benvin/gitea_cluster (#335)

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/335

hieradata/roles/infra/git/server.eyaml

@@ -0,0 +1,2 @@
+---
+profiles::sql::postgresdb::dbpass: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAhg1qvPHyqM3QXINxU8v0AX2e4rbfaHym0VGH3U1qoJTODYynHwhGDWzVhD9sZPej9VtqdRR1oi+PAD4VSZxFOON3y2HaPJ8nJMDLN3FeKhTK6nCNte00w8EeKXma+0fcur+wKQTSOem/yBBXt2wCxqGk1vdoHod/92wNDljUV0evrChhgjjiEc+WdScrwSl8SSxFzdRa76iahYikZC0aTZViWQwN1XoEuZW/EszmxgEfEwSygvon31JKuyfZTzZazCoUmPq9dvhNvhLbStT4USMopDYuiwrpHKdEzDe1r1Q/FOL5iDIrULAoSHRnBsqWTJ8a+HkSS2DsvOiAnQJjCDBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBAPcCq5Ob9rpxiqcVSBztk4gDCPmuAGDBAeUgFHheDJN6Eu+OSn9zA8kuHw0AVtPou1JERPjDIQ9QA0RQOtZATpybE=]

hieradata/roles/infra/git/server.yaml

@@ -0,0 +1,101 @@
+---
+hiera_include:
+  - profiles::sql::postgresdb
+  - profiles::nginx::simpleproxy
+  - gitea
+
+# additional altnames
+profiles::pki::vault::alt_names:
+  - git.unkin.net
+  - git.main.unkin.net
+  - git.service.consul
+  - git.query.consul
+  - "git.service.%{facts.country}-%{facts.region}.consul"
+
+profiles::ssh::sign::principals:
+  - git.unkin.net
+  - git.main.unkin.net
+  - git.service.consul
+  - git.query.consul
+
+consul::services:
+  git:
+    service_name: 'git'
+    address: "%{facts.networking.ip}"
+    port: 443
+    checks:
+      - id: 'gitea_https_check'
+        name: 'Gitea HTTPS Check'
+        http: "https://%{facts.networking.fqdn}:443"
+        method: 'GET'
+        tls_skip_verify: true
+        interval: '10s'
+        timeout: '1s'
+profiles::consul::client::node_rules:
+  - resource: service
+    segment: git
+    disposition: write
+
+# manage a simple nginx reverse proxy
+profiles::nginx::simpleproxy::nginx_vhost: 'git.query.consul'
+profiles::nginx::simpleproxy::nginx_aliases:
+  - git.unkin.net
+  - git.main.unkin.net
+  - git.service.consul
+  - git.query.consul
+  - "git.service.%{facts.country}-%{facts.region}.consul"
+
+profiles::nginx::simpleproxy::proxy_port: 3000
+profiles::nginx::simpleproxy::proxy_path: '/'
+nginx::client_max_body_size: 1024M
+
+profiles::sql::postgresdb::cluster_name: "patroni-shared-%{facts.environment}"
+profiles::sql::postgresdb::dbname: gitea
+profiles::sql::postgresdb::dbuser: gitea
+
+gitea::ensure: '1.22.4'
+gitea::checksum: 'd549104f55067e6fb156e7ba060c9af488f36e12d5e747db7563fcc99eaf8532'
+gitea::custom_configuration:
+  '':
+    APP_NAME: 'Gitea'
+    RUN_USER: 'git'
+    RUN_MODE: 'prod'
+  repository:
+    ROOT: '/shared/apps/gitea/repos'
+    FORCE_PRIVATE: false
+    MAX_CREATION_LIMIT: -1
+    DISABLE_HTTP_GIT: false
+    DEFAULT_BRANCH: 'main'
+    DEFAULT_PRIVATE: 'last'
+  ui:
+    SHOW_USER_EMAIL: false
+  server:
+    PROTOCOL: 'http'
+    DOMAIN: 'git.unkin.net'
+    ROOT_URL: 'https://git.unkin.net'
+    HTTP_ADDR: '0.0.0.0'
+    HTTP_PORT: 3000
+    START_SSH_SERVER: false
+    SSH_DOMAIN: 'git.unkin.net'
+    SSH_PORT: 2222
+    SSH_LISTEN_HOST: '0.0.0.0'
+    OFFLINE_MODE: true
+    APP_DATA_PATH: '/shared/apps/gitea'
+    SSH_LISTEN_PORT: 22
+    LFS_START_SERVER: true
+  database:
+    DB_TYPE: 'postgres'
+    HOST: "master.%{hiera('profiles::sql::postgresdb::cluster_name')}.service.%{facts.country}-%{facts.region}.consul:5432"
+    NAME: "%{hiera('profiles::sql::postgresdb::dbname')}"
+    USER: "%{hiera('profiles::sql::postgresdb::dbuser')}"
+    PASSWD: "%{hiera('profiles::sql::postgresdb::dbpass')}"
+    SSL_MODE: 'disable'
+    LOG_SQL: false
+  lfs:
+    PATH: '/shared/apps/gitea/lfs'
+  session:
+    PROVIDER: db
+  metrics:
+    ENABLED: true
+    ENABLED_ISSUE_BY_REPOSITORY: true
+    ENABLED_ISSUE_BY_LABEL: true

hieradata/roles/infra/puppetdb/sql.yaml

@@ -15,6 +15,14 @@ profiles::sql::patroni::cluster_name: "patroni-puppetdb-%{facts.environment}"
 profiles::sql::patroni::postgres_exporter_enabled: true
 profiles::sql::patroni::postgres_exporter_user: postgres_exporter
 profiles::sql::patroni::pgsql_version: "17"
+patroni::bootstrap_pg_hba:
+  - 'local all postgres ident'
+  - 'host all all 0.0.0.0/0 md5'
+  - 'host replication repl 0.0.0.0/0 md5'
+patroni::pgsql_pg_hba:
+  - 'local all postgres ident'
+  - 'host all all 0.0.0.0/0 md5'
+  - 'host replication repl 0.0.0.0/0 md5'
 
 # FIXME: puppet-python wants to try manage python-dev, which is required by the ceph package
 python::manage_dev_package: false

hieradata/roles/infra/sql/shared.yaml

@@ -15,6 +15,16 @@ profiles::sql::patroni::cluster_name: "patroni-shared-%{facts.environment}"
 profiles::sql::patroni::postgres_exporter_enabled: true
 profiles::sql::patroni::postgres_exporter_user: postgres_exporter
 profiles::sql::patroni::pgsql_version: "17"
+patroni::bootstrap_pg_hba:
+  - 'local all postgres ident'
+  - 'host all all 0.0.0.0/0 md5'
+  - 'host gitea gitea 0.0.0.0/0 scram-sha-256'
+  - 'host replication repl 0.0.0.0/0 md5'
+patroni::pgsql_pg_hba:
+  - 'local all postgres ident'
+  - 'host all all 0.0.0.0/0 md5'
+  - 'host gitea gitea 0.0.0.0/0 scram-sha-256'
+  - 'host replication repl 0.0.0.0/0 md5'
 
 python::manage_dev_package: false
 

site/profiles/manifests/sql/patroni.pp

@@ -64,16 +64,6 @@ class profiles::sql::patroni (
     pgsql_parameters              => {
       'max_connections' => 5000,
     },
-    bootstrap_pg_hba              => [
-      'local all postgres ident',
-      'host all all 0.0.0.0/0 md5',
-      'host replication repl 0.0.0.0/0 md5',
-    ],
-    pgsql_pg_hba                  => [
-      'local all postgres ident',
-      'host all all 0.0.0.0/0 md5',
-      'host replication repl 0.0.0.0/0 md5',
-    ],
     superuser_username            => $superuser_username,
     superuser_password            => $superuser_password,
     replication_username          => $replication_username,

site/roles/manifests/infra/git/server.pp

@@ -0,0 +1,11 @@
+# a role to deploy the gitea
+class roles::infra::git::server {
+  if $facts['firstrun'] {
+    include profiles::defaults
+    include profiles::firstrun::init
+  }else{
+    include profiles::defaults
+    include profiles::base
+    include profiles::base::datavol
+  }
+}