Merge branch 'develop' into neoloc/datavol

This commit is contained in:
2023-11-05 17:40:19 +11:00
40 changed files with 706 additions and 40 deletions
@@ -0,0 +1,15 @@
# create the sysadmin user
class profiles::accounts::sysadmin(
Array[String] $sshkeys = [],
){
profiles::base::account {'sysadmin':
username => 'sysadmin',
uid => 1000,
gid => 1000,
groups => ['wheel'],
sshkeys => $sshkeys,
sudo_rules => ['sysadmin ALL=(ALL) NOPASSWD:ALL'],
password => '',
ignore_pass => true,
}
}
+35
View File
@@ -1,6 +1,7 @@
# this is the base class, which will be used by all servers
class profiles::base (
Array $ntp_servers,
Array $puppet_servers,
) {
class { 'chrony':
servers => $ntp_servers,
@@ -8,6 +9,7 @@ class profiles::base (
case $facts['os']['family'] {
'RedHat': {
include profiles::yum::global
include profiles::firewall::firewalld
}
'Debian': {
include profiles::apt::global
@@ -17,8 +19,41 @@ class profiles::base (
}
}
# include the base packages profile
class { 'profiles::base::packages':
packages => hiera('profiles::base::packages::common'),
ensure => 'installed',
}
# manage puppet clients
if ! member($puppet_servers, $trusted['certname']) {
include profiles::puppet::client
}
# include admin scripts
include profiles::base::scripts
# include admin scripts
include profiles::base::hosts
# include the python class
class { 'python':
manage_python_package => true,
manage_venv_package => true,
manage_pip_package => true,
use_epel => false,
}
# all hosts will have sudo applied
class { 'sudo':
secure_path => '/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/opt/puppetlabs/bin'
}
# default users
include profiles::accounts::sysadmin
# add a motd
include profiles::base::facts
include profiles::base::motd
}
+45
View File
@@ -0,0 +1,45 @@
# a wrapper for puppetlabs-account and saz-sudo
define profiles::base::account (
String $username,
Integer $uid,
Integer $gid = undef,
Boolean $manage_home = true,
Boolean $create_group = true,
Boolean $purge_sshkeys = true,
Boolean $system = false,
Boolean $locked = false,
String $password = '!!',
Boolean $ignore_pass = false,
Array[String] $groups = [],
Array[String] $sshkeys = [],
Array[String] $sudo_rules = [],
String $shell = '/usr/bin/bash',
) {
# Set gid to uid if gid is undef
$final_gid = $gid ? {
undef => $uid,
default => $gid,
}
# Manage user
accounts::user { $username:
uid => $uid,
gid => $final_gid,
shell => $shell,
groups => $groups,
sshkeys => $sshkeys,
system => $system,
locked => $locked,
password => $password,
create_group => $create_group,
managehome => $manage_home,
purge_sshkeys => $purge_sshkeys,
ignore_password_if_empty => $ignore_pass,
}
# Manage sudo rules
sudo::conf { "${username}_sudo":
content => $sudo_rules,
}
}
+29
View File
@@ -0,0 +1,29 @@
# a class to define some global facts
class profiles::base::facts {
# The path where external facts are stored
$facts_d_path = '/opt/puppetlabs/facter/facts.d'
# Ensure the directory exists
file { $facts_d_path:
ensure => directory,
owner => 'root',
group => 'root',
mode => '0755',
}
# facts to create
$fact_list = [ 'enc_role', 'enc_env' ]
# Manage the external fact file with content from the template
$fact_list.each | String $item | {
file { "${facts_d_path}/${item}.txt":
ensure => file,
owner => 'root',
group => 'root',
mode => '0644',
content => template("profiles/base/facts/${item}.erb"),
require => File[$facts_d_path],
}
}
}
+30
View File
@@ -0,0 +1,30 @@
# basic class to manage the /etc/hosts file from a template
#
# @param additional_hosts:
# An array of hashes with ip/hostname/aliases
# Aliases is an array in case there is a need for multiple aliases
#
# class { 'profiles::base::hosts':
# additional_hosts => [
# { 'ip' => '192.168.0.10', 'hostname' => 'server1.example.com', 'aliases' => ['server1'] },
# { 'ip' => '192.168.0.11', 'hostname' => 'server2.example.com' },
# # ... and so on
# ],
# }
#
class profiles::base::hosts (
Array[Hash] $additional_hosts = []
) {
$fqdn = $facts['networking']['fqdn']
$hostname = $facts['networking']['hostname']
# Ensure the file exists and manage its content
file { '/etc/hosts':
ensure => file,
owner => 'root',
group => 'root',
mode => '0644',
content => template('profiles/base/hosts.erb'),
}
}
+20
View File
@@ -0,0 +1,20 @@
# set the motd
class profiles::base::motd (
String $enc_role = pick($facts['enc_role'], 'undefined'),
String $enc_env = pick($facts['enc_env'], 'undefined'),
String $fqdn = $facts['networking']['fqdn'],
String $addr = $facts['networking']['ip'],
String $nic = $facts['networking']['primary'],
String $os_name = $facts['os']['name'],
String $os_release = $facts['os']['release']['full'],
) {
# Use the regsubst function to remove the 'roles::' prefix from the role name
$clean_role = regsubst($enc_role, '^roles::', '')
# Manage the content of the /etc/motd file
file { '/etc/motd':
ensure => file,
content => template('profiles/base/motd/motd.erb'),
}
}
+26
View File
@@ -0,0 +1,26 @@
# This class can be included directly in node definitions or other classes.
# The preferred method for declaring the scripts is via Hiera.
#
# Here's an example Hiera configuration:
#
# profiles::base::scripts::scripts:
# script1: script1
# script2: script2
#
# This would deploy 'script1' and 'script2' to /usr/local/bin using their
# respective ERB templates in the profiles/base/scripts directory.
#
class profiles::base::scripts (
Hash $scripts = {},
) {
$scripts.each |$script_name, $template_name| {
file { "/usr/local/bin/${script_name}":
ensure => file,
owner => 'root',
group => 'root',
mode => '0755',
content => template("profiles/base/scripts/${template_name}.erb"),
}
}
}
@@ -0,0 +1,32 @@
# Manages the firewalld package and service on RedHat-like distributions.
#
# @param ensure_package Determines the state of the firewalld package.
# Can be set to 'absent' to remove the package or 'installed' to ensure it's present.
#
# @param ensure_service Determines the state of the firewalld service.
# Can be set to 'stopped' to stop the service or 'running' to ensure it's active.
#
# @param enable_service A boolean that specifies whether to enable or disable the firewalld service on boot.
#
class profiles::firewall::firewalld (
Enum['absent', 'installed'] $ensure_package = 'installed',
Enum['stopped', 'running'] $ensure_service = 'running',
Boolean $enable_service = true,
) {
# Ensure it only runs on RedHat like distributions
if $facts['os']['family'] == 'RedHat' {
# Manage the firewalld package
package { 'firewalld':
ensure => $ensure_package,
}
# Manage the firewalld service
service { 'firewalld':
ensure => $ensure_service,
enable => $enable_service,
hasrestart => true,
require => Package['firewalld'],
}
}
}
+50
View File
@@ -0,0 +1,50 @@
# Class: profiles::puppet::client
#
# This class manages Puppet client configuration and service.
#
# Parameters:
# vardir - Directory path for variable data.
# logdir - Directory path for logs.
# rundir - Directory path for run-time data.
# pidfile - File path for the PID file.
# codedir - Directory path for code data.
# dns_alt_names - Array of alternate DNS names for the server.
# server - Server's name.
#
# site/profile/manifests/puppet/client.pp
class profiles::puppet::client (
String $dns_alt_names = $trusted['certname'],
String $server = 'puppetmaster',
String $ca_server = 'puppetca',
String $environment = 'develop',
Integer $runinterval = 1800,
Integer $runtimeout = 3600,
Boolean $show_diff = true,
Boolean $usecacheonfailure = false,
String $puppet_version = 'latest',
) {
# Ensure the puppet-agent package is installed and locked to a specific version
package { 'puppet-agent':
ensure => $puppet_version,
}
# Ensure the puppet service is running
service { 'puppet':
ensure => 'running',
enable => true,
hasrestart => true,
require => Package['puppet-agent'],
}
# Assuming you want to manage puppet.conf with this profile
file { '/etc/puppetlabs/puppet/puppet.conf':
ensure => 'present',
content => template('profiles/puppet/client/puppet.conf.erb'),
owner => 'root',
group => 'root',
mode => '0644',
notify => Service['puppet'],
}
}
+6 -2
View File
@@ -34,7 +34,9 @@
# This is designed to work on Unix-like systems only.
#
class profiles::puppet::enc (
String $enc_repo,
String $repo,
String $release = 'master',
Boolean $force = false,
) {
include profiles::git::git
@@ -42,7 +44,9 @@ class profiles::puppet::enc (
vcsrepo { '/opt/puppetlabs/enc':
ensure => latest,
provider => git,
source => $enc_repo,
source => $repo,
revision => $release,
force => $force,
require => Package['git'],
}
@@ -0,0 +1,123 @@
# Class: profiles::puppet::puppetboard
#
# This class manages the Puppetboard, a web interface to PuppetDB.
#
class profiles::puppet::puppetboard (
String $python_version = '3.6',
Boolean $manage_virtualenv = false,
Integer $reports_count = 40,
Boolean $offline_mode = true,
String $default_environment = '*',
String $puppetdb_host = lookup('profiles::puppet::puppetdb::puppetdb_host'),
Stdlib::AbsolutePath $basedir = '/opt/puppetboard',
Stdlib::Absolutepath $virtualenv_dir = "${basedir}/venv",
Stdlib::Absolutepath $settings_file = "${basedir}/settings.py",
String $user = 'puppetboard',
String $group = 'puppetboard',
String $gunicorn_bind = '127.0.0.1:8080',
String $gunicorn_bind_prefix = 'http://',
Integer $gunicorn_workers = 1,
Integer $gunicorn_threads = 4,
String $nginx_vhost = 'puppetboard.main.unkin.net',
Integer $nginx_port = 80,
#String[1] $secret_key = "${fqdn_rand_string(32)}",
) {
# store puppet-agents ssl settings/certname
$ssl_dir = $::settings::ssldir
$puppetboard_certname = $trusted['certname']
# setup the puppetboard venv
class { 'puppetboard':
python_version => $python_version,
manage_virtualenv => $manage_virtualenv,
reports_count => $reports_count,
offline_mode => $offline_mode,
basedir => $basedir,
virtualenv_dir => $virtualenv_dir,
settings_file => $settings_file,
#secret_key => $secret_key,
default_environment => $default_environment,
puppetdb_host => $puppetdb_host,
puppetdb_port => 8081,
puppetdb_key => "${basedir}/ssl/${puppetboard_certname}.pem",
puppetdb_ssl_verify => "${ssl_dir}/certs/ca.pem",
puppetdb_cert => "${ssl_dir}/certs/${puppetboard_certname}.pem",
user => $user,
group => $group,
notify => Service['puppetboard.service'],
}
# install gunicorn
python::pip { 'puppetboard_gunicorn':
ensure => 'latest',
pkgname => 'gunicorn',
virtualenv => $virtualenv_dir,
require => Class['puppetboard'],
}
# create ssl dir for puppetboard
file { "${basedir}/ssl":
ensure => directory,
owner => $user,
group => $group,
mode => '0750',
require => Class['puppetboard'],
}
# copy the ssl certs for puppetboard
file { "${basedir}/ssl/${puppetboard_certname}.pem":
ensure => present,
owner => $user,
group => $group,
mode => '0750',
source => "${ssl_dir}/private_keys/${puppetboard_certname}.pem",
require => File["${basedir}/ssl"],
notify => Service['puppetboard.service'],
}
# create script to start service
file { "${virtualenv_dir}/bin/start_puppetboard":
ensure => file,
owner => $user,
group => $group,
mode => '0755',
content => template('profiles/puppet/puppetboard/start_puppetboard.erb'),
require => Class['puppetboard'],
notify => Service['puppetboard.service'],
}
# create systemd service unit
systemd::unit_file { 'puppetboard.service':
content => template('profiles/puppet/puppetboard/puppetboard.service.erb'),
active => true,
enable => true,
require => File["${virtualenv_dir}/bin/start_puppetboard"],
}
# ensure the nginx service is managed
class { 'nginx': }
# create the nginx vhost
nginx::resource::server { $nginx_vhost:
listen_port => $nginx_port,
server_name => [$nginx_vhost],
proxy => "${gunicorn_bind_prefix}${gunicorn_bind}",
proxy_set_header => [
'Host $http_host',
'X-Real-IP $remote_addr',
'X-Scheme $scheme',
],
proxy_pass_header => ['Server'],
proxy_redirect => 'off',
proxy_connect_timeout => '10s',
proxy_read_timeout => '10s',
}
# service static files from nginx for performance
nginx::resource::location { "${nginx_vhost}_static":
location => '/static',
server => $nginx_vhost,
location_alias => "${virtualenv_dir}/lib/python${python_version}/site-packages/puppetboard/static",
}
}
@@ -0,0 +1,16 @@
# configure the puppetdb api service
class profiles::puppet::puppetdb_api (
String $postgres_host = lookup('profiles::puppet::puppetdb::postgres_host'),
String $listen_address = $facts['networking']['ip'],
) {
class { 'puppetdb::server':
database_host => $postgres_host,
manage_firewall => false,
ssl_listen_address => $listen_address,
listen_address => $listen_address,
}
contain ::puppetdb::server
}
@@ -0,0 +1,27 @@
# configure the puppetdb sql service
class profiles::puppet::puppetdb_sql (
String $puppetdb_host = lookup('profiles::puppet::puppetdb::puppetdb_host'),
String $listen_address = $facts['networking']['ip'],
) {
# disable the postgresql dnf module for el8+
if $facts['os']['family'] == 'RedHat' and $facts['os']['release']['major'] >= '8' {
# based on https://github.com/puppetlabs/puppetlabs-postgresql/blob/main/manifests/dnfmodule.pp
package { 'postgresql dnf module':
ensure => 'disabled',
name => 'postgresql',
provider => 'dnfmodule',
before => Class['puppetdb::database::postgresql'],
}
}
# Install and configure PostgreSQL for PuppetDB
class { 'puppetdb::database::postgresql':
listen_addresses => $listen_address,
postgres_version => '15',
puppetdb_server => $puppetdb_host,
}
contain ::puppetdb::database::postgresql
}
+24 -13
View File
@@ -22,19 +22,26 @@
#
# Limitations:
# This is designed to work on Unix-like systems.
class profiles::puppet::puppetmaster {
class profiles::puppet::puppetmaster (
String $puppetdb_host = lookup('profiles::puppet::puppetdb::puppetdb_host'),
) {
include profiles::puppet::r10k
include profiles::puppet::g10k
include profiles::puppet::enc
include profiles::puppet::autosign
class { 'puppetdb::master::config':
puppetdb_server => $puppetdb_host,
manage_storeconfigs => false,
}
class { 'profiles::puppet::server':
vardir => '/opt/puppetlabs/server/data/puppetserver',
logdir => '/var/log/puppetlabs/puppetserver',
rundir => '/var/run/puppetlabs/puppetserver',
pidfile => '/var/run/puppetlabs/puppetserver/puppetserver.pid',
codedir => '/etc/puppetlabs/code',
dns_alt_names => [
vardir => '/opt/puppetlabs/server/data/puppetserver',
logdir => '/var/log/puppetlabs/puppetserver',
rundir => '/var/run/puppetlabs/puppetserver',
pidfile => '/var/run/puppetlabs/puppetserver/puppetserver.pid',
codedir => '/etc/puppetlabs/code',
dns_alt_names => [
'prodinf01n01.main.unkin.net',
'puppet.main.unkin.net',
'puppetca.main.unkin.net',
@@ -43,11 +50,15 @@ class profiles::puppet::puppetmaster {
'puppetca',
'puppetmaster',
],
server => 'prodinf01n01.main.unkin.net',
node_terminus => 'exec',
external_nodes => '/opt/puppetlabs/bin/enc',
autosign => '/etc/puppetlabs/puppet/autosign.conf',
default_manifest => '/etc/puppetlabs/code/environments/develop/manifests',
default_environment => 'develop',
server => 'prodinf01n01.main.unkin.net',
node_terminus => 'exec',
external_nodes => '/opt/puppetlabs/bin/enc',
autosign => '/etc/puppetlabs/puppet/autosign.conf',
default_manifest => '/etc/puppetlabs/code/environments/develop/manifests',
default_environment => 'develop',
storeconfigs => true,
storeconfigs_backend => 'puppetdb',
reports => 'puppetdb',
usecacheonfailure => false,
}
}
+1 -1
View File
@@ -52,7 +52,7 @@ class profiles::puppet::r10k (
group => 'root',
mode => '0755',
content => "#!/bin/bash\n(
cd /etc/puppetlabls/r10k
cd /etc/puppetlabs/r10k
git reset --hard master
git clean -fd
git pull\n)",
+20 -12
View File
@@ -27,6 +27,10 @@ class profiles::puppet::server (
String $autosign,
String $default_manifest,
String $default_environment,
Boolean $storeconfigs,
String $storeconfigs_backend,
String $reports,
Boolean $usecacheonfailure,
) {
file { '/etc/puppetlabs/puppet/puppet.conf':
@@ -35,18 +39,22 @@ class profiles::puppet::server (
group => 'root',
mode => '0644',
content => epp('profiles/puppet/server/puppet.conf.epp', {
'vardir' => $vardir,
'logdir' => $logdir,
'rundir' => $rundir,
'pidfile' => $pidfile,
'codedir' => $codedir,
'dns_alt_names' => join($dns_alt_names, ','),
'server' => $server,
'node_terminus' => $node_terminus,
'external_nodes' => $external_nodes,
'autosign' => $autosign,
'default_manifest' => $default_manifest,
'default_environment' => $default_environment,
'vardir' => $vardir,
'logdir' => $logdir,
'rundir' => $rundir,
'pidfile' => $pidfile,
'codedir' => $codedir,
'dns_alt_names' => join($dns_alt_names, ','),
'server' => $server,
'node_terminus' => $node_terminus,
'external_nodes' => $external_nodes,
'autosign' => $autosign,
'default_manifest' => $default_manifest,
'default_environment' => $default_environment,
'storeconfigs' => $storeconfigs,
'storeconfigs_backend' => $storeconfigs_backend,
'reports' => $reports,
'usecacheonfailure' => $usecacheonfailure,
}),
notify => Service['puppetserver'],
}
@@ -0,0 +1 @@
enc_env=<%= @enc_env %>
@@ -0,0 +1 @@
enc_role=<%= @enc_role[0] %>
+15
View File
@@ -0,0 +1,15 @@
# /etc/hosts file managed by Puppet
# The following lines are desirable for IPv4 capable hosts
127.0.0.1 <%= @fqdn %> <%= @hostname %>
127.0.0.1 localhost.localdomain localhost
127.0.0.1 localhost4.localdomain4 localhost4
# The following lines are desirable for IPv6 capable hosts
::1 <%= @fqdn %> <%= @hostname %>
::1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
<% @additional_hosts.each do |host| -%>
<%= host['ip'] %> <%= host['hostname'] %> <%= host['aliases'].join(' ') if host['aliases'] %>
<% end -%>
@@ -0,0 +1,13 @@
<%
# calculate padding for the longest word
max_length = ['fqdn:', 'os:', 'role:', 'branch:', 'addr:', 'nic:'].max_by(&:length).length
# helper lambda to right-align text
align = ->(word) { word.ljust(max_length) }
%>
<%= align.call('fqdn:') %> <%= @fqdn %>
<%= align.call('os:') %> <%= @os_name %> <%= @os_release %>
<%= align.call('role:') %> <%= @clean_role %>
<%= align.call('branch:') %> <%= @enc_env %>
<%= align.call('addr:') %> <%= @addr %>
<%= align.call('nic:') %> <%= @nic %>
@@ -0,0 +1,22 @@
#!/usr/bin/env python3
import sys
import subprocess
def main():
# If "-E" is in the arguments, modify the following argument
args = sys.argv[1:]
if "-E" in args:
index = args.index("-E")
if index + 1 < len(args): # Check if there's another argument after "-E"
environment_value = args[index + 1]
# Replace \ and - with _
modified_environment_value = environment_value.replace("\\", "_").replace("-", "_").replace("/","_")
args[index + 1] = modified_environment_value
# Construct the full puppet command with the modified args
command = ["/opt/puppetlabs/bin/puppet"] + args
subprocess.run(command)
if __name__ == "__main__":
main()
@@ -0,0 +1,13 @@
[main]
dns_alt_names = <%= @dns_alt_names %>
[agent]
server = <%= @server %>
ca_server = <%= @ca_server %>
environment = <%= @environment %>
report = true
report_server = <%= @server %>
runinterval = <%= @runinterval %>
runtimeout = <%= @runtimeout %>
show_diff = <%= @show_diff %>
usecacheonfailure = <%= @usecacheonfailure %>
@@ -0,0 +1,12 @@
[Unit]
Description=puppetboard daemon
After=network.target
[Service]
Type=simple
User=<%= @user %>
Group=<%= @group %>
Environment="PUPPETBOARD_SETTINGS=<%= @settings_file %>"
ExecStart=<%= @virtualenv_dir %>/bin/start_puppetboard
PrivateTmp=true
[Install]
WantedBy=multi-user.target
@@ -0,0 +1,7 @@
#!/usr/bin/env bash
<%= @virtualenv_dir %>/bin/gunicorn \
--workers <%= @gunicorn_workers %> \
--threads <%= @gunicorn_threads %> \
--config <%= @settings_file %> \
--bind <%= @gunicorn_bind %> \
puppetboard.app:app
@@ -17,3 +17,7 @@ external_nodes = <%= $external_nodes %>
autosign = <%= $autosign %>
default_manifest = <%= $default_manifest %>
default_environment = <%= $default_environment %>
storeconfigs = <%= $storeconfigs %>
storeconfigs_backend = <%= $storeconfigs_backend %>
reports = <%= $reports %>
usecacheonfailure = <%= $usecacheonfailure %>
+6
View File
@@ -0,0 +1,6 @@
# a role to deploy the ceph mds
# work in progress
class roles::ceph::mds {
include profiles::defaults
include profiles::base
}
+6
View File
@@ -0,0 +1,6 @@
# a role to deploy the ceph mon
# work in progress
class roles::ceph::mon {
include profiles::defaults
include profiles::base
}
+6
View File
@@ -0,0 +1,6 @@
# a role to deploy the ceph osd
# work in progress
class roles::ceph::osd {
include profiles::defaults
include profiles::base
}
@@ -0,0 +1,6 @@
# a role to deploy the puppetboard
class roles::puppet::puppetboard {
include profiles::defaults
include profiles::base
include profiles::puppet::puppetboard
}
+7
View File
@@ -0,0 +1,7 @@
# a role to deploy the puppetdb
# work in progress
class roles::puppet::puppetdb {
include profiles::defaults
include profiles::base
include profiles::puppet::puppetdb
}
@@ -0,0 +1,6 @@
# a role to deploy the puppetdb api service
class roles::puppet::puppetdb_api {
include profiles::defaults
include profiles::base
include profiles::puppet::puppetdb_api
}
@@ -0,0 +1,6 @@
# a role to deploy the puppetdb postgresql service
class roles::puppet::puppetdb_sql {
include profiles::defaults
include profiles::base
include profiles::puppet::puppetdb_sql
}