diff --git a/.reek.yml b/.reek.yml
index 5d9b3c5..26c981b 100644
--- a/.reek.yml
+++ b/.reek.yml
@@ -3,3 +3,8 @@ detectors:
 FeatureEnvy:
 enabled: false
+ TooManyStatements:
+ enabled: false
+ UncommunicativeVariableName:
+ accept:
+ - e
diff --git a/Puppetfile b/Puppetfile
index c1773c7..7871912 100644
--- a/Puppetfile
+++ b/Puppetfile
@@ -2,54 +2,55 @@ forge 'forge.puppetlabs.com'
 moduledir 'external_modules'
 # puppetlabs
-mod 'puppetlabs-stdlib', '9.1.0'
-mod 'puppetlabs-inifile', '6.0.0'
-mod 'puppetlabs-concat', '9.0.0'
-mod 'puppetlabs-vcsrepo', '6.1.0'
-mod 'puppetlabs-yumrepo_core', '2.0.0'
-mod 'puppetlabs-apt', '9.4.0'
-mod 'puppetlabs-lvm', '2.1.0'
-mod 'puppetlabs-puppetdb', '7.13.0'
-mod 'puppetlabs-postgresql', '9.1.0'
-mod 'puppetlabs-firewall', '6.0.0'
-mod 'puppetlabs-accounts', '8.1.0'
-mod 'puppetlabs-mysql', '15.0.0'
+mod 'puppetlabs-stdlib', '9.7.0'
+mod 'puppetlabs-inifile', '6.2.0'
+mod 'puppetlabs-concat', '9.1.0'
+mod 'puppetlabs-vcsrepo', '7.0.0'
+mod 'puppetlabs-yumrepo_core', '2.1.0'
+mod 'puppetlabs-apt', '10.0.1'
+mod 'puppetlabs-lvm', '3.0.1'
+mod 'puppetlabs-puppetdb', '7.14.0'
+mod 'puppetlabs-postgresql', '9.2.0'
+mod 'puppetlabs-firewall', '8.1.4'
+mod 'puppetlabs-accounts', '8.2.2'
+mod 'puppetlabs-mysql', '16.2.0'
 mod 'puppetlabs-xinetd', '3.4.1'
-mod 'puppetlabs-haproxy', '8.0.0'
-mod 'puppetlabs-java', '10.1.2'
-mod 'puppetlabs-reboot', '5.0.0'
-mod 'puppetlabs-docker', '10.0.1'
+mod 'puppetlabs-haproxy', '8.2.0'
+mod 'puppetlabs-java', '11.1.0'
+mod 'puppetlabs-reboot', '5.1.0'
+mod 'puppetlabs-docker', '10.2.0'
 # puppet
-mod 'puppet-python', '7.0.0'
-mod 'puppet-systemd', '5.1.0'
-mod 'puppet-yum', '7.0.0'
-mod 'puppet-archive', '7.0.0'
-mod 'puppet-chrony', '2.6.0'
-mod 'puppet-puppetboard', '9.0.0'
-mod 'puppet-nginx', '5.0.0'
-mod 'puppet-selinux', '4.1.0'
-mod 'puppet-prometheus', '13.4.0'
-mod 'puppet-grafana', '13.1.0'
-mod 'puppet-consul', '8.0.0'
-mod 'puppet-vault', '4.1.0'
+mod 'puppet-python', '7.4.0'
+mod 'puppet-systemd', '8.1.0'
+mod 'puppet-yum', '7.2.0'
+mod 'puppet-archive', '7.1.0'
+mod 'puppet-chrony', '3.0.0'
+mod 'puppet-puppetboard', '11.0.0'
+mod 'puppet-nginx', '6.0.1'
+mod 'puppet-selinux', '5.0.0'
+mod 'puppet-prometheus', '16.0.0'
+mod 'puppet-grafana', '14.1.0'
+mod 'puppet-consul', '9.1.0'
+mod 'puppet-vault', '4.1.1'
 mod 'puppet-dhcp', '6.1.0'
 mod 'puppet-keepalived', '5.1.0'
-mod 'puppet-extlib', '7.0.0'
-mod 'puppet-network', '2.2.0'
-mod 'puppet-kmod', '4.0.1'
+mod 'puppet-extlib', '7.5.1'
+mod 'puppet-network', '2.2.1'
+mod 'puppet-kmod', '4.1.0'
 mod 'puppet-filemapper', '4.0.0'
-mod 'puppet-letsencrypt', '11.0.0'
-mod 'puppet-rundeck', '9.1.0'
-mod 'puppet-redis', '11.0.0'
+mod 'puppet-letsencrypt', '11.1.0'
+mod 'puppet-rundeck', '9.2.0'
+mod 'puppet-redis', '11.1.0'
 mod 'puppet-nodejs', '11.0.0'
 mod 'puppet-k8s', '2.0.1'
 # other
-mod 'ghoneycutt-puppet', '3.3.0'
-mod 'saz-sudo', '8.0.0'
-mod 'saz-ssh', '12.1.0'
+mod 'saz-sudo', '9.0.2'
+mod 'saz-ssh', '13.1.0'
+mod 'saz-limits', '5.0.0'
 mod 'ghoneycutt-timezone', '4.0.0'
+mod 'ghoneycutt-puppet', '3.3.0'
 mod 'dalen-puppetdbquery', '3.0.1'
 mod 'markt-galera', '3.1.0'
 mod 'kogitoapp-minio', '1.1.4'
@@ -59,6 +60,7 @@ mod 'h0tw1r3-gitea', '3.2.0'
 mod 'rehan-mkdir', '2.0.0'
 mod 'tailoredautomation-patroni', '2.0.0'
 mod 'ssm-crypto_policies', '0.3.3'
+mod 'thias-sysctl', '1.0.8'
 mod 'bind',
 :git => 'https://git.service.au-syd1.consul/unkinben/puppet-bind.git',
diff --git a/hieradata/common.yaml b/hieradata/common.yaml
index d3d3a15..4183ccd 100644
--- a/hieradata/common.yaml
+++ b/hieradata/common.yaml
@@ -36,6 +36,12 @@ lookup_options:
 profiles::haproxy::server::listeners:
 merge:
 strategy: deep
+ profiles::accounts::root::sshkeys:
+ merge:
+ strategy: deep
+ profiles::accounts::sysadmin::sshkeys:
+ merge:
+ strategy: deep
 haproxy::backend:
 merge:
 strategy: deep
@@ -137,6 +143,20 @@ lookup_options:
 strategy: deep
 k8s::server::resources::bootstrap::secret:
 convert_to: "Sensitive"
+ profiles::etcd::node::initial_cluster_token:
+ convert_to: Sensitive
+ sysctl::base::values:
+ merge:
+ strategy: deep
+ limits::entries:
+ merge:
+ strategy: deep
+ zfs::zpools:
+ merge:
+ strategy: deep
+ zfs::datasets:
+ merge:
+ strategy: deep
 facts_path: '/opt/puppetlabs/facter/facts.d'
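Review bot: `profiles::accounts::root::sshkeys` and `profiles::accounts::sysadmin::sshkeys` now deep-merge across the whole hierarchy, which makes authorized keys additive: a key granted in common.yaml can no longer be removed for one region or node by overriding the key there, and any layer, including a single node file, can add a root key. That is a common choice for these lists, but it changes how revocation works (the key has to be deleted from every layer that contributes it), so a comment next to the two entries stating that, e.g. `# additive across layers: revoke by removing the key everywhere, not by overriding`, would help. Whether the accounts profile prunes keys it no longer manages, so that a removed entry is actually withdrawn from authorized_keys, is not visible in this hunk.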
@@ -145,6 +165,8 @@ hiera_include:
 - networking
 - ssh::server
 - profiles::accounts::rundeck
+ - limits
+ - sysctl::base
 profiles::ntp::client::ntp_role: 'roles::infra::ntp::server'
 profiles::ntp::client::use_ntp: 'region'
@@ -157,9 +179,22 @@ profiles::ntp::client::peers:
 profiles::base::puppet_servers:
 - 'prodinf01n01.main.unkin.net'
+consul::install_method: 'package'
+consul::manage_repo: false
+consul::bin_dir: /usr/bin
+
+vault::install_method: 'repo'
+vault::manage_repo: false
+vault::bin_dir: /usr/bin
+vault::manage_service_file: true
+vault::manage_config_dir: true
+vault::disable_mlock: false
+
+profiles::dns::base::nameservers:
+ - 198.18.19.16
 profiles::dns::master::basedir: '/var/named/sources'
-profiles::dns::base::ns_role: 'roles::infra::dns::resolver'
-profiles::dns::base::use_ns: 'region'
+#profiles::dns::base::ns_role: 'roles::infra::dns::resolver'
+#profiles::dns::base::use_ns: 'region'
 profiles::consul::server::members_role: roles::infra::storage::consul
 profiles::consul::token::node_editor::accessor_id: '024e27bd-c5bb-41e7-a578-b766509e11bc'
 profiles::consul::client::members_lookup: true
@@ -322,6 +357,7 @@ networking::route_defaults:
 netmask: 0.0.0.0
 network: default
+# FIXME these are for the proxmox ceph cluster
 profiles::ceph::client::fsid: 7f7f00cb-95de-498c-8dcc-14b54e4e9ca8
 profiles::ceph::client::mons:
 - 10.18.15.1
diff --git a/hieradata/country/au/region/drw1.yaml b/hieradata/country/au/region/drw1.yaml
index 703d863..712da42 100644
--- a/hieradata/country/au/region/drw1.yaml
+++ b/hieradata/country/au/region/drw1.yaml
@@ -1,2 +1,9 @@
 ---
 timezone::timezone: 'Australia/Darwin'
+profiles_dns_upstream_forwarder_unkin:
+ - 198.18.17.23
+ - 198.18.17.24
+profiles_dns_upstream_forwarder_consul:
+ - 198.18.17.34
+ - 198.18.17.35
+ - 198.18.17.36
diff --git a/hieradata/country/au/region/drw1/infra/dns/resolver.yaml b/hieradata/country/au/region/drw1/infra/dns/resolver.yaml
index 157667c..ed97d53 100644
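Review bot: In the `@@ -157,9 +179,22 @@` hunk the role-based resolver lookup is replaced by one hard-coded nameserver (`profiles::dns::base::nameservers: - 198.18.19.16`) while the old keys are kept as commented-out lines, which leaves dead configuration behind instead of recording the reason. The address matches `dns_resolver_anycast_ip` in the new ausyd1nxvm2032–2034 node files, so if that is the intent, say so and drop the two `#profiles::dns::base::…` lines, e.g. `# single entry on purpose: 198.18.19.16 is the resolver anycast address (see dns_resolver_anycast_ip on the resolver nodes)`. The same hunk sets `consul::manage_repo: false` and `vault::manage_repo: false` with `install_method` `'package'`/`'repo'`, so the binaries come from whichever repositories another hiera layer defines; a short comment naming that source would make the dependency explicit.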
--- a/hieradata/country/au/region/drw1/infra/dns/resolver.yaml
+++ b/hieradata/country/au/region/drw1/infra/dns/resolver.yaml
@@ -1,52 +1 @@
 ---
-profiles::dns::resolver::zones:
- main.unkin.net-forward:
- domain: 'main.unkin.net'
- zone_type: 'forward'
- forwarders:
- - 198.18.17.23
- - 198.18.17.24
- forward: 'only'
- 13.18.198.in-addr.arpa-forward:
- domain: '13.18.198.in-addr.arpa'
- zone_type: 'forward'
- forwarders:
- - 198.18.17.23
- - 198.18.17.24
- forward: 'only'
- 14.18.198.in-addr.arpa-forward:
- domain: '14.18.198.in-addr.arpa'
- zone_type: 'forward'
- forwarders:
- - 198.18.17.23
- - 198.18.17.24
- forward: 'only'
- 15.18.198.in-addr.arpa-forward:
- domain: '15.18.198.in-addr.arpa'
- zone_type: 'forward'
- forwarders:
- - 198.18.17.23
- - 198.18.17.24
- forward: 'only'
- 16.18.198.in-addr.arpa-forward:
- domain: '16.18.198.in-addr.arpa'
- zone_type: 'forward'
- forwarders:
- - 198.18.17.23
- - 198.18.17.24
- forward: 'only'
- 17.18.198.in-addr.arpa-forward:
- domain: '17.18.198.in-addr.arpa'
- zone_type: 'forward'
- forwarders:
- - 198.18.17.23
- - 198.18.17.24
- forward: 'only'
- consul-forward:
- domain: 'consul'
- zone_type: 'forward'
- forwarders:
- - 198.18.17.34
- - 198.18.17.35
- - 198.18.17.36
- forward: 'only'
diff --git a/hieradata/country/au/region/syd1.yaml b/hieradata/country/au/region/syd1.yaml
index 4175d66..2d28c82 100644
--- a/hieradata/country/au/region/syd1.yaml
+++ b/hieradata/country/au/region/syd1.yaml
@@ -1,3 +1,7 @@
 ---
 timezone::timezone: 'Australia/Sydney'
 certbot::client::webserver: ausyd1nxvm1021.main.unkin.net
+profiles_dns_upstream_forwarder_unkin:
+ - 198.18.19.15
+profiles_dns_upstream_forwarder_consul:
+ - 198.18.19.14
diff --git a/hieradata/country/au/region/syd1/infra/dns/resolver.yaml b/hieradata/country/au/region/syd1/infra/dns/resolver.yaml
index 088f065..ed97d53 100644
--- a/hieradata/country/au/region/syd1/infra/dns/resolver.yaml
+++ b/hieradata/country/au/region/syd1/infra/dns/resolver.yaml
@@ -1,52 +1 @@
 ---
-profiles::dns::resolver::zones:
- main.unkin.net-forward:
- domain: 'main.unkin.net'
- zone_type: 'forward'
- forwarders:
- - 198.18.13.14
- - 198.18.13.15
- forward: 'only'
- 13.18.198.in-addr.arpa-forward:
- domain: '13.18.198.in-addr.arpa'
- zone_type: 'forward'
- forwarders:
- - 198.18.13.14
- - 198.18.13.15
- forward: 'only'
- 14.18.198.in-addr.arpa-forward:
- domain: '14.18.198.in-addr.arpa'
- zone_type: 'forward'
- forwarders:
- - 198.18.13.14
- - 198.18.13.15
- forward: 'only'
- 15.18.198.in-addr.arpa-forward:
- domain: '15.18.198.in-addr.arpa'
- zone_type: 'forward'
- forwarders:
- - 198.18.13.14
- - 198.18.13.15
- forward: 'only'
- 16.18.198.in-addr.arpa-forward:
- domain: '16.18.198.in-addr.arpa'
- zone_type: 'forward'
- forwarders:
- - 198.18.13.14
- - 198.18.13.15
- forward: 'only'
- 17.18.198.in-addr.arpa-forward:
- domain: '17.18.198.in-addr.arpa'
- zone_type: 'forward'
- forwarders:
- - 198.18.13.14
- - 198.18.13.15
- forward: 'only'
- consul-forward:
- domain: 'consul'
- zone_type: 'forward'
- forwarders:
- - 198.18.13.19
- - 198.18.13.20
- - 198.18.13.21
- forward: 'only'
diff --git a/hieradata/nodes/ausyd1nxvm1067.main.unkin.net.yaml b/hieradata/nodes/ausyd1nxvm1067.main.unkin.net.yaml
index 0645dfd..4ec44f8 100644
--- a/hieradata/nodes/ausyd1nxvm1067.main.unkin.net.yaml
+++ b/hieradata/nodes/ausyd1nxvm1067.main.unkin.net.yaml
@@ -2,6 +2,14 @@ networking::interfaces:
 eth0:
 ipaddress: 198.18.13.77
+ ens19:
+ ensure: present
+ family: inet
+ method: static
+ ipaddress: 10.18.15.77
+ netmask: 255.255.255.0
+ onboot: true
 networking::routes:
 default:
 gateway: 198.18.13.254
+docker::bip: '198.18.67.254/24'
diff --git a/hieradata/nodes/ausyd1nxvm1068.main.unkin.net.yaml b/hieradata/nodes/ausyd1nxvm1068.main.unkin.net.yaml
index c52cba9..2089753 100644
--- a/hieradata/nodes/ausyd1nxvm1068.main.unkin.net.yaml
+++ b/hieradata/nodes/ausyd1nxvm1068.main.unkin.net.yaml
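Review bot: `docker::bip: '198.18.67.254/24'` places the Docker bridge inside the same 198.18.0.0/15 space that the rest of this hieradata uses for routed subnets (198.18.13.x, 198.18.15.x, 198.18.19.x and so on); if 198.18.67.0/24 is not reserved for this host, the local bridge route will shadow any prefix later allocated there. A comment recording the reservation makes that intent checkable, e.g. `docker::bip: '198.18.67.254/24'  # per-host docker bridge, reserved, not routed`; the same applies to ausyd1nxvm1068 and ausyd1nxvm1069 with 198.18.68.0/24 and 198.18.69.0/24. The new `ens19` stanza on 10.18.15.77 (the network `profiles::ceph::client::mons` points at) sets no `mtu`, unlike the dummy interfaces added elsewhere in this commit, which is fine if the interface default is wanted but worth confirming for the storage path.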
@@ -2,6 +2,14 @@ networking::interfaces:
 eth0:
 ipaddress: 198.18.13.78
+ ens19:
+ ensure: present
+ family: inet
+ method: static
+ ipaddress: 10.18.15.78
+ netmask: 255.255.255.0
+ onboot: true
 networking::routes:
 default:
- gateway: 198.18.13.254
\ No newline at end of file
+ gateway: 198.18.13.254
+docker::bip: '198.18.68.254/24'
diff --git a/hieradata/nodes/ausyd1nxvm1069.main.unkin.net.yaml b/hieradata/nodes/ausyd1nxvm1069.main.unkin.net.yaml
index b802e58..6dc3c14 100644
--- a/hieradata/nodes/ausyd1nxvm1069.main.unkin.net.yaml
+++ b/hieradata/nodes/ausyd1nxvm1069.main.unkin.net.yaml
@@ -2,6 +2,14 @@ networking::interfaces:
 eth0:
 ipaddress: 198.18.13.79
+ ens19:
+ ensure: present
+ family: inet
+ method: static
+ ipaddress: 10.18.15.79
+ netmask: 255.255.255.0
+ onboot: true
 networking::routes:
 default:
- gateway: 198.18.13.254
\ No newline at end of file
+ gateway: 198.18.13.254
+docker::bip: '198.18.69.254/24'
diff --git a/hieradata/nodes/ausyd1nxvm1070.main.unkin.net.yaml b/hieradata/nodes/ausyd1nxvm1070.main.unkin.net.yaml
new file mode 100644
index 0000000..4983f52
--- /dev/null
+++ b/hieradata/nodes/ausyd1nxvm1070.main.unkin.net.yaml
@@ -0,0 +1,7 @@
+---
+networking::interfaces:
+ eth0:
+ ipaddress: 198.18.13.80
+networking::routes:
+ default:
+ gateway: 198.18.13.254
\ No newline at end of file
diff --git a/hieradata/nodes/ausyd1nxvm1071.main.unkin.net.yaml b/hieradata/nodes/ausyd1nxvm1071.main.unkin.net.yaml
new file mode 100644
index 0000000..0dffb7a
--- /dev/null
+++ b/hieradata/nodes/ausyd1nxvm1071.main.unkin.net.yaml
@@ -0,0 +1,7 @@
+---
+networking::interfaces:
+ eth0:
+ ipaddress: 198.18.13.81
+networking::routes:
+ default:
+ gateway: 198.18.13.254
\ No newline at end of file
diff --git a/hieradata/nodes/ausyd1nxvm1072.main.unkin.net.yaml b/hieradata/nodes/ausyd1nxvm1072.main.unkin.net.yaml
new file mode 100644
index 0000000..97bf7f6
--- /dev/null
+++ b/hieradata/nodes/ausyd1nxvm1072.main.unkin.net.yaml
@@ -0,0 +1,7 @@
+---
+networking::interfaces:
+ eth0:
+ ipaddress: 198.18.13.82
+networking::routes:
+ default:
+ gateway: 198.18.13.254
\ No newline at end of file
diff --git a/hieradata/nodes/ausyd1nxvm2005.main.unkin.net.yaml b/hieradata/nodes/ausyd1nxvm2005.main.unkin.net.yaml
new file mode 100644
index 0000000..f873956
--- /dev/null
+++ b/hieradata/nodes/ausyd1nxvm2005.main.unkin.net.yaml
@@ -0,0 +1,47 @@
+---
+hiera_include:
+ - frrouting
+
+# networking
+profiles::consul::server::anycast_ip: 198.18.19.14
+systemd::manage_networkd: true
+systemd::manage_all_network_files: true
+networking::interfaces:
+ eth0:
+ type: physical
+ forwarding: true
+ dhcp: true
+ anycast0:
+ type: dummy
+ ipaddress: "%{hiera('profiles::consul::server::anycast_ip')}"
+ netmask: 255.255.255.255
+ mtu: 1500
+
+# frrouting
+frrouting::ospfd_router_id: "%{facts.networking.ip}"
+frrouting::ospfd_redistribute:
+ - connected
+frrouting::ospfd_interfaces:
+ eth0:
+ area: 0.0.0.0
+ anycast0:
+ area: 0.0.0.0
+frrouting::daemons:
+ ospfd: true
+
+# additional repos
+profiles::yum::global::repos:
+ frr-extras:
+ name: frr-extras
+ descr: frr-extras repository
+ target: /etc/yum.repos.d/frr-extras.repo
+ baseurl: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os
+ gpgkey: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
+ mirrorlist: absent
+ frr-stable:
+ name: frr-stable
+ descr: frr-stable repository
+ target: /etc/yum.repos.d/frr-stable.repo
+ baseurl: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os
+ gpgkey: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
+ mirrorlist: absent
diff --git a/hieradata/nodes/ausyd1nxvm2006.main.unkin.net.yaml b/hieradata/nodes/ausyd1nxvm2006.main.unkin.net.yaml
new file mode 100644
index 0000000..f873956
--- /dev/null
+++ b/hieradata/nodes/ausyd1nxvm2006.main.unkin.net.yaml
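Review bot: `frrouting::ospfd_redistribute: - connected` is unfiltered, so every connected prefix on the node (eth0's DHCP-assigned subnet as well as the anycast0 /32) is injected into OSPF area 0.0.0.0, and with `forwarding: true` on eth0 the host will also carry transit traffic for whatever it advertises. If the `frrouting` class exposes a route-map or prefix-list parameter, limit redistribution to the /32 on anycast0; if it does not, a comment above `frrouting::ospfd_redistribute:` stating that the wider advertisement is intended would stop the next reader from tightening it blindly. The advertisement is tied to the dummy interface rather than to service health, so the /32 stays announced while consul on the node is down, unless something outside this file withdraws it. The same block is copied verbatim into ausyd1nxvm2006–2009 and, with `dns_master_anycast_ip`/`dns_resolver_anycast_ip` in place of the consul key, into ausyd1nxvm2029–2034; the shared keys belong in a role- or group-level hiera file rather than eleven node files.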
@@ -0,0 +1,47 @@
+---
+hiera_include:
+ - frrouting
+
+# networking
+profiles::consul::server::anycast_ip: 198.18.19.14
+systemd::manage_networkd: true
+systemd::manage_all_network_files: true
+networking::interfaces:
+ eth0:
+ type: physical
+ forwarding: true
+ dhcp: true
+ anycast0:
+ type: dummy
+ ipaddress: "%{hiera('profiles::consul::server::anycast_ip')}"
+ netmask: 255.255.255.255
+ mtu: 1500
+
+# frrouting
+frrouting::ospfd_router_id: "%{facts.networking.ip}"
+frrouting::ospfd_redistribute:
+ - connected
+frrouting::ospfd_interfaces:
+ eth0:
+ area: 0.0.0.0
+ anycast0:
+ area: 0.0.0.0
+frrouting::daemons:
+ ospfd: true
+
+# additional repos
+profiles::yum::global::repos:
+ frr-extras:
+ name: frr-extras
+ descr: frr-extras repository
+ target: /etc/yum.repos.d/frr-extras.repo
+ baseurl: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os
+ gpgkey: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
+ mirrorlist: absent
+ frr-stable:
+ name: frr-stable
+ descr: frr-stable repository
+ target: /etc/yum.repos.d/frr-stable.repo
+ baseurl: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os
+ gpgkey: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
+ mirrorlist: absent
diff --git a/hieradata/nodes/ausyd1nxvm2007.main.unkin.net.yaml b/hieradata/nodes/ausyd1nxvm2007.main.unkin.net.yaml
new file mode 100644
index 0000000..f873956
--- /dev/null
+++ b/hieradata/nodes/ausyd1nxvm2007.main.unkin.net.yaml
@@ -0,0 +1,47 @@
+---
+hiera_include:
+ - frrouting
+
+# networking
+profiles::consul::server::anycast_ip: 198.18.19.14
+systemd::manage_networkd: true
+systemd::manage_all_network_files: true
+networking::interfaces:
+ eth0:
+ type: physical
+ forwarding: true
+ dhcp: true
+ anycast0:
+ type: dummy
+ ipaddress: "%{hiera('profiles::consul::server::anycast_ip')}"
+ netmask: 255.255.255.255
+ mtu: 1500
+
+# frrouting
+frrouting::ospfd_router_id: "%{facts.networking.ip}"
+frrouting::ospfd_redistribute:
+ - connected
+frrouting::ospfd_interfaces:
+ eth0:
+ area: 0.0.0.0
+ anycast0:
+ area: 0.0.0.0
+frrouting::daemons:
+ ospfd: true
+
+# additional repos
+profiles::yum::global::repos:
+ frr-extras:
+ name: frr-extras
+ descr: frr-extras repository
+ target: /etc/yum.repos.d/frr-extras.repo
+ baseurl: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os
+ gpgkey: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
+ mirrorlist: absent
+ frr-stable:
+ name: frr-stable
+ descr: frr-stable repository
+ target: /etc/yum.repos.d/frr-stable.repo
+ baseurl: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os
+ gpgkey: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
+ mirrorlist: absent
diff --git a/hieradata/nodes/ausyd1nxvm2008.main.unkin.net.yaml b/hieradata/nodes/ausyd1nxvm2008.main.unkin.net.yaml
new file mode 100644
index 0000000..f873956
--- /dev/null
+++ b/hieradata/nodes/ausyd1nxvm2008.main.unkin.net.yaml
@@ -0,0 +1,47 @@
+---
+hiera_include:
+ - frrouting
+
+# networking
+profiles::consul::server::anycast_ip: 198.18.19.14
+systemd::manage_networkd: true
+systemd::manage_all_network_files: true
+networking::interfaces:
+ eth0:
+ type: physical
+ forwarding: true
+ dhcp: true
+ anycast0:
+ type: dummy
+ ipaddress: "%{hiera('profiles::consul::server::anycast_ip')}"
+ netmask: 255.255.255.255
+ mtu: 1500
+
+# frrouting
+frrouting::ospfd_router_id: "%{facts.networking.ip}"
+frrouting::ospfd_redistribute:
+ - connected
+frrouting::ospfd_interfaces:
+ eth0:
+ area: 0.0.0.0
+ anycast0:
+ area: 0.0.0.0
+frrouting::daemons:
+ ospfd: true
+
+# additional repos
+profiles::yum::global::repos:
+ frr-extras:
+ name: frr-extras
+ descr: frr-extras repository
+ target: /etc/yum.repos.d/frr-extras.repo
+ baseurl: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os
+ gpgkey: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
+ mirrorlist: absent
+ frr-stable:
+ name: frr-stable
+ descr: frr-stable repository
+ target: /etc/yum.repos.d/frr-stable.repo
+ baseurl: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os
+ gpgkey: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
+ mirrorlist: absent
diff --git a/hieradata/nodes/ausyd1nxvm2009.main.unkin.net.yaml b/hieradata/nodes/ausyd1nxvm2009.main.unkin.net.yaml
new file mode 100644
index 0000000..f873956
--- /dev/null
+++ b/hieradata/nodes/ausyd1nxvm2009.main.unkin.net.yaml
@@ -0,0 +1,47 @@
+---
+hiera_include:
+ - frrouting
+
+# networking
+profiles::consul::server::anycast_ip: 198.18.19.14
+systemd::manage_networkd: true
+systemd::manage_all_network_files: true
+networking::interfaces:
+ eth0:
+ type: physical
+ forwarding: true
+ dhcp: true
+ anycast0:
+ type: dummy
+ ipaddress: "%{hiera('profiles::consul::server::anycast_ip')}"
+ netmask: 255.255.255.255
+ mtu: 1500
+
+# frrouting
+frrouting::ospfd_router_id: "%{facts.networking.ip}"
+frrouting::ospfd_redistribute:
+ - connected
+frrouting::ospfd_interfaces:
+ eth0:
+ area: 0.0.0.0
+ anycast0:
+ area: 0.0.0.0
+frrouting::daemons:
+ ospfd: true
+
+# additional repos
+profiles::yum::global::repos:
+ frr-extras:
+ name: frr-extras
+ descr: frr-extras repository
+ target: /etc/yum.repos.d/frr-extras.repo
+ baseurl: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os
+ gpgkey: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
+ mirrorlist: absent
+ frr-stable:
+ name: frr-stable
+ descr: frr-stable repository
+ target: /etc/yum.repos.d/frr-stable.repo
+ baseurl: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os
+ gpgkey: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
+ mirrorlist: absent
diff --git a/hieradata/nodes/ausyd1nxvm2029.main.unkin.net.yaml b/hieradata/nodes/ausyd1nxvm2029.main.unkin.net.yaml
new file mode 100644
index 0000000..ad02274
--- /dev/null
+++ b/hieradata/nodes/ausyd1nxvm2029.main.unkin.net.yaml
@@ -0,0 +1,47 @@
+---
+hiera_include:
+ - frrouting
+
+# networking
+dns_master_anycast_ip: 198.18.19.15
+systemd::manage_networkd: true
+systemd::manage_all_network_files: true
+networking::interfaces:
+ eth0:
+ type: physical
+ forwarding: true
+ dhcp: true
+ anycast0:
+ type: dummy
+ ipaddress: "%{hiera('dns_master_anycast_ip')}"
+ netmask: 255.255.255.255
+ mtu: 1500
+
+# frrouting
+frrouting::ospfd_router_id: "%{facts.networking.ip}"
+frrouting::ospfd_redistribute:
+ - connected
+frrouting::ospfd_interfaces:
+ eth0:
+ area: 0.0.0.0
+ anycast0:
+ area: 0.0.0.0
+frrouting::daemons:
+ ospfd: true
+
+# additional repos
+profiles::yum::global::repos:
+ frr-extras:
+ name: frr-extras
+ descr: frr-extras repository
+ target: /etc/yum.repos.d/frr-extras.repo
+ baseurl: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os
+ gpgkey: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
+ mirrorlist: absent
+ frr-stable:
+ name: frr-stable
+ descr: frr-stable repository
+ target: /etc/yum.repos.d/frr-stable.repo
+ baseurl: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os
+ gpgkey: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
+ mirrorlist: absent
diff --git a/hieradata/nodes/ausyd1nxvm2030.main.unkin.net.yaml b/hieradata/nodes/ausyd1nxvm2030.main.unkin.net.yaml
new file mode 100644
index 0000000..ad02274
--- /dev/null
+++ b/hieradata/nodes/ausyd1nxvm2030.main.unkin.net.yaml
@@ -0,0 +1,47 @@
+---
+hiera_include:
+ - frrouting
+
+# networking
+dns_master_anycast_ip: 198.18.19.15
+systemd::manage_networkd: true
+systemd::manage_all_network_files: true
+networking::interfaces:
+ eth0:
+ type: physical
+ forwarding: true
+ dhcp: true
+ anycast0:
+ type: dummy
+ ipaddress: "%{hiera('dns_master_anycast_ip')}"
+ netmask: 255.255.255.255
+ mtu: 1500
+
+# frrouting
+frrouting::ospfd_router_id: "%{facts.networking.ip}"
+frrouting::ospfd_redistribute:
+ - connected
+frrouting::ospfd_interfaces:
+ eth0:
+ area: 0.0.0.0
+ anycast0:
+ area: 0.0.0.0
+frrouting::daemons:
+ ospfd: true
+
+# additional repos
+profiles::yum::global::repos:
+ frr-extras:
+ name: frr-extras
+ descr: frr-extras repository
+ target: /etc/yum.repos.d/frr-extras.repo
+ baseurl: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os
+ gpgkey: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
+ mirrorlist: absent
+ frr-stable:
+ name: frr-stable
+ descr: frr-stable repository
+ target: /etc/yum.repos.d/frr-stable.repo
+ baseurl: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os
+ gpgkey: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
+ mirrorlist: absent
diff --git a/hieradata/nodes/ausyd1nxvm2031.main.unkin.net.yaml b/hieradata/nodes/ausyd1nxvm2031.main.unkin.net.yaml
new file mode 100644
index 0000000..ad02274
--- /dev/null
+++ b/hieradata/nodes/ausyd1nxvm2031.main.unkin.net.yaml
@@ -0,0 +1,47 @@
+---
+hiera_include:
+ - frrouting
+
+# networking
+dns_master_anycast_ip: 198.18.19.15
+systemd::manage_networkd: true
+systemd::manage_all_network_files: true
+networking::interfaces:
+ eth0:
+ type: physical
+ forwarding: true
+ dhcp: true
+ anycast0:
+ type: dummy
+ ipaddress: "%{hiera('dns_master_anycast_ip')}"
+ netmask: 255.255.255.255
+ mtu: 1500
+
+# frrouting
+frrouting::ospfd_router_id: "%{facts.networking.ip}"
+frrouting::ospfd_redistribute:
+ - connected
+frrouting::ospfd_interfaces:
+ eth0:
+ area: 0.0.0.0
+ anycast0:
+ area: 0.0.0.0
+frrouting::daemons:
+ ospfd: true
+
+# additional repos
+profiles::yum::global::repos:
+ frr-extras:
+ name: frr-extras
+ descr: frr-extras repository
+ target: /etc/yum.repos.d/frr-extras.repo
+ baseurl: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os
+ gpgkey: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
+ mirrorlist: absent
+ frr-stable:
+ name: frr-stable
+ descr: frr-stable repository
+ target: /etc/yum.repos.d/frr-stable.repo
+ baseurl: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os
+ gpgkey: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
+ mirrorlist: absent
diff --git a/hieradata/nodes/ausyd1nxvm2032.main.unkin.net.yaml b/hieradata/nodes/ausyd1nxvm2032.main.unkin.net.yaml
new file mode 100644
index 0000000..69fc05d
--- /dev/null
+++ b/hieradata/nodes/ausyd1nxvm2032.main.unkin.net.yaml
@@ -0,0 +1,47 @@
+---
+hiera_include:
+ - frrouting
+
+# networking
+dns_resolver_anycast_ip: 198.18.19.16
+systemd::manage_networkd: true
+systemd::manage_all_network_files: true
+networking::interfaces:
+ eth0:
+ type: physical
+ forwarding: true
+ dhcp: true
+ anycast0:
+ type: dummy
+ ipaddress: "%{hiera('dns_resolver_anycast_ip')}"
+ netmask: 255.255.255.255
+ mtu: 1500
+
+# frrouting
+frrouting::ospfd_router_id: "%{facts.networking.ip}"
+frrouting::ospfd_redistribute:
+ - connected
+frrouting::ospfd_interfaces:
+ eth0:
+ area: 0.0.0.0
+ anycast0:
+ area: 0.0.0.0
+frrouting::daemons:
+ ospfd: true
+
+# additional repos
+profiles::yum::global::repos:
+ frr-extras:
+ name: frr-extras
+ descr: frr-extras repository
+ target: /etc/yum.repos.d/frr-extras.repo
+ baseurl: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os
+ gpgkey: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
+ mirrorlist: absent
+ frr-stable:
+ name: frr-stable
+ descr: frr-stable repository
+ target: /etc/yum.repos.d/frr-stable.repo
+ baseurl: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os
+ gpgkey: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
+ mirrorlist: absent
diff --git a/hieradata/nodes/ausyd1nxvm2033.main.unkin.net.yaml b/hieradata/nodes/ausyd1nxvm2033.main.unkin.net.yaml
new file mode 100644
index 0000000..69fc05d
--- /dev/null
+++ b/hieradata/nodes/ausyd1nxvm2033.main.unkin.net.yaml
@@ -0,0 +1,47 @@
+---
+hiera_include:
+ - frrouting
+
+# networking
+dns_resolver_anycast_ip: 198.18.19.16
+systemd::manage_networkd: true
+systemd::manage_all_network_files: true
+networking::interfaces:
+ eth0:
+ type: physical
+ forwarding: true
+ dhcp: true
+ anycast0:
+ type: dummy
+ ipaddress: "%{hiera('dns_resolver_anycast_ip')}"
+ netmask: 255.255.255.255
+ mtu: 1500
+
+# frrouting
+frrouting::ospfd_router_id: "%{facts.networking.ip}"
+frrouting::ospfd_redistribute:
+ - connected
+frrouting::ospfd_interfaces:
+ eth0:
+ area: 0.0.0.0
+ anycast0:
+ area: 0.0.0.0
+frrouting::daemons:
+ ospfd: true
+
+# additional repos
+profiles::yum::global::repos:
+ frr-extras:
+ name: frr-extras
+ descr: frr-extras repository
+ target: /etc/yum.repos.d/frr-extras.repo
+ baseurl: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os
+ gpgkey: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
+ mirrorlist: absent
+ frr-stable:
+ name: frr-stable
+ descr: frr-stable repository
+ target: /etc/yum.repos.d/frr-stable.repo
+ baseurl: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os
+ gpgkey: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
+ mirrorlist: absent
diff --git a/hieradata/nodes/ausyd1nxvm2034.main.unkin.net.yaml b/hieradata/nodes/ausyd1nxvm2034.main.unkin.net.yaml
new file mode 100644
index 0000000..69fc05d
--- /dev/null
+++ b/hieradata/nodes/ausyd1nxvm2034.main.unkin.net.yaml
@@ -0,0 +1,47 @@
+---
+hiera_include:
+ - frrouting
+
+# networking
+dns_resolver_anycast_ip: 198.18.19.16
+systemd::manage_networkd: true
+systemd::manage_all_network_files: true
+networking::interfaces:
+ eth0:
+ type: physical
+ forwarding: true
+ dhcp: true
+ anycast0:
+ type: dummy
+ ipaddress: "%{hiera('dns_resolver_anycast_ip')}"
+ netmask: 255.255.255.255
+ mtu: 1500
+
+# frrouting
+frrouting::ospfd_router_id: "%{facts.networking.ip}"
+frrouting::ospfd_redistribute:
+ - connected
+frrouting::ospfd_interfaces:
+ eth0:
+ area: 0.0.0.0
+ anycast0:
+ area: 0.0.0.0
+frrouting::daemons:
+ ospfd: true
+
+# additional repos
+profiles::yum::global::repos:
+ frr-extras:
+ name: frr-extras
+ descr: frr-extras repository
+ target: /etc/yum.repos.d/frr-extras.repo
+ baseurl: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os
+ gpgkey: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
+ mirrorlist: absent
+ frr-stable:
+ name: frr-stable
+ descr: frr-stable repository
+ target: /etc/yum.repos.d/frr-stable.repo
+ baseurl: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os
+ gpgkey: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
+ mirrorlist: absent
diff --git a/hieradata/nodes/ausyd1nxvm2040.main.unkin.net.yaml b/hieradata/nodes/ausyd1nxvm2040.main.unkin.net.yaml
new file mode 100644
index 0000000..3060aaf
--- /dev/null
+++ b/hieradata/nodes/ausyd1nxvm2040.main.unkin.net.yaml
@@ -0,0 +1,2 @@
+---
+networking_loopback0_ip: 198.18.23.40 # ceph-public loopback
diff --git a/hieradata/nodes/ausyd1nxvm2041.main.unkin.net.yaml b/hieradata/nodes/ausyd1nxvm2041.main.unkin.net.yaml
new file mode 100644
index 0000000..a97bdfd
--- /dev/null
+++ b/hieradata/nodes/ausyd1nxvm2041.main.unkin.net.yaml
@@ -0,0 +1,2 @@
+---
+networking_loopback0_ip: 198.18.23.41 # ceph-public loopback
diff --git a/hieradata/nodes/ausyd1nxvm2042.main.unkin.net.yaml b/hieradata/nodes/ausyd1nxvm2042.main.unkin.net.yaml
new file mode 100644
index 0000000..2e9c4ff
--- /dev/null
+++ b/hieradata/nodes/ausyd1nxvm2042.main.unkin.net.yaml
@@ -0,0 +1,2 @@
+---
+networking_loopback0_ip: 198.18.23.42 # ceph-public loopback
diff --git a/hieradata/nodes/ausyd1nxvm2043.main.unkin.net.yaml b/hieradata/nodes/ausyd1nxvm2043.main.unkin.net.yaml
new file mode 100644
index 0000000..e058d7e
--- /dev/null
+++ b/hieradata/nodes/ausyd1nxvm2043.main.unkin.net.yaml
@@ -0,0 +1,2 @@
+---
+networking_loopback0_ip: 198.18.23.43 # ceph-public loopback
diff --git a/hieradata/nodes/ausyd1nxvm2044.main.unkin.net.yaml b/hieradata/nodes/ausyd1nxvm2044.main.unkin.net.yaml
new file mode 100644
index 0000000..5d95d34
--- /dev/null
+++ b/hieradata/nodes/ausyd1nxvm2044.main.unkin.net.yaml
@@ -0,0 +1,2 @@
+---
+networking_loopback0_ip: 198.18.23.44 # ceph-public loopback
diff --git a/hieradata/nodes/prodnxsr0009.main.unkin.net.yaml b/hieradata/nodes/prodnxsr0009.main.unkin.net.yaml
new file mode 100644
index 0000000..a1cc562
--- /dev/null
+++ b/hieradata/nodes/prodnxsr0009.main.unkin.net.yaml
@@ -0,0 +1,18 @@
+---
+networking_loopback0_ip: 198.18.19.9 # management loopback
+networking_loopback1_ip: 198.18.22.9 # ceph-cluster loopback
+networking_loopback2_ip: 198.18.23.9 # ceph-public loopback
+networking_br10_ip: 198.18.25.254
+networking::interfaces:
+ enp2s0:
+ mac: 70:b5:e8:38:e9:8d
+ ipaddress: 198.18.15.9
+ gateway: 198.18.15.254
+ enp3s0:
+ mac: 00:e0:4c:68:0f:5d
+ ipaddress: 198.18.21.9
+
+#zfs::zpools:
+# fastpool:
+# ensure: present
+# disk: /dev/nvme0n1
diff --git a/hieradata/nodes/prodnxsr0010.main.unkin.net.yaml b/hieradata/nodes/prodnxsr0010.main.unkin.net.yaml
new file mode 100644
index 0000000..a7e0f91
--- /dev/null
+++ b/hieradata/nodes/prodnxsr0010.main.unkin.net.yaml
@@ -0,0 +1,13 @@
+---
+networking_loopback0_ip: 198.18.19.10 # management loopback
+networking_loopback1_ip: 198.18.22.10 # ceph-cluster loopback
+networking_loopback2_ip: 198.18.23.10 # ceph-public loopback
+networking_br10_ip: 198.18.26.254
+networking::interfaces:
+ enp2s0:
+ mac: 70:b5:e8:38:e9:37
+ ipaddress: 198.18.15.10
+ gateway: 198.18.15.254
+ enp3s0:
+ mac: 00:e0:4c:68:0f:de
+ ipaddress: 198.18.21.10
diff --git a/hieradata/nodes/prodnxsr0011.main.unkin.net.yaml b/hieradata/nodes/prodnxsr0011.main.unkin.net.yaml
new file mode 100644
index 0000000..e146b42
--- /dev/null
+++ b/hieradata/nodes/prodnxsr0011.main.unkin.net.yaml
@@ -0,0 +1,13 @@
+---
+networking_loopback0_ip: 198.18.19.11 # management loopback
+networking_loopback1_ip: 198.18.22.11 # ceph-cluster loopback
+networking_loopback2_ip: 198.18.23.11 # ceph-public loopback
+networking_br10_ip: 198.18.27.254
+networking::interfaces:
+ enp2s0:
+ mac: 70:b5:e8:38:e9:0f
+ ipaddress: 198.18.15.11
+ gateway: 198.18.15.254
+ enp3s0:
+ mac: 00:e0:4c:68:0f:55
+ ipaddress: 198.18.21.11
diff --git a/hieradata/nodes/prodnxsr0012.main.unkin.net.yaml b/hieradata/nodes/prodnxsr0012.main.unkin.net.yaml
new file mode 100644
index 0000000..c309a59
--- /dev/null
+++ b/hieradata/nodes/prodnxsr0012.main.unkin.net.yaml
@@ -0,0 +1,13 @@
+---
+networking_loopback0_ip: 198.18.19.12 # management loopback
+networking_loopback1_ip: 198.18.22.12 # ceph-cluster loopback
+networking_loopback2_ip: 198.18.23.12 # ceph-public loopback
+networking_br10_ip: 198.18.28.254
+networking::interfaces:
+ enp2s0:
+ mac: 70:b5:e8:4f:05:1e
+ ipaddress: 198.18.15.12
+ gateway: 198.18.15.254
+ enp3s0:
+ mac: 00:e0:4c:68:0f:e5
+ ipaddress: 198.18.21.12
diff --git a/hieradata/nodes/prodnxsr0013.main.unkin.net.yaml b/hieradata/nodes/prodnxsr0013.main.unkin.net.yaml
new file mode 100644
index 0000000..86221c3
--- /dev/null
+++ b/hieradata/nodes/prodnxsr0013.main.unkin.net.yaml
@@ -0,0 +1,13 @@
+---
+networking_loopback0_ip: 198.18.19.13 # management loopback
+networking_loopback1_ip: 198.18.22.13 # ceph-cluster loopback
+networking_loopback2_ip: 198.18.23.13 # ceph-public loopback
+networking_br10_ip: 198.18.29.254
+networking::interfaces:
+ enp2s0:
+ mac: 70:b5:e8:4f:04:b0
+ ipaddress: 198.18.15.13
+ gateway: 198.18.15.254
+ enp3s0:
+ mac: 00:e0:4c:68:0f:36
+ ipaddress: 198.18.21.13
diff --git a/hieradata/os/AlmaLinux/AlmaLinux8.yaml b/hieradata/os/AlmaLinux/AlmaLinux8.yaml
index 808275c..798fea7 100644
--- a/hieradata/os/AlmaLinux/AlmaLinux8.yaml
+++ b/hieradata/os/AlmaLinux/AlmaLinux8.yaml
@@ -13,3 +13,11 @@ profiles::yum::global::repos:
 baseurl: https://edgecache.query.consul/almalinux/%{facts.os.release.full}/PowerTools/%{facts.os.architecture}/os
 gpgkey: http://edgecache.query.consul/almalinux/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
 mirrorlist: absent
+ unkin:
+ name: unkin
+ descr: unkin repository
+ target: /etc/yum.repos.d/unkin.repo
+ baseurl: https://git.query.consul/api/packages/unkin/rpm/almalinux/el8
+ gpgkey: https://git.query.consul/api/packages/unkin/rpm/repository.key
+ gpgcheck: false
+ mirrorlist: absent
diff --git a/hieradata/os/AlmaLinux/AlmaLinux9.yaml b/hieradata/os/AlmaLinux/AlmaLinux9.yaml
index f275d86..f3f218e 100644
--- a/hieradata/os/AlmaLinux/AlmaLinux9.yaml
+++ b/hieradata/os/AlmaLinux/AlmaLinux9.yaml
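Review bot: The `unkin` repository block sets `gpgcheck: false` while also supplying a `gpgkey`, so the signing key is fetched but package signatures are never verified and trust rests entirely on TLS to git.query.consul. Since a key is published at `.../unkin/rpm/repository.key`, this should be `gpgcheck: true`; if the packages there are genuinely unsigned, say so next to the flag, `# gpgcheck off: packages in this repo are unsigned`, so the exception is deliberate rather than inherited. The same `gpgcheck: false` appears in the `unkin` block of hieradata/os/AlmaLinux/AlmaLinux9.yaml and the `unkinben` block of hieradata/roles/apps/media/jellyfin.yaml in this commit.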
@@ -3,10 +3,34 @@
 crypto_policies::policy: 'DEFAULT:SHA1'
 profiles::yum::global::repos:
+ baseos:
+ baseurl: https://packagerepo.service.consul/almalinux/%{facts.os.release.full}/baseos-daily/%{facts.os.architecture}/os/
+ gpgkey: https://packagerepo.service.consul/almalinux/%{facts.os.release.full}/baseos-daily/%{facts.os.architecture}/os//RPM-GPG-KEY-AlmaLinux-9
+ mirrorlist: absent
+ extras:
+ baseurl: https://packagerepo.service.consul/almalinux/%{facts.os.release.full}/extras-daily/%{facts.os.architecture}/os/
+ gpgkey: https://packagerepo.service.consul/almalinux/%{facts.os.release.full}/extras-daily/%{facts.os.architecture}/os//RPM-GPG-KEY-AlmaLinux-9
+ mirrorlist: absent
+ appstream:
+ baseurl: https://packagerepo.service.consul/almalinux/%{facts.os.release.full}/appstream-daily/%{facts.os.architecture}/os/
+ gpgkey: https://packagerepo.service.consul/almalinux/%{facts.os.release.full}/appstream-daily/%{facts.os.architecture}/os//RPM-GPG-KEY-AlmaLinux-9
+ mirrorlist: absent
+ highavailability:
+ baseurl: https://packagerepo.service.consul/almalinux/%{facts.os.release.full}/ha-daily/%{facts.os.architecture}/os/
+ gpgkey: https://packagerepo.service.consul/almalinux/%{facts.os.release.full}/ha-daily/%{facts.os.architecture}/os//RPM-GPG-KEY-AlmaLinux-9
+ mirrorlist: absent
 crb:
 name: crb
 descr: crb repository
 target: /etc/yum.repos.d/crb.repo
- baseurl: https://edgecache.query.consul/almalinux/%{facts.os.release.full}/CRB/%{facts.os.architecture}/os
- gpgkey: http://edgecache.query.consul/almalinux/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
+ baseurl: https://packagerepo.service.consul/almalinux/%{facts.os.release.full}/crb-daily/%{facts.os.architecture}/os/
+ gpgkey: https://packagerepo.service.consul/almalinux/%{facts.os.release.full}/crb-daily/%{facts.os.architecture}/os//RPM-GPG-KEY-AlmaLinux-9
+ mirrorlist: absent
+ unkin:
+ name: unkin
+ descr: unkin repository
+ target: /etc/yum.repos.d/unkin.repo
+ baseurl: https://git.query.consul/api/packages/unkin/rpm/almalinux/el9
+ gpgkey: https://git.query.consul/api/packages/unkin/rpm/repository.key
+ gpgcheck: false
 mirrorlist: absent
diff --git a/hieradata/os/AlmaLinux/all_releases.yaml b/hieradata/os/AlmaLinux/all_releases.yaml
index db5a2e1..251649b 100644
--- a/hieradata/os/AlmaLinux/all_releases.yaml
+++ b/hieradata/os/AlmaLinux/all_releases.yaml
@@ -9,6 +9,7 @@ hiera_include:
 - profiles::almalinux::base
 profiles::packages::include:
+ crypto-policies-scripts: {}
 lzo: {}
 policycoreutils: {}
 unar: {}
@@ -59,14 +60,6 @@ profiles::yum::global::repos:
 baseurl: https://packagerepo.service.consul/puppet7/el/%{facts.os.release.major}-daily/%{facts.os.architecture}/os/
 gpgkey: https://packagerepo.service.consul/puppet7/el/%{facts.os.release.major}-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-puppet-20250406
 mirrorlist: absent
- unkin:
- name: unkin
- descr: unkin repository
- target: /etc/yum.repos.d/unkin.repo
- baseurl: https://git.query.consul/api/packages/unkin/rpm/almalinux/el8
- gpgkey: https://git.query.consul/api/packages/unkin/rpm/repository.key
- gpgcheck: false
- mirrorlist: absent
 unkinben:
 name: unkinben
 descr: unkinben repository
diff --git a/hieradata/os/Debian/all_releases.yaml b/hieradata/os/Debian/all_releases.yaml
index bd8f426..efd71f9 100644
--- a/hieradata/os/Debian/all_releases.yaml
+++ b/hieradata/os/Debian/all_releases.yaml
@@ -13,3 +13,7 @@ profiles::packages::include:
 lm-sensors::package: lm-sensors
 networking::nwmgr_dns_none: false
+
+consul::install_method: 'url'
+consul::manage_repo: false
+consul::bin_dir: /usr/local/bin
diff --git a/hieradata/roles/apps/media/jellyfin.yaml b/hieradata/roles/apps/media/jellyfin.yaml
index 7c0a226..a1e197c 100644
--- a/hieradata/roles/apps/media/jellyfin.yaml
+++ b/hieradata/roles/apps/media/jellyfin.yaml
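Review bot: The new `baseos`, `extras`, `appstream` and `highavailability` entries carry only `baseurl`, `gpgkey` and `mirrorlist`, whereas `crb` and every other repo in this file also set `name`, `descr` and `target`; unless the profile deep-merges these over entries defined elsewhere, they will be realised with whatever defaults the yumrepo resource applies, which is a different shape from the rest. Every new `gpgkey` URL also has a doubled slash (`.../os//RPM-GPG-KEY-AlmaLinux-9`) because `baseurl` now ends in `/`; most servers tolerate it, but normalising to `.../os/RPM-GPG-KEY-AlmaLinux-9` keeps the key path consistent with the `frr` and `puppet7` entries. The hunk keeps `crypto_policies::policy: 'DEFAULT:SHA1'` as context, so the new repos are being added on hosts already running with SHA-1 re-enabled, which makes signature verification on these repos all the more worth keeping on.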
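Review bot: `consul::install_method: 'url'` together with `consul::manage_repo: false` moves Debian hosts off apt-signed packages onto a direct archive download into `/usr/local/bin`, and nothing in this hunk pins a version or a checksum for that download. Check that the module's URL install path verifies the archive it fetches and pin `consul::version` alongside these keys, otherwise a mis-resolved or compromised download host can replace the agent silently on every fresh host. A one-line comment such as `# url install: no signed apt repo for this release` would also explain the deviation from the AlmaLinux hosts, which stay on repo-based installs.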
@@ -2,6 +2,12 @@
 hiera_include:
 - jellyfin
+profiles::packages::include:
+ intel-media-driver: {}
+ libva-intel-driver: {}
+ libva-intel-hybrid-driver: {}
+ intel-mediasdk: {}
+
 # manage jellyfin
 jellyfin::params::service_enable: true
@@ -61,3 +67,11 @@ profiles::yum::global::repos:
 baseurl: https://download1.rpmfusion.org/nonfree/el/updates/%{facts.os.release.major}/%{facts.os.architecture}
 gpgkey: https://download1.rpmfusion.org/nonfree/el/RPM-GPG-KEY-rpmfusion-nonfree-el-%{facts.os.release.major}
 mirrorlist: absent
+ unkinben:
+ name: unkinben
+ descr: unkinben repository
+ target: /etc/yum.repos.d/unkin.repo
+ baseurl: https://git.query.consul/api/packages/unkinben/rpm/el8
+ gpgkey: https://git.query.consul/api/packages/unkinben/rpm/repository.key
+ gpgcheck: false
+ mirrorlist: absent
diff --git a/hieradata/roles/apps/media/lidarr.yaml b/hieradata/roles/apps/media/lidarr.yaml
index 5c3b754..87911c3 100644
--- a/hieradata/roles/apps/media/lidarr.yaml
+++ b/hieradata/roles/apps/media/lidarr.yaml
@@ -2,6 +2,7 @@
 hiera_include:
 - lidarr
 - profiles::nginx::ldapauth
+ - profiles::media::lidarr
 # manage lidarr
 lidarr::params::user: lidarr
diff --git a/hieradata/roles/apps/media/nzbget.yaml b/hieradata/roles/apps/media/nzbget.yaml
index b46cca5..7a751db 100644
--- a/hieradata/roles/apps/media/nzbget.yaml
+++ b/hieradata/roles/apps/media/nzbget.yaml
@@ -5,6 +5,9 @@ hiera_include:
 - profiles::media::nzbget
 - profiles::nginx::ldapauth
+profiles::packages::include:
+ unrar: {}
+
 # manage nzbget
 nzbget::params::user: nzbget
 nzbget::params::group: media
diff --git a/hieradata/roles/apps/media/prowlarr.yaml b/hieradata/roles/apps/media/prowlarr.yaml
index 7ee7e70..38280cb 100644
--- a/hieradata/roles/apps/media/prowlarr.yaml
+++ b/hieradata/roles/apps/media/prowlarr.yaml
@@ -2,6 +2,7 @@
 hiera_include:
 - prowlarr
 - profiles::nginx::ldapauth
+ - profiles::media::prowlarr
 # manage prowlarr
 prowlarr::params::user: prowlarr
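Review bot: The `unkinben` repo added at the end of jellyfin.yaml has `target: /etc/yum.repos.d/unkin.repo`, which is the file the separate `unkin` repo in hieradata/os/AlmaLinux/AlmaLinux8.yaml targets; every sibling field here says `unkinben`, so this reads as a copy-paste slip. If the profile honours `target`, two yumrepo resources will contend for one file; the fix is `target: /etc/yum.repos.d/unkinben.repo`. The entry also hard-codes `el8` in `baseurl` while the rpmfusion entries just above it use `%{facts.os.release.major}`, so a 9 host picking up this role would be pointed at 8 packages.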
diff --git a/hieradata/roles/apps/media/radarr.yaml b/hieradata/roles/apps/media/radarr.yaml
index 1cd50a4..64c9076 100644
--- a/hieradata/roles/apps/media/radarr.yaml
+++ b/hieradata/roles/apps/media/radarr.yaml
@@ -2,6 +2,7 @@
 hiera_include:
 - radarr
 - profiles::nginx::ldapauth
+ - profiles::media::radarr
 # manage radarr
 radarr::params::user: radarr
diff --git a/hieradata/roles/apps/media/readarr.yaml b/hieradata/roles/apps/media/readarr.yaml
index ee17dce..b8cf38c 100644
--- a/hieradata/roles/apps/media/readarr.yaml
+++ b/hieradata/roles/apps/media/readarr.yaml
@@ -2,6 +2,7 @@
 hiera_include:
 - readarr
 - profiles::nginx::ldapauth
+ - profiles::media::readarr
 # manage readarr
 readarr::params::user: readarr
diff --git a/hieradata/roles/apps/media/sonarr.yaml b/hieradata/roles/apps/media/sonarr.yaml
index 578bbff..32969e0 100644
--- a/hieradata/roles/apps/media/sonarr.yaml
+++ b/hieradata/roles/apps/media/sonarr.yaml
@@ -2,6 +2,7 @@
 hiera_include:
 - sonarr
 - profiles::nginx::ldapauth
+ - profiles::media::sonarr
 # manage sonarr
 sonarr::params::user: sonarr
diff --git a/hieradata/roles/ceph.yaml b/hieradata/roles/ceph.yaml
new file mode 100644
index 0000000..cf89fc5
--- /dev/null
+++ b/hieradata/roles/ceph.yaml
@@ -0,0 +1,60 @@
+---
+hiera_include:
+ - frrouting
+
+# networking
+systemd::manage_networkd: true
+systemd::manage_all_network_files: true
+networking::interfaces:
+ eth0:
+ type: physical
+ forwarding: true
+ dhcp: true
+ loopback0:
+ type: dummy
+ ipaddress: "%{hiera('networking_loopback0_ip')}" # ceph public network
+ netmask: 255.255.255.255
+ mtu: 1500
+
+# frrouting
+frrouting::ospfd_router_id: "%{facts.networking.ip}"
+frrouting::ospfd_redistribute:
+ - connected
+frrouting::ospfd_interfaces:
+ eth0:
+ area: 0.0.0.0
+ loopback0:
+ area: 0.0.0.0
+frrouting::daemons:
+ ospfd: true
+
+# additional repos
+profiles::yum::global::repos:
+ ceph:
+ name: ceph
+ descr: ceph repository
+ target: /etc/yum.repos.d/ceph.repo
+ baseurl: https://edgecache.query.consul/ceph/yum/el%{facts.os.release.major}/%{facts.os.architecture}
+ gpgkey: https://download.ceph.com/keys/release.asc
+ mirrorlist: absent
+ ceph-noarch:
+ name: ceph-noarch
+ descr: ceph-noarch repository
+ target: /etc/yum.repos.d/ceph-noarch.repo
+ baseurl: https://edgecache.query.consul/ceph/yum/el%{facts.os.release.major}/noarch
+ gpgkey: https://download.ceph.com/keys/release.asc
+ mirrorlist: absent
+ frr-extras:
+ name: frr-extras
+ descr: frr-extras repository
+ target: /etc/yum.repos.d/frr-extras.repo
+ baseurl: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os
+ gpgkey: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
+ mirrorlist: absent
+ frr-stable:
+ name: frr-stable
+ descr: frr-stable repository
+ target: /etc/yum.repos.d/frr-stable.repo
+ baseurl: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os
+ gpgkey: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
+ mirrorlist: absent
diff --git a/hieradata/roles/ceph/mon.yaml b/hieradata/roles/ceph/mon.yaml
new file mode 100644
index 0000000..e69de29
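Review bot: The `loopback0` comment `# ceph public network` is only true for the ausyd1nxvm204x nodes, where `networking_loopback0_ip` is 198.18.23.x; on the prodnxsr00xx nodes added in the same commit `networking_loopback0_ip` is the 198.18.19.x management loopback and the ceph-public address lives in `networking_loopback2_ip`. A host that ever picks up both this role and the incus node role would therefore advertise its management loopback as its ceph public address, so either key the ceph role on a dedicated `networking_ceph_public_ip` lookup or state the constraint, `# loopback0 must be the ceph-public address on hosts with this role; incus nodes use loopback2`. hieradata/roles/ceph/mon.yaml is created empty, which is fine as a placeholder but worth a `---` and a comment so it is not mistaken for a truncated file.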
diff --git a/hieradata/roles/infra/auth/glauth.yaml b/hieradata/roles/infra/auth/glauth.yaml
index d3c9799..e313e40 100644
--- a/hieradata/roles/infra/auth/glauth.yaml
+++ b/hieradata/roles/infra/auth/glauth.yaml
@@ -191,6 +191,18 @@ glauth::users:
 loginshell: '/bin/bash'
 homedir: '/home/sudobo'
 passsha256: 'a326e049c2a615226877946220a978a0a8247c569be1adcd73539b09b14136d0'
+ waewak:
+ user_name: 'waewak'
+ givenname: 'Waew'
+ sn: 'Wakul'
+ mail: 'waewak@users.main.unkin.net'
+ uidnumber: 20008
+ primarygroup: 20000
+ othergroups:
+ - 20010 # jelly
+ loginshell: '/bin/bash'
+ homedir: '/home/waewak'
+ passsha256: 'd9bb99634215fe031c3bdca94149a165192fe8384ecaa238a19354c2f760a811'
 glauth::services:
 svc_jellyfin:
diff --git a/hieradata/roles/infra/automation/rundeck.yaml b/hieradata/roles/infra/automation/rundeck.yaml
index f46abc1..8fc070a 100644
--- a/hieradata/roles/infra/automation/rundeck.yaml
+++ b/hieradata/roles/infra/automation/rundeck.yaml
@@ -91,7 +91,7 @@ profiles::rundeck::server::key_storage_config:
 path: 'vault'
 config:
 prefix: 'rundeck'
- address: https://vault.query.consul:8200
+ address: https://vault.service.consul:8200
 storageBehaviour: 'vault'
 secretBackend: rundeck
 engineVersion: '2'
diff --git a/hieradata/roles/infra/dhcp/server.yaml b/hieradata/roles/infra/dhcp/server.yaml
index a186d6c..8dc6d38 100644
--- a/hieradata/roles/infra/dhcp/server.yaml
+++ b/hieradata/roles/infra/dhcp/server.yaml
@@ -15,9 +15,7 @@ profiles::dhcp::server::pools:
 range:
 - '198.18.15.200 198.18.15.220'
 gateway: 198.18.15.254
- nameservers:
- - 198.18.13.12
- - 198.18.13.13
+ nameservers: "%{alias('profiles_dns_upstream_forwarder_unkin')}"
 domain_name: main.unkin.net
 pxeserver: 198.18.13.27
 syd1-test:
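Review bot: The new `waewak` entry stores its credential as `passsha256`, an unsalted SHA-256 of the password, in a plain `.yaml` file, while this same commit puts comparable secrets in `.eyaml` (`ENC[PKCS7,...]` in the etcd and incus node files). An unsalted fast hash in cleartext hieradata is recoverable offline by anyone with read access to the repository or its backups, so the value belongs in the role's `.eyaml`, and if the glauth module passes the field through, `passbcrypt` should replace `passsha256`. The pre-existing `sudobo` entry in the context has the same shape, so this is a file-wide follow-up rather than a blocker for one user; a `# TODO: migrate users to passbcrypt in eyaml` at the top of `glauth::users` would keep it from being forgotten.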
@@ -26,9 +24,7 @@ profiles::dhcp::server::pools:
 range:
 - '198.18.16.200 198.18.16.220'
 gateway: 198.18.16.254
- nameservers:
- - 198.18.13.12
- - 198.18.13.13
+ nameservers: "%{alias('profiles_dns_upstream_forwarder_unkin')}"
 domain_name: main.unkin.net
 pxeserver: 198.18.13.27
 syd1-prod1:
@@ -37,9 +33,7 @@ profiles::dhcp::server::pools:
 range:
 - '198.18.13.200 198.18.13.220'
 gateway: 198.18.13.254
- nameservers:
- - 198.18.13.12
- - 198.18.13.13
+ nameservers: "%{alias('profiles_dns_upstream_forwarder_unkin')}"
 domain_name: main.unkin.net
 pxeserver: 198.18.13.27
 syd1-prod2:
@@ -48,9 +42,7 @@ profiles::dhcp::server::pools:
 range:
 - '198.18.14.200 198.18.14.220'
 gateway: 198.18.14.254
- nameservers:
- - 198.18.13.12
- - 198.18.13.13
+ nameservers: "%{alias('profiles_dns_upstream_forwarder_unkin')}"
 domain_name: main.unkin.net
 pxeserver: 198.18.13.27
 drw1-prod:
@@ -59,9 +51,7 @@ profiles::dhcp::server::pools:
 range:
 - '198.18.17.200 198.18.17.220'
 gateway: 198.18.17.1
- nameservers:
- - 198.18.17.7
- - 198.18.17.8
+ nameservers: "%{alias('profiles_dns_upstream_forwarder_unkin')}"
 domain_name: main.unkin.net
 pxeserver: 198.18.13.27
diff --git a/hieradata/roles/infra/dns/master.yaml b/hieradata/roles/infra/dns/master.yaml
index e9b81b7..c83c101 100644
--- a/hieradata/roles/infra/dns/master.yaml
+++ b/hieradata/roles/infra/dns/master.yaml
@@ -9,6 +9,14 @@ profiles::dns::master::acls:
 - 198.18.15.0/24
 - 198.18.16.0/24
 - 198.18.17.0/24
+ - 198.18.19.0/24
+ - 198.18.20.0/24
+ - 198.18.24.0/24
+ - 198.18.25.0/24
+ - 198.18.26.0/24
+ - 198.18.27.0/24
+ - 198.18.28.0/24
+ - 198.18.29.0/24
 profiles::dns::master::zones:
 main.unkin.net:
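Review bot: All five pools now alias the one `profiles_dns_upstream_forwarder_unkin` list, but the `drw1-prod` pool previously handed out `198.18.17.7` and `198.18.17.8`, site-local resolvers distinct from the `198.18.13.12`/`198.18.13.13` pair the four syd1 pools used. Unless those drw1 addresses are members of the aliased list, drw1 DHCP clients will be sent to resolvers on the far side of the inter-site link and lose name resolution whenever that link is down. If that is the intent, a comment on the pool, `# drw1 intentionally uses the shared unkin forwarders`, would save the next reader the diff archaeology; this applies to all four hunks of hieradata/roles/infra/dhcp/server.yaml, the first of which starts in the previous line.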
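Review bot: The master ACL gains `198.18.19.0/24`, `198.18.20.0/24` and `198.18.24.0/24` through `198.18.29.0/24`, but not `198.18.21.0/24`, `198.18.22.0/24` or `198.18.23.0/24`, even though this commit adds master reverse zones for 21–23 and lists those ranges in the resolver ACL. If this ACL is what gates queries or transfers against the master-zones view, hosts on the ceph cluster/public loopback ranges (for example `networking_loopback1_ip: 198.18.22.x` on the prodnxsr nodes) would be refused while their reverse zones exist; either add the three ranges or note why they are served only through the resolver, `# 21-23 are reachable via the resolver view only`.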
@@ -47,6 +55,72 @@ profiles::dns::master::zones:
 dynamic: false
 ns_notify: true
 source: '/var/named/sources/17.18.198.in-addr.arpa.conf'
+ 19.18.198.in-addr.arpa:
+ domain: '19.18.198.in-addr.arpa'
+ zone_type: 'master'
+ dynamic: false
+ ns_notify: true
+ source: '/var/named/sources/19.18.198.in-addr.arpa.conf'
+ 20.18.198.in-addr.arpa:
+ domain: '20.18.198.in-addr.arpa'
+ zone_type: 'master'
+ dynamic: false
+ ns_notify: true
+ source: '/var/named/sources/20.18.198.in-addr.arpa.conf'
+ 21.18.198.in-addr.arpa:
+ domain: '21.18.198.in-addr.arpa'
+ zone_type: 'master'
+ dynamic: false
+ ns_notify: true
+ source: '/var/named/sources/21.18.198.in-addr.arpa.conf'
+ 22.18.198.in-addr.arpa:
+ domain: '22.18.198.in-addr.arpa'
+ zone_type: 'master'
+ dynamic: false
+ ns_notify: true
+ source: '/var/named/sources/22.18.198.in-addr.arpa.conf'
+ 23.18.198.in-addr.arpa:
+ domain: '23.18.198.in-addr.arpa'
+ zone_type: 'master'
+ dynamic: false
+ ns_notify: true
+ source: '/var/named/sources/23.18.198.in-addr.arpa.conf'
+ 24.18.198.in-addr.arpa:
+ domain: '24.18.198.in-addr.arpa'
+ zone_type: 'master'
+ dynamic: false
+ ns_notify: true
+ source: '/var/named/sources/24.18.198.in-addr.arpa.conf'
+ 25.18.198.in-addr.arpa:
+ domain: '25.18.198.in-addr.arpa'
+ zone_type: 'master'
+ dynamic: false
+ ns_notify: true
+ source: '/var/named/sources/25.18.198.in-addr.arpa.conf'
+ 26.18.198.in-addr.arpa:
+ domain: '26.18.198.in-addr.arpa'
+ zone_type: 'master'
+ dynamic: false
+ ns_notify: true
+ source: '/var/named/sources/26.18.198.in-addr.arpa.conf'
+ 27.18.198.in-addr.arpa:
+ domain: '27.18.198.in-addr.arpa'
+ zone_type: 'master'
+ dynamic: false
+ ns_notify: true
+ source: '/var/named/sources/27.18.198.in-addr.arpa.conf'
+ 28.18.198.in-addr.arpa:
+ domain: '28.18.198.in-addr.arpa'
+ zone_type: 'master'
+ dynamic: false
+ ns_notify: true
+ source: '/var/named/sources/28.18.198.in-addr.arpa.conf'
+ 29.18.198.in-addr.arpa:
+ domain: '29.18.198.in-addr.arpa'
+ zone_type: 'master'
+ dynamic: false
+ ns_notify: true
+ source: '/var/named/sources/29.18.198.in-addr.arpa.conf'
 profiles::dns::master::views:
 master-zones:
@@ -58,6 +132,17 @@ profiles::dns::master::views:
 - 15.18.198.in-addr.arpa
 - 16.18.198.in-addr.arpa
 - 17.18.198.in-addr.arpa
+ - 19.18.198.in-addr.arpa
+ - 20.18.198.in-addr.arpa
+ - 21.18.198.in-addr.arpa
+ - 22.18.198.in-addr.arpa
+ - 23.18.198.in-addr.arpa
+ - 24.18.198.in-addr.arpa
+ - 25.18.198.in-addr.arpa
+ - 26.18.198.in-addr.arpa
+ - 27.18.198.in-addr.arpa
+ - 28.18.198.in-addr.arpa
+ - 29.18.198.in-addr.arpa
 match_clients:
 - acl-main.unkin.net
diff --git a/hieradata/roles/infra/dns/resolver.yaml b/hieradata/roles/infra/dns/resolver.yaml
index 5c0387a..e9adbdf 100644
--- a/hieradata/roles/infra/dns/resolver.yaml
+++ b/hieradata/roles/infra/dns/resolver.yaml
@@ -10,6 +10,30 @@ profiles::dns::resolver::acls:
 - 198.18.15.0/24
 - 198.18.16.0/24
 - 198.18.17.0/24
+ - 198.18.18.0/24
+ - 198.18.19.0/24
+ - 198.18.20.0/24
+ - 198.18.21.0/24
+ - 198.18.22.0/24
+ - 198.18.23.0/24
+ acl-dmz:
+ addresses:
+ - 198.18.24.0/24
+ acl-common:
+ addresses:
+ - 198.18.25.0/24
+ - 198.18.26.0/24
+ - 198.18.27.0/24
+ - 198.18.28.0/24
+ - 198.18.29.0/24
+ acl-nomad-jobs:
+ addresses:
+ - 198.18.64.0/24
+ - 198.18.65.0/24
+ - 198.18.66.0/24
+ - 198.18.67.0/24
+ - 198.18.68.0/24
+ - 198.18.69.0/24
 profiles::dns::resolver::zones:
 8.10.10.in-addr.arpa-forward:
@@ -54,6 +78,96 @@ profiles::dns::resolver::zones:
 - 10.10.16.32
 - 10.10.16.33
 forward: 'only'
+ main.unkin.net-forward:
+ domain: 'main.unkin.net'
+ zone_type: 'forward'
+ forwarders: "%{alias('profiles_dns_upstream_forwarder_unkin')}"
+ forward: 'only'
+ 13.18.198.in-addr.arpa-forward:
+ domain: '13.18.198.in-addr.arpa'
+ zone_type: 'forward'
+ forwarders: "%{alias('profiles_dns_upstream_forwarder_unkin')}"
+ forward: 'only'
+ 14.18.198.in-addr.arpa-forward:
+ domain: '14.18.198.in-addr.arpa'
+ zone_type: 'forward'
+ forwarders: "%{alias('profiles_dns_upstream_forwarder_unkin')}"
+ forward: 'only'
+ 15.18.198.in-addr.arpa-forward:
+ domain: '15.18.198.in-addr.arpa'
+ zone_type: 'forward'
+ forwarders: "%{alias('profiles_dns_upstream_forwarder_unkin')}"
+ forward: 'only'
+ 16.18.198.in-addr.arpa-forward:
+ domain: '16.18.198.in-addr.arpa'
+ zone_type: 'forward'
+ forwarders: "%{alias('profiles_dns_upstream_forwarder_unkin')}"
+ forward: 'only'
+ 17.18.198.in-addr.arpa-forward:
+ domain: '17.18.198.in-addr.arpa'
+ zone_type: 'forward'
+ forwarders: "%{alias('profiles_dns_upstream_forwarder_unkin')}"
+ forward: 'only'
+ 19.18.198.in-addr.arpa-forward:
+ domain: '19.18.198.in-addr.arpa'
+ zone_type: 'forward'
+ forwarders: "%{alias('profiles_dns_upstream_forwarder_unkin')}"
+ forward: 'only'
+ 20.18.198.in-addr.arpa-forward:
+ domain: '20.18.198.in-addr.arpa'
+ zone_type: 'forward'
+ forwarders: "%{alias('profiles_dns_upstream_forwarder_unkin')}"
+ forward: 'only'
+ 21.18.198.in-addr.arpa-forward:
+ domain: '21.18.198.in-addr.arpa'
+ zone_type: 'forward'
+ forwarders: "%{alias('profiles_dns_upstream_forwarder_unkin')}"
+ forward: 'only'
+ 22.18.198.in-addr.arpa-forward:
+ domain: '22.18.198.in-addr.arpa'
+ zone_type: 'forward'
+ forwarders: "%{alias('profiles_dns_upstream_forwarder_unkin')}"
+ forward: 'only'
+ 23.18.198.in-addr.arpa-forward:
+ domain: '23.18.198.in-addr.arpa'
+ zone_type: 'forward'
+ forwarders: "%{alias('profiles_dns_upstream_forwarder_unkin')}"
+ forward: 'only'
+ 24.18.198.in-addr.arpa-forward:
+ domain: '24.18.198.in-addr.arpa'
+ zone_type: 'forward'
+ forwarders: "%{alias('profiles_dns_upstream_forwarder_unkin')}"
+ forward: 'only'
+ 25.18.198.in-addr.arpa-forward:
+ domain: '25.18.198.in-addr.arpa'
+ zone_type: 'forward'
+ forwarders: "%{alias('profiles_dns_upstream_forwarder_unkin')}"
+ forward: 'only'
+ 26.18.198.in-addr.arpa-forward:
+ domain: '26.18.198.in-addr.arpa'
+ zone_type: 'forward'
+ forwarders: "%{alias('profiles_dns_upstream_forwarder_unkin')}"
+ forward: 'only'
+ 27.18.198.in-addr.arpa-forward:
+ domain: '27.18.198.in-addr.arpa'
+ zone_type: 'forward'
+ forwarders: "%{alias('profiles_dns_upstream_forwarder_unkin')}"
+ forward: 'only'
+ 28.18.198.in-addr.arpa-forward:
+ domain: '28.18.198.in-addr.arpa'
+ zone_type: 'forward'
+ forwarders: "%{alias('profiles_dns_upstream_forwarder_unkin')}"
+ forward: 'only'
+ 29.18.198.in-addr.arpa-forward:
+ domain: '29.18.198.in-addr.arpa'
+ zone_type: 'forward'
+ forwarders: "%{alias('profiles_dns_upstream_forwarder_unkin')}"
+ forward: 'only'
+ consul-forward:
+ domain: 'consul'
+ zone_type: 'forward'
+ forwarders: "%{alias('profiles_dns_upstream_forwarder_consul')}"
+ forward: 'only'
 profiles::dns::resolver::views:
 openforwarder:
@@ -69,8 +183,22 @@ profiles::dns::resolver::views:
 - 15.18.198.in-addr.arpa-forward
 - 16.18.198.in-addr.arpa-forward
 - 17.18.198.in-addr.arpa-forward
+ - 19.18.198.in-addr.arpa-forward
+ - 20.18.198.in-addr.arpa-forward
+ - 21.18.198.in-addr.arpa-forward
+ - 22.18.198.in-addr.arpa-forward
+ - 23.18.198.in-addr.arpa-forward
+ - 24.18.198.in-addr.arpa-forward
+ - 25.18.198.in-addr.arpa-forward
+ - 26.18.198.in-addr.arpa-forward
+ - 27.18.198.in-addr.arpa-forward
+ - 28.18.198.in-addr.arpa-forward
+ - 29.18.198.in-addr.arpa-forward
 - 8.10.10.in-addr.arpa-forward
 - 16.10.10.in-addr.arpa-forward
 - 20.10.10.in-addr.arpa-forward
 match_clients:
 - acl-main.unkin.net
+ - acl-nomad-jobs
+ - acl-common
+ - acl-dmz
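Review bot: `match_clients` of the `openforwarder` view now also admits `acl-dmz` (198.18.24.0/24) and `acl-nomad-jobs`, and that single view forwards every internal reverse zone — management, ceph cluster/public, DMZ and common — plus `main.unkin.net` and `consul` to the upstream servers. DMZ and job workloads therefore gain full internal name and PTR visibility, which is more than their own resolution needs; a second view for `acl-dmz` and `acl-nomad-jobs` that lists only the zones those clients require would keep the internal address plan out of the least-trusted segments. If sharing the view is deliberate, record it where the next reader will look, `# dmz/nomad clients intentionally share the internal forward zones`. The `consul-forward` zone added in the zones hunk above has the same audience, so that decision should cover `*.consul` as well.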
diff --git a/hieradata/roles/infra/etcd/node.eyaml b/hieradata/roles/infra/etcd/node.eyaml
new file mode 100644
index 0000000..40ffd6b
--- /dev/null
+++ b/hieradata/roles/infra/etcd/node.eyaml
@@ -0,0 +1,2 @@
+---
+profiles::etcd::node::initial_cluster_token: ENC[PKCS7,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]
diff --git a/hieradata/roles/infra/etcd/node.yaml b/hieradata/roles/infra/etcd/node.yaml
new file mode 100644
index 0000000..38e933d
--- /dev/null
+++ b/hieradata/roles/infra/etcd/node.yaml
@@ -0,0 +1,62 @@
+---
+hiera_include:
+ - profiles::etcd::node
+
+profiles::etcd::node::members_lookup: true
+profiles::etcd::node::members_role: roles::infra::etcd::node
+
+profiles::etcd::node::config:
+ data-dir: /data/etcd
+ client-cert-auth: false
+ client-transport-security:
+ cert-file: /etc/pki/tls/vault/certificate.crt
+ key-file: /etc/pki/tls/vault/private.key
+ client-cert-auth: false
+ auto-tls: false
+ peer-transport-security:
+ cert-file: /etc/pki/tls/vault/certificate.crt
+ key-file: /etc/pki/tls/vault/private.key
+ client-cert-auth: false
+ auto-tls: false
+ allowed-cn:
+ max-wals: 5
+ max-snapshots: 5
+ snapshot-count: 10000
+ heartbeat-interval: 100
+ election-timeout: 1000
+ cipher-suites: [
+ TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+ TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+ ]
+ tls-min-version: 'TLS1.2'
+ tls-max-version: 'TLS1.3'
+
+profiles::pki::vault::alt_names:
+ - etcd.service.consul
+ - etcd.query.consul
+ - "etcd.service.%{facts.country}-%{facts.region}.consul"
+
+profiles::ssh::sign::principals:
+ - etcd.query.consul
+ - etcd.service.consul
+ - etcd.service.%{facts.country}-%{facts.region}.consul
+
+consul::services:
+ etcd:
+ service_name: 'etcd'
+ tags:
+ - 'etcd'
+ address: "%{facts.networking.ip}"
+ port: 2379
+ checks:
+ - id: 'etcd_http_health_check'
+ name: 'ETCD HTTP Health Check'
+ http: "https://%{facts.networking.ip}:2379/health"
+ method: 'GET'
+ interval: '10s'
+ timeout: '1s'
+ tls_skip_verify: true
+profiles::consul::client::node_rules:
+ - resource: service
+ segment: etcd
+ disposition: write
diff --git a/hieradata/roles/infra/git/runner.yaml b/hieradata/roles/infra/git/runner.yaml
index f94954f..851c6df 100644
--- a/hieradata/roles/infra/git/runner.yaml
+++ b/hieradata/roles/infra/git/runner.yaml
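Review bot: Both `client-transport-security` and `peer-transport-security` set `client-cert-auth: false` (and the key is repeated a third time at the top of `config`), so the vault-issued certificate authenticates the server side only: any client that can reach port 2379 reads and writes the keyspace without presenting a certificate, and peers join the raft group without mutual TLS. `allowed-cn:` is left empty and is meaningless while client certificate authentication is off. At minimum set `client-cert-auth: true` together with a `trusted-ca-file` pointing at the CA that issues `/etc/pki/tls/vault/certificate.crt` on the peer side, and either do the same for clients or confirm etcd RBAC is enforced by the profile that consumes this config. The consul check's `tls_skip_verify: true` can likewise be dropped if the consul agents trust that CA, which would turn the health check into an end-to-end certificate check as well; the third `profiles::ssh::sign::principals` entry is unquoted while its `alt_names` twin is quoted, which is probably fine in YAML but worth making consistent.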
@@ -45,3 +45,10 @@ profiles::gitea::runner::config:
 force_rebuild: false
 host:
 workdir_parent: "%{hiera('profiles::gitea::runner::home')}/.cache/act"
+
+# enable ip forwarding for docker containers
+sysctl::base::values:
+ net.ipv4.conf.all.forwarding:
+ value: '1'
+ net.ipv6.conf.all.forwarding:
+ value: '1'
diff --git a/hieradata/roles/infra/incus/imagehost.yaml b/hieradata/roles/infra/incus/imagehost.yaml
new file mode 100644
index 0000000..ef0ca71
--- /dev/null
+++ b/hieradata/roles/infra/incus/imagehost.yaml
@@ -0,0 +1,125 @@
+---
+hiera_include:
+ - incus
+ - zfs
+
+profiles::packages::include:
+ bridge-utils: {}
+ dnsmasq: {}
+
+profiles::pki::vault::alt_names:
+ - incus-images.service.consul
+ - incus-images.query.consul
+ - "incus-images.service.%{facts.country}-%{facts.region}.consul"
+
+profiles::ssh::sign::principals:
+ - incus-images.service.consul
+ - incus-images.query.consul
+ - "incus-images.service.%{facts.country}-%{facts.region}.consul"
+
+# configure consul service
+consul::services:
+ incus-images:
+ service_name: 'incus-images'
+ tags:
+ - 'incus'
+ - 'images'
+ - 'container'
+ - 'lxd'
+ address: "%{facts.networking.ip}"
+ port: 8443
+ checks:
+ - id: 'incus_https_check'
+ name: 'incus HTTPS Check'
+ http: "https://%{facts.networking.fqdn}:8443"
+ method: 'GET'
+ tls_skip_verify: true
+ interval: '10s'
+ timeout: '1s'
+profiles::consul::client::node_rules:
+ - resource: service
+ segment: incus-images
+ disposition: write
+
+# additional repos
+profiles::yum::global::repos:
+ zfs-kmod:
+ name: zfs-kmod
+ descr: zfs-kmod repository
+ target: /etc/yum.repos.d/zfs-kmod.repo
+ baseurl: https://packagerepo.service.consul/zfs/rhel9/kmod-daily/%{facts.os.architecture}/os
+ gpgkey: https://packagerepo.service.consul/zfs/rhel9/kmod-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-openzfs-2022
+ mirrorlist: absent
+
+# zfs settings
+zfs::manage_repo: false
+zfs::zfs_arc_min: ~
+zfs::zfs_arc_max: 429496729 # 400MB
+zfs::zpools:
+ fastpool:
+ ensure: present
+ disk: /dev/vdb
+ ashift: 12
+zfs::datasets:
+ fastpool:
+ canmount: 'off'
+ acltype: posix
+ atime: 'off'
+ relatime: 'off'
+ compression: 'zstd'
+ xattr: 'sa'
+ fastpool/data:
+ canmount: 'on'
+ mountpoint: '/data'
+ fastpool/data/incus:
+ canmount: 'on'
+ mountpoint: '/data/incus'
+
+# manage incus
+incus::init: true
+incus::server_port: 8443
+incus::storage_images_volume: fastpool/imagestore
+
+# add sysadmin to incus-admin group
+profiles::accounts::sysadmin::extra_groups:
+ - incus-admin
+
+# sysctl recommendations
+sysctl::base::values:
+ fs.aio-max-nr:
+ value: '524288'
+ fs.inotify.max_queued_events:
+ value: '1048576'
+ fs.inotify.max_user_instances:
+ value: '1048576'
+ fs.inotify.max_user_watches:
+ value: '1048576'
+ kernel.dmesg_restrict:
+ value: '1'
+ kernel.keys.maxbytes:
+ value: '2000000'
+ kernel.keys.maxkeys:
+ value: '2000'
+ net.core.bpf_jit_limit:
+ value: '1000000000'
+ net.ipv4.neigh.default.gc_thresh3:
+ value: '8192'
+ net.ipv6.neigh.default.gc_thresh3:
+ value: '8192'
+ vm.max_map_count:
+ value: '262144'
+ net.ipv4.conf.all.forwarding:
+ value: '1'
+ net.ipv6.conf.all.forwarding:
+ value: '1'
+
+# limits.d recommendations
+limits::entries:
+ '*/nofile':
+ both: 1048576
+ 'root/nofile':
+ both: 1048576
+ '*/memlock':
+ both: unlimited
+ 'root/memlock':
+ both: unlimited
diff --git a/hieradata/roles/infra/incus/node.eyaml b/hieradata/roles/infra/incus/node.eyaml
new file mode 100644
index 0000000..c85b8f6
--- /dev/null
+++ b/hieradata/roles/infra/incus/node.eyaml
@@ -0,0 +1,2 @@
+ceph::key::media: ENC[PKCS7,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]
+ceph::key::apps: ENC[PKCS7,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]
diff --git a/hieradata/roles/infra/incus/node.yaml b/hieradata/roles/infra/incus/node.yaml
new file mode 100644
index 0000000..cd07ebc
--- /dev/null
+++ b/hieradata/roles/infra/incus/node.yaml
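Review bot: `zfs::zfs_arc_max: 429496729 # 400MB` disagrees with its own comment: 429496729 bytes is 0.1 × 2^32, about 409.6 MiB, whereas 400 MiB is `419430400`; pick one and make the comment match, e.g. `zfs::zfs_arc_max: 419430400 # 400 MiB`. `incus::storage_images_volume: fastpool/imagestore` names a dataset that `zfs::datasets` never creates (only `fastpool`, `fastpool/data` and `fastpool/data/incus` are defined), so either the incus module creates it on init or the first run fails — presumably the former, but a comment saying which would help. Adding `sysadmin` to `incus-admin` is effectively root on the host, which is fine for that account but deserves the same one-line justification the other sections get; on the plus side `kernel.dmesg_restrict: '1'` is set, and the zfs-kmod repo ships its `gpgkey` from the same origin as its packages, which is the right shape.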
@@ -0,0 +1,272 @@ +--- +hiera_include: + - profiles::selinux::frr + - frrouting + - incus + - zfs + - profiles::ceph::node + - profiles::ceph::client + - profiles::storage::cephfsvols + +# FIXME: puppet-python wants to try manage python-dev, which is required by the ceph package +python::manage_dev_package: false + +profiles::packages::include: + bridge-utils: {} + cephadm: {} + ceph-common: {} + +profiles::pki::vault::alt_names: + - incus.service.consul + - incus.query.consul + - "incus.service.%{facts.country}-%{facts.region}.consul" + +profiles::pki::vault::ip_sans: + - "%{hiera('networking_loopback0_ip')}" + - "%{hiera('networking_loopback1_ip')}" + - "%{hiera('networking_loopback2_ip')}" + +profiles::ssh::sign::principals: + - incus.service.consul + - incus.query.consul + - "incus.service.%{facts.country}-%{facts.region}.consul" + - "%{hiera('networking_loopback0_ip')}" + - "%{facts.networking.interfaces.enp2s0.ip}" + - "%{facts.networking.interfaces.enp3s0.ip}" + +# configure consul service +consul::services: + incus: + service_name: 'incus' + tags: + - 'incus' + - 'container' + - 'lxd' + address: "%{hiera('networking_loopback0_ip')}" + port: 8443 + checks: + - id: 'incus_https_check' + name: 'incus HTTPS Check' + http: "https://%{hiera('networking_loopback0_ip')}:8443" + method: 'GET' + tls_skip_verify: true + interval: '10s' + timeout: '1s' +profiles::consul::client::node_rules: + - resource: service + segment: incus + disposition: write + +# additional repos +profiles::yum::global::repos: + ceph: + name: ceph + descr: ceph repository + target: /etc/yum.repos.d/ceph.repo + baseurl: https://edgecache.query.consul/ceph/yum/el%{facts.os.release.major}/%{facts.os.architecture} + gpgkey: https://download.ceph.com/keys/release.asc + mirrorlist: absent + ceph-noarch: + name: ceph-noarch + descr: ceph-noarch repository + target: /etc/yum.repos.d/ceph-noarch.repo + baseurl: https://edgecache.query.consul/ceph/yum/el%{facts.os.release.major}/noarch + gpgkey: 
https://download.ceph.com/keys/release.asc + mirrorlist: absent + frr-extras: + name: frr-extras + descr: frr-extras repository + target: /etc/yum.repos.d/frr-extras.repo + baseurl: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os + gpgkey: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR + mirrorlist: absent + frr-stable: + name: frr-stable + descr: frr-stable repository + target: /etc/yum.repos.d/frr-stable.repo + baseurl: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os + gpgkey: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR + mirrorlist: absent + zfs-kmod: + name: zfs-kmod + descr: zfs-kmod repository + target: /etc/yum.repos.d/zfs-kmod.repo + baseurl: https://packagerepo.service.consul/zfs/rhel9/kmod-daily/%{facts.os.architecture}/os + gpgkey: https://packagerepo.service.consul/zfs/rhel9/kmod-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-openzfs-2022 + mirrorlist: absent + +# dns +profiles::dns::base::primary_interface: loopback0 + +# networking +systemd::manage_networkd: true +systemd::manage_all_network_files: true +networking::interfaces: + enp2s0: + type: physical + txqueuelen: 10000 + forwarding: true + enp3s0: + type: physical + mtu: 1500 + txqueuelen: 10000 + forwarding: true + loopback0: + type: dummy + ipaddress: "%{hiera('networking_loopback0_ip')}" + netmask: 255.255.255.255 + mtu: 1500 + loopback1: + type: dummy + ipaddress: "%{hiera('networking_loopback1_ip')}" + netmask: 255.255.255.255 + mtu: 1500 + loopback2: + type: dummy + ipaddress: "%{hiera('networking_loopback2_ip')}" + netmask: 255.255.255.255 + mtu: 1500 + +# frrouting +frrouting::ospfd_router_id: "%{hiera('networking_loopback0_ip')}" +frrouting::ospfd_redistribute: + - connected +frrouting::ospfd_interfaces: + enp2s0: + area: 0.0.0.0 + enp3s0: + area: 0.0.0.0 + loopback0: + area: 0.0.0.0 + loopback1: + area: 
0.0.0.0 + loopback2: + area: 0.0.0.0 + brcom1: + area: 0.0.0.0 + brdmz1: + area: 0.0.0.0 + brwan1: + area: 0.0.0.0 +frrouting::daemons: + ospfd: true + +# add loopback interfaces to ssh list +ssh::server::options: + ListenAddress: + - "%{hiera('networking_loopback0_ip')}" + - "%{facts.networking.interfaces.enp2s0.ip}" + - "%{facts.networking.interfaces.enp3s0.ip}" + +# zfs settings +zfs::manage_repo: false +zfs::zfs_arc_min: ~ +zfs::zfs_arc_max: 4294967296 # 4GB +zfs::zpools: + fastpool: + ensure: present + disk: /dev/nvme1n1 + ashift: 12 +zfs::datasets: + fastpool: + canmount: 'off' + acltype: posix + atime: 'off' + relatime: 'off' + compression: 'zstd' + xattr: 'sa' + fastpool/data: + canmount: 'on' + mountpoint: '/data' + fastpool/data/incus: + canmount: 'on' + mountpoint: '/data/incus' + +# manage incus +incus::init: true +incus::bridge: br10 +incus::server_port: 8443 +incus::server_addr: "%{hiera('networking_loopback0_ip')}" + +# add sysadmin to incus-admin group +profiles::accounts::sysadmin::extra_groups: + - incus-admin + +# manage cephfs mounts +profiles::ceph::client::manage_ceph_conf: false +profiles::ceph::client::manage_ceph_package: false +profiles::ceph::client::manage_ceph_paths: false +profiles::ceph::client::fsid: 'de96a98f-3d23-465a-a899-86d3d67edab8' +profiles::ceph::client::mons: + - 198.18.23.9 + - 198.18.23.10 + - 198.18.23.11 + - 198.18.23.12 + - 198.18.23.13 +profiles::ceph::client::keyrings: + media: + key: "%{hiera('ceph::key::media')}" + apps: + key: "%{hiera('ceph::key::apps')}" + +profiles::storage::cephfsvols::volumes: + cephfsvol_media: + mount: "/shared/media" + keyring: "/etc/ceph/ceph.client.media.keyring" + cephfs_name: "media" + cephfs_fs: "mediafs" + cephfs_mon: "%{alias('profiles::ceph::client::mons')}" + require: "Profiles::Ceph::Keyring[media]" + cephfsvol_apps: + mount: "/shared/apps" + keyring: "/etc/ceph/ceph.client.apps.keyring" + cephfs_name: "apps" + cephfs_fs: "appfs" + cephfs_mon: 
"%{alias('profiles::ceph::client::mons')}" + require: "Profiles::Ceph::Keyring[apps]" + +# sysctl recommendations +sysctl::base::values: + fs.aio-max-nr: + value: '524288' + fs.inotify.max_queued_events: + value: '1048576' + fs.inotify.max_user_instances: + value: '1048576' + fs.inotify.max_user_watches: + value: '1048576' + kernel.dmesg_restrict: + value: '1' + kernel.keys.maxbytes: + value: '2000000' + kernel.keys.maxkeys: + value: '2000' + net.core.bpf_jit_limit: + value: '1000000000' + net.ipv4.neigh.default.gc_thresh3: + value: '8192' + net.ipv6.neigh.default.gc_thresh3: + value: '8192' + vm.max_map_count: + value: '262144' + net.ipv4.conf.all.forwarding: + value: '1' + net.ipv6.conf.all.forwarding: + value: '1' + net.ipv4.tcp_l3mdev_accept: + value: '0' + net.ipv4.conf.default.rp_filter: + value: '0' + net.ipv4.conf.all.rp_filter: + value: '0' + +# limits.d recommendations +limits::entries: + '*/nofile': + both: 1048576 + 'root/nofile': + both: 1048576 + '*/memlock': + both: unlimited + 'root/memlock': + both: unlimited diff --git a/hieradata/roles/infra/nomad/agent.yaml b/hieradata/roles/infra/nomad/agent.yaml index f300b30..3c9d1c3 100644 --- a/hieradata/roles/infra/nomad/agent.yaml +++ b/hieradata/roles/infra/nomad/agent.yaml @@ -64,3 +64,9 @@ profiles::consul::client::node_rules: - resource: service_prefix segment: '' disposition: write + - resource: key_prefix + segment: "nomad" + disposition: write + - resource: session_prefix + segment: "" + disposition: write diff --git a/hieradata/roles/infra/nomad/agentv2.yaml b/hieradata/roles/infra/nomad/agentv2.yaml new file mode 100644 index 0000000..629a9be --- /dev/null +++ b/hieradata/roles/infra/nomad/agentv2.yaml 
@@ -0,0 +1,55 @@ +--- +hiera_include: + - docker + - docker::networks + - profiles::nomad::node + +docker::version: latest +docker::curl_ensure: false +docker::root_dir: /data/docker +docker::ip_forward: true +#docker::ip_masq: false +#docker::iptables: false + +systemd::manage_networkd: true +systemd::manage_all_network_files: true +networking::interfaces: + eth0: + type: physical + forwarding: true + dhcp: true + +profiles::packages::include: + nomad: {} + cni-plugins: {} + +profiles::nomad::node::client: true + +# additional altnames +profiles::pki::vault::alt_names: + - client.global.nomad + - client.au-syd1.nomad + - nomad-client.service.consul + - nomad-client.query.consul + - "nomad-client.service.%{facts.country}-%{facts.region}.consul" + +# configure consul service +profiles::consul::client::node_rules: + - resource: service + segment: nomad-client + disposition: write + - resource: agent_prefix + segment: '' + disposition: read + - resource: node_prefix + segment: '' + disposition: write + - resource: service_prefix + segment: '' + disposition: write + - resource: key_prefix + segment: "nomad" + disposition: write + - resource: session_prefix + segment: "" + disposition: write diff --git a/hieradata/roles/infra/puppet/master.yaml b/hieradata/roles/infra/puppet/master.yaml index c9a7376..ea51ac8 100644 --- a/hieradata/roles/infra/puppet/master.yaml +++ b/hieradata/roles/infra/puppet/master.yaml @@ -5,6 +5,13 @@ profiles::puppet::autosign::subnet_ranges: - '198.18.15.0/24' - '198.18.16.0/24' - '198.18.17.0/24' + - '198.18.20.0/24' + - '198.18.24.0/24' + - '198.18.25.0/24' + - '198.18.26.0/24' + - '198.18.27.0/24' + - '198.18.28.0/24' + - '198.18.29.0/24' profiles::puppet::autosign::domains: - '*.main.unkin.net' 
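Review bot: `docker::version: latest` makes the package set on these agents non-reproducible and means a routine run can pull a new engine version onto every nomad client at once; every other module in this commit is pinned, so a pinned version (or a comment explaining why this one floats) would be consistent. The two commented-out keys `#docker::ip_masq: false` / `#docker::iptables: false` are dead configuration — either remove them or turn them into a note stating why the defaults were kept.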
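Review bot: Seven more /24 ranges are added to `profiles::puppet::autosign::subnet_ranges`, and subnet-based autosigning signs any CSR that arrives from those addresses; if guests on the incus hosts introduced in this commit can source traffic from these ranges, a workload could obtain an agent certificate for an arbitrary certname. A comment naming what lives in each range would make the widening reviewable: `# 198.18.20.0/24 - <PLACEHOLDER: network purpose>`. If the ranges are shared with untrusted workloads, a policy-based autosign check with a per-node secret is the usual alternative.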
@@ -30,7 +37,7 @@ profiles::puppet::gems::puppet: - 'hiera-eyaml' profiles::helpers::certmanager::vault_config: - addr: 'https://vault.query.consul:8200' + addr: 'https://vault.service.consul:8200' mount_point: 'pki_int' approle_path: 'approle' role_name: 'servers_default' diff --git a/hieradata/roles/infra/puppetboard/server.eyaml b/hieradata/roles/infra/puppetboard/server.eyaml new file mode 100644 index 0000000..29c7cb3 --- /dev/null +++ b/hieradata/roles/infra/puppetboard/server.eyaml @@ -0,0 +1 @@ +profiles::puppet::puppetboard::secret_key: ENC[PKCS7,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] diff --git a/hieradata/roles/infra/puppetdb/api.eyaml b/hieradata/roles/infra/puppetdb/api.eyaml new file mode 100644 index 0000000..4bb4232 --- /dev/null +++ b/hieradata/roles/infra/puppetdb/api.eyaml 
@@ -0,0 +1,2 @@ +profiles::puppet::puppetdb_api::public_cert: ENC[PKCS7,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] +profiles::puppet::puppetdb_api::private_cert: ENC[PKCS7,MIIOHQYJKoZIhvcNAQcDoIIODjCCDgoCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAR7TO46Sg7DTeJmy+YMKpcKgcbbyDed4zHib7Jii2ltlFBMzFAJ49u986i13pSE0qaPIgydc94ILKc0oTwTWvstbiBJB2NYikswKHIJwKKSTzzbfCz1/eyfVKwKyp3DakdImdPClmjZIp/eQyWsLkZjxmJ5T9MVHSo3l8sNVY3WyGbKwEi0TwZabE9Op8cvFTifcBL5zDwKMrhwghAPEoVz8DALoMOko8Lp2K7yCo+LvyvY/Ib9CtIfbgpXQTo2NDbww29/KWHqw6PjzRdyuswUDdnCuLOaThUQkDopTZyhhJ9Y5z5/7Doo/zGYQLBkyThjtKkKwsPlq1eGkjFzY/ITCCDN4GCSqGSIb3DQEHATAdBglghkgBZQMEASoEEAvibroua3O2ot73run7uWKAggywIm7gZ/o/vc47kaCICTS2LtsHDmTe9HHqujdAdQLlBGvEhasKGDMr8s54aIbNUbLhD82Vuvwjl2GShqSg/IATfwzDPoqm982KrVZd/9kO61o3vBdtqZO1+InbY7iDbTqf45A7Ar3545aF+/y30WDamFyECwCePrQu1Y9bw6VhLTEVYO+A8zr8y0CYRKAtWNYcPpTP/3VO8/RKtMV+nWrUzS00zAp56lA7xeOzdeKdHzCkpKeaHrpSEN6YGrZmAhTdKBxHYiez9h3eZprEtqoAz0I5DL9Y54t74+pZxicFjQKYPxUGccqg0dIkFZUgE1dxuOkASspydJ890xC/SYJZxREeuF9SPCUkT4Szc814/JHzfqrHt5ZfdzQcBX0xjtEfwoud+Hc4MVerT4cmhyaJLP1/jEe8l3B3Cj4uVilbfAyxOAmAHZl4lcKawdzqUm1os6bsBzCwQU0usKYlW1vczvjvxHvq5z/+IQvCvvlPlUrVIlB7XaiIihkW4LbgZBKNaCWW8rihewX5FUTtvjveHzkGqXnzBBF8WfQmNvVtjKFGdkz3teOHShZOZO7fYo4rHGAV+KVz3kzSCZ8pgqAUsYYW5z/aViNnFuNdDz8xiq05DfUtD3GwbydH2mr5IN8bAFwufAidKEfuQeAusCuS5k6PRJyXK81ErqYMW/H+mSLVw9jCNOqqGGfiYdfcx8oNw+U1Vz/fDmQIQ+eT/JKDSOCbBYjrydC9WBzvgRngDoLQ/UXGCnIENqLJekvVJ0x9KTUhrzQyZVky+INyzp3i5UDyu2uLH55vJEI7qSmcM0Y8Eyj3Buc+0k739OQCC56IiQm/Aw6Uh+6Vi+/MfevcI5K0etMgTZ+dIhRAJAT5Jd4vRu4ge8M1HqEOQQj5lQfO+WtHcgwFyg1dGeQF6I6iy0JfMqXZVDsEkyCsDN6ZDaLcgMQN0FYWSsqy7tCzU9ZbvQ/pAHT/Ed1mNDWs+w0YzgcVv8+XCBGVzunpqcjbi08aKDYIKOIL5EBVOfDwGIeYjBuJhINQa49tNryXEkjZs+OxXDM4YvvksvwfNq4P4OLNJHoQ4DCEyqVbdqGGksRjNtU28Lu8y2M5eX6ehG8ismBMSgUy0SIbR5vTDVNjguo4HD7slVNYqERfMjlwHbnOLajoPl8nWIrhW3glWKBvJ1bQKWU81TRawlCAQ3k5DFnebFgoBagtqo0+Zoygt29Bz38wwqfF90jvfzVEM0sy4X+7FxZFYX2WTWKyZV3+16a7hWBjMbJeulU1chzs1V0/lPMXVEa+c3xcO8W2DyrX4wR27fUEfjPmug49tMhMSFOZ
XEOwzUMsXjz3K4XhEcC0mtYHDMT0EYtRX8pHe62RkMILuJGRHvw3Wwg2GzZRMpZfPQy8jLhkOhUSGc7z4XEWC/PdLmfGjBTZsZ6G2FfKlGLbSxOlgQlew2sZ+oNTHRrN+aMrkgyG11TheXDbE0y+Sxls+13DEYbMaflq5wjE2FlvD3b5X7/Pu4BizQI7Ski7jjb5qcqik8xoin2qGfhnY6H6PNSPz67J1RTxVZjHgUtZQKG56e+aKIv5FFyjFTgEPRqj3Yyrzh7+E6gt+LETh3vuJDUxKPLZskLD03xP6E/yiLbIu5DIYzK9+uuS/JGF3OibE93hgwp9uzDFirDzRbcuDVDxZyToSfH8P7m58lhp/FiKO3rpUqRqaC/GXz5xbekQ+yGuMKk6qEmiPj7B3pHm2Ic2tJIGTpTNCDNfsqefplUJXbKskiKRxOP04yCIn3XuHu8jUDhWZW848RWHgXfySdqEAFKrvsyamJKXz/1IGIdDzOgnAcd/wiudhZ41gDaCyA1DQYxU9T04106eD9aTZwj+mS9uZmfwHfROiBinC1ZAHsXfjLtwVZj3gpdUsieIqAiuAuMKle9yOMn3np4NEu5vjj/SOZeVWCvBfcPg8VB+uj6s7FtXRH5jdxkaB72PykYa8aTAbNKqcw/qlowv0k/vWnWa++fFFVfbg+VZ3a6oEW2YKvcVefQg/R4nEeTusmH/tnOl7SHLlJ4WLQ+U+v0GLeCY6zJKS6WweN+6SXIbkB9BLES2VpvxlYAmjqLlQuJBpcIuxL1SwCIkKUXdWjQqp6WzfS4XSxuxizZNL8xlEjXSJzFXvo+rPZXF37gHvmLHnjJkQdhctZUjyzDUfgLdR4FcMsp/U8qugWtbbemARFtrXHT9D3M/hVp0z/0ho80LB2chI1nOfY0u8GXgHtJfwZtoeyctud6JLo4zUxZy0zQMqIqgpytVNhjMPOIK5sWpKCKscPlg8+vANhPQHze7Wc8PXwC7jbSMH4QqqnGz+fPB/KKl+wz4jICe/vu7fNJRq0pehibPifXJtBDBH+i+s/U3ZX2WECKPYsF0DXq8Askisa3b97WPO7oWk8ghzE8ZXZs5CypkLpq+oPRg/WrsRJea+EWmkzKmBXtS23AQzhItNB0KFP18elLVmb6atYNs4lzv22ptifD+5wbYmk+/mAVgInqqixLPAy2uofCXvlXhIPd4vgkwpjar/lxcZWGtX7c7EUzDND1AyirMjcZyTaMsHEzYybT3S/8n8OgxVvyemLvgHnmZxmWnUBFUhItQ2Pt6iF2Dn68huo+0PE5K5qlKzoRPbfNLrNYImn4KxmLW5+bT2STe1j8aowyY3ROY1r+4BxHIbDknCb5aj6N4WR14SeUWSSPu23oK1VDLBlQUMiHHqfJwu0NiGhsI8Vl0Mp5Slp6FK0UvZz2O7C+x0HGaWVK9mMuP40BKHjEo7T97ZoXMN0uX4GmBQ3jEwXzsPpuPbZI5JnwwEyp5YX+IyYWJyCww2fntSQ/fS509b6mvG5isUMK3lpiogucROtJTA1KrODrocpTgUGvIwDUP/tosGT57lmXjTmHbTf6WjCHIUZsrbT5ycjYNJI0sn+dfx3Tba289CEeBEaX2FefnHX+o8HMLlRI4JmiD6faswCjC2IFMjDVfkJoie45Y+8Q9LSVZ8TkZey1QucNRrMIKpNLo4cPDCdUJIOPUDbfX4I1g0Qhk7T5WYX/JUtiaUgKiR5Gc/PHmV8oL8G9P+OSgg2Lc5XaN7/PevHCiBOLwAXsKbSCwL7oGmxyw90+sHIZr+ZyClNnfuXE3UrW7NXQI6mCxvQWKtJKn1trO17I6Cd00RMfC3uPy5/LIicubunfvDjp3BlaatxIrzDg3rVnFPX0dKzt/s4iuSyK3IT0le/x9OBLIp4EhdQdvd2HOFYxOtjxzbvWRzWrqGpBsLQLg7EG5adrqg69VOQMCT2pq0sCJp6hk4yGHbuz4hoX2PIeiI3l/Z0Tw
DGopGWW3uWRWxH/6bq1a6idgxHYhruUmR8aFpUKSsVyodiDV1PtK1zj5mKcZdeXx0THBYTEUWyo3RI9iLUnMcDYyPRTjCKoCm6pPS7yjIT7tq+MUi3iWo2XijY8AaV/K+WrnkcqoQH2cXsrBoH0sZMksdWwYBYz97+RKkx3FSxgdXJb1xxr0X21oPW1PhJq/zHSxe3OmxwYMPeZsGPaG8UngxTdfTQ3KPn+mN9NRXvlXkqudGJa/d/QMinCf/tp9eU1WX5xktqDgqBbPD391+6gcDsFgdidFdpLKf6yGLEovTwE9GrLX7srAC2dPOxviWekqng8H0N9RjHT06NVD9kAnnR/01ZkmmPzdP7vLX9imy0j/huTpN8i9XpFS6za4jdGt46Y5SfRKg/4qpwtE6meElgiOnTkP2uBI5cF4czaK1rYr1ZlwoneFzNHnBVFctAP7CD+w98hYexQ5RrdUYgFrMB5+88Y1IrI8Gd02RCEycPCoxdEFXqBVWmu2N/fuovgihTn9qf/mUxpQPsiUHjCgmV5w+ALs02oiRf08b8mTBAjy8utziFA6efpAppv98bQUfTs8lyNn7sH6OCoa4ZKeB51wqPXZBsKZ8Ja9VDZXjpCV+MB0b9XuSgOx2Y3UD/GJ/+eW7J6MiYFTHrhB1kRert5vRdF4M2KMoyYnVRFMBRqimnNBq6xrOvz4D6dSiquhFRtxlnb6dPCyRgHImsFbR/qdDukLB6DB+vfjzZQArLbkaMVF86hX1+9xP+BdZPsnVapY9u+DSZP7ZkEP/VftTl7uJZnqAWUis+jOncUizmzSIpV6cZO7SVdiQicHiRm6VSOmpBhniRKYN13Ct8B0g+JJeyMlx6OGALMLvcXKDXxJNvyYL9FuXyRvOygButRRjvLsEku+fl9ESD27r56ZNExf7w411cGbKQ+obhSnMsBM2qGBDR97VJyLGhbFX7SKl7CGOAWZF3TbOe4PU4Ty75qb8+U5R8amQ1FFQD4r65M=] diff --git a/hieradata/roles/infra/puppetdb/sql.yaml b/hieradata/roles/infra/puppetdb/sql.yaml index 838300d..baae548 100644 --- a/hieradata/roles/infra/puppetdb/sql.yaml +++ b/hieradata/roles/infra/puppetdb/sql.yaml 
@@ -29,11 +29,11 @@ profiles::yum::global::repos: name: postgresql-15 descr: postgresql-15 repository target: /etc/yum.repos.d/postgresql.repo - baseurl: https://edgecache.query.consul/postgres/yum/15/redhat/rhel-%{facts.os.release.full}-%{facts.os.architecture} - gpgkey: https://edgecache.query.consul/postgres/yum/keys/PGDG-RPM-GPG-KEY-RHEL + baseurl: https://packagerepo.service.consul/postgresql/rhel%{facts.os.release.major}/15-daily/%{facts.os.architecture}/os + gpgkey: https://packagerepo.service.consul/postgresql/rhel%{facts.os.release.major}/15-daily/%{facts.os.architecture}/os/PGDG-RPM-GPG-KEY-RHEL postgresql-common: name: postgresql-common descr: postgresql-common repository target: /etc/yum.repos.d/postgresql.repo - baseurl: https://edgecache.query.consul/postgres/yum/common/redhat/rhel-%{facts.os.release.full}-%{facts.os.architecture} - gpgkey: https://edgecache.query.consul/postgres/yum/keys/PGDG-RPM-GPG-KEY-RHEL + baseurl: https://packagerepo.service.consul/postgresql/rhel%{facts.os.release.major}/common-daily/%{facts.os.architecture}/os + gpgkey: https://packagerepo.service.consul/postgresql/rhel%{facts.os.release.major}/common-daily/%{facts.os.architecture}/os/PGDG-RPM-GPG-KEY-RHEL diff --git a/hieradata/roles/infra/reposync/syncer.yaml b/hieradata/roles/infra/reposync/syncer.yaml index 34f8961..26d6d82 100644 --- a/hieradata/roles/infra/reposync/syncer.yaml +++ b/hieradata/roles/infra/reposync/syncer.yaml 
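Review bot: The new `gpgkey` URLs point at the same `packagerepo.service.consul` host and path that serves the packages, so a signature check now only proves that key and packages came from the same mirror; before this change the key at least came from a separate path. If the key should anchor trust independently of the mirror, keep the packages on the mirror but take the key from upstream, as the reposync entries already do: `gpgkey: https://download.postgresql.org/pub/repos/yum/keys/PGDG-RPM-GPG-KEY-RHEL`. The patroni.yaml hunk makes the identical change and has the same question.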
@@ -38,6 +38,125 @@ profiles::consul::client::node_rules: profiles::reposync::webserver::nginx_listen_mode: both profiles::reposync::webserver::nginx_cert_type: vault profiles::reposync::repos_list: + almalinux_9_5_baseos: + repository: 'baseos' + description: 'AlmaLinux 9.5 BaseOS' + osname: 'almalinux' + release: '9.5' + mirrorlist: 'https://mirrors.almalinux.org/mirrorlist/9.5/baseos' + gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux-9' + almalinux_9_5_appstream: + repository: 'appstream' + description: 'AlmaLinux 9.5 AppStream' + osname: 'almalinux' + release: '9.5' + mirrorlist: 'https://mirrors.almalinux.org/mirrorlist/9.5/appstream' + gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux-9' + almalinux_9_5_crb: + repository: 'crb' + description: 'AlmaLinux 9.5 CRB' + osname: 'almalinux' + release: '9.5' + mirrorlist: 'https://mirrors.almalinux.org/mirrorlist/9.5/crb' + gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux-9' + almalinux_9_5_ha: + repository: 'ha' + description: 'AlmaLinux 9.5 HighAvailability' + osname: 'almalinux' + release: '9.5' + mirrorlist: 'https://mirrors.almalinux.org/mirrorlist/9.5/highavailability' + gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux-9' + almalinux_9_5_extras: + repository: 'extras' + description: 'AlmaLinux 9.5 extras' + osname: 'almalinux' + release: '9.5' + mirrorlist: 'https://mirrors.almalinux.org/mirrorlist/9.5/extras' + gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux-9' + almalinux_9_4_baseos: + repository: 'baseos' + description: 'AlmaLinux 9.4 BaseOS' + osname: 'almalinux' + release: '9.4' + baseurl: 'https://vault.almalinux.org/9.4/BaseOS/x86_64/os/' + gpgkey: 'https://vault.almalinux.org/9.4/BaseOS/x86_64/os/RPM-GPG-KEY-AlmaLinux-9' + almalinux_9_4_appstream: + repository: 'appstream' + description: 'AlmaLinux 9.4 AppStream' + osname: 'almalinux' + release: '9.4' + baseurl: 
'https://vault.almalinux.org/9.4/AppStream/x86_64/os/' + gpgkey: 'https://vault.almalinux.org/9.4/AppStream/x86_64/os/RPM-GPG-KEY-AlmaLinux-9' + almalinux_9_4_crb: + repository: 'crb' + description: 'AlmaLinux 9.4 CRB' + osname: 'almalinux' + release: '9.4' + baseurl: 'https://vault.almalinux.org/9.4/CRB/x86_64/os/' + gpgkey: 'https://vault.almalinux.org/9.4/CRB/x86_64/os/RPM-GPG-KEY-AlmaLinux-9' + almalinux_9_4_ha: + repository: 'ha' + description: 'AlmaLinux 9.4 HighAvailability' + osname: 'almalinux' + release: '9.4' + baseurl: 'https://vault.almalinux.org/9.4/HighAvailability/x86_64/os/' + gpgkey: 'https://vault.almalinux.org/9.4/HighAvailability/x86_64/os/RPM-GPG-KEY-AlmaLinux-9' + almalinux_9_4_extras: + repository: 'extras' + description: 'AlmaLinux 9.4 extras' + osname: 'almalinux' + release: '9.4' + baseurl: 'https://vault.almalinux.org/9.4/extras/x86_64/os/' + gpgkey: 'https://vault.almalinux.org/9.4/extras/x86_64/os/RPM-GPG-KEY-AlmaLinux-9' + docker_stable_el8: + repository: 'stable' + description: 'Docker CE Stable EL8' + osname: 'docker' + release: 'el8' + baseurl: 'https://download.docker.com/linux/centos/8/x86_64/stable/' + gpgkey: 'https://download.docker.com/linux/centos/gpg' + docker_stable_el9: + repository: 'stable' + description: 'Docker CE Stable EL9' + osname: 'docker' + release: 'el9' + baseurl: 'https://download.docker.com/linux/centos/9/x86_64/stable/' + gpgkey: 'https://download.docker.com/linux/centos/gpg' + frr_stable_el8: + repository: 'stable' + description: 'FRR Stable EL8' + osname: 'frr' + release: 'el8' + baseurl: 'https://rpm.frrouting.org/repo/el8/frr/' + gpgkey: 'https://packagerepo.service.consul/frr/gpg/RPM-GPG-KEY-FRR' + frr_extras_el8: + repository: 'extras' + description: 'FRR Extras EL8' + osname: 'frr' + release: 'el8' + baseurl: 'https://rpm.frrouting.org/repo/el8/extras/' + gpgkey: 'https://packagerepo.service.consul/frr/gpg/RPM-GPG-KEY-FRR' + frr_stable_el9: + repository: 'stable' + description: 'FRR Stable EL9' + 
osname: 'frr' + release: 'el9' + baseurl: 'https://rpm.frrouting.org/repo/el9/frr/' + gpgkey: 'https://packagerepo.service.consul/frr/gpg/RPM-GPG-KEY-FRR' + frr_extras_el9: + repository: 'extras' + description: 'FRR Extras el9' + osname: 'frr' + release: 'el9' + baseurl: 'https://rpm.frrouting.org/repo/el9/extras/' + gpgkey: 'https://packagerepo.service.consul/frr/gpg/RPM-GPG-KEY-FRR' + k8s_1.32: + repository: '1.32' + description: 'Kubernetes 1.32' + osname: 'k8s' + release: '1.32' + baseurl: 'https://pkgs.k8s.io/core:/stable:/v1.32/rpm/' + gpgkey: 'https://pkgs.k8s.io/core:/stable:/v1.32/rpm/repodata/repomd.xml.key' mariadb_11_2_el8: repository: 'el8' description: 'MariaDB 11.2' @@ -87,6 +206,20 @@ profiles::reposync::repos_list: release: 'rhel9' baseurl: 'https://download.postgresql.org/pub/repos/yum/common/redhat/rhel-9-x86_64/' gpgkey: 'https://download.postgresql.org/pub/repos/yum/keys/PGDG-RPM-GPG-KEY-RHEL' + postgresql_rhel8_15: + repository: '15' + description: 'PostgreSQL 15 RHEL 8' + osname: 'postgresql' + release: 'rhel8' + baseurl: 'https://download.postgresql.org/pub/repos/yum/15/redhat/rhel-8-x86_64/' + gpgkey: 'https://download.postgresql.org/pub/repos/yum/keys/PGDG-RPM-GPG-KEY-RHEL' + postgresql_rhel9_15: + repository: '15' + description: 'PostgreSQL 15 RHEL 9' + osname: 'postgresql' + release: 'rhel9' + baseurl: 'https://download.postgresql.org/pub/repos/yum/15/redhat/rhel-9-x86_64/' + gpgkey: 'https://download.postgresql.org/pub/repos/yum/keys/PGDG-RPM-GPG-KEY-RHEL' postgresql_rhel8_16: repository: '16' description: 'PostgreSQL 16 RHEL 8' 
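Review bot: The five AlmaLinux 9.5 entries fetch the signing key over plain HTTP (`gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux-9'`), so the value that anchors package verification has no transport integrity, while the 9.4 entries in the same hunk use `https://vault.almalinux.org/...`. Use an https source for the key — the same mirror path over https if it offers it, or the vault.almalinux.org key used by the 9.4 entries. The ZFS entries in the third hunk of this file use `http://` baseurls; that is tolerable only because their gpgkey is https, and a one-line comment saying so would stop someone "fixing" it the wrong way.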
@@ -101,3 +234,45 @@ profiles::reposync::repos_list: release: 'rhel9' baseurl: 'https://download.postgresql.org/pub/repos/yum/16/redhat/rhel-9-x86_64/' gpgkey: 'https://download.postgresql.org/pub/repos/yum/keys/PGDG-RPM-GPG-KEY-RHEL' + postgresql_rhel8_17: + repository: '17' + description: 'PostgreSQL 17 RHEL 8' + osname: 'postgresql' + release: 'rhel8' + baseurl: 'https://download.postgresql.org/pub/repos/yum/17/redhat/rhel-8-x86_64/' + gpgkey: 'https://download.postgresql.org/pub/repos/yum/keys/PGDG-RPM-GPG-KEY-RHEL' + postgresql_rhel9_17: + repository: '17' + description: 'PostgreSQL 17 RHEL 9' + osname: 'postgresql' + release: 'rhel9' + baseurl: 'https://download.postgresql.org/pub/repos/yum/17/redhat/rhel-9-x86_64/' + gpgkey: 'https://download.postgresql.org/pub/repos/yum/keys/PGDG-RPM-GPG-KEY-RHEL' + zfs_dkms_rhel8: + repository: 'dkms' + description: 'ZFS DKMS RHEL 8' + osname: 'zfs' + release: 'rhel8' + baseurl: 'http://download.zfsonlinux.org/epel/8/x86_64/' + gpgkey: 'https://packagerepo.service.consul/zfs/gpg/RPM-GPG-KEY-openzfs-2013' + zfs_kmod_rhel8: + repository: 'kmod' + description: 'ZFS KMOD RHEL 8' + osname: 'zfs' + release: 'rhel8' + baseurl: 'http://download.zfsonlinux.org/epel/8/kmod/x86_64/' + gpgkey: 'https://packagerepo.service.consul/zfs/gpg/RPM-GPG-KEY-openzfs-2013' + zfs_dkms_rhel9: + repository: 'dkms' + description: 'ZFS DKMS RHEL 9' + osname: 'zfs' + release: 'rhel9' + baseurl: 'http://download.zfsonlinux.org/epel/9/x86_64/' + gpgkey: 'https://packagerepo.service.consul/zfs/gpg/RPM-GPG-KEY-openzfs-2022' + zfs_kmod_rhel9: + repository: 'kmod' + description: 'ZFS KMOD RHEL 9' + osname: 'zfs' + release: 'rhel9' + baseurl: 'http://download.zfsonlinux.org/epel/9/kmod/x86_64/' + gpgkey: 'https://packagerepo.service.consul/zfs/gpg/RPM-GPG-KEY-openzfs-2022' diff --git a/hieradata/roles/infra/sql/patroni.yaml b/hieradata/roles/infra/sql/patroni.yaml index f925067..f962a62 100644 --- a/hieradata/roles/infra/sql/patroni.yaml 
+++ b/hieradata/roles/infra/sql/patroni.yaml @@ -4,14 +4,14 @@ profiles::yum::global::repos: name: postgresql-15 descr: postgresql-15 repository target: /etc/yum.repos.d/postgresql.repo - baseurl: https://edgecache.query.consul/postgres/yum/15/redhat/rhel-%{facts.os.release.full}-%{facts.os.architecture} - gpgkey: https://edgecache.query.consul/postgres/yum/keys/PGDG-RPM-GPG-KEY-RHEL + baseurl: https://packagerepo.service.consul/postgresql/rhel%{facts.os.release.major}/15-daily/%{facts.os.architecture}/os + gpgkey: https://packagerepo.service.consul/postgresql/rhel%{facts.os.release.major}/15-daily/%{facts.os.architecture}/os/PGDG-RPM-GPG-KEY-RHEL postgresql-common: name: postgresql-common descr: postgresql-common repository target: /etc/yum.repos.d/postgresql.repo - baseurl: https://edgecache.query.consul/postgres/yum/common/redhat/rhel-%{facts.os.release.full}-%{facts.os.architecture} - gpgkey: https://edgecache.query.consul/postgres/yum/keys/PGDG-RPM-GPG-KEY-RHEL + baseurl: https://packagerepo.service.consul/postgresql/rhel%{facts.os.release.major}/common-daily/%{facts.os.architecture}/os + gpgkey: https://packagerepo.service.consul/postgresql/rhel%{facts.os.release.major}/common-daily/%{facts.os.architecture}/os/PGDG-RPM-GPG-KEY-RHEL profiles::sql::patroni::cluster_name: "patroni-%{facts.environment}" profiles::sql::patroni::postgres_exporter_enabled: true diff --git a/hieradata/virtual/lxc.yaml b/hieradata/virtual/lxc.yaml new file mode 100644 index 0000000..8eb12d0 --- /dev/null +++ b/hieradata/virtual/lxc.yaml @@ -0,0 +1,10 @@ +--- +profiles::packages::include: + chrony: + ensure: absent + +# disable mlock for vault nodes on lxd/incus +vault::disable_mlock: true + +# manage jellyfin changes +profiles::media::jellyfin::data_dir: /shared/apps/jellyfin diff --git a/modules/etcd/manifests/init.pp b/modules/etcd/manifests/init.pp new file mode 100644 index 0000000..fdf7c56 --- /dev/null +++ b/modules/etcd/manifests/init.pp 
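Review bot: `vault::disable_mlock: true` lets Vault's unsealed key material be paged to swap, which the comment attributes to running on lxd/incus but does not say what compensates. Vault's guidance when mlock is disabled is to ensure swap is off for the process, so either state that the guests have no swap or manage it here, and extend the comment: `# disable mlock for vault nodes on lxd/incus; guests run without swap (see <PLACEHOLDER: where swap is disabled>)`. The key is set for every host matching this virtual fact, not only vault nodes, which is harmless but worth a word.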
@@ -0,0 +1,110 @@ +# manage etcd +class etcd ( + Boolean $manage_user = true, + Boolean $manage_group = true, + Boolean $manage_package = true, + Boolean $manage_service = true, + String[1] $package_name = 'etcd', + String[1] $user = 'etcd', + String[1] $group = 'etcd', + Stdlib::Absolutepath $config_path = '/etc/etcd', + Stdlib::Absolutepath $config_file = "${config_path}/etcd.yaml", + Hash $config = { 'data-dir' => '/var/lib/etcd' }, + Integer $max_open_files = 40000, +) { + if downcase($facts['kernel']) != 'linux' { + fail("Module etcd only supports Linux, not ${facts['kernel']}") + } + if $facts['service_provider'] != 'systemd' { + fail('Module etcd only supported on systems using systemd') + } + if ! $config['data-dir'] { + fail('Module etcd requires data-dir be specified in config Hash') + } + + if $manage_package { + package { $package_name: + ensure => installed, + } + } + + if $manage_user { + user { 'etcd': + ensure => 'present', + name => $user, + forcelocal => true, + shell => '/bin/false', + gid => $group, + home => $config['data-dir'], + managehome => false, + system => true, + before => Systemd::Unit_file['etcd.service'], + } + } + if $manage_group { + group { 'etcd': + ensure => 'present', + name => $group, + forcelocal => true, + system => true, + before => Systemd::Unit_file['etcd.service'], + } + } + + mkdir::p { $config_path: } + mkdir::p { $config['data-dir']: } + + file { $config_file: + ensure => 'file', + owner => $user, + group => $group, + mode => '0600', + content => to_yaml($config), + notify => Systemd::Unit_file['etcd.service'], + require => Mkdir::P[$config_path], + } + + file { 'etcd-data-dir': + ensure => 'directory', + path => $config['data-dir'], + owner => $user, + group => $group, + mode => '0700', + notify => Systemd::Unit_file['etcd.service'], + require => Mkdir::P[$config['data-dir']], + } + + file { 'etcd-data-dir-wal.tmp': + ensure => 'directory', + path => "${config['data-dir']}/wal.tmp", + owner => $user, + group => 
$group, + mode => '0700', + notify => Systemd::Unit_file['etcd.service'], + require => File['etcd-data-dir'], + } + + if $config['wal-dir'] { + mkdir::p { $config['wal-dir']: } + file { 'etcd-wal-dir': + ensure => 'directory', + path => $config['wal-dir'], + owner => $user, + group => $group, + mode => '0700', + notify => Systemd::Unit_file['etcd.service'], + require => Mkdir::P[$config['wal-dir']], + } + } + + if $manage_service { + include ::systemd + + systemd::unit_file { 'etcd.service': + content => template('etcd/etcd.service.erb'), + enable => true, + active => true, + require => Package[$package_name], + } + } +} diff --git a/modules/etcd/templates/etcd.service.erb b/modules/etcd/templates/etcd.service.erb new file mode 100644 index 0000000..967a95d --- /dev/null +++ b/modules/etcd/templates/etcd.service.erb @@ -0,0 +1,17 @@ +# DO NOT EDIT: This file is being managed by Puppet. +[Unit] +Description=etcd key-value store +Documentation=https://github.com/etcd-io/etcd +After=network.target + +[Service] +User=<%= @user %> +Group=<%= @group %> +Type=notify +ExecStart=/usr/bin/etcd --config-file <%= @config_file %> +Restart=always +RestartSec=10s +LimitNOFILE=<%= @max_open_files %> + +[Install] +WantedBy=multi-user.target diff --git a/modules/frrouting/manifests/init.pp b/modules/frrouting/manifests/init.pp index b5acb3d..007aa37 100644 --- a/modules/frrouting/manifests/init.pp +++ b/modules/frrouting/manifests/init.pp @@ -10,12 +10,17 @@ class frrouting ( Array[String] $ospfd_redistribute = [], Array[String] $ospfd_networks = [], Boolean $ospfd_default_originate_always = false, + Boolean $mpls_te_enabled = false, + Optional[String] $mpls_ldp_router_id = undef, + Optional[String] $mpls_ldp_transport_addr = undef, + Array[String] $mpls_ldp_interfaces = [], ) { $daemons_defaults = { 'bgpd' => false, 'ospfd' => true, 'ospf6d' => false, + 'ldpd' => false, 'ripd' => false, 'ripngd' => false, 'isisd' => false, 
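Review bot: The `user`, `group` and all `file` resources carry `before`/`notify => Systemd::Unit_file['etcd.service']`, but that resource is only declared inside `if $manage_service`, so a catalog compiled with `manage_service => false` fails with a missing-resource error rather than simply skipping the unit. Either make the relationship conditional (e.g. compute a `$unit_ref` that is `undef` when `$manage_service` is false and use it in those attributes), or document that `manage_service` cannot currently be disabled. The class header comment `# manage etcd` could also list the requirement that `config` contains `data-dir`, which the `fail()` on the guard enforces.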
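Review bot: The unit runs etcd as a dedicated user but carries no sandboxing directives, so a compromise of the process still sees the whole filesystem and can gain privileges through setuid binaries; the manifest already knows the only paths etcd must write (`data-dir`, and `wal-dir` when set), which makes a strict read-only root cheap to express. The lines below add standard systemd hardening; `ReadWritePaths` must include `wal-dir` if the manifest's optional `wal-dir` is configured, and `NoNewPrivileges` is safe for etcd, which does not re-exec with elevated rights.
```erb
[Service]
User=<%= @user %>
Group=<%= @group %>
NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
ReadWritePaths=<%= @config['data-dir'] %><% if @config['wal-dir'] %> <%= @config['wal-dir'] %><% end %>
# … unchanged: Type, ExecStart, Restart, RestartSec, LimitNOFILE …
```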
@@ -32,7 +37,7 @@ class frrouting ( 'staticd' => false, } - $daemons_merged = merge($daemons, $daemons_defaults) + $daemons_merged = merge($daemons_defaults, $daemons) if $manage_package { package { $package_name: @@ -62,4 +67,23 @@ class frrouting ( hasrestart => true, } } + + if $mpls_ldp_router_id and $mpls_ldp_transport_addr and !empty($mpls_ldp_interfaces) { + file { '/etc/modules-load.d/mpls_ldp_modules.conf': + ensure => file, + content => @(EOT/L), + # Load MPLS Kernel Modules + mpls_router + mpls_iptunnel + | EOT + } + + ['mpls_router', 'mpls_iptunnel'].each |$mod| { + exec { "load_${mod}": + command => "/sbin/modprobe ${mod}", + unless => "/sbin/lsmod | /bin/grep -q ^${mod}", + path => ['/sbin', '/bin', '/usr/sbin', '/usr/bin'], + } + } + } } diff --git a/modules/frrouting/templates/daemons.erb b/modules/frrouting/templates/daemons.erb index 846b339..09baa52 100644 --- a/modules/frrouting/templates/daemons.erb +++ b/modules/frrouting/templates/daemons.erb @@ -12,6 +12,7 @@ zebra_options=" -A 127.0.0.1 -s 90000000" bgpd_options=" -A 127.0.0.1" ospfd_options=" -A 127.0.0.1" ospf6d_options=" -A ::1" +ldpd_options=" -A 127.0.0.1" ripd_options=" -A 127.0.0.1" ripngd_options=" -A ::1" isisd_options=" -A 127.0.0.1" diff --git a/modules/frrouting/templates/frr.conf.erb b/modules/frrouting/templates/frr.conf.erb index f1638fd..4e6668b 100644 --- a/modules/frrouting/templates/frr.conf.erb +++ b/modules/frrouting/templates/frr.conf.erb 
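Review bot: The new `file` for `/etc/modules-load.d/mpls_ldp_modules.conf` and the two `modprobe` execs have no ordering relationship with the FRR service managed earlier in this class (outside the hunk), so on a first run `ldpd` can be started before `mpls_router`/`mpls_iptunnel` are loaded. Add `before => Service[<PLACEHOLDER: frr service resource>]` to the exec inside the `.each` block so the modules are in place before the daemon (re)starts. The `unless` command uses absolute paths for `lsmod` and `grep`, so the `path` attribute is redundant there; keeping one convention is a readability point only.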
@@ -24,4 +24,22 @@ router ospf <% if @ospfd_default_originate_always -%> default-information originate always <% end -%> +<% if @mpls_te_enabled -%> + capability opaque + mpls-te on + mpls-te router-address <%= @ospfd_router_id %> + mpls-te inter-as area 0.0.0.0 +<% end -%> exit +<% if @mpls_ldp_router_id and @mpls_ldp_transport_addr and @mpls_ldp_interfaces.any? -%> +mpls ldp + router-id <%= @mpls_ldp_router_id %> + address-family ipv4 + discovery transport-address <%= @mpls_ldp_transport_addr %> +<% @mpls_ldp_interfaces.each do |iface| -%> + interface <%= iface %> + exit +<% end -%> + exit-address-family +exit +<% end -%> diff --git a/modules/incus/lib/facter/incus.rb b/modules/incus/lib/facter/incus.rb new file mode 100644 index 0000000..585bd28 --- /dev/null +++ b/modules/incus/lib/facter/incus.rb @@ -0,0 +1,18 @@ +# frozen_string_literal: true + +require 'yaml' + +Facter.add(:incus) do + setcode do + # Check if the 'incus' executable exists + incus_path = Facter::Util::Resolution.which('incus') + next {} unless incus_path # Return an empty fact if incus isn't found + + # Run the `incus info` command using the found path + incus_output = Facter::Core::Execution.execute("#{incus_path} info") + next {} if incus_output.empty? # Return an empty fact if there's no output + + # Parse the output as YAML and return it + YAML.safe_load(incus_output, permitted_classes: [Symbol, Time, Date]) + end +end diff --git a/modules/incus/manifests/cluster.pp b/modules/incus/manifests/cluster.pp new file mode 100644 index 0000000..80c76b5 --- /dev/null +++ b/modules/incus/manifests/cluster.pp 
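Review bot: The fact stores the entire `incus info` document — `config`, `environment.certificate` and whatever else the daemon prints — in PuppetDB for every node, so any configuration key the daemon reports unmasked becomes visible to everything with PuppetDB read access; `cluster.pp` only reads `environment.server_clustered`, `environment.certificate` and `config`, so consider whitelisting those keys before returning, or at least add a comment confirming that `incus info` prints no secret-bearing keys. If the daemon is installed but stopped, `Facter::Core::Execution.execute` raises by default on a failed command rather than yielding the empty string the next line checks; if an empty fact is the intended outcome, pass `on_fail: ''` so the guard applies.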
@@ -0,0 +1,57 @@ +# manage incus clusters +class incus::cluster ( + Boolean $members_lookup = false, + String $members_role = undef, + String $master = undef, + Array $servers = [], + Stdlib::Fqdn $server_fqdn = $facts['networking']['fqdn'], + Stdlib::Port $server_port = 8443, +){ + + # check that the master is named + unless !($master == undef) { + fail("master must be provided for ${title}") + } + + # if lookup is enabled + if $members_lookup { + + # check that the role is also set + unless !($members_role == undef) { + fail("members_role must be provided for ${title} when members_lookup is True") + } + + # if it is, find hosts, sort them so they dont cause changes every run + $servers_array = sort(query_nodes("enc_role='${members_role}' and region='${facts['region']}'", 'networking.fqdn')) + + # else use provided array from params + }else{ + $servers_array = $servers + } + + # if its not an empty array. Give puppetdb a chance to be populated with data. + if length($servers_array) >= 3 { + + # check if this is the master_node + if $master == $trusted['certname'] { + $master_bool = true + }else{ + $master_bool = false + } + + # find bootstrap status for servers + $bootstrap_array = puppetdb_query("inventory[certname, facts] { facts.enc_role = '${members_role}' }").map |$node| { + { + 'fqdn' => $node['certname'], + 'ip' => $node['facts']['networking']['ip'], + 'clustered' => $node['facts']['incus']['environment']['server_clustered'], + 'certificate' => $node['facts']['incus']['environment']['certificate'], + } + } + + # determine if the cluster is bootstrapped + $cluster_bootstrapped = $bootstrap_array.any |$server| { + $server['fqdn'] == $master and $server['clustered'] == true + } + } +} diff --git a/modules/incus/manifests/init.pp b/modules/incus/manifests/init.pp new file mode 100644 index 0000000..077de8f --- /dev/null +++ b/modules/incus/manifests/init.pp 
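Review bot: Cluster membership and bootstrap state are derived entirely from node-reported facts — `enc_role`, `region`, `incus.environment.server_clustered` and `incus.environment.certificate` all come from the agents — so any node that reports the right `enc_role` is selected by `query_nodes`/`puppetdb_query` and can place its certificate in `$bootstrap_array`; only `$master` is compared against `$trusted['certname']`. Intersect the PuppetDB result with an operator-supplied allowlist (the existing `$servers`, or a `trusted.extensions` value) before anything is done with those entries. The `puppetdb_query` also omits the `region` filter that `query_nodes` applies, so a role shared across regions pulls in foreign nodes. Finally, `String $members_role = undef` and `String $master = undef` are not `Optional`, so as far as I can tell a missing value fails the type check before the `unless !($master == undef)` guards run; declare them `Optional[String]` and simplify the guard to `if $master == undef { fail("master must be provided for ${title}") }`.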
@@ -0,0 +1,77 @@ +class incus ( + Array[String] $packages = [ + 'incus', + 'incus-tools', + 'incus-client' + ], + Boolean $cluster = false, + Boolean $init = true, + String $bridge = 'incusbr0', + Stdlib::Port $server_port = 8443, + Stdlib::IP::Address $server_addr = $facts['networking']['ip'], + Optional[String] $storage_images_volume = undef, +) { + + package { $packages: + ensure => installed, + } + + service { 'incus': + ensure => running, + enable => true, + hasstatus => true, + hasrestart => true, + } + + file_line { 'subuid_root': + ensure => present, + path => '/etc/subuid', + line => 'root:1000000:1000000000', + match => '^root:', + notify => Service['incus'], + } + + file_line { 'subgid_root': + ensure => present, + path => '/etc/subgid', + line => 'root:1000000:1000000000', + match => '^root:', + notify => Service['incus'], + } + + if $init { + file {'/root/incus.preseed.yaml': + ensure => file, + owner => root, + group => root, + content => template('incus/join_preseed.yaml.erb') + } + + exec { 'initiate_incus': + path => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'], + command => 'cat /root/incus.preseed.yaml | incus admin init --preseed && touch /root/.incus_initialized', + refreshonly => true, + creates => '/root/.incus_initialized', + subscribe => File['/root/incus.preseed.yaml'], + } + } + + if $facts['incus'] and $facts['incus']['config'] { + # set core.https_address + if $facts['incus']['config']['core.https_address'] != "${server_addr}:${server_port}" { + exec { 'incus_config_set_core_https_address': + path => ['/bin', '/usr/bin'], + command => "incus config set core.https_address ${server_addr}:${server_port}", + } + } + # set storage.images_volume # path to store images + if $storage_images_volume { + if $facts['incus']['config']['storage.images_volume'] != $storage_images_volume { + exec { 'incus_config_set_storage_images_volume': + path => ['/bin', '/usr/bin'], + command => "incus config set storage.images_volume ${storage_images_volume}", + } 
+ } + } + } +} diff --git a/modules/incus/templates/join_preseed.yaml.erb b/modules/incus/templates/join_preseed.yaml.erb new file mode 100644 index 0000000..71026af --- /dev/null +++ b/modules/incus/templates/join_preseed.yaml.erb @@ -0,0 +1,18 @@ +config: + core.https_address: <%= @server_fqdn %>:<%= @server_port %> +networks: [] +storage_pools: [] +storage_volumes: [] +profiles: +- config: {} + description: "" + devices: + eth0: + name: eth0 + nictype: bridged + parent: <%= @bridge %> + type: nic + name: default + project: default +projects: [] +cluster: null diff --git a/modules/jellyfin/manifests/params.pp b/modules/jellyfin/manifests/params.pp index d74a3a4..889b067 100644 --- a/modules/jellyfin/manifests/params.pp +++ b/modules/jellyfin/manifests/params.pp @@ -1,9 +1,9 @@ # jellyfin params class jellyfin::params ( Array[String] $packages = [ - 'jellyfin', 'jellyfin-web', 'jellyfin-server', + 'jellyfin-ffmpeg-bin', 'SDL2', 'ffmpeg', 'ffmpeg-devel', diff --git a/modules/libs/lib/facter/enc_direct_facts.rb b/modules/libs/lib/facter/enc_direct_facts.rb new file mode 100644 index 0000000..3aec01b --- /dev/null +++ b/modules/libs/lib/facter/enc_direct_facts.rb 
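Review bot: `Exec['initiate_incus']` has no ordering against `Package[$packages]` or `Service['incus']`, so on a fresh host `incus admin init --preseed` can be attempted before the daemon is installed or listening; if it fails, `touch` is skipped, and because the exec is `refreshonly` on a file that will not change again it is never retried, as far as I can tell. Add `require => Service['incus']` to the exec and `require => Package[$packages]` to the service so initialisation runs only once the daemon is up. The `incus config set` execs run unguarded whenever the fact disagrees, which is acceptable for a one-run correction, but a comment noting that `$facts['incus']` lags by one agent run would save the next reader a puzzle. This hunk spans the previous line as well.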
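Review bot: `@server_fqdn` is not a parameter of the `incus` class that renders this template (it declares `$server_addr`; `$server_fqdn` belongs to `incus::cluster`), so Puppet's ERB renders it empty and the preseed becomes `core.https_address: :8443`, which makes incus listen on every interface from the first `incus admin init` onward. Use `<%= @server_addr %>` here (matching the later `incus config set core.https_address ${server_addr}:${server_port}` exec) or add `$server_fqdn` to class `incus`. Because an unset instance variable only produces a warning, this will not fail loudly — a comment naming the variables the template expects would catch the next mismatch.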
@@ -0,0 +1,74 @@ +# frozen_string_literal: true + +require 'facter' +require 'yaml' +require 'net/http' +require 'uri' +require 'fileutils' + +# CobblerENC module: Fetches ENC data from Cobbler, caches it, and provides structured facts. +module CobblerENC + CACHE_FILE = '/var/cache/puppet_enc.yaml' + CACHE_TTL = 7 * 24 * 60 * 60 # 7 days in seconds + @enc_data = nil # In-memory cache for the ENC response + + def self.read_cache + return {} unless File.exist?(CACHE_FILE) + + cache_data = YAML.safe_load(File.read(CACHE_FILE)) || {} + timestamp = cache_data.fetch('timestamp', 0) + + return cache_data if Time.now.to_i - timestamp < CACHE_TTL + + {} + end + + def self.write_cache(enc_data) + FileUtils.mkdir_p(File.dirname(CACHE_FILE)) + cache_data = enc_data.merge({ 'timestamp' => Time.now.to_i }) + File.write(CACHE_FILE, cache_data.to_yaml) + end + + def self.fetch_from_cobbler + uri = URI("http://cobbler.main.unkin.net/cblr/svc/op/puppet/hostname/#{Facter.value(:fqdn) || Facter.value(:hostname)}") + response = Net::HTTP.get_response(uri) + + raise "Failed to fetch ENC data. HTTP #{response.code}" unless response.is_a?(Net::HTTPSuccess) + + YAML.safe_load(response.body) || {} + end + + def self.retrieve_enc_data + return @enc_data if @enc_data + + @enc_data = fetch_from_cobbler + write_cache(@enc_data) + @enc_data + end + + def self.fetch_enc_data + retrieve_enc_data + rescue StandardError => e + Facter.warn("Error retrieving Cobbler ENC data: #{e.message}") + @enc_data = read_cache + return @enc_data unless @enc_data.empty? + + raise 'No cached ENC data available and Cobbler is down.' 
+ end + + def self.enc_role + fetch_enc_data.fetch('classes', {}).keys.first || raise('ENC Role not found in Cobbler ENC response') + end + + def self.enc_env + fetch_enc_data.fetch('environment', nil) || raise('ENC Environment not found in Cobbler ENC response') + end +end + +Facter.add('enc_role') do + setcode { CobblerENC.enc_role } +end + +Facter.add('enc_env') do + setcode { CobblerENC.enc_env } +end diff --git a/modules/libs/lib/facter/enc_env.rb b/modules/libs/lib/facter/enc_env.rb deleted file mode 100644 index 2975c45..0000000 --- a/modules/libs/lib/facter/enc_env.rb +++ /dev/null @@ -1,13 +0,0 @@ -# frozen_string_literal: true - -Facter.add('enc_env') do - setcode do - require 'yaml' - # Check if the YAML file exists - if File.exist?('/root/.cache/custom_facts.yaml') - data = YAML.load_file('/root/.cache/custom_facts.yaml') - # Use safe navigation to return 'enc_env' or nil - data&.dig('enc_env') - end - end -end diff --git a/modules/libs/lib/facter/enc_role.rb b/modules/libs/lib/facter/enc_role.rb deleted file mode 100644 index 979b4bf..0000000 --- a/modules/libs/lib/facter/enc_role.rb +++ /dev/null @@ -1,13 +0,0 @@ -# frozen_string_literal: true - -Facter.add('enc_role') do - setcode do - require 'yaml' - # Check if the YAML file exists - if File.exist?('/root/.cache/custom_facts.yaml') - data = YAML.load_file('/root/.cache/custom_facts.yaml') - # Use safe navigation to return 'enc_role' or nil - data&.dig('enc_role') - end - end -end diff --git a/modules/libs/lib/facter/subnet_facts.rb b/modules/libs/lib/facter/subnet_facts.rb index 458c8e0..6bc2886 100644 --- a/modules/libs/lib/facter/subnet_facts.rb +++ b/modules/libs/lib/facter/subnet_facts.rb 
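Review bot: Role and environment — which decide what classes a host receives and, elsewhere in this change, its cluster membership — are fetched over plain `http://` with no authentication, so anyone who can answer for `cobbler.main.unkin.net` on the path can hand a node an arbitrary role; and since these are node-supplied facts, the master cannot treat them as trustworthy either. Switch the URI to `https://` and fetch via `Net::HTTP.start(uri.host, uri.port, use_ssl: true, verify_mode: OpenSSL::SSL::VERIFY_PEER)` with explicit `open_timeout`/`read_timeout`, since today a hung Cobbler stalls every fact run for the default timeout before the cache fallback kicks in. Write the cache with `File.write(CACHE_FILE, cache_data.to_yaml, perm: 0o600)` so ENC parameters are not world-readable under the default umask. `fetch_enc_data` begins on the previous line; the hunk is complete here.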
@@ -10,7 +10,18 @@ class SubnetAttributes '198.18.15.0/24' => { environment: 'prod', region: 'syd1', country: 'au' }, '198.18.16.0/24' => { environment: 'test', region: 'syd1', country: 'au' }, '198.18.17.0/24' => { environment: 'prod', region: 'drw1', country: 'au' }, - '198.18.18.0/24' => { environment: 'test', region: 'drw1', country: 'au' } + '198.18.18.0/24' => { environment: 'test', region: 'drw1', country: 'au' }, + '198.18.19.0/24' => { environment: 'prod', region: 'syd1', country: 'au' }, # loopbacks + '198.18.20.0/24' => { environment: 'prod', region: 'syd1', country: 'au' }, # MPLS CORE BLOCKS + '198.18.21.0/24' => { environment: 'prod', region: 'syd1', country: 'au' }, # physical network 2.5gbe + '198.18.22.0/24' => { environment: 'prod', region: 'syd1', country: 'au' }, # ceph cluster + '198.18.23.0/24' => { environment: 'prod', region: 'syd1', country: 'au' }, # ceph public + '198.18.24.0/24' => { environment: 'prod', region: 'syd1', country: 'au' }, # dmz 1 + '198.18.25.0/24' => { environment: 'prod', region: 'syd1', country: 'au' }, # common node0009 + '198.18.26.0/24' => { environment: 'prod', region: 'syd1', country: 'au' }, # common node0010 + '198.18.27.0/24' => { environment: 'prod', region: 'syd1', country: 'au' }, # common node0011 + '198.18.28.0/24' => { environment: 'prod', region: 'syd1', country: 'au' }, # common node0012 + '198.18.29.0/24' => { environment: 'prod', region: 'syd1', country: 'au' } # common node0013 }.freeze # Default attributes if no subnet matches, also defined as a constant diff --git a/modules/networking/manifests/bridge.pp b/modules/networking/manifests/bridge.pp new file mode 100644 index 0000000..7fd30f1 --- /dev/null +++ b/modules/networking/manifests/bridge.pp 
@@ -0,0 +1,22 @@ +# manage bridges and bridge slaves +define networking::bridge ( + String $type, + Optional[Stdlib::IP::Address] $ipaddress, + Optional[Stdlib::IP::Address] $netmask = undef, + Optional[Stdlib::IP::Address] $gateway = undef, + Optional[Boolean] $nocarrier = undef, + Boolean $bridge = true, + Integer[100-9200] $mtu = 1500, + Optional[Boolean] $forwarding = false, +) { + include systemd + + systemd::network { "${title}.netdev": + content => template('networking/bridge.netdev.erb'), + } + + # Use shared template, it will detect bridge=true and skip Address/DNS/etc + systemd::network { "${title}.network": + content => template('networking/networkd-network.erb'), + } +} diff --git a/modules/networking/manifests/dummy.pp b/modules/networking/manifests/dummy.pp new file mode 100644 index 0000000..cae8e10 --- /dev/null +++ b/modules/networking/manifests/dummy.pp @@ -0,0 +1,18 @@ +# manage dummy/loopback interfaces +define networking::dummy ( + String $type, + Stdlib::IP::Address $ipaddress, + Stdlib::IP::Address $netmask, + Integer[100-9200] $mtu = 1500, + Optional[Boolean] $forwarding = false, +) { + include systemd + + systemd::network { "${title}.netdev": + content => template('networking/dummy.netdev.erb'), + } + + systemd::network { "${title}.network": + content => template('networking/networkd-network.erb'), + } +} diff --git a/modules/networking/manifests/init.pp b/modules/networking/manifests/init.pp index ae3970a..2cce6c7 100644 --- a/modules/networking/manifests/init.pp +++ b/modules/networking/manifests/init.pp 
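Review bot: `Integer[100-9200]` is, as far as I can tell from Puppet's grammar, evaluated as the expression `100 - 9200`, giving `Integer[-9100]` (any integer ≥ -9100) rather than a 100..9200 range, so `$mtu` is effectively unvalidated; `networking::dummy` in this same hunk repeats the pattern. Write the bounds with a comma: `Integer[100, 9200] $mtu = 1500`. `Optional[Stdlib::IP::Address] $ipaddress` with no default is still a required parameter (Optional only admits `undef` as a value), so give it `= undef` if an address-less bridge is intended, which the comment about the shared template skipping Address/DNS suggests it is.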
@@ -4,34 +4,67 @@ class networking ( Hash $interface_defaults = {}, Hash $routes = {}, Hash $route_defaults = {}, + Boolean $use_networkd = lookup('systemd::manage_networkd', undef, undef, false), ){ include network include networking::params - # manage interfaces - $interfaces.each | $interface, $data | { - $merged_data = merge($interface_defaults, $data) - network_config { $interface: - * => $merged_data, - notify => Exec['networking_reload_network'], - } - } + if $use_networkd { - # manage routes - $routes.each | $route, $data | { - $merged_data = merge($route_defaults, $data) - network_route { $route: - * => $merged_data, - notify => Exec['networking_reload_network'], + include systemd + + service { 'NetworkManager': + ensure => 'stopped', + enable => false, + } + + $interfaces.each |String $iface, Hash $data| { + $type = $data['type'] + #$params = $data.filter |$key, $value| { $key != 'type' } + + case $type { + 'bridge': { networking::bridge { $iface: * => $data } } + 'dummy': { networking::dummy { $iface: * => $data } } + 'static': { networking::static { $iface: * => $data } } + 'physical': { networking::static { $iface: * => $data } } + default: { + fail("Unsupported interface type '${type}' for interface '${iface}'") + } + } + } + }else{ + # manage interfaces + $interfaces.each | $interface, $data | { + $merged_data = merge($interface_defaults, $data) + network_config { $interface: + * => $merged_data, + notify => Exec['networking_reload_network'], + } + } + + # manage routes + $routes.each | $route, $data | { + $merged_data = merge($route_defaults, $data) + network_route { $route: + * => $merged_data, + notify => Exec['networking_reload_network'], + } } } # determine which networking service to restart - $restart_command = $facts['os']['family'] ? 
{ - 'RedHat' => '/usr/bin/systemctl restart network', - 'Debian' => '/usr/bin/systemctl restart networking', - default => fail('Unsupported OS in networking-restart-command'), + $restart_command = $use_networkd ? { + true => '/usr/bin/systemctl restart systemd-networkd', + default => $facts['os']['family'] ? { + 'RedHat' => $facts['os']['release']['major'] ? { + '8' => '/usr/bin/systemctl restart network', + '9' => '/usr/bin/systemctl restart NetworkManager', + default => fail('Unsupported RedHat OS release for networking restart'), + }, + 'Debian' => '/usr/bin/systemctl restart networking', + default => fail('Unsupported OS in networking-restart-command'), + } } # restart network/networking only if $restart_networking boolean is true diff --git a/modules/networking/manifests/static.pp b/modules/networking/manifests/static.pp new file mode 100644 index 0000000..8110d8a --- /dev/null +++ b/modules/networking/manifests/static.pp @@ -0,0 +1,27 @@ +# manage static interfaces +define networking::static ( + String $type, + Stdlib::IP::Address $netmask = '255.255.255.0', + Integer[100-9200] $mtu = 1500, + Boolean $dhcp = false, + Optional[Boolean] $forwarding = false, + Optional[Stdlib::IP::Address] $ipaddress = undef, + Optional[Stdlib::IP::Address] $gateway = undef, + Optional[Array[Stdlib::IP::Address]] $dns = undef, + Optional[Array[Stdlib::Fqdn]] $domains = undef, + Optional[Integer[0-4096]] $vlan = undef, + Optional[Variant[Boolean,String]] $bridge = undef, + Optional[Integer[0-4294967294]] $txqueuelen = undef, + Optional[Stdlib::MAC] $mac = undef, +) { + include systemd + + systemd::network { "${title}.network": + content => template('networking/networkd-network.erb'), + } + #if $type == 'physical' and $mac { + # systemd::network { "${title}.link": + # content => template('networking/networkd-link.erb'), + # } + #} +} 
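Review bot: Under `$use_networkd` the `$routes` hash is silently dropped — the networkd branch only iterates `$interfaces`, while the legacy branch still declares `network_route` resources — so a host switched to networkd loses every static route without any compile-time signal. Either render `[Route]` sections from `$routes` in the networkd branch or `fail()` there when `$routes` is non-empty. `systemctl restart systemd-networkd` also tears links down and rebuilds them; `networkctl reload` applies `.network` changes without dropping interfaces and is the safer restart target for a remotely-managed box. The class header and the restart exec that consumes `$restart_command` lie outside the hunk.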
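Review bot: The range types here use subtraction instead of a comma — `Integer[100-9200]`, `Integer[0-4096]` and `Integer[0-4294967294]` evaluate to single lower bounds of `-9100`, `-4096` and `-4294967294` — so `$mtu`, `$vlan` and `$txqueuelen` are not bounded above at all. Use `Integer[100, 9200]`, `Integer[1, 4094]` (VLAN IDs 0 and 4095 are reserved) and `Integer[0, 4294967294]`. `Optional[Boolean] $forwarding = false` can simply be `Boolean`, and the commented-out `.link` block deserves a `# TODO` stating why it is disabled rather than dead code.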
diff --git a/modules/networking/templates/bridge.netdev.erb b/modules/networking/templates/bridge.netdev.erb new file mode 100644 index 0000000..94253e0 --- /dev/null +++ b/modules/networking/templates/bridge.netdev.erb @@ -0,0 +1,3 @@ +[NetDev] +Name=<%= @title %> +Kind=bridge diff --git a/modules/networking/templates/dummy.netdev.erb b/modules/networking/templates/dummy.netdev.erb new file mode 100644 index 0000000..05ef8f4 --- /dev/null +++ b/modules/networking/templates/dummy.netdev.erb @@ -0,0 +1,3 @@ +[NetDev] +Name=<%= @title %> +Kind=dummy diff --git a/modules/networking/templates/networkd-link.erb b/modules/networking/templates/networkd-link.erb new file mode 100644 index 0000000..d45240d --- /dev/null +++ b/modules/networking/templates/networkd-link.erb @@ -0,0 +1,8 @@ +[Match] +MACAddress=<%= @mac %> + +[Link] +MTUBytes=<%= @mtu %> +<% if @txqueuelen and @txqueuelen >= 1 -%> +TransmitQueueLength=<%= @txqueuelen %> +<% end -%> diff --git a/modules/networking/templates/networkd-network.erb b/modules/networking/templates/networkd-network.erb new file mode 100644 index 0000000..b2ffc1e --- /dev/null +++ b/modules/networking/templates/networkd-network.erb 
@@ -0,0 +1,41 @@ +[Match] +Name=<%= @title %> + +[Network] +<% if @dhcp == true -%> +DHCP=yes +<% else -%> +<% if @ipaddress && @netmask -%> +Address=<%= @ipaddress %>/<%= IPAddr.new(@netmask).to_i.to_s(2).count('1') %> +<% end -%> +<% if @gateway -%> +Gateway=<%= @gateway %> +<% end -%> +<% if @dns -%> +DNS=<%= Array(@dns).join(' ') %> +<% end -%> +<% if @domains -%> +Domains=<%= Array(@domains).join(' ') %> +<% end -%> +<% end -%> +<% if @bridge and @bridge != true -%> +Bridge=<%= @bridge %> +<% end -%> +<% if @vlan -%> +VLAN=<%= @vlan %> +<% end -%> +<% if @nocarrier and @nocarrier == true -%> +ConfigureWithoutCarrier=true +DuplicateAddressDetection=none +RequiredForOnline=no-carrier +<% end -%> +<% if @type == 'dummy' -%> +LinkLocalAddressing=no +ActivationPolicy=always-up +<% end -%> +<% if @forwarding and @forwarding == true -%> +IPForward=true +<% end -%> + +[Link] +MTUBytes=<%= @mtu %> diff --git a/modules/zfs/lib/facter/zfs_zpool_cache_present.rb b/modules/zfs/lib/facter/zfs_zpool_cache_present.rb new file mode 100644 index 0000000..d2e87fe --- /dev/null +++ b/modules/zfs/lib/facter/zfs_zpool_cache_present.rb @@ -0,0 +1,14 @@ +# frozen_string_literal: true + +Facter.add('zfs_zpool_cache_present') do + confine kernel: 'Linux' + setcode do + File.exist?('/etc/zfs/zpool.cache') + end +end + +Facter.add('zfs_zpool_cache_present') do + setcode do + false + end +end diff --git a/modules/zfs/manifests/config.pp b/modules/zfs/manifests/config.pp new file mode 100644 index 0000000..b1e05fa --- /dev/null +++ b/modules/zfs/manifests/config.pp @@ -0,0 +1,10 @@ +# manage zfs config +class zfs::config { + + file { $zfs::conf_dir: + ensure => directory, + owner => 0, + group => 0, + mode => '0644', + } +} diff --git a/modules/zfs/manifests/init.pp b/modules/zfs/manifests/init.pp new file mode 100644 index 0000000..6feeeed --- /dev/null +++ b/modules/zfs/manifests/init.pp 
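Review bot: `IPForward=true` in systemd-networkd is not per-interface — the systemd documentation describes it as a global switch over the kernel forwarding sysctls — so `forwarding => true` on a dummy or bridge turns the whole host into a router; add a comment above that line saying so, and confirm whether the targeted systemd release has already split it into `IPv4Forwarding=`/`IPv6Forwarding=` (later versions warn and ignore the old key). `IPAddr.new(@netmask)` also assumes `ipaddr` has been loaded in the compiler by something else; put `<% require 'ipaddr' -%>` at the top of the template. `<% if @nocarrier and @nocarrier == true -%>` and the similar `@forwarding` test can be `<% if @nocarrier -%>`, since these are typed `Boolean` in the defines.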
@@ -0,0 +1,52 @@ +# Installs basic ZFS kernel and userland support. +# +# @example Declaring the class +# include zfs +# +# @example Tuning the ZFS ARC +# class { 'zfs': +# zfs_arc_max => to_bytes('256 M'), +# zfs_arc_min => to_bytes('128 M'), +# } +# +# @param conf_dir Top-level configuration directory, usually `/etc/zfs`. +# @param kmod_type Whether to use DKMS kernel packages or ones built to match +# the running kernel (only applies to RHEL platforms). +# @param manage_repo Whether to setup and manage external package repositories. +# @param package_name The name of the top-level metapackage that installs ZFS +# support. +# @param service_manage Whether to manage the various ZFS services. +# @param zfs_arc_max Maximum size of the ARC in bytes. +# @param zfs_arc_min Minimum size of the ARC in bytes. +class zfs ( + Optional[Integer[0]] $zfs_arc_max, + Optional[Integer[0]] $zfs_arc_min, + Optional[Hash] $zpools, + Optional[Hash] $datasets, + Stdlib::Absolutepath $conf_dir = '/etc/zfs', + Enum['dkms', 'kabi'] $kmod_type = 'kabi', + Boolean $manage_repo = true, + Variant[String, Array[String, 1]] $package_name = 'zfs', + Boolean $service_manage = true, +) { + + contain zfs::install + contain zfs::config + contain zfs::service + + Class['zfs::install'] ~> Class['zfs::config'] ~> Class['zfs::service'] + + # create zpools + $zpools.each | $zpool, $data | { + zpool { $zpool: + * => $data + } + } + + # create datasets + $datasets.each | $dataset, $data | { + zfs { $dataset: + * => $data + } + } +} diff --git a/modules/zfs/manifests/install.pp b/modules/zfs/manifests/install.pp new file mode 100644 index 0000000..cb78576 --- /dev/null +++ b/modules/zfs/manifests/install.pp 
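Review bot: `Optional[Hash] $zpools` and `Optional[Hash] $datasets` have no default, so they are mandatory (Optional only widens the accepted type), and a caller passing `undef` then hits `$zpools.each` on undef; `include zfs` as shown in the @example cannot compile. Declare them `Hash $zpools = {}` and `Hash $datasets = {}`, and give `$zfs_arc_max`/`$zfs_arc_min` `= undef` for the same reason. Also add `@param zpools`/`@param datasets` entries, since every other parameter is documented in the header.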
@@ -0,0 +1,151 @@ +# manage zfs install/repos +class zfs::install { + + if $zfs::manage_repo { + case $facts['os']['family'] { + 'RedHat': { + $baseurl = 'http://download.zfsonlinux.org' + $release = $facts['os']['release']['major'] ? { + '6' => '6', + '7' => $facts['os']['release']['full'] ? { + /^7\.[012]/ => '7', + default => regsubst($facts['os']['release']['full'], '^7\.(\d+).*$', '7.\1'), + }, + '8' => $facts['os']['release']['full'] ? { + /^8\.4/ => '8.3', + default => regsubst($facts['os']['release']['full'], '^8\.(\d+).*$', '8.\1'), + }, + default => regsubst($facts['os']['release']['full'], '^(\d\.\d+).*$', '\1'), + } + + yumrepo { 'zfs': + baseurl => "${baseurl}/epel/${release}/\$basearch/", + descr => "ZFS on Linux for EL${facts['os']['release']['major']} - dkms", + enabled => Integer($zfs::kmod_type == 'dkms'), + before => Package[$zfs::package_name], + } + + yumrepo { 'zfs-kmod': + baseurl => "${baseurl}/epel/${release}/kmod/\$basearch/", + descr => "ZFS on Linux for EL${facts['os']['release']['major']} - kmod", + enabled => Integer($zfs::kmod_type == 'kabi'), + } + + yumrepo { 'zfs-source': + baseurl => "${baseurl}/epel/${release}/SRPMS/", + descr => "ZFS on Linux for EL${facts['os']['release']['major']} - Source", + enabled => 0, + } + + yumrepo { 'zfs-testing': + baseurl => "${baseurl}/epel-testing/${release}/\$basearch/", + descr => "ZFS on Linux for EL${facts['os']['release']['major']} - dkms - Testing", + enabled => 0, + } + + yumrepo { 'zfs-testing-kmod': + baseurl => "${baseurl}/epel-testing/${release}/kmod/\$basearch/", + descr => "ZFS on Linux for EL${facts['os']['release']['major']} - kmod - Testing", + enabled => 0, + } + + yumrepo { 'zfs-testing-source': + baseurl => "${baseurl}/epel-testing/${release}/SRPMS/", + descr => "ZFS on Linux for EL${facts['os']['release']['major']} - Testing Source", + enabled => 0, + } + } + default: { + # noop + } + } + } + + # Handle these dependencies separately as they shouldn't be guarded by + # 
`$zfs::manage_repo` + case $facts['os']['family'] { + 'RedHat': { + case $zfs::kmod_type { + 'dkms': { + # Puppet doesn't like managing multiple versions of the same package. + # By using the version in the name Yum will do the right thing + ensure_packages(["kernel-devel-${facts['kernelrelease']}"], { + ensure => present, + before => Package[$zfs::package_name], + }) + } + default: { + # noop + } + } + } + 'Debian': { + case $facts['os']['name'] { + 'Ubuntu': { + # noop + } + default: { + ensure_packages(["linux-headers-${facts['kernelrelease']}", "linux-headers-${facts['os']['architecture']}"], { + before => Package[$zfs::package_name], + }) + } + } + } + default: { + # noop + } + } + + # This is to work around the broken Debian 9 packages. Upon install the + # zfs-mount.service is started first which is the only unit that doesn't + # have an "ExecStartPre=-/sbin/modprobe zfs" line so the package can never + # be installed! + if $facts['os']['name'] == 'Debian' and $facts['os']['release']['major'] == '9' { + exec { 'zfs systemctl daemon-reload': + command => 'systemctl daemon-reload', + refreshonly => true, + path => $facts['path'], + } + + Exec['zfs systemctl daemon-reload'] -> Package[$zfs::package_name] + + file { '/etc/systemd/system/zfs-mount.service.d': + ensure => directory, + owner => 0, + group => 0, + mode => '0644', + } + + file { '/etc/systemd/system/zfs-mount.service.d/override.conf': + ensure => file, + owner => 0, + group => 0, + mode => '0644', + content => @(EOS/L), + [Service] + ExecStartPre=-/sbin/modprobe zfs + | EOS + notify => Exec['zfs systemctl daemon-reload'], + } + } + + # These need to be done here so the kernel settings are present before the + # package is installed and potentially loading the kernel module + $config = delete_undef_values({ + 'zfs_arc_max' => $zfs::zfs_arc_max, + 'zfs_arc_min' => $zfs::zfs_arc_min, + }) + + $config.each |$option,$value| { + kmod::option { "zfs ${option}": + module => 'zfs', + option => $option, + 
value => $value, + before => Package[$zfs::package_name], + } + } + + package { $zfs::package_name: + ensure => present, + } +} diff --git a/modules/zfs/manifests/service.pp b/modules/zfs/manifests/service.pp new file mode 100644 index 0000000..64ec056 --- /dev/null +++ b/modules/zfs/manifests/service.pp 
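Review bot: The `zfs` and `zfs-kmod` repositories point at `http://download.zfsonlinux.org` with no `gpgcheck`/`gpgkey`, so kernel modules are installed from an unauthenticated plaintext source and anyone between the host and the mirror can deliver arbitrary kernel code. Change `$baseurl` to `https://` and set `gpgcheck => 1` with `gpgkey` pointing at the project's published signing key on every repo, including the disabled testing/source ones so enabling them later is safe by default. The `kernel-devel-${facts['kernelrelease']}` pin is the right approach for dkms; a comment noting that a kernel upgrade between Puppet runs leaves dkms without matching headers would help the next operator. The hunk begins two lines earlier.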
@@ -0,0 +1,90 @@ +# manage zfs services +class zfs::service { + + if $zfs::service_manage { + + exec { 'modprobe zfs': + path => $facts['path'], + unless => 'grep -q "^zfs " /proc/modules', + } + + case $facts['service_provider'] { + 'systemd': { + $cache_ensure = str2bool($facts['zfs_zpool_cache_present']) ? { + true => 'running', + default => 'stopped', + } + + $scan_ensure = str2bool($facts['zfs_zpool_cache_present']) ? { + true => 'stopped', + default => 'running', + } + + service { 'zfs-import-cache': + ensure => $cache_ensure, + enable => true, + hasstatus => true, + hasrestart => true, + require => Exec['modprobe zfs'], + before => Service['zfs-mount'], + } + + service { 'zfs-import-scan': + ensure => $scan_ensure, + enable => true, + hasstatus => true, + hasrestart => true, + require => Exec['modprobe zfs'], + before => Service['zfs-mount'], + } + } + default: { + + case $facts['os']['family'] { + 'RedHat': { + service { 'zfs-import': + ensure => running, + enable => true, + hasstatus => true, + hasrestart => true, + require => Exec['modprobe zfs'], + before => Service['zfs-mount'], + } + } + 'Debian': { + $import_ensure = str2bool($facts['zfs_zpool_cache_present']) ? { + true => 'running', + default => 'stopped', + } + + service { 'zpool-import': + ensure => $import_ensure, + enable => true, + hasstatus => true, + hasrestart => true, + require => Exec['modprobe zfs'], + } + } + default: { + # noop + } + } + } + } + + service { 'zfs-mount': + ensure => running, + enable => true, + hasstatus => true, + hasrestart => true, + before => Service['zfs-share'], + } + + service { 'zfs-share': + ensure => running, + enable => true, + hasstatus => true, + hasrestart => true, + } + } +} diff --git a/site/profiles/manifests/accounts/root.pp b/site/profiles/manifests/accounts/root.pp new file mode 100644 index 0000000..ebae0d4 --- /dev/null +++ b/site/profiles/manifests/accounts/root.pp 
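Review bot: `Exec['modprobe zfs']` uses `path => $facts['path']`, the PATH the agent process happened to inherit as reported by the node, so a root-run `modprobe` is resolved through an environment-controlled list. The frrouting hunk in this same change uses an explicit list; do the same here with `path => ['/sbin', '/bin', '/usr/sbin', '/usr/bin']` (and in `zfs::install`'s daemon-reload exec). A short comment that `zfs-import-cache` and `zfs-import-scan` are deliberately mutually exclusive on `zfs_zpool_cache_present` would explain the paired `$cache_ensure`/`$scan_ensure` selectors.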
@@ -0,0 +1,18 @@ +# manage the root user +class profiles::accounts::root ( + Optional[Array[String]] $sshkeys = undef, +) { + + if $sshkeys { + accounts::user { 'root': + sshkeys => $sshkeys, + } + } + + file {'/root/.config': + ensure => directory, + owner => 'root', + group => 'root', + mode => '0600', + } +} diff --git a/site/profiles/manifests/accounts/sysadmin.pp b/site/profiles/manifests/accounts/sysadmin.pp index f766f31..8e5d6a6 100644 --- a/site/profiles/manifests/accounts/sysadmin.pp +++ b/site/profiles/manifests/accounts/sysadmin.pp @@ -2,12 +2,20 @@ class profiles::accounts::sysadmin( String $password, Array[String] $sshkeys = [], + Array[String] $extra_groups = [], ){ + + $default_groups = [ + 'adm', + 'admins', + 'systemd-journal' + ] + + $groups = $extra_groups + $default_groups + profiles::base::account {'sysadmin': username => 'sysadmin', - uid => 1000, - gid => 1000, - groups => ['adm', 'admins', 'systemd-journal'], + groups => $groups, sshkeys => $sshkeys, sudo_rules => ['sysadmin ALL=(ALL) NOPASSWD:ALL'], password => $password, diff --git a/site/profiles/manifests/base.pp b/site/profiles/manifests/base.pp index 7eec9ab..890fa6f 100644 --- a/site/profiles/manifests/base.pp +++ b/site/profiles/manifests/base.pp @@ -22,18 +22,20 @@ class profiles::base ( # include the base profiles include profiles::base::repos include profiles::packages - include profiles::base::facts include profiles::base::motd include profiles::base::scripts include profiles::base::hosts include profiles::base::groups - include profiles::base::root + include profiles::accounts::root include profiles::accounts::sysadmin - include profiles::ntp::client + if $facts['virtual'] != 'lxc' { + include profiles::ntp::client + } include profiles::dns::base include profiles::pki::vault include profiles::ssh::sign include profiles::ssh::knownhosts + include profiles::ssh::service include profiles::cloudinit::init include profiles::metrics::default include profiles::helpers::node_lookup 
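Review bot: `accounts::user { 'root': sshkeys => $sshkeys }` takes puppetlabs-accounts' defaults, which as far as I can see do not purge unmanaged keys, unlike the `profiles::base::account` wrapper that sets `purge_sshkeys => true` — so a key removed from hiera remains valid for root indefinitely. Pass `purge_sshkeys => true` explicitly, and consider whether `accounts::user` should be managing root's shell and home at all versus a bare `ssh_authorized_key` resource. `/root/.config` with `mode => '0600'` relies on Puppet adding the execute bit to directories; `'0700'` states the intent.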
@@ -57,6 +59,10 @@ class profiles::base ( include profiles::qemu::agent } + class { 'limits': + purge_limits_d_dir => false, + } + # include classes from hiera $hiera_include = lookup('hiera_include', Array[String], 'unique', []) $hiera_exclude = lookup('hiera_exclude', Array[String], 'unique', []) diff --git a/site/profiles/manifests/base/account.pp b/site/profiles/manifests/base/account.pp index 92011b4..e9dd48c 100644 --- a/site/profiles/manifests/base/account.pp +++ b/site/profiles/manifests/base/account.pp @@ -1,8 +1,8 @@ # a wrapper for puppetlabs-account and saz-sudo define profiles::base::account ( String $username, - Integer $uid, - Integer $gid = undef, + Optional[Integer] $uid = undef, + Optional[Integer] $gid = undef, Boolean $manage_home = true, Boolean $create_group = true, Boolean $purge_sshkeys = true, diff --git a/site/profiles/manifests/base/datavol.pp b/site/profiles/manifests/base/datavol.pp index 5cb2a12..cf37f8e 100644 --- a/site/profiles/manifests/base/datavol.pp +++ b/site/profiles/manifests/base/datavol.pp @@ -2,6 +2,9 @@ # # This class manages the creation of a logical volume using the `lvm::volume` definition. # +# For LXC hosts, this is replaced with a mount added from the host os. This class will simply check the +# mountpoint exists. +# # Parameters: # $ensure - Ensure whether the logical volume is present or not. Defaults to 'present'. # $vg - Volume group name. No default. 
@@ -25,33 +28,48 @@ class profiles::base::datavol ( ]] $mount_options = ['noatime', 'nodiratime'], ) { - # Ensure the physical volume exists - physical_volume { $pv: - ensure => $ensure, - before => Volume_group[$vg], - } + if $facts['virtual'] != 'lxc' { - # Ensure the volume group exists - volume_group { $vg: - ensure => $ensure, - physical_volumes => [$pv], - before => Logical_volume[$lv], - } + # Ensure the physical volume exists + physical_volume { $pv: + ensure => $ensure, + before => Volume_group[$vg], + } - # Ensure the logical volume exists - logical_volume { $lv: - ensure => $ensure, - volume_group => $vg, - size => $size, - before => Filesystem["/dev/${vg}/${lv}"], - } + # Ensure the volume group exists + volume_group { $vg: + ensure => $ensure, + physical_volumes => [$pv], + before => Logical_volume[$lv], + } - # Ensure the filesystem is created on the logical volume - filesystem { "/dev/${vg}/${lv}": - ensure => $ensure, - fs_type => $fstype, - require => Logical_volume[$lv], - before => Mount[$mount], + # Ensure the logical volume exists + logical_volume { $lv: + ensure => $ensure, + volume_group => $vg, + size => $size, + before => Filesystem["/dev/${vg}/${lv}"], + } + + # Ensure the filesystem is created on the logical volume + filesystem { "/dev/${vg}/${lv}": + ensure => $ensure, + fs_type => $fstype, + require => Logical_volume[$lv], + before => Mount[$mount], + } + + # Ensure the logical volume is mounted at the desired location + mount { $mount: + ensure => $mountstate, + device => "/dev/${vg}/${lv}", + fstype => $fstype, + options => $mount_options.join(','), + require => [ + Filesystem["/dev/${vg}/${lv}"], + File[$mount] + ], + } } # Ensure the mountpath exists 
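Review bot: On `lxc` the class header now promises it "will simply check the mountpoint exists", but the only resource left is `file { $mount: ensure => directory }`, which creates an empty directory — a container whose host-side mount was forgotten silently writes data into its rootfs instead of failing. Add a fact check, e.g. `if $facts['virtual'] == 'lxc' and !($mount in $facts['mountpoints']) { fail("${mount} is not mounted in this container") }`, so the class fails closed. The new `require => File[$mount]` on the mount is correct; the `file { $mount` resource it refers to starts outside this hunk.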
@@ -62,12 +80,4 @@ class profiles::base::datavol ( mode => '0755', } - # Ensure the logical volume is mounted at the desired location - mount { $mount: - ensure => $mountstate, - device => "/dev/${vg}/${lv}", - fstype => $fstype, - options => $mount_options.join(','), - require => Filesystem["/dev/${vg}/${lv}"], - } } diff --git a/site/profiles/manifests/base/facts.pp b/site/profiles/manifests/base/facts.pp deleted file mode 100644 index 5344d19..0000000 --- a/site/profiles/manifests/base/facts.pp +++ /dev/null @@ -1,39 +0,0 @@ -# a class to define some global facts -class profiles::base::facts { - - # The path where external facts are stored - $facts_d_path = '/opt/puppetlabs/facter/facts.d' - - # Ensure the directory exists - file { $facts_d_path: - ensure => directory, - owner => 'root', - group => 'root', - mode => '0755', - } - - # cleanup old facts files - $fact_list = [ 'enc_role', 'enc_env' ] - $fact_list.each | String $item | { - file { "${facts_d_path}/${item}.txt": - ensure => absent, - } - } - - # ensure the path to the custom store exists - file { '/root/.cache': - ensure => directory, - owner => 'root', - group => 'root', - mode => '0750', - } - - # create the file that will be read - file { '/root/.cache/custom_facts.yaml': - ensure => file, - owner => 'root', - group => 'root', - mode => '0644', - content => template('profiles/base/facts/custom_facts.yaml.erb'), - } -} diff --git a/site/profiles/manifests/base/root.pp b/site/profiles/manifests/base/root.pp deleted file mode 100644 index d53951e..0000000 --- a/site/profiles/manifests/base/root.pp +++ /dev/null @@ -1,13 +0,0 @@ -# manage the root user -class profiles::base::root { - - # TODO - # for now, add some root directories - - file {'/root/.config': - ensure => directory, - owner => 'root', - group => 'root', - mode => '0600', - } -} diff --git a/site/profiles/manifests/ceph/client.pp b/site/profiles/manifests/ceph/client.pp index 1735a19..db7187c 100644 
--- a/site/profiles/manifests/ceph/client.pp +++ b/site/profiles/manifests/ceph/client.pp @@ -3,6 +3,9 @@ class profiles::ceph::client ( String $fsid, Array[Stdlib::Host] $mons, Stdlib::Absolutepath $config_file = '/etc/ceph/ceph.conf', + Boolean $manage_ceph_conf = true, + Boolean $manage_ceph_package = true, + Boolean $manage_ceph_paths = true, String $owner = 'ceph', String $group = 'ceph', Stdlib::Filemode $mode = '0644', @@ -13,27 +16,33 @@ class profiles::ceph::client ( if $facts['enc_role'] != 'roles::infra::proxmox::node' { # install the ceph client package - package { 'ceph-common': - ensure => installed, + if $manage_ceph_package { + package { 'ceph-common': + ensure => installed, + } } # manage the ceph directory - file { '/etc/ceph': - ensure => directory, - owner => $owner, - group => $group, - mode => $mode, - require => Package['ceph-common'], + if $manage_ceph_paths { + file { '/etc/ceph': + ensure => directory, + owner => $owner, + group => $group, + mode => $mode, + require => Package['ceph-common'], + } } # create a basic client config - file { $config_file: - ensure => file, - owner => $owner, - group => $group, - mode => $mode, - content => template('profiles/ceph/client.conf.erb'), - require => Package['ceph-common'], + if $manage_ceph_conf { + file { $config_file: + ensure => file, + owner => $owner, + group => $group, + mode => $mode, + content => template('profiles/ceph/client.conf.erb'), + require => Package['ceph-common'], + } } # manage ceph keyrings diff --git a/site/profiles/manifests/ceph/node.pp b/site/profiles/manifests/ceph/node.pp new file mode 100644 index 0000000..df10456 --- /dev/null +++ b/site/profiles/manifests/ceph/node.pp 
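Review bot: The `require => Package['ceph-common']` lines inside the `$manage_ceph_paths` and `$manage_ceph_conf` blocks still reference the package resource, so setting `manage_ceph_package => false` while either of the other two flags stays true fails the catalog with a missing resource unless something else declares `Package['ceph-common']`. Make the dependency conditional on both file resources, e.g. `require => $manage_ceph_package ? { true => Package['ceph-common'], default => undef },`, or `fail()` on that combination at the top of the class. `$manage_ceph_paths` only covers `/etc/ceph`, so its name promises more than it does; a comment such as `# manage_ceph_paths: only /etc/ceph is managed here` would avoid surprises. The enclosing `if $facts['enc_role'] ...` block continues past the hunk.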
@@ -0,0 +1,31 @@ +class profiles::ceph::node ( + +){ + + package {'ceph': + ensure => 'installed', + } + + file {'/etc/ceph': + ensure => directory, + owner => 'ceph', + group => 'ceph', + mode => '0755', + require => Package['ceph'], + } + + file {'/var/log/ceph': + ensure => directory, + owner => 'ceph', + group => 'ceph', + mode => '0755', + require => Package['ceph'], + } + + # run sudo pip3 install CherryPy==18.10.0 + # unless: + # [sysadmin@prodnxsr0009 ~]$ sudo pip3.9 list | grep -i cherrypy + # CherryPy 18.10.0 + + +} diff --git a/site/profiles/manifests/cobbler/config.pp b/site/profiles/manifests/cobbler/config.pp index c736be8..3042d98 100644 --- a/site/profiles/manifests/cobbler/config.pp +++ b/site/profiles/manifests/cobbler/config.pp @@ -11,6 +11,7 @@ class profiles::cobbler::config { $service_cname = $profiles::cobbler::params::service_cname $next_server = $profiles::cobbler::params::next_server $server = $profiles::cobbler::params::server + $cache_enabled = $profiles::cobbler::params::cache_enabled # manage the cobbler settings file file { '/etc/cobbler/settings.yaml': diff --git a/site/profiles/manifests/cobbler/params.pp b/site/profiles/manifests/cobbler/params.pp index 877f986..2b51acf 100644 --- a/site/profiles/manifests/cobbler/params.pp +++ b/site/profiles/manifests/cobbler/params.pp @@ -9,6 +9,7 @@ class profiles::cobbler::params ( String $next_server = $::facts['networking']['ip'], Boolean $pxe_just_once = true, Boolean $is_cobbler_master = false, + Boolean $cache_enabled = false, Array $packages = [ 'cobbler', 'cobbler3.2-web', diff --git a/site/profiles/manifests/consul/client.pp b/site/profiles/manifests/consul/client.pp index d1d82d8..fa229c8 100644 --- a/site/profiles/manifests/consul/client.pp +++ b/site/profiles/manifests/consul/client.pp 
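Review bot: `file {'/etc/ceph': ...}` duplicates the `File['/etc/ceph']` that `profiles::ceph::client` declares whenever its `manage_ceph_paths` is true (see the client hunk above), so a node that ends up with both classes fails with a duplicate declaration; either declare the client from here with `manage_ceph_paths => false`, or drop the directory from this class and depend on the client. The trailing comment pastes a shell session, including an internal hostname, to describe an unimplemented pip install; replace it with `# TODO: manage the CherryPy dependency (pinned to 18.10.0) with a package resource instead of a manual pip3 install` so the hostname does not live in the repo. The empty parameter list `class profiles::ceph::node ( ){` can be `class profiles::ceph::node {`, and the resource titles should carry the space after `{` used elsewhere in the module.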
@@ -85,4 +85,10 @@ class profiles::consul::client ( require => File['/root/.config'], } + # cleanup /usr/local/bin/consul which was created by url install method + if $facts['os']['family'] == 'RedHat' { + file {'/usr/local/bin/consul': + ensure => absent, + } + } } diff --git a/site/profiles/manifests/consul/server.pp b/site/profiles/manifests/consul/server.pp index f71c567..9a57ae7 100644 --- a/site/profiles/manifests/consul/server.pp +++ b/site/profiles/manifests/consul/server.pp @@ -45,6 +45,9 @@ class profiles::consul::server ( Boolean $disable_update_check = true, Boolean $join_remote_regions = false, Array[String] $remote_regions = [], + Stdlib::IP::Address $bind_addr = $facts['networking']['ip'], + Stdlib::IP::Address $advertise_addr = $facts['networking']['ip'], + Optional[Stdlib::IP::Address] $anycast_ip = undef, ) { # wait for all attributes to be ready @@ -112,8 +115,8 @@ class profiles::consul::server ( 'ui' => $enable_ui, 'ui_config' => { 'enabled' => $enable_ui_config }, 'performance' => { 'raft_multiplier' => $raft_multiplier }, - 'bind_addr' => $::facts['networking']['ip'], - 'advertise_addr' => $::facts['networking']['ip'], + 'bind_addr' => $bind_addr, + 'advertise_addr' => $advertise_addr, 'retry_join' => $servers_array, 'retry_join_wan' => $remote_servers_array, }, @@ -143,7 +146,7 @@ class profiles::consul::server ( owner => 'root', group => 'root', mode => '0644', - content => "server=/${domain}/${::facts['networking']['ip']}#${dns_port}\n", + content => template('profiles/consul/dnsmasq.conf.erb'), require => Package['dnsmasq'], notify => Service['dnsmasq'], } diff --git a/site/profiles/manifests/defaults.pp b/site/profiles/manifests/defaults.pp index d86b76a..210a1b8 100644 --- a/site/profiles/manifests/defaults.pp +++ b/site/profiles/manifests/defaults.pp 
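Review bot: The context line `require => File['/root/.config']` refers to a resource that this same commit removes together with `profiles::base::root` (the deleted `root.pp` above); unless another class still declares `File['/root/.config']`, every catalog that includes `profiles::consul::client` now fails with a missing resource. Either declare the directory in this class, as `profiles::firstrun::complete` now does for `/root/.cache`, or drop the `require`. The `ensure => absent` cleanup keyed on `$facts['os']['family']` is fine, but the comment should say why the os family matters for the leftover binary, since the url install method is not visible in this hunk.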
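Review bot: `Stdlib::IP::Address` also accepts addresses with a prefix length (for example `10.0.0.1/24`) and IPv6 literals, so a `bind_addr`, `advertise_addr` or `anycast_ip` given in CIDR form is interpolated unchanged into the consul config in the second hunk and into the `server=/.../<ip>#port` line of the new dnsmasq template in the third; use `Stdlib::IP::Address::Nosubnet` (or the `::V4::Nosubnet` variant if only IPv4 is supported) for all three parameters. A short comment on `$anycast_ip` saying that it switches dnsmasq's listen address away from `$bind_addr` would also help, because that effect lives in the template rather than in this class.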
@@ -32,13 +32,14 @@ class profiles::defaults { } Yumrepo { - ensure => 'present', - enabled => 1, - gpgcheck => 1, - require => [ + ensure => 'present', + enabled => 1, + gpgcheck => 1, + metadata_expire => '1d', + require => [ Class['profiles::pki::vaultca'], Class['crypto_policies'], ], - notify => Exec['dnf_makecache'], + notify => Exec['dnf_makecache'], } } diff --git a/site/profiles/manifests/dns/base.pp b/site/profiles/manifests/dns/base.pp index e22e964..a25ba08 100644 --- a/site/profiles/manifests/dns/base.pp +++ b/site/profiles/manifests/dns/base.pp @@ -1,13 +1,14 @@ # profiles::dns::base class profiles::dns::base ( - String $ns_role = undef, Array $search = [], - Array $nameservers = ['8.8.8.8', '1.1.1.1'], - Enum[ + Array $nameservers = ['198.18.13.12', '198.18.13.13'], + Optional[Enum[ 'all', 'region', 'country' - ] $use_ns = 'all', + ]] $use_ns = undef, + String $primary_interface = $facts['networking']['primary'], + Optional[String] $ns_role = undef, ){ # install bind_utils @@ -23,6 +24,12 @@ class profiles::dns::base ( } } + # if nameservers not returned from puppetdb, use default + $use_nameservers = empty($nameserver_array) ? { + true => $nameservers, + false => $nameserver_array, + } + # if search is undef, fallback to domainname from facts if $search == [] { $search_array = [$::facts['networking']['domain']] 
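Review bot: `Array $nameservers` and `Array $search` stay untyped although their values are written to resolv.conf through `profiles::dns::resolvconf`; `Array[Stdlib::IP::Address::Nosubnet] $nameservers` and `Array[Stdlib::Fqdn] $search` would reject a stray value at compile time. The new defaults `198.18.13.12`/`198.18.13.13` lie in 198.18.0.0/15, the range reserved for benchmarking by RFC 2544, which is fine if it is deliberately used as an internal range but deserves a comment such as `# 198.18.0.0/15 is used internally; not routed to the internet`. The `$use_nameservers` fallback in the second hunk depends on `$nameserver_array` being assigned on every path of the `$use_ns`/`$ns_role` logic, which is outside the hunk, so it is worth confirming that an undef `$use_ns` still produces an empty array rather than an unassigned variable.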
@@ -32,11 +39,29 @@ class profiles::dns::base ( # include resolvconf class class { 'profiles::dns::resolvconf': - nameservers => sort($nameserver_array), + nameservers => sort($use_nameservers), search_domains => sort($search_array), } # export dns records for client - profiles::dns::client {"${facts['networking']['fqdn']}-default":} + $facts['networking']['interfaces'].each | $interface, $data | { + # exclude those without ipv4 address, lo, docker0 and anycast addresses + if $data['ip'] and $interface != 'lo' and $interface != 'docker0' and $interface !~ /^anycast[0-9]$/ { + + # use defaults for the primary_interface + if $interface == $primary_interface { + profiles::dns::client {"${facts['networking']['fqdn']}-${interface}": + interface => $interface, + } + + # update secondary interfaces + }else{ + profiles::dns::client {"${facts['networking']['fqdn']}-${interface}": + interface => $interface, + hostname => "${facts['networking']['hostname']}-${interface}", + } + } + } + } } diff --git a/site/profiles/manifests/dns/client.pp b/site/profiles/manifests/dns/client.pp index 3dca748..9e2d637 100644 --- a/site/profiles/manifests/dns/client.pp +++ b/site/profiles/manifests/dns/client.pp 
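Review bot: Every interface with an IPv4 address other than `lo`, `docker0` and `anycast0`–`anycast9` now gets an exported A and PTR record, which on a typical host includes `virbr*`, `veth*`, `br-*`, `tun*`/`wg*` and similar addresses, so container bridges and VPN endpoints end up published in DNS; `/^anycast[0-9]$/` also stops matching at `anycast10`. Consider parameterising the exclusions, e.g. `Array[String] $excluded_interfaces = ['lo', 'docker0'],` and `Regexp $excluded_interface_pattern = /^anycast\d+$/,`, and testing `if $data['ip'] and !($interface in $excluded_interfaces) and $interface !~ $excluded_interface_pattern {` so operators can widen the list from hiera without editing the class. `}else{` should be `} else {` to match the rest of the module.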
@@ -1,30 +1,31 @@ # profiles::dns::client define profiles::dns::client ( - Boolean $forward = true, - Boolean $reverse = true, - Integer $order = 10, + Boolean $forward = true, + Boolean $reverse = true, + Integer $order = 10, + String $interface = $facts['networking']['primary'], + Stdlib::Fqdn $hostname = $facts['networking']['hostname'], + Stdlib::Fqdn $domain = $facts['networking']['domain'], ){ - $intf = $facts['networking']['primary'] - $fqdn = $facts['networking']['fqdn'] - $last_octet = regsubst($::facts['networking']['ip'], '^.*\.', '') + $last_octet = regsubst($facts['networking']['interfaces'][$interface]['ip'], '^.*\.', '') if $forward { - profiles::dns::record { "${fqdn}_${intf}_A": - value => $::facts['networking']['ip'], + profiles::dns::record { "${title}_A": + value => $facts['networking']['interfaces'][$interface]['ip'], type => 'A', - record => $::facts['networking']['hostname'], - zone => $::facts['networking']['domain'], + record => $hostname, + zone => $domain, order => $order, } } if $reverse { - profiles::dns::record { "${fqdn}_${intf}_PTR": - value => "${::facts['networking']['fqdn']}.", + profiles::dns::record { "${title}_PTR": + value => "${hostname}.${domain}.", type => 'PTR', record => $last_octet, - zone => $::facts['arpa'][$intf]['zone'], + zone => $facts['arpa'][$interface]['zone'], order => $order, } } diff --git a/site/profiles/manifests/etcd/node.pp b/site/profiles/manifests/etcd/node.pp new file mode 100644 index 0000000..0a13f60 --- /dev/null +++ b/site/profiles/manifests/etcd/node.pp 
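Review bot: `$facts['arpa'][$interface]['zone']` in the PTR branch assumes the custom `arpa` fact has an entry for `$interface`; when it does not, the zone becomes `undef` and the failure surfaces later inside `profiles::dns::record` without naming the interface. Guard it in the `if $reverse` branch, e.g. `unless $facts['arpa'][$interface] { fail("${title}: no arpa zone data for interface ${interface}") }`, and similarly fail early if `$facts['networking']['interfaces'][$interface]['ip']` is undef, since `regsubst` on undef is the first thing the define does. `Stdlib::Fqdn` accepts a bare label, so it does not enforce that `$hostname` is a short name and `$domain` a domain; a comment on the two parameters stating the expected shape would avoid `hostname => 'host.example.org'` producing a doubled domain in the PTR value.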
@@ -0,0 +1,58 @@ +# manage the use of the etcd module +class profiles::etcd::node ( + Sensitive[String[1]] $initial_cluster_token, + Boolean $members_lookup = false, + String $members_role = undef, + Array $servers = [], + Stdlib::Port $client_port = 2379, + Stdlib::Port $peer_port = 2380, + Hash $config = {}, +){ + + # if lookup is enabled + if $members_lookup { + + # check that the role is also set + unless !($members_role == undef) { + fail("members_role must be provided for ${title} when members_lookup is True") + } + + # if it is, find hosts, sort them so they dont cause changes every run + $servers_array = sort(query_nodes("enc_role='${members_role}' and region='${facts['region']}'", 'networking.fqdn')) + + # else use provided array from params + }else{ + $servers_array = sort($servers) + } + + if length($servers_array) >= 3 { + + # construct the initial-cluster string + $initial_cluster = $servers_array.map |$fqdn| { + + # lookup the ip address for the current fqdn + $ip = query_nodes("networking.fqdn='${fqdn}'", 'networking.ip')[0] + + # construct the string for this server + "${fqdn}=https://${ip}:${peer_port}" + }.join(',') + + $defaults = { + 'data-dir' => '/var/lib/etcd', + 'name' => $facts['networking']['fqdn'], + 'listen-client-urls' => "https://${facts['networking']['ip']}:${client_port}", + 'listen-peer-urls' => "https://${facts['networking']['ip']}:${peer_port}", + 'advertise-client-urls' => "https://${facts['networking']['ip']}:${client_port}", + 'initial-advertise-peer-urls' => "https://${facts['networking']['ip']}:${peer_port}", + 'initial-cluster-token' => $initial_cluster_token.unwrap, + 'initial-cluster' => $initial_cluster, + 'initial-cluster-state' => 'new', + } + + $merged_config = merge($defaults, $config) + + class { 'etcd': + config => $merged_config, + } + } +} diff --git a/site/profiles/manifests/firstrun/complete.pp b/site/profiles/manifests/firstrun/complete.pp index b80d5a4..fabd873 100644 
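Review bot: `String $members_role = undef` cannot take its own default — a non-Optional `String` rejects `undef` — so with `members_lookup => true` and no role the class fails on the type check before the `unless !($members_role == undef)` guard runs; declare `Optional[String] $members_role = undef,` and write the check as `if $members_role == undef { fail(...) }`. `'initial-cluster-token' => $initial_cluster_token.unwrap` puts the token back into a plain hash passed to `class { 'etcd': config => ... }`, so it is stored unredacted in the compiled catalog, PuppetDB and reports; pass it as `Sensitive` if the etcd module's `config` accepts it, otherwise document why it must be unwrapped. When fewer than three servers are found the class silently declares nothing, which hides a failed `query_nodes` lookup; an `else` branch with `warning("etcd: only ${length($servers_array)} members found for ${members_role}, not configuring")` makes that visible. The per-member `query_nodes` inside the `map` issues one PuppetDB query per server; the addresses could be fetched with the first query.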
--- a/site/profiles/manifests/firstrun/complete.pp +++ b/site/profiles/manifests/firstrun/complete.pp @@ -1,6 +1,11 @@ # profiles::firstrun::complete class profiles::firstrun::complete { + file {'/root/.cache': + ensure => 'directory', + owner => 'root', + group => 'root', + } file {'/root/.cache/puppet_firstrun_complete': ensure => 'file', owner => 'root', diff --git a/site/profiles/manifests/firstrun/init.pp b/site/profiles/manifests/firstrun/init.pp index 3b33622..ce39cc1 100644 --- a/site/profiles/manifests/firstrun/init.pp +++ b/site/profiles/manifests/firstrun/init.pp @@ -8,13 +8,11 @@ class profiles::firstrun::init { include profiles::base::repos include profiles::firstrun::packages - # set the motd and base facts - include profiles::base::facts + # set the motd include profiles::base::motd - # create the sysadmin account + # create groups include profiles::base::groups - include profiles::accounts::sysadmin # mark the firstrun as done include profiles::firstrun::complete diff --git a/site/profiles/manifests/media/jellyfin.pp b/site/profiles/manifests/media/jellyfin.pp index 4943a1c..be024a4 100644 --- a/site/profiles/manifests/media/jellyfin.pp +++ b/site/profiles/manifests/media/jellyfin.pp 
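Review bot: The new `file {'/root/.cache': ...}` sets owner and group but no `mode`, whereas the declaration it replaces in the deleted `profiles::base::facts` used `mode => '0750'`; Puppet leaves whatever mode the directory gets at creation time and never corrects an existing one. Add `mode => '0750',` so a cache directory under `/root` is not left readable by other users by accident. The `puppet_firstrun_complete` file below autorequires this directory, so no explicit `require` is needed.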
@@ -2,26 +2,31 @@ class profiles::media::jellyfin ( Stdlib::Absolutepath $media_root = '/shared/media', Stdlib::Absolutepath $data_dir = '/data/jellyfin', - Stdlib::Absolutepath $lib_dir = '/data/jellyfin/var/lib', - Stdlib::Absolutepath $cache_dir = '/data/jellyfin/var/cache', - Stdlib::Absolutepath $config_dir = '/data/jellyfin/etc', - Stdlib::Absolutepath $log_dir = '/data/jellyfin/var/log', - Stdlib::Absolutepath $ffmpeg_path = '/usr/local/bin/ffmpeg', + Stdlib::Absolutepath $lib_dir = "${data_dir}/var/lib", + Stdlib::Absolutepath $cache_dir = "${data_dir}/var/cache", + Stdlib::Absolutepath $config_dir = "${data_dir}/etc", + Stdlib::Absolutepath $log_dir = "${data_dir}/var/log", + Stdlib::Absolutepath $ffmpeg_path = '/usr/lib/jellyfin-ffmpeg/ffmpeg', + Stdlib::Absolutepath $jellyfin_web = '/usr/share/jellyfin/web', Stdlib::Absolutepath $sysconfig_file = '/etc/sysconfig/jellyfin', Stdlib::Absolutepath $migration_flag = '/etc/sysconfig/jellyfin_migration_done', + Stdlib::Absolutepath $transcodes_dir = '/data/jellyfin/transcodes', String $service_name = 'jellyfin', Boolean $migrate_data = true, ) { - include profiles::ceph::client + if $facts['virtual'] != 'lxc' { + include profiles::ceph::client + + # manage the sharedvol + profiles::storage::cephfsvol {"${::facts['networking']['fqdn']}_media": + mount => $media_root, + keyring => '/etc/ceph/ceph.client.media.keyring', + cephfs_name => 'media', + cephfs_fs => 'mediafs', + require => Profiles::Ceph::Keyring['media'], + } - # manage the sharedvol - profiles::storage::cephfsvol {"${::facts['networking']['fqdn']}_media": - mount => $media_root, - keyring => '/etc/ceph/ceph.client.media.keyring', - cephfs_name => 'media', - cephfs_fs => 'mediafs', - require => Profiles::Ceph::Keyring['media'], } # export haproxy balancemember 
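Review bot: `$transcodes_dir` is hard-coded to `'/data/jellyfin/transcodes'` while every sibling directory parameter in this hunk was just changed to derive from `$data_dir`, so a caller overriding `data_dir` gets transcodes written outside it; use `Stdlib::Absolutepath $transcodes_dir = "${data_dir}/transcodes",`. The `$ffmpeg_path` default moved to `/usr/lib/jellyfin-ffmpeg/ffmpeg`, which looks like the `jellyfin-ffmpeg` package location; if that package is declared further down the class (outside the hunk) a comment on the parameter naming it would make the dependency obvious. On LXC hosts the class now skips the cephfs mount entirely and relies on `$media_root` being provided by the host, which should be stated in the comment that currently only says "manage the sharedvol".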
@@ -39,8 +44,8 @@ class profiles::media::jellyfin ( ] } - mkdir::p {[$data_dir, $lib_dir, $cache_dir, $config_dir, $log_dir]:} - -> file { [$data_dir, $lib_dir, $cache_dir, $config_dir, $log_dir]: + mkdir::p {[$data_dir, $lib_dir, $cache_dir, $config_dir, $log_dir, $transcodes_dir]:} + -> file { [$data_dir, $lib_dir, $cache_dir, $config_dir, $log_dir, $transcodes_dir]: ensure => directory, owner => 'jellyfin', group => 'jellyfin', @@ -113,5 +118,13 @@ class profiles::media::jellyfin ( ], } + exec {'add_jellyfin_to_video_group': + path => ['/usr/bin', '/bin', '/usr/sbin', '/sbin'], + unless => 'getent group video | grep -q jellyfin', + command => 'usermod -aG video jellyfin', + require => Package['jellyfin-server'], + before => Service['jellyfin'], + } + systemd::daemon_reload {"${service_name}_service":} } diff --git a/site/profiles/manifests/media/lidarr.pp b/site/profiles/manifests/media/lidarr.pp index 6c6a0b9..c3e7a5f 100644 --- a/site/profiles/manifests/media/lidarr.pp +++ b/site/profiles/manifests/media/lidarr.pp @@ -3,15 +3,16 @@ class profiles::media::lidarr ( Stdlib::Absolutepath $media_root = '/shared/media', ) { - include profiles::ceph::client - - # manage the sharedvol - profiles::storage::cephfsvol {"${::facts['networking']['fqdn']}_media": - mount => $media_root, - keyring => '/etc/ceph/ceph.client.media.keyring', - cephfs_name => 'media', - cephfs_fs => 'mediafs', - require => Profiles::Ceph::Keyring['media'], + if $facts['virtual'] != 'lxc' { + # manage the sharedvol + include profiles::ceph::client + profiles::storage::cephfsvol {"${::facts['networking']['fqdn']}_media": + mount => $media_root, + keyring => '/etc/ceph/ceph.client.media.keyring', + cephfs_name => 'media', + cephfs_fs => 'mediafs', + require => Profiles::Ceph::Keyring['media'], + } } # export haproxy balancemember diff --git a/site/profiles/manifests/media/nzbget.pp b/site/profiles/manifests/media/nzbget.pp index f80b4c8..e4df8b3 100644 --- a/site/profiles/manifests/media/nzbget.pp 
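Review bot: `unless => 'getent group video | grep -q jellyfin'` is a substring match over the whole group line, so a member such as `jellyfin-bot` would make the exec believe the membership already exists; `unless => 'id -nG jellyfin | grep -qw video'` checks the actual membership. `before => Service['jellyfin']` hard-codes the service name although the class has a `$service_name` parameter used two lines later in `systemd::daemon_reload`; use `Service[$service_name]`. A comment on why jellyfin needs the `video` group (presumably device access for hardware transcoding — confirm before writing it) would help the next reader.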
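Review bot: The same `if $facts['virtual'] != 'lxc' { include profiles::ceph::client ... profiles::storage::cephfsvol { ... } }` block is now repeated verbatim in lidarr, nzbget, prowlarr, radarr, readarr and sonarr, and nearly so in jellyfin and `profiles::nomad::node`; a shared define such as `profiles::media::sharedvol { 'media': mount => $media_root }` carrying the keyring path, `cephfs_name`/`cephfs_fs` and the lxc guard would keep the exclusion logic and the keyring location in one place. On LXC hosts each of these classes now relies on the host having bind-mounted `$media_root`, but nothing verifies it, so the service will happily write into an empty directory on the container root filesystem; say so in the comment or add a mountpoint check in the shared define.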
+++ b/site/profiles/manifests/media/nzbget.pp @@ -3,15 +3,16 @@ class profiles::media::nzbget ( Stdlib::Absolutepath $media_root = '/shared/media', ) { - include profiles::ceph::client - - # manage the sharedvol - profiles::storage::cephfsvol {"${::facts['networking']['fqdn']}_media": - mount => $media_root, - keyring => '/etc/ceph/ceph.client.media.keyring', - cephfs_name => 'media', - cephfs_fs => 'mediafs', - require => Profiles::Ceph::Keyring['media'], + if $facts['virtual'] != 'lxc' { + # manage the sharedvol + include profiles::ceph::client + profiles::storage::cephfsvol {"${::facts['networking']['fqdn']}_media": + mount => $media_root, + keyring => '/etc/ceph/ceph.client.media.keyring', + cephfs_name => 'media', + cephfs_fs => 'mediafs', + require => Profiles::Ceph::Keyring['media'], + } } # export haproxy balancemember diff --git a/site/profiles/manifests/media/prowlarr.pp b/site/profiles/manifests/media/prowlarr.pp index 87d266d..de7d50a 100644 --- a/site/profiles/manifests/media/prowlarr.pp +++ b/site/profiles/manifests/media/prowlarr.pp @@ -3,15 +3,16 @@ class profiles::media::prowlarr ( Stdlib::Absolutepath $media_root = '/shared/media', ) { - include profiles::ceph::client - - # manage the sharedvol - profiles::storage::cephfsvol {"${::facts['networking']['fqdn']}_media": - mount => $media_root, - keyring => '/etc/ceph/ceph.client.media.keyring', - cephfs_name => 'media', - cephfs_fs => 'mediafs', - require => Profiles::Ceph::Keyring['media'], + if $facts['virtual'] != 'lxc' { + # manage the sharedvol + include profiles::ceph::client + profiles::storage::cephfsvol {"${::facts['networking']['fqdn']}_media": + mount => $media_root, + keyring => '/etc/ceph/ceph.client.media.keyring', + cephfs_name => 'media', + cephfs_fs => 'mediafs', + require => Profiles::Ceph::Keyring['media'], + } } # export haproxy balancemember diff --git a/site/profiles/manifests/media/radarr.pp b/site/profiles/manifests/media/radarr.pp index c28560f..cae7de3 100644 
--- a/site/profiles/manifests/media/radarr.pp +++ b/site/profiles/manifests/media/radarr.pp @@ -3,15 +3,16 @@ class profiles::media::radarr ( Stdlib::Absolutepath $media_root = '/shared/media', ) { - include profiles::ceph::client - - # manage the sharedvol - profiles::storage::cephfsvol {"${::facts['networking']['fqdn']}_media": - mount => $media_root, - keyring => '/etc/ceph/ceph.client.media.keyring', - cephfs_name => 'media', - cephfs_fs => 'mediafs', - require => Profiles::Ceph::Keyring['media'], + if $facts['virtual'] != 'lxc' { + # manage the sharedvol + include profiles::ceph::client + profiles::storage::cephfsvol {"${::facts['networking']['fqdn']}_media": + mount => $media_root, + keyring => '/etc/ceph/ceph.client.media.keyring', + cephfs_name => 'media', + cephfs_fs => 'mediafs', + require => Profiles::Ceph::Keyring['media'], + } } # export haproxy balancemember diff --git a/site/profiles/manifests/media/readarr.pp b/site/profiles/manifests/media/readarr.pp index a788855..425a166 100644 --- a/site/profiles/manifests/media/readarr.pp +++ b/site/profiles/manifests/media/readarr.pp @@ -3,15 +3,16 @@ class profiles::media::readarr ( Stdlib::Absolutepath $media_root = '/shared/media', ) { - include profiles::ceph::client - - # manage the sharedvol - profiles::storage::cephfsvol {"${::facts['networking']['fqdn']}_media": - mount => $media_root, - keyring => '/etc/ceph/ceph.client.media.keyring', - cephfs_name => 'media', - cephfs_fs => 'mediafs', - require => Profiles::Ceph::Keyring['media'], + if $facts['virtual'] != 'lxc' { + # manage the sharedvol + include profiles::ceph::client + profiles::storage::cephfsvol {"${::facts['networking']['fqdn']}_media": + mount => $media_root, + keyring => '/etc/ceph/ceph.client.media.keyring', + cephfs_name => 'media', + cephfs_fs => 'mediafs', + require => Profiles::Ceph::Keyring['media'], + } } # export haproxy balancemember 
diff --git a/site/profiles/manifests/media/sonarr.pp b/site/profiles/manifests/media/sonarr.pp index 2c271bc..4946871 100644 --- a/site/profiles/manifests/media/sonarr.pp +++ b/site/profiles/manifests/media/sonarr.pp @@ -3,15 +3,16 @@ class profiles::media::sonarr ( Stdlib::Absolutepath $media_root = '/shared/media', ) { - include profiles::ceph::client - - # manage the sharedvol - profiles::storage::cephfsvol {"${::facts['networking']['fqdn']}_media": - mount => $media_root, - keyring => '/etc/ceph/ceph.client.media.keyring', - cephfs_name => 'media', - cephfs_fs => 'mediafs', - require => Profiles::Ceph::Keyring['media'], + if $facts['virtual'] != 'lxc' { + # manage the sharedvol + include profiles::ceph::client + profiles::storage::cephfsvol {"${::facts['networking']['fqdn']}_media": + mount => $media_root, + keyring => '/etc/ceph/ceph.client.media.keyring', + cephfs_name => 'media', + cephfs_fs => 'mediafs', + require => Profiles::Ceph::Keyring['media'], + } } # export haproxy balancemember diff --git a/site/profiles/manifests/nomad/node.pp b/site/profiles/manifests/nomad/node.pp index 942b596..dfc33ff 100644 --- a/site/profiles/manifests/nomad/node.pp +++ b/site/profiles/manifests/nomad/node.pp @@ -33,16 +33,19 @@ class profiles::nomad::node ( if $client { - include profiles::ceph::client + if $facts['virtual'] != 'lxc' { + include profiles::ceph::client - # manage the sharedvol - profiles::storage::cephfsvol {"${::facts['networking']['fqdn']}_nomad": - mount => $nomad_root, - keyring => '/etc/ceph/ceph.client.nomad.keyring', - cephfs_name => 'nomad', - cephfs_fs => 'nomadfs', - require => Profiles::Ceph::Keyring['nomad'], + # manage the sharedvol + profiles::storage::cephfsvol {"${::facts['networking']['fqdn']}_nomad": + mount => $nomad_root, + keyring => '/etc/ceph/ceph.client.nomad.keyring', + cephfs_name => 'nomad', + cephfs_fs => 'nomadfs', + require => Profiles::Ceph::Keyring['nomad'], + } } + } file { $data_dir: 
diff --git a/site/profiles/manifests/puppet/puppetboard.pp b/site/profiles/manifests/puppet/puppetboard.pp index 08b49aa..121f39b 100644 --- a/site/profiles/manifests/puppet/puppetboard.pp +++ b/site/profiles/manifests/puppet/puppetboard.pp @@ -3,7 +3,7 @@ # This class manages the Puppetboard, a web interface to PuppetDB. # class profiles::puppet::puppetboard ( - String $python_version = '3.6', + String $python_version = $facts['python3_release'], Boolean $manage_virtualenv = false, Integer $reports_count = 40, Boolean $offline_mode = true, @@ -21,7 +21,7 @@ class profiles::puppet::puppetboard ( Stdlib::Port $nginx_port = 80, Stdlib::Host $nginx_vhost = 'puppetboard.main.unkin.net', Array[Stdlib::Host] $nginx_aliases = [], - #String[1] $secret_key = "${fqdn_rand_string(32)}", + String[1] $secret_key = "${fqdn_rand_string(32)}", ) { # store puppet-agents ssl settings/certname @@ -37,7 +37,7 @@ class profiles::puppet::puppetboard ( basedir => $basedir, virtualenv_dir => $virtualenv_dir, settings_file => $settings_file, - #secret_key => $secret_key, + secret_key => $secret_key, default_environment => $default_environment, puppetdb_host => $puppetdb_host, puppetdb_port => 8081, diff --git a/site/profiles/manifests/puppet/puppetdb_api.pp b/site/profiles/manifests/puppet/puppetdb_api.pp index bdf7532..03567b3 100644 --- a/site/profiles/manifests/puppet/puppetdb_api.pp +++ b/site/profiles/manifests/puppet/puppetdb_api.pp @@ -1,5 +1,7 @@ # configure the puppetdb api service class profiles::puppet::puppetdb_api ( + String $private_cert, + String $public_cert, String $postgres_host = lookup('puppetdbsql'), String $listen_address = $facts['networking']['ip'], Stdlib::Absolutepath $java_bin = '/usr/bin/java', 
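Review bot: `String[1] $secret_key = "${fqdn_rand_string(32)}"` derives the key puppetboard uses to sign its web sessions from the node's FQDN — `fqdn_rand_string` is deterministic by design and not meant to be unpredictable — so anyone who knows the hostname can reproduce it; source the value from hiera/eyaml as `Sensitive[String[1]] $secret_key,` with no default and pass it through to `puppetboard` as Sensitive if the module accepts it. `String $python_version = $facts['python3_release']` fails the type check with `Undef` on a host where the fact is absent; `Optional[String]` with an explicit `fail()` or a documented fallback is safer, and the parameter's use is outside the visible lines.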
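Review bot: `String $private_cert` carries the PuppetDB TLS private key (it is written to `ssl/private.pem` in the next hunk) as a plain String parameter, so it is stored unredacted in the compiled catalog and PuppetDB even though the file resource wraps it in `Sensitive(...)` later; declare it `Sensitive[String[1]] $private_cert,` and pass it straight to `content`. The name is also misleading — `private_cert` is a key, not a certificate; `$private_key` matches what `private.pem` holds. The `public.pem` file is written with `mode => '0600'`, which is tighter than a certificate needs; `0644` would let other local tooling read it, though the strict mode is harmless.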
@@ -24,6 +26,24 @@ class profiles::puppet::puppetdb_api ( contain ::puppetdb::server + file { '/etc/puppetlabs/puppetdb/ssl/private.pem': + ensure => 'file', + content => Sensitive($private_cert), + owner => 'puppetdb', + group => 'puppetdb', + mode => '0600', + notify => Service['puppetdb'], + } + + file { '/etc/puppetlabs/puppetdb/ssl/public.pem': + ensure => 'file', + content => $public_cert, + owner => 'puppetdb', + group => 'puppetdb', + mode => '0600', + notify => Service['puppetdb'], + } + # generate the minute for the cron job using fqdn_rand $random_minute = fqdn_rand(60) diff --git a/site/profiles/manifests/puppet/server.pp b/site/profiles/manifests/puppet/server.pp index 657bd41..94753ab 100644 --- a/site/profiles/manifests/puppet/server.pp +++ b/site/profiles/manifests/puppet/server.pp @@ -65,6 +65,15 @@ class profiles::puppet::server ( notify => Service['puppetserver'], } + file { '/etc/puppetlabs/puppetserver/conf.d/auth.conf': + ensure => 'file', + content => template('profiles/puppet/server/auth.conf.erb'), + group => 'root', + owner => 'root', + mode => '0644', + notify => Service['puppetserver'], + } + service { 'puppetserver': ensure => running, enable => true, diff --git a/site/profiles/manifests/selinux/frr.pp b/site/profiles/manifests/selinux/frr.pp new file mode 100644 index 0000000..65bcb46 --- /dev/null +++ b/site/profiles/manifests/selinux/frr.pp 
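Review bot: The new `auth.conf` resource replaces the puppetserver HTTP API authorization policy shipped with the package by a template whose content is not in this chunk, so the rule set cannot be reviewed here; the resource should carry a comment stating which rules deviate from the stock file and why, along the lines of `# replaces the package auth.conf; only the allow lists for <clients> differ from the default rules`, filled in with what the template actually does. A `require => Package['puppetserver']` (or whatever creates `/etc/puppetlabs/puppetserver/conf.d`) would make the ordering explicit; the rest of the class is outside the hunk, so it may already be implied by an earlier relationship.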
@@ -0,0 +1,47 @@ +# this is a modification to frr-selinux that ships with EL9, adding support for frr10 +class profiles::selinux::frr { + + $frr_te_content = @("EOF") + module frr_local 1.0; + + require { + type frr_t; + type initrc_t; + type kernel_t; + type var_run_t; + type frr_tmp_t; + type frr_var_run_t; + type init_t; + class unix_stream_socket connectto; + class system module_request; + class sock_file { getattr write }; + class dir { add_name write }; + class file { create write open }; + class process setpgid; + } + + #============= frr_t ============== + allow frr_t initrc_t:unix_stream_socket connectto; + allow frr_t kernel_t:system module_request; + allow frr_t var_run_t:sock_file { getattr write }; + + #============= init_t ============== + allow init_t frr_tmp_t:dir add_name; + allow init_t frr_var_run_t:dir { write add_name }; + allow init_t frr_var_run_t:file { create open write }; + allow init_t self:process setpgid; + | EOF + + selinux::module { 'frr_local': + ensure => 'present', + content_te => $frr_te_content, + builder => 'simple', + before => Service['frr'], + } + + selboolean { 'domain_can_mmap_files': + value => 'on', + persistent => true, + before => Service['frr'], + } +} diff --git a/site/profiles/manifests/ssh/service.pp b/site/profiles/manifests/ssh/service.pp new file mode 100644 index 0000000..c75a625 --- /dev/null +++ b/site/profiles/manifests/ssh/service.pp @@ -0,0 +1,17 @@ +# profiles::ssh::service +# saz-ssh manages the service, this is just some additional stuff +class profiles::ssh::service { + + include ssh::server + + # set sshd to start + systemd::manage_dropin { 'after-network-online.conf': + ensure => present, + unit => 'sshd.service', + unit_entry => { + 'After' => [ + 'network-online.target', + ], + }, + } +} diff --git a/site/profiles/manifests/storage/cephfsvols.pp b/site/profiles/manifests/storage/cephfsvols.pp new file mode 100644 index 0000000..eb48995 --- /dev/null 
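Review bot: The module grants `frr_t kernel_t:system module_request`, which lets the routing daemon trigger kernel module autoloading, and the `#============= frr_t ==============` markers show the rules were lifted from `audit2allow` output; each `allow` should carry a one-line comment naming the denial it resolves so the grants can be re-checked when frr or the base policy is updated. `selboolean { 'domain_can_mmap_files': value => 'on' }` is a system-wide boolean that relaxes mmap restrictions for every confined domain, not just frr; if the denial is frr-specific, an `allow frr_t <type>:file map;` rule inside this module is the narrower fix. Both resources use `before => Service['frr']`, which must be declared elsewhere and is outside the hunk.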
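Review bot: The drop-in sets only `After=network-online.target`; an `After=` ordering dependency does not pull the target into the transaction, so unless something else already wants `network-online.target`, sshd is not actually delayed. Add `'Wants' => ['network-online.target'],` beside `'After'` in `unit_entry`, and say in the comment why sshd should wait for the network to be online rather than merely configured (for example so it binds addresses that arrive late).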
+++ b/site/profiles/manifests/storage/cephfsvols.pp @@ -0,0 +1,36 @@ +# a class to manage the cephfsvol defines +class profiles::storage::cephfsvols ( + Hash[String, Hash] $volumes, +) { + + $volumes.each |String $title, Hash $params| { + + $ensure = pick($params['ensure'], 'mounted') + $owner = pick($params['owner'], 'root') + $group = pick($params['group'], 'root') + $mode = pick($params['mode'], '0755') + $mount = $params['mount'] + $mount_options = pick($params['mount_options'], ['noatime', 'nodiratime']) + $cephfs_mon = pick($params['cephfs_mon'], 'ceph-mon.service.consul') + $cephfs_path = pick($params['cephfs_path'], '/') + $cephfs_name = $params['cephfs_name'] + $cephfs_fs = $params['cephfs_fs'] + $keyring = $params['keyring'] + + profiles::storage::cephfsvol { $title: + ensure => $ensure, + owner => $owner, + group => $group, + mode => $mode, + mount => $mount, + mount_options => $mount_options, + cephfs_mon => $cephfs_mon, + cephfs_path => $cephfs_path, + cephfs_name => $cephfs_name, + cephfs_fs => $cephfs_fs, + keyring => $keyring, + # Optional metaparameters like `require` + * => $params.filter |$k, $v| { $k in ['require', 'before', 'notify', 'subscribe'] }, + } + } +} diff --git a/site/profiles/manifests/vault/server.pp b/site/profiles/manifests/vault/server.pp index a27ef46..d73a4a3 100644 --- a/site/profiles/manifests/vault/server.pp +++ b/site/profiles/manifests/vault/server.pp @@ -6,10 +6,6 @@ class profiles::vault::server ( Undef ] $members_role = undef, Array $vault_servers = [], - Enum[ - 'archive', - 'repo' - ] $install_method = 'archive', Boolean $tls_disable = false, Stdlib::Port $client_port = 8200, Stdlib::Port $cluster_port = 8201, 
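Review bot: `Hash[String, Hash] $volumes` lets a volume entry omit `mount`, `cephfs_name`, `cephfs_fs` or `keyring`, which then reach `profiles::storage::cephfsvol` as `undef` and fail inside the define with a message that does not name the offending volume; a `Struct` type documents the schema and makes Puppet reject a bad hiera entry at the class boundary. The `pick()` defaults and the metaparameter splat `* => $params.filter ...` can stay as they are, since the Struct still permits the optional keys. A draft of the type follows; the `ensure` values the define accepts are not visible here, so that key is left as `String[1]`.

```puppet
class profiles::storage::cephfsvols (
  Hash[String, Struct[{
    'mount'                   => Stdlib::Absolutepath,
    'cephfs_name'             => String[1],
    'cephfs_fs'               => String[1],
    'keyring'                 => Stdlib::Absolutepath,
    Optional['ensure']        => String[1],
    Optional['owner']         => String[1],
    Optional['group']         => String[1],
    Optional['mode']          => Stdlib::Filemode,
    Optional['mount_options'] => Array[String[1]],
    Optional['cephfs_mon']    => Stdlib::Host,
    Optional['cephfs_path']   => Stdlib::Unixpath,
    Optional['require']       => Any,
    Optional['before']        => Any,
    Optional['notify']        => Any,
    Optional['subscribe']     => Any,
  }]] $volumes,
) {
  # … unchanged: per-volume defaults and the cephfsvol declaration …
```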
@@ -19,6 +15,7 @@ class profiles::vault::server ( Stdlib::Absolutepath $ssl_crt = '/etc/pki/tls/vault/certificate.crt', Stdlib::Absolutepath $ssl_key = '/etc/pki/tls/vault/private.key', Stdlib::Absolutepath $ssl_ca = '/etc/pki/tls/certs/ca-bundle.crt', + Stdlib::Absolutepath $audit_log = '/var/log/vault_audit.log', ){ # set a datacentre/cluster name @@ -56,7 +53,6 @@ class profiles::vault::server ( class { 'vault': manage_service => false, - install_method => $install_method, manage_storage_dir => $manage_storage_dir, enable_ui => true, storage => { @@ -90,6 +86,14 @@ class profiles::vault::server ( ] } + # ensure the vault audit log exists + file { $audit_log: + ensure => 'file', + owner => 'vault', + group => 'vault', + mode => '0600', + } + service { 'vault': ensure => true, enable => true, diff --git a/site/profiles/templates/base/facts/custom_facts.yaml.erb b/site/profiles/templates/base/facts/custom_facts.yaml.erb deleted file mode 100644 index e4b3895..0000000 --- a/site/profiles/templates/base/facts/custom_facts.yaml.erb +++ /dev/null @@ -1,3 +0,0 @@ ---- -enc_role: <%= @enc_role[0] %> -enc_env: <%= @enc_env %> diff --git a/site/profiles/templates/base/facts/enc_env.erb b/site/profiles/templates/base/facts/enc_env.erb deleted file mode 100644 index 7695e4d..0000000 --- a/site/profiles/templates/base/facts/enc_env.erb +++ /dev/null @@ -1 +0,0 @@ -enc_env=<%= @enc_env %> diff --git a/site/profiles/templates/base/facts/enc_role.erb b/site/profiles/templates/base/facts/enc_role.erb deleted file mode 100644 index d59acdf..0000000 --- a/site/profiles/templates/base/facts/enc_role.erb +++ /dev/null @@ -1 +0,0 @@ -enc_role=<%= @enc_role[0] %> diff --git a/site/profiles/templates/cobbler/settings.yaml.erb b/site/profiles/templates/cobbler/settings.yaml.erb index 1869444..135d431 100644 --- a/site/profiles/templates/cobbler/settings.yaml.erb +++ b/site/profiles/templates/cobbler/settings.yaml.erb 
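Review bot: The `file { $audit_log: ... }` resource only creates an empty vault-owned file; nothing in the hunk enables a Vault `file` audit device that writes to it, and once an audit device is enabled Vault stops serving requests when it can no longer write the log, so an unrotated `/var/log/vault_audit.log` filling the disk becomes an availability incident rather than a full log. If the device is enabled elsewhere, say so in the comment and pair the file with a logrotate rule that uses `copytruncate` or sends Vault a SIGHUP, since Vault only reopens the file on SIGHUP; if it is not, the parameter currently does nothing beyond creating the file. `owner => 'vault'` with `mode => '0600'` is the right protection for an audit trail.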
@@ -59,7 +59,7 @@ build_reporting_ignorelist: []
 # use cases like writing out large numbers of records. There is a known issue with cache and remote XMLRPC API calls.
 # If you will use Cobbler with config management or infrastructure-as-code tools such as Terraform, it is recommended
 # to disable by setting to false.
-cache_enabled: true
+cache_enabled: <%= @cache_enabled %>
 # Cheetah-language autoinstall templates can import Python modules. While this is a useful feature, it is not safe to
 # allow them to import anything they want. This whitelists which modules can be imported through Cheetah. Users can
diff --git a/site/profiles/templates/consul/dnsmasq.conf.erb b/site/profiles/templates/consul/dnsmasq.conf.erb
new file mode 100644
index 0000000..1e0a328
--- /dev/null
+++ b/site/profiles/templates/consul/dnsmasq.conf.erb
@@ -0,0 +1,6 @@
+server=/<%= @domain %>/<%= @bind_addr %>#<%= @dns_port %>
+<% if @anycast_ip -%>
+listen-address=<%= @anycast_ip %>
+<% else -%>
+listen-address=<%= @bind_addr %>
+<% end -%>
diff --git a/site/profiles/templates/jellyfin/override.conf.erb b/site/profiles/templates/jellyfin/override.conf.erb
index 53104e7..802bec3 100644
--- a/site/profiles/templates/jellyfin/override.conf.erb
+++ b/site/profiles/templates/jellyfin/override.conf.erb
@@ -4,5 +4,5 @@
 [Service]
 #User = jellyfin
-EnvironmentFile = <%= @environment_file %>
+EnvironmentFile = <%= @sysconfig_file %>
 WorkingDirectory = <%= @lib_dir %>
diff --git a/site/profiles/templates/jellyfin/sysconfig.erb b/site/profiles/templates/jellyfin/sysconfig.erb
index c37b26d..3a8d5cd 100644
--- a/site/profiles/templates/jellyfin/sysconfig.erb
+++ b/site/profiles/templates/jellyfin/sysconfig.erb
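Review bot: `cache_enabled: <%= @cache_enabled %>` renders an empty value when the variable is undef, which YAML reads as null rather than the boolean `true` the line carried before, and Cobbler will then be reading a setting of the wrong type. The profile that sets `@cache_enabled` is not in this diff, so confirm it is typed `Boolean` with a default there, or make the template self-defending with `cache_enabled: <%= @cache_enabled.nil? ? true : @cache_enabled %>`.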
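Review bot: `listen-address=` on its own does not stop dnsmasq from binding port 53 on the wildcard address; it only discards queries that arrive on other addresses, so the socket still collides with any local resolver on the host. Add `bind-interfaces` (or `bind-dynamic`, which also copes with the anycast address being configured after dnsmasq starts) so only the chosen address is bound. Note also that `server=/<%= @domain %>/...` scopes only the Consul domain to the Consul agent; every other name is forwarded to the resolvers in `/etc/resolv.conf`, so when `@anycast_ip` is reachable from other hosts this instance answers as a general resolver for them unless `no-resolv` is set or access is restricted at the firewall — the profile that declares `@anycast_ip` is not in this diff, so confirm which is intended.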
@@ -21,10 +21,10 @@ JELLYFIN_LOG_DIR="<%= @log_dir %>"
 JELLYFIN_CACHE_DIR="<%= @cache_dir %>"
 # web client path, installed by the jellyfin-web package
-JELLYFIN_WEB_OPT="--webdir=/usr/share/jellyfin-web"
+JELLYFIN_WEB_OPT="--webdir=<%= @jellyfin_web %>"
 # [OPTIONAL] ffmpeg binary paths, overriding the UI-configured values
-JELLYFIN_FFMPEG_OPT="--ffmpeg=<% @ffmpeg_path %>"
+JELLYFIN_FFMPEG_OPT="--ffmpeg=<%= @ffmpeg_path %>"
 # [OPTIONAL] run Jellyfin as a headless service
 #JELLYFIN_SERVICE_OPT="--service"
diff --git a/site/profiles/templates/puppet/server/auth.conf.erb b/site/profiles/templates/puppet/server/auth.conf.erb
new file mode 100644
index 0000000..9f36063
--- /dev/null
+++ b/site/profiles/templates/puppet/server/auth.conf.erb
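Review bot: Correcting `<% %>` to `<%= %>` makes `--ffmpeg=<%= @ffmpeg_path %>` unconditional, so an undef `@ffmpeg_path` now renders `JELLYFIN_FFMPEG_OPT="--ffmpeg="` — an empty path that overrides the UI-configured value with nothing, contradicting the `[OPTIONAL]` comment above it. Wrap the assignment in `<% if @ffmpeg_path -%>` … `<% end -%>` (the pattern the new consul dnsmasq template in this same commit uses) so the variable stays unset when no path is given. The same consideration applies to `--webdir=<%= @jellyfin_web %>` if that parameter has no default in the profile, which is not in the diff.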
@@ -0,0 +1,266 @@
+authorization: {
+ version: 1
+ rules: [
+ {
+ # Allow nodes to retrieve their own catalog
+ match-request: {
+ path: "^/puppet/v3/catalog/([^/]+)$"
+ type: regex
+ method: [get, post]
+ }
+ allow: "$1"
+ sort-order: 500
+ name: "puppetlabs v3 catalog from agents"
+ },
+ {
+ # Allow services to retrieve catalogs on behalf of others
+ match-request: {
+ path: "^/puppet/v4/catalog/?$"
+ type: regex
+ method: post
+ }
+ deny: "*"
+ sort-order: 500
+ name: "puppetlabs v4 catalog for services"
+ },
+ {
+ # Allow nodes to retrieve the certificate they requested earlier
+ match-request: {
+ path: "/puppet-ca/v1/certificate/"
+ type: path
+ method: get
+ }
+ allow-unauthenticated: true
+ sort-order: 500
+ name: "puppetlabs certificate"
+ },
+ {
+ # Allow all nodes to access the certificate revocation list
+ match-request: {
+ path: "/puppet-ca/v1/certificate_revocation_list/ca"
+ type: path
+ method: get
+ }
+ allow-unauthenticated: true
+ sort-order: 500
+ name: "puppetlabs crl"
+ },
+ {
+ # Allow nodes to request a new certificate
+ match-request: {
+ path: "/puppet-ca/v1/certificate_request"
+ type: path
+ method: [get, put]
+ }
+ allow-unauthenticated: true
+ sort-order: 500
+ name: "puppetlabs csr"
+ },
+ {
+ # Allow the CA CLI to access the certificate_status endpoint
+ match-request: {
+ path: "/puppet-ca/v1/certificate_status"
+ type: path
+ method: [get, put, delete]
+ }
+ allow: [
+ {
+ extensions: {
+ pp_cli_auth: "true"
+ }
+ },
+ terraform
+ ]
+ sort-order: 500
+ name: "puppetlabs cert status"
+ },
+ {
+ match-request: {
+ path: "^/puppet-ca/v1/certificate_revocation_list$"
+ type: regex
+ method: put
+ }
+ allow: {
+ extensions: {
+ pp_cli_auth: "true"
+ }
+ }
+ sort-order: 500
+ name: "puppetlabs CRL update"
+ },
+ {
+ # Allow the CA CLI to access the certificate_statuses endpoint
+ match-request: {
+ path: "/puppet-ca/v1/certificate_statuses"
+ type: path
+ method: get
+ }
+ allow: {
+ extensions: {
+ pp_cli_auth: "true"
+ }
+ }
+ sort-order: 500
+ name: "puppetlabs cert statuses"
+ },
+ {
+ # Allow authenticated access to the CA expirations endpoint
+ match-request: {
+ path: "/puppet-ca/v1/expirations"
+ type: path
+ method: get
+ }
+ allow: "*"
+ sort-order: 500
+ name: "puppetlabs CA cert and CRL expirations"
+ },
+ {
+ # Allow the CA CLI to access the certificate clean endpoint
+ match-request: {
+ path: "/puppet-ca/v1/clean"
+ type: path
+ method: put
+ }
+ allow: {
+ extensions: {
+ pp_cli_auth: "true"
+ }
+ }
+ sort-order: 500
+ name: "puppetlabs cert clean"
+ },
+ {
+ # Allow unauthenticated access to the status service endpoint
+ match-request: {
+ path: "/status/v1/services"
+ type: path
+ method: get
+ }
+ allow-unauthenticated: true
+ sort-order: 500
+ name: "puppetlabs status service - full"
+ },
+ {
+ match-request: {
+ path: "/status/v1/simple"
+ type: path
+ method: get
+ }
+ allow-unauthenticated: true
+ sort-order: 500
+ name: "puppetlabs status service - simple"
+ },
+ {
+ match-request: {
+ path: "/puppet/v3/environments"
+ type: path
+ method: get
+ }
+ allow: "*"
+ sort-order: 500
+ name: "puppetlabs environments"
+ },
+ {
+ # Allow nodes to access all file_bucket_files. Note that access for
+ # the 'delete' method is forbidden by Puppet regardless of the
+ # configuration of this rule.
+ match-request: {
+ path: "/puppet/v3/file_bucket_file"
+ type: path
+ method: [get, head, post, put]
+ }
+ allow: "*"
+ sort-order: 500
+ name: "puppetlabs file bucket file"
+ },
+ {
+ # Allow nodes to access all file_content. Note that access for the
+ # 'delete' method is forbidden by Puppet regardless of the
+ # configuration of this rule.
+ match-request: {
+ path: "/puppet/v3/file_content"
+ type: path
+ method: [get, post]
+ }
+ allow: "*"
+ sort-order: 500
+ name: "puppetlabs file content"
+ },
+ {
+ # Allow nodes to access all file_metadata. Note that access for the
+ # 'delete' method is forbidden by Puppet regardless of the
+ # configuration of this rule.
+ match-request: {
+ path: "/puppet/v3/file_metadata"
+ type: path
+ method: [get, post]
+ }
+ allow: "*"
+ sort-order: 500
+ name: "puppetlabs file metadata"
+ },
+ {
+ # Allow nodes to retrieve only their own node definition
+ match-request: {
+ path: "^/puppet/v3/node/([^/]+)$"
+ type: regex
+ method: get
+ }
+ allow: "$1"
+ sort-order: 500
+ name: "puppetlabs node"
+ },
+ {
+ # Allow nodes to store only their own reports
+ match-request: {
+ path: "^/puppet/v3/report/([^/]+)$"
+ type: regex
+ method: put
+ }
+ allow: "$1"
+ sort-order: 500
+ name: "puppetlabs report"
+ },
+ {
+ # Allow nodes to update their own facts
+ match-request: {
+ path: "^/puppet/v3/facts/([^/]+)$"
+ type: regex
+ method: put
+ }
+ allow: "$1"
+ sort-order: 500
+ name: "puppetlabs facts"
+ },
+ {
+ match-request: {
+ path: "/puppet/v3/static_file_content"
+ type: path
+ method: get
+ }
+ allow: "*"
+ sort-order: 500
+ name: "puppetlabs static file content"
+ },
+ {
+ match-request: {
+ path: "/puppet/v3/tasks"
+ type: path
+ }
+ allow: "*"
+ sort-order: 500
+ name: "puppet tasks information"
+ },
+ {
+ # Deny everything else. This ACL is not strictly
+ # necessary, but illustrates the default policy
+ match-request: {
+ path: "/"
+ type: path
+ }
+ deny: "*"
+ sort-order: 999
+ name: "puppetlabs deny all"
+ }
+ ]
+}
diff --git a/site/roles/manifests/apps/media/lidarr.pp b/site/roles/manifests/apps/media/lidarr.pp
index 5278575..2691cc2 100644
--- a/site/roles/manifests/apps/media/lidarr.pp
+++ b/site/roles/manifests/apps/media/lidarr.pp
@@ -6,6 +6,5 @@ class roles::apps::media::lidarr {
 }else{
 include profiles::defaults
 include profiles::base
- include profiles::media::lidarr
 }
 }
diff --git a/site/roles/manifests/apps/media/prowlarr.pp b/site/roles/manifests/apps/media/prowlarr.pp
index 03e0839..4dd5854 100644
--- a/site/roles/manifests/apps/media/prowlarr.pp
+++ b/site/roles/manifests/apps/media/prowlarr.pp
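Review bot: The `puppetlabs cert status` rule grants the certname `terraform` `get`, `put` and `delete` on `/puppet-ca/v1/certificate_status`, which is the ability to sign and revoke any agent's certificate — CA-administrator authority held by one client certificate. If Terraform only needs to sign (or only to query), give it its own rule listing just those methods and leave the `pp_cli_auth` extension rule as the sole holder of the full method set, so the blast radius of that key is documented and minimised. The `puppetlabs v4 catalog for services` rule reads `# Allow services to retrieve catalogs on behalf of others` but is `deny: "*"`; reword the comment, e.g. `# The v4 catalog endpoint is not used here; deny it explicitly`, so a reader does not assume an allow was lost. Finally, the file is an ERB template with no ERB tags, so the `terraform` certname is hard-coded; rendering it from a profile parameter (`<%= @terraform_certname %>`) would let the environment own that identity.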
@@ -6,6 +6,5 @@ class roles::apps::media::prowlarr {
 }else{
 include profiles::defaults
 include profiles::base
- include profiles::media::prowlarr
 }
 }
diff --git a/site/roles/manifests/apps/media/radarr.pp b/site/roles/manifests/apps/media/radarr.pp
index c94ae81..93fca24 100644
--- a/site/roles/manifests/apps/media/radarr.pp
+++ b/site/roles/manifests/apps/media/radarr.pp
@@ -6,6 +6,5 @@ class roles::apps::media::radarr {
 }else{
 include profiles::defaults
 include profiles::base
- include profiles::media::radarr
 }
 }
diff --git a/site/roles/manifests/apps/media/readarr.pp b/site/roles/manifests/apps/media/readarr.pp
index adbd553..0dfcf55 100644
--- a/site/roles/manifests/apps/media/readarr.pp
+++ b/site/roles/manifests/apps/media/readarr.pp
@@ -6,6 +6,5 @@ class roles::apps::media::readarr {
 }else{
 include profiles::defaults
 include profiles::base
- include profiles::media::readarr
 }
 }
diff --git a/site/roles/manifests/apps/media/sonarr.pp b/site/roles/manifests/apps/media/sonarr.pp
index 07a919c..0ceab35 100644
--- a/site/roles/manifests/apps/media/sonarr.pp
+++ b/site/roles/manifests/apps/media/sonarr.pp
@@ -6,6 +6,5 @@ class roles::apps::media::sonarr {
 }else{
 include profiles::defaults
 include profiles::base
- include profiles::media::sonarr
 }
 }
diff --git a/site/roles/manifests/ceph/mds.pp b/site/roles/manifests/ceph/mds.pp
index a7a6a2e..f8e0430 100644
--- a/site/roles/manifests/ceph/mds.pp
+++ b/site/roles/manifests/ceph/mds.pp
@@ -1,5 +1,4 @@
 # a role to deploy the ceph mds
-# work in progress
 class roles::ceph::mds {
 include profiles::defaults
 include profiles::base
diff --git a/site/roles/manifests/ceph/mon.pp b/site/roles/manifests/ceph/mon.pp
index b1fe65a..a1e3f2a 100644
--- a/site/roles/manifests/ceph/mon.pp
+++ b/site/roles/manifests/ceph/mon.pp
@@ -1,5 +1,4 @@
 # a role to deploy the ceph mon
-# work in progress
 class roles::ceph::mon {
 include profiles::defaults
 include profiles::base
diff --git a/site/roles/manifests/ceph/osd.pp b/site/roles/manifests/ceph/osd.pp
deleted file mode 100644
index 047718a..0000000
--- a/site/roles/manifests/ceph/osd.pp
+++ /dev/null
@@ -1,6 +0,0 @@
-# a role to deploy the ceph osd
-# work in progress
-class roles::ceph::osd {
- include profiles::defaults
- include profiles::base
-}
diff --git a/site/roles/manifests/ceph/rgw.pp b/site/roles/manifests/ceph/rgw.pp
new file mode 100644
index 0000000..c758ea9
--- /dev/null
+++ b/site/roles/manifests/ceph/rgw.pp
@@ -0,0 +1,5 @@
+# a role to deploy the ceph rgw
+class roles::ceph::rgw {
+ include profiles::defaults
+ include profiles::base
+}
diff --git a/site/roles/manifests/infra/etcd/node.pp b/site/roles/manifests/infra/etcd/node.pp
new file mode 100644
index 0000000..39a1793
--- /dev/null
+++ b/site/roles/manifests/infra/etcd/node.pp
@@ -0,0 +1,11 @@
+# a role to deploy etcd
+class roles::infra::etcd::node {
+ if $facts['firstrun'] {
+ include profiles::defaults
+ include profiles::firstrun::init
+ }else{
+ include profiles::defaults
+ include profiles::base
+ include profiles::base::datavol
+ }
+}
diff --git a/site/roles/manifests/infra/incus/imagehost.pp b/site/roles/manifests/infra/incus/imagehost.pp
new file mode 100644
index 0000000..26a4716
--- /dev/null
+++ b/site/roles/manifests/infra/incus/imagehost.pp
@@ -0,0 +1,10 @@
+# a role to deploy a incus image server
+class roles::infra::incus::imagehost {
+ if $facts['firstrun'] {
+ include profiles::defaults
+ include profiles::firstrun::init
+ }else{
+ include profiles::defaults
+ include profiles::base
+ }
+}
diff --git a/site/roles/manifests/infra/incus/node.pp b/site/roles/manifests/infra/incus/node.pp
new file mode 100644
index 0000000..070bbf1
--- /dev/null
+++ b/site/roles/manifests/infra/incus/node.pp
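Review bot: `include profiles::defaults` is repeated in both branches of `if $facts['firstrun']` in `roles::infra::etcd::node`, and the same shape is copied into `roles::infra::incus::imagehost`, `roles::infra::incus::node` and `roles::infra::nomad::agentv2`; hoisting it above the `if` leaves each branch stating only what differs between first-run and steady-state. All four write `}else{`, where the conventional Puppet form is `} else {`. The header comments `# a role to deploy a incus image server` and `# a role to deploy a incus node` should read `an incus`.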
@@ -0,0 +1,10 @@
+# a role to deploy a incus node
+class roles::infra::incus::node {
+ if $facts['firstrun'] {
+ include profiles::defaults
+ include profiles::firstrun::init
+ }else{
+ include profiles::defaults
+ include profiles::base
+ }
+}
diff --git a/site/roles/manifests/infra/nomad/agentv2.pp b/site/roles/manifests/infra/nomad/agentv2.pp
new file mode 100644
index 0000000..1a5a02e
--- /dev/null
+++ b/site/roles/manifests/infra/nomad/agentv2.pp
@@ -0,0 +1,12 @@
+# a role to deploy a nomad agent, second iteration
+# using host based networking
+class roles::infra::nomad::agentv2 {
+ if $facts['firstrun'] {
+ include profiles::defaults
+ include profiles::firstrun::init
+ }else{
+ include profiles::defaults
+ include profiles::base
+ include profiles::base::datavol
+ }
+}