diff --git a/hieradata/common.yaml b/hieradata/common.yaml index d56d46c..79f8edb 100644 --- a/hieradata/common.yaml +++ b/hieradata/common.yaml @@ -1,4 +1,12 @@ --- +lookup_options: + profiles::packages::base::add: + merge: + strategy: deep + profiles::packages::base::remove: + merge: + strategy: deep + profiles::ntp::client::ntp_role: 'roles::infra::ntp::server' profiles::ntp::client::peers: - 0.pool.ntp.org @@ -12,24 +20,55 @@ profiles::base::puppet_servers: profiles::dns::master::basedir: '/var/named/sources' profiles::dns::base::ns_role: 'roles::infra::dns::resolver' -profiles::packages::base: +profiles::packages::base::add: - bash-completion + - bzip2 - ccze - curl - dstat + - gzip - htop + - inotify-tools + - iotop + - jq + - lz4 + - lzo - mtr - ncdu - neovim + - p7zip + - pbzip2 + - pigz + - pv - rsync - screen + - socat - strace + - sysstat - tmux + - traceroute - vim - vnstat - wget + - xz - zsh - - socat + - zstd + +profiles::packages::base::remove: + - iwl100-firmware + - iwl1000-firmware + - iwl105-firmware + - iwl135-firmware + - iwl2000-firmware + - iwl2030-firmware + - iwl3160-firmware + - iwl5000-firmware + - iwl5150-firmware + - iwl6000-firmware + - iwl6000g2a-firmware + - iwl6050-firmware + - iwl7260-firmware + - puppet7-release profiles::base::scripts::scripts: puppet: puppetwrapper.py diff --git a/hieradata/os/AlmaLinux/all_releases.yaml b/hieradata/os/AlmaLinux/all_releases.yaml index 105a19a..6592ae6 100644 --- a/hieradata/os/AlmaLinux/all_releases.yaml +++ b/hieradata/os/AlmaLinux/all_releases.yaml @@ -6,4 +6,4 @@ profiles::firewall::firewalld::ensure_package: 'absent' profiles::firewall::firewalld::ensure_service: 'stopped' profiles::firewall::firewalld::enable_service: false -profiles::puppet::client::puppet_version: '7.26.0' +profiles::puppet::agent::puppet_version: '7.26.0' diff --git a/hieradata/os/Debian/Debian11.yaml b/hieradata/os/Debian/Debian11.yaml index 41e6201..594461c 100644 --- a/hieradata/os/Debian/Debian11.yaml 
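Review bot: With `strategy: deep` on two flat string arrays the result is a union of every hierarchy level, so a node or OS layer can add to `profiles::packages::base::add` / `::remove` but can never drop an entry that common.yaml already lists; that is probably intended but is invisible from the option itself. A comment on the block would save the next reader a trip to the Hiera docs, e.g. `# deep on flat arrays = union across all levels; lower levels can append, not subtract`. Because the two keys are merged independently, nothing here prevents the same package name ending up in both lists from different layers.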
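Review bot: `puppet7-release` in the `remove` list is the package that ships the vendor repo definition and its GPG key on EL hosts, while the AlmaLinux hieradata in this same change pins `puppet-agent` to `'7.26.0'`; the pin is only satisfiable if `profiles::yum::puppet7` (or the new reposync mirror) provides both the repo and the key itself, which this hunk cannot show. A comment on the entry would make that dependency explicit, e.g. `# puppet7-release: vendor repo/key are managed by profiles::yum::puppet7 instead`. The `iwl*-firmware` removals look like a plain server-hardening trim and need no more than a one-line reason above them.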
+++ b/hieradata/os/Debian/Debian11.yaml @@ -11,4 +11,4 @@ profiles::apt::components: - main - non-free -profiles::puppet::client::puppet_version: '7.25.0-1bullseye' +profiles::puppet::agent::puppet_version: '7.25.0-1bullseye' diff --git a/hieradata/os/Debian/Debian12.yaml b/hieradata/os/Debian/Debian12.yaml index fab31d1..f6b5f7d 100644 --- a/hieradata/os/Debian/Debian12.yaml +++ b/hieradata/os/Debian/Debian12.yaml @@ -12,4 +12,4 @@ profiles::apt::components: - non-free - non-free-firmware -profiles::puppet::client::puppet_version: 'latest' +profiles::puppet::agent::puppet_version: 'latest' diff --git a/hieradata/roles/infra/reposync/syncer.yaml b/hieradata/roles/infra/reposync/syncer.yaml index 123fbaa..e6a341e 100644 --- a/hieradata/roles/infra/reposync/syncer.yaml +++ b/hieradata/roles/infra/reposync/syncer.yaml 
@@ -5,47 +5,104 @@ profiles::reposync::repos_list: description: 'AlmaLinux 8.8 - BaseOS' osname: 'almalinux' release: '8.8' - baseurl: 'http://mirror.aarnet.edu.au/pub/almalinux/8.8/BaseOS/x86_64/os/' + mirrorlist: https://mirrors.almalinux.org/mirrorlist/8.8/baseos gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux' almalinux_8_8_appstream: repository: 'AppStream' description: 'AlmaLinux 8.8 - AppStream' osname: 'almalinux' release: '8.8' - baseurl: 'http://mirror.aarnet.edu.au/pub/almalinux/8.8/AppStream/x86_64/os/' + mirrorlist: https://mirrors.almalinux.org/mirrorlist/8.8/appstream gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux' almalinux_8_8_highavailability: repository: 'HighAvailability' description: 'AlmaLinux 8.8 - HighAvailability' osname: 'almalinux' release: '8.8' - baseurl: 'http://mirror.aarnet.edu.au/pub/almalinux/8.8/HighAvailability/x86_64/os/' + mirrorlist: https://mirrors.almalinux.org/mirrorlist/8.8/ha gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux' almalinux_8_8_powertools: repository: 'PowerTools' description: 'AlmaLinux 8.8 - PowerTools' osname: 'almalinux' release: '8.8' - baseurl: 'http://mirror.aarnet.edu.au/pub/almalinux/8.8/PowerTools/x86_64/os/' + mirrorlist: https://mirrors.almalinux.org/mirrorlist/8.8/powertools gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux' almalinux_8_8_extras: repository: 'extras' description: 'AlmaLinux 8.8 - extras' osname: 'almalinux' release: '8.8' - baseurl: 'http://mirror.aarnet.edu.au/pub/almalinux/8.8/extras/x86_64/os/' + mirrorlist: https://mirrors.almalinux.org/mirrorlist/8.8/extras + gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux' + almalinux_8_9_baseos: + repository: 'BaseOS' + description: 'AlmaLinux 8.9 - BaseOS' + osname: 'almalinux' + release: '8.9' + mirrorlist: https://mirrors.almalinux.org/mirrorlist/8.9/baseos + gpgkey: 
'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux' + almalinux_8_9_appstream: + repository: 'AppStream' + description: 'AlmaLinux 8.9 - AppStream' + osname: 'almalinux' + release: '8.9' + mirrorlist: https://mirrors.almalinux.org/mirrorlist/8.9/appstream + gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux' + almalinux_8_9_highavailability: + repository: 'HighAvailability' + description: 'AlmaLinux 8.9 - HighAvailability' + osname: 'almalinux' + release: '8.9' + mirrorlist: https://mirrors.almalinux.org/mirrorlist/8.9/ha + gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux' + almalinux_8_9_powertools: + repository: 'PowerTools' + description: 'AlmaLinux 8.9 - PowerTools' + osname: 'almalinux' + release: '8.9' + mirrorlist: https://mirrors.almalinux.org/mirrorlist/8.9/powertools + gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux' + almalinux_8_9_extras: + repository: 'extras' + description: 'AlmaLinux 8.9 - extras' + osname: 'almalinux' + release: '8.9' + mirrorlist: https://mirrors.almalinux.org/mirrorlist/8.9/extras gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux' epel_8_everything: repository: 'Everything' description: 'EPEL 8 Everything' osname: 'epel' release: '8' - baseurl: 'https://dl.fedoraproject.org/pub/epel/8/Everything/x86_64/' - gpgkey: 'https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-8' - epel_8_modular: - repository: 'Modular' - description: 'EPEL 8 Modular' - osname: 'epel' - release: '8' - baseurl: 'https://dl.fedoraproject.org/pub/epel/8/Modular/x86_64/' + # baseurl: 'https://dl.fedoraproject.org/pub/epel/8/Everything/x86_64/' + mirrorlist: 'https://mirrors.fedoraproject.org/mirrorlist?repo=epel-8&arch=x86_64' gpgkey: 'https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-8' + mariadb_11_2_el8: + repository: 'el8' + description: 'MariaDB 11.2' + osname: 'mariadb' + release: '11.2' + baseurl: 
'http://mariadb.mirror.digitalpacific.com.au/yum/11.2/rhel8-amd64/' + gpgkey: 'https://mariadb.mirror.digitalpacific.com.au/yum/RPM-GPG-KEY-MariaDB' + puppet7_el8: + repository: '8' + description: 'Puppet 7 EL8' + osname: 'puppet7' + release: 'el' + baseurl: 'https://yum.puppet.com/puppet7/el/8/x86_64/' + gpgkey: 'https://yum.puppet.com/RPM-GPG-KEY-puppet' + postgresql_rhel8_common: + repository: 'common' + description: 'PostgreSQL Common RHEL 8' + osname: 'postgresql' + release: 'rhel8' + baseurl: 'https://download.postgresql.org/pub/repos/yum/common/redhat/rhel-8-x86_64/' + gpgkey: 'https://download.postgresql.org/pub/repos/yum/RPM-GPG-KEY-PGDG' + postgresql_rhel8_16: + repository: '16' + description: 'PostgreSQL 16 RHEL 8' + osname: 'postgresql' + release: 'rhel8' + baseurl: 'https://download.postgresql.org/pub/repos/yum/16/redhat/rhel-8-x86_64/' + gpgkey: 'https://download.postgresql.org/pub/repos/yum/RPM-GPG-KEY-PGDG' diff --git a/site/profiles/lib/facter/mysql_wsrep.rb b/site/profiles/lib/facter/mysql_wsrep.rb new file mode 100644 index 0000000..e5ff2a2 --- /dev/null +++ b/site/profiles/lib/facter/mysql_wsrep.rb @@ -0,0 +1,21 @@ +# frozen_string_literal: true + +# skip if mysql isnt installed or active +if system('which mysql > /dev/null 2>&1') && system('systemctl is-active --quiet mariadb') + + # export mysql wsrep status + wsrep_status = `mysql -e "SHOW STATUS LIKE 'wsrep%';"` + + # loop over the output + wsrep_status.each_line do |line| + # skip the line unless it starts with 'wsrep_' + next unless line.match(/^wsrep_/) + + key, value = line.split("\t") + Facter.add("mysql_#{key.strip}") do + setcode do + value.strip + end + end + end +end diff --git a/site/profiles/manifests/base.pp b/site/profiles/manifests/base.pp index 6337422..62b242e 100644 --- a/site/profiles/manifests/base.pp +++ b/site/profiles/manifests/base.pp 
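Review bot: Every AlmaLinux entry still fetches `RPM-GPG-KEY-AlmaLinux` over plain `http://` from a third-party mirror, while the new `mirrorlist` lines are `https://`; the key is the trust anchor behind `gpgcheck=1`, so an on-path attacker who can swap the key can also sign whatever the mirrorlist hands back. Point `gpgkey` at a TLS endpoint on the vendor host (AlmaLinux currently serves it at `https://repo.almalinux.org/almalinux/RPM-GPG-KEY-AlmaLinux`) rather than a mirror. `mariadb_11_2_el8` has the same split in the other direction — `baseurl: 'http://...'` with `gpgkey: 'https://...'` on the same host — so switching that `baseurl` to `https://` costs nothing.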
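Review bot: The query output is parsed with no guard — `key, value = line.split("\t")` followed by `value.strip` inside `setcode` raises at resolution time if a row ever lacks a tab, and nothing checks the client's exit status, so an auth failure just yields no facts and no log line. Facter's own helpers handle both cases: `mysql = Facter::Core::Execution.which('mysql')` for the lookup, `Facter::Core::Execution.execute("#{mysql} -e \"SHOW STATUS LIKE 'wsrep%'\"", on_fail: nil)` for the query, and `next if value.nil?` after the split. Every status row then becomes a fact shipped to the Puppet server, including entries such as `wsrep_incoming_addresses` that describe the cluster's members, so anyone with fact read access learns the Galera topology; a header comment saying that is deliberate would help. The client is invoked with no credentials, so it presumably relies on unix_socket root auth or a `~/.my.cnf` for the agent's user — worth stating at the top of the file.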
@@ -16,6 +16,9 @@ class profiles::base ( } } + # manage the puppet agent + include profiles::puppet::agent + # manage puppet clients if ! member($puppet_servers, $trusted['certname']) { include profiles::puppet::client diff --git a/site/profiles/manifests/packages/base.pp b/site/profiles/manifests/packages/base.pp index 807c8a8..f7d51cf 100644 --- a/site/profiles/manifests/packages/base.pp +++ b/site/profiles/manifests/packages/base.pp @@ -1,21 +1,21 @@ # This class manages the installation of packages for the base profile # # Parameters: -# - $packages: An array of package names to be installed (optional) -# - $ensure: Enum of present, absent, latest or installed (optional) -# -# Example usage: -# class { 'profiles::base::packages': -# packages => ['package1', 'package2', 'package3'], +# - $add: An array of package names to be installed +# - $remove: An array of package names to be removed # class profiles::packages::base ( - Array $packages = lookup('profiles::packages::base', Array, 'first', []), - Enum[ - 'present', - 'absent', - 'latest', - 'installed' - ] $ensure = 'installed', -){ - ensure_packages($packages, {'ensure' => $ensure}) + Array $add = [], + Array $remove = [], +) { + + # Ensure packages to add are installed + ensure_packages($add, {'ensure' => 'present'}) + + # Ensure packages to remove are absent + $remove.each |String $package| { + package { $package: + ensure => 'absent', + } + } } diff --git a/site/profiles/manifests/puppet/agent.pp b/site/profiles/manifests/puppet/agent.pp new file mode 100644 index 0000000..0c2122e --- /dev/null +++ b/site/profiles/manifests/puppet/agent.pp 
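Review bot: `include profiles::puppet::agent` is now unconditional, but that class declares `yum::versionlock`, and the Debian 11/12 hieradata in this same change feeds it a `puppet_version` too; on an apt host the define is presumably unavailable, which would fail catalog compilation for every Debian node. Guard the include with the OS family, e.g. `if $facts['os']['family'] == 'RedHat' { include profiles::puppet::agent }`, or make the versionlock conditional inside the class. Unlike the old placement inside the `member($puppet_servers, …)` branch, the agent package and service are now also managed on the Puppet servers themselves; fine if intended, but the comment should say so. The body of profiles::base continues outside this hunk.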
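Review bot: A name that reaches both `$add` and `$remove` — easy now that the two keys are deep-merged independently across the hierarchy — yields a `Package[...]` declared twice (once by `ensure_packages`, once by the `each`), which surfaces as a duplicate-declaration compile error rather than a clear message. Fail early before either declaration: `$both = $add.filter |$p| { $p in $remove }` and `unless $both.empty { fail("profiles::packages::base: listed in both add and remove: ${both.join(', ')}") }`. The new signature also drops `$packages` and `$ensure`, so any resource-like `class { 'profiles::packages::base': packages => … }` caller elsewhere in the repo now breaks; the header comment should state that the class is hiera-driven only.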
@@ -0,0 +1,35 @@ +# profiles::puppet::agent +# This class manages Puppet agent package and service. +class profiles::puppet::agent ( + String $puppet_version = 'latest', +) { + + # Ensure the puppet-agent package is installed and locked to a specific version + package { 'puppet-agent': + ensure => $puppet_version, + } + + # if puppet-version is anything other than latest, set a versionlock + $puppet_versionlock_ensure = $puppet_version ? { + 'latest' => 'absent', + default => 'present', + } + $puppet_versionlock_version = $puppet_version ? { + 'latest' => undef, + default => $puppet_version, + } + yum::versionlock{'puppet-agent': + ensure => $puppet_versionlock_ensure, + version => $puppet_versionlock_version, + } + + # Ensure the puppet service is running + service { 'puppet': + ensure => 'running', + enable => true, + hasrestart => true, + require => Package['puppet-agent'], + } + +} + diff --git a/site/profiles/manifests/puppet/client.pp b/site/profiles/manifests/puppet/client.pp index 68ab61a..973f621 100644 --- a/site/profiles/manifests/puppet/client.pp +++ b/site/profiles/manifests/puppet/client.pp @@ -1,15 +1,6 @@ # Class: profiles::puppet::client # -# This class manages Puppet client configuration and service. -# -# Parameters: -# vardir - Directory path for variable data. -# logdir - Directory path for logs. -# rundir - Directory path for run-time data. -# pidfile - File path for the PID file. -# codedir - Directory path for code data. -# dns_alt_names - Array of alternate DNS names for the server. -# server - Server's name. +# This class manages Puppet client configuration. # # site/profile/manifests/puppet/client.pp class profiles::puppet::client ( 
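Review bot: `yum::versionlock` is declared unconditionally, so this class can only be applied on RPM hosts, yet `$puppet_version` is set for Debian 11/12 in this same change and nothing here guards the platform; either wrap the lock in `if $facts['os']['family'] == 'RedHat' { … }` or document at the top that the class is EL-only. With the default `'latest'` the lock is `absent`, which means the unattended `dnf update` added elsewhere in this change will also bump the agent — if that coupling is intended, a comment on the default saying so will stop someone "fixing" it. The `hasrestart => true` service has nothing notifying it, so an agent upgrade restarts the daemon only if the package scriptlets do; worth a one-line note.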
@@ -21,36 +12,8 @@ class profiles::puppet::client ( Integer $runtimeout = 3600, Boolean $show_diff = true, Boolean $usecacheonfailure = false, - String $puppet_version = 'latest', ) { - # Ensure the puppet-agent package is installed and locked to a specific version - package { 'puppet-agent': - ensure => $puppet_version, - } - - # if puppet-version is anything other than latest, set a versionlock - $puppet_versionlock_ensure = $puppet_version ? { - 'latest' => 'absent', - default => 'present', - } - $puppet_versionlock_version = $puppet_version ? { - 'latest' => undef, - default => $puppet_version, - } - yum::versionlock{'puppet-agent': - ensure => $puppet_versionlock_ensure, - version => $puppet_versionlock_version, - } - - # Ensure the puppet service is running - service { 'puppet': - ensure => 'running', - enable => true, - hasrestart => true, - require => Package['puppet-agent'], - } - # Assuming you want to manage puppet.conf with this profile file { '/etc/puppetlabs/puppet/puppet.conf': ensure => 'present', diff --git a/site/profiles/manifests/reposync/autosyncer.pp b/site/profiles/manifests/reposync/autosyncer.pp index e2e8683..04393cd 100644 --- a/site/profiles/manifests/reposync/autosyncer.pp +++ b/site/profiles/manifests/reposync/autosyncer.pp @@ -1,5 +1,7 @@ # setup the autosyncer -class profiles::reposync::autosyncer { +class profiles::reposync::autosyncer ( + Stdlib::Absolutepath $basepath = '/data/repos', +) { # Ensure the autosyncer script is present and executable file { '/usr/local/bin/autosyncer': diff --git a/site/profiles/manifests/reposync/repos.pp b/site/profiles/manifests/reposync/repos.pp index 5886785..046e404 100644 --- a/site/profiles/manifests/reposync/repos.pp +++ b/site/profiles/manifests/reposync/repos.pp 
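Review bot: `$basepath` now defaults to `'/data/repos'` here and, independently, in `profiles::reposync::repos`, so the two can drift and the script would then `restorecon` a directory other than the one the repos were synced into. Default this one from a shared key instead, e.g. `Stdlib::Absolutepath $basepath = lookup('profiles::reposync::basepath', Stdlib::Absolutepath, 'first', '/data/repos'),`, and use the same lookup in the define. The `file { '/usr/local/bin/autosyncer':` resource that consumes it continues outside the hunk.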
@@ -4,26 +4,32 @@ define profiles::reposync::repos ( String $description, String $osname, String $release, - Stdlib::HTTPUrl $baseurl, Stdlib::HTTPUrl $gpgkey, String $arch = 'x86_64', String $repo_owner = 'root', String $repo_group = 'root', Stdlib::Absolutepath $basepath = '/data/repos', + Optional[Stdlib::HTTPUrl] $baseurl = undef, + Optional[Stdlib::HTTPUrl] $mirrorlist = undef, ){ + if ($mirrorlist == undef and $baseurl == undef) or ($mirrorlist != undef and $baseurl != undef) { + fail('profiles::reposync::repos must have either mirrorlist or baseurl set, but not both') + } + $repos_name = downcase("${osname}-${release}-${repository}-${arch}") $conf_file = "/etc/reposync/conf.d/${repos_name}.conf" # Create the repository configuration yumrepo { $repos_name: - ensure => 'present', - descr => $description, - baseurl => $baseurl, - gpgkey => $gpgkey, - target => '/etc/yum.repos.d/reposync.repo', - enabled => 0, - gpgcheck => 1, + ensure => 'present', + descr => $description, + baseurl => $baseurl, + mirrorlist => $mirrorlist, + gpgkey => $gpgkey, + target => '/etc/yum.repos.d/reposync.repo', + enabled => 0, + gpgcheck => 1, } # Ensure the repo dest path exists diff --git a/site/profiles/manifests/reposync/webserver.pp b/site/profiles/manifests/reposync/webserver.pp index 66f549a..9321db1 100644 --- a/site/profiles/manifests/reposync/webserver.pp +++ b/site/profiles/manifests/reposync/webserver.pp @@ -30,6 +30,15 @@ class profiles::reposync::webserver ( } } + # export cnames for webserver + profiles::dns::record { "${::facts['networking']['fqdn']}_repos.main.unkin.net_CNAME": + value => $::facts['networking']['hostname'], + type => 'CNAME', + record => 'repos.main.unkin.net.', + zone => $::facts['networking']['domain'], + order => 10, + } + if $selinux { # include packages that are required diff --git a/site/profiles/manifests/yum/autoupdater.pp b/site/profiles/manifests/yum/autoupdater.pp new file mode 100644 index 0000000..17b2935 --- /dev/null 
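Review bot: Switching from a pinned `baseurl` to a `mirrorlist` means metadata and packages now come from whichever mirror the list hands back, but the trust anchor is still a `Stdlib::HTTPUrl $gpgkey` that accepts plain `http://` (and the hieradata feeding it uses exactly that for AlmaLinux), and `repo_gpgcheck` is left unset, so a mirror can serve arbitrary repodata with only per-package signatures in the way. Tighten the type to `Stdlib::HTTPSUrl $gpgkey,` and add an `Boolean $repo_gpgcheck = false` parameter passed through as `repo_gpgcheck => $repo_gpgcheck,` so repos whose vendor publishes `repomd.xml.asc` (EPEL does) can enable it. The exclusive-or check is correct; a comment above it saying why exactly one of the two must be set would make the `fail` message self-explanatory.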
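Review bot: The record name `repos.main.unkin.net.` is hard-coded while the zone is taken from `$facts['networking']['domain']`, so a webserver in any other domain exports an absolute name into the wrong zone; make it a class parameter, e.g. `String $repos_cname = 'repos.main.unkin.net.',`. If more than one host carries this role, each exports a CNAME for the same owner name (the titles differ, the `record` does not), and a collector will end up with several CNAMEs at one name, which is invalid DNS — either collect only one or use A records. `value` is the bare hostname, which is only right if the consumer treats it as relative to the zone; say so in a comment.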
+++ b/site/profiles/manifests/yum/autoupdater.pp @@ -0,0 +1,18 @@ +# profiles::yum::autoupdater +# +# manage automatic updates for dnf +# +class profiles::yum::autoupdater ( + String $on_calendar = '*-*-* 05:00:00', + Integer $randomized_delay_sec = 1800, + Boolean $enabled = true, +) { + + # Ensure the timer is enabled and running + systemd::timer { 'dnf-autoupdate.timer': + timer_content => template('profiles/yum/autoupdate_timer.erb'), + service_content => template('profiles/yum/autoupdate_service.erb'), + active => true, + enable => true, + } +} diff --git a/site/profiles/manifests/yum/global.pp b/site/profiles/manifests/yum/global.pp index eca5715..119230e 100644 --- a/site/profiles/manifests/yum/global.pp +++ b/site/profiles/manifests/yum/global.pp @@ -86,4 +86,8 @@ class profiles::yum::global ( class { 'profiles::yum::puppet7': managed_repos => $managed_repos, } + + # setup dnf-autoupdate + include profiles::yum::autoupdater + } diff --git a/site/profiles/templates/reposync/autosyncer.erb b/site/profiles/templates/reposync/autosyncer.erb index 9c3caed..cd6c963 100644 --- a/site/profiles/templates/reposync/autosyncer.erb +++ b/site/profiles/templates/reposync/autosyncer.erb @@ -88,4 +88,7 @@ for conf in /etc/reposync/conf.d/*.conf; do # After syncing each repo, fix the repository metadata create_repo_metadata "${snap_path}" + # Update selinux + restorecon <%= @basepath %> + done diff --git a/site/profiles/templates/yum/autoupdate_service.erb b/site/profiles/templates/yum/autoupdate_service.erb new file mode 100644 index 0000000..988b272 --- /dev/null +++ b/site/profiles/templates/yum/autoupdate_service.erb @@ -0,0 +1,6 @@ +[Unit] +Description=dnf-autoupdater-service + +[Service] +Type=oneshot +ExecStart=/usr/bin/dnf update -y diff --git a/site/profiles/templates/yum/autoupdate_timer.erb b/site/profiles/templates/yum/autoupdate_timer.erb new file mode 100644 index 0000000..6dcc3cb --- /dev/null +++ b/site/profiles/templates/yum/autoupdate_timer.erb 
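Review bot: `$enabled` is accepted but never used — the timer is hard-wired `active => true, enable => true`, so a host setting `profiles::yum::autoupdater::enabled: false` in hiera still gets unattended updates. Wire it through: `active => $enabled,` and `enable => $enabled,`. `$on_calendar` is interpolated into the unit unvalidated and systemd only rejects a bad expression when the timer is started, so a stricter type or a comment pointing at `systemd-analyze calendar` for checking values would help. The class header should also state that this runs a full `dnf update -y` on every host that includes `profiles::yum::global`.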
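Review bot: `restorecon <%= @basepath %>` relabels only the top directory — without `-R` the freshly synced tree beneath it keeps whatever context reposync gave it — and it runs once per iteration of the `conf` loop, each time over the whole base path, with the path interpolated unquoted. Use the per-repo path just written, quoted: `restorecon -R "${snap_path}"`, or move a single `restorecon -R "<%= @basepath %>"` after the loop. The loop header and the `snap_path` assignment are outside this hunk.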
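Review bot: `ExecStart=/usr/bin/dnf update -y` applies every available update unattended, and `-y` also answers yes to importing any not-yet-trusted `gpgkey` a repo file points at, so a repo definition with a wrong key URL gets silently trusted on the next run. If the intent is patching rather than version tracking, `dnf upgrade -y --security` (or the stock `dnf-automatic` with `upgrade_type = security`) narrows the blast radius. Either way add a comment in the unit noting that repo GPG keys must already be imported by Puppet before this runs and that `puppet-agent` is only held back by the versionlock set elsewhere.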
@@ -0,0 +1,10 @@
+[Unit]
+Description=dnf-autoupdater-timer
+
+[Timer]
+OnCalendar=<%= @on_calendar %>
+RandomizedDelaySec=<%= @randomized_delay_sec %>
+Persistent=true
+
+[Install]
+WantedBy=timers.target