Merge branch 'develop' into neoloc/k8s

.reek.yml

@@ -3,3 +3,8 @@
 detectors:
   FeatureEnvy:
     enabled: false
+  TooManyStatements:
+    enabled: false
+  UncommunicativeVariableName:
+    accept:
+      - e

Puppetfile

@@ -2,54 +2,55 @@ forge 'forge.puppetlabs.com'
 moduledir 'external_modules'
 
 # puppetlabs
-mod 'puppetlabs-stdlib', '9.1.0'
+mod 'puppetlabs-stdlib', '9.7.0'
-mod 'puppetlabs-inifile', '6.0.0'
+mod 'puppetlabs-inifile', '6.2.0'
-mod 'puppetlabs-concat', '9.0.0'
+mod 'puppetlabs-concat', '9.1.0'
-mod 'puppetlabs-vcsrepo', '6.1.0'
+mod 'puppetlabs-vcsrepo', '7.0.0'
-mod 'puppetlabs-yumrepo_core', '2.0.0'
+mod 'puppetlabs-yumrepo_core', '2.1.0'
-mod 'puppetlabs-apt', '9.4.0'
+mod 'puppetlabs-apt', '10.0.1'
-mod 'puppetlabs-lvm', '2.1.0'
+mod 'puppetlabs-lvm', '3.0.1'
-mod 'puppetlabs-puppetdb', '7.13.0'
+mod 'puppetlabs-puppetdb', '7.14.0'
-mod 'puppetlabs-postgresql', '9.1.0'
+mod 'puppetlabs-postgresql', '9.2.0'
-mod 'puppetlabs-firewall', '6.0.0'
+mod 'puppetlabs-firewall', '8.1.4'
-mod 'puppetlabs-accounts', '8.1.0'
+mod 'puppetlabs-accounts', '8.2.2'
-mod 'puppetlabs-mysql', '15.0.0'
+mod 'puppetlabs-mysql', '16.2.0'
 mod 'puppetlabs-xinetd', '3.4.1'
-mod 'puppetlabs-haproxy', '8.0.0'
+mod 'puppetlabs-haproxy', '8.2.0'
-mod 'puppetlabs-java', '10.1.2'
+mod 'puppetlabs-java', '11.1.0'
-mod 'puppetlabs-reboot', '5.0.0'
+mod 'puppetlabs-reboot', '5.1.0'
-mod 'puppetlabs-docker', '10.0.1'
+mod 'puppetlabs-docker', '10.2.0'
 
 # puppet
-mod 'puppet-python', '7.0.0'
+mod 'puppet-python', '7.4.0'
-mod 'puppet-systemd', '5.1.0'
+mod 'puppet-systemd', '8.1.0'
-mod 'puppet-yum', '7.0.0'
+mod 'puppet-yum', '7.2.0'
-mod 'puppet-archive', '7.0.0'
+mod 'puppet-archive', '7.1.0'
-mod 'puppet-chrony', '2.6.0'
+mod 'puppet-chrony', '3.0.0'
-mod 'puppet-puppetboard', '9.0.0'
+mod 'puppet-puppetboard', '11.0.0'
-mod 'puppet-nginx', '5.0.0'
+mod 'puppet-nginx', '6.0.1'
-mod 'puppet-selinux', '4.1.0'
+mod 'puppet-selinux', '5.0.0'
-mod 'puppet-prometheus', '13.4.0'
+mod 'puppet-prometheus', '16.0.0'
-mod 'puppet-grafana', '13.1.0'
+mod 'puppet-grafana', '14.1.0'
-mod 'puppet-consul', '8.0.0'
+mod 'puppet-consul', '9.1.0'
-mod 'puppet-vault', '4.1.0'
+mod 'puppet-vault', '4.1.1'
 mod 'puppet-dhcp', '6.1.0'
 mod 'puppet-keepalived', '5.1.0'
-mod 'puppet-extlib', '7.0.0'
+mod 'puppet-extlib', '7.5.1'
-mod 'puppet-network', '2.2.0'
+mod 'puppet-network', '2.2.1'
-mod 'puppet-kmod', '4.0.1'
+mod 'puppet-kmod', '4.1.0'
 mod 'puppet-filemapper', '4.0.0'
-mod 'puppet-letsencrypt', '11.0.0'
+mod 'puppet-letsencrypt', '11.1.0'
-mod 'puppet-rundeck', '9.1.0'
+mod 'puppet-rundeck', '9.2.0'
-mod 'puppet-redis', '11.0.0'
+mod 'puppet-redis', '11.1.0'
 mod 'puppet-nodejs', '11.0.0'
 mod 'puppet-k8s', '2.0.1'
 
 # other
-mod 'ghoneycutt-puppet', '3.3.0'
+mod 'saz-sudo', '9.0.2'
-mod 'saz-sudo', '8.0.0'
+mod 'saz-ssh', '13.1.0'
-mod 'saz-ssh', '12.1.0'
+mod 'saz-limits', '5.0.0'
 mod 'ghoneycutt-timezone', '4.0.0'
+mod 'ghoneycutt-puppet', '3.3.0'
 mod 'dalen-puppetdbquery', '3.0.1'
 mod 'markt-galera', '3.1.0'
 mod 'kogitoapp-minio', '1.1.4'
@@ -59,6 +60,7 @@ mod 'h0tw1r3-gitea', '3.2.0'
 mod 'rehan-mkdir', '2.0.0'
 mod 'tailoredautomation-patroni', '2.0.0'
 mod 'ssm-crypto_policies', '0.3.3'
+mod 'thias-sysctl', '1.0.8'
 
 mod 'bind',
   :git => 'https://git.service.au-syd1.consul/unkinben/puppet-bind.git',

hieradata/common.yaml

@@ -36,6 +36,12 @@ lookup_options:
   profiles::haproxy::server::listeners:
     merge:
       strategy: deep
+  profiles::accounts::root::sshkeys:
+    merge:
+      strategy: deep
+  profiles::accounts::sysadmin::sshkeys:
+    merge:
+      strategy: deep
   haproxy::backend:
     merge:
       strategy: deep
@@ -137,6 +143,20 @@ lookup_options:
       strategy: deep
   k8s::server::resources::bootstrap::secret:
     convert_to: "Sensitive"
+  profiles::etcd::node::initial_cluster_token:
+    convert_to: Sensitive
+  sysctl::base::values:
+    merge:
+      strategy: deep
+  limits::entries:
+    merge:
+      strategy: deep
+  zfs::zpools:
+    merge:
+      strategy: deep
+  zfs::datasets:
+    merge:
+      strategy: deep
 
 facts_path: '/opt/puppetlabs/facter/facts.d'
 
@@ -145,6 +165,8 @@ hiera_include:
   - networking
   - ssh::server
   - profiles::accounts::rundeck
+  - limits
+  - sysctl::base
 
 profiles::ntp::client::ntp_role: 'roles::infra::ntp::server'
 profiles::ntp::client::use_ntp: 'region'
@@ -157,9 +179,22 @@ profiles::ntp::client::peers:
 profiles::base::puppet_servers:
   - 'prodinf01n01.main.unkin.net'
 
+consul::install_method: 'package'
+consul::manage_repo: false
+consul::bin_dir: /usr/bin
+
+vault::install_method: 'repo'
+vault::manage_repo: false
+vault::bin_dir: /usr/bin
+vault::manage_service_file: true
+vault::manage_config_dir: true
+vault::disable_mlock: false
+
+profiles::dns::base::nameservers:
+  - 198.18.19.16
 profiles::dns::master::basedir: '/var/named/sources'
-profiles::dns::base::ns_role: 'roles::infra::dns::resolver'
+#profiles::dns::base::ns_role: 'roles::infra::dns::resolver'
-profiles::dns::base::use_ns: 'region'
+#profiles::dns::base::use_ns: 'region'
 profiles::consul::server::members_role: roles::infra::storage::consul
 profiles::consul::token::node_editor::accessor_id: '024e27bd-c5bb-41e7-a578-b766509e11bc'
 profiles::consul::client::members_lookup: true
@@ -322,6 +357,7 @@ networking::route_defaults:
   netmask: 0.0.0.0
   network: default
 
+# FIXME these are for the proxmox ceph cluster
 profiles::ceph::client::fsid: 7f7f00cb-95de-498c-8dcc-14b54e4e9ca8
 profiles::ceph::client::mons:
   - 10.18.15.1

hieradata/country/au/region/drw1.yaml

@@ -1,2 +1,9 @@
 ---
 timezone::timezone: 'Australia/Darwin'
+profiles_dns_upstream_forwarder_unkin:
+  - 198.18.17.23
+  - 198.18.17.24
+profiles_dns_upstream_forwarder_consul:
+  - 198.18.17.34
+  - 198.18.17.35
+  - 198.18.17.36

hieradata/country/au/region/drw1/infra/dns/resolver.yaml

@@ -1,52 +1 @@
 ---
-profiles::dns::resolver::zones:
-  main.unkin.net-forward:
-    domain: 'main.unkin.net'
-    zone_type: 'forward'
-    forwarders:
-      - 198.18.17.23
-      - 198.18.17.24
-    forward: 'only'
-  13.18.198.in-addr.arpa-forward:
-    domain: '13.18.198.in-addr.arpa'
-    zone_type: 'forward'
-    forwarders:
-      - 198.18.17.23
-      - 198.18.17.24
-    forward: 'only'
-  14.18.198.in-addr.arpa-forward:
-    domain: '14.18.198.in-addr.arpa'
-    zone_type: 'forward'
-    forwarders:
-      - 198.18.17.23
-      - 198.18.17.24
-    forward: 'only'
-  15.18.198.in-addr.arpa-forward:
-    domain: '15.18.198.in-addr.arpa'
-    zone_type: 'forward'
-    forwarders:
-      - 198.18.17.23
-      - 198.18.17.24
-    forward: 'only'
-  16.18.198.in-addr.arpa-forward:
-    domain: '16.18.198.in-addr.arpa'
-    zone_type: 'forward'
-    forwarders:
-      - 198.18.17.23
-      - 198.18.17.24
-    forward: 'only'
-  17.18.198.in-addr.arpa-forward:
-    domain: '17.18.198.in-addr.arpa'
-    zone_type: 'forward'
-    forwarders:
-      - 198.18.17.23
-      - 198.18.17.24
-    forward: 'only'
-  consul-forward:
-    domain: 'consul'
-    zone_type: 'forward'
-    forwarders:
-      - 198.18.17.34
-      - 198.18.17.35
-      - 198.18.17.36
-    forward: 'only'

hieradata/country/au/region/syd1.yaml

@@ -1,3 +1,7 @@
 ---
 timezone::timezone: 'Australia/Sydney'
 certbot::client::webserver: ausyd1nxvm1021.main.unkin.net
+profiles_dns_upstream_forwarder_unkin:
+  - 198.18.19.15
+profiles_dns_upstream_forwarder_consul:
+  - 198.18.19.14

hieradata/country/au/region/syd1/infra/dns/resolver.yaml

@@ -1,52 +1 @@
 ---
-profiles::dns::resolver::zones:
-  main.unkin.net-forward:
-    domain: 'main.unkin.net'
-    zone_type: 'forward'
-    forwarders:
-      - 198.18.13.14
-      - 198.18.13.15
-    forward: 'only'
-  13.18.198.in-addr.arpa-forward:
-    domain: '13.18.198.in-addr.arpa'
-    zone_type: 'forward'
-    forwarders:
-      - 198.18.13.14
-      - 198.18.13.15
-    forward: 'only'
-  14.18.198.in-addr.arpa-forward:
-    domain: '14.18.198.in-addr.arpa'
-    zone_type: 'forward'
-    forwarders:
-      - 198.18.13.14
-      - 198.18.13.15
-    forward: 'only'
-  15.18.198.in-addr.arpa-forward:
-    domain: '15.18.198.in-addr.arpa'
-    zone_type: 'forward'
-    forwarders:
-      - 198.18.13.14
-      - 198.18.13.15
-    forward: 'only'
-  16.18.198.in-addr.arpa-forward:
-    domain: '16.18.198.in-addr.arpa'
-    zone_type: 'forward'
-    forwarders:
-      - 198.18.13.14
-      - 198.18.13.15
-    forward: 'only'
-  17.18.198.in-addr.arpa-forward:
-    domain: '17.18.198.in-addr.arpa'
-    zone_type: 'forward'
-    forwarders:
-      - 198.18.13.14
-      - 198.18.13.15
-    forward: 'only'
-  consul-forward:
-    domain: 'consul'
-    zone_type: 'forward'
-    forwarders:
-      - 198.18.13.19
-      - 198.18.13.20
-      - 198.18.13.21
-    forward: 'only'

hieradata/nodes/ausyd1nxvm1067.main.unkin.net.yaml

@@ -2,6 +2,14 @@
 networking::interfaces:
   eth0:
     ipaddress: 198.18.13.77
+  ens19:
+    ensure: present
+    family: inet
+    method: static
+    ipaddress: 10.18.15.77
+    netmask: 255.255.255.0
+    onboot: true
 networking::routes:
   default:
     gateway: 198.18.13.254
+docker::bip: '198.18.67.254/24'

hieradata/nodes/ausyd1nxvm1068.main.unkin.net.yaml

@@ -2,6 +2,14 @@
 networking::interfaces:
   eth0:
     ipaddress: 198.18.13.78
+  ens19:
+    ensure: present
+    family: inet
+    method: static
+    ipaddress: 10.18.15.78
+    netmask: 255.255.255.0
+    onboot: true
 networking::routes:
   default:
     gateway: 198.18.13.254
+docker::bip: '198.18.68.254/24'

hieradata/nodes/ausyd1nxvm1069.main.unkin.net.yaml

@@ -2,6 +2,14 @@
 networking::interfaces:
   eth0:
     ipaddress: 198.18.13.79
+  ens19:
+    ensure: present
+    family: inet
+    method: static
+    ipaddress: 10.18.15.79
+    netmask: 255.255.255.0
+    onboot: true
 networking::routes:
   default:
     gateway: 198.18.13.254
+docker::bip: '198.18.69.254/24'

hieradata/nodes/ausyd1nxvm1070.main.unkin.net.yaml

@@ -0,0 +1,7 @@
+---
+networking::interfaces:
+  eth0:
+    ipaddress: 198.18.13.80
+networking::routes:
+  default:
+    gateway: 198.18.13.254

hieradata/nodes/ausyd1nxvm1071.main.unkin.net.yaml

@@ -0,0 +1,7 @@
+---
+networking::interfaces:
+  eth0:
+    ipaddress: 198.18.13.81
+networking::routes:
+  default:
+    gateway: 198.18.13.254

hieradata/nodes/ausyd1nxvm1072.main.unkin.net.yaml

@@ -0,0 +1,7 @@
+---
+networking::interfaces:
+  eth0:
+    ipaddress: 198.18.13.82
+networking::routes:
+  default:
+    gateway: 198.18.13.254

hieradata/nodes/ausyd1nxvm2005.main.unkin.net.yaml

@@ -0,0 +1,47 @@
+---
+hiera_include:
+  - frrouting
+
+# networking
+profiles::consul::server::anycast_ip: 198.18.19.14
+systemd::manage_networkd: true
+systemd::manage_all_network_files: true
+networking::interfaces:
+  eth0:
+    type: physical
+    forwarding: true
+    dhcp: true
+  anycast0:
+    type: dummy
+    ipaddress: "%{hiera('profiles::consul::server::anycast_ip')}"
+    netmask: 255.255.255.255
+    mtu: 1500
+
+# frrouting
+frrouting::ospfd_router_id: "%{facts.networking.ip}"
+frrouting::ospfd_redistribute:
+  - connected
+frrouting::ospfd_interfaces:
+  eth0:
+    area: 0.0.0.0
+  anycast0:
+    area: 0.0.0.0
+frrouting::daemons:
+  ospfd: true
+
+# additional repos
+profiles::yum::global::repos:
+  frr-extras:
+    name: frr-extras
+    descr: frr-extras repository
+    target: /etc/yum.repos.d/frr-extras.repo
+    baseurl: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os
+    gpgkey: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
+    mirrorlist: absent
+  frr-stable:
+    name: frr-stable
+    descr: frr-stable repository
+    target: /etc/yum.repos.d/frr-stable.repo
+    baseurl: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os
+    gpgkey: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
+    mirrorlist: absent

hieradata/nodes/ausyd1nxvm2006.main.unkin.net.yaml

@@ -0,0 +1,47 @@
+---
+hiera_include:
+  - frrouting
+
+# networking
+profiles::consul::server::anycast_ip: 198.18.19.14
+systemd::manage_networkd: true
+systemd::manage_all_network_files: true
+networking::interfaces:
+  eth0:
+    type: physical
+    forwarding: true
+    dhcp: true
+  anycast0:
+    type: dummy
+    ipaddress: "%{hiera('profiles::consul::server::anycast_ip')}"
+    netmask: 255.255.255.255
+    mtu: 1500
+
+# frrouting
+frrouting::ospfd_router_id: "%{facts.networking.ip}"
+frrouting::ospfd_redistribute:
+  - connected
+frrouting::ospfd_interfaces:
+  eth0:
+    area: 0.0.0.0
+  anycast0:
+    area: 0.0.0.0
+frrouting::daemons:
+  ospfd: true
+
+# additional repos
+profiles::yum::global::repos:
+  frr-extras:
+    name: frr-extras
+    descr: frr-extras repository
+    target: /etc/yum.repos.d/frr-extras.repo
+    baseurl: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os
+    gpgkey: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
+    mirrorlist: absent
+  frr-stable:
+    name: frr-stable
+    descr: frr-stable repository
+    target: /etc/yum.repos.d/frr-stable.repo
+    baseurl: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os
+    gpgkey: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
+    mirrorlist: absent

hieradata/nodes/ausyd1nxvm2007.main.unkin.net.yaml

@@ -0,0 +1,47 @@
+---
+hiera_include:
+  - frrouting
+
+# networking
+profiles::consul::server::anycast_ip: 198.18.19.14
+systemd::manage_networkd: true
+systemd::manage_all_network_files: true
+networking::interfaces:
+  eth0:
+    type: physical
+    forwarding: true
+    dhcp: true
+  anycast0:
+    type: dummy
+    ipaddress: "%{hiera('profiles::consul::server::anycast_ip')}"
+    netmask: 255.255.255.255
+    mtu: 1500
+
+# frrouting
+frrouting::ospfd_router_id: "%{facts.networking.ip}"
+frrouting::ospfd_redistribute:
+  - connected
+frrouting::ospfd_interfaces:
+  eth0:
+    area: 0.0.0.0
+  anycast0:
+    area: 0.0.0.0
+frrouting::daemons:
+  ospfd: true
+
+# additional repos
+profiles::yum::global::repos:
+  frr-extras:
+    name: frr-extras
+    descr: frr-extras repository
+    target: /etc/yum.repos.d/frr-extras.repo
+    baseurl: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os
+    gpgkey: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
+    mirrorlist: absent
+  frr-stable:
+    name: frr-stable
+    descr: frr-stable repository
+    target: /etc/yum.repos.d/frr-stable.repo
+    baseurl: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os
+    gpgkey: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
+    mirrorlist: absent

hieradata/nodes/ausyd1nxvm2008.main.unkin.net.yaml

@@ -0,0 +1,47 @@
+---
+hiera_include:
+  - frrouting
+
+# networking
+profiles::consul::server::anycast_ip: 198.18.19.14
+systemd::manage_networkd: true
+systemd::manage_all_network_files: true
+networking::interfaces:
+  eth0:
+    type: physical
+    forwarding: true
+    dhcp: true
+  anycast0:
+    type: dummy
+    ipaddress: "%{hiera('profiles::consul::server::anycast_ip')}"
+    netmask: 255.255.255.255
+    mtu: 1500
+
+# frrouting
+frrouting::ospfd_router_id: "%{facts.networking.ip}"
+frrouting::ospfd_redistribute:
+  - connected
+frrouting::ospfd_interfaces:
+  eth0:
+    area: 0.0.0.0
+  anycast0:
+    area: 0.0.0.0
+frrouting::daemons:
+  ospfd: true
+
+# additional repos
+profiles::yum::global::repos:
+  frr-extras:
+    name: frr-extras
+    descr: frr-extras repository
+    target: /etc/yum.repos.d/frr-extras.repo
+    baseurl: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os
+    gpgkey: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
+    mirrorlist: absent
+  frr-stable:
+    name: frr-stable
+    descr: frr-stable repository
+    target: /etc/yum.repos.d/frr-stable.repo
+    baseurl: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os
+    gpgkey: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
+    mirrorlist: absent

hieradata/nodes/ausyd1nxvm2009.main.unkin.net.yaml

@@ -0,0 +1,47 @@
+---
+hiera_include:
+  - frrouting
+
+# networking
+profiles::consul::server::anycast_ip: 198.18.19.14
+systemd::manage_networkd: true
+systemd::manage_all_network_files: true
+networking::interfaces:
+  eth0:
+    type: physical
+    forwarding: true
+    dhcp: true
+  anycast0:
+    type: dummy
+    ipaddress: "%{hiera('profiles::consul::server::anycast_ip')}"
+    netmask: 255.255.255.255
+    mtu: 1500
+
+# frrouting
+frrouting::ospfd_router_id: "%{facts.networking.ip}"
+frrouting::ospfd_redistribute:
+  - connected
+frrouting::ospfd_interfaces:
+  eth0:
+    area: 0.0.0.0
+  anycast0:
+    area: 0.0.0.0
+frrouting::daemons:
+  ospfd: true
+
+# additional repos
+profiles::yum::global::repos:
+  frr-extras:
+    name: frr-extras
+    descr: frr-extras repository
+    target: /etc/yum.repos.d/frr-extras.repo
+    baseurl: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os
+    gpgkey: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
+    mirrorlist: absent
+  frr-stable:
+    name: frr-stable
+    descr: frr-stable repository
+    target: /etc/yum.repos.d/frr-stable.repo
+    baseurl: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os
+    gpgkey: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
+    mirrorlist: absent

hieradata/nodes/ausyd1nxvm2029.main.unkin.net.yaml

@@ -0,0 +1,47 @@
+---
+hiera_include:
+  - frrouting
+
+# networking
+dns_master_anycast_ip: 198.18.19.15
+systemd::manage_networkd: true
+systemd::manage_all_network_files: true
+networking::interfaces:
+  eth0:
+    type: physical
+    forwarding: true
+    dhcp: true
+  anycast0:
+    type: dummy
+    ipaddress: "%{hiera('dns_master_anycast_ip')}"
+    netmask: 255.255.255.255
+    mtu: 1500
+
+# frrouting
+frrouting::ospfd_router_id: "%{facts.networking.ip}"
+frrouting::ospfd_redistribute:
+  - connected
+frrouting::ospfd_interfaces:
+  eth0:
+    area: 0.0.0.0
+  anycast0:
+    area: 0.0.0.0
+frrouting::daemons:
+  ospfd: true
+
+# additional repos
+profiles::yum::global::repos:
+  frr-extras:
+    name: frr-extras
+    descr: frr-extras repository
+    target: /etc/yum.repos.d/frr-extras.repo
+    baseurl: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os
+    gpgkey: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
+    mirrorlist: absent
+  frr-stable:
+    name: frr-stable
+    descr: frr-stable repository
+    target: /etc/yum.repos.d/frr-stable.repo
+    baseurl: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os
+    gpgkey: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
+    mirrorlist: absent

hieradata/nodes/ausyd1nxvm2030.main.unkin.net.yaml

@@ -0,0 +1,47 @@
+---
+hiera_include:
+  - frrouting
+
+# networking
+dns_master_anycast_ip: 198.18.19.15
+systemd::manage_networkd: true
+systemd::manage_all_network_files: true
+networking::interfaces:
+  eth0:
+    type: physical
+    forwarding: true
+    dhcp: true
+  anycast0:
+    type: dummy
+    ipaddress: "%{hiera('dns_master_anycast_ip')}"
+    netmask: 255.255.255.255
+    mtu: 1500
+
+# frrouting
+frrouting::ospfd_router_id: "%{facts.networking.ip}"
+frrouting::ospfd_redistribute:
+  - connected
+frrouting::ospfd_interfaces:
+  eth0:
+    area: 0.0.0.0
+  anycast0:
+    area: 0.0.0.0
+frrouting::daemons:
+  ospfd: true
+
+# additional repos
+profiles::yum::global::repos:
+  frr-extras:
+    name: frr-extras
+    descr: frr-extras repository
+    target: /etc/yum.repos.d/frr-extras.repo
+    baseurl: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os
+    gpgkey: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
+    mirrorlist: absent
+  frr-stable:
+    name: frr-stable
+    descr: frr-stable repository
+    target: /etc/yum.repos.d/frr-stable.repo
+    baseurl: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os
+    gpgkey: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
+    mirrorlist: absent

hieradata/nodes/ausyd1nxvm2031.main.unkin.net.yaml

@@ -0,0 +1,47 @@
+---
+hiera_include:
+  - frrouting
+
+# networking
+dns_master_anycast_ip: 198.18.19.15
+systemd::manage_networkd: true
+systemd::manage_all_network_files: true
+networking::interfaces:
+  eth0:
+    type: physical
+    forwarding: true
+    dhcp: true
+  anycast0:
+    type: dummy
+    ipaddress: "%{hiera('dns_master_anycast_ip')}"
+    netmask: 255.255.255.255
+    mtu: 1500
+
+# frrouting
+frrouting::ospfd_router_id: "%{facts.networking.ip}"
+frrouting::ospfd_redistribute:
+  - connected
+frrouting::ospfd_interfaces:
+  eth0:
+    area: 0.0.0.0
+  anycast0:
+    area: 0.0.0.0
+frrouting::daemons:
+  ospfd: true
+
+# additional repos
+profiles::yum::global::repos:
+  frr-extras:
+    name: frr-extras
+    descr: frr-extras repository
+    target: /etc/yum.repos.d/frr-extras.repo
+    baseurl: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os
+    gpgkey: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
+    mirrorlist: absent
+  frr-stable:
+    name: frr-stable
+    descr: frr-stable repository
+    target: /etc/yum.repos.d/frr-stable.repo
+    baseurl: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os
+    gpgkey: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
+    mirrorlist: absent

hieradata/nodes/ausyd1nxvm2032.main.unkin.net.yaml

@@ -0,0 +1,47 @@
+---
+hiera_include:
+  - frrouting
+
+# networking
+dns_resolver_anycast_ip: 198.18.19.16
+systemd::manage_networkd: true
+systemd::manage_all_network_files: true
+networking::interfaces:
+  eth0:
+    type: physical
+    forwarding: true
+    dhcp: true
+  anycast0:
+    type: dummy
+    ipaddress: "%{hiera('dns_resolver_anycast_ip')}"
+    netmask: 255.255.255.255
+    mtu: 1500
+
+# frrouting
+frrouting::ospfd_router_id: "%{facts.networking.ip}"
+frrouting::ospfd_redistribute:
+  - connected
+frrouting::ospfd_interfaces:
+  eth0:
+    area: 0.0.0.0
+  anycast0:
+    area: 0.0.0.0
+frrouting::daemons:
+  ospfd: true
+
+# additional repos
+profiles::yum::global::repos:
+  frr-extras:
+    name: frr-extras
+    descr: frr-extras repository
+    target: /etc/yum.repos.d/frr-extras.repo
+    baseurl: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os
+    gpgkey: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
+    mirrorlist: absent
+  frr-stable:
+    name: frr-stable
+    descr: frr-stable repository
+    target: /etc/yum.repos.d/frr-stable.repo
+    baseurl: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os
+    gpgkey: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
+    mirrorlist: absent

hieradata/nodes/ausyd1nxvm2033.main.unkin.net.yaml

@@ -0,0 +1,47 @@
+---
+hiera_include:
+  - frrouting
+
+# networking
+dns_resolver_anycast_ip: 198.18.19.16
+systemd::manage_networkd: true
+systemd::manage_all_network_files: true
+networking::interfaces:
+  eth0:
+    type: physical
+    forwarding: true
+    dhcp: true
+  anycast0:
+    type: dummy
+    ipaddress: "%{hiera('dns_resolver_anycast_ip')}"
+    netmask: 255.255.255.255
+    mtu: 1500
+
+# frrouting
+frrouting::ospfd_router_id: "%{facts.networking.ip}"
+frrouting::ospfd_redistribute:
+  - connected
+frrouting::ospfd_interfaces:
+  eth0:
+    area: 0.0.0.0
+  anycast0:
+    area: 0.0.0.0
+frrouting::daemons:
+  ospfd: true
+
+# additional repos
+profiles::yum::global::repos:
+  frr-extras:
+    name: frr-extras
+    descr: frr-extras repository
+    target: /etc/yum.repos.d/frr-extras.repo
+    baseurl: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os
+    gpgkey: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
+    mirrorlist: absent
+  frr-stable:
+    name: frr-stable
+    descr: frr-stable repository
+    target: /etc/yum.repos.d/frr-stable.repo
+    baseurl: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os
+    gpgkey: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
+    mirrorlist: absent

hieradata/nodes/ausyd1nxvm2034.main.unkin.net.yaml

@@ -0,0 +1,47 @@
+---
+hiera_include:
+  - frrouting
+
+# networking
+dns_resolver_anycast_ip: 198.18.19.16
+systemd::manage_networkd: true
+systemd::manage_all_network_files: true
+networking::interfaces:
+  eth0:
+    type: physical
+    forwarding: true
+    dhcp: true
+  anycast0:
+    type: dummy
+    ipaddress: "%{hiera('dns_resolver_anycast_ip')}"
+    netmask: 255.255.255.255
+    mtu: 1500
+
+# frrouting
+frrouting::ospfd_router_id: "%{facts.networking.ip}"
+frrouting::ospfd_redistribute:
+  - connected
+frrouting::ospfd_interfaces:
+  eth0:
+    area: 0.0.0.0
+  anycast0:
+    area: 0.0.0.0
+frrouting::daemons:
+  ospfd: true
+
+# additional repos
+profiles::yum::global::repos:
+  frr-extras:
+    name: frr-extras
+    descr: frr-extras repository
+    target: /etc/yum.repos.d/frr-extras.repo
+    baseurl: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os
+    gpgkey: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
+    mirrorlist: absent
+  frr-stable:
+    name: frr-stable
+    descr: frr-stable repository
+    target: /etc/yum.repos.d/frr-stable.repo
+    baseurl: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os
+    gpgkey: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
+    mirrorlist: absent

hieradata/nodes/ausyd1nxvm2040.main.unkin.net.yaml

@@ -0,0 +1,2 @@
+---
+networking_loopback0_ip: 198.18.23.40  # ceph-public loopback

hieradata/nodes/ausyd1nxvm2041.main.unkin.net.yaml

@@ -0,0 +1,2 @@
+---
+networking_loopback0_ip: 198.18.23.41  # ceph-public loopback

hieradata/nodes/ausyd1nxvm2042.main.unkin.net.yaml

@@ -0,0 +1,2 @@
+---
+networking_loopback0_ip: 198.18.23.42   # ceph-public loopback

hieradata/nodes/ausyd1nxvm2043.main.unkin.net.yaml

@@ -0,0 +1,2 @@
+---
+networking_loopback0_ip: 198.18.23.43  # ceph-public loopback

hieradata/nodes/ausyd1nxvm2044.main.unkin.net.yaml

@@ -0,0 +1,2 @@
+---
+networking_loopback0_ip: 198.18.23.44  # ceph-public loopback

hieradata/nodes/prodnxsr0009.main.unkin.net.yaml

@@ -0,0 +1,18 @@
+---
+networking_loopback0_ip: 198.18.19.9  # management loopback
+networking_loopback1_ip: 198.18.22.9  # ceph-cluster loopback
+networking_loopback2_ip: 198.18.23.9  # ceph-public loopback
+networking_br10_ip: 198.18.25.254
+networking::interfaces:
+  enp2s0:
+    mac: 70:b5:e8:38:e9:8d
+    ipaddress: 198.18.15.9
+    gateway: 198.18.15.254
+  enp3s0:
+    mac: 00:e0:4c:68:0f:5d
+    ipaddress: 198.18.21.9
+
+#zfs::zpools:
+#  fastpool:
+#    ensure: present
+#    disk: /dev/nvme0n1

hieradata/nodes/prodnxsr0010.main.unkin.net.yaml

@@ -0,0 +1,13 @@
+---
+networking_loopback0_ip: 198.18.19.10  # management loopback
+networking_loopback1_ip: 198.18.22.10  # ceph-cluster loopback
+networking_loopback2_ip: 198.18.23.10  # ceph-public loopback
+networking_br10_ip: 198.18.26.254
+networking::interfaces:
+  enp2s0:
+    mac: 70:b5:e8:38:e9:37
+    ipaddress: 198.18.15.10
+    gateway: 198.18.15.254
+  enp3s0:
+    mac: 00:e0:4c:68:0f:de
+    ipaddress: 198.18.21.10

hieradata/nodes/prodnxsr0011.main.unkin.net.yaml

@@ -0,0 +1,13 @@
+---
+networking_loopback0_ip: 198.18.19.11  # management loopback
+networking_loopback1_ip: 198.18.22.11  # ceph-cluster loopback
+networking_loopback2_ip: 198.18.23.11  # ceph-public loopback
+networking_br10_ip: 198.18.27.254
+networking::interfaces:
+  enp2s0:
+    mac: 70:b5:e8:38:e9:0f
+    ipaddress: 198.18.15.11
+    gateway: 198.18.15.254
+  enp3s0:
+    mac: 00:e0:4c:68:0f:55
+    ipaddress: 198.18.21.11

hieradata/nodes/prodnxsr0012.main.unkin.net.yaml

@@ -0,0 +1,13 @@
+---
+networking_loopback0_ip: 198.18.19.12  # management loopback
+networking_loopback1_ip: 198.18.22.12  # ceph-cluster loopback
+networking_loopback2_ip: 198.18.23.12  # ceph-public loopback
+networking_br10_ip: 198.18.28.254
+networking::interfaces:
+  enp2s0:
+    mac: 70:b5:e8:4f:05:1e
+    ipaddress: 198.18.15.12
+    gateway: 198.18.15.254
+  enp3s0:
+    mac: 00:e0:4c:68:0f:e5
+    ipaddress: 198.18.21.12

hieradata/nodes/prodnxsr0013.main.unkin.net.yaml

@@ -0,0 +1,13 @@
+---
+networking_loopback0_ip: 198.18.19.13  # management loopback
+networking_loopback1_ip: 198.18.22.13  # ceph-cluster loopback
+networking_loopback2_ip: 198.18.23.13  # ceph-public loopback
+networking_br10_ip: 198.18.29.254
+networking::interfaces:
+  enp2s0:
+    mac: 70:b5:e8:4f:04:b0
+    ipaddress: 198.18.15.13
+    gateway: 198.18.15.254
+  enp3s0:
+    mac: 00:e0:4c:68:0f:36
+    ipaddress: 198.18.21.13

hieradata/os/AlmaLinux/AlmaLinux8.yaml

@@ -13,3 +13,11 @@ profiles::yum::global::repos:
     baseurl: https://edgecache.query.consul/almalinux/%{facts.os.release.full}/PowerTools/%{facts.os.architecture}/os
     gpgkey: http://edgecache.query.consul/almalinux/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
     mirrorlist: absent
+  unkin:
+    name: unkin
+    descr: unkin repository
+    target: /etc/yum.repos.d/unkin.repo
+    baseurl: https://git.query.consul/api/packages/unkin/rpm/almalinux/el8
+    gpgkey: https://git.query.consul/api/packages/unkin/rpm/repository.key
+    gpgcheck: false
+    mirrorlist: absent

hieradata/os/AlmaLinux/AlmaLinux9.yaml

@@ -3,10 +3,34 @@
 crypto_policies::policy: 'DEFAULT:SHA1'
 
 profiles::yum::global::repos:
+  baseos:
+    baseurl: https://packagerepo.service.consul/almalinux/%{facts.os.release.full}/baseos-daily/%{facts.os.architecture}/os/
+    gpgkey: https://packagerepo.service.consul/almalinux/%{facts.os.release.full}/baseos-daily/%{facts.os.architecture}/os//RPM-GPG-KEY-AlmaLinux-9
+    mirrorlist: absent
+  extras:
+    baseurl: https://packagerepo.service.consul/almalinux/%{facts.os.release.full}/extras-daily/%{facts.os.architecture}/os/
+    gpgkey: https://packagerepo.service.consul/almalinux/%{facts.os.release.full}/extras-daily/%{facts.os.architecture}/os//RPM-GPG-KEY-AlmaLinux-9
+    mirrorlist: absent
+  appstream:
+    baseurl: https://packagerepo.service.consul/almalinux/%{facts.os.release.full}/appstream-daily/%{facts.os.architecture}/os/
+    gpgkey: https://packagerepo.service.consul/almalinux/%{facts.os.release.full}/appstream-daily/%{facts.os.architecture}/os//RPM-GPG-KEY-AlmaLinux-9
+    mirrorlist: absent
+  highavailability:
+    baseurl: https://packagerepo.service.consul/almalinux/%{facts.os.release.full}/ha-daily/%{facts.os.architecture}/os/
+    gpgkey: https://packagerepo.service.consul/almalinux/%{facts.os.release.full}/ha-daily/%{facts.os.architecture}/os//RPM-GPG-KEY-AlmaLinux-9
+    mirrorlist: absent
   crb:
     name: crb
     descr: crb repository
     target: /etc/yum.repos.d/crb.repo
-    baseurl: https://edgecache.query.consul/almalinux/%{facts.os.release.full}/CRB/%{facts.os.architecture}/os
+    baseurl: https://packagerepo.service.consul/almalinux/%{facts.os.release.full}/crb-daily/%{facts.os.architecture}/os/
-    gpgkey: http://edgecache.query.consul/almalinux/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
+    gpgkey: https://packagerepo.service.consul/almalinux/%{facts.os.release.full}/crb-daily/%{facts.os.architecture}/os//RPM-GPG-KEY-AlmaLinux-9
+    mirrorlist: absent
+  unkin:
+    name: unkin
+    descr: unkin repository
+    target: /etc/yum.repos.d/unkin.repo
+    baseurl: https://git.query.consul/api/packages/unkin/rpm/almalinux/el9
+    gpgkey: https://git.query.consul/api/packages/unkin/rpm/repository.key
+    gpgcheck: false
     mirrorlist: absent

hieradata/os/AlmaLinux/all_releases.yaml

@@ -9,6 +9,7 @@ hiera_include:
   - profiles::almalinux::base
 
 profiles::packages::include:
+  crypto-policies-scripts: {}
   lzo: {}
   policycoreutils: {}
   unar: {}
@@ -59,14 +60,6 @@ profiles::yum::global::repos:
     baseurl: https://packagerepo.service.consul/puppet7/el/%{facts.os.release.major}-daily/%{facts.os.architecture}/os/
     gpgkey: https://packagerepo.service.consul/puppet7/el/%{facts.os.release.major}-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-puppet-20250406
     mirrorlist: absent
-  unkin:
-    name: unkin
-    descr: unkin repository
-    target: /etc/yum.repos.d/unkin.repo
-    baseurl: https://git.query.consul/api/packages/unkin/rpm/almalinux/el8
-    gpgkey: https://git.query.consul/api/packages/unkin/rpm/repository.key
-    gpgcheck: false
-    mirrorlist: absent
   unkinben:
     name: unkinben
     descr: unkinben repository

hieradata/os/Debian/all_releases.yaml

@@ -13,3 +13,7 @@ profiles::packages::include:
 
 lm-sensors::package: lm-sensors
 networking::nwmgr_dns_none: false
+
+consul::install_method: 'url'
+consul::manage_repo: false
+consul::bin_dir: /usr/local/bin

hieradata/roles/apps/media/jellyfin.yaml

@@ -2,6 +2,12 @@
 hiera_include:
   - jellyfin
 
+profiles::packages::include:
+  intel-media-driver: {}
+  libva-intel-driver: {}
+  libva-intel-hybrid-driver: {}
+  intel-mediasdk: {}
+
 # manage jellyfin
 jellyfin::params::service_enable: true
 
@@ -61,3 +67,11 @@ profiles::yum::global::repos:
     baseurl: https://download1.rpmfusion.org/nonfree/el/updates/%{facts.os.release.major}/%{facts.os.architecture}
     gpgkey: https://download1.rpmfusion.org/nonfree/el/RPM-GPG-KEY-rpmfusion-nonfree-el-%{facts.os.release.major}
     mirrorlist: absent
+  unkinben:
+    name: unkinben
+    descr: unkinben repository
+    target: /etc/yum.repos.d/unkin.repo
+    baseurl: https://git.query.consul/api/packages/unkinben/rpm/el8
+    gpgkey: https://git.query.consul/api/packages/unkinben/rpm/repository.key
+    gpgcheck: false
+    mirrorlist: absent

hieradata/roles/apps/media/lidarr.yaml

@@ -2,6 +2,7 @@
 hiera_include:
   - lidarr
   - profiles::nginx::ldapauth
+  - profiles::media::lidarr
 
 # manage lidarr
 lidarr::params::user: lidarr

hieradata/roles/apps/media/nzbget.yaml

@@ -5,6 +5,9 @@ hiera_include:
   - profiles::media::nzbget
   - profiles::nginx::ldapauth
 
+profiles::packages::include:
+  unrar: {}
+
 # manage nzbget
 nzbget::params::user: nzbget
 nzbget::params::group: media

hieradata/roles/apps/media/prowlarr.yaml

@@ -2,6 +2,7 @@
 hiera_include:
   - prowlarr
   - profiles::nginx::ldapauth
+  - profiles::media::prowlarr
 
 # manage prowlarr
 prowlarr::params::user: prowlarr

hieradata/roles/apps/media/radarr.yaml

@@ -2,6 +2,7 @@
 hiera_include:
   - radarr
   - profiles::nginx::ldapauth
+  - profiles::media::radarr
 
 # manage radarr
 radarr::params::user: radarr

hieradata/roles/apps/media/readarr.yaml

@@ -2,6 +2,7 @@
 hiera_include:
   - readarr
   - profiles::nginx::ldapauth
+  - profiles::media::readarr
 
 # manage readarr
 readarr::params::user: readarr

hieradata/roles/apps/media/sonarr.yaml

@@ -2,6 +2,7 @@
 hiera_include:
   - sonarr
   - profiles::nginx::ldapauth
+  - profiles::media::sonarr
 
 # manage sonarr
 sonarr::params::user: sonarr

hieradata/roles/ceph.yaml

@@ -0,0 +1,60 @@
+---
+hiera_include:
+  - frrouting
+
+# networking
+systemd::manage_networkd: true
+systemd::manage_all_network_files: true
+networking::interfaces:
+  eth0:
+    type: physical
+    forwarding: true
+    dhcp: true
+  loopback0:
+    type: dummy
+    ipaddress: "%{hiera('networking_loopback0_ip')}" # ceph public network
+    netmask: 255.255.255.255
+    mtu: 1500
+
+# frrouting
+frrouting::ospfd_router_id: "%{facts.networking.ip}"
+frrouting::ospfd_redistribute:
+  - connected
+frrouting::ospfd_interfaces:
+  eth0:
+    area: 0.0.0.0
+  loopback0:
+    area: 0.0.0.0
+frrouting::daemons:
+  ospfd: true
+
+# additional repos
+profiles::yum::global::repos:
+  ceph:
+    name: ceph
+    descr: ceph repository
+    target: /etc/yum.repos.d/ceph.repo
+    baseurl: https://edgecache.query.consul/ceph/yum/el%{facts.os.release.major}/%{facts.os.architecture}
+    gpgkey: https://download.ceph.com/keys/release.asc
+    mirrorlist: absent
+  ceph-noarch:
+    name: ceph-noarch
+    descr: ceph-noarch repository
+    target: /etc/yum.repos.d/ceph-noarch.repo
+    baseurl: https://edgecache.query.consul/ceph/yum/el%{facts.os.release.major}/noarch
+    gpgkey: https://download.ceph.com/keys/release.asc
+    mirrorlist: absent
+  frr-extras:
+    name: frr-extras
+    descr: frr-extras repository
+    target: /etc/yum.repos.d/frr-extras.repo
+    baseurl: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os
+    gpgkey: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
+    mirrorlist: absent
+  frr-stable:
+    name: frr-stable
+    descr: frr-stable repository
+    target: /etc/yum.repos.d/frr-stable.repo
+    baseurl: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os
+    gpgkey: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
+    mirrorlist: absent

hieradata/roles/infra/auth/glauth.yaml

@@ -191,6 +191,18 @@ glauth::users:
     loginshell: '/bin/bash'
     homedir: '/home/sudobo'
     passsha256: 'a326e049c2a615226877946220a978a0a8247c569be1adcd73539b09b14136d0'
+  waewak:
+    user_name: 'waewak'
+    givenname: 'Waew'
+    sn: 'Wakul'
+    mail: 'waewak@users.main.unkin.net'
+    uidnumber: 20008
+    primarygroup: 20000
+    othergroups:
+      - 20010 # jelly
+    loginshell: '/bin/bash'
+    homedir: '/home/waewak'
+    passsha256: 'd9bb99634215fe031c3bdca94149a165192fe8384ecaa238a19354c2f760a811'
 
 glauth::services:
   svc_jellyfin:

hieradata/roles/infra/automation/rundeck.yaml

@@ -91,7 +91,7 @@ profiles::rundeck::server::key_storage_config:
     path: 'vault'
     config:
       prefix: 'rundeck'
-      address: https://vault.query.consul:8200
+      address: https://vault.service.consul:8200
       storageBehaviour: 'vault'
       secretBackend: rundeck
       engineVersion: '2'

hieradata/roles/infra/dhcp/server.yaml

@@ -15,9 +15,7 @@ profiles::dhcp::server::pools:
     range:
       - '198.18.15.200 198.18.15.220'
     gateway: 198.18.15.254
-    nameservers:
+    nameservers: "%{alias('profiles_dns_upstream_forwarder_unkin')}"
-      - 198.18.13.12
-      - 198.18.13.13
     domain_name: main.unkin.net
     pxeserver: 198.18.13.27
   syd1-test:
@@ -26,9 +24,7 @@ profiles::dhcp::server::pools:
     range:
       - '198.18.16.200 198.18.16.220'
     gateway: 198.18.16.254
-    nameservers:
+    nameservers: "%{alias('profiles_dns_upstream_forwarder_unkin')}"
-      - 198.18.13.12
-      - 198.18.13.13
     domain_name: main.unkin.net
     pxeserver: 198.18.13.27
   syd1-prod1:
@@ -37,9 +33,7 @@ profiles::dhcp::server::pools:
     range:
       - '198.18.13.200 198.18.13.220'
     gateway: 198.18.13.254
-    nameservers:
+    nameservers: "%{alias('profiles_dns_upstream_forwarder_unkin')}"
-      - 198.18.13.12
-      - 198.18.13.13
     domain_name: main.unkin.net
     pxeserver: 198.18.13.27
   syd1-prod2:
@@ -48,9 +42,7 @@ profiles::dhcp::server::pools:
     range:
       - '198.18.14.200 198.18.14.220'
     gateway: 198.18.14.254
-    nameservers:
+    nameservers: "%{alias('profiles_dns_upstream_forwarder_unkin')}"
-      - 198.18.13.12
-      - 198.18.13.13
     domain_name: main.unkin.net
     pxeserver: 198.18.13.27
   drw1-prod:
@@ -59,9 +51,7 @@ profiles::dhcp::server::pools:
     range:
       - '198.18.17.200 198.18.17.220'
     gateway: 198.18.17.1
-    nameservers:
+    nameservers: "%{alias('profiles_dns_upstream_forwarder_unkin')}"
-      - 198.18.17.7
-      - 198.18.17.8
     domain_name: main.unkin.net
     pxeserver: 198.18.13.27
 

hieradata/roles/infra/dns/master.yaml

@@ -9,6 +9,14 @@ profiles::dns::master::acls:
       - 198.18.15.0/24
       - 198.18.16.0/24
       - 198.18.17.0/24
+      - 198.18.19.0/24
+      - 198.18.20.0/24
+      - 198.18.24.0/24
+      - 198.18.25.0/24
+      - 198.18.26.0/24
+      - 198.18.27.0/24
+      - 198.18.28.0/24
+      - 198.18.29.0/24
 
 profiles::dns::master::zones:
   main.unkin.net:
@@ -47,6 +55,72 @@ profiles::dns::master::zones:
     dynamic: false
     ns_notify: true
     source: '/var/named/sources/17.18.198.in-addr.arpa.conf'
+  19.18.198.in-addr.arpa:
+    domain: '19.18.198.in-addr.arpa'
+    zone_type: 'master'
+    dynamic: false
+    ns_notify: true
+    source: '/var/named/sources/19.18.198.in-addr.arpa.conf'
+  20.18.198.in-addr.arpa:
+    domain: '20.18.198.in-addr.arpa'
+    zone_type: 'master'
+    dynamic: false
+    ns_notify: true
+    source: '/var/named/sources/20.18.198.in-addr.arpa.conf'
+  21.18.198.in-addr.arpa:
+    domain: '21.18.198.in-addr.arpa'
+    zone_type: 'master'
+    dynamic: false
+    ns_notify: true
+    source: '/var/named/sources/21.18.198.in-addr.arpa.conf'
+  22.18.198.in-addr.arpa:
+    domain: '22.18.198.in-addr.arpa'
+    zone_type: 'master'
+    dynamic: false
+    ns_notify: true
+    source: '/var/named/sources/22.18.198.in-addr.arpa.conf'
+  23.18.198.in-addr.arpa:
+    domain: '23.18.198.in-addr.arpa'
+    zone_type: 'master'
+    dynamic: false
+    ns_notify: true
+    source: '/var/named/sources/23.18.198.in-addr.arpa.conf'
+  24.18.198.in-addr.arpa:
+    domain: '24.18.198.in-addr.arpa'
+    zone_type: 'master'
+    dynamic: false
+    ns_notify: true
+    source: '/var/named/sources/24.18.198.in-addr.arpa.conf'
+  25.18.198.in-addr.arpa:
+    domain: '25.18.198.in-addr.arpa'
+    zone_type: 'master'
+    dynamic: false
+    ns_notify: true
+    source: '/var/named/sources/25.18.198.in-addr.arpa.conf'
+  26.18.198.in-addr.arpa:
+    domain: '26.18.198.in-addr.arpa'
+    zone_type: 'master'
+    dynamic: false
+    ns_notify: true
+    source: '/var/named/sources/26.18.198.in-addr.arpa.conf'
+  27.18.198.in-addr.arpa:
+    domain: '27.18.198.in-addr.arpa'
+    zone_type: 'master'
+    dynamic: false
+    ns_notify: true
+    source: '/var/named/sources/27.18.198.in-addr.arpa.conf'
+  28.18.198.in-addr.arpa:
+    domain: '28.18.198.in-addr.arpa'
+    zone_type: 'master'
+    dynamic: false
+    ns_notify: true
+    source: '/var/named/sources/28.18.198.in-addr.arpa.conf'
+  29.18.198.in-addr.arpa:
+    domain: '29.18.198.in-addr.arpa'
+    zone_type: 'master'
+    dynamic: false
+    ns_notify: true
+    source: '/var/named/sources/29.18.198.in-addr.arpa.conf'
 
 profiles::dns::master::views:
   master-zones:
@@ -58,6 +132,17 @@ profiles::dns::master::views:
       - 15.18.198.in-addr.arpa
       - 16.18.198.in-addr.arpa
       - 17.18.198.in-addr.arpa
+      - 19.18.198.in-addr.arpa
+      - 20.18.198.in-addr.arpa
+      - 21.18.198.in-addr.arpa
+      - 22.18.198.in-addr.arpa
+      - 23.18.198.in-addr.arpa
+      - 24.18.198.in-addr.arpa
+      - 25.18.198.in-addr.arpa
+      - 26.18.198.in-addr.arpa
+      - 27.18.198.in-addr.arpa
+      - 28.18.198.in-addr.arpa
+      - 29.18.198.in-addr.arpa
     match_clients:
       - acl-main.unkin.net
 

hieradata/roles/infra/dns/resolver.yaml

@@ -10,6 +10,30 @@ profiles::dns::resolver::acls:
       - 198.18.15.0/24
       - 198.18.16.0/24
       - 198.18.17.0/24
+      - 198.18.18.0/24
+      - 198.18.19.0/24
+      - 198.18.20.0/24
+      - 198.18.21.0/24
+      - 198.18.22.0/24
+      - 198.18.23.0/24
+  acl-dmz:
+    addresses:
+      - 198.18.24.0/24
+  acl-common:
+    addresses:
+      - 198.18.25.0/24
+      - 198.18.26.0/24
+      - 198.18.27.0/24
+      - 198.18.28.0/24
+      - 198.18.29.0/24
+  acl-nomad-jobs:
+    addresses:
+      - 198.18.64.0/24
+      - 198.18.65.0/24
+      - 198.18.66.0/24
+      - 198.18.67.0/24
+      - 198.18.68.0/24
+      - 198.18.69.0/24
 
 profiles::dns::resolver::zones:
   8.10.10.in-addr.arpa-forward:
@@ -54,6 +78,96 @@ profiles::dns::resolver::zones:
       - 10.10.16.32
       - 10.10.16.33
     forward: 'only'
+  main.unkin.net-forward:
+    domain: 'main.unkin.net'
+    zone_type: 'forward'
+    forwarders: "%{alias('profiles_dns_upstream_forwarder_unkin')}"
+    forward: 'only'
+  13.18.198.in-addr.arpa-forward:
+    domain: '13.18.198.in-addr.arpa'
+    zone_type: 'forward'
+    forwarders: "%{alias('profiles_dns_upstream_forwarder_unkin')}"
+    forward: 'only'
+  14.18.198.in-addr.arpa-forward:
+    domain: '14.18.198.in-addr.arpa'
+    zone_type: 'forward'
+    forwarders: "%{alias('profiles_dns_upstream_forwarder_unkin')}"
+    forward: 'only'
+  15.18.198.in-addr.arpa-forward:
+    domain: '15.18.198.in-addr.arpa'
+    zone_type: 'forward'
+    forwarders: "%{alias('profiles_dns_upstream_forwarder_unkin')}"
+    forward: 'only'
+  16.18.198.in-addr.arpa-forward:
+    domain: '16.18.198.in-addr.arpa'
+    zone_type: 'forward'
+    forwarders: "%{alias('profiles_dns_upstream_forwarder_unkin')}"
+    forward: 'only'
+  17.18.198.in-addr.arpa-forward:
+    domain: '17.18.198.in-addr.arpa'
+    zone_type: 'forward'
+    forwarders: "%{alias('profiles_dns_upstream_forwarder_unkin')}"
+    forward: 'only'
+  19.18.198.in-addr.arpa-forward:
+    domain: '19.18.198.in-addr.arpa'
+    zone_type: 'forward'
+    forwarders: "%{alias('profiles_dns_upstream_forwarder_unkin')}"
+    forward: 'only'
+  20.18.198.in-addr.arpa-forward:
+    domain: '20.18.198.in-addr.arpa'
+    zone_type: 'forward'
+    forwarders: "%{alias('profiles_dns_upstream_forwarder_unkin')}"
+    forward: 'only'
+  21.18.198.in-addr.arpa-forward:
+    domain: '21.18.198.in-addr.arpa'
+    zone_type: 'forward'
+    forwarders: "%{alias('profiles_dns_upstream_forwarder_unkin')}"
+    forward: 'only'
+  22.18.198.in-addr.arpa-forward:
+    domain: '22.18.198.in-addr.arpa'
+    zone_type: 'forward'
+    forwarders: "%{alias('profiles_dns_upstream_forwarder_unkin')}"
+    forward: 'only'
+  23.18.198.in-addr.arpa-forward:
+    domain: '23.18.198.in-addr.arpa'
+    zone_type: 'forward'
+    forwarders: "%{alias('profiles_dns_upstream_forwarder_unkin')}"
+    forward: 'only'
+  24.18.198.in-addr.arpa-forward:
+    domain: '24.18.198.in-addr.arpa'
+    zone_type: 'forward'
+    forwarders: "%{alias('profiles_dns_upstream_forwarder_unkin')}"
+    forward: 'only'
+  25.18.198.in-addr.arpa-forward:
+    domain: '25.18.198.in-addr.arpa'
+    zone_type: 'forward'
+    forwarders: "%{alias('profiles_dns_upstream_forwarder_unkin')}"
+    forward: 'only'
+  26.18.198.in-addr.arpa-forward:
+    domain: '26.18.198.in-addr.arpa'
+    zone_type: 'forward'
+    forwarders: "%{alias('profiles_dns_upstream_forwarder_unkin')}"
+    forward: 'only'
+  27.18.198.in-addr.arpa-forward:
+    domain: '27.18.198.in-addr.arpa'
+    zone_type: 'forward'
+    forwarders: "%{alias('profiles_dns_upstream_forwarder_unkin')}"
+    forward: 'only'
+  28.18.198.in-addr.arpa-forward:
+    domain: '28.18.198.in-addr.arpa'
+    zone_type: 'forward'
+    forwarders: "%{alias('profiles_dns_upstream_forwarder_unkin')}"
+    forward: 'only'
+  29.18.198.in-addr.arpa-forward:
+    domain: '29.18.198.in-addr.arpa'
+    zone_type: 'forward'
+    forwarders: "%{alias('profiles_dns_upstream_forwarder_unkin')}"
+    forward: 'only'
+  consul-forward:
+    domain: 'consul'
+    zone_type: 'forward'
+    forwarders: "%{alias('profiles_dns_upstream_forwarder_consul')}"
+    forward: 'only'
 
 profiles::dns::resolver::views:
   openforwarder:
@@ -69,8 +183,22 @@ profiles::dns::resolver::views:
       - 15.18.198.in-addr.arpa-forward
       - 16.18.198.in-addr.arpa-forward
       - 17.18.198.in-addr.arpa-forward
+      - 19.18.198.in-addr.arpa-forward
+      - 20.18.198.in-addr.arpa-forward
+      - 21.18.198.in-addr.arpa-forward
+      - 22.18.198.in-addr.arpa-forward
+      - 23.18.198.in-addr.arpa-forward
+      - 24.18.198.in-addr.arpa-forward
+      - 25.18.198.in-addr.arpa-forward
+      - 26.18.198.in-addr.arpa-forward
+      - 27.18.198.in-addr.arpa-forward
+      - 28.18.198.in-addr.arpa-forward
+      - 29.18.198.in-addr.arpa-forward
       - 8.10.10.in-addr.arpa-forward
       - 16.10.10.in-addr.arpa-forward
       - 20.10.10.in-addr.arpa-forward
     match_clients:
       - acl-main.unkin.net
+      - acl-nomad-jobs
+      - acl-common
+      - acl-dmz

hieradata/roles/infra/etcd/node.eyaml

@@ -0,0 +1,2 @@
+---
+profiles::etcd::node::initial_cluster_token: ENC[PKCS7,MIIBiQYJKoZIhvcNAQcDoIIBejCCAXYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAhLyXszXUU6Dkiw9bEJTH0RXGaV2751NzvLH94i7QHfNukvOslF/kaDOA+FwqG06xSKSKo24Qyj4ewYA3BzhN8XLf2E9uW2LuDrUoA6aXUP2tYPqiTw8zmmgsVV5t7Y5PeNcleV3KmfcJZJKp33yGCKtGF7ggvNvnied5slO6E1BDkcVnqO7sdyI0MqSvsvH4IvEmeiSWAcBRBnwVLIwfn10frIvUg0fH4uZR7DASfO/HstYWKAEacz4xYBv74TtVVtYHlPvnVwC20YIYDMrgBsm3XngyWIQvruQCgyIkRzHjUKCpp76HpyEqzdJdEdaywkODYNOT6ab1B5uUu9WaMjBMBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBADXLPOqFHdnVgJW5+iXJYcgCDK1Eyr+RwvMA+3VszYALU5B6OCH5maplwC5aUgiQZ7ew==]

hieradata/roles/infra/etcd/node.yaml

@@ -0,0 +1,62 @@
+---
+hiera_include:
+  - profiles::etcd::node
+
+profiles::etcd::node::members_lookup: true
+profiles::etcd::node::members_role: roles::infra::etcd::node
+
+profiles::etcd::node::config:
+  data-dir: /data/etcd
+  client-cert-auth: false
+  client-transport-security:
+    cert-file: /etc/pki/tls/vault/certificate.crt
+    key-file: /etc/pki/tls/vault/private.key
+    client-cert-auth: false
+    auto-tls: false
+  peer-transport-security:
+    cert-file: /etc/pki/tls/vault/certificate.crt
+    key-file: /etc/pki/tls/vault/private.key
+    client-cert-auth: false
+    auto-tls: false
+  allowed-cn:
+  max-wals: 5
+  max-snapshots: 5
+  snapshot-count: 10000
+  heartbeat-interval: 100
+  election-timeout: 1000
+  cipher-suites: [
+    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+  ]
+  tls-min-version: 'TLS1.2'
+  tls-max-version: 'TLS1.3'
+
+profiles::pki::vault::alt_names:
+  - etcd.service.consul
+  - etcd.query.consul
+  - "etcd.service.%{facts.country}-%{facts.region}.consul"
+
+profiles::ssh::sign::principals:
+  - etcd.query.consul
+  - etcd.service.consul
+  - etcd.service.%{facts.country}-%{facts.region}.consul
+
+consul::services:
+  etcd:
+    service_name: 'etcd'
+    tags:
+      - 'etcd'
+    address: "%{facts.networking.ip}"
+    port: 2379
+    checks:
+      - id: 'etcd_http_health_check'
+        name: 'ETCD HTTP Health Check'
+        http: "https://%{facts.networking.ip}:2379/health"
+        method: 'GET'
+        interval: '10s'
+        timeout: '1s'
+        tls_skip_verify: true
+profiles::consul::client::node_rules:
+  - resource: service
+    segment: etcd
+    disposition: write

hieradata/roles/infra/git/runner.yaml

@@ -45,3 +45,10 @@ profiles::gitea::runner::config:
     force_rebuild: false
   host:
     workdir_parent: "%{hiera('profiles::gitea::runner::home')}/.cache/act"
+
+# enable ip forwarding for docker containers
+sysctl::base::values:
+  net.ipv4.conf.all.forwarding:
+    value: '1'
+  net.ipv6.conf.all.forwarding:
+    value: '1'

hieradata/roles/infra/incus/imagehost.yaml

@@ -0,0 +1,125 @@
+---
+hiera_include:
+  - incus
+  - zfs
+
+profiles::packages::include:
+  bridge-utils: {}
+  dnsmasq: {}
+
+profiles::pki::vault::alt_names:
+  - incus-images.service.consul
+  - incus-images.query.consul
+  - "incus-images.service.%{facts.country}-%{facts.region}.consul"
+
+profiles::ssh::sign::principals:
+  - incus-images.service.consul
+  - incus-images.query.consul
+  - "incus-images.service.%{facts.country}-%{facts.region}.consul"
+
+# configure consul service
+consul::services:
+  incus-images:
+    service_name: 'incus-images'
+    tags:
+      - 'incus'
+      - 'images'
+      - 'container'
+      - 'lxd'
+    address: "%{facts.networking.ip}"
+    port: 8443
+    checks:
+      - id: 'incus_https_check'
+        name: 'incus HTTPS Check'
+        http: "https://%{facts.networking.fqdn}:8443"
+        method: 'GET'
+        tls_skip_verify: true
+        interval: '10s'
+        timeout: '1s'
+profiles::consul::client::node_rules:
+  - resource: service
+    segment: incus-images
+    disposition: write
+
+# additional repos
+profiles::yum::global::repos:
+  zfs-kmod:
+    name: zfs-kmod
+    descr: zfs-kmod repository
+    target: /etc/yum.repos.d/zfs-kmod.repo
+    baseurl: https://packagerepo.service.consul/zfs/rhel9/kmod-daily/%{facts.os.architecture}/os
+    gpgkey: https://packagerepo.service.consul/zfs/rhel9/kmod-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-openzfs-2022
+    mirrorlist: absent
+
+# zfs settings
+zfs::manage_repo: false
+zfs::zfs_arc_min: ~
+zfs::zfs_arc_max: 429496729 # 400MB
+zfs::zpools:
+  fastpool:
+    ensure: present
+    disk: /dev/vdb
+    ashift: 12
+zfs::datasets:
+  fastpool:
+    canmount: 'off'
+    acltype: posix
+    atime: 'off'
+    relatime: 'off'
+    compression: 'zstd'
+    xattr: 'sa'
+  fastpool/data:
+    canmount: 'on'
+    mountpoint: '/data'
+  fastpool/data/incus:
+    canmount: 'on'
+    mountpoint: '/data/incus'
+
+# manage incus
+incus::init: true
+incus::server_port: 8443
+incus::storage_images_volume: fastpool/imagestore
+
+# add sysadmin to incus-admin group
+profiles::accounts::sysadmin::extra_groups:
+  - incus-admin
+
+# sysctl recommendations
+sysctl::base::values:
+  fs.aio-max-nr:
+    value: '524288'
+  fs.inotify.max_queued_events:
+    value: '1048576'
+  fs.inotify.max_user_instances:
+    value: '1048576'
+  fs.inotify.max_user_watches:
+    value: '1048576'
+  kernel.dmesg_restrict:
+    value: '1'
+  kernel.keys.maxbytes:
+    value: '2000000'
+  kernel.keys.maxkeys:
+    value: '2000'
+  net.core.bpf_jit_limit:
+    value: '1000000000'
+  net.ipv4.neigh.default.gc_thresh3:
+    value: '8192'
+  net.ipv6.neigh.default.gc_thresh3:
+    value: '8192'
+  vm.max_map_count:
+    value: '262144'
+  net.ipv4.conf.all.forwarding:
+    value: '1'
+  net.ipv6.conf.all.forwarding:
+    value: '1'
+
+# limits.d recommendations
+limits::entries:
+  '*/nofile':
+    both: 1048576
+  'root/nofile':
+    both: 1048576
+  '*/memlock':
+    both: unlimited
+  'root/memlock':
+    both: unlimited

hieradata/roles/infra/incus/node.eyaml

@@ -0,0 +1,2 @@
+ceph::key::media: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAX4pXMYx0Kms74s+CCT9EnuVSq3fvlcxpkezFt/VYR0cfo8K8Sm0CE0MFEQ/sdZJ+bnycjWhnkRrT0Wj2gCcqG5+KSJPVb6OOF/zkCMEjLu7xSatKakdOmnTxJEx47Lo84dGVk+YqiTT1E5XVoKlFUvZw7iIW6BgTSORo75fC2VE8MsV0GVMIusgjqMuWgyhVUGKkPGUsGAPs5Ky7uys9tlyH5s4FiZqUKvPdeKlX0HMH5XrHuKBSJg+Nju7GLNLB+/XjBsTZrY2OMC0fzczb1EQ5KL2Pl502sE8vr1VNbXqDg7vZGzWnI60Yv2t2GUxLpUjM741NP9jZ0ovGQT8I2DBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBDUnyCYnAG1HFiBAef1KYKsgDCtxa4fw0zb7DFzVxjpM1n5fAabbaAxIXaOxLC8u3XM3+5CYsG1dWTIDZOo+qkS9sY=]
+ceph::key::apps: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEANWnFzl98B+YVXXfj5zYF5XAFbZ8iGu2VZeF53QiYxuTmRCT2/3GI4h1WB/NYcGYgmxynEsdiJus7uRO8dplsJsm+lRNffTwjnC0oDxWI82C/QuccR+YxuywqnbHLFXxZecU6/joHewt8nIu9unmF92552pqOx30ashb30L0ptR3BYBy5e9eGjjWnMrKPM4wU5NJrpW8fb9OibMWWZ1JON9tq8QITm2USCHkVOAPCfo94Dlo+2mdQWtn0GhFnRaiTNNnKT1zqSdagOUOkkY6v3yDQdmOKtR77R8bJLo/WDxUodKOt6Oi8Iuvkkvjjk6t/u05eQTPNoVQo6blV13qoDzBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBDWHi5X6rS0BOznTJZH1IfBgDBFQ7cIEZWzVqrEkKAb7FXdK9U+/Z2Coda3GTZ0FPJ2SzVoAV9CXNuw4808RMsS6RU=]

hieradata/roles/infra/incus/node.yaml

@@ -0,0 +1,272 @@
+---
+hiera_include:
+  - profiles::selinux::frr
+  - frrouting
+  - incus
+  - zfs
+  - profiles::ceph::node
+  - profiles::ceph::client
+  - profiles::storage::cephfsvols
+
+# FIXME: puppet-python wants to try manage python-dev, which is required by the ceph package
+python::manage_dev_package: false
+
+profiles::packages::include:
+  bridge-utils: {}
+  cephadm: {}
+  ceph-common: {}
+
+profiles::pki::vault::alt_names:
+  - incus.service.consul
+  - incus.query.consul
+  - "incus.service.%{facts.country}-%{facts.region}.consul"
+
+profiles::pki::vault::ip_sans:
+  - "%{hiera('networking_loopback0_ip')}"
+  - "%{hiera('networking_loopback1_ip')}"
+  - "%{hiera('networking_loopback2_ip')}"
+
+profiles::ssh::sign::principals:
+  - incus.service.consul
+  - incus.query.consul
+  - "incus.service.%{facts.country}-%{facts.region}.consul"
+  - "%{hiera('networking_loopback0_ip')}"
+  - "%{facts.networking.interfaces.enp2s0.ip}"
+  - "%{facts.networking.interfaces.enp3s0.ip}"
+
+# configure consul service
+consul::services:
+  incus:
+    service_name: 'incus'
+    tags:
+      - 'incus'
+      - 'container'
+      - 'lxd'
+    address: "%{hiera('networking_loopback0_ip')}"
+    port: 8443
+    checks:
+      - id: 'incus_https_check'
+        name: 'incus HTTPS Check'
+        http: "https://%{hiera('networking_loopback0_ip')}:8443"
+        method: 'GET'
+        tls_skip_verify: true
+        interval: '10s'
+        timeout: '1s'
+profiles::consul::client::node_rules:
+  - resource: service
+    segment: incus
+    disposition: write
+
+# additional repos
+profiles::yum::global::repos:
+  ceph:
+    name: ceph
+    descr: ceph repository
+    target: /etc/yum.repos.d/ceph.repo
+    baseurl: https://edgecache.query.consul/ceph/yum/el%{facts.os.release.major}/%{facts.os.architecture}
+    gpgkey: https://download.ceph.com/keys/release.asc
+    mirrorlist: absent
+  ceph-noarch:
+    name: ceph-noarch
+    descr: ceph-noarch repository
+    target: /etc/yum.repos.d/ceph-noarch.repo
+    baseurl: https://edgecache.query.consul/ceph/yum/el%{facts.os.release.major}/noarch
+    gpgkey: https://download.ceph.com/keys/release.asc
+    mirrorlist: absent
+  frr-extras:
+    name: frr-extras
+    descr: frr-extras repository
+    target: /etc/yum.repos.d/frr-extras.repo
+    baseurl: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os
+    gpgkey: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
+    mirrorlist: absent
+  frr-stable:
+    name: frr-stable
+    descr: frr-stable repository
+    target: /etc/yum.repos.d/frr-stable.repo
+    baseurl: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os
+    gpgkey: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
+    mirrorlist: absent
+  zfs-kmod:
+    name: zfs-kmod
+    descr: zfs-kmod repository
+    target: /etc/yum.repos.d/zfs-kmod.repo
+    baseurl: https://packagerepo.service.consul/zfs/rhel9/kmod-daily/%{facts.os.architecture}/os
+    gpgkey: https://packagerepo.service.consul/zfs/rhel9/kmod-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-openzfs-2022
+    mirrorlist: absent
+
+# dns
+profiles::dns::base::primary_interface: loopback0
+
+# networking
+systemd::manage_networkd: true
+systemd::manage_all_network_files: true
+networking::interfaces:
+  enp2s0:
+    type: physical
+    txqueuelen: 10000
+    forwarding: true
+  enp3s0:
+    type: physical
+    mtu: 1500
+    txqueuelen: 10000
+    forwarding: true
+  loopback0:
+    type: dummy
+    ipaddress: "%{hiera('networking_loopback0_ip')}"
+    netmask: 255.255.255.255
+    mtu: 1500
+  loopback1:
+    type: dummy
+    ipaddress: "%{hiera('networking_loopback1_ip')}"
+    netmask: 255.255.255.255
+    mtu: 1500
+  loopback2:
+    type: dummy
+    ipaddress: "%{hiera('networking_loopback2_ip')}"
+    netmask: 255.255.255.255
+    mtu: 1500
+
+# frrouting
+frrouting::ospfd_router_id: "%{hiera('networking_loopback0_ip')}"
+frrouting::ospfd_redistribute:
+  - connected
+frrouting::ospfd_interfaces:
+  enp2s0:
+    area: 0.0.0.0
+  enp3s0:
+    area: 0.0.0.0
+  loopback0:
+    area: 0.0.0.0
+  loopback1:
+    area: 0.0.0.0
+  loopback2:
+    area: 0.0.0.0
+  brcom1:
+    area: 0.0.0.0
+  brdmz1:
+    area: 0.0.0.0
+  brwan1:
+    area: 0.0.0.0
+frrouting::daemons:
+  ospfd: true
+
+# add loopback interfaces to ssh list
+ssh::server::options:
+  ListenAddress:
+    - "%{hiera('networking_loopback0_ip')}"
+    - "%{facts.networking.interfaces.enp2s0.ip}"
+    - "%{facts.networking.interfaces.enp3s0.ip}"
+
+# zfs settings
+zfs::manage_repo: false
+zfs::zfs_arc_min: ~
+zfs::zfs_arc_max: 4294967296 # 4GB
+zfs::zpools:
+  fastpool:
+    ensure: present
+    disk: /dev/nvme1n1
+    ashift: 12
+zfs::datasets:
+  fastpool:
+    canmount: 'off'
+    acltype: posix
+    atime: 'off'
+    relatime: 'off'
+    compression: 'zstd'
+    xattr: 'sa'
+  fastpool/data:
+    canmount: 'on'
+    mountpoint: '/data'
+  fastpool/data/incus:
+    canmount: 'on'
+    mountpoint: '/data/incus'
+
+# manage incus
+incus::init: true
+incus::bridge: br10
+incus::server_port: 8443
+incus::server_addr: "%{hiera('networking_loopback0_ip')}"
+
+# add sysadmin to incus-admin group
+profiles::accounts::sysadmin::extra_groups:
+  - incus-admin
+
+# manage cephfs mounts
+profiles::ceph::client::manage_ceph_conf: false
+profiles::ceph::client::manage_ceph_package: false
+profiles::ceph::client::manage_ceph_paths: false
+profiles::ceph::client::fsid: 'de96a98f-3d23-465a-a899-86d3d67edab8'
+profiles::ceph::client::mons:
+  - 198.18.23.9
+  - 198.18.23.10
+  - 198.18.23.11
+  - 198.18.23.12
+  - 198.18.23.13
+profiles::ceph::client::keyrings:
+  media:
+    key: "%{hiera('ceph::key::media')}"
+  apps:
+    key: "%{hiera('ceph::key::apps')}"
+
+profiles::storage::cephfsvols::volumes:
+  cephfsvol_media:
+    mount: "/shared/media"
+    keyring: "/etc/ceph/ceph.client.media.keyring"
+    cephfs_name: "media"
+    cephfs_fs: "mediafs"
+    cephfs_mon: "%{alias('profiles::ceph::client::mons')}"
+    require: "Profiles::Ceph::Keyring[media]"
+  cephfsvol_apps:
+    mount: "/shared/apps"
+    keyring: "/etc/ceph/ceph.client.apps.keyring"
+    cephfs_name: "apps"
+    cephfs_fs: "appfs"
+    cephfs_mon: "%{alias('profiles::ceph::client::mons')}"
+    require: "Profiles::Ceph::Keyring[apps]"
+
+# sysctl recommendations
+sysctl::base::values:
+  fs.aio-max-nr:
+    value: '524288'
+  fs.inotify.max_queued_events:
+    value: '1048576'
+  fs.inotify.max_user_instances:
+    value: '1048576'
+  fs.inotify.max_user_watches:
+    value: '1048576'
+  kernel.dmesg_restrict:
+    value: '1'
+  kernel.keys.maxbytes:
+    value: '2000000'
+  kernel.keys.maxkeys:
+    value: '2000'
+  net.core.bpf_jit_limit:
+    value: '1000000000'
+  net.ipv4.neigh.default.gc_thresh3:
+    value: '8192'
+  net.ipv6.neigh.default.gc_thresh3:
+    value: '8192'
+  vm.max_map_count:
+    value: '262144'
+  net.ipv4.conf.all.forwarding:
+    value: '1'
+  net.ipv6.conf.all.forwarding:
+    value: '1'
+  net.ipv4.tcp_l3mdev_accept:
+    value: '0'
+  net.ipv4.conf.default.rp_filter:
+    value: '0'
+  net.ipv4.conf.all.rp_filter:
+    value: '0'
+
+# limits.d recommendations
+limits::entries:
+  '*/nofile':
+    both: 1048576
+  'root/nofile':
+    both: 1048576
+  '*/memlock':
+    both: unlimited
+  'root/memlock':
+    both: unlimited

hieradata/roles/infra/nomad/agent.yaml

@@ -64,3 +64,9 @@ profiles::consul::client::node_rules:
   - resource: service_prefix
     segment: ''
     disposition: write
+  - resource: key_prefix
+    segment: "nomad"
+    disposition: write
+  - resource: session_prefix
+    segment: ""
+    disposition: write

hieradata/roles/infra/nomad/agentv2.yaml

@@ -0,0 +1,55 @@
+---
+hiera_include:
+  - docker
+  - docker::networks
+  - profiles::nomad::node
+
+docker::version: latest
+docker::curl_ensure: false
+docker::root_dir: /data/docker
+docker::ip_forward: true
+#docker::ip_masq: false
+#docker::iptables: false
+
+systemd::manage_networkd: true
+systemd::manage_all_network_files: true
+networking::interfaces:
+  eth0:
+    type: physical
+    forwarding: true
+    dhcp: true
+
+profiles::packages::include:
+  nomad: {}
+  cni-plugins: {}
+
+profiles::nomad::node::client: true
+
+# additional altnames
+profiles::pki::vault::alt_names:
+  - client.global.nomad
+  - client.au-syd1.nomad
+  - nomad-client.service.consul
+  - nomad-client.query.consul
+  - "nomad-client.service.%{facts.country}-%{facts.region}.consul"
+
+# configure consul service
+profiles::consul::client::node_rules:
+  - resource: service
+    segment: nomad-client
+    disposition: write
+  - resource: agent_prefix
+    segment: ''
+    disposition: read
+  - resource: node_prefix
+    segment: ''
+    disposition: write
+  - resource: service_prefix
+    segment: ''
+    disposition: write
+  - resource: key_prefix
+    segment: "nomad"
+    disposition: write
+  - resource: session_prefix
+    segment: ""
+    disposition: write

hieradata/roles/infra/puppet/master.yaml

@@ -5,6 +5,13 @@ profiles::puppet::autosign::subnet_ranges:
   - '198.18.15.0/24'
   - '198.18.16.0/24'
   - '198.18.17.0/24'
+  - '198.18.20.0/24'
+  - '198.18.24.0/24'
+  - '198.18.25.0/24'
+  - '198.18.26.0/24'
+  - '198.18.27.0/24'
+  - '198.18.28.0/24'
+  - '198.18.29.0/24'
 
 profiles::puppet::autosign::domains:
   - '*.main.unkin.net'
@@ -30,7 +37,7 @@ profiles::puppet::gems::puppet:
   - 'hiera-eyaml'
 
 profiles::helpers::certmanager::vault_config:
-  addr: 'https://vault.query.consul:8200'
+  addr: 'https://vault.service.consul:8200'
   mount_point: 'pki_int'
   approle_path: 'approle'
   role_name: 'servers_default'

hieradata/roles/infra/puppetboard/server.eyaml

@@ -0,0 +1 @@
+profiles::puppet::puppetboard::secret_key: ENC[PKCS7,MIIB+wYJKoZIhvcNAQcDoIIB7DCCAegCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAoCr9JTtrnMaVjJlEpA0NYNt/QAgTGiEmS3kPn2oJ80Ay7fUl79pop95uLQIfw6C3e8WGUhxYt31wmzent4Bfbced7uF/tjhP2cniKPmZGuf/tmVrGIHIh4T4g0Wz2K0DIU/dGWUlgE03ICRxXlAy0atjUuAp02ehj7bzLuMf+vZbghm8vnOoDCTKjeZNAJEkDvBkIzwUu9JiM9Gn6BzoLLGdEERqs/LR832vjjNmF7KUEH/Ntt47wbLdfCzawsZsBNLggEb1HNGu0aSb0qBXYBPRq6w1L/RU8gX2dCqGRbhDZymihebaOcwU1AtbLEBdHTYQpga+c4bcTz9rJplLtjCBvQYJKoZIhvcNAQcBMB0GCWCGSAFlAwQBKgQQAdSjLEaZPK47TY7LDCB7b4CBkOTvHbi4nb+pB/Kng+Z3N9ocZPZdGbV6WzMNGxsxmhWXoi+XKEzEvfB10UhQwDcvZXd2W9hhiRkakq7+S0uLWzCX1jNMH2LXZAzoiyGM4FFvGpx7Z64OhmVrOJuKnxD+3zK6PZqvMb3g7CjZeAr5vyhcT/zO75krhJuYp11ZFpLCRcuASf0ru+Jq5OKD4+ZI/g==]

hieradata/roles/infra/puppetdb/api.eyaml

@@ -0,0 +1,2 @@
+profiles::puppet::puppetdb_api::public_cert: ENC[PKCS7,MIIJrQYJKoZIhvcNAQcDoIIJnjCCCZoCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEATUl7Aa6W6Q0gWWPet6fufBUtFUO7wCkED8w3NojkDYNR0Cine5+yWupy1FZ0d75mtdjI16DgZ9d2BhNlnbvPrZHuFSfBFj0s6lc0cYs1dpEUwPwPssmfNNfLe+73Fn0e43fguXisBYiE0Xn4x9UqGEIXXnwBqucIo4lkR0QAvhrmgEsNJKrxKV2isBZOnV40hrilnK3fLszGlfEfEuK1ZLrdtQV54Cl/Fpga8OOEk3Ji+WO/qC3WSQ+RWmc+si5L7w6raFLcHb3ZN96BHNVN2h2rBe85RRTg08LT+9Eyge3Fc0/+eoRmzTvnHMc4RptRfvopv5RGGyOma0mExmD6CzCCCG4GCSqGSIb3DQEHATAdBglghkgBZQMEASoEEB2t8I7YdvzPGIuGG1fUIViAgghAKhUoHO1UphPXu/KwYgo3xPSmWWF76B/ZKPd3SdzobYBsfK7CEhRiONU29W/wEzDdn7An2E16bIuecxT114z0i6OqQc3W92jBETWlpV1IRWs4DTb2QWjA4l74KdwRtltpeAKeFjSjuW2+L5UUOgGsaW4lxR0wP/uIqUT76/wQCoCAIw/i+YcIvIJDpeVPKSyaA6GFJbiT8CuG1SzD/1tb+XOxEf3WpeUwVNrPIO1ADjdi3cha6bJDa6Dvrtz8ornYwsfZ9cIlhDb6kmz938+EWpH5swCppfHcMncSd+R1zST6DzhN54+kvWGjvrN79m5+f0al/t3a85iZ6boLXSE8VkPLWZnlAt0ISdCtt0m7luxWWUN3AvmBmLZ5hhjnHUQC4RNCmu3BrjB7bN/nvInZQNcBlArhthiy/DpbdjLpF5kkUq+J+S7I898rG/B8lWrWjYsQvOUM/yiVbpCtsLJS9Pv1UjlkHcere6YgOq4gZKaESF19npV6SLU2MfC+Raefj1biE+haOOjpDdR+xQLAHmZqgOBUFMkYh1RH77zg2QPtz5aDLGypO/yVuJDcuSGV6qpoxc0uu7EmihfOg2cHF6FtSlStwFQYw3mG3oyuByv527lVRUjNHOx85bXeFccb96lyTzStAopLADo9nuOHjDxs6qzXj4h0y5w0ODh3Wyy/h4EXYaTrXuSB/FJJb1rvToC+XJ7ABxzt0rB8ySNtt+DFRssZQ5ZXWF6T88YKLcigKYGNTGmf92Iwpq6+hw0NEF1OWy7aHDzog6xORilgy6zcPTWkz2TUxzOuwN6Y0UeLlj+C4r+hl17/9aYhls6UJ+5xF+ZNcJmqEXqZ5HHykcYRwaWI0FF4tkbsto8Is2/aZVfeQc/2JZ+9IbLXlh1Km6hJxWJmw/S9RwTXVK7kGO/IlIoQiYTFYoeSU4RDPVUXZTBmGxuBmz37JPVMLXkL6tGUPwTz6pa+AMppT/qMLC8y2LhLm+eRsfz4w2ySc/kBR0FKsD0Z1h9h4zM+VtNnxaSYmxkFG77pX+bi/ToQqaydWblf0NPdw2t+uoULzkxxhX3wjZi8V9gGOhZ7s7YUKJFljZZYcl0MnDab+xGjD8DGiq/vHqTLXm8DYpVOxsryGIJ3zXf5KPvo8y6/wQAkKq6Vb4lraqkg9m5wGLxQDemE4h2OWgjcnWOXx/N9bcVO0xMyqrFo337wPoZ+hYQhwxzrfiQZ87nLe28OstaWS8OK6KoAx95LvMypaFURf+EoZkYO8wFiLmFBNAMMOkf/TJjmXoeDw46Qv1sZi57239pgzxz6RXEjd5TBURli7tSaniqKNarRY7ZoYymzYBv9Kyj6zQGgXxozhQsMsju9fTo2l+bXQ2siBljHnNkI+I3aO5Q6FLpM57h5xhA86ayJzfaKSbniMARGY2inG3qUfKafgQUvrYBxaIxSBAg7LfE2GRJx8gEioATFZpclrm+0fP3xaXW3I/wiyl/EPKIP2aPP8lqJam/KWXZ46nYdgrKIrg51tXp/YUcgR6geZYHIBWkAgofJeThKPz9ervLzu3dYS0FgMiRcyCOXfI4nttW/QCNl5a19UXXYpSgj0MOAKuSZYkHYgaSt7DNt3sZtWLtCZ1M/QFLSiqsfUAULVwUJpOCS4Ul0Bn9gu038xCBCkaQ8VnSHtvl6NsCUHDhk/JGq5pmZjrE5zTEnlMBUBoQ1sun/HwLAnoX24KV+3pzwul0eCLm2pBndWvgnHsEY7COiookx7mwvg93xuejN7zQk/NAJp4L3haT5ueVTcUcEsTPmsIDMn2xg2HSGLum6yG02XPMBYJlG/GHtu2kuvOV2UFqxkzje4FB3cNishelQ1VRDOBJodt8xmfKkgPciFChEOVe5OY7AbBvKIBab+kjbG78guGReqkmePFkEtsnL7KouiERojAVsGXtvqOT2dQvO7xLrozLk+kY/Xk6HkGedmc2PUEc/CSKPy73k2a154ByzwfOaAaTM1XCvo4Ff7hTA7VHUu3rWpHmd2LZbKN1nlGbrrX0Wk0jt72OsRWRzgKp+81jEkNh/hbD9xCjmIbzdloOmcJJbcyikmThVpFaUMaHowZmrBtQxE7pR2ARbhVvNXH3fZQnIpxMcHEPoKh12pOTlp+GIO8H1EsGZ6tOjXniBiy/szoa8Oi/eJp/Co8uRoDSyBc5t6ZD6ciLHOVG4c0nCdMHaouA/EXNe/EOzLg4fYk7cLBNGoaBUo8LbXv0Z2tkhtE1ctl8NBvZS3X80VchtmQg7lVlqZUEkcXEtoadrjRpiWL9EW68mzjTsejePMNBb6CCL4zGqQwCfA1zUVtlNJslguClQ2u0IlqPjBYsj3Xy+leg24YrHKB1zEu1/aGuVxCBlJMozQj//5OCTp+1iO0EExnGBYjZuk8UTYrUj9FZeu5GiRlBvky1HBE/fq4LPD7l/Gr0npAwKJofIglA2DZe9Sr4VmA8oi4vsmbpmtyPLVa/pfVXrl/w2dLH/Y2TI8MbPFMvjtAgdlK6endrxpb9EC2YeWrFibDXL9EsOAXo5droa6WyIDoVr7GBZ0Faa19uW2IZf0fw02tz0L1Bg/4RopeIZpbH0CKCwpqg5GNb7gKvKkXt9ugI84ZGnF5CgrqXH+lXXtMgHsEkUQ6vAJeKioLSMVla6Pu/BdztDKBVuKTEzV/lH/nbR2qhjlIEm+AntndtRNU3J6Aakje0keGjDV66paCnh/v7fha3SOPkgCV8OxrqMDAUl9/RxB907OF/Ethg4F/gsWfwDJLcAoS206rV6r+VZyurb3xx6HSLFzh+MMBgNlJhf]
+profiles::puppet::puppetdb_api::private_cert: ENC[PKCS7,MIIOHQYJKoZIhvcNAQcDoIIODjCCDgoCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAR7TO46Sg7DTeJmy+YMKpcKgcbbyDed4zHib7Jii2ltlFBMzFAJ49u986i13pSE0qaPIgydc94ILKc0oTwTWvstbiBJB2NYikswKHIJwKKSTzzbfCz1/eyfVKwKyp3DakdImdPClmjZIp/eQyWsLkZjxmJ5T9MVHSo3l8sNVY3WyGbKwEi0TwZabE9Op8cvFTifcBL5zDwKMrhwghAPEoVz8DALoMOko8Lp2K7yCo+LvyvY/Ib9CtIfbgpXQTo2NDbww29/KWHqw6PjzRdyuswUDdnCuLOaThUQkDopTZyhhJ9Y5z5/7Doo/zGYQLBkyThjtKkKwsPlq1eGkjFzY/ITCCDN4GCSqGSIb3DQEHATAdBglghkgBZQMEASoEEAvibroua3O2ot73run7uWKAggywIm7gZ/o/vc47kaCICTS2LtsHDmTe9HHqujdAdQLlBGvEhasKGDMr8s54aIbNUbLhD82Vuvwjl2GShqSg/IATfwzDPoqm982KrVZd/9kO61o3vBdtqZO1+InbY7iDbTqf45A7Ar3545aF+/y30WDamFyECwCePrQu1Y9bw6VhLTEVYO+A8zr8y0CYRKAtWNYcPpTP/3VO8/RKtMV+nWrUzS00zAp56lA7xeOzdeKdHzCkpKeaHrpSEN6YGrZmAhTdKBxHYiez9h3eZprEtqoAz0I5DL9Y54t74+pZxicFjQKYPxUGccqg0dIkFZUgE1dxuOkASspydJ890xC/SYJZxREeuF9SPCUkT4Szc814/JHzfqrHt5ZfdzQcBX0xjtEfwoud+Hc4MVerT4cmhyaJLP1/jEe8l3B3Cj4uVilbfAyxOAmAHZl4lcKawdzqUm1os6bsBzCwQU0usKYlW1vczvjvxHvq5z/+IQvCvvlPlUrVIlB7XaiIihkW4LbgZBKNaCWW8rihewX5FUTtvjveHzkGqXnzBBF8WfQmNvVtjKFGdkz3teOHShZOZO7fYo4rHGAV+KVz3kzSCZ8pgqAUsYYW5z/aViNnFuNdDz8xiq05DfUtD3GwbydH2mr5IN8bAFwufAidKEfuQeAusCuS5k6PRJyXK81ErqYMW/H+mSLVw9jCNOqqGGfiYdfcx8oNw+U1Vz/fDmQIQ+eT/JKDSOCbBYjrydC9WBzvgRngDoLQ/UXGCnIENqLJekvVJ0x9KTUhrzQyZVky+INyzp3i5UDyu2uLH55vJEI7qSmcM0Y8Eyj3Buc+0k739OQCC56IiQm/Aw6Uh+6Vi+/MfevcI5K0etMgTZ+dIhRAJAT5Jd4vRu4ge8M1HqEOQQj5lQfO+WtHcgwFyg1dGeQF6I6iy0JfMqXZVDsEkyCsDN6ZDaLcgMQN0FYWSsqy7tCzU9ZbvQ/pAHT/Ed1mNDWs+w0YzgcVv8+XCBGVzunpqcjbi08aKDYIKOIL5EBVOfDwGIeYjBuJhINQa49tNryXEkjZs+OxXDM4YvvksvwfNq4P4OLNJHoQ4DCEyqVbdqGGksRjNtU28Lu8y2M5eX6ehG8ismBMSgUy0SIbR5vTDVNjguo4HD7slVNYqERfMjlwHbnOLajoPl8nWIrhW3glWKBvJ1bQKWU81TRawlCAQ3k5DFnebFgoBagtqo0+Zoygt29Bz38wwqfF90jvfzVEM0sy4X+7FxZFYX2WTWKyZV3+16a7hWBjMbJeulU1chzs1V0/lPMXVEa+c3xcO8W2DyrX4wR27fUEfjPmug49tMhMSFOZXEOwzUMsXjz3K4XhEcC0mtYHDMT0EYtRX8pHe62RkMILuJGRHvw3Wwg2GzZRMpZfPQy8jLhkOhUSGc7z4XEWC/PdLmfGjBTZsZ6G2FfKlGLbSxOlgQlew2sZ+oNTHRrN+aMrkgyG11TheXDbE0y+Sxls+13DEYbMaflq5wjE2FlvD3b5X7/Pu4BizQI7Ski7jjb5qcqik8xoin2qGfhnY6H6PNSPz67J1RTxVZjHgUtZQKG56e+aKIv5FFyjFTgEPRqj3Yyrzh7+E6gt+LETh3vuJDUxKPLZskLD03xP6E/yiLbIu5DIYzK9+uuS/JGF3OibE93hgwp9uzDFirDzRbcuDVDxZyToSfH8P7m58lhp/FiKO3rpUqRqaC/GXz5xbekQ+yGuMKk6qEmiPj7B3pHm2Ic2tJIGTpTNCDNfsqefplUJXbKskiKRxOP04yCIn3XuHu8jUDhWZW848RWHgXfySdqEAFKrvsyamJKXz/1IGIdDzOgnAcd/wiudhZ41gDaCyA1DQYxU9T04106eD9aTZwj+mS9uZmfwHfROiBinC1ZAHsXfjLtwVZj3gpdUsieIqAiuAuMKle9yOMn3np4NEu5vjj/SOZeVWCvBfcPg8VB+uj6s7FtXRH5jdxkaB72PykYa8aTAbNKqcw/qlowv0k/vWnWa++fFFVfbg+VZ3a6oEW2YKvcVefQg/R4nEeTusmH/tnOl7SHLlJ4WLQ+U+v0GLeCY6zJKS6WweN+6SXIbkB9BLES2VpvxlYAmjqLlQuJBpcIuxL1SwCIkKUXdWjQqp6WzfS4XSxuxizZNL8xlEjXSJzFXvo+rPZXF37gHvmLHnjJkQdhctZUjyzDUfgLdR4FcMsp/U8qugWtbbemARFtrXHT9D3M/hVp0z/0ho80LB2chI1nOfY0u8GXgHtJfwZtoeyctud6JLo4zUxZy0zQMqIqgpytVNhjMPOIK5sWpKCKscPlg8+vANhPQHze7Wc8PXwC7jbSMH4QqqnGz+fPB/KKl+wz4jICe/vu7fNJRq0pehibPifXJtBDBH+i+s/U3ZX2WECKPYsF0DXq8Askisa3b97WPO7oWk8ghzE8ZXZs5CypkLpq+oPRg/WrsRJea+EWmkzKmBXtS23AQzhItNB0KFP18elLVmb6atYNs4lzv22ptifD+5wbYmk+/mAVgInqqixLPAy2uofCXvlXhIPd4vgkwpjar/lxcZWGtX7c7EUzDND1AyirMjcZyTaMsHEzYybT3S/8n8OgxVvyemLvgHnmZxmWnUBFUhItQ2Pt6iF2Dn68huo+0PE5K5qlKzoRPbfNLrNYImn4KxmLW5+bT2STe1j8aowyY3ROY1r+4BxHIbDknCb5aj6N4WR14SeUWSSPu23oK1VDLBlQUMiHHqfJwu0NiGhsI8Vl0Mp5Slp6FK0UvZz2O7C+x0HGaWVK9mMuP40BKHjEo7T97ZoXMN0uX4GmBQ3jEwXzsPpuPbZI5JnwwEyp5YX+IyYWJyCww2fntSQ/fS509b6mvG5isUMK3lpiogucROtJTA1KrODrocpTgUGvIwDUP/tosGT57lmXjTmHbTf6WjCHIUZsrbT5ycjYNJI0sn+dfx3Tba289CEeBEaX2FefnHX+o8HMLlRI4JmiD6faswCjC2IFMjDVfkJoie45Y+8Q9LSVZ8TkZey1QucNRrMIKpNLo4cPDCdUJIOPUDbfX4I1g0Qhk7T5WYX/JUtiaUgKiR5Gc/PHmV8oL8G9P+OSgg2Lc5XaN7/PevHCiBOLwAXsKbSCwL7oGmxyw90+sHIZr+ZyClNnfuXE3UrW7NXQI6mCxvQWKtJKn1trO17I6Cd00RMfC3uPy5/LIicubunfvDjp3BlaatxIrzDg3rVnFPX0dKzt/s4iuSyK3IT0le/x9OBLIp4EhdQdvd2HOFYxOtjxzbvWRzWrqGpBsLQLg7EG5adrqg69VOQMCT2pq0sCJp6hk4yGHbuz4hoX2PIeiI3l/Z0TwDGopGWW3uWRWxH/6bq1a6idgxHYhruUmR8aFpUKSsVyodiDV1PtK1zj5mKcZdeXx0THBYTEUWyo3RI9iLUnMcDYyPRTjCKoCm6pPS7yjIT7tq+MUi3iWo2XijY8AaV/K+WrnkcqoQH2cXsrBoH0sZMksdWwYBYz97+RKkx3FSxgdXJb1xxr0X21oPW1PhJq/zHSxe3OmxwYMPeZsGPaG8UngxTdfTQ3KPn+mN9NRXvlXkqudGJa/d/QMinCf/tp9eU1WX5xktqDgqBbPD391+6gcDsFgdidFdpLKf6yGLEovTwE9GrLX7srAC2dPOxviWekqng8H0N9RjHT06NVD9kAnnR/01ZkmmPzdP7vLX9imy0j/huTpN8i9XpFS6za4jdGt46Y5SfRKg/4qpwtE6meElgiOnTkP2uBI5cF4czaK1rYr1ZlwoneFzNHnBVFctAP7CD+w98hYexQ5RrdUYgFrMB5+88Y1IrI8Gd02RCEycPCoxdEFXqBVWmu2N/fuovgihTn9qf/mUxpQPsiUHjCgmV5w+ALs02oiRf08b8mTBAjy8utziFA6efpAppv98bQUfTs8lyNn7sH6OCoa4ZKeB51wqPXZBsKZ8Ja9VDZXjpCV+MB0b9XuSgOx2Y3UD/GJ/+eW7J6MiYFTHrhB1kRert5vRdF4M2KMoyYnVRFMBRqimnNBq6xrOvz4D6dSiquhFRtxlnb6dPCyRgHImsFbR/qdDukLB6DB+vfjzZQArLbkaMVF86hX1+9xP+BdZPsnVapY9u+DSZP7ZkEP/VftTl7uJZnqAWUis+jOncUizmzSIpV6cZO7SVdiQicHiRm6VSOmpBhniRKYN13Ct8B0g+JJeyMlx6OGALMLvcXKDXxJNvyYL9FuXyRvOygButRRjvLsEku+fl9ESD27r56ZNExf7w411cGbKQ+obhSnMsBM2qGBDR97VJyLGhbFX7SKl7CGOAWZF3TbOe4PU4Ty75qb8+U5R8amQ1FFQD4r65M=]

hieradata/roles/infra/puppetdb/sql.yaml

@@ -29,11 +29,11 @@ profiles::yum::global::repos:
     name: postgresql-15
     descr: postgresql-15 repository
     target: /etc/yum.repos.d/postgresql.repo
-    baseurl: https://edgecache.query.consul/postgres/yum/15/redhat/rhel-%{facts.os.release.full}-%{facts.os.architecture}
+    baseurl: https://packagerepo.service.consul/postgresql/rhel%{facts.os.release.major}/15-daily/%{facts.os.architecture}/os
-    gpgkey: https://edgecache.query.consul/postgres/yum/keys/PGDG-RPM-GPG-KEY-RHEL
+    gpgkey: https://packagerepo.service.consul/postgresql/rhel%{facts.os.release.major}/15-daily/%{facts.os.architecture}/os/PGDG-RPM-GPG-KEY-RHEL
   postgresql-common:
     name: postgresql-common
     descr: postgresql-common repository
     target: /etc/yum.repos.d/postgresql.repo
-    baseurl: https://edgecache.query.consul/postgres/yum/common/redhat/rhel-%{facts.os.release.full}-%{facts.os.architecture}
+    baseurl: https://packagerepo.service.consul/postgresql/rhel%{facts.os.release.major}/common-daily/%{facts.os.architecture}/os
-    gpgkey: https://edgecache.query.consul/postgres/yum/keys/PGDG-RPM-GPG-KEY-RHEL
+    gpgkey: https://packagerepo.service.consul/postgresql/rhel%{facts.os.release.major}/common-daily/%{facts.os.architecture}/os/PGDG-RPM-GPG-KEY-RHEL

hieradata/roles/infra/reposync/syncer.yaml

@@ -38,6 +38,125 @@ profiles::consul::client::node_rules:
 profiles::reposync::webserver::nginx_listen_mode: both
 profiles::reposync::webserver::nginx_cert_type: vault
 profiles::reposync::repos_list:
+  almalinux_9_5_baseos:
+    repository: 'baseos'
+    description: 'AlmaLinux 9.5 BaseOS'
+    osname: 'almalinux'
+    release: '9.5'
+    mirrorlist: 'https://mirrors.almalinux.org/mirrorlist/9.5/baseos'
+    gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux-9'
+  almalinux_9_5_appstream:
+    repository: 'appstream'
+    description: 'AlmaLinux 9.5 AppStream'
+    osname: 'almalinux'
+    release: '9.5'
+    mirrorlist: 'https://mirrors.almalinux.org/mirrorlist/9.5/appstream'
+    gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux-9'
+  almalinux_9_5_crb:
+    repository: 'crb'
+    description: 'AlmaLinux 9.5 CRB'
+    osname: 'almalinux'
+    release: '9.5'
+    mirrorlist: 'https://mirrors.almalinux.org/mirrorlist/9.5/crb'
+    gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux-9'
+  almalinux_9_5_ha:
+    repository: 'ha'
+    description: 'AlmaLinux 9.5 HighAvailability'
+    osname: 'almalinux'
+    release: '9.5'
+    mirrorlist: 'https://mirrors.almalinux.org/mirrorlist/9.5/highavailability'
+    gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux-9'
+  almalinux_9_5_extras:
+    repository: 'extras'
+    description: 'AlmaLinux 9.5 extras'
+    osname: 'almalinux'
+    release: '9.5'
+    mirrorlist: 'https://mirrors.almalinux.org/mirrorlist/9.5/extras'
+    gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux-9'
+  almalinux_9_4_baseos:
+    repository: 'baseos'
+    description: 'AlmaLinux 9.4 BaseOS'
+    osname: 'almalinux'
+    release: '9.4'
+    baseurl: 'https://vault.almalinux.org/9.4/BaseOS/x86_64/os/'
+    gpgkey: 'https://vault.almalinux.org/9.4/BaseOS/x86_64/os/RPM-GPG-KEY-AlmaLinux-9'
+  almalinux_9_4_appstream:
+    repository: 'appstream'
+    description: 'AlmaLinux 9.4 AppStream'
+    osname: 'almalinux'
+    release: '9.4'
+    baseurl: 'https://vault.almalinux.org/9.4/AppStream/x86_64/os/'
+    gpgkey: 'https://vault.almalinux.org/9.4/AppStream/x86_64/os/RPM-GPG-KEY-AlmaLinux-9'
+  almalinux_9_4_crb:
+    repository: 'crb'
+    description: 'AlmaLinux 9.4 CRB'
+    osname: 'almalinux'
+    release: '9.4'
+    baseurl: 'https://vault.almalinux.org/9.4/CRB/x86_64/os/'
+    gpgkey: 'https://vault.almalinux.org/9.4/CRB/x86_64/os/RPM-GPG-KEY-AlmaLinux-9'
+  almalinux_9_4_ha:
+    repository: 'ha'
+    description: 'AlmaLinux 9.4 HighAvailability'
+    osname: 'almalinux'
+    release: '9.4'
+    baseurl: 'https://vault.almalinux.org/9.4/HighAvailability/x86_64/os/'
+    gpgkey: 'https://vault.almalinux.org/9.4/HighAvailability/x86_64/os/RPM-GPG-KEY-AlmaLinux-9'
+  almalinux_9_4_extras:
+    repository: 'extras'
+    description: 'AlmaLinux 9.4 extras'
+    osname: 'almalinux'
+    release: '9.4'
+    baseurl: 'https://vault.almalinux.org/9.4/extras/x86_64/os/'
+    gpgkey: 'https://vault.almalinux.org/9.4/extras/x86_64/os/RPM-GPG-KEY-AlmaLinux-9'
+  docker_stable_el8:
+    repository: 'stable'
+    description: 'Docker CE Stable EL8'
+    osname: 'docker'
+    release: 'el8'
+    baseurl: 'https://download.docker.com/linux/centos/8/x86_64/stable/'
+    gpgkey: 'https://download.docker.com/linux/centos/gpg'
+  docker_stable_el9:
+    repository: 'stable'
+    description: 'Docker CE Stable EL9'
+    osname: 'docker'
+    release: 'el9'
+    baseurl: 'https://download.docker.com/linux/centos/9/x86_64/stable/'
+    gpgkey: 'https://download.docker.com/linux/centos/gpg'
+  frr_stable_el8:
+    repository: 'stable'
+    description: 'FRR Stable EL8'
+    osname: 'frr'
+    release: 'el8'
+    baseurl: 'https://rpm.frrouting.org/repo/el8/frr/'
+    gpgkey: 'https://packagerepo.service.consul/frr/gpg/RPM-GPG-KEY-FRR'
+  frr_extras_el8:
+    repository: 'extras'
+    description: 'FRR Extras EL8'
+    osname: 'frr'
+    release: 'el8'
+    baseurl: 'https://rpm.frrouting.org/repo/el8/extras/'
+    gpgkey: 'https://packagerepo.service.consul/frr/gpg/RPM-GPG-KEY-FRR'
+  frr_stable_el9:
+    repository: 'stable'
+    description: 'FRR Stable EL9'
+    osname: 'frr'
+    release: 'el9'
+    baseurl: 'https://rpm.frrouting.org/repo/el9/frr/'
+    gpgkey: 'https://packagerepo.service.consul/frr/gpg/RPM-GPG-KEY-FRR'
+  frr_extras_el9:
+    repository: 'extras'
+    description: 'FRR Extras el9'
+    osname: 'frr'
+    release: 'el9'
+    baseurl: 'https://rpm.frrouting.org/repo/el9/extras/'
+    gpgkey: 'https://packagerepo.service.consul/frr/gpg/RPM-GPG-KEY-FRR'
+  k8s_1.32:
+    repository: '1.32'
+    description: 'Kubernetes 1.32'
+    osname: 'k8s'
+    release: '1.32'
+    baseurl: 'https://pkgs.k8s.io/core:/stable:/v1.32/rpm/'
+    gpgkey: 'https://pkgs.k8s.io/core:/stable:/v1.32/rpm/repodata/repomd.xml.key'
   mariadb_11_2_el8:
     repository: 'el8'
     description: 'MariaDB 11.2'
@@ -87,6 +206,20 @@ profiles::reposync::repos_list:
     release: 'rhel9'
     baseurl: 'https://download.postgresql.org/pub/repos/yum/common/redhat/rhel-9-x86_64/'
     gpgkey: 'https://download.postgresql.org/pub/repos/yum/keys/PGDG-RPM-GPG-KEY-RHEL'
+  postgresql_rhel8_15:
+    repository: '15'
+    description: 'PostgreSQL 15 RHEL 8'
+    osname: 'postgresql'
+    release: 'rhel8'
+    baseurl: 'https://download.postgresql.org/pub/repos/yum/15/redhat/rhel-8-x86_64/'
+    gpgkey: 'https://download.postgresql.org/pub/repos/yum/keys/PGDG-RPM-GPG-KEY-RHEL'
+  postgresql_rhel9_15:
+    repository: '15'
+    description: 'PostgreSQL 15 RHEL 9'
+    osname: 'postgresql'
+    release: 'rhel9'
+    baseurl: 'https://download.postgresql.org/pub/repos/yum/15/redhat/rhel-9-x86_64/'
+    gpgkey: 'https://download.postgresql.org/pub/repos/yum/keys/PGDG-RPM-GPG-KEY-RHEL'
   postgresql_rhel8_16:
     repository: '16'
     description: 'PostgreSQL 16 RHEL 8'
@@ -101,3 +234,45 @@ profiles::reposync::repos_list:
     release: 'rhel9'
     baseurl: 'https://download.postgresql.org/pub/repos/yum/16/redhat/rhel-9-x86_64/'
     gpgkey: 'https://download.postgresql.org/pub/repos/yum/keys/PGDG-RPM-GPG-KEY-RHEL'
+  postgresql_rhel8_17:
+    repository: '17'
+    description: 'PostgreSQL 17 RHEL 8'
+    osname: 'postgresql'
+    release: 'rhel8'
+    baseurl: 'https://download.postgresql.org/pub/repos/yum/17/redhat/rhel-8-x86_64/'
+    gpgkey: 'https://download.postgresql.org/pub/repos/yum/keys/PGDG-RPM-GPG-KEY-RHEL'
+  postgresql_rhel9_17:
+    repository: '17'
+    description: 'PostgreSQL 17 RHEL 9'
+    osname: 'postgresql'
+    release: 'rhel9'
+    baseurl: 'https://download.postgresql.org/pub/repos/yum/17/redhat/rhel-9-x86_64/'
+    gpgkey: 'https://download.postgresql.org/pub/repos/yum/keys/PGDG-RPM-GPG-KEY-RHEL'
+  zfs_dkms_rhel8:
+    repository: 'dkms'
+    description: 'ZFS DKMS RHEL 8'
+    osname: 'zfs'
+    release: 'rhel8'
+    baseurl: 'http://download.zfsonlinux.org/epel/8/x86_64/'
+    gpgkey: 'https://packagerepo.service.consul/zfs/gpg/RPM-GPG-KEY-openzfs-2013'
+  zfs_kmod_rhel8:
+    repository: 'kmod'
+    description: 'ZFS KMOD RHEL 8'
+    osname: 'zfs'
+    release: 'rhel8'
+    baseurl: 'http://download.zfsonlinux.org/epel/8/kmod/x86_64/'
+    gpgkey: 'https://packagerepo.service.consul/zfs/gpg/RPM-GPG-KEY-openzfs-2013'
+  zfs_dkms_rhel9:
+    repository: 'dkms'
+    description: 'ZFS DKMS RHEL 9'
+    osname: 'zfs'
+    release: 'rhel9'
+    baseurl: 'http://download.zfsonlinux.org/epel/9/x86_64/'
+    gpgkey: 'https://packagerepo.service.consul/zfs/gpg/RPM-GPG-KEY-openzfs-2022'
+  zfs_kmod_rhel9:
+    repository: 'kmod'
+    description: 'ZFS KMOD RHEL 9'
+    osname: 'zfs'
+    release: 'rhel9'
+    baseurl: 'http://download.zfsonlinux.org/epel/9/kmod/x86_64/'
+    gpgkey: 'https://packagerepo.service.consul/zfs/gpg/RPM-GPG-KEY-openzfs-2022'

hieradata/roles/infra/sql/patroni.yaml

@@ -4,14 +4,14 @@ profiles::yum::global::repos:
     name: postgresql-15
     descr: postgresql-15 repository
     target: /etc/yum.repos.d/postgresql.repo
-    baseurl: https://edgecache.query.consul/postgres/yum/15/redhat/rhel-%{facts.os.release.full}-%{facts.os.architecture}
+    baseurl: https://packagerepo.service.consul/postgresql/rhel%{facts.os.release.major}/15-daily/%{facts.os.architecture}/os
-    gpgkey: https://edgecache.query.consul/postgres/yum/keys/PGDG-RPM-GPG-KEY-RHEL
+    gpgkey: https://packagerepo.service.consul/postgresql/rhel%{facts.os.release.major}/15-daily/%{facts.os.architecture}/os/PGDG-RPM-GPG-KEY-RHEL
   postgresql-common:
     name: postgresql-common
     descr: postgresql-common repository
     target: /etc/yum.repos.d/postgresql.repo
-    baseurl: https://edgecache.query.consul/postgres/yum/common/redhat/rhel-%{facts.os.release.full}-%{facts.os.architecture}
+    baseurl: https://packagerepo.service.consul/postgresql/rhel%{facts.os.release.major}/common-daily/%{facts.os.architecture}/os
-    gpgkey: https://edgecache.query.consul/postgres/yum/keys/PGDG-RPM-GPG-KEY-RHEL
+    gpgkey: https://packagerepo.service.consul/postgresql/rhel%{facts.os.release.major}/common-daily/%{facts.os.architecture}/os/PGDG-RPM-GPG-KEY-RHEL
 
 profiles::sql::patroni::cluster_name: "patroni-%{facts.environment}"
 profiles::sql::patroni::postgres_exporter_enabled: true

hieradata/virtual/lxc.yaml

@@ -0,0 +1,10 @@
+---
+profiles::packages::include:
+  chrony:
+    ensure: absent
+
+# disable mlock for vault nodes on lxd/incus
+vault::disable_mlock: true
+
+# manage jellyfin changes
+profiles::media::jellyfin::data_dir: /shared/apps/jellyfin

modules/etcd/manifests/init.pp

@@ -0,0 +1,110 @@
+# manage etcd
+class etcd (
+  Boolean $manage_user = true,
+  Boolean $manage_group = true,
+  Boolean $manage_package = true,
+  Boolean $manage_service = true,
+  String[1] $package_name = 'etcd',
+  String[1] $user = 'etcd',
+  String[1] $group = 'etcd',
+  Stdlib::Absolutepath $config_path = '/etc/etcd',
+  Stdlib::Absolutepath $config_file = "${config_path}/etcd.yaml",
+  Hash $config = { 'data-dir' => '/var/lib/etcd' },
+  Integer $max_open_files = 40000,
+) {
+  if downcase($facts['kernel']) != 'linux' {
+    fail("Module etcd only supports Linux, not ${facts['kernel']}")
+  }
+  if $facts['service_provider'] != 'systemd' {
+    fail('Module etcd only supported on systems using systemd')
+  }
+  if ! $config['data-dir'] {
+    fail('Module etcd requires data-dir be specified in config Hash')
+  }
+
+  if $manage_package {
+    package { $package_name:
+      ensure => installed,
+    }
+  }
+
+  if $manage_user {
+    user { 'etcd':
+      ensure     => 'present',
+      name       => $user,
+      forcelocal => true,
+      shell      => '/bin/false',
+      gid        => $group,
+      home       => $config['data-dir'],
+      managehome => false,
+      system     => true,
+      before     => Systemd::Unit_file['etcd.service'],
+    }
+  }
+  if $manage_group {
+    group { 'etcd':
+      ensure     => 'present',
+      name       => $group,
+      forcelocal => true,
+      system     => true,
+      before     => Systemd::Unit_file['etcd.service'],
+    }
+  }
+
+  mkdir::p { $config_path: }
+  mkdir::p { $config['data-dir']: }
+
+  file { $config_file:
+    ensure  => 'file',
+    owner   => $user,
+    group   => $group,
+    mode    => '0600',
+    content => to_yaml($config),
+    notify  => Systemd::Unit_file['etcd.service'],
+    require => Mkdir::P[$config_path],
+  }
+
+  file { 'etcd-data-dir':
+    ensure  => 'directory',
+    path    => $config['data-dir'],
+    owner   => $user,
+    group   => $group,
+    mode    => '0700',
+    notify  => Systemd::Unit_file['etcd.service'],
+    require => Mkdir::P[$config['data-dir']],
+  }
+
+  file { 'etcd-data-dir-wal.tmp':
+    ensure  => 'directory',
+    path    => "${config['data-dir']}/wal.tmp",
+    owner   => $user,
+    group   => $group,
+    mode    => '0700',
+    notify  => Systemd::Unit_file['etcd.service'],
+    require => File['etcd-data-dir'],
+  }
+
+  if $config['wal-dir'] {
+    mkdir::p { $config['wal-dir']: }
+    file { 'etcd-wal-dir':
+      ensure  => 'directory',
+      path    => $config['wal-dir'],
+      owner   => $user,
+      group   => $group,
+      mode    => '0700',
+      notify  => Systemd::Unit_file['etcd.service'],
+      require => Mkdir::P[$config['wal-dir']],
+    }
+  }
+
+  if $manage_service {
+    include ::systemd
+
+    systemd::unit_file { 'etcd.service':
+      content => template('etcd/etcd.service.erb'),
+      enable  => true,
+      active  => true,
+      require => Package[$package_name],
+    }
+  }
+}

modules/etcd/templates/etcd.service.erb

@@ -0,0 +1,17 @@
+# DO NOT EDIT: This file is being managed by Puppet.
+[Unit]
+Description=etcd key-value store
+Documentation=https://github.com/etcd-io/etcd
+After=network.target
+
+[Service]
+User=<%= @user %>
+Group=<%= @group %>
+Type=notify
+ExecStart=/usr/bin/etcd --config-file <%= @config_file %>
+Restart=always
+RestartSec=10s
+LimitNOFILE=<%= @max_open_files %>
+
+[Install]
+WantedBy=multi-user.target

modules/frrouting/manifests/init.pp

@@ -10,12 +10,17 @@ class frrouting (
   Array[String] $ospfd_redistribute = [],
   Array[String] $ospfd_networks     = [],
   Boolean $ospfd_default_originate_always = false,
+  Boolean $mpls_te_enabled                   = false,
+  Optional[String] $mpls_ldp_router_id       = undef,
+  Optional[String] $mpls_ldp_transport_addr  = undef,
+  Array[String] $mpls_ldp_interfaces         = [],
 ) {
 
   $daemons_defaults = {
     'bgpd'    => false,
     'ospfd'   => true,
     'ospf6d'  => false,
+    'ldpd'    => false,
     'ripd'    => false,
     'ripngd'  => false,
     'isisd'   => false,
@@ -32,7 +37,7 @@ class frrouting (
     'staticd' => false,
   }
 
-  $daemons_merged = merge($daemons, $daemons_defaults)
+  $daemons_merged = merge($daemons_defaults, $daemons)
 
   if $manage_package {
     package { $package_name:
@@ -62,4 +67,23 @@ class frrouting (
       hasrestart => true,
     }
   }
+
+  if $mpls_ldp_router_id and $mpls_ldp_transport_addr and !empty($mpls_ldp_interfaces) {
+    file { '/etc/modules-load.d/mpls_ldp_modules.conf':
+      ensure  => file,
+      content => @(EOT/L),
+        # Load MPLS Kernel Modules
+        mpls_router
+        mpls_iptunnel
+        | EOT
+    }
+
+    ['mpls_router', 'mpls_iptunnel'].each |$mod| {
+      exec { "load_${mod}":
+        command => "/sbin/modprobe ${mod}",
+        unless  => "/sbin/lsmod | /bin/grep -q ^${mod}",
+        path    => ['/sbin', '/bin', '/usr/sbin', '/usr/bin'],
+      }
+    }
+  }
 }

modules/frrouting/templates/daemons.erb

@@ -12,6 +12,7 @@ zebra_options="  -A 127.0.0.1 -s 90000000"
 bgpd_options="   -A 127.0.0.1"
 ospfd_options="  -A 127.0.0.1"
 ospf6d_options=" -A ::1"
+ldpd_options="   -A 127.0.0.1"
 ripd_options="   -A 127.0.0.1"
 ripngd_options=" -A ::1"
 isisd_options="  -A 127.0.0.1"

modules/frrouting/templates/frr.conf.erb

@@ -24,4 +24,22 @@ router ospf
 <% if @ospfd_default_originate_always -%>
  default-information originate always
 <% end -%>
+<% if @mpls_te_enabled -%>
+ capability opaque
+ mpls-te on
+ mpls-te router-address <%= @ospfd_router_id %>
+ mpls-te inter-as area 0.0.0.0
+<% end -%>
 exit
+<% if @mpls_ldp_router_id and @mpls_ldp_transport_addr and @mpls_ldp_interfaces.any? -%>
+mpls ldp
+ router-id <%= @mpls_ldp_router_id %>
+ address-family ipv4
+  discovery transport-address <%= @mpls_ldp_transport_addr %>
+<% @mpls_ldp_interfaces.each do |iface| -%>
+  interface <%= iface %>
+  exit
+<% end -%>
+ exit-address-family
+exit
+<% end -%>

modules/incus/lib/facter/incus.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+require 'yaml'
+
+Facter.add(:incus) do
+  setcode do
+    # Check if the 'incus' executable exists
+    incus_path = Facter::Util::Resolution.which('incus')
+    next {} unless incus_path # Return an empty fact if incus isn't found
+
+    # Run the `incus info` command using the found path
+    incus_output = Facter::Core::Execution.execute("#{incus_path} info")
+    next {} if incus_output.empty? # Return an empty fact if there's no output
+
+    # Parse the output as YAML and return it
+    YAML.safe_load(incus_output, permitted_classes: [Symbol, Time, Date])
+  end
+end

modules/incus/manifests/cluster.pp

@@ -0,0 +1,57 @@
+# manage incus clusters
+class incus::cluster (
+  Boolean $members_lookup   = false,
+  String  $members_role     = undef,
+  String  $master           = undef,
+  Array   $servers          = [],
+  Stdlib::Fqdn $server_fqdn = $facts['networking']['fqdn'],
+  Stdlib::Port $server_port = 8443,
+){
+
+  # check that the master is named
+  unless !($master == undef) {
+    fail("master must be provided for ${title}")
+  }
+
+  # if lookup is enabled
+  if $members_lookup {
+
+    # check that the role is also set
+    unless !($members_role == undef) {
+      fail("members_role must be provided for ${title} when members_lookup is True")
+    }
+
+    # if it is, find hosts, sort them so they dont cause changes every run
+    $servers_array = sort(query_nodes("enc_role='${members_role}' and region='${facts['region']}'", 'networking.fqdn'))
+
+  # else use provided array from params
+  }else{
+    $servers_array = $servers
+  }
+
+  # if its not an empty array. Give puppetdb a chance to be populated with data.
+  if length($servers_array) >= 3 {
+
+    # check if this is the master_node
+    if $master == $trusted['certname'] {
+      $master_bool = true
+    }else{
+      $master_bool = false
+    }
+
+    # find bootstrap status for servers
+    $bootstrap_array = puppetdb_query("inventory[certname, facts] { facts.enc_role = '${members_role}' }").map |$node| {
+      {
+        'fqdn'        => $node['certname'],
+        'ip'          => $node['facts']['networking']['ip'],
+        'clustered'   => $node['facts']['incus']['environment']['server_clustered'],
+        'certificate' => $node['facts']['incus']['environment']['certificate'],
+      }
+    }
+
+    # determine if the cluster is bootstrapped
+    $cluster_bootstrapped = $bootstrap_array.any |$server| {
+      $server['fqdn'] == $master and $server['clustered'] == true
+    }
+  }
+}

modules/incus/manifests/init.pp

@@ -0,0 +1,77 @@
+class incus (
+  Array[String] $packages     = [
+    'incus',
+    'incus-tools',
+    'incus-client'
+  ],
+  Boolean       $cluster      = false,
+  Boolean       $init         = true,
+  String        $bridge       = 'incusbr0',
+  Stdlib::Port        $server_port = 8443,
+  Stdlib::IP::Address $server_addr = $facts['networking']['ip'],
+  Optional[String] $storage_images_volume = undef,
+) {
+
+  package { $packages:
+    ensure => installed,
+  }
+
+  service { 'incus':
+    ensure     => running,
+    enable     => true,
+    hasstatus  => true,
+    hasrestart => true,
+  }
+
+  file_line { 'subuid_root':
+    ensure => present,
+    path   => '/etc/subuid',
+    line   => 'root:1000000:1000000000',
+    match  => '^root:',
+    notify => Service['incus'],
+  }
+
+  file_line { 'subgid_root':
+    ensure => present,
+    path   => '/etc/subgid',
+    line   => 'root:1000000:1000000000',
+    match  => '^root:',
+    notify => Service['incus'],
+  }
+
+  if $init {
+    file {'/root/incus.preseed.yaml':
+      ensure  => file,
+      owner   => root,
+      group   => root,
+      content => template('incus/join_preseed.yaml.erb')
+    }
+
+    exec { 'initiate_incus':
+      path        => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'],
+      command     => 'cat /root/incus.preseed.yaml | incus admin init --preseed && touch /root/.incus_initialized',
+      refreshonly => true,
+      creates     => '/root/.incus_initialized',
+      subscribe   => File['/root/incus.preseed.yaml'],
+    }
+  }
+
+  if $facts['incus'] and $facts['incus']['config'] {
+    # set core.https_address
+    if $facts['incus']['config']['core.https_address'] != "${server_addr}:${server_port}" {
+      exec { 'incus_config_set_core_https_address':
+        path    => ['/bin', '/usr/bin'],
+        command => "incus config set core.https_address ${server_addr}:${server_port}",
+      }
+    }
+    # set storage.images_volume # path to store images
+    if $storage_images_volume {
+      if $facts['incus']['config']['storage.images_volume'] != $storage_images_volume {
+        exec { 'incus_config_set_storage_images_volume':
+          path    => ['/bin', '/usr/bin'],
+          command => "incus config set storage.images_volume ${storage_images_volume}",
+        }
+      }
+    }
+  }
+}

modules/incus/templates/join_preseed.yaml.erb

@@ -0,0 +1,18 @@
+config:
+  core.https_address: <%= @server_fqdn %>:<%= @server_port %>
+networks: []
+storage_pools: []
+storage_volumes: []
+profiles:
+- config: {}
+  description: ""
+  devices:
+    eth0:
+      name: eth0
+      nictype: bridged
+      parent: <%= @bridge %>
+      type: nic
+  name: default
+  project: default
+projects: []
+cluster: null

modules/jellyfin/manifests/params.pp

@@ -1,9 +1,9 @@
 # jellyfin params
 class jellyfin::params (
   Array[String]             $packages = [
-    'jellyfin',
     'jellyfin-web',
     'jellyfin-server',
+    'jellyfin-ffmpeg-bin',
     'SDL2',
     'ffmpeg',
     'ffmpeg-devel',

modules/libs/lib/facter/enc_direct_facts.rb

@@ -0,0 +1,74 @@
+# frozen_string_literal: true
+
+require 'facter'
+require 'yaml'
+require 'net/http'
+require 'uri'
+require 'fileutils'
+
+# CobblerENC module: Fetches ENC data from Cobbler, caches it, and provides structured facts.
+module CobblerENC
+  CACHE_FILE = '/var/cache/puppet_enc.yaml'
+  CACHE_TTL = 7 * 24 * 60 * 60 # 7 days in seconds
+  @enc_data = nil # In-memory cache for the ENC response
+
+  def self.read_cache
+    return {} unless File.exist?(CACHE_FILE)
+
+    cache_data = YAML.safe_load(File.read(CACHE_FILE)) || {}
+    timestamp = cache_data.fetch('timestamp', 0)
+
+    return cache_data if Time.now.to_i - timestamp < CACHE_TTL
+
+    {}
+  end
+
+  def self.write_cache(enc_data)
+    FileUtils.mkdir_p(File.dirname(CACHE_FILE))
+    cache_data = enc_data.merge({ 'timestamp' => Time.now.to_i })
+    File.write(CACHE_FILE, cache_data.to_yaml)
+  end
+
+  def self.fetch_from_cobbler
+    uri = URI("http://cobbler.main.unkin.net/cblr/svc/op/puppet/hostname/#{Facter.value(:fqdn) || Facter.value(:hostname)}")
+    response = Net::HTTP.get_response(uri)
+
+    raise "Failed to fetch ENC data. HTTP #{response.code}" unless response.is_a?(Net::HTTPSuccess)
+
+    YAML.safe_load(response.body) || {}
+  end
+
+  def self.retrieve_enc_data
+    return @enc_data if @enc_data
+
+    @enc_data = fetch_from_cobbler
+    write_cache(@enc_data)
+    @enc_data
+  end
+
+  def self.fetch_enc_data
+    retrieve_enc_data
+  rescue StandardError => e
+    Facter.warn("Error retrieving Cobbler ENC data: #{e.message}")
+    @enc_data = read_cache
+    return @enc_data unless @enc_data.empty?
+
+    raise 'No cached ENC data available and Cobbler is down.'
+  end
+
+  def self.enc_role
+    fetch_enc_data.fetch('classes', {}).keys.first || raise('ENC Role not found in Cobbler ENC response')
+  end
+
+  def self.enc_env
+    fetch_enc_data.fetch('environment', nil) || raise('ENC Environment not found in Cobbler ENC response')
+  end
+end
+
+Facter.add('enc_role') do
+  setcode { CobblerENC.enc_role }
+end
+
+Facter.add('enc_env') do
+  setcode { CobblerENC.enc_env }
+end

modules/libs/lib/facter/enc_env.rb

@@ -1,13 +0,0 @@
-# frozen_string_literal: true
-
-Facter.add('enc_env') do
-  setcode do
-    require 'yaml'
-    # Check if the YAML file exists
-    if File.exist?('/root/.cache/custom_facts.yaml')
-      data = YAML.load_file('/root/.cache/custom_facts.yaml')
-      # Use safe navigation to return 'enc_env' or nil
-      data&.dig('enc_env')
-    end
-  end
-end

modules/libs/lib/facter/enc_role.rb

@@ -1,13 +0,0 @@
-# frozen_string_literal: true
-
-Facter.add('enc_role') do
-  setcode do
-    require 'yaml'
-    # Check if the YAML file exists
-    if File.exist?('/root/.cache/custom_facts.yaml')
-      data = YAML.load_file('/root/.cache/custom_facts.yaml')
-      # Use safe navigation to return 'enc_role' or nil
-      data&.dig('enc_role')
-    end
-  end
-end

modules/libs/lib/facter/subnet_facts.rb

@@ -10,7 +10,18 @@ class SubnetAttributes
     '198.18.15.0/24' => { environment: 'prod', region: 'syd1', country: 'au' },
     '198.18.16.0/24' => { environment: 'test', region: 'syd1', country: 'au' },
     '198.18.17.0/24' => { environment: 'prod', region: 'drw1', country: 'au' },
-    '198.18.18.0/24' => { environment: 'test', region: 'drw1', country: 'au' }
+    '198.18.18.0/24' => { environment: 'test', region: 'drw1', country: 'au' },
+    '198.18.19.0/24' => { environment: 'prod', region: 'syd1', country: 'au' }, # loopbacks
+    '198.18.20.0/24' => { environment: 'prod', region: 'syd1', country: 'au' }, # MPLS CORE BLOCKS
+    '198.18.21.0/24' => { environment: 'prod', region: 'syd1', country: 'au' }, # physical network 2.5gbe
+    '198.18.22.0/24' => { environment: 'prod', region: 'syd1', country: 'au' }, # ceph cluster
+    '198.18.23.0/24' => { environment: 'prod', region: 'syd1', country: 'au' }, # ceph public
+    '198.18.24.0/24' => { environment: 'prod', region: 'syd1', country: 'au' }, # dmz 1
+    '198.18.25.0/24' => { environment: 'prod', region: 'syd1', country: 'au' }, # common node0009
+    '198.18.26.0/24' => { environment: 'prod', region: 'syd1', country: 'au' }, # common node0010
+    '198.18.27.0/24' => { environment: 'prod', region: 'syd1', country: 'au' }, # common node0011
+    '198.18.28.0/24' => { environment: 'prod', region: 'syd1', country: 'au' }, # common node0012
+    '198.18.29.0/24' => { environment: 'prod', region: 'syd1', country: 'au' }  # common node0013
   }.freeze
 
   # Default attributes if no subnet matches, also defined as a constant

modules/networking/manifests/bridge.pp

@@ -0,0 +1,22 @@
+# manage bridges and bridge slaves
+define networking::bridge (
+  String                $type,
+  Optional[Stdlib::IP::Address] $ipaddress,
+  Optional[Stdlib::IP::Address] $netmask   = undef,
+  Optional[Stdlib::IP::Address] $gateway   = undef,
+  Optional[Boolean]             $nocarrier = undef,
+  Boolean               $bridge = true,
+  Integer[100-9200]     $mtu    = 1500,
+  Optional[Boolean]     $forwarding = false,
+) {
+  include systemd
+
+  systemd::network { "${title}.netdev":
+    content => template('networking/bridge.netdev.erb'),
+  }
+
+  # Use shared template, it will detect bridge=true and skip Address/DNS/etc
+  systemd::network { "${title}.network":
+    content => template('networking/networkd-network.erb'),
+  }
+}

modules/networking/manifests/dummy.pp

@@ -0,0 +1,18 @@
+# manage dummy/loopback interfaces
+define networking::dummy (
+  String                $type,
+  Stdlib::IP::Address   $ipaddress,
+  Stdlib::IP::Address   $netmask,
+  Integer[100-9200]     $mtu = 1500,
+  Optional[Boolean]     $forwarding = false,
+) {
+  include systemd
+
+  systemd::network { "${title}.netdev":
+    content => template('networking/dummy.netdev.erb'),
+  }
+
+  systemd::network { "${title}.network":
+    content => template('networking/networkd-network.erb'),
+  }
+}

modules/networking/manifests/init.pp

@@ -4,34 +4,67 @@ class networking (
   Hash $interface_defaults = {},
   Hash $routes = {},
   Hash $route_defaults = {},
+  Boolean $use_networkd = lookup('systemd::manage_networkd', undef, undef, false),
 ){
 
   include network
   include networking::params
 
-  # manage interfaces
+  if $use_networkd {
-  $interfaces.each | $interface, $data | {
-    $merged_data = merge($interface_defaults, $data)
-    network_config { $interface:
-      *      => $merged_data,
-      notify => Exec['networking_reload_network'],
-    }
-  }
 
-  # manage routes
+    include systemd
-  $routes.each | $route, $data | {
+
-    $merged_data = merge($route_defaults, $data)
+    service { 'NetworkManager':
-    network_route { $route:
+      ensure => 'stopped',
-      *      => $merged_data,
+      enable => false,
-      notify => Exec['networking_reload_network'],
+    }
+
+    $interfaces.each |String $iface, Hash $data| {
+      $type   = $data['type']
+      #$params = $data.filter |$key, $value| { $key != 'type' }
+
+      case $type {
+        'bridge': { networking::bridge { $iface: * => $data } }
+        'dummy': { networking::dummy { $iface: * => $data } }
+        'static': { networking::static { $iface: * => $data } }
+        'physical': { networking::static { $iface: * => $data } }
+        default: {
+          fail("Unsupported interface type '${type}' for interface '${iface}'")
+        }
+      }
+    }
+  }else{
+    # manage interfaces
+    $interfaces.each | $interface, $data | {
+      $merged_data = merge($interface_defaults, $data)
+      network_config { $interface:
+        *      => $merged_data,
+        notify => Exec['networking_reload_network'],
+      }
+    }
+
+    # manage routes
+    $routes.each | $route, $data | {
+      $merged_data = merge($route_defaults, $data)
+      network_route { $route:
+        *      => $merged_data,
+        notify => Exec['networking_reload_network'],
+      }
     }
   }
 
   # determine which networking service to restart
-  $restart_command = $facts['os']['family'] ? {
+  $restart_command = $use_networkd ? {
-    'RedHat' => '/usr/bin/systemctl restart network',
+    true    => '/usr/bin/systemctl restart systemd-networkd',
-    'Debian' => '/usr/bin/systemctl restart networking',
+    default => $facts['os']['family'] ? {
-    default  => fail('Unsupported OS in networking-restart-command'),
+      'RedHat' => $facts['os']['release']['major'] ? {
+        '8' => '/usr/bin/systemctl restart network',
+        '9' => '/usr/bin/systemctl restart NetworkManager',
+        default => fail('Unsupported RedHat OS release for networking restart'),
+      },
+      'Debian' => '/usr/bin/systemctl restart networking',
+      default  => fail('Unsupported OS in networking-restart-command'),
+    }
   }
 
   # restart network/networking only if $restart_networking boolean is true

modules/networking/manifests/static.pp

@@ -0,0 +1,27 @@
+# manage static interfaces
+define networking::static (
+  String                $type,
+  Stdlib::IP::Address   $netmask  = '255.255.255.0',
+  Integer[100-9200]     $mtu      = 1500,
+  Boolean               $dhcp     = false,
+  Optional[Boolean]     $forwarding = false,
+  Optional[Stdlib::IP::Address]         $ipaddress = undef,
+  Optional[Stdlib::IP::Address]         $gateway = undef,
+  Optional[Array[Stdlib::IP::Address]]  $dns = undef,
+  Optional[Array[Stdlib::Fqdn]]         $domains = undef,
+  Optional[Integer[0-4096]]             $vlan = undef,
+  Optional[Variant[Boolean,String]]     $bridge = undef,
+  Optional[Integer[0-4294967294]]       $txqueuelen = undef,
+  Optional[Stdlib::MAC]                 $mac = undef,
+) {
+  include systemd
+
+  systemd::network { "${title}.network":
+    content => template('networking/networkd-network.erb'),
+  }
+  #if $type == 'physical' and $mac {
+  #  systemd::network { "${title}.link":
+  #    content => template('networking/networkd-link.erb'),
+  #  }
+  #}
+}

modules/networking/templates/bridge.netdev.erb

@@ -0,0 +1,3 @@
+[NetDev]
+Name=<%= @title %>
+Kind=bridge

modules/networking/templates/dummy.netdev.erb

@@ -0,0 +1,3 @@
+[NetDev]
+Name=<%= @title %>
+Kind=dummy

modules/networking/templates/networkd-link.erb

@@ -0,0 +1,8 @@
+[Match]
+MACAddress=<%= @mac %>
+
+[Link]
+MTUBytes=<%= @mtu %>
+<% if @txqueuelen and @txqueuelen >= 1 -%>
+TransmitQueueLength=<%= @txqueuelen %>
+<% end -%>

modules/networking/templates/networkd-network.erb

@@ -0,0 +1,41 @@
+[Match]
+Name=<%= @title %>
+
+[Network]
+<% if @dhcp == true -%>
+DHCP=yes
+<% else -%>
+<% if @ipaddress && @netmask -%>
+Address=<%= @ipaddress %>/<%= IPAddr.new(@netmask).to_i.to_s(2).count('1') %>
+<% end -%>
+<% if @gateway -%>
+Gateway=<%= @gateway %>
+<% end -%>
+<% if @dns -%>
+DNS=<%= Array(@dns).join(' ') %>
+<% end -%>
+<% if @domains -%>
+Domains=<%= Array(@domains).join(' ') %>
+<% end -%>
+<% end -%>
+<% if @bridge and @bridge != true -%>
+Bridge=<%= @bridge %>
+<% end -%>
+<% if @vlan -%>
+VLAN=<%= @vlan %>
+<% end -%>
+<% if @nocarrier and @nocarrier == true -%>
+ConfigureWithoutCarrier=true
+DuplicateAddressDetection=none
+RequiredForOnline=no-carrier
+<% end -%>
+<% if @type == 'dummy' -%>
+LinkLocalAddressing=no
+ActivationPolicy=always-up
+<% end -%>
+<% if @forwarding and @forwarding == true -%>
+IPForward=true
+<% end -%>
+
+[Link]
+MTUBytes=<%= @mtu %>

modules/zfs/lib/facter/zfs_zpool_cache_present.rb

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+Facter.add('zfs_zpool_cache_present') do
+  confine kernel: 'Linux'
+  setcode do
+    File.exist?('/etc/zfs/zpool.cache')
+  end
+end
+
+Facter.add('zfs_zpool_cache_present') do
+  setcode do
+    false
+  end
+end

modules/zfs/manifests/config.pp

@@ -0,0 +1,10 @@
+# manage zfs config
+class zfs::config {
+
+  file { $zfs::conf_dir:
+    ensure => directory,
+    owner  => 0,
+    group  => 0,
+    mode   => '0644',
+  }
+}

modules/zfs/manifests/init.pp

@@ -0,0 +1,52 @@
+# Installs basic ZFS kernel and userland support.
+#
+# @example Declaring the class
+#   include zfs
+#
+# @example Tuning the ZFS ARC
+#   class { 'zfs':
+#     zfs_arc_max => to_bytes('256 M'),
+#     zfs_arc_min => to_bytes('128 M'),
+#   }
+#
+# @param conf_dir Top-level configuration directory, usually `/etc/zfs`.
+# @param kmod_type Whether to use DKMS kernel packages or ones built to match
+#   the running kernel (only applies to RHEL platforms).
+# @param manage_repo Whether to setup and manage external package repositories.
+# @param package_name The name of the top-level metapackage that installs ZFS
+#   support.
+# @param service_manage Whether to manage the various ZFS services.
+# @param zfs_arc_max Maximum size of the ARC in bytes.
+# @param zfs_arc_min Minimum size of the ARC in bytes.
+class zfs (
+  Optional[Integer[0]]              $zfs_arc_max,
+  Optional[Integer[0]]              $zfs_arc_min,
+  Optional[Hash]                    $zpools,
+  Optional[Hash]                    $datasets,
+  Stdlib::Absolutepath              $conf_dir = '/etc/zfs',
+  Enum['dkms', 'kabi']              $kmod_type = 'kabi',
+  Boolean                           $manage_repo = true,
+  Variant[String, Array[String, 1]] $package_name = 'zfs',
+  Boolean                           $service_manage = true,
+) {
+
+  contain zfs::install
+  contain zfs::config
+  contain zfs::service
+
+  Class['zfs::install'] ~> Class['zfs::config'] ~> Class['zfs::service']
+
+  # create zpools
+  $zpools.each | $zpool, $data | {
+    zpool { $zpool:
+      * => $data
+    }
+  }
+
+  # create datasets
+  $datasets.each | $dataset, $data | {
+    zfs { $dataset:
+      * => $data
+    }
+  }
+}

modules/zfs/manifests/install.pp

@@ -0,0 +1,151 @@
+# manage zfs install/repos
+class zfs::install {
+
+  if $zfs::manage_repo {
+    case $facts['os']['family'] {
+      'RedHat': {
+        $baseurl = 'http://download.zfsonlinux.org'
+        $release = $facts['os']['release']['major'] ? {
+          '6'     => '6',
+          '7'     => $facts['os']['release']['full'] ? {
+            /^7\.[012]/ => '7',
+            default     => regsubst($facts['os']['release']['full'], '^7\.(\d+).*$', '7.\1'),
+          },
+          '8'     => $facts['os']['release']['full'] ? {
+            /^8\.4/ => '8.3',
+            default => regsubst($facts['os']['release']['full'], '^8\.(\d+).*$', '8.\1'),
+          },
+          default => regsubst($facts['os']['release']['full'], '^(\d\.\d+).*$', '\1'),
+        }
+
+        yumrepo { 'zfs':
+          baseurl => "${baseurl}/epel/${release}/\$basearch/",
+          descr   => "ZFS on Linux for EL${facts['os']['release']['major']} - dkms",
+          enabled => Integer($zfs::kmod_type == 'dkms'),
+          before  => Package[$zfs::package_name],
+        }
+
+        yumrepo { 'zfs-kmod':
+          baseurl => "${baseurl}/epel/${release}/kmod/\$basearch/",
+          descr   => "ZFS on Linux for EL${facts['os']['release']['major']} - kmod",
+          enabled => Integer($zfs::kmod_type == 'kabi'),
+        }
+
+        yumrepo { 'zfs-source':
+          baseurl => "${baseurl}/epel/${release}/SRPMS/",
+          descr   => "ZFS on Linux for EL${facts['os']['release']['major']} - Source",
+          enabled => 0,
+        }
+
+        yumrepo { 'zfs-testing':
+          baseurl => "${baseurl}/epel-testing/${release}/\$basearch/",
+          descr   => "ZFS on Linux for EL${facts['os']['release']['major']} - dkms - Testing",
+          enabled => 0,
+        }
+
+        yumrepo { 'zfs-testing-kmod':
+          baseurl => "${baseurl}/epel-testing/${release}/kmod/\$basearch/",
+          descr   => "ZFS on Linux for EL${facts['os']['release']['major']} - kmod - Testing",
+          enabled => 0,
+        }
+
+        yumrepo { 'zfs-testing-source':
+          baseurl => "${baseurl}/epel-testing/${release}/SRPMS/",
+          descr   => "ZFS on Linux for EL${facts['os']['release']['major']} - Testing Source",
+          enabled => 0,
+        }
+      }
+      default: {
+        # noop
+      }
+    }
+  }
+
+  # Handle these dependencies separately as they shouldn't be guarded by
+  # `$zfs::manage_repo`
+  case $facts['os']['family'] {
+    'RedHat': {
+      case $zfs::kmod_type {
+        'dkms': {
+          # Puppet doesn't like managing multiple versions of the same package.
+          # By using the version in the name Yum will do the right thing
+          ensure_packages(["kernel-devel-${facts['kernelrelease']}"], {
+            ensure => present,
+            before => Package[$zfs::package_name],
+          })
+        }
+        default: {
+          # noop
+        }
+      }
+    }
+    'Debian': {
+      case $facts['os']['name'] {
+        'Ubuntu': {
+          # noop
+        }
+        default: {
+          ensure_packages(["linux-headers-${facts['kernelrelease']}", "linux-headers-${facts['os']['architecture']}"], {
+            before => Package[$zfs::package_name],
+          })
+        }
+      }
+    }
+    default: {
+      # noop
+    }
+  }
+
+  # This is to work around the broken Debian 9 packages. Upon install the
+  # zfs-mount.service is started first which is the only unit that doesn't
+  # have an "ExecStartPre=-/sbin/modprobe zfs" line so the package can never
+  # be installed!
+  if $facts['os']['name'] == 'Debian' and $facts['os']['release']['major'] == '9' {
+    exec { 'zfs systemctl daemon-reload':
+      command     => 'systemctl daemon-reload',
+      refreshonly => true,
+      path        => $facts['path'],
+    }
+
+    Exec['zfs systemctl daemon-reload'] -> Package[$zfs::package_name]
+
+    file { '/etc/systemd/system/zfs-mount.service.d':
+      ensure => directory,
+      owner  => 0,
+      group  => 0,
+      mode   => '0644',
+    }
+
+    file { '/etc/systemd/system/zfs-mount.service.d/override.conf':
+      ensure  => file,
+      owner   => 0,
+      group   => 0,
+      mode    => '0644',
+      content => @(EOS/L),
+        [Service]
+        ExecStartPre=-/sbin/modprobe zfs
+        | EOS
+      notify  => Exec['zfs systemctl daemon-reload'],
+    }
+  }
+
+  # These need to be done here so the kernel settings are present before the
+  # package is installed and potentially loading the kernel module
+  $config = delete_undef_values({
+    'zfs_arc_max' => $zfs::zfs_arc_max,
+    'zfs_arc_min' => $zfs::zfs_arc_min,
+  })
+
+  $config.each |$option,$value| {
+    kmod::option { "zfs ${option}":
+      module => 'zfs',
+      option => $option,
+      value  => $value,
+      before => Package[$zfs::package_name],
+    }
+  }
+
+  package { $zfs::package_name:
+    ensure => present,
+  }
+}

modules/zfs/manifests/service.pp

@@ -0,0 +1,90 @@
+# manage zfs services
+class zfs::service {
+
+  if $zfs::service_manage {
+
+    exec { 'modprobe zfs':
+      path   => $facts['path'],
+      unless => 'grep -q "^zfs " /proc/modules',
+    }
+
+    case $facts['service_provider'] {
+      'systemd': {
+        $cache_ensure = str2bool($facts['zfs_zpool_cache_present']) ? {
+          true    => 'running',
+          default => 'stopped',
+        }
+
+        $scan_ensure = str2bool($facts['zfs_zpool_cache_present']) ? {
+          true    => 'stopped',
+          default => 'running',
+        }
+
+        service { 'zfs-import-cache':
+          ensure     => $cache_ensure,
+          enable     => true,
+          hasstatus  => true,
+          hasrestart => true,
+          require    => Exec['modprobe zfs'],
+          before     => Service['zfs-mount'],
+        }
+
+        service { 'zfs-import-scan':
+          ensure     => $scan_ensure,
+          enable     => true,
+          hasstatus  => true,
+          hasrestart => true,
+          require    => Exec['modprobe zfs'],
+          before     => Service['zfs-mount'],
+        }
+      }
+      default: {
+
+        case $facts['os']['family'] {
+          'RedHat': {
+            service { 'zfs-import':
+              ensure     => running,
+              enable     => true,
+              hasstatus  => true,
+              hasrestart => true,
+              require    => Exec['modprobe zfs'],
+              before     => Service['zfs-mount'],
+            }
+          }
+          'Debian': {
+            $import_ensure = str2bool($facts['zfs_zpool_cache_present']) ? {
+              true    => 'running',
+              default => 'stopped',
+            }
+
+            service { 'zpool-import':
+              ensure     => $import_ensure,
+              enable     => true,
+              hasstatus  => true,
+              hasrestart => true,
+              require    => Exec['modprobe zfs'],
+            }
+          }
+          default: {
+            # noop
+          }
+        }
+      }
+    }
+
+    service { 'zfs-mount':
+      ensure     => running,
+      enable     => true,
+      hasstatus  => true,
+      hasrestart => true,
+      before     => Service['zfs-share'],
+    }
+
+    service { 'zfs-share':
+      ensure     => running,
+      enable     => true,
+      hasstatus  => true,
+      hasrestart => true,
+    }
+  }
+}

site/profiles/manifests/accounts/root.pp

@@ -0,0 +1,18 @@
+# manage the root user
+class profiles::accounts::root (
+  Optional[Array[String]] $sshkeys = undef,
+) {
+
+  if $sshkeys {
+    accounts::user { 'root':
+      sshkeys => $sshkeys,
+    }
+  }
+
+  file {'/root/.config':
+    ensure => directory,
+    owner  => 'root',
+    group  => 'root',
+    mode   => '0600',
+  }
+}

site/profiles/manifests/accounts/sysadmin.pp

@@ -2,12 +2,20 @@
 class profiles::accounts::sysadmin(
   String $password,
   Array[String] $sshkeys = [],
+  Array[String] $extra_groups = [],
 ){
+
+  $default_groups = [
+    'adm',
+    'admins',
+    'systemd-journal'
+  ]
+
+  $groups = $extra_groups + $default_groups
+
   profiles::base::account {'sysadmin':
     username   => 'sysadmin',
-    uid        => 1000,
+    groups     => $groups,
-    gid        => 1000,
-    groups     => ['adm', 'admins', 'systemd-journal'],
     sshkeys    => $sshkeys,
     sudo_rules => ['sysadmin ALL=(ALL) NOPASSWD:ALL'],
     password   => $password,

site/profiles/manifests/base.pp

@@ -22,18 +22,20 @@ class profiles::base (
     # include the base profiles
     include profiles::base::repos
     include profiles::packages
-    include profiles::base::facts
     include profiles::base::motd
     include profiles::base::scripts
     include profiles::base::hosts
     include profiles::base::groups
-    include profiles::base::root
+    include profiles::accounts::root
     include profiles::accounts::sysadmin
-    include profiles::ntp::client
+    if $facts['virtual'] != 'lxc' {
+      include profiles::ntp::client
+    }
     include profiles::dns::base
     include profiles::pki::vault
     include profiles::ssh::sign
     include profiles::ssh::knownhosts
+    include profiles::ssh::service
     include profiles::cloudinit::init
     include profiles::metrics::default
     include profiles::helpers::node_lookup
@@ -57,6 +59,10 @@ class profiles::base (
       include profiles::qemu::agent
     }
 
+    class { 'limits':
+      purge_limits_d_dir => false,
+    }
+
     # include classes from hiera
     $hiera_include = lookup('hiera_include', Array[String], 'unique', [])
     $hiera_exclude = lookup('hiera_exclude', Array[String], 'unique', [])

site/profiles/manifests/base/account.pp

@@ -1,8 +1,8 @@
 # a wrapper for puppetlabs-account and saz-sudo
 define profiles::base::account (
   String $username,
-  Integer $uid,
+  Optional[Integer] $uid = undef,
-  Integer $gid = undef,
+  Optional[Integer] $gid = undef,
   Boolean $manage_home = true,
   Boolean $create_group = true,
   Boolean $purge_sshkeys = true,

site/profiles/manifests/base/datavol.pp

@@ -2,6 +2,9 @@
 #
 # This class manages the creation of a logical volume using the `lvm::volume` definition.
 #
+# For LXC hosts, this is replaced with a mount added from the host os. This class will simply check the
+# mountpoint exists.
+#
 # Parameters:
 #   $ensure   - Ensure whether the logical volume is present or not. Defaults to 'present'.
 #   $vg       - Volume group name. No default.
@@ -25,33 +28,48 @@ class profiles::base::datavol (
   ]] $mount_options = ['noatime', 'nodiratime'],
 ) {
 
-  # Ensure the physical volume exists
+  if $facts['virtual'] != 'lxc' {
-  physical_volume { $pv:
-    ensure => $ensure,
-    before => Volume_group[$vg],
-  }
 
-  # Ensure the volume group exists
+    # Ensure the physical volume exists
-  volume_group { $vg:
+    physical_volume { $pv:
-    ensure           => $ensure,
+      ensure => $ensure,
-    physical_volumes => [$pv],
+      before => Volume_group[$vg],
-    before           => Logical_volume[$lv],
+    }
-  }
 
-  # Ensure the logical volume exists
+    # Ensure the volume group exists
-  logical_volume { $lv:
+    volume_group { $vg:
-    ensure       => $ensure,
+      ensure           => $ensure,
-    volume_group => $vg,
+      physical_volumes => [$pv],
-    size         => $size,
+      before           => Logical_volume[$lv],
-    before       => Filesystem["/dev/${vg}/${lv}"],
+    }
-  }
 
-  # Ensure the filesystem is created on the logical volume
+    # Ensure the logical volume exists
-  filesystem { "/dev/${vg}/${lv}":
+    logical_volume { $lv:
-    ensure  => $ensure,
+      ensure       => $ensure,
-    fs_type => $fstype,
+      volume_group => $vg,
-    require => Logical_volume[$lv],
+      size         => $size,
-    before  => Mount[$mount],
+      before       => Filesystem["/dev/${vg}/${lv}"],
+    }
+
+    # Ensure the filesystem is created on the logical volume
+    filesystem { "/dev/${vg}/${lv}":
+      ensure  => $ensure,
+      fs_type => $fstype,
+      require => Logical_volume[$lv],
+      before  => Mount[$mount],
+    }
+
+    # Ensure the logical volume is mounted at the desired location
+    mount { $mount:
+      ensure  => $mountstate,
+      device  => "/dev/${vg}/${lv}",
+      fstype  => $fstype,
+      options => $mount_options.join(','),
+      require => [
+        Filesystem["/dev/${vg}/${lv}"],
+        File[$mount]
+      ],
+    }
   }
 
   # Ensure the mountpath exists
@@ -62,12 +80,4 @@ class profiles::base::datavol (
     mode   => '0755',
   }
 
-  # Ensure the logical volume is mounted at the desired location
-  mount { $mount:
-    ensure  => $mountstate,
-    device  => "/dev/${vg}/${lv}",
-    fstype  => $fstype,
-    options => $mount_options.join(','),
-    require => Filesystem["/dev/${vg}/${lv}"],
-  }
 }

site/profiles/manifests/base/facts.pp

@@ -1,39 +0,0 @@
-# a class to define some global facts
-class profiles::base::facts {
-
-  # The path where external facts are stored
-  $facts_d_path = '/opt/puppetlabs/facter/facts.d'
-
-  # Ensure the directory exists
-  file { $facts_d_path:
-    ensure => directory,
-    owner  => 'root',
-    group  => 'root',
-    mode   => '0755',
-  }
-
-  # cleanup old facts files
-  $fact_list = [ 'enc_role', 'enc_env' ]
-  $fact_list.each | String $item | {
-    file { "${facts_d_path}/${item}.txt":
-      ensure  => absent,
-    }
-  }
-
-  # ensure the path to the custom store exists
-  file { '/root/.cache':
-    ensure => directory,
-    owner  => 'root',
-    group  => 'root',
-    mode   => '0750',
-  }
-
-  # create the file that will be read
-  file { '/root/.cache/custom_facts.yaml':
-    ensure  => file,
-    owner   => 'root',
-    group   => 'root',
-    mode    => '0644',
-    content => template('profiles/base/facts/custom_facts.yaml.erb'),
-  }
-}