.erb index d59acdf..dbef811 100644 --- a/site/profiles/templates/base/facts/enc_role.erb +++ b/site/profiles/templates/base/facts/enc_role.erb @@ -1 +1,2 @@ enc_role=<%= @enc_role[0] %> +enc_role_path=<%= @enc_role[0].gsub('::', '/') %> From aef3311fceb28c13686eeb76d2f5709b58fe0f30 Mon Sep 17 00:00:00 2001 
From: Ben Vincent Date: Sat, 11 Nov 2023 00:21:56 +1100 Subject: [PATCH 031/229] chore: bump puppet-enc - includes ntpservers in ntpserver role - https://git.unkin.net/unkinben/puppet-enc/pulls/25 --- hieradata/common.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hieradata/common.yaml b/hieradata/common.yaml index 47674fe..f5e4439 100644 --- a/hieradata/common.yaml +++ b/hieradata/common.yaml @@ -43,7 +43,7 @@ profiles::puppet::client::show_diff: true profiles::puppet::client::usecacheonfailure: false profiles::puppet::enc::repo: https://git.unkin.net/unkinben/puppet-enc.git -profiles::puppet::enc::release: '0.3' +profiles::puppet::enc::release: '0.4' profiles::puppet::enc::force: true profiles::puppet::r10k::r10k_repo: https://git.unkin.net/unkinben/puppet-r10k.git profiles::puppet::g10k::bin_path: '/opt/puppetlabs/bin/g10k' From 7da58059d2bb163528ecd83aae4bec3dc492e6a1 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sat, 11 Nov 2023 21:47:21 +1100 Subject: [PATCH 032/229] feat: add resolver/authoritive dns roles - roles are currently empty, this just exists so I can branch off it and start building test servers with this role --- site/roles/manifests/infra/dns/authoritive.pp | 7 +++++++ site/roles/manifests/infra/dns/resolver.pp | 7 +++++++ 2 files changed, 14 insertions(+) create mode 100644 site/roles/manifests/infra/dns/authoritive.pp create mode 100644 site/roles/manifests/infra/dns/resolver.pp diff --git a/site/roles/manifests/infra/dns/authoritive.pp b/site/roles/manifests/infra/dns/authoritive.pp new file mode 100644 index 0000000..ab81813 --- /dev/null +++ b/site/roles/manifests/infra/dns/authoritive.pp @@ -0,0 +1,7 @@ +# roles::infra::dns::authoritive +# defines a dns server with master-only zones +# +class roles::infra::dns::authoritive { + include profiles::defaults + include profiles::base +} 
diff --git a/site/roles/manifests/infra/dns/resolver.pp b/site/roles/manifests/infra/dns/resolver.pp new file mode 100644 index 0000000..1bf97ab --- /dev/null +++ b/site/roles/manifests/infra/dns/resolver.pp @@ -0,0 +1,7 @@ +# roles::infra::dns::resolver +# defines a dns server with forward-only zones +# +class roles::infra::dns::resolver { + include profiles::defaults + include profiles::base +} From 1b9a4f783211ae9e0882548eb11ba206670784d3 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sat, 11 Nov 2023 23:32:59 +1100 Subject: [PATCH 033/229] refactor: move to ruby-script facts - change enc_role_path fact to be ruby - add enc_role_tier1, enc_role_tier2 and enc_role_tier3 - add new paths to hiera.yaml --- hiera.yaml | 5 ++++- site/profiles/lib/facter/enc_role_path.rb | 14 ++++++++++++++ site/profiles/lib/facter/enc_role_tier1.rb | 15 +++++++++++++++ site/profiles/lib/facter/enc_role_tier2.rb | 14 ++++++++++++++ site/profiles/lib/facter/enc_role_tier3.rb | 14 ++++++++++++++ site/profiles/templates/base/facts/enc_role.erb | 1 - 6 files changed, 61 insertions(+), 2 deletions(-) create mode 100644 site/profiles/lib/facter/enc_role_path.rb create mode 100644 site/profiles/lib/facter/enc_role_tier1.rb create mode 100644 site/profiles/lib/facter/enc_role_tier2.rb create mode 100644 site/profiles/lib/facter/enc_role_tier3.rb diff --git a/hiera.yaml b/hiera.yaml index d117ebd..6d1c6c9 100644 --- a/hiera.yaml +++ b/hiera.yaml @@ -9,7 +9,10 @@ hierarchy: - "nodes/%{trusted.certname}.yaml" - name: Role-specific data paths: - - "%{facts.enc_role_path}.yaml" + - "roles/%{::enc_role_tier1}.yaml" + - "roles/${::enc_role_tier1}/%{::enc_role_tier2}.yaml" + - "roles/${::enc_role_tier1}/%{::enc_role_tier2}/%{::enc_role_tier3}.yaml" + - "%{::enc_role_path}.yaml" - name: "OS Related" paths: - "os/%{facts.os.name}/%{facts.os.name}%{facts.os.release.major}.yaml" 
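Review bot: The second and third role paths use `${::enc_role_tier1}` instead of `%{::enc_role_tier1}`; Hiera only interpolates `%{...}`, so `roles/${::enc_role_tier1}/%{::enc_role_tier2}.yaml` is searched for literally under a directory named `${::enc_role_tier1}`, and parent-level data such as a `roles/infra/dns.yaml` shared by the three-tier dns roles can never be found. Data at the full role path still resolves through the fourth entry, `%{::enc_role_path}.yaml`, which is probably why this went unnoticed. Both lines need `%{`: `- "roles/%{::enc_role_tier1}/%{::enc_role_tier2}.yaml"` and `- "roles/%{::enc_role_tier1}/%{::enc_role_tier2}/%{::enc_role_tier3}.yaml"`. The rest of this file uses the `%{facts.x}` form rather than the top-scope `%{::x}` form; `%{facts.enc_role_tier1}` and friends keep the file consistent and make it explicit that these paths are built from agent-reported facts.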
diff --git a/site/profiles/lib/facter/enc_role_path.rb b/site/profiles/lib/facter/enc_role_path.rb
new file mode 100644
index 0000000..7cc901c
--- /dev/null
+++ b/site/profiles/lib/facter/enc_role_path.rb
@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+# create an enc_role_path fact from enc_role, to be used by hiera.yaml
+#
+# roles::infra::dns::resolver becomes roles/infra/dns/resolver
+Facter.add(:enc_role_path) do
+  setcode do
+    enc_role = Facter.value(:enc_role)
+    if enc_role
+      enc_role_path = enc_role.gsub('::', '/')
+      enc_role_path
+    end
+  end
+end
diff --git a/site/profiles/lib/facter/enc_role_tier1.rb b/site/profiles/lib/facter/enc_role_tier1.rb
new file mode 100644
index 0000000..eba5082
--- /dev/null
+++ b/site/profiles/lib/facter/enc_role_tier1.rb
@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+# split the enc_role fact into different tiers
+#
+# e.g.
+# enc_role_tier2: roles::infra::dns::resolver -> infra
+Facter.add(:enc_role_tier1) do
+  setcode do
+    role = Facter.value(:enc_role)
+    if role
+      parts = role.split('::')
+      parts[1] if parts.size > 1
+    end
+  end
+end
diff --git a/site/profiles/lib/facter/enc_role_tier2.rb b/site/profiles/lib/facter/enc_role_tier2.rb
new file mode 100644
index 0000000..d8d722b
--- /dev/null
+++ b/site/profiles/lib/facter/enc_role_tier2.rb
@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+# split the enc_role fact into different tiers
+# e.g.
+# enc_role_tier2: roles::infra::dns::resolver -> dns
+Facter.add(:enc_role_tier2) do
+  setcode do
+    role = Facter.value(:enc_role)
+    if role
+      parts = role.split('::')
+      parts[2] if parts.size > 2
+    end
+  end
+end
diff --git a/site/profiles/lib/facter/enc_role_tier3.rb b/site/profiles/lib/facter/enc_role_tier3.rb
new file mode 100644
index 0000000..da994f8
--- /dev/null
+++ b/site/profiles/lib/facter/enc_role_tier3.rb
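Review bot: `enc_role_path` is assigned and then returned on the next line, which is just `enc_role.gsub('::', '/')`; the whole `setcode` body collapses to `Facter.value(:enc_role)&.gsub('::', '/')`. The value is derived from `enc_role`, itself an external fact the agent reports, and this commit's `hiera.yaml` hunk interpolates the result into a data path, so nothing here stops a value containing `..` or a leading `/` from reaching that lookup; restricting the fact to the class-name shape its consumer expects, `enc_role.gsub('::', '/') if enc_role&.match?(/\A[a-z0-9_]+(::[a-z0-9_]+)*\z/)`, makes the fact nil for anything else. That is defence in depth only — the data path should ultimately be keyed on a server-side value rather than a client fact.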
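Review bot: The example in `enc_role_tier1.rb` reads `enc_role_tier2: roles::infra::dns::resolver -> infra`; it should say `enc_role_tier1:`, since that is the fact this file defines and `infra` is its value. The tier1, tier2 and tier3 files (the third is the hunk at the start of the next line) are otherwise identical except for the index, so one file could define all three: `(1..3).each { |tier| Facter.add(:"enc_role_tier#{tier}") { setcode { Facter.value(:enc_role)&.split('::')&.fetch(tier, nil) } } }`. `Array#fetch` with a default (like `Array#[]`) already returns nil past the end, which makes the `parts.size > n` guards unnecessary.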
@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+# split the enc_role fact into different tiers
+# e.g.
+# enc_role_tier3: roles::infra::dns::resolver -> resolver
+Facter.add(:enc_role_tier3) do
+  setcode do
+    role = Facter.value(:enc_role)
+    if role
+      parts = role.split('::')
+      parts[3] if parts.size > 3
+    end
+  end
+end
diff --git a/site/profiles/templates/base/facts/enc_role.erb b/site/profiles/templates/base/facts/enc_role.erb
index dbef811..d59acdf 100644
--- a/site/profiles/templates/base/facts/enc_role.erb
+++ b/site/profiles/templates/base/facts/enc_role.erb
@@ -1,2 +1 @@
 enc_role=<%= @enc_role[0] %>
-enc_role_path=<%= @enc_role[0].gsub('::', '/') %>
From 2efde81fff323a17d665703a1b906a4bfd021c02 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sun, 12 Nov 2023 00:17:28 +1100 Subject: [PATCH 034/229] feat: add powertools repo to reposync - add http://mirror.aarnet.edu.au/pub/almalinux/8.8/PowerTools/x86_64/os/ to be synced and mirrored by reposync tools --- hieradata/common.yaml | 7 +++++++ 1 file changed, 7 insertions(+)
diff --git a/hieradata/common.yaml b/hieradata/common.yaml
index 47674fe..551503a 100644
--- a/hieradata/common.yaml
+++ b/hieradata/common.yaml
@@ -80,6 +80,13 @@ profiles::reposync::repos_list: release: '8.8' baseurl: 'http://mirror.aarnet.edu.au/pub/almalinux/8.8/HighAvailability/x86_64/os/' gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux' + almalinux_8_8_powertools: + repository: 'PowerTools' + description: 'AlmaLinux 8.8 - PowerTools' + osname: 'almalinux' + release: '8.8' + baseurl: 'http://mirror.aarnet.edu.au/pub/almalinux/8.8/PowerTools/x86_64/os/' + gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux' epel_8_everything: repository: 'Everything' description: 'EPEL 8 Everything'
From 0071f74e601089cfb2f05df5a8d9e5f7b8ff3306 Mon Sep 17 00:00:00 2001
From: Ben Vincent Date: Sun, 12 Nov 2023 13:57:39 +1100 Subject: [PATCH 035/229] chore: reorganise hieradata - move role specific hieradata into respective roles/* paths --- hieradata/common.yaml | 59 ------------------------ hieradata/roles/infra/packagerepo.yaml | 37 +++++++++++++++ hieradata/roles/puppet.yaml | 5 ++ hieradata/roles/puppet/puppetmaster.yaml | 18 ++++++++ 4 files changed, 60 insertions(+), 59 deletions(-) create mode 100644 hieradata/roles/infra/packagerepo.yaml create mode 100644 hieradata/roles/puppet.yaml create mode 100644 hieradata/roles/puppet/puppetmaster.yaml diff --git a/hieradata/common.yaml b/hieradata/common.yaml index b8a2f9d..221c0be 100644 --- a/hieradata/common.yaml +++ b/hieradata/common.yaml 
@@ -27,74 +27,15 @@ profiles::packages::base: profiles::base::scripts::scripts: puppet: puppetwrapper.py -profiles::puppet::autosign::subnet_ranges: - - '198.18.17.0/24' - -profiles::puppet::autosign::domains: - - '*.main.unkin.net' - -# profiles::puppet::autosign::nodes: -# - 'somenode.main.unkin.net' - profiles::puppet::client::environment: 'develop' profiles::puppet::client::runinterval: 1800 profiles::puppet::client::runtimeout: 3600 profiles::puppet::client::show_diff: true profiles::puppet::client::usecacheonfailure: false -profiles::puppet::enc::repo: https://git.unkin.net/unkinben/puppet-enc.git -profiles::puppet::enc::release: '0.4' -profiles::puppet::enc::force: true -profiles::puppet::r10k::r10k_repo: https://git.unkin.net/unkinben/puppet-r10k.git -profiles::puppet::g10k::bin_path: '/opt/puppetlabs/bin/g10k' -profiles::puppet::g10k::cfg_path: '/etc/puppetlabs/r10k/r10k.yaml' -profiles::puppet::g10k::environments_path: '/etc/puppetlabs/code/environments' -profiles::puppet::g10k::default_environment: 'develop' -profiles::puppet::puppetdb::puppetdb_host: prodinf01n04.main.unkin.net -profiles::puppet::puppetdb::postgres_host: prodinf01n05.main.unkin.net -puppetdb::master::config::create_puppet_service_resource: false -#puppetdb::master::config::puppetdb_host: "%{lookup('profiles::puppet::puppetdb::puppetdb_host')}" - profiles::accounts::sysadmin::sshkeys: - ssh-rsa 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 ben@unkin.net -profiles::reposync::repos_list: - almalinux_8_8_baseos: - repository: 'BaseOS' - description: 'AlmaLinux 8.8 - BaseOS' - osname: 'almalinux' - release: '8.8' - baseurl: 'http://mirror.aarnet.edu.au/pub/almalinux/8.8/BaseOS/x86_64/os/' - gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux' - almalinux_8_8_appstream: - repository: 'AppStream' - description: 'AlmaLinux 8.8 - AppStream' - osname: 'almalinux' - release: '8.8' - baseurl: 'http://mirror.aarnet.edu.au/pub/almalinux/8.8/AppStream/x86_64/os/' - gpgkey: 
'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux' - almalinux_8_8_highavailability: - repository: 'HighAvailability' - description: 'AlmaLinux 8.8 - HighAvailability' - osname: 'almalinux' - release: '8.8' - baseurl: 'http://mirror.aarnet.edu.au/pub/almalinux/8.8/HighAvailability/x86_64/os/' - gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux' - epel_8_everything: - repository: 'Everything' - description: 'EPEL 8 Everything' - osname: 'epel' - release: '8' - baseurl: 'https://dl.fedoraproject.org/pub/epel/8/Everything/x86_64/' - gpgkey: 'https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-8' - epel_8_modular: - repository: 'Modular' - description: 'EPEL 8 Modular' - osname: 'epel' - release: '8' - baseurl: 'https://dl.fedoraproject.org/pub/epel/8/Modular/x86_64/' - gpgkey: 'https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-8' - profiles::base::hosts::additional_hosts: - ip: 198.18.17.3 hostname: prodinf01n01.main.unkin.net diff --git a/hieradata/roles/infra/packagerepo.yaml b/hieradata/roles/infra/packagerepo.yaml new file mode 100644 index 0000000..95e4c32 --- /dev/null +++ b/hieradata/roles/infra/packagerepo.yaml 
@@ -0,0 +1,37 @@ +--- +profiles::reposync::repos_list: + almalinux_8_8_baseos: + repository: 'BaseOS' + description: 'AlmaLinux 8.8 - BaseOS' + osname: 'almalinux' + release: '8.8' + baseurl: 'http://mirror.aarnet.edu.au/pub/almalinux/8.8/BaseOS/x86_64/os/' + gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux' + almalinux_8_8_appstream: + repository: 'AppStream' + description: 'AlmaLinux 8.8 - AppStream' + osname: 'almalinux' + release: '8.8' + baseurl: 'http://mirror.aarnet.edu.au/pub/almalinux/8.8/AppStream/x86_64/os/' + gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux' + almalinux_8_8_highavailability: + repository: 'HighAvailability' + description: 'AlmaLinux 8.8 - HighAvailability' + osname: 'almalinux' + release: '8.8' + baseurl: 'http://mirror.aarnet.edu.au/pub/almalinux/8.8/HighAvailability/x86_64/os/' + gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux' + epel_8_everything: + repository: 'Everything' + description: 'EPEL 8 Everything' + osname: 'epel' + release: '8' + baseurl: 'https://dl.fedoraproject.org/pub/epel/8/Everything/x86_64/' + gpgkey: 'https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-8' + epel_8_modular: + repository: 'Modular' + description: 'EPEL 8 Modular' + osname: 'epel' + release: '8' + baseurl: 'https://dl.fedoraproject.org/pub/epel/8/Modular/x86_64/' + gpgkey: 'https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-8' diff --git a/hieradata/roles/puppet.yaml b/hieradata/roles/puppet.yaml new file mode 100644 index 0000000..b2164e7 --- /dev/null +++ b/hieradata/roles/puppet.yaml @@ -0,0 +1,5 @@ +--- +profiles::puppet::puppetdb::puppetdb_host: prodinf01n04.main.unkin.net +profiles::puppet::puppetdb::postgres_host: prodinf01n05.main.unkin.net +puppetdb::master::config::create_puppet_service_resource: false +#puppetdb::master::config::puppetdb_host: "%{lookup('profiles::puppet::puppetdb::puppetdb_host')}" 
diff --git a/hieradata/roles/puppet/puppetmaster.yaml b/hieradata/roles/puppet/puppetmaster.yaml new file mode 100644 index 0000000..de09f46 --- /dev/null +++ b/hieradata/roles/puppet/puppetmaster.yaml @@ -0,0 +1,18 @@ +--- +profiles::puppet::autosign::subnet_ranges: + - '198.18.17.0/24' + +profiles::puppet::autosign::domains: + - '*.main.unkin.net' + +# profiles::puppet::autosign::nodes: +# - 'somenode.main.unkin.net' + +profiles::puppet::enc::repo: https://git.unkin.net/unkinben/puppet-enc.git +profiles::puppet::enc::release: '0.4' +profiles::puppet::enc::force: true +profiles::puppet::r10k::r10k_repo: https://git.unkin.net/unkinben/puppet-r10k.git +profiles::puppet::g10k::bin_path: '/opt/puppetlabs/bin/g10k' +profiles::puppet::g10k::cfg_path: '/etc/puppetlabs/r10k/r10k.yaml' +profiles::puppet::g10k::environments_path: '/etc/puppetlabs/code/environments' +profiles::puppet::g10k::default_environment: 'develop' From fa211925e431984422684fb0d04a7ac5fbb7d3cd Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sun, 12 Nov 2023 14:42:38 +1100 Subject: [PATCH 036/229] chore: bump enc version - add new dns hosts, update dns roles --- hieradata/roles/puppet/puppetmaster.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hieradata/roles/puppet/puppetmaster.yaml b/hieradata/roles/puppet/puppetmaster.yaml index de09f46..eb72974 100644 --- a/hieradata/roles/puppet/puppetmaster.yaml +++ b/hieradata/roles/puppet/puppetmaster.yaml @@ -9,7 +9,7 @@ profiles::puppet::autosign::domains: # - 'somenode.main.unkin.net' profiles::puppet::enc::repo: https://git.unkin.net/unkinben/puppet-enc.git -profiles::puppet::enc::release: '0.4' +profiles::puppet::enc::release: '0.5' profiles::puppet::enc::force: true profiles::puppet::r10k::r10k_repo: https://git.unkin.net/unkinben/puppet-r10k.git profiles::puppet::g10k::bin_path: '/opt/puppetlabs/bin/g10k' From 48ea444e7c149267f63f74d65843c121fd741cc3 Mon Sep 17 00:00:00 2001 
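Review bot: If this data is rendered into puppetserver's basic `autosign.conf`, the `profiles::puppet::autosign::subnet_ranges` entry `198.18.17.0/24` will not do what its name implies: that file only matches certnames and domain globs against the CN the requester chose in its CSR, so a CIDR line is compared literally and never matches, while `*.main.unkin.net` signs any CSR whose CN ends in that suffix regardless of where it came from. Anyone who can reach port 8140 can therefore obtain a certificate for an arbitrary name in `main.unkin.net`. If autosigning is needed, prefer a policy-based autosign script (`autosign = /path/to/script` in puppet.conf) that validates a `pp_preshared_key`/`challengePassword` in the CSR, or at minimum restrict 8140 at the host firewall to the intended subnet and add a comment above `subnet_ranges` stating how it is enforced. This is moved data rather than new configuration, so the point is about what it expresses, not the move.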
From: Ben Vincent Date: Sun, 12 Nov 2023 15:48:30 +1100 Subject: [PATCH 037/229] fix: resolved issue with repodata - repodata was being created in the wrong location - update script to create in the path where the new snap exists --- site/profiles/templates/reposync/autosyncer.erb | 14 ++++---------- 1 file changed, 4 insertions(+), 10 deletions(-) diff --git a/site/profiles/templates/reposync/autosyncer.erb b/site/profiles/templates/reposync/autosyncer.erb index a66ed5d..9c3caed 100644 --- a/site/profiles/templates/reposync/autosyncer.erb +++ b/site/profiles/templates/reposync/autosyncer.erb @@ -44,21 +44,15 @@ perform_rsync() { } create_repo_metadata() { - local basepath="${1}" - local osname="${2}" - local release="${3}" - local repository="${4}" - local current_date="${5}" - - local repo_path="${basepath}/snap/${osname}/${release}/${repository}-${current_date}" + local repo_path="${1}" if [[ -d "$repo_path" ]]; then echo "Running createrepo on ${repo_path}..." createrepo --update "${repo_path}" if [[ $? -eq 0 ]]; then - echo "Successfully created repository metadata for ${repository}" + echo "Successfully created repository metadata for ${repo_path}" else - echo "Failed to create repository metadata for ${repository}" >&2 + echo "Failed to create repository metadata for ${repo_path}" >&2 return 1 fi else @@ -92,6 +86,6 @@ for conf in /etc/reposync/conf.d/*.conf; do perform_rsync "$live_path" "$snap_path" # After syncing each repo, fix the repository metadata - create_repo_metadata "${BASEPATH}" "${OSNAME}" "${RELEASE}" "${REPOSITORY}" "${DATE}" + create_repo_metadata "${snap_path}" done From 1b78904588db4e478e88c24193182abb2bd27b08 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sun, 12 Nov 2023 15:55:19 +1100 Subject: [PATCH 038/229] fix: typo in repo url namne - change repo.main.unkin.net to repos.main.unkin.net --- hieradata/common.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
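Review bot: `local repo_path="${1}"` now takes whatever the caller passes, and the only validation left in `create_repo_metadata` is `[[ -d "$repo_path" ]]`; with the old derivation from known `osname/release/repository` parts gone, an empty or unset argument (for example `snap_path` not being set by an earlier failure) falls through to the else branch with a misleading message, so add `[[ -n "${1:-}" ]] || { echo "create_repo_metadata: no path given" >&2; return 1; }` as the first line. The success test `if [[ $? -eq 0 ]]` straight after `createrepo --update "${repo_path}"` is also fragile, since any line inserted between the two later changes what `$?` refers to; write `if createrepo --update "${repo_path}"; then` and drop the `$?` line.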
diff --git a/hieradata/common.yaml b/hieradata/common.yaml index 221c0be..76fd051 100644 --- a/hieradata/common.yaml +++ b/hieradata/common.yaml @@ -71,4 +71,4 @@ profiles::base::hosts::additional_hosts: hostname: prodinf01n22.main.unkin.net aliases: - prodinf01n22 - - repo.main.unkin.net + - repos.main.unkin.net From cc77cc7ded7007b6d456783be9e7111991530ead Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sun, 12 Nov 2023 16:17:48 +1100 Subject: [PATCH 039/229] feat: change to use local mirror - change almalinux and epel *.repo files on nodes to use local package mirror - add option to purge yumrepo resources, default to true - add versionlocking to yum, enable it for puppet-agent --- hieradata/os/AlmaLinux/AlmaLinux8.yaml | 3 +- hieradata/os/AlmaLinux/AlmaLinux9.yaml | 1 - hieradata/os/AlmaLinux/all_releases.yaml | 4 +-- hieradata/roles/infra/packagerepo.yaml | 7 +++++ site/profiles/manifests/puppet/client.pp | 14 +++++++++ site/profiles/manifests/yum/base.pp | 37 ++++++++++++++++++++---- site/profiles/manifests/yum/epel.pp | 27 ++++++----------- site/profiles/manifests/yum/global.pp | 21 +++----------- site/profiles/manifests/yum/puppet7.pp | 1 - 9 files changed, 69 insertions(+), 46 deletions(-) diff --git a/hieradata/os/AlmaLinux/AlmaLinux8.yaml b/hieradata/os/AlmaLinux/AlmaLinux8.yaml index 3447bca..ef48076 100644 --- a/hieradata/os/AlmaLinux/AlmaLinux8.yaml +++ b/hieradata/os/AlmaLinux/AlmaLinux8.yaml @@ -2,8 +2,9 @@ --- profiles::yum::managed_repos: - 'base' - - 'extras' - 'appstream' - 'epel' + - 'powertools' + - 'highavailability' - 'puppet7' - 'yum.postgresql.org' diff --git a/hieradata/os/AlmaLinux/AlmaLinux9.yaml b/hieradata/os/AlmaLinux/AlmaLinux9.yaml index 2613c77..40c32c1 100644 --- a/hieradata/os/AlmaLinux/AlmaLinux9.yaml +++ b/hieradata/os/AlmaLinux/AlmaLinux9.yaml @@ -2,7 +2,6 @@ --- profiles::yum::managed_repos: - 'base' - - 'extras' - 'appstream' - 'epel' - 'puppet7' 
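Review bot: `extras` is dropped from `profiles::yum::managed_repos` for AlmaLinux 8 here (and for 9 in the next hunk) while the same commit adds an `almalinux_8_8_extras` mirror to reposync and `profiles::yum::base` keeps its `if 'extras' in $managed_repos` branch; combined with the new `resources { 'yumrepo': purge => true }` default in `profiles::yum::global`, nodes lose the extras repo entirely on their next run. If that is deliberate (for instance because `epel` is now configured directly rather than via `epel-release` from extras), a one-line comment above the list saying so will stop the next reader re-adding it; otherwise keep `- 'extras'`.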
diff --git a/hieradata/os/AlmaLinux/all_releases.yaml b/hieradata/os/AlmaLinux/all_releases.yaml index bdb6ccb..105a19a 100644 --- a/hieradata/os/AlmaLinux/all_releases.yaml +++ b/hieradata/os/AlmaLinux/all_releases.yaml @@ -1,7 +1,7 @@ # hieradata/os/almalinux/all_releases.yaml --- -profiles::yum::base::baseurl: http://almalinux.mirror.digitalpacific.com.au -profiles::yum::epel::baseurl: http://mirror.aarnet.edu.au/pub/epel +profiles::yum::base::baseurl: http://repos.main.unkin.net/almalinux +profiles::yum::epel::baseurl: http://repos.main.unkin.net/epel profiles::firewall::firewalld::ensure_package: 'absent' profiles::firewall::firewalld::ensure_service: 'stopped' profiles::firewall::firewalld::enable_service: false diff --git a/hieradata/roles/infra/packagerepo.yaml b/hieradata/roles/infra/packagerepo.yaml index 1644516..123fbaa 100644 --- a/hieradata/roles/infra/packagerepo.yaml +++ b/hieradata/roles/infra/packagerepo.yaml @@ -28,6 +28,13 @@ profiles::reposync::repos_list: release: '8.8' baseurl: 'http://mirror.aarnet.edu.au/pub/almalinux/8.8/PowerTools/x86_64/os/' gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux' + almalinux_8_8_extras: + repository: 'extras' + description: 'AlmaLinux 8.8 - extras' + osname: 'almalinux' + release: '8.8' + baseurl: 'http://mirror.aarnet.edu.au/pub/almalinux/8.8/extras/x86_64/os/' + gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux' epel_8_everything: repository: 'Everything' description: 'EPEL 8 Everything' diff --git a/site/profiles/manifests/puppet/client.pp b/site/profiles/manifests/puppet/client.pp index 360e296..68ab61a 100644 --- a/site/profiles/manifests/puppet/client.pp +++ b/site/profiles/manifests/puppet/client.pp 
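Review bot: `profiles::yum::base::baseurl` now points every AlmaLinux release at `http://repos.main.unkin.net/almalinux`, but the only AlmaLinux entries in `profiles::reposync::repos_list` (this commit's `packagerepo.yaml` hunk and the earlier ones) are `release: '8.8'`, and the new `profiles::yum::base` builds its path from `$facts['os']['release']['full']`; an AlmaLinux 9 node would request `.../9.x/BaseOS-daily/...`, which nothing syncs. Either add the 9.x repos to the reposync list or move this override down to `AlmaLinux8.yaml` so 9 keeps a working upstream. Since the mirror is plain http on an internal host, also make sure the repo definitions that consume it set `gpgcheck => 1`, which I do not see in the `yumrepo` resources in this commit.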
@@ -29,6 +29,20 @@ class profiles::puppet::client ( ensure => $puppet_version, } + # if puppet-version is anything other than latest, set a versionlock + $puppet_versionlock_ensure = $puppet_version ? { + 'latest' => 'absent', + default => 'present', + } + $puppet_versionlock_version = $puppet_version ? { + 'latest' => undef, + default => $puppet_version, + } + yum::versionlock{'puppet-agent': + ensure => $puppet_versionlock_ensure, + version => $puppet_versionlock_version, + } + # Ensure the puppet service is running service { 'puppet': ensure => 'running', diff --git a/site/profiles/manifests/yum/base.pp b/site/profiles/manifests/yum/base.pp index 4d2ea53..48c38f0 100644 --- a/site/profiles/manifests/yum/base.pp +++ b/site/profiles/manifests/yum/base.pp @@ -1,6 +1,6 @@ # Class: profiles::yum::base # -# This class manages the 'base', extras' and 'appstream' yum +# This class manages the 'base', extras' and 'appstream' yum # repositories for a system, based on the provided list of managed repositories. # # Parameters: @@ -17,7 +17,7 @@ # - Sets up the 'base', extras', and 'appstream' yum repositories # as specified in the $managed_repos parameter, all using the provided baseurl. # -# - Each repo configuration includes the baseurl parameterized with the OS +# - Each repo configuration includes the baseurl parameterized with the OS # release version and architecture, and specifies the GPG key. # # Example usage: @@ -31,8 +31,13 @@ class profiles::yum::base ( Array[String] $managed_repos, String $baseurl, + Enum[ + 'daily', + 'weekly', + 'monthly' + ] $snapshot = 'daily', ) { - $releasever = $facts['os']['release']['major'] + $release = $facts['os']['release']['full'] $basearch = $facts['os']['architecture'] if 'base' in $managed_repos { 
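Review bot: The selector that derives `$puppet_versionlock_ensure` treats every value other than `'latest'` as a concrete version, but Puppet's `package` also accepts `installed`, `present` and `absent` as `ensure` values; if `$puppet_version` (declared above this hunk, so I cannot see its type) admits those, the `default` arm writes a versionlock for `puppet-agent` at version `present`. Match the symbolic values explicitly, `/^(latest|installed|present|absent)$/ => 'absent',` in both selectors, or tighten the parameter type to `Variant[Enum['latest'], Pattern[/^\d+\.\d+\.\d+/]]`. The two selectors on the same `$puppet_version` could also collapse into one that yields an `[ensure, version]` pair, which keeps them from drifting apart. The enclosing class starts above this hunk.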
@@ -40,7 +45,7 @@ class profiles::yum::base ( name => 'base', descr => 'base repository', target => '/etc/yum.repos.d/base.repo', - baseurl => "${baseurl}/${releasever}/BaseOS/${basearch}/os/", + baseurl => "${baseurl}/${release}/BaseOS-${snapshot}/${basearch}/os/", gpgkey => "${baseurl}/RPM-GPG-KEY-${facts['os']['name']}", } } @@ -50,7 +55,7 @@ class profiles::yum::base ( name => 'extras', descr => 'extras repository', target => '/etc/yum.repos.d/extras.repo', - baseurl => "${baseurl}/${releasever}/extras/${basearch}/os/", + baseurl => "${baseurl}/${release}/extras-${snapshot}/${basearch}/os/", gpgkey => "${baseurl}/RPM-GPG-KEY-${facts['os']['name']}", } } @@ -60,7 +65,27 @@ class profiles::yum::base ( name => 'appstream', descr => 'appstream repository', target => '/etc/yum.repos.d/appstream.repo', - baseurl => "${baseurl}/${releasever}/AppStream/${basearch}/os/", + baseurl => "${baseurl}/${release}/AppStream-${snapshot}/${basearch}/os/", + gpgkey => "${baseurl}/RPM-GPG-KEY-${facts['os']['name']}", + } + } + + if 'powertools' in $managed_repos { + yumrepo { 'powertools': + name => 'powertools', + descr => 'powertools repository', + target => '/etc/yum.repos.d/powertools.repo', + baseurl => "${baseurl}/${release}/PowerTools-${snapshot}/${basearch}/os/", + gpgkey => "${baseurl}/RPM-GPG-KEY-${facts['os']['name']}", + } + } + + if 'highavailability' in $managed_repos { + yumrepo { 'highavailability': + name => 'highavailability', + descr => 'highavailability repository', + target => '/etc/yum.repos.d/highavailability.repo', + baseurl => "${baseurl}/${release}/HighAvailability-${snapshot}/${basearch}/os/", gpgkey => "${baseurl}/RPM-GPG-KEY-${facts['os']['name']}", } } diff --git a/site/profiles/manifests/yum/epel.pp b/site/profiles/manifests/yum/epel.pp index fe2be21..f0e39d9 100644 --- a/site/profiles/manifests/yum/epel.pp +++ b/site/profiles/manifests/yum/epel.pp 
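Review bot: The new `powertools` and `highavailability` `yumrepo` resources (like the `base`/`extras`/`appstream` ones above them) set `gpgkey` but never `gpgcheck => 1`; Puppet's `yumrepo` leaves `gpgcheck` unset unless told, and now that every `baseurl` is a plain-http internal mirror, a repo file without `gpgcheck=1` installs whatever the mirror or anyone on the path serves, with the key line never consulted. I cannot see whether `profiles::yum::global`'s `class { 'yum': ... }` sets a global `gpgcheck` in `yum.conf`/`dnf.conf`; unless it does, add `gpgcheck => 1,` to each `yumrepo` here and in `epel.pp`. Five near-identical resource bodies differing only in the repo name also invite drift; a small `{ 'powertools' => 'PowerTools', ... }` map iterated with `.each` would keep the URL template in one place.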
@@ -11,14 +11,10 @@ # -------- # - Checks the OS release version. # -# - If the release version is 7, 8, or 9, it sets up the 'epel' yum repository -# and installs the EPEL release RPM from the provided baseurl. +# - If the release version is 7, 8, or 9, it sets up the 'epel' yum repository # # - If the release version is not supported, it raises an error. # -# - The repo configuration includes the baseurl parameterized with the OS -# release version and architecture, and specifies the GPG key. -# # Example usage: # -------------- # To use this class with the default parameters: @@ -31,27 +27,22 @@ class profiles::yum::epel ( Array[String] $managed_repos, String $baseurl, + Enum[ + 'daily', + 'weekly', + 'monthly' + ] $snapshot = 'daily', ) { - $releasever = $facts['os']['release']['major'] + $release = $facts['os']['release']['major'] $basearch = $facts['os']['architecture'] if 'epel' in $managed_repos { - if ($releasever in [7,8,9]) { - $source = "${baseurl}/epel-release-latest-${releasever}.noarch.rpm" - - yum::install { 'epel-release': - ensure => present, - source => $source, - } - } else { - err("Unsupported OS release ${releasever}") - } yumrepo { 'epel': name => 'epel', descr => 'epel repository', target => '/etc/yum.repos.d/epel.repo', - baseurl => "${baseurl}/${releasever}/Everything/${basearch}/", - gpgkey => "${baseurl}/RPM-GPG-KEY-EPEL-${releasever}", + baseurl => "${baseurl}/${release}/Everything-${snapshot}/${basearch}/os/", + gpgkey => "${baseurl}/RPM-GPG-KEY-EPEL-${release}", } } } diff --git a/site/profiles/manifests/yum/global.pp b/site/profiles/manifests/yum/global.pp index 70481c7..eca5715 100644 --- a/site/profiles/manifests/yum/global.pp +++ b/site/profiles/manifests/yum/global.pp @@ -42,6 +42,7 @@ # class profiles::yum::global ( Array[String] $managed_repos = lookup('profiles::yum::managed_repos'), + Boolean $purge = true, ){ class { 'yum': keep_kernel_devel => true, 
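Review bot: The class header in the first hunk still says `If the release version is not supported, it raises an error`, but the second hunk deletes the `if ($releasever in [7,8,9]) ... err(...)` branch, so the comment now documents behaviour that no longer exists; either remove that line or keep a guard such as `unless $release in ['7', '8', '9'] { fail("Unsupported OS release ${release}") }` (Facter reports `os.release.major` as a String, so the old integer list would not have matched anyway, and `err()` only logs rather than stopping the catalog). The new `baseurl` also appends `/os/` (`Everything-${snapshot}/${basearch}/os/`), while the reposync entries for EPEL mirror `.../8/Everything/x86_64/` with no `os` component; the autosyncer's snapshot layout is not visible here, so please confirm that directory exists on the mirror before nodes switch over. As with `base.pp`, the `yumrepo` sets `gpgkey` but not `gpgcheck => 1`.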
@@ -58,14 +59,9 @@ class profiles::yum::global ( mirrorlist => 'absent', } -# tidy { '/etc/yum.repos.d': -# matches => ['*.repo', '!*.managed.repo'], -# recurse => true, -# rmdirs => false, -# age => '0s', -# backup => false, -# type => 'ctime', -# } + resources { 'yumrepo': + purge => $purge, + } # Generate the content for the .managed file $managed_file_content = $managed_repos.map |$repo_name| { "${repo_name}.repo" }.join("\n") @@ -76,15 +72,6 @@ class profiles::yum::global ( content => $managed_file_content, } - # Define exec resource to remove .repo files not listed in .managed - exec { 'cleanup_yum_repos': - command => '/bin/bash -c "comm -23 <(ls /etc/yum.repos.d | sort) - <(sort /etc/yum.repos.d/.managed) | - xargs -n1 rm -f /etc/yum.repos.d/{}"', - onlyif => '/bin/bash -c "comm -23 <(ls /etc/yum.repos.d | sort) - <(sort /etc/yum.repos.d/.managed) | grep .repo"', - } - # Setup base repos class { 'profiles::yum::base': managed_repos => $managed_repos, diff --git a/site/profiles/manifests/yum/puppet7.pp b/site/profiles/manifests/yum/puppet7.pp index 4ceb7a1..2733ff2 100644 --- a/site/profiles/manifests/yum/puppet7.pp +++ b/site/profiles/manifests/yum/puppet7.pp @@ -47,7 +47,6 @@ class profiles::yum::puppet7 ( err("Unsupported OS release ${releasever}") } - yumrepo { 'puppet7': name => 'puppet7', descr => 'puppet7 repository', From b2844c4b3a0713729c5fa5d87f82b3c6a7becb89 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sun, 12 Nov 2023 17:26:58 +1100 Subject: [PATCH 040/229] fix: updated path for gpg keys --- site/profiles/manifests/yum/base.pp | 10 +++++----- site/profiles/manifests/yum/epel.pp | 2 +- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/site/profiles/manifests/yum/base.pp b/site/profiles/manifests/yum/base.pp index 48c38f0..df86cd0 100644 --- a/site/profiles/manifests/yum/base.pp +++ b/site/profiles/manifests/yum/base.pp 
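Review bot: With the `cleanup_yum_repos` exec removed in the second hunk, the `.managed` file that `$managed_file_content` still writes under `/etc/yum.repos.d` no longer has a consumer; either delete that `file` resource and the map/join feeding it, or keep it deliberately as an audit record and say so in a comment. The replacement `resources { 'yumrepo': purge => $purge }` with `$purge = true` by default removes every repo section not declared in the catalog on the first run, including the stock vendor `.repo` files and anything added by hand, which matches the commit intent but deserves a line on the parameter, e.g. `# Boolean $purge: when true, every yumrepo section not managed by Puppet is removed (vendor .repo files included).` The enclosing class starts above the first hunk and continues below the second.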
@@ -46,7 +46,7 @@ class profiles::yum::base ( descr => 'base repository', target => '/etc/yum.repos.d/base.repo', baseurl => "${baseurl}/${release}/BaseOS-${snapshot}/${basearch}/os/", - gpgkey => "${baseurl}/RPM-GPG-KEY-${facts['os']['name']}", + gpgkey => "${baseurl}/${release}/BaseOS-${snapshot}/${basearch}/os/RPM-GPG-KEY-${facts['os']['name']}", } } @@ -56,7 +56,7 @@ class profiles::yum::base ( descr => 'extras repository', target => '/etc/yum.repos.d/extras.repo', baseurl => "${baseurl}/${release}/extras-${snapshot}/${basearch}/os/", - gpgkey => "${baseurl}/RPM-GPG-KEY-${facts['os']['name']}", + gpgkey => "${baseurl}/${release}/extras-${snapshot}/${basearch}/os/RPM-GPG-KEY-${facts['os']['name']}", } } @@ -66,7 +66,7 @@ class profiles::yum::base ( descr => 'appstream repository', target => '/etc/yum.repos.d/appstream.repo', baseurl => "${baseurl}/${release}/AppStream-${snapshot}/${basearch}/os/", - gpgkey => "${baseurl}/RPM-GPG-KEY-${facts['os']['name']}", + gpgkey => "${baseurl}/${release}/AppStream-${snapshot}/${basearch}/os/RPM-GPG-KEY-${facts['os']['name']}", } } @@ -76,7 +76,7 @@ class profiles::yum::base ( descr => 'powertools repository', target => '/etc/yum.repos.d/powertools.repo', baseurl => "${baseurl}/${release}/PowerTools-${snapshot}/${basearch}/os/", - gpgkey => "${baseurl}/RPM-GPG-KEY-${facts['os']['name']}", + gpgkey => "${baseurl}/${release}/PowerTools-${snapshot}/${basearch}/os/RPM-GPG-KEY-${facts['os']['name']}", } } @@ -86,7 +86,7 @@ class profiles::yum::base ( descr => 'highavailability repository', target => '/etc/yum.repos.d/highavailability.repo', baseurl => "${baseurl}/${release}/HighAvailability-${snapshot}/${basearch}/os/", - gpgkey => "${baseurl}/RPM-GPG-KEY-${facts['os']['name']}", + gpgkey => "${baseurl}/${release}/HighAvailability-${snapshot}/${basearch}/os/RPM-GPG-KEY-${facts['os']['name']}", } } } diff --git a/site/profiles/manifests/yum/epel.pp b/site/profiles/manifests/yum/epel.pp index f0e39d9..575e099 100644 
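Review bot: Moving `gpgkey` to `${baseurl}/${release}/BaseOS-${snapshot}/${basearch}/os/RPM-GPG-KEY-...` (and likewise for the other four repos) puts the signing key in the same plain-http snapshot directory as the packages it is meant to authenticate, so a replaced mirror tree or an on-path attacker can swap packages and key together and `gpgcheck` would still pass. The stock layout installs the vendor key at `/etc/pki/rpm-gpg/RPM-GPG-KEY-AlmaLinux` with the release package (not verifiable from this diff, but it is the default), so prefer `gpgkey => 'file:///etc/pki/rpm-gpg/RPM-GPG-KEY-AlmaLinux'`, or distribute the key via a Puppet `file` resource from the module and point `gpgkey` at that path, so the trust anchor never comes from the mirror. If the key must stay on the mirror, at least keep it at a fixed location outside the daily snapshot and fetch it over https.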
--- a/site/profiles/manifests/yum/epel.pp +++ b/site/profiles/manifests/yum/epel.pp @@ -42,7 +42,7 @@ class profiles::yum::epel ( descr => 'epel repository', target => '/etc/yum.repos.d/epel.repo', baseurl => "${baseurl}/${release}/Everything-${snapshot}/${basearch}/os/", - gpgkey => "${baseurl}/RPM-GPG-KEY-EPEL-${release}", + gpgkey => "${baseurl}/${release}/Everything-${snapshot}/${basearch}/os/RPM-GPG-KEY-EPEL-${release}", } } } From 76b54fc59d80a46cefd15af95afc53fc8874270e Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sat, 11 Nov 2023 23:00:55 +1100 Subject: [PATCH 041/229] feat: add dns resolver/master classes - define resolver and master dns server - export A and PTR records from dns clients - collect exported resources for master - create hiera structure for acls, zones and views --- .reek.yml | 5 +++ .rubocop.yml | 10 +++++ Puppetfile | 4 ++ hieradata/roles/infra/dns/master.yaml | 28 ++++++++++++ hieradata/roles/infra/dns/resolver.yaml | 29 ++++++++++++ site/profiles/lib/facter/arpa.rb | 27 ++++++++++++ site/profiles/manifests/base.pp | 3 ++ site/profiles/manifests/dns/client.pp | 34 ++++++++++++++ site/profiles/manifests/dns/master.pp | 27 ++++++++++++ site/profiles/manifests/dns/resolver.pp | 16 +++++++ site/profiles/manifests/dns/server.pp | 44 +++++++++++++++++++ .../infra/dns/{authoritive.pp => master.pp} | 5 ++- site/roles/manifests/infra/dns/resolver.pp | 1 + 13 files changed, 231 insertions(+), 2 deletions(-) create mode 100644 .reek.yml create mode 100644 .rubocop.yml create mode 100644 hieradata/roles/infra/dns/master.yaml create mode 100644 hieradata/roles/infra/dns/resolver.yaml create mode 100644 site/profiles/lib/facter/arpa.rb create mode 100644 site/profiles/manifests/dns/client.pp create mode 100644 site/profiles/manifests/dns/master.pp create mode 100644 site/profiles/manifests/dns/resolver.pp create mode 100644 site/profiles/manifests/dns/server.pp rename site/roles/manifests/infra/dns/{authoritive.pp => master.pp} (52%) 
diff --git a/.reek.yml b/.reek.yml new file mode 100644 index 0000000..5d9b3c5 --- /dev/null +++ b/.reek.yml @@ -0,0 +1,5 @@ +# .reek.yml + +detectors: + FeatureEnvy: + enabled: false diff --git a/.rubocop.yml b/.rubocop.yml new file mode 100644 index 0000000..ac0c163 --- /dev/null +++ b/.rubocop.yml @@ -0,0 +1,10 @@ +# .rubocop.yml + +Style/ClassAndModuleChildren: + EnforcedStyle: compact + +Style/Documentation: + Enabled: false + +Layout/LineLength: + Max: 140 diff --git a/Puppetfile b/Puppetfile index 1da664c..fda7e8a 100644 --- a/Puppetfile +++ b/Puppetfile @@ -27,3 +27,7 @@ mod 'puppet-selinux', '4.1.0' # other mod 'ghoneycutt-puppet', '3.3.0' mod 'saz-sudo', '8.0.0' + +mod 'bind', + :git => 'https://git.unkin.net/unkinben/puppet-bind.git', + :tag => '1.0' diff --git a/hieradata/roles/infra/dns/master.yaml b/hieradata/roles/infra/dns/master.yaml new file mode 100644 index 0000000..c2a99c1 --- /dev/null +++ b/hieradata/roles/infra/dns/master.yaml @@ -0,0 +1,28 @@ +--- +profiles::dns::master::acls: + acl-main.unkin.net: + addresses: + - 198.18.17.0/24 + +profiles::dns::master::zones: + main.unkin.net-master: + domain: 'main.unkin.net' + zone_type: 'master' + dynamic: false + 17.18.198.in-addr.arpa-master: + domain: '17.18.198.in-addr.arpa' + zone_type: 'master' + dynamic: false + +profiles::dns::master::views: + authoritive: + recursion: false + zones: + - main.unkin.net-master + - 17.18.198.in-addr.arpa-master + match_clients: + - acl-main.unkin.net + +profiles::dns::master::tags: + ptr: 'master-ptr-records' + a: 'master-a-records' diff --git a/hieradata/roles/infra/dns/resolver.yaml b/hieradata/roles/infra/dns/resolver.yaml new file mode 100644 index 0000000..2c0fa2d --- /dev/null +++ b/hieradata/roles/infra/dns/resolver.yaml 
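Review bot: `mod 'bind'` is pinned with `:tag => '1.0'`, and git tags are mutable: anyone who can push to `git.unkin.net/unkinben/puppet-bind.git`, or an attacker who gains that, can move the tag and every r10k/g10k deploy will silently pull different code onto the puppetserver. Pin to an immutable commit, `:commit => '<40-hex sha>'` (r10k also accepts `:ref` with a sha), and record the tag in a trailing comment for readability. The Forge modules above it (`puppet-selinux`, `ghoneycutt-puppet`, `saz-sudo`) are already pinned to exact versions, so this is the one floating entry in the file.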
@@ -0,0 +1,29 @@ +--- +profiles::dns::resolver::acls: + acl-main.unkin.net: + addresses: + - 198.18.17.0/24 + +profiles::dns::resolver::zones: + main.unkin.net-forward: + domain: 'main.unkin.net' + zone_type: 'forward' + forwarders: + - 198.18.17.23 + - 198.18.17.24 + forward: 'only' + prod.unkin.net-forward: + domain: 'prod.unkin.net' + zone_type: 'forward' + forwarders: + - 10.10.8.1 + forward: 'only' + +profiles::dns::resolver::views: + openforwarder: + recursion: true + zones: + - main.unkin.net-forward + - prod.unkin.net-forward + match_clients: + - acl-main.unkin.net diff --git a/site/profiles/lib/facter/arpa.rb b/site/profiles/lib/facter/arpa.rb new file mode 100644 index 0000000..25d2bad --- /dev/null +++ b/site/profiles/lib/facter/arpa.rb @@ -0,0 +1,27 @@ +# frozen_string_literal: true + +# arpa_fact.rb + +require 'facter' + +Facter.add(:arpa) do + setcode do + arpa_info = {} + Facter.value(:networking)['interfaces'].each do |interface_name, values| + next unless values.key?('ip') + + ip_address = values['ip'] + reversed_ip_parts = ip_address.split('.').reverse + addr = "#{reversed_ip_parts.join('.')}.in-addr.arpa" + + trimmed_ip_parts = reversed_ip_parts[1..] + zone = "#{trimmed_ip_parts.join('.')}.in-addr.arpa" + + arpa_info[interface_name] = { + 'zone' => zone, + 'addr' => addr + } + end + arpa_info + end +end diff --git a/site/profiles/manifests/base.pp b/site/profiles/manifests/base.pp index d601bf8..1182097 100644 --- a/site/profiles/manifests/base.pp +++ b/site/profiles/manifests/base.pp @@ -30,6 +30,9 @@ class profiles::base ( include profiles::accounts::sysadmin include profiles::ntp::client + # configure dns records for client + profiles::dns::client {"${facts['networking']['fqdn']}-default":} + # include the python class class { 'python': manage_python_package => true, diff --git a/site/profiles/manifests/dns/client.pp b/site/profiles/manifests/dns/client.pp new file mode 100644 index 0000000..60abe10 --- /dev/null 
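Review bot: `zone` is built by dropping the first octet of the reversed address (`reversed_ip_parts[1..]`), which hard-codes a /24 reverse zone; for an interface on anything else (a /16, or a /25 split) the PTR is exported into a zone that does not exist on the master, and `next unless values.key?('ip')` also silently skips IPv6-only interfaces. The `networking` fact carries a per-interface `netmask` (in Facter 3+, not visible here), so derive the zone from the prefix length and guard `Facter.value(:networking)` being nil on a minimal agent; classless delegations still need a hand-written zone, which the comment below says.
```ruby
Facter.add(:arpa) do
  setcode do
    interfaces = Facter.value(:networking)&.fetch('interfaces', nil) || {}
    interfaces.each_with_object({}) do |(name, values), arpa_info|
      next unless values.key?('ip') && values.key?('netmask')

      octets = values['ip'].split('.')
      prefix = values['netmask'].split('.').sum { |o| o.to_i.to_s(2).count('1') }
      # whole-octet reverse zones only; classless (/25 etc.) delegations need a manual zone
      kept = prefix / 8
      arpa_info[name] = {
        'zone' => "#{octets.first(kept).reverse.join('.')}.in-addr.arpa",
        'addr' => "#{octets.reverse.join('.')}.in-addr.arpa"
      }
    end
  end
end
```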
+++ b/site/profiles/manifests/dns/client.pp @@ -0,0 +1,34 @@ +# profiles::dns::client +define profiles::dns::client ( + Integer $ttl = 600, + String $intf = $facts['networking']['primary'], + String $addr = $facts['networking']['ip'], + String $fqdn = $facts['networking']['fqdn'], + Boolean $forward = true, + Boolean $reverse = true, +){ + + if $forward { + @@resource_record { "${fqdn}_${intf}-a": + ensure => present, + record => $::facts['networking']['fqdn'], + type => 'A', + data => [$::facts['networking']['ip']], + ttl => $ttl, + zone => "${::facts['networking']['domain']}-master", + tag => 'master-a-record', + } + } + + if $reverse { + @@resource_record { "${fqdn}_${addr}-ptr": + ensure => present, + record => $::facts['arpa'][$intf]['addr'], + type => 'PTR', + data => [$fqdn], + ttl => $ttl, + zone => "${::facts['arpa'][$intf]['zone']}-master", + tag => 'master-ptr-record', + } + } +} diff --git a/site/profiles/manifests/dns/master.pp b/site/profiles/manifests/dns/master.pp new file mode 100644 index 0000000..5b0a158 --- /dev/null +++ b/site/profiles/manifests/dns/master.pp @@ -0,0 +1,27 @@ +# profiles::dns::master authoritative service +class profiles::dns::master ( + Hash $acls = {}, + Hash $zones = {}, + Hash $views = {}, + Hash[ + String, + String + ] $tags = {}, + Boolean $dnssec = false, +){ + + class {'profiles::dns::server': + acls => $acls, + zones => $zones, + views => $views, + forwarders => [], + dnssec => $dnssec, + } + + # collect records + $tags.each | String $key, String $tag_value | { + if $tag_value != undef { + Resource_record <<| tag == $tag_value |>> + } + } +} diff --git a/site/profiles/manifests/dns/resolver.pp b/site/profiles/manifests/dns/resolver.pp new file mode 100644 index 0000000..bc95e6d --- /dev/null +++ b/site/profiles/manifests/dns/resolver.pp 
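Review bot: The exported records are tagged `master-a-record` / `master-ptr-record`, but the collector in `profiles::dns::master` takes its tags from hiera, where this commit's `master.yaml` sets `master-a-records` / `master-ptr-records` (plural), so as written nothing is ever collected on the master. Pick one spelling; the smallest change is the two `tag =>` lines here becoming `'master-a-records'` and `'master-ptr-records'`. The `$intf`, `$addr` and `$fqdn` parameters are accepted but ignored by the A record, which reads `$::facts['networking']['fqdn']` and `['ip']` directly; use `record => $fqdn, data => [$addr]` so a caller passing a secondary interface gets what it asked for. Note also that record content comes entirely from node-reported facts, so any agent holding a signed cert can publish an A/PTR for any name or address in the collected zones; that is inherent to exported resources and is worth a comment on the define, especially alongside wildcard autosigning.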
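Review bot: `if $tag_value != undef` in the collector loop of `profiles::dns::master` can never be false, because `$tags` is typed `Hash[String, String]` and every value is therefore a String; an empty string passes the guard and collects `tag == ''`, which matches nothing. Drop the guard, or make it `if $tag_value != ''`. `$dnssec` also defaults to `false` here while `profiles::dns::server` defaults it to `true`; a one-line comment stating why the authoritative master differs would save the next reader from "fixing" it.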
@@ -0,0 +1,16 @@ +# profiles::dns::resolver +class profiles::dns::resolver ( + Hash $acls = {}, + Hash $zones = {}, + Hash $views = {}, + Array $forwarders = ['8.8.8.8', '1.1.1.1'], +){ + + class {'profiles::dns::server': + acls => $acls, + zones => $zones, + views => $views, + forwarders => $forwarders, + } + +} diff --git a/site/profiles/manifests/dns/server.pp b/site/profiles/manifests/dns/server.pp new file mode 100644 index 0000000..06a4dba --- /dev/null +++ b/site/profiles/manifests/dns/server.pp @@ -0,0 +1,44 @@ +# profiles::dns::server +class profiles::dns::server ( + Hash $acls = {}, + Hash $zones = {}, + Hash $views = {}, + Array $forwarders = ['8.8.8.8', '1.1.1.1'], + Boolean $dnssec = true, +){ + + # if forwarders are empty, set it to undef + if $forwarders == [] { + $use_forwarders = undef + }else{ + $use_forwarders = $forwarders + } + + # setup base bind server + class { 'bind': + forwarders => $use_forwarders, + dnssec => $dnssec, + version => 'Controlled by Puppet', + } + + # if acls, import them + $acls.each | $name, $data | { + bind::acl { $name: + * => $data, + } + } + + # if zones, import them + $zones.each | $name, $data | { + bind::zone { $name: + * => $data, + } + } + + # if views, import them + $views.each | $name, $data | { + bind::view { $name: + * => $data, + } + } +} diff --git a/site/roles/manifests/infra/dns/authoritive.pp b/site/roles/manifests/infra/dns/master.pp similarity index 52% rename from site/roles/manifests/infra/dns/authoritive.pp rename to site/roles/manifests/infra/dns/master.pp index ab81813..e5d50de 100644 --- a/site/roles/manifests/infra/dns/authoritive.pp +++ b/site/roles/manifests/infra/dns/master.pp @@ -1,7 +1,8 @@ -# roles::infra::dns::authoritive +# roles::infra::dns::master # defines a dns server with master-only zones # -class roles::infra::dns::authoritive { +class roles::infra::dns::master { include profiles::defaults include profiles::base + include profiles::dns::master } 
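Review bot: The `if $forwarders == [] { ... } else { ... }` block in `profiles::dns::server` is a four-line way of writing a selector; `$use_forwarders = empty($forwarders) ? { true => undef, default => $forwarders }` reads as one statement (`empty()` is a core function since Puppet 5.5). Both `profiles::dns::server` and `profiles::dns::resolver` also default `$forwarders` to `['8.8.8.8', '1.1.1.1']`, so a resolver deployed without hiera data silently forwards every non-internal query to public DNS in the clear; if that is intended, say so in a comment on the parameter, otherwise default to `[]` and require the value from hiera. The `acls`/`zones`/`views` hashes are splatted into `bind::*` untyped, so a typo in a hiera key surfaces only as a compile error on the node; `Hash[String, Hash]` on the three parameters would at least catch the outer shape.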
diff --git a/site/roles/manifests/infra/dns/resolver.pp b/site/roles/manifests/infra/dns/resolver.pp index 1bf97ab..606ca9f 100644 --- a/site/roles/manifests/infra/dns/resolver.pp +++ b/site/roles/manifests/infra/dns/resolver.pp @@ -4,4 +4,5 @@ class roles::infra::dns::resolver { include profiles::defaults include profiles::base + include profiles::dns::resolver } From d877fd00f382e0dbbaa71f3c5a26730194d4f5ca Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Mon, 13 Nov 2023 22:00:19 +1100 Subject: [PATCH 042/229] chore: bump enc version https://git.unkin.net/unkinben/puppet-enc/pulls/27 --- hieradata/roles/puppet/puppetmaster.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hieradata/roles/puppet/puppetmaster.yaml b/hieradata/roles/puppet/puppetmaster.yaml index eb72974..931b916 100644 --- a/hieradata/roles/puppet/puppetmaster.yaml +++ b/hieradata/roles/puppet/puppetmaster.yaml @@ -9,7 +9,7 @@ profiles::puppet::autosign::domains: # - 'somenode.main.unkin.net' profiles::puppet::enc::repo: https://git.unkin.net/unkinben/puppet-enc.git -profiles::puppet::enc::release: '0.5' +profiles::puppet::enc::release: '0.6' profiles::puppet::enc::force: true profiles::puppet::r10k::r10k_repo: https://git.unkin.net/unkinben/puppet-r10k.git profiles::puppet::g10k::bin_path: '/opt/puppetlabs/bin/g10k' From c996c9b7e34606168f79d365e0dcad24b4e67e4f Mon Sep 17 00:00:00 2001 
From: Ben Vincent Date: Mon, 13 Nov 2023 22:17:59 +1100 Subject: [PATCH 043/229] fix: enable dynamic/tsig updates - add eyaml to hiera.yaml - consolidate all paths into single tree - change to new profiles::dns::client wrapper - change to new profiles::dns::record wrapper - change to use concat method to build zone file --- hiera.yaml | 18 ++++++----- hieradata/common.yaml | 2 ++ hieradata/roles/infra/dns/master.eyaml | 3 ++ hieradata/roles/infra/dns/master.yaml | 26 +++++++++++----- site/profiles/manifests/dns/client.pp | 33 ++++++++++----------- site/profiles/manifests/dns/master.pp | 28 ++++++++++++++--- site/profiles/manifests/dns/record.pp | 23 ++++++++++++++ site/profiles/manifests/dns/resolver.pp | 2 ++ site/profiles/manifests/dns/server.pp | 8 +++++ site/profiles/manifests/dns/zone.pp | 27 +++++++++++++++++ site/profiles/templates/dns/zone_header.erb | 16 ++++++++++ 11 files changed, 149 insertions(+), 37 deletions(-) create mode 100644 hieradata/roles/infra/dns/master.eyaml create mode 100644 site/profiles/manifests/dns/record.pp create mode 100644 site/profiles/manifests/dns/zone.pp create mode 100644 site/profiles/templates/dns/zone_header.erb diff --git a/hiera.yaml b/hiera.yaml index 6d1c6c9..3097474 100644 --- a/hiera.yaml +++ b/hiera.yaml 
@@ -4,18 +4,22 @@ defaults: datadir: "hieradata" data_hash: "yaml_data" hierarchy: - - name: Node-specific data + - name: Consolidated Data paths: - "nodes/%{trusted.certname}.yaml" - - name: Role-specific data - paths: + - "roles/%{::enc_role_tier1}.eyaml" - "roles/%{::enc_role_tier1}.yaml" + - "roles/${::enc_role_tier1}/%{::enc_role_tier2}.eyaml" - "roles/${::enc_role_tier1}/%{::enc_role_tier2}.yaml" + - "roles/${::enc_role_tier1}/%{::enc_role_tier2}/%{::enc_role_tier3}.eyaml" - "roles/${::enc_role_tier1}/%{::enc_role_tier2}/%{::enc_role_tier3}.yaml" + - "%{::enc_role_path}.eyaml" - "%{::enc_role_path}.yaml" - - name: "OS Related" - paths: - "os/%{facts.os.name}/%{facts.os.name}%{facts.os.release.major}.yaml" - "os/%{facts.os.name}/all_releases.yaml" - - name: Common data shared across nodes - path: "common.yaml" + - "common.eyaml" + - "common.yaml" + lookup_key: eyaml_lookup_key + options: + pkcs7_private_key: /var/lib/puppet/keys/private_key.pkcs7.pem + pkcs7_public_key: /var/lib/puppet/keys/public_key.pkcs7.pem diff --git a/hieradata/common.yaml b/hieradata/common.yaml index 76fd051..dce34c8 100644 --- a/hieradata/common.yaml +++ b/hieradata/common.yaml @@ -6,6 +6,8 @@ profiles::ntp::client::peers: profiles::base::puppet_servers: - 'prodinf01n01.main.unkin.net' +profiles::dns::master::basedir: '/var/named/sources' + profiles::packages::base: - bash-completion - ccze diff --git a/hieradata/roles/infra/dns/master.eyaml b/hieradata/roles/infra/dns/master.eyaml new file mode 100644 index 0000000..2bdd703 --- /dev/null +++ b/hieradata/roles/infra/dns/master.eyaml @@ -0,0 +1,3 @@ +--- + +profiles::dns::master::secret: ENC[PKCS7,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] diff --git a/hieradata/roles/infra/dns/master.yaml b/hieradata/roles/infra/dns/master.yaml index c2a99c1..4f0dcbc 100644 --- a/hieradata/roles/infra/dns/master.yaml +++ b/hieradata/roles/infra/dns/master.yaml 
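Review bot: The two new tier2/tier3 `.eyaml` paths interpolate with `${::enc_role_tier1}` instead of Hiera's `%{...}` syntax, so they never resolve to an existing file and encrypted role data at those tiers is silently skipped; the neighbouring `.yaml` lines carry the same typo, but this hunk copies it into the new encrypted layer. Change them to `- "roles/%{::enc_role_tier1}/%{::enc_role_tier2}.eyaml"` and `- "roles/%{::enc_role_tier1}/%{::enc_role_tier2}/%{::enc_role_tier3}.eyaml"`. Since every level, including `nodes/%{trusted.certname}.yaml`, now goes through `eyaml_lookup_key`, it is worth confirming that `/var/lib/puppet/keys/private_key.pkcs7.pem` is readable only by the puppetserver account.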
@@ -1,28 +1,38 @@ --- +profiles::dns::master::nameservers: + - prodinf01n23.main.unkin.net + - prodinf01n24.main.unkin.net + profiles::dns::master::acls: acl-main.unkin.net: addresses: - 198.18.17.0/24 profiles::dns::master::zones: - main.unkin.net-master: + main.unkin.net: domain: 'main.unkin.net' zone_type: 'master' dynamic: false - 17.18.198.in-addr.arpa-master: + ns_notify: true + source: '/var/named/sources/main.unkin.net.conf' + 17.18.198.in-addr.arpa: domain: '17.18.198.in-addr.arpa' zone_type: 'master' dynamic: false + ns_notify: true + source: '/var/named/sources/17.18.198.in-addr.arpa.conf' profiles::dns::master::views: - authoritive: + master-zones: recursion: false zones: - - main.unkin.net-master - - 17.18.198.in-addr.arpa-master + - main.unkin.net + - 17.18.198.in-addr.arpa match_clients: - acl-main.unkin.net -profiles::dns::master::tags: - ptr: 'master-ptr-records' - a: 'master-a-records' +profiles::dns::master::keys: + rndskey: + secret_bits: 512 + algorithm: hmac-sha256 + secret: "%{lookup('profiles::dns::master::secret')}" diff --git a/site/profiles/manifests/dns/client.pp b/site/profiles/manifests/dns/client.pp index 60abe10..1441299 100644 --- a/site/profiles/manifests/dns/client.pp +++ b/site/profiles/manifests/dns/client.pp 
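Review bot: Both zones keep `dynamic: false` and nothing in this file references the new `rndskey` key, so as far as this hunk shows the TSIG key is generated but no zone accepts updates signed with it, which does not match the commit subject; if the update policy is wired elsewhere, a one-line comment above `profiles::dns::master::keys:` pointing to it would save the next reader the search. Pulling the secret from the encrypted `master.eyaml` through `%{lookup('profiles::dns::master::secret')}` is the right split. `ns_notify: true` only helps secondaries if the zone serial moves when records change, which the zone header template in this same commit does not do.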
@@ -1,34 +1,31 @@ # profiles::dns::client define profiles::dns::client ( - Integer $ttl = 600, - String $intf = $facts['networking']['primary'], - String $addr = $facts['networking']['ip'], - String $fqdn = $facts['networking']['fqdn'], Boolean $forward = true, Boolean $reverse = true, + Integer $order = 10, ){ + $intf = $facts['networking']['primary'] + $fqdn = $facts['networking']['fqdn'] + $last_octet = regsubst($::facts['networking']['ip'], '^.*\.', '') + if $forward { - @@resource_record { "${fqdn}_${intf}-a": - ensure => present, - record => $::facts['networking']['fqdn'], + profiles::dns::record { "${fqdn}_${intf}_A": + value => $::facts['networking']['ip'], type => 'A', - data => [$::facts['networking']['ip']], - ttl => $ttl, - zone => "${::facts['networking']['domain']}-master", - tag => 'master-a-record', + record => $::facts['networking']['hostname'], + zone => $::facts['networking']['domain'], + order => $order, } } if $reverse { - @@resource_record { "${fqdn}_${addr}-ptr": - ensure => present, - record => $::facts['arpa'][$intf]['addr'], + profiles::dns::record { "${fqdn}_${intf}_PTR": + value => "${::facts['networking']['fqdn']}.", type => 'PTR', - data => [$fqdn], - ttl => $ttl, - zone => "${::facts['arpa'][$intf]['zone']}-master", - tag => 'master-ptr-record', + record => $last_octet, + zone => $::facts['arpa'][$intf]['zone'], + order => $order, } } } diff --git a/site/profiles/manifests/dns/master.pp b/site/profiles/manifests/dns/master.pp index 5b0a158..a66b665 100644 --- a/site/profiles/manifests/dns/master.pp +++ b/site/profiles/manifests/dns/master.pp @@ -1,12 +1,17 @@ # profiles::dns::master authoritative service class profiles::dns::master ( + Array[String] $nameservers, + Stdlib::AbsolutePath $basedir, Hash $acls = {}, Hash $zones = {}, Hash $views = {}, + Hash $keys = {}, Hash[ String, String ] $tags = {}, + String $owner = 'root', + String $group = 'named', Boolean $dnssec = false, ){ 
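Review bot: `$last_octet` is computed by stripping everything up to the last dot of the IP, which only yields the right PTR owner name when `$::facts['arpa'][$intf]['zone']` is a /24 reverse zone; for any other prefix length the record lands on the wrong name. The custom `arpa` fact already knows the zone, so if it can expose the label relative to that zone, using it here keeps the two consistent instead of re-deriving the label from a /24 assumption. Both records are built entirely from agent-reported facts and end up verbatim in the master's zone file, so any input validation has to live in `profiles::dns::record` rather than here.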
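Review bot: `Hash[ String, String ] $tags = {}` stays in the signature although its only consumer, the tag-based `Resource_record` collector, is removed in the next hunk, so it is now a dead parameter that hiera can still set without effect. Either drop it or mark it, `# @deprecated tags: unused, records are now collected by concat target`. As a style point, the new `$owner`/`$group` parameters should be `String[1]` so an empty string from hiera is rejected rather than producing a root-owned file with no group.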
@@ -14,14 +19,29 @@ class profiles::dns::master ( acls => $acls, zones => $zones, views => $views, + keys => $keys, forwarders => [], dnssec => $dnssec, } - # collect records - $tags.each | String $key, String $tag_value | { - if $tag_value != undef { - Resource_record <<| tag == $tag_value |>> + # ensure the target basedir exists + file { $basedir: + ensure => directory, + owner => $owner, + group => $group, + } + + # create zones + $zones.each | String $name, Hash $data | { + if $data['zone_type'] == 'master' { + profiles::dns::zone { $name: + zone => $data['domain'], + basedir => $basedir, + nameservers => $nameservers, + owner => $owner, + group => $group, + before => Bind::Zone[$name] + } } } } diff --git a/site/profiles/manifests/dns/record.pp b/site/profiles/manifests/dns/record.pp new file mode 100644 index 0000000..53dc887 --- /dev/null +++ b/site/profiles/manifests/dns/record.pp @@ -0,0 +1,23 @@ +# defines the base record that will be exported +define profiles::dns::record ( + String $record, + Enum[ + 'PTR', + 'A', + 'CNAME', + 'MX', + 'NS', + 'SRV', + 'TXT' + ] $type, + String $value, + String $zone, + Integer $order, + Stdlib::AbsolutePath $basedir = lookup('profiles::dns::master::basedir'), +) { + @@concat::fragment { "${zone}_${name}": + target => "${basedir}/${zone}.conf", + content => "${record} IN ${type} ${value}\n", + order => $order, + } +} diff --git a/site/profiles/manifests/dns/resolver.pp b/site/profiles/manifests/dns/resolver.pp index bc95e6d..9024c13 100644 --- a/site/profiles/manifests/dns/resolver.pp +++ b/site/profiles/manifests/dns/resolver.pp @@ -3,6 +3,7 @@ class profiles::dns::resolver ( Hash $acls = {}, Hash $zones = {}, Hash $views = {}, + Hash $keys = {}, Array $forwarders = ['8.8.8.8', '1.1.1.1'], ){ @@ -10,6 +11,7 @@ class profiles::dns::resolver ( acls => $acls, zones => $zones, views => $views, + keys => $keys, forwarders => $forwarders, } 
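Review bot: `file { $basedir: ... }` sets owner and group but no `mode`, so the directory keeps whatever the package or umask gives it while the zone files inside are created `0640` root:named; add `mode => '0750',` so the directory matches what the files assume. The `$zones.each` loop only orders `profiles::dns::zone` with `before => Bind::Zone[$name]`, which guarantees creation order but does not make named reload when concat rewrites a zone file; unless the bind module subscribes to the source file itself, a `notify` toward the bind service (or an rndc reload) is needed here. The enclosing class starts outside this hunk.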
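Review bot: `$record`, `$value` and `$zone` are typed as bare `String` yet are interpolated straight into the zone-file line `"${record} IN ${type} ${value}\n"` and into the concat `target` path, and every agent exports this fragment from its own facts; a value containing whitespace, a newline or `;` therefore becomes extra records (or a comment masking the line) in the master's zone, and a crafted `$zone` picks which zone file it lands in. Tighten the types to what each field may actually hold, e.g. `Pattern[/\A[A-Za-z0-9._@-]+\z/] $record,`, `Pattern[/\A[A-Za-z0-9._:-]+\z/] $value,` and `Stdlib::Fqdn $zone,` (a `Stdlib::IP::Address` check for `A` is tighter still; `TXT` values will need a separate quoted form). Note also that `$basedir` is looked up on the exporting node at compile time, so a node whose hiera differs from the master's exports a fragment the master never collects; a `# must match profiles::dns::master::basedir on the master` comment on that default would flag it.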
diff --git a/site/profiles/manifests/dns/server.pp b/site/profiles/manifests/dns/server.pp
index 06a4dba..be403fa 100644
--- a/site/profiles/manifests/dns/server.pp
+++ b/site/profiles/manifests/dns/server.pp
@@ -3,6 +3,7 @@ class profiles::dns::server (
 Hash $acls = {},
 Hash $zones = {},
 Hash $views = {},
+ Hash $keys = {},
 Array $forwarders = ['8.8.8.8', '1.1.1.1'],
 Boolean $dnssec = true,
 ){
@@ -21,6 +22,13 @@ class profiles::dns::server (
 version => 'Controlled by Puppet',
 }
 
+ # if keys, import them
+ $keys.each | $name, $data | {
+ bind::key { $name:
+ * => $data,
+ }
+ }
+
 # if acls, import them
 $acls.each | $name, $data | {
 bind::acl { $name:
diff --git a/site/profiles/manifests/dns/zone.pp b/site/profiles/manifests/dns/zone.pp
new file mode 100644
index 0000000..f3de4fd
--- /dev/null
+++ b/site/profiles/manifests/dns/zone.pp
@@ -0,0 +1,27 @@
+# defines a zone
+define profiles::dns::zone (
+ String $zone,
+ Array[String] $nameservers,
+ Stdlib::AbsolutePath $basedir,
+ String $owner,
+ String $group,
+) {
+
+ # Define the concat resource for the zone file
+ concat { "${basedir}/${zone}.conf":
+ ensure => present,
+ owner => $owner,
+ group => $group,
+ mode => '0640',
+ }
+
+ # Add the header fragment (from the template)
+ concat::fragment { "${basedir}/${zone}_header":
+ target => "${basedir}/${zone}.conf",
+ content => template('profiles/dns/zone_header.erb'),
+ order => '01',
+ }
+
+ # Collect exported fragments for this zone
+ Concat::Fragment <<| target == "${basedir}/${zone}.conf" |>>
+}
diff --git a/site/profiles/templates/dns/zone_header.erb b/site/profiles/templates/dns/zone_header.erb
new file mode 100644
index 0000000..563ccc9
--- /dev/null
+++ b/site/profiles/templates/dns/zone_header.erb
@@ -0,0 +1,16 @@ +; Managed by Puppet, do not change manually +$ORIGIN <%= @zone %>. +$TTL 600 +@ IN SOA <%= @nameservers[0] %>. hostmaster.<%= @zone %>. ( + 1 ; Serial + 604800 ; Refresh + 86400 ; Retry + 2419200 ; Expire + 600 ) ; Negative Cache TTL + +; Name servers +<% @nameservers.each do |ns| -%> +@ IN NS <%= ns %>. +<% end %> + +; Dynamically generated host records From fdb13b7338eedfad5e093c130e17b2aed4c9afd4 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Fri, 17 Nov 2023 21:13:59 +1100 Subject: [PATCH 044/229] feat: find resolvers by role - use puppetdbquery module to query puppetdb for resolvers - move dns client config to profiles::dns::base - manage the /etc/resolv.conf file --- Puppetfile | 1 + hieradata/common.yaml | 1 + site/profiles/manifests/base.pp | 4 +-- site/profiles/manifests/dns/base.pp | 31 ++++++++++++++++++++++ site/profiles/manifests/dns/client.pp | 6 ++--- site/profiles/manifests/dns/resolvconf.pp | 14 ++++++++++ site/profiles/templates/dns/resolvconf.erb | 7 +++++ 7 files changed, 58 insertions(+), 6 deletions(-) create mode 100644 site/profiles/manifests/dns/base.pp create mode 100644 site/profiles/manifests/dns/resolvconf.pp create mode 100644 site/profiles/templates/dns/resolvconf.erb diff --git a/Puppetfile b/Puppetfile index fda7e8a..06bdf6b 100644 --- a/Puppetfile +++ b/Puppetfile @@ -27,6 +27,7 @@ mod 'puppet-selinux', '4.1.0' # other mod 'ghoneycutt-puppet', '3.3.0' mod 'saz-sudo', '8.0.0' +mod 'dalen-puppetdbquery', '3.0.1' mod 'bind', :git => 'https://git.unkin.net/unkinben/puppet-bind.git', diff --git a/hieradata/common.yaml b/hieradata/common.yaml index dce34c8..dcf2885 100644 --- a/hieradata/common.yaml +++ b/hieradata/common.yaml @@ -7,6 +7,7 @@ profiles::base::puppet_servers: - 'prodinf01n01.main.unkin.net' profiles::dns::master::basedir: '/var/named/sources' +profiles::dns::base::ns_role: 'roles::infra::dns::resolver' profiles::packages::base: - bash-completion 
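Review bot: The SOA serial is the literal `1`, so it never changes when concat rewrites the zone file; secondaries that receive the notify compare serials and keep their stale copy. The serial has to move whenever the fragment set changes — passing it in from the define (a hiera-managed value, or one derived from the collected records) is the usual approach; deriving it from the current time also works but rewrites the file on every run. Until that is in place, a comment above `$ORIGIN`, `; NOTE: serial is static, bump it by hand after record changes or secondaries will not transfer`, at least makes the current behaviour explicit.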
diff --git a/site/profiles/manifests/base.pp b/site/profiles/manifests/base.pp index 1182097..9abb043 100644 --- a/site/profiles/manifests/base.pp +++ b/site/profiles/manifests/base.pp @@ -29,9 +29,7 @@ class profiles::base ( include profiles::base::hosts include profiles::accounts::sysadmin include profiles::ntp::client - - # configure dns records for client - profiles::dns::client {"${facts['networking']['fqdn']}-default":} + include profiles::dns::base # include the python class class { 'python': diff --git a/site/profiles/manifests/dns/base.pp b/site/profiles/manifests/dns/base.pp new file mode 100644 index 0000000..6510453 --- /dev/null +++ b/site/profiles/manifests/dns/base.pp @@ -0,0 +1,31 @@ +# profiles::dns::base +class profiles::dns::base ( + String $ns_role = undef, + Array $search = [], + Array $nameservers = ['8.8.8.8', '1.1.1.1'], +){ + + # if ns_role is set, find all hosts matching that enc_role + if $ns_role == undef { + $nameserver_array = $nameservers + }else{ + $nameserver_array = query_nodes("enc_role='${ns_role}'", 'networking.ip') + } + + # if search is undef, fallback to domainname from facts + if $search == [] { + $search_array = [$::facts['networking']['domain']] + }else{ + $search_array = $search + } + + # include resolvconf class + class { 'profiles::dns::resolvconf': + nameservers => $nameserver_array, + search_domains => $search_array, + } + + # export dns records for client + profiles::dns::client {"${facts['networking']['fqdn']}-default":} + +} diff --git a/site/profiles/manifests/dns/client.pp b/site/profiles/manifests/dns/client.pp index 1441299..3dca748 100644 --- a/site/profiles/manifests/dns/client.pp +++ b/site/profiles/manifests/dns/client.pp @@ -1,8 +1,8 @@ # profiles::dns::client define profiles::dns::client ( - Boolean $forward = true, - Boolean $reverse = true, - Integer $order = 10, + Boolean $forward = true, + Boolean $reverse = true, + Integer $order = 10, ){ $intf = $facts['networking']['primary'] 
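Review bot: `String $ns_role = undef` fails type-checking whenever the class is included without a value, because Puppet validates the default against the declared type too; declare it `Optional[String] $ns_role = undef,` (the ntp client hunk later on this page works around the same problem with `Variant[String, Undef]`). When `query_nodes(...)` returns an empty array — a fresh PuppetDB, or before any resolver has reported in — `$nameserver_array` is `[]` and `/etc/resolv.conf` is written with no `nameserver` lines, taking the host's DNS away; keep the result in a local and fall back, `$found = query_nodes("enc_role='${ns_role}'", 'networking.ip')` then `$nameserver_array = if $found.empty { $nameservers } else { $found }`. Membership is decided by the agent-reported `enc_role` fact (the ntp server manifest on this page carries a TODO about that external fact), so any node that sets that fact makes itself a nameserver for every client; selecting by `trusted.certname`, or checking the query result against a hiera allow-list, takes that decision away from the node. The same three points apply to `$ntp_role` and `query_nodes` in `profiles::ntp::client`.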
diff --git a/site/profiles/manifests/dns/resolvconf.pp b/site/profiles/manifests/dns/resolvconf.pp new file mode 100644 index 0000000..e8b44c9 --- /dev/null +++ b/site/profiles/manifests/dns/resolvconf.pp @@ -0,0 +1,14 @@ +# profiles::dns::resolvconf +class profiles::dns::resolvconf ( + Array[String] $nameservers, + Array[String] $search_domains, +) { + + file { '/etc/resolv.conf': + ensure => file, + owner => 'root', + group => 'root', + mode => '0644', + content => template('profiles/dns/resolvconf.erb'), + } +} diff --git a/site/profiles/templates/dns/resolvconf.erb b/site/profiles/templates/dns/resolvconf.erb new file mode 100644 index 0000000..f0a91c8 --- /dev/null +++ b/site/profiles/templates/dns/resolvconf.erb @@ -0,0 +1,7 @@ +# Managed by Puppet +<% @nameservers.each do |ns| -%> +nameserver <%= ns %> +<% end -%> +<% unless @search_domains.empty? -%> +search <%= @search_domains.join(' ') %> +<% end -%> From 8d80fa3c516046d6d1fe81a6891b087de63de595 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Fri, 17 Nov 2023 22:17:24 +1100 Subject: [PATCH 045/229] feat: manage cloudinit - add/remove cloud-init, default to remove --- site/profiles/manifests/base.pp | 1 + site/profiles/manifests/cloudinit/init.pp | 28 +++++++++++++++++++++++ 2 files changed, 29 insertions(+) create mode 100644 site/profiles/manifests/cloudinit/init.pp diff --git a/site/profiles/manifests/base.pp b/site/profiles/manifests/base.pp index 1182097..6d1d6dc 100644 --- a/site/profiles/manifests/base.pp +++ b/site/profiles/manifests/base.pp @@ -29,6 +29,7 @@ class profiles::base ( include profiles::base::hosts include profiles::accounts::sysadmin include profiles::ntp::client + include profiles::cloudinit::init # configure dns records for client profiles::dns::client {"${facts['networking']['fqdn']}-default":} diff --git a/site/profiles/manifests/cloudinit/init.pp b/site/profiles/manifests/cloudinit/init.pp new file mode 100644 index 0000000..f2edb9c --- /dev/null 
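Review bot: Managing `/etc/resolv.conf` as a plain `file` will flap on any host where NetworkManager or systemd-resolved owns that file (there it is usually a regenerated symlink), with each Puppet run and each lease renewal overwriting the other; the page does not show which distributions these hosts run, so this is worth checking and, where it applies, either disabling those managers' DNS handling or writing the drop-in they honour. A header comment naming the assumption, `# assumes no other service (NetworkManager, systemd-resolved) rewrites /etc/resolv.conf`, would make it explicit.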
+++ b/site/profiles/manifests/cloudinit/init.pp @@ -0,0 +1,28 @@ +# profiles::cloudinit::init +class profiles::cloudinit::init ( + Boolean $enabled = false, + String $package = 'cloud-init', + String $service = 'cloud-init', +){ + + if $enabled { + package { $package: + ensure => installed, + } + + service { $service: + ensure => running, + enable => true, + require => Package[$package], + } + } else { + service { $service: + ensure => stopped, + enable => false, + } + + package { $package: + ensure => absent, + } + } +} From d6f3262836317884529b31bffeef964141db4d38 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Fri, 17 Nov 2023 22:25:43 +1100 Subject: [PATCH 046/229] feat: manage qemu-agent --- site/profiles/manifests/base.pp | 4 ++++ site/profiles/manifests/qemu/agent.pp | 28 +++++++++++++++++++++++++++ 2 files changed, 32 insertions(+) create mode 100644 site/profiles/manifests/qemu/agent.pp diff --git a/site/profiles/manifests/base.pp b/site/profiles/manifests/base.pp index 1182097..b22badc 100644 --- a/site/profiles/manifests/base.pp +++ b/site/profiles/manifests/base.pp @@ -46,4 +46,8 @@ class profiles::base ( secure_path => '/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/opt/puppetlabs/bin' } + # manage virtualised guest agents + if $::facts['is_virtual'] and $::facts['dmi']['manufacturer'] == 'QEMU' { + include profiles::qemu::agent + } } diff --git a/site/profiles/manifests/qemu/agent.pp b/site/profiles/manifests/qemu/agent.pp new file mode 100644 index 0000000..5a9eeba --- /dev/null +++ b/site/profiles/manifests/qemu/agent.pp 
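Review bot: In the `else` branch `service { $service: ensure => stopped }` and `package { $package: ensure => absent }` have no declared relationship and rely on implicit manifest ordering; if the package and its unit file go first, the service stop fails with an unknown-service error on the first run, so make it explicit with `before => Package[$package],` on the stopped service. The identical block in `profiles::qemu::agent` (next commit on this page) has the same gap. With the default `$enabled = false` and the include from `profiles::base`, every host has cloud-init removed on its next run; presumably intended, but it deserves a line in the class header, `# Removed by default on every node; set profiles::cloudinit::init::enabled: true in hiera to keep it.`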
@@ -0,0 +1,28 @@ +# profiles::qemu::agent +class profiles::qemu::agent ( + Boolean $enabled = true, + String $package = 'qemu-guest-agent', + String $service = 'qemu-guest-agent', +){ + + if $enabled { + package { $package: + ensure => installed, + } + + service { $service: + ensure => running, + enable => true, + require => Package[$package], + } + } else { + service { $service: + ensure => stopped, + enable => false, + } + + package { $package: + ensure => absent, + } + } +} From a21b7ffc96d246842d543f772b82255bcbc22545 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Fri, 17 Nov 2023 22:59:26 +1100 Subject: [PATCH 047/229] feat: setup metrics agents - set puppet::puppetdb_api class to export puppetdb - set infra::dns::server class to export bind - set all to export node and systemd metrics --- Puppetfile | 1 + hieradata/common.yaml | 3 +++ hieradata/roles/infra/dns.yaml | 2 ++ site/profiles/manifests/base.pp | 1 + site/profiles/manifests/dns/server.pp | 10 +++++++--- site/profiles/manifests/metrics/default.pp | 11 +++++++++++ site/profiles/manifests/puppet/puppetdb_api.pp | 5 +++++ 7 files changed, 30 insertions(+), 3 deletions(-) create mode 100644 hieradata/roles/infra/dns.yaml create mode 100644 site/profiles/manifests/metrics/default.pp diff --git a/Puppetfile b/Puppetfile index fda7e8a..94859aa 100644 --- a/Puppetfile +++ b/Puppetfile @@ -23,6 +23,7 @@ mod 'puppet-chrony', '2.6.0' mod 'puppet-puppetboard', '9.0.0' mod 'puppet-nginx', '5.0.0' mod 'puppet-selinux', '4.1.0' +mod 'puppet-prometheus', '13.4.0' # other mod 'ghoneycutt-puppet', '3.3.0' diff --git a/hieradata/common.yaml b/hieradata/common.yaml index dce34c8..5a2cb4a 100644 --- a/hieradata/common.yaml +++ b/hieradata/common.yaml 
@@ -35,6 +35,9 @@ profiles::puppet::client::runtimeout: 3600 profiles::puppet::client::show_diff: true profiles::puppet::client::usecacheonfailure: false +prometheus::node_exporter::export_scrape_job: true +prometheus::systemd_exporter::export_scrape_job: true + profiles::accounts::sysadmin::sshkeys: - ssh-rsa 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 ben@unkin.net diff --git a/hieradata/roles/infra/dns.yaml b/hieradata/roles/infra/dns.yaml new file mode 100644 index 0000000..e31b12e --- /dev/null +++ b/hieradata/roles/infra/dns.yaml @@ -0,0 +1,2 @@ +--- +prometheus::bind_exporter::export_scrape_job: true diff --git a/site/profiles/manifests/base.pp b/site/profiles/manifests/base.pp index 1182097..8130ec2 100644 --- a/site/profiles/manifests/base.pp +++ b/site/profiles/manifests/base.pp @@ -29,6 +29,7 @@ class profiles::base ( include profiles::base::hosts include profiles::accounts::sysadmin include profiles::ntp::client + include profiles::metrics::default # configure dns records for client profiles::dns::client {"${facts['networking']['fqdn']}-default":} diff --git a/site/profiles/manifests/dns/server.pp b/site/profiles/manifests/dns/server.pp index be403fa..0835cd5 100644 --- a/site/profiles/manifests/dns/server.pp +++ b/site/profiles/manifests/dns/server.pp @@ -17,11 +17,15 @@ class profiles::dns::server ( # setup base bind server class { 'bind': - forwarders => $use_forwarders, - dnssec => $dnssec, - version => 'Controlled by Puppet', + forwarders => $use_forwarders, + dnssec => $dnssec, + version => 'Controlled by Puppet', + statistics_port => '8053', } + # setup bind_exporter + include prometheus::bind_exporter + # if keys, import them $keys.each | $name, $data | { bind::key { $name: diff --git a/site/profiles/manifests/metrics/default.pp b/site/profiles/manifests/metrics/default.pp new file mode 100644 index 0000000..4aa086b --- /dev/null +++ b/site/profiles/manifests/metrics/default.pp 
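Review bot: `statistics_port => '8053'` opens BIND's statistics channel for `prometheus::bind_exporter`, and nothing in the hunk constrains which address it listens on or who may query it; unless the bind module binds it to `127.0.0.1` and applies an ACL, the channel exposes zone, query and cache statistics to anything that can reach the port. Worth confirming in the module and, if needed, passing the listen address or ACL alongside the port, with a comment such as `# statistics channel is scraped locally by bind_exporter; keep it loopback-only`. The enclosing class starts outside this hunk.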
@@ -0,0 +1,11 @@ +# profiles::metrics::default +# +# these exporters will be setup on all nodes +class profiles::metrics::default ( + Boolean $node_exporter = true, + Boolean $systemd_exporter = true, +) { + + include prometheus::node_exporter + include prometheus::systemd_exporter +} diff --git a/site/profiles/manifests/puppet/puppetdb_api.pp b/site/profiles/manifests/puppet/puppetdb_api.pp index fb1be2e..fa51753 100644 --- a/site/profiles/manifests/puppet/puppetdb_api.pp +++ b/site/profiles/manifests/puppet/puppetdb_api.pp @@ -13,4 +13,9 @@ class profiles::puppet::puppetdb_api ( contain ::puppetdb::server + class { 'prometheus::puppetdb_exporter': + puppetdb_url => "http://${listen_address}:8080/pdb/query", + export_scrape_job => true, + } + } From dffc97ad4c9dc3e363ac66fb3f1ac3f0307403a5 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sat, 18 Nov 2023 18:25:44 +1100 Subject: [PATCH 048/229] chore: reorganise ntp server - bump enc to match changes - change ntp client to find servers through puppetdb query - changed default ntp servers to publicly available nodes --- hieradata/common.yaml | 7 +++++-- .../infra/{ntpserver.yaml => ntp/server.yaml} | 0 hieradata/roles/puppet/puppetmaster.yaml | 2 +- site/profiles/manifests/ntp/client.pp | 15 +++++++++++++-- site/profiles/manifests/ntp/server.pp | 2 +- .../infra/{ntpserver.pp => ntp/server.pp} | 2 +- 6 files changed, 21 insertions(+), 7 deletions(-) rename hieradata/roles/infra/{ntpserver.yaml => ntp/server.yaml} (100%) rename site/roles/manifests/infra/{ntpserver.pp => ntp/server.pp} (77%) diff --git a/hieradata/common.yaml b/hieradata/common.yaml index 5c36c0c..77fddd3 100644 --- a/hieradata/common.yaml +++ b/hieradata/common.yaml 
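Review bot: `$node_exporter` and `$systemd_exporter` are declared but never read — both `include` lines run unconditionally — so setting either to `false` in hiera has no effect. Either guard the includes, `if $node_exporter { include prometheus::node_exporter }` and likewise for systemd, or drop the two parameters so the interface does not promise a switch it does not have.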
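Review bot: The exporter is pointed at `http://${listen_address}:8080/pdb/query`, PuppetDB's unauthenticated plain-HTTP query port; if `$listen_address` (declared outside this hunk) is anything other than a loopback address, catalogs, facts and reports are readable by anything on that network and the scrape itself travels in clear. Prefer `http://127.0.0.1:8080/pdb/query` for a co-located exporter, or the TLS port 8081 with client certificates, and record the choice above the resource, e.g. `# exporter is co-located with puppetdb, so the loopback HTTP API is used`. The enclosing class starts outside this hunk.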
@@ -1,7 +1,10 @@ --- +profiles::ntp::client::ntp_role: 'roles::infra::ntp::server' profiles::ntp::client::peers: - - ntp01.main.unkin.net - - ntp02.main.unkin.net + - 0.pool.ntp.org + - 1.pool.ntp.org + - 2.pool.ntp.org + - 3.pool.ntp.org profiles::base::puppet_servers: - 'prodinf01n01.main.unkin.net' diff --git a/hieradata/roles/infra/ntpserver.yaml b/hieradata/roles/infra/ntp/server.yaml similarity index 100% rename from hieradata/roles/infra/ntpserver.yaml rename to hieradata/roles/infra/ntp/server.yaml diff --git a/hieradata/roles/puppet/puppetmaster.yaml b/hieradata/roles/puppet/puppetmaster.yaml index 931b916..25403d8 100644 --- a/hieradata/roles/puppet/puppetmaster.yaml +++ b/hieradata/roles/puppet/puppetmaster.yaml @@ -9,7 +9,7 @@ profiles::puppet::autosign::domains: # - 'somenode.main.unkin.net' profiles::puppet::enc::repo: https://git.unkin.net/unkinben/puppet-enc.git -profiles::puppet::enc::release: '0.6' +profiles::puppet::enc::release: '0.7.1' profiles::puppet::enc::force: true profiles::puppet::r10k::r10k_repo: https://git.unkin.net/unkinben/puppet-r10k.git profiles::puppet::g10k::bin_path: '/opt/puppetlabs/bin/g10k' diff --git a/site/profiles/manifests/ntp/client.pp b/site/profiles/manifests/ntp/client.pp index 0429266..e3c90a7 100644 --- a/site/profiles/manifests/ntp/client.pp +++ b/site/profiles/manifests/ntp/client.pp @@ -2,6 +2,10 @@ # use exported resources from profiles::ntp::server if they are available class profiles::ntp::client ( Array $peers, + Variant[ + String, + Undef + ] $ntp_role = undef, Boolean $wait_enable = true, Enum[ 'running', 
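Review bot: `Variant[String, Undef] $ntp_role = undef` is the long form of Puppet's `Optional[String]`; write it `Optional[String] $ntp_role = undef,` for the idiom and to keep the signature on one line. A comment above it, `# role whose nodes are used as NTP servers; when unset, $peers is used`, would document the relationship with `$peers` that the class body (outside this hunk) relies on.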
@@ -14,16 +18,23 @@ class profiles::ntp::client ( # through the profiles::ntp::server class. if $client_only { + # if ntp_role is set, find all hosts matching that enc_role + if $ntp_role == undef { + $ntpserver_array = $peers + }else{ + $ntpserver_array = query_nodes("enc_role='${ntp_role}'", 'networking.fqdn') + } + # Define the client configuration based on OS family if $facts['os']['family'] == 'RedHat' { class { 'chrony': - servers => $peers, + servers => $ntpserver_array, wait_enable => $wait_enable, wait_ensure => $wait_ensure, } } else { class { 'chrony': - servers => $peers, + servers => $ntpserver_array, } } } diff --git a/site/profiles/manifests/ntp/server.pp b/site/profiles/manifests/ntp/server.pp index c2f9b83..88f1426 100644 --- a/site/profiles/manifests/ntp/server.pp +++ b/site/profiles/manifests/ntp/server.pp @@ -19,7 +19,7 @@ class profiles::ntp::server ( # check the enc_role has been set, it can take two puppet runs to do this # TODO: change away from external fact - if $facts['enc_role'] == 'roles::infra::ntpserver' { + if $facts['enc_role'] == 'roles::infra::ntp::server' { # define the server if $facts['os']['family'] == 'RedHat' { diff --git a/site/roles/manifests/infra/ntpserver.pp b/site/roles/manifests/infra/ntp/server.pp similarity index 77% rename from site/roles/manifests/infra/ntpserver.pp rename to site/roles/manifests/infra/ntp/server.pp index 887efce..cfc685d 100644 --- a/site/roles/manifests/infra/ntpserver.pp +++ b/site/roles/manifests/infra/ntp/server.pp @@ -1,5 +1,5 @@ # a role to deploy a ntp server -class roles::infra::ntpserver { +class roles::infra::ntp::server { include profiles::defaults include profiles::base include profiles::ntp::server From 460f9bc7e8a6076b4b8fe9e745c2346ca5af0cec Mon Sep 17 00:00:00 2001 
From: Ben Vincent Date: Sat, 18 Nov 2023 18:44:11 +1100 Subject: [PATCH 049/229] refactor: move puppet::* roles to infra::puppet - start creation on apps:: roles - reorganise hieradata to match role changes - remove tagging for enc repo --- hieradata/roles/apps.yaml | 1 + hieradata/roles/{puppet.yaml => infra.yaml} | 0 .../{puppet/puppetmaster.yaml => infra/puppet/master.yaml} | 2 -- .../{puppet/puppetmaster.pp => infra/puppet/master.pp} | 2 +- .../{puppet/puppetboard.pp => infra/puppetboard/server.pp} | 2 +- .../{puppet/puppetdb_api.pp => infra/puppetdb/api.pp} | 2 +- .../{puppet/puppetdb_sql.pp => infra/puppetdb/sql.pp} | 2 +- site/roles/manifests/puppet/puppetdb.pp | 7 ------- 8 files changed, 5 insertions(+), 13 deletions(-) create mode 100644 hieradata/roles/apps.yaml rename hieradata/roles/{puppet.yaml => infra.yaml} (100%) rename hieradata/roles/{puppet/puppetmaster.yaml => infra/puppet/master.yaml} (89%) rename site/roles/manifests/{puppet/puppetmaster.pp => infra/puppet/master.pp} (81%) rename site/roles/manifests/{puppet/puppetboard.pp => infra/puppetboard/server.pp} (76%) rename site/roles/manifests/{puppet/puppetdb_api.pp => infra/puppetdb/api.pp} (80%) rename site/roles/manifests/{puppet/puppetdb_sql.pp => infra/puppetdb/sql.pp} (81%) delete mode 100644 site/roles/manifests/puppet/puppetdb.pp diff --git a/hieradata/roles/apps.yaml b/hieradata/roles/apps.yaml new file mode 100644 index 0000000..ed97d53 --- /dev/null +++ b/hieradata/roles/apps.yaml @@ -0,0 +1 @@ +--- diff --git a/hieradata/roles/puppet.yaml b/hieradata/roles/infra.yaml similarity index 100% rename from hieradata/roles/puppet.yaml rename to hieradata/roles/infra.yaml diff --git a/hieradata/roles/puppet/puppetmaster.yaml b/hieradata/roles/infra/puppet/master.yaml similarity index 89% rename from hieradata/roles/puppet/puppetmaster.yaml rename to hieradata/roles/infra/puppet/master.yaml index 931b916..5a5f87c 100644 --- a/hieradata/roles/puppet/puppetmaster.yaml 
+++ b/hieradata/roles/infra/puppet/master.yaml @@ -9,8 +9,6 @@ profiles::puppet::autosign::domains: # - 'somenode.main.unkin.net' profiles::puppet::enc::repo: https://git.unkin.net/unkinben/puppet-enc.git -profiles::puppet::enc::release: '0.6' -profiles::puppet::enc::force: true profiles::puppet::r10k::r10k_repo: https://git.unkin.net/unkinben/puppet-r10k.git profiles::puppet::g10k::bin_path: '/opt/puppetlabs/bin/g10k' profiles::puppet::g10k::cfg_path: '/etc/puppetlabs/r10k/r10k.yaml' diff --git a/site/roles/manifests/puppet/puppetmaster.pp b/site/roles/manifests/infra/puppet/master.pp similarity index 81% rename from site/roles/manifests/puppet/puppetmaster.pp rename to site/roles/manifests/infra/puppet/master.pp index b87f183..01e8877 100644 --- a/site/roles/manifests/puppet/puppetmaster.pp +++ b/site/roles/manifests/infra/puppet/master.pp @@ -1,6 +1,6 @@ # a role to deploy the puppetmaster # work in progress -class roles::puppet::puppetmaster { +class roles::infra::puppet::master { include profiles::defaults include profiles::base include profiles::puppet::puppetmaster diff --git a/site/roles/manifests/puppet/puppetboard.pp b/site/roles/manifests/infra/puppetboard/server.pp similarity index 76% rename from site/roles/manifests/puppet/puppetboard.pp rename to site/roles/manifests/infra/puppetboard/server.pp index 34862c3..4742810 100644 --- a/site/roles/manifests/puppet/puppetboard.pp +++ b/site/roles/manifests/infra/puppetboard/server.pp @@ -1,5 +1,5 @@ # a role to deploy the puppetboard -class roles::puppet::puppetboard { +class roles::infra::puppetboard::server { include profiles::defaults include profiles::base include profiles::puppet::puppetboard diff --git a/site/roles/manifests/puppet/puppetdb_api.pp b/site/roles/manifests/infra/puppetdb/api.pp similarity index 80% rename from site/roles/manifests/puppet/puppetdb_api.pp rename to site/roles/manifests/infra/puppetdb/api.pp index 991102d..65bee4c 100644 --- a/site/roles/manifests/puppet/puppetdb_api.pp 
+++ b/site/roles/manifests/infra/puppetdb/api.pp @@ -1,5 +1,5 @@ # a role to deploy the puppetdb api service -class roles::puppet::puppetdb_api { +class roles::infra::puppetdb::api { include profiles::defaults include profiles::base include profiles::puppet::puppetdb_api diff --git a/site/roles/manifests/puppet/puppetdb_sql.pp b/site/roles/manifests/infra/puppetdb/sql.pp similarity index 81% rename from site/roles/manifests/puppet/puppetdb_sql.pp rename to site/roles/manifests/infra/puppetdb/sql.pp index db640a3..97ebc96 100644 --- a/site/roles/manifests/puppet/puppetdb_sql.pp +++ b/site/roles/manifests/infra/puppetdb/sql.pp @@ -1,5 +1,5 @@ # a role to deploy the puppetdb postgresql service -class roles::puppet::puppetdb_sql { +class roles::infra::puppetdb::sql { include profiles::defaults include profiles::base include profiles::puppet::puppetdb_sql diff --git a/site/roles/manifests/puppet/puppetdb.pp b/site/roles/manifests/puppet/puppetdb.pp deleted file mode 100644 index 29ece76..0000000 --- a/site/roles/manifests/puppet/puppetdb.pp +++ /dev/null @@ -1,7 +0,0 @@ -# a role to deploy the puppetdb -# work in progress -class roles::puppet::puppetdb { - include profiles::defaults - include profiles::base - include profiles::puppet::puppetdb - } From dd334da2b06f02d1aa9c60674e792feb99bd8b20 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sat, 18 Nov 2023 20:08:16 +1100 Subject: [PATCH 050/229] chore: reorganise reposync role --- .../roles/infra/{packagerepo.yaml => reposync/syncer.yaml} | 0 .../manifests/infra/{packagerepo.pp => reposync/syncer.pp} | 2 +- 2 files changed, 1 insertion(+), 1 deletion(-) rename hieradata/roles/infra/{packagerepo.yaml => reposync/syncer.yaml} (100%) rename site/roles/manifests/infra/{packagerepo.pp => reposync/syncer.pp} (80%) 
diff --git a/hieradata/roles/infra/packagerepo.yaml b/hieradata/roles/infra/reposync/syncer.yaml similarity index 100% rename from hieradata/roles/infra/packagerepo.yaml rename to hieradata/roles/infra/reposync/syncer.yaml diff --git a/site/roles/manifests/infra/packagerepo.pp b/site/roles/manifests/infra/reposync/syncer.pp similarity index 80% rename from site/roles/manifests/infra/packagerepo.pp rename to site/roles/manifests/infra/reposync/syncer.pp index ff90820..8c5a613 100644 --- a/site/roles/manifests/infra/packagerepo.pp +++ b/site/roles/manifests/infra/reposync/syncer.pp @@ -1,5 +1,5 @@ # a role to deploy a packagerepo -class roles::infra::packagerepo { +class roles::infra::reposync::syncer { include profiles::defaults include profiles::base include profiles::base::datavol From c34a2b23606b6f8ecb1fd9e8752e6f82b9ac54ba Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sat, 18 Nov 2023 20:21:27 +1100 Subject: [PATCH 051/229] feat: add forwarding for 17.18.198.in-addr.arpa - add forward zone for 198.18.17.0/24 reverse dns zone --- hieradata/roles/infra/dns/resolver.yaml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/hieradata/roles/infra/dns/resolver.yaml b/hieradata/roles/infra/dns/resolver.yaml index 2c0fa2d..2e80a11 100644 --- a/hieradata/roles/infra/dns/resolver.yaml +++ b/hieradata/roles/infra/dns/resolver.yaml @@ -18,6 +18,13 @@ profiles::dns::resolver::zones: forwarders: - 10.10.8.1 forward: 'only' + 17.18.198.in-addr.arpa-forward: + domain: '17.18.198.in-addr.arpa' + zone_type: 'forward' + forwarders: + - 198.18.17.23 + - 198.18.17.24 + forward: 'only' profiles::dns::resolver::views: openforwarder: @@ -25,5 +32,6 @@ profiles::dns::resolver::views: zones: - main.unkin.net-forward - prod.unkin.net-forward + - 17.18.198.in-addr.arpa-forward match_clients: - acl-main.unkin.net From a5207eb7174c1536558031aff0736f45be1c6f98 Mon Sep 17 00:00:00 2001 
From: Ben Vincent Date: Sat, 18 Nov 2023 18:21:41 +1100 Subject: [PATCH 052/229] feat: add prometheus server - bump enc, include prometheus server nodes - add prometheus role and server class --- hieradata/roles/infra/metrics/server.yaml | 10 ++++++++ hieradata/roles/puppet/puppetmaster.yaml | 2 +- site/profiles/manifests/metrics/server.pp | 25 +++++++++++++++++++ .../manifests/infra/metrics/prometheus.pp | 7 ++++++ 4 files changed, 43 insertions(+), 1 deletion(-) create mode 100644 hieradata/roles/infra/metrics/server.yaml create mode 100644 site/profiles/manifests/metrics/server.pp create mode 100644 site/roles/manifests/infra/metrics/prometheus.pp diff --git a/hieradata/roles/infra/metrics/server.yaml b/hieradata/roles/infra/metrics/server.yaml new file mode 100644 index 0000000..1b5c298 --- /dev/null +++ b/hieradata/roles/infra/metrics/server.yaml @@ -0,0 +1,10 @@ +--- +profiles::metrics::server::version: '2.48.0' +profiles::metrics::server::manage_user: true +profiles::metrics::server::manage_group: true +profiles::metrics::server::retention: 30d +profiles::metrics::server::scrape_jobs: + - node + - bind + - puppetdb + - systemd diff --git a/hieradata/roles/puppet/puppetmaster.yaml b/hieradata/roles/puppet/puppetmaster.yaml index 931b916..7ca990d 100644 --- a/hieradata/roles/puppet/puppetmaster.yaml +++ b/hieradata/roles/puppet/puppetmaster.yaml @@ -9,7 +9,7 @@ profiles::puppet::autosign::domains: # - 'somenode.main.unkin.net' profiles::puppet::enc::repo: https://git.unkin.net/unkinben/puppet-enc.git -profiles::puppet::enc::release: '0.6' +profiles::puppet::enc::release: '0.7' profiles::puppet::enc::force: true profiles::puppet::r10k::r10k_repo: https://git.unkin.net/unkinben/puppet-r10k.git profiles::puppet::g10k::bin_path: '/opt/puppetlabs/bin/g10k' diff --git a/site/profiles/manifests/metrics/server.pp b/site/profiles/manifests/metrics/server.pp new file mode 100644 index 0000000..1bb82cf --- /dev/null +++ b/site/profiles/manifests/metrics/server.pp 
@@ -0,0 +1,25 @@ +# profiles::metrics::server +class profiles::metrics::server ( + String $version = '2.48.0', + Boolean $manage_user = true, + Boolean $manage_group = true, + String $retention = '30d', + Array $scrape_jobs = [], +) { + + $collect_scrape_jobs = $scrape_jobs.map |$job| { + { + 'job_name' => $job, + } + } + + class { 'prometheus::server': + manage_user => $manage_user, + manage_group => $manage_group, + version => $version, + collect_scrape_jobs => $collect_scrape_jobs, + extra_options => { + 'storage.tsdb.retention.time' => $retention, + }, + } +} diff --git a/site/roles/manifests/infra/metrics/prometheus.pp b/site/roles/manifests/infra/metrics/prometheus.pp new file mode 100644 index 0000000..d3dd8ea --- /dev/null +++ b/site/roles/manifests/infra/metrics/prometheus.pp @@ -0,0 +1,7 @@ +# a role to deploy a prometheus server +class roles::infra::metrics::prometheus { + include profiles::defaults + include profiles::base + include profiles::base::datavol + include profiles::metrics::server +} From 10a6085b84003e449153b94789c14ef1fc154a8f Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Tue, 21 Nov 2023 19:50:09 +1100 Subject: [PATCH 053/229] fix: resolve prometheus issues - broken prometheus::server config, resolve conflicts - move hieradata for role to match role, not profile --- .../infra/metrics/{server.yaml => prometheus.yaml} | 1 + site/profiles/manifests/metrics/server.pp | 11 +++++++---- 2 files changed, 8 insertions(+), 4 deletions(-) rename hieradata/roles/infra/metrics/{server.yaml => prometheus.yaml} (82%) diff --git a/hieradata/roles/infra/metrics/server.yaml b/hieradata/roles/infra/metrics/prometheus.yaml similarity index 82% rename from hieradata/roles/infra/metrics/server.yaml rename to hieradata/roles/infra/metrics/prometheus.yaml index 1b5c298..5ce72d4 100644 --- a/hieradata/roles/infra/metrics/server.yaml +++ b/hieradata/roles/infra/metrics/prometheus.yaml 
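Review bot: `Array $scrape_jobs = []` accepts any element type, yet each element is used verbatim as a `job_name`; tightening it to `Array[String[1]] $scrape_jobs = []` rejects nil/empty entries at catalog compile instead of producing a broken scrape config. Nothing in this class constrains where the Prometheus HTTP API listens or puts it behind authentication, so if the puppet-prometheus module's default is to bind all interfaces (not visible here, worth confirming), the query API and `/-/reload` style endpoints are reachable by anything on the network; consider passing an explicit listen address or fronting it with the existing nginx/firewall profiles. A header comment listing the parameters would also help, e.g. `# @param scrape_jobs names of exported prometheus::scrape_job resources to collect`.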
@@ -8,3 +8,4 @@ profiles::metrics::server::scrape_jobs: - bind - puppetdb - systemd +profiles::metrics::server::localstorage: /data/prometheus diff --git a/site/profiles/manifests/metrics/server.pp b/site/profiles/manifests/metrics/server.pp index 1bb82cf..517bc12 100644 --- a/site/profiles/manifests/metrics/server.pp +++ b/site/profiles/manifests/metrics/server.pp @@ -4,7 +4,11 @@ class profiles::metrics::server ( Boolean $manage_user = true, Boolean $manage_group = true, String $retention = '30d', - Array $scrape_jobs = [], + Array $scrape_jobs = [], + Variant[ + Stdlib::Absolutepath, + Boolean[false] + ] $localstorage = '/var/lib/prometheus', ) { $collect_scrape_jobs = $scrape_jobs.map |$job| { @@ -18,8 +22,7 @@ class profiles::metrics::server ( manage_group => $manage_group, version => $version, collect_scrape_jobs => $collect_scrape_jobs, - extra_options => { - 'storage.tsdb.retention.time' => $retention, - }, + storage_retention => $retention, + localstorage => $localstorage, } } From 609f9135df85129b6ef4235c6dd395c602973f2d Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Tue, 21 Nov 2023 20:13:14 +1100 Subject: [PATCH 054/229] feat: add base grafana role - include puppet-grafana module - infra::metrics::grafana role is currently clone of base --- Puppetfile | 1 + site/roles/manifests/infra/metrics/grafana.pp | 5 +++++ 2 files changed, 6 insertions(+) create mode 100644 site/roles/manifests/infra/metrics/grafana.pp diff --git a/Puppetfile b/Puppetfile index 7d50617..87a97c4 100644 --- a/Puppetfile +++ b/Puppetfile @@ -24,6 +24,7 @@ mod 'puppet-puppetboard', '9.0.0' mod 'puppet-nginx', '5.0.0' mod 'puppet-selinux', '4.1.0' mod 'puppet-prometheus', '13.4.0' +mod 'puppet-grafana', '13.1.0' # other mod 'ghoneycutt-puppet', '3.3.0' diff --git a/site/roles/manifests/infra/metrics/grafana.pp b/site/roles/manifests/infra/metrics/grafana.pp new file mode 100644 index 0000000..db6f757 --- /dev/null +++ b/site/roles/manifests/infra/metrics/grafana.pp 
@@ -0,0 +1,5 @@ +# a role to deploy a grafana service +class roles::infra::metrics::grafana { + include profiles::defaults + include profiles::base +} From a0d1623286b3c40f8774d811e3cf271cf2beafbf Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Tue, 21 Nov 2023 21:00:12 +1100 Subject: [PATCH 055/229] feat: add galera role - add a base galera cluster member role - include mysql and galera modules --- Puppetfile | 2 ++ site/roles/manifests/infra/sql/galera.pp | 5 +++++ 2 files changed, 7 insertions(+) create mode 100644 site/roles/manifests/infra/sql/galera.pp diff --git a/Puppetfile b/Puppetfile index 7d50617..d102a6b 100644 --- a/Puppetfile +++ b/Puppetfile @@ -13,6 +13,7 @@ mod 'puppetlabs-puppetdb', '7.13.0' mod 'puppetlabs-postgresql', '9.1.0' mod 'puppetlabs-firewall', '6.0.0' mod 'puppetlabs-accounts', '8.1.0' +mod 'puppetlabs-mysql', '15.0.0' # puppet mod 'puppet-python', '7.0.0' @@ -29,6 +30,7 @@ mod 'puppet-prometheus', '13.4.0' mod 'ghoneycutt-puppet', '3.3.0' mod 'saz-sudo', '8.0.0' mod 'dalen-puppetdbquery', '3.0.1' +mod 'markt-galera', '3.1.0' mod 'bind', :git => 'https://git.unkin.net/unkinben/puppet-bind.git', diff --git a/site/roles/manifests/infra/sql/galera.pp b/site/roles/manifests/infra/sql/galera.pp new file mode 100644 index 0000000..dac21c5 --- /dev/null +++ b/site/roles/manifests/infra/sql/galera.pp @@ -0,0 +1,5 @@ +# a role to deploy a mariadb galera node +class roles::infra::sql::galera { + include profiles::defaults + include profiles::base +} From e183ee2b443a1f168c9af45a31999843acda872f Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Mon, 27 Nov 2023 18:16:54 +1100 Subject: [PATCH 056/229] feat: add extra repositories - mariadb 11.2 - puppet el8 --- hieradata/roles/infra/reposync/syncer.yaml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/hieradata/roles/infra/reposync/syncer.yaml b/hieradata/roles/infra/reposync/syncer.yaml index 123fbaa..0427abe 100644 --- a/hieradata/roles/infra/reposync/syncer.yaml 
+++ b/hieradata/roles/infra/reposync/syncer.yaml @@ -49,3 +49,17 @@ profiles::reposync::repos_list: release: '8' baseurl: 'https://dl.fedoraproject.org/pub/epel/8/Modular/x86_64/' gpgkey: 'https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-8' + mariadb_11_2_el8: + repository: 'el8' + description: 'MariaDB 11.2' + osname: 'mariadb' + release: '11.2' + baseurl: 'http://mariadb.mirror.digitalpacific.com.au/yum/11.2/rhel8-amd64/' + gpgkey: 'https://mariadb.mirror.digitalpacific.com.au/yum/RPM-GPG-KEY-MariaDB' + puppet7_el8: + repository: '8' + description: 'Puppet 7 EL8' + osname: 'puppet7' + release: 'el' + baseurl: 'https://yum.puppet.com/puppet7/el/8/x86_64/' + gpgkey: 'http://yum.puppet.com/RPM-GPG-KEY-puppet' From 705c02c3a1ffaab8e3cd82d180a89ee38afc7519 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Mon, 27 Nov 2023 23:19:01 +1100 Subject: [PATCH 057/229] feat: fix selinux permissions each sync - restorecon on each sync, to update selinux for new files/directories --- site/profiles/manifests/reposync/autosyncer.pp | 4 +++- site/profiles/templates/reposync/autosyncer.erb | 3 +++ 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/site/profiles/manifests/reposync/autosyncer.pp b/site/profiles/manifests/reposync/autosyncer.pp index e2e8683..04393cd 100644 --- a/site/profiles/manifests/reposync/autosyncer.pp +++ b/site/profiles/manifests/reposync/autosyncer.pp @@ -1,5 +1,7 @@ # setup the autosyncer -class profiles::reposync::autosyncer { +class profiles::reposync::autosyncer ( + Stdlib::Absolutepath $basepath = '/data/repos', +) { # Ensure the autosyncer script is present and executable file { '/usr/local/bin/autosyncer': diff --git a/site/profiles/templates/reposync/autosyncer.erb b/site/profiles/templates/reposync/autosyncer.erb index 9c3caed..cd6c963 100644 --- a/site/profiles/templates/reposync/autosyncer.erb +++ b/site/profiles/templates/reposync/autosyncer.erb 
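Review bot: The new `mariadb_11_2_el8` entry syncs from a plain-`http://` baseurl while the same host is used over `https://` for the gpgkey two lines later. `gpgcheck => 1` (see the `yumrepo` in repos.pp) only verifies the RPM payloads; repository metadata fetched over cleartext can still be replayed or downgraded by an on-path attacker, and the mirror evidently supports TLS. Change it to `baseurl: 'https://mariadb.mirror.digitalpacific.com.au/yum/11.2/rhel8-amd64/'`.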
@@ -88,4 +88,7 @@ for conf in /etc/reposync/conf.d/*.conf; do # After syncing each repo, fix the repository metadata create_repo_metadata "${snap_path}" + # Update selinux + restorecon <%= @basepath %> + done From cfec05f3c77a5e98c6a98ecb122e5f6eb83f5ccf Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Mon, 27 Nov 2023 23:27:44 +1100 Subject: [PATCH 058/229] feat: update repositories to sync - remove epel modular - add postgresql 16 for rhel8 - add postgresql common for rhel8 --- hieradata/roles/infra/reposync/syncer.yaml | 21 ++++++++++++++------- 1 file changed, 14 insertions(+), 7 deletions(-) diff --git a/hieradata/roles/infra/reposync/syncer.yaml b/hieradata/roles/infra/reposync/syncer.yaml index 0427abe..04bf952 100644 --- a/hieradata/roles/infra/reposync/syncer.yaml +++ b/hieradata/roles/infra/reposync/syncer.yaml @@ -42,13 +42,6 @@ profiles::reposync::repos_list: release: '8' baseurl: 'https://dl.fedoraproject.org/pub/epel/8/Everything/x86_64/' gpgkey: 'https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-8' - epel_8_modular: - repository: 'Modular' - description: 'EPEL 8 Modular' - osname: 'epel' - release: '8' - baseurl: 'https://dl.fedoraproject.org/pub/epel/8/Modular/x86_64/' - gpgkey: 'https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-8' mariadb_11_2_el8: repository: 'el8' description: 'MariaDB 11.2' 
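Review bot: `restorecon <%= @basepath %>` without `-R` relabels only the base directory inode itself, not the files and subdirectories created by the sync, which is exactly the case the commit message says it is fixing. Because this line sits inside the per-repo `for conf in …` loop (whose start is outside the hunk), the narrower and cheaper form is `restorecon -R "${snap_path}"`; if the whole tree really must be covered each pass use `restorecon -R "<%= @basepath %>"`. Quoting the path also keeps the script correct if `basepath` ever contains whitespace.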
@@ -63,3 +56,17 @@ profiles::reposync::repos_list: release: 'el' baseurl: 'https://yum.puppet.com/puppet7/el/8/x86_64/' gpgkey: 'http://yum.puppet.com/RPM-GPG-KEY-puppet' + postgresql_rhel8_common: + repository: 'common' + description: 'PostgreSQL Common RHEL 8' + osname: 'postgresql' + release: 'rhel8' + baseurl: 'https://download.postgresql.org/pub/repos/yum/common/redhat/rhel-8-x86_64/' + gpgkey: 'https://download.postgresql.org/pub/repos/yum/RPM-GPG-KEY-PGDG' + postgresql_rhel8_16: + repository: '16' + description: 'PostgreSQL 16 RHEL 8' + osname: 'postgresql' + release: 'rhel8' + baseurl: 'https://download.postgresql.org/pub/repos/yum/16/redhat/rhel-8-x86_64/' + gpgkey: 'https://download.postgresql.org/pub/repos/yum/RPM-GPG-KEY-PGDG' From ae05b870aad0cb5e4994282ea9afc0fc786286ab Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Mon, 27 Nov 2023 23:38:25 +1100 Subject: [PATCH 059/229] fix: wrong scheme for gpgkey - change gpg key for puppet7 from http:// to https:// --- hieradata/roles/infra/reposync/syncer.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hieradata/roles/infra/reposync/syncer.yaml b/hieradata/roles/infra/reposync/syncer.yaml index 04bf952..d76231e 100644 --- a/hieradata/roles/infra/reposync/syncer.yaml +++ b/hieradata/roles/infra/reposync/syncer.yaml @@ -55,7 +55,7 @@ profiles::reposync::repos_list: osname: 'puppet7' release: 'el' baseurl: 'https://yum.puppet.com/puppet7/el/8/x86_64/' - gpgkey: 'http://yum.puppet.com/RPM-GPG-KEY-puppet' + gpgkey: 'https://yum.puppet.com/RPM-GPG-KEY-puppet' postgresql_rhel8_common: repository: 'common' description: 'PostgreSQL Common RHEL 8' From 1ccd8141abcbde5594f4cdd02edc256cc61b623c Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Wed, 29 Nov 2023 23:08:01 +1100 Subject: [PATCH 060/229] feat: add cname for repos --- site/profiles/manifests/reposync/webserver.pp | 9 +++++++++ 1 file changed, 9 insertions(+) 
diff --git a/site/profiles/manifests/reposync/webserver.pp b/site/profiles/manifests/reposync/webserver.pp index 66f549a..9321db1 100644 --- a/site/profiles/manifests/reposync/webserver.pp +++ b/site/profiles/manifests/reposync/webserver.pp @@ -30,6 +30,15 @@ class profiles::reposync::webserver ( } } + # export cnames for webserver + profiles::dns::record { "${::facts['networking']['fqdn']}_repos.main.unkin.net_CNAME": + value => $::facts['networking']['hostname'], + type => 'CNAME', + record => 'repos.main.unkin.net.', + zone => $::facts['networking']['domain'], + order => 10, + } + if $selinux { # include packages that are required From 8a6b3ef0fb299124fa1e316efbdb7842465a4c36 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sat, 2 Dec 2023 23:45:35 +1100 Subject: [PATCH 061/229] feat: add mirrorlist capability to reposyncer - add mirrorlist param to reposyncer repos - update almalinux 8.8 repos to use mirrorlist - add almalinux 8.9 repos --- hieradata/roles/infra/reposync/syncer.yaml | 48 +++++++++++++++++++--- site/profiles/manifests/reposync/repos.pp | 22 ++++++---- 2 files changed, 56 insertions(+), 14 deletions(-) diff --git a/hieradata/roles/infra/reposync/syncer.yaml b/hieradata/roles/infra/reposync/syncer.yaml index d76231e..e6a341e 100644 --- a/hieradata/roles/infra/reposync/syncer.yaml +++ b/hieradata/roles/infra/reposync/syncer.yaml 
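Review bot: The exported CNAME uses an absolute `record => 'repos.main.unkin.net.'` but takes `zone` from the node's own `networking.domain`, so on a reposync webserver whose domain is not `main.unkin.net` the record would be emitted into a different zone than its name implies (assuming `profiles::dns::record` keys the zone file on `zone`, which is not visible here). Making the alias a class parameter, e.g. `Stdlib::Fqdn $repo_cname = 'repos.main.unkin.net'`, and deriving the zone from it keeps the two consistent. `$::facts[...]` is the legacy top-scope form; the rest of the repo's style and puppet-lint prefer `$facts['networking']['fqdn']`.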
@@ -5,42 +5,78 @@ profiles::reposync::repos_list: description: 'AlmaLinux 8.8 - BaseOS' osname: 'almalinux' release: '8.8' - baseurl: 'http://mirror.aarnet.edu.au/pub/almalinux/8.8/BaseOS/x86_64/os/' + mirrorlist: https://mirrors.almalinux.org/mirrorlist/8.8/baseos gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux' almalinux_8_8_appstream: repository: 'AppStream' description: 'AlmaLinux 8.8 - AppStream' osname: 'almalinux' release: '8.8' - baseurl: 'http://mirror.aarnet.edu.au/pub/almalinux/8.8/AppStream/x86_64/os/' + mirrorlist: https://mirrors.almalinux.org/mirrorlist/8.8/appstream gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux' almalinux_8_8_highavailability: repository: 'HighAvailability' description: 'AlmaLinux 8.8 - HighAvailability' osname: 'almalinux' release: '8.8' - baseurl: 'http://mirror.aarnet.edu.au/pub/almalinux/8.8/HighAvailability/x86_64/os/' + mirrorlist: https://mirrors.almalinux.org/mirrorlist/8.8/ha gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux' almalinux_8_8_powertools: repository: 'PowerTools' description: 'AlmaLinux 8.8 - PowerTools' osname: 'almalinux' release: '8.8' - baseurl: 'http://mirror.aarnet.edu.au/pub/almalinux/8.8/PowerTools/x86_64/os/' + mirrorlist: https://mirrors.almalinux.org/mirrorlist/8.8/powertools gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux' almalinux_8_8_extras: repository: 'extras' description: 'AlmaLinux 8.8 - extras' osname: 'almalinux' release: '8.8' - baseurl: 'http://mirror.aarnet.edu.au/pub/almalinux/8.8/extras/x86_64/os/' + mirrorlist: https://mirrors.almalinux.org/mirrorlist/8.8/extras + gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux' + almalinux_8_9_baseos: + repository: 'BaseOS' + description: 'AlmaLinux 8.9 - BaseOS' + osname: 'almalinux' + release: '8.9' + mirrorlist: https://mirrors.almalinux.org/mirrorlist/8.9/baseos + gpgkey: 
'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux' + almalinux_8_9_appstream: + repository: 'AppStream' + description: 'AlmaLinux 8.9 - AppStream' + osname: 'almalinux' + release: '8.9' + mirrorlist: https://mirrors.almalinux.org/mirrorlist/8.9/appstream + gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux' + almalinux_8_9_highavailability: + repository: 'HighAvailability' + description: 'AlmaLinux 8.9 - HighAvailability' + osname: 'almalinux' + release: '8.9' + mirrorlist: https://mirrors.almalinux.org/mirrorlist/8.9/ha + gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux' + almalinux_8_9_powertools: + repository: 'PowerTools' + description: 'AlmaLinux 8.9 - PowerTools' + osname: 'almalinux' + release: '8.9' + mirrorlist: https://mirrors.almalinux.org/mirrorlist/8.9/powertools + gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux' + almalinux_8_9_extras: + repository: 'extras' + description: 'AlmaLinux 8.9 - extras' + osname: 'almalinux' + release: '8.9' + mirrorlist: https://mirrors.almalinux.org/mirrorlist/8.9/extras gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux' epel_8_everything: repository: 'Everything' description: 'EPEL 8 Everything' osname: 'epel' release: '8' - baseurl: 'https://dl.fedoraproject.org/pub/epel/8/Everything/x86_64/' + # baseurl: 'https://dl.fedoraproject.org/pub/epel/8/Everything/x86_64/' + mirrorlist: 'https://mirrors.fedoraproject.org/mirrorlist?repo=epel-8&arch=x86_64' gpgkey: 'https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-8' mariadb_11_2_el8: repository: 'el8' diff --git a/site/profiles/manifests/reposync/repos.pp b/site/profiles/manifests/reposync/repos.pp index 5886785..046e404 100644 --- a/site/profiles/manifests/reposync/repos.pp +++ b/site/profiles/manifests/reposync/repos.pp 
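Review bot: Every AlmaLinux entry, including the five new 8.9 ones, still fetches the signing key over `http://` even though the packages now come from arbitrary mirrorlist hosts. The GPG key is the trust anchor for `gpgcheck => 1`; an on-path attacker who substitutes it while it is fetched in cleartext can then serve packages signed by their own key and pass verification. Use `gpgkey: 'https://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux'` (if that mirror serves TLS) or the vendor's canonical HTTPS key URL, and quote the `mirrorlist` values consistently with the other keys in this file.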
@@ -4,26 +4,32 @@ define profiles::reposync::repos ( String $description, String $osname, String $release, - Stdlib::HTTPUrl $baseurl, Stdlib::HTTPUrl $gpgkey, String $arch = 'x86_64', String $repo_owner = 'root', String $repo_group = 'root', Stdlib::Absolutepath $basepath = '/data/repos', + Optional[Stdlib::HTTPUrl] $baseurl = undef, + Optional[Stdlib::HTTPUrl] $mirrorlist = undef, ){ + if ($mirrorlist == undef and $baseurl == undef) or ($mirrorlist != undef and $baseurl != undef) { + fail('profiles::reposync::repos must have either mirrorlist or baseurl set, but not both') + } + $repos_name = downcase("${osname}-${release}-${repository}-${arch}") $conf_file = "/etc/reposync/conf.d/${repos_name}.conf" # Create the repository configuration yumrepo { $repos_name: - ensure => 'present', - descr => $description, - baseurl => $baseurl, - gpgkey => $gpgkey, - target => '/etc/yum.repos.d/reposync.repo', - enabled => 0, - gpgcheck => 1, + ensure => 'present', + descr => $description, + baseurl => $baseurl, + mirrorlist => $mirrorlist, + gpgkey => $gpgkey, + target => '/etc/yum.repos.d/reposync.repo', + enabled => 0, + gpgcheck => 1, } # Ensure the repo dest path exists From 08c14c232959188c87dc3b6ebcdb21ca4019e027 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sun, 3 Dec 2023 16:49:38 +1100 Subject: [PATCH 062/229] feat: split agent service/package from config - split package/service from config so puppetservers agents can be managed in the same was as clients --- hieradata/os/AlmaLinux/all_releases.yaml | 2 +- hieradata/os/Debian/Debian11.yaml | 2 +- hieradata/os/Debian/Debian12.yaml | 2 +- site/profiles/manifests/base.pp | 3 ++ site/profiles/manifests/puppet/agent.pp | 35 +++++++++++++++++++++ site/profiles/manifests/puppet/client.pp | 39 +----------------------- 6 files changed, 42 insertions(+), 41 deletions(-) create mode 100644 site/profiles/manifests/puppet/agent.pp 
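Review bot: Now that content can come from any mirror returned by a mirrorlist, `gpgcheck => 1` alone leaves the repository metadata unverified; where the upstream signs `repomd.xml` (EPEL does, others should be checked) add `repo_gpgcheck => 1` to the `yumrepo` so a rogue mirror cannot serve stale or altered package lists. The mutual-exclusion check is correct but reads awkwardly; `if [$baseurl, $mirrorlist].filter |$u| { $u =~ NotUndef }.length != 1 { fail('profiles::reposync::repos must have either mirrorlist or baseurl set, but not both') }` expresses the same exactly-one rule in a single condition. The `define` header and its remaining body lie outside this hunk.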
diff --git a/hieradata/os/AlmaLinux/all_releases.yaml b/hieradata/os/AlmaLinux/all_releases.yaml index 105a19a..6592ae6 100644 --- a/hieradata/os/AlmaLinux/all_releases.yaml +++ b/hieradata/os/AlmaLinux/all_releases.yaml @@ -6,4 +6,4 @@ profiles::firewall::firewalld::ensure_package: 'absent' profiles::firewall::firewalld::ensure_service: 'stopped' profiles::firewall::firewalld::enable_service: false -profiles::puppet::client::puppet_version: '7.26.0' +profiles::puppet::agent::puppet_version: '7.26.0' diff --git a/hieradata/os/Debian/Debian11.yaml b/hieradata/os/Debian/Debian11.yaml index 41e6201..594461c 100644 --- a/hieradata/os/Debian/Debian11.yaml +++ b/hieradata/os/Debian/Debian11.yaml @@ -11,4 +11,4 @@ profiles::apt::components: - main - non-free -profiles::puppet::client::puppet_version: '7.25.0-1bullseye' +profiles::puppet::agent::puppet_version: '7.25.0-1bullseye' diff --git a/hieradata/os/Debian/Debian12.yaml b/hieradata/os/Debian/Debian12.yaml index fab31d1..f6b5f7d 100644 --- a/hieradata/os/Debian/Debian12.yaml +++ b/hieradata/os/Debian/Debian12.yaml @@ -12,4 +12,4 @@ profiles::apt::components: - non-free - non-free-firmware -profiles::puppet::client::puppet_version: 'latest' +profiles::puppet::agent::puppet_version: 'latest' diff --git a/site/profiles/manifests/base.pp b/site/profiles/manifests/base.pp index 6337422..62b242e 100644 --- a/site/profiles/manifests/base.pp +++ b/site/profiles/manifests/base.pp @@ -16,6 +16,9 @@ class profiles::base ( } } + # manage the puppet agent + include profiles::puppet::agent + # manage puppet clients if ! member($puppet_servers, $trusted['certname']) { include profiles::puppet::client diff --git a/site/profiles/manifests/puppet/agent.pp b/site/profiles/manifests/puppet/agent.pp new file mode 100644 index 0000000..0c2122e --- /dev/null +++ b/site/profiles/manifests/puppet/agent.pp 
@@ -0,0 +1,35 @@ +# profiles::puppet::agent +# This class manages Puppet agent package and service. +class profiles::puppet::agent ( + String $puppet_version = 'latest', +) { + + # Ensure the puppet-agent package is installed and locked to a specific version + package { 'puppet-agent': + ensure => $puppet_version, + } + + # if puppet-version is anything other than latest, set a versionlock + $puppet_versionlock_ensure = $puppet_version ? { + 'latest' => 'absent', + default => 'present', + } + $puppet_versionlock_version = $puppet_version ? { + 'latest' => undef, + default => $puppet_version, + } + yum::versionlock{'puppet-agent': + ensure => $puppet_versionlock_ensure, + version => $puppet_versionlock_version, + } + + # Ensure the puppet service is running + service { 'puppet': + ensure => 'running', + enable => true, + hasrestart => true, + require => Package['puppet-agent'], + } + +} + diff --git a/site/profiles/manifests/puppet/client.pp b/site/profiles/manifests/puppet/client.pp index 68ab61a..973f621 100644 --- a/site/profiles/manifests/puppet/client.pp +++ b/site/profiles/manifests/puppet/client.pp @@ -1,15 +1,6 @@ # Class: profiles::puppet::client # -# This class manages Puppet client configuration and service. -# -# Parameters: -# vardir - Directory path for variable data. -# logdir - Directory path for logs. -# rundir - Directory path for run-time data. -# pidfile - File path for the PID file. -# codedir - Directory path for code data. -# dns_alt_names - Array of alternate DNS names for the server. -# server - Server's name. +# This class manages Puppet client configuration. # # site/profile/manifests/puppet/client.pp class profiles::puppet::client ( 
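Review bot: `yum::versionlock { 'puppet-agent': … }` is declared unconditionally, but this class is now included from `profiles::base` on every node and the hieradata in this same commit sets Debian-style versions (`'7.25.0-1bullseye'`) for Debian11/12, where a yum versionlock plugin cannot be installed. Unless puppet-yum is known to no-op on non-RedHat families, wrap the versionlock in `if $facts['os']['family'] == 'RedHat' {` … `}` and note in the header that Debian hosts currently get no pin. This was inherited from client.pp, but the move to a universally-included class is what makes it bite.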
@@ -21,36 +12,8 @@ class profiles::puppet::client ( Integer $runtimeout = 3600, Boolean $show_diff = true, Boolean $usecacheonfailure = false, - String $puppet_version = 'latest', ) { - # Ensure the puppet-agent package is installed and locked to a specific version - package { 'puppet-agent': - ensure => $puppet_version, - } - - # if puppet-version is anything other than latest, set a versionlock - $puppet_versionlock_ensure = $puppet_version ? { - 'latest' => 'absent', - default => 'present', - } - $puppet_versionlock_version = $puppet_version ? { - 'latest' => undef, - default => $puppet_version, - } - yum::versionlock{'puppet-agent': - ensure => $puppet_versionlock_ensure, - version => $puppet_versionlock_version, - } - - # Ensure the puppet service is running - service { 'puppet': - ensure => 'running', - enable => true, - hasrestart => true, - require => Package['puppet-agent'], - } - # Assuming you want to manage puppet.conf with this profile file { '/etc/puppetlabs/puppet/puppet.conf': ensure => 'present', From 8f04de2b5212b51b7f420c6db51df1e8f9177bad Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sun, 3 Dec 2023 17:07:45 +1100 Subject: [PATCH 063/229] feat: add/remove capabilities for packages - add deepmerge lookup_options - add packages to remove and packages to add to profiles::packages::base class --- hieradata/common.yaml | 41 +++++++++++++++++++++++- site/profiles/manifests/packages/base.pp | 30 ++++++++--------- 2 files changed, 55 insertions(+), 16 deletions(-) diff --git a/hieradata/common.yaml b/hieradata/common.yaml index 77fddd3..7e4f7ee 100644 --- a/hieradata/common.yaml +++ b/hieradata/common.yaml @@ -1,4 +1,12 @@ --- +lookup_options: + profiles::packages::base::add: + merge: + strategy: deep + profiles::packages::base::remove: + merge: + strategy: deep + profiles::ntp::client::ntp_role: 'roles::infra::ntp::server' profiles::ntp::client::peers: - 0.pool.ntp.org 
@@ -12,23 +20,54 @@ profiles::base::puppet_servers: profiles::dns::master::basedir: '/var/named/sources' profiles::dns::base::ns_role: 'roles::infra::dns::resolver' -profiles::packages::base: +profiles::packages::base::add: - bash-completion + - bzip2 - ccze - curl - dstat + - gzip - htop + - inotify-tools + - iotop + - jq + - lz4 + - lzo - mtr - ncdu - neovim + - p7zip + - pbzip2 + - pigz + - pv - rsync - screen - strace + - sysstat - tmux + - traceroute - vim - vnstat - wget + - xz - zsh + - zstd + +profiles::packages::base::remove: + - iwl100-firmware + - iwl1000-firmware + - iwl105-firmware + - iwl135-firmware + - iwl2000-firmware + - iwl2030-firmware + - iwl3160-firmware + - iwl5000-firmware + - iwl5150-firmware + - iwl6000-firmware + - iwl6000g2a-firmware + - iwl6050-firmware + - iwl7260-firmware + - puppet7-release profiles::base::scripts::scripts: puppet: puppetwrapper.py diff --git a/site/profiles/manifests/packages/base.pp b/site/profiles/manifests/packages/base.pp index 807c8a8..f7d51cf 100644 --- a/site/profiles/manifests/packages/base.pp +++ b/site/profiles/manifests/packages/base.pp 
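Review bot: The `remove` list has no comments explaining the entries, and `puppet7-release` in particular is surprising because removing it also removes the repo file and key it ships; that appears safe only because `profiles::yum::puppet7` manages the repo separately (visible in global.pp later in this series), which a future maintainer cannot tell from this file. Add `# repo is managed by profiles::yum::puppet7; the release rpm is not needed` above that entry and `# wifi firmware is not needed on servers` above the iwl block. Note that with `strategy: deep` a package removed at a lower hiera layer cannot be un-removed at a higher one, which is worth a one-line comment next to `lookup_options`.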
@@ -1,21 +1,21 @@ # This class manages the installation of packages for the base profile # # Parameters: -# - $packages: An array of package names to be installed (optional) -# - $ensure: Enum of present, absent, latest or installed (optional) -# -# Example usage: -# class { 'profiles::base::packages': -# packages => ['package1', 'package2', 'package3'], +# - $add: An array of package names to be installed +# - $remove: An array of package names to be removed # class profiles::packages::base ( - Array $packages = lookup('profiles::packages::base', Array, 'first', []), - Enum[ - 'present', - 'absent', - 'latest', - 'installed' - ] $ensure = 'installed', -){ - ensure_packages($packages, {'ensure' => $ensure}) + Array $add = [], + Array $remove = [], +) { + + # Ensure packages to add are installed + ensure_packages($add, {'ensure' => 'present'}) + + # Ensure packages to remove are absent + $remove.each |String $package| { + package { $package: + ensure => 'absent', + } + } } From d8ff9ddb11d1900c3e8b979d13a0bd508b8809d3 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sun, 3 Dec 2023 17:43:49 +1100 Subject: [PATCH 064/229] feat: setup/manage dnf-autoupdate - create service to run dnf update - create timer to call the service - manage settings via params --- site/profiles/manifests/yum/autoupdater.pp | 18 ++++++++++++++++++ site/profiles/manifests/yum/global.pp | 4 ++++ .../templates/yum/autoupdate_service.erb | 6 ++++++ .../templates/yum/autoupdate_timer.erb | 10 ++++++++++ 4 files changed, 38 insertions(+) create mode 100644 site/profiles/manifests/yum/autoupdater.pp create mode 100644 site/profiles/templates/yum/autoupdate_service.erb create mode 100644 site/profiles/templates/yum/autoupdate_timer.erb diff --git a/site/profiles/manifests/yum/autoupdater.pp b/site/profiles/manifests/yum/autoupdater.pp new file mode 100644 index 0000000..17b2935 --- /dev/null +++ b/site/profiles/manifests/yum/autoupdater.pp 
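Review bot: A package name that ends up in both `$add` and `$remove` (easy now that both are deep-merged across hiera layers) is declared twice — once by `ensure_packages` and once by the `$remove.each` loop — and fails the catalog with a duplicate-declaration error that names neither list. Detect the overlap explicitly and fail with a useful message, and tighten both parameters to `Array[String[1]]` so empty strings cannot reach `package`. Dropping the old `$packages`/`$ensure` parameters is also an interface change; I could not see any `class { 'profiles::packages::base': … }` callers in this series, but hiera keys under the old names are silently ignored now.
```puppet
class profiles::packages::base (
  Array[String[1]] $add = [],
  Array[String[1]] $remove = [],
) {
  # a name in both lists would be declared twice; fail with a readable message
  $overlap = $add.filter |$pkg| { $pkg in $remove }
  unless $overlap.empty {
    fail("profiles::packages::base: packages listed in both add and remove: ${overlap.join(', ')}")
  }

  # … unchanged: ensure_packages($add, …) and the $remove.each loop …
```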
@@ -0,0 +1,18 @@ +# profiles::yum::autoupdater +# +# manage automatic updates for dnf +# +class profiles::yum::autoupdater ( + String $on_calendar = '*-*-* 05:00:00', + Integer $randomized_delay_sec = 1800, + Boolean $enabled = true, +) { + + # Ensure the timer is enabled and running + systemd::timer { 'dnf-autoupdate.timer': + timer_content => template('profiles/yum/autoupdate_timer.erb'), + service_content => template('profiles/yum/autoupdate_service.erb'), + active => true, + enable => true, + } +} diff --git a/site/profiles/manifests/yum/global.pp b/site/profiles/manifests/yum/global.pp index eca5715..119230e 100644 --- a/site/profiles/manifests/yum/global.pp +++ b/site/profiles/manifests/yum/global.pp @@ -86,4 +86,8 @@ class profiles::yum::global ( class { 'profiles::yum::puppet7': managed_repos => $managed_repos, } + + # setup dnf-autoupdate + include profiles::yum::autoupdater + } diff --git a/site/profiles/templates/yum/autoupdate_service.erb b/site/profiles/templates/yum/autoupdate_service.erb new file mode 100644 index 0000000..988b272 --- /dev/null +++ b/site/profiles/templates/yum/autoupdate_service.erb @@ -0,0 +1,6 @@ +[Unit] +Description=dnf-autoupdater-service + +[Service] +Type=oneshot +ExecStart=/usr/bin/dnf update -y diff --git a/site/profiles/templates/yum/autoupdate_timer.erb b/site/profiles/templates/yum/autoupdate_timer.erb new file mode 100644 index 0000000..6dcc3cb --- /dev/null +++ b/site/profiles/templates/yum/autoupdate_timer.erb @@ -0,0 +1,10 @@ +[Unit] +Description=dnf-autoupdater-timer + +[Timer] +OnCalendar=<%= @on_calendar %> +RandomizedDelaySec=<%= @randomized_delay_sec %> +Persistent=true + +[Install] +WantedBy=timers.target From ebd20a5e5ae7e24f598b43e83e43a27020e9ced9 Mon Sep 17 00:00:00 2001 
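Review bot: The `$enabled` parameter is declared but never used — the `systemd::timer` hard-codes `active => true, enable => true`, so setting `profiles::yum::autoupdater::enabled: false` in hiera has no effect. Wire it through with `active => $enabled,` and `enable => $enabled,`. A short header comment stating that this schedules a full `dnf update -y` (not security-only) on every host that includes `profiles::yum::global` would make the blast radius explicit to whoever reads the hieradata.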
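Review bot: The oneshot service unit has no ordering on the network, so a `Persistent=true` timer that fires shortly after boot can run `dnf update -y` before DNS or routes are up and fail noisily. Add `After=network-online.target` and `Wants=network-online.target` to the `[Unit]` section. Consider also whether unattended full updates should exclude packages managed elsewhere (the puppet-agent versionlock covers only that one).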
From: Ben Vincent Date: Fri, 8 Dec 2023 21:25:01 +1100 Subject: [PATCH 065/229] feat: mysql wsrep_ facts - add facts generated from mysql's wsrep status variables --- site/profiles/lib/facter/mysql_wsrep.rb | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 site/profiles/lib/facter/mysql_wsrep.rb diff --git a/site/profiles/lib/facter/mysql_wsrep.rb b/site/profiles/lib/facter/mysql_wsrep.rb new file mode 100644 index 0000000..caf5459 --- /dev/null +++ b/site/profiles/lib/facter/mysql_wsrep.rb @@ -0,0 +1,21 @@ +# frozen_string_literal: true + +# skip if mysql isnt installed or active +next unless system('which mysql > /dev/null 2>&1') +next unless system('systemctl is-active --quiet mariadb') + +# export mysql wsrep status +wsrep_status = `mysql -e "SHOW STATUS LIKE 'wsrep%';"` + +# loop over the output +wsrep_status.each_line do |line| + # skip the line unless it starts with 'wsrep_' + next unless line.match(/^wsrep_/) + + key, value = line.split("\t") + Facter.add("mysql_#{key.strip}") do + setcode do + value.strip + end + end +end From a9aabfa161e18b5079caf04dc624e88042cbce14 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Fri, 8 Dec 2023 21:32:32 +1100 Subject: [PATCH 066/229] fix: failed to test previously - change next's outside of a loop to a single if statement --- site/profiles/lib/facter/mysql_wsrep.rb | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/site/profiles/lib/facter/mysql_wsrep.rb b/site/profiles/lib/facter/mysql_wsrep.rb index caf5459..e5ff2a2 100644 --- a/site/profiles/lib/facter/mysql_wsrep.rb +++ b/site/profiles/lib/facter/mysql_wsrep.rb 
@@ -1,21 +1,21 @@ # frozen_string_literal: true # skip if mysql isnt installed or active -next unless system('which mysql > /dev/null 2>&1') -next unless system('systemctl is-active --quiet mariadb') +if system('which mysql > /dev/null 2>&1') && system('systemctl is-active --quiet mariadb') -# export mysql wsrep status -wsrep_status = `mysql -e "SHOW STATUS LIKE 'wsrep%';"` + # export mysql wsrep status + wsrep_status = `mysql -e "SHOW STATUS LIKE 'wsrep%';"` -# loop over the output -wsrep_status.each_line do |line| - # skip the line unless it starts with 'wsrep_' - next unless line.match(/^wsrep_/) + # loop over the output + wsrep_status.each_line do |line| + # skip the line unless it starts with 'wsrep_' + next unless line.match(/^wsrep_/) - key, value = line.split("\t") - Facter.add("mysql_#{key.strip}") do - setcode do - value.strip + key, value = line.split("\t") + Facter.add("mysql_#{key.strip}") do + setcode do + value.strip + end end end end From 11a98b16bb64092989ed22ec630f123c747f4689 Mon Sep 17 00:00:00 2001 
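Review bot: The `mysql -e …` backtick call still runs at fact-load time on every facter invocation, through a shell, with no handling of a non-zero exit; if the query fails (service stopping, socket auth denied) the error goes to stderr and an empty fact set is produced silently. Facter's own execution helpers avoid the shell, locate the binary without `which`, and let you return an empty string on failure, and passing `systemctl` its arguments as separate strings avoids the shell too. The per-line loop and `Facter.add` calls can stay as they are.
```ruby
mysql_bin = Facter::Core::Execution.which('mysql')
if mysql_bin && system('systemctl', 'is-active', '--quiet', 'mariadb')
  wsrep_status = Facter::Core::Execution.execute(
    "#{mysql_bin} -e \"SHOW STATUS LIKE 'wsrep%';\"", on_fail: ''
  )
  # … unchanged: each_line loop filtering ^wsrep_ and Facter.add per key …
end
```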
From: Ben Vincent Date: Wed, 22 Nov 2023 19:38:11 +1100 Subject: [PATCH 067/229] feat: setup galera cluster member profile - add eyaml support for role - add /data volume for galera cluster members - create profiles::selinux namespace for defining selinux configuration - create profiles::selinux::mysqld for managing specifics for mysqld - create profiles::selinux::setenforce to manage selinux mode - parameterised options required in mysqld::server module - add mariadb repo - add additional facts for managing mysqld and galera --- Puppetfile | 1 + hieradata/common.yaml | 1 + hieradata/roles/infra/sql/galera.eyaml | 3 + hieradata/roles/infra/sql/galera.yaml | 11 + site/profiles/lib/facter/mariadb_active.rb | 11 + site/profiles/lib/facter/mariadb_datapath.rb | 22 ++ .../lib/facter/mariadb_galera_active.rb | 16 ++ site/profiles/lib/facter/mariadb_installed.rb | 8 + site/profiles/manifests/selinux/mysqld.pp | 44 ++++ site/profiles/manifests/selinux/setenforce.pp | 9 + site/profiles/manifests/sql/galera_member.pp | 215 ++++++++++++++++++ site/profiles/manifests/yum/mariadb.pp | 24 ++ site/roles/manifests/infra/sql/galera.pp | 2 + 13 files changed, 367 insertions(+) create mode 100644 hieradata/roles/infra/sql/galera.eyaml create mode 100644 hieradata/roles/infra/sql/galera.yaml create mode 100644 site/profiles/lib/facter/mariadb_active.rb create mode 100644 site/profiles/lib/facter/mariadb_datapath.rb create mode 100644 site/profiles/lib/facter/mariadb_galera_active.rb create mode 100644 site/profiles/lib/facter/mariadb_installed.rb create mode 100644 site/profiles/manifests/selinux/mysqld.pp create mode 100644 site/profiles/manifests/selinux/setenforce.pp create mode 100644 site/profiles/manifests/sql/galera_member.pp create mode 100644 site/profiles/manifests/yum/mariadb.pp diff --git a/Puppetfile b/Puppetfile index 57514ca..c197bde 100644 --- a/Puppetfile +++ b/Puppetfile 
@@ -14,6 +14,7 @@ mod 'puppetlabs-postgresql', '9.1.0' mod 'puppetlabs-firewall', '6.0.0' mod 'puppetlabs-accounts', '8.1.0' mod 'puppetlabs-mysql', '15.0.0' +mod 'puppetlabs-xinetd', '3.4.1' # puppet mod 'puppet-python', '7.0.0' diff --git a/hieradata/common.yaml b/hieradata/common.yaml index 77fddd3..d56d46c 100644 --- a/hieradata/common.yaml +++ b/hieradata/common.yaml @@ -29,6 +29,7 @@ profiles::packages::base: - vnstat - wget - zsh + - socat profiles::base::scripts::scripts: puppet: puppetwrapper.py diff --git a/hieradata/roles/infra/sql/galera.eyaml b/hieradata/roles/infra/sql/galera.eyaml new file mode 100644 index 0000000..2ed8803 --- /dev/null +++ b/hieradata/roles/infra/sql/galera.eyaml @@ -0,0 +1,3 @@ +--- +profiles::sql::galera_member::root_password: ENC[PKCS7,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] +profiles::sql::galera_member::status_password: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAj0Zjb+XijI6Fqxv9nemJrONvuqEr2uG7dRtZ/ZSDIQCFDAAMilM6EKg+6hMdHVAno45qLDsmJUUgznEQEPe7qkvFKNzzZecGGLdyj0FVU9YMDL69qfcpTxhXxA7mxE+LrtbpArRNjWAgiiRv1REvo54ZdsMThLFrDvQG6myDRaNaWxQ9RWQ1o+oy57AYwrurNgsM8ziOEU3ZfF+ax1zGA+GlGgIiM6XW+w5aH4tLdaUbvfYhBZpGaa0Wh594TSDlzBslfmO4gx6076xUua0pi71ZeMfx63kedTyjj2k07C3SLKpknm+FqYG0ZhdEMSscCodnys/KYT3qiN5fStWN3zBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBCCeXDpaOYDKhr1Q7A8I30ygDC7BBHB/UtDJLjuGZ4cll0MsfBlrQwAGDJm0j25JnsLCYqBvz1XjxFs1JhKJXLe42c=] diff --git a/hieradata/roles/infra/sql/galera.yaml b/hieradata/roles/infra/sql/galera.yaml new file mode 100644 index 0000000..f6965e6 --- /dev/null +++ b/hieradata/roles/infra/sql/galera.yaml 
@@ -0,0 +1,11 @@ +--- +profiles::sql::galera_member::cluster_name: galera01 +profiles::sql::galera_member::galera_master: prodinf01n29.main.unkin.net +profiles::sql::galera_member::configure_firewall: false +profiles::sql::galera_member::wsrep_sst_method: rsync +profiles::sql::galera_member::galera_members_lookup: true +profiles::sql::galera_member::galera_members_role: roles::infra::sql::galera +profiles::sql::galera_member::datadir: /data/mariadb +profiles::sql::galera_member::innodb_buffer_pool_size: 256M +profiles::sql::galera_member::innodb_file_per_table: 1 +profiles::sql::galera_member::package_name: mariadb-galera-server diff --git a/site/profiles/lib/facter/mariadb_active.rb b/site/profiles/lib/facter/mariadb_active.rb new file mode 100644 index 0000000..66f6b51 --- /dev/null +++ b/site/profiles/lib/facter/mariadb_active.rb @@ -0,0 +1,11 @@ +# frozen_string_literal: true + +# create a boolean for when the mariadb service is active +require 'English' + +Facter.add('mariadb_active') do + setcode do + system('systemctl is-active --quiet mariadb') + $CHILD_STATUS.exitstatus.zero? + end +end diff --git a/site/profiles/lib/facter/mariadb_datapath.rb b/site/profiles/lib/facter/mariadb_datapath.rb new file mode 100644 index 0000000..410b4e5 --- /dev/null +++ b/site/profiles/lib/facter/mariadb_datapath.rb @@ -0,0 +1,22 @@ +# frozen_string_literal: true + +# check if the /etc/my.cnf.d/server.cnf file exists, +# open it and search for the 'datadir =' option +# store the datadir value as this fact +require 'facter' + +Facter.add('mariadb_datapath') do + setcode do + if File.exist?('/etc/my.cnf.d/server.cnf') + datadir = nil + File.foreach('/etc/my.cnf.d/server.cnf') do |line| + match = line.match(/^\s*datadir\s*=\s*(.+)\s*$/) + if match + datadir = match[1].strip + break + end + end + datadir + end + end +end diff --git a/site/profiles/lib/facter/mariadb_galera_active.rb b/site/profiles/lib/facter/mariadb_galera_active.rb new file mode 100644 index 0000000..623ffe3 
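Review bot: In mariadb_active.rb the boolean that `system` already returns is discarded and then reconstructed from `$CHILD_STATUS.exitstatus.zero?`, which is redundant and is the only reason for `require 'English'`; the resolution can be `system('systemctl', 'is-active', '--quiet', 'mariadb') == true`, which also avoids spawning a shell by using the array form. That matches how mariadb_galera_active.rb in the same commit tests the service state, so the two facts would read consistently.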
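Review bot: In mariadb_datapath.rb the capture `(.+)` keeps surrounding quotes, so a `datadir = "/data/mariadb"` entry (MariaDB accepts quoted option values) yields a path with literal quote characters, and mariadb_galera_active then looks for grastate.dat under a path that does not exist; strip them, e.g. `datadir = match[1].strip.delete(%q("'))`, or tighten the capture. The match is also not restricted to the `[mysqld]` section, so a `datadir` under any other section of server.cnf would be picked up — presumably acceptable for this file, but worth a comment. `require 'facter'` is not needed inside a custom fact that facter itself loads.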
--- /dev/null +++ b/site/profiles/lib/facter/mariadb_galera_active.rb @@ -0,0 +1,16 @@ +# frozen_string_literal: true + +# check if the mariadb server exists +# check if the mariadb_datapath fact exists, else set /var/lib/mysql as the datapath +# check if the galera grastate.dat file exists, identifying if galera is boostrapped +require 'facter' + +if system('systemctl is-active --quiet mariadb') + + Facter.add('mariadb_galera_active') do + setcode do + mariadb_datapath = Facter.value(:mariadb_datapath) || '/var/lib/mysql' + File.exist?("#{mariadb_datapath}/grastate.dat") + end + end +end diff --git a/site/profiles/lib/facter/mariadb_installed.rb b/site/profiles/lib/facter/mariadb_installed.rb new file mode 100644 index 0000000..1287cda --- /dev/null +++ b/site/profiles/lib/facter/mariadb_installed.rb @@ -0,0 +1,8 @@ +# frozen_string_literal: true + +# create boolean for if mariadb is installed based of the default service file +Facter.add('mariadb_installed') do + setcode do + File.exist?('/usr/lib/systemd/system/mariadb.service') + end +end diff --git a/site/profiles/manifests/selinux/mysqld.pp b/site/profiles/manifests/selinux/mysqld.pp new file mode 100644 index 0000000..2c31e82 --- /dev/null +++ b/site/profiles/manifests/selinux/mysqld.pp 
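Review bot: Wrapping `Facter.add('mariadb_galera_active')` in a top-level `if system(...)` means the fact is absent rather than `false` whenever mariadb is not active, and galera_member.pp in this same commit tests `$::facts['mariadb_galera_active'] == false`, which an undefined fact never satisfies, so the restart path there is skipped on exactly the node that is down. Move the check into the resolution, e.g. `next false unless system('systemctl is-active --quiet mariadb')` as the first line of `setcode`, so the fact always resolves to a boolean. The file-scope `system` call also runs every time facter loads the file, even when this fact is never requested.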
@@ -0,0 +1,44 @@ +# profiles::selinux::mysqld +# selinux settings for mysqld and galera +class profiles::selinux::mysqld ( + Stdlib::Absolutepath $datadir = '/var/lib/mysql', + Boolean $persistent = true, + Boolean $mysql_connect_any = true, + Boolean $selinuxuser_mysql_connect_enabled = true, + String $selinux_mode = 'enforcing', +){ + # include packages that are required + include profiles::packages::selinux + + # setenforce + class { 'profiles::selinux::setenforce': + mode => $selinux_mode, + } + + # set mysqld_db_t to all files under the datadir + selinux::fcontext { $datadir: + ensure => 'present', + seltype => 'mysqld_db_t', + pathspec => "${datadir}(/.*)?", + } + + # make sure we can connect to mysql on the local system + selboolean { 'selinuxuser_mysql_connect_enabled': + persistent => $persistent, + value => $selinuxuser_mysql_connect_enabled, + } + + # make sure mysql can connect to other hosts + selboolean { 'mysql_connect_any': + persistent => $persistent, + value => $mysql_connect_any, + } + + exec { "restorecon_${datadir}": + path => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'], + command => "restorecon -Rv ${datadir}", + refreshonly => true, + subscribe => Selinux::Fcontext[$datadir], + } +} + diff --git a/site/profiles/manifests/selinux/setenforce.pp b/site/profiles/manifests/selinux/setenforce.pp new file mode 100644 index 0000000..fa2c753 --- /dev/null +++ b/site/profiles/manifests/selinux/setenforce.pp @@ -0,0 +1,9 @@ +# profiles::selinux::setenforce +class profiles::selinux::setenforce ( + Enum['enforcing', 'permissive', 'disabled'] $mode = 'enforcing', +) { + class { 'selinux': + mode => $mode, + } +} + diff --git a/site/profiles/manifests/sql/galera_member.pp b/site/profiles/manifests/sql/galera_member.pp new file mode 100644 index 0000000..d79c28a --- /dev/null +++ b/site/profiles/manifests/sql/galera_member.pp 
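Review bot: `class { 'profiles::selinux::setenforce': mode => $selinux_mode }` is a resource-like declaration, and profiles::selinux::nginx in patch 070 makes the identical declaration, so a node that includes both profiles (or anything else declaring `selinux` with parameters) fails with a duplicate declaration, and the two callers may also disagree on the mode. Consider letting `profiles::selinux::setenforce` take its mode from Hiera and be `include`d, keeping the single resource-like `class { 'selinux': ... }` in one place. `String $selinux_mode` here (and in nginx.pp) should reuse the `Enum['enforcing', 'permissive', 'disabled']` that setenforce.pp declares, so a typo is rejected at compile time instead of being passed through. `$datadir` is interpolated unescaped into the `pathspec` regex `"${datadir}(/.*)?"`; fine for the default, but a comment noting that paths with regex metacharacters are not supported would save a surprise later.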
@@ -0,0 +1,215 @@ +# profiles::sql::galera_member +class profiles::sql::galera_member ( + String $cluster_name, + String $root_password, + String $status_password, + Enum[ + 'mariabackup', + 'mysqldump', + 'rsync', + 'skip', + 'xtrabackup', + 'xtrabackup-v2' + ] $wsrep_sst_method = 'xtrabackup-v2', + Integer $mysql_port = 3306, + Boolean $galera_members_lookup = false, + String $galera_members_role = undef, + String $galera_master = undef, + Array $galera_servers = [], + Boolean $configure_firewall = false, + Integer $wsrep_state_transfer_port = 4444, + Integer $wsrep_inc_state_transfer_port = 4568, + Integer $wsrep_group_comm_port = 4567, + String $innodb_buffer_pool_size = '256M', + Integer $innodb_file_per_table = 1, + Integer $innodb_autoinc_lock_mode = 2, + Stdlib::IP::Address $local_ip = $facts['networking']['ip'], + Stdlib::Absolutepath $datadir = '/var/lib/mysql', + Hash $override_options_mysqld = {}, + Hash $override_options_galera = {}, + Boolean $package_manage = true, + String $package_name = 'mariadb-server', + Boolean $epel_needed = false, + Boolean $selinux = true, + Boolean $manage_repo = true, +) { + + # check that the master is named + unless !($galera_master == undef) { + fail("galera_master must be provided for ${title}") + } + + # if lookup is enabled + if $galera_members_lookup { + + # check that the role is also set + unless !($galera_members_role == undef) { + fail("galera_members_role must be provided for ${title} when galera_members_lookup is True") + } + + # if it is, find hosts, sort them so they dont cause changes every run + $servers_array = sort(query_nodes("enc_role='${galera_members_role}'", 'networking.fqdn')) + + # else use provided array from params + }else{ + $servers_array = $galera_servers + } + + # if its not an empty array. Give puppetdb a chance to be populated with data. 
+ if length($servers_array) >= 3 { + + # if selinux is defined, manage it + if $selinux { + + # set permissive on first run, as we need mariadb installed/started at a custom path before adding fcontext + if $::facts['mariadb_acti'] { $selinux_mode = 'enforcing' }else{ $selinux_mode = 'permissive' } + + # call the mysqld selinux class + class { 'profiles::selinux::mysqld': + datadir => $datadir, + selinux_mode => $selinux_mode, + require => Class['Mysql::Server'], + } + } + + # check if this is the master_node + if $galera_master == $::facts['networking']['fqdn'] { + $galera_master_bool = true + }else{ + $galera_master_bool = false + } + + # find bootstrap status for servers + $bootstrap_array = puppetdb_query("inventory[certname, facts] { facts.enc_role = '${galera_members_role}' }").map |$node| { + { + 'fqdn' => $node['certname'], + 'bootstrap' => $node['facts']['mariadb_galera_active'], + } + } + + # determine if the cluster is bootstrapped + $cluster_bootstrapped = $bootstrap_array.any |$server| { + $server['fqdn'] == $galera_master and $server['bootstrap'] == true + } + + # for setting puppetlabs-mysql params + # ['mysqld']['datadir'] = /var/lib/mysql + # TODO move to a params class later, mysql and galera + $default_override_options_mysqld = { + 'mysqld' => { + 'datadir' => $datadir, + 'innodb_buffer_pool_size' => $innodb_buffer_pool_size, + 'innodb_file_per_table' => $innodb_file_per_table, + 'innodb_autoinc_lock_mode' => $innodb_autoinc_lock_mode, + 'binlog_format' => 'ROW', + 'default-storage-engine' => 'innodb', + 'query_cache_size' => '0', + 'query_cache_type' => '0' + } + } + $default_override_options_galera = { + 'galera' => { + 'wsrep_on' => 'ON', + 'wsrep_node_name' => $::facts['networking']['hostname'], + 'wsrep_provider' => '/usr/lib64/galera/libgalera_smm.so', + 'wsrep_cluster_name' => $cluster_name, + 'wsrep_cluster_address' => "gcomm://${join($servers_array, ',')}", + 'wsrep_sst_method' => $wsrep_sst_method, + 'wsrep_provider_options' => 
["ist.recv_addr=${local_ip}:${wsrep_inc_state_transfer_port}", "ist.recv_bind=${local_ip}", ''], + 'wsrep_node_address' => "${local_ip}:${wsrep_group_comm_port}" + } + } + + # merge the mysqld/galera defaults with the $override_options_{mysqld|galera} + $merged_overrides_mysqld_only = merge($default_override_options_mysqld, $override_options_mysqld) + $merged_overrides_galera_only = merge($default_override_options_mysqld, $override_options_mysqld) + + # merge both galera and mariadb + $merged_overrides_both = merge($default_override_options_galera, $merged_overrides_mysqld_only) + + # prepare non-master cluster members + if $::facts['mariadb_installed'] and ! $galera_master_bool { + + # set service manage/enabled to match $cluster_bootstrapped + $real_service_manage = $cluster_bootstrapped + $real_service_enabled = $cluster_bootstrapped + + # if cluster master is bootstrapped, add these nodes to the cluster + if $cluster_bootstrapped { + $merged_overrides = $merged_overrides_both + }else{ + $merged_overrides = $merged_overrides_mysqld_only + } + + # if cluster is boostrapped, but galera is not active on this node, then + # restart mariadb after mysql class reconfigures mariadb + if $cluster_bootstrapped and $::facts['mariadb_galera_active'] == false { + $restart_mariadb = true + }else{ + $restart_mariadb = false + } + } + + # prepare master cluster member + if $::facts['mariadb_installed'] and $galera_master_bool{ + + # set restart option for mariadb + $restart_mariadb = false + + # check if cluster is already bootstrapped + if $cluster_bootstrapped { + + # set service manage/enabled to match $cluster_bootstrapped + $real_service_manage = true + $real_service_enabled = true + + # set overrides + $merged_overrides = $merged_overrides_both + + }else{ + + # set overrides + $merged_overrides = $merged_overrides_both + + # bootstrap a cluster, as this is the first setup, mariadb should be active + if $::facts['mariadb_active'] { + + # stop mariadb before bootstrapping + 
exec { 'stop_mariadb_for_bootstrap': + command => 'systemctl stop mariadb', + path => ['/bin', '/usr/bin'], + require => Class['Mysql::server'], + } + + # bootstrap galera cluster + # only run if the cluster is not already bootstrapped + exec { 'bootstrap_galera_new_cluster': + command => 'galera_new_cluster', + path => ['/bin', '/usr/bin'], + require => Class['Mysql::server'], + } + } + } + } + + # prepare for initial run, this will create a single-node mariadb host + if ! $::facts['mariadb_installed'] { + $merged_overrides = $merged_overrides_mysqld_only + $restart_mariadb = true + } + + class { 'mysql::server': + root_password => $root_password, + remove_default_accounts => true, + restart => $restart_mariadb, + service_manage => $real_service_manage, + service_enabled => $real_service_enabled, + package_manage => $package_manage, + package_name => $package_name, + override_options => $merged_overrides, + } + + }else{ + notice("${title} requires the servers_array to have 3 or more, currently it is ${length($servers_array)}.") + } +} diff --git a/site/profiles/manifests/yum/mariadb.pp b/site/profiles/manifests/yum/mariadb.pp new file mode 100644 index 0000000..df3d71e --- /dev/null +++ b/site/profiles/manifests/yum/mariadb.pp @@ -0,0 +1,24 @@ +# Class: profiles::yum::mariadb +# +# This class manages the mariadb yum repository for the system. +# +class profiles::yum::mariadb ( + String $baseurl = 'http://repos.main.unkin.net', + String $version = '11.2', + Enum[ + 'daily', + 'weekly', + 'monthly' + ] $snapshot = 'daily', +) { + $release = $facts['os']['release']['major'] + $basearch = $facts['os']['architecture'] + + yumrepo { 'mariadb': + name => 'mariadb', + descr => 'mariadb repository', + target => '/etc/yum.repos.d/mariadb.repo', + baseurl => "${baseurl}/mariadb/${version}/el${release}-${snapshot}/${basearch}/os/", + gpgkey => "${baseurl}/mariadb/${version}/el${release}-${snapshot}/${basearch}/os/RPM-GPG-KEY-MariaDB", + } +} 
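Review bot: `$::facts['mariadb_acti']` in the selinux block is a typo for `mariadb_active`, so the key is never present and `$selinux_mode` is always `'permissive'`; the intended first-run-only relaxation becomes permanent — `if $::facts['mariadb_active'] { $selinux_mode = 'enforcing' } else { $selinux_mode = 'permissive' }`. `$merged_overrides_galera_only` is built from the mysqld defaults and `$override_options_mysqld` (copy-paste), and `$merged_overrides_both` then merges the raw galera defaults, so `$override_options_galera` is never applied anywhere; it should be `merge($default_override_options_galera, $override_options_galera)` followed by `merge($merged_overrides_galera_only, $merged_overrides_mysqld_only)`. The `stop_mariadb_for_bootstrap` and `bootstrap_galera_new_cluster` execs have no `unless`/`creates`, so they appear to re-run on every agent run until the master reports `mariadb_galera_active`; guard them on the grastate.dat path under `$datadir`. `String $galera_master = undef` and `String $galera_members_role = undef` will not accept `undef` under a `String` type — `Optional[String[1]]` expresses the intent and turns `unless !($galera_master == undef)` into plain `unless $galera_master`. `$status_password` is declared (and fed from galera.eyaml) but never used in this hunk.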
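Review bot: The `yumrepo { 'mariadb': }` resource in yum/mariadb.pp sets `gpgkey` but not `gpgcheck`, so whether packages from this repo are signature-checked depends on the host's yum/dnf default rather than on this manifest; add `gpgcheck => 1,` (and `enabled => 1,` if that is intended) so the policy is explicit. Both `baseurl` and the derived `gpgkey` URL default to plain `http://`, so the signing key itself is fetched over an unauthenticated channel from the internal mirror; if the mirror offers TLS make the default `https://`, otherwise a comment on `$baseurl` explaining why plain HTTP is acceptable here would help.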
diff --git a/site/roles/manifests/infra/sql/galera.pp b/site/roles/manifests/infra/sql/galera.pp index dac21c5..a116c8c 100644 --- a/site/roles/manifests/infra/sql/galera.pp +++ b/site/roles/manifests/infra/sql/galera.pp @@ -2,4 +2,6 @@ class roles::infra::sql::galera { include profiles::defaults include profiles::base + include profiles::base::datavol + include profiles::sql::galera_member } From 685d7db264bb46dd4f2940f1334a56dfebf90060 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Mon, 11 Dec 2023 21:09:25 +1100 Subject: [PATCH 068/229] feat: add nodelookup - add helper script to make quering puppetdb easier and more efficient --- site/profiles/manifests/base.pp | 1 + .../profiles/manifests/helpers/node_lookup.pp | 56 +++++++++++++++++ .../templates/helpers/node_lookup.erb | 61 +++++++++++++++++++ 3 files changed, 118 insertions(+) create mode 100644 site/profiles/manifests/helpers/node_lookup.pp create mode 100644 site/profiles/templates/helpers/node_lookup.erb diff --git a/site/profiles/manifests/base.pp b/site/profiles/manifests/base.pp index 62b242e..607136b 100644 --- a/site/profiles/manifests/base.pp +++ b/site/profiles/manifests/base.pp @@ -35,6 +35,7 @@ class profiles::base ( include profiles::dns::base include profiles::cloudinit::init include profiles::metrics::default + include profiles::helpers::node_lookup # include the python class class { 'python': diff --git a/site/profiles/manifests/helpers/node_lookup.pp b/site/profiles/manifests/helpers/node_lookup.pp new file mode 100644 index 0000000..b155f6c --- /dev/null +++ b/site/profiles/manifests/helpers/node_lookup.pp 
@@ -0,0 +1,56 @@ +# profiles::helpers::node_lookup +# +# wrapper class for python, pip and venv +class profiles::helpers::node_lookup ( + String $script_name = 'node_lookup', + Stdlib::AbsolutePath $base_path = "/opt/${script_name}", + Stdlib::AbsolutePath $venv_path = "${base_path}/venv", + String $owner = 'root', + String $group = 'root', + Boolean $systempkgs = false, + String $version = 'system', + Array[String[1]] $packages = ['requests'], +){ + + # ensure the base_path exists + file { $base_path: + ensure => directory, + mode => '0755', + owner => $owner, + group => $group, + } + # create a venv + python::pyvenv { $venv_path : + ensure => present, + version => $version, + systempkgs => $systempkgs, + venv_dir => $venv_path, + owner => $owner, + group => $group, + require => File[$base_path], + } + + # install the required pip packages + $packages.each |String $package| { + python::pip { "${venv_path}_${package}": + ensure => present, + pkgname => $package, + virtualenv => $venv_path, + } + } + + # create the script from a template + file { "${base_path}/${script_name}": + ensure => file, + mode => '0755', + content => template("profiles/helpers/${script_name}.erb"), + require => Python::Pyvenv[$venv_path], + } + + # create symbolic link in $PATH + file { "/usr/local/bin/${script_name}": + ensure => 'link', + target => "${base_path}/${script_name}", + require => File["${base_path}/${script_name}"], + } +} diff --git a/site/profiles/templates/helpers/node_lookup.erb b/site/profiles/templates/helpers/node_lookup.erb new file mode 100644 index 0000000..7596821 --- /dev/null +++ b/site/profiles/templates/helpers/node_lookup.erb 
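Review bot: The class comment `# wrapper class for python, pip and venv` does not describe what this class does — it installs the node_lookup script into a dedicated venv and links it into `/usr/local/bin`; suggest `# installs the node_lookup PuppetDB query helper into its own venv and links it into PATH`. The script `file { "${base_path}/${script_name}": }` sets `mode` but not `owner`/`group`, unlike the `$base_path` directory and the venv next to it, so the `$owner`/`$group` parameters do not cover the executable; add `owner => $owner, group => $group,` there for consistency.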
@@ -0,0 +1,61 @@ +#!/usr/bin/env <%= @venv_path %>/bin/python +import requests +import sys +import argparse +import json + +def build_query(node=None, fact_name=None, match=None, show_role=False): + query_filters = [] + + if node: + query_filters.append(["=", "certname", node]) + if fact_name: + query_filters.append(["=", "name", fact_name]) + elif show_role: + query_filters.append(["=", "name", "enc_role"]) + + if match: + query_filters.append(["~", "value", match]) + + if not query_filters: + return '["=", "name", "enc_role"]' + else: + return json.dumps(["and"] + query_filters) + +def query_puppetdb(query): + url = 'http://puppetdb:8080/pdb/query/v4/facts' + response = requests.get(url, params={'query': query}) + process_response(response) + +def process_response(response): + if response.status_code == 200: + for fact in response.json(): + print(f"{fact['certname']} {fact['value']}") + else: + print(f"Error querying PuppetDB: HTTP {response.status_code}") + print("Response content:", response.text) + +def parse_stdin(): + for line in sys.stdin: + yield line.split()[0] + +def main(): + parser = argparse.ArgumentParser(description="Query PuppetDB for nodes.") + parser.add_argument("-n", "--node", help="Node name or partial match") + parser.add_argument("-R", "--role", action="store_true", help="Show the role for matched hosts") + parser.add_argument("-F", "--fact", help="Specify a fact name") + parser.add_argument("-m", "--match", help="Simple pattern match for the value") + + args = parser.parse_args() + + if not args.node and not sys.stdin.isatty(): + for node in parse_stdin(): + args.node = node + query = build_query(node=args.node, fact_name=args.fact, match=args.match, show_role=args.role) + query_puppetdb(query) + else: + query = build_query(node=args.node, fact_name=args.fact, match=args.match, show_role=args.role) + query_puppetdb(query) + +if __name__ == "__main__": + main() From 5b75cf735a4ad0df780ce79f3743f8ec3878ea8b Mon Sep 17 00:00:00 2001 
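Review bot: `requests.get(url, params={'query': query})` in query_puppetdb has no `timeout`, so an unreachable PuppetDB hangs the tool indefinitely, and connection errors surface as an uncaught traceback; use `response = requests.get(url, params={'query': query}, timeout=10)` and catch `requests.RequestException` with a short message. `parse_stdin` does `line.split()[0]`, which raises IndexError on a blank input line; `yield from (line.split()[0] for line in sys.stdin if line.strip())` skips them. Indentation is not recoverable from this rendering, but if the `build_query`/`query_puppetdb` calls sit after the `for node in parse_stdin()` loop rather than inside it, only the last node read from stdin is queried — worth confirming. `http://puppetdb:8080` is the plaintext, unauthenticated PuppetDB API port; a one-line comment stating that this is intentional on the management network would help the next reader.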
From: Ben Vincent Date: Mon, 11 Dec 2023 21:58:24 +1100 Subject: [PATCH 069/229] feat: manage ruby/puppet gems - manage installation of puppet_gem packages for puppetmasters --- hieradata/roles/infra/puppet/master.yaml | 4 ++++ site/profiles/manifests/puppet/gems.pp | 12 ++++++++++++ site/profiles/manifests/puppet/puppetmaster.pp | 1 + site/profiles/manifests/puppet/server.pp | 1 - 4 files changed, 17 insertions(+), 1 deletion(-) create mode 100644 site/profiles/manifests/puppet/gems.pp diff --git a/hieradata/roles/infra/puppet/master.yaml b/hieradata/roles/infra/puppet/master.yaml index 5a5f87c..f47db83 100644 --- a/hieradata/roles/infra/puppet/master.yaml +++ b/hieradata/roles/infra/puppet/master.yaml @@ -14,3 +14,7 @@ profiles::puppet::g10k::bin_path: '/opt/puppetlabs/bin/g10k' profiles::puppet::g10k::cfg_path: '/etc/puppetlabs/r10k/r10k.yaml' profiles::puppet::g10k::environments_path: '/etc/puppetlabs/code/environments' profiles::puppet::g10k::default_environment: 'develop' +profiles::puppet::gems::puppet: + - 'deep_merge' + - 'ipaddr' + - 'hiera-eyaml' diff --git a/site/profiles/manifests/puppet/gems.pp b/site/profiles/manifests/puppet/gems.pp new file mode 100644 index 0000000..b7a9369 --- /dev/null +++ b/site/profiles/manifests/puppet/gems.pp @@ -0,0 +1,12 @@ +# profiles::puppet::gems +class profiles::puppet::gems ( + Array $puppet = [], +){ + # install puppetmaster gems + $puppet.each | $pgem | { + package { $pgem: + ensure => installed, + provider => 'puppet_gem', + } + } +} diff --git a/site/profiles/manifests/puppet/puppetmaster.pp b/site/profiles/manifests/puppet/puppetmaster.pp index 9819d5e..627f247 100644 --- a/site/profiles/manifests/puppet/puppetmaster.pp +++ b/site/profiles/manifests/puppet/puppetmaster.pp 
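Review bot: `package { $pgem: ensure => installed, provider => 'puppet_gem' }` installs whatever version the configured gem source currently serves, with no pin, so the puppetmaster's gem set can change silently between runs and cannot be reproduced; take a `Hash[String[1], String[1]] $puppet = {}` of gem name to version and pass `ensure => $version`. `Array $puppet` is also untyped; if the array form is kept, `Array[String[1]]` at least rejects empty or non-string entries. A gem titled e.g. `ipaddr` (as in the Hiera data in this commit) collides with any `package` resource of the same title that uses the OS provider, so a prefixed title such as `"puppet_gem_${pgem}"` with `name => $pgem` avoids that.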
@@ -29,6 +29,7 @@ class profiles::puppet::puppetmaster ( include profiles::puppet::g10k include profiles::puppet::enc include profiles::puppet::autosign + include profiles::puppet::gems class { 'puppetdb::master::config': puppetdb_server => $puppetdb_host, diff --git a/site/profiles/manifests/puppet/server.pp b/site/profiles/manifests/puppet/server.pp index 7f0aec5..4930582 100644 --- a/site/profiles/manifests/puppet/server.pp +++ b/site/profiles/manifests/puppet/server.pp @@ -66,4 +66,3 @@ class profiles::puppet::server ( hasrestart => true, } } - From bf729d9b114019e8debd3b847cf266c095165a33 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Mon, 11 Dec 2023 22:14:45 +1100 Subject: [PATCH 070/229] feat: add selinux support to puppetboard - required to allow nginx to reach puppetdb --- site/profiles/manifests/puppet/puppetboard.pp | 11 ++++++++++ site/profiles/manifests/selinux/nginx.pp | 22 +++++++++++++++++++ 2 files changed, 33 insertions(+) create mode 100644 site/profiles/manifests/selinux/nginx.pp diff --git a/site/profiles/manifests/puppet/puppetboard.pp b/site/profiles/manifests/puppet/puppetboard.pp index 0085eb5..5d229a0 100644 --- a/site/profiles/manifests/puppet/puppetboard.pp +++ b/site/profiles/manifests/puppet/puppetboard.pp @@ -20,6 +20,7 @@ class profiles::puppet::puppetboard ( Integer $gunicorn_threads = 4, String $nginx_vhost = 'puppetboard.main.unkin.net', Integer $nginx_port = 80, + Boolean $selinux = true, #String[1] $secret_key = "${fqdn_rand_string(32)}", ) { @@ -120,4 +121,14 @@ class profiles::puppet::puppetboard ( server => $nginx_vhost, location_alias => "${virtualenv_dir}/lib/python${python_version}/site-packages/puppetboard/static", } + + + # if selinux is defined, manage it + if $selinux { + + # call the nginx selinux class + class { 'profiles::selinux::nginx': + require => Class['Nginx'], + } + } } 
diff --git a/site/profiles/manifests/selinux/nginx.pp b/site/profiles/manifests/selinux/nginx.pp new file mode 100644 index 0000000..2c8f585 --- /dev/null +++ b/site/profiles/manifests/selinux/nginx.pp @@ -0,0 +1,22 @@ +# profiles::selinux::nginx +# selinux settings for nginx +class profiles::selinux::nginx ( + Boolean $persistent = true, + Boolean $httpd_can_network_connect = true, + String $selinux_mode = 'enforcing', +){ + # include packages that are required + include profiles::packages::selinux + + # setenforce + class { 'profiles::selinux::setenforce': + mode => $selinux_mode, + } + + # make sure we can connect to network resources + selboolean { 'httpd_can_network_connect': + persistent => $persistent, + value => $httpd_can_network_connect, + } +} + From f9562a910934a6c9f220a465dd7176b735596474 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Mon, 18 Dec 2023 23:51:39 +1100 Subject: [PATCH 071/229] fix: check for python3_version - check for python3 version before attempting to setup node_lookup --- .../profiles/manifests/helpers/node_lookup.pp | 83 ++++++++++--------- 1 file changed, 46 insertions(+), 37 deletions(-) diff --git a/site/profiles/manifests/helpers/node_lookup.pp b/site/profiles/manifests/helpers/node_lookup.pp index b155f6c..4e6ee01 100644 --- a/site/profiles/manifests/helpers/node_lookup.pp +++ b/site/profiles/manifests/helpers/node_lookup.pp 
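Review bot: `httpd_can_network_connect` lets the httpd_t domain open outbound TCP connections to any port, which is broader than the stated need of letting nginx reach puppetdb; `httpd_can_network_relay`, which limits httpd to proxying to the http and proxy port types, may be sufficient for a reverse proxy and is the least-privilege choice — verify that the puppetdb port carries a label that boolean covers before switching. Whichever boolean is kept, a comment on the `selboolean` naming the target (`# nginx reverse-proxies to puppetdb; relay was/was not sufficient because …`) records why it was chosen.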
@@ -12,45 +12,54 @@ class profiles::helpers::node_lookup ( Array[String[1]] $packages = ['requests'], ){ - # ensure the base_path exists - file { $base_path: - ensure => directory, - mode => '0755', - owner => $owner, - group => $group, - } - # create a venv - python::pyvenv { $venv_path : - ensure => present, - version => $version, - systempkgs => $systempkgs, - venv_dir => $venv_path, - owner => $owner, - group => $group, - require => File[$base_path], - } + if $::facts['python3_version'] { - # install the required pip packages - $packages.each |String $package| { - python::pip { "${venv_path}_${package}": + $python_version = $version ? { + 'system' => $::facts['python3_version'], + default => $version, + } + + # ensure the base_path exists + file { $base_path: + ensure => directory, + mode => '0755', + owner => $owner, + group => $group, + } + + # create a venv + python::pyvenv { $venv_path : ensure => present, - pkgname => $package, - virtualenv => $venv_path, + version => $python_version, + systempkgs => $systempkgs, + venv_dir => $venv_path, + owner => $owner, + group => $group, + require => File[$base_path], + } + + # install the required pip packages + $packages.each |String $package| { + python::pip { "${venv_path}_${package}": + ensure => present, + pkgname => $package, + virtualenv => $venv_path, + } + } + + # create the script from a template + file { "${base_path}/${script_name}": + ensure => file, + mode => '0755', + content => template("profiles/helpers/${script_name}.erb"), + require => Python::Pyvenv[$venv_path], + } + + # create symbolic link in $PATH + file { "/usr/local/bin/${script_name}": + ensure => 'link', + target => "${base_path}/${script_name}", + require => File["${base_path}/${script_name}"], } } - - # create the script from a template - file { "${base_path}/${script_name}": - ensure => file, - mode => '0755', - content => template("profiles/helpers/${script_name}.erb"), - require => Python::Pyvenv[$venv_path], - } - - # create symbolic 
link in $PATH - file { "/usr/local/bin/${script_name}": - ensure => 'link', - target => "${base_path}/${script_name}", - require => File["${base_path}/${script_name}"], - } } From dcf83aa46639468b76b65e22266b2d4bf42720dc Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Fri, 22 Dec 2023 19:17:04 +1100 Subject: [PATCH 072/229] feat: add minio base role --- site/roles/manifests/infra/storage/minio.pp | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 site/roles/manifests/infra/storage/minio.pp diff --git a/site/roles/manifests/infra/storage/minio.pp b/site/roles/manifests/infra/storage/minio.pp new file mode 100644 index 0000000..252b35e --- /dev/null +++ b/site/roles/manifests/infra/storage/minio.pp @@ -0,0 +1,5 @@ +# a role to deploy a minio node +class roles::infra::storage::minio { + include profiles::defaults + include profiles::base +} From 0c1548fbd87591f4eb736575334592714fef385a Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sun, 24 Dec 2023 12:54:09 +1100 Subject: [PATCH 073/229] feat: add new datavol - add datavol define to replace the datavol class, which has more flexibility through additional params, and the ability to call it multiple times for multiple datavolumes --- site/profiles/manifests/storage/datavol.pp | 75 ++++++++++++++++++++++ 1 file changed, 75 insertions(+) create mode 100644 site/profiles/manifests/storage/datavol.pp diff --git a/site/profiles/manifests/storage/datavol.pp b/site/profiles/manifests/storage/datavol.pp new file mode 100644 index 0000000..ecc9a9d --- /dev/null +++ b/site/profiles/manifests/storage/datavol.pp 
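Review bot: When `$::facts['python3_version']` is absent the whole class now silently manages nothing, and a previously installed `/usr/local/bin/node_lookup` on such a host would be left unmanaged; add `else { warning("${title}: python3_version fact not present, node_lookup not installed") }` so the skip is visible in the agent report. The `$python_version` selector maps `'system'` to the fact at the top of the `if`, which is only reached when the fact exists — fine, but a one-line comment above the selector saying so would save the next reader a check. The class's parameter list is outside this hunk.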
@@ -0,0 +1,75 @@ +# profiles::storage::datavol +# +# This define manages the creation of a logical volume using the `lvm::volume` definition. +# +# Parameters: +# $ensure - Ensure whether the logical volume is present or not. Defaults to 'present'. +# $vg - Volume group name. No default. +# $pv - Physical volume, typically the disk or partition device path. No default. +# $fstype - Filesystem type for the logical volume. Defaults to 'ext3'. +# $size - Size of the logical volume. undef = 100%FREE. Changing $size to cause a resize. +# +define profiles::storage::datavol ( + Enum['present', 'absent'] $ensure = 'present', + Enum['ext2', 'ext3', 'ext4', 'xfs', 'btrfs'] $fstype = 'xfs', + String $vg = 'datavg', + String $pv = '/dev/vdb', + String $lv = 'data', + String $owner = 'root', + String $group = 'root', + Stdlib::Filemode $mode = '0755', + Stdlib::Absolutepath $mount = '/data', + Optional[Variant[Pattern[/^\d+(M|G|T|P)$/], Integer]] $size = undef, + Array[Enum[ + 'defaults', 'ro', 'rw', 'sync', 'async', + 'noatime', 'nodiratime', 'noexec', 'nosuid', + 'nodev', 'remount', 'auto', 'noauto' + ]] $mount_options = ['noatime', 'nodiratime'], +) { + + # Ensure the physical volume exists + physical_volume { $pv: + ensure => $ensure, + before => Volume_group[$vg], + } + + # Ensure the volume group exists + volume_group { $vg: + ensure => $ensure, + physical_volumes => [$pv], + before => Logical_volume[$lv], + } + + # Ensure the logical volume exists + logical_volume { $lv: + ensure => $ensure, + volume_group => $vg, + size => $size, + before => Filesystem["/dev/${vg}/${lv}"], + } + + # Ensure the filesystem is created on the logical volume + filesystem { "/dev/${vg}/${lv}": + ensure => $ensure, + fs_type => $fstype, + require => Logical_volume[$lv], + before => Mount[$mount], + } + + # Ensure the mountpath exists + file { $mount: + ensure => directory, + owner => $owner, + group => $group, + mode => $mode, + } + + # Ensure the logical volume is mounted at the desired 
location + mount { $mount: + ensure => $ensure, + device => "/dev/${vg}/${lv}", + fstype => $fstype, + options => $mount_options.join(','), + require => Filesystem["/dev/${vg}/${lv}"], + } +} From 7431ebf51ce6e909aa3a5e8f2b609c9eb5cee7ad Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sun, 24 Dec 2023 14:12:54 +1100 Subject: [PATCH 074/229] feat: add region fact - add fact that maps primary ip subnet to a region code - defaults to 'lost' if there is no subnet to region mapping --- site/profiles/lib/facter/region.rb | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 site/profiles/lib/facter/region.rb diff --git a/site/profiles/lib/facter/region.rb b/site/profiles/lib/facter/region.rb new file mode 100644 index 0000000..966fa10 --- /dev/null +++ b/site/profiles/lib/facter/region.rb @@ -0,0 +1,28 @@ +# frozen_string_literal: true + +# set region based on the subnet + +Facter.add('region') do + setcode do + # use facts['networking']['ip']to find the promary IP address + ip = Facter.value(:networking)['ip'] + + # subnet to region mapping + subnet_to_region = { + '198.18.17.0/24' => 'au-drw-1' + } + + require 'ipaddr' + + # Find the region for the IP + region = 'lost' # default to 'lost' if no region matches + subnet_to_region.each do |subnet, region_name| + if IPAddr.new(subnet).include?(IPAddr.new(ip)) + region = region_name + break + end + end + + region + end +end From dbec0222b35e626e4f591a8b48d551485cf054be Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Tue, 26 Dec 2023 14:51:40 +1100 Subject: [PATCH 075/229] feat: add/update location facts - add country fact, change region to exclude country string --- site/profiles/lib/facter/country.rb | 28 ++++++++++++++++++++++++++++ site/profiles/lib/facter/region.rb | 2 +- 2 files changed, 29 insertions(+), 1 deletion(-) create mode 100644 site/profiles/lib/facter/country.rb 
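Review bot: The header comment disagrees with the signature: it documents `$fstype` as defaulting to 'ext3' while the parameter defaults to `'xfs'`, and it omits `$lv`, `$owner`, `$group`, `$mode`, `$mount` and `$mount_options` entirely, so the parameter table should be rewritten to match the actual list and defaults. `file { $mount: ensure => directory }` is unconditional, so with `ensure => 'absent'` the define removes LV, filesystem and mount but leaves the mountpoint directory behind; `ensure => $ensure ? { 'absent' => 'absent', default => 'directory' }` would keep the two consistent, if removing the emptied mountpoint is the intended behaviour. The `Enum` on `$mount_options` accepts `nodev`, `nosuid` and `noexec` but the default `['noatime', 'nodiratime']` sets none of them; worth a sentence in the header that callers mounting pure data volumes should opt in.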
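Review bot: `IPAddr.new(ip)` receives whatever `Facter.value(:networking)['ip']` returns, so on a host without a primary IP in the networking fact (nil or empty) the fact raises `IPAddr::InvalidAddressError` instead of resolving to the documented `'lost'` default; add `next 'lost' if ip.nil? || ip.empty?` before the loop and build `IPAddr.new(ip)` once outside it rather than per subnet. The comment `# use facts['networking']['ip']to find the promary IP address` has a typo (`primary`) and a missing space. `country.rb` in the following patch repeats the same pattern with default `'stateless'` and needs the same guard. Both values are computed on the agent from node-supplied data, so anything that keys data lookup or authorization on `region`/`country` should treat them as untrusted.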
diff --git a/site/profiles/lib/facter/country.rb b/site/profiles/lib/facter/country.rb new file mode 100644 index 0000000..52977d6 --- /dev/null +++ b/site/profiles/lib/facter/country.rb @@ -0,0 +1,28 @@ +# frozen_string_literal: true + +# set country based on the subnet + +Facter.add('country') do + setcode do + # use facts['networking']['ip']to find the promary IP address + ip = Facter.value(:networking)['ip'] + + # subnet to region mapping + subnet_to_country = { + '198.18.17.0/24' => 'au' + } + + require 'ipaddr' + + # Find the region for the IP + country = 'stateless' # default to 'stateless' if no country matches + subnet_to_country.each do |subnet, country_initial| + if IPAddr.new(subnet).include?(IPAddr.new(ip)) + country = country_initial + break + end + end + + country + end +end diff --git a/site/profiles/lib/facter/region.rb b/site/profiles/lib/facter/region.rb index 966fa10..248fb12 100644 --- a/site/profiles/lib/facter/region.rb +++ b/site/profiles/lib/facter/region.rb @@ -9,7 +9,7 @@ Facter.add('region') do # subnet to region mapping subnet_to_region = { - '198.18.17.0/24' => 'au-drw-1' + '198.18.17.0/24' => 'drw1' } require 'ipaddr' From a144e4ec2d79b2197d36e10426d82222c1489a58 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Tue, 26 Dec 2023 16:27:28 +1100 Subject: [PATCH 076/229] feat: install bind-utils --- hieradata/common.yaml | 3 +++ site/profiles/manifests/dns/base.pp | 3 +++ 2 files changed, 6 insertions(+) diff --git a/hieradata/common.yaml b/hieradata/common.yaml index 79f8edb..0d96f9b 100644 --- a/hieradata/common.yaml +++ b/hieradata/common.yaml @@ -7,6 +7,9 @@ lookup_options: merge: strategy: deep +# this switch installs bind-utils +bind::defaults::nsupdate_package: true + profiles::ntp::client::ntp_role: 'roles::infra::ntp::server' profiles::ntp::client::peers: - 0.pool.ntp.org diff --git a/site/profiles/manifests/dns/base.pp b/site/profiles/manifests/dns/base.pp index 6510453..6bd2458 100644 --- a/site/profiles/manifests/dns/base.pp 
+++ b/site/profiles/manifests/dns/base.pp @@ -5,6 +5,9 @@ class profiles::dns::base ( Array $nameservers = ['8.8.8.8', '1.1.1.1'], ){ + # install bind_utils + include bind::updater + # if ns_role is set, find all hosts matching that enc_role if $ns_role == undef { $nameserver_array = $nameservers From aabce289a4f73e04fb01437ca13c821559aefc66 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Tue, 26 Dec 2023 16:31:40 +1100 Subject: [PATCH 077/229] feat: remove boolean for bind::updater - default to the default set by the module --- hieradata/common.yaml | 3 --- 1 file changed, 3 deletions(-) diff --git a/hieradata/common.yaml b/hieradata/common.yaml index 0d96f9b..79f8edb 100644 --- a/hieradata/common.yaml +++ b/hieradata/common.yaml @@ -7,9 +7,6 @@ lookup_options: merge: strategy: deep -# this switch installs bind-utils -bind::defaults::nsupdate_package: true - profiles::ntp::client::ntp_role: 'roles::infra::ntp::server' profiles::ntp::client::peers: - 0.pool.ntp.org From 8e0ab958722f1a8eeeaf36af81b1b9bbfa668a3b Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Thu, 28 Dec 2023 17:30:26 +1100 Subject: [PATCH 078/229] fix: fixed fact variables in hiera.yaml - replaced ${..} with %{..} --- hiera.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/hiera.yaml b/hiera.yaml index 3097474..bccbba6 100644 --- a/hiera.yaml +++ b/hiera.yaml 
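Review bot: The comment `# install bind_utils` does not describe the line under it — `include bind::updater` declares a class from the site `bind` module, and whether that installs bind-utils depends on that class's package handling, which the following patch leaves at the module default. Say what is actually declared, e.g. `# bind::updater: nsupdate client (bind-utils on EL), package handling per module default`. The rest of `profiles::dns::base` is outside the hunk.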
@@ -9,10 +9,10 @@ hierarchy: - "nodes/%{trusted.certname}.yaml" - "roles/%{::enc_role_tier1}.eyaml" - "roles/%{::enc_role_tier1}.yaml" - - "roles/${::enc_role_tier1}/%{::enc_role_tier2}.eyaml" - - "roles/${::enc_role_tier1}/%{::enc_role_tier2}.yaml" - - "roles/${::enc_role_tier1}/%{::enc_role_tier2}/%{::enc_role_tier3}.eyaml" - - "roles/${::enc_role_tier1}/%{::enc_role_tier2}/%{::enc_role_tier3}.yaml" + - "roles/%{::enc_role_tier1}/%{::enc_role_tier2}.eyaml" + - "roles/%{::enc_role_tier1}/%{::enc_role_tier2}.yaml" + - "roles/%{::enc_role_tier1}/%{::enc_role_tier2}/%{::enc_role_tier3}.eyaml" + - "roles/%{::enc_role_tier1}/%{::enc_role_tier2}/%{::enc_role_tier3}.yaml" - "%{::enc_role_path}.eyaml" - "%{::enc_role_path}.yaml" - "os/%{facts.os.name}/%{facts.os.name}%{facts.os.release.major}.yaml" From d8751ac6c8455aada5390d70cd67aca50c74ab7a Mon Sep 17 00:00:00 2001 
From: Ben Vincent Date: Sun, 24 Dec 2023 13:54:40 +1100 Subject: [PATCH 079/229] feat: add minio profile - add additional modules in Puppetfile - update puppetlabs-lvm to 2.1.0 - add facts.d base path to hieradata - add infra/storage and infra/storage/minio role data to hieradata - add new facts for minio setup status - add a static yaml minio-facts file to assist dynamic ruby facts - updated hiera with additional directories (country/{role,region}) --- Puppetfile | 4 +- hiera.yaml | 26 ++- hieradata/common.yaml | 2 + .../au/region/drw1/infra/storage/minio.yaml | 6 + hieradata/roles/infra/storage/minio.eyaml | 2 + hieradata/roles/infra/storage/minio.yaml | 9 + .../lib/facter/minio_datadirs_initialised.rb | 26 +++ .../profiles/lib/facter/minio_group_exists.rb | 20 ++ site/profiles/lib/facter/minio_pool_dns.rb | 35 +++ site/profiles/lib/facter/minio_user_exists.rb | 20 ++ site/profiles/manifests/minio/server.pp | 208 ++++++++++++++++++ site/profiles/manifests/pki/puppetcerts.pp | 42 ++++ .../templates/minio/minio.service.erb | 38 ++++ .../templates/minio/minio_facts.yaml.erb | 17 ++ site/roles/manifests/infra/storage/minio.pp | 1 + 15 files changed, 449 insertions(+), 7 deletions(-) create mode 100644 hieradata/country/au/region/drw1/infra/storage/minio.yaml create mode 100644 hieradata/roles/infra/storage/minio.eyaml create mode 100644 hieradata/roles/infra/storage/minio.yaml create mode 100644 site/profiles/lib/facter/minio_datadirs_initialised.rb create mode 100644 site/profiles/lib/facter/minio_group_exists.rb create mode 100644 site/profiles/lib/facter/minio_pool_dns.rb create mode 100644 site/profiles/lib/facter/minio_user_exists.rb create mode 100644 site/profiles/manifests/minio/server.pp create mode 100644 site/profiles/manifests/pki/puppetcerts.pp create mode 100644 site/profiles/templates/minio/minio.service.erb create mode 100644 site/profiles/templates/minio/minio_facts.yaml.erb diff --git a/Puppetfile b/Puppetfile index c197bde..4654fa0 100644 
--- a/Puppetfile +++ b/Puppetfile @@ -8,7 +8,7 @@ mod 'puppetlabs-concat', '9.0.0' mod 'puppetlabs-vcsrepo', '6.1.0' mod 'puppetlabs-yumrepo_core', '2.0.0' mod 'puppetlabs-apt', '9.1.0' -mod 'puppetlabs-lvm', '2.0.3' +mod 'puppetlabs-lvm', '2.1.0' mod 'puppetlabs-puppetdb', '7.13.0' mod 'puppetlabs-postgresql', '9.1.0' mod 'puppetlabs-firewall', '6.0.0' @@ -33,6 +33,8 @@ mod 'ghoneycutt-puppet', '3.3.0' mod 'saz-sudo', '8.0.0' mod 'dalen-puppetdbquery', '3.0.1' mod 'markt-galera', '3.1.0' +mod 'kogitoapp-minio', '1.1.4' +mod 'broadinstitute-certs', '3.0.1' mod 'bind', :git => 'https://git.unkin.net/unkinben/puppet-bind.git', diff --git a/hiera.yaml b/hiera.yaml index bccbba6..b763ee3 100644 --- a/hiera.yaml +++ b/hiera.yaml 
@@ -7,14 +7,28 @@ hierarchy: - name: Consolidated Data paths: - "nodes/%{trusted.certname}.yaml" - - "roles/%{::enc_role_tier1}.eyaml" - - "roles/%{::enc_role_tier1}.yaml" - - "roles/%{::enc_role_tier1}/%{::enc_role_tier2}.eyaml" - - "roles/%{::enc_role_tier1}/%{::enc_role_tier2}.yaml" + - "country/%{::country}/region/%{::region}/%{::enc_role_tier1}/%{::enc_role_tier2}/%{::enc_role_tier3}.eyaml" + - "country/%{::country}/region/%{::region}/%{::enc_role_tier1}/%{::enc_role_tier2}/%{::enc_role_tier3}.yaml" + - "country/%{::country}/region/%{::region}/%{::enc_role_tier1}/%{::enc_role_tier2}.eyaml" + - "country/%{::country}/region/%{::region}/%{::enc_role_tier1}/%{::enc_role_tier2}.yaml" + - "country/%{::country}/region/%{::region}/%{::enc_role_tier1}.eyaml" + - "country/%{::country}/region/%{::region}/%{::enc_role_tier1}.yaml" + - "country/%{::country}/roles/%{::enc_role_tier1}/%{::enc_role_tier2}/%{::enc_role_tier3}.eyaml" + - "country/%{::country}/roles/%{::enc_role_tier1}/%{::enc_role_tier2}/%{::enc_role_tier3}.yaml" + - "country/%{::country}/roles/%{::enc_role_tier1}/%{::enc_role_tier2}.eyaml" + - "country/%{::country}/roles/%{::enc_role_tier1}/%{::enc_role_tier2}.yaml" + - "country/%{::country}/roles/%{::enc_role_tier1}.eyaml" + - "country/%{::country}/roles/%{::enc_role_tier1}.yaml" + - "country/%{::country}/region/%{::region}.eyaml" + - "country/%{::country}/region/%{::region}.yaml" + - "country/%{::country}.eyaml" + - "country/%{::country}.yaml" - "roles/%{::enc_role_tier1}/%{::enc_role_tier2}/%{::enc_role_tier3}.eyaml" - "roles/%{::enc_role_tier1}/%{::enc_role_tier2}/%{::enc_role_tier3}.yaml" - - "%{::enc_role_path}.eyaml" - - "%{::enc_role_path}.yaml" + - "roles/%{::enc_role_tier1}/%{::enc_role_tier2}.eyaml" + - "roles/%{::enc_role_tier1}/%{::enc_role_tier2}.yaml" + - "roles/%{::enc_role_tier1}.eyaml" + - "roles/%{::enc_role_tier1}.yaml" - "os/%{facts.os.name}/%{facts.os.name}%{facts.os.release.major}.yaml" - "os/%{facts.os.name}/all_releases.yaml" - 
"common.eyaml" diff --git a/hieradata/common.yaml b/hieradata/common.yaml index 79f8edb..dc4b711 100644 --- a/hieradata/common.yaml +++ b/hieradata/common.yaml @@ -7,6 +7,8 @@ lookup_options: merge: strategy: deep +facts_path: '/opt/puppetlabs/facter/facts.d' + profiles::ntp::client::ntp_role: 'roles::infra::ntp::server' profiles::ntp::client::peers: - 0.pool.ntp.org diff --git a/hieradata/country/au/region/drw1/infra/storage/minio.yaml b/hieradata/country/au/region/drw1/infra/storage/minio.yaml new file mode 100644 index 0000000..1b428c1 --- /dev/null +++ b/hieradata/country/au/region/drw1/infra/storage/minio.yaml @@ -0,0 +1,6 @@ +--- +profiles::minio::server::minio_members: 5 +profiles::minio::server::blockdev: + - /dev/sda + - /dev/sdb +profiles::minio::server::minio_storage_class: 'EC:2' diff --git a/hieradata/roles/infra/storage/minio.eyaml b/hieradata/roles/infra/storage/minio.eyaml new file mode 100644 index 0000000..08e0b2d --- /dev/null +++ b/hieradata/roles/infra/storage/minio.eyaml @@ -0,0 +1,2 @@ +--- +profiles::minio::server::minio_root_pass: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAcAGh4K8P/bOwHs7FEAssBcYgtT+FlkMW4/jpJf230sbOh0jswvCl0woQMMw+AIpkXNJ//YcmDBkhdE92RCK8C4Xi/2nkdWjPt9FQwuT47BhAKISjunRs9R61dKj5aOwAlTQ3lNtsQsknGz17AMTyPEGQC9SnPxYirLRr9VgJX/EKPjl7M2LbkZTJChwIE6IiT+LSzye7YgpkJ7O6h4jNIp5ryWaUqSUfooYjqHc1zl4Bs9ZfyY1K/CWCTIbtd4hY1ZlskRlVa9yA0cWhsufV0gw43RA/bCAJPowLc64bZ4XlLx9Fy0qHKjTCDRLzysUoq0QjIR2Ulf1TkcCJAVLwFDBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBC3+P+RW/JoQemkVJE/mpAngDAw1JpFkBvLj4AlbJePvpnG+fFN8coOE+5N94NgGd9Gtl2NZt/g5x/7xFHS28cSlIg=] diff --git a/hieradata/roles/infra/storage/minio.yaml b/hieradata/roles/infra/storage/minio.yaml new file mode 100644 index 0000000..62505fb --- /dev/null +++ b/hieradata/roles/infra/storage/minio.yaml 
@@ -0,0 +1,9 @@ +--- +profiles::minio::server::minio_members_role: roles::infra::storage::minio +profiles::minio::server::minio_root_user: admin +profiles::minio::server::minio_opts: + - '--anonymous' +profiles::minio::server::minio_members_lookup: true +profiles::minio::server::version: 'RELEASE.2023-12-20T01-00-02Z' +profiles::minio::server::checksum: '09fafaf399885b4912bafda6fa03fc4ccbc39ec45e17239677217317915d6aeb' +profiles::minio::server::checksum_type: 'sha256' diff --git a/site/profiles/lib/facter/minio_datadirs_initialised.rb b/site/profiles/lib/facter/minio_datadirs_initialised.rb new file mode 100644 index 0000000..17180ab --- /dev/null +++ b/site/profiles/lib/facter/minio_datadirs_initialised.rb @@ -0,0 +1,26 @@ +# frozen_string_literal: true + +# check all datadirs for minio are initialised + +require 'yaml' +Facter.add('minio_datadirs_initialised') do + setcode do + yaml_file_path = '/opt/puppetlabs/facter/facts.d/minio_facts.yaml' + + # check if the YAML file exists first + next false unless File.exist?(yaml_file_path) + + minio_facts = YAML.load_file(yaml_file_path) + dev_count = minio_facts['minio_blockdev_count'] + datadir = minio_facts['minio_datadir'] + + # check datadir if no blockdevices are used, otherwise check the store locations + if dev_count.zero? + Dir.exist?(datadir) + else + (1..dev_count).all? do |number| + Dir.exist?("#{datadir}/store#{number}") + end + end + end +end diff --git a/site/profiles/lib/facter/minio_group_exists.rb b/site/profiles/lib/facter/minio_group_exists.rb new file mode 100644 index 0000000..14c322a --- /dev/null +++ b/site/profiles/lib/facter/minio_group_exists.rb 
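Review bot: `dev_count.zero?` raises `NoMethodError` when `minio_facts['minio_blockdev_count']` is missing or blank, so a partially written or older `minio_facts.yaml` turns this fact into a resolution error rather than `false`; use `dev_count = minio_facts.fetch('minio_blockdev_count', 0).to_i` and `next false unless datadir` so it degrades to `false`. The `minio_group_exists`, `minio_user_exists` and `minio_pool_dns` facts added in this patch read the same file and would benefit from the same defensive access. `YAML.safe_load_file` (Psych ≥ 3.3) instead of `YAML.load_file` keeps the fact from ever instantiating arbitrary Ruby objects from the file, even though it is root-written by Puppet.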
@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+# check that the minio group exists
+
+require 'yaml'
+Facter.add('minio_group_exists') do
+ setcode do
+ yaml_file_path = '/opt/puppetlabs/facter/facts.d/minio_facts.yaml'
+
+ # check if the YAML file exists first
+ next false unless File.exist?(yaml_file_path)
+
+ minio_facts = YAML.load_file(yaml_file_path)
+ group_name = minio_facts['minio_group']
+
+ group_exists = system("getent group #{group_name} >/dev/null 2>&1")
+
+ group_exists
+ end
+end
diff --git a/site/profiles/lib/facter/minio_pool_dns.rb b/site/profiles/lib/facter/minio_pool_dns.rb
new file mode 100644
index 0000000..6ccf804
--- /dev/null
+++ b/site/profiles/lib/facter/minio_pool_dns.rb
@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+require 'facter'
+require 'yaml'
+
+Facter.add('minio_pool_dns') do
+ setcode do
+ yaml_file_path = '/opt/puppetlabs/facter/facts.d/minio_facts.yaml'
+
+ # check if the YAML file exists
+ next {} unless File.exist?(yaml_file_path)
+
+ # load data from YAML
+ data = YAML.load_file(yaml_file_path)
+ minio_members = data['minio_members']
+ minio_region = data['minio_region']
+ minio_pool = data['minio_pool']
+ domain = Facter.value(:networking)['domain']
+
+ # create result hash
+ result = {}
+
+ # Check CNAME for each node_id from 1 to minio_members
+ (1..minio_members).each do |node_id|
+ cname_target = "#{minio_region}-#{minio_pool}-#{node_id}.#{domain}"
+ command = "host #{cname_target} > /dev/null 2>&1"
+
+ # Using system method to execute the command
+ # It returns true if the command gives exit status 0 (success), otherwise false
+ result[cname_target] = system(command)
+ end
+
+ result
+ end
+end
diff --git a/site/profiles/lib/facter/minio_user_exists.rb b/site/profiles/lib/facter/minio_user_exists.rb
new file mode 100644
index 0000000..e1b3ef2
--- /dev/null
+++ b/site/profiles/lib/facter/minio_user_exists.rb
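Review bot: `system("getent group #{group_name} >/dev/null 2>&1")` hands a value read from the facts YAML to `/bin/sh` through string interpolation; the file is written by Puppet so the exposure is low, but the multi-argument form avoids the shell entirely and a nil/blank name can be rejected first: `next false if group_name.nil? || group_name.empty?` then `group_exists = system('getent', 'group', group_name, out: File::NULL, err: File::NULL)`. The same interpolated-shell pattern is in `minio_pool_dns.rb` (`host #{cname_target}`, this patch) and `minio_user_exists.rb` (`id #{user_name}`, the next section) and should be changed the same way. `Kernel#system` returns `nil` rather than `false` when the binary cannot be executed, so consumers comparing the fact against `false` should expect that case as well.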
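Review bot: `(1..minio_members).each` assumes `data['minio_members']` is an Integer, but the template that writes `minio_facts.yaml` emits `minio_members: <%= @minio_members %>`, which is empty when the class parameter keeps its `undef` default — the fact then raises `ArgumentError: bad value for range` instead of returning `{}`; guard with `next {} unless minio_members.is_a?(Integer) && minio_members.positive?`. Every iteration shells out to `host`; NXDOMAIN returns promptly, but with an unreachable resolver each lookup waits for the full client timeout, so a five-member pool can add tens of seconds to every facter run. `Resolv::DNS` with `timeouts = 2` would bound that and drop the dependency on `bind-utils` being installed. `require 'facter'` is unnecessary inside a custom fact that Facter itself loads.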
@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+# check that the minio user exists
+
+require 'yaml'
+Facter.add('minio_user_exists') do
+ setcode do
+ yaml_file_path = '/opt/puppetlabs/facter/facts.d/minio_facts.yaml'
+
+ # check if the YAML file exists first
+ next false unless File.exist?(yaml_file_path)
+
+ minio_facts = YAML.load_file(yaml_file_path)
+ user_name = minio_facts['minio_user']
+
+ user_exists = system("id #{user_name} >/dev/null 2>&1")
+
+ user_exists
+ end
+end
diff --git a/site/profiles/manifests/minio/server.pp b/site/profiles/manifests/minio/server.pp
new file mode 100644
index 0000000..509e970
--- /dev/null
+++ b/site/profiles/manifests/minio/server.pp
@@ -0,0 +1,208 @@ +# profiles::minio::server +class profiles::minio::server ( + String $minio_root_user, + String $minio_root_pass, + Array $minio_opts = [], + Boolean $minio_members_lookup = false, + String $minio_members_role = undef, + Integer $minio_members = undef, + Array $minio_servers = [], + String $minio_storage_class = 'EC:2', + String $version = 'RELEASE.2023-12-20T01-00-02Z', + String $checksum = '09fafaf399885b4912bafda6fa03fc4ccbc39ec45e17239677217317915d6aeb', + String $checksum_type = 'sha256', + String $owner = 'minio', + String $group = 'minio', + Stdlib::Fqdn $url_domain = $::facts['networking']['domain'], + Enum['http', 'https'] $url_scheme = 'http', + Enum['puppet', undef] $cert_type = 'puppet', + Array[String[0]] $blockdev = [], + Stdlib::Port $listen_port = 9000, + Stdlib::IP::Address $listen_addr = $::facts['networking']['ip'], + Stdlib::AbsolutePath $datadir = '/data/minio', + Stdlib::AbsolutePath $confdir = '/etc/minio', + Stdlib::AbsolutePath $homedir = '/var/lib/minio', + Stdlib::AbsolutePath $bindir = '/opt/minio', +) { + + # create the region string + $minio_region = "${::facts['country']}-${::facts['region']}" + + # count the block devices + $blockdev_count = count($blockdev) + + # create minio static facts, which are used by pre-compile facts + file { "${lookup('facts_path')}/minio_facts.yaml": + ensure => file, + content => template('profiles/minio/minio_facts.yaml.erb'), + } + + # create the user if its not yet initialised, if it is initialised, let the minio::server class manage + # manage the resource. This is done so that the user/group exist before attempting to create the data- + # directories. + if ! $::facts['minio_user_exists'] { + class {'minio::server::user': + manage_user => true, + manage_group => true, + manage_home => true, + owner => $owner, + group => $group, + home => $homedir, + } + } + + # create the datadir + if ! 
$::facts['minio_datadirs_initialised'] { + + # create the datadir root + exec { "mkdir_p_${datadir}": + command => "mkdir -p '${datadir}'", + unless => "test -d '${datadir}'", + path => '/bin:/usr/bin', + } + + # create te datavol's if blockdev's are listed + $blockdev.each |Integer $index, String $device| { + $id = $index + 1 + profiles::storage::datavol {"${::facts['networking']['fqdn']}_${device}": + fstype => 'xfs', + vg => "minio_vg${id}", + pv => $device, + lv => "store${id}", + owner => $owner, + group => $group, + mount => "${datadir}/store${id}", + require => Exec["mkdir_p_${datadir}"], + } + } + } + + # copy puppet certs to /etc/pki/tls/puppet + include profiles::pki::puppetcerts + + # create the cert configuration hash + if $cert_type == 'puppet' { + $cert_conf = { + 'source_path' => '/etc/pki/tls/puppet', + 'source_cert_name' => $::facts['networking']['fqdn'], + 'source_key_name' => $::facts['networking']['fqdn'], + } + } + + # if lookup is enabled, find all the hosts in the specified role and create the servers_array + if $minio_members_lookup { + + # check that the role is also set + unless !($minio_members_role == undef) { + fail("minio_members_role must be provided for ${title} when minio_members_lookup is True") + } + + # if it is, find hosts, sort them so they dont cause changes every run + #$servers_array = sort(query_nodes("enc_role='${minio_members_role}'", 'networking.fqdn')) + $servers_array = sort(query_nodes("enc_role='${minio_members_role}' and minio_region='${minio_region}'", 'networking.fqdn')) + + # else use provided array from params + }else{ + $servers_array = $minio_servers + } + + # iterate through the servers_array and find the nodeid for each host + $servers_array.each |Integer $index, String $server| { + $id = $index + 1 + if $::facts['networking']['fqdn'] == $server { + $nodeid = $id + if $::facts['minio_pool'] != undef { + + # create a cname which is used to create a sequential group of names for distributed minio pool + 
profiles::dns::record { "${minio_region}-${::facts['minio_pool']}-${nodeid}.${::facts['networking']['domain']}_CNAME": + value => $::facts['networking']['hostname'], + type => 'CNAME', + record => "${minio_region}-${::facts['minio_pool']}-${nodeid}.${::facts['networking']['domain']}.", + zone => $::facts['networking']['domain'], + order => 10, + } + } + } + } + + # wait until all expected servers in the pool have reported into puppet + if count($servers_array) == $::facts['minio_members'] and $::facts['minio_pool'] != undef { + + # if datadirs and user have been initialised, prepare configuration. + if $::facts['minio_datadirs_initialised'] and $::facts['minio_user_exists'] { + + # join the minio_opts + $options = join($minio_opts, ' ') + + # create vars for $deployment_definition, others used below are params + $url_location = "${minio_region}-${::facts['minio_pool']}" + $url_servers = "1...${count($servers_array)}" + + # create the deployment definition line + # >= 1 : https://au-somewhere-1-pool1-{1...5}.example.domain/var/minio/store{1...4} + # == 1 : https://au-somewhere-1-pool1-{1...5}.example.domain/var/minio/store1 + # else : https://au-somewhere-1-pool1-{1...5}.example.domain/var/minio + if $blockdev_count >= 1 { + $deployment_definition = "${url_scheme}://${url_location}-{${url_servers}}.${url_domain}:${listen_port}${datadir}/store{1...${blockdev_count}}" + }elsif $blockdev_count == 1 { + $deployment_definition = "${url_scheme}://${url_location}-{${url_servers}}.${url_domain}:${listen_port}${datadir}/store1" + }else{ + $deployment_definition = "${url_scheme}://${url_location}-{${url_servers}}.${url_domain}:${listen_port}${datadir}" + } + + # create the configuration hash + $configuration = { + 'MINIO_ROOT_USER' => $minio_root_user, + 'MINIO_ROOT_PASSWORD' => $minio_root_pass.unwrap, + 'MINIO_REGION_NAME' => $minio_region, + 'MINIO_OPTS' => "\'${options}\'", + 'MINIO_DEPLOYMENT_DEFINITION' => $deployment_definition, + 'MINIO_STORAGE_CLASS_STANDARD' => 
$minio_storage_class, + } + } + } + + # check all the expected DNS CNAME records do not exist + $all_dns_exist = $::facts['minio_pool_dns'].all |String $cname, Boolean $exists| { $exists } + + # create the minio server if all dns records exist + if $all_dns_exist { + class { 'minio::server::install': + package_ensure => 'present', + owner => $owner, + group => $group, + base_url => 'https://dl.minio.io/server/minio/release', + version => $version, + checksum => $checksum, + checksum_type => $checksum_type, + configuration_directory => $confdir, + installation_directory => $bindir, + storage_root => $datadir, + listen_ip => $listen_addr, + listen_port => $listen_port, + manage_service => true, + service_template => 'profiles/minio/minio.service.erb', + service_provider => 'systemd', + cert_directory => "${confdir}/certs", + custom_configuration_file_path => '/etc/default/minio', + } + + class { 'minio::server::config': + owner => $owner, + group => $group, + configuration_directory => $confdir, + installation_directory => $bindir, + storage_root => $datadir, + configuration => $configuration, + custom_configuration_file_path => '/etc/default/minio', + require => Class['Minio::Server::Install'], + } + + class { 'minio::server::service': + manage_service => true, + service_provider => 'systemd', + service_ensure => 'running', + require => Class['Minio::Server::Config'], + } + } +} diff --git a/site/profiles/manifests/pki/puppetcerts.pp b/site/profiles/manifests/pki/puppetcerts.pp new file mode 100644 index 0000000..c3d2920 --- /dev/null +++ b/site/profiles/manifests/pki/puppetcerts.pp 
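Review bot: `$minio_root_pass` is typed `String` yet the body calls `$minio_root_pass.unwrap`, so the root password travels through the catalog, the report and any `--debug` output in clear text; declare it `Sensitive[String] $minio_root_pass,` (and give the eyaml key a `lookup_options` entry with `convert_to: Sensitive`) so that `.unwrap` is meaningful and only the rendered `/etc/default/minio` holds the plaintext. The install guard `if $all_dns_exist` is true for an empty `minio_pool_dns` fact (`.all` over `{}`), and at that point `$configuration` has only been assigned inside the `count($servers_array) == $::facts['minio_members']` branch, so the server can be installed and configured with an undefined configuration hash; gate on both, e.g. `if $all_dns_exist and !empty($::facts['minio_pool_dns']) and defined('$configuration') {`. In the deployment-definition chain `if $blockdev_count >= 1 { … } elsif $blockdev_count == 1` the second branch is unreachable — the comment describes `> 1`, `== 1`, else — so a single-device node gets `store{1...1}` instead of `store1`. `$cert_conf` is built when `$cert_type == 'puppet'` but never passed to anything in this class; either wire it into the install class or remove it together with `include profiles::pki::puppetcerts`.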
@@ -0,0 +1,42 @@ +# profiles::pki::puppetcerts +class profiles::pki::puppetcerts { + + # Define the directory + file { '/etc/pki/tls/puppet': + ensure => 'directory', + owner => 'root', + group => 'root', + mode => '0755', + } + + # Copy the CA certificate + file { '/etc/pki/tls/puppet/ca.pem': + ensure => 'file', + owner => 'root', + group => 'root', + mode => '0644', + source => '/etc/puppetlabs/puppet/ssl/certs/ca.pem', + require => File['/etc/pki/tls/puppet'], + } + + # Copy the private key + file { "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.key": + ensure => 'file', + owner => 'root', + group => 'root', + mode => '0600', + source => "/etc/puppetlabs/puppet/ssl/private_keys/${facts['networking']['fqdn']}.pem", + require => File['/etc/pki/tls/puppet'], + } + + # Copy the certificate + $cert = "/etc/puppetlabs/puppet/ssl/certs/${facts['networking']['fqdn']}.pem" + file { "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.crt": + ensure => 'file', + owner => 'root', + group => 'root', + mode => '0644', + source => "/etc/puppetlabs/puppet/ssl/certs/${facts['networking']['fqdn']}.pem", + require => File['/etc/pki/tls/puppet'], + } +} diff --git a/site/profiles/templates/minio/minio.service.erb b/site/profiles/templates/minio/minio.service.erb new file mode 100644 index 0000000..efaddbe --- /dev/null +++ b/site/profiles/templates/minio/minio.service.erb 
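Review bot: `$cert` is assigned but never used — the `source` on the certificate resource repeats the same path literal — so either drop the variable or write `source => $cert`. More importantly, this copies the agent's own private key (`/etc/puppetlabs/puppet/ssl/private_keys/<fqdn>.pem`) to `/etc/pki/tls/puppet/<fqdn>.key` for reuse by another service; that key is the node's Puppet identity, so any service later granted read access to the copy inherits the ability to authenticate to the Puppet server as this agent (the copy is root:root 0600 now, which a `minio`-user process could not read anyway, so nothing in this patch is wired to it yet). Prefer a certificate and key issued for the service itself, and state in the class header which consumers the copy is for. A `file` + `source` copy also goes stale after agent certificate renewal until the next run, which the header should mention.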
@@ -0,0 +1,38 @@ +[Unit] +Description=Minio +Documentation=https://docs.minio.io +Wants=network-online.target +After=network-online.target +After=syslog.target network.target +AssertFileIsExecutable=<%= @installation_directory %>/minio + +[Service] +WorkingDirectory=<%= @installation_directory %> + +User=<%= @owner %> +Group=<%= @group %> + +PermissionsStartOnly=true + +EnvironmentFile=<%= @configuration_file_path %> +ExecStart=<%= @installation_directory %>/minio server $MINIO_OPTS --address <%= @listen_ip %>:<%= @listen_port %> $MINIO_DEPLOYMENT_DEFINITION + +StandardOutput=journal +StandardError=inherit + +# Specifies the maximum file descriptor number that can be opened by this process +LimitNOFILE=65536 + +# Disable timeout logic and wait until process is stopped +TimeoutStopSec=0 + +# SIGTERM signal is used to stop Minio +KillSignal=SIGTERM + +SendSIGKILL=no + +SuccessExitStatus=0 + +[Install] +WantedBy=multi-user.target + diff --git a/site/profiles/templates/minio/minio_facts.yaml.erb b/site/profiles/templates/minio/minio_facts.yaml.erb new file mode 100644 index 0000000..bc205b0 --- /dev/null +++ b/site/profiles/templates/minio/minio_facts.yaml.erb @@ -0,0 +1,17 @@ +# minio_facts.yaml +minio_user: '<%= @owner %>' +minio_group: '<%= @group %>' +minio_pool: '<%= @minio_pool %>' +minio_datadir: '<%= @datadir %>' +minio_confdir: '<%= @confdir %>' +minio_homedir: '<%= @homedir %>' +minio_bindir: '<%= @bindir %>' +minio_region: '<%= @minio_region %>' +minio_members: <%= @minio_members %> +minio_blockdev_count: <%= @blockdev_count %> +<% unless @blockdev.empty? -%> +minio_blockdevs: +<% @blockdev.each do |device| -%> + - '<%= device %>' +<% end -%> +<% end -%> diff --git a/site/roles/manifests/infra/storage/minio.pp b/site/roles/manifests/infra/storage/minio.pp index 252b35e..72411e8 100644 --- a/site/roles/manifests/infra/storage/minio.pp +++ b/site/roles/manifests/infra/storage/minio.pp 
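Review bot: `PermissionsStartOnly=true` is deprecated and has no effect in this unit because there is no `ExecStartPre=`/`ExecStartPost=` line (the `+` prefix on such lines is the modern replacement); drop it. The service runs as `<%= @owner %>` and reads `MINIO_ROOT_PASSWORD` from `EnvironmentFile`, so a minimal sandbox costs nothing here: `NoNewPrivileges=true`, `ProtectSystem=full` and `PrivateTmp=true` (add `ReadWritePaths=` for the storage root if `ProtectSystem=strict` is adopted later). `ExecStart` relies on systemd word-splitting of `$MINIO_OPTS` and `$MINIO_DEPLOYMENT_DEFINITION`; that is what makes the `{1...N}` expansion work, and a one-line comment above `ExecStart` saying so would save the next editor from quoting them.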
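Review bot: `minio_pool: '<%= @minio_pool %>'` references an instance variable that `profiles::minio::server` never declares — the class has no `$minio_pool` parameter or local and itself reads `$::facts['minio_pool']` — so unless it is set somewhere outside this commit the template writes `minio_pool: ''`, and `''` then passes the `$::facts['minio_pool'] != undef` checks in server.pp, yielding CNAMEs of the form `<region>--1.<domain>`. Likewise `minio_members: <%= @minio_members %>` is written empty when the `undef` default is kept, which `minio_pool_dns.rb` cannot handle. Either add a `$minio_pool` parameter to the class and emit both keys only when set (`<% unless @minio_pool.nil? || @minio_pool.empty? -%>`), or document in the template header that readers must treat blank values as absent.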
@@ -2,4 +2,5 @@ class roles::infra::storage::minio { include profiles::defaults include profiles::base + include profiles::minio::server } From db23e203c62e904729d9216ad2fda2f80187ae95 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Fri, 5 Jan 2024 22:00:10 +1100 Subject: [PATCH 080/229] fix: fix minio certificate param - change enum['string', undef] to an optional param so undef can be set --- site/profiles/manifests/minio/server.pp | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/site/profiles/manifests/minio/server.pp b/site/profiles/manifests/minio/server.pp index 509e970..3fdec43 100644 --- a/site/profiles/manifests/minio/server.pp +++ b/site/profiles/manifests/minio/server.pp @@ -13,16 +13,16 @@ class profiles::minio::server ( String $checksum_type = 'sha256', String $owner = 'minio', String $group = 'minio', - Stdlib::Fqdn $url_domain = $::facts['networking']['domain'], - Enum['http', 'https'] $url_scheme = 'http', - Enum['puppet', undef] $cert_type = 'puppet', - Array[String[0]] $blockdev = [], - Stdlib::Port $listen_port = 9000, - Stdlib::IP::Address $listen_addr = $::facts['networking']['ip'], - Stdlib::AbsolutePath $datadir = '/data/minio', - Stdlib::AbsolutePath $confdir = '/etc/minio', - Stdlib::AbsolutePath $homedir = '/var/lib/minio', - Stdlib::AbsolutePath $bindir = '/opt/minio', + Stdlib::Fqdn $url_domain = $::facts['networking']['domain'], + Enum['http', 'https'] $url_scheme = 'http', + Array[String[0]] $blockdev = [], + Stdlib::Port $listen_port = 9000, + Stdlib::IP::Address $listen_addr = $::facts['networking']['ip'], + Stdlib::AbsolutePath $datadir = '/data/minio', + Stdlib::AbsolutePath $confdir = '/etc/minio', + Stdlib::AbsolutePath $homedir = '/var/lib/minio', + Stdlib::AbsolutePath $bindir = '/opt/minio', + Optional[Enum['puppet']] $cert_type = 'puppet', ) { # create the region string From da53e28f0ec2a24e3bc205af8ae62f9fb45eb48e Mon Sep 17 00:00:00 2001 
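Review bot: The problem this patch fixes for `$cert_type` is still present on `String $minio_members_role = undef` and `Integer $minio_members = undef` in the lines just above the hunk: a parameter typed `String`/`Integer` does not admit `undef`, so leaving them unset fails type-checking at class declaration instead of ever reaching the `fail('minio_members_role must be provided ...')` guard in the body. Change them to `Optional[String] $minio_members_role = undef,` and `Optional[Integer] $minio_members = undef,`. The class body that consumes these values is outside the hunk.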
From: Ben Vincent Date: Sun, 7 Jan 2024 18:34:34 +1100 Subject: [PATCH 081/229] feat: add haproxy role - add infra::halb section for highly available load balancers --- site/roles/manifests/infra/halb/haproxy.pp | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 site/roles/manifests/infra/halb/haproxy.pp diff --git a/site/roles/manifests/infra/halb/haproxy.pp b/site/roles/manifests/infra/halb/haproxy.pp new file mode 100644 index 0000000..81c7455 --- /dev/null +++ b/site/roles/manifests/infra/halb/haproxy.pp @@ -0,0 +1,5 @@ +# a role to deploy a haproxy node +class roles::infra::halb::haproxy { + include profiles::defaults + include profiles::base +} From dc97d15ef95a2d4445af69a1fa7f9e1342bb1b6e Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Tue, 6 Feb 2024 22:51:59 +1100 Subject: [PATCH 082/229] feat: add consul role --- site/roles/manifests/infra/storage/consul.pp | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 site/roles/manifests/infra/storage/consul.pp diff --git a/site/roles/manifests/infra/storage/consul.pp b/site/roles/manifests/infra/storage/consul.pp new file mode 100644 index 0000000..22c3489 --- /dev/null +++ b/site/roles/manifests/infra/storage/consul.pp @@ -0,0 +1,6 @@ + +# a role to deploy a consul node +class roles::infra::storage::consul { + include profiles::defaults + include profiles::base +} From 5471294f1e68e8ac54c23d7e875da695a37da501 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sat, 10 Feb 2024 14:13:59 +1100 Subject: [PATCH 083/229] feat: cleanup almalinux 8.8 reposync - syncing almalinux 8.8 no longer required --- hieradata/roles/infra/reposync/syncer.yaml | 36 ---------------------- 1 file changed, 36 deletions(-) diff --git a/hieradata/roles/infra/reposync/syncer.yaml b/hieradata/roles/infra/reposync/syncer.yaml index e6a341e..b9d9dc0 100644 --- a/hieradata/roles/infra/reposync/syncer.yaml +++ b/hieradata/roles/infra/reposync/syncer.yaml 
@@ -1,40 +1,5 @@ --- profiles::reposync::repos_list: - almalinux_8_8_baseos: - repository: 'BaseOS' - description: 'AlmaLinux 8.8 - BaseOS' - osname: 'almalinux' - release: '8.8' - mirrorlist: https://mirrors.almalinux.org/mirrorlist/8.8/baseos - gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux' - almalinux_8_8_appstream: - repository: 'AppStream' - description: 'AlmaLinux 8.8 - AppStream' - osname: 'almalinux' - release: '8.8' - mirrorlist: https://mirrors.almalinux.org/mirrorlist/8.8/appstream - gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux' - almalinux_8_8_highavailability: - repository: 'HighAvailability' - description: 'AlmaLinux 8.8 - HighAvailability' - osname: 'almalinux' - release: '8.8' - mirrorlist: https://mirrors.almalinux.org/mirrorlist/8.8/ha - gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux' - almalinux_8_8_powertools: - repository: 'PowerTools' - description: 'AlmaLinux 8.8 - PowerTools' - osname: 'almalinux' - release: '8.8' - mirrorlist: https://mirrors.almalinux.org/mirrorlist/8.8/powertools - gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux' - almalinux_8_8_extras: - repository: 'extras' - description: 'AlmaLinux 8.8 - extras' - osname: 'almalinux' - release: '8.8' - mirrorlist: https://mirrors.almalinux.org/mirrorlist/8.8/extras - gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux' almalinux_8_9_baseos: repository: 'BaseOS' description: 'AlmaLinux 8.9 - BaseOS' @@ -75,7 +40,6 @@ profiles::reposync::repos_list: description: 'EPEL 8 Everything' osname: 'epel' release: '8' - # baseurl: 'https://dl.fedoraproject.org/pub/epel/8/Everything/x86_64/' mirrorlist: 'https://mirrors.fedoraproject.org/mirrorlist?repo=epel-8&arch=x86_64' gpgkey: 'https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-8' mariadb_11_2_el8: From d6eeed0b61f4e03fb62da15957ce8a084d8eb586 Mon Sep 17 00:00:00 2001 
From: Ben Vincent Date: Sat, 10 Feb 2024 14:15:53 +1100 Subject: [PATCH 084/229] feat: add vault role - add basic vault role to begin building servers --- site/roles/manifests/infra/storage/vault.pp | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 site/roles/manifests/infra/storage/vault.pp diff --git a/site/roles/manifests/infra/storage/vault.pp b/site/roles/manifests/infra/storage/vault.pp new file mode 100644 index 0000000..9d17004 --- /dev/null +++ b/site/roles/manifests/infra/storage/vault.pp @@ -0,0 +1,5 @@ +# a role to deploy a vault node +class roles::infra::storage::vault { + include profiles::defaults + include profiles::base +} From 8332d4f374aeeda8d2aa5a243addf5141325c766 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sat, 10 Feb 2024 15:19:12 +1100 Subject: [PATCH 085/229] fix: recursive restorecon for reposync - set reposync to restore selinux controls on all files in the new snap_path --- site/profiles/templates/reposync/autosyncer.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/site/profiles/templates/reposync/autosyncer.erb b/site/profiles/templates/reposync/autosyncer.erb index cd6c963..4f48e58 100644 --- a/site/profiles/templates/reposync/autosyncer.erb +++ b/site/profiles/templates/reposync/autosyncer.erb @@ -89,6 +89,6 @@ for conf in /etc/reposync/conf.d/*.conf; do create_repo_metadata "${snap_path}" # Update selinux - restorecon <%= @basepath %> + restorecon -R ${snap_path} done From a054a94d986f8f1f305e46d8bfbbbcda06754e16 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sat, 10 Feb 2024 15:31:45 +1100 Subject: [PATCH 086/229] feat: puppet wrapper replace dot - set puppet wrapper to replace '.' with '_' in the branch name --- site/profiles/templates/base/scripts/puppetwrapper.py.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/site/profiles/templates/base/scripts/puppetwrapper.py.erb b/site/profiles/templates/base/scripts/puppetwrapper.py.erb index 57ca8b1..809fd71 100644 
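Review bot: `${snap_path}` on the new restorecon line is unquoted, unlike the `create_repo_metadata "${snap_path}"` context line directly above it, so a snapshot path containing whitespace or glob characters would be word-split before restorecon sees it. `restorecon -R "${snap_path}"` keeps the two calls consistent. The enclosing `for conf in /etc/reposync/conf.d/*.conf` loop starts outside the hunk.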
--- a/site/profiles/templates/base/scripts/puppetwrapper.py.erb +++ b/site/profiles/templates/base/scripts/puppetwrapper.py.erb @@ -11,7 +11,7 @@ def main(): if index + 1 < len(args): # Check if there's another argument after "-E" environment_value = args[index + 1] # Replace \ and - with _ - modified_environment_value = environment_value.replace("\\", "_").replace("-", "_").replace("/","_") + modified_environment_value = environment_value.replace("\\", "_").replace("-", "_").replace("/","_").replace(".","_") args[index + 1] = modified_environment_value # Construct the full puppet command with the modified args From 71c316e7aeed834b8667a05e3c8de94dc7d35a1e Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sat, 10 Feb 2024 15:37:24 +1100 Subject: [PATCH 087/229] feat: cleanup reposync conf files - add feature to /etc/reposync/conf.d to ensure the subfiles are cleaned up when they are not defined --- site/profiles/manifests/reposync/syncer.pp | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/site/profiles/manifests/reposync/syncer.pp b/site/profiles/manifests/reposync/syncer.pp index 6f20996..a670679 100644 --- a/site/profiles/manifests/reposync/syncer.pp +++ b/site/profiles/manifests/reposync/syncer.pp @@ -14,10 +14,13 @@ class profiles::reposync::syncer { mode => '0755', } file { '/etc/reposync/conf.d': - ensure => directory, - owner => 'root', - group => 'root', - mode => '0755', + ensure => directory, + owner => 'root', + group => 'root', + mode => '0755', + purge => true, + recurse => true, + force => true, } # get a list of repos as a hash, and iterate through them From 8cb6b68b53fe0b277558d236fab0020428526348 Mon Sep 17 00:00:00 2001 
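Review bot: The replacement chain on the new line still maps only the four characters it enumerates, so any other character an `-E` value can carry (spaces, `@`, `:`, uppercase letters) reaches puppet unchanged and the next odd branch name will need yet another `.replace`. If the intent is to produce a valid Puppet environment name, which must consist of lowercase letters, digits and underscores, a single `re.sub(r'[^a-z0-9_]', '_', environment_value.lower())` covers every case at once; whether lowercasing is acceptable here I cannot tell from the hunk. `re` would need importing at the top of the template, and `main()` continues outside the hunk.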
From: Ben Vincent Date: Sat, 10 Feb 2024 23:50:13 +1100 Subject: [PATCH 088/229] feat: add consul server profile - install/configure consul - install/configure dnsmasq as dns proxy for consul - add unkin yumrepo definition as source for consul - update datavol to ensure the /data volume is mounted --- Puppetfile | 1 + .../au/region/drw1/infra/storage/consul.eyaml | 4 + .../au/region/drw1/infra/storage/consul.yaml | 3 + hieradata/os/AlmaLinux/AlmaLinux8.yaml | 1 + hieradata/os/AlmaLinux/all_releases.yaml | 1 + hieradata/roles/infra/storage/consul.eyaml | 2 + hieradata/roles/infra/storage/consul.yaml | 22 +++ site/profiles/manifests/base/datavol.pp | 3 +- site/profiles/manifests/consul/server.pp | 125 ++++++++++++++++++ site/profiles/manifests/yum/global.pp | 5 + site/profiles/manifests/yum/unkin.pp | 23 ++++ site/roles/manifests/infra/storage/consul.pp | 2 + 12 files changed, 191 insertions(+), 1 deletion(-) create mode 100644 hieradata/country/au/region/drw1/infra/storage/consul.eyaml create mode 100644 hieradata/country/au/region/drw1/infra/storage/consul.yaml create mode 100644 hieradata/roles/infra/storage/consul.eyaml create mode 100644 hieradata/roles/infra/storage/consul.yaml create mode 100644 site/profiles/manifests/consul/server.pp create mode 100644 site/profiles/manifests/yum/unkin.pp diff --git a/Puppetfile b/Puppetfile index 4654fa0..85a9ba9 100644 --- a/Puppetfile +++ b/Puppetfile @@ -27,6 +27,7 @@ mod 'puppet-nginx', '5.0.0' mod 'puppet-selinux', '4.1.0' mod 'puppet-prometheus', '13.4.0' mod 'puppet-grafana', '13.1.0' +mod 'puppet-consul', '8.0.0' # other mod 'ghoneycutt-puppet', '3.3.0' diff --git a/hieradata/country/au/region/drw1/infra/storage/consul.eyaml b/hieradata/country/au/region/drw1/infra/storage/consul.eyaml new file mode 100644 index 0000000..948b16f --- /dev/null +++ b/hieradata/country/au/region/drw1/infra/storage/consul.eyaml 
@@ -0,0 +1,4 @@ +--- +profiles::consul::server::gossip_key: ENC[PKCS7,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] +profiles::consul::server::acl_tokens_initial_management: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAi1UH7AZirJ1PdxWy+KEgS5ufm0wbn2xy9rkg14hKYpcVjBa4pOZpSLMGMiiUpBIqBytDMZM4ezYa/luktpkBImJbM/TE16beGtsacQGA+9eZk2Tihs9GR2qbAQiu5lLITiDlwNnf0GeWdqHM8CTeD68DczQF320d9U14/k6pG/7z+w/MGLcjsQoSuOFTm42JVn1BI46t1CYSCHMXQc/9Tfs+FzI+vumohI8DxAYBIuyzU5HBX/MntAsvD/yixMJS1pZL9WwgqZJC/wK34rVRB39DpxWf/WROrI+WLuSJwr7WBjaeF9Ju+89WKCgsI53EWhFTj8GgDZm/jqPoE478NjBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBAoACRzJdQKNYXZv6cghFIIgDAzB81DMcuY815nb8POtZpiA06jT/068AoZmSctHoFK/zW9tY229N5r1Tb+WHElqLk=] +profiles::consul::server::acl_tokens_default: ENC[PKCS7,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] diff --git a/hieradata/country/au/region/drw1/infra/storage/consul.yaml b/hieradata/country/au/region/drw1/infra/storage/consul.yaml new file mode 100644 index 0000000..fef2905 --- /dev/null +++ b/hieradata/country/au/region/drw1/infra/storage/consul.yaml @@ -0,0 +1,3 @@ +--- +profiles::consul::server::bootstrap_count: 3 +profiles::consul::server::raft_multiplier: 10 diff --git a/hieradata/os/AlmaLinux/AlmaLinux8.yaml b/hieradata/os/AlmaLinux/AlmaLinux8.yaml index ef48076..75984dc 100644 --- a/hieradata/os/AlmaLinux/AlmaLinux8.yaml +++ b/hieradata/os/AlmaLinux/AlmaLinux8.yaml @@ -8,3 +8,4 @@ profiles::yum::managed_repos: - 'highavailability' - 'puppet7' - 'yum.postgresql.org' + - 'unkin' diff --git a/hieradata/os/AlmaLinux/all_releases.yaml b/hieradata/os/AlmaLinux/all_releases.yaml index 6592ae6..9a85522 100644 --- a/hieradata/os/AlmaLinux/all_releases.yaml +++ b/hieradata/os/AlmaLinux/all_releases.yaml 
@@ -2,6 +2,7 @@ --- profiles::yum::base::baseurl: http://repos.main.unkin.net/almalinux profiles::yum::epel::baseurl: http://repos.main.unkin.net/epel +profiles::yum::unkin::baseurl: http://repos.main.unkin.net/unkin profiles::firewall::firewalld::ensure_package: 'absent' profiles::firewall::firewalld::ensure_service: 'stopped' profiles::firewall::firewalld::enable_service: false diff --git a/hieradata/roles/infra/storage/consul.eyaml b/hieradata/roles/infra/storage/consul.eyaml new file mode 100644 index 0000000..4182583 --- /dev/null +++ b/hieradata/roles/infra/storage/consul.eyaml @@ -0,0 +1,2 @@ +--- +profiles::consul::server::acl_master_token: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAFCDnJyImf/X8f6WGqt37XbuuSg5hCeC5Uhdd0u1/Jjlz4AzMyhF41Vs6iVrV6irlsMDziSQrcEvGumTPmYShRQiRv0GvkhHUpn2XROKd63KolsWRj2K2S5FhgwolgtQc05DLmGaQ6FIUMVk3aKU/v8IGSDopcjdhwTJtheOLgiiEjv8TsjWKOOIa0H7caa6ZiZxcf2Y99Wv9gIZdt+LnXGdlDuO88+gkYTpRM07RY21nr4VS821y0MwFcYx2SyzMDk60RvgCmvA6RdoyHBUYAu07IX6IjP5LZwpAkcPcA4gADVP7vOPT2WhVAtkzpg+RwNxkuWYA5roO2r1UhERixjBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBC9TM/c8nXJswHAUSU6kFCDgDBob2r0tFLq1Jw313Ys8jUtKsetsrc5x7uIDYzOqr7ulEM9B0VOD2ekR9IRYZMsBCg=] diff --git a/hieradata/roles/infra/storage/consul.yaml b/hieradata/roles/infra/storage/consul.yaml new file mode 100644 index 0000000..e3eb0fd --- /dev/null +++ b/hieradata/roles/infra/storage/consul.yaml 
@@ -0,0 +1,22 @@ +--- +profiles::consul::server::members_role: roles::infra::storage::consul +profiles::consul::server::members_lookup: true +profiles::consul::server::data_dir: /data/consul +profiles::consul::server::primary_datacenter: 'au-drw1' +profiles::consul::server::addresses: + dns: "%{::networking.ip}" + http: "%{::networking.ip}" + https: "%{::networking.ip}" + grpc: "%{::networking.ip}" + grpc_tls: "%{::networking.ip}" +profiles::consul::server::ports: + dns: 8600 + http: 8500 + https: -1 +profiles::consul::server::acl: + enabled: true + default_policy: 'deny' + down_policy: 'extend-cache' + tokens: + initial_management: "%{alias('profiles::consul::server::acl_tokens_initial_management')}" + default: "%{alias('profiles::consul::server::acl_tokens_default')}" diff --git a/site/profiles/manifests/base/datavol.pp b/site/profiles/manifests/base/datavol.pp index 4384bb6..5cb2a12 100644 --- a/site/profiles/manifests/base/datavol.pp +++ b/site/profiles/manifests/base/datavol.pp @@ -11,6 +11,7 @@ # class profiles::base::datavol ( Enum['present', 'absent'] $ensure = 'present', + Enum['present', 'absent', 'mounted'] $mountstate = 'mounted', Enum['ext2', 'ext3', 'ext4', 'xfs', 'btrfs'] $fstype = 'xfs', String $vg = 'datavg', String $pv = '/dev/vdb', @@ -63,7 +64,7 @@ class profiles::base::datavol ( # Ensure the logical volume is mounted at the desired location mount { $mount: - ensure => $ensure, + ensure => $mountstate, device => "/dev/${vg}/${lv}", fstype => $fstype, options => $mount_options.join(','), diff --git a/site/profiles/manifests/consul/server.pp b/site/profiles/manifests/consul/server.pp new file mode 100644 index 0000000..83dac9f --- /dev/null +++ b/site/profiles/manifests/consul/server.pp 
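Review bot: With `https: -1` and `http` bound to `%{::networking.ip}`, the Consul HTTP API on 8500 is reachable from the network without TLS, so the ACL tokens wired in under `tokens:` travel in cleartext on every API call; `default_policy: 'deny'` limits what a captured token can do, not whether it can be captured. Unless the API is meant to be consumed only on-host, enable the HTTPS listener and set `http: -1`, or bind `http` to `127.0.0.1` and leave the routed address to `https`. `%{::networking.ip}` depends on the legacy top-scope fact variable; `%{facts.networking.ip}` is the form Hiera 5 documents.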
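Review bot: `$mountstate` defaults to `'mounted'` independently of `$ensure`, so a caller declaring the class with `ensure => 'absent'` now still asks Puppet to mount `/dev/${vg}/${lv}` even though the volume resources are presumably removed under that value (before this change the mount followed `$ensure`). Tie the two together, e.g. `ensure => $ensure ? { 'absent' => 'absent', default => $mountstate },`, or document that both parameters must be set consistently. The part of the class body that creates the VG/LV is outside the hunk, so whether it honours `$ensure` is inferred.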
@@ -0,0 +1,125 @@ +# profiles::consul::server +class profiles::consul::server ( + String $gossip_key, + String $primary_datacenter, + Hash $acl, + Hash $ports, + Hash $addresses, + Boolean $members_lookup = false, + String $members_role = undef, + Array $consul_servers = [], + Boolean $enable_ui = true, + Boolean $enable_ui_config = true, + Boolean $manage_repo = false, + String $package_ensure = 'latest', + String $package_name = 'consul', + Integer $bootstrap_count = 1, + String $domain = 'consul', + Integer $raft_multiplier = 1, + Enum[ + 'allow', + 'deny', + 'extend-cache', + 'async-cache' + ] $acl_down_policy = 'extend-cache', + Enum[ + 'allow', + 'deny' + ] $acl_default_policy = 'deny', + Enum[ + 'url', + 'package', + 'docker', + 'none' + ] $install_method = 'package', + Stdlib::IP::Address $client_addr = '0.0.0.0', + Stdlib::Absolutepath $data_dir = '/opt/consul', + Stdlib::Absolutepath $bin_dir = '/usr/bin', + Boolean $disable_remote_exec = true, + Boolean $disable_update_check = true, +) { + + # set a datacentre/cluster name + $consul_cluster = "${::facts['country']}-${::facts['region']}" + + # if lookup is enabled, find all the hosts in the specified role and create the servers_array + if $members_lookup { + + # check that the role is also set + unless !($members_role == undef) { + fail("members_role must be provided for ${title} when members_lookup is True") + } + + # if it is, find hosts, sort them so they dont cause changes every run + $servers_array = sort(query_nodes("enc_role='${members_role}' and region='${::facts['region']}'", 'networking.fqdn')) + + # else use provided array from params + }else{ + $servers_array = $consul_servers + } + + # if $data_dir starts with /data, ensure the data mount exists + if ($data_dir.stdlib::start_with('/data') and $::facts['mountpoints']['/data']) or ! 
$data_dir.stdlib::start_with('/data') { + + # install consul + class { 'consul': + install_method => $install_method, + manage_repo => $manage_repo, + package_name => $package_name, + package_ensure => $package_ensure, + bin_dir => $bin_dir, + config_hash => { + 'primary_datacenter' => $primary_datacenter, + 'acl' => $acl, + 'ports' => $ports, + 'addresses' => $addresses, + 'disable_remote_exec' => $disable_remote_exec, + 'disable_update_check' => $disable_update_check, + 'domain' => $domain, + 'bootstrap_expect' => $bootstrap_count, + 'client_addr' => '0.0.0.0', + 'data_dir' => $data_dir, + 'datacenter' => $consul_cluster, + 'log_level' => 'INFO', + 'node_name' => $::facts['networking']['fqdn'], + 'server' => true, + 'ui' => $enable_ui, + 'ui_config' => { 'enabled' => $enable_ui_config }, + 'performance' => { 'raft_multiplier' => $raft_multiplier }, + 'bind_addr' => $::facts['networking']['ip'], + 'advertise_addr' => $::facts['networking']['ip'], + 'retry_join' => $servers_array + }, + } + } + + # consul before dnsmasq + if defined(Class['consul']) { + + # get the dns port from the $ports hash, otherwise use the default + $dns_port = pick($ports['dns'], 8600) + + # install dnsmasq + package { 'dnsmasq': + ensure => installed, + } + + # create the 10-consul.conf file + file { '/etc/dnsmasq.d/10-consul.conf': + ensure => file, + owner => 'root', + group => 'root', + mode => '0644', + content => "server=/${domain}/${::facts['networking']['ip']}#${dns_port}\n", + require => Package['dnsmasq'], + notify => Service['dnsmasq'], + } + + # ensure dnsmasq service is running and enabled at boot + service { 'dnsmasq': + ensure => running, + enable => true, + subscribe => File['/etc/dnsmasq.d/10-consul.conf'], # Restart dnsmasq if the consul config changes + } + } +} diff --git a/site/profiles/manifests/yum/global.pp b/site/profiles/manifests/yum/global.pp index 119230e..796b491 100644 --- a/site/profiles/manifests/yum/global.pp +++ b/site/profiles/manifests/yum/global.pp 
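Review bot: The `$client_addr` parameter is never used: `config_hash` sets `'client_addr' => '0.0.0.0'` literally, so the HTTP/DNS/gRPC listeners bind to every interface regardless of what a caller passes; `'client_addr' => $client_addr,` restores the parameter and lets operators narrow the bind address. `String $members_role = undef` also appears to fail type checking whenever the parameter is not supplied, since the undef default is validated against `String`; `Optional[String] $members_role = undef` with `unless $members_role {` (replacing the double negative) is the usual form, and the same pattern appears in `profiles::vault::server` in the next commit. When `/data` is not mounted the outer `if` silently declares nothing, so a `fail()` or at least `warning()` in an `else` branch would make the skipped install visible in the run.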
@@ -87,6 +87,11 @@ class profiles::yum::global ( managed_repos => $managed_repos, } + # Setup unkin repo if included in managed_repos + class { 'profiles::yum::unkin': + managed_repos => $managed_repos, + } + # setup dnf-autoupdate include profiles::yum::autoupdater diff --git a/site/profiles/manifests/yum/unkin.pp b/site/profiles/manifests/yum/unkin.pp new file mode 100644 index 0000000..be5be37 --- /dev/null +++ b/site/profiles/manifests/yum/unkin.pp @@ -0,0 +1,23 @@ +# Class: profiles::yum::unkin +class profiles::yum::unkin ( + Array[String] $managed_repos, + String $baseurl, + Enum[ + 'daily', + 'weekly', + 'monthly' + ] $snapshot = 'daily', +) { + $release = $facts['os']['release']['major'] + $basearch = $facts['os']['architecture'] + + if 'unkin' in $managed_repos { + yumrepo { 'unkin': + name => 'unkin', + descr => 'unkin repository', + target => '/etc/yum.repos.d/unkin.repo', + baseurl => "${baseurl}/${::facts['os']['release']['major']}/${basearch}/os/", + gpgcheck => false, + } + } +} diff --git a/site/roles/manifests/infra/storage/consul.pp b/site/roles/manifests/infra/storage/consul.pp index 22c3489..e47a108 100644 --- a/site/roles/manifests/infra/storage/consul.pp +++ b/site/roles/manifests/infra/storage/consul.pp @@ -3,4 +3,6 @@ class roles::infra::storage::consul { include profiles::defaults include profiles::base + include profiles::base::datavol + include profiles::consul::server } From 09291da89f2dcd65a1a6e38523c3593618116de6 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sun, 11 Feb 2024 21:05:48 +1100 Subject: [PATCH 089/229] fix: use fact to determine if selinux in use --- site/profiles/manifests/puppet/puppetboard.pp | 3 +-- site/profiles/manifests/reposync/webserver.pp | 3 +-- site/profiles/manifests/sql/galera_member.pp | 3 +-- 3 files changed, 3 insertions(+), 6 deletions(-) diff --git a/site/profiles/manifests/puppet/puppetboard.pp b/site/profiles/manifests/puppet/puppetboard.pp index 5d229a0..ec6f164 100644 
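Review bot: `gpgcheck => false` together with the plain-http `baseurl` added in `hieradata/os/AlmaLinux/all_releases.yaml` in this commit means packages from the `unkin` repo are installed with no integrity or origin check at all, and a later commit fetches the vault archive from the same host over http. Signing the repository and setting `gpgcheck => true` with a `gpgkey`, or at minimum serving it over https, closes that gap. `$release` is assigned but unused — `baseurl` re-reads `$::facts['os']['release']['major']` — so use `baseurl => "${baseurl}/${release}/${basearch}/os/",`.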
--- a/site/profiles/manifests/puppet/puppetboard.pp +++ b/site/profiles/manifests/puppet/puppetboard.pp @@ -20,7 +20,6 @@ class profiles::puppet::puppetboard ( Integer $gunicorn_threads = 4, String $nginx_vhost = 'puppetboard.main.unkin.net', Integer $nginx_port = 80, - Boolean $selinux = true, #String[1] $secret_key = "${fqdn_rand_string(32)}", ) { @@ -124,7 +123,7 @@ class profiles::puppet::puppetboard ( # if selinux is defined, manage it - if $selinux { + if $::facts['os']['selinux']['config_mode'] == 'enforcing' { # call the nginx selinux class class { 'profiles::selinux::nginx': diff --git a/site/profiles/manifests/reposync/webserver.pp b/site/profiles/manifests/reposync/webserver.pp index 9321db1..8008968 100644 --- a/site/profiles/manifests/reposync/webserver.pp +++ b/site/profiles/manifests/reposync/webserver.pp @@ -4,7 +4,6 @@ class profiles::reposync::webserver ( String $nginx_vhost = 'repos.main.unkin.net', Integer $nginx_port = 80, Boolean $favicon = true, - Boolean $selinux = true, ) { class { 'nginx': } @@ -39,7 +38,7 @@ class profiles::reposync::webserver ( order => 10, } - if $selinux { + if $::facts['os']['selinux']['config_mode'] == 'enforcing' { # include packages that are required include profiles::packages::selinux diff --git a/site/profiles/manifests/sql/galera_member.pp b/site/profiles/manifests/sql/galera_member.pp index d79c28a..5a6fb94 100644 --- a/site/profiles/manifests/sql/galera_member.pp +++ b/site/profiles/manifests/sql/galera_member.pp @@ -30,7 +30,6 @@ class profiles::sql::galera_member ( Boolean $package_manage = true, String $package_name = 'mariadb-server', Boolean $epel_needed = false, - Boolean $selinux = true, Boolean $manage_repo = true, ) { 
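Review bot: `$::facts['os']['selinux']['config_mode']` is the mode configured in `/etc/selinux/config`, not the running mode, so a host booted permissive or switched with `setenforce 0` still gets the SELinux resources while one enforcing at runtime with a stale config does not; if the running state is what matters, `current_mode` (or the `enforced` boolean) is the fact to test, and a comment stating which is intended would help. The same expression is repeated in `profiles::reposync::webserver` below and in `profiles::sql::galera_member` in the next chunk; a single shared variable or fact would keep the three in step. Should the `selinux` hash ever be absent, `$facts.dig('os', 'selinux', 'config_mode')` avoids indexing into undef.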
@@ -59,7 +58,7 @@ class profiles::sql::galera_member ( if length($servers_array) >= 3 { # if selinux is defined, manage it - if $selinux { + if $::facts['os']['selinux']['config_mode'] == 'enforcing' { # set permissive on first run, as we need mariadb installed/started at a custom path before adding fcontext if $::facts['mariadb_acti'] { $selinux_mode = 'enforcing' }else{ $selinux_mode = 'permissive' } From fe05c864635fd2d1f071d6494fd60b65283bc166 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Tue, 13 Feb 2024 22:48:23 +1100 Subject: [PATCH 090/229] feat: add vault server profile - add vault module to puppetfile - define class to manage the install and config of vault - manage the datavol and raft storage - manage the unzip and other compression tools - define custom unseal script and service - add documentation on initial setup of vault --- Puppetfile | 2 + doc/vault/setup.md | 48 ++++++++++ hieradata/common.yaml | 1 + hieradata/roles/infra/storage/vault.eyaml | 7 ++ hieradata/roles/infra/storage/vault.yaml | 8 ++ site/profiles/manifests/pki/puppetcerts.pp | 2 +- site/profiles/manifests/vault/server.pp | 90 +++++++++++++++++++ site/profiles/manifests/vault/unseal.pp | 37 ++++++++ site/profiles/templates/vault/unseal_keys.erb | 3 + .../templates/vault/vault-unseal.service.erb | 14 +++ .../templates/vault/vault_unseal.sh.erb | 23 +++++ site/roles/manifests/infra/storage/vault.pp | 3 + 12 files changed, 237 insertions(+), 1 deletion(-) create mode 100644 doc/vault/setup.md create mode 100644 hieradata/roles/infra/storage/vault.eyaml create mode 100644 hieradata/roles/infra/storage/vault.yaml create mode 100644 site/profiles/manifests/vault/server.pp create mode 100644 site/profiles/manifests/vault/unseal.pp create mode 100644 site/profiles/templates/vault/unseal_keys.erb create mode 100644 site/profiles/templates/vault/vault-unseal.service.erb create mode 100644 site/profiles/templates/vault/vault_unseal.sh.erb 
diff --git a/Puppetfile b/Puppetfile index 85a9ba9..5701a66 100644 --- a/Puppetfile +++ b/Puppetfile @@ -28,6 +28,7 @@ mod 'puppet-selinux', '4.1.0' mod 'puppet-prometheus', '13.4.0' mod 'puppet-grafana', '13.1.0' mod 'puppet-consul', '8.0.0' +mod 'puppet-vault', '4.1.0' # other mod 'ghoneycutt-puppet', '3.3.0' @@ -36,6 +37,7 @@ mod 'dalen-puppetdbquery', '3.0.1' mod 'markt-galera', '3.1.0' mod 'kogitoapp-minio', '1.1.4' mod 'broadinstitute-certs', '3.0.1' +mod 'stm-file_capability', '6.0.0' mod 'bind', :git => 'https://git.unkin.net/unkinben/puppet-bind.git', diff --git a/doc/vault/setup.md b/doc/vault/setup.md new file mode 100644 index 0000000..1ec2ca2 --- /dev/null +++ b/doc/vault/setup.md 
@@ -0,0 +1,48 @@ +# root ca + vault secrets enable -path=pki_root pki + + vault write -field=certificate pki_root/root/generate/internal \ + common_name="unkin.net" \ + issuer_name="unkinroot-2024" \ + ttl=87600h > unkinroot_2024_ca.crt + + vault read pki_root/issuer/$(vault list -format=json pki_root/issuers/ | jq -r '.[]') | tail -n 6 + + vault write pki_root/roles/2024-servers allow_any_name=true + + vault write pki_root/config/urls \ + issuing_certificates="$VAULT_ADDR/v1/pki_root/ca" \ + crl_distribution_points="$VAULT_ADDR/v1/pki_root/crl" + +# intermediate + vault secrets enable -path=pki_int pki + vault secrets tune -max-lease-ttl=43800h pki_int + + vault write -format=json pki_int/intermediate/generate/internal \ + common_name="unkin.net Intermediate Authority" \ + issuer_name="unkin-dot-net-intermediate" \ + | jq -r '.data.csr' > pki_intermediate.csr + + vault write -format=json pki_root/root/sign-intermediate \ + issuer_ref="unkinroot-2024" \ + csr=@pki_intermediate.csr \ + format=pem_bundle ttl="43800h" \ + | jq -r '.data.certificate' > intermediate.cert.pem + + vault write pki_int/intermediate/set-signed certificate=@intermediate.cert.pem + +# create role + vault write pki_int/roles/unkin-dot-net \ + issuer_ref="$(vault read -field=default pki_int/config/issuers)" \ + allowed_domains="unkin.net" \ + allow_subdomains=true \ + max_ttl="2160h" + +# test generating a domain cert + vault write pki_int/issue/unkin-dot-net common_name="test.unkin.net" ttl="24h" + vault write pki_int/issue/unkin-dot-net common_name="test.main.unkin.net" ttl="24h" + vault write pki_int/issue/unkin-dot-net common_name="*.test.main.unkin.net" ttl="24h" + + +# remove expired certificates + vault write pki_int/tidy tidy_cert_store=true tidy_revoked_certs=true diff --git a/hieradata/common.yaml b/hieradata/common.yaml index dc4b711..a257843 100644 --- a/hieradata/common.yaml +++ b/hieradata/common.yaml 
@@ -49,6 +49,7 @@ profiles::packages::base::add: - sysstat - tmux - traceroute + - unzip - vim - vnstat - wget diff --git a/hieradata/roles/infra/storage/vault.eyaml b/hieradata/roles/infra/storage/vault.eyaml new file mode 100644 index 0000000..4e68db5 --- /dev/null +++ b/hieradata/roles/infra/storage/vault.eyaml 
@@ -0,0 +1,7 @@ +--- +vault::unseal_keys: + - ENC[PKCS7,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] + - ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAKeXpQMz90SUeIojz659+AX9hdTn5EiPOprrdI4EjqPL5BItr2xkrk8XbDnhlgM6PWwbo5jzEKBYGFTRbnHHF6/xdQQoUALMyhD3SSwDZOv8B92zSWkRMUpXlrUFMJeHldDMXS9enpg4Y4jL7i7GWsf7PEuEOTidNid3ZViKT32miSoJvGRENZvGyYA8Rd1Vh+3lIxtJNWqEUiw6yDUUO6H8bRKQ0JVBxW4JQOkLeaKbz+M2WjvE+PDeYykCWaApzfcxE3XPxv7MhBLJskf/37h/pHFGLhAUEcATiXrdUHzDuGnCLHQohW4B6NnKH7GNTby7Nbxzuq5zA3g9yavKj1DBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBCbXFapwcT7R268E9Zih4i2gDC4cSSmU+33i5j6uKbgydDGqeooT4j2GzWCr0Ya52aVZnoeqYEFdp+dBFcCnvwFTQU=] + - ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEApI/exTnGbzLFuIYAVqLi27O8CxBXDOPDB5K9GVIDIL8pyXoqv8LDO1fkg0TZJREZIHUNBwx4DNg0ruveuEcHXTleLLKGk51Cn89YQB3bvUPJ7BfBq8GRV6TpNNj50jstjGqyesw+q4r9cx8F/l1qxlHBmJPT6h332GXO1Fzmh6wIF+poqD2KfsbppOtk/YGLtdTa87RuNS0eQ9LcayMIqWE2+vrkUlEtjNYgNWHnKFQhlB0kety4IKV6rdZd9thVIbyQctJmoNSf8mB2vLm+ufgQqQHc6RpwwZEkAaX+i6pACN44tgEnFuQ96KMW+GX5LCZ7cAUfrLXDNoGfbve2LDBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBC/1fBbDfgMoKR98FOvafR2gDDhENLMdjZWJBNHmMYJj2xYOnfv9tAe7F/JCIPrs2yPMwriyzOsgoAHFGkznKWHyvw=] + - ENC[PKCS7,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] + - ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAoVY4a2yUJnvWJAC1gs0+ZgYcMMI1ZDGniNbIc4h6vb3ic7OPSa+QKZtEyboNSGWyLgLDhO6IPeeW+YgOhwo6tpgltBu34/1czwWiRSd9pZo7kq9J+UnnmvXxlfcD9S/hGAqzv+ouPQjWcpOm9rMYGrq78e3Z/VnscA3LtdtQVQtXLFERCIc3xCDNat47rQnWLvCGsDMSqCbUFOX/xnExmifLnHoRlOrg8K+Iw+oIIbI6LlOiE1lb5b8ml8RqckcKTx3ppRQiVNSCGIrjyVyWLtOU+zDmHFqsSf6JLZ0Twlfboafu2/Iz3NZiikSma564NcexTVkbk5bsZeMWB3+oWDBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBDoWpCRs2064iTVyEvjpXg9gDB/Y/86kLRp6IqmPjFH71oslQ674PK3SfO1jpJJRyJ/61zrdoef+jaK0eEvvJIW70o=] 
diff --git a/hieradata/roles/infra/storage/vault.yaml b/hieradata/roles/infra/storage/vault.yaml new file mode 100644 index 0000000..df6387a --- /dev/null +++ b/hieradata/roles/infra/storage/vault.yaml @@ -0,0 +1,8 @@ +--- +profiles::vault::server::members_role: roles::infra::storage::vault +profiles::vault::server::members_lookup: true +profiles::vault::server::data_dir: /data/vault +profiles::vault::server::primary_datacenter: 'au-drw1' +profiles::vault::server::manage_storage_dir: true +profiles::vault::server::tls_disable: false +vault::download_url: http://repos.main.unkin.net/unkin/8/x86_64/os/Archives/vault_1.15.5_linux_amd64.zip diff --git a/site/profiles/manifests/pki/puppetcerts.pp b/site/profiles/manifests/pki/puppetcerts.pp index c3d2920..bf02ecd 100644 --- a/site/profiles/manifests/pki/puppetcerts.pp +++ b/site/profiles/manifests/pki/puppetcerts.pp @@ -24,7 +24,7 @@ class profiles::pki::puppetcerts { ensure => 'file', owner => 'root', group => 'root', - mode => '0600', + mode => '0644', source => "/etc/puppetlabs/puppet/ssl/private_keys/${facts['networking']['fqdn']}.pem", require => File['/etc/pki/tls/puppet'], } diff --git a/site/profiles/manifests/vault/server.pp b/site/profiles/manifests/vault/server.pp new file mode 100644 index 0000000..a0e760a --- /dev/null +++ b/site/profiles/manifests/vault/server.pp 
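Review bot: Changing the copied agent private key from `0600` to `0644` makes `/etc/pki/tls/puppet/<fqdn>.key` readable by every local account, which is far broader than the vault service needs; grant read access through the service account's group instead, e.g. `group => '<vault service group>', mode => '0640',` with the owner left as root (the group name is not visible here). Because this is the node's Puppet agent identity, any local user able to read it could present that certificate wherever it is trusted, not just to Vault. The rest of `profiles::pki::puppetcerts` around this resource is outside the hunk.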
@@ -0,0 +1,90 @@ +# profiles::vault::server +class profiles::vault::server ( + Boolean $members_lookup = false, + String $members_role = undef, + Array $vault_servers = [], + Enum[ + 'archive', + 'repo' + ] $install_method = 'archive', + Boolean $tls_disable = false, + Stdlib::Port $client_port = 8200, + Stdlib::Port $cluster_port = 8201, + Boolean $manage_storage_dir = false, + Stdlib::Absolutepath $data_dir = '/opt/vault', + Stdlib::Absolutepath $bin_dir = '/usr/bin', +){ + + # use puppet certs as base + include profiles::pki::puppetcerts + + # set a datacentre/cluster name + $vault_cluster = "${::facts['country']}-${::facts['region']}" + + # if lookup is enabled, find all the hosts in the specified role and create the servers_array + if $members_lookup { + + # check that the role is also set + unless !($members_role == undef) { + fail("members_role must be provided for ${title} when members_lookup is True") + } + + # if it is, find hosts, sort them so they dont cause changes every run + $servers_array = sort(query_nodes("enc_role='${members_role}' and region='${::facts['region']}'", 'networking.fqdn')) + + # else use provided array from params + }else{ + $servers_array = $vault_servers + } + + # set http scheme + $http_scheme = $tls_disable ? 
{ + true => 'http', + false => 'https' + } + + # create vault urls + $server_urls = $servers_array.map |$fqdn| { + { + leader_api_addr => "${http_scheme}://${fqdn}:${client_port}", + leader_client_cert_file => "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.crt", + leader_client_key_file => "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.key", + leader_ca_cert_file => '/etc/pki/tls/puppet/ca.pem', + } + } + + class { 'vault': + install_method => $install_method, + manage_storage_dir => $manage_storage_dir, + enable_ui => true, + storage => { + raft => { + node_id => $::facts['networking']['fqdn'], + path => $data_dir, + retry_join => $server_urls, + } + }, + api_addr => "${http_scheme}://${::facts['networking']['fqdn']}:${client_port}", + extra_config => { + cluster_addr => "${http_scheme}://${::facts['networking']['fqdn']}:${cluster_port}", + }, + listener => [ + { + tcp => { + address => "127.0.0.1:${client_port}", + cluster_address => "127.0.0.1:${cluster_port}", + tls_disable => true, + } + }, + { + tcp => { + address => "${::facts['networking']['ip']}:${client_port}", + cluster_address => "${::facts['networking']['ip']}:${cluster_port}", + tls_disable => $tls_disable, + tls_cert_file => "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.crt", + tls_key_file => "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.key", + } + } + ] + } +} diff --git a/site/profiles/manifests/vault/unseal.pp b/site/profiles/manifests/vault/unseal.pp new file mode 100644 index 0000000..81ccb89 --- /dev/null +++ b/site/profiles/manifests/vault/unseal.pp 
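Review bot: `cluster_addr` is built from `$http_scheme`, but as I read the Vault documentation the cluster port used for request forwarding and raft is always TLS regardless of the listener's `tls_disable`, so with `tls_disable => true` the advertised cluster address would carry an `http://` scheme; `cluster_addr => "https://${::facts['networking']['fqdn']}:${cluster_port}",` is the form that setting expects, if that reading is right. `enable_ui => true` is hard-coded while the rest of the profile is parameterised, and the `String $members_role = undef` default mirrors the consul profile's issue.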
@@ -0,0 +1,37 @@
+# profiles::vault::unseal
+class profiles::vault::unseal (
+ Array[String] $unseal_keys = lookup('vault::unseal_keys', Array[String], 'first', []),
+ Variant[
+ Stdlib::HTTPSUrl,
+ Stdlib::HTTPUrl
+ ] $vault_address = 'http://127.0.0.1:8200',
+){
+
+ # deploy the unseal keys file
+ file { '/etc/vault/unseal_keys':
+ ensure => file,
+ owner => 'root',
+ group => 'root',
+ mode => '0600',
+ content => Sensitive(template('profiles/vault/unseal_keys.erb')),
+ require => Class['vault'],
+ }
+
+ # deploy the unseal script
+ file { '/usr/local/bin/vault-unseal.sh':
+ ensure => file,
+ owner => 'root',
+ group => 'root',
+ mode => '0750',
+ content => template('profiles/vault/vault_unseal.sh.erb'),
+ }
+
+ # create systemd service unit
+ systemd::unit_file { 'vault-unseal.service':
+ content => template('profiles/vault/vault-unseal.service.erb'),
+ active => true,
+ enable => true,
+ require => File['/usr/local/bin/vault-unseal.sh'],
+ subscribe => Service['vault'],
+ }
+}
diff --git a/site/profiles/templates/vault/unseal_keys.erb b/site/profiles/templates/vault/unseal_keys.erb
new file mode 100644
index 0000000..0ee4751
--- /dev/null
+++ b/site/profiles/templates/vault/unseal_keys.erb
@@ -0,0 +1,3 @@
+<% @unseal_keys.each do |key| -%>
+<%= key %>
+<% end -%>
diff --git a/site/profiles/templates/vault/vault-unseal.service.erb b/site/profiles/templates/vault/vault-unseal.service.erb
new file mode 100644
index 0000000..83b0e1a
--- /dev/null
+++ b/site/profiles/templates/vault/vault-unseal.service.erb
@@ -0,0 +1,14 @@
+[Unit]
+Description=Unseal Vault Service
+After=vault.service network.target
+Requires=vault.service
+PartOf=vault.service
+
+[Service]
+Type=oneshot
+ExecStart=/usr/local/bin/vault-unseal.sh
+RemainAfterExit=yes
+User=root
+
+[Install]
+WantedBy=multi-user.target
diff --git a/site/profiles/templates/vault/vault_unseal.sh.erb b/site/profiles/templates/vault/vault_unseal.sh.erb
new file mode 100644
index 0000000..5e4d5aa
--- /dev/null
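Review bot: Writing the Shamir unseal shares to `/etc/vault/unseal_keys` on the Vault node itself turns the key split back into a single secret available to anyone with root on that host or a copy of its disk or backups; the `Sensitive(...)` wrapper only keeps the content out of reports and logs, not off the disk. A header comment stating that trade-off belongs above the class, e.g. `# NOTE: the unseal shares are stored on the Vault host; prefer auto-unseal (transit/KMS) where available`. `$unseal_keys` also defaults to `[]`, so when `vault::unseal_keys` is missing the file is deployed empty and the unseal script in this series still prints "Vault has been unsealed."; consider `fail()`-ing on an empty list and document that the key is expected to come from encrypted hiera.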
+++ b/site/profiles/templates/vault/vault_unseal.sh.erb
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+# Script to unseal Vault
+
+VAULT_ADDR='<%= @vault_address %>'
+UNSEAL_KEYS_FILE='/etc/vault/unseal_keys'
+
+# Check if Vault is sealed
+is_sealed=$(curl -s ${VAULT_ADDR}/v1/sys/seal-status | jq -r '.sealed')
+if [ "$is_sealed" != "true" ]; then
+ echo "Vault is already unsealed."
+ exit 0
+fi
+
+# Retrieve unseal keys from plaintext file
+unseal_keys=$(cat "$UNSEAL_KEYS_FILE")
+
+# Loop through the unseal keys and use them to unseal Vault
+for key in $unseal_keys; do
+ curl --request PUT --data '{"key": "'$key'"}' $VAULT_ADDR/v1/sys/unseal
+done
+
+echo "Vault has been unsealed."
diff --git a/site/roles/manifests/infra/storage/vault.pp b/site/roles/manifests/infra/storage/vault.pp
index 9d17004..b6afe40 100644
--- a/site/roles/manifests/infra/storage/vault.pp
+++ b/site/roles/manifests/infra/storage/vault.pp
@@ -2,4 +2,7 @@ class roles::infra::storage::vault {
 include profiles::defaults
 include profiles::base
+ include profiles::base::datavol
+ include profiles::vault::server
+ include profiles::vault::unseal
 }
From d92c13525c1b7730053ba9b4aa237243f932c054 Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Sat, 17 Feb 2024 21:19:55 +1100
Subject: [PATCH 091/229] fix: fact was misspelled
- fixed fact name
---
 site/profiles/manifests/sql/galera_member.pp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/site/profiles/manifests/sql/galera_member.pp b/site/profiles/manifests/sql/galera_member.pp
index 5a6fb94..66f189c 100644
--- a/site/profiles/manifests/sql/galera_member.pp
+++ b/site/profiles/manifests/sql/galera_member.pp
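Review bot: Each share is passed to curl on the command line (`--data '{"key": "'$key'"}'`), which exposes it in the process list to every local user while the request runs; feed it over stdin instead, `printf '{"key":"%s"}' "$key" | curl -s --request PUT --data @- "$VAULT_ADDR/v1/sys/unseal"`. The seal check also reports an unreachable Vault as already unsealed: if curl or jq fails, `is_sealed` is empty, the `!= "true"` test passes and the script exits 0, so test for `"false"` explicitly (or use `set -euo pipefail` and check curl's status). The final echo runs regardless of the PUT responses; re-query `/v1/sys/seal-status` before claiming success, and quote `$VAULT_ADDR` in both calls.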
@@ -61,7 +61,7 @@ class profiles::sql::galera_member ( if $::facts['os']['selinux']['config_mode'] == 'enforcing' { # set permissive on first run, as we need mariadb installed/started at a custom path before adding fcontext - if $::facts['mariadb_acti'] { $selinux_mode = 'enforcing' }else{ $selinux_mode = 'permissive' } + if $::facts['mariadb_active'] { $selinux_mode = 'enforcing' }else{ $selinux_mode = 'permissive' } # call the mysqld selinux class class { 'profiles::selinux::mysqld': From 12ff053c6d9da7be9d3caa7ab15600e33ef5482c Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sat, 17 Feb 2024 22:35:30 +1100 Subject: [PATCH 092/229] refacter: cleanup packages setup --- hieradata/common.yaml | 15 ++++++++---- hieradata/roles/infra.yaml | 3 +++ hieradata/roles/infra/reposync/syncer.yaml | 3 +++ site/profiles/manifests/base.pp | 2 +- site/profiles/manifests/packages.pp | 23 +++++++++++++++++++ site/profiles/manifests/packages/base.pp | 21 ----------------- site/profiles/manifests/packages/git.pp | 11 --------- site/profiles/manifests/packages/reposync.pp | 11 --------- site/profiles/manifests/packages/selinux.pp | 11 --------- site/profiles/manifests/puppet/enc.pp | 2 -- site/profiles/manifests/puppet/g10k.pp | 4 +--- site/profiles/manifests/puppet/r10k.pp | 2 -- .../profiles/manifests/reposync/autosyncer.pp | 2 +- site/profiles/manifests/reposync/syncer.pp | 1 - site/profiles/manifests/reposync/webserver.pp | 3 --- site/profiles/manifests/selinux/mysqld.pp | 2 -- site/profiles/manifests/selinux/nginx.pp | 2 -- site/profiles/manifests/selinux/setenforce.pp | 3 ++- 18 files changed, 45 insertions(+), 76 deletions(-) create mode 100644 site/profiles/manifests/packages.pp delete mode 100644 site/profiles/manifests/packages/base.pp delete mode 100644 site/profiles/manifests/packages/git.pp delete mode 100644 site/profiles/manifests/packages/reposync.pp delete mode 100644 site/profiles/manifests/packages/selinux.pp 
diff --git a/hieradata/common.yaml b/hieradata/common.yaml index a257843..aa7b70c 100644 --- a/hieradata/common.yaml +++ b/hieradata/common.yaml @@ -1,9 +1,15 @@ --- lookup_options: - profiles::packages::base::add: + profiles::packages::install: merge: strategy: deep - profiles::packages::base::remove: + profiles::packages::install_exclude: + merge: + strategy: deep + profiles::packages::remove: + merge: + strategy: deep + profiles::packages::remove_exclude: merge: strategy: deep @@ -22,13 +28,14 @@ profiles::base::puppet_servers: profiles::dns::master::basedir: '/var/named/sources' profiles::dns::base::ns_role: 'roles::infra::dns::resolver' -profiles::packages::base::add: +profiles::packages::install: - bash-completion - bzip2 - ccze - curl - dstat - gzip + - git - htop - inotify-tools - iotop @@ -57,7 +64,7 @@ profiles::packages::base::add: - zsh - zstd -profiles::packages::base::remove: +profiles::packages::remove: - iwl100-firmware - iwl1000-firmware - iwl105-firmware diff --git a/hieradata/roles/infra.yaml b/hieradata/roles/infra.yaml index b2164e7..3192355 100644 --- a/hieradata/roles/infra.yaml +++ b/hieradata/roles/infra.yaml @@ -1,4 +1,7 @@ --- +profiles::packages::install: + - policycoreutils + profiles::puppet::puppetdb::puppetdb_host: prodinf01n04.main.unkin.net profiles::puppet::puppetdb::postgres_host: prodinf01n05.main.unkin.net puppetdb::master::config::create_puppet_service_resource: false diff --git a/hieradata/roles/infra/reposync/syncer.yaml b/hieradata/roles/infra/reposync/syncer.yaml index b9d9dc0..762a9d4 100644 --- a/hieradata/roles/infra/reposync/syncer.yaml +++ b/hieradata/roles/infra/reposync/syncer.yaml @@ -1,4 +1,7 @@ --- +profiles::packages::install: + - createrepo + profiles::reposync::repos_list: almalinux_8_9_baseos: repository: 'BaseOS' diff --git a/site/profiles/manifests/base.pp b/site/profiles/manifests/base.pp index 607136b..40eaa2b 100644 --- a/site/profiles/manifests/base.pp +++ b/site/profiles/manifests/base.pp 
@@ -25,7 +25,7 @@ class profiles::base (
 }
 # include the base profiles
- include profiles::packages::base
+ include profiles::packages
 include profiles::base::facts
 include profiles::base::motd
 include profiles::base::scripts
diff --git a/site/profiles/manifests/packages.pp b/site/profiles/manifests/packages.pp
new file mode 100644
index 0000000..ca43908
--- /dev/null
+++ b/site/profiles/manifests/packages.pp
@@ -0,0 +1,23 @@
+# This class manages the installation of packages for the base profile
+#
+# Parameters:
+# - $install: An array of package names to be installed
+# - $remove: An array of package names to be removed
+#
+class profiles::packages (
+ Array $install = [],
+ Array $install_exclude = [],
+ Array $remove = [],
+ Array $remove_exclude = [],
+) {
+
+ # Filter out excluded packages
+ $install_real = $install.filter |$item| { !$install_exclude.any |$exclude_item| { $exclude_item == $item } }
+ $remove_real = $remove.filter |$item| { !$remove_exclude.any |$exclude_item| { $exclude_item == $item } }
+
+ # Ensure packages to install are installed
+ ensure_packages($install_real, {'ensure' => 'present'})
+
+ # Ensure packages to remove are absent
+ ensure_packages($remove_real, {'ensure' => 'absent'})
+}
diff --git a/site/profiles/manifests/packages/base.pp b/site/profiles/manifests/packages/base.pp
deleted file mode 100644
index f7d51cf..0000000
--- a/site/profiles/manifests/packages/base.pp
+++ /dev/null
@@ -1,21 +0,0 @@
-# This class manages the installation of packages for the base profile
-#
-# Parameters:
-# - $add: An array of package names to be installed
-# - $remove: An array of package names to be removed
-#
-class profiles::packages::base (
- Array $add = [],
- Array $remove = [],
-) {
-
- # Ensure packages to add are installed
- ensure_packages($add, {'ensure' => 'present'})
-
- # Ensure packages to remove are absent
- $remove.each |String $package| {
- package { $package:
- ensure => 'absent',
- }
- }
-}
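Review bot: The header comment on `profiles::packages` documents only `$install` and `$remove`; `$install_exclude` and `$remove_exclude` need entries too, e.g. `# - $install_exclude: package names to drop from $install (useful with the deep-merged hiera lists)`. The nested `filter`/`any` is Puppet's array difference written out by hand; `$install_real = $install - $install_exclude` and `$remove_real = $remove - $remove_exclude` say the same thing directly. Nothing prevents a name from ending up in both `$install_real` and `$remove_real`, which would make the two `ensure_packages` calls declare one `Package` with conflicting `ensure` values and fail the compile; subtracting `$remove_real` from `$install_real` (or `fail()`-ing on the overlap) makes the precedence explicit. The bare `Array` types could be `Array[String[1]]`, matching the deleted `profiles::packages::*` classes.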
diff --git a/site/profiles/manifests/packages/git.pp b/site/profiles/manifests/packages/git.pp deleted file mode 100644 index 578aca7..0000000 --- a/site/profiles/manifests/packages/git.pp +++ /dev/null @@ -1,11 +0,0 @@ -# installs git related packages -# -class profiles::packages::git ( - Array[String] $packages = lookup('profiles::packages::git', Array, 'first', ['git']), -) { - $packages.each |String $package| { - package { $package: - ensure => installed, - } - } -} diff --git a/site/profiles/manifests/packages/reposync.pp b/site/profiles/manifests/packages/reposync.pp deleted file mode 100644 index f6525a5..0000000 --- a/site/profiles/manifests/packages/reposync.pp +++ /dev/null @@ -1,11 +0,0 @@ -# installs reposync related packages -# -class profiles::packages::reposync ( - Array[String] $packages = lookup('profiles::packages::reposync', Array, 'first', ['createrepo']), -) { - $packages.each |String $package| { - package { $package: - ensure => installed, - } - } -} diff --git a/site/profiles/manifests/packages/selinux.pp b/site/profiles/manifests/packages/selinux.pp deleted file mode 100644 index 1bbd457..0000000 --- a/site/profiles/manifests/packages/selinux.pp +++ /dev/null @@ -1,11 +0,0 @@ -# installs selinux related packages -# -class profiles::packages::selinux ( - Array[String] $packages = lookup('profiles::packages::selinux', Array, 'first', ['policycoreutils']), -) { - $packages.each |String $package| { - package { $package: - ensure => installed, - } - } -} diff --git a/site/profiles/manifests/puppet/enc.pp b/site/profiles/manifests/puppet/enc.pp index dad9d11..b0a4a49 100644 --- a/site/profiles/manifests/puppet/enc.pp +++ b/site/profiles/manifests/puppet/enc.pp @@ -39,8 +39,6 @@ class profiles::puppet::enc ( Boolean $force = false, ) { - include profiles::packages::git - vcsrepo { '/opt/puppetlabs/enc': ensure => latest, provider => git, 
diff --git a/site/profiles/manifests/puppet/g10k.pp b/site/profiles/manifests/puppet/g10k.pp index 617190b..eddb6f1 100644 --- a/site/profiles/manifests/puppet/g10k.pp +++ b/site/profiles/manifests/puppet/g10k.pp @@ -36,9 +36,6 @@ class profiles::puppet::g10k ( String $environments_path, String $default_environment, ){ - package { 'unzip': - ensure => installed, - } archive { '/tmp/g10k.zip': ensure => present, @@ -47,6 +44,7 @@ class profiles::puppet::g10k ( extract_path => '/opt/puppetlabs/bin', creates => '/opt/puppetlabs/bin/g10k', cleanup => true, + require => Package['unzip'] } file { '/opt/puppetlabs/bin/puppet-g10k': diff --git a/site/profiles/manifests/puppet/r10k.pp b/site/profiles/manifests/puppet/r10k.pp index 402f49a..baa16d5 100644 --- a/site/profiles/manifests/puppet/r10k.pp +++ b/site/profiles/manifests/puppet/r10k.pp @@ -37,8 +37,6 @@ class profiles::puppet::r10k ( String $r10k_repo, ){ - include profiles::packages::git - vcsrepo { '/etc/puppetlabs/r10k': ensure => latest, provider => git, diff --git a/site/profiles/manifests/reposync/autosyncer.pp b/site/profiles/manifests/reposync/autosyncer.pp index 04393cd..5271ec2 100644 --- a/site/profiles/manifests/reposync/autosyncer.pp +++ b/site/profiles/manifests/reposync/autosyncer.pp @@ -10,7 +10,7 @@ class profiles::reposync::autosyncer ( group => 'root', mode => '0755', content => template('profiles/reposync/autosyncer.erb'), - require => Class['profiles::packages::reposync'], + require => Package['createrepo'], } # daily autosyncr service/timer diff --git a/site/profiles/manifests/reposync/syncer.pp b/site/profiles/manifests/reposync/syncer.pp index a670679..3be81d8 100644 --- a/site/profiles/manifests/reposync/syncer.pp +++ b/site/profiles/manifests/reposync/syncer.pp @@ -1,7 +1,6 @@ # setup a reposync syncer class profiles::reposync::syncer { - include profiles::packages::reposync include profiles::reposync::autosyncer include profiles::reposync::autopromoter include profiles::reposync::webserver 
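Review bot: The second g10k hunk's `require => Package['unzip']` references a resource this manifest no longer declares, so the catalog only compiles if `unzip` appears in the `profiles::packages::install` hiera list; this commit adds `policycoreutils` and `createrepo` for the setenforce and autosyncer hunks, but no `unzip` entry is visible here. If it is already in `hieradata/common.yaml`, a comment such as `# unzip is installed by profiles::packages (hiera profiles::packages::install)` would record the coupling; otherwise add it there. The `profiles::puppet::g10k` body continues outside both hunks.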
diff --git a/site/profiles/manifests/reposync/webserver.pp b/site/profiles/manifests/reposync/webserver.pp index 8008968..789ce21 100644 --- a/site/profiles/manifests/reposync/webserver.pp +++ b/site/profiles/manifests/reposync/webserver.pp @@ -40,9 +40,6 @@ class profiles::reposync::webserver ( if $::facts['os']['selinux']['config_mode'] == 'enforcing' { - # include packages that are required - include profiles::packages::selinux - # set httpd_sys_content_t to all files under the www_root selinux::fcontext { $www_root: ensure => 'present', diff --git a/site/profiles/manifests/selinux/mysqld.pp b/site/profiles/manifests/selinux/mysqld.pp index 2c31e82..8a5d3b0 100644 --- a/site/profiles/manifests/selinux/mysqld.pp +++ b/site/profiles/manifests/selinux/mysqld.pp @@ -7,8 +7,6 @@ class profiles::selinux::mysqld ( Boolean $selinuxuser_mysql_connect_enabled = true, String $selinux_mode = 'enforcing', ){ - # include packages that are required - include profiles::packages::selinux # setenforce class { 'profiles::selinux::setenforce': diff --git a/site/profiles/manifests/selinux/nginx.pp b/site/profiles/manifests/selinux/nginx.pp index 2c8f585..25d47f6 100644 --- a/site/profiles/manifests/selinux/nginx.pp +++ b/site/profiles/manifests/selinux/nginx.pp @@ -5,8 +5,6 @@ class profiles::selinux::nginx ( Boolean $httpd_can_network_connect = true, String $selinux_mode = 'enforcing', ){ - # include packages that are required - include profiles::packages::selinux # setenforce class { 'profiles::selinux::setenforce': diff --git a/site/profiles/manifests/selinux/setenforce.pp b/site/profiles/manifests/selinux/setenforce.pp index fa2c753..309ea71 100644 --- a/site/profiles/manifests/selinux/setenforce.pp +++ b/site/profiles/manifests/selinux/setenforce.pp @@ -3,7 +3,8 @@ class profiles::selinux::setenforce ( Enum['enforcing', 'permissive', 'disabled'] $mode = 'enforcing', ) { class { 'selinux': - mode => $mode, + mode => $mode, + require => Package['policycoreutils'] } } 
From 1f7b347ef4e1f66336623de42eb6d1875172ea9b Mon Sep 17 00:00:00 2001 
From: Ben Vincent Date: Sat, 17 Feb 2024 22:57:36 +1100 Subject: [PATCH 093/229] refacter: tidy facts - create a facts module, move all facts to this module --- environment.conf | 2 +- {site/profiles => modules/facts}/lib/facter/arpa.rb | 0 {site/profiles => modules/facts}/lib/facter/country.rb | 0 {site/profiles => modules/facts}/lib/facter/enc_role_path.rb | 0 {site/profiles => modules/facts}/lib/facter/enc_role_tier1.rb | 0 {site/profiles => modules/facts}/lib/facter/enc_role_tier2.rb | 0 {site/profiles => modules/facts}/lib/facter/enc_role_tier3.rb | 0 {site/profiles => modules/facts}/lib/facter/mariadb_active.rb | 0 {site/profiles => modules/facts}/lib/facter/mariadb_datapath.rb | 0 .../facts}/lib/facter/mariadb_galera_active.rb | 0 .../profiles => modules/facts}/lib/facter/mariadb_installed.rb | 0 .../facts}/lib/facter/minio_datadirs_initialised.rb | 0 .../profiles => modules/facts}/lib/facter/minio_group_exists.rb | 0 {site/profiles => modules/facts}/lib/facter/minio_pool_dns.rb | 0 .../profiles => modules/facts}/lib/facter/minio_user_exists.rb | 0 {site/profiles => modules/facts}/lib/facter/mysql_wsrep.rb | 0 {site/profiles => modules/facts}/lib/facter/region.rb | 0 17 files changed, 1 insertion(+), 1 deletion(-) rename {site/profiles => modules/facts}/lib/facter/arpa.rb (100%) rename {site/profiles => modules/facts}/lib/facter/country.rb (100%) rename {site/profiles => modules/facts}/lib/facter/enc_role_path.rb (100%) rename {site/profiles => modules/facts}/lib/facter/enc_role_tier1.rb (100%) rename {site/profiles => modules/facts}/lib/facter/enc_role_tier2.rb (100%) rename {site/profiles => modules/facts}/lib/facter/enc_role_tier3.rb (100%) rename {site/profiles => modules/facts}/lib/facter/mariadb_active.rb (100%) rename {site/profiles => modules/facts}/lib/facter/mariadb_datapath.rb (100%) rename {site/profiles => modules/facts}/lib/facter/mariadb_galera_active.rb (100%) rename {site/profiles => modules/facts}/lib/facter/mariadb_installed.rb (100%) 
rename {site/profiles => modules/facts}/lib/facter/minio_datadirs_initialised.rb (100%) rename {site/profiles => modules/facts}/lib/facter/minio_group_exists.rb (100%) rename {site/profiles => modules/facts}/lib/facter/minio_pool_dns.rb (100%) rename {site/profiles => modules/facts}/lib/facter/minio_user_exists.rb (100%) rename {site/profiles => modules/facts}/lib/facter/mysql_wsrep.rb (100%) rename {site/profiles => modules/facts}/lib/facter/region.rb (100%) diff --git a/environment.conf b/environment.conf index 19e7e87..0368a47 100644 --- a/environment.conf +++ b/environment.conf @@ -1,3 +1,3 @@ manifest = manifests/site.pp -modulepath = external_modules:site +modulepath = external_modules:modules:site config_version = '/usr/bin/grep signature /etc/puppetlabs/code/environments/$environment/.g10k-deploy.json | /usr/bin/cut -d \" -f 4' diff --git a/site/profiles/lib/facter/arpa.rb b/modules/facts/lib/facter/arpa.rb similarity index 100% rename from site/profiles/lib/facter/arpa.rb rename to modules/facts/lib/facter/arpa.rb diff --git a/site/profiles/lib/facter/country.rb b/modules/facts/lib/facter/country.rb similarity index 100% rename from site/profiles/lib/facter/country.rb rename to modules/facts/lib/facter/country.rb diff --git a/site/profiles/lib/facter/enc_role_path.rb b/modules/facts/lib/facter/enc_role_path.rb similarity index 100% rename from site/profiles/lib/facter/enc_role_path.rb rename to modules/facts/lib/facter/enc_role_path.rb diff --git a/site/profiles/lib/facter/enc_role_tier1.rb b/modules/facts/lib/facter/enc_role_tier1.rb similarity index 100% rename from site/profiles/lib/facter/enc_role_tier1.rb rename to modules/facts/lib/facter/enc_role_tier1.rb diff --git a/site/profiles/lib/facter/enc_role_tier2.rb b/modules/facts/lib/facter/enc_role_tier2.rb similarity index 100% rename from site/profiles/lib/facter/enc_role_tier2.rb rename to modules/facts/lib/facter/enc_role_tier2.rb 
diff --git a/site/profiles/lib/facter/enc_role_tier3.rb b/modules/facts/lib/facter/enc_role_tier3.rb similarity index 100% rename from site/profiles/lib/facter/enc_role_tier3.rb rename to modules/facts/lib/facter/enc_role_tier3.rb diff --git a/site/profiles/lib/facter/mariadb_active.rb b/modules/facts/lib/facter/mariadb_active.rb similarity index 100% rename from site/profiles/lib/facter/mariadb_active.rb rename to modules/facts/lib/facter/mariadb_active.rb diff --git a/site/profiles/lib/facter/mariadb_datapath.rb b/modules/facts/lib/facter/mariadb_datapath.rb similarity index 100% rename from site/profiles/lib/facter/mariadb_datapath.rb rename to modules/facts/lib/facter/mariadb_datapath.rb diff --git a/site/profiles/lib/facter/mariadb_galera_active.rb b/modules/facts/lib/facter/mariadb_galera_active.rb similarity index 100% rename from site/profiles/lib/facter/mariadb_galera_active.rb rename to modules/facts/lib/facter/mariadb_galera_active.rb diff --git a/site/profiles/lib/facter/mariadb_installed.rb b/modules/facts/lib/facter/mariadb_installed.rb similarity index 100% rename from site/profiles/lib/facter/mariadb_installed.rb rename to modules/facts/lib/facter/mariadb_installed.rb diff --git a/site/profiles/lib/facter/minio_datadirs_initialised.rb b/modules/facts/lib/facter/minio_datadirs_initialised.rb similarity index 100% rename from site/profiles/lib/facter/minio_datadirs_initialised.rb rename to modules/facts/lib/facter/minio_datadirs_initialised.rb diff --git a/site/profiles/lib/facter/minio_group_exists.rb b/modules/facts/lib/facter/minio_group_exists.rb similarity index 100% rename from site/profiles/lib/facter/minio_group_exists.rb rename to modules/facts/lib/facter/minio_group_exists.rb diff --git a/site/profiles/lib/facter/minio_pool_dns.rb b/modules/facts/lib/facter/minio_pool_dns.rb similarity index 100% rename from site/profiles/lib/facter/minio_pool_dns.rb rename to modules/facts/lib/facter/minio_pool_dns.rb 
diff --git a/site/profiles/lib/facter/minio_user_exists.rb b/modules/facts/lib/facter/minio_user_exists.rb similarity index 100% rename from site/profiles/lib/facter/minio_user_exists.rb rename to modules/facts/lib/facter/minio_user_exists.rb diff --git a/site/profiles/lib/facter/mysql_wsrep.rb b/modules/facts/lib/facter/mysql_wsrep.rb similarity index 100% rename from site/profiles/lib/facter/mysql_wsrep.rb rename to modules/facts/lib/facter/mysql_wsrep.rb diff --git a/site/profiles/lib/facter/region.rb b/modules/facts/lib/facter/region.rb similarity index 100% rename from site/profiles/lib/facter/region.rb rename to modules/facts/lib/facter/region.rb From 1030ba460e82ebeb0366055632fb7bbec257323c Mon Sep 17 00:00:00 2001 
From: Ben Vincent Date: Sat, 17 Feb 2024 23:03:54 +1100 Subject: [PATCH 094/229] refacter: renamed facts to libs --- modules/{facts => libs}/lib/facter/arpa.rb | 0 modules/{facts => libs}/lib/facter/country.rb | 0 modules/{facts => libs}/lib/facter/enc_role_path.rb | 0 modules/{facts => libs}/lib/facter/enc_role_tier1.rb | 0 modules/{facts => libs}/lib/facter/enc_role_tier2.rb | 0 modules/{facts => libs}/lib/facter/enc_role_tier3.rb | 0 modules/{facts => libs}/lib/facter/mariadb_active.rb | 0 modules/{facts => libs}/lib/facter/mariadb_datapath.rb | 0 modules/{facts => libs}/lib/facter/mariadb_galera_active.rb | 0 modules/{facts => libs}/lib/facter/mariadb_installed.rb | 0 modules/{facts => libs}/lib/facter/minio_datadirs_initialised.rb | 0 modules/{facts => libs}/lib/facter/minio_group_exists.rb | 0 modules/{facts => libs}/lib/facter/minio_pool_dns.rb | 0 modules/{facts => libs}/lib/facter/minio_user_exists.rb | 0 modules/{facts => libs}/lib/facter/mysql_wsrep.rb | 0 modules/{facts => libs}/lib/facter/region.rb | 0 16 files changed, 0 insertions(+), 0 deletions(-) rename modules/{facts => libs}/lib/facter/arpa.rb (100%) rename modules/{facts => libs}/lib/facter/country.rb (100%) rename modules/{facts => libs}/lib/facter/enc_role_path.rb (100%) rename modules/{facts => libs}/lib/facter/enc_role_tier1.rb (100%) rename modules/{facts => libs}/lib/facter/enc_role_tier2.rb (100%) rename modules/{facts => libs}/lib/facter/enc_role_tier3.rb (100%) rename modules/{facts => libs}/lib/facter/mariadb_active.rb (100%) rename modules/{facts => libs}/lib/facter/mariadb_datapath.rb (100%) rename modules/{facts => libs}/lib/facter/mariadb_galera_active.rb (100%) rename modules/{facts => libs}/lib/facter/mariadb_installed.rb (100%) rename modules/{facts => libs}/lib/facter/minio_datadirs_initialised.rb (100%) rename modules/{facts => libs}/lib/facter/minio_group_exists.rb (100%) rename modules/{facts => libs}/lib/facter/minio_pool_dns.rb (100%) rename modules/{facts => 
libs}/lib/facter/minio_user_exists.rb (100%) rename modules/{facts => libs}/lib/facter/mysql_wsrep.rb (100%) rename modules/{facts => libs}/lib/facter/region.rb (100%) diff --git a/modules/facts/lib/facter/arpa.rb b/modules/libs/lib/facter/arpa.rb similarity index 100% rename from modules/facts/lib/facter/arpa.rb rename to modules/libs/lib/facter/arpa.rb diff --git a/modules/facts/lib/facter/country.rb b/modules/libs/lib/facter/country.rb similarity index 100% rename from modules/facts/lib/facter/country.rb rename to modules/libs/lib/facter/country.rb diff --git a/modules/facts/lib/facter/enc_role_path.rb b/modules/libs/lib/facter/enc_role_path.rb similarity index 100% rename from modules/facts/lib/facter/enc_role_path.rb rename to modules/libs/lib/facter/enc_role_path.rb diff --git a/modules/facts/lib/facter/enc_role_tier1.rb b/modules/libs/lib/facter/enc_role_tier1.rb similarity index 100% rename from modules/facts/lib/facter/enc_role_tier1.rb rename to modules/libs/lib/facter/enc_role_tier1.rb diff --git a/modules/facts/lib/facter/enc_role_tier2.rb b/modules/libs/lib/facter/enc_role_tier2.rb similarity index 100% rename from modules/facts/lib/facter/enc_role_tier2.rb rename to modules/libs/lib/facter/enc_role_tier2.rb diff --git a/modules/facts/lib/facter/enc_role_tier3.rb b/modules/libs/lib/facter/enc_role_tier3.rb similarity index 100% rename from modules/facts/lib/facter/enc_role_tier3.rb rename to modules/libs/lib/facter/enc_role_tier3.rb diff --git a/modules/facts/lib/facter/mariadb_active.rb b/modules/libs/lib/facter/mariadb_active.rb similarity index 100% rename from modules/facts/lib/facter/mariadb_active.rb rename to modules/libs/lib/facter/mariadb_active.rb diff --git a/modules/facts/lib/facter/mariadb_datapath.rb b/modules/libs/lib/facter/mariadb_datapath.rb similarity index 100% rename from modules/facts/lib/facter/mariadb_datapath.rb rename to modules/libs/lib/facter/mariadb_datapath.rb 
diff --git a/modules/facts/lib/facter/mariadb_galera_active.rb b/modules/libs/lib/facter/mariadb_galera_active.rb similarity index 100% rename from modules/facts/lib/facter/mariadb_galera_active.rb rename to modules/libs/lib/facter/mariadb_galera_active.rb diff --git a/modules/facts/lib/facter/mariadb_installed.rb b/modules/libs/lib/facter/mariadb_installed.rb similarity index 100% rename from modules/facts/lib/facter/mariadb_installed.rb rename to modules/libs/lib/facter/mariadb_installed.rb diff --git a/modules/facts/lib/facter/minio_datadirs_initialised.rb b/modules/libs/lib/facter/minio_datadirs_initialised.rb similarity index 100% rename from modules/facts/lib/facter/minio_datadirs_initialised.rb rename to modules/libs/lib/facter/minio_datadirs_initialised.rb diff --git a/modules/facts/lib/facter/minio_group_exists.rb b/modules/libs/lib/facter/minio_group_exists.rb similarity index 100% rename from modules/facts/lib/facter/minio_group_exists.rb rename to modules/libs/lib/facter/minio_group_exists.rb diff --git a/modules/facts/lib/facter/minio_pool_dns.rb b/modules/libs/lib/facter/minio_pool_dns.rb similarity index 100% rename from modules/facts/lib/facter/minio_pool_dns.rb rename to modules/libs/lib/facter/minio_pool_dns.rb diff --git a/modules/facts/lib/facter/minio_user_exists.rb b/modules/libs/lib/facter/minio_user_exists.rb similarity index 100% rename from modules/facts/lib/facter/minio_user_exists.rb rename to modules/libs/lib/facter/minio_user_exists.rb diff --git a/modules/facts/lib/facter/mysql_wsrep.rb b/modules/libs/lib/facter/mysql_wsrep.rb similarity index 100% rename from modules/facts/lib/facter/mysql_wsrep.rb rename to modules/libs/lib/facter/mysql_wsrep.rb diff --git a/modules/facts/lib/facter/region.rb b/modules/libs/lib/facter/region.rb similarity index 100% rename from modules/facts/lib/facter/region.rb rename to modules/libs/lib/facter/region.rb From 7f03bc5c76543a529133cf210ae0480f7bba8928 Mon Sep 17 00:00:00 2001 
From: Ben Vincent Date: Mon, 19 Feb 2024 21:08:33 +1100 Subject: [PATCH 095/229] feat: add certmanager helper - add certmanager script and config.yaml file - install into pyenv for certmanager - deploy to puppet-masters only --- hieradata/roles/infra/puppet/master.eyaml | 2 + hieradata/roles/infra/puppet/master.yaml | 7 ++ .../profiles/manifests/helpers/certmanager.pp | 75 +++++++++++++++++++ .../profiles/manifests/puppet/puppetmaster.pp | 1 + .../templates/helpers/certmanager.erb | 68 +++++++++++++++++ .../helpers/certmanager_config.yaml.erb | 7 ++ 6 files changed, 160 insertions(+) create mode 100644 hieradata/roles/infra/puppet/master.eyaml create mode 100644 site/profiles/manifests/helpers/certmanager.pp create mode 100644 site/profiles/templates/helpers/certmanager.erb create mode 100644 site/profiles/templates/helpers/certmanager_config.yaml.erb diff --git a/hieradata/roles/infra/puppet/master.eyaml b/hieradata/roles/infra/puppet/master.eyaml new file mode 100644 index 0000000..ab3e7f1 --- /dev/null +++ b/hieradata/roles/infra/puppet/master.eyaml @@ -0,0 +1,2 @@ +--- +certmanager::vault_token: ENC[PKCS7,MIIBygYJKoZIhvcNAQcDoIIBuzCCAbcCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAXnyY0VPJZ/EFBzgYBGbTQUpqcHSlGVRisDtoV54LCWM02MBFtIALvBdRovt7qP0rU1EYKObVN2r/AzxG1pOVkQdAb8IcJXochjz+kstxP8z1ZpXENOFmD8PWoqstvppC9r0RrCCXOgDCvffdV+XygKg5/LLBjOcf8cR6hsyGpgIn8xO5L2nrzQFl9/ROb3mh7/0OL3dEqyQXF74rAn3pWq4yjlbWNK0aku5gQOaNfVn2Q7+3nMYwUsGSrN1ikVSKsa4pMbEMf6qN+EqpbVMKFPXvdw+OXBkHbKpqYHHSCPN9bDJeT1icYk61DwJSJ3GFi/zREbdSNgTdZ7yNqnxvwDCBjAYJKoZIhvcNAQcBMB0GCWCGSAFlAwQBKgQQ+d/jLP79UV3MypBSdFteiYBgU539y/m6r2oiYwVeIDzUrPfLdoQpZCCg8mFSYlFiD1ZyhKeq+qLvExmdbL95f9oLF2n9D7bMt+A5iefVWzrK6UcvVJuZ5slU3bqsfhlieIFiV8EMP6N/LuUphWnwuzA5] diff --git a/hieradata/roles/infra/puppet/master.yaml b/hieradata/roles/infra/puppet/master.yaml index f47db83..39e92b4 100644 --- a/hieradata/roles/infra/puppet/master.yaml +++ b/hieradata/roles/infra/puppet/master.yaml 
@@ -18,3 +18,10 @@ profiles::puppet::gems::puppet:
 - 'deep_merge'
 - 'ipaddr'
 - 'hiera-eyaml'
+
+profiles::helpers::certmanager::vault_config:
+ addr: 'https://198.18.17.39:8200'
+ mount_point: 'pki_int'
+ role_name: 'unkin-dot-net'
+ output_path: '/tmp/certmanager'
+ token: "%{lookup('certmanager::vault_token')}"
diff --git a/site/profiles/manifests/helpers/certmanager.pp b/site/profiles/manifests/helpers/certmanager.pp
new file mode 100644
index 0000000..860d0ea
--- /dev/null
+++ b/site/profiles/manifests/helpers/certmanager.pp
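Review bot: `output_path: '/tmp/certmanager'` places whatever the helper writes (most likely issued certificates and private keys, given the `pki_int` mount and a role name) under the world-writable `/tmp`, where another local account can pre-create or symlink the path before the root-run helper does; a dedicated directory such as `/opt/certmanager/output` with `0700` permissions managed by the profile is the safer home. `addr` is an IP literal over HTTPS, so the server certificate needs that address as an IP SAN or verification in the helper (not in view here) will fail and invite being switched off; a hostname that matches the certificate avoids both.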
@@ -0,0 +1,75 @@ +# profiles::helpers::certmanager +# +# wrapper class for python, pip and venv +class profiles::helpers::certmanager ( + String $script_name = 'certmanager', + Stdlib::AbsolutePath $base_path = "/opt/${script_name}", + Stdlib::AbsolutePath $venv_path = "${base_path}/venv", + Stdlib::AbsolutePath $config_path = "${base_path}/config.yaml", + Hash $vault_config = {}, + String $owner = 'root', + String $group = 'root', + Boolean $systempkgs = false, + String $version = 'system', + Array[String[1]] $packages = ['requests', 'pyyaml'], +){ + + if $::facts['python3_version'] { + + $python_version = $version ? { + 'system' => $::facts['python3_version'], + default => $version, + } + + # ensure the base_path exists + file { $base_path: + ensure => directory, + mode => '0755', + owner => $owner, + group => $group, + } + + # create a venv + python::pyvenv { $venv_path : + ensure => present, + version => $python_version, + systempkgs => $systempkgs, + venv_dir => $venv_path, + owner => $owner, + group => $group, + require => File[$base_path], + } + + # install the required pip packages + $packages.each |String $package| { + python::pip { "${venv_path}_${package}": + ensure => present, + pkgname => $package, + virtualenv => $venv_path, + } + } + + # create the script from a template + file { "${base_path}/${script_name}": + ensure => file, + mode => '0755', + content => template("profiles/helpers/${script_name}.erb"), + require => Python::Pyvenv[$venv_path], + } + + # create the config from a template + file { $config_path: + ensure => file, + mode => '0600', + content => Sensitive(template("profiles/helpers/${script_name}_config.yaml.erb")), + require => Python::Pyvenv[$venv_path], + } + + # create symbolic link in $PATH + file { "/usr/local/bin/${script_name}": + ensure => 'link', + target => "${base_path}/${script_name}", + require => File["${base_path}/${script_name}"], + } + } +} 
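Review bot: `python::pip { ... ensure => present }` installs `requests` and `pyyaml` unpinned from the package index into the venv that will hold and use the Vault token, so whatever version PyPI serves on the day a package is missing is pulled straight onto the puppet master; pin an explicit version in `ensure` and, if the environment has one, point `python::pip` at an internal mirror. `Hash $vault_config = {}` renders a config with empty `addr`/`token` rather than failing, so a `fail()` when the required keys are missing (or a `Hash[String, String]` type with them enumerated) surfaces misconfiguration at compile time. The class header "wrapper class for python, pip and venv" undersells it; document that it deploys a script plus a config file containing a Vault token at `$config_path` (mode 0600, root) and list the keys `$vault_config` must carry (`addr`, `token`, `mount_point`, `role_name`, `output_path`).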
diff --git a/site/profiles/manifests/puppet/puppetmaster.pp b/site/profiles/manifests/puppet/puppetmaster.pp index 627f247..bf7254b 100644 --- a/site/profiles/manifests/puppet/puppetmaster.pp +++ b/site/profiles/manifests/puppet/puppetmaster.pp @@ -30,6 +30,7 @@ class profiles::puppet::puppetmaster ( include profiles::puppet::enc include profiles::puppet::autosign include profiles::puppet::gems + include profiles::helpers::certmanager class { 'puppetdb::master::config': puppetdb_server => $puppetdb_host, diff --git a/site/profiles/templates/helpers/certmanager.erb b/site/profiles/templates/helpers/certmanager.erb new file mode 100644 index 0000000..59c9ae8 --- /dev/null +++ b/site/profiles/templates/helpers/certmanager.erb 
@@ -0,0 +1,68 @@ +#!/usr/bin/env <%= @venv_path %>/bin/python + +import argparse +import requests +import json +import os +import yaml +from zipfile import ZipFile + +def load_config(config_path): + with open(config_path, 'r') as file: + config = yaml.safe_load(file) + return config['vault'] + +def request_certificate(common_name, alt_names, ip_sans, expiry_days, vault_config): + url = f"{vault_config['addr']}/v1/{vault_config['mount_point']}/issue/{vault_config['role_name']}" + headers = {'X-Vault-Token': vault_config['token']} + payload = { + "common_name": common_name, + "alt_names": ",".join(alt_names), + "ip_sans": ",".join(ip_sans), + "ttl": f"{expiry_days}d" + } + response = requests.post(url, headers=headers, json=payload, verify=False) + if response.status_code == 200: + return response.json() + else: + print(f"Error requesting certificate: {response.text}") + return None + +def save_cert_files(certificate_response, common_name, compress, config): + base_path = config.get('output_path', '.') + cert_dir = os.path.join(base_path, common_name) + if not compress: + os.makedirs(cert_dir, exist_ok=True) + with open(os.path.join(cert_dir, "certificate.crt"), "w") as cert_file: + cert_file.write(certificate_response['data']['certificate']) + with open(os.path.join(cert_dir, "private.key"), "w") as key_file: + key_file.write(certificate_response['data']['private_key']) + with open(os.path.join(cert_dir, "full_chain.crt"), "w") as full_chain_file: + full_chain_file.write(certificate_response['data']['issuing_ca'] + "\n" + certificate_response['data']['certificate']) + else: + zip_name = f"{os.path.join(base_path, common_name)}.zip" + with ZipFile(zip_name, 'w') as zipf: + zipf.writestr("certificate.crt", certificate_response['data']['certificate']) + zipf.writestr("private.key", certificate_response['data']['private_key']) + zipf.writestr("full_chain.crt", certificate_response['data']['issuing_ca'] + "\n" + certificate_response['data']['certificate']) + +def 
main(config_file): + config = load_config(config_file) + parser = argparse.ArgumentParser(description='Request and retrieve a certificate from Vault.') + parser.add_argument('common_name', type=str, help='Common Name for the certificate') + parser.add_argument('-a', '--alt-names', type=str, default='', help='Comma-separated alternative names for the certificate') + parser.add_argument('-i', '--ip-sans', type=str, default='', help='Comma-separated IP Subject Alternative Names for the certificate') + parser.add_argument('-e', '--expiry-days', type=int, default=365, help='Validity of the certificate in days (default: 365)') + parser.add_argument('-c', '--compress', action='store_true', help='Compress the certificate, key, and full chain into a zip file') + args = parser.parse_args() + alt_names = [name.strip() for name in args.alt_names.split(',') if name] + ip_sans = [ip.strip() for ip in args.ip_sans.split(',') if ip] + certificate_response = request_certificate(args.common_name, alt_names, ip_sans, args.expiry_days, config) + if certificate_response: + save_cert_files(certificate_response, args.common_name, args.compress, config) + else: + print("Failed to obtain certificate.") + +if __name__ == "__main__": + config_file = '<%= @config_path %>' + main(config_file) diff --git a/site/profiles/templates/helpers/certmanager_config.yaml.erb b/site/profiles/templates/helpers/certmanager_config.yaml.erb new file mode 100644 index 0000000..aea4d18 --- /dev/null +++ b/site/profiles/templates/helpers/certmanager_config.yaml.erb @@ -0,0 +1,7 @@ +vault: + addr: '<%= @vault_config['addr'] %>' + token: '<%= @vault_config['token'] %>' + mount_point: '<%= @vault_config['mount_point'] %>' + role_name: '<%= @vault_config['role_name'] %>' +output_path: '<%= @vault_config['output_path'] %>' + From f6110f534c58f0bfc8bca62f3ee3e67ba9578c8f Mon Sep 17 00:00:00 2001 
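Review bot: `requests.post(..., verify=False)` in `request_certificate` disables TLS validation on the one request that carries the Vault token in `X-Vault-Token`, so anyone who can answer for `vault_config['addr']` on the network receives the token and can issue certificates for every name the role allows; pass the Vault CA bundle instead, e.g. `verify=vault_config.get('ca_cert', True)`, and add that path to the config. The private key is also written with a plain `open(..., "w")` (and into a zip with default permissions), i.e. with the process umask, typically 0644; create it with mode 0600. `ttl` is sent as `f"{expiry_days}d"`, which Vault accepts, but the role's `max_ttl` will silently cap it, so the script should report the `expiration` Vault returns rather than assume the requested validity.

```python
# … unchanged: url / headers / payload …
response = requests.post(url, headers=headers, json=payload,
                         verify=vault_config.get('ca_cert', True))
# … unchanged: status handling …

# … unchanged: directory creation in save_cert_files …
key_path = os.path.join(cert_dir, "private.key")
with os.fdopen(os.open(key_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600), "w") as key_file:
    key_file.write(certificate_response['data']['private_key'])
```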
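Review bot: `output_path` is rendered at the top level of the document while the other keys sit under `vault:`, but the script's `load_config` returns only `config['vault']` and `save_cert_files` then reads `config.get('output_path', '.')` from that sub-dict, so the configured path is never seen and certificates and keys are written into whatever directory the caller happens to be in; indent it under `vault:` (`  output_path: '<%= @vault_config['output_path'] %>'`) or make `load_config` return the whole document. The values are also dropped into single quotes with no escaping, so a token or path containing `'` yields invalid YAML; `<%= @vault_config['token'].to_json %>` produces a correctly quoted scalar (JSON strings are valid YAML).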
From: Ben Vincent Date: Sun, 25 Feb 2024 19:31:32 +1100 Subject: [PATCH 096/229] feat: certmanager output as json - prepare certmanager for pki::vault class - allow puppet to read certmanager config --- site/profiles/manifests/helpers/certmanager.pp | 4 +++- .../profiles/templates/helpers/certmanager.erb | 18 +++++++++++++++--- 2 files changed, 18 insertions(+), 4 deletions(-) diff --git a/site/profiles/manifests/helpers/certmanager.pp b/site/profiles/manifests/helpers/certmanager.pp index 860d0ea..41d1730 100644 --- a/site/profiles/manifests/helpers/certmanager.pp +++ b/site/profiles/manifests/helpers/certmanager.pp @@ -60,7 +60,9 @@ class profiles::helpers::certmanager ( # create the config from a template file { $config_path: ensure => file, - mode => '0600', + mode => '0660', + owner => 'puppet', + group => 'root', content => Sensitive(template("profiles/helpers/${script_name}_config.yaml.erb")), require => Python::Pyvenv[$venv_path], } diff --git a/site/profiles/templates/helpers/certmanager.erb b/site/profiles/templates/helpers/certmanager.erb index 59c9ae8..44588e5 100644 --- a/site/profiles/templates/helpers/certmanager.erb +++ b/site/profiles/templates/helpers/certmanager.erb 
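Review bot: `mode => '0660'` with `group => 'root'` makes the file holding the Vault token writable by the root group, which is broader than the stated goal of letting the puppet user read it; `mode => '0640'` with `owner => 'puppet'` gives puppetserver read access and nobody else write access. Opening this token to the puppetserver process means every catalog compile can mint certificates with it, so confirm the token is bound to a policy limited to `pki_int/issue/<role>` — the diff does not show which policy it carries. A comment on the resource would stop the next reader from "fixing" the ownership back: `# readable by puppetserver: profiles::pki::vault runs certmanager via generate() at compile time`.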
@@ -28,10 +28,18 @@ def request_certificate(common_name, alt_names, ip_sans, expiry_days, vault_conf print(f"Error requesting certificate: {response.text}") return None -def save_cert_files(certificate_response, common_name, compress, config): +def save_cert_files(certificate_response, common_name, compress, config, json_output): base_path = config.get('output_path', '.') cert_dir = os.path.join(base_path, common_name) - if not compress: + if json_output: + import json + output = { + 'certificate': certificate_response['data']['certificate'], + 'private_key': certificate_response['data']['private_key'], + 'full_chain': certificate_response['data']['issuing_ca'] + "\n" + certificate_response['data']['certificate'], + } + print(json.dumps(output)) + elif not compress: os.makedirs(cert_dir, exist_ok=True) with open(os.path.join(cert_dir, "certificate.crt"), "w") as cert_file: cert_file.write(certificate_response['data']['certificate']) 
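Review bot: The `--json` branch prints the private key to stdout next to the certificate, which is what the compile-time caller needs but also means the key ends up in any shell history, log or pipe that captures the command; a docstring on `save_cert_files` should state that `json_output=True` emits the private key on stdout and is intended for `generate()` only, never for interactive use. The local `import json` is redundant — `json` is already imported at the top of the file, outside this hunk — and `compress` is silently ignored when `json_output` is set, so either reject the combination or document it. `save_cert_files` continues past the hunk (the compress branch).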
@@ -54,12 +62,16 @@ def main(config_file): parser.add_argument('-i', '--ip-sans', type=str, default='', help='Comma-separated IP Subject Alternative Names for the certificate') parser.add_argument('-e', '--expiry-days', type=int, default=365, help='Validity of the certificate in days (default: 365)') parser.add_argument('-c', '--compress', action='store_true', help='Compress the certificate, key, and full chain into a zip file') + parser.add_argument('--json', action='store_true', help='Output results in JSON format') args = parser.parse_args() alt_names = [name.strip() for name in args.alt_names.split(',') if name] ip_sans = [ip.strip() for ip in args.ip_sans.split(',') if ip] certificate_response = request_certificate(args.common_name, alt_names, ip_sans, args.expiry_days, config) if certificate_response: - save_cert_files(certificate_response, args.common_name, args.compress, config) + if args.json: + save_cert_files(certificate_response, args.common_name, args.compress, config, True) + else: + save_cert_files(certificate_response, args.common_name, args.compress, config, False) else: print("Failed to obtain certificate.") From 48e0bd6796a92c73cb14b629e981fdb0ea9b4005 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sun, 25 Feb 2024 21:03:55 +1100 Subject: [PATCH 097/229] fix: vault role fails on new servers - vault server fails on new servers - move unseal class to be included after vault class --- site/profiles/manifests/vault/server.pp | 103 ++++++++++---------- site/roles/manifests/infra/storage/vault.pp | 1 - 2 files changed, 54 insertions(+), 50 deletions(-) diff --git a/site/profiles/manifests/vault/server.pp b/site/profiles/manifests/vault/server.pp index a0e760a..2d00013 100644 --- a/site/profiles/manifests/vault/server.pp +++ b/site/profiles/manifests/vault/server.pp 
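Review bot: The `if args.json: ... else: ...` pair calls `save_cert_files` with identical arguments apart from a literal `True`/`False`, so it collapses to `save_cert_files(certificate_response, args.common_name, args.compress, config, args.json)`. More importantly the failure path still exits 0 after `print("Failed to obtain certificate.")`, so a `generate()` caller on the puppet master receives that sentence as its "JSON" and fails later in `parsejson` with a confusing error; print errors to stderr and end with `sys.exit(1)` so failure is distinguishable from output.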
@@ -1,7 +1,10 @@ # profiles::vault::server class profiles::vault::server ( Boolean $members_lookup = false, - String $members_role = undef, + Variant[ + String, + Undef + ] $members_role = undef, Array $vault_servers = [], Enum[ 'archive', @@ -22,12 +25,7 @@ class profiles::vault::server ( $vault_cluster = "${::facts['country']}-${::facts['region']}" # if lookup is enabled, find all the hosts in the specified role and create the servers_array - if $members_lookup { - - # check that the role is also set - unless !($members_role == undef) { - fail("members_role must be provided for ${title} when members_lookup is True") - } + if $members_lookup and $members_role != undef { # if it is, find hosts, sort them so they dont cause changes every run $servers_array = sort(query_nodes("enc_role='${members_role}' and region='${::facts['region']}'", 'networking.fqdn')) 
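Review bot: Removing the `fail()` turns a misconfiguration (`members_lookup => true` with no `members_role`) into a silent fall-through to `$vault_servers`, set just below this hunk, which the same commit then treats as "nothing to configure" when empty; keep an explicit `elsif $members_lookup { fail("members_role must be set when members_lookup is true") }` so a Vault node that quietly ends up with no configuration is noticed at compile time rather than when it fails to unseal. `Variant[String, Undef]` in the first hunk is the long spelling of `Optional[String]`. The class body continues past this hunk.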
@@ -37,54 +35,61 @@ class profiles::vault::server ( $servers_array = $vault_servers } - # set http scheme - $http_scheme = $tls_disable ? { - true => 'http', - false => 'https' - } + # configure vault if servers_array isnt empty + if ! $servers_array.empty() { - # create vault urls - $server_urls = $servers_array.map |$fqdn| { - { - leader_api_addr => "${http_scheme}://${fqdn}:${client_port}", - leader_client_cert_file => "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.crt", - leader_client_key_file => "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.key", - leader_ca_cert_file => '/etc/pki/tls/puppet/ca.pem', + # set http scheme + $http_scheme = $tls_disable ? { + true => 'http', + false => 'https' } - } - class { 'vault': - install_method => $install_method, - manage_storage_dir => $manage_storage_dir, - enable_ui => true, - storage => { - raft => { - node_id => $::facts['networking']['fqdn'], - path => $data_dir, - retry_join => $server_urls, - } - }, - api_addr => "${http_scheme}://${::facts['networking']['fqdn']}:${client_port}", - extra_config => { - cluster_addr => "${http_scheme}://${::facts['networking']['fqdn']}:${cluster_port}", - }, - listener => [ + # create vault urls + $server_urls = $servers_array.map |$fqdn| { { - tcp => { - address => "127.0.0.1:${client_port}", - cluster_address => "127.0.0.1:${cluster_port}", - tls_disable => true, + leader_api_addr => "${http_scheme}://${fqdn}:${client_port}", + leader_client_cert_file => "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.crt", + leader_client_key_file => "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.key", + leader_ca_cert_file => '/etc/pki/tls/puppet/ca.pem', + } + } + + class { 'vault': + install_method => $install_method, + manage_storage_dir => $manage_storage_dir, + enable_ui => true, + storage => { + raft => { + node_id => $::facts['networking']['fqdn'], + path => $data_dir, + retry_join => $server_urls, } }, - { - tcp => { - address => 
"${::facts['networking']['ip']}:${client_port}", - cluster_address => "${::facts['networking']['ip']}:${cluster_port}", - tls_disable => $tls_disable, - tls_cert_file => "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.crt", - tls_key_file => "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.key", + api_addr => "${http_scheme}://${::facts['networking']['fqdn']}:${client_port}", + extra_config => { + cluster_addr => "${http_scheme}://${::facts['networking']['fqdn']}:${cluster_port}", + }, + listener => [ + { + tcp => { + address => "127.0.0.1:${client_port}", + cluster_address => "127.0.0.1:${cluster_port}", + tls_disable => true, + } + }, + { + tcp => { + address => "${::facts['networking']['ip']}:${client_port}", + cluster_address => "${::facts['networking']['ip']}:${cluster_port}", + tls_disable => $tls_disable, + tls_cert_file => "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.crt", + tls_key_file => "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.key", + } } - } - ] + ] + } + + # include unseal class + include profiles::vault::unseal } } diff --git a/site/roles/manifests/infra/storage/vault.pp b/site/roles/manifests/infra/storage/vault.pp index b6afe40..fce67af 100644 --- a/site/roles/manifests/infra/storage/vault.pp +++ b/site/roles/manifests/infra/storage/vault.pp @@ -4,5 +4,4 @@ class roles::infra::storage::vault { include profiles::base include profiles::base::datavol include profiles::vault::server - include profiles::vault::unseal } From 8112c07ba84464c5317e2dd16dddfcf15ab0de12 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sun, 25 Feb 2024 21:19:43 +1100 Subject: [PATCH 098/229] fix: rebuild vault - rebuilt vault, updated root token and unseak keys --- hieradata/roles/infra/puppet/master.eyaml | 2 +- hieradata/roles/infra/storage/vault.eyaml | 10 +++++----- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/hieradata/roles/infra/puppet/master.eyaml b/hieradata/roles/infra/puppet/master.eyaml index ab3e7f1..7816abf 100644 
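Review bot: Wrapping the whole `class { 'vault': }` declaration and the `include profiles::vault::unseal` in `if ! $servers_array.empty()` means that when the PuppetDB query returns nothing (first node of a new cluster, PuppetDB lag, a wrong role name) the node converges cleanly with no Vault configuration and no unseal service, and nothing in the run says so; add an `else { warning("no vault servers found for cluster ${vault_cluster}; vault not configured") }`, or a `fail()` for the lookup case. Most of this hunk is re-indentation; the behavioural change is the guard and the moved include, which is worth saying in the commit body so a reader does not diff the listener blocks line by line.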
--- a/hieradata/roles/infra/puppet/master.eyaml +++ b/hieradata/roles/infra/puppet/master.eyaml @@ -1,2 +1,2 @@ --- -certmanager::vault_token: ENC[PKCS7,MIIBygYJKoZIhvcNAQcDoIIBuzCCAbcCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAXnyY0VPJZ/EFBzgYBGbTQUpqcHSlGVRisDtoV54LCWM02MBFtIALvBdRovt7qP0rU1EYKObVN2r/AzxG1pOVkQdAb8IcJXochjz+kstxP8z1ZpXENOFmD8PWoqstvppC9r0RrCCXOgDCvffdV+XygKg5/LLBjOcf8cR6hsyGpgIn8xO5L2nrzQFl9/ROb3mh7/0OL3dEqyQXF74rAn3pWq4yjlbWNK0aku5gQOaNfVn2Q7+3nMYwUsGSrN1ikVSKsa4pMbEMf6qN+EqpbVMKFPXvdw+OXBkHbKpqYHHSCPN9bDJeT1icYk61DwJSJ3GFi/zREbdSNgTdZ7yNqnxvwDCBjAYJKoZIhvcNAQcBMB0GCWCGSAFlAwQBKgQQ+d/jLP79UV3MypBSdFteiYBgU539y/m6r2oiYwVeIDzUrPfLdoQpZCCg8mFSYlFiD1ZyhKeq+qLvExmdbL95f9oLF2n9D7bMt+A5iefVWzrK6UcvVJuZ5slU3bqsfhlieIFiV8EMP6N/LuUphWnwuzA5] +certmanager::vault_token: ENC[PKCS7,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] diff --git a/hieradata/roles/infra/storage/vault.eyaml b/hieradata/roles/infra/storage/vault.eyaml index 4e68db5..11fff31 100644 --- a/hieradata/roles/infra/storage/vault.eyaml +++ b/hieradata/roles/infra/storage/vault.eyaml 
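Review bot: The commit says the rebuilt cluster's root token was updated, and the only token changed is `certmanager::vault_token`, which suggests the certificate helper on the puppet master is running with Vault's root token; a root token can read every secret and rotate the unseal configuration, so the helper should receive a token from a policy scoped to `pki_int/issue/<role>` (ideally via AppRole with a short TTL rather than a static token). Patches 100 and 101 later change the role and the token, so confirm the replacement is the policy-scoped one and revoke the root token once it is. The value is eyaml-encrypted, so committing it is fine; the concern is only what it is allowed to do.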
@@ -1,7 +1,7 @@ --- vault::unseal_keys: - - ENC[PKCS7,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] - - ENC[PKCS7,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] - - ENC[PKCS7,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] - - ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAbx8zkPuZRlyeA/27xJZqXyjNkEA4JjsJQPh7BwuiLAqXUDeLLcUWTPOZ/YcJUS2IxLcYXsyWC/WAuhvKrLPCObHDndyWOq32sjI2ywaehMJc2w2cG0Iq4wdHo9Plfmu8T2jA2Tbe/cSuV84bh+toBTIKgckqulcBcgCMKSb5NUbdb33pB/YGieUMdrMfVyLVQUT88lmIXpKkfPN4z49cGEHXxbI7mgi7iUM0JbDJDddkH3jD1v3AI8Cr+/3y68+KMMxPVn1kwzPmLAjxkIJ/WySf7uEBEPrbshvsqS0D+OLk4ujOoBb3dpk5o07O6Sv4UA3R3Qa3Co63l8hGykjNSzBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBA70ywaIoOH465wLatsqHP3gDDB+GjjyySugoeismeS+5WMCuepilQ9mBned/nqw0i+8+WrNhsSTTP23hmpWeYAdug=] - - ENC[PKCS7,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] + - ENC[PKCS7,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] + - ENC[PKCS7,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] + - ENC[PKCS7,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] + - ENC[PKCS7,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] + - ENC[PKCS7,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] From d1f5d3c09e2a03843f4b6bbf0516e614de947767 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sun, 25 Feb 2024 21:23:43 +1100 Subject: [PATCH 099/229] fix: restart vault-unseal - restart vault-unseal when the unseal keys change --- site/profiles/manifests/vault/unseal.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/site/profiles/manifests/vault/unseal.pp b/site/profiles/manifests/vault/unseal.pp index 81ccb89..cff32a1 100644 --- a/site/profiles/manifests/vault/unseal.pp +++ b/site/profiles/manifests/vault/unseal.pp 
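Review bot: All five Shamir unseal key shares are stored under one hiera key and, via `profiles::vault::unseal` (which manages `/etc/vault/unseal_keys` and the `vault-unseal` service), deployed together onto the Vault server itself, so the threshold that key splitting is meant to provide collapses to "read one file on the host": root on the node, a disk image, or the eyaml private key is enough to unseal every copy of the data. If automatic unseal is required, keep at most the threshold number of shares on the box, or better switch to Vault auto-unseal (transit or a KMS) and hold the shares offline with different custodians. At minimum add a comment recording how many shares the threshold needs and where the shares not deployed here live.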
@@ -32,6 +32,6 @@ class profiles::vault::unseal ( active => true, enable => true, require => File['/usr/local/bin/vault-unseal.sh'], - subscribe => Service['vault'], + subscribe => [Service['vault'],File['/etc/vault/unseal_keys']], } } From 6bcdda1a93141a5fab2e3db11e3169b70828ced2 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sun, 25 Feb 2024 22:11:31 +1100 Subject: [PATCH 100/229] chore: update vault policy - updated vault policy for certificates --- hieradata/roles/infra/puppet/master.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hieradata/roles/infra/puppet/master.yaml b/hieradata/roles/infra/puppet/master.yaml index 39e92b4..86dcbec 100644 --- a/hieradata/roles/infra/puppet/master.yaml +++ b/hieradata/roles/infra/puppet/master.yaml @@ -22,6 +22,6 @@ profiles::puppet::gems::puppet: profiles::helpers::certmanager::vault_config: addr: 'https://198.18.17.39:8200' mount_point: 'pki_int' - role_name: 'unkin-dot-net' + role_name: 'servers_default' output_path: '/tmp/certmanager' token: "%{lookup('certmanager::vault_token')}" From 5b56767be7707a8688d2e1fa989fb26a466d9587 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sun, 25 Feb 2024 22:32:18 +1100 Subject: [PATCH 101/229] chore: updated vault_token --- hieradata/roles/infra/puppet/master.eyaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hieradata/roles/infra/puppet/master.eyaml b/hieradata/roles/infra/puppet/master.eyaml index 7816abf..2efc6d9 100644 --- a/hieradata/roles/infra/puppet/master.eyaml +++ b/hieradata/roles/infra/puppet/master.eyaml @@ -1,2 +1,2 @@ --- -certmanager::vault_token: ENC[PKCS7,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] +certmanager::vault_token: ENC[PKCS7,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] From 36c2e6afaaab54aaf211dc737dc366029a04fe06 Mon Sep 17 00:00:00 2001 
From: Ben Vincent Date: Sun, 25 Feb 2024 23:04:43 +1100 Subject: [PATCH 102/229] fix: ssl warning breaks puppet run - remove ssl warning for certmanager temporarily --- site/profiles/templates/helpers/certmanager.erb | 3 +++ 1 file changed, 3 insertions(+) diff --git a/site/profiles/templates/helpers/certmanager.erb b/site/profiles/templates/helpers/certmanager.erb index 44588e5..d1d2c0b 100644 --- a/site/profiles/templates/helpers/certmanager.erb +++ b/site/profiles/templates/helpers/certmanager.erb @@ -7,6 +7,9 @@ import os import yaml from zipfile import ZipFile +# remove this after certs are generated everywhere +requests.packages.urllib3.disable_warnings() + def load_config(config_path): with open(config_path, 'r') as file: config = yaml.safe_load(file) From 8009b595142208ca57901b446b75ac3ef9bc19dd Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sun, 25 Feb 2024 19:13:46 +1100 Subject: [PATCH 103/229] feat: automatically generate vault certs - certificate will be generated for: - fqdn - hostname - primary ip address - localhost - 127.0.0.1 - update base profile to generate vault certificate for all - create facts for use with vault_certs --- .../libs/lib/facter/vault_cert_altnames.rb | 15 +++ .../libs/lib/facter/vault_cert_expiring.rb | 21 ++++ site/profiles/manifests/base.pp | 1 + site/profiles/manifests/pki/vault.pp | 106 ++++++++++++++++++ 4 files changed, 143 insertions(+) create mode 100644 modules/libs/lib/facter/vault_cert_altnames.rb create mode 100644 modules/libs/lib/facter/vault_cert_expiring.rb create mode 100644 site/profiles/manifests/pki/vault.pp diff --git a/modules/libs/lib/facter/vault_cert_altnames.rb b/modules/libs/lib/facter/vault_cert_altnames.rb new file mode 100644 index 0000000..05194f0 --- /dev/null +++ b/modules/libs/lib/facter/vault_cert_altnames.rb 
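Review bot: `requests.packages.urllib3.disable_warnings()` silences the InsecureRequestWarning that exists because the POST is made with `verify=False`, so the only remaining signal that the Vault token is sent over an unverified connection disappears; the comment "remove this after certs are generated everywhere" names the symptom, not the fix. The fix is to stop passing `verify=False`: once the Vault root CA is in the system trust store (a later patch in this series installs it) the default `verify=True` works, or the CA bundle path can be given explicitly from the config. If the warning must be suppressed for a transition period, do it narrowly and behind a config flag — `warnings.filterwarnings('ignore', category=urllib3.exceptions.InsecureRequestWarning)` — rather than unconditionally at import time.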
@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+# lib/facter/vault_cert_altnames.rb
+require 'puppet'
+
+Facter.add('vault_cert_altnames') do
+ setcode do
+ alt_names_file = '/etc/pki/tls/vault/alt_names'
+ if File.exist?(alt_names_file)
+ File.read(alt_names_file).split("\n")
+ else
+ []
+ end
+ end
+end
diff --git a/modules/libs/lib/facter/vault_cert_expiring.rb b/modules/libs/lib/facter/vault_cert_expiring.rb
new file mode 100644
index 0000000..359609c
--- /dev/null
+++ b/modules/libs/lib/facter/vault_cert_expiring.rb
@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+# lib/facter/vault_cert_expiring.rb
+require 'puppet'
+
+Facter.add(:vault_cert_expiring) do
+ setcode do
+ require 'openssl'
+ cert_path = '/etc/pki/tls/vault/certificate.crt'
+ if File.exist?(cert_path)
+ # If the certificate file exists, check its expiration
+ cert = OpenSSL::X509::Certificate.new(File.read(cert_path))
+ cert_expiry = cert.not_after
+ days_remaining = (cert_expiry - Time.now).to_i / (24 * 60 * 60)
+ days_remaining < 30
+ else
+ # Report true if the certificate file does not exist
+ true
+ end
+ end
+end
diff --git a/site/profiles/manifests/base.pp b/site/profiles/manifests/base.pp
index 40eaa2b..f38d247 100644
--- a/site/profiles/manifests/base.pp
+++ b/site/profiles/manifests/base.pp
@@ -33,6 +33,7 @@ class profiles::base (
 include profiles::accounts::sysadmin
 include profiles::ntp::client
 include profiles::dns::base
+ include profiles::pki::vault
 include profiles::cloudinit::init
 include profiles::metrics::default
 include profiles::helpers::node_lookup
diff --git a/site/profiles/manifests/pki/vault.pp b/site/profiles/manifests/pki/vault.pp
new file mode 100644
index 0000000..820836c
--- /dev/null
+++ b/site/profiles/manifests/pki/vault.pp
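Review bot: If `certificate.crt` exists but cannot be parsed (a truncated write, a stray character in the PEM, an unreadable file), `OpenSSL::X509::Certificate.new` raises inside `setcode`; Facter logs the error and leaves the fact unresolved, and `profiles::pki::vault` then sees a nil `vault_cert_expiring`, treats it as "not expiring" and never replaces the broken certificate. Rescue and report `true` so a bad file triggers renewal, e.g. `rescue OpenSSL::X509::CertificateError, Errno::EACCES then true` around the parse. The 30-day threshold duplicates knowledge of the manifest's 90-day `$valid_days`; a comment such as `# renew in the last third of the 90-day validity set by profiles::pki::vault` ties them together, and `require 'puppet'` is unnecessary in both facts and only slows standalone `facter` runs.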
@@ -0,0 +1,106 @@ +# profiles::pki::vault +class profiles::pki::vault ( + Optional[Array[Stdlib::Host]] $alt_names = [], + Optional[Array[Stdlib::IP::Address]] $ip_sans = [], +){ + + # validate and prepare additional alt_names, if any + $default_alt_names = [$::facts['networking']['hostname'], $::facts['networking']['fqdn']] + $effective_alt_names = $alt_names ? { + [] => $default_alt_names, + default => concat($default_alt_names, $alt_names), + } + + # validate and prepare additional ip_sans, if any + $default_ip_sans = ['127.0.0.1', $::facts['networking']['ip']] + $effective_ip_sans = $ip_sans ? { + [] => $default_ip_sans, + default => concat($default_ip_sans, $ip_sans), + } + + # path for the alt names file + $base_path = '/etc/pki/tls/vault' + $alt_names_file = "${base_path}/alt_names" + + # ensure the base directory exists + file { $base_path: + ensure => directory, + owner => 'root', + group => 'root', + mode => '0755', + } + + # alt_names_file contents + $alt_names_content = concat($effective_alt_names, $effective_ip_sans) + + # manage the alt names file + file { $alt_names_file: + ensure => file, + owner => 'root', + group => 'root', + mode => '0644', + content => join($alt_names_content, "\n"), + } + + # compare the sorted arrays of altnames from disk (fact) vs what is intended (this run) + $alt_names_match = sort($::facts['vault_cert_altnames']) == sort($alt_names_content) + + # only renew certificate if its expiring or the alt names have changed + if $::facts['vault_cert_expiring'] or ! $alt_names_match { + + # certificate variables + $common_name = $::facts['networking']['fqdn'] + $valid_days = 90 + + # prepare alt_names and ip_sans arguments conditionally + $alt_names_string = $effective_alt_names.empty() ? { + true => '', + default => join($effective_alt_names, ','), + } + $ip_sans_string = $effective_ip_sans.empty() ? 
{ + true => '', + default => join($effective_ip_sans, ','), + } + + # certmanager arguments + $cmd = '/usr/local/bin/certmanager' + $alt_names_arg = '--alt-names' + $ip_sans_arg = '--ip-sans' + $expiry_days_arg = '--expiry-days' + + # call the script with generate(), capturing json output + $json_output = generate( + $cmd, + $common_name, + $alt_names_arg, + $alt_names_string, + $ip_sans_arg, + $ip_sans_string, + $expiry_days_arg, + $valid_days, + '--json' + ) + $cert_data = parsejson($json_output) + + # manage certificate file resources based on script output + $certificate_files = { + "${base_path}/certificate.crt" => $cert_data['certificate'], + "${base_path}/private.key" => $cert_data['private_key'], + "${base_path}/full_chain.crt" => $cert_data['full_chain'], + "${base_path}/ca_certificate.crt" => $cert_data['ca_certificate'], + "${base_path}/certificate.pem" => "${cert_data['certificate']}\n${cert_data['private_key']}", + } + + # manage each file resources + $certificate_files.each |$file_path, $content| { + file { $file_path: + ensure => file, + content => $content, + owner => 'root', + group => 'root', + mode => '0644', + require => File[$base_path], + } + } + } +} From 3e98ced8da8999185c709f366d0cd779908631fe Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sun, 3 Mar 2024 14:42:31 +1100 Subject: [PATCH 104/229] feat: change nginx to use vault ssl certs - update packagerepo webserver class to allow using ssl --- hieradata/roles/infra/reposync/syncer.yaml | 5 ++ site/profiles/manifests/reposync/webserver.pp | 54 ++++++++++++++++++- 2 files changed, 57 insertions(+), 2 deletions(-) diff --git a/hieradata/roles/infra/reposync/syncer.yaml b/hieradata/roles/infra/reposync/syncer.yaml index 762a9d4..bbf8213 100644 --- a/hieradata/roles/infra/reposync/syncer.yaml +++ b/hieradata/roles/infra/reposync/syncer.yaml 
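Review bot: `"${base_path}/private.key"` and `"${base_path}/certificate.pem"` (which embeds the key) are managed with `mode => '0644'` and plain `content`, so on every node that includes `profiles::base` the Vault-issued private key is world-readable on disk and travels unredacted in the catalog (cached locally by the agent and stored in PuppetDB if catalog storage is on); give the key files `mode => '0600'` and wrap the content in `Sensitive()` as `profiles::helpers::certmanager` already does for its config. The CN and the default `alt_names`/`ip_sans` come from `$::facts['networking']`, values the agent itself reports, while the certificate is minted with the master's Vault token, so a compromised node can present a different `fqdn` fact and obtain a valid certificate for another host; use `$trusted['certname']`, which comes from the agent's CA-verified client certificate, for `common_name` and `$trusted['hostname']` for the short name. `$cert_data['ca_certificate']` is never emitted by the helper's `--json` branch (it outputs `certificate`, `private_key` and `full_chain`), so `ca_certificate.crt` is created empty; drop it or add the key to the script. A class header explaining that this calls Vault on the master at compile time through `generate()` whenever `vault_cert_expiring` is true or the alt names changed, and that a helper failure aborts the node's catalog, would help the next reader.

```puppet
# … unchanged: alt_names / ip_sans preparation and alt_names file …
# bind the certificate to the identity the puppet CA already verified, not to an agent-supplied fact
$common_name = $trusted['certname']
# … unchanged: generate() call and parsejson …
$certificate_files = {
  "${base_path}/certificate.crt" => { content => $cert_data['certificate'], mode => '0644' },
  "${base_path}/private.key"     => { content => $cert_data['private_key'], mode => '0600' },
  "${base_path}/full_chain.crt"  => { content => $cert_data['full_chain'], mode => '0644' },
  "${base_path}/certificate.pem" => { content => "${cert_data['certificate']}\n${cert_data['private_key']}", mode => '0600' },
}
$certificate_files.each |$file_path, $attrs| {
  file { $file_path:
    ensure  => file,
    content => Sensitive($attrs['content']),
    owner   => 'root',
    group   => 'root',
    mode    => $attrs['mode'],
    require => File[$base_path],
  }
}
```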
@@ -2,6 +2,11 @@ profiles::packages::install: - createrepo +profiles::pki::vault::alt_names: + - repos.main.unkin.net + +profiles::reposync::webserver::nginx_listen_mode: both +profiles::reposync::webserver::nginx_cert_type: vault profiles::reposync::repos_list: almalinux_8_9_baseos: repository: 'BaseOS' diff --git a/site/profiles/manifests/reposync/webserver.pp b/site/profiles/manifests/reposync/webserver.pp index 789ce21..baa7f76 100644 --- a/site/profiles/manifests/reposync/webserver.pp +++ b/site/profiles/manifests/reposync/webserver.pp 
@@ -2,21 +2,71 @@ class profiles::reposync::webserver ( String $www_root = '/data/repos/snap', String $nginx_vhost = 'repos.main.unkin.net', - Integer $nginx_port = 80, + Stdlib::Port $nginx_port = 80, + Stdlib::Port $nginx_ssl_port = 443, Boolean $favicon = true, + Enum['http','https','both'] $nginx_listen_mode = 'http', + Enum['puppet', 'vault'] $nginx_cert_type = 'vault' ) { + # select the certificates to use based on cert type + case $nginx_cert_type { + 'puppet': { + $selected_ssl_cert = "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.crt" + $selected_ssl_key = "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.key" + } + 'vault': { + $selected_ssl_cert = '/etc/pki/tls/vault/certificate.crt' + $selected_ssl_key = '/etc/pki/tls/vault/private.key' + } + default: { + # enum param prevents this ever being reached + } + } + + # set variables based on the listen_mode + case $nginx_listen_mode { + 'http': { + $enable_ssl = false + $ssl_cert = undef + $ssl_key = undef + $listen_port = $nginx_port + $listen_ssl_port = undef + } + 'https': { + $enable_ssl = true + $ssl_cert = $selected_ssl_cert + $ssl_key = $selected_ssl_key + $listen_port = $nginx_ssl_port + $listen_ssl_port = $nginx_ssl_port + } + 'both': { + $enable_ssl = true + $ssl_cert = $selected_ssl_cert + $ssl_key = $selected_ssl_key + $listen_port = $nginx_port + $listen_ssl_port = $nginx_ssl_port + } + default: { + # enum param prevents this ever being reached + } + } + class { 'nginx': } # create the nginx vhost nginx::resource::server { $nginx_vhost: - listen_port => $nginx_port, + listen_port => $listen_port, server_name => [$nginx_vhost], use_default_location => true, access_log => "/var/log/nginx/${nginx_vhost}_access.log", error_log => "/var/log/nginx/${nginx_vhost}_error.log", www_root => $www_root, autoindex => 'on', + ssl => $enable_ssl, + ssl_cert => $ssl_cert, + ssl_key => $ssl_key, + ssl_port => $listen_ssl_port, } if $favicon { 
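Review bot: In `'both'` mode the plain-HTTP listener stays up with no redirect, so clients already using `http://repos.main.unkin.net` keep fetching packages in clear after the certificate is deployed; if the intent is migration, set `ssl_redirect => true` on the `nginx::resource::server` (supported by recent puppet-nginx releases) so `http` becomes a redirect rather than a second unauthenticated path, or add a comment that plain HTTP is deliberately retained for clients relying on signed repodata. Style: the two `case` statements with comment-only `default:` branches read more simply as selectors, `$selected_ssl_cert = $nginx_cert_type ? { 'puppet' => "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.crt", 'vault' => '/etc/pki/tls/vault/certificate.crt' }`. The new parameters need doc comments, in particular that `nginx_cert_type => 'vault'` (the default) requires `profiles::pki::vault` to have written `/etc/pki/tls/vault/` on the node or nginx will fail its config test.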
From 05d2599bc5fc2adc01f5a734c53f9a080ecc011f Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sun, 3 Mar 2024 14:07:23 +1100 Subject: [PATCH 105/229] feat: ensure vaultca certificate is trusted - install the vault rootca on all nodes - update ca-trust store on changes to the rootca certificate deployed --- site/profiles/manifests/base.pp | 1 + site/profiles/manifests/pki/vaultca.pp | 37 ++++++++++++++++ .../templates/pki/vaultcaroot.pem.erb | 42 +++++++++++++++++++ 3 files changed, 80 insertions(+) create mode 100644 site/profiles/manifests/pki/vaultca.pp create mode 100644 site/profiles/templates/pki/vaultcaroot.pem.erb diff --git a/site/profiles/manifests/base.pp b/site/profiles/manifests/base.pp index f38d247..d098b7b 100644 --- a/site/profiles/manifests/base.pp +++ b/site/profiles/manifests/base.pp @@ -34,6 +34,7 @@ class profiles::base ( include profiles::ntp::client include profiles::dns::base include profiles::pki::vault + include profiles::pki::vaultca include profiles::cloudinit::init include profiles::metrics::default include profiles::helpers::node_lookup diff --git a/site/profiles/manifests/pki/vaultca.pp b/site/profiles/manifests/pki/vaultca.pp new file mode 100644 index 0000000..856459f --- /dev/null +++ b/site/profiles/manifests/pki/vaultca.pp 
@@ -0,0 +1,37 @@
+# ensure the ca certificate for vault is installed everywhere
+class profiles::pki::vaultca {
+ $root_cacert = 'vaultcaroot.pem'
+
+ # Define the target path based on the operating system
+ case $facts['os']['family'] {
+ 'RedHat': {
+ $ca_cert_target_path = "/etc/pki/ca-trust/source/anchors/${root_cacert}"
+ $update_ca_cert_command = 'update-ca-trust extract'
+ }
+ 'Debian': {
+ $ca_cert_target_path = "/usr/local/share/ca-certificates/${root_cacert}"
+ $update_ca_cert_command = 'update-ca-certificates'
+ }
+ default: {
+ fail("Unsupported operating system: ${facts['os']['family']}")
+ }
+ }
+
+ # Ensure the CA certificate is present and contains the content from the template
+ file { $ca_cert_target_path:
+ ensure => file,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ content => template('profiles/pki/vaultcaroot.pem.erb'),
+ notify => Exec['update_ca_trust_store'],
+ }
+
+ # Execute the system command to update the CA trust store
+ exec { 'update_ca_trust_store':
+ command => $update_ca_cert_command,
+ path => ['/bin', '/usr/bin'],
+ refreshonly => true,
+ require => File[$ca_cert_target_path],
+ }
+}
diff --git a/site/profiles/templates/pki/vaultcaroot.pem.erb b/site/profiles/templates/pki/vaultcaroot.pem.erb
new file mode 100644
index 0000000..aacae0e
--- /dev/null
+++ b/site/profiles/templates/pki/vaultcaroot.pem.erb
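Review bot: On Debian the anchor is written to `/usr/local/share/ca-certificates/vaultcaroot.pem`, but `update-ca-certificates` only imports files with a `.crt` extension from that directory, so the Debian branch installs nothing into the trust store while the exec reports success; use a `.crt` name there, e.g. `$ca_cert_target_path = "/usr/local/share/ca-certificates/vaultcaroot.crt"`, or make `$root_cacert` per family. Rotation is also unmanaged: when the anchor is replaced the old file needs `ensure => absent` with the same `notify`, otherwise both CAs stay trusted on every node. The template actually ships the intermediate as well as the root, which the name "rootca" hides; say so in the class comment.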
@@ -0,0 +1,42 @@ +-----BEGIN CERTIFICATE----- +MIIDrDCCApSgAwIBAgIUAyjDayxDtmvXzttcT1jUg9KU08swDQYJKoZIhvcNAQEL +BQAwFDESMBAGA1UEAxMJdW5raW4ubmV0MB4XDTI0MDIyNTExMDI0NloXDTI5MDIy +MzExMDMxNlowKzEpMCcGA1UEAxMgdW5raW4ubmV0IEludGVybWVkaWF0ZSBBdXRo +b3JpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCft5vNuV0S+WPN +qIm8N09yQcWUjK7S5LeWqFi2sYvxB3PZIsbGF4oB5QQKbHOvwSp+/70gQ0HeyBpq +yS3bVJK/OYMQXbYj+wpS8FXd1WeD5XphAEPV/vfWixQWOHLm4A+yjVbyFiaD4Z8e +0/cvi48WPp3uzyVFW12U/XRZ/eHF4psJ1tsNt8e1JcAsAmRXUr1R0JgKNDBJsu2Q +2EPa6MqRpJVKfI4cvOYM3XyXN5pCogAJaleg+TMdZ3wCQljTBpojzX947Ky1Yosa +GtZ2tNes8cpq3mzHqH8fms89H1JBPttOCVJXwK1sEdwkXYh6aktUDGkjppvaG013 +eSx/LDFvAgMBAAGjgd4wgdswDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMB +Af8wHQYDVR0OBBYEFEMfNj+VqQQF2XHJm1qK0RhCZxnRMB8GA1UdIwQYMBaAFCqI +QnrNBzDWmM1YryAlmIbAnwLPMEAGCCsGAQUFBwEBBDQwMjAwBggrBgEFBQcwAoYk +aHR0cDovLzEyNy4wLjAuMTo4MjAwL3YxL3BraV9yb290L2NhMDYGA1UdHwQvMC0w +K6ApoCeGJWh0dHA6Ly8xMjcuMC4wLjE6ODIwMC92MS9wa2lfcm9vdC9jcmwwDQYJ +KoZIhvcNAQELBQADggEBALMGlMJ7twlrBkBJLBgDmF7+Q5rpiHz9zBhLU8fh0HiR +dhqe3yJcO87o3CrCiQXqtWHGy4Ogl2QvastKKhFBIcwp8BBXxzp68HG+SIJAzWau +val0pncs/2V3TIk1iOXLY7YXDm6x4ND+iUz5rmILs/0q82S3iAbro4IckinfmGjI +7En8eg7VRv8z2FL51+giov5zqH7NT3TjvYZzf20EKHmOlyZhAboktNxVpoj4cAGl +iUW3GFSva8F6VS49I9pejBFJUQeIILz5jeTEdzG643DnujjjNqw8ad3ivakBYD1G +YxGhYmLfh5RmESCeAgBbLQgRa1vNz1YYWhjn4OP0KKs= +-----END CERTIFICATE----- +,-----BEGIN CERTIFICATE----- +MIIDLzCCAhegAwIBAgIUeXJ+O/IJWu4Fl4+KdZl5r166SokwDQYJKoZIhvcNAQEL +BQAwFDESMBAGA1UEAxMJdW5raW4ubmV0MB4XDTI0MDIyNTExMDEwNVoXDTM0MDIy +MjExMDEzNFowFDESMBAGA1UEAxMJdW5raW4ubmV0MIIBIjANBgkqhkiG9w0BAQEF +AAOCAQ8AMIIBCgKCAQEAzKFwXIKAkavv5RgGUEzGQIgys1Uw97RBp4aE7glT++hs +60WSwKBRr+sk7zdL3LGMK/xClTIBt3eFJ2RMxEf/N/qLPoA1JqOzsHua1nXCR1sA +puP5HVfrS6YvfsXGpqJywX7tfaqk+7+Mq4Bbp22+JXmgBpfcQhCy9CNRd8gaLM67 +LaznQEcmeurdqvqeUxSMUsymeLLSi2+Fx+M9bPiYYXvK3Hu7k7VVsDPamglBsZaG +QC7Up7ZD1h+UaweK/lC5v8HkW6xZ8OWZBEm0F6XFRIRRbroFTZXniAUu60FpoCCD +Ga9AfUrAAIWFQjd0iJ2fgzbX1qeLozKn1T/oMAiKhQIDAQABo3kwdzAOBgNVHQ8B 
+Af8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUKohCes0HMNaYzViv +ICWYhsCfAs8wHwYDVR0jBBgwFoAUKohCes0HMNaYzVivICWYhsCfAs8wFAYDVR0R +BA0wC4IJdW5raW4ubmV0MA0GCSqGSIb3DQEBCwUAA4IBAQCBVjvJIAp3AtEhRO/V +wYtF/t6ntSKs8limCGnHHvJDvUJGkIP5ihCDQYviNyYIf7CrtRUmYzzOmwA4OEjq +cwxrdRynqkUz8jeRL2Ljc1kEs5A4rY2X8EtoUaCu4p55wm7Bh/m2lYASHHMpuza8 +CR2DtlSQR8/x9gFKzAZO6rOw89qqU34p/cf7DlymDACjJr0QmhLa5IQMSj8ObsbT +c9sb9NXMFTsFkuCrkF5iLmeDZgmgyJNXkzFEh3TPeL15jKBXSJOHsBe8j3E3VMWS +YOL0pDU1XzfJedKGzX3LxvK6aUuBbtgaf/PW3IYX3KToolqfB30H2AO6Q/3LBl8M +aN8H +-----END CERTIFICATE----- From 88ba8406b84e694cfab6c74e4dd5772b63168a75 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sun, 3 Mar 2024 15:01:14 +1100 Subject: [PATCH 106/229] feat: deep merge alt_names and ip_sans - set hiera to deep-merge alt_names and ip_sans for generating vault certificates --- hieradata/common.yaml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/hieradata/common.yaml b/hieradata/common.yaml index aa7b70c..e8395ca 100644 --- a/hieradata/common.yaml +++ b/hieradata/common.yaml @@ -12,6 +12,12 @@ lookup_options: profiles::packages::remove_exclude: merge: strategy: deep + profiles::pki::vault::alt_names: + merge: + strategy: deep + profiles::pki::vault::ip_sans: + merge: + strategy: deep facts_path: '/opt/puppetlabs/facter/facts.d' From 0782cd5679ee7c3a3c6b7dc7dd81b924580bf74d Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sun, 3 Mar 2024 15:22:01 +1100 Subject: [PATCH 107/229] feat: dynamically add subscribe to nginx resource - add subscribe option to nginx resource dependent on nginx_listen_mode - ensure nginx reloads when the ssl_cert or ssl_key changes, only if these values are not undef - ensure the file resources are defined for certificates --- site/profiles/manifests/pki/vault.pp | 20 +++++++++ site/profiles/manifests/reposync/webserver.pp | 42 ++++++++++++------- 2 files changed, 47 insertions(+), 15 deletions(-) 
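Review bot: The second certificate block begins with `,-----BEGIN CERTIFICATE-----`; the leading comma looks like a paste artefact, and PEM readers that require `-----BEGIN` at the start of the line (OpenSSL's does) will skip that block, so only the intermediate would be installed as an anchor — drop the comma. Decoding the base64 of the first certificate, its AIA and CRL distribution point appear to be `http://127.0.0.1:8200/v1/pki_root/...`, which no node other than the Vault host can reach, so CRL-based revocation checking for this chain would fail silently; worth reissuing the intermediate with a reachable URL if revocation matters. A header comment in the template naming the two blocks and their expiry dates would keep the rotation date visible, e.g. `# 1: unkin.net Intermediate Authority (expires <EXPIRY-DATE>)  2: unkin.net root CA (expires <EXPIRY-DATE>) — rotate before expiry` (ERB `<%# %>` so it does not end up in the installed file). The file also contains no ERB tags, so a static `source =>` file would serve the same purpose without template evaluation.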
diff --git a/site/profiles/manifests/pki/vault.pp b/site/profiles/manifests/pki/vault.pp index 820836c..7008085 100644 --- a/site/profiles/manifests/pki/vault.pp +++ b/site/profiles/manifests/pki/vault.pp @@ -102,5 +102,25 @@ class profiles::pki::vault ( require => File[$base_path], } } + + }else{ + # manage each file resources, but dont change the content + $certificate_files = [ + "${base_path}/certificate.crt", + "${base_path}/private.key", + "${base_path}/full_chain.crt", + "${base_path}/ca_certificate.crt", + "${base_path}/certificate.pem" + ] + + $certificate_files.each |$file_path| { + file { $file_path: + ensure => file, + owner => 'root', + group => 'root', + mode => '0644', + require => File[$base_path], + } + } } } diff --git a/site/profiles/manifests/reposync/webserver.pp b/site/profiles/manifests/reposync/webserver.pp index baa7f76..12ec17d 100644 --- a/site/profiles/manifests/reposync/webserver.pp +++ b/site/profiles/manifests/reposync/webserver.pp @@ -32,6 +32,7 @@ class profiles::reposync::webserver ( $ssl_key = undef $listen_port = $nginx_port $listen_ssl_port = undef + $extras_hash = {} } 'https': { $enable_ssl = true @@ -39,6 +40,9 @@ class profiles::reposync::webserver ( $ssl_key = $selected_ssl_key $listen_port = $nginx_ssl_port $listen_ssl_port = $nginx_ssl_port + $extras_hash = { + 'subscribe' => [File[$ssl_cert], File[$ssl_key]], + } } 'both': { $enable_ssl = true 
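Review bot: `"${base_path}/private.key"` is managed with `mode => '0644'` in the new else-branch of vault.pp, which leaves the TLS private key world-readable on every node that takes this path. Only the key needs to differ, e.g. `mode => $file_path ? { "${base_path}/private.key" => '0600', default => '0644' },` or manage the key outside the shared loop. Because the branch sets `ensure => file` with no content, a node that never had certificates issued ends up with zero-byte cert and key files that nginx will then fail to load — hedged, since the if-side of this conditional starts above the hunk and may guarantee their presence. Style: `}else{` should be `} else {` to match the rest of the module.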
@@ -46,29 +50,37 @@ class profiles::reposync::webserver ( $ssl_key = $selected_ssl_key $listen_port = $nginx_port $listen_ssl_port = $nginx_ssl_port + $extras_hash = { + 'subscribe' => [File[$ssl_cert], File[$ssl_key]], + } } default: { # enum param prevents this ever being reached } } - class { 'nginx': } - - # create the nginx vhost - nginx::resource::server { $nginx_vhost: - listen_port => $listen_port, - server_name => [$nginx_vhost], - use_default_location => true, - access_log => "/var/log/nginx/${nginx_vhost}_access.log", - error_log => "/var/log/nginx/${nginx_vhost}_error.log", - www_root => $www_root, - autoindex => 'on', - ssl => $enable_ssl, - ssl_cert => $ssl_cert, - ssl_key => $ssl_key, - ssl_port => $listen_ssl_port, + # define the default parameters for the nginx server + $defaults = { + 'listen_port' => $listen_port, + 'server_name' => [$nginx_vhost], + 'use_default_location' => true, + 'access_log' => "/var/log/nginx/${nginx_vhost}_access.log", + 'error_log' => "/var/log/nginx/${nginx_vhost}_error.log", + 'www_root' => $www_root, + 'autoindex' => 'on', + 'ssl' => $enable_ssl, + 'ssl_cert' => $ssl_cert, + 'ssl_key' => $ssl_key, + 'ssl_port' => $listen_ssl_port, } + # merge the hashes conditionally + $nginx_parameters = merge($defaults, $extras_hash) + + # create the nginx vhost with the merged parameters + class { 'nginx': } + create_resources('nginx::resource::server', { $nginx_vhost => $nginx_parameters }) + if $favicon { file { "${www_root}/favicon.ico": ensure => 'file', From 51d0ca16ec5397ad41fa5551e2f4457535f7fe35 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sun, 3 Mar 2024 16:38:03 +1100 Subject: [PATCH 108/229] feat: update yumrepos to use https:// - require vaultca on all repos on repos.main.unkin.net --- hieradata/os/AlmaLinux/all_releases.yaml | 6 +++--- site/profiles/manifests/yum/global.pp | 4 ++++ site/profiles/manifests/yum/mariadb.pp | 3 ++- 3 files changed, 9 insertions(+), 4 deletions(-) 
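Review bot: `merge($defaults, $extras_hash)` followed by `create_resources('nginx::resource::server', { $nginx_vhost => $nginx_parameters })` is the Puppet 3 way of passing a computed attribute hash; the rest of this patch series already uses Puppet 4+ syntax (typed parameters, `.each`), so the splat form is clearer and keeps the resource visible to linters: `nginx::resource::server { $nginx_vhost: * => $defaults + $extras_hash }`. The `'subscribe' => [File[$ssl_cert], File[$ssl_key]]` hash is duplicated verbatim in the `https` and `both` branches of the two preceding webserver.pp hunks; computing it once after the case from `$enable_ssl` removes the copy. The subscribe also depends on `File[$ssl_cert]` and `File[$ssl_key]` being in the catalog, which the vault.pp hunk in this patch only guarantees for paths under its `${base_path}` — hedged, since `$selected_ssl_cert`/`$selected_ssl_key` are set outside these hunks.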
diff --git a/hieradata/os/AlmaLinux/all_releases.yaml b/hieradata/os/AlmaLinux/all_releases.yaml index 9a85522..7e78309 100644 --- a/hieradata/os/AlmaLinux/all_releases.yaml +++ b/hieradata/os/AlmaLinux/all_releases.yaml @@ -1,8 +1,8 @@ # hieradata/os/almalinux/all_releases.yaml --- -profiles::yum::base::baseurl: http://repos.main.unkin.net/almalinux -profiles::yum::epel::baseurl: http://repos.main.unkin.net/epel -profiles::yum::unkin::baseurl: http://repos.main.unkin.net/unkin +profiles::yum::base::baseurl: https://repos.main.unkin.net/almalinux +profiles::yum::epel::baseurl: https://repos.main.unkin.net/epel +profiles::yum::unkin::baseurl: https://repos.main.unkin.net/unkin profiles::firewall::firewalld::ensure_package: 'absent' profiles::firewall::firewalld::ensure_service: 'stopped' profiles::firewall::firewalld::enable_service: false diff --git a/site/profiles/manifests/yum/global.pp b/site/profiles/manifests/yum/global.pp index 796b491..18a0d88 100644 --- a/site/profiles/manifests/yum/global.pp +++ b/site/profiles/manifests/yum/global.pp @@ -75,21 +75,25 @@ class profiles::yum::global ( # Setup base repos class { 'profiles::yum::base': managed_repos => $managed_repos, + require => Class['profiles::pki::vaultca'], } # Setup epel if included in managed_repos class { 'profiles::yum::epel': managed_repos => $managed_repos, + require => Class['profiles::pki::vaultca'], } # Setup puppet7 if included in managed_repos class { 'profiles::yum::puppet7': managed_repos => $managed_repos, + require => Class['profiles::pki::vaultca'], } # Setup unkin repo if included in managed_repos class { 'profiles::yum::unkin': managed_repos => $managed_repos, + require => Class['profiles::pki::vaultca'], } # setup dnf-autoupdate diff --git a/site/profiles/manifests/yum/mariadb.pp b/site/profiles/manifests/yum/mariadb.pp index df3d71e..3c6c4e6 100644 --- a/site/profiles/manifests/yum/mariadb.pp +++ b/site/profiles/manifests/yum/mariadb.pp 
@@ -3,7 +3,7 @@ # This class manages the mariadb yum repository for the system. # class profiles::yum::mariadb ( - String $baseurl = 'http://repos.main.unkin.net', + String $baseurl = 'https://repos.main.unkin.net', String $version = '11.2', Enum[ 'daily', @@ -20,5 +20,6 @@ class profiles::yum::mariadb ( target => '/etc/yum.repos.d/mariadb.repo', baseurl => "${baseurl}/mariadb/${version}/el${release}-${snapshot}/${basearch}/os/", gpgkey => "${baseurl}/mariadb/${version}/el${release}-${snapshot}/${basearch}/os/RPM-GPG-KEY-MariaDB", + require => Class['profiles::pki::vaultca'], } } From 816bec9f1756d9a33dd5f3fafa8b0b3238f5dc9a Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Tue, 5 Mar 2024 22:53:49 +1100 Subject: [PATCH 109/229] feat: add base role for redis --- site/roles/manifests/infra/db/redis.pp | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 site/roles/manifests/infra/db/redis.pp diff --git a/site/roles/manifests/infra/db/redis.pp b/site/roles/manifests/infra/db/redis.pp new file mode 100644 index 0000000..fda1b3a --- /dev/null +++ b/site/roles/manifests/infra/db/redis.pp @@ -0,0 +1,6 @@ + +# a role to deploy a redis node +class roles::infra::db::redis { + include profiles::defaults + include profiles::base +} From 5dff24d9b9f80e12c0d5971f92a6b37cfc73d322 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sun, 10 Mar 2024 15:42:14 +1100 Subject: [PATCH 110/229] feat: merge subnet facts - add fact for environment - define 198.18.18.0/24 subnet --- modules/libs/lib/facter/country.rb | 28 -------------------- modules/libs/lib/facter/region.rb | 28 -------------------- modules/libs/lib/facter/subnet_facts.rb | 34 +++++++++++++++++++++++++ 3 files changed, 34 insertions(+), 56 deletions(-) delete mode 100644 modules/libs/lib/facter/country.rb delete mode 100644 modules/libs/lib/facter/region.rb create mode 100644 modules/libs/lib/facter/subnet_facts.rb 
diff --git a/modules/libs/lib/facter/country.rb b/modules/libs/lib/facter/country.rb deleted file mode 100644 index 52977d6..0000000 --- a/modules/libs/lib/facter/country.rb +++ /dev/null @@ -1,28 +0,0 @@ -# frozen_string_literal: true - -# set country based on the subnet - -Facter.add('country') do - setcode do - # use facts['networking']['ip']to find the promary IP address - ip = Facter.value(:networking)['ip'] - - # subnet to region mapping - subnet_to_country = { - '198.18.17.0/24' => 'au' - } - - require 'ipaddr' - - # Find the region for the IP - country = 'stateless' # default to 'stateless' if no country matches - subnet_to_country.each do |subnet, country_initial| - if IPAddr.new(subnet).include?(IPAddr.new(ip)) - country = country_initial - break - end - end - - country - end -end diff --git a/modules/libs/lib/facter/region.rb b/modules/libs/lib/facter/region.rb deleted file mode 100644 index 248fb12..0000000 --- a/modules/libs/lib/facter/region.rb +++ /dev/null @@ -1,28 +0,0 @@ -# frozen_string_literal: true - -# set region based on the subnet - -Facter.add('region') do - setcode do - # use facts['networking']['ip']to find the promary IP address - ip = Facter.value(:networking)['ip'] - - # subnet to region mapping - subnet_to_region = { - '198.18.17.0/24' => 'drw1' - } - - require 'ipaddr' - - # Find the region for the IP - region = 'lost' # default to 'lost' if no region matches - subnet_to_region.each do |subnet, region_name| - if IPAddr.new(subnet).include?(IPAddr.new(ip)) - region = region_name - break - end - end - - region - end -end diff --git a/modules/libs/lib/facter/subnet_facts.rb b/modules/libs/lib/facter/subnet_facts.rb new file mode 100644 index 0000000..7e26ee9 --- /dev/null +++ b/modules/libs/lib/facter/subnet_facts.rb 
@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+
+require 'ipaddr'
+
+# a class that creates facts based on the subnet
+class SubnetAttributes
+ SUBNET_TO_ATTRIBUTES = {
+ '198.18.17.0/24' => { environment: 'prod', region: 'drw1', country: 'au' },
+ '198.18.18.0/24' => { environment: 'test', region: 'drw1', country: 'au' }
+ }.freeze
+
+ # Default attributes if no subnet matches, also defined as a constant
+ DEFAULT_ATTRIBUTES = { environment: 'unknown', region: 'unknown', country: 'unknown' }.freeze
+
+ # provide ip to return attributes
+ def self.attributes(ip)
+ SUBNET_TO_ATTRIBUTES.each do |subnet, attrs|
+ return attrs if IPAddr.new(subnet).include?(IPAddr.new(ip))
+ end
+
+ DEFAULT_ATTRIBUTES
+ end
+end
+
+# Use the primary IP address from facts
+ip = Facter.value(:networking)['ip']
+
+# Call the class method directly without creating an instance
+subnet_attributes = SubnetAttributes.attributes(ip)
+
+# Add separate facts for environment, region, and country
+Facter.add('environment') { setcode { subnet_attributes[:environment] } }
+Facter.add('region') { setcode { subnet_attributes[:region] } }
+Facter.add('country') { setcode { subnet_attributes[:country] } }
From 428dc910bba9928613e3c64a7d9482d1f1ffe097 Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Sun, 10 Mar 2024 15:48:26 +1100
Subject: [PATCH 111/229] feat: add country/region/environment to motd
---
 site/profiles/manifests/base/motd.pp | 2 ++
 site/profiles/templates/base/motd/motd.erb | 4 +++-
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/site/profiles/manifests/base/motd.pp b/site/profiles/manifests/base/motd.pp
index e1dd5ca..4799976 100644
--- a/site/profiles/manifests/base/motd.pp
+++ b/site/profiles/manifests/base/motd.pp
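Review bot: `ip = Facter.value(:networking)['ip']` runs when Facter loads the file rather than inside `setcode`, so on a host where the `networking` fact resolves to nil this raises `NoMethodError` during load and all three facts vanish together, and `IPAddr.new(ip)` raises `IPAddr::InvalidAddressError` for any value that is not an address. Moving the lookup into `setcode`, falling back to `DEFAULT_ATTRIBUTES` on a missing or unparseable address, and folding the three near-identical `Facter.add` calls into one loop keeps the facts lazy and robust; the rewrite is below. These values are computed on the agent and can be set to anything by whoever controls the node, so they are fine for display and grouping but should not be what decides prod-versus-test trust on the server side; trusted facts such as the certname are the server-anchored alternative, and a comment saying so above the class would prevent later misuse. A custom fact named `environment` also sits next to Puppet's own `$environment` top-scope variable, which is easy to confuse in manifests; a name like `site_environment` avoids that.
```ruby
class SubnetAttributes
  # … unchanged: SUBNET_TO_ATTRIBUTES, DEFAULT_ATTRIBUTES, self.attributes …

  # Attribute for the primary IP; DEFAULT_ATTRIBUTES when the networking
  # fact is missing or the address does not parse.
  def self.fact_value(key)
    ip = Facter.value(:networking)&.dig('ip')
    return DEFAULT_ATTRIBUTES[key] unless ip

    attributes(ip)[key]
  rescue IPAddr::InvalidAddressError
    DEFAULT_ATTRIBUTES[key]
  end
end

# Resolved lazily inside setcode so a host without a networking fact still loads this file.
%i[environment region country].each do |key|
  Facter.add(key.to_s) { setcode { SubnetAttributes.fact_value(key) } }
end
```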
@@ -7,6 +7,8 @@ class profiles::base::motd ( String $nic = $facts['networking']['primary'], String $os_name = $facts['os']['name'], String $os_release = $facts['os']['release']['full'], + String $location = "${facts['country']}-${facts['region']}", + String $env = $facts['environment'], ) { # Use the regsubst function to remove the 'roles::' prefix from the role name diff --git a/site/profiles/templates/base/motd/motd.erb b/site/profiles/templates/base/motd/motd.erb index 7ca06df..6e2f7df 100644 --- a/site/profiles/templates/base/motd/motd.erb +++ b/site/profiles/templates/base/motd/motd.erb @@ -1,6 +1,6 @@ <% # calculate padding for the longest word -max_length = ['fqdn:', 'os:', 'role:', 'branch:', 'addr:', 'nic:'].max_by(&:length).length +max_length = ['fqdn:', 'os:', 'role:', 'branch:', 'addr:', 'nic:', 'location:', 'env:'].max_by(&:length).length # helper lambda to right-align text align = ->(word) { word.ljust(max_length) } %> @@ -10,4 +10,6 @@ align = ->(word) { word.ljust(max_length) } <%= align.call('branch:') %> <%= @enc_env %> <%= align.call('addr:') %> <%= @addr %> <%= align.call('nic:') %> <%= @nic %> +<%= align.call('location:') %> <%= @location %> +<%= align.call('env:') %> <%= @env %> From bca5d3279328112849797fe425e0f1766f795b4e Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sun, 10 Mar 2024 16:18:03 +1100 Subject: [PATCH 112/229] fix: updated gpg key for psql repos --- hieradata/roles/infra/reposync/syncer.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/hieradata/roles/infra/reposync/syncer.yaml b/hieradata/roles/infra/reposync/syncer.yaml index bbf8213..39991b8 100644 --- a/hieradata/roles/infra/reposync/syncer.yaml +++ b/hieradata/roles/infra/reposync/syncer.yaml 
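Review bot: `String $env = $facts['environment']` (and the `$location` default built from `$facts['country']`/`$facts['region']`) fails catalog compilation with a type mismatch on any node where these custom facts are absent — the `libs` module not yet synced, or Facter failing to load subnet_facts.rb — because an undef default does not satisfy `String`, and a cosmetic motd should not be able to break a run. `String $env = pick($facts['environment'], 'unknown'),` (stdlib is already in use for the `Stdlib::*` types elsewhere) or `Optional[String] $env = $facts['environment'],` keeps it tolerant. The class's parameter list starts outside the hunk.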
@@ -70,11 +70,11 @@ profiles::reposync::repos_list: osname: 'postgresql' release: 'rhel8' baseurl: 'https://download.postgresql.org/pub/repos/yum/common/redhat/rhel-8-x86_64/' - gpgkey: 'https://download.postgresql.org/pub/repos/yum/RPM-GPG-KEY-PGDG' + gpgkey: 'https://download.postgresql.org/pub/repos/yum/keys/PGDG-RPM-GPG-KEY-RHEL' postgresql_rhel8_16: repository: '16' description: 'PostgreSQL 16 RHEL 8' osname: 'postgresql' release: 'rhel8' baseurl: 'https://download.postgresql.org/pub/repos/yum/16/redhat/rhel-8-x86_64/' - gpgkey: 'https://download.postgresql.org/pub/repos/yum/RPM-GPG-KEY-PGDG' + gpgkey: 'https://download.postgresql.org/pub/repos/yum/keys/PGDG-RPM-GPG-KEY-RHEL' From 15e4e1109795a6cbe0255bbaa9200432a9f6cb6b Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sun, 10 Mar 2024 19:01:14 +1100 Subject: [PATCH 113/229] feat: require vaultca for all yumrepos --- site/profiles/manifests/base.pp | 5 ++++- site/profiles/manifests/defaults.pp | 4 ++++ 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/site/profiles/manifests/base.pp b/site/profiles/manifests/base.pp index d098b7b..647b5ea 100644 --- a/site/profiles/manifests/base.pp +++ b/site/profiles/manifests/base.pp @@ -3,6 +3,10 @@ class profiles::base ( Array $puppet_servers, ) { + # install the vault ca first + include profiles::pki::vaultca + + # manage package repositories case $facts['os']['family'] { 'RedHat': { include profiles::yum::global @@ -34,7 +38,6 @@ class profiles::base ( include profiles::ntp::client include profiles::dns::base include profiles::pki::vault - include profiles::pki::vaultca include profiles::cloudinit::init include profiles::metrics::default include profiles::helpers::node_lookup diff --git a/site/profiles/manifests/defaults.pp b/site/profiles/manifests/defaults.pp index 5c72fb6..1db27c8 100644 --- a/site/profiles/manifests/defaults.pp +++ b/site/profiles/manifests/defaults.pp 
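Review bot: The comment `# install the vault ca first` over the moved `include profiles::pki::vaultca` in the `@@ -3,6 +3,10 @@` hunk of base.pp promises an ordering that `include` does not provide: includes are evaluated in declaration order, but resources are applied by their relationships, so the actual ordering comes from the `require => Class['profiles::pki::vaultca']` metaparameters added in the earlier patches, not from the position of this line. Reword it to `# the vault CA must be in the catalog: the yum profiles require Class['profiles::pki::vaultca']`, or, if a hard ordering is really wanted, add `Class['profiles::pki::vaultca'] -> Class['profiles::yum::global']` after the includes.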
@@ -27,4 +27,8 @@ class profiles::defaults { ensure => present, shell => '/bin/bash', } + + Yumrepo { + require => Class['profiles::pki::vaultca'], + } } From 3587ea22957a3a8113a70256bfa1c1994d8d54f4 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Wed, 13 Mar 2024 22:31:03 +1100 Subject: [PATCH 114/229] feat: add ovirt base roles --- site/roles/manifests/infra/ovirt/engine.pp | 5 +++++ site/roles/manifests/infra/ovirt/node.pp | 5 +++++ 2 files changed, 10 insertions(+) create mode 100644 site/roles/manifests/infra/ovirt/engine.pp create mode 100644 site/roles/manifests/infra/ovirt/node.pp diff --git a/site/roles/manifests/infra/ovirt/engine.pp b/site/roles/manifests/infra/ovirt/engine.pp new file mode 100644 index 0000000..f437516 --- /dev/null +++ b/site/roles/manifests/infra/ovirt/engine.pp @@ -0,0 +1,5 @@ +# role to manage ovirt management engine nodes +class roles::infra::ovirt::engine { + include profiles::defaults + include profiles::base +} diff --git a/site/roles/manifests/infra/ovirt/node.pp b/site/roles/manifests/infra/ovirt/node.pp new file mode 100644 index 0000000..0ecdc23 --- /dev/null +++ b/site/roles/manifests/infra/ovirt/node.pp @@ -0,0 +1,5 @@ +# role to manage ovirt hypervisor nodes +class roles::infra::ovirt::node { + include profiles::defaults + include profiles::base +} From 8f5e9e40a13686abf64209f9ee45e3d9c86ab6cf Mon Sep 17 00:00:00 2001 
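Review bot: The `Yumrepo { require => Class['profiles::pki::vaultca'] }` resource default declared inside `profiles::defaults` most likely never reaches the yumrepo resources it is meant for: resource defaults are dynamically scoped, applying to resources declared in this class and in classes this class is the first to declare, while the yumrepos live in `profiles::yum::*`, which the roles bring in through `profiles::base` as a sibling `include` (as far as is visible in this series). Unless `profiles::defaults` itself declares `profiles::base` outside this hunk, the explicit `require` metaparameters from patches 108 and 113 are doing all the work; either move the default to `site.pp` (top scope, where it applies globally) or drop it. A comment stating the intended scope, e.g. `# top-scope-style default; only effective for classes first declared from here`, would save the next reader the same investigation.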
From: Ben Vincent Date: Mon, 11 Mar 2024 18:51:14 +1100 Subject: [PATCH 115/229] feat: add ovirt roles - add repositories for ovirt - add role/profile for ovirt/engine and ovirt/node - add deep-merge for managed_repos - change repos to allow filesource (URL or file://) - change reposync to use curl instead of wget --- hieradata/common.yaml | 3 + hieradata/os/AlmaLinux/all_releases.yaml | 1 + hieradata/roles/infra/ovirt/engine.yaml | 10 ++++ hieradata/roles/infra/ovirt/node.yaml | 17 ++++++ hieradata/roles/infra/reposync/syncer.yaml | 56 +++++++++++++++++++ site/profiles/manifests/ovirt/node.pp | 20 +++++++ site/profiles/manifests/reposync/repos.pp | 2 +- site/profiles/manifests/yum/global.pp | 6 ++ site/profiles/manifests/yum/ovirt.pp | 48 ++++++++++++++++ .../templates/reposync/autosyncer.erb | 2 +- site/roles/manifests/infra/ovirt/node.pp | 1 + 11 files changed, 164 insertions(+), 2 deletions(-) create mode 100644 hieradata/roles/infra/ovirt/engine.yaml create mode 100644 hieradata/roles/infra/ovirt/node.yaml create mode 100644 site/profiles/manifests/ovirt/node.pp create mode 100644 site/profiles/manifests/yum/ovirt.pp diff --git a/hieradata/common.yaml b/hieradata/common.yaml index e8395ca..f2785d0 100644 --- a/hieradata/common.yaml +++ b/hieradata/common.yaml @@ -18,6 +18,9 @@ lookup_options: profiles::pki::vault::ip_sans: merge: strategy: deep + profiles::yum::managed_repos: + merge: + strategy: deep facts_path: '/opt/puppetlabs/facter/facts.d' diff --git a/hieradata/os/AlmaLinux/all_releases.yaml b/hieradata/os/AlmaLinux/all_releases.yaml index 7e78309..e883c29 100644 --- a/hieradata/os/AlmaLinux/all_releases.yaml +++ b/hieradata/os/AlmaLinux/all_releases.yaml 
@@ -3,6 +3,7 @@ profiles::yum::base::baseurl: https://repos.main.unkin.net/almalinux profiles::yum::epel::baseurl: https://repos.main.unkin.net/epel profiles::yum::unkin::baseurl: https://repos.main.unkin.net/unkin +profiles::yum::ovirt::baseurl: https://repos.main.unkin.net/centos profiles::firewall::firewalld::ensure_package: 'absent' profiles::firewall::firewalld::ensure_service: 'stopped' profiles::firewall::firewalld::enable_service: false diff --git a/hieradata/roles/infra/ovirt/engine.yaml b/hieradata/roles/infra/ovirt/engine.yaml new file mode 100644 index 0000000..94fcdbd --- /dev/null +++ b/hieradata/roles/infra/ovirt/engine.yaml @@ -0,0 +1,10 @@ +--- +profiles::yum::managed_repos: + - 'virt-advanced-virtualization' + - 'storage-ceph-pacific' + - 'cloud-openstack-xena' + - 'messaging-rabbitmq-38' + - 'nfv-openvswitch-2' + - 'opstools-collectd-5' + - 'storage-gluster-10' + - 'virt-ovirt-45' diff --git a/hieradata/roles/infra/ovirt/node.yaml b/hieradata/roles/infra/ovirt/node.yaml new file mode 100644 index 0000000..e02910a --- /dev/null +++ b/hieradata/roles/infra/ovirt/node.yaml @@ -0,0 +1,17 @@ +--- +profiles::firewall::firewalld::ensure_package: 'installed' +profiles::firewall::firewalld::ensure_service: 'running' +profiles::yum::managed_repos: + - 'virt-advanced-virtualization' + - 'storage-ceph-pacific' + - 'cloud-openstack-xena' + - 'messaging-rabbitmq-38' + - 'nfv-openvswitch-2' + - 'opstools-collectd-5' + - 'storage-gluster-10' + - 'virt-ovirt-45' + +sudo::purge_ignore: + - '50_vdsm' + - '50_vdsm_hook_ovirt_provider_ovn_hook' + - '60_ovirt-ha' diff --git a/hieradata/roles/infra/reposync/syncer.yaml b/hieradata/roles/infra/reposync/syncer.yaml index 39991b8..7455441 100644 --- a/hieradata/roles/infra/reposync/syncer.yaml +++ b/hieradata/roles/infra/reposync/syncer.yaml 
@@ -43,6 +43,62 @@ profiles::reposync::repos_list: release: '8.9' mirrorlist: https://mirrors.almalinux.org/mirrorlist/8.9/extras gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux' + centos_8_advanced_virtualization: + repository: 'virt-advanced-virtualization' + description: 'CentOS Advanced Virtualization' + osname: 'centos' + release: '8' # Assumed static value for demonstration + mirrorlist: 'http://mirrorlist.centos.org/?release=8&arch=x86_64&repo=virt-advanced-virtualization' # Assuming 'stream' and 'x86_64' + gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Virtualization' + centos_8_ceph_pacific: + repository: 'storage-ceph-pacific' + description: 'CentOS Ceph Pacific' + osname: 'centos' + release: '8' # Assumed static value for demonstration + mirrorlist: 'http://mirrorlist.centos.org/?release=8&arch=x86_64&repo=storage-ceph-pacific' # Assuming '8' and 'x86_64' + gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Storage' + centos_8_rabbitmq_38: + repository: 'messaging-rabbitmq-38' + description: 'CentOS RabbitMQ 38' + osname: 'centos' + release: '8-stream' # Specified based on the repository name + mirrorlist: 'http://mirrorlist.centos.org/?release=8-stream&arch=x86_64&repo=messaging-rabbitmq-38' # Assuming '8' and 'x86_64' + gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Messaging' + centos_8_nfv_openvswitch: + repository: 'nfv-openvswitch-2' + description: 'CentOS NFV OpenvSwitch' + osname: 'centos' + release: '8-stream' # Assumed static value for demonstration + mirrorlist: 'http://mirrorlist.centos.org/?release=8-stream&arch=x86_64&repo=nfv-openvswitch-2' # Assuming 'stream' and 'x86_64' + gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-NFV' + centos_8_openstack_xena: + repository: 'cloud-openstack-xena' + description: 'CentOS OpenStack Xena' + osname: 'centos' + release: '8-stream' # Directly taken from the provided mirrorlist + mirrorlist: 
'http://mirrorlist.centos.org/?release=8-stream&arch=x86_64&repo=cloud-openstack-xena' # Assuming 'x86_64' + gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Cloud' + centos_8_opstools: + repository: 'opstools-collectd-5' + description: 'CentOS OpsTools - collectd' + osname: 'centos' + release: '8-stream' # Assumed static value for demonstration + mirrorlist: 'http://mirrorlist.centos.org/?arch=x86_64&release=8-stream&repo=opstools-collectd-5' # Assuming 'stream' and 'x86_64' + gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-OpsTools' + centos_8_ovirt45: + repository: 'virt-ovirt-45' + description: 'CentOS oVirt 4.5' + osname: 'centos' + release: '8-stream' # Assumed static value for demonstration + mirrorlist: 'http://mirrorlist.centos.org/?release=8-stream&arch=x86_64&repo=virt-ovirt-45' # Assuming 'stream' and 'x86_64' + gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Virtualization' + centos_8_stream_gluster10: + repository: 'storage-gluster-10' + description: 'CentOS oVirt 4.5 - Glusterfs 10' + osname: 'centos' + release: '8-stream' # Assumed static value for demonstration + mirrorlist: 'http://mirrorlist.centos.org/?release=8-stream&arch=x86_64&repo=storage-gluster-10' # Assuming 'stream' and 'x86_64' + gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Storage' epel_8_everything: repository: 'Everything' description: 'EPEL 8 Everything' diff --git a/site/profiles/manifests/ovirt/node.pp b/site/profiles/manifests/ovirt/node.pp new file mode 100644 index 0000000..9979c95 --- /dev/null +++ b/site/profiles/manifests/ovirt/node.pp 
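Review bot: All eight new `mirrorlist:` entries use plain `http://mirrorlist.centos.org/...` while the `gpgkey:` values in the same entries are https; the mirror list decides where packages are fetched from, so a tampered response can steer the sync to an attacker-chosen mirror, and only the consuming side's GPG check would catch that — which `profiles::yum::ovirt` in this same patch disables. Prefer `https://mirrorlist.centos.org/...` where the service offers it. The trailing `# Assumed static value for demonstration` / `# Assuming 'stream' and 'x86_64'` comments read as placeholder notes rather than documentation and should be replaced with the actual reason a release or arch was chosen, or removed. Hedged: the two `release: '8'` (non-stream) entries target CentOS Linux 8, which reached end of life in December 2021 and whose content moved to vault.centos.org, so those mirror lists may already return nothing.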
@@ -0,0 +1,20 @@ +# profiles::ovirt::node +class profiles::ovirt::node { + # Define the DNF modules to be enabled + $dnf_modules_to_enable = { + 'javapackages-tools' => { 'ensure' => 'latest' }, + 'pki-deps' => { 'ensure' => 'latest' }, + 'postgresql' => { 'ensure' => '12' }, + 'mod_auth_openidc' => { 'ensure' => '2.3' }, + 'nodejs' => { 'ensure' => '14' }, + } + + # Enable the DNF modules + create_resources( + 'package', + $dnf_modules_to_enable, { + provider => dnfmodule, + enable_only => true + } + ) +} diff --git a/site/profiles/manifests/reposync/repos.pp b/site/profiles/manifests/reposync/repos.pp index 046e404..0be17f7 100644 --- a/site/profiles/manifests/reposync/repos.pp +++ b/site/profiles/manifests/reposync/repos.pp @@ -4,7 +4,7 @@ define profiles::reposync::repos ( String $description, String $osname, String $release, - Stdlib::HTTPUrl $gpgkey, + Stdlib::Filesource $gpgkey, String $arch = 'x86_64', String $repo_owner = 'root', String $repo_group = 'root', diff --git a/site/profiles/manifests/yum/global.pp b/site/profiles/manifests/yum/global.pp index 18a0d88..755bd31 100644 --- a/site/profiles/manifests/yum/global.pp +++ b/site/profiles/manifests/yum/global.pp @@ -96,6 +96,12 @@ class profiles::yum::global ( require => Class['profiles::pki::vaultca'], } + # Setup ovirt repo if included in managed_repos + class { 'profiles::yum::ovirt': + managed_repos => $managed_repos, + require => Class['profiles::pki::vaultca'], + } + # setup dnf-autoupdate include profiles::yum::autoupdater diff --git a/site/profiles/manifests/yum/ovirt.pp b/site/profiles/manifests/yum/ovirt.pp new file mode 100644 index 0000000..d04b145 --- /dev/null +++ b/site/profiles/manifests/yum/ovirt.pp 
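Review bot: The header `# profiles::ovirt::node` only repeats the class name; a line such as `# Enables the DNF module streams the oVirt node packages need (presumably — confirm against the oVirt 4.5 install docs)` tells the reader why these five streams are pinned. `create_resources('package', ..., { provider => dnfmodule, enable_only => true })` with a bareword provider works but hides the resource from linters; the Puppet 4+ form is `$dnf_modules_to_enable.each |$name, $attrs| { package { $name: provider => 'dnfmodule', enable_only => true, * => $attrs } }`. The mix of `'latest'` and fixed stream versions (`'12'`, `'2.3'`, `'14'`) is worth a comment per entry, since a `latest` stream can flip on an OS update while the pinned ones cannot.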
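Review bot: Widening `$gpgkey` from `Stdlib::HTTPUrl` to `Stdlib::Filesource` admits `puppet:///` URLs and bare absolute paths as well as `file://`, but the value ends up in `download_gpg_key`, which hands it to curl (see the autosyncer.erb hunk in this patch); curl understands http(s) and `file://` but not `puppet:///`, and a bare path is not a URL, so such values would fail only at sync time. If the intent is http(s)-or-file, `Variant[Stdlib::HTTPUrl, Pattern[/\Afile:\/\//]] $gpgkey,` documents and enforces it; at minimum a comment on the parameter, `# http(s):// or file:// — fetched with curl by autosyncer.erb`. The define's header starts outside the hunk.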
@@ -0,0 +1,48 @@ +# Class: profiles::yum::ovirt +class profiles::yum::ovirt ( + Array[String] $managed_repos, + String $baseurl, + Enum[ + 'daily', + 'weekly', + 'monthly' + ] $snapshot = 'daily', +) { + $release = $facts['os']['release']['major'] + $basearch = $facts['os']['architecture'] + + $centos_nonstream = [ + 'virt-advanced-virtualization', + 'storage-ceph-pacific' + ] + $centos_stream = [ + 'cloud-openstack-xena', + 'messaging-rabbitmq-38', + 'nfv-openvswitch-2', + 'opstools-collectd-5', + 'storage-gluster-10', + 'virt-ovirt-45' + ] + $centos_nonstream.each |$name| { + if $name in $managed_repos { + yumrepo { $name: + name => $name, + descr => $name, + target => '/etc/yum.repos.d/ovirt.repo', + baseurl => "${baseurl}/${release}/${name}-20240311/${basearch}/os/", + gpgcheck => false, + } + } + } + $centos_stream.each |$name| { + if $name in $managed_repos { + yumrepo { $name: + name => $name, + descr => $name, + target => '/etc/yum.repos.d/ovirt.repo', + baseurl => "${baseurl}/${release}-stream/${name}-20240311/${basearch}/os/", + gpgcheck => false, + } + } + } +} diff --git a/site/profiles/templates/reposync/autosyncer.erb b/site/profiles/templates/reposync/autosyncer.erb index 4f48e58..0cc2551 100644 --- a/site/profiles/templates/reposync/autosyncer.erb +++ b/site/profiles/templates/reposync/autosyncer.erb @@ -26,7 +26,7 @@ download_gpg_key() { local filename=$(basename "$gpgkeyurl") # Download GPG key to the specified path with the filename from the URL - wget -q -O "${basepath}/live/${reponame}/$(unknown)" "$gpgkeyurl" || { + curl -s --create-dirs -o "${basepath}/live/${reponame}/$(unknown)" "$gpgkeyurl" || { echo "Failed to download GPG key from $gpgkeyurl" } } diff --git a/site/roles/manifests/infra/ovirt/node.pp b/site/roles/manifests/infra/ovirt/node.pp index 0ecdc23..5182092 100644 --- a/site/roles/manifests/infra/ovirt/node.pp +++ b/site/roles/manifests/infra/ovirt/node.pp 
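Review bot: Both yumrepo loops set `gpgcheck => false`, so packages from the internal mirror are installed without signature verification even though the syncer in this same patch downloads each repo's GPG key; https only authenticates the mirror host, not the packages, so a compromised or mis-synced mirror would be trusted wholesale. Point `gpgkey` at the synced key and turn the check on, e.g. `gpgcheck => true,` with `gpgkey => "${baseurl}/<PATH-WHERE-download_gpg_key-STORES-IT>/RPM-GPG-KEY-CentOS-SIG-<NAME>",` — the exact path comes from the syncer template, outside this hunk. The `$snapshot` parameter is declared with a daily/weekly/monthly enum but never used; both baseurls hard-code `-20240311`, silently pinning every node to that day's snapshot, so either build the path from `$snapshot` as `profiles::yum::mariadb` does (`el${release}-${snapshot}`) or drop the parameter. The two loops differ only in the `-stream` suffix and could be one loop over a `name => suffix` hash, and the class comment `# Class: profiles::yum::ovirt` should say what the class manages.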
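Review bot: Replacing `wget -q -O` with `curl -s --create-dirs -o` changes the failure semantics: curl exits 0 on an HTTP 404 or 403 and writes the error page into the key file, so the `|| { echo "Failed to download GPG key ..." }` branch no longer fires for a missing key and a bogus `RPM-GPG-KEY-*` file lands in the live repo, whereas wget returned non-zero on HTTP errors. Add `--fail` and keep stderr visible: `curl -sS --fail -L --create-dirs -o "${basepath}/live/${reponame}/${filename}" "$gpgkeyurl" || {`. The `$(unknown)` in the output path looks like an extraction artefact for `${filename}`, which the line above computes; worth confirming the template really uses it. `download_gpg_key` starts outside the hunk.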
@@ -2,4 +2,5 @@ class roles::infra::ovirt::node { include profiles::defaults include profiles::base + include profiles::ovirt::node } From fe4af852b630a8e189940d3ad24107d4da0b2046 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sun, 17 Mar 2024 17:52:34 +1100 Subject: [PATCH 116/229] feat: cobbler setup - add cobbler profile - add dhcp server profile --- site/roles/manifests/infra/cobbler/server.pp | 5 +++++ site/roles/manifests/infra/dhcp/server.pp | 5 +++++ 2 files changed, 10 insertions(+) create mode 100644 site/roles/manifests/infra/cobbler/server.pp create mode 100644 site/roles/manifests/infra/dhcp/server.pp diff --git a/site/roles/manifests/infra/cobbler/server.pp b/site/roles/manifests/infra/cobbler/server.pp new file mode 100644 index 0000000..438547e --- /dev/null +++ b/site/roles/manifests/infra/cobbler/server.pp @@ -0,0 +1,5 @@ +# cobbler server profile +class roles::infra::cobbler::server { + include profiles::defaults + include profiles::base +} diff --git a/site/roles/manifests/infra/dhcp/server.pp b/site/roles/manifests/infra/dhcp/server.pp new file mode 100644 index 0000000..f7dd3e8 --- /dev/null +++ b/site/roles/manifests/infra/dhcp/server.pp @@ -0,0 +1,5 @@ +# dhcp server profile +class roles::infra::dhcp::server { + include profiles::defaults + include profiles::base +} From f2cdcb8c8e96cd3119689bc3c653148a030cdd03 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Thu, 21 Mar 2024 22:00:24 +1100 Subject: [PATCH 117/229] feat: add sydney subnets --- hieradata/roles/infra/dns/resolver.yaml | 3 +++ modules/libs/lib/facter/subnet_facts.rb | 2 ++ 2 files changed, 5 insertions(+) diff --git a/hieradata/roles/infra/dns/resolver.yaml b/hieradata/roles/infra/dns/resolver.yaml index 2e80a11..b949c1a 100644 --- a/hieradata/roles/infra/dns/resolver.yaml +++ b/hieradata/roles/infra/dns/resolver.yaml 
@@ -2,6 +2,9 @@ profiles::dns::resolver::acls: acl-main.unkin.net: addresses: + - 198.18.21.160/27 + - 198.18.15.0/24 + - 198.18.16.0/24 - 198.18.17.0/24 profiles::dns::resolver::zones: diff --git a/modules/libs/lib/facter/subnet_facts.rb b/modules/libs/lib/facter/subnet_facts.rb index 7e26ee9..bbe7125 100644 --- a/modules/libs/lib/facter/subnet_facts.rb +++ b/modules/libs/lib/facter/subnet_facts.rb @@ -5,6 +5,8 @@ require 'ipaddr' # a class that creates facts based on the subnet class SubnetAttributes SUBNET_TO_ATTRIBUTES = { + '198.18.15.0/24' => { environment: 'prod', region: 'syd1', country: 'au' }, + '198.18.16.0/24' => { environment: 'test', region: 'syd1', country: 'au' }, '198.18.17.0/24' => { environment: 'prod', region: 'drw1', country: 'au' }, '198.18.18.0/24' => { environment: 'test', region: 'drw1', country: 'au' } }.freeze From 748a0e86324f98f21b4c4f6f2d51f6eb28e52257 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Thu, 28 Mar 2024 20:08:00 +1100 Subject: [PATCH 118/229] feat: enable sydney subnets --- hieradata/roles/infra/dns/master.yaml | 14 ++++++++++++++ hieradata/roles/infra/ntp/server.yaml | 2 ++ hieradata/roles/infra/puppet/master.yaml | 2 ++ 3 files changed, 18 insertions(+) diff --git a/hieradata/roles/infra/dns/master.yaml b/hieradata/roles/infra/dns/master.yaml index 4f0dcbc..ef7d4c4 100644 --- a/hieradata/roles/infra/dns/master.yaml +++ b/hieradata/roles/infra/dns/master.yaml @@ -21,6 +21,18 @@ profiles::dns::master::zones: dynamic: false ns_notify: true source: '/var/named/sources/17.18.198.in-addr.arpa.conf' + 16.18.198.in-addr.arpa: + domain: '16.18.198.in-addr.arpa' + zone_type: 'master' + dynamic: false + ns_notify: true + source: '/var/named/sources/16.18.198.in-addr.arpa.conf' + 15.18.198.in-addr.arpa: + domain: '15.18.198.in-addr.arpa' + zone_type: 'master' + dynamic: false + ns_notify: true + source: '/var/named/sources/15.18.198.in-addr.arpa.conf' profiles::dns::master::views: master-zones: 
@@ -28,6 +40,8 @@ profiles::dns::master::views: zones: - main.unkin.net - 17.18.198.in-addr.arpa + - 16.18.198.in-addr.arpa + - 15.18.198.in-addr.arpa match_clients: - acl-main.unkin.net diff --git a/hieradata/roles/infra/ntp/server.yaml b/hieradata/roles/infra/ntp/server.yaml index e618573..fddfc78 100644 --- a/hieradata/roles/infra/ntp/server.yaml +++ b/hieradata/roles/infra/ntp/server.yaml @@ -1,6 +1,8 @@ --- profiles::ntp::client::client_only: false profiles::ntp::server::allowquery: + - '198.18.15.0/24' + - '198.18.16.0/24' - '198.18.17.0/24' profiles::ntp::server::peers: diff --git a/hieradata/roles/infra/puppet/master.yaml b/hieradata/roles/infra/puppet/master.yaml index 86dcbec..f475770 100644 --- a/hieradata/roles/infra/puppet/master.yaml +++ b/hieradata/roles/infra/puppet/master.yaml @@ -1,5 +1,7 @@ --- profiles::puppet::autosign::subnet_ranges: + - '198.18.15.0/24' + - '198.18.16.0/24' - '198.18.17.0/24' profiles::puppet::autosign::domains: From 0383db2b1024b4e9dc2379738d965be7d38c142c Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Thu, 28 Mar 2024 20:33:18 +1100 Subject: [PATCH 119/229] feat: set sysadmin password --- hieradata/common.eyaml | 2 ++ site/profiles/manifests/accounts/sysadmin.pp | 16 ++++++++-------- 2 files changed, 10 insertions(+), 8 deletions(-) create mode 100644 hieradata/common.eyaml diff --git a/hieradata/common.eyaml b/hieradata/common.eyaml new file mode 100644 index 0000000..d6fee43 --- /dev/null +++ b/hieradata/common.eyaml 
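Review bot: The two subnets added to `profiles::puppet::autosign::subnet_ranges` extend certificate autosigning to every host that can obtain an address in 198.18.15.0/24 or 198.18.16.0/24, and the `subnet_facts.rb` hunk in the previous patch labels 198.18.16.0/24 as the `test` environment, so a test-network host is signed with the same automatic trust as production. Subnet-based entries in `autosign.conf` key on the requester's source address, which is a weaker identity than a policy-based autosign script or pre-shared CSR attributes. If bootstrapping lab hosts quickly is the intent, a hieradata comment such as `# 198.18.16.0/24 (syd1 test) autosigned deliberately: <reason>` keeps the next reader from treating it as an oversight; otherwise narrow the test entry to the range that freshly provisioned hosts actually land in.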
@@ -0,0 +1,2 @@ +--- +profiles::accounts::sysadmin::password: ENC[PKCS7,MIIBqQYJKoZIhvcNAQcDoIIBmjCCAZYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAoS7GyofFaXBNTWU+GtSiz4eCX/9j/sh3fDDRgOgNv1qpcQ87ZlTTenbHo9lxeURxKQ2HVVt7IsrBo/SC/WgipAKnliRkkIvo7nfAs+i+kEE8wakjAs0DcB4mhqtIZRuBkLG2Nay//DcG6cltVkbKEEKmKLMkDFZgTWreOZal8nDljpVe1S8QwtwP4/6hKTef5xsOnrisxuffWTXvwYJhj/VXrjdoH7EhtHGLybzEalglkVHEGft/WrrD/0bwJpmR0RegWI4HTsSvGiHgvf5DZJx8fXPZNPnicGtlfA9ccQPuVo17bY4Qf/WIc1A8Ssv4kHSbNIYJKRymI3UFb0Z4wzBsBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBBxDLb6pCGbittkcX6asd/gEBmMcUNupDjSECq5H09YA70eVwWWe0fBqxTxrr2cXCXtRKFvOk8SJmL0xHAWodaLN9+krTWHJcWbAK8JXEPC7rn] diff --git a/site/profiles/manifests/accounts/sysadmin.pp b/site/profiles/manifests/accounts/sysadmin.pp index 81bde92..0c21bf7 100644 --- a/site/profiles/manifests/accounts/sysadmin.pp +++ b/site/profiles/manifests/accounts/sysadmin.pp @@ -1,15 +1,15 @@ # create the sysadmin user class profiles::accounts::sysadmin( + String $password, Array[String] $sshkeys = [], ){ profiles::base::account {'sysadmin': - username => 'sysadmin', - uid => 1000, - gid => 1000, - groups => ['wheel'], - sshkeys => $sshkeys, - sudo_rules => ['sysadmin ALL=(ALL) NOPASSWD:ALL'], - password => '', - ignore_pass => true, + username => 'sysadmin', + uid => 1000, + gid => 1000, + groups => ['adm', 'wheel', 'systemd-journal'], + sshkeys => $sshkeys, + sudo_rules => ['sysadmin ALL=(ALL) NOPASSWD:ALL'], + password => $password, } } From e02921be75d7764e2ececa26e8c764c7d75de6fa Mon Sep 17 00:00:00 2001 
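Review bot: `String $password` carries the sysadmin password hash into the catalog, reports and `--debug` output in clear text; declare it as `Sensitive[String] $password,` so Puppet redacts it, provided the `profiles::base::account` defined type (outside this hunk) accepts a `Sensitive` value for its `password` parameter — if it does not, unwrap at that boundary rather than here. The companion eyaml hunk encrypts the value at rest, which protects only the hieradata file; redaction in transit and in logs needs the `Sensitive` type. Removing `ignore_pass => true` presumably makes the account type enforce the hash on every run, which looks intended, but since the retained sudo rule still grants `NOPASSWD:ALL` the password mainly gates console and non-key logins — worth stating in the class comment so nobody relies on it for more.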
From: Ben Vincent Date: Thu, 28 Mar 2024 21:13:23 +1100 Subject: [PATCH 120/229] feat: deep merge yum repos to manage - fixed merging of yum repos - changed puppet7 to use local copy of repo --- hieradata/common.yaml | 2 +- hieradata/os/AlmaLinux/AlmaLinux8.yaml | 2 +- hieradata/os/AlmaLinux/AlmaLinux9.yaml | 2 +- hieradata/roles/infra/ovirt/engine.yaml | 2 +- hieradata/roles/infra/ovirt/node.yaml | 2 +- hieradata/roles/infra/reposync/syncer.yaml | 2 +- site/profiles/manifests/puppet/agent.pp | 3 ++- site/profiles/manifests/yum/global.pp | 2 +- site/profiles/manifests/yum/puppet7.pp | 18 ++++-------------- 9 files changed, 13 insertions(+), 22 deletions(-) diff --git a/hieradata/common.yaml b/hieradata/common.yaml index f2785d0..b2ad056 100644 --- a/hieradata/common.yaml +++ b/hieradata/common.yaml @@ -18,7 +18,7 @@ lookup_options: profiles::pki::vault::ip_sans: merge: strategy: deep - profiles::yum::managed_repos: + profiles::yum::global::managed_repos: merge: strategy: deep diff --git a/hieradata/os/AlmaLinux/AlmaLinux8.yaml b/hieradata/os/AlmaLinux/AlmaLinux8.yaml index 75984dc..e0b4a27 100644 --- a/hieradata/os/AlmaLinux/AlmaLinux8.yaml +++ b/hieradata/os/AlmaLinux/AlmaLinux8.yaml @@ -1,6 +1,6 @@ # hieradata/os/AlmaLinux/AlmaLinux8.yaml --- -profiles::yum::managed_repos: +profiles::yum::global::managed_repos: - 'base' - 'appstream' - 'epel' diff --git a/hieradata/os/AlmaLinux/AlmaLinux9.yaml b/hieradata/os/AlmaLinux/AlmaLinux9.yaml index 40c32c1..c6e95cc 100644 --- a/hieradata/os/AlmaLinux/AlmaLinux9.yaml +++ b/hieradata/os/AlmaLinux/AlmaLinux9.yaml @@ -1,6 +1,6 @@ # hieradata/os/AlmaLinux/AlmaLinux9.yaml --- -profiles::yum::managed_repos: +profiles::yum::global::managed_repos: - 'base' - 'appstream' - 'epel' diff --git a/hieradata/roles/infra/ovirt/engine.yaml b/hieradata/roles/infra/ovirt/engine.yaml index 94fcdbd..44c4baa 100644 --- a/hieradata/roles/infra/ovirt/engine.yaml +++ b/hieradata/roles/infra/ovirt/engine.yaml 
@@ -1,5 +1,5 @@ --- -profiles::yum::managed_repos: +profiles::yum::global::managed_repos: - 'virt-advanced-virtualization' - 'storage-ceph-pacific' - 'cloud-openstack-xena' diff --git a/hieradata/roles/infra/ovirt/node.yaml b/hieradata/roles/infra/ovirt/node.yaml index e02910a..847efc6 100644 --- a/hieradata/roles/infra/ovirt/node.yaml +++ b/hieradata/roles/infra/ovirt/node.yaml @@ -1,7 +1,7 @@ --- profiles::firewall::firewalld::ensure_package: 'installed' profiles::firewall::firewalld::ensure_service: 'running' -profiles::yum::managed_repos: +profiles::yum::global::managed_repos: - 'virt-advanced-virtualization' - 'storage-ceph-pacific' - 'cloud-openstack-xena' diff --git a/hieradata/roles/infra/reposync/syncer.yaml b/hieradata/roles/infra/reposync/syncer.yaml index 7455441..f893a5b 100644 --- a/hieradata/roles/infra/reposync/syncer.yaml +++ b/hieradata/roles/infra/reposync/syncer.yaml @@ -119,7 +119,7 @@ profiles::reposync::repos_list: osname: 'puppet7' release: 'el' baseurl: 'https://yum.puppet.com/puppet7/el/8/x86_64/' - gpgkey: 'https://yum.puppet.com/RPM-GPG-KEY-puppet' + gpgkey: 'https://yum.puppet.com/RPM-GPG-KEY-puppet-20250406' postgresql_rhel8_common: repository: 'common' description: 'PostgreSQL Common RHEL 8' diff --git a/site/profiles/manifests/puppet/agent.pp b/site/profiles/manifests/puppet/agent.pp index 0c2122e..8cb1696 100644 --- a/site/profiles/manifests/puppet/agent.pp +++ b/site/profiles/manifests/puppet/agent.pp @@ -6,7 +6,8 @@ class profiles::puppet::agent ( # Ensure the puppet-agent package is installed and locked to a specific version package { 'puppet-agent': - ensure => $puppet_version, + ensure => $puppet_version, + require => Class['profiles::yum::puppet7'], } # if puppet-version is anything other than latest, set a versionlock diff --git a/site/profiles/manifests/yum/global.pp b/site/profiles/manifests/yum/global.pp index 755bd31..2296b7f 100644 --- a/site/profiles/manifests/yum/global.pp +++ b/site/profiles/manifests/yum/global.pp 
@@ -41,7 +41,7 @@ # - 'appstream' # class profiles::yum::global ( - Array[String] $managed_repos = lookup('profiles::yum::managed_repos'), + Array[String] $managed_repos, Boolean $purge = true, ){ class { 'yum': diff --git a/site/profiles/manifests/yum/puppet7.pp b/site/profiles/manifests/yum/puppet7.pp index 2733ff2..1d6c802 100644 --- a/site/profiles/manifests/yum/puppet7.pp +++ b/site/profiles/manifests/yum/puppet7.pp @@ -30,29 +30,19 @@ # } class profiles::yum::puppet7 ( Array[String] $managed_repos, - String $baseurl = 'http://yum.puppet.com', + String $baseurl = 'http://repos.main.unkin.net/puppet7', ) { $releasever = $facts['os']['release']['major'] $basearch = $facts['os']['architecture'] if 'puppet7' in $managed_repos { - if ($releasever in [7,8,9]) { - $source = "${baseurl}/puppet7-release-el-${releasever}.noarch.rpm" - - yum::install { 'puppet-release-el': - ensure => present, - source => $source, - } - } else { - err("Unsupported OS release ${releasever}") - } - yumrepo { 'puppet7': name => 'puppet7', descr => 'puppet7 repository', target => '/etc/yum.repos.d/puppet7.repo', - baseurl => "${baseurl}/puppet/el/${releasever}/${basearch}/", - gpgkey => "${baseurl}/RPM-GPG-KEY-puppet", + baseurl => "${baseurl}/el/${releasever}-daily/${basearch}/os/", + gpgkey => 'https://yum.puppet.com/RPM-GPG-KEY-puppet-20250406', + #gpgkey => "${baseurl}/el/${releasever}-daily/${basearch}/os/RPM-GPG-KEY-puppet", } } } From 80b7ad86396798484eac98d18b428825d34cb45c Mon Sep 17 00:00:00 2001 
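Review bot: `baseurl` now points at the internal mirror over plain `http://`, and the `yumrepo` resource sets `gpgkey` but no `gpgcheck` line is visible in the hunk, so unless a global yum default enables it, packages fetched from `repos.main.unkin.net` install without signature verification and a mirror-side or on-path modification goes unnoticed; add `gpgcheck => true,` next to `gpgkey` (if `gpgcheck` is set elsewhere in the file, a comment pointing to it would help). The commented-out `#gpgkey => "${baseurl}/el/${releasever}-daily/${basearch}/os/RPM-GPG-KEY-puppet",` either records a planned switch to the mirrored key or is leftover; if the former, say so in the comment, otherwise remove it. The class header above the hunk is outside this view and may still describe the old `yum.puppet.com` default — worth checking.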
From: Ben Vincent Date: Sun, 17 Mar 2024 21:31:05 +1100 Subject: [PATCH 121/229] feat: add cobbler profile - add datavol to cobbler nodes - add cobbler profile - add cobbler role hieradata - manage selinux where required for cobbler - manage service cname --- hieradata/roles/infra/cobbler/server.eyaml | 2 + hieradata/roles/infra/cobbler/server.yaml | 17 + site/profiles/manifests/cobbler/ipxebins.pp | 46 ++ site/profiles/manifests/cobbler/server.pp | 119 +++++ .../templates/cobbler/debmirror.conf.erb | 79 +++ .../templates/cobbler/httpd_ssl.conf.erb | 203 ++++++++ site/profiles/templates/cobbler/main.ipxe.erb | 47 ++ .../templates/cobbler/settings.yaml.erb | 466 ++++++++++++++++++ site/roles/manifests/infra/cobbler/server.pp | 2 + 9 files changed, 981 insertions(+) create mode 100644 hieradata/roles/infra/cobbler/server.eyaml create mode 100644 hieradata/roles/infra/cobbler/server.yaml create mode 100644 site/profiles/manifests/cobbler/ipxebins.pp create mode 100644 site/profiles/manifests/cobbler/server.pp create mode 100644 site/profiles/templates/cobbler/debmirror.conf.erb create mode 100644 site/profiles/templates/cobbler/httpd_ssl.conf.erb create mode 100644 site/profiles/templates/cobbler/main.ipxe.erb create mode 100644 site/profiles/templates/cobbler/settings.yaml.erb diff --git a/hieradata/roles/infra/cobbler/server.eyaml b/hieradata/roles/infra/cobbler/server.eyaml new file mode 100644 index 0000000..9f6f432 --- /dev/null +++ b/hieradata/roles/infra/cobbler/server.eyaml @@ -0,0 +1,2 @@ +--- +profiles::cobbler::server::default_password_crypted: ENC[PKCS7,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] diff --git a/hieradata/roles/infra/cobbler/server.yaml b/hieradata/roles/infra/cobbler/server.yaml new file mode 100644 index 0000000..4aaea83 --- /dev/null +++ b/hieradata/roles/infra/cobbler/server.yaml 
@@ -0,0 +1,17 @@ +--- +profiles::packages::install: + - cobbler + - cobbler3.2-web + - httpd + - syslinux + - dnf-plugins-core + - debmirror + - pykickstart + - fence-agents + - selinux-policy-devel + - ipxe-bootimgs + +profiles::pki::vault::alt_names: + - cobbler.main.unkin.net + +profiles::cobbler::server::service_cname: 'cobbler.main.unkin.net' diff --git a/site/profiles/manifests/cobbler/ipxebins.pp b/site/profiles/manifests/cobbler/ipxebins.pp new file mode 100644 index 0000000..125c353 --- /dev/null +++ b/site/profiles/manifests/cobbler/ipxebins.pp @@ -0,0 +1,46 @@ +# profiles::cobbler::ipxebins +class profiles::cobbler::ipxebins { + + # download the custom undionly.kpxe file + # https://gist.github.com/rikka0w0/50895b82cbec8a3a1e8c7707479824c1 + exec { 'download_undionly_kpxe': + command => 'wget -O /var/lib/tftpboot/undionly.kpxe http://repos.main.unkin.net/unkin/8/x86_64/os/Archives/undionly.kpxe', + path => ['/bin', '/usr/bin'], + creates => '/var/lib/tftpboot/undionly.kpxe', + } + + # set correct permissions ipxe boot image to tftpboot + file { '/var/lib/tftpboot/undionly.kpxe': + ensure => 'file', + owner => 'root', + group => 'root', + mode => '0644', + require => [ + Package['ipxe-bootimgs'], + Package['cobbler'], + Exec['download_undionly_kpxe'] + ], + } + + # download the custom ipxe.efi file + # https://gist.github.com/rikka0w0/50895b82cbec8a3a1e8c7707479824c1 + exec { 'download_ipxe_efi': + command => 'wget -O /var/lib/tftpboot/ipxe.efi http://repos.main.unkin.net/unkin/8/x86_64/os/Archives/ipxe.efi', + path => ['/bin', '/usr/bin'], + creates => '/var/lib/tftpboot/ipxe.efi', + } + + # set correct permissions ipxe boot image to tftpboot + file { '/var/lib/tftpboot/ipxe.efi': + ensure => 'file', + owner => 'root', + group => 'root', + mode => '0644', + require => [ + Package['ipxe-bootimgs'], + Package['cobbler'], + Exec['download_ipxe_efi'] + ], + } +} + 
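Review bot: Both `exec` resources fetch the network boot images over plain HTTP with `wget -O` guarded only by `creates`, so whatever bytes the mirror returns on the first run — an HTML error page or a tampered binary — become the `undionly.kpxe`/`ipxe.efi` served to every PXE client and are never checked again. Puppet's `file` type can fetch the same URL itself and pin the content to a known digest via `checksum`/`checksum_value`, which replaces each `exec` + `file` pair, re-verifies the file on every run and fails loudly if the mirror serves something else; the digest placeholders below must be filled with the hashes of the vetted images. An https mirror would additionally protect the transfer, but the digest pin is what guarantees integrity.
```puppet
  # fetch the custom undionly.kpxe and pin its content to a known digest
  file { '/var/lib/tftpboot/undionly.kpxe':
    ensure         => 'file',
    source         => 'http://repos.main.unkin.net/unkin/8/x86_64/os/Archives/undionly.kpxe',
    checksum       => 'sha256',
    checksum_value => '<SHA256_OF_VETTED_UNDIONLY_KPXE>',
    owner          => 'root',
    group          => 'root',
    mode           => '0644',
    require        => [Package['ipxe-bootimgs'], Package['cobbler']],
  }

  # … same shape for /var/lib/tftpboot/ipxe.efi, with its own digest …
```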
diff --git a/site/profiles/manifests/cobbler/server.pp b/site/profiles/manifests/cobbler/server.pp new file mode 100644 index 0000000..3dba1dc --- /dev/null +++ b/site/profiles/manifests/cobbler/server.pp 
@@ -0,0 +1,119 @@ +# profiles::cobbler::server +class profiles::cobbler::server ( + Stdlib::Fqdn $service_cname, + String $default_password_crypted, + Stdlib::Absolutepath $httpd_ssl_certificate = '/etc/pki/tls/vault/certificate.crt', + Stdlib::Absolutepath $httpd_ssl_privatekey = '/etc/pki/tls/vault/private.key', + Stdlib::Absolutepath $tftpboot_path = '/var/lib/tftpboot/boot', + String $server = $::facts['networking']['ip'], + String $next_server = $::facts['networking']['ip'], + Boolean $pxe_just_once = true, +) { + + include profiles::cobbler::ipxebins + + # manage the cobbler settings file + file { '/etc/cobbler/settings.yaml': + ensure => 'file', + content => template('profiles/cobbler/settings.yaml.erb'), + group => 'apache', + owner => 'root', + mode => '0640', + require => Package['cobbler'], + notify => Service['cobblerd'], + } + + # fix permissions in /var/lib/cobbler/web.ss + file {'/var/lib/cobbler/web.ss': + ensure => 'file', + group => 'root', + owner => 'apache', + mode => '0660', + require => Package['cobbler'], + notify => Service['cobblerd'], + } + + # manage the debmirror config to meet cobbler requirements + file { '/etc/debmirror.conf': + ensure => 'file', + content => template('profiles/cobbler/debmirror.conf.erb'), + group => 'root', + owner => 'root', + mode => '0644', + require => Package['debmirror'], + } + + # manage the httpd ssl configuration + file { '/etc/httpd/conf.d/ssl.conf': + ensure => 'file', + content => template('profiles/cobbler/httpd_ssl.conf.erb'), + group => 'root', + owner => 'root', + mode => '0644', + require => Package['httpd'], + notify => Service['httpd'], + } + + # manage the main ipxe menu script + file { '/var/lib/tftpboot/main.ipxe': + ensure => 'file', + content => template('profiles/cobbler/main.ipxe.erb'), + owner => 'root', + group => 'root', + mode => '0644', + require => Package['cobbler'], + } + + # ensure cobblerd is running + service {'cobblerd': + ensure => 'running', + enable => true, + require => 
File['/etc/cobbler/settings.yaml'], + } + + # ensure httpd is running + service {'httpd': + ensure => 'running', + enable => true, + require => File['/etc/httpd/conf.d/ssl.conf'], + } + + # export cnames for cobbler + profiles::dns::record { "${::facts['networking']['fqdn']}_${service_cname}_CNAME": + value => $::facts['networking']['hostname'], + type => 'CNAME', + record => "${service_cname}.", + zone => $::facts['networking']['domain'], + order => 10, + } + + # manage selinux requirements for cobbler + if $::facts['os']['selinux']['config_mode'] == 'enforcing' { + + $enable_sebooleans = [ + 'httpd_can_network_connect_cobbler', + 'httpd_serve_cobbler_files', + 'cobbler_can_network_connect' + ] + + $enable_sebooleans.each |$bool| { + selboolean { $bool: + value => on, + persistent => true, + } + } + + selinux::fcontext { $tftpboot_path: + ensure => 'present', + seltype => 'cobbler_var_lib_t', + pathspec => "${tftpboot_path}(/.*)?", + } + + exec { "restorecon_${tftpboot_path}": + path => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'], + command => "restorecon -Rv ${tftpboot_path}", + refreshonly => true, + subscribe => Selinux::Fcontext[$tftpboot_path], + } + } +} diff --git a/site/profiles/templates/cobbler/debmirror.conf.erb b/site/profiles/templates/cobbler/debmirror.conf.erb new file mode 100644 index 0000000..9c66ca1 --- /dev/null +++ b/site/profiles/templates/cobbler/debmirror.conf.erb 
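Review bot: `/etc/cobbler/settings.yaml` is rendered from a template that, given the `$default_password_crypted` parameter, presumably embeds the crypted default password, yet the `file` resource has no `show_diff => false,`, so every content change prints the old and new hash into the agent log and report; add `show_diff => false,` to that resource. `String $default_password_crypted` would be better typed `Sensitive[String]` so the value is also redacted from the catalog; the template would then need `@default_password_crypted.unwrap`, so check it before changing the type. The `$::facts[...]` top-scope form is used throughout while `$facts[...]` is the current idiom and what `profiles::yum::ovirt` in this series uses. The selinux block only applies when `config_mode` is `enforcing`, so a host built in permissive mode gets no fcontext and breaks when later switched — probably acceptable, but worth a comment on the `if`.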
@@ -0,0 +1,79 @@ +# Puppet managed config for debmirror + +# The config file is a perl script so take care to follow perl syntax. +# Any setting in /etc/debmirror.conf overrides these defaults and +# ~/.debmirror.conf overrides those again. Take only what you need. +# +# The syntax is the same as on the command line and variable names +# loosely match option names. If you don't recognize something here +# then just stick to the command line. +# +# Options specified on the command line override settings in the config +# files. + +# Location of the local mirror (use with care) +# $mirrordir="/path/to/mirrordir" + +# Output options +$verbose=0; +$progress=0; +$debug=0; + +# Download options +$host="ftp.debian.org"; +$user="anonymous"; +$passwd="anonymous@"; +$remoteroot="debian"; +$download_method="ftp"; +# @dists="sid"; +@sections="main,main/debian-installer,contrib,non-free,non-free-firmware"; +# @arches="i386"; +# @ignores=""; +# @excludes=""; +# @includes=""; +# @excludes_deb_section=""; +# @limit_priority=""; +$omit_suite_symlinks=0; +$skippackages=0; +# @rsync_extra="doc,tools"; +$i18n=0; +$getcontents=0; +$do_source=1; +$max_batch=0; + +# @di_dists="dists"; +# @di_archs="arches"; + +# Save mirror state between runs; value sets validity of cache in days +$state_cache_days=0; + +# Security/Sanity options +$ignore_release_gpg=0; +$ignore_release=0; +$check_md5sums=0; +$ignore_small_errors=0; + +# Cleanup +$cleanup=0; +$post_cleanup=1; + +# Locking options +$timeout=300; + +# Rsync options +$rsync_batch=200; +$rsync_options="-aIL --partial"; + +# FTP/HTTP options +$passive=0; +# $proxy="http://proxy:port/"; + +# Dry run +$dry_run=0; + +# Don't keep diff files but use them +$diff_mode="use"; + +# The config file must return true or perl complains. +# Always copy this. +1; diff --git a/site/profiles/templates/cobbler/httpd_ssl.conf.erb b/site/profiles/templates/cobbler/httpd_ssl.conf.erb new file mode 100644 index 0000000..9b95ba5 --- /dev/null 
+++ b/site/profiles/templates/cobbler/httpd_ssl.conf.erb 
@@ -0,0 +1,203 @@ +# managed by puppet +# +# When we also provide SSL we have to listen to the +# standard HTTPS port in addition. +# +Listen 443 https + +## +## SSL Global Context +## +## All SSL configuration in this context applies both to +## the main server and all SSL-enabled virtual hosts. +## + +# Pass Phrase Dialog: +# Configure the pass phrase gathering process. +# The filtering dialog program (`builtin' is a internal +# terminal dialog) has to provide the pass phrase on stdout. +SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog + +# Inter-Process Session Cache: +# Configure the SSL Session Cache: First the mechanism +# to use and second the expiring timeout (in seconds). +SSLSessionCache shmcb:/run/httpd/sslcache(512000) +SSLSessionCacheTimeout 300 + +# +# Use "SSLCryptoDevice" to enable any supported hardware +# accelerators. Use "openssl engine -v" to list supported +# engine names. NOTE: If you enable an accelerator and the +# server does not start, consult the error logs and ensure +# your accelerator is functioning properly. +# +SSLCryptoDevice builtin +#SSLCryptoDevice ubsec + +## +## SSL Virtual Host Context +## + + + +# General setup for the virtual host, inherited from global configuration +#DocumentRoot "/var/www/html" +#ServerName www.example.com:443 + +# Use separate log files for the SSL virtual host; note that LogLevel +# is not inherited from httpd.conf. +ErrorLog logs/ssl_error_log +TransferLog logs/ssl_access_log +LogLevel warn + +# SSL Engine Switch: +# Enable/Disable SSL for this virtual host. +SSLEngine on + +# List the protocol versions which clients are allowed to connect with. +# The OpenSSL system profile is used by default. See +# update-crypto-policies(8) for more details. 
+#SSLProtocol all -SSLv3 +#SSLProxyProtocol all -SSLv3 + +# User agents such as web browsers are not configured for the user's +# own preference of either security or performance, therefore this +# must be the prerogative of the web server administrator who manages +# cpu load versus confidentiality, so enforce the server's cipher order. +SSLHonorCipherOrder on + +# SSL Cipher Suite: +# List the ciphers that the client is permitted to negotiate. +# See the mod_ssl documentation for a complete list. +# The OpenSSL system profile is configured by default. See +# update-crypto-policies(8) for more details. +SSLCipherSuite PROFILE=SYSTEM +SSLProxyCipherSuite PROFILE=SYSTEM + +# Point SSLCertificateFile at a PEM encoded certificate. If +# the certificate is encrypted, then you will be prompted for a +# pass phrase. Note that restarting httpd will prompt again. Keep +# in mind that if you have both an RSA and a DSA certificate you +# can configure both in parallel (to also allow the use of DSA +# ciphers, etc.) +# Some ECC cipher suites (http://www.ietf.org/rfc/rfc4492.txt) +# require an ECC certificate which can also be configured in +# parallel. +SSLCertificateFile <%= @httpd_ssl_certificate %> + +# Server Private Key: +# If the key is not combined with the certificate, use this +# directive to point at the key file. Keep in mind that if +# you've both a RSA and a DSA private key you can configure +# both in parallel (to also allow the use of DSA ciphers, etc.) +# ECC keys, when in use, can also be configured in parallel +SSLCertificateKeyFile <%= @httpd_ssl_privatekey %> + +# Server Certificate Chain: +# Point SSLCertificateChainFile at a file containing the +# concatenation of PEM encoded CA certificates which form the +# certificate chain for the server certificate. Alternatively +# the referenced file can be the same as SSLCertificateFile +# when the CA certificates are directly appended to the server +# certificate for convenience. 
+#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt + +# Certificate Authority (CA): +# Set the CA certificate verification path where to find CA +# certificates for client authentication or alternatively one +# huge file containing all of them (file must be PEM encoded) +#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt + +# Client Authentication (Type): +# Client certificate verification type and depth. Types are +# none, optional, require and optional_no_ca. Depth is a +# number which specifies how deeply to verify the certificate +# issuer chain before deciding the certificate is not valid. +#SSLVerifyClient require +#SSLVerifyDepth 10 + +# Access Control: +# With SSLRequire you can do per-directory access control based +# on arbitrary complex boolean expressions containing server +# variable checks and other lookup directives. The syntax is a +# mixture between C and Perl. See the mod_ssl documentation +# for more details. +# +#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \ +# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \ +# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \ +# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \ +# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \ +# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/ +# + +# SSL Engine Options: +# Set various options for the SSL engine. +# o FakeBasicAuth: +# Translate the client X.509 into a Basic Authorisation. This means that +# the standard Auth/DBMAuth methods can be used for access control. The +# user name is the `one line' version of the client's X.509 certificate. +# Note that no password is obtained from the user. Every entry in the user +# file needs this password: `xxj31ZMTZzkVA'. +# o ExportCertData: +# This exports two additional environment variables: SSL_CLIENT_CERT and +# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the +# server (always existing) and the client (only existing when client +# authentication is used). 
This can be used to import the certificates +# into CGI scripts. +# o StdEnvVars: +# This exports the standard SSL/TLS related `SSL_*' environment variables. +# Per default this exportation is switched off for performance reasons, +# because the extraction step is an expensive operation and is usually +# useless for serving static content. So one usually enables the +# exportation for CGI and SSI requests only. +# o StrictRequire: +# This denies access when "SSLRequireSSL" or "SSLRequire" applied even +# under a "Satisfy any" situation, i.e. when it applies access is denied +# and no other module can change it. +# o OptRenegotiate: +# This enables optimized SSL connection renegotiation handling when SSL +# directives are used in per-directory context. +#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire + + SSLOptions +StdEnvVars + + + SSLOptions +StdEnvVars + + +# SSL Protocol Adjustments: +# The safe and default but still SSL/TLS standard compliant shutdown +# approach is that mod_ssl sends the close notify alert but doesn't wait for +# the close notify alert from client. When you need a different shutdown +# approach you can use one of the following variables: +# o ssl-unclean-shutdown: +# This forces an unclean shutdown when the connection is closed, i.e. no +# SSL close notify alert is sent or allowed to be received. This violates +# the SSL/TLS standard but is needed for some brain-dead browsers. Use +# this when you receive I/O errors because of the standard approach where +# mod_ssl sends the close notify alert. +# o ssl-accurate-shutdown: +# This forces an accurate shutdown when the connection is closed, i.e. a +# SSL close notify alert is sent and mod_ssl waits for the close notify +# alert of the client. This is 100% SSL/TLS standard compliant, but in +# practice often causes hanging connections with brain-dead browsers. Use +# this only for browsers where you know that their SSL implementation +# works correctly. 
+# Notice: Most problems of broken clients are also related to the HTTP +# keep-alive facility, so you usually additionally want to disable +# keep-alive for those clients, too. Use variable "nokeepalive" for this. +# Similarly, one has to force some clients to use HTTP/1.0 to workaround +# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and +# "force-response-1.0" for this. +BrowserMatch "MSIE [2-5]" \ + nokeepalive ssl-unclean-shutdown \ + downgrade-1.0 force-response-1.0 + +# Per-Server Logging: +# The home of a custom SSL log file. Use this when you want a +# compact non-error SSL logfile on a virtual host basis. +CustomLog logs/ssl_request_log \ + "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" + + diff --git a/site/profiles/templates/cobbler/main.ipxe.erb b/site/profiles/templates/cobbler/main.ipxe.erb new file mode 100644 index 0000000..386d262 --- /dev/null +++ b/site/profiles/templates/cobbler/main.ipxe.erb 
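Review bot: `SSLCertificateChainFile` stays commented while `SSLCertificateFile` is templated to the vault-issued `certificate.crt`; if the vault CA issues from an intermediate and that file does not already carry the chain, clients will see an incomplete chain, so either append the intermediate to the file Vault writes or set `SSLCertificateChainFile` to the chain path (mod_ssl 2.4.8+ also reads chain certificates appended to `SSLCertificateFile`). The two consecutive `SSLOptions +StdEnvVars` lines and the `SSL Virtual Host Context` heading with no directive after it suggest the `<VirtualHost _default_:443>`, `<Files>` and `<Directory>` container lines were lost in this rendering; if they are genuinely absent from the template, `SSLEngine on` applies to the global context and the containers need restoring. Apart from the two `<%= %>` substitutions this is the distribution's stock `ssl.conf` with its full commentary, so the managed template could be trimmed to the directives actually set, with a header such as `# based on the stock mod_ssl ssl.conf; only the certificate and key paths are templated`.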
@@ -0,0 +1,47 @@ +#!ipxe +dhcp + +# Some menu defaults +set menu-timeout 5000 +set submenu-timeout ${menu-timeout} +set menu-default cobbler + +:start +menu iPXE boot menu +item --gap -- ----------------------------- Cobbler ------------------------------------ +item cobbler Cobbler (kickstart or boot from disk) +item --gap -- ------------------------- Advanced options ------------------------------- +item --key s shell Drop to iPXE shell +item --key r reboot Reboot +item +item --key x exit Exit iPXE and continue BIOS boot +choose --timeout ${menu-timeout} --default ${menu-default} selected || goto cancel +set menu-timeout 0 +goto ${selected} + +:cancel +echo You cancelled the menu, dropping you to a shell + +:no_system +echo No system configuration found for MAC address ${mac} +goto exit + +:shell +echo Type 'exit' to get the back to the menu +shell +set menu-timeout 0 +set submenu-timeout 0 +goto start + +:reboot +reboot + +:exit +exit + +### +### Custom menu entries +### + +:cobbler +chain --autofree http://${next-server}/cblr/svc/op/gpxe/mac/${net0/mac} || goto no_system diff --git a/site/profiles/templates/cobbler/settings.yaml.erb b/site/profiles/templates/cobbler/settings.yaml.erb new file mode 100644 index 0000000..1869444 --- /dev/null +++ b/site/profiles/templates/cobbler/settings.yaml.erb 
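Review bot: The `:cancel` label prints "dropping you to a shell" but has no `goto`, so execution falls through into `:no_system`, prints the missing-configuration message and `goto exit` leaves iPXE — the user never reaches the shell. Add `goto shell` after the echo under `:cancel`. The `:cobbler` entry chains to `http://${next-server}/cblr/svc/op/gpxe/mac/${net0/mac}`, keyed only by the MAC and unauthenticated, which is inherent to PXE but worth a comment such as `# boot scripts are selected by MAC only; keep the PXE segment restricted to hosts being provisioned`.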
@@ -0,0 +1,466 @@ +# Cobbler settings file + +# Restart cobblerd and run "cobbler sync" after making changes. +# This config file is in YAML 1.2 format; see "http://yaml.org". + +# If "true", Cobbler will allow insertions of system records that duplicate the "--dns-name" information of other system +# records. In general, this is undesirable and should be left "false". +allow_duplicate_hostnames: false + +# If "true", Cobbler will allow insertions of system records that duplicate the ip address information of other system +# records. In general, this is undesirable and should be left "false". +allow_duplicate_ips: false + +# If "true", Cobbler will allow insertions of system records that duplicate the MAC address information of other system +# records. In general, this is undesirable. +allow_duplicate_macs: false + +# If "true", Cobbler will allow settings to be changed dynamically without a restart of the cobblerd daemon. You can +# only change this variable by manually editing the settings file, and you MUST restart cobblerd after changing it. +allow_dynamic_settings: false + +# By default, installs are *not* set to send installation logs to the Cobbler server. With "anamon_enabled", automatic +# installation templates may use the "pre_anamon" snippet to allow remote live monitoring of their installations from +# the Cobbler server. Installation logs will be stored under "/var/log/cobbler/anamon/". +# NOTE: This does allow an xmlrpc call to send logs to this directory, without authentication, so enable only if you are +# ok with this limitation. +anamon_enabled: false + +# If using "authn_pam" in the "modules.conf", this can be configured to change the PAM service authentication will be +# tested against. +# The default value is "login". +authn_pam_service: "login" + +# How long the authentication token is valid for, in seconds. +auth_token_expiration: 3600 + +# This is a directory of files that Cobbler uses to make templating easier. 
See the Wiki for more information. Changing +# this directory should not be required. +autoinstall_snippets_dir: /var/lib/cobbler/snippets +autoinstall_templates_dir: /var/lib/cobbler/templates + +# location of templates used for boot loader config generation +boot_loader_conf_template_dir: "/etc/cobbler/boot_loader_conf" + +# Email out a report when Cobbler finishes installing a system. +# enabled: set to true to turn this feature on +# sender: optional +# email: which addresses to email +# smtp_server: used to specify another server for an MTA +# subject: use the default subject unless overridden +build_reporting_enabled: false +build_reporting_sender: "" +build_reporting_email: [ 'root@localhost' ] +build_reporting_smtp_server: "localhost" +build_reporting_subject: "" +build_reporting_ignorelist: [] + +# If cache_enabled is true, a cache will keep converted records in memory to make checking them faster. This helps with +# use cases like writing out large numbers of records. There is a known issue with cache and remote XMLRPC API calls. +# If you will use Cobbler with config management or infrastructure-as-code tools such as Terraform, it is recommended +# to disable by setting to false. +cache_enabled: true + +# Cheetah-language autoinstall templates can import Python modules. While this is a useful feature, it is not safe to +# allow them to import anything they want. This whitelists which modules can be imported through Cheetah. Users can +# expand this as needed but should never allow modules such as subprocess or those that allow access to the filesystem +# as Cheetah templates are evaluated by cobblerd as code. +cheetah_import_whitelist: + - "random" + - "re" + - "time" + - "netaddr" + +# Default "createrepo_flags" to use for new repositories. If you have createrepo >= 0.4.10, consider +# "-c cache --update -C", which can dramatically improve your "cobbler reposync" time. 
"-s sha" enables working with +# Fedora repos from F11/F12 from EL-4 or EL-5 without python-hashlib installed (which is not available on EL-4) +createrepo_flags: "-c cache -s sha" + +# if no autoinstall template is specified to profile add, use this template +default_autoinstall: /var/lib/cobbler/templates/default.ks + +# configure all installed systems to use these nameservers by default +# unless defined differently in the profile. For DHCP configurations +# you probably do /not/ want to supply this. +default_name_servers: [] +default_name_servers_search: [] + +# if using the authz_ownership module (see the Wiki), objects +# created without specifying an owner are assigned to this +# owner and/or group. Can be a comma seperated list. +default_ownership: + - "admin" + +# Cobbler has various sample automatic installation templates stored +# in /var/lib/cobbler/templates/. This controls +# what install (root) password is set up for those +# systems that reference this variable. The factory +# default is "cobbler" and Cobbler check will warn if +# this is not changed. +# The simplest way to change the password is to run +# openssl passwd -1 +# and put the output between the "" below. +default_password_crypted: "<%= @default_password_crypted %>" + +# the default template type to use in the absence of any +# other detected template. If you do not specify the template +# with '#template=' on the first line of your +# templates/snippets, Cobbler will assume try to use the +# following template engine to parse the templates. +# +# Current valid values are: cheetah, jinja2 +default_template_type: "cheetah" + +# for libvirt based installs in koan, if no virt bridge +# is specified, which bridge do we try? For EL 4/5 hosts +# this should be xenbr0, for all versions of Fedora, try +# "virbr0". This can be overriden on a per-profile +# basis or at the koan command line though this saves +# typing to just set it here to the most common option. 
+default_virt_bridge: xenbr0 + +# use this as the default disk size for virt guests (GB) +default_virt_file_size: 5 + +# use this as the default memory size for virt guests (MB) +default_virt_ram: 512 + +# if koan is invoked without --virt-type and no virt-type +# is set on the profile/system, what virtualization type +# should be assumed? Values: xenpv, xenfv, qemu, vmware +# (NOTE: this does not change what virt_type is chosen by import) +default_virt_type: xenpv + +# enable gPXE booting? Enabling this option will cause Cobbler +# to copy the undionly.kpxe file to the tftp root directory, +# and if a profile/system is configured to boot via gpxe it will +# chain load off pxelinux.0. +# Default: false +enable_gpxe: false + +# controls whether Cobbler will add each new profile entry to the default +# PXE boot menu. This can be over-ridden on a per-profile +# basis when adding/editing profiles with --enable-menu=false/true. Users +# should ordinarily leave this setting enabled unless they are concerned +# with accidental reinstalls from users who select an entry at the PXE +# boot menu. Adding a password to the boot menus templates +# may also be a good solution to prevent unwanted reinstallations +enable_menu: true + +# change this port if Apache is not running plaintext on port +# 80. Most people can leave this alone. +http_port: 80 + +# kernel options that should be present in every Cobbler installation. +# kernel options can also be applied at the distro/profile/system +# level. +kernel_options: {} + +# configuration options if using the authn_ldap module. See the +# the Wiki for details. This can be ignored if you are not using +# LDAP for WebUI/XMLRPC authentication. 
+ldap_server: "ldap.example.com" +ldap_base_dn: "DC=example,DC=com" +ldap_port: 389 +ldap_tls: true +ldap_anonymous_bind: true +ldap_search_bind_dn: '' +ldap_search_passwd: '' +ldap_search_prefix: 'uid=' +ldap_tls_cacertfile: '' +ldap_tls_keyfile: '' +ldap_tls_certfile: '' + +# Cobbler has a feature that allows for integration with config management +# systems such as Puppet. The following parameters work in conjunction with +# --mgmt-classes and are described in further detail at: +# https://github.com/cobbler/cobbler/wiki/Using-cobbler-with-a-configuration-management-system +mgmt_classes: [] +mgmt_parameters: + from_cobbler: true + +# if enabled, this setting ensures that puppet is installed during +# machine provision, a client certificate is generated and a +# certificate signing request is made with the puppet master server +puppet_auto_setup: false + +# when puppet starts on a system after installation it needs to have +# its certificate signed by the puppet master server. Enabling the +# following feature will ensure that the puppet server signs the +# certificate after installation if the puppet master server is +# running on the same machine as Cobbler. This requires +# puppet_auto_setup above to be enabled +sign_puppet_certs_automatically: false + +# location of the puppet executable, used for revoking certificates +puppetca_path: "/usr/bin/puppet" + +# when a puppet managed machine is reinstalled it is necessary to +# remove the puppet certificate from the puppet master server before a +# new certificate is signed (see above). Enabling the following +# feature will ensure that the certificate for the machine to be +# installed is removed from the puppet master server if the puppet +# master server is running on the same machine as Cobbler. 
This +# requires puppet_auto_setup above to be enabled +remove_old_puppet_certs_automatically: false + +# choose a --server argument when running puppetd/puppet agent during autoinstall +#puppet_server: 'puppet' + +# let Cobbler know that you're using a newer version of puppet +# choose version 3 to use: 'puppet agent'; version 2 uses status quo: 'puppetd' +#puppet_version: 2 + +# choose whether to enable puppet parameterized classes or not. +# puppet versions prior to 2.6.5 do not support parameters +puppet_parameterized_classes: true + +# set to true to enable Cobbler's DHCP management features. +# the choice of DHCP management engine is in /etc/cobbler/modules.conf +manage_dhcp: false + +# set to true to enable Cobbler's DNS management features. +# the choice of DNS mangement engine is in /etc/cobbler/modules.conf +manage_dns: false + +# set to path of bind chroot to create bind-chroot compatible bind +# configuration files. This should be automatically detected. +bind_chroot_path: "" + +# set to the ip address of the master bind DNS server for creating secondary +# bind configuration files +bind_master: 127.0.0.1 + +# set to true to enable Cobbler's TFTP management features. +# the choice of TFTP mangement engine is in /etc/cobbler/modules.conf +manage_tftpd: true + +# This variable contains the location of the tftpboot directory. If this directory is not present Cobbler does not +# start. +# Default: /var/lib/tftpboot +tftpboot_location: "/var/lib/tftpboot" + +# set to true to enable Cobbler's RSYNC management features. 
+manage_rsync: false + +# if using BIND (named) for DNS management in /etc/cobbler/modules.conf +# and manage_dns is enabled (above), this lists which zones are managed +# See the Wiki (https://github.com/cobbler/cobbler/wiki/Dns-management) for more info +manage_forward_zones: [] +manage_reverse_zones: [] + +# if using Cobbler with manage_dhcp, put the IP address +# of the Cobbler server here so that PXE booting guests can find it +# if you do not set this correctly, this will be manifested in TFTP open timeouts. +next_server: <%= @next_server %> + +# settings for power management features. optional. +# see https://github.com/cobbler/cobbler/wiki/Power-management to learn more +# choices (refer to codes.py): +# apc_snmp bladecenter bullpap drac ether_wake ilo integrity +# ipmilan lpar rsa virsh wti +power_management_default_type: 'ipmilan' + +# if this setting is set to true, Cobbler systems that pxe boot +# will request at the end of their installation to toggle the +# --netboot-enabled record in the Cobbler system record. This eliminates +# the potential for a PXE boot loop if the system is set to PXE +# first in it's BIOS order. Enable this if PXE is first in your BIOS +# boot order, otherwise leave this disabled. See the manpage +# for --netboot-enabled. +pxe_just_once: <%= @pxe_just_once %> + +# if this setting is set to one, triggers will be executed when systems +# will request to toggle the --netboot-enabled record at the end of their installation. +nopxe_with_triggers: true + +# This setting is only used by the code that supports using Spacewalk/Satellite +# authentication within Cobbler Web and Cobbler XMLRPC. +redhat_management_server: "xmlrpc.rhn.redhat.com" + +# if using authn_spacewalk in modules.conf to let Cobbler authenticate +# against Satellite/Spacewalk's auth system, by default it will not allow per user +# access into Cobbler Web and Cobbler XMLRPC. 
+# in order to permit this, the following setting must be enabled HOWEVER +# doing so will permit all Spacewalk/Satellite users of certain types to edit all +# of Cobbler's configuration. +# these roles are: config_admin and org_admin +# users should turn this on only if they want this behavior and +# do not have a cross-multi-org seperation concern. If you have +# a single org in your satellite, it's probably safe to turn this +# on and then you can use CobblerWeb alongside a Satellite install. +redhat_management_permissive: false + +# specify the default Red Hat authorization key to use to register +# system. If left blank, no registration will be attempted. Similarly +# you can set the --redhat-management-key to blank on any system to +# keep it from trying to register. +redhat_management_key: "" + +# if set to true, allows /usr/bin/cobbler-register (part of the koan package) +# to be used to remotely add new Cobbler system records to Cobbler. +# this effectively allows for registration of new hardware from system +# records. +register_new_installs: false + +# Flags to use for yum's reposync. If your version of yum reposync +# does not support -l, you may need to remove that option. +reposync_flags: "-l -n -d" + +# Flags to use for rysync's reposync. If flag 'a' is used then createrepo +# is not ran after the rsync +reposync_rsync_flags: "-rltDv --copy-unsafe-links" + +# when DHCP and DNS management are enabled, Cobbler sync can automatically +# restart those services to apply changes. The exception for this is +# if using ISC for DHCP, then omapi eliminates the need for a restart. +# omapi, however, is experimental and not recommended for most configurations. +# If DHCP and DNS are going to be managed, but hosted on a box that +# is not on this server, disable restarts here and write some other +# script to ensure that the config files get copied/rsynced to the destination +# box. This can be done by modifying the restart services trigger. 
+# Note that if manage_dhcp and manage_dns are disabled, the respective +# parameter will have no effect. Most users should not need to change +# this. +restart_dns: true +restart_dhcp: true + +# install triggers are scripts in /var/lib/cobbler/triggers/install +# that are triggered in autoinstall pre and post sections. Any +# executable script in those directories is run. They can be used +# to send email or perform other actions. They are currently +# run as root so if you do not need this functionality you can +# disable it, though this will also disable "cobbler status" which +# uses a logging trigger to audit install progress. +run_install_triggers: true + +# enables a trigger which version controls all changes to /var/lib/cobbler +# when add, edit, or sync events are performed. This can be used +# to revert to previous database versions, generate RSS feeds, or for +# other auditing or backup purposes. "git" and "hg" are currently suported, +# but git is the recommend SCM for use with this feature. +scm_track_enabled: false +scm_track_mode: "git" +scm_track_author: "cobbler " +scm_push_script: "/bin/true" + +# this is the address of the Cobbler server -- as it is used +# by systems during the install process, it must be the address +# or hostname of the system as those systems can see the server. +# if you have a server that appears differently to different subnets +# (dual homed, etc), you need to read the --server-override section +# of the manpage for how that works. +server: <%= @server %> + +# If set to true, all commands will be forced to use the localhost address +# instead of using the above value which can force commands like +# cobbler sync to open a connection to a remote address if one is in the +# configuration and would traceback. +client_use_localhost: false + +# If set to "true", all commands to the API (not directly to the XMLRPC server) will go over HTTPS instead of plaintext. 
+# Be sure to change the "http_port" setting to the correct value for the web server. +client_use_https: false + +# Should new profiles for virtual machines default to auto booting with the physical host when the physical host +# reboots? This can be overridden on each profile or system object. +virt_auto_boot: true + +# Cobbler's web directory. Don't change this setting -- see the Wiki on "Relocating your Cobbler install" if your "/var" +# partition is not large enough. +webdir: "/var/www/cobbler" + +# Directories that will not get wiped and recreated on a "cobbler sync". +webdir_whitelist: + - misc + - web + - webui + - localmirror + - repo_mirror + - distro_mirror + - images + - links + - pub + - repo_profile + - repo_system + - svc + - rendered + - .link_cache + +# Cobbler's public XMLRPC listens on this port. Change this only +# if absolutely needed, as you'll have to start supplying a new +# port option to koan if it is not the default. +xmlrpc_port: 25151 + +# "cobbler repo add" commands set Cobbler up with repository +# information that can be used during autoinstall and is automatically +# set up in the Cobbler autoinstall templates. By default, these +# are only available at install time. To make these repositories +# usable on installed systems (since Cobbler makes a very convenient +# mirror) set this to true. Most users can safely set this to true. Users +# who have a dual homed Cobbler server, or are installing laptops that +# will not always have access to the Cobbler server may wish to leave +# this as false. In that case, the Cobbler mirrored yum repos are still +# accessable at http://cobbler.example.org/cblr/repo_mirror and yum +# configuration can still be done manually. This is just a shortcut. +yum_post_install_mirror: true + +# the default yum priority for all the distros. This is only used if yum-priorities plugin is used. +# 1=maximum +# Tweak with caution! +yum_distro_priority: 1 + +# Flags to use for yumdownloader. 
Not all versions may support +# --resolve. +yumdownloader_flags: "--resolve" + +# sort and indent JSON output to make it more human-readable +serializer_pretty_json: false + +# replication rsync options for distros, autoinstalls, snippets set to override default value of "-avzH" +replicate_rsync_options: "-avzH" + +# replication rsync options for repos set to override default value of "-avzH" +replicate_repo_rsync_options: "-avzH" + +# always write DHCP entries, regardless if netboot is enabled +always_write_dhcp_entries: false + +# External proxy - used by: reposync", "signature update" +# Eg: "http://192.168.1.1:8080" (HTTP), "https://192.168.1.1:8443" (HTTPS) +proxy_url_ext: "" + +# Internal proxy - used by systems to reach Cobbler for templates +# Eg: proxy_url_int: "http://10.0.0.1:8080" +proxy_url_int: "" + +# This is a directory of files that Cobbler uses to include +# files into Jinja2 templates +jinja2_includedir: "/var/lib/cobbler/jinja2" + +# Up to now, cobblerd used $server's IP address instead of the DNS name in autoinstallation +# file settings (pxelinux.cfg files) to save bytes, which seemed required for S/390 systems. +# This behavior can have negative impact on installs with multi-homed Cobbler servers, because +# not all of the IP addresses may be reachable during system install. +# This behavior was now made conditional, with default being "off". +convert_server_to_ip: false + +# Leftover settings +bootloaders_dir: "/var/lib/cobbler/loaders" +buildisodir: "/var/cache/cobbler/buildiso" +cobbler_master: "" +default_virt_disk_driver: "raw" +grubconfig_dir: "/var/lib/cobbler/grub_config" +iso_template_dir: "/etc/cobbler/iso" + +# Puppet +puppet_server: "" +puppet_version: 2 + +# Signatures +signature_path: "/var/lib/cobbler/distro_signatures.json" +signature_url: "https://cobbler.github.io/signatures/3.0.x/latest.json" + +# Include other configuration snippets. 
Overwriting a key from this file in a childfile will overwrite the value from +# this file. +include: [ "/etc/cobbler/settings.d/*.settings" ] diff --git a/site/roles/manifests/infra/cobbler/server.pp b/site/roles/manifests/infra/cobbler/server.pp index 438547e..65d8541 100644 --- a/site/roles/manifests/infra/cobbler/server.pp +++ b/site/roles/manifests/infra/cobbler/server.pp @@ -2,4 +2,6 @@ class roles::infra::cobbler::server { include profiles::defaults include profiles::base + include profiles::base::datavol + include profiles::cobbler::server } From d64860f47b7e364a1b27788268df016fbdf5af55 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sun, 24 Mar 2024 18:10:46 +1100 Subject: [PATCH 122/229] feat: add dhcp servers - include puppet-dhcp module - manage dhcp pools - manage dhcp classes (bios/uefi) --- Puppetfile | 1 + .../au/region/drw1/infra/dhcp/server.yaml | 55 +++++++++++++++++++ site/profiles/manifests/dhcp/server.pp | 37 +++++++++++++ site/roles/manifests/infra/dhcp/server.pp | 1 + 4 files changed, 94 insertions(+) create mode 100644 hieradata/country/au/region/drw1/infra/dhcp/server.yaml create mode 100644 site/profiles/manifests/dhcp/server.pp diff --git a/Puppetfile b/Puppetfile index 5701a66..dd723f0 100644 --- a/Puppetfile +++ b/Puppetfile @@ -29,6 +29,7 @@ mod 'puppet-prometheus', '13.4.0' mod 'puppet-grafana', '13.1.0' mod 'puppet-consul', '8.0.0' mod 'puppet-vault', '4.1.0' +mod 'puppet-dhcp', '6.1.0' # other mod 'ghoneycutt-puppet', '3.3.0' diff --git a/hieradata/country/au/region/drw1/infra/dhcp/server.yaml b/hieradata/country/au/region/drw1/infra/dhcp/server.yaml new file mode 100644 index 0000000..8136905 --- /dev/null +++ b/hieradata/country/au/region/drw1/infra/dhcp/server.yaml 
@@ -0,0 +1,55 @@ +--- +profiles::dhcp::server::ntpservers: + - ntp01.main.unkin.net + - ntp02.main.unkin.net +profiles::dhcp::server::interfaces: + - eth0 +profiles::dhcp::server::default_lease_time: 1200 +profiles::dhcp::server::globaloptions: + - 'arch code 93 = unsigned integer 16' + +profiles::dhcp::server::pools: + syd1-prod: + network: 198.18.15.0 + mask: 255.255.255.0 + range: + - '198.18.15.200 198.18.15.220' + gateway: 198.18.15.254 + nameservers: + - 198.18.17.7 + - 198.18.17.8 + domain_name: main.unkin.net + pxeserver: 198.18.17.48 + syd1-test: + network: 198.18.16.0 + mask: 255.255.255.0 + range: + - '198.18.16.200 198.18.16.220' + gateway: 198.18.16.254 + nameservers: + - 198.18.17.7 + - 198.18.17.8 + domain_name: main.unkin.net + pxeserver: 198.18.17.48 + drw1-prod: + network: 198.18.17.0 + mask: 255.255.255.0 + range: + - '198.18.17.200 198.18.17.220' + gateway: 198.18.17.1 + nameservers: + - 198.18.17.7 + - 198.18.17.8 + domain_name: main.unkin.net + pxeserver: 198.18.17.48 + + # UFI 64-bit +profiles::dhcp::server::classes: + UEFI-64: + parameters: + - 'match if option arch = 00:07 or option arch = 00:09' + - 'filename "/ipxe.efi"' + Legacy: + parameters: + - 'match if option arch = 00:00' + - 'filename "/undionly.kpxe"' diff --git a/site/profiles/manifests/dhcp/server.pp b/site/profiles/manifests/dhcp/server.pp new file mode 100644 index 0000000..a4c6d98 --- /dev/null +++ b/site/profiles/manifests/dhcp/server.pp 
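Review bot: The `# UFI 64-bit` comment is misspelled and misplaced: it sits above the `profiles::dhcp::server::classes:` key yet describes only the first of the two classes, so it tells the reader nothing about `Legacy`. Replace it with a comment on the key itself, e.g. `# PXE client classes keyed on DHCP option 93 (arch): UEFI x64 (00:07/00:09) gets ipxe.efi, BIOS (00:00) gets undionly.kpxe`, and note there that `arch` is declared in `globaloptions` above. This file lives under region `drw1` but defines `syd1-prod` and `syd1-test` pools on 198.18.15.0/24 and 198.18.16.0/24 with a `.254` gateway, unlike `drw1-prod`'s `.1`; dhcpd will only answer for those subnets through a relay, so if that is intended a comment saying so would help, otherwise they belong in the syd1 hierarchy.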
@@ -0,0 +1,37 @@
+# profiles::dhcp::server
+class profiles::dhcp::server (
+ Array[Stdlib::Host] $ntpservers = [
+ '0.au.pool.ntp.org',
+ '1.au.pool.ntp.org',
+ '2.au.pool.ntp.org',
+ '3.au.pool.ntp.org'
+ ],
+ Array[String] $interfaces = ['eth0'],
+ Integer $default_lease_time = 86400,
+ Array[String] $globaloptions = [],
+ Hash $pools = {},
+ Hash $classes = {},
+){
+
+ class { 'dhcp':
+ service_ensure => running,
+ interfaces => $interfaces,
+ ntpservers => $ntpservers,
+ default_lease_time => $default_lease_time,
+ globaloptions => $globaloptions
+ }
+
+ # if pools, import them
+ $pools.each | $name, $data | {
+ dhcp::pool { $name:
+ * => $data,
+ }
+ }
+
+ # if classes, import them
+ $classes.each | $name, $data | {
+ dhcp::dhcp_class { $name:
+ * => $data,
+ }
+ }
+}
diff --git a/site/roles/manifests/infra/dhcp/server.pp b/site/roles/manifests/infra/dhcp/server.pp
index f7dd3e8..86a3606 100644
--- a/site/roles/manifests/infra/dhcp/server.pp
+++ b/site/roles/manifests/infra/dhcp/server.pp
@@ -2,4 +2,5 @@ class roles::infra::dhcp::server {
 include profiles::defaults
 include profiles::base
+ include profiles::dhcp::server
 }
From 0ad31f60135ebc8908746226b2e0e028023f0c78 Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Sun, 31 Mar 2024 15:36:41 +1100
Subject: [PATCH 123/229] feat: add virtual/physical check

- add virtual tree to hiera
- add virtual/kvm and virtual/physical hiera sources
- add lm_sensors to be installed on hardware nodes
---
 hiera.yaml | 1 +
 hieradata/virtual/kvm.yaml | 0
 hieradata/virtual/physical.yaml | 3 +++
 3 files changed, 4 insertions(+)
 create mode 100644 hieradata/virtual/kvm.yaml
 create mode 100644 hieradata/virtual/physical.yaml
diff --git a/hiera.yaml b/hiera.yaml
index b763ee3..d46d2ee 100644
--- a/hiera.yaml
+++ b/hiera.yaml
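Review bot: `profiles::dhcp::server` has no documentation beyond its name, and `Hash $pools` / `Hash $classes` are splatted straight into `dhcp::pool` and `dhcp::dhcp_class`, so a malformed hiera entry only fails deep inside the dhcp module with no hint which key was wrong. Tighten them to `Hash[String[1], Hash] $pools = {},` and `Hash[String[1], Hash] $classes = {},`, and add a header comment covering each parameter: the NTP servers and listening interfaces passed to the `dhcp` class, `default_lease_time` in seconds (the class default of 86400 differs from the 1200 set in the drw1 hiera, which the comment should say is deliberate or not), raw `globaloptions` lines such as the `arch` option declaration, and the two hashes keyed by resource title. `Array[String] $interfaces` could be `Array[String[1]]` so an empty interface name is rejected before dhcpd is asked to bind to it.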
@@ -29,6 +29,7 @@ hierarchy:
 - "roles/%{::enc_role_tier1}/%{::enc_role_tier2}.yaml"
 - "roles/%{::enc_role_tier1}.eyaml"
 - "roles/%{::enc_role_tier1}.yaml"
+ - "virtual/%{facts.virtual}.yaml"
 - "os/%{facts.os.name}/%{facts.os.name}%{facts.os.release.major}.yaml"
 - "os/%{facts.os.name}/all_releases.yaml"
 - "common.eyaml"
diff --git a/hieradata/virtual/kvm.yaml b/hieradata/virtual/kvm.yaml
new file mode 100644
index 0000000..e69de29
diff --git a/hieradata/virtual/physical.yaml b/hieradata/virtual/physical.yaml
new file mode 100644
index 0000000..c932ae7
--- /dev/null
+++ b/hieradata/virtual/physical.yaml
@@ -0,0 +1,3 @@
+---
+profiles::packages::install:
+ - lm_sensors
From 64563902d48cb83aa6eb172605dc2cd8033e9cec Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Sun, 31 Mar 2024 20:21:55 +1100
Subject: [PATCH 124/229] feat: deploy cobbler enc

- install python3.11 on all nodes
- create python3.11 venv for cobbler-enc
- install requirements in cobbler-enc venv
- symlink to /usr/local/bin/
---
 hieradata/common.yaml | 1 +
 hieradata/roles/infra/puppet/master.yaml | 6 ++
 site/profiles/manifests/puppet/cobbler_enc.pp | 76 +++++++++++++++++++
 .../profiles/manifests/puppet/puppetmaster.pp | 3 +-
 .../templates/puppet/server/cobbler-enc.erb | 46 +++++++++++
 5 files changed, 131 insertions(+), 1 deletion(-)
 create mode 100644 site/profiles/manifests/puppet/cobbler_enc.pp
 create mode 100644 site/profiles/templates/puppet/server/cobbler-enc.erb
diff --git a/hieradata/common.yaml b/hieradata/common.yaml
index b2ad056..5cb9769 100644
--- a/hieradata/common.yaml
+++ b/hieradata/common.yaml
@@ -58,6 +58,7 @@ profiles::packages::install:
 - pbzip2
 - pigz
 - pv
+ - python3.11
 - rsync
 - screen
 - socat
diff --git a/hieradata/roles/infra/puppet/master.yaml b/hieradata/roles/infra/puppet/master.yaml
index f475770..b489b30 100644
--- a/hieradata/roles/infra/puppet/master.yaml
+++ b/hieradata/roles/infra/puppet/master.yaml
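Review bot: The new `virtual/%{facts.virtual}.yaml` layer selects hierarchy data on a fact the agent reports about itself, unlike the `enc_role_*` layers above it that come from the ENC, so a node can choose which of these files it receives by lying in its facts. Today that only adds a package (`lm_sensors` on physical hosts), which is harmless, but the layer is placed above the OS and common layers and will override whatever is later put there. Add a comment on the entry, `# NOTE: facts.virtual is agent-supplied, not trusted; keep this layer to hardware tuning, never credentials or access policy`, so the layer is not reused for secrets or access-relevant data; if that is ever needed, derive virtualisation from ENC or trusted facts instead.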
@@ -10,6 +10,12 @@ profiles::puppet::autosign::domains: # profiles::puppet::autosign::nodes: # - 'somenode.main.unkin.net' +profiles::puppet::cobbler_enc::cobbler_scheme: https +profiles::puppet::cobbler_enc::cobbler_hostname: cobbler.main.unkin.net +profiles::puppet::cobbler_enc::version: 'system' +profiles::puppet::cobbler_enc::packages: + - 'requests' + - 'PyYAML' profiles::puppet::enc::repo: https://git.unkin.net/unkinben/puppet-enc.git profiles::puppet::r10k::r10k_repo: https://git.unkin.net/unkinben/puppet-r10k.git profiles::puppet::g10k::bin_path: '/opt/puppetlabs/bin/g10k' diff --git a/site/profiles/manifests/puppet/cobbler_enc.pp b/site/profiles/manifests/puppet/cobbler_enc.pp new file mode 100644 index 0000000..a3e9708 --- /dev/null +++ b/site/profiles/manifests/puppet/cobbler_enc.pp 
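Review bot: `profiles::puppet::cobbler_enc::packages` lists `requests` and `PyYAML` with no versions, so each time the venv is built on the puppetmaster the ENC that classifies every node gets whatever PyPI serves at that moment. Pin them (carry a version alongside each name and pass it through as `ensure` on the `python::pip` resource, which lives in the companion manifest) and bump deliberately, and record that intent with a comment such as `# pinned: this venv runs the ENC for all nodes`. `cobbler_scheme: https` with a DNS name in `cobbler_hostname` is the right setting since the ENC verifies the server against the trusted CA bundle; a comment noting that `http` must not be used here would stop a convenient downgrade later.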
@@ -0,0 +1,76 @@ +# Class: profiles::puppet::cobbler_enc +# +# This will deploy the cobbler-enc tool for puppetmasters +# +# wrapper class for python, pip and venv +class profiles::puppet::cobbler_enc ( + Stdlib::Host $cobbler_hostname, + Enum['http','https'] $cobbler_scheme = 'https', + String $script_name = 'cobbler-enc', + Stdlib::AbsolutePath $base_path = "/opt/${script_name}", + Stdlib::AbsolutePath $venv_path = "${base_path}/venv", + String $owner = 'root', + String $group = 'root', + Boolean $systempkgs = false, + String $version = 'system', + Array[String[1]] $packages = ['sys','requests','pyyaml'], + Stdlib::AbsolutePath $trusted_ca_cert = '/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem' +){ + + # set the cobbler url, required for the erb template + $cobbler_base_url = "${cobbler_scheme}://${cobbler_hostname}" + + if $::facts['python3_version'] { + + $python_version = $version ? { + 'system' => $::facts['python3_version'], + default => $version, + } + + # ensure the base_path exists + file { $base_path: + ensure => directory, + mode => '0755', + owner => $owner, + group => $group, + } + + # create a venv + python::pyvenv { $venv_path : + ensure => present, + version => $python_version, + systempkgs => $systempkgs, + venv_dir => $venv_path, + owner => $owner, + group => $group, + require => File[$base_path], + } + + # install the required pip packages + $packages.each |String $package| { + python::pip { "${venv_path}_${package}": + ensure => present, + pkgname => $package, + virtualenv => $venv_path, + } + } + + # create the script from a template + file { "${base_path}/${script_name}": + ensure => file, + mode => '0755', + content => template("profiles/puppet/server/${script_name}.erb"), + require => [ + Python::Pyvenv[$venv_path], + Package['python3.11'] + ], + } + + # create symbolic link in $PATH + file { "/usr/local/bin/${script_name}": + ensure => 'link', + target => "${base_path}/${script_name}", + require => File["${base_path}/${script_name}"], + 
} + } +} diff --git a/site/profiles/manifests/puppet/puppetmaster.pp b/site/profiles/manifests/puppet/puppetmaster.pp index bf7254b..a5b7c74 100644 --- a/site/profiles/manifests/puppet/puppetmaster.pp +++ b/site/profiles/manifests/puppet/puppetmaster.pp @@ -28,6 +28,7 @@ class profiles::puppet::puppetmaster ( include profiles::puppet::r10k include profiles::puppet::g10k include profiles::puppet::enc + include profiles::puppet::cobbler_enc include profiles::puppet::autosign include profiles::puppet::gems include profiles::helpers::certmanager @@ -54,7 +55,7 @@ class profiles::puppet::puppetmaster ( ], server => 'prodinf01n01.main.unkin.net', node_terminus => 'exec', - external_nodes => '/opt/puppetlabs/bin/enc', + external_nodes => '/opt/cobbler-enc/cobbler-enc', autosign => '/etc/puppetlabs/puppet/autosign.conf', default_manifest => '/etc/puppetlabs/code/environments/develop/manifests', default_environment => 'develop', diff --git a/site/profiles/templates/puppet/server/cobbler-enc.erb b/site/profiles/templates/puppet/server/cobbler-enc.erb new file mode 100644 index 0000000..27dd30e --- /dev/null +++ b/site/profiles/templates/puppet/server/cobbler-enc.erb 
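Review bot: The default `$packages = ['sys','requests','pyyaml']` asks `python::pip` to install `sys`, which is a Python standard-library module rather than a PyPI distribution, so the resource either fails on every run or, worse, installs whatever squats that name on the index into the venv that runs the puppetmaster's ENC; drop it: `Array[String[1]] $packages = ['requests', 'pyyaml'],`. The `python::pip` resources use `ensure => present` with no version or hash pinning, so the ENC's dependencies float with PyPI; accept a per-package version and pass it as `ensure`. `require => Package['python3.11']` hard-codes a resource that this class does not declare (it comes from the package list in hiera), so the catalog fails if that list ever changes — depending on `Class['python']` or a parameterised package name keeps the coupling explicit. When `$::facts['python3_version']` is absent the whole body is skipped without a word, leaving the puppetserver pointing at an ENC that does not exist; an `else { fail("python3_version fact missing; cannot deploy ${script_name}") }` makes that loud.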
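Review bot: `external_nodes` now points at `/opt/cobbler-enc/cobbler-enc`, yet `include profiles::puppet::enc` (the previous ENC deployment) stays alongside the new `include profiles::puppet::cobbler_enc`, so both classifiers remain installed and a reader cannot tell which one is authoritative; remove the old include once the switch is confirmed, or add a comment explaining why both are kept. Because puppetserver treats a non-zero ENC exit as a failure for that node, a Cobbler outage now blocks catalog compilation for every agent; a comment on the `external_nodes` line, `# ENC queries Cobbler over HTTPS; Cobbler down => no catalogs`, records that trade-off where the next operator will look. The enclosing `profiles::puppet::puppetmaster` class starts and ends outside these hunks.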
@@ -0,0 +1,46 @@ +#!<%= @venv_path %>/bin/python +""" +External Node Classifier (ENC) for Puppet. + +If the environment specified in the YAML file is 'testing', +the environment is not included in the output. +""" + +import sys +import yaml +import requests + +def fetch_enc_data(cobbler_url: str, hostname: str) -> str: + """ + Fetches and modifies ENC data from a given URL to ensure classes are in list format. + """ + url = f"{cobbler_url}/cblr/svc/op/puppet/hostname/{hostname}" + try: + response = requests.get(url, verify='<%= @trusted_ca_cert %>') + response.raise_for_status() + except requests.RequestException as e: + sys.exit(f"Request failed: {e}") + + data = yaml.safe_load(response.text) + data["parameters"] = data.get("parameters", {}) + + # Ensure 'classes' is in the desired list format + if "classes" in data: + if isinstance(data["classes"], dict): + data["parameters"]["enc_role"] = list(data["classes"].keys()) + data["classes"] = list(data["classes"].keys()) + else: + data["parameters"]["enc_role"] = list(data["classes"]) + data["classes"] = list(data["classes"]) + + if "environment" in data: + data["parameters"]["enc_env"] = data["environment"] + if data["environment"] == "testing": + del data["environment"] + + return yaml.dump(data) + +if __name__ == "__main__": + if len(sys.argv) != 2: + sys.exit(f"Usage: {sys.argv[0]} ") + print(fetch_enc_data("<%= @cobbler_base_url %>", sys.argv[1])) From 5bde96fb4d24d91ef563c602ee8a541d92060d08 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Thu, 4 Apr 2024 00:32:08 +1100 Subject: [PATCH 125/229] feat: change certmanage to approles - created approle 'certmanager' using 'certmanager' policy - update certmanager script to generate token based on roleid --- hieradata/roles/infra/puppet/master.eyaml | 1 + hieradata/roles/infra/puppet/master.yaml | 3 ++- .../templates/helpers/certmanager.erb | 23 +++++++++++++++++-- .../helpers/certmanager_config.yaml.erb | 4 ++-- 4 files changed, 26 insertions(+), 5 deletions(-) 
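Review bot: `fetch_enc_data` interpolates `hostname` straight into the Cobbler URL path and then assumes `yaml.safe_load` returned a mapping; the hostname is the agent-supplied certname (the autosign rules earlier in this series accept whole domains), and an empty or non-mapping reply makes `data.get` raise a TypeError that surfaces as an opaque ENC failure rather than a clean exit. Even if puppetserver constrains certname characters, percent-encoding the segment with `quote(hostname, safe='')` (add `from urllib.parse import quote`) costs nothing and pins the value to a single path segment, and rejecting non-dict payloads explicitly gives a readable error. The usage line `sys.exit(f"Usage: {sys.argv[0]} ")` also appears to have lost its argument placeholder, presumably `<hostname>`.
```python
def fetch_enc_data(cobbler_url: str, hostname: str) -> str:
    """
    Fetches and modifies ENC data from a given URL to ensure classes are in list format.
    """
    # percent-encode the certname so it can only ever select one path segment
    url = f"{cobbler_url}/cblr/svc/op/puppet/hostname/{quote(hostname, safe='')}"
    # … unchanged: request with CA verification and raise_for_status …
    data = yaml.safe_load(response.text)
    if not isinstance(data, dict):
        sys.exit(f"Unexpected ENC payload for {hostname!r}")
    data["parameters"] = data.get("parameters", {})
    # … unchanged: classes/environment normalisation and yaml.dump …
```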
diff --git a/hieradata/roles/infra/puppet/master.eyaml b/hieradata/roles/infra/puppet/master.eyaml index 2efc6d9..46f1d03 100644 --- a/hieradata/roles/infra/puppet/master.eyaml +++ b/hieradata/roles/infra/puppet/master.eyaml @@ -1,2 +1,3 @@ --- certmanager::vault_token: ENC[PKCS7,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] +certmanager::role_id: ENC[PKCS7,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] diff --git a/hieradata/roles/infra/puppet/master.yaml b/hieradata/roles/infra/puppet/master.yaml index b489b30..b5b6830 100644 --- a/hieradata/roles/infra/puppet/master.yaml +++ b/hieradata/roles/infra/puppet/master.yaml @@ -30,6 +30,7 @@ profiles::puppet::gems::puppet: profiles::helpers::certmanager::vault_config: addr: 'https://198.18.17.39:8200' mount_point: 'pki_int' + approle_path: 'approle' role_name: 'servers_default' output_path: '/tmp/certmanager' - token: "%{lookup('certmanager::vault_token')}" + role_id: "%{lookup('certmanager::role_id')}" diff --git a/site/profiles/templates/helpers/certmanager.erb b/site/profiles/templates/helpers/certmanager.erb index d1d2c0b..7266fde 100644 --- a/site/profiles/templates/helpers/certmanager.erb +++ b/site/profiles/templates/helpers/certmanager.erb @@ -1,4 +1,4 @@ -#!/usr/bin/env <%= @venv_path %>/bin/python +#!<%= @venv_path %>/bin/python import argparse import requests 
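Review bot: `certmanager::vault_token` stays in master.eyaml although the `token:` reference in master.yaml is removed in the same change, so the old Vault token remains encrypted in the repository with nothing consuming it. Revoke that token in Vault and drop the key from master.eyaml once the AppRole login is confirmed working, so that a stale credential is not kept alive in hieradata. `approle_path` is added only in this role's data; if any other role renders certmanager_config.yaml.erb it will need the same key, since the template indexes the hash directly.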
@@ -15,9 +15,28 @@ def load_config(config_path): config = yaml.safe_load(file) return config['vault'] +def authenticate_approle(vault_config): + url = f"{vault_config['addr']}/v1/auth/{vault_config['approle_path']}/login" + payload = { + "role_id": vault_config['role_id'], + } + response = requests.post(url, json=payload, verify=False) + if response.status_code == 200: + auth_response = response.json() + return auth_response['auth']['client_token'] + else: + print(f"Error authenticating with AppRole: {response.text}") + return None + def request_certificate(common_name, alt_names, ip_sans, expiry_days, vault_config): + # Authenticate using AppRole and get a token + client_token = authenticate_approle(vault_config) + if not client_token: + print("Failed to authenticate with Vault using AppRole.") + return None + url = f"{vault_config['addr']}/v1/{vault_config['mount_point']}/issue/{vault_config['role_name']}" - headers = {'X-Vault-Token': vault_config['token']} + headers = {'X-Vault-Token': client_token} payload = { "common_name": common_name, "alt_names": ",".join(alt_names), diff --git a/site/profiles/templates/helpers/certmanager_config.yaml.erb b/site/profiles/templates/helpers/certmanager_config.yaml.erb index aea4d18..1b3e1ed 100644 --- a/site/profiles/templates/helpers/certmanager_config.yaml.erb +++ b/site/profiles/templates/helpers/certmanager_config.yaml.erb @@ -1,7 +1,7 @@ vault: addr: '<%= @vault_config['addr'] %>' - token: '<%= @vault_config['token'] %>' + role_id: '<%= @vault_config['role_id'] %>' + approle_path: '<%= @vault_config['approle_path'] %>' mount_point: '<%= @vault_config['mount_point'] %>' role_name: '<%= @vault_config['role_name'] %>' output_path: '<%= @vault_config['output_path'] %>' - From 2091f1ada349d67e78eaaba680dc4aac32d0730e Mon Sep 17 00:00:00 2001 
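Review bot: `authenticate_approle` posts the AppRole login with `verify=False`, so the TLS identity of `vault_config['addr']` is never checked and the returned client token is accepted from whoever answers that address; the issue request further down is outside the hunk, so whether it verifies is not visible here, but the login should at minimum use the trusted CA bundle, e.g. `response = requests.post(url, json=payload, verify=vault_config.get('ca_cert', True))` with `ca_cert` added to the YAML config. The payload also sends only `role_id`, which Vault accepts only when the role is created with `bind_secret_id=false`; in that configuration the role_id is a bearer credential equivalent to the old token, so either bind a secret_id delivered out of band or constrain the role with `secret_id_bound_cidrs`/`token_bound_cidrs` on the Vault side. A failed login currently prints and returns `None`, which the caller turns into a second print and `return None`; raising a single exception with the status code would be less noisy. `request_certificate` continues outside the hunk.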
From: Ben Vincent Date: Fri, 5 Jan 2024 22:47:37 +1100 Subject: [PATCH 126/229] feat: add haproxy profile - add haproxy server class - add haproxy profile to role - add hiera data for region specific haproxy - add selinux configuration - add certlist management - add default http and https frontends - add default stats listener --- Puppetfile | 2 + hieradata/common.yaml | 9 +++ .../au/region/drw1/infra/halb/haproxy.yaml | 49 +++++++++++++++ hieradata/roles/infra/halb/haproxy.yaml | 40 +++++++++++++ .../manifests/haproxy/balancemember.pp | 19 ++++++ site/profiles/manifests/haproxy/certlist.pp | 18 ++++++ site/profiles/manifests/haproxy/fe_http.pp | 21 +++++++ site/profiles/manifests/haproxy/fe_https.pp | 21 +++++++ site/profiles/manifests/haproxy/listener.pp | 21 +++++++ site/profiles/manifests/haproxy/ls_stats.pp | 19 ++++++ site/profiles/manifests/haproxy/mappings.pp | 9 +++ site/profiles/manifests/haproxy/selinux.pp | 32 ++++++++++ site/profiles/manifests/haproxy/server.pp | 60 +++++++++++++++++++ .../templates/haproxy/certificate.list.erb | 3 + site/roles/manifests/infra/halb/haproxy.pp | 1 + 15 files changed, 324 insertions(+) create mode 100644 hieradata/country/au/region/drw1/infra/halb/haproxy.yaml create mode 100644 hieradata/roles/infra/halb/haproxy.yaml create mode 100644 site/profiles/manifests/haproxy/balancemember.pp create mode 100644 site/profiles/manifests/haproxy/certlist.pp create mode 100644 site/profiles/manifests/haproxy/fe_http.pp create mode 100644 site/profiles/manifests/haproxy/fe_https.pp create mode 100644 site/profiles/manifests/haproxy/listener.pp create mode 100644 site/profiles/manifests/haproxy/ls_stats.pp create mode 100644 site/profiles/manifests/haproxy/mappings.pp create mode 100644 site/profiles/manifests/haproxy/selinux.pp create mode 100644 site/profiles/manifests/haproxy/server.pp create mode 100644 site/profiles/templates/haproxy/certificate.list.erb diff --git a/Puppetfile b/Puppetfile index dd723f0..ab6ee0c 100644 
--- a/Puppetfile +++ b/Puppetfile @@ -15,6 +15,7 @@ mod 'puppetlabs-firewall', '6.0.0' mod 'puppetlabs-accounts', '8.1.0' mod 'puppetlabs-mysql', '15.0.0' mod 'puppetlabs-xinetd', '3.4.1' +mod 'puppetlabs-haproxy', '8.0.0' # puppet mod 'puppet-python', '7.0.0' @@ -30,6 +31,7 @@ mod 'puppet-grafana', '13.1.0' mod 'puppet-consul', '8.0.0' mod 'puppet-vault', '4.1.0' mod 'puppet-dhcp', '6.1.0' +mod 'puppet-keepalived', '3.6.0' # other mod 'ghoneycutt-puppet', '3.3.0' diff --git a/hieradata/common.yaml b/hieradata/common.yaml index 5cb9769..606c093 100644 --- a/hieradata/common.yaml +++ b/hieradata/common.yaml @@ -21,6 +21,15 @@ lookup_options: profiles::yum::global::managed_repos: merge: strategy: deep + profiles::haproxy::server::defaults: + merge: + strategy: deep + profiles::haproxy::server::globals: + merge: + strategy: deep + haproxy::backend: + merge: + strategy: deep facts_path: '/opt/puppetlabs/facter/facts.d' diff --git a/hieradata/country/au/region/drw1/infra/halb/haproxy.yaml b/hieradata/country/au/region/drw1/infra/halb/haproxy.yaml new file mode 100644 index 0000000..e8ba37a --- /dev/null +++ b/hieradata/country/au/region/drw1/infra/halb/haproxy.yaml 
@@ -0,0 +1,49 @@ +--- +haproxy::backend: + be_letsencrypt: + description: Backend for LetsEncrypt Verifications + collect_exported: true + options: + balance: roundrobin + be_default: + description: Backend for unmatched HTTP traffic + collect_exported: true + options: + balance: roundrobin + option: + - httpchk + - forwardfor + http-check: send meth GET uri / + cookie: SRVNAME insert + http-request: + - set-header X-Forwarded-Port %[dst_port] + - add-header X-Forwarded-Proto https if { dst_port 443 } + +# fe_http +profiles::haproxy::fe_http::bind_addr: 0.0.0.0 +profiles::haproxy::fe_http::bind_port: 80 +profiles::haproxy::fe_http::bind_opts: + - transparent +profiles::haproxy::fe_http::acls: + - 'acl-letsencrypt path_beg /.well-known/acme-challenge/' +profiles::haproxy::fe_http::http_request: + - 'set-header X-Forwarded-Proto https' + - 'set-header X-Real-IP %[src]' + +# fe_https +profiles::haproxy::fe_https::bind_addr: 0.0.0.0 +profiles::haproxy::fe_https::bind_port: 443 +profiles::haproxy::fe_https::bind_opts: + - ssl + - crt-list /etc/haproxy/certificate.list + - ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH + - force-tlsv12 +profiles::haproxy::fe_https::acls: + - 'acl-letsencrypt path_beg /.well-known/acme-challenge/' +profiles::haproxy::fe_https::http_request: + - 'set-header X-Forwarded-Proto https' + - 'set-header X-Real-IP %[src]' + +profiles::haproxy::certlist::enabled: true +profiles::haproxy::certlist::certificates: + - /etc/pki/tls/vault/certificate.pem diff --git a/hieradata/roles/infra/halb/haproxy.yaml b/hieradata/roles/infra/halb/haproxy.yaml new file mode 100644 index 0000000..f6e352d --- /dev/null +++ b/hieradata/roles/infra/halb/haproxy.yaml 
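Review bot: `profiles::haproxy::fe_http::http_request` sets `set-header X-Forwarded-Proto https` on the plaintext :80 frontend, so backends that trust that header will treat cleartext requests as TLS (secure cookies, skipped redirects); the HTTP frontend should send `set-header X-Forwarded-Proto http`, or drop the header there and rely on the backend-level `add-header X-Forwarded-Proto https if { dst_port 443 }` already in this hunk. Separately, the https bind uses `force-tlsv12`, which in HAProxy pins both the minimum and maximum version to TLS 1.2 and overrides the `ssl-max-ver TLSv1.3` set in the role globals, so TLS 1.3 is silently disabled on the public listener; `ssl-min-ver TLSv1.2` is the bind option that matches the stated intent. The `transparent` bind option also needs the tproxy capabilities on the host, which nothing else in this commit sets up, so it is worth a comment or removal if the LB is not doing transparent proxying.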
@@ -0,0 +1,40 @@ +--- +profiles::haproxy::ls_stats::port: 9090 +profiles::haproxy::ls_stats::user: 'admin' +profiles::selinux::setenforce::mode: permissive + +profiles::haproxy::selinux::ports: + - 9090 +profiles::haproxy::selinux::sebooleans: + - haproxy_connect_any + +profiles::haproxy::server::globals: + stats: + - timeout 30s + - socket /var/lib/haproxy/stats + ca-base: /etc/ssl/certs + crt-base: /etc/ssl/private + ssl-default-bind-ciphers: EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH + ssl-default-bind-options: 'ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.3' + ssl-default-server-ciphers: kEECDH+aRSA+AES:kRSA+AES:+AES256:RC4-SHA:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL + ssl-default-server-options: no-sslv3 + tune.ssl.default-dh-param: 2048 + +profiles::haproxy::server::defaults: + mode: http + option: + - httplog + - dontlognull + - http-server-close + - forwardfor except 127.0.0.0/8 + - redispatch + timeout: + - http-request 10s + - queue 1m + - connect 10s + - client 5m + - server 5m + - http-keep-alive 10s + - check 10s + retries: 3 + maxconn: 5000 diff --git a/site/profiles/manifests/haproxy/balancemember.pp b/site/profiles/manifests/haproxy/balancemember.pp new file mode 100644 index 0000000..6acbf84 --- /dev/null +++ b/site/profiles/manifests/haproxy/balancemember.pp @@ -0,0 +1,19 @@ +# profiles::haproxy::balancemember +define profiles::haproxy::balancemember ( + String $service, + Array[Stdlib::Port] $ports, + Array $options = ['check'], +) { + + $location_environment = "${facts['country']}-${facts['region']}-${facts['environment']}" + $balancemember_tag = "${service}_${location_environment}" + + @@haproxy::balancermember { $balancemember_tag: + listening_service => $service, + ports => $ports, + server_names => $facts['networking']['hostname'], + ipaddresses => $facts['networking']['ip'], + options => $options, + tag => $balancemember_tag, + } +} 
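Review bot: `ssl-default-server-ciphers` in the globals still lists `RC4-SHA`, a cipher that current OpenSSL builds reject and that should not be offered to backends even on an internal network; remove it and prefer an AEAD-only list such as the one already used for `ssl-default-bind-ciphers`. This role also sets `profiles::selinux::setenforce::mode: permissive` while profiles::haproxy::selinux (later in this commit) only labels ports and sets booleans when the config mode is `enforcing`, so presumably none of the `sebooleans`/`ports` data here takes effect on this role; the guard belongs in selinux.pp, but the data here should carry a comment explaining why permissive is chosen for a load balancer.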
diff --git a/site/profiles/manifests/haproxy/certlist.pp b/site/profiles/manifests/haproxy/certlist.pp new file mode 100644 index 0000000..301bd8c --- /dev/null +++ b/site/profiles/manifests/haproxy/certlist.pp @@ -0,0 +1,18 @@ +# profiles::haproxy::certlist +class profiles::haproxy::certlist ( + Boolean $enabled = true, + Stdlib::Absolutepath $path = '/etc/haproxy/certificate.list', + Array[Stdlib::Absolutepath] $certificates = [] +) { + + if $enabled { + file { $path: + ensure => 'file', + owner => 'root', + group => 'root', + mode => '0600', + content => template('profiles/haproxy/certificate.list.erb') + } + } + +} diff --git a/site/profiles/manifests/haproxy/fe_http.pp b/site/profiles/manifests/haproxy/fe_http.pp new file mode 100644 index 0000000..19909c1 --- /dev/null +++ b/site/profiles/manifests/haproxy/fe_http.pp @@ -0,0 +1,21 @@ +# default http frontend +class profiles::haproxy::fe_http ( + Stdlib::IP::Address $bind_addr = $facts['networking']['ip'], + Stdlib::Port $bind_port = 80, + Array $bind_opts = ['transparent'], + Array $acls = [], + Array $http_request = [], +) { + haproxy::frontend { 'fe_http': + description => 'Default HTTP Frontend', + bind => { "${bind_addr}:${bind_port}" => $bind_opts }, + mode => 'http', + options => { + 'acl' => $acls, + 'http-request' => $http_request, + 'use_backend' => [ + '%[req.hdr(host),lower,map(/etc/haproxy/domains-to-backends.map,be_default)]', + ], + }, + } +} diff --git a/site/profiles/manifests/haproxy/fe_https.pp b/site/profiles/manifests/haproxy/fe_https.pp new file mode 100644 index 0000000..7e98328 --- /dev/null +++ b/site/profiles/manifests/haproxy/fe_https.pp 
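Review bot: The `acl-letsencrypt` ACL that the region Hiera defines for this frontend is never used: `options` in fe_http.pp only emits `acl`, `http-request` and a single `use_backend` map rule, and nothing routes `acl-letsencrypt` traffic to `be_letsencrypt`, so ACME challenges fall through to `be_default` (the same applies to fe_https.pp in the next hunk). If routing challenges is the intent, add the rule ahead of the map, e.g. `'use_backend' => ['be_letsencrypt if acl-letsencrypt', '%[req.hdr(host),lower,map(/etc/haproxy/domains-to-backends.map,be_default)]'],` or make the `use_backend` list a parameter so Hiera can supply it. Unless haproxy::frontend in this module version reorders keys, the order of the `options` hash entries also decides whether the `acl` lines precede the `use_backend` that references them, so keep `acl` first.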
@@ -0,0 +1,21 @@ +# default https frontend +class profiles::haproxy::fe_https ( + Stdlib::IP::Address $bind_addr = $facts['networking']['ip'], + Stdlib::Port $bind_port = 443, + Array $bind_opts = [], + Array $acls = [], + Array $http_request = [], +) { + haproxy::frontend { 'fe_https': + description => 'Default HTTPS Frontend', + bind => { "${bind_addr}:${bind_port}" => $bind_opts }, + mode => 'http', + options => { + 'acl' => $acls, + 'http-request' => $http_request, + 'use_backend' => [ + '%[req.hdr(host),lower,map(/etc/haproxy/domains-to-backends.map,be_default)]', + ], + }, + } +} diff --git a/site/profiles/manifests/haproxy/listener.pp b/site/profiles/manifests/haproxy/listener.pp new file mode 100644 index 0000000..3df3b35 --- /dev/null +++ b/site/profiles/manifests/haproxy/listener.pp @@ -0,0 +1,21 @@ +# profiles::haproxy::listener +define profiles::haproxy::listener ( + Boolean $bind = false, + Boolean $listen = false, + Enum['roundrobin', 'leastconn'] $balance = 'roundrobin', + Array $option = ['tcplog'], + Enum['tcp', 'http'] $mode = 'http', + Stdlib::Port $ports = 443, +) { + + haproxy::listen { 'puppet00': + ipaddress => $facts['networking']['ip'], + ports => $ports, + mode => $mode, + options => { + 'option' => $option, + 'balance' => $balance, + }, + } +} + diff --git a/site/profiles/manifests/haproxy/ls_stats.pp b/site/profiles/manifests/haproxy/ls_stats.pp new file mode 100644 index 0000000..7c8bc9d --- /dev/null +++ b/site/profiles/manifests/haproxy/ls_stats.pp @@ -0,0 +1,19 @@ +# the default status listener +class profiles::haproxy::ls_stats ( + Stdlib::IP::Address $bind_addr = $facts['networking']['ip'], + Stdlib::Port $bind_port = 9090, + Array $bind_opts = [], + String $user = 'admin', + String $pass = 'admin', +) { + haproxy::listen { 'stats': + bind => { "${bind_addr}:${bind_port}" => $bind_opts }, + options => { + 'mode' => 'http', + 'stats' => [ + 'uri /', + "auth ${user}:${pass}", + ], + }, + } +} 
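Review bot: `profiles::haproxy::listener` is a define but always declares `haproxy::listen { 'puppet00': … }`, so a second instance of the define produces a duplicate resource declaration, and the `$bind` and `$listen` parameters are never read. Use the define title for the resource, `haproxy::listen { $title:`, and either wire `$bind`/`$listen` into `bind`/`options` or drop them. `Stdlib::Port $ports = 443` also names a scalar in the plural while haproxy::listen's `ports` accepts a list, which is a nit worth fixing while the define is new.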
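Review bot: `String $pass = 'admin'` gives the stats listener a default of `admin:admin`, and `$bind_addr` defaults to the host's routable IP rather than loopback, so the operator UI on 9090 (which this role also adds to the SELinux http ports) is reachable network-wide with a guessable credential. Make the password mandatory and secret-typed, `Sensitive[String[1]] $pass,` with the value supplied from eyaml, or default `$bind_addr` to `127.0.0.1`; the module will write the string verbatim into the config, so `"auth ${user}:${pass.unwrap}"` is needed in the `auth` option. Adding `'hide-version'` to the `stats` list is a cheap hardening step in the same place.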
diff --git a/site/profiles/manifests/haproxy/mappings.pp b/site/profiles/manifests/haproxy/mappings.pp new file mode 100644 index 0000000..ec8a1e4 --- /dev/null +++ b/site/profiles/manifests/haproxy/mappings.pp @@ -0,0 +1,9 @@ +# profiles::haproxy::mappings +class profiles::haproxy::mappings ( + Array $list = [] +) { + haproxy::mapfile { 'domains-to-backends': + ensure => 'present', + mappings => $list, + } +} diff --git a/site/profiles/manifests/haproxy/selinux.pp b/site/profiles/manifests/haproxy/selinux.pp new file mode 100644 index 0000000..a5b7271 --- /dev/null +++ b/site/profiles/manifests/haproxy/selinux.pp @@ -0,0 +1,32 @@ +# profiles::haproxy::selinux +class profiles::haproxy::selinux ( + Array[String] $sebooleans = [], + Array[Stdlib::Port] $ports = [], +) { + + # manage enforcing mode + include profiles::selinux::setenforce + + # manage selinux requirements for haproxy + if $::facts['os']['selinux']['config_mode'] == 'enforcing' { + + # set context for ports + $ports.each |$port| { + selinux::port { "haproxy_port_${port}": + ensure => 'present', + seltype => 'http_port_t', + protocol => 'tcp', + port => $port, + } + } + + # enable sebooleans + $sebooleans.each |$bool| { + selboolean { $bool: + value => on, + persistent => true, + } + } + } +} + diff --git a/site/profiles/manifests/haproxy/server.pp b/site/profiles/manifests/haproxy/server.pp new file mode 100644 index 0000000..63e4de7 --- /dev/null +++ b/site/profiles/manifests/haproxy/server.pp 
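Review bot: The port labels and booleans are only applied when `$::facts['os']['selinux']['config_mode'] == 'enforcing'`, yet the role data in this same commit sets `profiles::selinux::setenforce::mode: permissive`, so on this role the class likely declares nothing; the first time the host is switched to enforcing, haproxy would start without `http_port_t` on 9090 or `haproxy_connect_any` and fail, which is exactly what the class exists to prevent. Key the guard on SELinux being enabled rather than enforcing, `if $facts['os']['selinux']['enabled'] {`, since `selinux::port` and `selboolean` are harmless in permissive mode and the labels then survive the mode change. The file also mixes `$::facts` and `$facts`; the unprefixed form is the current convention.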
@@ -0,0 +1,60 @@ +# configure a haproxy server +class profiles::haproxy::server ( + Hash $globals = {}, + Hash $defaults = {}, +){ + + # default global/defaults arrays + $global_options = { + 'log' => "${facts['networking']['ip']} local0", + 'chroot' => '/var/lib/haproxy', + 'pidfile' => '/var/run/haproxy.pid', + 'maxconn' => '4000', + 'user' => 'haproxy', + 'group' => 'haproxy', + 'daemon' => '', + 'stats' => 'socket /var/lib/haproxy/stats', + } + $default_options = { + 'log' => 'global', + 'stats' => 'enable', + 'option' => ['redispatch'], + 'retries' => '3', + 'timeout' => [ + 'http-request 10s', + 'queue 1m', + 'connect 10s', + 'client 1m', + 'server 1m', + 'check 10s', + ], + 'maxconn' => '8000', + } + + # merge the default globals/defaults with those provided as params + $merged_global_options = merge($global_options, $globals) + $merged_default_options = merge($default_options, $defaults) + + # manage selinux + include profiles::haproxy::selinux + + # create the haproxy service/instance + class { 'haproxy': + global_options => $merged_global_options, + defaults_options => $merged_default_options, + require => Class['profiles::haproxy::selinux'] + } + + include profiles::haproxy::certlist # manage the certificate list file + include profiles::haproxy::mappings # manage the domain to backend mappings + include profiles::haproxy::ls_stats # default status listener + include profiles::haproxy::fe_http # default http frontend + include profiles::haproxy::fe_https # default https frontend + + $backends = lookup('haproxy::backend').keys + $backends.each |$backend| { + $location_environment = "${facts['country']}-${facts['region']}-${facts['environment']}" + $tag = "${location_environment}_${backend}" + Haproxy::Balancermember <<| tag == $tag |>> + } +} diff --git a/site/profiles/templates/haproxy/certificate.list.erb b/site/profiles/templates/haproxy/certificate.list.erb new file mode 100644 index 0000000..85c8efa --- /dev/null 
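Review bot: `merge($global_options, $globals)` is a shallow merge, so a Hiera `globals` hash that sets `stats` (as the role data in this commit does, with `timeout 30s` and the socket) replaces the whole default `'stats' => 'socket /var/lib/haproxy/stats'` entry rather than extending it, while the comment "merge the default globals/defaults with those provided as params" reads as if the two combine; either document that keys replace wholesale or use `deep_merge` if combining is the intent. `lookup('haproxy::backend').keys` also has no default, so a node that includes this profile without that Hiera key fails catalog compilation instead of configuring an instance with no backends; `lookup('haproxy::backend', Hash, 'deep', {}).keys` gives the safe default. Finally, the global `maxconn '4000'` is lower than the `defaults` `maxconn '8000'`, so the per-proxy limit can never be reached; if that is intended it deserves a comment, otherwise the two values look transposed.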
+++ b/site/profiles/templates/haproxy/certificate.list.erb @@ -0,0 +1,3 @@ +<% @certificates.each do |item| %> +<%= item %> +<% end %> diff --git a/site/roles/manifests/infra/halb/haproxy.pp b/site/roles/manifests/infra/halb/haproxy.pp index 81c7455..6b128b4 100644 --- a/site/roles/manifests/infra/halb/haproxy.pp +++ b/site/roles/manifests/infra/halb/haproxy.pp @@ -2,4 +2,5 @@ class roles::infra::halb::haproxy { include profiles::defaults include profiles::base + include profiles::haproxy::server } From 105bf1b09da450edac5d4c1f027722dc7292f534 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sat, 6 Apr 2024 03:38:17 +1100 Subject: [PATCH 127/229] feat: add puppetboard backend - add balancemember to puppetboard nodes - add be_puppetboard to haproxxy - add puppetboard.main.unkin.net to haproxy altnames - add puppetboard to backend mapping - change way backends are registered in haproxy --- .../au/region/drw1/infra/halb/haproxy.yaml | 26 +++++++++++-- site/profiles/manifests/haproxy/server.pp | 14 +++++-- site/profiles/manifests/puppet/puppetboard.pp | 37 ++++++++++++++++--- 3 files changed, 65 insertions(+), 12 deletions(-) diff --git a/hieradata/country/au/region/drw1/infra/halb/haproxy.yaml b/hieradata/country/au/region/drw1/infra/halb/haproxy.yaml index e8ba37a..9c4753e 100644 --- a/hieradata/country/au/region/drw1/infra/halb/haproxy.yaml +++ b/hieradata/country/au/region/drw1/infra/halb/haproxy.yaml 
@@ -1,5 +1,22 @@ --- -haproxy::backend: +# mappings +profiles::haproxy::mappings::list: + - 'puppetboard.main.unkin.net be_puppetboard' + +profiles::haproxy::backends: + be_puppetboard: + description: Backend for Puppetboard + collect_exported: false # handled in custom function + options: + balance: roundrobin + option: + - httpchk GET / + - forwardfor + cookie: SRVNAME insert + http-request: + - set-header X-Forwarded-Port %[dst_port] + - add-header X-Forwarded-Proto https if { dst_port 443 } + redirect: 'scheme https if !{ ssl_fc }' be_letsencrypt: description: Backend for LetsEncrypt Verifications collect_exported: true @@ -11,9 +28,8 @@ haproxy::backend: options: balance: roundrobin option: - - httpchk + - httpchk GET / - forwardfor - http-check: send meth GET uri / cookie: SRVNAME insert http-request: - set-header X-Forwarded-Port %[dst_port] @@ -47,3 +63,7 @@ profiles::haproxy::fe_https::http_request: profiles::haproxy::certlist::enabled: true profiles::haproxy::certlist::certificates: - /etc/pki/tls/vault/certificate.pem + +# additional altnames +profiles::pki::vault::alt_names: + - puppetboard.main.unkin.net diff --git a/site/profiles/manifests/haproxy/server.pp b/site/profiles/manifests/haproxy/server.pp index 63e4de7..ed185f3 100644 --- a/site/profiles/manifests/haproxy/server.pp +++ b/site/profiles/manifests/haproxy/server.pp 
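Review bot: Renaming the key from `haproxy::backend` to `profiles::haproxy::backends` leaves the `lookup_options` entry added to common.yaml in the previous commit (`haproxy::backend: merge: strategy: deep`) pointing at a key nobody reads, so backend hashes defined at different hierarchy levels will now be first-match instead of deep-merged. Add a matching `profiles::haproxy::backends: { merge: { strategy: deep } }` entry to `lookup_options` (or pass the merge strategy explicitly in the lookup) and remove the stale one. The `collect_exported: false # handled in custom function` comment is slightly misleading, as the collection is an exported-resource collector in server.pp rather than a function; `# collected by profiles::haproxy::server` would point the reader to the right place.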
@@ -51,10 +51,18 @@ class profiles::haproxy::server ( include profiles::haproxy::fe_http # default http frontend include profiles::haproxy::fe_https # default https frontend - $backends = lookup('haproxy::backend').keys - $backends.each |$backend| { + # for each backend: + $backends = lookup('profiles::haproxy::backends') + $backends.each |$backend, $data| { + + # create backend + haproxy::backend { $backend: + * => $data, + } + + # collect exported resources $location_environment = "${facts['country']}-${facts['region']}-${facts['environment']}" - $tag = "${location_environment}_${backend}" + $tag = "${backend}_${location_environment}" Haproxy::Balancermember <<| tag == $tag |>> } } diff --git a/site/profiles/manifests/puppet/puppetboard.pp b/site/profiles/manifests/puppet/puppetboard.pp index ec6f164..6a2bbb9 100644 --- a/site/profiles/manifests/puppet/puppetboard.pp +++ b/site/profiles/manifests/puppet/puppetboard.pp 
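Review bot: `lookup('profiles::haproxy::backends')` has no default value, so catalog compilation fails with a missing-key error on any node that includes this profile but has no backends in Hiera, instead of simply configuring none; use `$backends = lookup('profiles::haproxy::backends', Hash, 'deep', {})`. `$location_environment` is also recomputed on every iteration of the `each`; hoisting it above the loop keeps the body to the two things that actually vary per backend. The enclosing class body continues outside the hunk.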
@@ -121,13 +121,38 @@ class profiles::puppet::puppetboard ( location_alias => "${virtualenv_dir}/lib/python${python_version}/site-packages/puppetboard/static", } + # export haproxy balancemember + profiles::haproxy::balancemember { "${facts['networking']['fqdn']}_${nginx_port}}": + service => 'be_puppetboard', + ports => [$nginx_port], + options => [ + "cookie ${facts['networking']['hostname']}", + 'check', + 'inter 2s', + 'rise 3', + 'fall 2', + ] + } + #@@haproxy::balancermember { "${facts['networking']['fqdn']}_${nginx_port}}": + # listening_service => 'be_puppetboard', + # ports => [$nginx_port], + # server_names => $facts['networking']['hostname'], + # ipaddresses => $facts['networking']['ip'], + # options => [ + # "cookie ${facts['networking']['hostname']}", + # 'check', + # 'inter 2s', + # 'rise 3', + # 'fall 2', + # ] + #} - # if selinux is defined, manage it - if $::facts['os']['selinux']['config_mode'] == 'enforcing' { + # if selinux is defined, manage it + if $::facts['os']['selinux']['config_mode'] == 'enforcing' { - # call the nginx selinux class - class { 'profiles::selinux::nginx': - require => Class['Nginx'], - } + # call the nginx selinux class + class { 'profiles::selinux::nginx': + require => Class['Nginx'], } + } } From e97d061f46231479194c9cc01a07c5c9c87558d4 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sat, 6 Apr 2024 15:45:28 +1100 Subject: [PATCH 128/229] feat: add puppetdbapi to haproxy - add puppetdbapi backend to haproxy - add puppetdbapi altname to the vault certificate - add mapping for hostname to backend --- .../au/region/drw1/infra/halb/haproxy.yaml | 15 +++++++++++++++ site/profiles/manifests/puppet/puppetdb_api.pp | 12 ++++++++++++ 2 files changed, 27 insertions(+) diff --git a/hieradata/country/au/region/drw1/infra/halb/haproxy.yaml b/hieradata/country/au/region/drw1/infra/halb/haproxy.yaml index 9c4753e..d67dc86 100644 --- a/hieradata/country/au/region/drw1/infra/halb/haproxy.yaml 
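Review bot: The balancemember title `"${facts['networking']['fqdn']}_${nginx_port}}"` ends with a stray `}`, so the exported haproxy::balancermember resource title carries a literal brace; it should read `"${facts['networking']['fqdn']}_${nginx_port}"`. The commented-out `@@haproxy::balancermember` block duplicates what `profiles::haproxy::balancemember` now does and should be deleted rather than kept as dead text, since version control preserves it. The re-indentation of the SELinux block is fine but unrelated to the feature and would be easier to review as its own change; the enclosing class continues outside the hunk.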
+++ b/hieradata/country/au/region/drw1/infra/halb/haproxy.yaml @@ -2,6 +2,7 @@ # mappings profiles::haproxy::mappings::list: - 'puppetboard.main.unkin.net be_puppetboard' + - 'puppetdbapi.main.unkin.net be_puppetdbapi' profiles::haproxy::backends: be_puppetboard: @@ -17,6 +18,19 @@ profiles::haproxy::backends: - set-header X-Forwarded-Port %[dst_port] - add-header X-Forwarded-Proto https if { dst_port 443 } redirect: 'scheme https if !{ ssl_fc }' + be_puppetdbapi: + description: Backend for the PuppetDB API + collect_exported: false # handled in custom function + options: + balance: roundrobin + option: + - httpchk GET / + - forwardfor + cookie: SRVNAME insert + http-request: + - set-header X-Forwarded-Port %[dst_port] + - add-header X-Forwarded-Proto https if { dst_port 443 } + redirect: 'scheme https if !{ ssl_fc }' be_letsencrypt: description: Backend for LetsEncrypt Verifications collect_exported: true @@ -67,3 +81,4 @@ profiles::haproxy::certlist::certificates: # additional altnames profiles::pki::vault::alt_names: - puppetboard.main.unkin.net + - puppetdbapi.main.unkin.net diff --git a/site/profiles/manifests/puppet/puppetdb_api.pp b/site/profiles/manifests/puppet/puppetdb_api.pp index fa51753..37e8f63 100644 --- a/site/profiles/manifests/puppet/puppetdb_api.pp +++ b/site/profiles/manifests/puppet/puppetdb_api.pp @@ -18,4 +18,16 @@ class profiles::puppet::puppetdb_api ( export_scrape_job => true, } + # export haproxy balancemember + profiles::haproxy::balancemember { "${facts['networking']['fqdn']}_8080": + service => 'be_puppetdbapi', + ports => [8080], + options => [ + "cookie ${facts['networking']['hostname']}", + 'check', + 'inter 2s', + 'rise 3', + 'fall 2', + ] + } } From c9a1d35af90d41bcae0b229b96fa77d59a229227 Mon Sep 17 00:00:00 2001 
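Review bot: This exposes PuppetDB's plaintext port 8080 through the load balancer under `puppetdbapi.main.unkin.net` with no access control on the frontend: 8080 is PuppetDB's unauthenticated HTTP listener, which serves the query API and, unless restricted, also accepts command submissions, and puppetdb_api.pp binds it to the node IP rather than loopback. Anyone able to reach the HAProxy frontend can therefore read every fact and resource in the estate, so restrict the `be_puppetdbapi` path with a source ACL (e.g. `'http-request deny if { req.hdr(host),lower -m str puppetdbapi.main.unkin.net } !{ src <TRUSTED_CIDR> }'` in `profiles::haproxy::fe_https::http_request`, placeholder CIDR to be filled in), or route the 8081 TLS port with client-certificate authentication instead. `httpchk GET /` against PuppetDB may not return 2xx on `/`; `/status/v1/services` is the documented health endpoint. The puppetdb_api class continues outside the hunk.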
From: Ben Vincent Date: Sat, 6 Apr 2024 16:08:05 +1100 Subject: [PATCH 129/229] feat: add cnames to haproxy - manage A records for haproxy - manage cnames for services using haproxy --- .../au/region/drw1/infra/halb/haproxy.yaml | 5 ++++ site/profiles/manifests/haproxy/dns.pp | 27 +++++++++++++++++++ site/profiles/manifests/haproxy/server.pp | 2 ++ 3 files changed, 34 insertions(+) create mode 100644 site/profiles/manifests/haproxy/dns.pp diff --git a/hieradata/country/au/region/drw1/infra/halb/haproxy.yaml b/hieradata/country/au/region/drw1/infra/halb/haproxy.yaml index d67dc86..75dcd39 100644 --- a/hieradata/country/au/region/drw1/infra/halb/haproxy.yaml +++ b/hieradata/country/au/region/drw1/infra/halb/haproxy.yaml @@ -82,3 +82,8 @@ profiles::haproxy::certlist::certificates: profiles::pki::vault::alt_names: - puppetboard.main.unkin.net - puppetdbapi.main.unkin.net + +# additional cnames +profiles::haproxy::dns::cnames: + - puppetboard.main.unkin.net + - puppetdbapi.main.unkin.net diff --git a/site/profiles/manifests/haproxy/dns.pp b/site/profiles/manifests/haproxy/dns.pp new file mode 100644 index 0000000..af0e8ac --- /dev/null +++ b/site/profiles/manifests/haproxy/dns.pp 
@@ -0,0 +1,27 @@ +# profiles::haproxy::dns +class profiles::haproxy::dns ( + Array[Stdlib::Fqdn] $cnames = [], + Integer $order = 10, +){ + + # create an A record for each load balancer in a region + $location_environment = "${facts['country']}-${facts['region']}-${facts['environment']}" + profiles::dns::record { "${facts['networking']['fqdn']}_${location_environment}-halb_A": + value => $::facts['networking']['ip'], + type => 'A', + record => "${location_environment}-halb", + zone => $::facts['networking']['domain'], + order => $order, + } + + # export cnames for haproxy applications + $cnames.each |$cname| { + profiles::dns::record { "${::facts['networking']['fqdn']}_${cname}_CNAME": + value => "${location_environment}-halb", + type => 'CNAME', + record => "${cname}.", + zone => $::facts['networking']['domain'], + order => $order, + } + } +} diff --git a/site/profiles/manifests/haproxy/server.pp b/site/profiles/manifests/haproxy/server.pp index ed185f3..1864727 100644 --- a/site/profiles/manifests/haproxy/server.pp +++ b/site/profiles/manifests/haproxy/server.pp @@ -2,6 +2,7 @@ class profiles::haproxy::server ( Hash $globals = {}, Hash $defaults = {}, + Array $cnames = [], ){ # default global/defaults arrays @@ -50,6 +51,7 @@ class profiles::haproxy::server ( include profiles::haproxy::ls_stats # default status listener include profiles::haproxy::fe_http # default http frontend include profiles::haproxy::fe_https # default https frontend + include profiles::haproxy::dns # manage dns for haproxy # for each backend: $backends = lookup('profiles::haproxy::backends') From f79d9de49581c6b55e3e62ff058c3d8eacd1a700 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sat, 6 Apr 2024 18:31:41 +1100 Subject: [PATCH 130/229] feat: update node_lookup - update node_lookup to use new puppetdb URL --- hieradata/common.yaml | 1 - site/profiles/templates/helpers/node_lookup.erb | 4 ++-- 2 files changed, 2 insertions(+), 3 deletions(-) 
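Review bot: `Array $cnames = []` added to profiles::haproxy::server is never read in the class (profiles::haproxy::dns looks up its own `cnames` parameter), so the new parameter is dead and will confuse anyone setting `profiles::haproxy::server::cnames` in Hiera; drop it, or pass it through with `class { 'profiles::haproxy::dns': cnames => $cnames }` instead of `include`. In dns.pp the CNAME `record` gets a trailing dot (`"${cname}."`) while the A `record` and the CNAME `value` are relative names without one, which is inconsistent unless profiles::dns::record treats them differently, so a comment on the intended name form would help. The file also mixes `$facts[...]` and `$::facts[...]` for the same data; pick one.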
diff --git a/hieradata/common.yaml b/hieradata/common.yaml index 606c093..eab58f7 100644 --- a/hieradata/common.yaml +++ b/hieradata/common.yaml @@ -126,7 +126,6 @@ profiles::base::hosts::additional_hosts: hostname: prodinf01n04.main.unkin.net aliases: - prodinf01n04 - - puppetdb - ip: 198.18.17.5 hostname: prodinf01n05.main.unkin.net aliases: diff --git a/site/profiles/templates/helpers/node_lookup.erb b/site/profiles/templates/helpers/node_lookup.erb index 7596821..d12c364 100644 --- a/site/profiles/templates/helpers/node_lookup.erb +++ b/site/profiles/templates/helpers/node_lookup.erb @@ -23,8 +23,8 @@ def build_query(node=None, fact_name=None, match=None, show_role=False): return json.dumps(["and"] + query_filters) def query_puppetdb(query): - url = 'http://puppetdb:8080/pdb/query/v4/facts' - response = requests.get(url, params={'query': query}) + url = 'https://puppetdbapi.main.unkin.net/pdb/query/v4/facts' + response = requests.get(url, params={'query': query}, verify='/etc/pki/tls/cert.pem') process_response(response) def process_response(response): From ed60e180626939fd5eddd822a2d2bb4f24ae04f8 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sat, 6 Apr 2024 19:53:19 +1100 Subject: [PATCH 131/229] feat: update jdk11 for puppetdb - specify the java_bin - specify the java_args --- Puppetfile | 1 + hieradata/roles/infra/puppetdb/api.yaml | 5 +++++ site/profiles/manifests/puppet/puppetdb_api.pp | 9 +++++++++ 3 files changed, 15 insertions(+) create mode 100644 hieradata/roles/infra/puppetdb/api.yaml diff --git a/Puppetfile b/Puppetfile index ab6ee0c..9dc00c7 100644 --- a/Puppetfile +++ b/Puppetfile @@ -16,6 +16,7 @@ mod 'puppetlabs-accounts', '8.1.0' mod 'puppetlabs-mysql', '15.0.0' mod 'puppetlabs-xinetd', '3.4.1' mod 'puppetlabs-haproxy', '8.0.0' +mod 'puppetlabs-java', '10.1.2' # puppet mod 'puppet-python', '7.0.0' diff --git a/hieradata/roles/infra/puppetdb/api.yaml b/hieradata/roles/infra/puppetdb/api.yaml new file mode 100644 index 0000000..551007e 
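Review bot: `verify='/etc/pki/tls/cert.pem'` hard-codes a CA bundle path into the template, whereas the cobbler-enc template earlier in this series takes the bundle from a `$trusted_ca_cert` class parameter; exposing the same parameter here, `verify='<%= @trusted_ca_cert %>'`, keeps the two helpers consistent and lets the path vary per OS. `query_puppetdb` continues outside the hunk, so whether `process_response` checks the status code is not visible here. Removing the `puppetdb` host alias in common.yaml is consistent with the new URL, but any other script still using `http://puppetdb:8080` will now fail at name resolution.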
--- /dev/null +++ b/hieradata/roles/infra/puppetdb/api.yaml @@ -0,0 +1,5 @@ +--- +profiles::puppet::puppetdb_api::java_bin: /usr/lib/jvm/jre-11/bin/java +profiles::puppet::puppetdb_api::java_args: + '-Xmx': '512m' + '-Xms': '256m' diff --git a/site/profiles/manifests/puppet/puppetdb_api.pp b/site/profiles/manifests/puppet/puppetdb_api.pp index 37e8f63..214f163 100644 --- a/site/profiles/manifests/puppet/puppetdb_api.pp +++ b/site/profiles/manifests/puppet/puppetdb_api.pp @@ -2,13 +2,22 @@ class profiles::puppet::puppetdb_api ( String $postgres_host = lookup('profiles::puppet::puppetdb::postgres_host'), String $listen_address = $facts['networking']['ip'], + Stdlib::Absolutepath $java_bin = '/usr/bin/java', + Hash $java_args = {}, ) { + class { 'java': + package => 'java-11-openjdk-devel', + before => Class['puppetdb::server'], + } + class { 'puppetdb::server': database_host => $postgres_host, manage_firewall => false, ssl_listen_address => $listen_address, listen_address => $listen_address, + java_bin => $java_bin, + java_args => $java_args, } contain ::puppetdb::server From 82f2d75888b9cbe6563b2c6f31a42aa94dc471a0 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sat, 6 Apr 2024 18:53:53 +1100 Subject: [PATCH 132/229] feat: add frontends, backends, listeners - add a way to define frontends, backends and listeners through hieradata --- .../au/region/drw1/infra/halb/haproxy.yaml | 22 ++++++++++++++++--- site/profiles/manifests/haproxy/backends.pp | 19 ++++++++++++++++ site/profiles/manifests/haproxy/frontends.pp | 14 ++++++++++++ site/profiles/manifests/haproxy/listeners.pp | 19 ++++++++++++++++ site/profiles/manifests/haproxy/mappings.pp | 16 +++++++++----- site/profiles/manifests/haproxy/server.pp | 18 +++------------ 6 files changed, 84 insertions(+), 24 deletions(-) create mode 100644 site/profiles/manifests/haproxy/backends.pp create mode 100644 site/profiles/manifests/haproxy/frontends.pp create mode 100644 site/profiles/manifests/haproxy/listeners.pp 
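Review bot: The new `class { 'java': package => 'java-11-openjdk-devel' }` installs the full JDK where the service only needs a runtime, and the role data points `java_bin` at `/usr/lib/jvm/jre-11/bin/java` while the class default stays `/usr/bin/java`, which on an alternatives-managed host may resolve to a different JVM than the one this class installs. Consider `java-11-openjdk-headless` and a `java_bin` default that matches the installed package, or at least a comment explaining why the devel package is required. The enclosing class continues outside the hunk.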
diff --git a/hieradata/country/au/region/drw1/infra/halb/haproxy.yaml b/hieradata/country/au/region/drw1/infra/halb/haproxy.yaml index 75dcd39..a582f9b 100644 --- a/hieradata/country/au/region/drw1/infra/halb/haproxy.yaml +++ b/hieradata/country/au/region/drw1/infra/halb/haproxy.yaml @@ -1,8 +1,24 @@ --- # mappings -profiles::haproxy::mappings::list: - - 'puppetboard.main.unkin.net be_puppetboard' - - 'puppetdbapi.main.unkin.net be_puppetdbapi' +profiles::haproxy::mappings: + fe_https: + ensure: present + mappings: + - 'puppetboard.main.unkin.net be_puppetboard' + - 'puppetdbapi.main.unkin.net be_puppetdbapi' + +# profiles::haproxy::listeners: +# ls_puppetdbapi_direct: +# collect_exported: false # handled in custom function +# ipaddress: "%{facts.networking.ip}" +# ports: +# - 8081 +# mode: tcp +# options: +# option: +# - tcplog +# - ssl-hello-chk +# balance: roundrobin profiles::haproxy::backends: be_puppetboard: diff --git a/site/profiles/manifests/haproxy/backends.pp b/site/profiles/manifests/haproxy/backends.pp new file mode 100644 index 0000000..a8d1294 --- /dev/null +++ b/site/profiles/manifests/haproxy/backends.pp @@ -0,0 +1,19 @@ +# profiles::haproxy::backends +class profiles::haproxy::backends { + # set location_environment + $location_environment = "${facts['country']}-${facts['region']}-${facts['environment']}" + + # for each backend: + $backends = lookup('profiles::haproxy::backends', Hash, 'deep', {}) + $backends.each |$backend, $data| { + + # create backend + haproxy::backend { $backend: + * => $data, + } + + # collect exported resources + $tag = "${backend}_${location_environment}" + Haproxy::Balancermember <<| tag == $tag |>> + } +} diff --git a/site/profiles/manifests/haproxy/frontends.pp b/site/profiles/manifests/haproxy/frontends.pp new file mode 100644 index 0000000..10721db --- /dev/null +++ b/site/profiles/manifests/haproxy/frontends.pp 
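Review bot: The mapfile is now declared under the title `fe_https`, and haproxy::mapfile appears to name the generated file after its title, so the file on disk would become `fe_https.map` while fe_http.pp and fe_https.pp still reference `/etc/haproxy/domains-to-backends.map` in their `use_backend` expressions; unless the frontends are updated in the same change, host routing falls back to `be_default` for everything. Keep the title `domains-to-backends` (or add `name: domains-to-backends` to the hash) or change the frontend map path to match. The commented `profiles::haproxy::listeners` example is useful documentation but belongs in the class header of listeners.pp rather than in region data.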
@@ -0,0 +1,14 @@ +# profiles::haproxy::frontends +class profiles::haproxy::frontends { + + # for each frontend: + $frontends = lookup('profiles::haproxy::frontends', Hash, 'deep', {}) + $frontends.each |$frontend, $data| { + + # create frontends + haproxy::frontend { $frontend: + * => $data, + } + + } +} diff --git a/site/profiles/manifests/haproxy/listeners.pp b/site/profiles/manifests/haproxy/listeners.pp new file mode 100644 index 0000000..3fbe07e --- /dev/null +++ b/site/profiles/manifests/haproxy/listeners.pp @@ -0,0 +1,19 @@ +# profiles::haproxy::listeners +class profiles::haproxy::listeners { + # set location_environment + $location_environment = "${facts['country']}-${facts['region']}-${facts['environment']}" + + # for each listener: + $listeners = lookup('profiles::haproxy::listeners', Hash, 'deep', {}) + $listeners.each |$listen, $data| { + + # create listener + haproxy::listen { $listen: + * => $data, + } + + # collect exported resources + $tag = "${listen}_${location_environment}" + Haproxy::Balancermember <<| tag == $tag |>> + } +} diff --git a/site/profiles/manifests/haproxy/mappings.pp b/site/profiles/manifests/haproxy/mappings.pp index ec8a1e4..df844df 100644 --- a/site/profiles/manifests/haproxy/mappings.pp +++ b/site/profiles/manifests/haproxy/mappings.pp @@ -1,9 +1,13 @@ # profiles::haproxy::mappings -class profiles::haproxy::mappings ( - Array $list = [] -) { - haproxy::mapfile { 'domains-to-backends': - ensure => 'present', - mappings => $list, +class profiles::haproxy::mappings { + + # for each mapping: + $mappings = lookup('profiles::haproxy::mappings') + $mappings.each |$mapping, $data| { + + # create mapping + haproxy::mapfile { $mapping: + * => $data, + } } } diff --git a/site/profiles/manifests/haproxy/server.pp b/site/profiles/manifests/haproxy/server.pp index 1864727..fde8f2f 100644 --- a/site/profiles/manifests/haproxy/server.pp +++ b/site/profiles/manifests/haproxy/server.pp 
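Review bot: `$mappings = lookup('profiles::haproxy::mappings')` in mappings.pp carries no value type and no default, unlike `lookup('profiles::haproxy::frontends', Hash, 'deep', {})` in the sibling frontends/listeners/backends classes, so a node whose hierarchy does not set the key fails catalogue compilation instead of simply creating no mapfiles, and a non-Hash value is only caught when `.each |$mapping, $data|` runs. `$mappings = lookup('profiles::haproxy::mappings', Hash, 'deep', {})` makes it consistent with the others and tolerant of the absent key. Note also that the old `Array $list = []` parameter is gone, so any node still setting `profiles::haproxy::mappings::list` in hiera silently stops producing the `domains-to-backends` mapfile.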
@@ -2,7 +2,6 @@ class profiles::haproxy::server ( Hash $globals = {}, Hash $defaults = {}, - Array $cnames = [], ){ # default global/defaults arrays @@ -52,19 +51,8 @@ class profiles::haproxy::server ( include profiles::haproxy::fe_http # default http frontend include profiles::haproxy::fe_https # default https frontend include profiles::haproxy::dns # manage dns for haproxy + include profiles::haproxy::frontends # create frontends + include profiles::haproxy::backends # create backends + include profiles::haproxy::listeners # create listeners - # for each backend: - $backends = lookup('profiles::haproxy::backends') - $backends.each |$backend, $data| { - - # create backend - haproxy::backend { $backend: - * => $data, - } - - # collect exported resources - $location_environment = "${facts['country']}-${facts['region']}-${facts['environment']}" - $tag = "${backend}_${location_environment}" - Haproxy::Balancermember <<| tag == $tag |>> - } } From 114d3fe195a36ed689ede7da841fc4d26b5d8712 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sat, 13 Apr 2024 12:59:22 +1000 Subject: [PATCH 133/229] feat: nginx reverse proxy debian cache - add debian, debian/pool locations to reposyncer - add selinux fcontext rules --- site/profiles/manifests/reposync/webserver.pp | 52 ++++++++++++++++++- 1 file changed, 51 insertions(+), 1 deletion(-) diff --git a/site/profiles/manifests/reposync/webserver.pp b/site/profiles/manifests/reposync/webserver.pp index 12ec17d..b75782d 100644 --- a/site/profiles/manifests/reposync/webserver.pp +++ b/site/profiles/manifests/reposync/webserver.pp @@ -1,6 +1,7 @@ # setup a reposync webserver class profiles::reposync::webserver ( String $www_root = '/data/repos/snap', + String $cache_root = '/data/repos/cache', String $nginx_vhost = 'repos.main.unkin.net', Stdlib::Port $nginx_port = 80, Stdlib::Port $nginx_ssl_port = 443, 
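Review bot: `String $cache_root = '/data/repos/cache'` is later interpolated into an exec command (`restorecon -Rv ${cache_root}`) and into an selinux pathspec regex (`${cache_root}(/.*)?`) in this file, so a value containing whitespace or regex metacharacters is passed through unquoted; `Stdlib::Absolutepath $cache_root = '/data/repos/cache',` rejects such values at compile time, and the class already uses `Stdlib::Port` for its other parameters. The pre-existing `String $www_root` has the same exposure. The parameter list continues past the hunk.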
@@ -77,10 +78,45 @@ class profiles::reposync::webserver ( # merge the hashes conditionally $nginx_parameters = merge($defaults, $extras_hash) + # manage the nginx class + class { 'nginx': + proxy_cache_path => { + "${cache_root}/debian" => 'debian:128m', + }, + proxy_cache_levels => '1:2', + proxy_cache_keys_zone => 'debian:128m', + proxy_cache_max_size => '30000m', + proxy_cache_inactive => '60d', + proxy_temp_path => "${cache_root}/tmp", + } + # create the nginx vhost with the merged parameters - class { 'nginx': } create_resources('nginx::resource::server', { $nginx_vhost => $nginx_parameters }) + # cache debian packages from upstream + nginx::resource::location { "${nginx_vhost}-debian": + ensure => present, + ssl => true, + ssl_only => false, + location => '/debian', + server => $nginx_vhost, + proxy => 'http://mirror.gsl.icu/debian', + } + + nginx::resource::location { "${nginx_vhost}-debian_pool": + ensure => present, + ssl => true, + ssl_only => false, + location => '/debian/pool', + server => $nginx_vhost, + proxy => 'http://mirror.gsl.icu/debian/pool', + proxy_cache => 'debian', + proxy_cache_valid => [ + '200 302 1440h', + '404 1m' + ], + } + if $favicon { file { "${www_root}/favicon.ico": ensure => 'file', @@ -109,6 +145,13 @@ class profiles::reposync::webserver ( pathspec => "${www_root}(/.*)?", } + # set httpd_sys_rw_content_t to all files under the cache_root + selinux::fcontext { $cache_root: + ensure => 'present', + seltype => 'httpd_sys_rw_content_t', + pathspec => "${cache_root}(/.*)?", + } + # make sure we can connect to port 80 selboolean { 'httpd_can_network_connect': persistent => true, @@ -121,5 +164,12 @@ class profiles::reposync::webserver ( refreshonly => true, subscribe => Selinux::Fcontext[$www_root], } + + exec { "restorecon_${cache_root}": + path => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'], + command => "restorecon -Rv ${cache_root}", + refreshonly => true, + subscribe => Selinux::Fcontext[$cache_root], + } } } 
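Review bot: The upstream mirror `http://mirror.gsl.icu/debian` is hard-coded twice across the two `nginx::resource::location` resources while every other site-specific value of this class is a parameter; a `String $debian_upstream = 'http://mirror.gsl.icu/debian'` parameter with `proxy => $debian_upstream` and `proxy => "${debian_upstream}/pool"` keeps the two in step and lets the mirror be changed from hiera. It would also help to say why `/debian` is proxied without `proxy_cache` while `/debian/pool` is cached, e.g. `# metadata under /debian is never cached so clients see fresh indices; only package files under /debian/pool are cached` if that is the intent. All three hunks in this file are complete; the class body continues before and after them.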
From d0d67e316aec390a98031d9b824e47ef7b3cef7c Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sat, 13 Apr 2024 21:04:08 +1000 Subject: [PATCH 134/229] feat: prepare puppet for debian - set yum::versionlock to be only for redhat family - set puppet-agent require statement to use apt or yum - remove requirement of downloading puppet7-release-$dist.deb - create all paths in $base_path for vault certificate - set correct $PATH for update-ca-certificates - dynamically set debian release name - split packages to install from common.yaml to os-specific - create groups profile to manage local groups - change sysadmin to be a member of admins group - setup admins sudo rules --- hieradata/common.yaml | 21 +++++++++++-- hieradata/os/AlmaLinux/all_releases.yaml | 5 ++- hieradata/os/Debian/all_releases.yaml | 9 ++++-- site/profiles/manifests/accounts/sysadmin.pp | 3 +- site/profiles/manifests/apt/puppet7.pp | 12 +------- site/profiles/manifests/base.pp | 1 + site/profiles/manifests/base/groups.pp | 12 ++++++++ site/profiles/manifests/pki/vault.pp | 17 ++++++++++- site/profiles/manifests/pki/vaultca.pp | 2 +- site/profiles/manifests/puppet/agent.pp | 32 ++++++++++++++------ 10 files changed, 86 insertions(+), 28 deletions(-) create mode 100644 site/profiles/manifests/base/groups.pp diff --git a/hieradata/common.yaml b/hieradata/common.yaml index eab58f7..9d5eab5 100644 --- a/hieradata/common.yaml +++ b/hieradata/common.yaml @@ -30,6 +30,12 @@ lookup_options: haproxy::backend: merge: strategy: deep + sudo::configs: + merge: + strategy: deep + profiles::base::groups::local: + merge: + strategy: deep facts_path: '/opt/puppetlabs/facter/facts.d' @@ -59,7 +65,6 @@ profiles::packages::install: - iotop - jq - lz4 - - lzo - mtr - ncdu - neovim @@ -79,7 +84,6 @@ profiles::packages::install: - vim - vnstat - wget - - xz - zsh - zstd 
@@ -111,6 +115,19 @@ profiles::puppet::client::usecacheonfailure: false prometheus::node_exporter::export_scrape_job: true prometheus::systemd_exporter::export_scrape_job: true +profiles::base::groups::local: + admins: + ensure: present + gid: 10000 + allowdupe: false + forcelocal: true + +sudo::configs: + admins: + priority: 10 + content: | + %admins ALL=(ALL) NOPASSWD: ALL + profiles::accounts::sysadmin::sshkeys: - ssh-rsa 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 ben@unkin.net diff --git a/hieradata/os/AlmaLinux/all_releases.yaml b/hieradata/os/AlmaLinux/all_releases.yaml index e883c29..62f35d0 100644 --- a/hieradata/os/AlmaLinux/all_releases.yaml +++ b/hieradata/os/AlmaLinux/all_releases.yaml @@ -7,5 +7,8 @@ profiles::yum::ovirt::baseurl: https://repos.main.unkin.net/centos profiles::firewall::firewalld::ensure_package: 'absent' profiles::firewall::firewalld::ensure_service: 'stopped' profiles::firewall::firewalld::enable_service: false - profiles::puppet::agent::puppet_version: '7.26.0' + +profiles::packages::install: + - lzo + - xz diff --git a/hieradata/os/Debian/all_releases.yaml b/hieradata/os/Debian/all_releases.yaml index aa8a5bf..bfcaaee 100644 --- a/hieradata/os/Debian/all_releases.yaml +++ b/hieradata/os/Debian/all_releases.yaml @@ -1,7 +1,12 @@ # hieradata/os/debian/all_releases.yaml --- -profiles::apt::base::mirrorurl: http://debian.mirror.digitalpacific.com.au/debian +profiles::apt::base::mirrorurl: http://repos.main.unkin.net/debian profiles::apt::base::secureurl: http://security.debian.org/debian-security profiles::apt::puppet7::mirror: http://apt.puppetlabs.com profiles::apt::puppet7::repo: puppet7 -profiles::apt::puppet7::dist: bullseye +profiles::pki::vaultca::ca_cert-path: /usr/local/share/ca-certificates/ + +profiles::packages::install: + - lzop + - python3.11-venv + - xz-utils diff --git a/site/profiles/manifests/accounts/sysadmin.pp b/site/profiles/manifests/accounts/sysadmin.pp index 0c21bf7..f766f31 100644 
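Review bot: The new `sudo::configs` entry `%admins ALL=(ALL) NOPASSWD: ALL` grants passwordless root to every member of the new `admins` group (gid 10000, `forcelocal: true`), and the only member added in this series, `sysadmin`, already carries its own `sysadmin ALL=(ALL) NOPASSWD:ALL` rule in sysadmin.pp, so the group rule widens the policy without anyone needing it yet. If passwordless access for group members is intentional, a YAML comment above the entry recording that decision and who may be added to gid 10000 would make the scope reviewable; otherwise dropping `NOPASSWD:` keeps authentication for anyone added later. The `lookup_options` hunk earlier in this file sets a `deep` merge for `sudo::configs`, so per-role files can add rules without replacing this one.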
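Review bot: The key `profiles::pki::vaultca::ca_cert-path` in the Debian hunk contains a hyphen, which is not a valid Puppet parameter name, so automatic parameter binding for class `profiles::pki::vaultca` can never consume it; unless the class reads it with an explicit `lookup()` of that exact string (the vaultca hunk later in this series shows the class taking no parameters, so I can't tell from here), the value is dead data. If it is meant to bind to a parameter it should be `profiles::pki::vaultca::ca_cert_path`.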
--- a/site/profiles/manifests/accounts/sysadmin.pp +++ b/site/profiles/manifests/accounts/sysadmin.pp @@ -7,9 +7,10 @@ class profiles::accounts::sysadmin( username => 'sysadmin', uid => 1000, gid => 1000, - groups => ['adm', 'wheel', 'systemd-journal'], + groups => ['adm', 'admins', 'systemd-journal'], sshkeys => $sshkeys, sudo_rules => ['sysadmin ALL=(ALL) NOPASSWD:ALL'], password => $password, + require => Group['admins'], } } diff --git a/site/profiles/manifests/apt/puppet7.pp b/site/profiles/manifests/apt/puppet7.pp index e9e336f..6424efe 100644 --- a/site/profiles/manifests/apt/puppet7.pp +++ b/site/profiles/manifests/apt/puppet7.pp @@ -30,27 +30,17 @@ class profiles::apt::puppet7 ( Array[String] $managed_repos, String $mirror, String $repo, - String $dist, ) { $codename = $facts['os']['distro']['codename'] if 'puppet7' in $managed_repos { - $puppet_source = "${mirror}/${repo}-release-${dist}.deb" - - # Install the puppet release using dpkg - package { "${repo}-${dist}": - ensure => installed, - name => "${repo}-release", - provider => dpkg, - source => $puppet_source, - } # deb http://apt.puppet.com bullseye puppet7 apt::source { 'puppet7': location => $mirror, repos => $repo, - release => $dist, + release => $codename, include => { 'src' => false, 'deb' => true, diff --git a/site/profiles/manifests/base.pp b/site/profiles/manifests/base.pp index 647b5ea..65bf0cb 100644 --- a/site/profiles/manifests/base.pp +++ b/site/profiles/manifests/base.pp @@ -34,6 +34,7 @@ class profiles::base ( include profiles::base::motd include profiles::base::scripts include profiles::base::hosts + include profiles::base::groups include profiles::accounts::sysadmin include profiles::ntp::client include profiles::dns::base diff --git a/site/profiles/manifests/base/groups.pp b/site/profiles/manifests/base/groups.pp new file mode 100644 index 0000000..56d9237 --- /dev/null +++ b/site/profiles/manifests/base/groups.pp 
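Review bot: `require => Group['admins']` in sysadmin.pp couples this class to a group resource that only exists when hiera supplies `profiles::base::groups::local.admins` and `profiles::base::groups` is in the catalogue; on any node where either is missing, compilation fails with an unresolved dependency. Puppet's `user` type already autorequires any managed group listed in `groups`, so the explicit `require` is redundant when the group is managed and a hard failure when it is not — dropping it, or adding `include profiles::base::groups` so the dependency is stated in code rather than data, would be safer. The account also keeps `sudo_rules => ['sysadmin ALL=(ALL) NOPASSWD:ALL']` while joining `admins`, which carries the same NOPASSWD rule via hiera in this commit, so one of the two is redundant.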
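Review bot: The comment `# deb http://apt.puppet.com bullseye puppet7` above `apt::source { 'puppet7':` in puppet7.pp is now stale: the release comes from `$facts['os']['distro']['codename']` instead of the removed `$dist`, and the host from `$mirror`. Something like `# deb ${mirror} ${codename} ${repo} — release follows the running distro's codename` describes what is actually generated. The `apt::source` resource continues past the hunk.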
@@ -0,0 +1,12 @@ +# profiles::base::groups +# simple group management +class profiles::base::groups ( + Hash $local = {}, +) { + $local.each |$group, $data| { + group { $group: + name => $group, + * => $data, + } + } +} diff --git a/site/profiles/manifests/pki/vault.pp b/site/profiles/manifests/pki/vault.pp index 7008085..e680383 100644 --- a/site/profiles/manifests/pki/vault.pp +++ b/site/profiles/manifests/pki/vault.pp @@ -23,12 +23,26 @@ class profiles::pki::vault ( $alt_names_file = "${base_path}/alt_names" # ensure the base directory exists - file { $base_path: + file { '/etc/pki': ensure => directory, owner => 'root', group => 'root', mode => '0755', } + file { '/etc/pki/tls': + ensure => directory, + owner => 'root', + group => 'root', + mode => '0755', + require => File['/etc/pki'] + } + file { $base_path: + ensure => directory, + owner => 'root', + group => 'root', + mode => '0755', + require => File['/etc/pki/tls'] + } # alt_names_file contents $alt_names_content = concat($effective_alt_names, $effective_ip_sans) @@ -40,6 +54,7 @@ class profiles::pki::vault ( group => 'root', mode => '0644', content => join($alt_names_content, "\n"), + require => File[$base_path] } # compare the sorted arrays of altnames from disk (fact) vs what is intended (this run) diff --git a/site/profiles/manifests/pki/vaultca.pp b/site/profiles/manifests/pki/vaultca.pp index 856459f..9ebc067 100644 --- a/site/profiles/manifests/pki/vaultca.pp +++ b/site/profiles/manifests/pki/vaultca.pp @@ -30,7 +30,7 @@ class profiles::pki::vaultca { # Execute the system command to update the CA trust store exec { 'update_ca_trust_store': command => $update_ca_cert_command, - path => ['/bin', '/usr/bin'], + path => ['/bin', '/usr/bin', 'sbin', '/usr/sbin'], refreshonly => true, require => File[$ca_cert_target_path], } diff --git a/site/profiles/manifests/puppet/agent.pp b/site/profiles/manifests/puppet/agent.pp index 8cb1696..c911f0d 100644 --- a/site/profiles/manifests/puppet/agent.pp 
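Review bot: `group { $group: name => $group, * => $data, }` in groups.pp raises a duplicate-attribute error as soon as a hiera entry includes a `name` key, and the resource title already supplies the name, so `name => $group,` can be dropped. `Hash $local = {}` could be `Hash[String, Hash] $local = {}` so that a scalar value under `profiles::base::groups::local` is rejected at compile time rather than when the splat is applied.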
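Review bot: `file { '/etc/pki': ... }` and `file { '/etc/pki/tls': ... }` in vault.pp hard-code the two parent directories even though the target is the `$base_path` parameter; if `$base_path` is ever set outside `/etc/pki/tls`, the manifest still creates those directories and the `require` chain no longer reflects the real parent. Puppet's `file` type autorequires managed parent directories, so the three `require => File[...]` attributes added here are redundant whenever the parents are managed, and the `require => File['/etc/pki']` / `require => File['/etc/pki/tls']` lines also lack the trailing comma used elsewhere in the file. A comment such as `# manage the parents of $base_path — /etc/pki may not pre-exist on every OS (confirm)` would record why this was added. The class body continues outside both hunks.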
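Review bot: The new search path `['/bin', '/usr/bin', 'sbin', '/usr/sbin']` in vaultca.pp contains `'sbin'` without a leading slash, so the exec gets a relative PATH entry; because `update_ca_trust_store` runs as root, a command resolved through that entry would be looked up relative to the exec's working directory rather than a fixed system directory. It should be `path => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'],`, which is also the list the restorecon execs in webserver.pp use. The exec resource continues past the hunk.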
+++ b/site/profiles/manifests/puppet/agent.pp @@ -4,12 +4,6 @@ class profiles::puppet::agent ( String $puppet_version = 'latest', ) { - # Ensure the puppet-agent package is installed and locked to a specific version - package { 'puppet-agent': - ensure => $puppet_version, - require => Class['profiles::yum::puppet7'], - } - # if puppet-version is anything other than latest, set a versionlock $puppet_versionlock_ensure = $puppet_version ? { 'latest' => 'absent', @@ -19,9 +13,29 @@ class profiles::puppet::agent ( 'latest' => undef, default => $puppet_version, } - yum::versionlock{'puppet-agent': - ensure => $puppet_versionlock_ensure, - version => $puppet_versionlock_version, + + case $facts['os']['family'] { + 'RedHat': { + # Ensure the puppet-agent package is installed and locked to a specific version + package { 'puppet-agent': + ensure => $puppet_version, + require => Class['profiles::yum::puppet7'], + } + + # versionlock puppet-agent + yum::versionlock{'puppet-agent': + ensure => $puppet_versionlock_ensure, + version => $puppet_versionlock_version, + } + } + 'Debian': { + # Ensure the puppet-agent package is installed and locked to a specific version + package { 'puppet-agent': + ensure => $puppet_version, + require => Class['profiles::apt::puppet7'], + } + } + default: {} } # Ensure the puppet service is running From 19c8749d9eccee1ae9c0f3971c9cc3eea9301091 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sun, 14 Apr 2024 23:14:23 +1000 Subject: [PATCH 135/229] feat: split lm-sensors for debian/rhel --- hieradata/os/AlmaLinux/all_releases.yaml | 2 ++ hieradata/os/Debian/all_releases.yaml | 2 ++ hieradata/virtual/physical.yaml | 2 +- 3 files changed, 5 insertions(+), 1 deletion(-) diff --git a/hieradata/os/AlmaLinux/all_releases.yaml b/hieradata/os/AlmaLinux/all_releases.yaml index 62f35d0..e1e5192 100644 --- a/hieradata/os/AlmaLinux/all_releases.yaml +++ b/hieradata/os/AlmaLinux/all_releases.yaml 
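Review bot: The `'Debian'` branch comment says the package is `installed and locked to a specific version`, but unlike the RedHat branch it applies no lock (no apt equivalent of `yum::versionlock`), so `$puppet_versionlock_ensure`/`$puppet_versionlock_version` computed above are unused there and a pinned `$puppet_version` can drift between Puppet runs; the comment should read `# Ensure the puppet-agent package is installed (no version lock on Debian yet)` or an `apt::pin` should be added. `default: {}` silently manages nothing on other OS families; `default: { fail("profiles::puppet::agent: unsupported os family ${facts['os']['family']}") }` would surface that at compile time. The class body continues past the hunk.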
@@ -12,3 +12,5 @@ profiles::puppet::agent::puppet_version: '7.26.0' profiles::packages::install: - lzo - xz + +lm-sensors::package: lm_sensors diff --git a/hieradata/os/Debian/all_releases.yaml b/hieradata/os/Debian/all_releases.yaml index bfcaaee..221b479 100644 --- a/hieradata/os/Debian/all_releases.yaml +++ b/hieradata/os/Debian/all_releases.yaml @@ -10,3 +10,5 @@ profiles::packages::install: - lzop - python3.11-venv - xz-utils + +lm-sensors::package: lm-sensors diff --git a/hieradata/virtual/physical.yaml b/hieradata/virtual/physical.yaml index c932ae7..75630e7 100644 --- a/hieradata/virtual/physical.yaml +++ b/hieradata/virtual/physical.yaml @@ -1,3 +1,3 @@ --- profiles::packages::install: - - lm_sensors + - "%{hiera('lm-sensors::package')}" From 49b4a65302d6f0345334940a6130f6d0fa06af7f Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sat, 20 Apr 2024 00:11:15 +1000 Subject: [PATCH 136/229] feat: node_lookup compatability for Debian --- site/profiles/templates/helpers/node_lookup.erb | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/site/profiles/templates/helpers/node_lookup.erb b/site/profiles/templates/helpers/node_lookup.erb index d12c364..248f3e7 100644 --- a/site/profiles/templates/helpers/node_lookup.erb +++ b/site/profiles/templates/helpers/node_lookup.erb @@ -3,6 +3,7 @@ import requests import sys import argparse import json +import os def build_query(node=None, fact_name=None, match=None, show_role=False): query_filters = [] 
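Review bot: `"%{hiera('lm-sensors::package')}"` in physical.yaml uses the `hiera` interpolation function, which Hiera 5 keeps only for backward compatibility; `"%{lookup('lm-sensors::package')}"` is the current spelling with the same behaviour. The interpolated key is defined only in the AlmaLinux and Debian os files in this commit, so on any other OS family the entry appears to resolve to an empty string inside `profiles::packages::install`; a comment above the entry naming the files expected to define `lm-sensors::package` would make that coupling visible.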
@@ -23,8 +24,16 @@ def build_query(node=None, fact_name=None, match=None, show_role=False): return json.dumps(["and"] + query_filters) def query_puppetdb(query): + # Determine the correct SSL certificate path based on the OS + if os.path.exists('/etc/ssl/certs/ca-certificates.crt'): # Debian/Ubuntu + cert_path = '/etc/ssl/certs/ca-certificates.crt' + elif os.path.exists('/etc/pki/tls/cert.pem'): # RHEL/CentOS + cert_path = '/etc/pki/tls/cert.pem' + else: + raise FileNotFoundError("SSL certificate file not found.") + url = 'https://puppetdbapi.main.unkin.net/pdb/query/v4/facts' - response = requests.get(url, params={'query': query}, verify='/etc/pki/tls/cert.pem') + response = requests.get(url, params={'query': query}, verify=cert_path) process_response(response) def process_response(response): From 80a4cb05443820e6bb3516f790136bd9ae9b1a4e Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sat, 20 Apr 2024 00:14:21 +1000 Subject: [PATCH 137/229] feat: debian vaultcert compatability - remove comma from certificate file - add comments identifying each certificate --- site/profiles/templates/pki/vaultcaroot.pem.erb | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/site/profiles/templates/pki/vaultcaroot.pem.erb b/site/profiles/templates/pki/vaultcaroot.pem.erb index aacae0e..0a32ae6 100644 --- a/site/profiles/templates/pki/vaultcaroot.pem.erb +++ b/site/profiles/templates/pki/vaultcaroot.pem.erb @@ -1,3 +1,4 @@ +# unkin.net Intermediate Authority -----BEGIN CERTIFICATE----- MIIDrDCCApSgAwIBAgIUAyjDayxDtmvXzttcT1jUg9KU08swDQYJKoZIhvcNAQEL BQAwFDESMBAGA1UEAxMJdW5raW4ubmV0MB4XDTI0MDIyNTExMDI0NloXDTI5MDIy 
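Review bot: `requests.get(url, params={'query': query}, verify=cert_path)` has no `timeout`, so a stalled PuppetDB API blocks the helper indefinitely; `response = requests.get(url, params={'query': query}, verify=cert_path, timeout=30)` bounds that. The two `os.path.exists` probes run on every call; hoisting the bundle detection into a small function or a module-level constant keeps `query_puppetdb` to the request itself. Including the two paths that were tried in the `FileNotFoundError` message would make the failure self-explanatory on a new OS. `query_puppetdb` ends within the hunk; `process_response` continues beyond it.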
@@ -20,7 +21,9 @@ val0pncs/2V3TIk1iOXLY7YXDm6x4ND+iUz5rmILs/0q82S3iAbro4IckinfmGjI iUW3GFSva8F6VS49I9pejBFJUQeIILz5jeTEdzG643DnujjjNqw8ad3ivakBYD1G YxGhYmLfh5RmESCeAgBbLQgRa1vNz1YYWhjn4OP0KKs= -----END CERTIFICATE----- -,-----BEGIN CERTIFICATE----- + +# unkin.net +-----BEGIN CERTIFICATE----- MIIDLzCCAhegAwIBAgIUeXJ+O/IJWu4Fl4+KdZl5r166SokwDQYJKoZIhvcNAQEL BQAwFDESMBAGA1UEAxMJdW5raW4ubmV0MB4XDTI0MDIyNTExMDEwNVoXDTM0MDIy MjExMDEzNFowFDESMBAGA1UEAxMJdW5raW4ubmV0MIIBIjANBgkqhkiG9w0BAQEF From f04c74bd4d809c854473285395cecc746e699989 Mon Sep 17 00:00:00 2001 
From: Ben Vincent Date: Wed, 17 Apr 2024 18:23:33 +1000 Subject: [PATCH 138/229] feat: manage proxmox nodes - change /etc/hosts to meet proxmox requirements - add proxmox node role - add init, params, repo, install, clusterjoin classes --- Puppetfile | 3 +- hieradata/common.eyaml | 1 + hieradata/common.yaml | 1 + .../country/au/region/syd1/infra/proxmox.yaml | 8 ++ .../nodes/prodnxsr0001.main.unkin.net.yaml | 5 ++ .../nodes/prodnxsr0002.main.unkin.net.yaml | 4 + .../nodes/prodnxsr0003.main.unkin.net.yaml | 4 + .../nodes/prodnxsr0004.main.unkin.net.yaml | 2 + .../nodes/prodnxsr0005.main.unkin.net.yaml | 2 + .../nodes/prodnxsr0006.main.unkin.net.yaml | 2 + .../nodes/prodnxsr0007.main.unkin.net.yaml | 2 + .../nodes/prodnxsr0008.main.unkin.net.yaml | 2 + hieradata/roles/infra/proxmox.yaml | 7 ++ modules/libs/lib/facter/is_pveceph_mgr.rb | 10 +++ modules/libs/lib/facter/is_pveceph_mon.rb | 10 +++ modules/libs/lib/facter/pve_ceph_config.rb | 34 +++++++++ .../libs/lib/facter/pve_ceph_initialised.rb | 10 +++ modules/libs/lib/facter/pve_cluster.rb | 28 +++++++ modules/libs/lib/facter/pve_cluster_member.rb | 21 ++++++ modules/libs/lib/facter/pve_nodelist.rb | 35 +++++++++ modules/libs/lib/facter/pve_nodes_active.rb | 17 +++++ site/profiles/manifests/proxmox/ceph.pp | 50 +++++++++++++ .../profiles/manifests/proxmox/clusterinit.pp | 41 ++++++++++ .../profiles/manifests/proxmox/clusterjoin.pp | 74 +++++++++++++++++++ site/profiles/manifests/proxmox/config.pp | 19 +++++ site/profiles/manifests/proxmox/init.pp | 16 ++++ site/profiles/manifests/proxmox/install.pp | 58 +++++++++++++++ site/profiles/manifests/proxmox/params.pp | 42 +++++++++++ site/profiles/manifests/proxmox/repos.pp | 37 ++++++++++ site/profiles/templates/base/hosts.erb | 7 +- .../templates/proxmox/join_pvecluster.erb | 11 +++ .../templates/proxmox/pve_facts.yaml.erb | 2 + site/roles/manifests/infra/proxmox/node.pp | 6 ++ 33 files changed, 564 insertions(+), 7 deletions(-) create mode 100644 
hieradata/country/au/region/syd1/infra/proxmox.yaml create mode 100644 hieradata/nodes/prodnxsr0001.main.unkin.net.yaml create mode 100644 hieradata/nodes/prodnxsr0002.main.unkin.net.yaml create mode 100644 hieradata/nodes/prodnxsr0003.main.unkin.net.yaml create mode 100644 hieradata/nodes/prodnxsr0004.main.unkin.net.yaml create mode 100644 hieradata/nodes/prodnxsr0005.main.unkin.net.yaml create mode 100644 hieradata/nodes/prodnxsr0006.main.unkin.net.yaml create mode 100644 hieradata/nodes/prodnxsr0007.main.unkin.net.yaml create mode 100644 hieradata/nodes/prodnxsr0008.main.unkin.net.yaml create mode 100644 hieradata/roles/infra/proxmox.yaml create mode 100644 modules/libs/lib/facter/is_pveceph_mgr.rb create mode 100644 modules/libs/lib/facter/is_pveceph_mon.rb create mode 100644 modules/libs/lib/facter/pve_ceph_config.rb create mode 100644 modules/libs/lib/facter/pve_ceph_initialised.rb create mode 100644 modules/libs/lib/facter/pve_cluster.rb create mode 100644 modules/libs/lib/facter/pve_cluster_member.rb create mode 100644 modules/libs/lib/facter/pve_nodelist.rb create mode 100644 modules/libs/lib/facter/pve_nodes_active.rb create mode 100644 site/profiles/manifests/proxmox/ceph.pp create mode 100644 site/profiles/manifests/proxmox/clusterinit.pp create mode 100644 site/profiles/manifests/proxmox/clusterjoin.pp create mode 100644 site/profiles/manifests/proxmox/config.pp create mode 100644 site/profiles/manifests/proxmox/init.pp create mode 100644 site/profiles/manifests/proxmox/install.pp create mode 100644 site/profiles/manifests/proxmox/params.pp create mode 100644 site/profiles/manifests/proxmox/repos.pp create mode 100644 site/profiles/templates/proxmox/join_pvecluster.erb create mode 100644 site/profiles/templates/proxmox/pve_facts.yaml.erb create mode 100644 site/roles/manifests/infra/proxmox/node.pp diff --git a/Puppetfile b/Puppetfile index 9dc00c7..6d50a38 100644 --- a/Puppetfile +++ b/Puppetfile 
@@ -7,7 +7,7 @@ mod 'puppetlabs-inifile', '6.0.0' mod 'puppetlabs-concat', '9.0.0' mod 'puppetlabs-vcsrepo', '6.1.0' mod 'puppetlabs-yumrepo_core', '2.0.0' -mod 'puppetlabs-apt', '9.1.0' +mod 'puppetlabs-apt', '9.4.0' mod 'puppetlabs-lvm', '2.1.0' mod 'puppetlabs-puppetdb', '7.13.0' mod 'puppetlabs-postgresql', '9.1.0' @@ -17,6 +17,7 @@ mod 'puppetlabs-mysql', '15.0.0' mod 'puppetlabs-xinetd', '3.4.1' mod 'puppetlabs-haproxy', '8.0.0' mod 'puppetlabs-java', '10.1.2' +mod 'puppetlabs-reboot', '5.0.0' # puppet mod 'puppet-python', '7.0.0' diff --git a/hieradata/common.eyaml b/hieradata/common.eyaml index d6fee43..91e63a8 100644 --- a/hieradata/common.eyaml +++ b/hieradata/common.eyaml @@ -1,2 +1,3 @@ --- profiles::accounts::sysadmin::password: ENC[PKCS7,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] +profiles::accounts::root::password: ENC[PKCS7,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] diff --git a/hieradata/common.yaml b/hieradata/common.yaml index 9d5eab5..2f4d7dc 100644 --- a/hieradata/common.yaml +++ b/hieradata/common.yaml @@ -58,6 +58,7 @@ profiles::packages::install: - ccze - curl - dstat + - expect - gzip - git - htop diff --git a/hieradata/country/au/region/syd1/infra/proxmox.yaml b/hieradata/country/au/region/syd1/infra/proxmox.yaml new file mode 100644 index 0000000..5e07a1c --- /dev/null +++ b/hieradata/country/au/region/syd1/infra/proxmox.yaml @@ -0,0 +1,8 @@ +--- +profiles::proxmox::params::pve_members_role: 'roles::infra::proxmox::node' +profiles::proxmox::params::pve_kernel_version: '1.0.1' +profiles::proxmox::params::pve_kernel_release: '6.5.13-5-pve' +profiles::proxmox::params::pve_ceph_repos: true +profiles::proxmox::params::pve_ceph_release: 'reef' +profiles::proxmox::params::pve_ceph_install: true +profiles::proxmox::params::pve_ceph_network: '10.18.15.1/24' diff --git a/hieradata/nodes/prodnxsr0001.main.unkin.net.yaml b/hieradata/nodes/prodnxsr0001.main.unkin.net.yaml new file mode 100644 index 0000000..13bad49 
--- /dev/null
+++ b/hieradata/nodes/prodnxsr0001.main.unkin.net.yaml
@@ -0,0 +1,5 @@
+---
+profiles::proxmox::params::pve_clusterinit_master: true
+profiles::proxmox::params::pve_ceph_mon: true
+profiles::proxmox::params::pve_ceph_mgr: true
+profiles::proxmox::params::pve_ceph_osd: true
diff --git a/hieradata/nodes/prodnxsr0002.main.unkin.net.yaml b/hieradata/nodes/prodnxsr0002.main.unkin.net.yaml
new file mode 100644
index 0000000..5fb387e
--- /dev/null
+++ b/hieradata/nodes/prodnxsr0002.main.unkin.net.yaml
@@ -0,0 +1,4 @@
+---
+profiles::proxmox::params::pve_ceph_mon: true
+profiles::proxmox::params::pve_ceph_mgr: true
+profiles::proxmox::params::pve_ceph_osd: true
diff --git a/hieradata/nodes/prodnxsr0003.main.unkin.net.yaml b/hieradata/nodes/prodnxsr0003.main.unkin.net.yaml
new file mode 100644
index 0000000..5fb387e
--- /dev/null
+++ b/hieradata/nodes/prodnxsr0003.main.unkin.net.yaml
@@ -0,0 +1,4 @@
+---
+profiles::proxmox::params::pve_ceph_mon: true
+profiles::proxmox::params::pve_ceph_mgr: true
+profiles::proxmox::params::pve_ceph_osd: true
diff --git a/hieradata/nodes/prodnxsr0004.main.unkin.net.yaml b/hieradata/nodes/prodnxsr0004.main.unkin.net.yaml
new file mode 100644
index 0000000..342f672
--- /dev/null
+++ b/hieradata/nodes/prodnxsr0004.main.unkin.net.yaml
@@ -0,0 +1,2 @@
+---
+profiles::proxmox::params::pve_ceph_osd: true
diff --git a/hieradata/nodes/prodnxsr0005.main.unkin.net.yaml b/hieradata/nodes/prodnxsr0005.main.unkin.net.yaml
new file mode 100644
index 0000000..342f672
--- /dev/null
+++ b/hieradata/nodes/prodnxsr0005.main.unkin.net.yaml
@@ -0,0 +1,2 @@
+---
+profiles::proxmox::params::pve_ceph_osd: true
diff --git a/hieradata/nodes/prodnxsr0006.main.unkin.net.yaml b/hieradata/nodes/prodnxsr0006.main.unkin.net.yaml
new file mode 100644
index 0000000..342f672
--- /dev/null
+++ b/hieradata/nodes/prodnxsr0006.main.unkin.net.yaml
@@ -0,0 +1,2 @@
+---
+profiles::proxmox::params::pve_ceph_osd: true
diff --git a/hieradata/nodes/prodnxsr0007.main.unkin.net.yaml b/hieradata/nodes/prodnxsr0007.main.unkin.net.yaml
new file mode 100644
index 0000000..342f672
--- /dev/null
+++ b/hieradata/nodes/prodnxsr0007.main.unkin.net.yaml
@@ -0,0 +1,2 @@
+---
+profiles::proxmox::params::pve_ceph_osd: true
diff --git a/hieradata/nodes/prodnxsr0008.main.unkin.net.yaml b/hieradata/nodes/prodnxsr0008.main.unkin.net.yaml
new file mode 100644
index 0000000..342f672
--- /dev/null
+++ b/hieradata/nodes/prodnxsr0008.main.unkin.net.yaml
@@ -0,0 +1,2 @@
+---
+profiles::proxmox::params::pve_ceph_osd: true
diff --git a/hieradata/roles/infra/proxmox.yaml b/hieradata/roles/infra/proxmox.yaml
new file mode 100644
index 0000000..7a1b911
--- /dev/null
+++ b/hieradata/roles/infra/proxmox.yaml
@@ -0,0 +1,7 @@
+---
+sudo::configs:
+ ceph-smartctl:
+ priority: 20
+ content: |
+ ceph ALL=NOPASSWD: /usr/sbin/smartctl -x --json=o /dev/*
+ ceph ALL=NOPASSWD: /usr/sbin/nvme * smart-log-add --json /dev/*
diff --git a/modules/libs/lib/facter/is_pveceph_mgr.rb b/modules/libs/lib/facter/is_pveceph_mgr.rb
new file mode 100644
index 0000000..cb1a243
--- /dev/null
+++ b/modules/libs/lib/facter/is_pveceph_mgr.rb
@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+require 'facter'
+
+Facter.add('is_pveceph_mgr') do
+ confine enc_role: 'roles::infra::proxmox::node'
+ setcode do
+ system('pgrep -x ceph-mgr > /dev/null 2>&1')
+ end
+end
diff --git a/modules/libs/lib/facter/is_pveceph_mon.rb b/modules/libs/lib/facter/is_pveceph_mon.rb
new file mode 100644
index 0000000..e32a312
--- /dev/null
+++ b/modules/libs/lib/facter/is_pveceph_mon.rb
@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+require 'facter'
+
+Facter.add('is_pveceph_mon') do
+ confine enc_role: 'roles::infra::proxmox::node'
+ setcode do
+ system('pgrep -x ceph-mon > /dev/null 2>&1')
+ end
+end
diff --git a/modules/libs/lib/facter/pve_ceph_config.rb b/modules/libs/lib/facter/pve_ceph_config.rb
new file mode 100644
index 0000000..e836a99
--- /dev/null
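Review bot: The two `ceph ALL=NOPASSWD:` rules in roles/infra/proxmox.yaml appear to mirror the sudoers snippet Ceph ships for SMART device-health collection, but nothing in the file says so; a YAML comment above `ceph-smartctl:` naming the source and purpose, e.g. `# sudoers rules for ceph device-health (smartctl/nvme) — mirrors the upstream ceph snippet`, would let a later reviewer judge them. Be aware that sudoers wildcards also match whitespace, so `/dev/*` and the `nvme *` argument accept more than a single device name; that is a property of the upstream rule as well, so the main ask is to record the accepted trade-off next to the rule.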
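Review bot: `system('pgrep -x ceph-mgr > /dev/null 2>&1')` in is_pveceph_mgr.rb returns `nil` rather than `false` when the command cannot be executed at all (e.g. `pgrep` missing), so the fact is then unresolved instead of false and a manifest testing `! $facts['is_pveceph_mgr']` would treat the node as not running a manager; `is_pveceph_mon.rb` in the next hunk has the same behaviour. Passing the arguments separately avoids the shell and lets the result be coerced to a boolean: `system('pgrep', '-x', 'ceph-mgr', out: File::NULL, err: File::NULL) == true`. A one-line comment above `Facter.add` saying the fact is `true` only while a `ceph-mgr` process exists would also help readers of ceph.pp.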
+++ b/modules/libs/lib/facter/pve_ceph_config.rb
@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+
+require 'facter'
+
+Facter.add('ceph_global_config') do
+ confine enc_role: 'roles::infra::proxmox::node'
+ setcode do
+ config_file = '/etc/pve/ceph.conf'
+ config_hash = {}
+ in_global_section = false
+
+ if File.exist?(config_file)
+ File.readlines(config_file).each do |line|
+ line.strip!
+ # Detect the [global] section and set flag
+ if line == '[global]'
+ in_global_section = true
+ next
+ end
+
+ # Exit the loop once we're out of the global section
+ break if line.start_with?('[') && in_global_section
+
+ # Parse key-value pairs if we are in the global section
+ if in_global_section && line.include?('=')
+ key, value = line.split('=', 2).map(&:strip)
+ config_hash[key] = value
+ end
+ end
+ end
+
+ config_hash
+ end
+end
diff --git a/modules/libs/lib/facter/pve_ceph_initialised.rb b/modules/libs/lib/facter/pve_ceph_initialised.rb
new file mode 100644
index 0000000..52c4c4e
--- /dev/null
+++ b/modules/libs/lib/facter/pve_ceph_initialised.rb
@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+require 'facter'
+
+Facter.add('pve_ceph_initialised') do
+ confine enc_role: 'roles::infra::proxmox::node'
+ setcode do
+ File.exist?('/etc/pve/ceph.conf')
+ end
+end
diff --git a/modules/libs/lib/facter/pve_cluster.rb b/modules/libs/lib/facter/pve_cluster.rb
new file mode 100644
index 0000000..05efec1
--- /dev/null
+++ b/modules/libs/lib/facter/pve_cluster.rb
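Review bot: The fact is registered as `Facter.add('ceph_global_config')` but lives in `pve_ceph_config.rb`, unlike every other fact in this commit whose file name equals the fact name; renaming one of the two (e.g. `Facter.add('pve_ceph_config')`) keeps them discoverable together. The parser also treats comment lines inside `[global]` as settings: a line such as `# foo = bar` or `; foo = bar` ends up as a key beginning with `#`/`;`, so `next if line.start_with?('#', ';')` before the `include?('=')` check would drop them. A short comment above `setcode` stating that only the `[global]` section is returned, as a flat hash of string values, would document the fact's shape for the manifests that read it.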
@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+require 'facter'
+
+Facter.add('pve_cluster') do
+ confine enc_role: 'roles::infra::proxmox::node'
+ setcode do
+ conf_file = '/etc/pve/corosync.conf'
+ totem_details = {}
+ in_totem_section = false
+
+ if File.exist?(conf_file)
+ File.foreach(conf_file) do |line|
+ if line =~ /^\s*totem\s*\{/
+ in_totem_section = true
+ elsif line =~ /^\s*\}/ && in_totem_section
+ break
+ elsif in_totem_section && line =~ /^\s*(\w+):\s*(.+)$/
+ key = Regexp.last_match(1).strip
+ value = Regexp.last_match(2).strip
+ totem_details[key] = value
+ end
+ end
+ end
+
+ totem_details.empty? ? nil : totem_details
+ end
+end
diff --git a/modules/libs/lib/facter/pve_cluster_member.rb b/modules/libs/lib/facter/pve_cluster_member.rb
new file mode 100644
index 0000000..602adf8
--- /dev/null
+++ b/modules/libs/lib/facter/pve_cluster_member.rb
@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+require 'facter'
+
+Facter.add('pve_cluster_member') do
+ confine enc_role: 'roles::infra::proxmox::node'
+ setcode do
+ if Facter::Util::Resolution.which('pvesh')
+ cluster_status = `pvesh get /cluster/status --output-format json`
+ if cluster_status.empty?
+ false
+ else
+ require 'json'
+ status = JSON.parse(cluster_status)
+ !status.empty?
+ end
+ else
+ false
+ end
+ end
+end
diff --git a/modules/libs/lib/facter/pve_nodelist.rb b/modules/libs/lib/facter/pve_nodelist.rb
new file mode 100644
index 0000000..4e16d81
--- /dev/null
+++ b/modules/libs/lib/facter/pve_nodelist.rb
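Review bot: `JSON.parse(cluster_status)` in pve_cluster_member.rb is unguarded, so non-JSON output from `pvesh` (an error message on stdout, a truncated response) raises inside `setcode` and the fact fails to resolve instead of reporting `false`; wrapping it in `rescue JSON::ParserError` that returns `false` keeps the fact boolean, and `pve_nodes_active.rb` in the next hunk has the same exposure. Backticks also discard the exit status and stderr; `Facter::Core::Execution.execute('pvesh get /cluster/status --output-format json', on_fail: '')` yields the same string on success and an empty string on failure, which the existing `.empty?` check already handles. `require 'json'` could sit at the top next to `require 'facter'` rather than inside the resolution.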
@@ -0,0 +1,35 @@ +# frozen_string_literal: true + +require 'facter' + +Facter.add('pve_nodelist') do + confine enc_role: 'roles::infra::proxmox::node' + setcode do + conf_file = '/etc/pve/corosync.conf' + node_list = {} + current_node = nil + # rubocop:disable Metrics/BlockNesting + + if File.exist?(conf_file) + File.foreach(conf_file) do |line| + if line =~ /^\s*node\s*\{/ + current_node = {} + elsif line =~ /^\s*\}/ + if current_node + node_name = current_node['name'] + node_list[node_name] = current_node if node_name + current_node = nil + end + elsif current_node && line =~ /^\s*(\w+):\s*(.+)$/ + key = Regexp.last_match(1).strip + value = Regexp.last_match(2).strip + current_node[key] = value + end + end + end + + # rubocop:enable Metrics/BlockNesting + + node_list.empty? ? nil : node_list + end +end diff --git a/modules/libs/lib/facter/pve_nodes_active.rb b/modules/libs/lib/facter/pve_nodes_active.rb new file mode 100644 index 0000000..fade65d --- /dev/null +++ b/modules/libs/lib/facter/pve_nodes_active.rb @@ -0,0 +1,17 @@ +# frozen_string_literal: true + +require 'facter' + +Facter.add('pve_nodes_active') do + confine enc_role: 'roles::infra::proxmox::node' + setcode do + if Facter::Util::Resolution.which('pvesh') + proxmox_nodes = `pvesh get /nodes --output-format json` + unless proxmox_nodes.empty? + require 'json' + nodes = JSON.parse(proxmox_nodes) + nodes.count + end + end + end +end diff --git a/site/profiles/manifests/proxmox/ceph.pp b/site/profiles/manifests/proxmox/ceph.pp new file mode 100644 index 0000000..3bff1b0 --- /dev/null +++ b/site/profiles/manifests/proxmox/ceph.pp 
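Review bot: `nodes.count` counts every node `pvesh get /nodes` returns, including ones that are down, so the fact name `pve_nodes_active` overstates what it reports. If the API's per-node `status` field is what should decide (I believe each entry carries `status: online|offline`, please confirm against the API), count on it: `nodes.count { |node| node['status'] == 'online' }`; otherwise rename the fact to `pve_nodes_count`. As in `pve_cluster_member.rb`, the unchecked backtick output goes straight to `JSON.parse`, so a `pvesh` error aborts the fact with an exception rather than yielding nil.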
@@ -0,0 +1,50 @@ +# profiles::proxmox::ceph +class profiles::proxmox::ceph { + + # include params class + include profiles::proxmox::params + + # localise some vars + $network = $profiles::proxmox::params::pve_ceph_network + $size = $profiles::proxmox::params::pve_ceph_size + $min_size = $profiles::proxmox::params::pve_ceph_minsize + + # install ceph if it is enabled + if $profiles::proxmox::params::pve_ceph_install { + + # initialise the cluster, but only on the clusterinit node and only if its not already initialised + if $profiles::proxmox::params::pve_clusterinit_master and ! $facts['pve_ceph_initialised']{ + exec { 'pveceph_init': + command => "/usr/bin/pveceph init --network ${network} --size ${size} --min_size ${min_size}", + user => 'root', + } + } + + if $facts['pve_ceph_initialised'] { + + # create monitors + if $profiles::proxmox::params::pve_ceph_mon { + + # only when its not already a monitor + if ! $facts['is_pveceph_mon'] { + exec { 'pveceph_mon': + command => '/usr/bin/pveceph mon create', + user => 'root', + } + } + } + + # create managers + if $profiles::proxmox::params::pve_ceph_mgr { + + # only when its not already a manager + if ! $facts['is_pveceph_mgr'] { + exec { 'pveceph_mgr': + command => '/usr/bin/pveceph mgr create', + user => 'root', + } + } + } + } + } +} diff --git a/site/profiles/manifests/proxmox/clusterinit.pp b/site/profiles/manifests/proxmox/clusterinit.pp new file mode 100644 index 0000000..65189b3 --- /dev/null +++ b/site/profiles/manifests/proxmox/clusterinit.pp 
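Review bot: `pveceph_init` interpolates `${network}` unconditionally, but `profiles::proxmox::params` declares `$pve_ceph_network` as `Variant[Undef, Stdlib::IP::Address::V4::CIDR]` defaulting to `undef`, so with the default the command becomes `pveceph init --network  --size ...` and fails on the init master at apply time instead of at compile time; a guard such as `if $network =~ Undef { fail('profiles::proxmox::params::pve_ceph_network must be set when pve_ceph_install is true') }` before the exec gives a clear error. The `pveceph_mon`/`pveceph_mgr` execs are gated only on `$facts['is_pveceph_mon']`/`$facts['is_pveceph_mgr']`, and I do not see those facts defined in any of the visible hunks; an unresolved fact is undef, so the negation is always true and `pveceph mon create` would be attempted on every run with no `unless`/`creates` to stop it. Either add those facts or give the execs an idempotency check of their own.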
@@ -0,0 +1,41 @@ +# profiles::proxmox::clusterinit +class profiles::proxmox::clusterinit { + + # include params class + include profiles::proxmox::params + + # localise some vars + $clusterinit_master = $profiles::proxmox::params::pve_clusterinit_master + $clustername = $profiles::proxmox::params::pve_cluster + $membersrole = $profiles::proxmox::params::pve_members_role + + # if this is the cluster master + if $clusterinit_master { + + # and its not a member of a cluster yet + if ! $facts['pve_cluster_member'] { + + # initialise a cluster + exec {'pve_init_cluster': + command => "/usr/bin/pvecm create ${clustername}", + unless => 'pvecm status', + timeout => 60, + } + } + } + + $servers_array = sort(query_nodes( + "enc_role='${membersrole}' and country='${facts['country']}' and region='${facts['region']}'", + 'networking.fqdn' + )) + + if ! $profiles::proxmox::params::pve_clusterinit_master { + if !empty($servers_array) { + notify { "Cluster ${profiles::proxmox::params::pve_cluster} detected, proceeding to join...": + } + } else { + notify { "No cluster flag found for ${profiles::proxmox::params::pve_cluster}, not attempting to join": + } + } + } +} diff --git a/site/profiles/manifests/proxmox/clusterjoin.pp b/site/profiles/manifests/proxmox/clusterjoin.pp new file mode 100644 index 0000000..7ab3ea5 --- /dev/null +++ b/site/profiles/manifests/proxmox/clusterjoin.pp 
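Review bot: `unless => 'pvecm status'` is neither fully qualified nor backed by a `path` attribute, and Puppet's exec rejects such a check command ("is not qualified and no path was specified"), so `pve_init_cluster` fails before it ever runs; use `unless => '/usr/bin/pvecm status',` — the same line appears in `clusterjoin.pp`'s copy of this exec. As far as the visible hunks show, `profiles::proxmox::clusterinit` is not included by `profiles::proxmox::init` (it pulls in `clusterjoin`, which duplicates the init logic), so this class may be dead code worth removing rather than fixing.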
@@ -0,0 +1,74 @@ +# profiles::proxmox::clusterjoin +class profiles::proxmox::clusterjoin { + + # include params class + include profiles::proxmox::params + + # localise some vars + $clusterinit_master = $profiles::proxmox::params::pve_clusterinit_master + $clustername = $profiles::proxmox::params::pve_cluster + $membersrole = $profiles::proxmox::params::pve_members_role + $root_password = $profiles::proxmox::params::root_password + + # query puppetdb for list of cluster members + $members_array = sort(query_nodes( + "enc_role='${membersrole}' and \ + country='${facts['country']}' and \ + region='${facts['region']}' and \ + pve_cluster.cluster_name='${clustername}'", + 'networking.fqdn' + )) + + # check if the pve kernerl is running + if $facts['kernelrelease'] == $profiles::proxmox::params::pve_kernel_release { + + # if this is the cluster master + if $clusterinit_master { + + # there are no cluster members in puppetdb + if empty($members_array) { + + # and this host isnt already in a cluster by itself + if ! $facts['pve_cluster'] { + + # initialise a cluster + exec {'pve_init_cluster': + command => "/usr/bin/pvecm create ${clustername}", + unless => 'pvecm status', + timeout => 60, + } + } + } + } + + # for non-masters + if ! $clusterinit_master { + + # if there are already members of the cluster + if !empty($members_array) { + + # and this host isnt already in a cluster + if ! 
$facts['pve_cluster'] { + + # create an expect script to join the cluster + file { '/usr/local/bin/join_pvecluster.expect': + ensure => file, + owner => 'root', + mode => '0755', + content => template('profiles/proxmox/join_pvecluster.erb'), + } + + exec { 'pve_join_cluster': + command => "/usr/local/bin/join_pvecluster.expect '${root_password.unwrap}' '${members_array[0]}'", + require => [File['/usr/local/bin/join_pvecluster.expect'], Package['expect']], + unless => "/usr/bin/pvesh nodes | grep -q '${facts['networking']['hostname']}'", + user => 'root', + } + } + } else { + notify { "No initialised cluster found for ${clustername}, not attempting to join": + } + } + } + } +} diff --git a/site/profiles/manifests/proxmox/config.pp b/site/profiles/manifests/proxmox/config.pp new file mode 100644 index 0000000..0edc8d1 --- /dev/null +++ b/site/profiles/manifests/proxmox/config.pp @@ -0,0 +1,19 @@ +# profiles::proxmox::config +class profiles::proxmox::config { + + # include params class + include profiles::proxmox::params + + # localise some vars + $clusterinit_master = $profiles::proxmox::params::pve_clusterinit_master + + # create pve_facts file + file {'/opt/puppetlabs/facter/facts.d/pve_facts.yaml': + ensure => 'file', + owner => 'root', + group => 'root', + mode => '0600', + content => template('profiles/proxmox/pve_facts.yaml.erb') + } + +} diff --git a/site/profiles/manifests/proxmox/init.pp b/site/profiles/manifests/proxmox/init.pp new file mode 100644 index 0000000..f7d769f --- /dev/null +++ b/site/profiles/manifests/proxmox/init.pp 
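Review bot: `pve_join_cluster` passes `${root_password.unwrap}` as a command-line argument, which puts the root password in the process list for every local user for the duration of the join and, because Puppet logs exec commands at debug level and on failure, into agent logs and reports as plain text — the `Sensitive` wrapper is lost at exactly the point it matters. Hand the secret over out of band instead: `environment => ["PVE_ROOT_PASSWORD=${root_password.unwrap}"],` on the exec, drop the password argument from `command`, and have the expect script use `set password $env(PVE_ROOT_PASSWORD)`. Two smaller problems in the same resource: `unless` uses a shell pipe (`| grep -q`), which the default posix provider does not interpret, so it needs `provider => shell` (and `pvesh nodes` does not look like valid pvesh syntax — `pvesh get /nodes` is the documented form); and `pve_init_cluster`'s `unless => 'pvecm status'` is unqualified with no `path`, as noted on clusterinit.pp. The enclosing `if ! $clusterinit_master` block starts on the previous physical line of the hunk.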
@@ -0,0 +1,16 @@
+# proxmox::
+class profiles::proxmox::init {
+
+ #include profiles::proxmox::params
+ include profiles::proxmox::repos
+ include profiles::proxmox::install
+ include profiles::proxmox::clusterjoin
+ include profiles::proxmox::ceph
+ include profiles::proxmox::config
+
+ Class['profiles::proxmox::repos']
+ -> Class['profiles::proxmox::install']
+ -> Class['profiles::proxmox::clusterjoin']
+ -> Class['profiles::proxmox::ceph']
+ -> Class['profiles::proxmox::config']
+}
diff --git a/site/profiles/manifests/proxmox/install.pp b/site/profiles/manifests/proxmox/install.pp
new file mode 100644
index 0000000..4cfdba2
--- /dev/null
+++ b/site/profiles/manifests/proxmox/install.pp
@@ -0,0 +1,58 @@ +# profiles::proxmox::install +class profiles::proxmox::install { + + # include params class + include profiles::proxmox::params + + # install the pve kernel + package { 'proxmox-default-kernel': + ensure => $profiles::proxmox::params::pve_kernel_version, + notify => Reboot['after_run'], + require => Apt::Source['proxmox'], + } + + # reboot into the new kernel + reboot { 'after_run': + apply => finished, + } + + if $facts['kernelrelease'] == $profiles::proxmox::params::pve_kernel_release { + + # install pve + ensure_packages($profiles::proxmox::params::pve_packages_install, { ensure => 'present', require => Apt::Source['proxmox']}) + + # remove the old linux kernel metapackage + ensure_packages($profiles::proxmox::params::pve_packages_remove, { ensure => 'absent' }) + + # install ceph package if requested + if $profiles::proxmox::params::pve_ceph_install { + ensure_packages($profiles::proxmox::params::pve_packages_ceph, { ensure => 'present', require => Apt::Source['ceph'] }) + } + + # cleanup the old kernel packages + exec { 'remove-linux-kernel-packages': + command => '/usr/bin/apt-get purge -y $(/usr/bin/dpkg --list | /bin/grep "linux-image-6.1" | /usr/bin/awk \'{ print $2 }\')', + onlyif => '/usr/bin/dpkg --list | /bin/grep -q "linux-image-6.1"', + path => ['/usr/bin', '/bin', '/sbin'], + refreshonly => true, + } + + # update grup + exec { 'update-grub': + command => '/usr/sbin/update-grub', + path => ['/usr/bin', '/bin', '/sbin'], + refreshonly => true, + } + + # update grub after removing kernel packages only + Exec['remove-linux-kernel-packages'] ~> Exec['update-grub'] + + # prepare for SDN + file_line { 'source-network-interfaces-d': + path => '/etc/network/interfaces', + line => 'source /etc/network/interfaces.d/*', + match => '^source /etc/network/interfaces.d/\*$', + append_on_no_match => true, + } + } +} 
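Review bot: `remove-linux-kernel-packages` is `refreshonly => true` but nothing in the class notifies or subscribes to it (the `ensure_packages(..., { ensure => 'absent' })` call sends no event), so the purge — and the `update-grub` it chains to — never runs. The `onlyif` already makes the exec idempotent, so dropping `refreshonly => true,` from that resource is enough; alternatively keep it and add `subscribe => Package['linux-image-amd64'],`. The `linux-image-6.1` pattern in both `command` and `onlyif` hard-codes the Debian 12 stock kernel series, so the cleanup silently stops matching on the next Debian release — worth a parameter in `profiles::proxmox::params` next to `pve_kernel_release`.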
diff --git a/site/profiles/manifests/proxmox/params.pp b/site/profiles/manifests/proxmox/params.pp new file mode 100644 index 0000000..2a4844e --- /dev/null +++ b/site/profiles/manifests/proxmox/params.pp @@ -0,0 +1,42 @@ +# profiles::proxmox::params +class profiles::proxmox::params ( + Sensitive[String] $root_password = Sensitive(lookup('profiles::accounts::root::password')), + String $pve_members_role = 'roles::infra::proxmox::node', + String $pve_kernel_version = '1.0.1', + String $pve_kernel_release = '6.5.13-5-pve', + String $pve_cluster = "${::facts['country']}-${::facts['region']}", + Boolean $pve_clusterinit_master = false, + Boolean $pve_ceph_repos = false, + Boolean $pve_ceph_install = false, + Boolean $pve_ceph_mon = false, + Boolean $pve_ceph_mgr = false, + Boolean $pve_ceph_osd = false, + String $pve_ceph_release = 'quincy', + Integer $pve_ceph_size = 3, + Integer $pve_ceph_minsize = 2, + Variant[ + Undef, + Stdlib::IP::Address::V4::CIDR + ] $pve_ceph_network = undef, + + Array $pve_packages_install = [ + 'proxmox-ve', + 'postfix', + 'open-iscsi', + 'frr-pythontools' + ], + Array $pve_packages_remove = [ + 'os-prober', + 'linux-image-amd64' + ], + Array $pve_packages_ceph = [ + 'ceph', + 'ceph-common', + 'ceph-fuse', + 'ceph-mds', + 'ceph-volume', + 'gdisk', + 'nvme-cli' + ] +){ +} diff --git a/site/profiles/manifests/proxmox/repos.pp b/site/profiles/manifests/proxmox/repos.pp new file mode 100644 index 0000000..0378fa4 --- /dev/null +++ b/site/profiles/manifests/proxmox/repos.pp 
@@ -0,0 +1,37 @@ +# profiles::proxmox::repos +class profiles::proxmox::repos { + + # include params class + include profiles::proxmox::params + + $codename = $facts['os']['distro']['codename'] + + exec { 'download-proxmox-gpg-key': + command => "/usr/bin/wget https://enterprise.proxmox.com/debian/proxmox-release-${codename}.gpg -O /etc/apt/trusted.gpg.d/proxmox-release-${codename}.gpg", + creates => "/etc/apt/trusted.gpg.d/proxmox-release-${codename}.gpg", + path => ['/usr/bin', '/bin'], + require => File['/etc/apt/trusted.gpg.d/'], + } + + file { '/etc/apt/trusted.gpg.d/': + ensure => 'directory', + } + + apt::source { 'proxmox': + location => 'http://download.proxmox.com/debian/pve', + repos => 'pve-no-subscription', + include => { + src => false, + }, + } + + if $profiles::proxmox::params::pve_ceph_repos { + apt::source { 'ceph': + location => "http://download.proxmox.com/debian/ceph-${profiles::proxmox::params::pve_ceph_release}", + repos => 'no-subscription', + include => { + src => false, + }, + } + } +} diff --git a/site/profiles/templates/base/hosts.erb b/site/profiles/templates/base/hosts.erb index 45bf0d2..c41ef08 100644 --- a/site/profiles/templates/base/hosts.erb +++ b/site/profiles/templates/base/hosts.erb @@ -1,15 +1,10 @@ # /etc/hosts file managed by Puppet # The following lines are desirable for IPv4 capable hosts -127.0.0.1 <%= @fqdn %> <%= @hostname %> +<%= @facts['networking']['ip'] %> <%= @fqdn %> <%= @hostname %> 127.0.0.1 localhost.localdomain localhost 127.0.0.1 localhost4.localdomain4 localhost4 -# The following lines are desirable for IPv6 capable hosts -::1 <%= @fqdn %> <%= @hostname %> -::1 localhost.localdomain localhost -::1 localhost6.localdomain6 localhost6 - <% @additional_hosts.each do |host| -%> <%= host['ip'] %> <%= host['hostname'] %> <%= host['aliases'].join(' ') if host['aliases'] %> <% end -%> 
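Review bot: `download-proxmox-gpg-key` fetches the repository signing key and drops it straight into `/etc/apt/trusted.gpg.d/` without checking it against a known fingerprint or checksum, so whatever the download returns becomes a trusted APT signer for the host (for both the `pve` and the `ceph` source); Proxmox publishes the key's checksum in its install guide, and the exec should download to a temporary path and only move the file into place when `sha512sum -c` matches `<EXPECTED_SHA512 — take from the Proxmox install docs>`. There is also no ordering between this exec and `apt::source { 'proxmox': }` (the exec only requires the directory), so on a fresh host the first `apt update` can run before the key exists and fail signature verification; `before => Apt::Source['proxmox'],` on the exec closes that gap, and the `ceph` source needs the same dependency when it is declared.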
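Review bot: The IPv6 block is removed wholesale, including `::1 localhost.localdomain localhost`, so after this change `localhost` has no AAAA mapping in `/etc/hosts` and software that resolves it over IPv6, or binds to `::1` by name, depends on whatever the resolver returns. Mapping the FQDN to the primary interface address is a reasonable change, but keep the loopback entries: `::1 localhost.localdomain localhost` and `::1 localhost6.localdomain6 localhost6`. `@facts['networking']['ip']` is the IPv4 address of whichever interface Facter picks as primary; on multi-homed Proxmox nodes (bridges, cluster links) that may not be the address you want in hosts, so an explicit parameter would be safer than the fact.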
diff --git a/site/profiles/templates/proxmox/join_pvecluster.erb b/site/profiles/templates/proxmox/join_pvecluster.erb new file mode 100644 index 0000000..378b95d --- /dev/null +++ b/site/profiles/templates/proxmox/join_pvecluster.erb @@ -0,0 +1,11 @@ +#!/usr/bin/expect -f +set timeout -1 +set password [lindex $argv 0] +set ip [lindex $argv 1] + +spawn pvecm add $ip +expect "Please enter superuser (root) password for" +send "$password\r" +expect "The authenticity of host" +send "yes\r" +expect eof diff --git a/site/profiles/templates/proxmox/pve_facts.yaml.erb b/site/profiles/templates/proxmox/pve_facts.yaml.erb new file mode 100644 index 0000000..7b3362e --- /dev/null +++ b/site/profiles/templates/proxmox/pve_facts.yaml.erb @@ -0,0 +1,2 @@ +--- +pve_clusterinit_master: <%= @clusterinit_master %> diff --git a/site/roles/manifests/infra/proxmox/node.pp b/site/roles/manifests/infra/proxmox/node.pp new file mode 100644 index 0000000..62bc14f --- /dev/null +++ b/site/roles/manifests/infra/proxmox/node.pp @@ -0,0 +1,6 @@ +# manage the installation of a proxmox node +class roles::infra::proxmox::node { + include profiles::defaults + include profiles::base + include profiles::proxmox::init +} From 9c6dee7609dba963ed9b7278cab788229b231460 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sun, 21 Apr 2024 15:15:00 +1000 Subject: [PATCH 139/229] feat: manage timezone per region - add timezone module - set per-region timezone setting - setup hiera_classes, set to deep merge, and set to include all in base profile --- Puppetfile | 1 + hieradata/common.yaml | 6 ++++++ hieradata/country/au/region/drw1.yaml | 2 ++ hieradata/country/au/region/syd1.yaml | 2 ++ site/profiles/manifests/base.pp | 3 +++ 5 files changed, 14 insertions(+) create mode 100644 hieradata/country/au/region/drw1.yaml create mode 100644 hieradata/country/au/region/syd1.yaml diff --git a/Puppetfile b/Puppetfile index 6d50a38..5c887fc 100644 --- a/Puppetfile +++ b/Puppetfile 
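Review bot: The script answers `yes` to "The authenticity of host" without looking at the fingerprint, so the node sends the root password to whichever host answers at `$ip`; combined with a PuppetDB-derived address this is blind trust-on-first-use, and an on-path attacker between the joining node and the master would obtain the password. `pvecm add` accepts the expected certificate fingerprint (`--fingerprint`, as I recall — verify against the installed version), which avoids the interactive prompt and the need to auto-accept at all; otherwise pass the known fingerprint into the template and fail when the prompt shows a different one. Reading the password from `$argv` also exposes it in `ps`; `set password $env(PVE_ROOT_PASSWORD)` with a matching `environment` on the exec keeps it off the command line. With `set timeout -1` and a fixed prompt sequence, a prompt that never appears (for example a host already in known_hosts) leaves `expect` waiting until eof and the following `send` writing to a closed spawn, so matching `eof` explicitly in each `expect` would make the failure modes visible.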
@@ -38,6 +38,7 @@ mod 'puppet-keepalived', '3.6.0' # other mod 'ghoneycutt-puppet', '3.3.0' mod 'saz-sudo', '8.0.0' +mod 'ghoneycutt-timezone', '4.0.0' mod 'dalen-puppetdbquery', '3.0.1' mod 'markt-galera', '3.1.0' mod 'kogitoapp-minio', '1.1.4' diff --git a/hieradata/common.yaml b/hieradata/common.yaml index 2f4d7dc..185780a 100644 --- a/hieradata/common.yaml +++ b/hieradata/common.yaml @@ -1,5 +1,8 @@ --- lookup_options: + hiera_classes: + merge: + strategy: deep profiles::packages::install: merge: strategy: deep @@ -39,6 +42,9 @@ lookup_options: facts_path: '/opt/puppetlabs/facter/facts.d' +hiera_classes: + - timezone + profiles::ntp::client::ntp_role: 'roles::infra::ntp::server' profiles::ntp::client::peers: - 0.pool.ntp.org diff --git a/hieradata/country/au/region/drw1.yaml b/hieradata/country/au/region/drw1.yaml new file mode 100644 index 0000000..703d863 --- /dev/null +++ b/hieradata/country/au/region/drw1.yaml @@ -0,0 +1,2 @@ +--- +timezone::timezone: 'Australia/Darwin' diff --git a/hieradata/country/au/region/syd1.yaml b/hieradata/country/au/region/syd1.yaml new file mode 100644 index 0000000..2a744b7 --- /dev/null +++ b/hieradata/country/au/region/syd1.yaml @@ -0,0 +1,2 @@ +--- +timezone::timezone: 'Australia/Sydney' diff --git a/site/profiles/manifests/base.pp b/site/profiles/manifests/base.pp index 65bf0cb..fb463d6 100644 --- a/site/profiles/manifests/base.pp +++ b/site/profiles/manifests/base.pp @@ -60,4 +60,7 @@ class profiles::base ( if $::facts['is_virtual'] and $::facts['dmi']['manufacturer'] == 'QEMU' { include profiles::qemu::agent } + + # include classes from hiera + lookup('hiera_classes', Array[String], 'unique').include } From bc4246dd0511b73a9b1a921a530a636ea556e2c7 Mon Sep 17 00:00:00 2001 
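Review bot: `lookup('hiera_classes', Array[String], 'unique')` has no default value, so any node whose hierarchy does not resolve `hiera_classes` fails compilation instead of including nothing; `lookup('hiera_classes', Array[String], 'unique', []).include` keeps the behaviour opt-in. The `lookup_options` entry added to common.yaml sets `deep` for the same key, but the explicit merge argument in the `lookup()` call takes precedence, so that entry has no effect as written — either rely on `lookup_options` and drop the argument, or drop the entry. Letting Hiera data decide which classes get included is convenient, but it makes the data hierarchy code: anyone who can write to `hieradata/` can pull any class in the environment into any node, so the same review standard should apply to both.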
From: Ben Vincent Date: Sun, 21 Apr 2024 22:55:06 +1000 Subject: [PATCH 140/229] feat: add new syd1 prod networks --- .../au/region/drw1/infra/dhcp/server.yaml | 22 ++++++++++++ hieradata/roles/infra/dns/master.yaml | 34 +++++++++++++----- hieradata/roles/infra/dns/resolver.yaml | 35 +++++++++++++++++++ hieradata/roles/infra/ntp/server.yaml | 2 ++ hieradata/roles/infra/puppet/master.yaml | 2 ++ modules/libs/lib/facter/subnet_facts.rb | 2 ++ 6 files changed, 89 insertions(+), 8 deletions(-) diff --git a/hieradata/country/au/region/drw1/infra/dhcp/server.yaml b/hieradata/country/au/region/drw1/infra/dhcp/server.yaml index 8136905..ca98e40 100644 --- a/hieradata/country/au/region/drw1/infra/dhcp/server.yaml +++ b/hieradata/country/au/region/drw1/infra/dhcp/server.yaml @@ -31,6 +31,28 @@ profiles::dhcp::server::pools: - 198.18.17.8 domain_name: main.unkin.net pxeserver: 198.18.17.48 + syd1-prod1: + network: 198.18.13.0 + mask: 255.255.255.0 + range: + - '198.18.13.200 198.18.13.220' + gateway: 198.18.13.254 + nameservers: + - 198.18.17.7 + - 198.18.17.8 + domain_name: main.unkin.net + pxeserver: 198.18.17.48 + syd1-prod2: + network: 198.18.14.0 + mask: 255.255.255.0 + range: + - '198.18.14.200 198.18.14.220' + gateway: 198.18.14.254 + nameservers: + - 198.18.17.7 + - 198.18.17.8 + domain_name: main.unkin.net + pxeserver: 198.18.17.48 drw1-prod: network: 198.18.17.0 mask: 255.255.255.0 diff --git a/hieradata/roles/infra/dns/master.yaml b/hieradata/roles/infra/dns/master.yaml index ef7d4c4..84ed6cc 100644 --- a/hieradata/roles/infra/dns/master.yaml +++ b/hieradata/roles/infra/dns/master.yaml @@ -6,6 +6,10 @@ profiles::dns::master::nameservers: profiles::dns::master::acls: acl-main.unkin.net: addresses: + - 198.18.13.0/24 + - 198.18.14.0/24 + - 198.18.15.0/24 + - 198.18.16.0/24 - 198.18.17.0/24 profiles::dns::master::zones: 
@@ -15,33 +19,47 @@ profiles::dns::master::zones: dynamic: false ns_notify: true source: '/var/named/sources/main.unkin.net.conf' - 17.18.198.in-addr.arpa: - domain: '17.18.198.in-addr.arpa' + 13.18.198.in-addr.arpa: + domain: '13.18.198.in-addr.arpa' zone_type: 'master' dynamic: false ns_notify: true - source: '/var/named/sources/17.18.198.in-addr.arpa.conf' - 16.18.198.in-addr.arpa: - domain: '16.18.198.in-addr.arpa' + source: '/var/named/sources/13.18.198.in-addr.arpa.conf' + 14.18.198.in-addr.arpa: + domain: '14.18.198.in-addr.arpa' zone_type: 'master' dynamic: false ns_notify: true - source: '/var/named/sources/16.18.198.in-addr.arpa.conf' + source: '/var/named/sources/14.18.198.in-addr.arpa.conf' 15.18.198.in-addr.arpa: domain: '15.18.198.in-addr.arpa' zone_type: 'master' dynamic: false ns_notify: true source: '/var/named/sources/15.18.198.in-addr.arpa.conf' + 16.18.198.in-addr.arpa: + domain: '16.18.198.in-addr.arpa' + zone_type: 'master' + dynamic: false + ns_notify: true + source: '/var/named/sources/16.18.198.in-addr.arpa.conf' + 17.18.198.in-addr.arpa: + domain: '17.18.198.in-addr.arpa' + zone_type: 'master' + dynamic: false + ns_notify: true + source: '/var/named/sources/17.18.198.in-addr.arpa.conf' profiles::dns::master::views: master-zones: recursion: false zones: - main.unkin.net - - 17.18.198.in-addr.arpa - - 16.18.198.in-addr.arpa + - 13.18.198.in-addr.arpa + - 14.18.198.in-addr.arpa - 15.18.198.in-addr.arpa + - 16.18.198.in-addr.arpa + - 17.18.198.in-addr.arpa match_clients: - acl-main.unkin.net diff --git a/hieradata/roles/infra/dns/resolver.yaml b/hieradata/roles/infra/dns/resolver.yaml index b949c1a..18008a4 100644 --- a/hieradata/roles/infra/dns/resolver.yaml +++ b/hieradata/roles/infra/dns/resolver.yaml @@ -3,6 +3,9 @@ profiles::dns::resolver::acls: acl-main.unkin.net: addresses: - 198.18.21.160/27 + - 198.18.21.192/27 + - 198.18.13.0/24 + - 198.18.14.0/24 - 198.18.15.0/24 - 198.18.16.0/24 - 198.18.17.0/24 
@@ -21,6 +24,34 @@ profiles::dns::resolver::zones: forwarders: - 10.10.8.1 forward: 'only' + 13.18.198.in-addr.arpa-forward: + domain: '13.18.198.in-addr.arpa' + zone_type: 'forward' + forwarders: + - 198.18.17.23 + - 198.18.17.24 + forward: 'only' + 14.18.198.in-addr.arpa-forward: + domain: '14.18.198.in-addr.arpa' + zone_type: 'forward' + forwarders: + - 198.18.17.23 + - 198.18.17.24 + forward: 'only' + 15.18.198.in-addr.arpa-forward: + domain: '15.18.198.in-addr.arpa' + zone_type: 'forward' + forwarders: + - 198.18.17.23 + - 198.18.17.24 + forward: 'only' + 16.18.198.in-addr.arpa-forward: + domain: '16.18.198.in-addr.arpa' + zone_type: 'forward' + forwarders: + - 198.18.17.23 + - 198.18.17.24 + forward: 'only' 17.18.198.in-addr.arpa-forward: domain: '17.18.198.in-addr.arpa' zone_type: 'forward' @@ -35,6 +66,10 @@ profiles::dns::resolver::views: zones: - main.unkin.net-forward - prod.unkin.net-forward + - 13.18.198.in-addr.arpa-forward + - 14.18.198.in-addr.arpa-forward + - 15.18.198.in-addr.arpa-forward + - 16.18.198.in-addr.arpa-forward - 17.18.198.in-addr.arpa-forward match_clients: - acl-main.unkin.net diff --git a/hieradata/roles/infra/ntp/server.yaml b/hieradata/roles/infra/ntp/server.yaml index fddfc78..839e32d 100644 --- a/hieradata/roles/infra/ntp/server.yaml +++ b/hieradata/roles/infra/ntp/server.yaml @@ -1,6 +1,8 @@ --- profiles::ntp::client::client_only: false profiles::ntp::server::allowquery: + - '198.18.13.0/24' + - '198.18.14.0/24' - '198.18.15.0/24' - '198.18.16.0/24' - '198.18.17.0/24' diff --git a/hieradata/roles/infra/puppet/master.yaml b/hieradata/roles/infra/puppet/master.yaml index b5b6830..9d5468b 100644 --- a/hieradata/roles/infra/puppet/master.yaml +++ b/hieradata/roles/infra/puppet/master.yaml @@ -1,5 +1,7 @@ --- profiles::puppet::autosign::subnet_ranges: + - '198.18.13.0/24' + - '198.18.14.0/24' - '198.18.15.0/24' - '198.18.16.0/24' - '198.18.17.0/24' 
diff --git a/modules/libs/lib/facter/subnet_facts.rb b/modules/libs/lib/facter/subnet_facts.rb index bbe7125..458c8e0 100644 --- a/modules/libs/lib/facter/subnet_facts.rb +++ b/modules/libs/lib/facter/subnet_facts.rb @@ -5,6 +5,8 @@ require 'ipaddr' # a class that creates facts based on the subnet class SubnetAttributes SUBNET_TO_ATTRIBUTES = { + '198.18.13.0/24' => { environment: 'prod', region: 'syd1', country: 'au' }, + '198.18.14.0/24' => { environment: 'prod', region: 'syd1', country: 'au' }, '198.18.15.0/24' => { environment: 'prod', region: 'syd1', country: 'au' }, '198.18.16.0/24' => { environment: 'test', region: 'syd1', country: 'au' }, '198.18.17.0/24' => { environment: 'prod', region: 'drw1', country: 'au' }, From df56213b188c2a3107987fc79f522d6f31b8a2a1 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Mon, 22 Apr 2024 18:51:20 +1000 Subject: [PATCH 141/229] fix: enable repos before installing packages --- site/profiles/manifests/base.pp | 21 +++++++-------------- site/profiles/manifests/base/repos.pp | 16 ++++++++++++++++ 2 files changed, 23 insertions(+), 14 deletions(-) create mode 100644 site/profiles/manifests/base/repos.pp diff --git a/site/profiles/manifests/base.pp b/site/profiles/manifests/base.pp index fb463d6..5d30011 100644 --- a/site/profiles/manifests/base.pp +++ b/site/profiles/manifests/base.pp @@ -6,20 +6,6 @@ class profiles::base ( # install the vault ca first include profiles::pki::vaultca - # manage package repositories - case $facts['os']['family'] { - 'RedHat': { - include profiles::yum::global - include profiles::firewall::firewalld - } - 'Debian': { - include profiles::apt::global - } - default: { - fail("Unsupported OS family ${facts['os']['family']}") - } - } - # manage the puppet agent include profiles::puppet::agent @@ -29,6 +15,7 @@ class profiles::base ( } # include the base profiles + include profiles::base::repos include profiles::packages include profiles::base::facts include profiles::base::motd 
@@ -63,4 +50,10 @@ class profiles::base ( # include classes from hiera lookup('hiera_classes', Array[String], 'unique').include + + # specifc ordering constraints + Class['profiles::pki::vaultca'] + -> Class['profiles::base::repos'] + -> Class['profiles::packages'] + } diff --git a/site/profiles/manifests/base/repos.pp b/site/profiles/manifests/base/repos.pp new file mode 100644 index 0000000..8d3223f --- /dev/null +++ b/site/profiles/manifests/base/repos.pp @@ -0,0 +1,16 @@ +# profiles::base::repos +class profiles::base::repos { + # manage package repositories + case $facts['os']['family'] { + 'RedHat': { + include profiles::yum::global + include profiles::firewall::firewalld + } + 'Debian': { + include profiles::apt::global + } + default: { + fail("Unsupported OS family ${facts['os']['family']}") + } + } +} From bb8bf202ac043a586c0a8cea05291f697ea45c7b Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Tue, 23 Apr 2024 21:11:56 +1000 Subject: [PATCH 142/229] feat: sort nameserver/search_domains - ensure the list doesnt change every puppet run --- site/profiles/manifests/dns/base.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/site/profiles/manifests/dns/base.pp b/site/profiles/manifests/dns/base.pp index 6bd2458..671bf3d 100644 --- a/site/profiles/manifests/dns/base.pp +++ b/site/profiles/manifests/dns/base.pp @@ -24,8 +24,8 @@ class profiles::dns::base ( # include resolvconf class class { 'profiles::dns::resolvconf': - nameservers => $nameserver_array, - search_domains => $search_array, + nameservers => sort($nameserver_array), + search_domains => sort($search_array), } # export dns records for client From dbe11323c5246ac7db6e41d79e49f1bc073bcc1e Mon Sep 17 00:00:00 2001 
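Review bot: `profiles::firewall::firewalld` is included from a class named `profiles::base::repos`, so the firewall is now ordered before package installation through the new `Class['profiles::base::repos'] -> Class['profiles::packages']` chain in base.pp, and its inclusion is hidden behind an unrelated name. It would be clearer to keep only the repository classes here and include firewalld from `profiles::base` (or a `profiles::base::firewall`) where its ordering can be stated deliberately. Minor: the base.pp comment reads `# specifc ordering constraints` — `specific`.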
From: Ben Vincent Date: Tue, 23 Apr 2024 22:39:33 +1000 Subject: [PATCH 143/229] feat: enable selecting nameserver by fact - enable selecting nameservers to use by region, country or all - set default for nameservers to be region --- hieradata/common.yaml | 1 + site/profiles/manifests/dns/base.pp | 16 ++++++++++++---- 2 files changed, 13 insertions(+), 4 deletions(-) diff --git a/hieradata/common.yaml b/hieradata/common.yaml index 185780a..9dd7df2 100644 --- a/hieradata/common.yaml +++ b/hieradata/common.yaml @@ -57,6 +57,7 @@ profiles::base::puppet_servers: profiles::dns::master::basedir: '/var/named/sources' profiles::dns::base::ns_role: 'roles::infra::dns::resolver' +profiles::dns::base::use_ns: 'region' profiles::packages::install: - bash-completion diff --git a/site/profiles/manifests/dns/base.pp b/site/profiles/manifests/dns/base.pp index 671bf3d..e22e964 100644 --- a/site/profiles/manifests/dns/base.pp +++ b/site/profiles/manifests/dns/base.pp @@ -3,16 +3,24 @@ class profiles::dns::base ( String $ns_role = undef, Array $search = [], Array $nameservers = ['8.8.8.8', '1.1.1.1'], + Enum[ + 'all', + 'region', + 'country' + ] $use_ns = 'all', ){ # install bind_utils include bind::updater # if ns_role is set, find all hosts matching that enc_role - if $ns_role == undef { - $nameserver_array = $nameservers - }else{ - $nameserver_array = query_nodes("enc_role='${ns_role}'", 'networking.ip') + $nameserver_array = $ns_role ? { + undef => $nameservers, + default => $use_ns ? { + 'all' => query_nodes("enc_role='${ns_role}'", 'networking.ip'), + 'region' => query_nodes("enc_role='${ns_role}' and region=${facts['region']}", 'networking.ip'), + 'country' => query_nodes("enc_role='${ns_role}' and country=${facts['country']}", 'networking.ip'), + } } # if search is undef, fallback to domainname from facts From 7b316c6b0b762aae2c1ec47d38060f31daf5bf7b Mon Sep 17 00:00:00 2001 
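Review bot: The `region` and `country` selector branches interpolate the fact value unquoted (`region=${facts['region']}`), while the `enc_role` term on the same line and the equivalent query in `clusterjoin.pp` quote theirs (`country='${facts['country']}'`); a bare value that starts with a digit or contains `-` may not parse in the puppetdbquery language, and either way the inconsistency is a trap. Use `region='${facts['region']}'` and `country='${facts['country']}'` here; the same unquoted form is copied into `ntp/client.pp` (patch 144) and `dns/master.pp` (patch 147). Pre-existing rather than introduced here: `String $ns_role = undef` does not type-check when the default is used — `Optional[String]` is what the `undef` selector branch expects.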
From: Ben Vincent Date: Tue, 23 Apr 2024 23:57:01 +1000 Subject: [PATCH 144/229] feat: sort ntpservers, select ntp to use - sort the ntpservers array so it doesnt change each run of puppet - allow the selection of all, region or country specific ntp servers --- hieradata/common.yaml | 1 + site/profiles/manifests/ntp/client.pp | 21 ++++++++++++++------- 2 files changed, 15 insertions(+), 7 deletions(-) diff --git a/hieradata/common.yaml b/hieradata/common.yaml index 185780a..2781951 100644 --- a/hieradata/common.yaml +++ b/hieradata/common.yaml @@ -46,6 +46,7 @@ hiera_classes: - timezone profiles::ntp::client::ntp_role: 'roles::infra::ntp::server' +profiles::ntp::client::use_ntp: 'region' profiles::ntp::client::peers: - 0.pool.ntp.org - 1.pool.ntp.org diff --git a/site/profiles/manifests/ntp/client.pp b/site/profiles/manifests/ntp/client.pp index e3c90a7..c09cff2 100644 --- a/site/profiles/manifests/ntp/client.pp +++ b/site/profiles/manifests/ntp/client.pp @@ -11,6 +11,11 @@ class profiles::ntp::client ( 'running', 'stopped' ] $wait_ensure = 'running', + Enum[ + 'all', + 'region', + 'country' + ] $use_ntp = 'all', Boolean $client_only = true, ) { 
@@ -18,23 +23,25 @@ class profiles::ntp::client ( # through the profiles::ntp::server class. if $client_only { - # if ntp_role is set, find all hosts matching that enc_role - if $ntp_role == undef { - $ntpserver_array = $peers - }else{ - $ntpserver_array = query_nodes("enc_role='${ntp_role}'", 'networking.fqdn') + $ntpserver_array = $ntp_role ? { + undef => $peers, + default => $use_ntp ? { + 'all' => query_nodes("enc_role='${ntp_role}'", 'networking.fqdn'), + 'region' => query_nodes("enc_role='${ntp_role}' and region=${facts['region']}", 'networking.fqdn'), + 'country' => query_nodes("enc_role='${ntp_role}' and country=${facts['country']}", 'networking.fqdn'), + } } # Define the client configuration based on OS family if $facts['os']['family'] == 'RedHat' { class { 'chrony': - servers => $ntpserver_array, + servers => sort($ntpserver_array), wait_enable => $wait_enable, wait_ensure => $wait_ensure, } } else { class { 'chrony': - servers => $ntpserver_array, + servers => sort($ntpserver_array), } } } From 3810385fcd89b443e6f0a260e91670806c747ee0 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Wed, 24 Apr 2024 18:13:56 +1000 Subject: [PATCH 145/229] feat: install ksm for proxmox --- site/profiles/manifests/proxmox/params.pp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/site/profiles/manifests/proxmox/params.pp b/site/profiles/manifests/proxmox/params.pp index 2a4844e..d520f45 100644 --- a/site/profiles/manifests/proxmox/params.pp +++ b/site/profiles/manifests/proxmox/params.pp @@ -23,7 +23,8 @@ class profiles::proxmox::params ( 'proxmox-ve', 'postfix', 'open-iscsi', - 'frr-pythontools' + 'frr-pythontools', + 'ksm-control-daemon' ], Array $pve_packages_remove = [ 'os-prober', From f8fd6700dabe4fc7a6ed2ce7ef63710b51e08c44 Mon Sep 17 00:00:00 2001 
From: Ben Vincent Date: Tue, 23 Apr 2024 22:39:33 +1000 Subject: [PATCH 146/229] feat: enable selecting nameserver by fact - enable selecting nameservers to use by region, country or all - set default for nameservers to be region --- hieradata/common.yaml | 1 + site/profiles/manifests/dns/base.pp | 16 ++++++++++++---- 2 files changed, 13 insertions(+), 4 deletions(-) diff --git a/hieradata/common.yaml b/hieradata/common.yaml index 185780a..9dd7df2 100644 --- a/hieradata/common.yaml +++ b/hieradata/common.yaml @@ -57,6 +57,7 @@ profiles::base::puppet_servers: profiles::dns::master::basedir: '/var/named/sources' profiles::dns::base::ns_role: 'roles::infra::dns::resolver' +profiles::dns::base::use_ns: 'region' profiles::packages::install: - bash-completion diff --git a/site/profiles/manifests/dns/base.pp b/site/profiles/manifests/dns/base.pp index 6bd2458..dcb43af 100644 --- a/site/profiles/manifests/dns/base.pp +++ b/site/profiles/manifests/dns/base.pp @@ -3,16 +3,24 @@ class profiles::dns::base ( String $ns_role = undef, Array $search = [], Array $nameservers = ['8.8.8.8', '1.1.1.1'], + Enum[ + 'all', + 'region', + 'country' + ] $use_ns = 'all', ){ # install bind_utils include bind::updater # if ns_role is set, find all hosts matching that enc_role - if $ns_role == undef { - $nameserver_array = $nameservers - }else{ - $nameserver_array = query_nodes("enc_role='${ns_role}'", 'networking.ip') + $nameserver_array = $ns_role ? { + undef => $nameservers, + default => $use_ns ? { + 'all' => query_nodes("enc_role='${ns_role}'", 'networking.ip'), + 'region' => query_nodes("enc_role='${ns_role}' and region=${facts['region']}", 'networking.ip'), + 'country' => query_nodes("enc_role='${ns_role}' and country=${facts['country']}", 'networking.ip'), + } } # if search is undef, fallback to domainname from facts From b8d799e8e950f4f38db090d53c5ee6e0c3731640 Mon Sep 17 00:00:00 2001 
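Review bot: Patch 146 carries the same subject, author date (`Tue, 23 Apr 2024 22:39:33 +1000`), description and hunks as patch 143, differing only in the `dns/base.pp` index line (`6bd2458..dcb43af` here, `671bf3d..e22e964` there), which looks like the same change re-applied during a rebase; if patch 143 is already on the branch this one either conflicts or is a no-op, so one of the two should be dropped from the series. The unquoted `region=`/`country=` query terms raised on patch 143 apply here unchanged.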
From: Ben Vincent Date: Wed, 24 Apr 2024 18:41:12 +1000 Subject: [PATCH 147/229] feat: select nameserver in soa based on role - find all dns servers in $ns_use (region/country/all), - or use the current node as the only nameserver --- hieradata/roles/infra/dns/master.yaml | 6 ++---- site/profiles/manifests/dns/master.pp | 22 ++++++++++++++++++++-- 2 files changed, 22 insertions(+), 6 deletions(-) diff --git a/hieradata/roles/infra/dns/master.yaml b/hieradata/roles/infra/dns/master.yaml index 84ed6cc..e9b81b7 100644 --- a/hieradata/roles/infra/dns/master.yaml +++ b/hieradata/roles/infra/dns/master.yaml @@ -1,8 +1,6 @@ --- -profiles::dns::master::nameservers: - - prodinf01n23.main.unkin.net - - prodinf01n24.main.unkin.net - +profiles::dns::master::ns_role: roles::infra::dns::master +profiles::dns::master::use_ns: region profiles::dns::master::acls: acl-main.unkin.net: addresses: diff --git a/site/profiles/manifests/dns/master.pp b/site/profiles/manifests/dns/master.pp index a66b665..440325e 100644 --- a/site/profiles/manifests/dns/master.pp +++ b/site/profiles/manifests/dns/master.pp @@ -1,6 +1,5 @@ # profiles::dns::master authoritative service class profiles::dns::master ( - Array[String] $nameservers, Stdlib::AbsolutePath $basedir, Hash $acls = {}, Hash $zones = {}, 
@@ -13,8 +12,27 @@ class profiles::dns::master ( String $owner = 'root', String $group = 'named', Boolean $dnssec = false, + Variant[String, Undef] $ns_role = undef, + Enum['all', 'region', 'country'] $use_ns = 'all', ){ + # if ns_role is set, find all hosts matching that enc_role, otherwise use the current host + $nameservers_array = $ns_role ? { + undef => [$facts['networking']['fqdn']], + default => $use_ns ? { + 'all' => query_nodes("enc_role='${ns_role}'", 'networking.fqdn'), + 'region' => query_nodes("enc_role='${ns_role}' and region=${facts['region']}", 'networking.fqdn'), + 'country' => query_nodes("enc_role='${ns_role}' and country=${facts['country']}", 'networking.fqdn'), + } + } + + # if nameservers is empty, use the current host, otherwise use nameservers_array as nameservers + $nameservers = empty($nameservers_array) ? { + true => [$facts['networking']['fqdn']], + false => $nameservers_array, + default => [$facts['networking']['fqdn']], + } + class {'profiles::dns::server': acls => $acls, zones => $zones, @@ -37,7 +55,7 @@ class profiles::dns::master ( profiles::dns::zone { $name: zone => $data['domain'], basedir => $basedir, - nameservers => $nameservers, + nameservers => sort($nameservers), owner => $owner, group => $group, before => Bind::Zone[$name] From 89fcfe38ea05f0ddb2dbc180a5cc254fa8212ad2 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Wed, 24 Apr 2024 19:31:18 +1000 Subject: [PATCH 148/229] feat: add syd1 consul cluster --- hieradata/country/au/region/syd1/infra/storage/consul.eyaml | 4 ++++ hieradata/country/au/region/syd1/infra/storage/consul.yaml | 3 +++ 2 files changed, 7 insertions(+) create mode 100644 hieradata/country/au/region/syd1/infra/storage/consul.eyaml create mode 100644 hieradata/country/au/region/syd1/infra/storage/consul.yaml diff --git a/hieradata/country/au/region/syd1/infra/storage/consul.eyaml b/hieradata/country/au/region/syd1/infra/storage/consul.eyaml new file mode 100644 index 0000000..948b16f --- /dev/null 
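Review bot: In the `empty($nameservers_array)` selector the `default =>` arm is unreachable, because `empty()` only yields `true` or `false`; `$nameservers = empty($nameservers_array) ? { true => [$facts['networking']['fqdn']], default => $nameservers_array }` says the same thing without the dead arm. `Variant[String, Undef] $ns_role = undef` is the idiomatic `Optional[String] $ns_role = undef`. The `region=` and `country=` values in the query strings are unquoted here as well, as noted on the profiles::dns::base hunk.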
+++ b/hieradata/country/au/region/syd1/infra/storage/consul.eyaml @@ -0,0 +1,4 @@ +--- +profiles::consul::server::gossip_key: ENC[PKCS7,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] +profiles::consul::server::acl_tokens_initial_management: ENC[PKCS7,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] +profiles::consul::server::acl_tokens_default: ENC[PKCS7,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] diff --git a/hieradata/country/au/region/syd1/infra/storage/consul.yaml b/hieradata/country/au/region/syd1/infra/storage/consul.yaml new file mode 100644 index 0000000..fef2905 --- /dev/null +++ b/hieradata/country/au/region/syd1/infra/storage/consul.yaml @@ -0,0 +1,3 @@ +--- +profiles::consul::server::bootstrap_count: 3 +profiles::consul::server::raft_multiplier: 10 From e0dbecbfa0d1f33b8288aba004b6b273fbe1207c Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Wed, 24 Apr 2024 23:30:27 +1000 Subject: [PATCH 149/229] feat: moved enc_role and enc_env to ruby facts --- modules/libs/lib/facter/enc_env.rb | 13 +++++++++ modules/libs/lib/facter/enc_role.rb | 13 +++++++++ site/profiles/manifests/base/facts.pp | 28 +++++++++++++------ .../base/facts/custom_facts.yaml.erb | 3 ++ 4 files changed, 48 insertions(+), 9 deletions(-) create mode 100644 modules/libs/lib/facter/enc_env.rb create mode 100644 modules/libs/lib/facter/enc_role.rb create mode 100644 site/profiles/templates/base/facts/custom_facts.yaml.erb diff --git a/modules/libs/lib/facter/enc_env.rb b/modules/libs/lib/facter/enc_env.rb new file mode 100644 index 0000000..2975c45 --- /dev/null +++ b/modules/libs/lib/facter/enc_env.rb @@ -0,0 +1,13 @@ +# frozen_string_literal: true + +Facter.add('enc_env') do + setcode do + require 'yaml' + # Check if the YAML file exists + if File.exist?('/root/.cache/custom_facts.yaml') + data = YAML.load_file('/root/.cache/custom_facts.yaml') + # Use safe navigation to return 'enc_env' or nil + data&.dig('enc_env') + end + end +end 
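Review bot: `YAML.load_file` in the new fact resolves to the full, non-safe loader on the Ruby/Psych versions bundled with older Puppet agents, and `data&.dig('enc_env')` raises `NoMethodError` when the file parses to something other than a Hash (a bare scalar, for instance), which surfaces as a facter error rather than a nil fact. Since the file only ever carries plain scalars, `data = YAML.safe_load(File.read(path))` followed by `data['enc_env'] if data.is_a?(Hash)` covers both. The path `/root/.cache/custom_facts.yaml` is spelled out in each fact and again in profiles::base::facts; one shared constant would keep them in step. The enc_role.rb fact in the next hunk has the identical shape and the same two points.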
diff --git a/modules/libs/lib/facter/enc_role.rb b/modules/libs/lib/facter/enc_role.rb new file mode 100644 index 0000000..979b4bf --- /dev/null +++ b/modules/libs/lib/facter/enc_role.rb @@ -0,0 +1,13 @@ +# frozen_string_literal: true + +Facter.add('enc_role') do + setcode do + require 'yaml' + # Check if the YAML file exists + if File.exist?('/root/.cache/custom_facts.yaml') + data = YAML.load_file('/root/.cache/custom_facts.yaml') + # Use safe navigation to return 'enc_role' or nil + data&.dig('enc_role') + end + end +end diff --git a/site/profiles/manifests/base/facts.pp b/site/profiles/manifests/base/facts.pp index e234625..aa89994 100644 --- a/site/profiles/manifests/base/facts.pp +++ b/site/profiles/manifests/base/facts.pp @@ -12,18 +12,28 @@ class profiles::base::facts { mode => '0755', } - # facts to create + # cleanup old facts files $fact_list = [ 'enc_role', 'enc_env' ] - - # Manage the external fact file with content from the template $fact_list.each | String $item | { file { "${facts_d_path}/${item}.txt": - ensure => file, - owner => 'root', - group => 'root', - mode => '0644', - content => template("profiles/base/facts/${item}.erb"), - require => File[$facts_d_path], + ensure => absent, } } + + # ensure the path to the custom store exists + file { '/root/.cache': + ensure => directory, + owner => 'root', + group => 'root', + mode => '0750', + } + + # create the file that will be read + file { '/root/.cache/custom_facts.yaml': + ensure => absent, + owner => 'root', + group => 'root', + mode => '0644', + content => template('profiles/base/facts/custom_facts.yaml.erb'), + } } diff --git a/site/profiles/templates/base/facts/custom_facts.yaml.erb b/site/profiles/templates/base/facts/custom_facts.yaml.erb new file mode 100644 index 0000000..e4b3895 --- /dev/null +++ b/site/profiles/templates/base/facts/custom_facts.yaml.erb @@ -0,0 +1,3 @@ +--- +enc_role: <%= @enc_role[0] %> +enc_env: <%= @enc_env %> 
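Review bot: With this change `enc_role` becomes a fact read from a file on the agent, `/root/.cache/custom_facts.yaml`, and the PuppetDB queries in profiles::dns::master and profiles::consul::server use that fact to decide which nodes become nameservers or consul cluster members. Facts are reported by the node itself, so any host that can write that file can claim an arbitrary role and be selected; the ENC assignment on the server side is the authoritative value and this fact is only a cached copy of it. A comment on the fact should say so, e.g. `# Cached copy of the ENC-assigned role; node-controlled, so not authoritative for membership or access decisions`, and membership decisions are safer keyed on something the server controls (trusted facts, or the classification PuppetDB already holds for the node).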
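Review bot: `@enc_role[0]` in the new template raises (`undefined method '[]' for nil`) and aborts the catalog when the ENC has not set `enc_role`, which is the bootstrap case this fact file exists to cover; `@enc_env` has the same exposure but merely renders empty. `enc_role: <%= Array(@enc_role).first %>` keeps the template rendering with an empty value instead. Both values are emitted as bare YAML scalars, so a value containing `:` or `#` would change the document; quoting them would make the output robust. The variables come from outside the parameterless class profiles::base::facts, presumably as top-scope ENC variables — worth a one-line comment at the top of the template.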
From 5f6ba933933b4e2cb002216e0be358b3e83b2cc3 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Wed, 24 Apr 2024 23:34:21 +1000 Subject: [PATCH 150/229] fix: absent to file, for custom_facts.yaml --- site/profiles/manifests/base/facts.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/site/profiles/manifests/base/facts.pp b/site/profiles/manifests/base/facts.pp index aa89994..5344d19 100644 --- a/site/profiles/manifests/base/facts.pp +++ b/site/profiles/manifests/base/facts.pp @@ -30,7 +30,7 @@ class profiles::base::facts { # create the file that will be read file { '/root/.cache/custom_facts.yaml': - ensure => absent, + ensure => file, owner => 'root', group => 'root', mode => '0644', From b6d3fc26de18dff3efe616d822b4504821ce5f47 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Wed, 24 Apr 2024 23:51:26 +1000 Subject: [PATCH 151/229] fix: enable new consul clusters to be started - wait for the enc_role fact to be correct, as this is required to find all keys in hiera --- site/profiles/manifests/consul/server.pp | 111 ++++++++++++----------- 1 file changed, 60 insertions(+), 51 deletions(-) diff --git a/site/profiles/manifests/consul/server.pp b/site/profiles/manifests/consul/server.pp index 83dac9f..295fa54 100644 --- a/site/profiles/manifests/consul/server.pp +++ b/site/profiles/manifests/consul/server.pp @@ -1,10 +1,16 @@ # profiles::consul::server class profiles::consul::server ( - String $gossip_key, - String $primary_datacenter, - Hash $acl, - Hash $ports, - Hash $addresses, + Variant[ + Undef, + String + ] $gossip_key = undef, + Variant[ + Undef, + String + ] $primary_datacenter = undef, + Hash $acl = {}, + Hash $ports = {}, + Hash $addresses = {}, Boolean $members_lookup = false, String $members_role = undef, Array $consul_servers = [], 
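Review bot: Defaulting `$gossip_key` and `$primary_datacenter` to `undef` means a missing or mis-keyed hiera value no longer fails compilation; for the gossip key, which presumably feeds consul's gossip encryption outside this hunk, that turns a lookup mistake into a cluster that is configured without a key, with nothing on the node saying so. If the undef default is needed for the bootstrap ordering, pair it with an explicit `if $gossip_key == undef { fail('profiles::consul::server: gossip_key is required') }` once the role check passes, and consider `Optional[Sensitive[String]]` (if the consul module accepts it) so the key does not land in catalogs and reports in clear. `Optional[String]` is the conventional spelling of `Variant[Undef, String]`.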
@@ -39,57 +45,60 @@ class profiles::consul::server ( Boolean $disable_update_check = true, ) { - # set a datacentre/cluster name - $consul_cluster = "${::facts['country']}-${::facts['region']}" + # wait for all attributes to be ready + if $facts['enc_role'] == $members_role { + # set a datacentre/cluster name + $consul_cluster = "${::facts['country']}-${::facts['region']}" - # if lookup is enabled, find all the hosts in the specified role and create the servers_array - if $members_lookup { + # if lookup is enabled, find all the hosts in the specified role and create the servers_array + if $members_lookup { - # check that the role is also set - unless !($members_role == undef) { - fail("members_role must be provided for ${title} when members_lookup is True") + # check that the role is also set + unless !($members_role == undef) { + fail("members_role must be provided for ${title} when members_lookup is True") + } + + # if it is, find hosts, sort them so they dont cause changes every run + $servers_array = sort(query_nodes("enc_role='${members_role}' and region='${::facts['region']}'", 'networking.fqdn')) + + # else use provided array from params + }else{ + $servers_array = $consul_servers } - # if it is, find hosts, sort them so they dont cause changes every run - $servers_array = sort(query_nodes("enc_role='${members_role}' and region='${::facts['region']}'", 'networking.fqdn')) + # if $data_dir starts with /data, ensure the data mount exists + if ($data_dir.stdlib::start_with('/data') and $::facts['mountpoints']['/data']) or ! $data_dir.stdlib::start_with('/data') { - # else use provided array from params - }else{ - $servers_array = $consul_servers - } - - # if $data_dir starts with /data, ensure the data mount exists - if ($data_dir.stdlib::start_with('/data') and $::facts['mountpoints']['/data']) or ! 
$data_dir.stdlib::start_with('/data') { - - # install consul - class { 'consul': - install_method => $install_method, - manage_repo => $manage_repo, - package_name => $package_name, - package_ensure => $package_ensure, - bin_dir => $bin_dir, - config_hash => { - 'primary_datacenter' => $primary_datacenter, - 'acl' => $acl, - 'ports' => $ports, - 'addresses' => $addresses, - 'disable_remote_exec' => $disable_remote_exec, - 'disable_update_check' => $disable_update_check, - 'domain' => $domain, - 'bootstrap_expect' => $bootstrap_count, - 'client_addr' => '0.0.0.0', - 'data_dir' => $data_dir, - 'datacenter' => $consul_cluster, - 'log_level' => 'INFO', - 'node_name' => $::facts['networking']['fqdn'], - 'server' => true, - 'ui' => $enable_ui, - 'ui_config' => { 'enabled' => $enable_ui_config }, - 'performance' => { 'raft_multiplier' => $raft_multiplier }, - 'bind_addr' => $::facts['networking']['ip'], - 'advertise_addr' => $::facts['networking']['ip'], - 'retry_join' => $servers_array - }, + # install consul + class { 'consul': + install_method => $install_method, + manage_repo => $manage_repo, + package_name => $package_name, + package_ensure => $package_ensure, + bin_dir => $bin_dir, + config_hash => { + 'primary_datacenter' => $primary_datacenter, + 'acl' => $acl, + 'ports' => $ports, + 'addresses' => $addresses, + 'disable_remote_exec' => $disable_remote_exec, + 'disable_update_check' => $disable_update_check, + 'domain' => $domain, + 'bootstrap_expect' => $bootstrap_count, + 'client_addr' => '0.0.0.0', + 'data_dir' => $data_dir, + 'datacenter' => $consul_cluster, + 'log_level' => 'INFO', + 'node_name' => $::facts['networking']['fqdn'], + 'server' => true, + 'ui' => $enable_ui, + 'ui_config' => { 'enabled' => $enable_ui_config }, + 'performance' => { 'raft_multiplier' => $raft_multiplier }, + 'bind_addr' => $::facts['networking']['ip'], + 'advertise_addr' => $::facts['networking']['ip'], + 'retry_join' => $servers_array + }, + } } } 
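Review bot: When `$facts['enc_role']` does not equal `$members_role` the whole class now silently becomes a no-op — no consul, no failure, no message — so a node whose fact file is stale or whose role is mistyped in hiera never converges and nothing in the run points at why. An `else` branch with `warning("profiles::consul::server: enc_role fact '${facts['enc_role']}' != members_role '${members_role}', skipping consul until the fact is refreshed")` would make that visible in agent output and reports. The `unless !($members_role == undef)` guard that moved with the block is a double negative; `if $members_role == undef { fail(...) }` reads directly. Note also that both values being undef satisfies the equality, so an unconfigured node appears to pass the guard.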
From 3ca92ee1f3941194ad853889d09793f532be0865 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Wed, 24 Apr 2024 23:55:50 +1000 Subject: [PATCH 152/229] fix: consul members role key - moved members_role for consul to common yaml --- hieradata/common.yaml | 1 + hieradata/roles/infra/storage/consul.yaml | 1 - site/profiles/manifests/consul/server.pp | 1 + 3 files changed, 2 insertions(+), 1 deletion(-) diff --git a/hieradata/common.yaml b/hieradata/common.yaml index b487c13..4b54a2b 100644 --- a/hieradata/common.yaml +++ b/hieradata/common.yaml @@ -59,6 +59,7 @@ profiles::base::puppet_servers: profiles::dns::master::basedir: '/var/named/sources' profiles::dns::base::ns_role: 'roles::infra::dns::resolver' profiles::dns::base::use_ns: 'region' +profiles::consul::server::members_role: roles::infra::storage::consul profiles::packages::install: - bash-completion diff --git a/hieradata/roles/infra/storage/consul.yaml b/hieradata/roles/infra/storage/consul.yaml index e3eb0fd..855a0f1 100644 --- a/hieradata/roles/infra/storage/consul.yaml +++ b/hieradata/roles/infra/storage/consul.yaml @@ -1,5 +1,4 @@ --- -profiles::consul::server::members_role: roles::infra::storage::consul profiles::consul::server::members_lookup: true profiles::consul::server::data_dir: /data/consul profiles::consul::server::primary_datacenter: 'au-drw1' diff --git a/site/profiles/manifests/consul/server.pp b/site/profiles/manifests/consul/server.pp index 295fa54..9dbffc0 100644 --- a/site/profiles/manifests/consul/server.pp +++ b/site/profiles/manifests/consul/server.pp @@ -47,6 +47,7 @@ class profiles::consul::server ( # wait for all attributes to be ready if $facts['enc_role'] == $members_role { + # set a datacentre/cluster name $consul_cluster = "${::facts['country']}-${::facts['region']}" From a7e9f1590e323898cf6abf42d4d95fdb2b2f01cc Mon Sep 17 00:00:00 2001 
From: Ben Vincent Date: Thu, 25 Apr 2024 00:07:51 +1000 Subject: [PATCH 153/229] fix: move primary_datacenter to region/role - set syd1 as primary consul datacentre - add consul.service.consul zone - add nginx reverse proxy for consul webui - set dns zones/acls/views/keys to be deep merged from hiera - update default token - add consul/consul.service.consul/consul.main.unkin.net to vault cert --- hieradata/common.yaml | 24 +++++ .../au/region/drw1/infra/dns/resolver.yaml | 44 +++++++++ .../au/region/drw1/infra/storage/consul.yaml | 1 + .../au/region/syd1/infra/dns/resolver.yaml | 44 +++++++++ .../au/region/syd1/infra/storage/consul.eyaml | 2 +- .../au/region/syd1/infra/storage/consul.yaml | 1 + hieradata/roles/infra/dns/resolver.yaml | 91 ++++++++++------- hieradata/roles/infra/storage/consul.yaml | 7 +- site/profiles/manifests/consul/nginx.pp | 97 +++++++++++++++++++ site/profiles/manifests/consul/server.pp | 6 +- 10 files changed, 276 insertions(+), 41 deletions(-) create mode 100644 hieradata/country/au/region/drw1/infra/dns/resolver.yaml create mode 100644 hieradata/country/au/region/syd1/infra/dns/resolver.yaml create mode 100644 site/profiles/manifests/consul/nginx.pp diff --git a/hieradata/common.yaml b/hieradata/common.yaml index 4b54a2b..c1c6138 100644 --- a/hieradata/common.yaml +++ b/hieradata/common.yaml @@ -39,6 +39,30 @@ lookup_options: profiles::base::groups::local: merge: strategy: deep + profiles::dns::resolver::zones: + merge: + strategy: deep + profiles::dns::resolver::acls: + merge: + strategy: deep + profiles::dns::resolver::views: + merge: + strategy: deep + profiles::dns::resolver::keys: + merge: + strategy: deep + profiles::dns::master::zones: + merge: + strategy: deep + profiles::dns::master::acls: + merge: + strategy: deep + profiles::dns::master::views: + merge: + strategy: deep + profiles::dns::master::keys: + merge: + strategy: deep facts_path: '/opt/puppetlabs/facter/facts.d' 
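Review bot: Switching the resolver and master `acls`, `zones`, `views` and `keys` to `strategy: deep` changes what an override at a more specific hiera level can do: under a deep merge, array values such as an ACL's `addresses` list are combined across levels rather than replaced, so a region or node file can widen `acl-main.unkin.net` but can no longer narrow it. That is fine if the intent is purely additive, but it deserves a comment next to the options, e.g. `# deep merge: arrays are unioned across levels; a lower level cannot remove an ACL address or zone`. If narrowing is ever needed, the lookup option `knockout_prefix` on the deep strategy is the escape hatch.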
diff --git a/hieradata/country/au/region/drw1/infra/dns/resolver.yaml b/hieradata/country/au/region/drw1/infra/dns/resolver.yaml new file mode 100644 index 0000000..49afb06 --- /dev/null +++ b/hieradata/country/au/region/drw1/infra/dns/resolver.yaml @@ -0,0 +1,44 @@ +--- +profiles::dns::resolver::zones: + main.unkin.net-forward: + domain: 'main.unkin.net' + zone_type: 'forward' + forwarders: + - 198.18.17.23 + - 198.18.17.24 + forward: 'only' + 13.18.198.in-addr.arpa-forward: + domain: '13.18.198.in-addr.arpa' + zone_type: 'forward' + forwarders: + - 198.18.17.23 + - 198.18.17.24 + forward: 'only' + 14.18.198.in-addr.arpa-forward: + domain: '14.18.198.in-addr.arpa' + zone_type: 'forward' + forwarders: + - 198.18.17.23 + - 198.18.17.24 + forward: 'only' + 15.18.198.in-addr.arpa-forward: + domain: '15.18.198.in-addr.arpa' + zone_type: 'forward' + forwarders: + - 198.18.17.23 + - 198.18.17.24 + forward: 'only' + 16.18.198.in-addr.arpa-forward: + domain: '16.18.198.in-addr.arpa' + zone_type: 'forward' + forwarders: + - 198.18.17.23 + - 198.18.17.24 + forward: 'only' + 17.18.198.in-addr.arpa-forward: + domain: '17.18.198.in-addr.arpa' + zone_type: 'forward' + forwarders: + - 198.18.17.23 + - 198.18.17.24 + forward: 'only' diff --git a/hieradata/country/au/region/drw1/infra/storage/consul.yaml b/hieradata/country/au/region/drw1/infra/storage/consul.yaml index fef2905..11b6a2f 100644 --- a/hieradata/country/au/region/drw1/infra/storage/consul.yaml +++ b/hieradata/country/au/region/drw1/infra/storage/consul.yaml @@ -1,3 +1,4 @@ --- profiles::consul::server::bootstrap_count: 3 profiles::consul::server::raft_multiplier: 10 +profiles::consul::server::primary_datacenter: 'au-drw1' diff --git a/hieradata/country/au/region/syd1/infra/dns/resolver.yaml b/hieradata/country/au/region/syd1/infra/dns/resolver.yaml new file mode 100644 index 0000000..ddde7f5 --- /dev/null +++ b/hieradata/country/au/region/syd1/infra/dns/resolver.yaml 
@@ -0,0 +1,44 @@ +--- +profiles::dns::resolver::zones: + main.unkin.net-forward: + domain: 'main.unkin.net' + zone_type: 'forward' + forwarders: + - 198.18.13.14 + - 198.18.13.15 + forward: 'only' + 13.18.198.in-addr.arpa-forward: + domain: '13.18.198.in-addr.arpa' + zone_type: 'forward' + forwarders: + - 198.18.13.14 + - 198.18.13.15 + forward: 'only' + 14.18.198.in-addr.arpa-forward: + domain: '14.18.198.in-addr.arpa' + zone_type: 'forward' + forwarders: + - 198.18.13.14 + - 198.18.13.15 + forward: 'only' + 15.18.198.in-addr.arpa-forward: + domain: '15.18.198.in-addr.arpa' + zone_type: 'forward' + forwarders: + - 198.18.13.14 + - 198.18.13.15 + forward: 'only' + 16.18.198.in-addr.arpa-forward: + domain: '16.18.198.in-addr.arpa' + zone_type: 'forward' + forwarders: + - 198.18.13.14 + - 198.18.13.15 + forward: 'only' + 17.18.198.in-addr.arpa-forward: + domain: '17.18.198.in-addr.arpa' + zone_type: 'forward' + forwarders: + - 198.18.13.14 + - 198.18.13.15 + forward: 'only' diff --git a/hieradata/country/au/region/syd1/infra/storage/consul.eyaml b/hieradata/country/au/region/syd1/infra/storage/consul.eyaml index 948b16f..3d28bc6 100644 --- a/hieradata/country/au/region/syd1/infra/storage/consul.eyaml +++ b/hieradata/country/au/region/syd1/infra/storage/consul.eyaml 
@@ -1,4 +1,4 @@ --- profiles::consul::server::gossip_key: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEADwwYLK+fU0M/uLqQpRjHnIAyrt6yPEZSXpUX2jvOGVOA63X8LOYpLVfEGWMmkZ7BHRO0fgr847UUI/xI8otIuiOpgtW2E7QLWs806KUNXz+L8c7kSnQ1XAD5R81/5joDHl4AIxl5fAGryTXH1gfnpTMWh2yjFzU/KYuk2GhrU0M9ewCGJErQG4pT4u3ymGmkLjx6AiZ8r9xb4Eos2bhCCpFWfyb0kKcJqdKU9mzy508byNCfp8lr1DoKxEQrdqSSAQdepn6wCgBZtlAK/k63tOqM9dxyDaCsK8vLG9LlvuEwi3OL2lzTtc1mAcdYxahDo3uBX0/VcCswaXq3nPnu3TBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBCUwXPoMh/dylvFwyRzAsnRgDDvh5CHrzJYdUXWGsauYlifOOukYokkwG3yqqtCByveMqVWfWsQukiDTixdqpCgfzw=] profiles::consul::server::acl_tokens_initial_management: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAi1UH7AZirJ1PdxWy+KEgS5ufm0wbn2xy9rkg14hKYpcVjBa4pOZpSLMGMiiUpBIqBytDMZM4ezYa/luktpkBImJbM/TE16beGtsacQGA+9eZk2Tihs9GR2qbAQiu5lLITiDlwNnf0GeWdqHM8CTeD68DczQF320d9U14/k6pG/7z+w/MGLcjsQoSuOFTm42JVn1BI46t1CYSCHMXQc/9Tfs+FzI+vumohI8DxAYBIuyzU5HBX/MntAsvD/yixMJS1pZL9WwgqZJC/wK34rVRB39DpxWf/WROrI+WLuSJwr7WBjaeF9Ju+89WKCgsI53EWhFTj8GgDZm/jqPoE478NjBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBAoACRzJdQKNYXZv6cghFIIgDAzB81DMcuY815nb8POtZpiA06jT/068AoZmSctHoFK/zW9tY229N5r1Tb+WHElqLk=] -profiles::consul::server::acl_tokens_default: ENC[PKCS7,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] +profiles::consul::server::acl_tokens_default: ENC[PKCS7,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] diff --git a/hieradata/country/au/region/syd1/infra/storage/consul.yaml b/hieradata/country/au/region/syd1/infra/storage/consul.yaml index fef2905..4bd8c14 100644 --- a/hieradata/country/au/region/syd1/infra/storage/consul.yaml +++ b/hieradata/country/au/region/syd1/infra/storage/consul.yaml @@ -1,3 +1,4 @@ --- profiles::consul::server::bootstrap_count: 3 profiles::consul::server::raft_multiplier: 10 +profiles::consul::server::primary_datacenter: 'au-syd1' 
diff --git a/hieradata/roles/infra/dns/resolver.yaml b/hieradata/roles/infra/dns/resolver.yaml index 18008a4..6be9009 100644 --- a/hieradata/roles/infra/dns/resolver.yaml +++ b/hieradata/roles/infra/dns/resolver.yaml @@ -2,6 +2,7 @@ profiles::dns::resolver::acls: acl-main.unkin.net: addresses: + - 10.10.8.1/32 - 198.18.21.160/27 - 198.18.21.192/27 - 198.18.13.0/24 
@@ -11,53 +12,62 @@ profiles::dns::resolver::acls: - 198.18.17.0/24 profiles::dns::resolver::zones: - main.unkin.net-forward: - domain: 'main.unkin.net' + 8.10.10.in-addr.arpa-forward: + domain: '8.10.10.in-addr.arpa' zone_type: 'forward' forwarders: - - 198.18.17.23 - - 198.18.17.24 + - 10.10.16.32 + - 10.10.16.33 + forward: 'only' + 16.10.10.in-addr.arpa-forward: + domain: '16.10.10.in-addr.arpa' + zone_type: 'forward' + forwarders: + - 10.10.16.32 + - 10.10.16.33 + forward: 'only' + 20.10.10.in-addr.arpa-forward: + domain: '20.10.10.in-addr.arpa' + zone_type: 'forward' + forwarders: + - 10.10.16.32 + - 10.10.16.33 + forward: 'only' + unkin.net-forward: + domain: 'unkin.net' + zone_type: 'forward' + forwarders: + - 10.10.16.32 + - 10.10.16.33 + forward: 'only' + dmz.unkin.net-forward: + domain: 'dmz.unkin.net' + zone_type: 'forward' + forwarders: + - 10.10.16.32 + - 10.10.16.33 + forward: 'only' + network.unkin.net-forward: + domain: 'network.unkin.net' + zone_type: 'forward' + forwarders: + - 10.10.16.32 + - 10.10.16.33 forward: 'only' prod.unkin.net-forward: domain: 'prod.unkin.net' zone_type: 'forward' forwarders: - - 10.10.8.1 + - 10.10.16.32 + - 10.10.16.33 forward: 'only' - 13.18.198.in-addr.arpa-forward: - domain: '13.18.198.in-addr.arpa' + consul.service.consul-forward: + domain: 'consul.service.consul' zone_type: 'forward' forwarders: - - 198.18.17.23 - - 198.18.17.24 - forward: 'only' - 14.18.198.in-addr.arpa-forward: - domain: '14.18.198.in-addr.arpa' - zone_type: 'forward' - forwarders: - - 198.18.17.23 - - 198.18.17.24 - forward: 'only' - 15.18.198.in-addr.arpa-forward: - domain: '15.18.198.in-addr.arpa' - zone_type: 'forward' - forwarders: - - 198.18.17.23 - - 198.18.17.24 - forward: 'only' - 16.18.198.in-addr.arpa-forward: - domain: '16.18.198.in-addr.arpa' - zone_type: 'forward' - forwarders: - - 198.18.17.23 - - 198.18.17.24 - forward: 'only' - 17.18.198.in-addr.arpa-forward: - domain: '17.18.198.in-addr.arpa' - zone_type: 'forward' - forwarders: 
- - 198.18.17.23 - - 198.18.17.24 + - 198.18.13.19 + - 198.18.13.20 + - 198.18.13.21 forward: 'only' profiles::dns::resolver::views: @@ -65,11 +75,18 @@ profiles::dns::resolver::views: recursion: true zones: - main.unkin.net-forward + - unkin.net-forward + - dmz.unkin.net-forward + - network.unkin.net-forward - prod.unkin.net-forward + - consul.service.consul-forward - 13.18.198.in-addr.arpa-forward - 14.18.198.in-addr.arpa-forward - 15.18.198.in-addr.arpa-forward - 16.18.198.in-addr.arpa-forward - 17.18.198.in-addr.arpa-forward + - 8.10.10.in-addr.arpa-forward + - 16.10.10.in-addr.arpa-forward + - 20.10.10.in-addr.arpa-forward match_clients: - acl-main.unkin.net diff --git a/hieradata/roles/infra/storage/consul.yaml b/hieradata/roles/infra/storage/consul.yaml index 855a0f1..1aef9be 100644 --- a/hieradata/roles/infra/storage/consul.yaml +++ b/hieradata/roles/infra/storage/consul.yaml @@ -1,7 +1,6 @@ --- profiles::consul::server::members_lookup: true profiles::consul::server::data_dir: /data/consul -profiles::consul::server::primary_datacenter: 'au-drw1' profiles::consul::server::addresses: dns: "%{::networking.ip}" http: "%{::networking.ip}" @@ -19,3 +18,9 @@ profiles::consul::server::acl: tokens: initial_management: "%{alias('profiles::consul::server::acl_tokens_initial_management')}" default: "%{alias('profiles::consul::server::acl_tokens_default')}" + +# additional altnames +profiles::pki::vault::alt_names: + - consul.main.unkin.net + - consul.service.consul + - consul diff --git a/site/profiles/manifests/consul/nginx.pp b/site/profiles/manifests/consul/nginx.pp new file mode 100644 index 0000000..59d5fad --- /dev/null +++ b/site/profiles/manifests/consul/nginx.pp 
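Review bot: The view's `zones` list still names `main.unkin.net-forward` and the `13`–`17.18.198.in-addr.arpa-forward` zones, but their definitions were removed from this role file in the preceding hunk and now exist only in the per-region `resolver.yaml` files added by this commit. With the deep merge that works for drw1 and syd1, but a resolver in a region without such a file would get a view referring to zones that are not defined; a comment here, e.g. `# main.unkin.net and 1x.18.198.in-addr.arpa forward zones are defined per region under hieradata/country/*/region/*/infra/dns/resolver.yaml`, would make the dependency explicit. Whether profiles::dns::resolver fails or silently drops an undefined zone is not visible in this change.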
@@ -0,0 +1,97 @@ +# profiles::consul::nginx +class profiles::consul::nginx ( + String $nginx_vhost = 'consul.service.consul', + Stdlib::Port $nginx_port = 80, + Stdlib::Port $nginx_ssl_port = 443, + Enum['http','https','both'] $nginx_listen_mode = 'https', + Enum['puppet', 'vault'] $nginx_cert_type = 'vault' +) { + + # set the server_names + $server_names = [$facts['networking']['fqdn'], $nginx_vhost, 'consul', 'consul.main.unkin.net'] + + # select the certificates to use based on cert type + case $nginx_cert_type { + 'puppet': { + $selected_ssl_cert = "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.crt" + $selected_ssl_key = "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.key" + } + 'vault': { + $selected_ssl_cert = '/etc/pki/tls/vault/certificate.crt' + $selected_ssl_key = '/etc/pki/tls/vault/private.key' + } + default: { + # enum param prevents this ever being reached + } + } + + # set variables based on the listen_mode + case $nginx_listen_mode { + 'http': { + $enable_ssl = false + $ssl_cert = undef + $ssl_key = undef + $listen_port = $nginx_port + $listen_ssl_port = undef + $extras_hash = {} + } + 'https': { + $enable_ssl = true + $ssl_cert = $selected_ssl_cert + $ssl_key = $selected_ssl_key + $listen_port = $nginx_ssl_port + $listen_ssl_port = $nginx_ssl_port + $extras_hash = { + 'subscribe' => [File[$ssl_cert], File[$ssl_key]], + } + } + 'both': { + $enable_ssl = true + $ssl_cert = $selected_ssl_cert + $ssl_key = $selected_ssl_key + $listen_port = $nginx_port + $listen_ssl_port = $nginx_ssl_port + $extras_hash = { + 'subscribe' => [File[$ssl_cert], File[$ssl_key]], + } + } + default: { + # enum param prevents this ever being reached + } + } + + # define the default parameters for the nginx server + $defaults = { + 'listen_port' => $listen_port, + 'server_name' => $server_names, + 'use_default_location' => true, + 'access_log' => "/var/log/nginx/${nginx_vhost}_access.log", + 'error_log' => "/var/log/nginx/${nginx_vhost}_error.log", + 'autoindex' => 
'on', + 'ssl' => $enable_ssl, + 'ssl_cert' => $ssl_cert, + 'ssl_key' => $ssl_key, + 'ssl_port' => $listen_ssl_port, + 'proxy' => "http://${facts['networking']['ip']}:8500/", + } + + # merge the hashes conditionally + $nginx_parameters = merge($defaults, $extras_hash) + + # manage the nginx class + include 'nginx' + + # create the nginx vhost with the merged parameters + create_resources('nginx::resource::server', { $nginx_vhost => $nginx_parameters }) + + # manage selinux + if $::facts['os']['selinux']['config_mode'] == 'enforcing' { + + # make sure nginx can reverse proxy + selboolean { 'httpd_can_network_connect': + persistent => true, + value => 'on', + } + + } +} diff --git a/site/profiles/manifests/consul/server.pp b/site/profiles/manifests/consul/server.pp index 9dbffc0..97137a4 100644 --- a/site/profiles/manifests/consul/server.pp +++ b/site/profiles/manifests/consul/server.pp @@ -102,10 +102,12 @@ class profiles::consul::server ( } } } - - # consul before dnsmasq + # consul before extra services if defined(Class['consul']) { + # setup nginx + include profiles::consul::nginx + # get the dns port from the $ports hash, otherwise use the default $dns_port = pick($ports['dns'], 8600) From f536d190342ee9b2a8375c6f04c66bdc3a2b3593 Mon Sep 17 00:00:00 2001 
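Review bot: The vhost proxies the entire Consul HTTP API (`'proxy' => "http://${facts['networking']['ip']}:8500/"`), not only the UI, so any client that can reach the listener can drive `/v1/...` with whatever the anonymous/default token allows, and in `'both'` mode it does so over plain HTTP on port 80 as well. If the goal is the web UI, restrict the server to the paths the UI needs or add a client allow list, and reconsider offering `'http'`/`'both'` at all for an endpoint that carries ACL tokens. `'autoindex' => 'on'` has no role on a proxy-only vhost and should be `'off'`. The `'https'` and `'both'` arms differ only in `$listen_port`; computing that one value separately would remove the duplicated block.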
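Review bot: `include profiles::consul::nginx` sits under `if defined(Class['consul'])`, and `defined()` on a class is evaluation-order dependent: it holds here only because `class { 'consul': ... }` is declared earlier in this same class body, which lies outside the hunk. A comment such as `# defined() is parse-order dependent; relies on class { 'consul': } being declared above in this class` would stop a later refactor from moving that declaration and silently dropping nginx.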
From: Ben Vincent Date: Sat, 27 Apr 2024 01:16:05 +1000 Subject: [PATCH 154/229] feat: generate consul policy/tokens - generate policy/token to add nodes - generate policy/token for all nodes - add base::root profile to manage aspects of the root user --- hieradata/common.eyaml | 4 ++ hieradata/common.yaml | 1 + .../au/region/syd1/infra/storage/consul.eyaml | 2 - site/profiles/manifests/base.pp | 2 + site/profiles/manifests/base/root.pp | 13 +++++ site/profiles/manifests/consul/client.pp | 53 +++++++++++++++++++ site/profiles/manifests/consul/policies.pp | 23 ++++++++ site/profiles/manifests/consul/server.pp | 4 +- site/profiles/manifests/consul/tokens.pp | 13 +++++ 9 files changed, 112 insertions(+), 3 deletions(-) create mode 100644 site/profiles/manifests/base/root.pp create mode 100644 site/profiles/manifests/consul/client.pp create mode 100644 site/profiles/manifests/consul/policies.pp create mode 100644 site/profiles/manifests/consul/tokens.pp diff --git a/hieradata/common.eyaml b/hieradata/common.eyaml index 91e63a8..bf97631 100644 --- a/hieradata/common.eyaml +++ b/hieradata/common.eyaml 
@@ -1,3 +1,7 @@ --- profiles::accounts::sysadmin::password: ENC[PKCS7,MIIBqQYJKoZIhvcNAQcDoIIBmjCCAZYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAoS7GyofFaXBNTWU+GtSiz4eCX/9j/sh3fDDRgOgNv1qpcQ87ZlTTenbHo9lxeURxKQ2HVVt7IsrBo/SC/WgipAKnliRkkIvo7nfAs+i+kEE8wakjAs0DcB4mhqtIZRuBkLG2Nay//DcG6cltVkbKEEKmKLMkDFZgTWreOZal8nDljpVe1S8QwtwP4/6hKTef5xsOnrisxuffWTXvwYJhj/VXrjdoH7EhtHGLybzEalglkVHEGft/WrrD/0bwJpmR0RegWI4HTsSvGiHgvf5DZJx8fXPZNPnicGtlfA9ccQPuVo17bY4Qf/WIc1A8Ssv4kHSbNIYJKRymI3UFb0Z4wzBsBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBBxDLb6pCGbittkcX6asd/gEBmMcUNupDjSECq5H09YA70eVwWWe0fBqxTxrr2cXCXtRKFvOk8SJmL0xHAWodaLN9+krTWHJcWbAK8JXEPC7rn] profiles::accounts::root::password: ENC[PKCS7,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] +profiles::consul::client::secret_id_salt: ENC[PKCS7,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] +profiles::consul::token::node_editor::secret_id: ENC[PKCS7,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] +profiles::consul::server::acl_tokens_initial_management: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAi1UH7AZirJ1PdxWy+KEgS5ufm0wbn2xy9rkg14hKYpcVjBa4pOZpSLMGMiiUpBIqBytDMZM4ezYa/luktpkBImJbM/TE16beGtsacQGA+9eZk2Tihs9GR2qbAQiu5lLITiDlwNnf0GeWdqHM8CTeD68DczQF320d9U14/k6pG/7z+w/MGLcjsQoSuOFTm42JVn1BI46t1CYSCHMXQc/9Tfs+FzI+vumohI8DxAYBIuyzU5HBX/MntAsvD/yixMJS1pZL9WwgqZJC/wK34rVRB39DpxWf/WROrI+WLuSJwr7WBjaeF9Ju+89WKCgsI53EWhFTj8GgDZm/jqPoE478NjBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBAoACRzJdQKNYXZv6cghFIIgDAzB81DMcuY815nb8POtZpiA06jT/068AoZmSctHoFK/zW9tY229N5r1Tb+WHElqLk=] +profiles::consul::server::acl_tokens_default: ENC[PKCS7,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] diff --git a/hieradata/common.yaml b/hieradata/common.yaml index c1c6138..9fa4d12 100644 --- a/hieradata/common.yaml +++ b/hieradata/common.yaml 
@@ -84,6 +84,7 @@ profiles::dns::master::basedir: '/var/named/sources' profiles::dns::base::ns_role: 'roles::infra::dns::resolver' profiles::dns::base::use_ns: 'region' profiles::consul::server::members_role: roles::infra::storage::consul +profiles::consul::token::node_editor::accessor_id: '024e27bd-c5bb-41e7-a578-b766509e11bc' profiles::packages::install: - bash-completion diff --git a/hieradata/country/au/region/syd1/infra/storage/consul.eyaml b/hieradata/country/au/region/syd1/infra/storage/consul.eyaml index 3d28bc6..fd508a6 100644 --- a/hieradata/country/au/region/syd1/infra/storage/consul.eyaml +++ b/hieradata/country/au/region/syd1/infra/storage/consul.eyaml 
@@ -1,4 +1,2 @@ --- profiles::consul::server::gossip_key: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEADwwYLK+fU0M/uLqQpRjHnIAyrt6yPEZSXpUX2jvOGVOA63X8LOYpLVfEGWMmkZ7BHRO0fgr847UUI/xI8otIuiOpgtW2E7QLWs806KUNXz+L8c7kSnQ1XAD5R81/5joDHl4AIxl5fAGryTXH1gfnpTMWh2yjFzU/KYuk2GhrU0M9ewCGJErQG4pT4u3ymGmkLjx6AiZ8r9xb4Eos2bhCCpFWfyb0kKcJqdKU9mzy508byNCfp8lr1DoKxEQrdqSSAQdepn6wCgBZtlAK/k63tOqM9dxyDaCsK8vLG9LlvuEwi3OL2lzTtc1mAcdYxahDo3uBX0/VcCswaXq3nPnu3TBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBCUwXPoMh/dylvFwyRzAsnRgDDvh5CHrzJYdUXWGsauYlifOOukYokkwG3yqqtCByveMqVWfWsQukiDTixdqpCgfzw=] -profiles::consul::server::acl_tokens_initial_management: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAi1UH7AZirJ1PdxWy+KEgS5ufm0wbn2xy9rkg14hKYpcVjBa4pOZpSLMGMiiUpBIqBytDMZM4ezYa/luktpkBImJbM/TE16beGtsacQGA+9eZk2Tihs9GR2qbAQiu5lLITiDlwNnf0GeWdqHM8CTeD68DczQF320d9U14/k6pG/7z+w/MGLcjsQoSuOFTm42JVn1BI46t1CYSCHMXQc/9Tfs+FzI+vumohI8DxAYBIuyzU5HBX/MntAsvD/yixMJS1pZL9WwgqZJC/wK34rVRB39DpxWf/WROrI+WLuSJwr7WBjaeF9Ju+89WKCgsI53EWhFTj8GgDZm/jqPoE478NjBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBAoACRzJdQKNYXZv6cghFIIgDAzB81DMcuY815nb8POtZpiA06jT/068AoZmSctHoFK/zW9tY229N5r1Tb+WHElqLk=] -profiles::consul::server::acl_tokens_default: ENC[PKCS7,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] diff --git a/site/profiles/manifests/base.pp b/site/profiles/manifests/base.pp index 5d30011..a387570 100644 --- a/site/profiles/manifests/base.pp +++ b/site/profiles/manifests/base.pp @@ -22,6 +22,7 @@ class profiles::base ( include profiles::base::scripts include profiles::base::hosts include profiles::base::groups + include profiles::base::root include profiles::accounts::sysadmin include profiles::ntp::client include profiles::dns::base 
@@ -29,6 +30,7 @@ class profiles::base ( include profiles::cloudinit::init include profiles::metrics::default include profiles::helpers::node_lookup + include profiles::consul::client # include the python class class { 'python': diff --git a/site/profiles/manifests/base/root.pp b/site/profiles/manifests/base/root.pp new file mode 100644 index 0000000..d53951e --- /dev/null +++ b/site/profiles/manifests/base/root.pp @@ -0,0 +1,13 @@ +# manage the root user +class profiles::base::root { + + # TODO + # for now, add some root directories + + file {'/root/.config': + ensure => directory, + owner => 'root', + group => 'root', + mode => '0600', + } +} diff --git a/site/profiles/manifests/consul/client.pp b/site/profiles/manifests/consul/client.pp new file mode 100644 index 0000000..edfd1ec --- /dev/null +++ b/site/profiles/manifests/consul/client.pp 
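Review bot: `mode => '0600'` on the `/root/.config` directory in base/root.pp names a mode that is not what is meant for a directory, since entering it requires the search (x) bit. Puppet adds the search bit wherever the read bit is set on directories, so the on-disk result is 0700 anyway, but the manifest should say what it enforces: `mode => '0700',`. The bare `# TODO` above the resource would be more useful if it said what root-user management is still expected to land in this class.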
@@ -0,0 +1,53 @@ +# profiles::consul::client +class profiles::consul::client ( + String $secret_id_salt = '', + Stdlib::Fqdn $consul_hostname = 'consul.service.consul', + Enum['http','https'] $consul_protocol = 'http', + Stdlib::Port $consul_port = 8500, + String $consul_api_token = lookup('profiles::consul::server::acl_tokens_initial_management'), +) { + + # Create ACL policy that allows nodes to update themselves and read others + consul_policy { $facts['networking']['hostname']: + description => "${facts['networking']['fqdn']} puppet-generated-policy", + rules => [ + { + 'resource' => 'node', + 'segment' => $facts['networking']['hostname'], + 'disposition' => 'write' + }, + { + 'resource' => 'node', + 'segment' => '', + 'disposition' => 'read' + } + ], + acl_api_token => $consul_api_token, + hostname => $consul_hostname, + protocol => $consul_protocol, + port => $consul_port, + } + + consul_token { $facts['networking']['hostname']: + accessor_id => fqdn_uuid($facts['networking']['fqdn']), + description => "${facts['networking']['fqdn']} puppet-generated-token", + policies_by_name => [$facts['networking']['hostname']], + acl_api_token => $consul_api_token, + secret_id => fqdn_uuid("${facts['networking']['fqdn']}-${secret_id_salt}"), + hostname => $consul_hostname, + protocol => $consul_protocol, + port => $consul_port, + + } + + # ensure the consul token is saved for the root user + file {'/root/.config/consul_node_token': + ensure => file, + owner => 'root', + group => 'root', + mode => '0600', + content => Sensitive(fqdn_uuid("${facts['networking']['fqdn']}-${secret_id_salt}")), + require => File['/root/.config'], + } + +} diff --git a/site/profiles/manifests/consul/policies.pp b/site/profiles/manifests/consul/policies.pp new file mode 100644 index 0000000..df1bf2a --- /dev/null +++ b/site/profiles/manifests/consul/policies.pp 
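Review bot: Every agent node's catalog in consul/client.pp carries the Consul initial management token (`$consul_api_token = lookup('profiles::consul::server::acl_tokens_initial_management')`) and uses it from the node to create its own policy and token, so one compromised host holds cluster-wide ACL admin, and the token sits in that node's catalog and reports unless it is wrapped in `Sensitive`. The node token's `secret_id` is `fqdn_uuid("${fqdn}-${secret_id_salt}")` with `$secret_id_salt` defaulting to `''`, i.e. a deterministic UUIDv5 of the hostname: anyone who knows a node's FQDN can compute its token. At minimum make the salt a required eyaml-backed value (`Sensitive[String] $secret_id_salt,`) and declare `Sensitive[String] $consul_api_token = Sensitive(lookup(...))` if the consul_* types accept Sensitive values; better, mint node tokens from one place on the server side with a token holding only `acl` write and hand each node just its own secret. Note that this same commit removes `acl_tokens_initial_management` from the syd1 consul.eyaml, so the lookup here needs that key at another hiera layer or catalog compilation fails.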
@@ -0,0 +1,23 @@ +# profiles::consul::policies +class profiles::consul::policies ( + String $root_api_token = lookup('profiles::consul::server::acl_tokens_initial_management'), +) { + + consul_policy { 'node_editor': + description => 'Policy to read/write all nodes puppet-generated-policy', + rules => [ + { + 'resource' => 'node', + 'segment' => '', + 'disposition' => 'write' + }, + { + 'resource' => 'node', + 'segment' => '', + 'disposition' => 'read' + } + ], + acl_api_token => $root_api_token, + hostname => $facts['networking']['ip'], + } +} diff --git a/site/profiles/manifests/consul/server.pp b/site/profiles/manifests/consul/server.pp index 97137a4..b3ec8c7 100644 --- a/site/profiles/manifests/consul/server.pp +++ b/site/profiles/manifests/consul/server.pp @@ -105,8 +105,10 @@ class profiles::consul::server ( # consul before extra services if defined(Class['consul']) { - # setup nginx + # include nginx, policies and tokens include profiles::consul::nginx + include profiles::consul::policies + include profiles::consul::tokens # get the dns port from the $ports hash, otherwise use the default $dns_port = pick($ports['dns'], 8600) diff --git a/site/profiles/manifests/consul/tokens.pp b/site/profiles/manifests/consul/tokens.pp new file mode 100644 index 0000000..c471783 --- /dev/null +++ b/site/profiles/manifests/consul/tokens.pp @@ -0,0 +1,13 @@ +# profiles::consul::tokens +class profiles::consul::tokens ( + String $root_api_token = lookup('profiles::consul::server::acl_tokens_initial_management'), +){ + + consul_token { 'node_editor': + accessor_id => lookup('profiles::consul::token::node_editor::accessor_id'), + policies_by_name => ['node_editor'], + acl_api_token => $root_api_token, + secret_id => lookup('profiles::consul::token::node_editor::secret_id'), + hostname => $facts['networking']['ip'], + } +} From 3001bc32f2ae5e0cd26e98c236f1df54b26f9f3e Mon Sep 17 00:00:00 2001 
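Review bot: The node_editor rules in consul/policies.pp use `'resource' => 'node'` with `'segment' => ''`, which under Consul's current (1.4+) ACL syntax is an exact match on an empty node name rather than a wildcard, so the policy probably does not grant what its description claims. A cluster-wide rule is a prefix rule, and `write` already implies `read`, so the two entries collapse to one: `{ 'resource' => 'node_prefix', 'segment' => '', 'disposition' => 'write' }` — assuming the voxpupuli `consul_policy` type, which exposes `node_prefix`, is what is in use. `hostname => $facts['networking']['ip']` with no `protocol`/`port` relies on the type's defaults; stating them keeps this consistent with consul/client.pp.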
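Review bot: `consul_token { 'node_editor': policies_by_name => ['node_editor'] }` in consul/tokens.pp depends on the policy declared in profiles::consul::policies but declares no relationship to it, so correct evaluation rests on the manifest order of the two `include`s in server.pp. Add `require => Consul_policy['node_editor'],` so the token can never be created before its policy regardless of ordering settings. The management token is taken as a plain `String` parameter default; `Sensitive[String] $root_api_token = Sensitive(lookup(...))` keeps it out of catalog and report output, if the type accepts Sensitive.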
From: Ben Vincent Date: Sat, 27 Apr 2024 20:39:14 +1000 Subject: [PATCH 155/229] feat: add sydney vault cluster - separate yaml between multiple regions - add nginx frontend to vault --- .../au/region/drw1/infra/storage/vault.eyaml | 7 ++ .../au/region/drw1/infra/storage/vault.yaml | 2 + .../au/region/syd1/infra/storage/vault.eyaml | 7 ++ .../au/region/syd1/infra/storage/vault.yaml | 2 + hieradata/roles/infra/storage/vault.yaml | 7 +- site/profiles/manifests/vault/nginx.pp | 97 +++++++++++++++++++ site/profiles/manifests/vault/server.pp | 3 +- 7 files changed, 123 insertions(+), 2 deletions(-) create mode 100644 hieradata/country/au/region/drw1/infra/storage/vault.eyaml create mode 100644 hieradata/country/au/region/drw1/infra/storage/vault.yaml create mode 100644 hieradata/country/au/region/syd1/infra/storage/vault.eyaml create mode 100644 hieradata/country/au/region/syd1/infra/storage/vault.yaml create mode 100644 site/profiles/manifests/vault/nginx.pp diff --git a/hieradata/country/au/region/drw1/infra/storage/vault.eyaml b/hieradata/country/au/region/drw1/infra/storage/vault.eyaml new file mode 100644 index 0000000..11fff31 --- /dev/null +++ b/hieradata/country/au/region/drw1/infra/storage/vault.eyaml @@ -0,0 +1,7 @@ +--- +vault::unseal_keys: + - ENC[PKCS7,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] + - ENC[PKCS7,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] + - ENC[PKCS7,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] + - ENC[PKCS7,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] + - ENC[PKCS7,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] diff --git a/hieradata/country/au/region/drw1/infra/storage/vault.yaml b/hieradata/country/au/region/drw1/infra/storage/vault.yaml new file mode 100644 index 0000000..2d3ed4e --- /dev/null +++ b/hieradata/country/au/region/drw1/infra/storage/vault.yaml @@ -0,0 +1,2 @@ +--- +profiles::vault::server::primary_datacenter: 'au-drw1' 
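Review bot: All five `vault::unseal_keys` shares for drw1 are stored together in one eyaml file, so the Shamir split protects nothing: whoever holds the eyaml private key, or any compiled catalog for the vault role (these are presumably consumed by `profiles::vault::unseal`, which server.pp includes), holds a full quorum. The threshold is not visible here, but keeping only threshold-many shares in hiera, or moving to auto-unseal (transit/KMS) with recovery keys held offline, would restore the separation the split is meant to give. A comment above the list stating which share index each entry is, and that the set is a quorum, would also help the next rotation.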
diff --git a/hieradata/country/au/region/syd1/infra/storage/vault.eyaml b/hieradata/country/au/region/syd1/infra/storage/vault.eyaml new file mode 100644 index 0000000..74c3111 --- /dev/null +++ b/hieradata/country/au/region/syd1/infra/storage/vault.eyaml @@ -0,0 +1,7 @@ +--- +vault::unseal_keys: + - ENC[PKCS7,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] + - ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAdpCkAgYhBO6psgTovA9cD0NEu3QxwT14KSzmxr37aHuhSBoh3tIX9asLvR3AduGbDRNI+eTGohSmQRMraTOFWHcTpVv1GShG/KD/wKwW9BGlNze/MwEuoV/OeFcrjfYbsSA338IMgWbG5+MfEduZGxWKIT5F5D14vx6pb9V7bYvbH9jKwSOwWry/RfWkEvMhMZSjFxtRrlMQqj7yqjs9RjauWXctYt4Rx9jK+I+ghWjjV26Q3Pust3OxYCJfCffZ0tpW6YikkGd1Qtq3kuPeh72YU1kYmuQIsDpcgwIuJIMJy2ekteQ/14JtIqN43OvXW5CVrmBemF0AK059LQ96WDBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBCDOOqa8oCU1St/MStiB/dngDCUp3/Vs0caWnMBi6z0oQ8FhfQR7zPSH8666bXh1U1ETCVL+B1c0NKLiig/3I4ncaQ=] + - ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEALAt+ASQS+MoaVoMTBGadYksrKq7REP3OchGXMZL97xdfRVtxaV75/HMES13q4B2dewJzBhpvgTBy9lqPCHXk7PXAkGv0YP2gbj3FXuzlXtZtXD0QHv1SY9assGABCQMdQY+DlZasGIRer/RzOLXpi3zSLlHVFu6dLndKhVs7B6RXgPMnf5Xo0yRijTKHRh8G2oizOxN7X0g5RNZAfAXN+gbDXF/KzpCM8Hox0+6UgJs9ghL7hH8c5Z8odJZcfNuqg87ELSp2XAvpC4jO4KC8VkcT0lIuDgYafyRZcWT4O8Zx6FNvSnDWEdtWHfOUYIg0RTXQ0OR0p28PzS8+0Fhh8TBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBCXnDOd5VnrCXt3QIM9BCsIgDD3P5XS+w/EV85vkp9SciOtH95jZ1M0tt7uwA76Bsk69O5qxEbNlv40ZUOC1i02Z4w=] + - ENC[PKCS7,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] + - ENC[PKCS7,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] diff --git a/hieradata/country/au/region/syd1/infra/storage/vault.yaml b/hieradata/country/au/region/syd1/infra/storage/vault.yaml new file mode 100644 index 0000000..2feaac4 --- /dev/null +++ b/hieradata/country/au/region/syd1/infra/storage/vault.yaml @@ -0,0 +1,2 @@ +--- +profiles::vault::server::primary_datacenter: 'au-syd1' 
diff --git a/hieradata/roles/infra/storage/vault.yaml b/hieradata/roles/infra/storage/vault.yaml index df6387a..59dfa34 100644 --- a/hieradata/roles/infra/storage/vault.yaml +++ b/hieradata/roles/infra/storage/vault.yaml @@ -2,7 +2,12 @@ profiles::vault::server::members_role: roles::infra::storage::vault profiles::vault::server::members_lookup: true profiles::vault::server::data_dir: /data/vault -profiles::vault::server::primary_datacenter: 'au-drw1' profiles::vault::server::manage_storage_dir: true profiles::vault::server::tls_disable: false vault::download_url: http://repos.main.unkin.net/unkin/8/x86_64/os/Archives/vault_1.15.5_linux_amd64.zip + +# additional altnames +profiles::pki::vault::alt_names: + - vault.main.unkin.net + - vault.service.consul + - vault diff --git a/site/profiles/manifests/vault/nginx.pp b/site/profiles/manifests/vault/nginx.pp new file mode 100644 index 0000000..d095db4 --- /dev/null +++ b/site/profiles/manifests/vault/nginx.pp 
@@ -0,0 +1,97 @@ +# profiles::vault::nginx +class profiles::vault::nginx ( + String $nginx_vhost = 'vault.service.consul', + Stdlib::Port $nginx_port = 80, + Stdlib::Port $nginx_ssl_port = 443, + Enum['http','https','both'] $nginx_listen_mode = 'https', + Enum['puppet', 'vault'] $nginx_cert_type = 'vault' +) { + + # set the server_names + $server_names = [$facts['networking']['fqdn'], $nginx_vhost, 'vault', 'vault.main.unkin.net'] + + # select the certificates to use based on cert type + case $nginx_cert_type { + 'puppet': { + $selected_ssl_cert = "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.crt" + $selected_ssl_key = "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.key" + } + 'vault': { + $selected_ssl_cert = '/etc/pki/tls/vault/certificate.crt' + $selected_ssl_key = '/etc/pki/tls/vault/private.key' + } + default: { + # enum param prevents this ever being reached + } + } + + # set variables based on the listen_mode + case $nginx_listen_mode { + 'http': { + $enable_ssl = false + $ssl_cert = undef + $ssl_key = undef + $listen_port = $nginx_port + $listen_ssl_port = undef + $extras_hash = {} + } + 'https': { + $enable_ssl = true + $ssl_cert = $selected_ssl_cert + $ssl_key = $selected_ssl_key + $listen_port = $nginx_ssl_port + $listen_ssl_port = $nginx_ssl_port + $extras_hash = { + 'subscribe' => [File[$ssl_cert], File[$ssl_key]], + } + } + 'both': { + $enable_ssl = true + $ssl_cert = $selected_ssl_cert + $ssl_key = $selected_ssl_key + $listen_port = $nginx_port + $listen_ssl_port = $nginx_ssl_port + $extras_hash = { + 'subscribe' => [File[$ssl_cert], File[$ssl_key]], + } + } + default: { + # enum param prevents this ever being reached + } + } + + # define the default parameters for the nginx server + $defaults = { + 'listen_port' => $listen_port, + 'server_name' => $server_names, + 'use_default_location' => true, + 'access_log' => "/var/log/nginx/${nginx_vhost}_access.log", + 'error_log' => "/var/log/nginx/${nginx_vhost}_error.log", + 'autoindex' => 'on', + 
'ssl' => $enable_ssl, + 'ssl_cert' => $ssl_cert, + 'ssl_key' => $ssl_key, + 'ssl_port' => $listen_ssl_port, + 'proxy' => "http://${facts['networking']['ip']}:8200/", + } + + # merge the hashes conditionally + $nginx_parameters = merge($defaults, $extras_hash) + + # manage the nginx class + include 'nginx' + + # create the nginx vhost with the merged parameters + create_resources('nginx::resource::server', { $nginx_vhost => $nginx_parameters }) + + # manage selinux + if $::facts['os']['selinux']['config_mode'] == 'enforcing' { + + # make sure nginx can reverse proxy + selboolean { 'httpd_can_network_connect': + persistent => true, + value => 'on', + } + + } +} diff --git a/site/profiles/manifests/vault/server.pp b/site/profiles/manifests/vault/server.pp index 2d00013..5d10f89 100644 --- a/site/profiles/manifests/vault/server.pp +++ b/site/profiles/manifests/vault/server.pp @@ -89,7 +89,8 @@ class profiles::vault::server ( ] } - # include unseal class + # include classes to manage vault include profiles::vault::unseal + include profiles::vault::nginx } } From 6fc5829fcecc5d669d38dead9c9991b048a3f454 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sun, 28 Apr 2024 00:15:03 +1000 Subject: [PATCH 156/229] feat: simple nginx proxy - merge consul/vault nginx proxy into single class - replace nginx proxy classes for consul/vault with simpleproxy class --- hieradata/roles/infra/storage/consul.yaml | 8 ++ hieradata/roles/infra/storage/vault.yaml | 8 ++ site/profiles/manifests/consul/nginx.pp | 97 ---------------- site/profiles/manifests/consul/server.pp | 2 +- site/profiles/manifests/nginx/simpleproxy.pp | 116 +++++++++++++++++++ site/profiles/manifests/vault/nginx.pp | 97 ---------------- site/profiles/manifests/vault/server.pp | 2 +- 7 files changed, 134 insertions(+), 196 deletions(-) delete mode 100644 site/profiles/manifests/consul/nginx.pp create mode 100644 site/profiles/manifests/nginx/simpleproxy.pp delete mode 100644 site/profiles/manifests/vault/nginx.pp 
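Review bot: The upstream in vault/nginx.pp is `"http://${facts['networking']['ip']}:8200/"` while the same role's hieradata sets `profiles::vault::server::tls_disable: false`; if that flag means Vault's listener has TLS enabled, nginx sends plaintext to an HTTPS port and every proxied request fails, and if it does not, the Vault API is reached unencrypted on a routable address. Either proxy to `https://127.0.0.1:8200/` with the internal CA trusted by nginx, or add a comment stating why the listener is plain HTTP. `'autoindex' => 'on'` has no effect on a pure proxy vhost and reads as if a filesystem were exposed; drop it.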
diff --git a/hieradata/roles/infra/storage/consul.yaml b/hieradata/roles/infra/storage/consul.yaml index 1aef9be..723f60c 100644 --- a/hieradata/roles/infra/storage/consul.yaml +++ b/hieradata/roles/infra/storage/consul.yaml @@ -24,3 +24,11 @@ profiles::pki::vault::alt_names: - consul.main.unkin.net - consul.service.consul - consul + +# manage a simple nginx reverse proxy +profiles::nginx::simpleproxy::nginx_vhost: 'consul.service.consul' +profiles::nginx::simpleproxy::nginx_aliases: + - consul + - consul.main.unkin.net +profiles::nginx::simpleproxy::proxy_port: 8500 +profiles::nginx::simpleproxy::proxy_path: '/' diff --git a/hieradata/roles/infra/storage/vault.yaml b/hieradata/roles/infra/storage/vault.yaml index 59dfa34..8785f7c 100644 --- a/hieradata/roles/infra/storage/vault.yaml +++ b/hieradata/roles/infra/storage/vault.yaml @@ -11,3 +11,11 @@ profiles::pki::vault::alt_names: - vault.main.unkin.net - vault.service.consul - vault + +# manage a simple nginx reverse proxy +profiles::nginx::simpleproxy::nginx_vhost: 'vault.service.consul' +profiles::nginx::simpleproxy::nginx_aliases: + - vault + - vault.main.unkin.net +profiles::nginx::simpleproxy::proxy_port: 8200 +profiles::nginx::simpleproxy::proxy_path: '/' diff --git a/site/profiles/manifests/consul/nginx.pp b/site/profiles/manifests/consul/nginx.pp deleted file mode 100644 index 59d5fad..0000000 --- a/site/profiles/manifests/consul/nginx.pp +++ /dev/null 
@@ -1,97 +0,0 @@ -# profiles::consul::nginx -class profiles::consul::nginx ( - String $nginx_vhost = 'consul.service.consul', - Stdlib::Port $nginx_port = 80, - Stdlib::Port $nginx_ssl_port = 443, - Enum['http','https','both'] $nginx_listen_mode = 'https', - Enum['puppet', 'vault'] $nginx_cert_type = 'vault' -) { - - # set the server_names - $server_names = [$facts['networking']['fqdn'], $nginx_vhost, 'consul', 'consul.main.unkin.net'] - - # select the certificates to use based on cert type - case $nginx_cert_type { - 'puppet': { - $selected_ssl_cert = "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.crt" - $selected_ssl_key = "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.key" - } - 'vault': { - $selected_ssl_cert = '/etc/pki/tls/vault/certificate.crt' - $selected_ssl_key = '/etc/pki/tls/vault/private.key' - } - default: { - # enum param prevents this ever being reached - } - } - - # set variables based on the listen_mode - case $nginx_listen_mode { - 'http': { - $enable_ssl = false - $ssl_cert = undef - $ssl_key = undef - $listen_port = $nginx_port - $listen_ssl_port = undef - $extras_hash = {} - } - 'https': { - $enable_ssl = true - $ssl_cert = $selected_ssl_cert - $ssl_key = $selected_ssl_key - $listen_port = $nginx_ssl_port - $listen_ssl_port = $nginx_ssl_port - $extras_hash = { - 'subscribe' => [File[$ssl_cert], File[$ssl_key]], - } - } - 'both': { - $enable_ssl = true - $ssl_cert = $selected_ssl_cert - $ssl_key = $selected_ssl_key - $listen_port = $nginx_port - $listen_ssl_port = $nginx_ssl_port - $extras_hash = { - 'subscribe' => [File[$ssl_cert], File[$ssl_key]], - } - } - default: { - # enum param prevents this ever being reached - } - } - - # define the default parameters for the nginx server - $defaults = { - 'listen_port' => $listen_port, - 'server_name' => $server_names, - 'use_default_location' => true, - 'access_log' => "/var/log/nginx/${nginx_vhost}_access.log", - 'error_log' => "/var/log/nginx/${nginx_vhost}_error.log", - 'autoindex' => 
'on', - 'ssl' => $enable_ssl, - 'ssl_cert' => $ssl_cert, - 'ssl_key' => $ssl_key, - 'ssl_port' => $listen_ssl_port, - 'proxy' => "http://${facts['networking']['ip']}:8500/", - } - - # merge the hashes conditionally - $nginx_parameters = merge($defaults, $extras_hash) - - # manage the nginx class - include 'nginx' - - # create the nginx vhost with the merged parameters - create_resources('nginx::resource::server', { $nginx_vhost => $nginx_parameters }) - - # manage selinux - if $::facts['os']['selinux']['config_mode'] == 'enforcing' { - - # make sure nginx can reverse proxy - selboolean { 'httpd_can_network_connect': - persistent => true, - value => 'on', - } - - } -} diff --git a/site/profiles/manifests/consul/server.pp b/site/profiles/manifests/consul/server.pp index b3ec8c7..e2e9d06 100644 --- a/site/profiles/manifests/consul/server.pp +++ b/site/profiles/manifests/consul/server.pp @@ -106,7 +106,7 @@ class profiles::consul::server ( if defined(Class['consul']) { # include nginx, policies and tokens - include profiles::consul::nginx + include profiles::nginx::simpleproxy include profiles::consul::policies include profiles::consul::tokens diff --git a/site/profiles/manifests/nginx/simpleproxy.pp b/site/profiles/manifests/nginx/simpleproxy.pp new file mode 100644 index 0000000..28d6c1e --- /dev/null +++ b/site/profiles/manifests/nginx/simpleproxy.pp 
@@ -0,0 +1,116 @@ +# profiles::nginx:simpleproxy +# +# only one simpleproxy per host, for anything more advanced, use nginx class +class profiles::nginx::simpleproxy ( + Stdlib::Fqdn $nginx_vhost = 'localhost', + Array[Stdlib::Host] $nginx_aliases = [], + Stdlib::Port $nginx_port = 80, + Stdlib::Port $nginx_ssl_port = 443, + Enum['http','https','both'] $nginx_listen_mode = 'https', + Enum['puppet', 'vault'] $nginx_cert_type = 'vault', + Enum['http','https'] $proxy_scheme = 'http', + Stdlib::Port $proxy_port = 80, + Stdlib::Host $proxy_host = $facts['networking']['ip'], + String $proxy_path = '/', +) { + + # if nginx_version isnt set, install nginx + if ! $facts['nginx_version'] { + package {'nginx': + ensure => 'present', + } + + # else, configure simple proxy + }else{ + + # build the proxyurl from proxy_* variables + $proxyurl = "${proxy_scheme}://${proxy_host}:${proxy_port}${proxy_path}" + + # set the server_names + $server_names = unique([$facts['networking']['fqdn'], $nginx_vhost] + $nginx_aliases) + + # select the certificates to use based on cert type + case $nginx_cert_type { + 'puppet': { + $selected_ssl_cert = "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.crt" + $selected_ssl_key = "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.key" + } + 'vault': { + $selected_ssl_cert = '/etc/pki/tls/vault/certificate.crt' + $selected_ssl_key = '/etc/pki/tls/vault/private.key' + } + default: { + # enum param prevents this ever being reached + } + } + + # set variables based on the listen_mode + case $nginx_listen_mode { + 'http': { + $enable_ssl = false + $ssl_cert = undef + $ssl_key = undef + $listen_port = $nginx_port + $listen_ssl_port = undef + $extras_hash = {} + } + 'https': { + $enable_ssl = true + $ssl_cert = $selected_ssl_cert + $ssl_key = $selected_ssl_key + $listen_port = $nginx_ssl_port + $listen_ssl_port = $nginx_ssl_port + $extras_hash = { + 'subscribe' => [File[$ssl_cert], File[$ssl_key]], + } + } + 'both': { + $enable_ssl = true + $ssl_cert = 
$selected_ssl_cert + $ssl_key = $selected_ssl_key + $listen_port = $nginx_port + $listen_ssl_port = $nginx_ssl_port + $extras_hash = { + 'subscribe' => [File[$ssl_cert], File[$ssl_key]], + } + } + default: { + # enum param prevents this ever being reached + } + } + + # define the default parameters for the nginx server + $defaults = { + 'listen_port' => $listen_port, + 'server_name' => $server_names, + 'use_default_location' => true, + 'access_log' => "/var/log/nginx/${nginx_vhost}_access.log", + 'error_log' => "/var/log/nginx/${nginx_vhost}_error.log", + 'autoindex' => 'on', + 'ssl' => $enable_ssl, + 'ssl_cert' => $ssl_cert, + 'ssl_key' => $ssl_key, + 'ssl_port' => $listen_ssl_port, + 'proxy' => $proxyurl, + } + + # merge the hashes conditionally + $nginx_parameters = merge($defaults, $extras_hash) + + # manage the nginx class + include 'nginx' + + # create the nginx vhost with the merged parameters + create_resources('nginx::resource::server', { $nginx_vhost => $nginx_parameters }) + + # manage selinux + if $::facts['os']['selinux']['config_mode'] == 'enforcing' { + + # make sure nginx can reverse proxy + selboolean { 'httpd_can_network_connect': + persistent => true, + value => 'on', + } + } + } +} diff --git a/site/profiles/manifests/vault/nginx.pp b/site/profiles/manifests/vault/nginx.pp deleted file mode 100644 index d095db4..0000000 --- a/site/profiles/manifests/vault/nginx.pp +++ /dev/null 
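Review bot: In the `'both'` branch of nginx/simpleproxy.pp the proxied Consul/Vault API is also served on plain port 80 with no redirect, so a client that uses `http://` sends its `X-Vault-Token`/`X-Consul-Token` header in clear; the nginx module's server resource has `ssl_redirect`, so add `'ssl_redirect' => true,` to that branch's `$extras_hash` (or reserve `both` for hosts that truly need plaintext). The `if ! $facts['nginx_version']` gate means the first run only installs the package and the vhost appears on the second run; a comment such as `# first run installs nginx only; the fact appears on the next run and the vhost is then managed` would save a confused debugging session. `'autoindex' => 'on'` is irrelevant to a proxy location and can go.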
@@ -1,97 +0,0 @@ -# profiles::vault::nginx -class profiles::vault::nginx ( - String $nginx_vhost = 'vault.service.consul', - Stdlib::Port $nginx_port = 80, - Stdlib::Port $nginx_ssl_port = 443, - Enum['http','https','both'] $nginx_listen_mode = 'https', - Enum['puppet', 'vault'] $nginx_cert_type = 'vault' -) { - - # set the server_names - $server_names = [$facts['networking']['fqdn'], $nginx_vhost, 'vault', 'vault.main.unkin.net'] - - # select the certificates to use based on cert type - case $nginx_cert_type { - 'puppet': { - $selected_ssl_cert = "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.crt" - $selected_ssl_key = "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.key" - } - 'vault': { - $selected_ssl_cert = '/etc/pki/tls/vault/certificate.crt' - $selected_ssl_key = '/etc/pki/tls/vault/private.key' - } - default: { - # enum param prevents this ever being reached - } - } - - # set variables based on the listen_mode - case $nginx_listen_mode { - 'http': { - $enable_ssl = false - $ssl_cert = undef - $ssl_key = undef - $listen_port = $nginx_port - $listen_ssl_port = undef - $extras_hash = {} - } - 'https': { - $enable_ssl = true - $ssl_cert = $selected_ssl_cert - $ssl_key = $selected_ssl_key - $listen_port = $nginx_ssl_port - $listen_ssl_port = $nginx_ssl_port - $extras_hash = { - 'subscribe' => [File[$ssl_cert], File[$ssl_key]], - } - } - 'both': { - $enable_ssl = true - $ssl_cert = $selected_ssl_cert - $ssl_key = $selected_ssl_key - $listen_port = $nginx_port - $listen_ssl_port = $nginx_ssl_port - $extras_hash = { - 'subscribe' => [File[$ssl_cert], File[$ssl_key]], - } - } - default: { - # enum param prevents this ever being reached - } - } - - # define the default parameters for the nginx server - $defaults = { - 'listen_port' => $listen_port, - 'server_name' => $server_names, - 'use_default_location' => true, - 'access_log' => "/var/log/nginx/${nginx_vhost}_access.log", - 'error_log' => "/var/log/nginx/${nginx_vhost}_error.log", - 'autoindex' => 'on', - 
'ssl' => $enable_ssl, - 'ssl_cert' => $ssl_cert, - 'ssl_key' => $ssl_key, - 'ssl_port' => $listen_ssl_port, - 'proxy' => "http://${facts['networking']['ip']}:8200/", - } - - # merge the hashes conditionally - $nginx_parameters = merge($defaults, $extras_hash) - - # manage the nginx class - include 'nginx' - - # create the nginx vhost with the merged parameters - create_resources('nginx::resource::server', { $nginx_vhost => $nginx_parameters }) - - # manage selinux - if $::facts['os']['selinux']['config_mode'] == 'enforcing' { - - # make sure nginx can reverse proxy - selboolean { 'httpd_can_network_connect': - persistent => true, - value => 'on', - } - - } -} diff --git a/site/profiles/manifests/vault/server.pp b/site/profiles/manifests/vault/server.pp index 5d10f89..6aeaf6a 100644 --- a/site/profiles/manifests/vault/server.pp +++ b/site/profiles/manifests/vault/server.pp @@ -91,6 +91,6 @@ class profiles::vault::server ( # include classes to manage vault include profiles::vault::unseal - include profiles::vault::nginx + include profiles::nginx::simpleproxy } } From 4453c8604a395693feb3f9e735af4d7255fbc973 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sun, 28 Apr 2024 00:49:57 +1000 Subject: [PATCH 157/229] fix: fix proxyurl for vault - change to http:// - change to localhost --- hieradata/roles/infra/storage/vault.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/hieradata/roles/infra/storage/vault.yaml b/hieradata/roles/infra/storage/vault.yaml index 8785f7c..1209319 100644 --- a/hieradata/roles/infra/storage/vault.yaml +++ b/hieradata/roles/infra/storage/vault.yaml @@ -17,5 +17,7 @@ profiles::nginx::simpleproxy::nginx_vhost: 'vault.service.consul' profiles::nginx::simpleproxy::nginx_aliases: - vault - vault.main.unkin.net +profiles::nginx::simpleproxy::proxy_scheme: 'http' +profiles::nginx::simpleproxy::proxy_host: '127.0.0.1' profiles::nginx::simpleproxy::proxy_port: 8200 profiles::nginx::simpleproxy::proxy_path: '/' 
From bf44c8f7b7a0c85d161c544e26f0cfd5154b6604 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sun, 28 Apr 2024 01:03:57 +1000 Subject: [PATCH 158/229] feat: deploy consul agent - install the consul agent on all nodes, except consul servers --- hieradata/common.yaml | 2 ++ site/profiles/manifests/consul/client.pp | 39 ++++++++++++++++++++++++ 2 files changed, 41 insertions(+) diff --git a/hieradata/common.yaml b/hieradata/common.yaml index 9fa4d12..8be8ee2 100644 --- a/hieradata/common.yaml +++ b/hieradata/common.yaml @@ -85,6 +85,8 @@ profiles::dns::base::ns_role: 'roles::infra::dns::resolver' profiles::dns::base::use_ns: 'region' profiles::consul::server::members_role: roles::infra::storage::consul profiles::consul::token::node_editor::accessor_id: '024e27bd-c5bb-41e7-a578-b766509e11bc' +profiles::consul::client::members_lookup: true +profiles::consul::client::members_role: roles::infra::storage::consul profiles::packages::install: - bash-completion diff --git a/site/profiles/manifests/consul/client.pp b/site/profiles/manifests/consul/client.pp index edfd1ec..684c7b5 100644 --- a/site/profiles/manifests/consul/client.pp +++ b/site/profiles/manifests/consul/client.pp 
@@ -5,8 +5,47 @@ class profiles::consul::client ( Enum['http','https'] $consul_protocol = 'http', Stdlib::Port $consul_port = 8500, String $consul_api_token = lookup('profiles::consul::server::acl_tokens_initial_management'), + Boolean $members_lookup = false, + String $members_role = undef, + Array $consul_servers = [], + Stdlib::Absolutepath $data_dir = '/opt/consul', ) { + if $facts['enc_role'] != $members_role { + + # set a datacentre/cluster name + $consul_cluster = "${::facts['country']}-${::facts['region']}" + + # if lookup is enabled, find all the hosts in the specified role and create the servers_array + if $members_lookup { + + # check that the role is also set + unless !($members_role == undef) { + fail("members_role must be provided for ${title} when members_lookup is True") + } + + # if it is, find hosts, sort them so they dont cause changes every run + $servers_array = sort(query_nodes("enc_role='${members_role}' and region='${::facts['region']}'", 'networking.fqdn')) + + # else use provided array from params + }else{ + $servers_array = $consul_servers + } + + # deploy the consul agent + class { 'consul': + config_hash => { + 'data_dir' => $data_dir, + 'datacenter' => $consul_cluster, + 'log_level' => 'INFO', + 'node_name' => $facts['networking']['fqdn'], + 'retry_join' => $servers_array, + 'bind_addr' => $::facts['networking']['ip'], + 'advertise_addr' => $::facts['networking']['ip'], + }, + } + } + # Create ACL policy that allows nodes to update themselves and read others consul_policy { $facts['networking']['hostname']: description => "${facts['networking']['fqdn']} puppet-generated-policy", From 0f0d392fb4f472740c57480caf453a6d50a72675 Mon Sep 17 00:00:00 2001 
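Review bot: The agent `config_hash` added to profiles::consul::client sets `retry_join`, `bind_addr` and `advertise_addr` but no `encrypt` key, while the region eyaml carries `profiles::consul::server::gossip_key`; if the servers run with gossip encryption these agents cannot join, and if they do not, node gossip crosses the network in clear. Add `'encrypt' => lookup('profiles::consul::server::gossip_key'),` (provided that key is resolvable from the agent's hiera hierarchy) and consider `verify_incoming`/`verify_outgoing` with the same internal CA used for the nginx certificates. The class opener and the rest of the class body lie outside this hunk.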
From: Ben Vincent Date: Sun, 28 Apr 2024 01:03:57 +1000 Subject: [PATCH 159/229] feat: deploy consul agent - install the consul agent on all nodes, except consul servers --- hieradata/common.yaml | 2 ++ site/profiles/manifests/consul/client.pp | 39 ++++++++++++++++++++++++ 2 files changed, 41 insertions(+) diff --git a/hieradata/common.yaml b/hieradata/common.yaml index 9fa4d12..8be8ee2 100644 --- a/hieradata/common.yaml +++ b/hieradata/common.yaml @@ -85,6 +85,8 @@ profiles::dns::base::ns_role: 'roles::infra::dns::resolver' profiles::dns::base::use_ns: 'region' profiles::consul::server::members_role: roles::infra::storage::consul profiles::consul::token::node_editor::accessor_id: '024e27bd-c5bb-41e7-a578-b766509e11bc' +profiles::consul::client::members_lookup: true +profiles::consul::client::members_role: roles::infra::storage::consul profiles::packages::install: - bash-completion diff --git a/site/profiles/manifests/consul/client.pp b/site/profiles/manifests/consul/client.pp index edfd1ec..684c7b5 100644 --- a/site/profiles/manifests/consul/client.pp +++ b/site/profiles/manifests/consul/client.pp 
@@ -5,8 +5,47 @@ class profiles::consul::client ( Enum['http','https'] $consul_protocol = 'http', Stdlib::Port $consul_port = 8500, String $consul_api_token = lookup('profiles::consul::server::acl_tokens_initial_management'), + Boolean $members_lookup = false, + String $members_role = undef, + Array $consul_servers = [], + Stdlib::Absolutepath $data_dir = '/opt/consul', ) { + if $facts['enc_role'] != $members_role { + + # set a datacentre/cluster name + $consul_cluster = "${::facts['country']}-${::facts['region']}" + + # if lookup is enabled, find all the hosts in the specified role and create the servers_array + if $members_lookup { + + # check that the role is also set + unless !($members_role == undef) { + fail("members_role must be provided for ${title} when members_lookup is True") + } + + # if it is, find hosts, sort them so they dont cause changes every run + $servers_array = sort(query_nodes("enc_role='${members_role}' and region='${::facts['region']}'", 'networking.fqdn')) + + # else use provided array from params + }else{ + $servers_array = $consul_servers + } + + # deploy the consul agent + class { 'consul': + config_hash => { + 'data_dir' => $data_dir, + 'datacenter' => $consul_cluster, + 'log_level' => 'INFO', + 'node_name' => $facts['networking']['fqdn'], + 'retry_join' => $servers_array, + 'bind_addr' => $::facts['networking']['ip'], + 'advertise_addr' => $::facts['networking']['ip'], + }, + } + } + # Create ACL policy that allows nodes to update themselves and read others consul_policy { $facts['networking']['hostname']: description => "${facts['networking']['fqdn']} puppet-generated-policy", From 43afc23535013fd7e4de47b829420098d7dfcb0f Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sun, 28 Apr 2024 14:06:49 +1000 Subject: [PATCH 160/229] feat: deploy consul services - add vault.service.consul --- hieradata/common.yaml | 9 +++++++++ .../au/region/syd1/infra/storage/vault.yaml | 16 ++++++++++++++++ 2 files changed, 25 insertions(+) 
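Review bot: `String $members_role = undef` in the parameter list of profiles::consul::client declares a type that does not admit its own default, so when nothing supplies the value the catalog fails on a type mismatch before the `fail()` guard below can run; declare it `Optional[String] $members_role = undef,` if it is genuinely optional. The guard `unless !($members_role == undef)` is a double negative; `if $members_role == undef { fail(...) }` says the same thing directly. This commit is byte-identical to the preceding one (158), so one of the two should be dropped from the series. The class opener and the rest of the body are outside the hunk.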
diff --git a/hieradata/common.yaml b/hieradata/common.yaml index 8be8ee2..301a017 100644 --- a/hieradata/common.yaml +++ b/hieradata/common.yaml @@ -63,6 +63,15 @@ lookup_options: profiles::dns::master::keys: merge: strategy: deep + consul::services: + merge: + strategy: deep + consul::watch: + merge: + strategy: deep + consul::check: + merge: + strategy: deep facts_path: '/opt/puppetlabs/facter/facts.d' diff --git a/hieradata/country/au/region/syd1/infra/storage/vault.yaml b/hieradata/country/au/region/syd1/infra/storage/vault.yaml index 2feaac4..28f1a9d 100644 --- a/hieradata/country/au/region/syd1/infra/storage/vault.yaml +++ b/hieradata/country/au/region/syd1/infra/storage/vault.yaml @@ -1,2 +1,18 @@ --- profiles::vault::server::primary_datacenter: 'au-syd1' +consul::services: + vault: + service_name: 'vault' + tags: + - 'https' + - 'secure' + address: "%{facts.networking.ip}" # Dynamically set from the networking facts + port: 443 + checks: + - check_id: 'vault_https_check' + name: 'Vault HTTPS Check' + http: "https://%{facts.networking.fqdn}:443/v1/sys/health" + method: 'GET' + tls_skip_verify: true # Set to false in production for security + interval: '10s' + timeout: '1s' From 199e35840f5640a5ecb98b6cd696b43bca8dc40c Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sun, 28 Apr 2024 00:49:57 +1000 Subject: [PATCH 161/229] fix: fix proxyurl for vault - change to http:// - change to localhost --- hieradata/roles/infra/storage/vault.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/hieradata/roles/infra/storage/vault.yaml b/hieradata/roles/infra/storage/vault.yaml index 8785f7c..1209319 100644 --- a/hieradata/roles/infra/storage/vault.yaml +++ b/hieradata/roles/infra/storage/vault.yaml 
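Review bot: `tls_skip_verify: true` on `vault_https_check` disables certificate verification for a host whose certificate the in-house PKI already issues with the FQDN among its alt_names, so the check can and should verify; remove the line (the default is false) rather than ship a `# Set to false in production` note in what is production hieradata. `/v1/sys/health` answers 429 for standby nodes, which Consul's HTTP check reports as warning rather than passing; if standbys are meant to remain in `vault.service.consul` use `http: "https://%{facts.networking.fqdn}:443/v1/sys/health?standbyok=true"`, otherwise the current behaviour routes only to the active node and deserves a comment saying so.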
@@ -17,5 +17,7 @@ profiles::nginx::simpleproxy::nginx_vhost: 'vault.service.consul' profiles::nginx::simpleproxy::nginx_aliases: - vault - vault.main.unkin.net +profiles::nginx::simpleproxy::proxy_scheme: 'http' +profiles::nginx::simpleproxy::proxy_host: '127.0.0.1' profiles::nginx::simpleproxy::proxy_port: 8200 profiles::nginx::simpleproxy::proxy_path: '/' From dff3f932977e325e69c2b774eeba7091ead22653 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sun, 28 Apr 2024 15:39:03 +1000 Subject: [PATCH 162/229] feat: change forwarded domain for consul - change forward lookup zone for consul from consul.service.consul -> service.consul --- hieradata/roles/infra/dns/resolver.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/hieradata/roles/infra/dns/resolver.yaml b/hieradata/roles/infra/dns/resolver.yaml index 6be9009..ceb8863 100644 --- a/hieradata/roles/infra/dns/resolver.yaml +++ b/hieradata/roles/infra/dns/resolver.yaml @@ -61,8 +61,8 @@ profiles::dns::resolver::zones: - 10.10.16.32 - 10.10.16.33 forward: 'only' - consul.service.consul-forward: - domain: 'consul.service.consul' + service.consul-forward: + domain: 'service.consul' zone_type: 'forward' forwarders: - 198.18.13.19 @@ -79,7 +79,7 @@ profiles::dns::resolver::views: - dmz.unkin.net-forward - network.unkin.net-forward - prod.unkin.net-forward - - consul.service.consul-forward + - service.consul-forward - 13.18.198.in-addr.arpa-forward - 14.18.198.in-addr.arpa-forward - 15.18.198.in-addr.arpa-forward From 8df927de18e83e610d43833617b1e9e9b4ce9b25 Mon Sep 17 00:00:00 2001 
From: Ben Vincent Date: Sun, 28 Apr 2024 14:52:38 +1000 Subject: [PATCH 163/229] feat: add node_token to agent config - move policy rules to hiera array[hash] - add node_token to agent as the default token --- hieradata/common.yaml | 14 ++++++++++++++ .../au/region/syd1/infra/storage/vault.yaml | 10 +++++++--- site/profiles/manifests/consul/client.pp | 19 +++++++------------ 3 files changed, 28 insertions(+), 15 deletions(-) diff --git a/hieradata/common.yaml b/hieradata/common.yaml index 301a017..8dd6df7 100644 --- a/hieradata/common.yaml +++ b/hieradata/common.yaml @@ -72,6 +72,9 @@ lookup_options: consul::check: merge: strategy: deep + profiles::consul::client::node_rules: + merge: + strategy: deep facts_path: '/opt/puppetlabs/facter/facts.d' @@ -96,6 +99,17 @@ profiles::consul::server::members_role: roles::infra::storage::consul profiles::consul::token::node_editor::accessor_id: '024e27bd-c5bb-41e7-a578-b766509e11bc' profiles::consul::client::members_lookup: true profiles::consul::client::members_role: roles::infra::storage::consul +profiles::consul::client::node_rules: + - resource: node + segment: "%{facts.networking.hostname}" + disposition: write + - resource: node + segment: "%{facts.networking.fqdn}" + disposition: write + - resource: node + segment: '' + disposition: read + profiles::packages::install: - bash-completion diff --git a/hieradata/country/au/region/syd1/infra/storage/vault.yaml b/hieradata/country/au/region/syd1/infra/storage/vault.yaml index 28f1a9d..d66aeea 100644 --- a/hieradata/country/au/region/syd1/infra/storage/vault.yaml +++ b/hieradata/country/au/region/syd1/infra/storage/vault.yaml 
@@ -6,13 +6,17 @@ consul::services: tags: - 'https' - 'secure' - address: "%{facts.networking.ip}" # Dynamically set from the networking facts + address: "%{facts.networking.ip}" port: 443 checks: - - check_id: 'vault_https_check' + - id: 'vault_https_check' name: 'Vault HTTPS Check' http: "https://%{facts.networking.fqdn}:443/v1/sys/health" method: 'GET' - tls_skip_verify: true # Set to false in production for security + tls_skip_verify: true interval: '10s' timeout: '1s' +profiles::consul::client::node_rules: + - resource: service + segment: vault + disposition: write diff --git a/site/profiles/manifests/consul/client.pp b/site/profiles/manifests/consul/client.pp index 684c7b5..4524b87 100644 --- a/site/profiles/manifests/consul/client.pp +++ b/site/profiles/manifests/consul/client.pp @@ -9,6 +9,7 @@ class profiles::consul::client ( String $members_role = undef, Array $consul_servers = [], Stdlib::Absolutepath $data_dir = '/opt/consul', + Array[Hash] $node_rules = [], ) { if $facts['enc_role'] != $members_role { @@ -42,6 +43,11 @@ class profiles::consul::client ( 'retry_join' => $servers_array, 'bind_addr' => $::facts['networking']['ip'], 'advertise_addr' => $::facts['networking']['ip'], + 'acl' => { + tokens => { + default => fqdn_uuid("${facts['networking']['fqdn']}-${secret_id_salt}") + } + } }, } } @@ -49,18 +55,7 @@ class profiles::consul::client ( # Create ACL policy that allows nodes to update themselves and read others consul_policy { $facts['networking']['hostname']: description => "${facts['networking']['fqdn']} puppet-generated-policy", - rules => [ - { - 'resource' => 'node', - 'segment' => $facts['networking']['hostname'], - 'disposition' => 'write' - }, - { - 'resource' => 'node', - 'segment' => '', - 'disposition' => 'read' - } - ], + rules => $node_rules, acl_api_token => $consul_api_token, hostname => $consul_hostname, protocol => $consul_protocol, From 220ac182f41049e611f34448b10503dee5126e72 Mon Sep 17 00:00:00 2001 
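Review bot: `default => fqdn_uuid("${facts['networking']['fqdn']}-${secret_id_salt}")` references `$secret_id_salt`, which is not a parameter of this class (the visible signature ends at `Array[Hash] $node_rules = [],`); an unqualified variable that is not set in scope falls back to top scope and, if absent there too, to an empty string with only a warning, which would make the agent's default token a function of the public FQDN alone. Declare it explicitly as a required parameter, `String[1] $secret_id_salt,`, so a missing salt fails compilation instead of silently weakening the token. `fqdn_uuid` is a deterministic name-based UUID, so anyone holding the salt can reconstruct every node's token, and the value is written into the Consul config via `config_hash` and carried in the catalog; a comment above the `'acl'` key should record both facts. The class body continues outside the hunk.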
From: Ben Vincent Date: Sun, 28 Apr 2024 19:27:32 +1000 Subject: [PATCH 164/229] feat: sydney haproxy cluster - add au-syd1 halb cluster - add http-response to frontends - manage haproxy after enc_role is correct --- .../au/region/drw1/infra/halb/haproxy.yaml | 5 + .../au/region/syd1/infra/halb/haproxy.yaml | 93 +++++++++++++++++++ .../manifests/haproxy/balancemember.pp | 2 +- site/profiles/manifests/haproxy/fe_http.pp | 10 +- site/profiles/manifests/haproxy/fe_https.pp | 10 +- site/profiles/manifests/haproxy/server.pp | 43 +++++---- site/profiles/manifests/proxmox/init.pp | 1 + site/profiles/manifests/proxmox/params.pp | 3 +- site/profiles/manifests/proxmox/weblb.pp | 21 +++++ 9 files changed, 160 insertions(+), 28 deletions(-) create mode 100644 hieradata/country/au/region/syd1/infra/halb/haproxy.yaml create mode 100644 site/profiles/manifests/proxmox/weblb.pp diff --git a/hieradata/country/au/region/drw1/infra/halb/haproxy.yaml b/hieradata/country/au/region/drw1/infra/halb/haproxy.yaml index a582f9b..017eb4d 100644 --- a/hieradata/country/au/region/drw1/infra/halb/haproxy.yaml +++ b/hieradata/country/au/region/drw1/infra/halb/haproxy.yaml @@ -1,6 +1,11 @@ --- # mappings profiles::haproxy::mappings: + fe_http: + ensure: present + mappings: + - 'puppetboard.main.unkin.net be_puppetboard' + - 'puppetdbapi.main.unkin.net be_puppetdbapi' fe_https: ensure: present mappings: diff --git a/hieradata/country/au/region/syd1/infra/halb/haproxy.yaml b/hieradata/country/au/region/syd1/infra/halb/haproxy.yaml new file mode 100644 index 0000000..5bcf4c8 --- /dev/null +++ b/hieradata/country/au/region/syd1/infra/halb/haproxy.yaml 
@@ -0,0 +1,93 @@ +--- +# mappings +profiles::haproxy::mappings: + fe_http: + ensure: present + mappings: + - 'au-syd1-pve.main.unkin.net be_ausyd1pve' + fe_https: + ensure: present + mappings: + - 'au-syd1-pve.main.unkin.net be_ausyd1pve' + +# profiles::haproxy::listeners: +# ls_puppetdbapi_direct: +# collect_exported: false # handled in custom function +# ipaddress: "%{facts.networking.ip}" +# ports: +# - 8081 +# mode: tcp +# options: +# option: +# - tcplog +# - ssl-hello-chk +# balance: roundrobin + +profiles::haproxy::backends: + be_ausyd1pve: + description: Backend for au-syd1 pve cluster + collect_exported: false # handled in custom function + options: + balance: roundrobin + option: + - httpchk GET / + - forwardfor + cookie: SRVNAME insert + http-request: + - set-header X-Forwarded-Port %[dst_port] + - add-header X-Forwarded-Proto https if { dst_port 443 } + redirect: 'scheme https if !{ ssl_fc }' + be_letsencrypt: + description: Backend for LetsEncrypt Verifications + collect_exported: true + options: + balance: roundrobin + be_default: + description: Backend for unmatched HTTP traffic + collect_exported: true + options: + balance: roundrobin + option: + - httpchk GET / + - forwardfor + cookie: SRVNAME insert + http-request: + - set-header X-Forwarded-Port %[dst_port] + - add-header X-Forwarded-Proto https if { dst_port 443 } + +# fe_http +profiles::haproxy::fe_http::bind_addr: 0.0.0.0 +profiles::haproxy::fe_http::bind_port: 80 +profiles::haproxy::fe_http::bind_opts: + - transparent +profiles::haproxy::fe_http::acls: + - 'acl-letsencrypt path_beg /.well-known/acme-challenge/' +profiles::haproxy::fe_http::http_request: + - 'set-header X-Forwarded-Proto https' + - 'set-header X-Real-IP %[src]' + +# fe_https +profiles::haproxy::fe_https::bind_addr: 0.0.0.0 +profiles::haproxy::fe_https::bind_port: 443 +profiles::haproxy::fe_https::bind_opts: + - ssl + - crt-list /etc/haproxy/certificate.list + - ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH + - 
force-tlsv12 +profiles::haproxy::fe_https::acls: + - 'acl-letsencrypt path_beg /.well-known/acme-challenge/' +profiles::haproxy::fe_https::http_request: + - 'set-header X-Forwarded-Proto https' + - 'set-header X-Real-IP %[src]' + +profiles::haproxy::certlist::enabled: true +profiles::haproxy::certlist::certificates: + - /etc/pki/tls/vault/certificate.pem + +# additional altnames +profiles::pki::vault::alt_names: + - au-syd1-pve.main.unkin.net + +# additional cnames +profiles::haproxy::dns::cnames: + - au-syd1-pve.main.unkin.net diff --git a/site/profiles/manifests/haproxy/balancemember.pp b/site/profiles/manifests/haproxy/balancemember.pp index 6acbf84..a477a91 100644 --- a/site/profiles/manifests/haproxy/balancemember.pp +++ b/site/profiles/manifests/haproxy/balancemember.pp @@ -8,7 +8,7 @@ define profiles::haproxy::balancemember ( $location_environment = "${facts['country']}-${facts['region']}-${facts['environment']}" $balancemember_tag = "${service}_${location_environment}" - @@haproxy::balancermember { $balancemember_tag: + @@haproxy::balancermember { $title: listening_service => $service, ports => $ports, server_names => $facts['networking']['hostname'], diff --git a/site/profiles/manifests/haproxy/fe_http.pp b/site/profiles/manifests/haproxy/fe_http.pp index 19909c1..1d91f11 100644 --- a/site/profiles/manifests/haproxy/fe_http.pp +++ b/site/profiles/manifests/haproxy/fe_http.pp 
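Review bot: `profiles::haproxy::fe_http::http_request: - 'set-header X-Forwarded-Proto https'` is applied on the plaintext frontend (`bind_port: 80`), so backends that decide redirects or secure-cookie handling on that header see an unencrypted request labelled as HTTPS; set `'set-header X-Forwarded-Proto http'` on `fe_http` and keep `https` only on `fe_https`. The same lines reappear in the role-level `profiles::haproxy::frontends` data added by patch 165 in `hieradata/roles/infra/halb/haproxy.yaml`. On `fe_https`, `force-tlsv12` pins the listener to exactly TLS 1.2 and therefore excludes TLS 1.3; `ssl-min-ver TLSv1.2` expresses the intended floor without that side effect. The `acl-letsencrypt` ACL is declared on both frontends but nothing visible routes matching requests to `be_letsencrypt`, so a `use_backend be_letsencrypt if acl-letsencrypt` entry ahead of the map lookup is presumably missing.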
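Review bot: with `@@haproxy::balancermember { $title:` the computed `$balancemember_tag = "${service}_${location_environment}"` is no longer referenced anywhere in the hunk, so it is dead unless the define's body (which continues outside the hunk) still uses it; either remove the assignment or attach it as `tag => $balancemember_tag,` on the exported resource so collectors can still select members by service and location. Exported resource titles must be unique across the whole PuppetDB, and that burden now sits with every caller, which deserves a `# title must be globally unique across exporting nodes` comment above the declaration.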
@@ -5,16 +5,18 @@ class profiles::haproxy::fe_http ( Array $bind_opts = ['transparent'], Array $acls = [], Array $http_request = [], + Array $http_response = [], ) { haproxy::frontend { 'fe_http': description => 'Default HTTP Frontend', bind => { "${bind_addr}:${bind_port}" => $bind_opts }, mode => 'http', options => { - 'acl' => $acls, - 'http-request' => $http_request, - 'use_backend' => [ - '%[req.hdr(host),lower,map(/etc/haproxy/domains-to-backends.map,be_default)]', + 'acl' => $acls, + 'http-request' => $http_request, + 'http-response' => $http_response, + 'use_backend' => [ + '%[req.hdr(host),lower,map(/etc/haproxy/fe_http.map,be_default)]', ], }, } diff --git a/site/profiles/manifests/haproxy/fe_https.pp b/site/profiles/manifests/haproxy/fe_https.pp index 7e98328..e7c9b0f 100644 --- a/site/profiles/manifests/haproxy/fe_https.pp +++ b/site/profiles/manifests/haproxy/fe_https.pp @@ -5,16 +5,18 @@ class profiles::haproxy::fe_https ( Array $bind_opts = [], Array $acls = [], Array $http_request = [], + Array $http_response = [], ) { haproxy::frontend { 'fe_https': description => 'Default HTTPS Frontend', bind => { "${bind_addr}:${bind_port}" => $bind_opts }, mode => 'http', options => { - 'acl' => $acls, - 'http-request' => $http_request, - 'use_backend' => [ - '%[req.hdr(host),lower,map(/etc/haproxy/domains-to-backends.map,be_default)]', + 'acl' => $acls, + 'http-request' => $http_request, + 'http-response' => $http_response, + 'use_backend' => [ + '%[req.hdr(host),lower,map(/etc/haproxy/fe_https.map,be_default)]', ], }, } diff --git a/site/profiles/manifests/haproxy/server.pp b/site/profiles/manifests/haproxy/server.pp index fde8f2f..0a27fea 100644 --- a/site/profiles/manifests/haproxy/server.pp +++ b/site/profiles/manifests/haproxy/server.pp 
@@ -35,24 +35,31 @@ class profiles::haproxy::server ( $merged_global_options = merge($global_options, $globals) $merged_default_options = merge($default_options, $defaults) - # manage selinux - include profiles::haproxy::selinux + # wait until enc_role matches haproxy enc_role + if $facts['enc_role'] == 'roles::infra::halb::haproxy' { - # create the haproxy service/instance - class { 'haproxy': - global_options => $merged_global_options, - defaults_options => $merged_default_options, - require => Class['profiles::haproxy::selinux'] + # manage selinux + include profiles::haproxy::selinux + + # create the haproxy service/instance + class { 'haproxy': + global_options => $merged_global_options, + defaults_options => $merged_default_options, + require => Class['profiles::haproxy::selinux'] + } + + include profiles::haproxy::certlist # manage the certificate list file + include profiles::haproxy::mappings # manage the domain to backend mappings + include profiles::haproxy::ls_stats # default status listener + include profiles::haproxy::fe_http # default http frontend + include profiles::haproxy::fe_https # default https frontend + include profiles::haproxy::dns # manage dns for haproxy + include profiles::haproxy::frontends # create frontends + include profiles::haproxy::backends # create backends + include profiles::haproxy::listeners # create listeners + + Class['profiles::haproxy::certlist'] + -> Class['profiles::haproxy::dns'] + -> Class['profiles::haproxy::mappings'] } - - include profiles::haproxy::certlist # manage the certificate list file - include profiles::haproxy::mappings # manage the domain to backend mappings - include profiles::haproxy::ls_stats # default status listener - include profiles::haproxy::fe_http # default http frontend - include profiles::haproxy::fe_https # default https frontend - include profiles::haproxy::dns # manage dns for haproxy - include profiles::haproxy::frontends # create frontends - include profiles::haproxy::backends # create 
backends - include profiles::haproxy::listeners # create listeners - } diff --git a/site/profiles/manifests/proxmox/init.pp b/site/profiles/manifests/proxmox/init.pp index f7d769f..1d90b3d 100644 --- a/site/profiles/manifests/proxmox/init.pp +++ b/site/profiles/manifests/proxmox/init.pp @@ -7,6 +7,7 @@ class profiles::proxmox::init { include profiles::proxmox::clusterjoin include profiles::proxmox::ceph include profiles::proxmox::config + include profiles::proxmox::weblb Class['profiles::proxmox::repos'] -> Class['profiles::proxmox::install'] diff --git a/site/profiles/manifests/proxmox/params.pp b/site/profiles/manifests/proxmox/params.pp index d520f45..17e69ce 100644 --- a/site/profiles/manifests/proxmox/params.pp +++ b/site/profiles/manifests/proxmox/params.pp @@ -38,6 +38,7 @@ class profiles::proxmox::params ( 'ceph-volume', 'gdisk', 'nvme-cli' - ] + ], + Stdlib::Port $pve_webport = 8006, ){ } diff --git a/site/profiles/manifests/proxmox/weblb.pp b/site/profiles/manifests/proxmox/weblb.pp new file mode 100644 index 0000000..2f6f4e5 --- /dev/null +++ b/site/profiles/manifests/proxmox/weblb.pp @@ -0,0 +1,21 @@ +# profiles::proxmox::weblb +class profiles::proxmox::weblb { + + # include params class + include profiles::proxmox::params + + # export haproxy balancemember + profiles::haproxy::balancemember { "${facts['networking']['fqdn']}_${profiles::proxmox::params::pve_webport}}": + service => "be_${facts['country']}${facts['region']}pve", + ports => [$profiles::proxmox::params::pve_webport], + options => [ + "cookie ${facts['networking']['hostname']}", + 'ssl', + 'verify none', + 'check', + 'inter 2s', + 'rise 3', + 'fall 2', + ] + } +} From 86974926115ff1f05a1aad6f2aa3961555af050f Mon Sep 17 00:00:00 2001 
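Review bot: the new guard `if $facts['enc_role'] == 'roles::infra::halb::haproxy'` silently skips every HAProxy resource when the fact does not match, so a node classified into this profile with a stale or missing `enc_role` fact produces a clean run with no load balancer and no diagnostic; add an `else { warning("profiles::haproxy::server: enc_role is '${facts['enc_role']}', not managing haproxy") }` branch so the skip is visible in the run log. The role name is also hardcoded while the rest of this profile's inputs are Hiera-driven; a parameter such as `String[1] $haproxy_role = 'roles::infra::halb::haproxy'` keeps it overridable. The class body starts outside the hunk.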
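Review bot: the resource title `"${facts['networking']['fqdn']}_${profiles::proxmox::params::pve_webport}}"` has one closing brace too many — the second `}` sits outside the interpolation and becomes a literal character in the exported title (e.g. `host.example_8006}`, constructed); the same slip is in the `_api2}` title added by patch 165. Change it to `"${facts['networking']['fqdn']}_${profiles::proxmox::params::pve_webport}"`. Separately, `'ssl'` together with `'verify none'` means HAProxy never authenticates the PVE nodes it forwards to, so the health check and the proxied sessions accept whatever certificate is presented; if the PVE certificates are issued by the internal PKI, `verify required` with `ca-file <path to internal CA bundle>` keeps the check meaningful, and otherwise a `# verify none: PVE presents self-signed certificates` comment should record why verification is off.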
From: Ben Vincent Date: Sun, 28 Apr 2024 22:19:44 +1000 Subject: [PATCH 165/229] feat: haproxy refactor - configure deep merging in hiera - move fe_http and fe_https to hiera - configure pve backends for standard and api traffic --- hieradata/common.yaml | 12 +++ .../au/region/drw1/infra/halb/haproxy.yaml | 42 --------- .../au/region/syd1/infra/halb/haproxy.yaml | 88 ++++++++----------- hieradata/roles/infra/halb/haproxy.yaml | 51 +++++++++++ site/profiles/manifests/haproxy/fe_http.pp | 23 ----- site/profiles/manifests/haproxy/fe_https.pp | 23 ----- site/profiles/manifests/haproxy/listener.pp | 21 ----- site/profiles/manifests/haproxy/server.pp | 2 - site/profiles/manifests/proxmox/weblb.pp | 14 ++- 9 files changed, 113 insertions(+), 163 deletions(-) delete mode 100644 site/profiles/manifests/haproxy/fe_http.pp delete mode 100644 site/profiles/manifests/haproxy/fe_https.pp delete mode 100644 site/profiles/manifests/haproxy/listener.pp diff --git a/hieradata/common.yaml b/hieradata/common.yaml index f5422e6..4d7b5d0 100644 --- a/hieradata/common.yaml +++ b/hieradata/common.yaml @@ -30,6 +30,18 @@ lookup_options: profiles::haproxy::server::globals: merge: strategy: deep + profiles::haproxy::server::frontends: + merge: + strategy: deep + profiles::haproxy::server::backends: + merge: + strategy: deep + profiles::haproxy::server::mappings: + merge: + strategy: deep + profiles::haproxy::server::listeners: + merge: + strategy: deep haproxy::backend: merge: strategy: deep diff --git a/hieradata/country/au/region/drw1/infra/halb/haproxy.yaml b/hieradata/country/au/region/drw1/infra/halb/haproxy.yaml index 017eb4d..20a8e44 100644 --- a/hieradata/country/au/region/drw1/infra/halb/haproxy.yaml +++ b/hieradata/country/au/region/drw1/infra/halb/haproxy.yaml 
@@ -52,48 +52,6 @@ profiles::haproxy::backends: - set-header X-Forwarded-Port %[dst_port] - add-header X-Forwarded-Proto https if { dst_port 443 } redirect: 'scheme https if !{ ssl_fc }' - be_letsencrypt: - description: Backend for LetsEncrypt Verifications - collect_exported: true - options: - balance: roundrobin - be_default: - description: Backend for unmatched HTTP traffic - collect_exported: true - options: - balance: roundrobin - option: - - httpchk GET / - - forwardfor - cookie: SRVNAME insert - http-request: - - set-header X-Forwarded-Port %[dst_port] - - add-header X-Forwarded-Proto https if { dst_port 443 } - -# fe_http -profiles::haproxy::fe_http::bind_addr: 0.0.0.0 -profiles::haproxy::fe_http::bind_port: 80 -profiles::haproxy::fe_http::bind_opts: - - transparent -profiles::haproxy::fe_http::acls: - - 'acl-letsencrypt path_beg /.well-known/acme-challenge/' -profiles::haproxy::fe_http::http_request: - - 'set-header X-Forwarded-Proto https' - - 'set-header X-Real-IP %[src]' - -# fe_https -profiles::haproxy::fe_https::bind_addr: 0.0.0.0 -profiles::haproxy::fe_https::bind_port: 443 -profiles::haproxy::fe_https::bind_opts: - - ssl - - crt-list /etc/haproxy/certificate.list - - ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH - - force-tlsv12 -profiles::haproxy::fe_https::acls: - - 'acl-letsencrypt path_beg /.well-known/acme-challenge/' -profiles::haproxy::fe_https::http_request: - - 'set-header X-Forwarded-Proto https' - - 'set-header X-Real-IP %[src]' profiles::haproxy::certlist::enabled: true profiles::haproxy::certlist::certificates: diff --git a/hieradata/country/au/region/syd1/infra/halb/haproxy.yaml b/hieradata/country/au/region/syd1/infra/halb/haproxy.yaml index 5bcf4c8..c7877aa 100644 --- a/hieradata/country/au/region/syd1/infra/halb/haproxy.yaml +++ b/hieradata/country/au/region/syd1/infra/halb/haproxy.yaml 
@@ -4,81 +4,65 @@ profiles::haproxy::mappings: fe_http: ensure: present mappings: - - 'au-syd1-pve.main.unkin.net be_ausyd1pve' + - 'au-syd1-pve.main.unkin.net be_ausyd1pve_web' + - 'au-syd1-pve-api.main.unkin.net be_ausyd1pve_api' fe_https: ensure: present mappings: - - 'au-syd1-pve.main.unkin.net be_ausyd1pve' + - 'au-syd1-pve.main.unkin.net be_ausyd1pve_web' + - 'au-syd1-pve-api.main.unkin.net be_ausyd1pve_api' -# profiles::haproxy::listeners: -# ls_puppetdbapi_direct: -# collect_exported: false # handled in custom function -# ipaddress: "%{facts.networking.ip}" -# ports: -# - 8081 -# mode: tcp -# options: -# option: -# - tcplog -# - ssl-hello-chk -# balance: roundrobin +profiles::haproxy::frontends: + fe_http: + options: + use_backend: + - "%[req.hdr(host),lower,map(/etc/haproxy/fe_http.map,be_default)]" + fe_https: + options: + acl: + - 'acl_ausyd1pve req.hdr(host) -i https://au-syd1-pve.main.unkin.net' + - 'acl_internalsubnets src 198.18.0.0/16 10.10.12.0/24' + use_backend: + - "%[req.hdr(host),lower,map(/etc/haproxy/fe_https.map,be_default)]" + http-request: + - 'deny if { hdr_dom(host) -i au-syd1-pve.main.unkin.net } !acl_internalsubnets' + http-response: + - 'set-header X-Frame-Options DENY if acl_ausyd1pve' + - 'set-header X-Content-Type-Options nosniff' + - 'set-header X-XSS-Protection 1;mode=block' profiles::haproxy::backends: - be_ausyd1pve: - description: Backend for au-syd1 pve cluster + be_ausyd1pve_web: + description: Backend for au-syd1 pve cluster (Web) collect_exported: false # handled in custom function options: balance: roundrobin option: - httpchk GET / - forwardfor - cookie: SRVNAME insert + - http-keep-alive + - prefer-last-server + cookie: SRVNAME insert indirect nocache + http-reuse: always http-request: - set-header X-Forwarded-Port %[dst_port] - add-header X-Forwarded-Proto https if { dst_port 443 } redirect: 'scheme https if !{ ssl_fc }' - be_letsencrypt: - description: Backend for LetsEncrypt Verifications - collect_exported: true - 
options: - balance: roundrobin - be_default: - description: Backend for unmatched HTTP traffic - collect_exported: true + be_ausyd1pve_api: + description: Backend for au-syd1 pve cluster (API only) + collect_exported: false # handled in custom function options: balance: roundrobin option: - httpchk GET / - forwardfor - cookie: SRVNAME insert + - http-keep-alive + - prefer-last-server + http-reuse: always http-request: - set-header X-Forwarded-Port %[dst_port] - add-header X-Forwarded-Proto https if { dst_port 443 } - -# fe_http -profiles::haproxy::fe_http::bind_addr: 0.0.0.0 -profiles::haproxy::fe_http::bind_port: 80 -profiles::haproxy::fe_http::bind_opts: - - transparent -profiles::haproxy::fe_http::acls: - - 'acl-letsencrypt path_beg /.well-known/acme-challenge/' -profiles::haproxy::fe_http::http_request: - - 'set-header X-Forwarded-Proto https' - - 'set-header X-Real-IP %[src]' - -# fe_https -profiles::haproxy::fe_https::bind_addr: 0.0.0.0 -profiles::haproxy::fe_https::bind_port: 443 -profiles::haproxy::fe_https::bind_opts: - - ssl - - crt-list /etc/haproxy/certificate.list - - ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH - - force-tlsv12 -profiles::haproxy::fe_https::acls: - - 'acl-letsencrypt path_beg /.well-known/acme-challenge/' -profiles::haproxy::fe_https::http_request: - - 'set-header X-Forwarded-Proto https' - - 'set-header X-Real-IP %[src]' + redirect: 'scheme https if !{ ssl_fc }' profiles::haproxy::certlist::enabled: true profiles::haproxy::certlist::certificates: @@ -87,7 +71,9 @@ profiles::haproxy::certlist::certificates: # additional altnames profiles::pki::vault::alt_names: - au-syd1-pve.main.unkin.net + - au-syd1-pve-api.main.unkin.net # additional cnames profiles::haproxy::dns::cnames: - au-syd1-pve.main.unkin.net + - au-syd1-pve-api.main.unkin.net diff --git a/hieradata/roles/infra/halb/haproxy.yaml b/hieradata/roles/infra/halb/haproxy.yaml index f6e352d..cd212ad 100644 --- a/hieradata/roles/infra/halb/haproxy.yaml 
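Review bot: `'acl_ausyd1pve req.hdr(host) -i https://au-syd1-pve.main.unkin.net'` can never match, because the Host header carries only a host name (and optional port), never a scheme, so `'set-header X-Frame-Options DENY if acl_ausyd1pve'` is never emitted. Use `'acl_ausyd1pve hdr_dom(host) -i au-syd1-pve.main.unkin.net'`, matching the form the deny rule already uses. Note also that the deny rule covers only `au-syd1-pve.main.unkin.net`: `hdr_dom` does not treat `-` as a delimiter, so `au-syd1-pve-api.main.unkin.net`, which the new mapping sends to the same PVE nodes via `be_ausyd1pve_api`, presumably stays reachable from outside `acl_internalsubnets` unless that exposure is intended.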
+++ b/hieradata/roles/infra/halb/haproxy.yaml @@ -9,6 +9,9 @@ profiles::haproxy::selinux::sebooleans: - haproxy_connect_any profiles::haproxy::server::globals: + log: + - /dev/log local0 + - /dev/log local1 notice stats: - timeout 30s - socket /var/lib/haproxy/stats @@ -38,3 +41,51 @@ profiles::haproxy::server::defaults: - check 10s retries: 3 maxconn: 5000 + +profiles::haproxy::frontends: + fe_http: + description: 'Global HTTP Frontend' + bind: + 0.0.0.0:80: + - transparent + mode: 'http' + options: + acl: + - 'acl-letsencrypt path_beg /.well-known/acme-challenge/' + http-request: + - 'set-header X-Forwarded-Proto https' + - 'set-header X-Real-IP %[src]' + fe_https: + description: 'Global HTTPS Frontend' + bind: + 0.0.0.0:443: + - ssl + - crt-list /etc/haproxy/certificate.list + - ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH + - force-tlsv12 + mode: 'http' + options: + acl: + - 'acl-letsencrypt path_beg /.well-known/acme-challenge/' + http-request: + - 'set-header X-Forwarded-Proto https' + - 'set-header X-Real-IP %[src]' + +profiles::haproxy::backends: + be_letsencrypt: + description: Backend for LetsEncrypt Verifications + collect_exported: true + options: + balance: roundrobin + be_default: + description: Backend for unmatched HTTP traffic + collect_exported: true + options: + balance: roundrobin + option: + - httpchk GET / + - forwardfor + cookie: SRVNAME insert + http-request: + - set-header X-Forwarded-Port %[dst_port] + - add-header X-Forwarded-Proto https if { dst_port 443 } diff --git a/site/profiles/manifests/haproxy/fe_http.pp b/site/profiles/manifests/haproxy/fe_http.pp deleted file mode 100644 index 1d91f11..0000000 --- a/site/profiles/manifests/haproxy/fe_http.pp +++ /dev/null 
@@ -1,23 +0,0 @@ -# default http frontend -class profiles::haproxy::fe_http ( - Stdlib::IP::Address $bind_addr = $facts['networking']['ip'], - Stdlib::Port $bind_port = 80, - Array $bind_opts = ['transparent'], - Array $acls = [], - Array $http_request = [], - Array $http_response = [], -) { - haproxy::frontend { 'fe_http': - description => 'Default HTTP Frontend', - bind => { "${bind_addr}:${bind_port}" => $bind_opts }, - mode => 'http', - options => { - 'acl' => $acls, - 'http-request' => $http_request, - 'http-response' => $http_response, - 'use_backend' => [ - '%[req.hdr(host),lower,map(/etc/haproxy/fe_http.map,be_default)]', - ], - }, - } -} diff --git a/site/profiles/manifests/haproxy/fe_https.pp b/site/profiles/manifests/haproxy/fe_https.pp deleted file mode 100644 index e7c9b0f..0000000 --- a/site/profiles/manifests/haproxy/fe_https.pp +++ /dev/null @@ -1,23 +0,0 @@ -# default https frontend -class profiles::haproxy::fe_https ( - Stdlib::IP::Address $bind_addr = $facts['networking']['ip'], - Stdlib::Port $bind_port = 443, - Array $bind_opts = [], - Array $acls = [], - Array $http_request = [], - Array $http_response = [], -) { - haproxy::frontend { 'fe_https': - description => 'Default HTTPS Frontend', - bind => { "${bind_addr}:${bind_port}" => $bind_opts }, - mode => 'http', - options => { - 'acl' => $acls, - 'http-request' => $http_request, - 'http-response' => $http_response, - 'use_backend' => [ - '%[req.hdr(host),lower,map(/etc/haproxy/fe_https.map,be_default)]', - ], - }, - } -} diff --git a/site/profiles/manifests/haproxy/listener.pp b/site/profiles/manifests/haproxy/listener.pp deleted file mode 100644 index 3df3b35..0000000 --- a/site/profiles/manifests/haproxy/listener.pp +++ /dev/null 
@@ -1,21 +0,0 @@ -# profiles::haproxy::listener -define profiles::haproxy::listener ( - Boolean $bind = false, - Boolean $listen = false, - Enum['roundrobin', 'leastconn'] $balance = 'roundrobin', - Array $option = ['tcplog'], - Enum['tcp', 'http'] $mode = 'http', - Stdlib::Port $ports = 443, -) { - - haproxy::listen { 'puppet00': - ipaddress => $facts['networking']['ip'], - ports => $ports, - mode => $mode, - options => { - 'option' => $option, - 'balance' => $balance, - }, - } -} - diff --git a/site/profiles/manifests/haproxy/server.pp b/site/profiles/manifests/haproxy/server.pp index 0a27fea..3ac313e 100644 --- a/site/profiles/manifests/haproxy/server.pp +++ b/site/profiles/manifests/haproxy/server.pp @@ -51,8 +51,6 @@ class profiles::haproxy::server ( include profiles::haproxy::certlist # manage the certificate list file include profiles::haproxy::mappings # manage the domain to backend mappings include profiles::haproxy::ls_stats # default status listener - include profiles::haproxy::fe_http # default http frontend - include profiles::haproxy::fe_https # default https frontend include profiles::haproxy::dns # manage dns for haproxy include profiles::haproxy::frontends # create frontends include profiles::haproxy::backends # create backends diff --git a/site/profiles/manifests/proxmox/weblb.pp b/site/profiles/manifests/proxmox/weblb.pp index 2f6f4e5..a1bd2c0 100644 --- a/site/profiles/manifests/proxmox/weblb.pp +++ b/site/profiles/manifests/proxmox/weblb.pp @@ -6,7 +6,7 @@ class profiles::proxmox::weblb { # export haproxy balancemember profiles::haproxy::balancemember { "${facts['networking']['fqdn']}_${profiles::proxmox::params::pve_webport}}": - service => "be_${facts['country']}${facts['region']}pve", + service => "be_${facts['country']}${facts['region']}pve_web", ports => [$profiles::proxmox::params::pve_webport], options => [ "cookie ${facts['networking']['hostname']}", 
@@ -18,4 +18,16 @@ class profiles::proxmox::weblb { 'fall 2', ] } + profiles::haproxy::balancemember { "${facts['networking']['fqdn']}_${profiles::proxmox::params::pve_webport}_api2}": + service => "be_${facts['country']}${facts['region']}pve_api", + ports => [$profiles::proxmox::params::pve_webport], + options => [ + 'ssl', + 'verify none', + 'check', + 'inter 2s', + 'rise 3', + 'fall 2', + ] + } } From 95135fb58a125bd63362fb95348823e6d77bffb0 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Wed, 1 May 2024 21:58:10 +1000 Subject: [PATCH 166/229] fix: add use_backend for drw1 haproxy --- .../au/region/drw1/infra/halb/haproxy.yaml | 21 ++++++++----------- 1 file changed, 9 insertions(+), 12 deletions(-) diff --git a/hieradata/country/au/region/drw1/infra/halb/haproxy.yaml b/hieradata/country/au/region/drw1/infra/halb/haproxy.yaml index 20a8e44..2ac28f7 100644 --- a/hieradata/country/au/region/drw1/infra/halb/haproxy.yaml +++ b/hieradata/country/au/region/drw1/infra/halb/haproxy.yaml @@ -12,18 +12,15 @@ profiles::haproxy::mappings: - 'puppetboard.main.unkin.net be_puppetboard' - 'puppetdbapi.main.unkin.net be_puppetdbapi' -# profiles::haproxy::listeners: -# ls_puppetdbapi_direct: -# collect_exported: false # handled in custom function -# ipaddress: "%{facts.networking.ip}" -# ports: -# - 8081 -# mode: tcp -# options: -# option: -# - tcplog -# - ssl-hello-chk -# balance: roundrobin +profiles::haproxy::frontends: + fe_http: + options: + use_backend: + - "%[req.hdr(host),lower,map(/etc/haproxy/fe_http.map,be_default)]" + fe_https: + options: + use_backend: + - "%[req.hdr(host),lower,map(/etc/haproxy/fe_https.map,be_default)]" profiles::haproxy::backends: be_puppetboard: From 56b23620b73391bacf312b28678d91204b6a9a09 Mon Sep 17 00:00:00 2001 
From: Ben Vincent Date: Thu, 2 May 2024 22:33:17 +1000 Subject: [PATCH 167/229] refactor: reoganise the puppetserver profile - manage puppetserver package - set order for puppetserver classes - for profiles::puppet::server class: - set param types using stdlib where possible - set default values for all params - move configuration data to hieradata - wait for enc_role fact to match role - exclude puppet::client from puppermaster nodes --- hieradata/common.yaml | 11 ++++ .../au/region/drw1/infra/puppet/master.yaml | 4 ++ .../au/region/syd1/infra/puppet/master.yaml | 4 ++ .../nodes/prodinf01n01.main.unkin.net.yaml | 4 ++ hieradata/roles/infra/puppet.yaml | 3 + site/profiles/manifests/puppet/client.pp | 20 +++--- .../profiles/manifests/puppet/puppetmaster.pp | 63 ++++++++----------- site/profiles/manifests/puppet/server.pp | 41 ++++++------ 8 files changed, 86 insertions(+), 64 deletions(-) create mode 100644 hieradata/country/au/region/drw1/infra/puppet/master.yaml create mode 100644 hieradata/country/au/region/syd1/infra/puppet/master.yaml create mode 100644 hieradata/nodes/prodinf01n01.main.unkin.net.yaml create mode 100644 hieradata/roles/infra/puppet.yaml diff --git a/hieradata/common.yaml b/hieradata/common.yaml index 4d7b5d0..71eefa0 100644 --- a/hieradata/common.yaml +++ b/hieradata/common.yaml @@ -87,6 +87,9 @@ lookup_options: profiles::consul::client::node_rules: merge: strategy: deep + profiles::puppet::server::dns_alt_names: + merge: + strategy: deep facts_path: '/opt/puppetlabs/facter/facts.d' @@ -237,3 +240,11 @@ profiles::base::hosts::additional_hosts: aliases: - prodinf01n22 - repos.main.unkin.net + +profiles::puppet::server::dns_alt_names: + - "%{facts.networking.fqdn}" + - "%{facts.networking.hostname}" + - puppetmaster.main.unkin.net + - puppet.main.unkin.net + - puppetmaster + - puppet 
diff --git a/hieradata/country/au/region/drw1/infra/puppet/master.yaml b/hieradata/country/au/region/drw1/infra/puppet/master.yaml new file mode 100644 index 0000000..1b3d42c --- /dev/null +++ b/hieradata/country/au/region/drw1/infra/puppet/master.yaml @@ -0,0 +1,4 @@ +--- +profiles::puppet::server::dns_alt_names: + - puppetca.main.unkin.net + - puppetca diff --git a/hieradata/country/au/region/syd1/infra/puppet/master.yaml b/hieradata/country/au/region/syd1/infra/puppet/master.yaml new file mode 100644 index 0000000..1b3d42c --- /dev/null +++ b/hieradata/country/au/region/syd1/infra/puppet/master.yaml @@ -0,0 +1,4 @@ +--- +profiles::puppet::server::dns_alt_names: + - puppetca.main.unkin.net + - puppetca diff --git a/hieradata/nodes/prodinf01n01.main.unkin.net.yaml b/hieradata/nodes/prodinf01n01.main.unkin.net.yaml new file mode 100644 index 0000000..1b3d42c --- /dev/null +++ b/hieradata/nodes/prodinf01n01.main.unkin.net.yaml @@ -0,0 +1,4 @@ +--- +profiles::puppet::server::dns_alt_names: + - puppetca.main.unkin.net + - puppetca diff --git a/hieradata/roles/infra/puppet.yaml b/hieradata/roles/infra/puppet.yaml new file mode 100644 index 0000000..6ae5977 --- /dev/null +++ b/hieradata/roles/infra/puppet.yaml @@ -0,0 +1,3 @@ +--- +profiles::packages::install: + - puppetserver diff --git a/site/profiles/manifests/puppet/client.pp b/site/profiles/manifests/puppet/client.pp index 973f621..e0f1dd2 100644 --- a/site/profiles/manifests/puppet/client.pp +++ b/site/profiles/manifests/puppet/client.pp 
@@ -14,14 +14,18 @@ class profiles::puppet::client ( Boolean $usecacheonfailure = false, ) { - # Assuming you want to manage puppet.conf with this profile - file { '/etc/puppetlabs/puppet/puppet.conf': - ensure => 'present', - content => template('profiles/puppet/client/puppet.conf.erb'), - owner => 'root', - group => 'root', - mode => '0644', - notify => Service['puppet'], + # dont manage puppet.conf if this is a puppetmaster + if $facts['enc_role'] != 'roles::infra::puppet::master' { + + # Assuming you want to manage puppet.conf with this profile + file { '/etc/puppetlabs/puppet/puppet.conf': + ensure => 'present', + content => template('profiles/puppet/client/puppet.conf.erb'), + owner => 'root', + group => 'root', + mode => '0644', + notify => Service['puppet'], + } } } diff --git a/site/profiles/manifests/puppet/puppetmaster.pp b/site/profiles/manifests/puppet/puppetmaster.pp index a5b7c74..ec2a695 100644 --- a/site/profiles/manifests/puppet/puppetmaster.pp +++ b/site/profiles/manifests/puppet/puppetmaster.pp 
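Review bot: The new guard `if $facts['enc_role'] != 'roles::infra::puppet::master'` keys whether puppet.conf is managed on a plain fact, and facts are reported by the agent, so a node can stop its puppet.conf from being managed simply by reporting a different `enc_role`. The puppetmaster.pp hunk that follows gates the whole master stack on the same fact. If the role is known to the ENC or Hiera, derive it from the classification or from `$trusted` (a trusted certificate extension) rather than `$facts`; at minimum a comment such as `# enc_role is an agent-reported fact, not a security boundary` should record the assumption. The enclosing class body begins outside the hunk.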
@@ -23,45 +23,34 @@ # Limitations: # This is designed to work on Unix-like systems. class profiles::puppet::puppetmaster ( - String $puppetdb_host = lookup('profiles::puppet::puppetdb::puppetdb_host'), + Optional[Stdlib::Fqdn] $puppetdb_host = lookup('profiles::puppet::puppetdb::puppetdb_host', Optional[Stdlib::Fqdn], 'first', undef), ) { - include profiles::puppet::r10k - include profiles::puppet::g10k - include profiles::puppet::enc - include profiles::puppet::cobbler_enc - include profiles::puppet::autosign - include profiles::puppet::gems - include profiles::helpers::certmanager - class { 'puppetdb::master::config': - puppetdb_server => $puppetdb_host, - manage_storeconfigs => false, + if $facts['enc_role'] == 'roles::infra::puppet::master' { + + include profiles::puppet::r10k + include profiles::puppet::g10k + include profiles::puppet::enc + include profiles::puppet::cobbler_enc + include profiles::puppet::autosign + include profiles::puppet::gems + include profiles::helpers::certmanager + include profiles::puppet::server + + class { 'puppetdb::master::config': + puppetdb_server => $puppetdb_host, + manage_storeconfigs => false, + } + + Package['puppetserver'] + -> Class['profiles::puppet::gems'] + -> Class['profiles::puppet::r10k'] + -> Class['profiles::puppet::g10k'] + -> Class['profiles::puppet::enc'] + -> Class['profiles::puppet::cobbler_enc'] + -> Class['profiles::puppet::autosign'] + -> Class['puppetdb::master::config'] + -> Class['profiles::puppet::server'] } - class { 'profiles::puppet::server': - vardir => '/opt/puppetlabs/server/data/puppetserver', - logdir => '/var/log/puppetlabs/puppetserver', - rundir => '/var/run/puppetlabs/puppetserver', - pidfile => '/var/run/puppetlabs/puppetserver/puppetserver.pid', - codedir => '/etc/puppetlabs/code', - dns_alt_names => [ - 'prodinf01n01.main.unkin.net', - 'puppet.main.unkin.net', - 'puppetca.main.unkin.net', - 'puppetmaster.main.unkin.net', - 'puppet', - 'puppetca', - 'puppetmaster', - ], - server => 
'prodinf01n01.main.unkin.net', - node_terminus => 'exec', - external_nodes => '/opt/cobbler-enc/cobbler-enc', - autosign => '/etc/puppetlabs/puppet/autosign.conf', - default_manifest => '/etc/puppetlabs/code/environments/develop/manifests', - default_environment => 'develop', - storeconfigs => true, - storeconfigs_backend => 'puppetdb', - reports => 'puppetdb', - usecacheonfailure => false, - } } diff --git a/site/profiles/manifests/puppet/server.pp b/site/profiles/manifests/puppet/server.pp index 4930582..ecf1f97 100644 --- a/site/profiles/manifests/puppet/server.pp +++ b/site/profiles/manifests/puppet/server.pp 
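Review bot: The ordering chain starts from `Package['puppetserver']`, which this class never declares; in this commit it exists only because hieradata/roles/infra/puppet.yaml adds `puppetserver` to `profiles::packages::install`, so any role or override that drops it from that list turns the chain into a compile failure on an unknown resource. Declaring the dependency where it is consumed — `ensure_packages(['puppetserver'])` ahead of the chain, or at least `# Package['puppetserver'] is declared via profiles::packages::install (hieradata/roles/infra/puppet.yaml)` — keeps the class self-describing. Separately, `$puppetdb_host` can now be `undef` and is passed straight into `puppetdb::master::config`; if that module needs a server name, the lookup default should be reconsidered.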
@@ -9,28 +9,31 @@ # pidfile - File path for the PID file. # codedir - Directory path for code data. # dns_alt_names - Array of alternate DNS names for the server. -# server - Server's name. +# agent_server - Server name for the puppet agent on the master. # node_terminus - Node terminus. # external_nodes - Path to the external node classifier script. # autosign - Path to the autosign script. # class profiles::puppet::server ( - String $vardir, - String $logdir, - String $rundir, - String $pidfile, - String $codedir, - Array[String[1]] $dns_alt_names, - String $server, - String $node_terminus, - String $external_nodes, - String $autosign, - String $default_manifest, - String $default_environment, - Boolean $storeconfigs, - String $storeconfigs_backend, - String $reports, - Boolean $usecacheonfailure, + Stdlib::Absolutepath $vardir = '/opt/puppetlabs/server/data/puppetserver', + Stdlib::Absolutepath $logdir = '/var/log/puppetlabs/puppetserver', + Stdlib::Absolutepath $rundir = '/var/run/puppetlabs/puppetserver', + Stdlib::Absolutepath $pidfile = '/var/run/puppetlabs/puppetserver/puppetserver.pid', + Stdlib::Absolutepath $codedir = '/etc/puppetlabs/code', + Array[String] $dns_alt_names = [ + $facts['networking']['fqdn'], + $facts['networking']['hostname'], + ], + Stdlib::Fqdn $agent_server = 'puppetmaster', + String $node_terminus = 'exec', + String $external_nodes = '/opt/cobbler-enc/cobbler-enc', + String $default_environment = 'develop', + Stdlib::Absolutepath $autosign = '/etc/puppetlabs/puppet/autosign.conf', + Stdlib::Absolutepath $default_manifest = "${codedir}/environments/${default_environment}/manifests", + Boolean $storeconfigs = true, + String $storeconfigs_backend = 'puppetdb', + String $reports = 'puppetdb', + Boolean $usecacheonfailure = false, ) { file { '/etc/puppetlabs/puppet/puppet.conf': 
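Review bot: `Array[String] $dns_alt_names` and `String $external_nodes` are looser than the neighbouring parameters: an empty string in `dns_alt_names` survives `join(sort($dns_alt_names), ',')` and renders `dns_alt_names = ,host,...`, and `external_nodes` is a path like `autosign`. `Array[String[1]] $dns_alt_names` and `Stdlib::Absolutepath $external_nodes` would match the rest of the signature. Because `dns_alt_names` is only honoured when the server certificate is issued, a comment on that parameter such as `# only applied when the server certificate is generated; changing it does not reissue the cert` would save the next person a confusing afternoon. The `file` resource that consumes these values continues outside the hunk.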
@@ -44,8 +47,8 @@ class profiles::puppet::server ( 'rundir' => $rundir, 'pidfile' => $pidfile, 'codedir' => $codedir, - 'dns_alt_names' => join($dns_alt_names, ','), - 'server' => $server, + 'dns_alt_names' => join(sort($dns_alt_names), ','), + 'server' => $agent_server, 'node_terminus' => $node_terminus, 'external_nodes' => $external_nodes, 'autosign' => $autosign, From a429255c635b7e92b6537e664764a9d0666c4342 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Fri, 3 May 2024 20:07:02 +1000 Subject: [PATCH 168/229] feat: puppet server agent - add [agent] settings for puppetservers --- site/profiles/manifests/puppet/server.pp | 44 ++++++++++++------- .../templates/puppet/server/puppet.conf.epp | 9 +++- 2 files changed, 37 insertions(+), 16 deletions(-) diff --git a/site/profiles/manifests/puppet/server.pp b/site/profiles/manifests/puppet/server.pp index ecf1f97..7cf2731 100644 --- a/site/profiles/manifests/puppet/server.pp +++ b/site/profiles/manifests/puppet/server.pp 
@@ -15,25 +15,32 @@ # autosign - Path to the autosign script. # class profiles::puppet::server ( - Stdlib::Absolutepath $vardir = '/opt/puppetlabs/server/data/puppetserver', - Stdlib::Absolutepath $logdir = '/var/log/puppetlabs/puppetserver', - Stdlib::Absolutepath $rundir = '/var/run/puppetlabs/puppetserver', - Stdlib::Absolutepath $pidfile = '/var/run/puppetlabs/puppetserver/puppetserver.pid', - Stdlib::Absolutepath $codedir = '/etc/puppetlabs/code', - Array[String] $dns_alt_names = [ + Stdlib::Absolutepath $vardir = '/opt/puppetlabs/server/data/puppetserver', + Stdlib::Absolutepath $logdir = '/var/log/puppetlabs/puppetserver', + Stdlib::Absolutepath $rundir = '/var/run/puppetlabs/puppetserver', + Stdlib::Absolutepath $pidfile = '/var/run/puppetlabs/puppetserver/puppetserver.pid', + Stdlib::Absolutepath $codedir = '/etc/puppetlabs/code', + Array[String] $dns_alt_names = [ $facts['networking']['fqdn'], $facts['networking']['hostname'], ], - Stdlib::Fqdn $agent_server = 'puppetmaster', - String $node_terminus = 'exec', - String $external_nodes = '/opt/cobbler-enc/cobbler-enc', - String $default_environment = 'develop', - Stdlib::Absolutepath $autosign = '/etc/puppetlabs/puppet/autosign.conf', + Stdlib::Fqdn $agent_server = 'puppetmaster', + Stdlib::Fqdn $report_server = $agent_server, + Stdlib::Fqdn $ca_server = 'puppetca', + String $node_terminus = 'exec', + String $external_nodes = '/opt/cobbler-enc/cobbler-enc', + String $default_environment = 'develop', + String $environment = 'develop', + Stdlib::Absolutepath $autosign = '/etc/puppetlabs/puppet/autosign.conf', Stdlib::Absolutepath $default_manifest = "${codedir}/environments/${default_environment}/manifests", - Boolean $storeconfigs = true, - String $storeconfigs_backend = 'puppetdb', - String $reports = 'puppetdb', - Boolean $usecacheonfailure = false, + String $reports = 'puppetdb', + Boolean $storeconfigs = true, + String $storeconfigs_backend = 'puppetdb', + Boolean $usecacheonfailure = false, + Boolean 
$report = true, + Integer $runinterval = 1800, + Integer $runtimeout = 3600, + Boolean $show_diff = true, ) { file { '/etc/puppetlabs/puppet/puppet.conf': @@ -49,6 +56,13 @@ class profiles::puppet::server ( 'codedir' => $codedir, 'dns_alt_names' => join(sort($dns_alt_names), ','), 'server' => $agent_server, + 'ca_server' => $ca_server, + 'environment' => $environment, + 'report' => $report, + 'runinterval' => $runinterval, + 'runtimeout' => $runtimeout, + 'show_diff' => $show_diff, + 'report_server' => $report_server, 'node_terminus' => $node_terminus, 'external_nodes' => $external_nodes, 'autosign' => $autosign, diff --git a/site/profiles/templates/puppet/server/puppet.conf.epp b/site/profiles/templates/puppet/server/puppet.conf.epp index 226346d..dbb93ee 100644 --- a/site/profiles/templates/puppet/server/puppet.conf.epp +++ b/site/profiles/templates/puppet/server/puppet.conf.epp @@ -10,9 +10,16 @@ dns_alt_names = <%= $dns_alt_names %> [agent] server = <%= $server %> +ca_server = <%= $ca_server %> +environment = <%= $environment %> +report = <%= $report %> +report_server = <%= $report_server %> +runinterval = <%= $runinterval %> +runtimeout = <%= $runtimeout %> +show_diff = <%= $show_diff %> [master] -node_terminus = exec +node_terminus = <%= $node_terminus %> external_nodes = <%= $external_nodes %> autosign = <%= $autosign %> default_manifest = <%= $default_manifest %> From 052b07be8358e9d64e134a353f487c5211c37fb6 Mon Sep 17 00:00:00 2001 
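Review bot: `Integer $runinterval = 1800` and `Integer $runtimeout = 3600` accept negative values that have no meaning in puppet.conf; `Integer[0]` pins the intent the way the Stdlib types already do for the path parameters. `Stdlib::Fqdn $ca_server = 'puppetca'` and `$agent_server = 'puppetmaster'` are short labels resolved through the resolver search path, which deserves a one-line comment because the `dns_alt_names` default in the same signature only covers the node's own fqdn and hostname. The `file` resource that consumes these values continues outside the hunk.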
From: Ben Vincent Date: Fri, 3 May 2024 20:48:20 +1000 Subject: [PATCH 169/229] chore: remove excessive comments - remove the excessive comments and notes at the top of the puppet classes --- site/profiles/manifests/puppet/autosign.pp | 29 ------------------- site/profiles/manifests/puppet/enc.pp | 29 ------------------- site/profiles/manifests/puppet/g10k.pp | 25 ---------------- .../profiles/manifests/puppet/puppetmaster.pp | 20 ------------- site/profiles/manifests/puppet/r10k.pp | 29 ------------------- site/profiles/manifests/puppet/server.pp | 13 --------- 6 files changed, 145 deletions(-) diff --git a/site/profiles/manifests/puppet/autosign.pp b/site/profiles/manifests/puppet/autosign.pp index 0c75d25..b154aea 100644 --- a/site/profiles/manifests/puppet/autosign.pp +++ b/site/profiles/manifests/puppet/autosign.pp 
@@ -4,35 +4,6 @@ # based on specified subnet ranges and domain patterns. # It is useful in environments where nodes are dynamically provisioned and # require automatic certificate signing without manual intervention. -# -# Parameters: -# - `subnet_ranges`: An array of IP subnet ranges in CIDR notation. -# Nodes with IP addresses within these ranges will have their -# certificates autosigned. -# Default: [] -# Example: ['198.18.17.0/24'] -# -# - `domains`: An array of domain patterns. -# Nodes with hostnames matching these patterns will have their -# certificates autosigned. -# Default: [] -# Example: ['*.main.unkin.net', '*.secondary.unkin.net'] -# -# - `nodes`: An array of specific node names. -# Nodes with hostnames matching these will have their -# certificates autosigned. -# Default: [] -# Example: ['somenode.main.unkin.net', 'othernode.secondary.unkin.net'] -# Usage: -# -# To include this class with custom parameters: -# class { 'profiles::puppet::autosign': -# subnet_ranges => ['198.18.17.0/24', '198.18.18.0/24'], -# domains => ['*.main.unkin.net', '*.dev.unkin.net'], -# nodes => ['somenode.main.unkin.net', 'othernode.dev.unkin.net'], -# } -# -# Alternatively, configure subnet ranges and domains through Hiera. class profiles::puppet::autosign ( Array[Stdlib::IP::Address::V4::CIDR] $subnet_ranges = [], Array[String[1]] $domains = [], diff --git a/site/profiles/manifests/puppet/enc.pp b/site/profiles/manifests/puppet/enc.pp index b0a4a49..fcfeec7 100644 --- a/site/profiles/manifests/puppet/enc.pp +++ b/site/profiles/manifests/puppet/enc.pp 
@@ -4,35 +4,6 @@ # systemd service and timer to keep the repository updated every minute. # The Git package is installed if not present, and the repository at the given # location will always reflect the state of the remote Git repository. -# -# Parameters: -# - enc_repo: The URL of the Git repository to clone. -# -# Actions: -# - Ensures the Git package is installed. -# - Ensures the /opt/puppetlabs/enc directory is a clone of the given Git repository. -# - Creates a helper script '/opt/puppetlabs/bin/git_update' for updating the Git repository. -# - Creates a systemd service and timer that runs the git update script every minute. -# -# Usage: -# Directly include the class in your node definitions or classify your nodes -# using an ENC or Hiera. -# Example: -# node 'puppet.example.com' { -# class { 'profiles::puppet::enc': -# enc_repo => 'https://github.com/user/repo.git', -# } -# } -# -# Requirements: -# - The 'puppet-vcsrepo' module should be installed on your puppetmaster. -# - The 'puppet-systemd' module should be installed on your puppetmaster. -# - '/opt/puppetlabs/bin/' directory must exist and be writable. -# - Puppet master must have access to the specified Git URL. -# -# Limitations: -# This is designed to work on Unix-like systems only. -# class profiles::puppet::enc ( String $repo, String $release = 'master', diff --git a/site/profiles/manifests/puppet/g10k.pp b/site/profiles/manifests/puppet/g10k.pp index eddb6f1..3a2af5e 100644 --- a/site/profiles/manifests/puppet/g10k.pp +++ b/site/profiles/manifests/puppet/g10k.pp 
@@ -5,31 +5,6 @@ # The latest release of g10k is downloaded from GitHub and placed into '/opt/puppetlabs/bin'. # Additionally, it creates a helper script to easily run g10k with the appropriate configuration. # It also creates a systemd service and timer that runs the g10k script every minute. -# -# Parameters: None -# -# Actions: -# - Downloads the latest g10k release from GitHub. -# - Extracts the download and places the executable in '/opt/puppetlabs/bin'. -# - Creates a helper script '/opt/puppetlabs/bin/puppet-g10k' for easy usage of g10k. -# - Creates a systemd service and timer that runs the g10k script every minute. -# -# Usage: -# Directly including the class in your node definitions or classify your nodes -# using an ENC or Hiera. -# Example: -# node 'puppet.example.com' { -# include profiles::puppet::g10k -# } -# -# Requirements: -# - The 'puppet-archive' module should be installed in your puppetmaster. -# - The 'puppet-systemd' module should be installed on your puppetmaster. -# - '/opt/puppetlabs/bin/' directory must exist and be writable. -# - Puppet master must have access to the GitHub URL. -# -# Limitations: -# This is designed to work on Unix-like systems only. class profiles::puppet::g10k ( String $bin_path, String $cfg_path, diff --git a/site/profiles/manifests/puppet/puppetmaster.pp b/site/profiles/manifests/puppet/puppetmaster.pp index ec2a695..7229d64 100644 --- a/site/profiles/manifests/puppet/puppetmaster.pp +++ b/site/profiles/manifests/puppet/puppetmaster.pp 
@@ -2,26 +2,6 @@ # # This class manages the puppetmaster using the ghoneycutt-puppet module. # It manages the server settings in the puppet.conf file. -# -# Parameters: None -# -# Actions: -# - Sets up the server, main, agent, and master sections in the puppet.conf file -# -# Usage: -# Directly include the class in your node definitions or classify your nodes -# using an ENC or Hiera. -# Example: -# node 'puppet.example.com' { -# include profiles::puppet::puppetmaster -# } -# -# Requirements: -# - The 'ghoneycutt/puppet' module should be installed in your Puppet master. -# - Puppet master must have access to the necessary directories. -# -# Limitations: -# This is designed to work on Unix-like systems. class profiles::puppet::puppetmaster ( Optional[Stdlib::Fqdn] $puppetdb_host = lookup('profiles::puppet::puppetdb::puppetdb_host', Optional[Stdlib::Fqdn], 'first', undef), ) { diff --git a/site/profiles/manifests/puppet/r10k.pp b/site/profiles/manifests/puppet/r10k.pp index baa16d5..e366953 100644 --- a/site/profiles/manifests/puppet/r10k.pp +++ b/site/profiles/manifests/puppet/r10k.pp 
@@ -4,35 +4,6 @@ # systemd service and timer to keep the repository updated every minute. # The Git package is installed if not present, and the repository at the given # location will always reflect the state of the remote Git repository. -# -# Parameters: -# - r10k_repo: The URL of the Git repository to clone. -# -# Actions: -# - Ensures the Git package is installed. -# - Ensures the /etc/puppetlabs/r10k directory is a clone of the given Git repository. -# - Creates a helper script '/opt/puppetlabs/bin/puppet-r10k' for updating the Git repository. -# - Creates a systemd service and timer that runs the git update script every minute. -# -# Usage: -# Directly include the class in your node definitions or classify your nodes -# using an enc or Hiera. -# Example: -# node 'puppet.example.com' { -# class { 'profiles::puppet::r10k': -# r10k_repo => 'https://github.com/user/repo.git', -# } -# } -# -# Requirements: -# - The 'puppet-vcsrepo' module should be installed on your puppetmaster. -# - The 'puppet-systemd' module should be installed on your puppetmaster. -# - '/opt/puppetlabs/bin/' directory must exist and be writable. -# - Puppet master must have access to the specified Git URL. -# -# Limitations: -# This is designed to work on Unix-like systems only. -# class profiles::puppet::r10k ( String $r10k_repo, ){ diff --git a/site/profiles/manifests/puppet/server.pp b/site/profiles/manifests/puppet/server.pp index 7cf2731..771d41a 100644 --- a/site/profiles/manifests/puppet/server.pp +++ b/site/profiles/manifests/puppet/server.pp 
@@ -1,19 +1,6 @@ # Class: profiles::puppet::server # # This class manages Puppet server's configuration and service. -# -# Parameters: -# vardir - Directory path for variable data. -# logdir - Directory path for logs. -# rundir - Directory path for run-time data. -# pidfile - File path for the PID file. -# codedir - Directory path for code data. -# dns_alt_names - Array of alternate DNS names for the server. -# agent_server - Server name for the puppet agent on the master. -# node_terminus - Node terminus. -# external_nodes - Path to the external node classifier script. -# autosign - Path to the autosign script. -# class profiles::puppet::server ( Stdlib::Absolutepath $vardir = '/opt/puppetlabs/server/data/puppetserver', Stdlib::Absolutepath $logdir = '/var/log/puppetlabs/puppetserver', From df8a55c3ddb1228ba5d8d98b6c9dda656ac88595 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Fri, 3 May 2024 21:29:25 +1000 Subject: [PATCH 170/229] feat: manage puppetca - manage the puppet ca.cfg - distribute the crl.pem from the puppetca to masters --- .../nodes/prodinf01n01.main.unkin.net.yaml | 3 ++ site/profiles/manifests/puppet/puppetca.pp | 35 +++++++++++++++++++ .../profiles/manifests/puppet/puppetmaster.pp | 1 + .../templates/puppet/puppet_ca.cfg.erb | 10 ++++++ 4 files changed, 49 insertions(+) create mode 100644 site/profiles/manifests/puppet/puppetca.pp create mode 100644 site/profiles/templates/puppet/puppet_ca.cfg.erb diff --git a/hieradata/nodes/prodinf01n01.main.unkin.net.yaml b/hieradata/nodes/prodinf01n01.main.unkin.net.yaml index 1b3d42c..d998612 100644 --- a/hieradata/nodes/prodinf01n01.main.unkin.net.yaml +++ b/hieradata/nodes/prodinf01n01.main.unkin.net.yaml @@ -2,3 +2,6 @@ profiles::puppet::server::dns_alt_names: - puppetca.main.unkin.net - puppetca + +profiles::puppet::puppetca::is_puppetca: true +profiles::puppet::puppetca::allow_subject_alt_names: true 
diff --git a/site/profiles/manifests/puppet/puppetca.pp b/site/profiles/manifests/puppet/puppetca.pp new file mode 100644 index 0000000..1e75240 --- /dev/null +++ b/site/profiles/manifests/puppet/puppetca.pp @@ -0,0 +1,35 @@ +# Class: profiles::puppet::puppetca +# +# This class manages Puppet CA +class profiles::puppet::puppetca ( + Boolean $allow_subject_alt_names = false, + Boolean $allow_authorization_extensions = false, + Boolean $enable_infra_crl = false, + Boolean $is_puppetca = false, +) { + + # manage the ca.cfg file + file { '/etc/puppetlabs/puppetserver/conf.d/ca.conf': + ensure => 'file', + owner => 'root', + group => 'root', + mode => '0644', + content => template('profiles/puppet/puppet_ca.cfg.erb'), + notify => Service['puppetserver'], + } + + # manage the crl file + if $is_puppetca { + # export the puppet crl.pem + @@file { '/etc/puppetlabs/puppet/ssl/crl.pem': + ensure => file, + content => file('/etc/puppetlabs/puppet/ssl/crl.pem'), + tag => 'crl_pem_export', + } + }else{ + # import the puppet crl.pem + File <<| tag == 'crl_pem_export' |>> { + require => Service['puppetserver'], + } + } +} diff --git a/site/profiles/manifests/puppet/puppetmaster.pp b/site/profiles/manifests/puppet/puppetmaster.pp index 7229d64..73f46c0 100644 --- a/site/profiles/manifests/puppet/puppetmaster.pp +++ b/site/profiles/manifests/puppet/puppetmaster.pp @@ -16,6 +16,7 @@ class profiles::puppet::puppetmaster ( include profiles::puppet::gems include profiles::helpers::certmanager include profiles::puppet::server + include profiles::puppet::puppetca class { 'puppetdb::master::config': puppetdb_server => $puppetdb_host, diff --git a/site/profiles/templates/puppet/puppet_ca.cfg.erb b/site/profiles/templates/puppet/puppet_ca.cfg.erb new file mode 100644 index 0000000..a119784 --- /dev/null +++ b/site/profiles/templates/puppet/puppet_ca.cfg.erb 
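Review bot: `content => file('/etc/puppetlabs/puppet/ssl/crl.pem')` is evaluated at catalog compilation, i.e. on whichever Puppet server compiles the CA node's catalog, not on the CA node itself; if the CA node's agent points at another master (the `agent_server` default is `puppetmaster`), the exported resource carries that master's copy of the CRL rather than the authoritative one. Confirm the CA node compiles its own catalog, and record it: `# file() reads the CRL on the compiling server - the CA node must compile its own catalog`. The exported file also sets no `owner`, `group` or `mode`, so the collected copy on each master gets whatever defaults apply there; pinning `mode => '0644'` with root ownership matches the ca.conf resource above it.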
@@ -0,0 +1,10 @@ +certificate-authority: { + # allow CA to sign certificate requests that have subject alternative names. + allow-subject-alt-names: <%= @allow_subject_alt_names %> + + # allow CA to sign certificate requests that have authorization extensions. + allow-authorization-extensions: <%= @allow_authorization_extensions %> + + # enable the separate CRL for Puppet infrastructure nodes + enable-infra-crl: <%= @enable_infra_crl %> +} From 6020143f7687fd0532a99fb9dea5fa1f165f3883 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Fri, 3 May 2024 23:06:19 +1000 Subject: [PATCH 171/229] feat: consul multi-datacentre joining - add method to join multiple consul datacentres - set syd1 as the primary datacentre - use default token from au-syd1 cluster in all locations - add replication token --- hieradata/common.eyaml | 1 + .../au/region/drw1/infra/storage/consul.eyaml | 4 ++-- .../au/region/drw1/infra/storage/consul.yaml | 5 ++++- .../au/region/syd1/infra/storage/consul.yaml | 3 +++ hieradata/roles/infra/storage/consul.yaml | 1 + site/profiles/manifests/consul/server.pp | 20 ++++++++++++++++++- 6 files changed, 30 insertions(+), 4 deletions(-) diff --git a/hieradata/common.eyaml b/hieradata/common.eyaml index bf97631..a0d629d 100644 --- a/hieradata/common.eyaml +++ b/hieradata/common.eyaml @@ -5,3 +5,4 @@ profiles::consul::client::secret_id_salt: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCC profiles::consul::token::node_editor::secret_id: ENC[PKCS7,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] profiles::consul::server::acl_tokens_initial_management: ENC[PKCS7,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] profiles::consul::server::acl_tokens_default: ENC[PKCS7,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] +profiles::consul::server::acl_tokens_replication: ENC[PKCS7,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] 
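Review bot: `allow-subject-alt-names` is rendered from a parameter that prodinf01n01's hiera sets to true, while this repository also autosigns by subnet range and domain pattern (profiles::puppet::autosign); with both enabled, any host that satisfies an autosign rule can be issued a certificate whose SANs name other infrastructure, because basic autosign does not inspect the CSR. Puppet's guidance is to enable this only together with policy-based autosigning or manual signing. The template comment should carry that caveat: `# allow CA to sign CSRs that carry subject alternative names. Only safe with manual or policy-based autosigning, since basic autosign does not check SANs.`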
diff --git a/hieradata/country/au/region/drw1/infra/storage/consul.eyaml b/hieradata/country/au/region/drw1/infra/storage/consul.eyaml index 948b16f..33b5046 100644 --- a/hieradata/country/au/region/drw1/infra/storage/consul.eyaml +++ b/hieradata/country/au/region/drw1/infra/storage/consul.eyaml @@ -1,4 +1,4 @@ --- profiles::consul::server::gossip_key: ENC[PKCS7,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] -profiles::consul::server::acl_tokens_initial_management: ENC[PKCS7,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] -profiles::consul::server::acl_tokens_default: ENC[PKCS7,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] +#profiles::consul::server::acl_tokens_initial_management: ENC[PKCS7,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] +#profiles::consul::server::acl_tokens_default: ENC[PKCS7,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] diff --git a/hieradata/country/au/region/drw1/infra/storage/consul.yaml b/hieradata/country/au/region/drw1/infra/storage/consul.yaml index 11b6a2f..b44e321 100644 --- a/hieradata/country/au/region/drw1/infra/storage/consul.yaml +++ b/hieradata/country/au/region/drw1/infra/storage/consul.yaml @@ -1,4 +1,7 @@ --- profiles::consul::server::bootstrap_count: 3 profiles::consul::server::raft_multiplier: 10 -profiles::consul::server::primary_datacenter: 'au-drw1' +profiles::consul::server::primary_datacenter: 'au-syd1' +profiles::consul::server::join_remote_regions: true +profiles::consul::server::remote_regions: + - syd1 diff --git a/hieradata/country/au/region/syd1/infra/storage/consul.yaml b/hieradata/country/au/region/syd1/infra/storage/consul.yaml index 4bd8c14..52a084f 100644 --- a/hieradata/country/au/region/syd1/infra/storage/consul.yaml +++ b/hieradata/country/au/region/syd1/infra/storage/consul.yaml 
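Review bot: The drw1 `acl_tokens_initial_management` and `acl_tokens_default` entries are commented out rather than deleted, leaving encrypted credentials in the working tree with no consumer. If those tokens were ever bootstrapped into the drw1 cluster they stay valid there until revoked in Consul; revoking them and removing the lines (git history keeps them regardless) is cleaner than carrying dead secrets in eyaml.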
@@ -2,3 +2,6 @@ profiles::consul::server::bootstrap_count: 3 profiles::consul::server::raft_multiplier: 10 profiles::consul::server::primary_datacenter: 'au-syd1' +profiles::consul::server::join_remote_regions: true +profiles::consul::server::remote_regions: + - drw1 diff --git a/hieradata/roles/infra/storage/consul.yaml b/hieradata/roles/infra/storage/consul.yaml index 723f60c..7d3d0f9 100644 --- a/hieradata/roles/infra/storage/consul.yaml +++ b/hieradata/roles/infra/storage/consul.yaml @@ -18,6 +18,7 @@ profiles::consul::server::acl: tokens: initial_management: "%{alias('profiles::consul::server::acl_tokens_initial_management')}" default: "%{alias('profiles::consul::server::acl_tokens_default')}" + replication: "%{alias('profiles::consul::server::acl_tokens_replication')}" # additional altnames profiles::pki::vault::alt_names: diff --git a/site/profiles/manifests/consul/server.pp b/site/profiles/manifests/consul/server.pp index e2e9d06..942850b 100644 --- a/site/profiles/manifests/consul/server.pp +++ b/site/profiles/manifests/consul/server.pp @@ -43,6 +43,8 @@ class profiles::consul::server ( Stdlib::Absolutepath $bin_dir = '/usr/bin', Boolean $disable_remote_exec = true, Boolean $disable_update_check = true, + Boolean $join_remote_regions = false, + Array[String] $remote_regions = [], ) { # wait for all attributes to be ready 
@@ -62,6 +64,21 @@ class profiles::consul::server ( # if it is, find hosts, sort them so they dont cause changes every run $servers_array = sort(query_nodes("enc_role='${members_role}' and region='${::facts['region']}'", 'networking.fqdn')) + if $join_remote_regions { + # get all nodes in the members_role for each other region + $region_to_servers = $remote_regions.reduce({}) |$memo, $region| { + $servers = sort(query_nodes("enc_role='${members_role}' and region='${region}'", 'networking.fqdn')) + $memo + { $region => $servers } + } + + # sort and flatten the regions into a single array of fqdns + $remote_servers_array = sort(flatten($region_to_servers.values)) + + } else { + # else just send an empty array + $remote_servers_array = [] + } + # else use provided array from params }else{ $servers_array = $consul_servers @@ -97,7 +114,8 @@ class profiles::consul::server ( 'performance' => { 'raft_multiplier' => $raft_multiplier }, 'bind_addr' => $::facts['networking']['ip'], 'advertise_addr' => $::facts['networking']['ip'], - 'retry_join' => $servers_array + 'retry_join' => $servers_array, + 'retry_join_wan' => $remote_servers_array, }, } } From 8a241d6b96745fcf88259a8964c7dcff92a420e7 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sat, 4 May 2024 15:46:47 +1000 Subject: [PATCH 172/229] feat: add prepared_query capabilities to consul - add prepared query for: - vault - puppet - puppetca --- hieradata/common.yaml | 3 +++ hieradata/roles/infra/storage/consul.yaml | 20 +++++++++++++++++++ .../manifests/consul/prepared_query.pp | 14 +++++++++++++ site/profiles/manifests/consul/server.pp | 1 + 4 files changed, 38 insertions(+) create mode 100644 site/profiles/manifests/consul/prepared_query.pp diff --git a/hieradata/common.yaml b/hieradata/common.yaml index 4d7b5d0..ef0a1f5 100644 --- a/hieradata/common.yaml +++ b/hieradata/common.yaml 
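Review bot: `$remote_servers_array` is only assigned inside the branch that queries PuppetDB; the existing `}else{ $servers_array = $consul_servers` branch (the outer `if` starts outside the hunk) never sets it, so `'retry_join_wan' => $remote_servers_array` in the second hunk reads an unassigned variable — `undef` in the rendered config, or a compile error under `strict_variables`. Either move the whole `if $join_remote_regions { ... } else { ... }` block below the outer if/else so it runs on both paths, or add `$remote_servers_array = []` to the params branch. The `region='${region}'` interpolation builds a PQL query from Hiera data only, which is fine, but a short comment saying so would stop it being reused with less trusted input.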
@@ -87,6 +87,9 @@ lookup_options: profiles::consul::client::node_rules: merge: strategy: deep + profiles::consul::prepared_query::rules: + merge: + strategy: deep facts_path: '/opt/puppetlabs/facter/facts.d' diff --git a/hieradata/roles/infra/storage/consul.yaml b/hieradata/roles/infra/storage/consul.yaml index 7d3d0f9..08819e8 100644 --- a/hieradata/roles/infra/storage/consul.yaml +++ b/hieradata/roles/infra/storage/consul.yaml @@ -33,3 +33,23 @@ profiles::nginx::simpleproxy::nginx_aliases: - consul.main.unkin.net profiles::nginx::simpleproxy::proxy_port: 8500 profiles::nginx::simpleproxy::proxy_path: '/' + +profiles::consul::prepared_query::rules: + vault: + ensure: 'present' + service_name: 'vault' + service_failover_n: 3 + service_only_passing: true + ttl: 10 + puppet: + ensure: 'present' + service_name: 'puppet' + service_failover_n: 3 + service_only_passing: true + ttl: 10 + puppetca: + ensure: 'present' + service_name: 'puppetca' + service_failover_n: 3 + service_only_passing: true + ttl: 10 diff --git a/site/profiles/manifests/consul/prepared_query.pp b/site/profiles/manifests/consul/prepared_query.pp new file mode 100644 index 0000000..16df79f --- /dev/null +++ b/site/profiles/manifests/consul/prepared_query.pp @@ -0,0 +1,14 @@ +# profile::consul::prepared_query +class profiles::consul::prepared_query ( + String $root_api_token = lookup('profiles::consul::server::acl_tokens_initial_management'), + Hash $rules = {}, +) { + + $rules.each | $rule, $data | { + consul_prepared_query { $rule: + acl_api_token => $root_api_token, + hostname => $facts['networking']['ip'], + * => $data, + } + } +} diff --git a/site/profiles/manifests/consul/server.pp b/site/profiles/manifests/consul/server.pp index 942850b..f71c567 100644 --- a/site/profiles/manifests/consul/server.pp +++ b/site/profiles/manifests/consul/server.pp 
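Review bot: `$root_api_token` defaults to the cluster's initial management token for what is a routine write of prepared queries, and it is typed `String`, so the token can surface in logs, reports and catalog diffs. A token scoped to prepared-query writes plus a `Sensitive[String]` parameter (unwrapped at the call site if `consul_prepared_query` does not accept `Sensitive` for `acl_api_token`) follows least privilege. `Hash[String, Hash] $rules = {}` would also reject malformed Hiera data before the `.each` splat hides it.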
@@ -127,6 +127,7 @@ class profiles::consul::server ( include profiles::nginx::simpleproxy include profiles::consul::policies include profiles::consul::tokens + include profiles::consul::prepared_query # get the dns port from the $ports hash, otherwise use the default $dns_port = pick($ports['dns'], 8600) From fe296d52d9b8596c77ca60109d166791e9853aa7 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Fri, 3 May 2024 22:16:20 +1000 Subject: [PATCH 173/229] feat: manage puppet/puppetca consul services - add puppet service - add puppetca service - add ability to write to puppet/puppetca service in consul - add puppet.(query,service).consul to dns_alt_names of all masters - add puppetca.(query,service).consul to dns_alt_names of puppetca --- hieradata/common.yaml | 8 ----- .../nodes/prodinf01n01.main.unkin.net.yaml | 2 ++ hieradata/roles/infra/puppet/master.yaml | 34 +++++++++++++++++++ site/profiles/manifests/puppet/puppetca.pp | 21 ++++++++++++ 4 files changed, 57 insertions(+), 8 deletions(-) diff --git a/hieradata/common.yaml b/hieradata/common.yaml index 71eefa0..42b8e47 100644 --- a/hieradata/common.yaml +++ b/hieradata/common.yaml @@ -240,11 +240,3 @@ profiles::base::hosts::additional_hosts: aliases: - prodinf01n22 - repos.main.unkin.net - -profiles::puppet::server::dns_alt_names: - - "%{facts.networking.fqdn}" - - "%{facts.networking.hostname}" - - puppetmaster.main.unkin.net - - puppet.main.unkin.net - - puppetmaster - - puppet diff --git a/hieradata/nodes/prodinf01n01.main.unkin.net.yaml b/hieradata/nodes/prodinf01n01.main.unkin.net.yaml index d998612..a909eb0 100644 --- a/hieradata/nodes/prodinf01n01.main.unkin.net.yaml +++ b/hieradata/nodes/prodinf01n01.main.unkin.net.yaml @@ -1,6 +1,8 @@ --- profiles::puppet::server::dns_alt_names: - puppetca.main.unkin.net + - puppetca.service.consul + - puppetca.query.consul - puppetca profiles::puppet::puppetca::is_puppetca: true 
diff --git a/hieradata/roles/infra/puppet/master.yaml b/hieradata/roles/infra/puppet/master.yaml index 9d5468b..4f3b6d8 100644 --- a/hieradata/roles/infra/puppet/master.yaml +++ b/hieradata/roles/infra/puppet/master.yaml @@ -36,3 +36,37 @@ profiles::helpers::certmanager::vault_config: role_name: 'servers_default' output_path: '/tmp/certmanager' role_id: "%{lookup('certmanager::role_id')}" + +profiles::puppet::server::dns_alt_names: + - "%{facts.networking.fqdn}" + - "%{facts.networking.hostname}" + - puppetmaster.main.unkin.net + - puppet.main.unkin.net + - puppet.service.consul + - puppet.query.consul + - puppetmaster + - puppet + +consul::services: + puppet: + service_name: 'puppet' + tags: + - 'puppet' + - 'master' + address: "%{facts.networking.ip}" + port: 8140 + checks: + - id: 'puppet_https_check' + name: 'Puppet HTTPS Check' + http: "https://%{facts.networking.fqdn}:8140/status/v1/simple" + method: 'GET' + tls_skip_verify: true + interval: '10s' + timeout: '1s' +profiles::consul::client::node_rules: + - resource: service + segment: puppet + disposition: write + - resource: service + segment: puppetca + disposition: write diff --git a/site/profiles/manifests/puppet/puppetca.pp b/site/profiles/manifests/puppet/puppetca.pp index 1e75240..e94ecad 100644 --- a/site/profiles/manifests/puppet/puppetca.pp +++ b/site/profiles/manifests/puppet/puppetca.pp @@ -32,4 +32,25 @@ class profiles::puppet::puppetca ( require => Service['puppetserver'], } } + + # register the PuppetCA service with consul + if $is_puppetca { + consul::service { 'puppetca': + service_name => 'puppetca', + tags => ['ca', 'puppet', 'ssl'], + address => $facts['networking']['ip'], + port => 8140, + checks => [ + { + id => 'puppetca_https_check', + name => 'PuppetCA HTTPS Check', + http => "https://${facts['networking']['fqdn']}:8140/status/v1/simple", + method => 'GET', + tls_skip_verify => true, + interval => '10s', + timeout => '1s', + } + ], + } + } } 
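Review bot: The `profiles::consul::client::node_rules` at the bottom of the master.yaml hunk grant `segment: puppetca` / `disposition: write` to every node in the master role, yet only the node with `is_puppetca: true` registers that service (puppetca.pp hunk) and a later commit in this series points agents' `ca_server` at `puppetca.query.consul`. Any compromised or misconfigured non-CA master could therefore register itself as `puppetca` and receive agents' CSRs; move the puppetca rule into the CA node's own hieradata (`hieradata/nodes/prodinf01n01.main.unkin.net.yaml`) and leave the role with only the `segment: puppet` write rule. A short comment next to the remaining rule, `# puppetca write lives in the CA node's hieradata, not the role`, would stop it being re-added.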
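Review bot: The `puppetca_https_check` in the new `consul::service { 'puppetca': }` block sets `tls_skip_verify => true` against the CA's own `/status/v1/simple` endpoint, so anything answering on :8140 with any certificate is reported healthy and becomes a target of `puppetca.query.consul`. The puppetserver certificate is issued by the Puppet CA whose bundle already lives on these hosts, so the check could verify if the Consul agent can be pointed at that bundle; if it cannot, say so in place: `# tls_skip_verify: Consul agent has no Puppet CA bundle; this check proves liveness, not identity`.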
From 51bd1796ad27eda104b611f0f666efe72be8855e Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sat, 4 May 2024 16:27:32 +1000 Subject: [PATCH 174/229] feat: per-datacentre consul dns - change forwarding for consul to be per-datacentre to local consul - change domain from service.consul -> consul so query.consul can be resolved --- .../country/au/region/drw1/infra/dns/resolver.yaml | 8 ++++++++ .../country/au/region/syd1/infra/dns/resolver.yaml | 8 ++++++++ hieradata/roles/infra/dns/resolver.yaml | 10 +--------- 3 files changed, 17 insertions(+), 9 deletions(-) diff --git a/hieradata/country/au/region/drw1/infra/dns/resolver.yaml b/hieradata/country/au/region/drw1/infra/dns/resolver.yaml index 49afb06..157667c 100644 --- a/hieradata/country/au/region/drw1/infra/dns/resolver.yaml +++ b/hieradata/country/au/region/drw1/infra/dns/resolver.yaml @@ -42,3 +42,11 @@ profiles::dns::resolver::zones: - 198.18.17.23 - 198.18.17.24 forward: 'only' + consul-forward: + domain: 'consul' + zone_type: 'forward' + forwarders: + - 198.18.17.34 + - 198.18.17.35 + - 198.18.17.36 + forward: 'only' diff --git a/hieradata/country/au/region/syd1/infra/dns/resolver.yaml b/hieradata/country/au/region/syd1/infra/dns/resolver.yaml index ddde7f5..088f065 100644 --- a/hieradata/country/au/region/syd1/infra/dns/resolver.yaml +++ b/hieradata/country/au/region/syd1/infra/dns/resolver.yaml @@ -42,3 +42,11 @@ profiles::dns::resolver::zones: - 198.18.13.14 - 198.18.13.15 forward: 'only' + consul-forward: + domain: 'consul' + zone_type: 'forward' + forwarders: + - 198.18.13.19 + - 198.18.13.20 + - 198.18.13.21 + forward: 'only' diff --git a/hieradata/roles/infra/dns/resolver.yaml b/hieradata/roles/infra/dns/resolver.yaml index ceb8863..10751b9 100644 --- a/hieradata/roles/infra/dns/resolver.yaml +++ b/hieradata/roles/infra/dns/resolver.yaml 
@@ -61,14 +61,6 @@ profiles::dns::resolver::zones: - 10.10.16.32 - 10.10.16.33 forward: 'only' - service.consul-forward: - domain: 'service.consul' - zone_type: 'forward' - forwarders: - - 198.18.13.19 - - 198.18.13.20 - - 198.18.13.21 - forward: 'only' profiles::dns::resolver::views: openforwarder: @@ -79,7 +71,7 @@ profiles::dns::resolver::views: - dmz.unkin.net-forward - network.unkin.net-forward - prod.unkin.net-forward - - service.consul-forward + - consul-forward - 13.18.198.in-addr.arpa-forward - 14.18.198.in-addr.arpa-forward - 15.18.198.in-addr.arpa-forward From f1ff7cb73619bccf4a60a13eba48f97a0bb453ab Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sat, 4 May 2024 22:28:26 +1000 Subject: [PATCH 175/229] feat: distribute eyaml pub/priv key - distribute the private/public pem for eyaml via eyaml --- hieradata/roles/infra/puppet/master.eyaml | 2 + site/profiles/manifests/puppet/eyaml.pp | 41 +++++++++++++++++++ .../profiles/manifests/puppet/puppetmaster.pp | 1 + 3 files changed, 44 insertions(+) create mode 100644 site/profiles/manifests/puppet/eyaml.pp diff --git a/hieradata/roles/infra/puppet/master.eyaml b/hieradata/roles/infra/puppet/master.eyaml index 46f1d03..8f8fdd4 100644 --- a/hieradata/roles/infra/puppet/master.eyaml +++ b/hieradata/roles/infra/puppet/master.eyaml 
@@ -1,3 +1,5 @@ --- certmanager::vault_token: ENC[PKCS7,MIIBygYJKoZIhvcNAQcDoIIBuzCCAbcCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAWh7bsttz/JCBo/CPoCgA2doo3jO6jT6NsOoE3/06W2IW+Ij6KHKYILMkG3tS4NAegMI48QR9n++4Xa7u+97w1HO4ENpfLrkuKUcWUFCxxb2OdWhxucIlt3Ay/2+tofOSvqiRKeEISBtOK//Q1a4Iu5GwEP+lvDQ5rcoS0dryNie/okXaLratWOsmctJ6LFuUw5siCcFyUzfvr2ROsB14YoF989np+X1dJqBWxcLmbVNKx766GrRhb1WGeF0qxounCmWEKGt0zY4Zk27KNFlFu7XByDWZoSCVCMvkQaRKhvdNA39Y9vscZJGPGFhz+qKPoeqwUidz0IY51CaFSXewmzCBjAYJKoZIhvcNAQcBMB0GCWCGSAFlAwQBKgQQC+e2iOlFLlr9inVU8nEVWIBgqb0u/ICsLtxZqOpN9OIFWl+4hVrvTo24JzTc1jMSCONeL4Ab7jtTMbsweE9zUf6XlwhHLXfxfg7FL3WBsOWCUBXIAh338cZCXUGX7m0Qvtgg3VTEbTNDJhZle8Sjo6Gl] certmanager::role_id: ENC[PKCS7,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] +profiles::puppet::eyaml::publickey: ENC[PKCS7,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] +profiles::puppet::eyaml::privatekey: ENC[PKCS7,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] diff --git a/site/profiles/manifests/puppet/eyaml.pp b/site/profiles/manifests/puppet/eyaml.pp new file mode 100644 index 0000000..093e9c2 --- /dev/null +++ b/site/profiles/manifests/puppet/eyaml.pp 
@@ -0,0 +1,41 @@ +# profiles::puppet::eyaml +class profiles::puppet::eyaml ( + String $privatekey = '', + String $publickey = '', +) { + + # create the /var/lib/puppet/keys directory + file { '/var/lib/puppet': + ensure => 'directory', + owner => 'puppet', + group => 'root', + mode => '0755', + } + file { '/var/lib/puppet/keys': + ensure => 'directory', + owner => 'puppet', + group => 'root', + mode => '0755', + require => File['/var/lib/puppet'] + } + # manage the eyaml private key + file { '/var/lib/puppet/keys/private_key.pkcs7.pem': + ensure => 'file', + owner => 'puppet', + group => 'root', + mode => '0400', + content => Sensitive($privatekey), + before => Service['puppetserver'], + require => File['/var/lib/puppet/keys'], + } + # manage the eyaml private key + file { '/var/lib/puppet/keys/public_key.pkcs7.pem': + ensure => 'file', + owner => 'puppet', + group => 'root', + mode => '0400', + content => Sensitive($publickey), + before => Service['puppetserver'], + require => File['/var/lib/puppet/keys'], + } +} diff --git a/site/profiles/manifests/puppet/puppetmaster.pp b/site/profiles/manifests/puppet/puppetmaster.pp index 73f46c0..79ce387 100644 --- a/site/profiles/manifests/puppet/puppetmaster.pp +++ b/site/profiles/manifests/puppet/puppetmaster.pp @@ -17,6 +17,7 @@ class profiles::puppet::puppetmaster ( include profiles::helpers::certmanager include profiles::puppet::server include profiles::puppet::puppetca + include profiles::puppet::eyaml class { 'puppetdb::master::config': puppetdb_server => $puppetdb_host, From 6335167e3a768c5cba4e44c1085bc4fe54374fa6 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sun, 5 May 2024 16:47:39 +1000 Subject: [PATCH 176/229] feat: change clients to use puppet.query.consul - change all clients/servers to use puppet from consul service mesh --- hieradata/common.yaml | 2 ++ hieradata/roles/infra/puppet/master.yaml | 3 +++ 2 files changed, 5 insertions(+) 
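Review bot: `profiles::puppet::eyaml` defaults both keys to `''`, so a master whose lookup of `profiles::puppet::eyaml::privatekey` resolves to nothing (plausibly a freshly built master, since the key is distributed through the eyaml data it itself decrypts) has `/var/lib/puppet/keys/private_key.pkcs7.pem` overwritten with an empty file before `puppetserver` starts, breaking every encrypted lookup it serves. Drop the defaults and declare `Sensitive[String[1]] $privatekey,` and `Sensitive[String[1]] $publickey,` (then `content => $privatekey` / `content => $publickey`), so a missing value fails compilation instead of clobbering the key and the lookup result itself is redacted rather than only the file content; a `lookup_options` entry with `convert_to: Sensitive` for both keys keeps Hiera consistent with that. The second file resource's comment also still reads `# manage the eyaml private key` for the public key.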
diff --git a/hieradata/common.yaml b/hieradata/common.yaml index 42b8e47..555a2b3 100644 --- a/hieradata/common.yaml +++ b/hieradata/common.yaml @@ -180,6 +180,8 @@ profiles::packages::remove: profiles::base::scripts::scripts: puppet: puppetwrapper.py +profiles::puppet::client::server: 'puppet.query.consul' +profiles::puppet::client::ca_server: 'puppetca.query.consul' profiles::puppet::client::environment: 'develop' profiles::puppet::client::runinterval: 1800 profiles::puppet::client::runtimeout: 3600 diff --git a/hieradata/roles/infra/puppet/master.yaml b/hieradata/roles/infra/puppet/master.yaml index 4f3b6d8..07ae874 100644 --- a/hieradata/roles/infra/puppet/master.yaml +++ b/hieradata/roles/infra/puppet/master.yaml @@ -37,6 +37,9 @@ profiles::helpers::certmanager::vault_config: output_path: '/tmp/certmanager' role_id: "%{lookup('certmanager::role_id')}" +profiles::puppet::server::agent_server: 'puppet.query.consul' +profiles::puppet::server::report_server: 'puppet.query.consul' +profiles::puppet::server::ca_server: 'puppetca.query.consul' profiles::puppet::server::dns_alt_names: - "%{facts.networking.fqdn}" - "%{facts.networking.hostname}" From e9c7fbc2b5cb9160cad67c1b239dbdcae5b90314 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sun, 5 May 2024 18:58:52 +1000 Subject: [PATCH 177/229] feat: update puppetdb_api for multi-zone - wait for the enc_role fact to be updated and match - move puppetdb db/api host values to common.yaml - add vault cert altnames for consul query/service addresses - add consul services/rules/checks --- hieradata/common.yaml | 3 + hieradata/roles/infra.yaml | 2 - hieradata/roles/infra/puppetdb/api.yaml | 29 +++++++++ .../profiles/manifests/puppet/puppetdb_api.pp | 59 ++++++++++--------- 4 files changed, 63 insertions(+), 30 deletions(-) diff --git a/hieradata/common.yaml b/hieradata/common.yaml index 555a2b3..6baf98e 100644 --- a/hieradata/common.yaml +++ b/hieradata/common.yaml 
@@ -188,6 +188,9 @@ profiles::puppet::client::runtimeout: 3600 profiles::puppet::client::show_diff: true profiles::puppet::client::usecacheonfailure: false +profiles::puppet::puppetdb::puppetdb_host: prodinf01n04.main.unkin.net +profiles::puppet::puppetdb::postgres_host: prodinf01n05.main.unkin.net + prometheus::node_exporter::export_scrape_job: true prometheus::systemd_exporter::export_scrape_job: true diff --git a/hieradata/roles/infra.yaml b/hieradata/roles/infra.yaml index 3192355..8c2ae06 100644 --- a/hieradata/roles/infra.yaml +++ b/hieradata/roles/infra.yaml @@ -2,7 +2,5 @@ profiles::packages::install: - policycoreutils -profiles::puppet::puppetdb::puppetdb_host: prodinf01n04.main.unkin.net -profiles::puppet::puppetdb::postgres_host: prodinf01n05.main.unkin.net puppetdb::master::config::create_puppet_service_resource: false #puppetdb::master::config::puppetdb_host: "%{lookup('profiles::puppet::puppetdb::puppetdb_host')}" diff --git a/hieradata/roles/infra/puppetdb/api.yaml b/hieradata/roles/infra/puppetdb/api.yaml index 551007e..b6f77cc 100644 --- a/hieradata/roles/infra/puppetdb/api.yaml +++ b/hieradata/roles/infra/puppetdb/api.yaml @@ -3,3 +3,32 @@ profiles::puppet::puppetdb_api::java_bin: /usr/lib/jvm/jre-11/bin/java profiles::puppet::puppetdb_api::java_args: '-Xmx': '512m' '-Xms': '256m' + +# additional altnames +profiles::pki::vault::alt_names: + - puppetdbapi.main.unkin.net + - puppetdbapi.service.consul + - puppetdbapi.query.consul + - puppetdbapi + +consul::services: + puppetdbapi: + service_name: 'puppetdbapi' + tags: + - 'puppet' + - 'puppetdb' + - 'puppetdbapi' + address: "%{facts.networking.ip}" + port: 8080 + checks: + - id: 'puppetdbapi_http_check' + name: 'PuppetDB API HTTP Check' + http: "http://%{facts.networking.fqdn}:8080" + method: 'GET' + tls_skip_verify: true + interval: '10s' + timeout: '1s' +profiles::consul::client::node_rules: + - resource: service + segment: puppetdbapi + disposition: write 
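Review bot: The `puppetdbapi` service in the api.yaml hunk registers PuppetDB's plain-HTTP port 8080 into Consul DNS (and adds `puppetdbapi.query.consul` to the Vault cert alt-names), which advertises an endpoint that carries no client authentication to anything able to resolve and reach it, while the `tls_skip_verify: true` on an `http://` check is a no-op that suggests HTTPS was intended. If consumers are meant to use the TLS listener (puppetdb_api.pp sets `ssl_listen_address` alongside `listen_address`), register that port with an `https://` check instead; if 8080 genuinely must be discoverable, note the reach constraint in the hieradata, e.g. `# plain HTTP: only reachable from the haproxy members exported by puppetdb_api.pp`, and drop the dead `tls_skip_verify`.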
diff --git a/site/profiles/manifests/puppet/puppetdb_api.pp b/site/profiles/manifests/puppet/puppetdb_api.pp index 214f163..e02db38 100644 --- a/site/profiles/manifests/puppet/puppetdb_api.pp +++ b/site/profiles/manifests/puppet/puppetdb_api.pp @@ -6,37 +6,40 @@ class profiles::puppet::puppetdb_api ( Hash $java_args = {}, ) { - class { 'java': - package => 'java-11-openjdk-devel', - before => Class['puppetdb::server'], - } + # wait for enc_role to match the required role + if $facts['enc_role'] == 'roles::infra::puppetdb::api' { + class { 'java': + package => 'java-11-openjdk-devel', + before => Class['puppetdb::server'], + } - class { 'puppetdb::server': - database_host => $postgres_host, - manage_firewall => false, - ssl_listen_address => $listen_address, - listen_address => $listen_address, - java_bin => $java_bin, - java_args => $java_args, - } + class { 'puppetdb::server': + database_host => $postgres_host, + manage_firewall => false, + ssl_listen_address => $listen_address, + listen_address => $listen_address, + java_bin => $java_bin, + java_args => $java_args, + } - contain ::puppetdb::server + contain ::puppetdb::server - class { 'prometheus::puppetdb_exporter': - puppetdb_url => "http://${listen_address}:8080/pdb/query", - export_scrape_job => true, - } + class { 'prometheus::puppetdb_exporter': + puppetdb_url => "http://${listen_address}:8080/pdb/query", + export_scrape_job => true, + } - # export haproxy balancemember - profiles::haproxy::balancemember { "${facts['networking']['fqdn']}_8080": - service => 'be_puppetdbapi', - ports => [8080], - options => [ - "cookie ${facts['networking']['hostname']}", - 'check', - 'inter 2s', - 'rise 3', - 'fall 2', - ] + # export haproxy balancemember + profiles::haproxy::balancemember { "${facts['networking']['fqdn']}_8080": + service => 'be_puppetdbapi', + ports => [8080], + options => [ + "cookie ${facts['networking']['hostname']}", + 'check', + 'inter 2s', + 'rise 3', + 'fall 2', + ] + } } } 
From c2e413c0fb3a05bd832fb19d8d924f8cabf055a5 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Mon, 6 May 2024 21:49:41 +1000 Subject: [PATCH 178/229] chore: move dhcp hieradata to hieradata/role --- .../{country/au/region/drw1 => roles}/infra/dhcp/server.yaml | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename hieradata/{country/au/region/drw1 => roles}/infra/dhcp/server.yaml (100%) diff --git a/hieradata/country/au/region/drw1/infra/dhcp/server.yaml b/hieradata/roles/infra/dhcp/server.yaml similarity index 100% rename from hieradata/country/au/region/drw1/infra/dhcp/server.yaml rename to hieradata/roles/infra/dhcp/server.yaml From 8de1ed9766e92f357b3ad20cf93d03e9043d7eaa Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Mon, 6 May 2024 22:07:39 +1000 Subject: [PATCH 179/229] feat: dhcp wait for enc_role fact --- site/profiles/manifests/dhcp/server.pp | 36 ++++++++++++++------------ 1 file changed, 19 insertions(+), 17 deletions(-) diff --git a/site/profiles/manifests/dhcp/server.pp b/site/profiles/manifests/dhcp/server.pp index a4c6d98..726ff19 100644 --- a/site/profiles/manifests/dhcp/server.pp +++ b/site/profiles/manifests/dhcp/server.pp 
@@ -13,25 +13,27 @@ class profiles::dhcp::server ( Hash $classes = {}, ){ - class { 'dhcp': - service_ensure => running, - interfaces => $interfaces, - ntpservers => $ntpservers, - default_lease_time => $default_lease_time, - globaloptions => $globaloptions - } - - # if pools, import them - $pools.each | $name, $data | { - dhcp::pool { $name: - * => $data, + if $facts['enc_role'] == 'roles::infra::dhcp::server' { + class { 'dhcp': + service_ensure => running, + interfaces => $interfaces, + ntpservers => $ntpservers, + default_lease_time => $default_lease_time, + globaloptions => $globaloptions } - } - # if classes, import them - $classes.each | $name, $data | { - dhcp::dhcp_class { $name: - * => $data, + # if pools, import them + $pools.each | $name, $data | { + dhcp::pool { $name: + * => $data, + } + } + + # if classes, import them + $classes.each | $name, $data | { + dhcp::dhcp_class { $name: + * => $data, + } } } } From 72077d64a2815a1fd9f0db6785a4e0a168027c4c Mon Sep 17 00:00:00 2001 
From: Ben Vincent Date: Tue, 7 May 2024 22:37:16 +1000 Subject: [PATCH 180/229] refactor: reconfigure cobbler to module style - split params into class - split class into individual functions --- hieradata/roles/infra/cobbler/server.eyaml | 2 +- hieradata/roles/infra/cobbler/server.yaml | 2 +- site/profiles/manifests/cobbler/config.pp | 75 ++++++++++++ site/profiles/manifests/cobbler/init.pp | 17 +++ site/profiles/manifests/cobbler/install.pp | 9 ++ site/profiles/manifests/cobbler/ipxebins.pp | 2 + site/profiles/manifests/cobbler/params.pp | 24 ++++ site/profiles/manifests/cobbler/selinux.pp | 37 ++++++ site/profiles/manifests/cobbler/server.pp | 119 ------------------- site/profiles/manifests/cobbler/service.pp | 17 +++ site/roles/manifests/infra/cobbler/server.pp | 2 +- 11 files changed, 184 insertions(+), 122 deletions(-) create mode 100644 site/profiles/manifests/cobbler/config.pp create mode 100644 site/profiles/manifests/cobbler/init.pp create mode 100644 site/profiles/manifests/cobbler/install.pp create mode 100644 site/profiles/manifests/cobbler/params.pp create mode 100644 site/profiles/manifests/cobbler/selinux.pp delete mode 100644 site/profiles/manifests/cobbler/server.pp create mode 100644 site/profiles/manifests/cobbler/service.pp diff --git a/hieradata/roles/infra/cobbler/server.eyaml b/hieradata/roles/infra/cobbler/server.eyaml index 9f6f432..6ccffe3 100644 --- a/hieradata/roles/infra/cobbler/server.eyaml +++ b/hieradata/roles/infra/cobbler/server.eyaml @@ -1,2 +1,2 @@ --- -profiles::cobbler::server::default_password_crypted: ENC[PKCS7,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] +profiles::cobbler::params::default_password_crypted: ENC[PKCS7,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] diff --git a/hieradata/roles/infra/cobbler/server.yaml b/hieradata/roles/infra/cobbler/server.yaml index 4aaea83..9fac228 100644 --- a/hieradata/roles/infra/cobbler/server.yaml +++ b/hieradata/roles/infra/cobbler/server.yaml 
@@ -14,4 +14,4 @@ profiles::packages::install: profiles::pki::vault::alt_names: - cobbler.main.unkin.net -profiles::cobbler::server::service_cname: 'cobbler.main.unkin.net' +profiles::cobbler::params::service_cname: 'cobbler.main.unkin.net' diff --git a/site/profiles/manifests/cobbler/config.pp b/site/profiles/manifests/cobbler/config.pp new file mode 100644 index 0000000..9b5c2af --- /dev/null +++ b/site/profiles/manifests/cobbler/config.pp 
@@ -0,0 +1,75 @@ +# profiles::cobbler::config +class profiles::cobbler::config { + + include profiles::cobbler::params + + $default_password_crypted = $profiles::cobbler::params::default_password_crypted + $httpd_ssl_certificate = $profiles::cobbler::params::httpd_ssl_certificate + $httpd_ssl_privatekey = $profiles::cobbler::params::httpd_ssl_privatekey + $pxe_just_once = $profiles::cobbler::params::pxe_just_once + $service_cname = $profiles::cobbler::params::service_cname + $next_server = $profiles::cobbler::params::next_server + $server = $profiles::cobbler::params::server + + # manage the cobbler settings file + file { '/etc/cobbler/settings.yaml': + ensure => 'file', + content => template('profiles/cobbler/settings.yaml.erb'), + group => 'apache', + owner => 'root', + mode => '0640', + require => Package['cobbler'], + notify => Service['cobblerd'], + } + + # manage the debmirror config to meet cobbler requirements + file { '/etc/debmirror.conf': + ensure => 'file', + content => template('profiles/cobbler/debmirror.conf.erb'), + group => 'root', + owner => 'root', + mode => '0644', + require => Package['debmirror'], + } + + # manage the httpd ssl configuration + file { '/etc/httpd/conf.d/ssl.conf': + ensure => 'file', + content => template('profiles/cobbler/httpd_ssl.conf.erb'), + group => 'root', + owner => 'root', + mode => '0644', + require => Package['httpd'], + notify => Service['httpd'], + } + + # fix permissions in /var/lib/cobbler/web.ss + file {'/var/lib/cobbler/web.ss': + ensure => 'file', + group => 'root', + owner => 'apache', + mode => '0660', + require => Package['cobbler'], + notify => Service['cobblerd'], + } + + # manage the main ipxe menu script + file { '/var/lib/tftpboot/main.ipxe': + ensure => 'file', + content => template('profiles/cobbler/main.ipxe.erb'), + owner => 'root', + group => 'root', + mode => '0644', + require => Package['cobbler'], + } + + # export cnames for cobbler + #profiles::dns::record { 
"${::facts['networking']['fqdn']}_${service_cname}_CNAME": + # value => $::facts['networking']['hostname'], + # type => 'CNAME', + # record => "${service_cname}.", + # zone => $::facts['networking']['domain'], + # order => 10, + #} + +} diff --git a/site/profiles/manifests/cobbler/init.pp b/site/profiles/manifests/cobbler/init.pp new file mode 100644 index 0000000..24b1555 --- /dev/null +++ b/site/profiles/manifests/cobbler/init.pp @@ -0,0 +1,17 @@ +# profiles::cobbler::init +class profiles::cobbler::init ( +) { + # wait for enc_role to be populated, needed for hieradata to match + if $facts['enc_role'] == 'roles::infra::cobbler::server' { + include profiles::cobbler::config + include profiles::cobbler::install + include profiles::cobbler::ipxebins + include profiles::cobbler::selinux + include profiles::cobbler::service + + Class['profiles::cobbler::install'] + -> Class['profiles::cobbler::config'] + -> Class['profiles::cobbler::ipxebins'] + -> Class['profiles::cobbler::selinux'] + } +} diff --git a/site/profiles/manifests/cobbler/install.pp b/site/profiles/manifests/cobbler/install.pp new file mode 100644 index 0000000..df41ed6 --- /dev/null +++ b/site/profiles/manifests/cobbler/install.pp @@ -0,0 +1,9 @@ +# profiles::cobbler::install +class profiles::cobbler::install { + + include profiles::cobbler::params + + $packages = $profiles::cobbler::params::packages + + ensure_packages($packages, { ensure => 'present' }) +} diff --git a/site/profiles/manifests/cobbler/ipxebins.pp b/site/profiles/manifests/cobbler/ipxebins.pp index 125c353..1fc0bf9 100644 --- a/site/profiles/manifests/cobbler/ipxebins.pp +++ b/site/profiles/manifests/cobbler/ipxebins.pp @@ -1,6 +1,8 @@ # profiles::cobbler::ipxebins class profiles::cobbler::ipxebins { + include profiles::cobbler::params + # download the custom undionly.kpxe file # https://gist.github.com/rikka0w0/50895b82cbec8a3a1e8c7707479824c1 exec { 'download_undionly_kpxe': 
diff --git a/site/profiles/manifests/cobbler/params.pp b/site/profiles/manifests/cobbler/params.pp new file mode 100644 index 0000000..ca5ddfd --- /dev/null +++ b/site/profiles/manifests/cobbler/params.pp @@ -0,0 +1,24 @@ +# profiles::cobbler::params +class profiles::cobbler::params ( + Stdlib::Absolutepath $httpd_ssl_certificate = '/etc/pki/tls/vault/certificate.crt', + Stdlib::Absolutepath $httpd_ssl_privatekey = '/etc/pki/tls/vault/private.key', + Stdlib::Absolutepath $tftpboot_path = '/var/lib/tftpboot/boot', + Stdlib::Fqdn $service_cname = $facts['networking']['fqdn'], + String $default_password_crypted = 'changeme', + String $server = $::facts['networking']['ip'], + String $next_server = $::facts['networking']['ip'], + Boolean $pxe_just_once = true, + Array $packages = [ + 'cobbler', + 'cobbler3.2-web', + 'httpd', + 'syslinux', + 'dnf-plugins-core', + 'debmirror', + 'pykickstart', + 'fence-agents', + 'selinux-policy-devel', + 'ipxe-bootimgs', + ] +){ +} diff --git a/site/profiles/manifests/cobbler/selinux.pp b/site/profiles/manifests/cobbler/selinux.pp new file mode 100644 index 0000000..a8b0d61 --- /dev/null +++ b/site/profiles/manifests/cobbler/selinux.pp 
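Review bot: `String $default_password_crypted = 'changeme'` in `profiles::cobbler::params` is not a crypt(3) hash, so if the eyaml lookup for `profiles::cobbler::params::default_password_crypted` fails, settings.yaml silently ships the placeholder and installers that consume it as an already-crypted value produce a root account with an unknown password rather than a loud failure. Make it required — `Sensitive[String[1]] $default_password_crypted,` — so a missing lookup stops compilation, unwrap it in config.pp before handing it to the template (ERB renders a Sensitive object as its redacted form), and document the format: `# default_password_crypted: crypt(3) hash (e.g. SHA-512) written into cobbler's settings.yaml`. `$server`/`$next_server` are typed `String` where `Stdlib::IP::Address` would reject bad data at compile time.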
@@ -0,0 +1,37 @@ +# profiles::cobbler::selinux +class profiles::cobbler::selinux inherits profiles::cobbler::params { + + include profiles::cobbler::params + + $tftpboot_path = $profiles::cobbler::params::tftpboot_path + + # manage selinux requirements for cobbler + if $::facts['os']['selinux']['config_mode'] == 'enforcing' { + + $enable_sebooleans = [ + 'httpd_can_network_connect_cobbler', + 'httpd_serve_cobbler_files', + 'cobbler_can_network_connect' + ] + + $enable_sebooleans.each |$bool| { + selboolean { $bool: + value => on, + persistent => true, + } + } + + selinux::fcontext { $tftpboot_path: + ensure => 'present', + seltype => 'cobbler_var_lib_t', + pathspec => "${tftpboot_path}(/.*)?", + } + + exec { "restorecon_${tftpboot_path}": + path => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'], + command => "restorecon -Rv ${tftpboot_path}", + refreshonly => true, + subscribe => Selinux::Fcontext[$tftpboot_path], + } + } +} diff --git a/site/profiles/manifests/cobbler/server.pp b/site/profiles/manifests/cobbler/server.pp deleted file mode 100644 index 3dba1dc..0000000 --- a/site/profiles/manifests/cobbler/server.pp +++ /dev/null 
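Review bot: `class profiles::cobbler::selinux inherits profiles::cobbler::params {` immediately followed by `include profiles::cobbler::params` does the same thing twice, and differs from config.pp/install.pp which only `include` the params class. Drop the `inherits` (puppet-lint flags params-class inheritance) and keep the explicit include plus the `$tftpboot_path = $profiles::cobbler::params::tftpboot_path` assignment, matching the sibling classes.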
@@ -1,119 +0,0 @@ -# profiles::cobbler::server -class profiles::cobbler::server ( - Stdlib::Fqdn $service_cname, - String $default_password_crypted, - Stdlib::Absolutepath $httpd_ssl_certificate = '/etc/pki/tls/vault/certificate.crt', - Stdlib::Absolutepath $httpd_ssl_privatekey = '/etc/pki/tls/vault/private.key', - Stdlib::Absolutepath $tftpboot_path = '/var/lib/tftpboot/boot', - String $server = $::facts['networking']['ip'], - String $next_server = $::facts['networking']['ip'], - Boolean $pxe_just_once = true, -) { - - include profiles::cobbler::ipxebins - - # manage the cobbler settings file - file { '/etc/cobbler/settings.yaml': - ensure => 'file', - content => template('profiles/cobbler/settings.yaml.erb'), - group => 'apache', - owner => 'root', - mode => '0640', - require => Package['cobbler'], - notify => Service['cobblerd'], - } - - # fix permissions in /var/lib/cobbler/web.ss - file {'/var/lib/cobbler/web.ss': - ensure => 'file', - group => 'root', - owner => 'apache', - mode => '0660', - require => Package['cobbler'], - notify => Service['cobblerd'], - } - - # manage the debmirror config to meet cobbler requirements - file { '/etc/debmirror.conf': - ensure => 'file', - content => template('profiles/cobbler/debmirror.conf.erb'), - group => 'root', - owner => 'root', - mode => '0644', - require => Package['debmirror'], - } - - # manage the httpd ssl configuration - file { '/etc/httpd/conf.d/ssl.conf': - ensure => 'file', - content => template('profiles/cobbler/httpd_ssl.conf.erb'), - group => 'root', - owner => 'root', - mode => '0644', - require => Package['httpd'], - notify => Service['httpd'], - } - - # manage the main ipxe menu script - file { '/var/lib/tftpboot/main.ipxe': - ensure => 'file', - content => template('profiles/cobbler/main.ipxe.erb'), - owner => 'root', - group => 'root', - mode => '0644', - require => Package['cobbler'], - } - - # ensure cobblerd is running - service {'cobblerd': - ensure => 'running', - enable => true, - require => 
File['/etc/cobbler/settings.yaml'], - } - - # ensure httpd is running - service {'httpd': - ensure => 'running', - enable => true, - require => File['/etc/httpd/conf.d/ssl.conf'], - } - - # export cnames for cobbler - profiles::dns::record { "${::facts['networking']['fqdn']}_${service_cname}_CNAME": - value => $::facts['networking']['hostname'], - type => 'CNAME', - record => "${service_cname}.", - zone => $::facts['networking']['domain'], - order => 10, - } - - # manage selinux requirements for cobbler - if $::facts['os']['selinux']['config_mode'] == 'enforcing' { - - $enable_sebooleans = [ - 'httpd_can_network_connect_cobbler', - 'httpd_serve_cobbler_files', - 'cobbler_can_network_connect' - ] - - $enable_sebooleans.each |$bool| { - selboolean { $bool: - value => on, - persistent => true, - } - } - - selinux::fcontext { $tftpboot_path: - ensure => 'present', - seltype => 'cobbler_var_lib_t', - pathspec => "${tftpboot_path}(/.*)?", - } - - exec { "restorecon_${tftpboot_path}": - path => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'], - command => "restorecon -Rv ${tftpboot_path}", - refreshonly => true, - subscribe => Selinux::Fcontext[$tftpboot_path], - } - } -} diff --git a/site/profiles/manifests/cobbler/service.pp b/site/profiles/manifests/cobbler/service.pp new file mode 100644 index 0000000..63b2645 --- /dev/null +++ b/site/profiles/manifests/cobbler/service.pp @@ -0,0 +1,17 @@ +# profiles::cobbler::service +class profiles::cobbler::service inherits profiles::cobbler::params { + + # ensure cobblerd is running + service {'cobblerd': + ensure => 'running', + enable => true, + require => File['/etc/cobbler/settings.yaml'], + } + + # ensure httpd is running + service {'httpd': + ensure => 'running', + enable => true, + require => File['/etc/httpd/conf.d/ssl.conf'], + } +} diff --git a/site/roles/manifests/infra/cobbler/server.pp b/site/roles/manifests/infra/cobbler/server.pp index 65d8541..0c515d3 100644 --- a/site/roles/manifests/infra/cobbler/server.pp 
+++ b/site/roles/manifests/infra/cobbler/server.pp @@ -3,5 +3,5 @@ class roles::infra::cobbler::server { include profiles::defaults include profiles::base include profiles::base::datavol - include profiles::cobbler::server + include profiles::cobbler::init } From fee0bde60401bd670f6eb274cb9f553f79a8e971 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Thu, 9 May 2024 19:47:01 +1000 Subject: [PATCH 181/229] feat: complete cobbler automation - add facts to manage the /var/www/cobbler and /data/cobbler directories - move /var/www/cobbler -> /data/cobbler - create symlink from /var/www/cobbler -> /data/cobbler - ensure that cobbler nodes are set to permissive selinux mode --- hieradata/common.yaml | 1 + hieradata/roles/infra/cobbler/server.yaml | 1 + .../lib/facter/cobbler_data_dir_exists.rb | 8 ++++++ .../libs/lib/facter/cobbler_var_www_exists.rb | 8 ++++++ .../libs/lib/facter/cobbler_var_www_islink.rb | 8 ++++++ site/profiles/manifests/cobbler/install.pp | 25 +++++++++++++++++++ site/profiles/manifests/cobbler/selinux.pp | 11 ++++++++ 7 files changed, 62 insertions(+) create mode 100644 modules/libs/lib/facter/cobbler_data_dir_exists.rb create mode 100644 modules/libs/lib/facter/cobbler_var_www_exists.rb create mode 100644 modules/libs/lib/facter/cobbler_var_www_islink.rb diff --git a/hieradata/common.yaml b/hieradata/common.yaml index cc16e0e..80e79a1 100644 --- a/hieradata/common.yaml +++ b/hieradata/common.yaml @@ -98,6 +98,7 @@ facts_path: '/opt/puppetlabs/facter/facts.d' hiera_classes: - timezone + - profiles::selinux::setenforce profiles::ntp::client::ntp_role: 'roles::infra::ntp::server' profiles::ntp::client::use_ntp: 'region' diff --git a/hieradata/roles/infra/cobbler/server.yaml b/hieradata/roles/infra/cobbler/server.yaml index 9fac228..98511cb 100644 --- a/hieradata/roles/infra/cobbler/server.yaml +++ b/hieradata/roles/infra/cobbler/server.yaml 
@@ -15,3 +15,4 @@ profiles::pki::vault::alt_names: - cobbler.main.unkin.net profiles::cobbler::params::service_cname: 'cobbler.main.unkin.net' +profiles::selinux::setenforce::mode: permissive diff --git a/modules/libs/lib/facter/cobbler_data_dir_exists.rb b/modules/libs/lib/facter/cobbler_data_dir_exists.rb new file mode 100644 index 0000000..d716b35 --- /dev/null +++ b/modules/libs/lib/facter/cobbler_data_dir_exists.rb @@ -0,0 +1,8 @@ +# frozen_string_literal: true + +Facter.add('cobbler_data_dir_exists') do + confine enc_role: 'roles::infra::cobbler::server' + setcode do + File.exist?('/data/cobbler') + end +end diff --git a/modules/libs/lib/facter/cobbler_var_www_exists.rb b/modules/libs/lib/facter/cobbler_var_www_exists.rb new file mode 100644 index 0000000..aa445b8 --- /dev/null +++ b/modules/libs/lib/facter/cobbler_var_www_exists.rb @@ -0,0 +1,8 @@ +# frozen_string_literal: true + +Facter.add('cobbler_var_www_exists') do + confine enc_role: 'roles::infra::cobbler::server' + setcode do + File.exist?('/var/www/cobbler') + end +end diff --git a/modules/libs/lib/facter/cobbler_var_www_islink.rb b/modules/libs/lib/facter/cobbler_var_www_islink.rb new file mode 100644 index 0000000..13d9c6e --- /dev/null +++ b/modules/libs/lib/facter/cobbler_var_www_islink.rb @@ -0,0 +1,8 @@ +# frozen_string_literal: true + +Facter.add('cobbler_var_www_islink') do + confine enc_role: 'roles::infra::cobbler::server' + setcode do + File.exist?('/var/www/cobbler') and File.symlink?('/var/www/cobbler') + end +end diff --git a/site/profiles/manifests/cobbler/install.pp b/site/profiles/manifests/cobbler/install.pp index df41ed6..f6bb8d6 100644 --- a/site/profiles/manifests/cobbler/install.pp +++ b/site/profiles/manifests/cobbler/install.pp 
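Review bot: Setting `profiles::selinux::setenforce::mode: permissive` for the whole cobbler role switches off SELinux enforcement on the host that serves kernels, initrds and kickstarts to every PXE-booting machine, which is exactly where confinement of httpd, tftp and cobblerd matters most. The same patch adds the `cobbler_var_lib_t` fcontext for `/data/cobbler` and the existing code already sets the `httpd_serve_cobbler_files` and `cobbler_can_network_connect` booleans, so the remaining denials should be fixable with labels rather than by dropping enforcement. If permissive is needed while the `/var/www/cobbler` move is debugged, record that in the data so it does not become permanent: `# TODO: temporary while /var/www/cobbler -> /data/cobbler relabelling is verified; return to enforcing`.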
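Review bot: `File.exist?('/var/www/cobbler') and File.symlink?('/var/www/cobbler')` in `cobbler_var_www_islink.rb` is redundant and uses the low-precedence `and`: `File.symlink?` already returns false when the path does not exist, while `File.exist?` follows the link, so a dangling symlink makes the fact report false even though the path is a link. Use `File.symlink?('/var/www/cobbler')` alone (and `&&` if a second condition is ever needed) so the fact describes the path itself. A one-line comment would help the consumer in install.pp: `# true when /var/www/cobbler is a symlink, whether or not its target exists`.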
@@ -6,4 +6,29 @@ class profiles::cobbler::install { $packages = $profiles::cobbler::params::packages ensure_packages($packages, { ensure => 'present' }) + + # move the /var/www/cobbler directory to /data/cobbler + if ! $facts['cobbler_var_www_islink'] and ! $facts['cobbler_data_exists'] { + exec {'move_cobbler_data': + command => 'mv /var/www/cobbler /data/cobbler', + onlyif => 'test -d /var/www/cobbler', + path => ['/bin', '/usr/bin'], + before => Service['cobblerd'], + } + file { '/var/www/cobbler': + ensure => 'link', + target => '/data/cobbler', + require => Exec['move_cobbler_data'], + before => Service['httpd'], + notify => Service['httpd'], + } + } + if ! $facts['cobbler_var_www_exists'] and $facts['cobbler_data_exists'] { + file { '/var/www/cobbler': + ensure => 'link', + target => '/data/cobbler', + before => Service['httpd'], + notify => Service['httpd'], + } + } } diff --git a/site/profiles/manifests/cobbler/selinux.pp b/site/profiles/manifests/cobbler/selinux.pp index a8b0d61..df8dab5 100644 --- a/site/profiles/manifests/cobbler/selinux.pp +++ b/site/profiles/manifests/cobbler/selinux.pp @@ -26,6 +26,11 @@ class profiles::cobbler::selinux inherits profiles::cobbler::params { seltype => 'cobbler_var_lib_t', pathspec => "${tftpboot_path}(/.*)?", } + selinux::fcontext { '/data/cobbler': + ensure => 'present', + seltype => 'cobbler_var_lib_t', + pathspec => '/data/cobbler(/.*)?', + } exec { "restorecon_${tftpboot_path}": path => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'], @@ -33,5 +38,11 @@ class profiles::cobbler::selinux inherits profiles::cobbler::params { refreshonly => true, subscribe => Selinux::Fcontext[$tftpboot_path], } + exec { 'restorecon_/data/cobbler': + path => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'], + command => 'restorecon -Rv /data/cobbler', + refreshonly => true, + subscribe => Selinux::Fcontext['/data/cobbler'], + } } } From a05f81799d0e4040f6a76d6edfc926aa0e37c14e Mon Sep 17 00:00:00 2001 
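Review bot: `$facts['cobbler_data_exists']` is read in both conditions, but the fact added by this patch is named `cobbler_data_dir_exists`, so the lookup is always undef: the first `if` reduces to `! $facts['cobbler_var_www_islink']` and the second branch can never run. On a host that already has both a real `/var/www/cobbler` directory and a `/data/cobbler` directory, `mv /var/www/cobbler /data/cobbler` then moves the tree *into* the existing target as `/data/cobbler/cobbler` and the symlink points at a root that no longer holds the PXE content. Fix the fact name in both conditions and make the exec refuse the nested-move case, e.g. `onlyif => 'test -d /var/www/cobbler -a ! -e /data/cobbler',` (a `creates => '/data/cobbler'` would be a reasonable second guard). The enclosing class starts outside the hunk.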
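Review bot: The new `/data/cobbler` fcontext and its `restorecon` exec sit inside a block that opens outside this hunk; if it is the same `if $::facts['os']['selinux']['config_mode'] == 'enforcing'` guard the old server.pp used, none of it runs on cobbler nodes now that the role sets `profiles::selinux::setenforce::mode: permissive`, and the data directory stays unlabeled for any later return to enforcing. Either apply fcontexts whenever SELinux is not disabled (`!= 'disabled'`) or keep the node enforcing. The duplicated fcontext + exec pairs could be one `each` over `[$tftpboot_path, '/data/cobbler']`, which would also keep both paths under the same guard by construction.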
From: Ben Vincent Date: Sat, 11 May 2024 14:36:28 +1000 Subject: [PATCH 182/229] fix: export cobbler DNS if is_cobbler_master - set prodinf01n48 as primary cobbler node - ensure the cobbler DNS record is created --- .../nodes/prodinf01n48.main.unkin.net.yaml | 2 ++ site/profiles/manifests/cobbler/config.pp | 18 ++++++++++-------- site/profiles/manifests/cobbler/params.pp | 1 + 3 files changed, 13 insertions(+), 8 deletions(-) create mode 100644 hieradata/nodes/prodinf01n48.main.unkin.net.yaml diff --git a/hieradata/nodes/prodinf01n48.main.unkin.net.yaml b/hieradata/nodes/prodinf01n48.main.unkin.net.yaml new file mode 100644 index 0000000..f7ad64b --- /dev/null +++ b/hieradata/nodes/prodinf01n48.main.unkin.net.yaml @@ -0,0 +1,2 @@ +--- +profiles::cobbler::params::is_cobbler_master: true diff --git a/site/profiles/manifests/cobbler/config.pp b/site/profiles/manifests/cobbler/config.pp index 9b5c2af..90aee5d 100644 --- a/site/profiles/manifests/cobbler/config.pp +++ b/site/profiles/manifests/cobbler/config.pp @@ -7,6 +7,7 @@ class profiles::cobbler::config { $httpd_ssl_certificate = $profiles::cobbler::params::httpd_ssl_certificate $httpd_ssl_privatekey = $profiles::cobbler::params::httpd_ssl_privatekey $pxe_just_once = $profiles::cobbler::params::pxe_just_once + $is_cobbler_master = $profiles::cobbler::params::is_cobbler_master $service_cname = $profiles::cobbler::params::service_cname $next_server = $profiles::cobbler::params::next_server $server = $profiles::cobbler::params::server 
@@ -64,12 +65,13 @@ class profiles::cobbler::config { } # export cnames for cobbler - #profiles::dns::record { "${::facts['networking']['fqdn']}_${service_cname}_CNAME": - # value => $::facts['networking']['hostname'], - # type => 'CNAME', - # record => "${service_cname}.", - # zone => $::facts['networking']['domain'], - # order => 10, - #} - + if $is_cobbler_master { + profiles::dns::record { "${::facts['networking']['fqdn']}_${service_cname}_CNAME": + value => $::facts['networking']['hostname'], + type => 'CNAME', + record => "${service_cname}.", + zone => $::facts['networking']['domain'], + order => 10, + } + } } diff --git a/site/profiles/manifests/cobbler/params.pp b/site/profiles/manifests/cobbler/params.pp index ca5ddfd..877f986 100644 --- a/site/profiles/manifests/cobbler/params.pp +++ b/site/profiles/manifests/cobbler/params.pp @@ -8,6 +8,7 @@ class profiles::cobbler::params ( String $server = $::facts['networking']['ip'], String $next_server = $::facts['networking']['ip'], Boolean $pxe_just_once = true, + Boolean $is_cobbler_master = false, Array $packages = [ 'cobbler', 'cobbler3.2-web', From a618962d077e656662933e228f314fe088395a3f Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sat, 11 May 2024 15:22:16 +1000 Subject: [PATCH 183/229] fix: move selinux profile to cobbler - only import the selinux enforce profile in cobbler --- hieradata/common.yaml | 1 - hieradata/roles/infra/cobbler/server.yaml | 3 +++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/hieradata/common.yaml b/hieradata/common.yaml index 80e79a1..cc16e0e 100644 --- a/hieradata/common.yaml +++ b/hieradata/common.yaml @@ -98,7 +98,6 @@ facts_path: '/opt/puppetlabs/facter/facts.d' hiera_classes: - timezone - - profiles::selinux::setenforce profiles::ntp::client::ntp_role: 'roles::infra::ntp::server' profiles::ntp::client::use_ntp: 'region' diff --git a/hieradata/roles/infra/cobbler/server.yaml b/hieradata/roles/infra/cobbler/server.yaml index 98511cb..6709152 100644 
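Review bot: Exactly one node must export the `cobbler.main.unkin.net` CNAME, but `is_cobbler_master` is a per-node boolean defaulting to false, so nothing stops two node files from both setting it and each exporting a record for the same name (the resource titles differ by fqdn, so Puppet will not flag the duplicate and the zone ends up with two CNAMEs). Declaring the master by name instead — a single `profiles::cobbler::params::master_fqdn` with `if $facts['networking']['fqdn'] == $master_fqdn { ... }` — makes the promotion in the later commits a one-line data change and structurally guarantees a single exporter. Note also that `value => $::facts['networking']['hostname']` exports the short hostname; whether `profiles::dns::record` qualifies it with the zone is not visible here, so worth confirming.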
--- a/hieradata/roles/infra/cobbler/server.yaml +++ b/hieradata/roles/infra/cobbler/server.yaml @@ -16,3 +16,6 @@ profiles::pki::vault::alt_names: profiles::cobbler::params::service_cname: 'cobbler.main.unkin.net' profiles::selinux::setenforce::mode: permissive + +hiera_classes: + - profiles::selinux::setenforce From 6633f07d8b08487d9c96008a498757eb9f7d4233 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sat, 11 May 2024 15:30:01 +1000 Subject: [PATCH 184/229] feat: install policycoreutils - install policycoreutils on all almalinux releases --- hieradata/os/AlmaLinux/all_releases.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/hieradata/os/AlmaLinux/all_releases.yaml b/hieradata/os/AlmaLinux/all_releases.yaml index e1e5192..9edbf92 100644 --- a/hieradata/os/AlmaLinux/all_releases.yaml +++ b/hieradata/os/AlmaLinux/all_releases.yaml @@ -12,5 +12,6 @@ profiles::puppet::agent::puppet_version: '7.26.0' profiles::packages::install: - lzo - xz + - policycoreutils lm-sensors::package: lm_sensors From 9edd0603678bbeaab0c602f7503afc7c99de2f61 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sat, 11 May 2024 21:45:24 +1000 Subject: [PATCH 185/229] feat: deep merge /etc/hosts - allow managing /etc/hosts on multiple levels of hiera --- hieradata/common.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/hieradata/common.yaml b/hieradata/common.yaml index cc16e0e..dcc73a2 100644 --- a/hieradata/common.yaml +++ b/hieradata/common.yaml @@ -93,6 +93,9 @@ lookup_options: profiles::puppet::server::dns_alt_names: merge: strategy: deep + profiles::base::hosts::additional_hosts: + merge: + strategy: deep facts_path: '/opt/puppetlabs/facter/facts.d' From 4171427e7b81c2589279600f27f3851aa7f2445b Mon Sep 17 00:00:00 2001 
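Review bot: Declaring `hiera_classes` in the role data replaces, rather than extends, the `hiera_classes` list in common.yaml unless a `lookup_options` entry gives that key an array merge — none is visible in the common.yaml hunks on this page, where keys that do get merge strategies are listed explicitly. If the default first-found lookup applies, cobbler nodes lose `timezone` at the moment they gain `profiles::selinux::setenforce`. Either add `hiera_classes: { merge: unique }` under `lookup_options` in common.yaml, or have the include site call `lookup('hiera_classes', Array[String], 'unique', [])`.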
From: Ben Vincent Date: Sat, 11 May 2024 21:46:20 +1000 Subject: [PATCH 186/229] feat: add edgecache role - add edge-caching role - add mirror for debian, almalinux and epel repositories - export service as edgecache in consul --- hieradata/roles/infra/storage/edgecache.yaml | 76 +++++++++++ site/profiles/manifests/edgecache/init.pp | 12 ++ site/profiles/manifests/edgecache/nginx.pp | 119 ++++++++++++++++++ site/profiles/manifests/edgecache/params.pp | 13 ++ site/profiles/manifests/edgecache/selinux.pp | 56 +++++++++ .../manifests/infra/storage/edgecache.pp | 7 ++ 6 files changed, 283 insertions(+) create mode 100644 hieradata/roles/infra/storage/edgecache.yaml create mode 100644 site/profiles/manifests/edgecache/init.pp create mode 100644 site/profiles/manifests/edgecache/nginx.pp create mode 100644 site/profiles/manifests/edgecache/params.pp create mode 100644 site/profiles/manifests/edgecache/selinux.pp create mode 100644 site/roles/manifests/infra/storage/edgecache.pp diff --git a/hieradata/roles/infra/storage/edgecache.yaml b/hieradata/roles/infra/storage/edgecache.yaml new file mode 100644 index 0000000..af26945 --- /dev/null +++ b/hieradata/roles/infra/storage/edgecache.yaml 
@@ -0,0 +1,76 @@ +--- +consul::services: + puppet: + service_name: 'edgecache' + tags: + - 'cache' + - 'edge' + address: "%{facts.networking.ip}" + port: 443 + checks: + - id: 'edgecache_https_check' + name: 'EdgeCache HTTPS Check' + http: "https://%{facts.networking.fqdn}" + method: 'GET' + tls_skip_verify: true + interval: '10s' + timeout: '1s' +profiles::consul::client::node_rules: + - resource: service + segment: edgecache + disposition: write + +# additional altnames +profiles::pki::vault::alt_names: + - edgecache.service.consul + - edgecache.query.consul + +profiles::edgecache::params::nginx_listen_mode: both +profiles::edgecache::params::nginx_cert_type: vault +profiles::edgecache::params::nginx_aliases: + - edgecache.service.consul + - edgecache.query.consul +profiles::edgecache::params::directories: + /data/edgecache: { owner: root, group: root } + /data/edgecache/pub: { owner: nginx, group: nginx } + /data/edgecache/pub/almalinux: { owner: nginx, group: nginx } + /data/edgecache/pub/debian: { owner: nginx, group: nginx } + /data/edgecache/pub/epel: { owner: nginx, group: nginx } + +profiles::edgecache::params::mirrors: + debian: + ensure: present + location: /debian + proxy: http://mirror.gsl.icu + debian_pool: + ensure: present + location: /debian/pool + proxy: http://mirror.gsl.icu + proxy_cache: cache + proxy_cache_valid: + - '200 302 1440h' + - '404 1m' + almalinux_repodata: + ensure: present + location: '~* ^/almalinux/.*/repodata/' + proxy: http://gsl-syd.mm.fcix.net + almalinux_data: + ensure: present + location: /almalinux + proxy: http://gsl-syd.mm.fcix.net + proxy_cache: cache + proxy_cache_valid: + - '200 302 1440h' + - '404 1m' + epel_repodata: + ensure: present + location: '~* ^/epel/.*/repodata/' + proxy: http://gsl-syd.mm.fcix.net + epel_data: + ensure: present + location: /epel + proxy: http://gsl-syd.mm.fcix.net + proxy_cache: cache + proxy_cache_valid: + - '200 302 1440h' + - '404 1m' 
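Review bot: The consul health check sets `tls_skip_verify: true` against `https://%{facts.networking.fqdn}` even though the same file requests vault-issued certificates with the consul alt names, so the check accepts any certificate and will not notice a broken or expired rotation; if the consul agent trusts the vault CA (profiles::pki::vaultca is applied elsewhere in this repo), drop the flag. Separately, every upstream mirror is `http://`: RPM and deb payloads are still signature-checked on the client, but `repodata` and `Release` metadata fetched in clear can be replaced or frozen by anyone on the path, and the cache then serves the result for up to `1440h`. Prefer `https://` upstreams where the mirrors offer them, and record the reason where they do not: `# upstream is http-only; integrity relies on client-side gpgcheck`.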
diff --git a/site/profiles/manifests/edgecache/init.pp b/site/profiles/manifests/edgecache/init.pp new file mode 100644 index 0000000..1112530 --- /dev/null +++ b/site/profiles/manifests/edgecache/init.pp @@ -0,0 +1,12 @@ +# profiles::edgecache::init +class profiles::edgecache::init { + + if $facts['enc_role'] == 'roles::infra::storage::edgecache' { + + include profiles::edgecache::nginx + include profiles::edgecache::selinux + + Class['profiles::edgecache::nginx'] + -> Class['profiles::edgecache::selinux'] + } +} diff --git a/site/profiles/manifests/edgecache/nginx.pp b/site/profiles/manifests/edgecache/nginx.pp new file mode 100644 index 0000000..6849e22 --- /dev/null +++ b/site/profiles/manifests/edgecache/nginx.pp 
@@ -0,0 +1,119 @@ +# profiles::edgecache::nginx +class profiles::edgecache::nginx { + + include profiles::edgecache::params + + $data_root = $profiles::edgecache::params::data_root + $nginx_vhost = $profiles::edgecache::params::nginx_vhost + $nginx_aliases = $profiles::edgecache::params::nginx_aliases + $nginx_port = $profiles::edgecache::params::nginx_port + $nginx_ssl_port = $profiles::edgecache::params::nginx_ssl_port + $nginx_listen_mode = $profiles::edgecache::params::nginx_listen_mode + $nginx_cert_type = $profiles::edgecache::params::nginx_cert_type + + # select the certificates to use based on cert type + case $nginx_cert_type { + 'puppet': { + $selected_ssl_cert = "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.crt" + $selected_ssl_key = "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.key" + } + 'vault': { + $selected_ssl_cert = '/etc/pki/tls/vault/certificate.crt' + $selected_ssl_key = '/etc/pki/tls/vault/private.key' + } + default: { + # enum param prevents this ever being reached + } + } + + # set variables based on the listen_mode + case $nginx_listen_mode { + 'http': { + $enable_ssl = false + $ssl_cert = undef + $ssl_key = undef + $listen_port = $nginx_port + $listen_ssl_port = undef + $extras_hash = {} + } + 'https': { + $enable_ssl = true + $ssl_cert = $selected_ssl_cert + $ssl_key = $selected_ssl_key + $listen_port = $nginx_ssl_port + $listen_ssl_port = $nginx_ssl_port + $extras_hash = { + 'subscribe' => [File[$ssl_cert], File[$ssl_key]], + } + } + 'both': { + $enable_ssl = true + $ssl_cert = $selected_ssl_cert + $ssl_key = $selected_ssl_key + $listen_port = $nginx_port + $listen_ssl_port = $nginx_ssl_port + $extras_hash = { + 'subscribe' => [File[$ssl_cert], File[$ssl_key]], + } + } + default: { + # enum param prevents this ever being reached + } + } + + # set the server_names + $server_names = unique([$facts['networking']['fqdn'], $nginx_vhost] + $nginx_aliases) + + # define the default parameters for the nginx server + $defaults = { + 
'listen_port' => $listen_port, + 'server_name' => $server_names, + 'use_default_location' => true, + 'access_log' => "/var/log/nginx/${nginx_vhost}_access.log", + 'error_log' => "/var/log/nginx/${nginx_vhost}_error.log", + 'www_root' => "${data_root}/pub", + 'autoindex' => 'on', + 'ssl' => $enable_ssl, + 'ssl_cert' => $ssl_cert, + 'ssl_key' => $ssl_key, + 'ssl_port' => $listen_ssl_port, + } + + # ensure the requires directories exist + $profiles::edgecache::params::directories.each |$name,$data| { + file { $name: + ensure => 'directory', + before => Class['nginx'], + mode => '0775', + * => $data, + } + } + + # merge the hashes conditionally + $nginx_parameters = merge($defaults, $extras_hash) + + # manage the nginx class + class { 'nginx': + proxy_cache_path => { + "${data_root}/cache" => 'cache:128m', + }, + proxy_cache_levels => '1:2', + proxy_cache_keys_zone => 'cache:128m', + proxy_cache_max_size => '30000m', + proxy_cache_inactive => '60d', + proxy_temp_path => "${data_root}/cache_tmp", + } + + # create the nginx vhost with the merged parameters + create_resources('nginx::resource::server', { $nginx_vhost => $nginx_parameters }) + + # create location mirrors + $profiles::edgecache::params::mirrors.each |$name, $data| { + nginx::resource::location { "${nginx_vhost}_${name}": + server => $nginx_vhost, + ssl => true, + ssl_only => false, + * => $data, + } + } +} diff --git a/site/profiles/manifests/edgecache/params.pp b/site/profiles/manifests/edgecache/params.pp new file mode 100644 index 0000000..0250e22 --- /dev/null +++ b/site/profiles/manifests/edgecache/params.pp 
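Review bot: The served tree `/data/edgecache/pub` and its subdirectories are created `owner: nginx, group: nginx` with `mode => '0775'`, so the worker user can rewrite the very files the mirror hands to every client; only `${data_root}/cache` and `cache_tmp` need to be writable by nginx. Unless something not visible here (proxy_store, a sync job running as nginx) populates `pub`, make those directories `root:root` `0755` in the role data and keep nginx write access confined to the cache paths. A point of style: the server is declared through `create_resources('nginx::resource::server', { $nginx_vhost => $nginx_parameters })` while the `file` resources a few lines up already use the splat form — `nginx::resource::server { $nginx_vhost: * => $nginx_parameters }` is the same thing and easier to read.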
@@ -0,0 +1,13 @@ +# profiles::edgecache::params +class profiles::edgecache::params ( + Stdlib::Absolutepath $data_root = '/data/edgecache', + Stdlib::Fqdn $nginx_vhost = $facts['networking']['fqdn'], + Array[Stdlib::Host] $nginx_aliases = [], + Stdlib::Port $nginx_port = 80, + Stdlib::Port $nginx_ssl_port = 443, + Enum['http','https','both'] $nginx_listen_mode = 'http', + Enum['puppet', 'vault'] $nginx_cert_type = 'vault', + Hash $directories = {}, + Hash $mirrors = {}, +){ +} diff --git a/site/profiles/manifests/edgecache/selinux.pp b/site/profiles/manifests/edgecache/selinux.pp new file mode 100644 index 0000000..c3b502b --- /dev/null +++ b/site/profiles/manifests/edgecache/selinux.pp 
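Review bot: `Hash $directories = {}` and `Hash $mirrors = {}` accept any hash, yet nginx.pp splats each value straight into `file` and `nginx::resource::location`, so a typo in the role data surfaces as an opaque resource error instead of a parameter type failure. Tightening to `Hash[Stdlib::Absolutepath, Hash[String[1], Data]] $directories = {}` and `Hash[String[1], Hash[String[1], Data]] $mirrors = {}` catches the mistake at the class boundary. A one-line comment per parameter — which keys the inner hashes take, and that each mirror's location title is prefixed with the vhost — would make the role data self-explanatory.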
@@ -0,0 +1,56 @@ +# profiles::edgecache::selinux +class profiles::edgecache::selinux { + + include profiles::edgecache::params + + $data_root = $profiles::edgecache::params::data_root + + if $::facts['os']['selinux']['config_mode'] == 'enforcing' { + + # set httpd_sys_content_t to all files under the www_root + selinux::fcontext { "${data_root}/pub": + ensure => 'present', + seltype => 'httpd_sys_content_t', + pathspec => "${data_root}/pub(/.*)?", + } + + # set httpd_sys_rw_content_t to all files under the cache_root + selinux::fcontext { "${data_root}/cache": + ensure => 'present', + seltype => 'httpd_sys_rw_content_t', + pathspec => "${data_root}/cache(/.*)?", + } + selinux::fcontext { "${data_root}/cache_tmp": + ensure => 'present', + seltype => 'httpd_sys_rw_content_t', + pathspec => "${data_root}/cache_tmp(/.*)?", + } + + # make sure we can connect to other hosts + selboolean { 'httpd_can_network_connect': + persistent => true, + value => 'on', + } + + exec { "restorecon_${data_root}/pub": + path => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'], + command => "restorecon -Rv ${data_root}/pub", + refreshonly => true, + subscribe => Selinux::Fcontext["${data_root}/pub"], + } + + exec { "restorecon_${data_root}/cache": + path => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'], + command => "restorecon -Rv ${data_root}/cache", + refreshonly => true, + subscribe => Selinux::Fcontext["${data_root}/cache"], + } + + exec { "restorecon_${data_root}/cache_tmp": + path => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'], + command => "restorecon -Rv ${data_root}/cache_tmp", + refreshonly => true, + subscribe => Selinux::Fcontext["${data_root}/cache_tmp"], + } + } +} diff --git a/site/roles/manifests/infra/storage/edgecache.pp b/site/roles/manifests/infra/storage/edgecache.pp new file mode 100644 index 0000000..4ed8bf7 --- /dev/null +++ b/site/roles/manifests/infra/storage/edgecache.pp 
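Review bot: `httpd_can_network_connect` lets the nginx (httpd_t) domain open a TCP connection to any host and port, which is wider than this reverse proxy needs; the upstreams declared in the role data are plain HTTP mirrors, and `httpd_can_network_relay` permits exactly the http/https/proxy ports a relay uses. Swap the boolean (`selboolean { 'httpd_can_network_relay': ... }`) unless nginx here must also reach non-HTTP services, and say which in the comment. The three identical fcontext + restorecon pairs could be one `each` over a `{ path => seltype }` hash so the paths live in one place if the `data_root` layout changes.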
@@ -0,0 +1,7 @@ +# a role to deploy an edgecache +class roles::infra::storage::edgecache { + include profiles::defaults + include profiles::base + include profiles::base::datavol + include profiles::edgecache::init +} From cb54cd2dba2e7352ffd2a3bcad96839979edceeb Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sat, 11 May 2024 21:47:14 +1000 Subject: [PATCH 187/229] feat: add edgecache prepared_query - add edgecache as a prepared_query in consul --- hieradata/roles/infra/storage/consul.yaml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/hieradata/roles/infra/storage/consul.yaml b/hieradata/roles/infra/storage/consul.yaml index 08819e8..036e177 100644 --- a/hieradata/roles/infra/storage/consul.yaml +++ b/hieradata/roles/infra/storage/consul.yaml @@ -53,3 +53,9 @@ profiles::consul::prepared_query::rules: service_failover_n: 3 service_only_passing: true ttl: 10 + edgecache: + ensure: 'present' + service_name: 'edgecache' + service_failover_n: 3 + service_only_passing: true + ttl: 10 From 3e233ea6883224604d8b02226be1c43b50cd13eb Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sat, 11 May 2024 21:50:02 +1000 Subject: [PATCH 188/229] feat: change cobbler master - promote ausyd1nxvm1017 --- ...n48.main.unkin.net.yaml => aysyd1nxvm1017.main.unkin.net.yaml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename hieradata/nodes/{prodinf01n48.main.unkin.net.yaml => aysyd1nxvm1017.main.unkin.net.yaml} (100%) diff --git a/hieradata/nodes/prodinf01n48.main.unkin.net.yaml b/hieradata/nodes/aysyd1nxvm1017.main.unkin.net.yaml similarity index 100% rename from hieradata/nodes/prodinf01n48.main.unkin.net.yaml rename to hieradata/nodes/aysyd1nxvm1017.main.unkin.net.yaml From dca99d27163a39b87def6177c18e9c33caf4d136 Mon Sep 17 00:00:00 2001 
From: Ben Vincent Date: Sat, 11 May 2024 22:05:21 +1000 Subject: [PATCH 189/229] chore: move pxeboot to syd1 cobbler - update nameservers for syd1 to use local dns resolvers - update pxeserver to au-syd1 cobbler --- hieradata/roles/infra/dhcp/server.yaml | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/hieradata/roles/infra/dhcp/server.yaml b/hieradata/roles/infra/dhcp/server.yaml index ca98e40..a186d6c 100644 --- a/hieradata/roles/infra/dhcp/server.yaml +++ b/hieradata/roles/infra/dhcp/server.yaml @@ -16,10 +16,10 @@ profiles::dhcp::server::pools: - '198.18.15.200 198.18.15.220' gateway: 198.18.15.254 nameservers: - - 198.18.17.7 - - 198.18.17.8 + - 198.18.13.12 + - 198.18.13.13 domain_name: main.unkin.net - pxeserver: 198.18.17.48 + pxeserver: 198.18.13.27 syd1-test: network: 198.18.16.0 mask: 255.255.255.0 @@ -27,10 +27,10 @@ profiles::dhcp::server::pools: - '198.18.16.200 198.18.16.220' gateway: 198.18.16.254 nameservers: - - 198.18.17.7 - - 198.18.17.8 + - 198.18.13.12 + - 198.18.13.13 domain_name: main.unkin.net - pxeserver: 198.18.17.48 + pxeserver: 198.18.13.27 syd1-prod1: network: 198.18.13.0 mask: 255.255.255.0 @@ -38,10 +38,10 @@ profiles::dhcp::server::pools: - '198.18.13.200 198.18.13.220' gateway: 198.18.13.254 nameservers: - - 198.18.17.7 - - 198.18.17.8 + - 198.18.13.12 + - 198.18.13.13 domain_name: main.unkin.net - pxeserver: 198.18.17.48 + pxeserver: 198.18.13.27 syd1-prod2: network: 198.18.14.0 mask: 255.255.255.0 @@ -49,10 +49,10 @@ profiles::dhcp::server::pools: - '198.18.14.200 198.18.14.220' gateway: 198.18.14.254 nameservers: - - 198.18.17.7 - - 198.18.17.8 + - 198.18.13.12 + - 198.18.13.13 domain_name: main.unkin.net - pxeserver: 198.18.17.48 + pxeserver: 198.18.13.27 drw1-prod: network: 198.18.17.0 mask: 255.255.255.0 
@@ -63,7 +63,7 @@ profiles::dhcp::server::pools: - 198.18.17.7 - 198.18.17.8 domain_name: main.unkin.net - pxeserver: 198.18.17.48 + pxeserver: 198.18.13.27 # UFI 64-bit profiles::dhcp::server::classes: From 4a1848db38e0def0f841d3e93e534bc61b58b00d Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sat, 11 May 2024 23:09:30 +1000 Subject: [PATCH 190/229] fix: cobbler host - fixed name of cobbler host in yaml --- ...017.main.unkin.net.yaml => ausyd1nxvm1017.main.unkin.net.yaml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename hieradata/nodes/{aysyd1nxvm1017.main.unkin.net.yaml => ausyd1nxvm1017.main.unkin.net.yaml} (100%) diff --git a/hieradata/nodes/aysyd1nxvm1017.main.unkin.net.yaml b/hieradata/nodes/ausyd1nxvm1017.main.unkin.net.yaml similarity index 100% rename from hieradata/nodes/aysyd1nxvm1017.main.unkin.net.yaml rename to hieradata/nodes/ausyd1nxvm1017.main.unkin.net.yaml From bed0ef3c79ebef7c3a7a49f28512527d3799e9dd Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sun, 12 May 2024 15:02:04 +1000 Subject: [PATCH 191/229] feat: improve first run on el8 - change defaults for yumrepo resources --- site/profiles/manifests/defaults.pp | 11 +++++++++-- site/profiles/manifests/yum/global.pp | 14 +++++++------- 2 files changed, 16 insertions(+), 9 deletions(-) diff --git a/site/profiles/manifests/defaults.pp b/site/profiles/manifests/defaults.pp index 1db27c8..c0b94a8 100644 --- a/site/profiles/manifests/defaults.pp +++ b/site/profiles/manifests/defaults.pp @@ -8,7 +8,9 @@ class profiles::defaults { } Package { - ensure => present, + ensure => present, + require => Class['profiles::base::repos'] + } File { @@ -29,6 +31,11 @@ class profiles::defaults { } Yumrepo { - require => Class['profiles::pki::vaultca'], + ensure => 'present', + enabled => 1, + gpgcheck => 1, + mirrorlist => 'absent', + require => Class['profiles::pki::vaultca'], + notify => Exec['dnf_makecache'], } } 
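Review bot: The `drw1-prod` pool (198.18.17.0/24) keeps its local nameservers 198.18.17.7/8 but its `pxeserver` now points at 198.18.13.27 in the syd1 range, so every PXE boot in drw1 fetches its bootloader, kernel and initrd over TFTP across the inter-site link — TFTP carries no integrity protection, so the boot chain is only as trustworthy as that path. If this is transitional while a drw1 cobbler is rebuilt, say so in the data: `# TODO: drw1 boots from the syd1 cobbler until a regional pxeserver is restored`. Otherwise a per-site `pxeserver` keeps boot traffic local; the preceding hunks make the same switch for the syd1 pools, which at least stay within the site.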
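Review bot: Turning `notify => Exec['dnf_makecache']` and `require => Class['profiles::base::repos']` into resource defaults couples every `Yumrepo` and every `Package` in any catalog that includes `profiles::defaults` to resources declared elsewhere: a catalog without `profiles::yum::global` fails on the missing `Exec[dnf_makecache]`, and any package declared inside `profiles::base::repos` (or a class it depends on) now requires the class that contains it, which is a dependency cycle. `gpgcheck => 1`, `enabled => 1` and `mirrorlist => 'absent'` are sensible global defaults; keep the `notify` and the `Package` requirement local to the classes that own those resources, e.g. `Yumrepo <| |> ~> Exec['dnf_makecache']` inside profiles::yum::global next to the exec itself.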
diff --git a/site/profiles/manifests/yum/global.pp b/site/profiles/manifests/yum/global.pp index 2296b7f..44c393c 100644 --- a/site/profiles/manifests/yum/global.pp +++ b/site/profiles/manifests/yum/global.pp @@ -52,13 +52,6 @@ class profiles::yum::global ( }, } - Yumrepo { - ensure => 'present', - enabled => 1, - gpgcheck => 1, - mirrorlist => 'absent', - } - resources { 'yumrepo': purge => $purge, } @@ -102,6 +95,13 @@ class profiles::yum::global ( require => Class['profiles::pki::vaultca'], } + # makecache if changes made to repos + exec {'dnf_makecache': + command => 'dnf makecache -q', + path => ['/usr/bin', '/bin'], + refreshonly => true, + } + # setup dnf-autoupdate include profiles::yum::autoupdater From 2aa5ead9d1917f2d5235b5b3ed8e7bb9a697f7df Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sun, 12 May 2024 15:21:34 +1000 Subject: [PATCH 192/229] feat: prepare syd1 mariadb cluster - update role to wait for enc_role - move hiera data to country/region/role specific location --- hieradata/country/au/region/syd1/infra/sql/galera.yaml | 4 ++++ hieradata/roles/infra/sql/galera.yaml | 3 --- site/profiles/manifests/sql/galera_member.pp | 3 ++- site/roles/manifests/infra/sql/galera.pp | 5 ++++- 4 files changed, 10 insertions(+), 5 deletions(-) create mode 100644 hieradata/country/au/region/syd1/infra/sql/galera.yaml diff --git a/hieradata/country/au/region/syd1/infra/sql/galera.yaml b/hieradata/country/au/region/syd1/infra/sql/galera.yaml new file mode 100644 index 0000000..9c4119c --- /dev/null +++ b/hieradata/country/au/region/syd1/infra/sql/galera.yaml @@ -0,0 +1,4 @@ +--- +profiles::sql::galera_member::cluster_name: au-syd1 +profiles::sql::galera_member::galera_master: ausyd1nxvm1027.main.unkin.net +profiles::sql::galera_member::innodb_buffer_pool_size: 256M diff --git a/hieradata/roles/infra/sql/galera.yaml b/hieradata/roles/infra/sql/galera.yaml index f6965e6..28f9034 100644 --- a/hieradata/roles/infra/sql/galera.yaml 
+++ b/hieradata/roles/infra/sql/galera.yaml @@ -1,11 +1,8 @@ --- -profiles::sql::galera_member::cluster_name: galera01 -profiles::sql::galera_member::galera_master: prodinf01n29.main.unkin.net profiles::sql::galera_member::configure_firewall: false profiles::sql::galera_member::wsrep_sst_method: rsync profiles::sql::galera_member::galera_members_lookup: true profiles::sql::galera_member::galera_members_role: roles::infra::sql::galera profiles::sql::galera_member::datadir: /data/mariadb -profiles::sql::galera_member::innodb_buffer_pool_size: 256M profiles::sql::galera_member::innodb_file_per_table: 1 profiles::sql::galera_member::package_name: mariadb-galera-server diff --git a/site/profiles/manifests/sql/galera_member.pp b/site/profiles/manifests/sql/galera_member.pp index 66f189c..a55d5fd 100644 --- a/site/profiles/manifests/sql/galera_member.pp +++ b/site/profiles/manifests/sql/galera_member.pp @@ -47,7 +47,7 @@ class profiles::sql::galera_member ( } # if it is, find hosts, sort them so they dont cause changes every run - $servers_array = sort(query_nodes("enc_role='${galera_members_role}'", 'networking.fqdn')) + $servers_array = sort(query_nodes("enc_role='${galera_members_role}' and region='${facts['region']}'", 'networking.fqdn')) # else use provided array from params }else{ @@ -211,4 +211,5 @@ class profiles::sql::galera_member ( }else{ notice("${title} requires the servers_array to have 3 or more, currently it is ${length($servers_array)}.") } + } diff --git a/site/roles/manifests/infra/sql/galera.pp b/site/roles/manifests/infra/sql/galera.pp index a116c8c..207aed6 100644 --- a/site/roles/manifests/infra/sql/galera.pp +++ b/site/roles/manifests/infra/sql/galera.pp @@ -3,5 +3,8 @@ class roles::infra::sql::galera { include profiles::defaults include profiles::base include profiles::base::datavol - include profiles::sql::galera_member + + if $facts['enc_role'] == 'roles::infra::sql::galera' { + include profiles::sql::galera_member + } } 
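Review bot: The PQL string `"enc_role='${galera_members_role}' and region='${facts['region']}'"` now selects cluster peers by a value whose provenance is not shown: if `region` is an agent-reported fact rather than one set by the ENC or a trusted external fact, a node able to change its own facts can put itself into every member's `wsrep_cluster_address`. Joining still requires the cluster name and SST access, so this narrows rather than breaks security, but a comment stating where `region` comes from and why it is trusted belongs next to the query. Also consider the empty case: when `$facts['region']` is undef the query becomes `region=''`, silently returns no peers, and only the existing "requires 3 or more" notice reports it — a `fail()` or explicit notice for a missing region would be clearer. The enclosing class starts and ends outside the hunk.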
From 5774ebd614fd3daa3de761a382e2390959fbca13 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sun, 12 May 2024 16:24:53 +1000 Subject: [PATCH 193/229] feat: manage pgsql settings for puppetdb - deep merge postgresql_config_entries in common.yaml - add postgresql_config_entries into a new hieradata/roles/infra/puppetdb/sql.yaml - set puppetdb role to import the options --- hieradata/common.yaml | 3 +++ hieradata/roles/infra/puppetdb/sql.yaml | 4 ++++ site/profiles/manifests/puppet/puppetdb_sql.pp | 8 ++++++++ 3 files changed, 15 insertions(+) create mode 100644 hieradata/roles/infra/puppetdb/sql.yaml diff --git a/hieradata/common.yaml b/hieradata/common.yaml index dcc73a2..096a830 100644 --- a/hieradata/common.yaml +++ b/hieradata/common.yaml @@ -96,6 +96,9 @@ lookup_options: profiles::base::hosts::additional_hosts: merge: strategy: deep + postgresql_config_entries: + merge: + strategy: deep facts_path: '/opt/puppetlabs/facter/facts.d' diff --git a/hieradata/roles/infra/puppetdb/sql.yaml b/hieradata/roles/infra/puppetdb/sql.yaml new file mode 100644 index 0000000..0d6409a --- /dev/null +++ b/hieradata/roles/infra/puppetdb/sql.yaml @@ -0,0 +1,4 @@ +--- +postgresql_config_entries: + max_connections: 300 + shared_buffers: '256MB' diff --git a/site/profiles/manifests/puppet/puppetdb_sql.pp b/site/profiles/manifests/puppet/puppetdb_sql.pp index 2d80d30..5afa9a5 100644 --- a/site/profiles/manifests/puppet/puppetdb_sql.pp +++ b/site/profiles/manifests/puppet/puppetdb_sql.pp @@ -24,4 +24,12 @@ class profiles::puppet::puppetdb_sql ( contain ::puppetdb::database::postgresql + # create the postgresql::server::config_entry resources + $pg_config_entries = lookup('postgresql_config_entries', Hash[String, Data], 'hash', {}) + $pg_config_entries.each |String $key, Data $value| { + postgresql::server::config_entry { $key: + ensure => 'present', + value => $value, + } + } } From 81e4dffa36741a95e9e55d1ff0cde0bc46e2b671 Mon Sep 17 00:00:00 2001 
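Review bot: `lookup('postgresql_config_entries', Hash[String, Data], 'hash', {})` passes an explicit merge strategy, and as far as Puppet's lookup precedence goes an explicit merge argument wins over `lookup_options`, so the `strategy: deep` added to common.yaml in the same commit has no effect on this call; for a flat `key: value` hash the result is identical today, but the two declarations will diverge silently the first time someone nests a value. Drop the third argument (`lookup('postgresql_config_entries', Hash[String, Data], undef, {})`) so the data-side `lookup_options` governs, or remove the `lookup_options` entry and keep the strategy in code — not both. The class `profiles::puppet::puppetdb_sql` starts outside the hunk.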
From: Ben Vincent Date: Sun, 12 May 2024 19:56:46 +1000 Subject: [PATCH 194/229] feat: mariadb improvements - add bind-address to local_ip - add consul service --- hieradata/roles/infra/sql/galera.yaml | 19 +++++++++++++++++++ site/profiles/manifests/sql/galera_member.pp | 3 ++- 2 files changed, 21 insertions(+), 1 deletion(-) diff --git a/hieradata/roles/infra/sql/galera.yaml b/hieradata/roles/infra/sql/galera.yaml index 28f9034..64df7d9 100644 --- a/hieradata/roles/infra/sql/galera.yaml +++ b/hieradata/roles/infra/sql/galera.yaml @@ -6,3 +6,22 @@ profiles::sql::galera_member::galera_members_role: roles::infra::sql::galera profiles::sql::galera_member::datadir: /data/mariadb profiles::sql::galera_member::innodb_file_per_table: 1 profiles::sql::galera_member::package_name: mariadb-galera-server + +consul::services: + puppet: + service_name: "mariadb-%{lookup('profiles::sql::galera_member::cluster_name')}" + tags: + - 'database' + - 'mariadb' + address: "%{facts.networking.ip}" + port: 3306 + checks: + - id: 'mariadb_tcp_check' + name: 'MariaDB TCP Check' + tcp: "%{facts.networking.ip}:3306" + interval: '10s' + timeout: '1s' +profiles::consul::client::node_rules: + - resource: service + segment: "mariadb-%{lookup('profiles::sql::galera_member::cluster_name')}" + disposition: write diff --git a/site/profiles/manifests/sql/galera_member.pp b/site/profiles/manifests/sql/galera_member.pp index a55d5fd..24fab57 100644 --- a/site/profiles/manifests/sql/galera_member.pp +++ b/site/profiles/manifests/sql/galera_member.pp @@ -103,7 +103,8 @@ class profiles::sql::galera_member ( 'binlog_format' => 'ROW', 'default-storage-engine' => 'innodb', 'query_cache_size' => '0', - 'query_cache_type' => '0' + 'query_cache_type' => '0', + 'bind-address' => $local_ip, } } $default_override_options_galera = { From 8f4799ce2a6f2a47b180f29a223a1072b2ccc079 Mon Sep 17 00:00:00 2001 
From: Ben Vincent Date: Sun, 19 May 2024 14:51:37 +1000 Subject: [PATCH 195/229] feat: update consul service service - change edgecache service name from puppet -> edgecache --- hieradata/roles/infra/storage/edgecache.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hieradata/roles/infra/storage/edgecache.yaml b/hieradata/roles/infra/storage/edgecache.yaml index af26945..67e6b28 100644 --- a/hieradata/roles/infra/storage/edgecache.yaml +++ b/hieradata/roles/infra/storage/edgecache.yaml @@ -1,6 +1,6 @@ --- consul::services: - puppet: + edgecache: service_name: 'edgecache' tags: - 'cache' From 96407798460b67937148f1be3028b11db2d6915e Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sun, 12 May 2024 19:56:46 +1000 Subject: [PATCH 196/229] feat: mariadb improvements - add bind-address to local_ip - add consul service --- hieradata/roles/infra/sql/galera.yaml | 19 +++++++++++++++++++ site/profiles/manifests/sql/galera_member.pp | 3 ++- 2 files changed, 21 insertions(+), 1 deletion(-) diff --git a/hieradata/roles/infra/sql/galera.yaml b/hieradata/roles/infra/sql/galera.yaml index 28f9034..084072a 100644 --- a/hieradata/roles/infra/sql/galera.yaml +++ b/hieradata/roles/infra/sql/galera.yaml @@ -6,3 +6,22 @@ profiles::sql::galera_member::galera_members_role: roles::infra::sql::galera profiles::sql::galera_member::datadir: /data/mariadb profiles::sql::galera_member::innodb_file_per_table: 1 profiles::sql::galera_member::package_name: mariadb-galera-server + +consul::services: + mariadb: + service_name: "mariadb-%{facts.environment}" + tags: + - 'database' + - 'mariadb' + address: "%{facts.networking.ip}" + port: 3306 + checks: + - id: 'mariadb_tcp_check' + name: 'MariaDB TCP Check' + tcp: "%{facts.networking.ip}:3306" + interval: '10s' + timeout: '1s' +profiles::consul::client::node_rules: + - resource: service + segment: "mariadb-%{facts.environment}" + disposition: write 
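Review bot: `mariadb_tcp_check` only asserts that port 3306 accepts a connection, so a Galera node that is still joining, acting as SST donor, or sitting in a non-Primary component would presumably still pass and stay in the `mariadb-%{facts.environment}` DNS answer while refusing writes or serving stale reads. A script or HTTP check that inspects `wsrep_local_state` (the usual clustercheck approach) would drop such members from service discovery. Separately, `environment` is not a core Facter fact; unless it is supplied as an external fact under `facts_path`, the interpolation is empty and both `service_name` and the `node_rules` segment collapse to `mariadb-`, merging every environment's cluster under one name and one ACL rule.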
diff --git a/site/profiles/manifests/sql/galera_member.pp b/site/profiles/manifests/sql/galera_member.pp index a55d5fd..24fab57 100644 --- a/site/profiles/manifests/sql/galera_member.pp +++ b/site/profiles/manifests/sql/galera_member.pp @@ -103,7 +103,8 @@ class profiles::sql::galera_member ( 'binlog_format' => 'ROW', 'default-storage-engine' => 'innodb', 'query_cache_size' => '0', - 'query_cache_type' => '0' + 'query_cache_type' => '0', + 'bind-address' => $local_ip, } } $default_override_options_galera = { From 6f9a606549914727d4881bda80f6f9cf51842b5b Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sun, 19 May 2024 16:19:23 +1000 Subject: [PATCH 197/229] feat: configure edgecache for postgresql - add fact to record system resolvers - add resolvers feature in /etc/nginx/conf.d/resolvers.conf - add rewrite rules for postgres/yum/repodata --- hieradata/roles/infra/storage/edgecache.yaml | 31 ++++++++++++++++++++ modules/libs/lib/facter/nameservers.rb | 9 ++++++ site/profiles/manifests/edgecache/nginx.pp | 12 +++++++- site/profiles/manifests/edgecache/params.pp | 2 ++ 4 files changed, 53 insertions(+), 1 deletion(-) create mode 100644 modules/libs/lib/facter/nameservers.rb diff --git a/hieradata/roles/infra/storage/edgecache.yaml b/hieradata/roles/infra/storage/edgecache.yaml index 67e6b28..40b0146 100644 --- a/hieradata/roles/infra/storage/edgecache.yaml +++ b/hieradata/roles/infra/storage/edgecache.yaml @@ -25,6 +25,8 @@ profiles::pki::vault::alt_names: - edgecache.service.consul - edgecache.query.consul +profiles::edgecache::params::nginx_resolvers_enable: true +profiles::edgecache::params::nginx_resolvers_ipv4only: true profiles::edgecache::params::nginx_listen_mode: both profiles::edgecache::params::nginx_cert_type: vault profiles::edgecache::params::nginx_aliases: 
@@ -36,6 +38,9 @@ profiles::edgecache::params::directories: /data/edgecache/pub/almalinux: { owner: nginx, group: nginx } /data/edgecache/pub/debian: { owner: nginx, group: nginx } /data/edgecache/pub/epel: { owner: nginx, group: nginx } + /data/edgecache/pub/postgres: { owner: nginx, group: nginx } + /data/edgecache/pub/postgres/apt: { owner: nginx, group: nginx } + /data/edgecache/pub/postgres/yum: { owner: nginx, group: nginx } profiles::edgecache::params::mirrors: debian: @@ -74,3 +79,29 @@ profiles::edgecache::params::mirrors: proxy_cache_valid: - '200 302 1440h' - '404 1m' + postgres_yum_repodata: + ensure: present + location: '~* ^/postgres/yum/.*/repodata/' + rewrite_rules: + - '^/postgres/yum/(.*)$ /pub/repos/yum/$1 break' + proxy: https://download.postgresql.org + postgres_yum_data: + ensure: present + location: /postgres/yum + proxy: https://download.postgresql.org/pub/repos/yum + proxy_cache: cache + proxy_cache_valid: + - '200 302 1440h' + - '404 1m' + postgres_apt: + ensure: present + location: /postgres/apt + proxy: https://download.postgresql.org/pub/repos/apt + postgres_apt_pool: + ensure: present + location: /postgres/apt/pool + proxy: https://download.postgresql.org/pub/repos/apt/pool + proxy_cache: cache + proxy_cache_valid: + - '200 302 1440h' + - '404 1m' diff --git a/modules/libs/lib/facter/nameservers.rb b/modules/libs/lib/facter/nameservers.rb new file mode 100644 index 0000000..8ece095 --- /dev/null +++ b/modules/libs/lib/facter/nameservers.rb @@ -0,0 +1,9 @@ +# frozen_string_literal: true + +Facter.add(:nameservers) do + confine kernel: 'Linux' + setcode do + nameservers = File.readlines('/etc/resolv.conf').grep(/^nameserver\s+(\S+)/) { Regexp.last_match(1) } + nameservers + end +end diff --git a/site/profiles/manifests/edgecache/nginx.pp b/site/profiles/manifests/edgecache/nginx.pp index 6849e22..30e2c69 100644 --- a/site/profiles/manifests/edgecache/nginx.pp +++ b/site/profiles/manifests/edgecache/nginx.pp 
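Review bot: `File.readlines('/etc/resolv.conf')` raises `Errno::ENOENT` when the file is absent (minimal containers, some resolver setups); Facter logs the error and leaves the fact unresolved, and the consumer in `profiles::edgecache::nginx` then calls `.join` on an undefined value and fails catalog compilation. Guard the resolution with a second confine, `confine { File.readable?('/etc/resolv.conf') }`, and anchor the pattern with `\A` rather than the per-line `^` (`/\Anameserver\s+(\S+)/`). The capture also passes IPv6 entries such as `::1` or `fe80::1%eth0` through unchanged, which nginx's `resolver` directive only accepts in bracketed form; if IPv6 resolvers are possible on these hosts, the consumer needs to bracket or filter them.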
@@ -10,6 +10,8 @@ class profiles::edgecache::nginx { $nginx_ssl_port = $profiles::edgecache::params::nginx_ssl_port $nginx_listen_mode = $profiles::edgecache::params::nginx_listen_mode $nginx_cert_type = $profiles::edgecache::params::nginx_cert_type + $nginx_resolvers_enable = $profiles::edgecache::params::nginx_resolvers_enable + $nginx_resolvers_ipv4only = $profiles::edgecache::params::nginx_resolvers_ipv4only # select the certificates to use based on cert type case $nginx_cert_type { @@ -61,13 +63,21 @@ class profiles::edgecache::nginx { } } + if $nginx_resolvers_ipv4only and $nginx_resolvers_enable { + $resolvers = $facts['nameservers'].join(' ') + file { '/etc/nginx/conf.d/resolvers.conf': + ensure => file, + content => "resolver ${resolvers} ipv4=on;\n", + } + } + # set the server_names $server_names = unique([$facts['networking']['fqdn'], $nginx_vhost] + $nginx_aliases) # define the default parameters for the nginx server $defaults = { 'listen_port' => $listen_port, - 'server_name' => $server_names, + 'server_name' => $server_names, 'use_default_location' => true, 'access_log' => "/var/log/nginx/${nginx_vhost}_access.log", 'error_log' => "/var/log/nginx/${nginx_vhost}_error.log", diff --git a/site/profiles/manifests/edgecache/params.pp b/site/profiles/manifests/edgecache/params.pp index 0250e22..0766ea7 100644 --- a/site/profiles/manifests/edgecache/params.pp +++ b/site/profiles/manifests/edgecache/params.pp @@ -7,6 +7,8 @@ class profiles::edgecache::params ( Stdlib::Port $nginx_ssl_port = 443, Enum['http','https','both'] $nginx_listen_mode = 'http', Enum['puppet', 'vault'] $nginx_cert_type = 'vault', + Boolean $nginx_resolvers_enable = false, + Boolean $nginx_resolvers_ipv4only = false, Hash $directories = {}, Hash $mirrors = {}, ){ From 150d5b97a9a668b89f55ec404867b60fd789e5ea Mon Sep 17 00:00:00 2001 
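Review bot: `$nginx_resolvers_enable` has no effect on its own: the guard `if $nginx_resolvers_ipv4only and $nginx_resolvers_enable` writes resolvers.conf only when both flags are true, so `enable => true, ipv4only => false` silently produces no resolver at all. The `ipv4=on` parameter is also nginx's default rather than a restriction (the knob that excludes IPv6 answers is `ipv6=off`), and older nginx releases reject `ipv4=on` as an unknown parameter. Finally, `$facts['nameservers']` is self-reported by the agent and is interpolated verbatim into a root-owned nginx config; validating it as IP literals with `Stdlib::IP::Address` (the params class already uses `Stdlib::Port`) closes that off and turns an unresolved fact into a clear compile error instead of a failure in `.join`. The enclosing class `profiles::edgecache::nginx` starts and ends outside the hunk.
```puppet
  if $nginx_resolvers_enable {
    # facts are node-supplied: accept only IP literals before writing them into nginx config
    $resolvers = assert_type(Array[Stdlib::IP::Address, 1], $facts['nameservers']).join(' ')
    # nginx excludes IPv6 answers with ipv6=off; ipv4=on is the default and not parsed by older releases
    $resolver_flags = $nginx_resolvers_ipv4only ? { true => ' ipv6=off', default => '' }
    file { '/etc/nginx/conf.d/resolvers.conf':
      ensure  => file,
      content => "resolver ${resolvers}${resolver_flags};\n",
    }
  }
```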
From: Ben Vincent Date: Sun, 19 May 2024 17:23:00 +1000 Subject: [PATCH 198/229] feat: cleanup excessive comments --- site/profiles/manifests/yum/base.pp | 26 ----------------- site/profiles/manifests/yum/epel.pp | 23 --------------- site/profiles/manifests/yum/global.pp | 39 +------------------------- site/profiles/manifests/yum/puppet7.pp | 27 ------------------ 4 files changed, 1 insertion(+), 114 deletions(-) diff --git a/site/profiles/manifests/yum/base.pp b/site/profiles/manifests/yum/base.pp index df86cd0..47eb2b9 100644 --- a/site/profiles/manifests/yum/base.pp +++ b/site/profiles/manifests/yum/base.pp @@ -2,32 +2,6 @@ # # This class manages the 'base', extras' and 'appstream' yum # repositories for a system, based on the provided list of managed repositories. -# -# Parameters: -# ----------- -# - $managed_repos: An array containing the names of the repositories to be -# managed. This can include 'base', 'extras', -# and 'appstream'. -# -# - $baseurl: The base URL for the yum repositories. This should be the root -# URL of your yum mirror server. -# -# Actions: -# -------- -# - Sets up the 'base', extras', and 'appstream' yum repositories -# as specified in the $managed_repos parameter, all using the provided baseurl. -# -# - Each repo configuration includes the baseurl parameterized with the OS -# release version and architecture, and specifies the GPG key. -# -# Example usage: -# -------------- -# To use this class with the default parameters: -# class { 'profiles::yum::base': -# managed_repos => ['base', 'extras', 'appstream'], -# baseurl => 'http://mylocalmirror.com/yum', -# } -# class profiles::yum::base ( Array[String] $managed_repos, String $baseurl, diff --git a/site/profiles/manifests/yum/epel.pp b/site/profiles/manifests/yum/epel.pp index 575e099..b6c9f43 100644 --- a/site/profiles/manifests/yum/epel.pp +++ b/site/profiles/manifests/yum/epel.pp 
@@ -1,29 +1,6 @@ # Class: profiles::yum::epel # # This class manages the EPEL yum repository for the system. -# -# Parameters: -# ----------- -# - $baseurl: The base URL for the EPEL yum repository. This should be the root -# URL of your EPEL mirror server. -# -# Actions: -# -------- -# - Checks the OS release version. -# -# - If the release version is 7, 8, or 9, it sets up the 'epel' yum repository -# -# - If the release version is not supported, it raises an error. -# -# Example usage: -# -------------- -# To use this class with the default parameters: -# include profiles::yum::epel -# -# To specify a custom base URL: -# class { 'profiles::yum::epel': -# baseurl => 'http://mylocalmirror.com/yum', -# } class profiles::yum::epel ( Array[String] $managed_repos, String $baseurl, diff --git a/site/profiles/manifests/yum/global.pp b/site/profiles/manifests/yum/global.pp index 44c393c..6aaf807 100644 --- a/site/profiles/manifests/yum/global.pp +++ b/site/profiles/manifests/yum/global.pp 
@@ -1,45 +1,8 @@ # Class: profiles::yum::global # # This class manages global YUM configurations and optionally includes the -# base and EPEL yum repository profiles based on the content of the +# base and EPEL yum repository profiles based on the content of the # $managed_repos parameter, which is an array of repository names. -# -# Parameters: -# ----------- -# - $managed_repos: An array of repository names that the Puppet agent should -# manage. This parameter is mandatory and the class will -# fail if it is not provided via hieradata. -# Example: ['base', 'updates', 'extras', 'appstream'] -# -# Actions: -# -------- -# - Configures global YUM settings, including keeping the kernel development -# packages and cleaning old kernels. -# -# - Establishes default parameters for any YUM repositories managed by Puppet. -# This includes the repository file location, the repository description, -# and enabling the repository and GPG checks. -# -# - Depending on the content of the $managed_repos parameter, it includes the -# profiles::yum::base and/or profiles::yum::epel classes. -# -# - Manages all .repo files under /etc/yum.repos.d. All the repositories listed -# in $managed_repos will have their corresponding .repo files preserved. Any -# .repo file that is not listed in $managed_repos will be removed. -# -# - Creates and maintains a /etc/yum.repos.d/.managed file that lists all the -# .repo files that should be managed by Puppet. -# -# Example usage: -# -------------- -# To use this class, include the class and configure hieradata: -# include profiles::yum::global -# -# profiles::yum::managed_repos: -# - 'base' -# - 'extras' -# - 'appstream' -# class profiles::yum::global ( Array[String] $managed_repos, Boolean $purge = true, diff --git a/site/profiles/manifests/yum/puppet7.pp b/site/profiles/manifests/yum/puppet7.pp index 1d6c802..ffcbbf4 100644 --- a/site/profiles/manifests/yum/puppet7.pp +++ b/site/profiles/manifests/yum/puppet7.pp 
@@ -1,33 +1,6 @@ # Class: profiles::yum::epel # # This class manages the puppet7 yum repository for the system. -# -# Parameters: -# ----------- -# - $baseurl: The base URL for the puppet7 yum repository. This should be the root -# URL of your puppet7 mirror server. -# -# Actions: -# -------- -# - Checks the OS release version. -# -# - If the release version is 7, 8, or 9, it sets up the 'puppet7' yum repository -# and installs the puppet7 release RPM from the provided baseurl. -# -# - If the release version is not supported, it raises an error. -# -# - The repo configuration includes the baseurl parameterized with the OS -# release version and architecture, and specifies the GPG key. -# -# Example usage: -# -------------- -# To use this class with the default parameters: -# include profiles::yum::puppet7 -# -# To specify a custom base URL: -# class { 'profiles::yum::puppet7': -# baseurl => 'http://mylocalmirror.com/yum', -# } class profiles::yum::puppet7 ( Array[String] $managed_repos, String $baseurl = 'http://repos.main.unkin.net/puppet7', From da2e98ed4d54d9c459ccea99b225e4a7ef6d0a5e Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sun, 19 May 2024 18:53:48 +1000 Subject: [PATCH 199/229] feat: add centos mirror to edgecache - add centos repo to edgecache --- hieradata/roles/infra/storage/edgecache.yaml | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/hieradata/roles/infra/storage/edgecache.yaml b/hieradata/roles/infra/storage/edgecache.yaml index 67e6b28..5af178a 100644 --- a/hieradata/roles/infra/storage/edgecache.yaml +++ b/hieradata/roles/infra/storage/edgecache.yaml 
@@ -33,6 +33,7 @@ profiles::edgecache::params::nginx_aliases: profiles::edgecache::params::directories: /data/edgecache: { owner: root, group: root } /data/edgecache/pub: { owner: nginx, group: nginx } + /data/edgecache/pub/centos: { owner: nginx, group: nginx } /data/edgecache/pub/almalinux: { owner: nginx, group: nginx } /data/edgecache/pub/debian: { owner: nginx, group: nginx } /data/edgecache/pub/epel: { owner: nginx, group: nginx } @@ -50,6 +51,18 @@ profiles::edgecache::params::mirrors: proxy_cache_valid: - '200 302 1440h' - '404 1m' + centos_repodata: + ensure: present + location: '~* ^/centos/.*/repodata/' + proxy: http://gsl-syd.mm.fcix.net + centos_data: + ensure: present + location: /centos + proxy: http://gsl-syd.mm.fcix.net + proxy_cache: cache + proxy_cache_valid: + - '200 302 1440h' + - '404 1m' almalinux_repodata: ensure: present location: '~* ^/almalinux/.*/repodata/' From 5f9480f186e3b1dd9fc0fc5009fce40302483c81 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sun, 19 May 2024 17:59:27 +1000 Subject: [PATCH 200/229] feat: direct yumrepo config - deep merge yumrepo resources - convert repos to direct yumrepo in hieradata - change from repos.main.unkin.net to edgecache.query.consul - create all yumrepo resources from $profiles::yum::global::repos --- hieradata/common.yaml | 3 ++ hieradata/os/AlmaLinux/all_releases.yaml | 49 +++++++++++++++++++++++ hieradata/roles/infra/ovirt/engine.yaml | 50 ++++++++++++++++++++++++ hieradata/roles/infra/ovirt/node.yaml | 50 ++++++++++++++++++++++++ site/profiles/manifests/yum/global.pp | 44 ++------------------- 5 files changed, 156 insertions(+), 40 deletions(-) diff --git a/hieradata/common.yaml b/hieradata/common.yaml index 096a830..bfbbd03 100644 --- a/hieradata/common.yaml +++ b/hieradata/common.yaml @@ -99,6 +99,9 @@ lookup_options: postgresql_config_entries: merge: strategy: deep + profiles::yum::global::repos: + merge: + strategy: deep facts_path: '/opt/puppetlabs/facter/facts.d' 
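Review bot: Both `centos_repodata` and `centos_data` proxy to `http://gsl-syd.mm.fcix.net`, so the cache fills itself over plain HTTP while the postgres mirror added earlier in this series uses https. dnf's `gpgcheck` still authenticates the RPM payloads, but the `repodata/` metadata (served here without caching) is unauthenticated unless the clients also set `repo_gpgcheck`, so an on-path party between edgecache and the mirror could pin nodes to stale metadata and hold back security updates. If the mirror offers TLS, switch to `https://`; otherwise record the trade-off in the data, e.g. `# plain-http upstream: RPMs are verified by client gpgcheck, metadata is not`.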
diff --git a/hieradata/os/AlmaLinux/all_releases.yaml b/hieradata/os/AlmaLinux/all_releases.yaml
index 9edbf92..b0016ba 100644
--- a/hieradata/os/AlmaLinux/all_releases.yaml
+++ b/hieradata/os/AlmaLinux/all_releases.yaml
@@ -15,3 +15,52 @@ profiles::packages::install: - policycoreutils lm-sensors::package: lm_sensors + +profiles::yum::global::repos: + baseos: + name: baseos + descr: baseos repository + target: /etc/yum.repos.d/almalinux.repo + baseurl: https://edgecache.query.consul/almalinux/%{facts.os.release.full}/BaseOS/%{facts.os.architecture}/os + gpgkey: http://edgecache.query.consul/almalinux/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major} + extras: + name: extras + descr: extras repository + target: /etc/yum.repos.d/almalinux.repo + baseurl: https://edgecache.query.consul/almalinux/%{facts.os.release.full}/extras/%{facts.os.architecture}/os + gpgkey: http://edgecache.query.consul/almalinux/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major} + appstream: + name: appstream + descr: appstream repository + target: /etc/yum.repos.d/almalinux.repo + baseurl: https://edgecache.query.consul/almalinux/%{facts.os.release.full}/AppStream/%{facts.os.architecture}/os + gpgkey: http://edgecache.query.consul/almalinux/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major} + powertools: + name: powertools + descr: powertools repository + target: /etc/yum.repos.d/almalinux.repo + baseurl: https://edgecache.query.consul/almalinux/%{facts.os.release.full}/PowerTools/%{facts.os.architecture}/os + gpgkey: http://edgecache.query.consul/almalinux/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major} + highavailability: + name: highavailability + descr: highavailability repository + target: /etc/yum.repos.d/almalinux.repo + baseurl: https://edgecache.query.consul/almalinux/%{facts.os.release.full}/HighAvailability/%{facts.os.architecture}/os + gpgkey: http://edgecache.query.consul/almalinux/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major} + epel: + name: epel + descr: epel repository + target: /etc/yum.repos.d/epel.repo + baseurl: https://edgecache.query.consul/epel/%{facts.os.release.major}/Everything/%{facts.os.architecture} + gpgkey: http://edgecache.query.consul/epel/RPM-GPG-KEY-EPEL-%{facts.os.release.major} 
+ puppet: + name: puppet + descr: puppet repository + target: /etc/yum.repos.d/puppet.repo + baseurl: https://yum.puppet.com/puppet7/el/%{facts.os.release.major}/%{facts.os.architecture} + gpgkey: https://yum.puppet.com/RPM-GPG-KEY-puppet-20250406 + unkin: + name: unkin + descr: unkin repository + target: /etc/yum.repos.d/unkin.repo + baseurl: https://repos.main.unkin.net/unkin/%{facts.os.release.major}/%{facts.os.architecture}/os diff --git a/hieradata/roles/infra/ovirt/engine.yaml b/hieradata/roles/infra/ovirt/engine.yaml index 44c4baa..7abde8c 100644 --- a/hieradata/roles/infra/ovirt/engine.yaml +++ b/hieradata/roles/infra/ovirt/engine.yaml 
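Review bot: Every `gpgkey` in the baseos/extras/appstream/powertools/highavailability/epel entries is fetched from `http://edgecache.query.consul/...` while the matching `baseurl` uses `https://`; the GPG key is the trust anchor for everything those repos install, so serving it over plain HTTP lets an on-path attacker hand dnf a substitute key and have their own signed packages accepted. Change the scheme to match, e.g. `gpgkey: https://edgecache.query.consul/almalinux/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}`. The `unkin` entry has no `gpgkey` at all, so depending on the `yum` class defaults it either fails key import or installs unverified packages from `repos.main.unkin.net`; an explicit `gpgcheck` decision in the data would make that intent visible. Also, `powertools` and `highavailability` are now declared for all AlmaLinux releases, although the per-release lists removed in the next patch enabled them only on 8; on 9 those baseurls will presumably not exist, since CRB replaces PowerTools there.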
@@ -8,3 +8,53 @@ profiles::yum::global::managed_repos: - 'opstools-collectd-5' - 'storage-gluster-10' - 'virt-ovirt-45' + +profiles::yum::global::repos: + centos_8_advanced_virtualization: + name: 'virt-advanced-virtualization' + descr: 'CentOS Advanced Virtualization' + target: /etc/yum.repos.d/ovirt.repo + baseurl: https://edgecache.query.consul/centos/8-stream/virt/x86_64/advancedvirt-common + gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Virtualization' + centos_8_ceph_pacific: + name: 'storage-ceph-pacific' + descr: 'CentOS Ceph Pacific' + target: /etc/yum.repos.d/ovirt.repo + baseurl: https://edgecache.query.consul/centos/8-stream/storage/x86_64/ceph-pacific + gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Storage' + centos_8_rabbitmq_38: + name: 'messaging-rabbitmq-38' + descr: 'CentOS RabbitMQ 38' + target: /etc/yum.repos.d/ovirt.repo + baseurl: https://edgecache.query.consul/centos/8-stream/messaging/x86_64/rabbitmq-38 + gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Messaging' + centos_8_nfv_openvswitch: + name: 'nfv-openvswitch-2' + descr: 'CentOS NFV OpenvSwitch' + target: /etc/yum.repos.d/ovirt.repo + baseurl: https://edgecache.query.consul/centos/8-stream/nfv/x86_64/openvswitch-2 + gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-NFV' + centos_8_openstack_xena: + name: 'cloud-openstack-xena' + descr: 'CentOS OpenStack Xena' + target: /etc/yum.repos.d/ovirt.repo + baseurl: https://edgecache.query.consul/centos/8-stream/cloud/x86_64/openstack-xena + gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Cloud' + centos_8_opstools: + name: 'opstools-collectd-5' + descr: 'CentOS OpsTools - collectd' + target: /etc/yum.repos.d/ovirt.repo + baseurl: https://edgecache.query.consul/centos/8-stream/opstools/x86_64/collectd-5 + gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-OpsTools' + centos_8_ovirt45: + name: 'virt-ovirt-45' + descr: 'CentOS oVirt 4.5' + target: /etc/yum.repos.d/ovirt.repo + 
baseurl: https://edgecache.query.consul/centos/8-stream/virt/x86_64/ovirt-45 + gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Virtualization' + centos_8_stream_gluster10: + name: 'storage-gluster-10' + descr: 'CentOS oVirt 4.5 - Glusterfs 10' + target: /etc/yum.repos.d/ovirt.repo + baseurl: https://edgecache.query.consul/centos/8-stream/storage/x86_64/gluster-10 + gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Storage' diff --git a/hieradata/roles/infra/ovirt/node.yaml b/hieradata/roles/infra/ovirt/node.yaml index 847efc6..da74b08 100644 --- a/hieradata/roles/infra/ovirt/node.yaml +++ b/hieradata/roles/infra/ovirt/node.yaml 
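Review bot: The ovirt entries hard-code `x86_64` in every `baseurl`, while the rest of the new repo data uses `%{facts.os.architecture}`; keeping the interpolation (`.../8-stream/virt/%{facts.os.architecture}/advancedvirt-common`) avoids a silent mismatch if a non-x86 engine host is ever built. The same eight entries are repeated verbatim in the node.yaml section that follows; a shared oVirt-level Hiera file would keep the two copies from drifting, assuming the hierarchy allows one. The key `centos_8_stream_gluster10` also breaks the `centos_8_<name>` naming used by its siblings.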
@@ -15,3 +15,53 @@ sudo::purge_ignore: - '50_vdsm' - '50_vdsm_hook_ovirt_provider_ovn_hook' - '60_ovirt-ha' + +profiles::yum::global::repos: + centos_8_advanced_virtualization: + name: 'virt-advanced-virtualization' + descr: 'CentOS Advanced Virtualization' + target: /etc/yum.repos.d/ovirt.repo + baseurl: https://edgecache.query.consul/centos/8-stream/virt/x86_64/advancedvirt-common + gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Virtualization' + centos_8_ceph_pacific: + name: 'storage-ceph-pacific' + descr: 'CentOS Ceph Pacific' + target: /etc/yum.repos.d/ovirt.repo + baseurl: https://edgecache.query.consul/centos/8-stream/storage/x86_64/ceph-pacific + gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Storage' + centos_8_rabbitmq_38: + name: 'messaging-rabbitmq-38' + descr: 'CentOS RabbitMQ 38' + target: /etc/yum.repos.d/ovirt.repo + baseurl: https://edgecache.query.consul/centos/8-stream/messaging/x86_64/rabbitmq-38 + gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Messaging' + centos_8_nfv_openvswitch: + name: 'nfv-openvswitch-2' + descr: 'CentOS NFV OpenvSwitch' + target: /etc/yum.repos.d/ovirt.repo + baseurl: https://edgecache.query.consul/centos/8-stream/nfv/x86_64/openvswitch-2 + gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-NFV' + centos_8_openstack_xena: + name: 'cloud-openstack-xena' + descr: 'CentOS OpenStack Xena' + target: /etc/yum.repos.d/ovirt.repo + baseurl: https://edgecache.query.consul/centos/8-stream/cloud/x86_64/openstack-xena + gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Cloud' + centos_8_opstools: + name: 'opstools-collectd-5' + descr: 'CentOS OpsTools - collectd' + target: /etc/yum.repos.d/ovirt.repo + baseurl: https://edgecache.query.consul/centos/8-stream/opstools/x86_64/collectd-5 + gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-OpsTools' + centos_8_ovirt45: + name: 'virt-ovirt-45' + descr: 'CentOS oVirt 4.5' + target: /etc/yum.repos.d/ovirt.repo + baseurl: 
https://edgecache.query.consul/centos/8-stream/virt/x86_64/ovirt-45 + gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Virtualization' + centos_8_stream_gluster10: + name: 'storage-gluster-10' + descr: 'CentOS oVirt 4.5 - Glusterfs 10' + target: /etc/yum.repos.d/ovirt.repo + baseurl: https://edgecache.query.consul/centos/8-stream/storage/x86_64/gluster-10 + gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Storage' diff --git a/site/profiles/manifests/yum/global.pp b/site/profiles/manifests/yum/global.pp index 6aaf807..98a90d4 100644 --- a/site/profiles/manifests/yum/global.pp +++ b/site/profiles/manifests/yum/global.pp @@ -4,8 +4,8 @@ # base and EPEL yum repository profiles based on the content of the # $managed_repos parameter, which is an array of repository names. class profiles::yum::global ( - Array[String] $managed_repos, - Boolean $purge = true, + Hash $repos = {}, + Boolean $purge = true, ){ class { 'yum': keep_kernel_devel => true, 
@@ -19,44 +19,8 @@ class profiles::yum::global ( purge => $purge, } - # Generate the content for the .managed file - $managed_file_content = $managed_repos.map |$repo_name| { "${repo_name}.repo" }.join("\n") - - # Create the .managed file - file { '/etc/yum.repos.d/.managed': - ensure => file, - content => $managed_file_content, - } - - # Setup base repos - class { 'profiles::yum::base': - managed_repos => $managed_repos, - require => Class['profiles::pki::vaultca'], - } - - # Setup epel if included in managed_repos - class { 'profiles::yum::epel': - managed_repos => $managed_repos, - require => Class['profiles::pki::vaultca'], - } - - # Setup puppet7 if included in managed_repos - class { 'profiles::yum::puppet7': - managed_repos => $managed_repos, - require => Class['profiles::pki::vaultca'], - } - - # Setup unkin repo if included in managed_repos - class { 'profiles::yum::unkin': - managed_repos => $managed_repos, - require => Class['profiles::pki::vaultca'], - } - - # Setup ovirt repo if included in managed_repos - class { 'profiles::yum::ovirt': - managed_repos => $managed_repos, - require => Class['profiles::pki::vaultca'], - } + # create repos + create_resources('yumrepo', $repos) # makecache if changes made to repos exec {'dnf_makecache': From fd466fccccdbca925b2bfec2930705e3f8453596 Mon Sep 17 00:00:00 2001 
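Review bot: `create_resources('yumrepo', $repos)` drops the `require => Class['profiles::pki::vaultca']` ordering that every removed per-repo class carried, yet the new data points `baseurl` at `https://edgecache.query.consul`, whose certificate appears to be issued by the internal Vault CA (edgecache is configured with `nginx_cert_type: vault`). On a fresh node the repo files and `Exec['dnf_makecache']` can therefore be applied before that CA is trusted, failing the first run. Pass the dependency as resource defaults: `create_resources('yumrepo', $repos, { 'require' => Class['profiles::pki::vaultca'] })`. The `yum` class declaration and the rest of `dnf_makecache` lie outside the hunk.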
From: Ben Vincent Date: Sun, 19 May 2024 19:20:50 +1000 Subject: [PATCH 201/229] feat: cleanup old repo management - change profiles::puppet::agent to require Yumrepo['puppet'] - remove managed repos hieradata - remove profiles::yum::* classes that are not required - remove missed rebase comment --- hieradata/os/AlmaLinux/AlmaLinux8.yaml | 9 ---- hieradata/os/AlmaLinux/AlmaLinux9.yaml | 6 --- hieradata/os/AlmaLinux/all_releases.yaml | 4 -- hieradata/roles/infra/ovirt/engine.yaml | 10 ---- hieradata/roles/infra/ovirt/node.yaml | 9 ---- site/profiles/manifests/puppet/agent.pp | 2 +- site/profiles/manifests/yum/base.pp | 66 ------------------------ site/profiles/manifests/yum/epel.pp | 25 --------- site/profiles/manifests/yum/global.pp | 4 -- site/profiles/manifests/yum/mariadb.pp | 25 --------- site/profiles/manifests/yum/ovirt.pp | 48 ----------------- site/profiles/manifests/yum/puppet7.pp | 21 -------- site/profiles/manifests/yum/unkin.pp | 23 --------- 13 files changed, 1 insertion(+), 251 deletions(-) delete mode 100644 site/profiles/manifests/yum/base.pp delete mode 100644 site/profiles/manifests/yum/epel.pp delete mode 100644 site/profiles/manifests/yum/mariadb.pp delete mode 100644 site/profiles/manifests/yum/ovirt.pp delete mode 100644 site/profiles/manifests/yum/puppet7.pp delete mode 100644 site/profiles/manifests/yum/unkin.pp diff --git a/hieradata/os/AlmaLinux/AlmaLinux8.yaml b/hieradata/os/AlmaLinux/AlmaLinux8.yaml index e0b4a27..7861fca 100644 --- a/hieradata/os/AlmaLinux/AlmaLinux8.yaml +++ b/hieradata/os/AlmaLinux/AlmaLinux8.yaml @@ -1,11 +1,2 @@ # hieradata/os/AlmaLinux/AlmaLinux8.yaml --- -profiles::yum::global::managed_repos: - - 'base' - - 'appstream' - - 'epel' - - 'powertools' - - 'highavailability' - - 'puppet7' - - 'yum.postgresql.org' - - 'unkin' diff --git a/hieradata/os/AlmaLinux/AlmaLinux9.yaml b/hieradata/os/AlmaLinux/AlmaLinux9.yaml index c6e95cc..03c8c55 100644 --- a/hieradata/os/AlmaLinux/AlmaLinux9.yaml 
+++ b/hieradata/os/AlmaLinux/AlmaLinux9.yaml @@ -1,8 +1,2 @@ # hieradata/os/AlmaLinux/AlmaLinux9.yaml --- -profiles::yum::global::managed_repos: - - 'base' - - 'appstream' - - 'epel' - - 'puppet7' - - 'yum.postgresql.org' diff --git a/hieradata/os/AlmaLinux/all_releases.yaml b/hieradata/os/AlmaLinux/all_releases.yaml index b0016ba..3665900 100644 --- a/hieradata/os/AlmaLinux/all_releases.yaml +++ b/hieradata/os/AlmaLinux/all_releases.yaml @@ -1,9 +1,5 @@ # hieradata/os/almalinux/all_releases.yaml --- -profiles::yum::base::baseurl: https://repos.main.unkin.net/almalinux -profiles::yum::epel::baseurl: https://repos.main.unkin.net/epel -profiles::yum::unkin::baseurl: https://repos.main.unkin.net/unkin -profiles::yum::ovirt::baseurl: https://repos.main.unkin.net/centos profiles::firewall::firewalld::ensure_package: 'absent' profiles::firewall::firewalld::ensure_service: 'stopped' profiles::firewall::firewalld::enable_service: false diff --git a/hieradata/roles/infra/ovirt/engine.yaml b/hieradata/roles/infra/ovirt/engine.yaml index 7abde8c..b2a934d 100644 --- a/hieradata/roles/infra/ovirt/engine.yaml +++ b/hieradata/roles/infra/ovirt/engine.yaml @@ -1,14 +1,4 @@ --- -profiles::yum::global::managed_repos: - - 'virt-advanced-virtualization' - - 'storage-ceph-pacific' - - 'cloud-openstack-xena' - - 'messaging-rabbitmq-38' - - 'nfv-openvswitch-2' - - 'opstools-collectd-5' - - 'storage-gluster-10' - - 'virt-ovirt-45' - profiles::yum::global::repos: centos_8_advanced_virtualization: name: 'virt-advanced-virtualization' diff --git a/hieradata/roles/infra/ovirt/node.yaml b/hieradata/roles/infra/ovirt/node.yaml index da74b08..762c1aa 100644 --- a/hieradata/roles/infra/ovirt/node.yaml +++ b/hieradata/roles/infra/ovirt/node.yaml 
@@ -1,15 +1,6 @@ --- profiles::firewall::firewalld::ensure_package: 'installed' profiles::firewall::firewalld::ensure_service: 'running' -profiles::yum::global::managed_repos: - - 'virt-advanced-virtualization' - - 'storage-ceph-pacific' - - 'cloud-openstack-xena' - - 'messaging-rabbitmq-38' - - 'nfv-openvswitch-2' - - 'opstools-collectd-5' - - 'storage-gluster-10' - - 'virt-ovirt-45' sudo::purge_ignore: - '50_vdsm' diff --git a/site/profiles/manifests/puppet/agent.pp b/site/profiles/manifests/puppet/agent.pp index c911f0d..76164c1 100644 --- a/site/profiles/manifests/puppet/agent.pp +++ b/site/profiles/manifests/puppet/agent.pp @@ -19,7 +19,7 @@ class profiles::puppet::agent ( # Ensure the puppet-agent package is installed and locked to a specific version package { 'puppet-agent': ensure => $puppet_version, - require => Class['profiles::yum::puppet7'], + require => Yumrepo['puppet'], } # versionlock puppet-agent diff --git a/site/profiles/manifests/yum/base.pp b/site/profiles/manifests/yum/base.pp deleted file mode 100644 index 47eb2b9..0000000 --- a/site/profiles/manifests/yum/base.pp +++ /dev/null 
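Review bot: `require => Yumrepo['puppet']` makes `Package['puppet-agent']` depend on a resource that only exists when `profiles::yum::global` is in the catalog and its Hiera `repos` hash contains a `puppet` key; any node where that is not the case (another OS family, or a role overriding the hash) now fails compilation with a missing dependency. A collector expresses the ordering without the hard reference and is a no-op when the repo is absent: drop the `require` line and add `Yumrepo <| title == 'puppet' |> -> Package['puppet-agent']` after the package resource. The `profiles::puppet::agent` class header and the versionlock block are outside the hunk.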
@@ -1,66 +0,0 @@ -# Class: profiles::yum::base -# -# This class manages the 'base', extras' and 'appstream' yum -# repositories for a system, based on the provided list of managed repositories. -class profiles::yum::base ( - Array[String] $managed_repos, - String $baseurl, - Enum[ - 'daily', - 'weekly', - 'monthly' - ] $snapshot = 'daily', -) { - $release = $facts['os']['release']['full'] - $basearch = $facts['os']['architecture'] - - if 'base' in $managed_repos { - yumrepo { 'base': - name => 'base', - descr => 'base repository', - target => '/etc/yum.repos.d/base.repo', - baseurl => "${baseurl}/${release}/BaseOS-${snapshot}/${basearch}/os/", - gpgkey => "${baseurl}/${release}/BaseOS-${snapshot}/${basearch}/os/RPM-GPG-KEY-${facts['os']['name']}", - } - } - - if 'extras' in $managed_repos { - yumrepo { 'extras': - name => 'extras', - descr => 'extras repository', - target => '/etc/yum.repos.d/extras.repo', - baseurl => "${baseurl}/${release}/extras-${snapshot}/${basearch}/os/", - gpgkey => "${baseurl}/${release}/extras-${snapshot}/${basearch}/os/RPM-GPG-KEY-${facts['os']['name']}", - } - } - - if 'appstream' in $managed_repos { - yumrepo { 'appstream': - name => 'appstream', - descr => 'appstream repository', - target => '/etc/yum.repos.d/appstream.repo', - baseurl => "${baseurl}/${release}/AppStream-${snapshot}/${basearch}/os/", - gpgkey => "${baseurl}/${release}/AppStream-${snapshot}/${basearch}/os/RPM-GPG-KEY-${facts['os']['name']}", - } - } - - if 'powertools' in $managed_repos { - yumrepo { 'powertools': - name => 'powertools', - descr => 'powertools repository', - target => '/etc/yum.repos.d/powertools.repo', - baseurl => "${baseurl}/${release}/PowerTools-${snapshot}/${basearch}/os/", - gpgkey => "${baseurl}/${release}/PowerTools-${snapshot}/${basearch}/os/RPM-GPG-KEY-${facts['os']['name']}", - } - } - - if 'highavailability' in $managed_repos { - yumrepo { 'highavailability': - name => 'highavailability', - descr => 'highavailability repository', - target => 
'/etc/yum.repos.d/highavailability.repo', - baseurl => "${baseurl}/${release}/HighAvailability-${snapshot}/${basearch}/os/", - gpgkey => "${baseurl}/${release}/HighAvailability-${snapshot}/${basearch}/os/RPM-GPG-KEY-${facts['os']['name']}", - } - } -} diff --git a/site/profiles/manifests/yum/epel.pp b/site/profiles/manifests/yum/epel.pp deleted file mode 100644 index b6c9f43..0000000 --- a/site/profiles/manifests/yum/epel.pp +++ /dev/null @@ -1,25 +0,0 @@ -# Class: profiles::yum::epel -# -# This class manages the EPEL yum repository for the system. -class profiles::yum::epel ( - Array[String] $managed_repos, - String $baseurl, - Enum[ - 'daily', - 'weekly', - 'monthly' - ] $snapshot = 'daily', -) { - $release = $facts['os']['release']['major'] - $basearch = $facts['os']['architecture'] - - if 'epel' in $managed_repos { - yumrepo { 'epel': - name => 'epel', - descr => 'epel repository', - target => '/etc/yum.repos.d/epel.repo', - baseurl => "${baseurl}/${release}/Everything-${snapshot}/${basearch}/os/", - gpgkey => "${baseurl}/${release}/Everything-${snapshot}/${basearch}/os/RPM-GPG-KEY-EPEL-${release}", - } - } -} diff --git a/site/profiles/manifests/yum/global.pp b/site/profiles/manifests/yum/global.pp index 98a90d4..2f515ab 100644 --- a/site/profiles/manifests/yum/global.pp +++ b/site/profiles/manifests/yum/global.pp @@ -1,8 +1,4 @@ # Class: profiles::yum::global -# -# This class manages global YUM configurations and optionally includes the -# base and EPEL yum repository profiles based on the content of the -# $managed_repos parameter, which is an array of repository names. class profiles::yum::global ( Hash $repos = {}, Boolean $purge = true, diff --git a/site/profiles/manifests/yum/mariadb.pp b/site/profiles/manifests/yum/mariadb.pp deleted file mode 100644 index 3c6c4e6..0000000 --- a/site/profiles/manifests/yum/mariadb.pp +++ /dev/null 
@@ -1,25 +0,0 @@ -# Class: profiles::yum::mariadb -# -# This class manages the mariadb yum repository for the system. -# -class profiles::yum::mariadb ( - String $baseurl = 'https://repos.main.unkin.net', - String $version = '11.2', - Enum[ - 'daily', - 'weekly', - 'monthly' - ] $snapshot = 'daily', -) { - $release = $facts['os']['release']['major'] - $basearch = $facts['os']['architecture'] - - yumrepo { 'mariadb': - name => 'mariadb', - descr => 'mariadb repository', - target => '/etc/yum.repos.d/mariadb.repo', - baseurl => "${baseurl}/mariadb/${version}/el${release}-${snapshot}/${basearch}/os/", - gpgkey => "${baseurl}/mariadb/${version}/el${release}-${snapshot}/${basearch}/os/RPM-GPG-KEY-MariaDB", - require => Class['profiles::pki::vaultca'], - } -} diff --git a/site/profiles/manifests/yum/ovirt.pp b/site/profiles/manifests/yum/ovirt.pp deleted file mode 100644 index d04b145..0000000 --- a/site/profiles/manifests/yum/ovirt.pp +++ /dev/null 
@@ -1,48 +0,0 @@ -# Class: profiles::yum::ovirt -class profiles::yum::ovirt ( - Array[String] $managed_repos, - String $baseurl, - Enum[ - 'daily', - 'weekly', - 'monthly' - ] $snapshot = 'daily', -) { - $release = $facts['os']['release']['major'] - $basearch = $facts['os']['architecture'] - - $centos_nonstream = [ - 'virt-advanced-virtualization', - 'storage-ceph-pacific' - ] - $centos_stream = [ - 'cloud-openstack-xena', - 'messaging-rabbitmq-38', - 'nfv-openvswitch-2', - 'opstools-collectd-5', - 'storage-gluster-10', - 'virt-ovirt-45' - ] - $centos_nonstream.each |$name| { - if $name in $managed_repos { - yumrepo { $name: - name => $name, - descr => $name, - target => '/etc/yum.repos.d/ovirt.repo', - baseurl => "${baseurl}/${release}/${name}-20240311/${basearch}/os/", - gpgcheck => false, - } - } - } - $centos_stream.each |$name| { - if $name in $managed_repos { - yumrepo { $name: - name => $name, - descr => $name, - target => '/etc/yum.repos.d/ovirt.repo', - baseurl => "${baseurl}/${release}-stream/${name}-20240311/${basearch}/os/", - gpgcheck => false, - } - } - } -} diff --git a/site/profiles/manifests/yum/puppet7.pp b/site/profiles/manifests/yum/puppet7.pp deleted file mode 100644 index ffcbbf4..0000000 --- a/site/profiles/manifests/yum/puppet7.pp +++ /dev/null 
@@ -1,21 +0,0 @@ -# Class: profiles::yum::epel -# -# This class manages the puppet7 yum repository for the system. -class profiles::yum::puppet7 ( - Array[String] $managed_repos, - String $baseurl = 'http://repos.main.unkin.net/puppet7', -) { - $releasever = $facts['os']['release']['major'] - $basearch = $facts['os']['architecture'] - - if 'puppet7' in $managed_repos { - yumrepo { 'puppet7': - name => 'puppet7', - descr => 'puppet7 repository', - target => '/etc/yum.repos.d/puppet7.repo', - baseurl => "${baseurl}/el/${releasever}-daily/${basearch}/os/", - gpgkey => 'https://yum.puppet.com/RPM-GPG-KEY-puppet-20250406', - #gpgkey => "${baseurl}/el/${releasever}-daily/${basearch}/os/RPM-GPG-KEY-puppet", - } - } -} diff --git a/site/profiles/manifests/yum/unkin.pp b/site/profiles/manifests/yum/unkin.pp deleted file mode 100644 index be5be37..0000000 --- a/site/profiles/manifests/yum/unkin.pp +++ /dev/null @@ -1,23 +0,0 @@ -# Class: profiles::yum::unkin -class profiles::yum::unkin ( - Array[String] $managed_repos, - String $baseurl, - Enum[ - 'daily', - 'weekly', - 'monthly' - ] $snapshot = 'daily', -) { - $release = $facts['os']['release']['major'] - $basearch = $facts['os']['architecture'] - - if 'unkin' in $managed_repos { - yumrepo { 'unkin': - name => 'unkin', - descr => 'unkin repository', - target => '/etc/yum.repos.d/unkin.repo', - baseurl => "${baseurl}/${::facts['os']['release']['major']}/${basearch}/os/", - gpgcheck => false, - } - } -} From dde8d5978dffeb4cff187cf1253b5bb3e69d2307 Mon Sep 17 00:00:00 2001 
From: Ben Vincent Date: Sun, 19 May 2024 21:24:07 +1000 Subject: [PATCH 202/229] feat: firstrun improvements - add fact to detect firstrun - run a limited subset of classes on firstrun - firstrun: includes: - vault ca certificates - yum/apt repositories - fast-install packages with an exec
---
modules/libs/lib/facter/firstrun.rb | 8 ++
site/profiles/manifests/base.pp | 109 ++++++++++---------
site/profiles/manifests/firstrun/complete.pp | 11 ++
site/profiles/manifests/firstrun/init.pp | 19 ++++
site/profiles/manifests/firstrun/packages.pp | 27 +++++
5 files changed, 122 insertions(+), 52 deletions(-)
create mode 100644 modules/libs/lib/facter/firstrun.rb
create mode 100644 site/profiles/manifests/firstrun/complete.pp
create mode 100644 site/profiles/manifests/firstrun/init.pp
create mode 100644 site/profiles/manifests/firstrun/packages.pp
diff --git a/modules/libs/lib/facter/firstrun.rb b/modules/libs/lib/facter/firstrun.rb
new file mode 100644
index 0000000..012aafc
--- /dev/null
+++ b/modules/libs/lib/facter/firstrun.rb
@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+Facter.add(:firstrun) do
+ confine kernel: 'Linux'
+ setcode do
+ File.exist?('/root/.cache/puppet_firstrun_complete') ? false : true
+ end
+end
diff --git a/site/profiles/manifests/base.pp b/site/profiles/manifests/base.pp
index a387570..13f6b10 100644
--- a/site/profiles/manifests/base.pp
+++ b/site/profiles/manifests/base.pp
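Review bot: The setcode body `File.exist?('/root/.cache/puppet_firstrun_complete') ? false : true` is just `!File.exist?('/root/.cache/puppet_firstrun_complete')`. More importantly, the fact is true whenever the marker is absent, so removing that file (or `/root/.cache`) puts the node back into the reduced firstrun catalog on its next agent run, which per base.pp skips sudo, accounts and the other base profiles until the marker is written again; the fact deserves a comment saying so, e.g. `# true until profiles::firstrun::complete writes the marker; deleting the marker re-enters firstrun mode`. Note also that `confine kernel: 'Linux'` leaves the fact undefined elsewhere, where `$facts['firstrun']` evaluates falsy and the full catalog applies — probably intended, but worth stating in the same comment.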
@@ -3,59 +3,64 @@ class profiles::base ( Array $puppet_servers, ) { - # install the vault ca first - include profiles::pki::vaultca + # run a limited set of classes on the first run aimed at bootstrapping the new node + if $facts['firstrun'] { + include profiles::firstrun::init + }else{ - # manage the puppet agent - include profiles::puppet::agent + # install the vault ca first + include profiles::pki::vaultca - # manage puppet clients - if ! member($puppet_servers, $trusted['certname']) { - include profiles::puppet::client + # manage the puppet agent + include profiles::puppet::agent + + # manage puppet clients + if ! member($puppet_servers, $trusted['certname']) { + include profiles::puppet::client + } + + # include the base profiles + include profiles::base::repos + include profiles::packages + include profiles::base::facts + include profiles::base::motd + include profiles::base::scripts + include profiles::base::hosts + include profiles::base::groups + include profiles::base::root + include profiles::accounts::sysadmin + include profiles::ntp::client + include profiles::dns::base + include profiles::pki::vault + include profiles::cloudinit::init + include profiles::metrics::default + include profiles::helpers::node_lookup + include profiles::consul::client + + # include the python class + class { 'python': + manage_python_package => true, + manage_venv_package => true, + manage_pip_package => true, + use_epel => false, + } + + # all hosts will have sudo applied + class { 'sudo': + secure_path => '/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/opt/puppetlabs/bin' + } + + # manage virtualised guest agents + if $::facts['is_virtual'] and $::facts['dmi']['manufacturer'] == 'QEMU' { + include profiles::qemu::agent + } + + # include classes from hiera + lookup('hiera_classes', Array[String], 'unique').include + + # specifc ordering constraints + Class['profiles::pki::vaultca'] + -> Class['profiles::base::repos'] + -> Class['profiles::packages'] } - - # 
include the base profiles - include profiles::base::repos - include profiles::packages - include profiles::base::facts - include profiles::base::motd - include profiles::base::scripts - include profiles::base::hosts - include profiles::base::groups - include profiles::base::root - include profiles::accounts::sysadmin - include profiles::ntp::client - include profiles::dns::base - include profiles::pki::vault - include profiles::cloudinit::init - include profiles::metrics::default - include profiles::helpers::node_lookup - include profiles::consul::client - - # include the python class - class { 'python': - manage_python_package => true, - manage_venv_package => true, - manage_pip_package => true, - use_epel => false, - } - - # all hosts will have sudo applied - class { 'sudo': - secure_path => '/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/opt/puppetlabs/bin' - } - - # manage virtualised guest agents - if $::facts['is_virtual'] and $::facts['dmi']['manufacturer'] == 'QEMU' { - include profiles::qemu::agent - } - - # include classes from hiera - lookup('hiera_classes', Array[String], 'unique').include - - # specifc ordering constraints - Class['profiles::pki::vaultca'] - -> Class['profiles::base::repos'] - -> Class['profiles::packages'] - } diff --git a/site/profiles/manifests/firstrun/complete.pp b/site/profiles/manifests/firstrun/complete.pp new file mode 100644 index 0000000..3c6342d --- /dev/null +++ b/site/profiles/manifests/firstrun/complete.pp @@ -0,0 +1,11 @@ +# profiles::firstrun::complete +class profiles::firstrun::complete { + + file {'/root/.cache/puppet_firstrun_complete': + ensure => 'file', + owner => 'root', + group => 'root', + mode => '0750', + content => 'firstrun completed', + } +} diff --git a/site/profiles/manifests/firstrun/init.pp b/site/profiles/manifests/firstrun/init.pp new file mode 100644 index 0000000..6b6fd3a --- /dev/null +++ b/site/profiles/manifests/firstrun/init.pp 
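Review bot: The firstrun branch of profiles::base only does `include profiles::firstrun::init`, which the role manifests in the following patch already include directly whenever `$facts['firstrun']` is set, so this branch is reached only if some role includes profiles::base unconditionally; a comment such as `# roles normally include profiles::firstrun::init themselves; this branch is the fallback` would keep the two paths from drifting apart. Note that this branch, unlike the roles, does not include profiles::defaults before the firstrun classes — confirm whether that is intended. Style: `}else{` should be `} else {` as puppet-lint expects.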
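Review bot: `mode => '0750'` on `/root/.cache/puppet_firstrun_complete` gives a plain text marker an execute bit it never needs; `mode => '0640'` (or `'0600'`) is enough for a file that is only checked with File.exist? by the firstrun fact. A comment on the resource would help the next reader: `# marker tested by the firstrun fact (modules/libs/lib/facter/firstrun.rb); while it is absent the node applies the firstrun catalog instead of the full base`.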
@@ -0,0 +1,19 @@
+# profiles::firstrun::init
+class profiles::firstrun::init {
+
+ # include the required CA certificates
+ include profiles::pki::vaultca
+
+ # fast install packages on the first run
+ include profiles::base::repos
+ include profiles::firstrun::packages
+
+ # mark the firstrun as done
+ include profiles::firstrun::complete
+
+
+ Class['profiles::pki::vaultca']
+ -> Class['profiles::base::repos']
+ -> Class['profiles::firstrun::packages']
+ -> Class['profiles::firstrun::complete']
+}
diff --git a/site/profiles/manifests/firstrun/packages.pp b/site/profiles/manifests/firstrun/packages.pp
new file mode 100644
index 0000000..5bcc6d4
--- /dev/null
+++ b/site/profiles/manifests/firstrun/packages.pp
@@ -0,0 +1,27 @@
+# profiles::firstrun::packages
+class profiles::firstrun::packages {
+ # include the correct package repositories, define the install_packages exec
+ case $facts['os']['family'] {
+ 'RedHat': {
+ include profiles::yum::global
+ $install_command = 'dnf install -y'
+ }
+ 'Debian': {
+ include profiles::apt::global
+ $install_command = 'apt-get install -y'
+ }
+ default: {
+ fail("Unsupported OS family ${facts['os']['family']}")
+ }
+ }
+
+ # get all the packages to install, and convert into a space separated list
+ $packages = hiera_array('profiles::packages::install', [])
+ $package_list = $packages.join(' ')
+
+ # install all the packages
+ exec { 'install_packages':
+ command => "${install_command} ${package_list}",
+ path => ['/bin', '/usr/bin'],
+ }
+}
From 2abbfe8feb87134535dec887ab8291d0bd1c7057 Mon Sep 17 00:00:00 2001
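Review bot: When `profiles::packages::install` resolves to an empty list the exec in profiles::firstrun::packages runs `dnf install -y` with no package arguments, which dnf rejects with a non-zero exit; because profiles::firstrun::init orders profiles::firstrun::complete after this class, the marker is then never written and the node re-applies the firstrun catalog on every run. Wrap the resource in `if !$packages.empty { … }` and replace the deprecated `hiera_array` with `lookup('profiles::packages::install', Array[String[1]], 'unique', [])` so the entries that get interpolated into the command are at least non-empty strings. The exec also has no `unless`/`creates` and so re-executes on each firstrun catalog application; if that is deliberate, say so in the comment above it. The exec's default timeout may be short for a large first install — confirm against the real package list.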
From: Ben Vincent Date: Sun, 19 May 2024 22:11:01 +1000 Subject: [PATCH 203/229] feat: update all roles for firstrun - ensure the firstrun is processed before role specific class profiles --- site/roles/manifests/base.pp | 9 +++++++-- site/roles/manifests/infra/cobbler/server.pp | 12 ++++++++---- site/roles/manifests/infra/db/redis.pp | 10 +++++++--- site/roles/manifests/infra/dhcp/server.pp | 11 ++++++++--- site/roles/manifests/infra/dns/master.pp | 5 +++++ site/roles/manifests/infra/dns/resolver.pp | 5 +++++ site/roles/manifests/infra/halb/haproxy.pp | 11 ++++++++--- site/roles/manifests/infra/metrics/grafana.pp | 9 +++++++-- site/roles/manifests/infra/metrics/prometheus.pp | 13 +++++++++---- site/roles/manifests/infra/ntp/server.pp | 11 ++++++++--- site/roles/manifests/infra/ovirt/engine.pp | 9 +++++++-- site/roles/manifests/infra/ovirt/node.pp | 11 ++++++++--- site/roles/manifests/infra/proxmox/node.pp | 5 +++++ site/roles/manifests/infra/puppet/master.pp | 5 +++++ site/roles/manifests/infra/puppetboard/server.pp | 5 +++++ site/roles/manifests/infra/puppetdb/api.pp | 5 +++++ site/roles/manifests/infra/puppetdb/sql.pp | 5 +++++ site/roles/manifests/infra/reposync/syncer.pp | 13 +++++++++---- site/roles/manifests/infra/sql/galera.pp | 15 ++++++++++----- site/roles/manifests/infra/storage/consul.pp | 14 +++++++++----- site/roles/manifests/infra/storage/edgecache.pp | 13 +++++++++---- site/roles/manifests/infra/storage/minio.pp | 11 ++++++++--- site/roles/manifests/infra/storage/vault.pp | 13 +++++++++---- 23 files changed, 166 insertions(+), 54 deletions(-) diff --git a/site/roles/manifests/base.pp b/site/roles/manifests/base.pp index d6a7fa2..371974f 100644 --- a/site/roles/manifests/base.pp +++ b/site/roles/manifests/base.pp 
@@ -1,6 +1,11 @@ # a role to deploy the base system # work in progress class roles::base { - include profiles::defaults - include profiles::base + if $facts['firstrun'] { + include profiles::defaults + include profiles::firstrun::init + }else{ + include profiles::defaults + include profiles::base + } } diff --git a/site/roles/manifests/infra/cobbler/server.pp b/site/roles/manifests/infra/cobbler/server.pp index 0c515d3..5ffd2a6 100644 --- a/site/roles/manifests/infra/cobbler/server.pp +++ b/site/roles/manifests/infra/cobbler/server.pp @@ -1,7 +1,11 @@ # cobbler server profile class roles::infra::cobbler::server { - include profiles::defaults - include profiles::base - include profiles::base::datavol - include profiles::cobbler::init + if $facts['firstrun'] { + include profiles::defaults + include profiles::firstrun::init + }else{ + include profiles::base + include profiles::base::datavol + include profiles::cobbler::init + } } diff --git a/site/roles/manifests/infra/db/redis.pp b/site/roles/manifests/infra/db/redis.pp index fda1b3a..af3bfce 100644 --- a/site/roles/manifests/infra/db/redis.pp +++ b/site/roles/manifests/infra/db/redis.pp @@ -1,6 +1,10 @@ - # a role to deploy a redis node class roles::infra::db::redis { - include profiles::defaults - include profiles::base + if $facts['firstrun'] { + include profiles::defaults + include profiles::firstrun::init + }else{ + include profiles::defaults + include profiles::base + } } diff --git a/site/roles/manifests/infra/dhcp/server.pp b/site/roles/manifests/infra/dhcp/server.pp index 86a3606..1a27e17 100644 --- a/site/roles/manifests/infra/dhcp/server.pp +++ b/site/roles/manifests/infra/dhcp/server.pp 
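Review bot: In roles::infra::cobbler::server the new else branch drops `include profiles::defaults`, which the removed lines had and which every other role in this patch keeps in both branches; add it back as the first line of that branch. The `if $facts['firstrun'] { … } else { … }` switch is now copied verbatim into roles::base and the 22 other role manifests of this patch (redis, dhcp, dns master/resolver, haproxy, grafana, prometheus, ntp, ovirt engine/node, proxmox, puppet master, puppetboard, puppetdb api/sql, reposync, galera, consul, edgecache, minio, vault), so any future change to the bootstrap path has to touch all of them; since profiles::base already carries the same branch, keeping the switch in one place would leave the roles as plain include lists. Also `}else{` should be written `} else {` as puppet-lint expects, in every one of these hunks.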
@@ -1,6 +1,11 @@ # dhcp server profile class roles::infra::dhcp::server { - include profiles::defaults - include profiles::base - include profiles::dhcp::server + if $facts['firstrun'] { + include profiles::defaults + include profiles::firstrun::init + }else{ + include profiles::defaults + include profiles::base + include profiles::dhcp::server + } } diff --git a/site/roles/manifests/infra/dns/master.pp b/site/roles/manifests/infra/dns/master.pp index e5d50de..fbf5192 100644 --- a/site/roles/manifests/infra/dns/master.pp +++ b/site/roles/manifests/infra/dns/master.pp @@ -2,7 +2,12 @@ # defines a dns server with master-only zones # class roles::infra::dns::master { + if $facts['firstrun'] { + include profiles::defaults + include profiles::firstrun::init + }else{ include profiles::defaults include profiles::base include profiles::dns::master + } } diff --git a/site/roles/manifests/infra/dns/resolver.pp b/site/roles/manifests/infra/dns/resolver.pp index 606ca9f..3277cad 100644 --- a/site/roles/manifests/infra/dns/resolver.pp +++ b/site/roles/manifests/infra/dns/resolver.pp @@ -2,7 +2,12 @@ # defines a dns server with forward-only zones # class roles::infra::dns::resolver { + if $facts['firstrun'] { + include profiles::defaults + include profiles::firstrun::init + }else{ include profiles::defaults include profiles::base include profiles::dns::resolver + } } diff --git a/site/roles/manifests/infra/halb/haproxy.pp b/site/roles/manifests/infra/halb/haproxy.pp index 6b128b4..87a2d41 100644 --- a/site/roles/manifests/infra/halb/haproxy.pp +++ b/site/roles/manifests/infra/halb/haproxy.pp @@ -1,6 +1,11 @@ # a role to deploy a haproxy node class roles::infra::halb::haproxy { - include profiles::defaults - include profiles::base - include profiles::haproxy::server + if $facts['firstrun'] { + include profiles::defaults + include profiles::firstrun::init + }else{ + include profiles::defaults + include profiles::base + include profiles::haproxy::server + } } 
diff --git a/site/roles/manifests/infra/metrics/grafana.pp b/site/roles/manifests/infra/metrics/grafana.pp index db6f757..2f99f8d 100644 --- a/site/roles/manifests/infra/metrics/grafana.pp +++ b/site/roles/manifests/infra/metrics/grafana.pp @@ -1,5 +1,10 @@ # a role to deploy a grafana service class roles::infra::metrics::grafana { - include profiles::defaults - include profiles::base + if $facts['firstrun'] { + include profiles::defaults + include profiles::firstrun::init + }else{ + include profiles::defaults + include profiles::base + } } diff --git a/site/roles/manifests/infra/metrics/prometheus.pp b/site/roles/manifests/infra/metrics/prometheus.pp index d3dd8ea..1b2ee1c 100644 --- a/site/roles/manifests/infra/metrics/prometheus.pp +++ b/site/roles/manifests/infra/metrics/prometheus.pp @@ -1,7 +1,12 @@ # a role to deploy a prometheus server class roles::infra::metrics::prometheus { - include profiles::defaults - include profiles::base - include profiles::base::datavol - include profiles::metrics::server + if $facts['firstrun'] { + include profiles::defaults + include profiles::firstrun::init + }else{ + include profiles::defaults + include profiles::base + include profiles::base::datavol + include profiles::metrics::server + } } diff --git a/site/roles/manifests/infra/ntp/server.pp b/site/roles/manifests/infra/ntp/server.pp index cfc685d..4ff34f3 100644 --- a/site/roles/manifests/infra/ntp/server.pp +++ b/site/roles/manifests/infra/ntp/server.pp @@ -1,6 +1,11 @@ # a role to deploy a ntp server class roles::infra::ntp::server { - include profiles::defaults - include profiles::base - include profiles::ntp::server + if $facts['firstrun'] { + include profiles::defaults + include profiles::firstrun::init + }else{ + include profiles::defaults + include profiles::base + include profiles::ntp::server + } } diff --git a/site/roles/manifests/infra/ovirt/engine.pp b/site/roles/manifests/infra/ovirt/engine.pp index f437516..1e998f3 100644 
--- a/site/roles/manifests/infra/ovirt/engine.pp +++ b/site/roles/manifests/infra/ovirt/engine.pp @@ -1,5 +1,10 @@ # role to manage ovirt management engine nodes class roles::infra::ovirt::engine { - include profiles::defaults - include profiles::base + if $facts['firstrun'] { + include profiles::defaults + include profiles::firstrun::init + }else{ + include profiles::defaults + include profiles::base + } } diff --git a/site/roles/manifests/infra/ovirt/node.pp b/site/roles/manifests/infra/ovirt/node.pp index 5182092..026a25f 100644 --- a/site/roles/manifests/infra/ovirt/node.pp +++ b/site/roles/manifests/infra/ovirt/node.pp @@ -1,6 +1,11 @@ # role to manage ovirt hypervisor nodes class roles::infra::ovirt::node { - include profiles::defaults - include profiles::base - include profiles::ovirt::node + if $facts['firstrun'] { + include profiles::defaults + include profiles::firstrun::init + }else{ + include profiles::defaults + include profiles::base + include profiles::ovirt::node + } } diff --git a/site/roles/manifests/infra/proxmox/node.pp b/site/roles/manifests/infra/proxmox/node.pp index 62bc14f..ccf41b6 100644 --- a/site/roles/manifests/infra/proxmox/node.pp +++ b/site/roles/manifests/infra/proxmox/node.pp @@ -1,6 +1,11 @@ # manage the installation of a proxmox node class roles::infra::proxmox::node { + if $facts['firstrun'] { + include profiles::defaults + include profiles::firstrun::init + }else{ include profiles::defaults include profiles::base include profiles::proxmox::init + } } diff --git a/site/roles/manifests/infra/puppet/master.pp b/site/roles/manifests/infra/puppet/master.pp index 01e8877..c29ab7a 100644 --- a/site/roles/manifests/infra/puppet/master.pp +++ b/site/roles/manifests/infra/puppet/master.pp 
@@ -1,7 +1,12 @@ # a role to deploy the puppetmaster # work in progress class roles::infra::puppet::master { + if $facts['firstrun'] { + include profiles::defaults + include profiles::firstrun::init + }else{ include profiles::defaults include profiles::base include profiles::puppet::puppetmaster } +} diff --git a/site/roles/manifests/infra/puppetboard/server.pp b/site/roles/manifests/infra/puppetboard/server.pp index 4742810..e2d772d 100644 --- a/site/roles/manifests/infra/puppetboard/server.pp +++ b/site/roles/manifests/infra/puppetboard/server.pp @@ -1,6 +1,11 @@ # a role to deploy the puppetboard class roles::infra::puppetboard::server { + if $facts['firstrun'] { + include profiles::defaults + include profiles::firstrun::init + }else{ include profiles::defaults include profiles::base include profiles::puppet::puppetboard } +} diff --git a/site/roles/manifests/infra/puppetdb/api.pp b/site/roles/manifests/infra/puppetdb/api.pp index 65bee4c..7d50c47 100644 --- a/site/roles/manifests/infra/puppetdb/api.pp +++ b/site/roles/manifests/infra/puppetdb/api.pp @@ -1,6 +1,11 @@ # a role to deploy the puppetdb api service class roles::infra::puppetdb::api { + if $facts['firstrun'] { + include profiles::defaults + include profiles::firstrun::init + }else{ include profiles::defaults include profiles::base include profiles::puppet::puppetdb_api } +} diff --git a/site/roles/manifests/infra/puppetdb/sql.pp b/site/roles/manifests/infra/puppetdb/sql.pp index 97ebc96..7f13859 100644 --- a/site/roles/manifests/infra/puppetdb/sql.pp +++ b/site/roles/manifests/infra/puppetdb/sql.pp @@ -1,6 +1,11 @@ # a role to deploy the puppetdb postgresql service class roles::infra::puppetdb::sql { + if $facts['firstrun'] { + include profiles::defaults + include profiles::firstrun::init + }else{ include profiles::defaults include profiles::base include profiles::puppet::puppetdb_sql } +} 
diff --git a/site/roles/manifests/infra/reposync/syncer.pp b/site/roles/manifests/infra/reposync/syncer.pp index 8c5a613..9c41fe3 100644 --- a/site/roles/manifests/infra/reposync/syncer.pp +++ b/site/roles/manifests/infra/reposync/syncer.pp @@ -1,7 +1,12 @@ # a role to deploy a packagerepo class roles::infra::reposync::syncer { - include profiles::defaults - include profiles::base - include profiles::base::datavol - include profiles::reposync::syncer + if $facts['firstrun'] { + include profiles::defaults + include profiles::firstrun::init + }else{ + include profiles::defaults + include profiles::base + include profiles::base::datavol + include profiles::reposync::syncer + } } diff --git a/site/roles/manifests/infra/sql/galera.pp b/site/roles/manifests/infra/sql/galera.pp index 207aed6..2628f81 100644 --- a/site/roles/manifests/infra/sql/galera.pp +++ b/site/roles/manifests/infra/sql/galera.pp @@ -1,10 +1,15 @@ # a role to deploy a mariadb galera node class roles::infra::sql::galera { - include profiles::defaults - include profiles::base - include profiles::base::datavol + if $facts['firstrun'] { + include profiles::defaults + include profiles::firstrun::init + }else{ + include profiles::defaults + include profiles::base + include profiles::base::datavol - if $facts['enc_role'] == 'roles::infra::sql::galera' { - include profiles::sql::galera_member + if $facts['enc_role'] == 'roles::infra::sql::galera' { + include profiles::sql::galera_member + } } } diff --git a/site/roles/manifests/infra/storage/consul.pp b/site/roles/manifests/infra/storage/consul.pp index e47a108..143b167 100644 --- a/site/roles/manifests/infra/storage/consul.pp +++ b/site/roles/manifests/infra/storage/consul.pp 
@@ -1,8 +1,12 @@ - # a role to deploy a consul node class roles::infra::storage::consul { - include profiles::defaults - include profiles::base - include profiles::base::datavol - include profiles::consul::server + if $facts['firstrun'] { + include profiles::defaults + include profiles::firstrun::init + }else{ + include profiles::defaults + include profiles::base + include profiles::base::datavol + include profiles::consul::server + } } diff --git a/site/roles/manifests/infra/storage/edgecache.pp b/site/roles/manifests/infra/storage/edgecache.pp index 4ed8bf7..7d9d655 100644 --- a/site/roles/manifests/infra/storage/edgecache.pp +++ b/site/roles/manifests/infra/storage/edgecache.pp @@ -1,7 +1,12 @@ # a role to deploy an edgecache class roles::infra::storage::edgecache { - include profiles::defaults - include profiles::base - include profiles::base::datavol - include profiles::edgecache::init + if $facts['firstrun'] { + include profiles::defaults + include profiles::firstrun::init + }else{ + include profiles::defaults + include profiles::base + include profiles::base::datavol + include profiles::edgecache::init + } } diff --git a/site/roles/manifests/infra/storage/minio.pp b/site/roles/manifests/infra/storage/minio.pp index 72411e8..d436e8e 100644 --- a/site/roles/manifests/infra/storage/minio.pp +++ b/site/roles/manifests/infra/storage/minio.pp @@ -1,6 +1,11 @@ # a role to deploy a minio node class roles::infra::storage::minio { - include profiles::defaults - include profiles::base - include profiles::minio::server + if $facts['firstrun'] { + include profiles::defaults + include profiles::firstrun::init + }else{ + include profiles::defaults + include profiles::base + include profiles::minio::server + } } diff --git a/site/roles/manifests/infra/storage/vault.pp b/site/roles/manifests/infra/storage/vault.pp index fce67af..9e11b14 100644 --- a/site/roles/manifests/infra/storage/vault.pp +++ b/site/roles/manifests/infra/storage/vault.pp 
@@ -1,7 +1,12 @@ # a role to deploy a vault node class roles::infra::storage::vault { - include profiles::defaults - include profiles::base - include profiles::base::datavol - include profiles::vault::server + if $facts['firstrun'] { + include profiles::defaults + include profiles::firstrun::init + }else{ + include profiles::defaults + include profiles::base + include profiles::base::datavol + include profiles::vault::server + } } From 65bd2ae8d558b71d900c2b573486e0bbe029087a Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sun, 19 May 2024 22:46:27 +1000 Subject: [PATCH 204/229] fix: repo target changes - use per-repo target files --- hieradata/os/AlmaLinux/all_releases.yaml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/hieradata/os/AlmaLinux/all_releases.yaml b/hieradata/os/AlmaLinux/all_releases.yaml index 3665900..c383966 100644 --- a/hieradata/os/AlmaLinux/all_releases.yaml +++ b/hieradata/os/AlmaLinux/all_releases.yaml 
@@ -16,31 +16,31 @@ profiles::yum::global::repos:
 baseos:
 name: baseos
 descr: baseos repository
- target: /etc/yum.repos.d/almalinux.repo
+ target: /etc/yum.repos.d/baseos.repo
 baseurl: https://edgecache.query.consul/almalinux/%{facts.os.release.full}/BaseOS/%{facts.os.architecture}/os
 gpgkey: http://edgecache.query.consul/almalinux/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
 extras:
 name: extras
 descr: extras repository
- target: /etc/yum.repos.d/almalinux.repo
+ target: /etc/yum.repos.d/extras.repo
 baseurl: https://edgecache.query.consul/almalinux/%{facts.os.release.full}/extras/%{facts.os.architecture}/os
 gpgkey: http://edgecache.query.consul/almalinux/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
 appstream:
 name: appstream
 descr: appstream repository
- target: /etc/yum.repos.d/almalinux.repo
+ target: /etc/yum.repos.d/appstream.repo
 baseurl: https://edgecache.query.consul/almalinux/%{facts.os.release.full}/AppStream/%{facts.os.architecture}/os
 gpgkey: http://edgecache.query.consul/almalinux/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
 powertools:
 name: powertools
 descr: powertools repository
- target: /etc/yum.repos.d/almalinux.repo
+ target: /etc/yum.repos.d/powertools.repo
 baseurl: https://edgecache.query.consul/almalinux/%{facts.os.release.full}/PowerTools/%{facts.os.architecture}/os
 gpgkey: http://edgecache.query.consul/almalinux/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
 highavailability:
 name: highavailability
 descr: highavailability repository
- target: /etc/yum.repos.d/almalinux.repo
+ target: /etc/yum.repos.d/highavailability.repo
 baseurl: https://edgecache.query.consul/almalinux/%{facts.os.release.full}/HighAvailability/%{facts.os.architecture}/os
 gpgkey: http://edgecache.query.consul/almalinux/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
 epel:
From 598a8c0f52a05b800c932f4d28b6898594258bdc Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Sun, 19 May 2024 22:52:52 +1000
Subject: [PATCH 205/229] feat: firstrun optimisations
- download gpg keys if gpgkey is defined
- ensure the profiles::defaults is called first
---
 site/profiles/manifests/firstrun/complete.pp | 8 ++++++++
 site/profiles/manifests/firstrun/init.pp | 3 ++-
 site/profiles/manifests/yum/global.pp | 16 ++++++++++++++++
 3 files changed, 26 insertions(+), 1 deletion(-)
diff --git a/site/profiles/manifests/firstrun/complete.pp b/site/profiles/manifests/firstrun/complete.pp
index 3c6342d..b79eaf2 100644
--- a/site/profiles/manifests/firstrun/complete.pp
+++ b/site/profiles/manifests/firstrun/complete.pp
@@ -1,11 +1,19 @@
 # profiles::firstrun::complete
 class profiles::firstrun::complete {
+ file { '/root/.cache':
+ ensure => 'directory',
+ owner => 'root',
+ group => 'root',
+ mode => '0750',
+ }
+
 file {'/root/.cache/puppet_firstrun_complete':
 ensure => 'file',
 owner => 'root',
 group => 'root',
 mode => '0750',
 content => 'firstrun completed',
+ require => File['/root/.cache'],
 }
 }
diff --git a/site/profiles/manifests/firstrun/init.pp b/site/profiles/manifests/firstrun/init.pp
index 6b6fd3a..c4845e1 100644
--- a/site/profiles/manifests/firstrun/init.pp
+++ b/site/profiles/manifests/firstrun/init.pp
@@ -12,7 +12,8 @@ class profiles::firstrun::init {
 include profiles::firstrun::complete
- Class['profiles::pki::vaultca']
+ Class['profiles::defaults']
+ -> Class['profiles::pki::vaultca']
 -> Class['profiles::base::repos']
 -> Class['profiles::firstrun::packages']
 -> Class['profiles::firstrun::complete']
diff --git a/site/profiles/manifests/yum/global.pp b/site/profiles/manifests/yum/global.pp
index 2f515ab..a9fbef5 100644
--- a/site/profiles/manifests/yum/global.pp
+++ b/site/profiles/manifests/yum/global.pp
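Review bot: The marker file `/root/.cache/puppet_firstrun_complete` keeps `mode => '0750'`, which makes a plain text file executable for no reason; `mode => '0640',` is sufficient for a file whose only purpose is to exist, while `0750` is appropriate on the new directory resource. Since `/root/.cache` is a general-purpose directory that other tools on the host may populate, it is worth a one-line comment on the new resource, `# shared cache dir: only ownership and mode are managed, contents are left alone`, so that nobody later adds `recurse`/`purge` to it.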
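Review bot: The new chain starts at `Class['profiles::defaults']`, but nothing in this hunk includes that class in profiles::firstrun::init; a chaining reference to a class that is not in the catalog fails compilation, so this presumably relies on every role including profiles::defaults before profiles::firstrun::init (the storage roles earlier on this page do). Adding `include profiles::defaults` next to the other includes at the top of the class would make the ordering self-contained instead of depending on each caller. The includes and the start of the class body lie above the hunk.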
@@ -11,10 +11,26 @@ class profiles::yum::global (
 },
 }
+ # purge all yum repos not defined by puppet
 resources { 'yumrepo':
 purge => $purge,
 }
+ # download all gpg keys if a repo defines it
+ $repos.each |$name, $repo| {
+ if $repo['gpgkey'] {
+ $key_url = $repo['gpgkey']
+ $key_file = "/etc/pki/rpm-gpg/${name}-gpg-key"
+ exec { "download_gpg_key_${name}":
+ command => "curl -s -o ${key_file} ${key_url} && rpm --import ${key_file}",
+ path => ['/bin', 'usr/bin'],
+ creates => $key_file,
+ before => Yumrepo[$name],
+ }
+ }
+ }
+ # create repos
 create_resources('yumrepo', $repos)
From 6035af37a1d23312178167e0f1b4cd88a0daf4ee Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Wed, 22 May 2024 21:37:00 +1000
Subject: [PATCH 206/229] feat: increase puppetdb api Xmx
- change java args to use 2048mb of memory
---
 hieradata/roles/infra/puppetdb/api.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hieradata/roles/infra/puppetdb/api.yaml b/hieradata/roles/infra/puppetdb/api.yaml
index 551007e..dc7465d 100644
--- a/hieradata/roles/infra/puppetdb/api.yaml
+++ b/hieradata/roles/infra/puppetdb/api.yaml
@@ -1,5 +1,5 @@
 ---
 profiles::puppet::puppetdb_api::java_bin: /usr/lib/jvm/jre-11/bin/java
 profiles::puppet::puppetdb_api::java_args:
- '-Xmx': '512m'
+ '-Xmx': '2048m'
 '-Xms': '256m'
From 39aa6e114eb97c82ba6b2431609abe71e897b4fb Mon Sep 17 00:00:00 2001
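Review bot: `path => ['/bin', 'usr/bin']` is missing the leading slash on the second entry, so the exec only resolves `curl` and `rpm` through `/bin`; it should read `path => ['/bin', '/usr/bin'],`. The download also runs `curl -s` without `-f`, so an HTTP error page would be written to `${key_file}`, handed to `rpm --import` (which then fails), and the `creates` guard would stop the exec from ever retrying — `command => "curl -sf -o ${key_file} ${key_url} && rpm --import ${key_file}",` avoids the stale-file trap. Because this exec turns whatever the repo's `gpgkey` URL serves into a trusted package-signing key, the `http://` gpgkey URLs in the AlmaLinux hiera entries earlier on this page deserve the same `https://` scheme their baseurl already uses; a comment on the loop noting that the key URL must be authenticated would make the expectation explicit. The class body continues past the end of the hunk.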
From: Ben Vincent
Date: Mon, 20 May 2024 21:07:37 +1000
Subject: [PATCH 207/229] feat: puppetdb sql updates
- add consul support
- enable local script checks in consul agents
- add a test DB/User for consult to verify the psql instance is running
- manage the postgresql repo and gpg key
---
 hieradata/roles/infra/puppetdb/sql.eyaml | 1 +
 hieradata/roles/infra/puppetdb/sql.yaml | 35 +++++++++++++++++++
 site/profiles/manifests/consul/client.pp | 17 ++++-----
 .../profiles/manifests/puppet/puppetdb_sql.pp | 24 +++++++++++--
 .../puppetdb/check_consul_postgresql.erb | 2 ++
 site/roles/manifests/infra/puppetdb/sql.pp | 4 ++-
 6 files changed, 71 insertions(+), 12 deletions(-)
 create mode 100644 hieradata/roles/infra/puppetdb/sql.eyaml
 create mode 100644 site/profiles/templates/puppetdb/check_consul_postgresql.erb
diff --git a/hieradata/roles/infra/puppetdb/sql.eyaml b/hieradata/roles/infra/puppetdb/sql.eyaml
new file mode 100644
index 0000000..c1c2c5d
--- /dev/null
+++ b/hieradata/roles/infra/puppetdb/sql.eyaml
@@ -0,0 +1 @@
+profiles::puppet::puppetdb_sql::consul_test_db_pass: ENC[PKCS7,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]
diff --git a/hieradata/roles/infra/puppetdb/sql.yaml b/hieradata/roles/infra/puppetdb/sql.yaml
index 0d6409a..838300d 100644
--- a/hieradata/roles/infra/puppetdb/sql.yaml
+++ b/hieradata/roles/infra/puppetdb/sql.yaml
@@ -2,3 +2,38 @@ postgresql_config_entries:
 max_connections: 300
 shared_buffers: '256MB'
+
+consul::services:
+ puppetdbsql:
+ service_name: 'puppetdbsql'
+ tags:
+ - 'puppet'
+ - 'puppetdb'
+ - 'database'
+ address: "%{facts.networking.ip}"
+ port: 5432
+ checks:
+ - id: 'psql-check'
+ name: 'PostgreSQL Health Check'
+ args:
+ - '/usr/local/bin/check_consul_postgresql'
+ interval: '10s'
+ timeout: '1s'
+profiles::consul::client::node_rules:
+ - resource: service
+ segment: puppetdbsql
+ disposition: write
+
+profiles::yum::global::repos:
+ postgresql-15:
+ name: postgresql-15
+ descr: postgresql-15 repository
+ target: /etc/yum.repos.d/postgresql.repo
+ baseurl: https://edgecache.query.consul/postgres/yum/15/redhat/rhel-%{facts.os.release.full}-%{facts.os.architecture}
+ gpgkey: https://edgecache.query.consul/postgres/yum/keys/PGDG-RPM-GPG-KEY-RHEL
+ postgresql-common:
+ name: postgresql-common
+ descr: postgresql-common repository
+ target: /etc/yum.repos.d/postgresql.repo
+ baseurl: https://edgecache.query.consul/postgres/yum/common/redhat/rhel-%{facts.os.release.full}-%{facts.os.architecture}
+ gpgkey: https://edgecache.query.consul/postgres/yum/keys/PGDG-RPM-GPG-KEY-RHEL
diff --git a/site/profiles/manifests/consul/client.pp b/site/profiles/manifests/consul/client.pp
index 4524b87..d1d82d8 100644
--- a/site/profiles/manifests/consul/client.pp
+++ b/site/profiles/manifests/consul/client.pp
@@ -36,14 +36,15 @@ class profiles::consul::client (
 # deploy the consul agent
 class { 'consul':
 config_hash => {
- 'data_dir' => $data_dir,
- 'datacenter' => $consul_cluster,
- 'log_level' => 'INFO',
- 'node_name' => $facts['networking']['fqdn'],
- 'retry_join' => $servers_array,
- 'bind_addr' => $::facts['networking']['ip'],
- 'advertise_addr' => $::facts['networking']['ip'],
- 'acl' => {
+ 'data_dir' => $data_dir,
+ 'datacenter' => $consul_cluster,
+ 'log_level' => 'INFO',
+ 'node_name' => $facts['networking']['fqdn'],
+ 'retry_join' => $servers_array,
+ 'bind_addr' => $::facts['networking']['ip'],
+ 'advertise_addr' => $::facts['networking']['ip'],
+ 'enable_script_checks' => true,
+ 'acl' => {
 tokens => {
 default => fqdn_uuid("${facts['networking']['fqdn']}-${secret_id_salt}")
 }
diff --git a/site/profiles/manifests/puppet/puppetdb_sql.pp b/site/profiles/manifests/puppet/puppetdb_sql.pp
index 5afa9a5..096fb7b 100644
--- a/site/profiles/manifests/puppet/puppetdb_sql.pp
+++ b/site/profiles/manifests/puppet/puppetdb_sql.pp
@@ -2,6 +2,7 @@ class profiles::puppet::puppetdb_sql (
 String $puppetdb_host = lookup('profiles::puppet::puppetdb::puppetdb_host'),
 String $listen_address = $facts['networking']['ip'],
+ String $consul_test_db_pass = '',
 ) {
 # disable the postgresql dnf module for el8+
@@ -17,9 +18,11 @@ class profiles::puppet::puppetdb_sql (
 # Install and configure PostgreSQL for PuppetDB
 class { 'puppetdb::database::postgresql':
- listen_addresses => $listen_address,
- postgres_version => '15',
- puppetdb_server => $puppetdb_host,
+ listen_addresses => $listen_address,
+ postgres_version => '15',
+ puppetdb_server => $puppetdb_host,
+ manage_package_repo => false,
+ require => [ Yumrepo['postgresql-15'],Yumrepo['postgresql-common'] ],
 }
 contain ::puppetdb::database::postgresql
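Review bot: `'enable_script_checks' => true` enables script checks registered through the agent's HTTP API as well as those from local config files, which is broader than the "local script checks" the commit message describes; Consul provides `enable_local_script_checks` for the local-only case and its documentation recommends that over `enable_script_checks`, since the latter lets anyone able to reach the agent API run commands on the node unless the API is ACL-protected. The check definitions on this page all come from Puppet-managed hiera config, so `'enable_local_script_checks' => true,` covers them. A short comment on that line explaining why the local variant was chosen would keep the next reader from "fixing" it back.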
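Review bot: `String $consul_test_db_pass = ''` lets a missing or unresolved eyaml value compile silently into an empty password for the consul test role; declaring it as `String[1] $consul_test_db_pass,` with no default (or another non-empty type) surfaces that at catalog compile time instead of at the first failing health check. The parameter list of profiles::puppet::puppetdb_sql continues outside the hunk.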
@@ -32,4 +35,19 @@ class profiles::puppet::puppetdb_sql (
 value => $value,
 }
 }
+
+ # create consul database + user to test the host is responsive
+ postgresql::server::db { 'consul_test_db':
+ user => 'consul_test_user',
+ password => postgresql::postgresql_password('consul_test_user', Sensitive($consul_test_db_pass) ),
+ }
+
+ file { '/usr/local/bin/check_consul_postgresql':
+ ensure => 'file',
+ owner => 'root',
+ group => 'root',
+ mode => '0755',
+ content => template('profiles/puppetdb/check_consul_postgresql.erb'),
+ before => Class['profiles::consul::client'],
+ }
 }
diff --git a/site/profiles/templates/puppetdb/check_consul_postgresql.erb b/site/profiles/templates/puppetdb/check_consul_postgresql.erb
new file mode 100644
index 0000000..9d651d7
--- /dev/null
+++ b/site/profiles/templates/puppetdb/check_consul_postgresql.erb
@@ -0,0 +1,2 @@
+#!/usr/bin/bash
+PGPASSWORD=<%= @consul_test_db_pass %> /usr/bin/psql -U consul_test_user -d consul_test_db -h <%= @facts['networking']['ip'] %> -p 5432 -c "SELECT 1"
diff --git a/site/roles/manifests/infra/puppetdb/sql.pp b/site/roles/manifests/infra/puppetdb/sql.pp
index 7f13859..872e9b4 100644
--- a/site/roles/manifests/infra/puppetdb/sql.pp
+++ b/site/roles/manifests/infra/puppetdb/sql.pp
@@ -6,6 +6,8 @@ class roles::infra::puppetdb::sql {
 }else{
 include profiles::defaults
 include profiles::base
- include profiles::puppet::puppetdb_sql
+ if $facts['enc_role'] == 'roles::infra::puppetdb::sql' {
+ include profiles::puppet::puppetdb_sql
+ }
 }
 }
From 9e3b680b0b73739dc8be9ce9089e2b11b518d7ea Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Wed, 22 May 2024 22:11:51 +1000
Subject: [PATCH 208/229] feat: add prepared query for puppetdbapi
- merge to develop
- add prepared query for puppetdbapi
---
 hieradata/roles/infra/storage/consul.yaml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/hieradata/roles/infra/storage/consul.yaml b/hieradata/roles/infra/storage/consul.yaml
index 036e177..07bf60a 100644
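Review bot: The rendered `/usr/local/bin/check_consul_postgresql` contains the database password (the template writes it as `PGPASSWORD=<%= @consul_test_db_pass %>`), yet the file resource is `mode => '0755'`, so every local account can read it, and because the content is a plain `template(...)` the secret also lands in catalog diffs and agent reports — `profiles::puppet::client::show_diff: true` is set in common.yaml elsewhere on this page. Wrapping the content as `content => Sensitive(template('profiles/puppetdb/check_consul_postgresql.erb')),`, adding `show_diff => false,`, and narrowing the owner/group to the account the consul agent runs checks as with `mode => '0750'` or tighter keeps the password out of reports and away from other users. The password is already wrapped in `Sensitive(...)` for `postgresql_password` a few lines above, so the same treatment here is consistent with the rest of the hunk.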
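Review bot: The check script invokes psql without `-w`, so if the password is rejected psql may prompt for one and hang until Consul's 1s timeout kills it, which reports a timeout rather than an authentication failure; adding `-w` (`--no-password`) makes that failure immediate and its cause visible. Connecting with `-h <%= @facts['networking']['ip'] %>` routes the check over the listen address rather than the local socket, which presumably requires a pg_hba entry for consul_test_user from that address — a one-line comment in the template stating that dependency would stop it being lost when the hba rules are next touched.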
--- a/hieradata/roles/infra/storage/consul.yaml
+++ b/hieradata/roles/infra/storage/consul.yaml
@@ -59,3 +59,9 @@ profiles::consul::prepared_query::rules:
 service_failover_n: 3
 service_only_passing: true
 ttl: 10
+ puppetdbapi:
+ ensure: 'present'
+ service_name: 'puppetdbapi'
+ service_failover_n: 3
+ service_only_passing: true
+ ttl: 10
From 770c8cc159ef877bdf5c442c5ab478e27975a442 Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Wed, 22 May 2024 22:18:32 +1000
Subject: [PATCH 209/229] feat: update hiera key for puppetdb api/sql
- changed to use puppetdbapi and puppetdbsql hiera keys
- updated all classes that referenced old values
---
 hieradata/common.yaml | 5 +++--
 site/profiles/manifests/puppet/puppetboard.pp | 2 +-
 site/profiles/manifests/puppet/puppetdb_api.pp | 2 +-
 site/profiles/manifests/puppet/puppetdb_sql.pp | 2 +-
 site/profiles/manifests/puppet/puppetmaster.pp | 2 +-
 5 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/hieradata/common.yaml b/hieradata/common.yaml
index b909823..89259fc 100644
--- a/hieradata/common.yaml
+++ b/hieradata/common.yaml
@@ -200,8 +200,9 @@ profiles::puppet::client::runtimeout: 3600
 profiles::puppet::client::show_diff: true
 profiles::puppet::client::usecacheonfailure: false
-profiles::puppet::puppetdb::puppetdb_host: prodinf01n04.main.unkin.net
-profiles::puppet::puppetdb::postgres_host: prodinf01n05.main.unkin.net
+# puppetdb
+puppetdbapi: prodinf01n04.main.unkin.net
+puppetdbsql: prodinf01n05.main.unkin.net
 prometheus::node_exporter::export_scrape_job: true
 prometheus::systemd_exporter::export_scrape_job: true
diff --git a/site/profiles/manifests/puppet/puppetboard.pp b/site/profiles/manifests/puppet/puppetboard.pp
index 6a2bbb9..4130e73 100644
--- a/site/profiles/manifests/puppet/puppetboard.pp
+++ b/site/profiles/manifests/puppet/puppetboard.pp
@@ -8,7 +8,7 @@ class profiles::puppet::puppetboard (
 Integer $reports_count = 40,
 Boolean $offline_mode = true,
 String $default_environment = '*',
- String $puppetdb_host = lookup('profiles::puppet::puppetdb::puppetdb_host'),
+ String $puppetdb_host = lookup('puppetdbapi'),
 Stdlib::AbsolutePath $basedir = '/opt/puppetboard',
 Stdlib::Absolutepath $virtualenv_dir = "${basedir}/venv",
 Stdlib::Absolutepath $settings_file = "${basedir}/settings.py",
diff --git a/site/profiles/manifests/puppet/puppetdb_api.pp b/site/profiles/manifests/puppet/puppetdb_api.pp
index e02db38..8c2177e 100644
--- a/site/profiles/manifests/puppet/puppetdb_api.pp
+++ b/site/profiles/manifests/puppet/puppetdb_api.pp
@@ -1,6 +1,6 @@
 # configure the puppetdb api service
 class profiles::puppet::puppetdb_api (
- String $postgres_host = lookup('profiles::puppet::puppetdb::postgres_host'),
+ String $postgres_host = lookup('puppetdbsql'),
 String $listen_address = $facts['networking']['ip'],
 Stdlib::Absolutepath $java_bin = '/usr/bin/java',
 Hash $java_args = {},
diff --git a/site/profiles/manifests/puppet/puppetdb_sql.pp b/site/profiles/manifests/puppet/puppetdb_sql.pp
index 5afa9a5..1765003 100644
--- a/site/profiles/manifests/puppet/puppetdb_sql.pp
+++ b/site/profiles/manifests/puppet/puppetdb_sql.pp
@@ -1,6 +1,6 @@
 # configure the puppetdb sql service
 class profiles::puppet::puppetdb_sql (
- String $puppetdb_host = lookup('profiles::puppet::puppetdb::puppetdb_host'),
+ String $puppetdb_host = lookup('puppetdbsql'),
 String $listen_address = $facts['networking']['ip'],
 ) {
diff --git a/site/profiles/manifests/puppet/puppetmaster.pp b/site/profiles/manifests/puppet/puppetmaster.pp
index 79ce387..6ce7ca5 100644
--- a/site/profiles/manifests/puppet/puppetmaster.pp
+++ b/site/profiles/manifests/puppet/puppetmaster.pp
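Review bot: The default for `$puppetdb_host` in profiles::puppet::puppetdb_sql now reads `lookup('puppetdbsql')`, but the common.yaml hunk of this same commit maps the old `profiles::puppet::puppetdb::puppetdb_host` value (prodinf01n04) to the new `puppetdbapi` key and prodinf01n05 to `puppetdbsql`, so the class now resolves to the SQL node itself rather than the API node it was pointed at before. Elsewhere on this page the same `$puppetdb_host` is passed to `puppetdb::database::postgresql` as `puppetdb_server`, which presumably names the host allowed to reach the database, so `String $puppetdb_host = lookup('puppetdbapi'),` looks like the intended mapping — worth confirming against how the module consumes it before the API node is locked out. The parameter list continues outside the hunk.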
@@ -3,7 +3,7 @@
 # This class manages the puppetmaster using the ghoneycutt-puppet module.
 # It manages the server settings in the puppet.conf file.
 class profiles::puppet::puppetmaster (
- Optional[Stdlib::Fqdn] $puppetdb_host = lookup('profiles::puppet::puppetdb::puppetdb_host', Optional[Stdlib::Fqdn], 'first', undef),
+ Optional[Stdlib::Fqdn] $puppetdb_host = lookup('puppetdbapi', Optional[Stdlib::Fqdn], 'first', undef),
 ) {
 if $facts['enc_role'] == 'roles::infra::puppet::master' {
From 25cbff46560a317a9d18be3cad6f3d19f23653a0 Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Wed, 22 May 2024 21:58:50 +1000
Subject: [PATCH 210/229] feat: set syd1 puppetdb hosts
- change syd1 puppetdb hosts to use consul serivce/query addresses
---
 hieradata/country/au/region/syd1.yaml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/hieradata/country/au/region/syd1.yaml b/hieradata/country/au/region/syd1.yaml
index 2a744b7..6298c19 100644
--- a/hieradata/country/au/region/syd1.yaml
+++ b/hieradata/country/au/region/syd1.yaml
@@ -1,2 +1,4 @@
 ---
 timezone::timezone: 'Australia/Sydney'
+puppetdbapi: puppetdbapi.query.consul
+puppetdbsql: puppetdbsql.service.au-syd1.consul
From 349547c4bcd3ffb71049633cb4b068b255f18332 Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Wed, 22 May 2024 22:51:54 +1000
Subject: [PATCH 211/229] feat: puppetboard on consul
- updated nginx param types
- add nginx aliases, merge with vhost, use as server_names
- add additional vault alt-names
- add prepared query for puppetboard
---
 .../region/syd1/infra/puppetboard/server.yaml | 5 ++++
 hieradata/roles/infra/puppetboard/server.yaml | 27 +++++++++++++++++++
 hieradata/roles/infra/storage/consul.yaml | 6 +++++
 site/profiles/manifests/puppet/puppetboard.pp | 9 ++++---
 4 files changed, 44 insertions(+), 3 deletions(-)
 create mode 100644 hieradata/country/au/region/syd1/infra/puppetboard/server.yaml
 create mode 100644 hieradata/roles/infra/puppetboard/server.yaml
diff --git a/hieradata/country/au/region/syd1/infra/puppetboard/server.yaml b/hieradata/country/au/region/syd1/infra/puppetboard/server.yaml
new file mode 100644
index 0000000..cbc7f43
--- /dev/null
+++ b/hieradata/country/au/region/syd1/infra/puppetboard/server.yaml
@@ -0,0 +1,5 @@
+---
+profiles::puppet::puppetboard::nginx_aliases:
+ - puppetboard.service.consul
+ - puppetboard.query.consul
+ - "%{facts.networking.fqdn}"
diff --git a/hieradata/roles/infra/puppetboard/server.yaml b/hieradata/roles/infra/puppetboard/server.yaml
new file mode 100644
index 0000000..d74c880
--- /dev/null
+++ b/hieradata/roles/infra/puppetboard/server.yaml
@@ -0,0 +1,27 @@
+---
+# additional altnames
+profiles::pki::vault::alt_names:
+ - puppetboard.main.unkin.net
+ - puppetboard.service.consul
+ - puppetboard.query.consul
+
+consul::services:
+ puppetboard:
+ service_name: 'puppetboard'
+ tags:
+ - 'puppet'
+ - 'puppetboard'
+ address: "%{facts.networking.ip}"
+ port: 80
+ checks:
+ - id: 'puppetboard_http_check'
+ name: 'Puppetboard HTTP Check'
+ http: "http://%{facts.networking.fqdn}:80"
+ method: 'GET'
+ tls_skip_verify: true
+ interval: '10s'
+ timeout: '1s'
+profiles::consul::client::node_rules:
+ - resource: service
+ segment: puppetboard
+ disposition: write
diff --git a/hieradata/roles/infra/storage/consul.yaml b/hieradata/roles/infra/storage/consul.yaml
index 07bf60a..ae60829 100644
--- a/hieradata/roles/infra/storage/consul.yaml
+++ b/hieradata/roles/infra/storage/consul.yaml
@@ -65,3 +65,9 @@ profiles::consul::prepared_query::rules:
 service_failover_n: 3
 service_only_passing: true
 ttl: 10
+ puppetboard:
+ ensure: 'present'
+ service_name: 'puppetboard'
+ service_failover_n: 3
+ service_only_passing: true
+ ttl: 10
diff --git a/site/profiles/manifests/puppet/puppetboard.pp b/site/profiles/manifests/puppet/puppetboard.pp
index 4130e73..08b49aa 100644
--- a/site/profiles/manifests/puppet/puppetboard.pp
+++ b/site/profiles/manifests/puppet/puppetboard.pp
@@ -18,8 +18,9 @@ class profiles::puppet::puppetboard ( String $gunicorn_bind_prefix = 'http://', Integer $gunicorn_workers = 1, Integer $gunicorn_threads = 4, - String $nginx_vhost = 'puppetboard.main.unkin.net', - Integer $nginx_port = 80, + Stdlib::Port $nginx_port = 80, + Stdlib::Host $nginx_vhost = 'puppetboard.main.unkin.net', + Array[Stdlib::Host] $nginx_aliases = [], #String[1] $secret_key = "${fqdn_rand_string(32)}", ) { @@ -98,10 +99,12 @@ class profiles::puppet::puppetboard ( # ensure the nginx service is managed class { 'nginx': } + $nginx_server_names = unique([$nginx_vhost] + $nginx_aliases) + # create the nginx vhost nginx::resource::server { $nginx_vhost: listen_port => $nginx_port, - server_name => [$nginx_vhost], + server_name => $nginx_server_names, proxy => "${gunicorn_bind_prefix}${gunicorn_bind}", proxy_set_header => [ 'Host $http_host', From 0901595de97b4409f2a83ca4bdda77fe225632ba Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Wed, 22 May 2024 23:05:34 +1000 Subject: [PATCH 212/229] feat: puppet::client multiple altnames - puppet clients can not request multiple dns alt_names - set puppetdbapi hosts to request multiple certificates --- hieradata/common.yaml | 5 +++++ hieradata/roles/infra/puppetdb/api.yaml | 5 +++++ site/profiles/manifests/puppet/client.pp | 5 ++++- site/profiles/templates/puppet/client/puppet.conf.erb | 2 +- 4 files changed, 15 insertions(+), 2 deletions(-) diff --git a/hieradata/common.yaml b/hieradata/common.yaml index 89259fc..66fddb6 100644 --- a/hieradata/common.yaml +++ b/hieradata/common.yaml @@ -93,6 +93,9 @@ lookup_options: profiles::puppet::server::dns_alt_names: merge: strategy: deep + profiles::puppet::client::dns_alt_names: + merge: + strategy: deep profiles::base::hosts::additional_hosts: merge: strategy: deep 
@@ -199,6 +202,8 @@ profiles::puppet::client::runinterval: 1800
 profiles::puppet::client::runtimeout: 3600
 profiles::puppet::client::show_diff: true
 profiles::puppet::client::usecacheonfailure: false
+profiles::puppet::client::dns_alt_names:
+ - "%{trusted.certname}"
 # puppetdb
 puppetdbapi: prodinf01n04.main.unkin.net
diff --git a/hieradata/roles/infra/puppetdb/api.yaml b/hieradata/roles/infra/puppetdb/api.yaml
index ae31065..784200a 100644
--- a/hieradata/roles/infra/puppetdb/api.yaml
+++ b/hieradata/roles/infra/puppetdb/api.yaml
@@ -4,6 +4,11 @@ profiles::puppet::puppetdb_api::java_args:
 '-Xmx': '2048m'
 '-Xms': '256m'
+profiles::puppet::client::dns_alt_names:
+ - puppetdbapi.main.unkin.net
+ - puppetdbapi.service.consul
+ - puppetdbapi.query.consul
+
 # additional altnames
 profiles::pki::vault::alt_names:
 - puppetdbapi.main.unkin.net
diff --git a/site/profiles/manifests/puppet/client.pp b/site/profiles/manifests/puppet/client.pp
index e0f1dd2..aa3444c 100644
--- a/site/profiles/manifests/puppet/client.pp
+++ b/site/profiles/manifests/puppet/client.pp
@@ -4,7 +4,7 @@
 #
 # site/profile/manifests/puppet/client.pp
 class profiles::puppet::client (
- String $dns_alt_names = $trusted['certname'],
+ Array $dns_alt_names = [$trusted['certname']],
 String $server = 'puppetmaster',
 String $ca_server = 'puppetca',
 String $environment = 'develop',
@@ -17,6 +17,9 @@ class profiles::puppet::client (
 # dont manage puppet.conf if this is a puppetmaster
 if $facts['enc_role'] != 'roles::infra::puppet::master' {
+
+ $dns_alt_names_string = join(sort($dns_alt_names), ',')
+
 # Assuming you want to manage puppet.conf with this profile
 file { '/etc/puppetlabs/puppet/puppet.conf':
 ensure => 'present',
diff --git a/site/profiles/templates/puppet/client/puppet.conf.erb b/site/profiles/templates/puppet/client/puppet.conf.erb
index e7a86c6..40874c6 100644
--- a/site/profiles/templates/puppet/client/puppet.conf.erb
+++ b/site/profiles/templates/puppet/client/puppet.conf.erb
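Review bot: `Array $dns_alt_names` in profiles::puppet::client accepts elements of any type, including empty strings that would then be joined straight into `dns_alt_names` in puppet.conf; `Array[String[1]] $dns_alt_names = [$trusted['certname']],` keeps the same default while rejecting malformed hiera data at compile time. Since these names become subject alternative names in the agent's CSR, the CA must be configured to accept alternate names (Puppet Server's `allow-subject-alt-names` setting) or the request is refused — that setting is outside this change, so a comment next to the parameter, `# extra SANs for the agent CSR; the CA must have allow-subject-alt-names enabled`, would spare the next person a debugging session. The class parameter list continues outside the hunk.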
@@ -1,5 +1,5 @@
 [main]
-dns_alt_names = <%= @dns_alt_names %>
+dns_alt_names = <%= @dns_alt_names_string %>
 [agent]
 server = <%= @server %>
From cbf3f0e6942dc04a387117179b9749b254f314af Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Fri, 24 May 2024 23:06:18 +1000
Subject: [PATCH 213/229] feat: change drw1 puppetdb -> syd1
---
 hieradata/common.yaml | 4 ++--
 hieradata/country/au/region/syd1.yaml | 2 --
 2 files changed, 2 insertions(+), 4 deletions(-)
diff --git a/hieradata/common.yaml b/hieradata/common.yaml
index 66fddb6..3cbabe2 100644
--- a/hieradata/common.yaml
+++ b/hieradata/common.yaml
@@ -206,8 +206,8 @@ profiles::puppet::client::dns_alt_names:
 - "%{trusted.certname}"
 # puppetdb
-puppetdbapi: prodinf01n04.main.unkin.net
-puppetdbsql: prodinf01n05.main.unkin.net
+puppetdbapi: puppetdbapi.query.consul
+puppetdbsql: puppetdbsql.service.au-syd1.consul
 prometheus::node_exporter::export_scrape_job: true
 prometheus::systemd_exporter::export_scrape_job: true
diff --git a/hieradata/country/au/region/syd1.yaml b/hieradata/country/au/region/syd1.yaml
index 6298c19..2a744b7 100644
--- a/hieradata/country/au/region/syd1.yaml
+++ b/hieradata/country/au/region/syd1.yaml
@@ -1,4 +1,2 @@
 ---
 timezone::timezone: 'Australia/Sydney'
-puppetdbapi: puppetdbapi.query.consul
-puppetdbsql: puppetdbsql.service.au-syd1.consul
From c883bc8c91ae5434cf57215b5de74b1a02d0f034 Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Fri, 24 May 2024 23:27:07 +1000
Subject: [PATCH 214/229] feat: added country-region altnames
- add puppetboard.service.au-{syd1|drw1}.consul to:
- vault pki cert
- nginx server aliases
---
 .../country/au/region/syd1/infra/puppetboard/server.yaml | 5 -----
 hieradata/roles/infra/puppetboard/server.yaml | 8 ++++++++
 2 files changed, 8 insertions(+), 5 deletions(-)
 delete mode 100644 hieradata/country/au/region/syd1/infra/puppetboard/server.yaml
diff --git a/hieradata/country/au/region/syd1/infra/puppetboard/server.yaml b/hieradata/country/au/region/syd1/infra/puppetboard/server.yaml deleted file mode 100644 index cbc7f43..0000000 --- a/hieradata/country/au/region/syd1/infra/puppetboard/server.yaml +++ /dev/null @@ -1,5 +0,0 @@ ---- -profiles::puppet::puppetboard::nginx_aliases: - - puppetboard.service.consul - - puppetboard.query.consul - - "%{facts.networking.fqdn}" diff --git a/hieradata/roles/infra/puppetboard/server.yaml b/hieradata/roles/infra/puppetboard/server.yaml index d74c880..d835603 100644 --- a/hieradata/roles/infra/puppetboard/server.yaml +++ b/hieradata/roles/infra/puppetboard/server.yaml @@ -1,9 +1,17 @@ --- +# additional servername aliases +profiles::puppet::puppetboard::nginx_aliases: + - puppetboard.service.consul + - puppetboard.query.consul + - "puppetboard.service.%{facts.country}-%{facts.region}.consul" + - "%{facts.networking.fqdn}" + # additional altnames profiles::pki::vault::alt_names: - puppetboard.main.unkin.net - puppetboard.service.consul - puppetboard.query.consul + - "puppetboard.service.%{facts.country}-%{facts.region}.consul" consul::services: puppetboard: From 0a49092f521976543ee6bac2769d0cac8eda51ad Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sat, 25 May 2024 14:18:56 +1000 Subject: [PATCH 215/229] chore: add syd1 vault ca/int certs - deploy syd1 vault ca certificates --- .../templates/pki/vaultcaroot.pem.erb | 50 ++++++++++++++++++- 1 file changed, 48 insertions(+), 2 deletions(-) diff --git a/site/profiles/templates/pki/vaultcaroot.pem.erb b/site/profiles/templates/pki/vaultcaroot.pem.erb index 0a32ae6..8a92884 100644 --- a/site/profiles/templates/pki/vaultcaroot.pem.erb +++ b/site/profiles/templates/pki/vaultcaroot.pem.erb 
@@ -1,4 +1,4 @@
-# unkin.net Intermediate Authority
+# unkin.net Intermediate Authority drw1
 -----BEGIN CERTIFICATE-----
 MIIDrDCCApSgAwIBAgIUAyjDayxDtmvXzttcT1jUg9KU08swDQYJKoZIhvcNAQEL
 BQAwFDESMBAGA1UEAxMJdW5raW4ubmV0MB4XDTI0MDIyNTExMDI0NloXDTI5MDIy
@@ -22,7 +22,31 @@ iUW3GFSva8F6VS49I9pejBFJUQeIILz5jeTEdzG643DnujjjNqw8ad3ivakBYD1G YxGhYmLfh5RmESCeAgBbLQgRa1vNz1YYWhjn4OP0KKs= -----END CERTIFICATE----- -# unkin.net +# unkin.net Intermediate Authority syd1 +-----BEGIN CERTIFICATE----- +MIIDujCCAqKgAwIBAgIULZAR/QcvAnxdi04S6bXhNeazozYwDQYJKoZIhvcNAQEL +BQAwFDESMBAGA1UEAxMJdW5raW4ubmV0MB4XDTI0MDQyNzExMzcyMloXDTI5MDQy +NjExMzc1MlowKzEpMCcGA1UEAxMgdW5raW4ubmV0IEludGVybWVkaWF0ZSBBdXRo +b3JpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDDq0ZU2DnuYW5s +E3lPjVe2Ns6cPu64yx1GLVqB5VbOUs71ThRjPjvEwE98YtGMza8ok0CQSqS2qX8z +vnMbnVCaWKjCnem/dtQtB+8WCu5uQuNHhwqxgw1tD/klAkVLWGgTPDEgasvjDMkc +sW8in/BhtrV9YA/lQGpge+j9/MFXhlnvaLCPybFifPRX9Yc5CcnhSzLSzFPO4PJx +VH4Qu9eByyKHMTvgcCy6p9qjjzz+8dtAlxeIsgfTEdvtfCPowsF+v2XooutTsJt0 +xUDvUDu4xV6tVCEOYRA2cZHkLRBhV289M0hocHrsGqMmA1+j0skwwt/6UkVHqlCT +mitItX+RAgMBAAGjgewwgekwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMB +Af8wHQYDVR0OBBYEFEp/+grAdVqRSeb9xJjSeZYNW32MMB8GA1UdIwQYMBaAFBqc +v6Y+hfHt4EjgKa/uoQGEHTknMEcGCCsGAQUFBwEBBDswOTA3BggrBgEFBQcwAoYr +aHR0cHM6Ly92YXVsdC5zZXJ2dWNlLmNvbnN1bC92MS9wa2lfcm9vdC9jYTA9BgNV +HR8ENjA0MDKgMKAuhixodHRwczovL3ZhdWx0LnNlcnZpY2UuY29uc3VsL3YxL3Br +aV9yb290L2NybDANBgkqhkiG9w0BAQsFAAOCAQEAM0FS8tscZe7yly/gM7jO6lx5 +muMFusifjUIrcQGnZBkoECeuUVPNTs3e/Th+XaxjCnmSpqSNT3z9Irr6Hhxf7n03 +4+hpF3G0bf1yh4DRex/0ua3szvgo91RwyKVQM1BHIA1PwdF8csO+LT4FTMILzo4U +DdSVvDEIaxYYQCDNfAD81n+8lmFbabupfsKbkSTR+sNTS+TMnLpN8YwSXdB0e+RU +eEZRNVu0jKmbE8U/66Sc33YLe6cxbCclHA+G4giGwEP+lYZk+rFjmr6ci9bj5yyN +Sznr7xdW0ofOdACAQFFy5KTZqCDjIrvk12vUn4bSsXmWVIQEd+jPx6wuxD/rSw== +-----END CERTIFICATE----- + +# unkin.net drw1 -----BEGIN CERTIFICATE----- MIIDLzCCAhegAwIBAgIUeXJ+O/IJWu4Fl4+KdZl5r166SokwDQYJKoZIhvcNAQEL BQAwFDESMBAGA1UEAxMJdW5raW4ubmV0MB4XDTI0MDIyNTExMDEwNVoXDTM0MDIy 
@@ -43,3 +67,25 @@ c9sb9NXMFTsFkuCrkF5iLmeDZgmgyJNXkzFEh3TPeL15jKBXSJOHsBe8j3E3VMWS YOL0pDU1XzfJedKGzX3LxvK6aUuBbtgaf/PW3IYX3KToolqfB30H2AO6Q/3LBl8M aN8H -----END CERTIFICATE----- + +# unkin.net syd1 +-----BEGIN CERTIFICATE----- +MIIDLzCCAhegAwIBAgIUIDADwsHIrQ8dfncpechBdIUCQdIwDQYJKoZIhvcNAQEL +BQAwFDESMBAGA1UEAxMJdW5raW4ubmV0MB4XDTI0MDQyNzExMjcwMloXDTM0MDQy +NTExMjczMlowFDESMBAGA1UEAxMJdW5raW4ubmV0MIIBIjANBgkqhkiG9w0BAQEF +AAOCAQ8AMIIBCgKCAQEA3ENPv7R7gCUJAg8Q4hB2LEZSdvbK155YbcrguLDDnu6m +2fkJn8jYMMW3Z6/+Y04ouGwi6sKup8ggTb217sY+dC4IUZjotDPAhruxfXVQAh0v +Yr3RYoxVDrm4nRSFLo1RA4Qt+1KK299mHGQf9iAiwbsFp5mDrJT9uz15FE2uWmbK +8/onMyJC4fnkMihVN6NIgTtjpHYNm5aAJwxoWldTopgF0ucb7X3XVPNbKAmd3Avd +lsOo6m751zSZ0HvJOxgRSy7lvPzMuUfCQsOcmI4O4+Z2FL4Y7p+T9DvWkciC7L3i +tBiK30fPfGKNpWaof1ONCcPQNjMwWcEFXqSiWUOXkwIDAQABo3kwdzAOBgNVHQ8B +Af8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUGpy/pj6F8e3gSOAp +r+6hAYQdOScwHwYDVR0jBBgwFoAUGpy/pj6F8e3gSOApr+6hAYQdOScwFAYDVR0R +BA0wC4IJdW5raW4ubmV0MA0GCSqGSIb3DQEBCwUAA4IBAQA5xocILzuvD+R2Iub1 +UnTdcVpgNcxJmESz0eX4UrkcBmddtuFINXvDTv5//XTFs78LsVVSf00xZ+2C62Xe +xRdCdluHN8VDCAKulP4XJY1BiZ7im0v+iMgPDKhq4OXb86WFYI/8J6uRm7oIAwj1 +zhhKxMimkzli+yHB8ipL15W7l68CMUgmOjFA+EG6sbfadFpQTX/h6TVj3FQPkU/p +UJEm2XjlGNAKGJrNRU47PM4vRDv5Joyowp9zv/pHFXvUJladaJupMKRJQVWQz1US +EXE67rawG79s3vm8dDolnbli/IhPHtjDRIprxAwrMs5tt9cY0xsRkFBZVcAOjrpb +4gqd +-----END CERTIFICATE----- From 2c3aa2bbdc5207aa4df03c7ffe8829d1d4d4ecf3 Mon Sep 17 00:00:00 2001 
From: Ben Vincent Date: Sat, 25 May 2024 14:34:56 +1000 Subject: [PATCH 216/229] feat: vault certmanager tokens - move vault certmanager tokens to drw1/syd1 specific eyaml - add syd1 certmanger token for syd1 vault --- hieradata/country/au/region/drw1/infra/puppet/master.eyaml | 3 +++ hieradata/country/au/region/syd1/infra/puppet/master.eyaml | 3 +++ hieradata/roles/infra/puppet/master.eyaml | 2 -- 3 files changed, 6 insertions(+), 2 deletions(-) create mode 100644 hieradata/country/au/region/drw1/infra/puppet/master.eyaml create mode 100644 hieradata/country/au/region/syd1/infra/puppet/master.eyaml diff --git a/hieradata/country/au/region/drw1/infra/puppet/master.eyaml b/hieradata/country/au/region/drw1/infra/puppet/master.eyaml new file mode 100644 index 0000000..46f1d03 --- /dev/null +++ b/hieradata/country/au/region/drw1/infra/puppet/master.eyaml @@ -0,0 +1,3 @@ +--- +certmanager::vault_token: ENC[PKCS7,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] +certmanager::role_id: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAQC5vU3lOdQOOqw/m42V9JK72TVoR7eGA6wNXz1VQeI5pIcOrDzXjWcfrtY1xbMI9EfvDEeJ5lpiSfSbvejLHJPkIi2efrkUMpB2lhxvxm8xxQVVU6UVEqHFAEIQynSDuq2I3UCPCD3KweGnAa73GuytugzswVvNSdXuBzLuMgt36ufNctmMLsqgY2YVAkUPfmud+a18L//ut6Z85TCcv74am9XBb4+Yd7g3QHLxvbtoNzlAStk9fUcbCurmsEGjuccV4VHe9C4Nxloai0wNXAu2XMRjsZWD77Swc5dDVhtXXs7MPO8DntTHpYIb3Q3UJLSVf2NyPwQQ5VQiGrs0Z5DBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBuj+gOJRwlvgUBPHO7SOJegDC8dKDpyooSYlgoe07UYir5xSRxPynnR9c83s20F+H7K8ng4G5PALRJRQNNsf82EGQ=] diff --git a/hieradata/country/au/region/syd1/infra/puppet/master.eyaml b/hieradata/country/au/region/syd1/infra/puppet/master.eyaml new file mode 100644 index 0000000..a6c1883 --- /dev/null +++ b/hieradata/country/au/region/syd1/infra/puppet/master.eyaml 
@@ -0,0 +1,3 @@ +--- +certmanager::vault_token: ENC[PKCS7,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] +certmanager::role_id: ENC[PKCS7,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] diff --git a/hieradata/roles/infra/puppet/master.eyaml b/hieradata/roles/infra/puppet/master.eyaml index 8f8fdd4..07427fe 100644 --- a/hieradata/roles/infra/puppet/master.eyaml +++ b/hieradata/roles/infra/puppet/master.eyaml @@ -1,5 +1,3 @@ --- -certmanager::vault_token: ENC[PKCS7,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] -certmanager::role_id: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAQC5vU3lOdQOOqw/m42V9JK72TVoR7eGA6wNXz1VQeI5pIcOrDzXjWcfrtY1xbMI9EfvDEeJ5lpiSfSbvejLHJPkIi2efrkUMpB2lhxvxm8xxQVVU6UVEqHFAEIQynSDuq2I3UCPCD3KweGnAa73GuytugzswVvNSdXuBzLuMgt36ufNctmMLsqgY2YVAkUPfmud+a18L//ut6Z85TCcv74am9XBb4+Yd7g3QHLxvbtoNzlAStk9fUcbCurmsEGjuccV4VHe9C4Nxloai0wNXAu2XMRjsZWD77Swc5dDVhtXXs7MPO8DntTHpYIb3Q3UJLSVf2NyPwQQ5VQiGrs0Z5DBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBuj+gOJRwlvgUBPHO7SOJegDC8dKDpyooSYlgoe07UYir5xSRxPynnR9c83s20F+H7K8ng4G5PALRJRQNNsf82EGQ=] profiles::puppet::eyaml::publickey: ENC[PKCS7,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] profiles::puppet::eyaml::privatekey: ENC[PKCS7,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] From b9c327799f7b247a1406740bfb9cf2304887ee49 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sat, 25 May 2024 14:37:13 +1000 Subject: [PATCH 217/229] feat: add vault service/query altnames - add nginx aliases for vault services - add additional vault certificates - change certmanager script to use vault.service.consul --- hieradata/common.yaml | 3 +++ .../country/au/region/drw1/infra/storage/vault.yaml | 7 +++++++ .../country/au/region/syd1/infra/storage/vault.yaml | 9 +++++++++ hieradata/roles/infra/puppet/master.yaml | 2 +- hieradata/roles/infra/storage/vault.yaml | 3 ++- 5 files changed, 22 insertions(+), 2 deletions(-) 
diff --git a/hieradata/common.yaml b/hieradata/common.yaml index 66fddb6..54d0318 100644 --- a/hieradata/common.yaml +++ b/hieradata/common.yaml @@ -105,6 +105,9 @@ lookup_options: profiles::yum::global::repos: merge: strategy: deep + profiles::nginx::simpleproxy::nginx_aliases: + merge: + strategy: deep facts_path: '/opt/puppetlabs/facter/facts.d' diff --git a/hieradata/country/au/region/drw1/infra/storage/vault.yaml b/hieradata/country/au/region/drw1/infra/storage/vault.yaml index 2d3ed4e..3994ded 100644 --- a/hieradata/country/au/region/drw1/infra/storage/vault.yaml +++ b/hieradata/country/au/region/drw1/infra/storage/vault.yaml @@ -1,2 +1,9 @@ --- +# additional altnames +profiles::pki::vault::alt_names: + - vault.service.au-drw1.consul + +profiles::nginx::simpleproxy::nginx_aliases: + - vault.service.au-drw1.consul + profiles::vault::server::primary_datacenter: 'au-drw1' diff --git a/hieradata/country/au/region/syd1/infra/storage/vault.yaml b/hieradata/country/au/region/syd1/infra/storage/vault.yaml index d66aeea..cd463f7 100644 --- a/hieradata/country/au/region/syd1/infra/storage/vault.yaml +++ b/hieradata/country/au/region/syd1/infra/storage/vault.yaml @@ -1,4 +1,13 @@ --- +# additional altnames +profiles::pki::vault::alt_names: + - vault.service.au-syd1.consul + - vault.query.consul + +profiles::nginx::simpleproxy::nginx_aliases: + - vault.service.au-syd1.consul + - vault.query.consul + profiles::vault::server::primary_datacenter: 'au-syd1' consul::services: vault: diff --git a/hieradata/roles/infra/puppet/master.yaml b/hieradata/roles/infra/puppet/master.yaml index 07ae874..f00b558 100644 --- a/hieradata/roles/infra/puppet/master.yaml +++ b/hieradata/roles/infra/puppet/master.yaml @@ -30,7 +30,7 @@ profiles::puppet::gems::puppet: - 'hiera-eyaml' profiles::helpers::certmanager::vault_config: - addr: 'https://198.18.17.39:8200' + addr: 'https://vault.service.consul:8200' mount_point: 'pki_int' approle_path: 'approle' role_name: 'servers_default' 
diff --git a/hieradata/roles/infra/storage/vault.yaml b/hieradata/roles/infra/storage/vault.yaml index 1209319..7d5cc42 100644 --- a/hieradata/roles/infra/storage/vault.yaml +++ b/hieradata/roles/infra/storage/vault.yaml @@ -10,13 +10,14 @@ vault::download_url: http://repos.main.unkin.net/unkin/8/x86_64/os/Archives/vaul profiles::pki::vault::alt_names: - vault.main.unkin.net - vault.service.consul + - vault.service.consul - vault # manage a simple nginx reverse proxy profiles::nginx::simpleproxy::nginx_vhost: 'vault.service.consul' profiles::nginx::simpleproxy::nginx_aliases: - - vault - vault.main.unkin.net + - vault profiles::nginx::simpleproxy::proxy_scheme: 'http' profiles::nginx::simpleproxy::proxy_host: '127.0.0.1' profiles::nginx::simpleproxy::proxy_port: 8200 From 7c0bf4a398354fbaae434c91039a7eb80bf11642 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sun, 26 May 2024 01:06:48 +1000 Subject: [PATCH 218/229] feat: vault use vault - change vault to use vault ephemeral certificates - remove nginx frontend to vault --- .../au/region/syd1/infra/storage/vault.yaml | 4 ++-- site/profiles/manifests/vault/server.pp | 14 +++++--------- 2 files changed, 7 insertions(+), 11 deletions(-) diff --git a/hieradata/country/au/region/syd1/infra/storage/vault.yaml b/hieradata/country/au/region/syd1/infra/storage/vault.yaml index d66aeea..fad5da4 100644 --- a/hieradata/country/au/region/syd1/infra/storage/vault.yaml +++ b/hieradata/country/au/region/syd1/infra/storage/vault.yaml @@ -7,11 +7,11 @@ consul::services: - 'https' - 'secure' address: "%{facts.networking.ip}" - port: 443 + port: 8200 checks: - id: 'vault_https_check' name: 'Vault HTTPS Check' - http: "https://%{facts.networking.fqdn}:443/v1/sys/health" + http: "https://%{facts.networking.fqdn}:8200/v1/sys/health" method: 'GET' tls_skip_verify: true interval: '10s' diff --git a/site/profiles/manifests/vault/server.pp b/site/profiles/manifests/vault/server.pp index 6aeaf6a..d07e8ba 100644 
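Review bot: The added `- vault.service.consul` under `profiles::pki::vault::alt_names` duplicates the context line immediately above it, so the SAN list now carries the same name twice. Given that the syd1 region file in this same patch adds `vault.query.consul`, the intended entry here was probably `- vault.query.consul`, or the line should simply be dropped since the region files now supply their own aliases (note that the `lookup_options` hunk adds a deep-merge strategy for `nginx_aliases` only, not for `alt_names`, so region and role lists may not be merged the way the aliases are). Whether a duplicate SAN is tolerated or de-duplicated depends on the profile that requests the certificate, which is not visible here.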
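Review bot: With the health check now pointed straight at Vault's listener on 8200, which this patch series presumably moves onto the Vault-issued certificate trusted via `/etc/pki/tls/certs/ca-bundle.crt`, the `tls_skip_verify: true` context line under the changed URL is no longer a necessity and reduces the check to "something answers TLS on 8200". Consider removing it; if `%{facts.networking.fqdn}` is not in the certificate's SANs, keep verification and set the expected name instead, e.g. `tls_server_name: vault.service.consul` (subject to the Consul version's check options). The enclosing `consul::services` hash starts outside the hunk.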
--- a/site/profiles/manifests/vault/server.pp +++ b/site/profiles/manifests/vault/server.pp @@ -18,9 +18,6 @@ class profiles::vault::server ( Stdlib::Absolutepath $bin_dir = '/usr/bin', ){ - # use puppet certs as base - include profiles::pki::puppetcerts - # set a datacentre/cluster name $vault_cluster = "${::facts['country']}-${::facts['region']}" @@ -48,9 +45,9 @@ class profiles::vault::server ( $server_urls = $servers_array.map |$fqdn| { { leader_api_addr => "${http_scheme}://${fqdn}:${client_port}", - leader_client_cert_file => "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.crt", - leader_client_key_file => "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.key", - leader_ca_cert_file => '/etc/pki/tls/puppet/ca.pem', + leader_client_cert_file => '/etc/pki/tls/vault/certificate.crt', + leader_client_key_file => '/etc/pki/tls/vault/private.key', + leader_ca_cert_file => '/etc/pki/tls/certs/ca-bundle.crt', } } @@ -82,8 +79,8 @@ class profiles::vault::server ( address => "${::facts['networking']['ip']}:${client_port}", cluster_address => "${::facts['networking']['ip']}:${cluster_port}", tls_disable => $tls_disable, - tls_cert_file => "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.crt", - tls_key_file => "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.key", + tls_cert_file => '/etc/pki/tls/vault/certificate.crt', + tls_key_file => '/etc/pki/tls/vault/private.key', } } ] @@ -91,6 +88,5 @@ class profiles::vault::server ( # include classes to manage vault include profiles::vault::unseal - include profiles::nginx::simpleproxy } } From b00781b6040d16c4bfaad0d5a83231818660a9e2 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sun, 26 May 2024 01:22:53 +1000 Subject: [PATCH 219/229] feat: change vault url to vaul.query.consul - support access to vault from multiple datacentres for certmanager --- hieradata/roles/infra/puppet/master.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
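Review bot: `leader_ca_cert_file => '/etc/pki/tls/certs/ca-bundle.crt'` replaces the Puppet CA with the entire system trust store for verifying raft leader connections, so a certificate for the leader's hostname issued by any public CA in that bundle would now be accepted, whereas the old `/etc/pki/tls/puppet/ca.pem` pinned a single private CA. Point it at just the issuing chain of `/etc/pki/tls/vault/certificate.crt` — e.g. `leader_ca_cert_file => '/etc/pki/tls/vault/ca.crt'` if the certmanager helper writes one next to the key (not visible here). The hunks also drop `include profiles::pki::puppetcerts` without adding any ordering relationship on whatever now produces `/etc/pki/tls/vault/private.key`, so on a fresh node the listener config can reference files that do not exist yet; add a comment naming that producer and a `require` on it. The class `profiles::vault::server` begins and ends outside these hunks.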
diff --git a/hieradata/roles/infra/puppet/master.yaml b/hieradata/roles/infra/puppet/master.yaml index f00b558..199ab00 100644 --- a/hieradata/roles/infra/puppet/master.yaml +++ b/hieradata/roles/infra/puppet/master.yaml @@ -30,7 +30,7 @@ profiles::puppet::gems::puppet: - 'hiera-eyaml' profiles::helpers::certmanager::vault_config: - addr: 'https://vault.service.consul:8200' + addr: 'https://vault.query.consul:8200' mount_point: 'pki_int' approle_path: 'approle' role_name: 'servers_default' From d2d08bc479417382fdb34c1601648565654bf356 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sun, 26 May 2024 01:27:45 +1000 Subject: [PATCH 220/229] fix: change drw1 puppetmasters to use syd1 approle - changing vault url to vault.query.consul forced puppetmasters in drw1 to connect to syd1 vault hosts - set drw1 puppetmasters to use syd1 approle_id --- hieradata/country/au/region/drw1/infra/puppet/master.eyaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hieradata/country/au/region/drw1/infra/puppet/master.eyaml b/hieradata/country/au/region/drw1/infra/puppet/master.eyaml index 46f1d03..1dea3a5 100644 --- a/hieradata/country/au/region/drw1/infra/puppet/master.eyaml +++ b/hieradata/country/au/region/drw1/infra/puppet/master.eyaml @@ -1,3 +1,3 @@ --- certmanager::vault_token: ENC[PKCS7,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] -certmanager::role_id: ENC[PKCS7,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] +certmanager::role_id: ENC[PKCS7,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] From df371a6b0963e9f0382891fbb0373e03a7d7c522 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Tue, 28 May 2024 20:13:08 +1000 Subject: [PATCH 221/229] feat: syd1 puppetca provisioning - move puppetca to ausyd1nxvm1036 --- hieradata/nodes/ausyd1nxvm1036.main.unkin.net.yaml | 9 +++++++++ 1 file changed, 9 insertions(+) create mode 100644 hieradata/nodes/ausyd1nxvm1036.main.unkin.net.yaml 
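Review bot: `https://vault.query.consul:8200` is only covered by a SAN in the syd1 region hieradata (patch 217 adds `vault.query.consul` to `profiles::pki::vault::alt_names` for syd1, not drw1), so if the prepared query ever resolves to a drw1 Vault node the certmanager helper's TLS verification fails on hostname mismatch. Either add `- vault.query.consul` to `hieradata/country/au/region/drw1/infra/storage/vault.yaml` as well, or record in a comment next to `addr` that the query is intentionally syd1-only. Whether the `vault` prepared query has failover configured is not visible in this chunk.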
diff --git a/hieradata/nodes/ausyd1nxvm1036.main.unkin.net.yaml b/hieradata/nodes/ausyd1nxvm1036.main.unkin.net.yaml new file mode 100644 index 0000000..a909eb0 --- /dev/null +++ b/hieradata/nodes/ausyd1nxvm1036.main.unkin.net.yaml @@ -0,0 +1,9 @@ +--- +profiles::puppet::server::dns_alt_names: + - puppetca.main.unkin.net + - puppetca.service.consul + - puppetca.query.consul + - puppetca + +profiles::puppet::puppetca::is_puppetca: true +profiles::puppet::puppetca::allow_subject_alt_names: true From 263d41fe9ecfe65c48c1f0d3ab5ea40212698fb4 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Tue, 28 May 2024 21:06:04 +1000 Subject: [PATCH 222/229] chore: remove prodinf01n01 as puppetca --- hieradata/nodes/prodinf01n01.main.unkin.net.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hieradata/nodes/prodinf01n01.main.unkin.net.yaml b/hieradata/nodes/prodinf01n01.main.unkin.net.yaml index a909eb0..e6e8fc8 100644 --- a/hieradata/nodes/prodinf01n01.main.unkin.net.yaml +++ b/hieradata/nodes/prodinf01n01.main.unkin.net.yaml @@ -5,5 +5,5 @@ profiles::puppet::server::dns_alt_names: - puppetca.query.consul - puppetca -profiles::puppet::puppetca::is_puppetca: true +profiles::puppet::puppetca::is_puppetca: false profiles::puppet::puppetca::allow_subject_alt_names: true From ffd574e8f084f16549edfe5cc77d8ce2ad979dab Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Tue, 28 May 2024 21:12:38 +1000 Subject: [PATCH 223/229] feat: add gitea modules - add gitea module - add dependency extlib --- Puppetfile | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Puppetfile b/Puppetfile index 5c887fc..ca66b10 100644 --- a/Puppetfile +++ b/Puppetfile @@ -34,6 +34,7 @@ mod 'puppet-consul', '8.0.0' mod 'puppet-vault', '4.1.0' mod 'puppet-dhcp', '6.1.0' mod 'puppet-keepalived', '3.6.0' +mod 'puppet-extlib', '7.0.0' # other mod 'ghoneycutt-puppet', '3.3.0' 
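Review bot: `profiles::puppet::puppetca::allow_subject_alt_names: true` on the new CA node lets any agent whose CSR gets signed — including autosigned ones — request arbitrary DNS SANs, so a rogue or compromised host could obtain a Puppet-CA-signed certificate for names such as `vault.service.consul` or `puppetca.main.unkin.net` that other services may still trust; this assumes the key maps to puppetserver's `allow-subject-alt-names` setting. As far as I recall the CA server's own `dns_alt_names` are baked in at `puppetserver ca setup` time, so the flag is only needed if other agents also submit SANs — if none do, set it to `false`, otherwise add a comment naming which nodes rely on it and make sure those are signed explicitly rather than by wildcard policy. Note also that `is_puppetca: true` here lands one commit before `prodinf01n01` is switched off, so two nodes claim the CA role for that commit range.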
@@ -44,6 +45,7 @@ mod 'markt-galera', '3.1.0' mod 'kogitoapp-minio', '1.1.4' mod 'broadinstitute-certs', '3.0.1' mod 'stm-file_capability', '6.0.0' +mod 'h0tw1r3-gitea', '3.2.0' mod 'bind', :git => 'https://git.unkin.net/unkinben/puppet-bind.git', From fab4ea599822830927ea93c3384dab4eacd1d419 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Tue, 28 May 2024 22:06:26 +1000 Subject: [PATCH 224/229] feat: add gitea classes - add basic gitea class --- hieradata/roles/infra/git/gitea.eyaml | 3 ++ hieradata/roles/infra/git/gitea.yaml | 38 ++++++++++++++++ hieradata/roles/infra/storage/consul.yaml | 6 +++ site/profiles/manifests/gitea/init.pp | 55 +++++++++++++++++++++++ site/roles/manifests/infra/git/gitea.pp | 14 ++++++ 5 files changed, 116 insertions(+) create mode 100644 hieradata/roles/infra/git/gitea.eyaml create mode 100644 hieradata/roles/infra/git/gitea.yaml create mode 100644 site/profiles/manifests/gitea/init.pp create mode 100644 site/roles/manifests/infra/git/gitea.pp diff --git a/hieradata/roles/infra/git/gitea.eyaml b/hieradata/roles/infra/git/gitea.eyaml new file mode 100644 index 0000000..fa29e19 --- /dev/null +++ b/hieradata/roles/infra/git/gitea.eyaml @@ -0,0 +1,3 @@ +--- +profiles::gitea::init::mysql_pass: ENC[PKCS7,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] +profiles::gitea::init::lfs_jwt_secret: ENC[PKCS7,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] diff --git a/hieradata/roles/infra/git/gitea.yaml b/hieradata/roles/infra/git/gitea.yaml new file mode 100644 index 0000000..a915908 --- /dev/null +++ b/hieradata/roles/infra/git/gitea.yaml 
@@ -0,0 +1,38 @@ +--- +# additional altnames +profiles::pki::vault::alt_names: + - git.main.unkin.net + - git.service.consul + - git.query.consul + - "git.service.%{facts.country}-%{facts.region}.consul" + +consul::services: + git: + service_name: 'git' + tags: + - 'git' + - 'gitea' + address: "%{facts.networking.ip}" + port: 443 + checks: + - id: 'gitea_https_check' + name: 'Gitea HTTPS Check' + http: "https://%{facts.networking.fqdn}:443" + method: 'GET' + tls_skip_verify: true + interval: '10s' + timeout: '1s' +profiles::consul::client::node_rules: + - resource: service + segment: git + disposition: write + +# manage a simple nginx reverse proxy +profiles::nginx::simpleproxy::nginx_vhost: 'git.query.consul' +profiles::nginx::simpleproxy::nginx_aliases: + - git.main.unkin.net + - git.service.consul + - git.query.consul + - "git.service.%{facts.country}-%{facts.region}.consul" +profiles::nginx::simpleproxy::proxy_port: 3000 +profiles::nginx::simpleproxy::proxy_path: '/' diff --git a/hieradata/roles/infra/storage/consul.yaml b/hieradata/roles/infra/storage/consul.yaml index ae60829..a3ea581 100644 --- a/hieradata/roles/infra/storage/consul.yaml +++ b/hieradata/roles/infra/storage/consul.yaml @@ -71,3 +71,9 @@ profiles::consul::prepared_query::rules: service_failover_n: 3 service_only_passing: true ttl: 10 + git: + ensure: 'present' + service_name: 'git' + service_failover_n: 3 + service_only_passing: true + ttl: 10 diff --git a/site/profiles/manifests/gitea/init.pp b/site/profiles/manifests/gitea/init.pp new file mode 100644 index 0000000..90e9e47 --- /dev/null +++ b/site/profiles/manifests/gitea/init.pp 
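Review bot: The new `gitea_https_check` sets `tls_skip_verify: true`, so it only proves that something answers TLS on 443, not that it is the Gitea vhost presenting the Vault-issued certificate whose SANs are listed at the top of this file. Since `%{facts.networking.fqdn}` is not among those `alt_names` (it may be the certificate CN, which is not visible here), keep verification and set the expected name instead, e.g. replace `tls_skip_verify: true` with `tls_server_name: git.service.consul` (subject to the Consul version's check options). Also, `proxy_port: 3000` without a `proxy_host` relies on the simpleproxy profile's default backend; an explicit `profiles::nginx::simpleproxy::proxy_host: '127.0.0.1'` would make it clear the upstream is local.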
@@ -0,0 +1,55 @@ +# profiles::gitea::init +class profiles::gitea::init ( + String $mysql_pass = '', + String $lfs_jwt_secret = '', +) { + + include profiles::nginx::simpleproxy + + class { 'gitea': + ensure => '1.22.0', + checksum => 'a31086f073cb9592d28611394b2de3655db515d961e4fdcf5b549cb40753ef3d', + custom_configuration => { + '' => { + 'APP_NAME' => 'Gitea', + 'RUN_USER' => 'git', + 'RUN_MODE' => 'prod', + }, + 'repository' => { + 'ROOT' => '/data/gitea/repos', + 'FORCE_PRIVATE' => false, + 'MAX_CREATION_LIMIT' => -1, + 'DISABLE_HTTP_GIT' => false, + 'DEFAULT_BRANCH' => 'main', + 'DEFAULT_PRIVATE' => 'last', + }, + 'ui' => { + 'SHOW_USER_EMAIL' => false, + }, + 'server' => { + 'PROTOCOL' => 'http', + 'DOMAIN' => 'git.query.consul', + 'ROOT_URL' => 'https://git.query.consul', + 'HTTP_ADDR' => '0.0.0.0', + 'HTTP_PORT' => 3000, + 'START_SSH_SERVER' => false, + 'SSH_DOMAIN' => 'git.query.consul', + 'SSH_PORT' => 2222, + 'SSH_LISTEN_HOST' => '0.0.0.0', + 'OFFLINE_MODE' => true, + 'APP_DATA_PATH' => '/var/lib/gitea/data', + 'SSH_LISTEN_PORT' => 22, + }, + 'database' => { + 'DB_TYPE' => 'mysql', + 'HOST' => 'mariadb-prod.service.au-syd1.consul:3306', + 'NAME' => 'gitea', + 'USER' => 'gitea', + 'PASSWD' => Sensitive($mysql_pass), + 'SSL_MODE' => 'disable', + 'PATH' => '/var/lib/gitea/data/gitea.db', + 'LOG_SQL' => false, + }, + } + } +} diff --git a/site/roles/manifests/infra/git/gitea.pp b/site/roles/manifests/infra/git/gitea.pp new file mode 100644 index 0000000..a11e842 --- /dev/null +++ b/site/roles/manifests/infra/git/gitea.pp @@ -0,0 +1,14 @@ +# a role to deploy the puppetboard +class roles::infra::git::gitea { + if $facts['firstrun'] { + include profiles::defaults + include profiles::firstrun::init + }else{ + include profiles::defaults + include profiles::base + include profiles::base::datavol + if $facts['enc_role'] == 'roles::infra::git::gitea' { + include profiles::gitea::init + } + } +} From f029b0442754d8492e4ab8c8b0a90f0ed38463fa Mon Sep 17 00:00:00 2001 
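Review bot: `$lfs_jwt_secret` is accepted as a parameter (and supplied from `gitea.eyaml`) but never used in `custom_configuration`, so Gitea never receives it; add `'LFS_JWT_SECRET' => Sensitive($lfs_jwt_secret),` under `'server'` if LFS is intended, otherwise drop the parameter and the hiera key. Two other settings weaken the deployment: `'SSL_MODE' => 'disable'` sends the MariaDB password and all repository data in cleartext to `mariadb-prod.service.au-syd1.consul:3306`, and `'HTTP_ADDR' => '0.0.0.0'` exposes port 3000 directly, bypassing the nginx TLS front end — `'HTTP_ADDR' => '127.0.0.1'` and a TLS-enabling `SSL_MODE` value (confirm the accepted MariaDB values in the Gitea config reference) are the usual fixes. The secrets are also typed as plain `String` with `''` defaults; `Sensitive[String]` without a silent empty default keeps them out of catalog logs and makes a missing eyaml value fail loudly. Whether the `gitea` module unwraps `Sensitive` values inside `custom_configuration` is not visible here and should be confirmed.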
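Review bot: The header comment `# a role to deploy the puppetboard` is copied from another role and describes the wrong service; change it to `# a role to deploy a gitea git server behind the nginx TLS proxy`. The `enc_role` guard around `include profiles::gitea::init` means a node with this role but a different ENC role gets only the base profiles, which deserves a one-line comment since the reason for the guard is not obvious from the code.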
From: Ben Vincent Date: Tue, 28 May 2024 23:49:44 +1000 Subject: [PATCH 225/229] feat: update git sources - update r10k source - update enc source - update source for puppet-bind module --- Puppetfile | 2 +- hieradata/roles/infra/puppet/master.yaml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Puppetfile b/Puppetfile index ca66b10..f29fb47 100644 --- a/Puppetfile +++ b/Puppetfile @@ -48,5 +48,5 @@ mod 'stm-file_capability', '6.0.0' mod 'h0tw1r3-gitea', '3.2.0' mod 'bind', - :git => 'https://git.unkin.net/unkinben/puppet-bind.git', + :git => 'https://git.service.au-syd1.consul/unkinben/puppet-bind.git', :tag => '1.0' diff --git a/hieradata/roles/infra/puppet/master.yaml b/hieradata/roles/infra/puppet/master.yaml index 199ab00..4af2c1c 100644 --- a/hieradata/roles/infra/puppet/master.yaml +++ b/hieradata/roles/infra/puppet/master.yaml @@ -18,8 +18,8 @@ profiles::puppet::cobbler_enc::version: 'system' profiles::puppet::cobbler_enc::packages: - 'requests' - 'PyYAML' -profiles::puppet::enc::repo: https://git.unkin.net/unkinben/puppet-enc.git -profiles::puppet::r10k::r10k_repo: https://git.unkin.net/unkinben/puppet-r10k.git +profiles::puppet::enc::repo: https://git.service.au-syd1.consul/unkinben/puppet-enc.git +profiles::puppet::r10k::r10k_repo: https://git.service.au-syd1.consul/unkinben/puppet-r10k.git profiles::puppet::g10k::bin_path: '/opt/puppetlabs/bin/g10k' profiles::puppet::g10k::cfg_path: '/etc/puppetlabs/r10k/r10k.yaml' profiles::puppet::g10k::environments_path: '/etc/puppetlabs/code/environments' From 91e3f2d42730f860f8c1f824f6d92ba0809d9997 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sat, 1 Jun 2024 12:04:57 +1000 Subject: [PATCH 226/229] chore: change node_lookup to use consul - remove https, use http backend as no authentication is required --- site/profiles/templates/helpers/node_lookup.erb | 12 ++---------- 1 file changed, 2 insertions(+), 10 deletions(-) 
diff --git a/site/profiles/templates/helpers/node_lookup.erb b/site/profiles/templates/helpers/node_lookup.erb index 248f3e7..7157f76 100644 --- a/site/profiles/templates/helpers/node_lookup.erb +++ b/site/profiles/templates/helpers/node_lookup.erb @@ -24,16 +24,8 @@ def build_query(node=None, fact_name=None, match=None, show_role=False): return json.dumps(["and"] + query_filters) def query_puppetdb(query): - # Determine the correct SSL certificate path based on the OS - if os.path.exists('/etc/ssl/certs/ca-certificates.crt'): # Debian/Ubuntu - cert_path = '/etc/ssl/certs/ca-certificates.crt' - elif os.path.exists('/etc/pki/tls/cert.pem'): # RHEL/CentOS - cert_path = '/etc/pki/tls/cert.pem' - else: - raise FileNotFoundError("SSL certificate file not found.") - - url = 'https://puppetdbapi.main.unkin.net/pdb/query/v4/facts' - response = requests.get(url, params={'query': query}, verify=cert_path) + url = 'http://puppetdbapi.service.consul:8080/pdb/query/v4/facts' + response = requests.get(url, params={'query': query}) process_response(response) def process_response(response): From 7cf2e78ceabecba9f6f1af8c4928bc8beb703fd2 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sat, 1 Jun 2024 12:09:53 +1000 Subject: [PATCH 227/229] feat: add sort and count to node_lookup - add -C option to count number of identical records - sort responses from node_lookup --- .../templates/helpers/node_lookup.erb | 20 ++++++++++++++++--- 1 file changed, 17 insertions(+), 3 deletions(-) diff --git a/site/profiles/templates/helpers/node_lookup.erb b/site/profiles/templates/helpers/node_lookup.erb index 7157f76..deeb39e 100644 --- a/site/profiles/templates/helpers/node_lookup.erb +++ b/site/profiles/templates/helpers/node_lookup.erb 
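Review bot: Replacing `https://puppetdbapi.main.unkin.net` with `http://puppetdbapi.service.consul:8080` sends every facts query and response in cleartext and, per the commit message, deliberately targets PuppetDB's unauthenticated HTTP listener, so anyone on the network path can read host facts (addresses, users, roles) or spoof answers to this helper. Keep TLS and point `verify` at the system bundle other profiles in this series already use, e.g. `response = requests.get(url, params={'query': query}, verify='/etc/pki/tls/certs/ca-bundle.crt', timeout=10)` (the missing `timeout` otherwise lets the script hang forever); if the move was to avoid the client-certificate requirement PuppetDB typically enforces on its TLS port, that requirement is the authentication worth keeping. The deleted OS-specific cert-path lookup can equally be replaced by the default `verify=True` with `REQUESTS_CA_BUNDLE` set in the environment if the internal CA is not in certifi's store.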
@@ -28,10 +28,23 @@ def query_puppetdb(query): response = requests.get(url, params={'query': query}) process_response(response) -def process_response(response): +def process_response(response, count_only=False): if response.status_code == 200: - for fact in response.json(): - print(f"{fact['certname']} {fact['value']}") + try: + response_data = response.json() + except ValueError: + print("Error decoding JSON response") + return + + if count_only: + fact_counter = Counter(fact['value'] for fact in response_data) + for fact_value, count in fact_counter.items(): + print(f"{fact_value}: {count}") + else: + facts = [f"{fact['certname']} {fact['value']}" for fact in response_data] + facts.sort() + for fact in facts: + print(fact) else: print(f"Error querying PuppetDB: HTTP {response.status_code}") print("Response content:", response.text) @@ -46,6 +59,7 @@ def main(): parser.add_argument("-R", "--role", action="store_true", help="Show the role for matched hosts") parser.add_argument("-F", "--fact", help="Specify a fact name") parser.add_argument("-m", "--match", help="Simple pattern match for the value") + parser.add_argument("-C", "--count", action="store_true", help="Show count of rows with the same fact") args = parser.parse_args() From e7ddbfa0359b5265e9b8f78572662ed6ea0bbb6a Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sat, 1 Jun 2024 12:51:06 +1000 Subject: [PATCH 228/229] feat: increase client_max_body_size for git - update hieradata with client_max_body_size for git role --- hieradata/roles/infra/git/gitea.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/hieradata/roles/infra/git/gitea.yaml b/hieradata/roles/infra/git/gitea.yaml index a915908..c5950ba 100644 --- a/hieradata/roles/infra/git/gitea.yaml +++ b/hieradata/roles/infra/git/gitea.yaml 
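Review bot: `Counter` is used in the `count_only` branch but no import is added — the diffstat lists 17 insertions and the two hunks here account for all of them — so unless the template already has `from collections import Counter` above the hunk, `-C` raises `NameError`; and the new flag is parsed but never forwarded, since `query_puppetdb` still calls `process_response(response)` (context line at the top of the hunk), leaving `count_only` permanently `False`. Thread it through, e.g. `def query_puppetdb(query, count_only=False):` and `process_response(response, count_only)`, then pass `args.count` from `main`, whose body lies outside the hunk. `facts.sort()` on the `f"{fact['certname']} {fact['value']}"` strings orders lexically by certname then value, which is fine but worth a short comment so nobody expects numeric ordering of values.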
@@ -36,3 +36,4 @@ profiles::nginx::simpleproxy::nginx_aliases: - "git.service.%{facts.country}-%{facts.region}.consul" profiles::nginx::simpleproxy::proxy_port: 3000 profiles::nginx::simpleproxy::proxy_path: '/' +nginx::client_max_body_size: 100M From 6c2328e8baf07ff41e85b6ca884c6aef14cedb36 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sat, 1 Jun 2024 13:31:35 +1000 Subject: [PATCH 229/229] feat: bump git client_max_body_size - change from 100m to 250m --- hieradata/roles/infra/git/gitea.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hieradata/roles/infra/git/gitea.yaml b/hieradata/roles/infra/git/gitea.yaml index c5950ba..3199ed6 100644 --- a/hieradata/roles/infra/git/gitea.yaml +++ b/hieradata/roles/infra/git/gitea.yaml @@ -36,4 +36,4 @@ profiles::nginx::simpleproxy::nginx_aliases: - "git.service.%{facts.country}-%{facts.region}.consul" profiles::nginx::simpleproxy::proxy_port: 3000 profiles::nginx::simpleproxy::proxy_path: '/' -nginx::client_max_body_size: 100M +nginx::client_max_body_size: 250M