unkin/puppet-prod
2
0
Fork 0
Code Issues 10 Pull Requests 1 Actions Packages Projects Releases Wiki Activity

Merge branch 'develop' into neoloc/sshsign_hostkeys

Browse Source
This commit is contained in:
Ben Vincent 2024-06-09 20:38:25 +10:00
commit d4163233f6
55 changed files with 391 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
Puppetfile
View File

@ -35,6 +35,9 @@ mod 'puppet-vault', '4.1.0'
mod 'puppet-dhcp', '6.1.0' mod 'puppet-dhcp', '6.1.0'
mod 'puppet-keepalived', '3.6.0' mod 'puppet-keepalived', '3.6.0'
mod 'puppet-extlib', '7.0.0' mod 'puppet-extlib', '7.0.0'
mod 'puppet-network', '2.2.0'
mod 'puppet-kmod', '4.0.1'
mod 'puppet-filemapper', '4.0.0'
# other # other
mod 'ghoneycutt-puppet', '3.3.0' mod 'ghoneycutt-puppet', '3.3.0'

29
hieradata/common.yaml
View File

@ -108,11 +108,18 @@ lookup_options:
profiles::nginx::simpleproxy::nginx_aliases: profiles::nginx::simpleproxy::nginx_aliases:
merge: merge:
strategy: deep strategy: deep
networking::interfaces:
merge:
strategy: deep
networking::routes:
merge:
strategy: deep
facts_path: '/opt/puppetlabs/facter/facts.d' facts_path: '/opt/puppetlabs/facter/facts.d'
hiera_classes: hiera_include:
- timezone - timezone
- networking
- ssh::server - ssh::server
profiles::ntp::client::ntp_role: 'roles::infra::ntp::server' profiles::ntp::client::ntp_role: 'roles::infra::ntp::server'
@ -264,6 +271,26 @@ sudo::configs:
profiles::accounts::sysadmin::sshkeys: profiles::accounts::sysadmin::sshkeys:
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDZ8SRLlPiDylBpdWR9LpvPg4fDVD+DZst4yRPFwMMhta4mnB1H9XuvZkptDhXywWQ7QIcqa2WbhCen0OQJCtwn3s7EYtacmF5MxmwBYocPoK2AArGuh6NA9rwTdLrPdzhZ+gwe88PAzRLNzjm0ZBR+mA9saMbPJdqpKp0AWeAM8QofRQAWuCzQg9i0Pn1KDMvVDRHCZof4pVlHSTyHNektq4ifovn0zhKC8jD/cYu95mc5ftBbORexpGiQWwQ3HZw1IBe0ZETB1qPIPwsoJpt3suvMrL6T2//fcIIUE3TcyJKb/yhztja4TZs5jT8370G/vhlT70He0YPxqHub8ZfBv0khlkY93VBWYpNGJwM1fVqlw7XbfBNdOuJivJac8eW317ZdiDnKkBTxapThpPG3et9ib1HoPGKRsd/fICzNz16h2R3tddSdihTFL+bmTCa6Lo+5t5uRuFjQvhSLSgO2/gRAprc3scYOB4pY/lxOFfq3pU2VvSJtRgLNEYMUYKk= ben@unkin.net - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDZ8SRLlPiDylBpdWR9LpvPg4fDVD+DZst4yRPFwMMhta4mnB1H9XuvZkptDhXywWQ7QIcqa2WbhCen0OQJCtwn3s7EYtacmF5MxmwBYocPoK2AArGuh6NA9rwTdLrPdzhZ+gwe88PAzRLNzjm0ZBR+mA9saMbPJdqpKp0AWeAM8QofRQAWuCzQg9i0Pn1KDMvVDRHCZof4pVlHSTyHNektq4ifovn0zhKC8jD/cYu95mc5ftBbORexpGiQWwQ3HZw1IBe0ZETB1qPIPwsoJpt3suvMrL6T2//fcIIUE3TcyJKb/yhztja4TZs5jT8370G/vhlT70He0YPxqHub8ZfBv0khlkY93VBWYpNGJwM1fVqlw7XbfBNdOuJivJac8eW317ZdiDnKkBTxapThpPG3et9ib1HoPGKRsd/fICzNz16h2R3tddSdihTFL+bmTCa6Lo+5t5uRuFjQvhSLSgO2/gRAprc3scYOB4pY/lxOFfq3pU2VvSJtRgLNEYMUYKk= ben@unkin.net
networking::interfaces:
lo:
ensure: present
family: inet
method: loopback
onboot: true
eth0:
ensure: present
family: inet
method: static
netmask: 255.255.255.0
onboot: true
networking::routes:
default:
ensure: present
interface: eth0
netmask: 0.0.0.0
network: default
profiles::base::hosts::additional_hosts: profiles::base::hosts::additional_hosts:
- ip: 198.18.17.3 - ip: 198.18.17.3
hostname: prodinf01n01.main.unkin.net hostname: prodinf01n01.main.unkin.net

7
hieradata/nodes/ausyd1nxvm1000.main.unkin.net.yaml Normal file
View File

@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.10
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1001.main.unkin.net.yaml Normal file
View File

@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.11
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1002.main.unkin.net.yaml Normal file
View File

@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.12
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1003.main.unkin.net.yaml Normal file
View File

@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.13
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1004.main.unkin.net.yaml Normal file
View File

@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.14
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1005.main.unkin.net.yaml Normal file
View File

@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.15
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1006.main.unkin.net.yaml Normal file
View File

@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.16
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1007.main.unkin.net.yaml Normal file
View File

@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.17
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1008.main.unkin.net.yaml Normal file
View File

@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.18
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1009.main.unkin.net.yaml Normal file
View File

@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.19
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1010.main.unkin.net.yaml Normal file
View File

@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.20
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1011.main.unkin.net.yaml Normal file
View File

@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.21
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1012.main.unkin.net.yaml Normal file
View File

@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.22
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1013.main.unkin.net.yaml Normal file
View File

@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.23
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1014.main.unkin.net.yaml Normal file
View File

@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.24
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1015.main.unkin.net.yaml Normal file
View File

@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.25
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1016.main.unkin.net.yaml Normal file
View File

@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.26
networking::routes:
default:
gateway: 198.18.13.254

6
hieradata/nodes/ausyd1nxvm1017.main.unkin.net.yaml
View File

@ -1,2 +1,8 @@
--- ---
profiles::cobbler::params::is_cobbler_master: true profiles::cobbler::params::is_cobbler_master: true
networking::interfaces:
eth0:
ipaddress: 198.18.13.27
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1018.main.unkin.net.yaml Normal file
View File

@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.28
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1019.main.unkin.net.yaml Normal file
View File

@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.29
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1020.main.unkin.net.yaml Normal file
View File

@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.30
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1021.main.unkin.net.yaml Normal file
View File

@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.31
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1022.main.unkin.net.yaml Normal file
View File

@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.32
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1023.main.unkin.net.yaml Normal file
View File

@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.33
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1024.main.unkin.net.yaml Normal file
View File

@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.34
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1025.main.unkin.net.yaml Normal file
View File

@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.35
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1026.main.unkin.net.yaml Normal file
View File

@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.36
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1027.main.unkin.net.yaml Normal file
View File

@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.37
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1028.main.unkin.net.yaml Normal file
View File

@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.38
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1029.main.unkin.net.yaml Normal file
View File

@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.39
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1030.main.unkin.net.yaml Normal file
View File

@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.40
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1031.main.unkin.net.yaml Normal file
View File

@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.41
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1032.main.unkin.net.yaml Normal file
View File

@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.42
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1033.main.unkin.net.yaml Normal file
View File

@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.43
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1034.main.unkin.net.yaml Normal file
View File

@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.44
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1035.main.unkin.net.yaml Normal file
View File

@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.45
networking::routes:
default:
gateway: 198.18.13.254

6
hieradata/nodes/ausyd1nxvm1036.main.unkin.net.yaml
View File

@ -7,3 +7,9 @@ profiles::puppet::server::dns_alt_names:
profiles::puppet::puppetca::is_puppetca: true profiles::puppet::puppetca::is_puppetca: true
profiles::puppet::puppetca::allow_subject_alt_names: true profiles::puppet::puppetca::allow_subject_alt_names: true
networking::interfaces:
eth0:
ipaddress: 198.18.13.46
networking::routes:
default:
gateway: 198.18.13.254

3
hieradata/nodes/prodinf01n01.main.unkin.net.yaml
View File

@ -7,3 +7,6 @@ profiles::puppet::server::dns_alt_names:
profiles::puppet::puppetca::is_puppetca: false profiles::puppet::puppetca::is_puppetca: false
profiles::puppet::puppetca::allow_subject_alt_names: true profiles::puppet::puppetca::allow_subject_alt_names: true
hiera_exclude:
- networking

3
hieradata/os/AlmaLinux/all_releases.yaml
View File

@ -59,4 +59,5 @@ profiles::yum::global::repos:
name: unkin name: unkin
descr: unkin repository descr: unkin repository
target: /etc/yum.repos.d/unkin.repo target: /etc/yum.repos.d/unkin.repo
baseurl: https://repos.main.unkin.net/unkin/%{facts.os.release.major}/%{facts.os.architecture}/os baseurl: https://git.query.consul/api/packages/unkinben/rpm/el%{facts.os.release.major}
gpgkey: https://git.query.consul/api/packages/unkinben/rpm/repository.key

3
hieradata/os/Debian/all_releases.yaml
View File

@ -1,6 +1,6 @@
# hieradata/os/debian/all_releases.yaml # hieradata/os/debian/all_releases.yaml
--- ---
profiles::apt::base::mirrorurl: http://repos.main.unkin.net/debian profiles::apt::base::mirrorurl: https://edgecache.query.consul/debian/
profiles::apt::base::secureurl: http://security.debian.org/debian-security profiles::apt::base::secureurl: http://security.debian.org/debian-security
profiles::apt::puppet7::mirror: http://apt.puppetlabs.com profiles::apt::puppet7::mirror: http://apt.puppetlabs.com
profiles::apt::puppet7::repo: puppet7 profiles::apt::puppet7::repo: puppet7
@ -12,3 +12,4 @@ profiles::packages::install:
- xz-utils - xz-utils
lm-sensors::package: lm-sensors lm-sensors::package: lm-sensors
networking::nwmgr_dns_none: false

2
hieradata/roles/infra/cobbler/server.yaml
View File

@ -17,5 +17,5 @@ profiles::pki::vault::alt_names:
profiles::cobbler::params::service_cname: 'cobbler.main.unkin.net' profiles::cobbler::params::service_cname: 'cobbler.main.unkin.net'
profiles::selinux::setenforce::mode: permissive profiles::selinux::setenforce::mode: permissive
hiera_classes: hiera_include:
- profiles::selinux::setenforce - profiles::selinux::setenforce

21
hieradata/roles/infra/ntp/server.yaml
View File

@ -12,3 +12,24 @@ profiles::ntp::server::peers:
- '1.au.pool.ntp.org' - '1.au.pool.ntp.org'
- '2.au.pool.ntp.org' - '2.au.pool.ntp.org'
- '3.au.pool.ntp.org' - '3.au.pool.ntp.org'
consul::services:
ntp:
service_name: 'ntp'
tags:
- 'ntp'
- 'time'
- 'sync'
address: "%{facts.networking.ip}"
port: 123
checks:
- id: ntp_check
name: "NTP Service Check"
args:
- '/usr/local/bin/check_ntp.sh'
interval: '15s'
timeout: '5s'
profiles::consul::client::node_rules:
- resource: service
segment: ntp
disposition: write

3
hieradata/roles/infra/proxmox.yaml
View File

@ -5,3 +5,6 @@ sudo::configs:
content: | content: |
ceph ALL=NOPASSWD: /usr/sbin/smartctl -x --json=o /dev/* ceph ALL=NOPASSWD: /usr/sbin/smartctl -x --json=o /dev/*
ceph ALL=NOPASSWD: /usr/sbin/nvme * smart-log-add --json /dev/* ceph ALL=NOPASSWD: /usr/sbin/nvme * smart-log-add --json /dev/*
hiera_exclude:
- networking

6
hieradata/roles/infra/storage/consul.yaml
View File

@ -77,3 +77,9 @@ profiles::consul::prepared_query::rules:
service_failover_n: 3 service_failover_n: 3
service_only_passing: true service_only_passing: true
ttl: 10 ttl: 10
ntp:
ensure: 'present'
service_name: 'ntp'
service_failover_n: 3
service_only_passing: true
ttl: 10

35
modules/networking/manifests/init.pp Normal file
View File

@ -0,0 +1,35 @@
# unkin networking module
class networking (
Hash $interfaces = {},
Hash $routes = {},
){
include network
include networking::params
$interfaces.each | $interface, $data | {
network_config {$interface:
* => $data,
}
}
$routes.each | $route, $data | {
network_route {$route:
* => $data,
}
}
# prevent DNS from being overwritten by networkmanager
if $networking::params::nwmgr_dns_none {
file {'/etc/NetworkManager/conf.d/dns_none.conf':
ensure => 'file',
owner => 'root',
group => 'root',
mode => '0655',
content => "[main]\ndns=none",
}
}else{
file {'/etc/NetworkManager/conf.d/dns_none.conf':
ensure => 'absent',
}
}
}

6
modules/networking/manifests/params.pp Normal file
View File

@ -0,0 +1,6 @@
# networking params
class networking::params (
Boolean $nwmgr_dns_none = true,
Boolean $nwmgr_service_running = true,
){
}

4
site/profiles/manifests/base.pp
View File

@ -58,7 +58,9 @@ class profiles::base (
} }
# include classes from hiera # include classes from hiera
lookup('hiera_classes', Array[String], 'unique').include $hiera_include = lookup('hiera_include', Array[String], 'unique', [])
$hiera_exclude = lookup('hiera_exclude', Array[String], 'unique', [])
($hiera_include - $hiera_exclude).include
# specifc ordering constraints # specifc ordering constraints
Class['profiles::pki::vaultca'] Class['profiles::pki::vaultca']

8
site/profiles/manifests/ntp/server.pp
View File

@ -35,5 +35,13 @@ class profiles::ntp::server (
queryhosts => $allowquery, queryhosts => $allowquery,
} }
} }
file {'/usr/local/bin/check_ntp.sh':
ensure => 'file',
owner => 'root',
group => 'root',
mode => '0755',
content => template('profiles/ntp/check_ntp.sh.erb'),
}
} }
} }

1
site/profiles/manifests/puppet/client.pp
View File

@ -12,6 +12,7 @@ class profiles::puppet::client (
Integer $runtimeout = 3600, Integer $runtimeout = 3600,
Boolean $show_diff = true, Boolean $show_diff = true,
Boolean $usecacheonfailure = false, Boolean $usecacheonfailure = false,
Integer $facts_soft_limit = 4096,
) { ) {
# dont manage puppet.conf if this is a puppetmaster # dont manage puppet.conf if this is a puppetmaster

2
site/profiles/manifests/puppet/server.pp
View File

@ -28,6 +28,7 @@ class profiles::puppet::server (
Integer $runinterval = 1800, Integer $runinterval = 1800,
Integer $runtimeout = 3600, Integer $runtimeout = 3600,
Boolean $show_diff = true, Boolean $show_diff = true,
Integer $facts_soft_limit = 4096,
) { ) {
file { '/etc/puppetlabs/puppet/puppet.conf': file { '/etc/puppetlabs/puppet/puppet.conf':
@ -59,6 +60,7 @@ class profiles::puppet::server (
'storeconfigs_backend' => $storeconfigs_backend, 'storeconfigs_backend' => $storeconfigs_backend,
'reports' => $reports, 'reports' => $reports,
'usecacheonfailure' => $usecacheonfailure, 'usecacheonfailure' => $usecacheonfailure,
'facts_soft_limit' => $facts_soft_limit,
}), }),
notify => Service['puppetserver'], notify => Service['puppetserver'],
} }

8
site/profiles/templates/ntp/check_ntp.sh.erb Normal file
View File

@ -0,0 +1,8 @@
#!/usr/bin/bash
# Check if ntpd or chronyd is running
if pgrep ntpd > /dev/null || pgrep chronyd > /dev/null; then
exit 0
else
exit 2
fi

1
site/profiles/templates/puppet/client/puppet.conf.erb
View File

@ -11,3 +11,4 @@ runinterval = <%= @runinterval %>
runtimeout = <%= @runtimeout %> runtimeout = <%= @runtimeout %>
show_diff = <%= @show_diff %> show_diff = <%= @show_diff %>
usecacheonfailure = <%= @usecacheonfailure %> usecacheonfailure = <%= @usecacheonfailure %>
number_of_facts_soft_limit = <%= @facts_soft_limit %>

1
site/profiles/templates/puppet/server/puppet.conf.epp
View File

@ -17,6 +17,7 @@ report_server = <%= $report_server %>
runinterval = <%= $runinterval %> runinterval = <%= $runinterval %>
runtimeout = <%= $runtimeout %> runtimeout = <%= $runtimeout %>
show_diff = <%= $show_diff %> show_diff = <%= $show_diff %>
number_of_facts_soft_limit = <%= $facts_soft_limit %>
[master] [master]
node_terminus = <%= $node_terminus %> node_terminus = <%= $node_terminus %>