From df56213b188c2a3107987fc79f522d6f31b8a2a1 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Mon, 22 Apr 2024 18:51:20 +1000 Subject: [PATCH 1/5] fix: enable repos before installing packages --- site/profiles/manifests/base.pp | 21 +++++++-------------- site/profiles/manifests/base/repos.pp | 16 ++++++++++++++++ 2 files changed, 23 insertions(+), 14 deletions(-) create mode 100644 site/profiles/manifests/base/repos.pp diff --git a/site/profiles/manifests/base.pp b/site/profiles/manifests/base.pp index fb463d6..5d30011 100644 --- a/site/profiles/manifests/base.pp +++ b/site/profiles/manifests/base.pp @@ -6,20 +6,6 @@ class profiles::base ( # install the vault ca first include profiles::pki::vaultca - # manage package repositories - case $facts['os']['family'] { - 'RedHat': { - include profiles::yum::global - include profiles::firewall::firewalld - } - 'Debian': { - include profiles::apt::global - } - default: { - fail("Unsupported OS family ${facts['os']['family']}") - } - } - # manage the puppet agent include profiles::puppet::agent @@ -29,6 +15,7 @@ class profiles::base ( } # include the base profiles + include profiles::base::repos include profiles::packages include profiles::base::facts include profiles::base::motd @@ -63,4 +50,10 @@ class profiles::base ( # include classes from hiera lookup('hiera_classes', Array[String], 'unique').include + + # specifc ordering constraints + Class['profiles::pki::vaultca'] + -> Class['profiles::base::repos'] + -> Class['profiles::packages'] + } diff --git a/site/profiles/manifests/base/repos.pp b/site/profiles/manifests/base/repos.pp new file mode 100644 index 0000000..8d3223f --- /dev/null +++ b/site/profiles/manifests/base/repos.pp 
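Review bot: The ordering chain added at the end of `profiles::base` (`Class['profiles::pki::vaultca'] -> Class['profiles::base::repos'] -> Class['profiles::packages']`) only orders resources that those classes contain, and the new `profiles::base::repos` in this patch declares `profiles::yum::global` / `profiles::apt::global` with `include`, which does not contain them. As written, the repository resources can still be applied after the packages, or before the vault CA is in place, so the fix may not take effect. In repos.pp use `contain profiles::yum::global` and `contain profiles::apt::global`, and the same for the firewalld profile if it should be ordered too. Whether `profiles::packages` and `profiles::pki::vaultca` delegate to other classes in the same way is not visible here. The comment above the chain has a typo and should read `# specific ordering constraints`.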
@@ -0,0 +1,16 @@ +# profiles::base::repos +class profiles::base::repos { + # manage package repositories + case $facts['os']['family'] { + 'RedHat': { + include profiles::yum::global + include profiles::firewall::firewalld + } + 'Debian': { + include profiles::apt::global + } + default: { + fail("Unsupported OS family ${facts['os']['family']}") + } + } +} From bb8bf202ac043a586c0a8cea05291f697ea45c7b Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Tue, 23 Apr 2024 21:11:56 +1000 Subject: [PATCH 2/5] feat: sort nameserver/search_domains - ensure the list doesnt change every puppet run --- site/profiles/manifests/dns/base.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/site/profiles/manifests/dns/base.pp b/site/profiles/manifests/dns/base.pp index 6bd2458..671bf3d 100644 --- a/site/profiles/manifests/dns/base.pp +++ b/site/profiles/manifests/dns/base.pp @@ -24,8 +24,8 @@ class profiles::dns::base ( # include resolvconf class class { 'profiles::dns::resolvconf': - nameservers => $nameserver_array, - search_domains => $search_array, + nameservers => sort($nameserver_array), + search_domains => sort($search_array), } # export dns records for client From dbe11323c5246ac7db6e41d79e49f1bc073bcc1e Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Tue, 23 Apr 2024 22:39:33 +1000 Subject: [PATCH 3/5] feat: enable selecting nameserver by fact - enable selecting nameservers to use by region, country or all - set default for nameservers to be region --- hieradata/common.yaml | 1 + site/profiles/manifests/dns/base.pp | 16 ++++++++++++---- 2 files changed, 13 insertions(+), 4 deletions(-) diff --git a/hieradata/common.yaml b/hieradata/common.yaml index 185780a..9dd7df2 100644 --- a/hieradata/common.yaml +++ b/hieradata/common.yaml 
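Review bot: The `'RedHat'` branch of `profiles::base::repos` also declares `profiles::firewall::firewalld`, which neither the class name nor the `# manage package repositories` comment mentions, so the host firewall profile is easy to lose if this class is later dropped, reordered or made optional. Either declare the firewall profile from `profiles::base` directly or document it here, e.g. `# firewalld is declared here as well; keep it when changing repo handling`. The `'Debian'` branch declares no firewall profile; presumably that is handled elsewhere, but it is worth confirming.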
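Review bot: `sort($nameserver_array)` and `sort($search_array)` make the lists stable, but they also turn resolver and search-suffix preference into a by-product of string ordering. Resolvers are tried in the order listed and glibc uses only the first three `nameserver` entries, so with more than three matches the lexically lowest addresses take all queries; for `search_domains` the order decides which suffix is tried first, so sorting can change which host a short name resolves to. If order matters for either list, keep the configured order for hiera-supplied values and sort only the `query_nodes` result. A comment such as `# sorted for idempotence only; order carries no preference` would record the intent. Both variables are assigned outside this hunk.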
@@ -57,6 +57,7 @@ profiles::base::puppet_servers: profiles::dns::master::basedir: '/var/named/sources' profiles::dns::base::ns_role: 'roles::infra::dns::resolver' +profiles::dns::base::use_ns: 'region' profiles::packages::install: - bash-completion diff --git a/site/profiles/manifests/dns/base.pp b/site/profiles/manifests/dns/base.pp index 671bf3d..e22e964 100644 --- a/site/profiles/manifests/dns/base.pp +++ b/site/profiles/manifests/dns/base.pp @@ -3,16 +3,24 @@ class profiles::dns::base ( String $ns_role = undef, Array $search = [], Array $nameservers = ['8.8.8.8', '1.1.1.1'], + Enum[ + 'all', + 'region', + 'country' + ] $use_ns = 'all', ){ # install bind_utils include bind::updater # if ns_role is set, find all hosts matching that enc_role - if $ns_role == undef { - $nameserver_array = $nameservers - }else{ - $nameserver_array = query_nodes("enc_role='${ns_role}'", 'networking.ip') + $nameserver_array = $ns_role ? { + undef => $nameservers, + default => $use_ns ? { + 'all' => query_nodes("enc_role='${ns_role}'", 'networking.ip'), + 'region' => query_nodes("enc_role='${ns_role}' and region=${facts['region']}", 'networking.ip'), + 'country' => query_nodes("enc_role='${ns_role}' and country=${facts['country']}", 'networking.ip'), + } } # if search is undef, fallback to domainname from facts From 7b316c6b0b762aae2c1ec47d38060f31daf5bf7b Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Tue, 23 Apr 2024 23:57:01 +1000 Subject: [PATCH 4/5] feat: sort ntpservers, select ntp to use - sort the ntpservers array so it doesnt change each run of puppet - allow the selection of all, region or country specific ntp servers --- hieradata/common.yaml | 1 + site/profiles/manifests/ntp/client.pp | 21 ++++++++++++++------- 2 files changed, 15 insertions(+), 7 deletions(-) diff --git a/hieradata/common.yaml b/hieradata/common.yaml index 185780a..2781951 100644 --- a/hieradata/common.yaml +++ b/hieradata/common.yaml 
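Review bot: Setting `profiles::dns::base::use_ns: 'region'` in common.yaml makes every node's resolver list depend on its own `region` fact and on at least one node with the resolver role existing in that region. The selector added to dns/base.pp in this patch has no fallback, so a node with no `region` fact, or in a region without a resolver, would get an empty nameserver list (or a failed query) rather than the `$nameservers` default. Consider falling back to `$nameservers` when the query result is empty, or keep `all` here and set `region` only at hierarchy levels where resolvers are known to exist. The `profiles::ntp::client::use_ntp: 'region'` default added in PATCH 4/5 has the same exposure for time sync.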
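Review bot: In the `'region'` and `'country'` branches the fact value is interpolated into the query unquoted (`region=${facts['region']}`), while `enc_role` is quoted. Facts are reported by the agent, so a missing, empty or unexpected value changes the shape of the PuppetDB query instead of simply failing to match. Quote it, `region='${facts['region']}'`, and validate the value before use (for example against `/\A[\w-]+\z/`), failing the catalog otherwise. If region and country are meant to be server-assigned attributes, reading them from trusted data or the ENC rather than `$facts` would be safer, though whether that is available is not visible here. The same two branches are repeated in ntp/client.pp in PATCH 4/5.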
@@ -46,6 +46,7 @@ hiera_classes: - timezone profiles::ntp::client::ntp_role: 'roles::infra::ntp::server' +profiles::ntp::client::use_ntp: 'region' profiles::ntp::client::peers: - 0.pool.ntp.org - 1.pool.ntp.org diff --git a/site/profiles/manifests/ntp/client.pp b/site/profiles/manifests/ntp/client.pp index e3c90a7..c09cff2 100644 --- a/site/profiles/manifests/ntp/client.pp +++ b/site/profiles/manifests/ntp/client.pp @@ -11,6 +11,11 @@ class profiles::ntp::client ( 'running', 'stopped' ] $wait_ensure = 'running', + Enum[ + 'all', + 'region', + 'country' + ] $use_ntp = 'all', Boolean $client_only = true, ) { @@ -18,23 +23,25 @@ class profiles::ntp::client ( # through the profiles::ntp::server class. if $client_only { - # if ntp_role is set, find all hosts matching that enc_role - if $ntp_role == undef { - $ntpserver_array = $peers - }else{ - $ntpserver_array = query_nodes("enc_role='${ntp_role}'", 'networking.fqdn') + $ntpserver_array = $ntp_role ? { + undef => $peers, + default => $use_ntp ? { + 'all' => query_nodes("enc_role='${ntp_role}'", 'networking.fqdn'), + 'region' => query_nodes("enc_role='${ntp_role}' and region=${facts['region']}", 'networking.fqdn'), + 'country' => query_nodes("enc_role='${ntp_role}' and country=${facts['country']}", 'networking.fqdn'), + } } # Define the client configuration based on OS family if $facts['os']['family'] == 'RedHat' { class { 'chrony': - servers => $ntpserver_array, + servers => sort($ntpserver_array), wait_enable => $wait_enable, wait_ensure => $wait_ensure, } } else { class { 'chrony': - servers => $ntpserver_array, + servers => sort($ntpserver_array), } } } From 3810385fcd89b443e6f0a260e91670806c747ee0 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Wed, 24 Apr 2024 18:13:56 +1000 Subject: [PATCH 5/5] feat: install ksm for proxmox --- site/profiles/manifests/proxmox/params.pp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
diff --git a/site/profiles/manifests/proxmox/params.pp b/site/profiles/manifests/proxmox/params.pp
index 2a4844e..d520f45 100644
--- a/site/profiles/manifests/proxmox/params.pp
+++ b/site/profiles/manifests/proxmox/params.pp
@@ -23,7 +23,8 @@ class profiles::proxmox::params (
 'proxmox-ve',
 'postfix',
 'open-iscsi',
- 'frr-pythontools'
+ 'frr-pythontools',
+ 'ksm-control-daemon'
 ],
 Array $pve_packages_remove = [
 'os-prober',
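Review bot: Adding `'ksm-control-daemon'` to the default package list installs the KSM tuning daemon on every Proxmox host that uses these params, and the list carries no comment on the trade-off. KSM deduplicates identical memory pages across guests, which is a known cross-VM side-channel surface; the Proxmox documentation suggests considering disabling it where guests do not trust each other. Document that here, e.g. `# ksm-control-daemon: enables KSM page sharing between guests; only for hosts whose VMs share one trust boundary`, or make the package opt-in per cluster through hiera. The parameter this array belongs to is declared above the hunk.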