Merge branch 'develop' into neoloc/mariadbgalera

hieradata/common.yaml

@@ -1,4 +1,12 @@
 ---
+lookup_options:
+  profiles::packages::base::add:
+    merge:
+      strategy: deep
+  profiles::packages::base::remove:
+    merge:
+      strategy: deep
+
 profiles::ntp::client::ntp_role: 'roles::infra::ntp::server'
 profiles::ntp::client::peers:
   - 0.pool.ntp.org
@@ -12,24 +20,55 @@ profiles::base::puppet_servers:
 profiles::dns::master::basedir: '/var/named/sources'
 profiles::dns::base::ns_role: 'roles::infra::dns::resolver'
 
-profiles::packages::base:
+profiles::packages::base::add:
   - bash-completion
+  - bzip2
   - ccze
   - curl
   - dstat
+  - gzip
   - htop
+  - inotify-tools
+  - iotop
+  - jq
+  - lz4
+  - lzo
   - mtr
   - ncdu
   - neovim
+  - p7zip
+  - pbzip2
+  - pigz
+  - pv
   - rsync
   - screen
+  - socat
   - strace
+  - sysstat
   - tmux
+  - traceroute
   - vim
   - vnstat
   - wget
+  - xz
   - zsh
-  - socat
+  - zstd
+
+profiles::packages::base::remove:
+  - iwl100-firmware
+  - iwl1000-firmware
+  - iwl105-firmware
+  - iwl135-firmware
+  - iwl2000-firmware
+  - iwl2030-firmware
+  - iwl3160-firmware
+  - iwl5000-firmware
+  - iwl5150-firmware
+  - iwl6000-firmware
+  - iwl6000g2a-firmware
+  - iwl6050-firmware
+  - iwl7260-firmware
+  - puppet7-release
 
 profiles::base::scripts::scripts:
   puppet: puppetwrapper.py

hieradata/os/AlmaLinux/all_releases.yaml

@@ -6,4 +6,4 @@ profiles::firewall::firewalld::ensure_package: 'absent'
 profiles::firewall::firewalld::ensure_service: 'stopped'
 profiles::firewall::firewalld::enable_service: false
 
-profiles::puppet::client::puppet_version: '7.26.0'
+profiles::puppet::agent::puppet_version: '7.26.0'

hieradata/os/Debian/Debian11.yaml

@@ -11,4 +11,4 @@ profiles::apt::components:
   - main
   - non-free
 
-profiles::puppet::client::puppet_version: '7.25.0-1bullseye'
+profiles::puppet::agent::puppet_version: '7.25.0-1bullseye'

hieradata/os/Debian/Debian12.yaml

@@ -12,4 +12,4 @@ profiles::apt::components:
   - non-free
   - non-free-firmware
 
-profiles::puppet::client::puppet_version: 'latest'
+profiles::puppet::agent::puppet_version: 'latest'

hieradata/roles/infra/reposync/syncer.yaml

@@ -5,47 +5,104 @@ profiles::reposync::repos_list:
     description: 'AlmaLinux 8.8 - BaseOS'
     osname: 'almalinux'
     release: '8.8'
-    baseurl: 'http://mirror.aarnet.edu.au/pub/almalinux/8.8/BaseOS/x86_64/os/'
+    mirrorlist: https://mirrors.almalinux.org/mirrorlist/8.8/baseos
     gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux'
   almalinux_8_8_appstream:
     repository: 'AppStream'
     description: 'AlmaLinux 8.8 - AppStream'
     osname: 'almalinux'
     release: '8.8'
-    baseurl: 'http://mirror.aarnet.edu.au/pub/almalinux/8.8/AppStream/x86_64/os/'
+    mirrorlist: https://mirrors.almalinux.org/mirrorlist/8.8/appstream
     gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux'
   almalinux_8_8_highavailability:
     repository: 'HighAvailability'
     description: 'AlmaLinux 8.8 - HighAvailability'
     osname: 'almalinux'
     release: '8.8'
-    baseurl: 'http://mirror.aarnet.edu.au/pub/almalinux/8.8/HighAvailability/x86_64/os/'
+    mirrorlist: https://mirrors.almalinux.org/mirrorlist/8.8/ha
     gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux'
   almalinux_8_8_powertools:
     repository: 'PowerTools'
     description: 'AlmaLinux 8.8 - PowerTools'
     osname: 'almalinux'
     release: '8.8'
-    baseurl: 'http://mirror.aarnet.edu.au/pub/almalinux/8.8/PowerTools/x86_64/os/'
+    mirrorlist: https://mirrors.almalinux.org/mirrorlist/8.8/powertools
     gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux'
   almalinux_8_8_extras:
     repository: 'extras'
     description: 'AlmaLinux 8.8 - extras'
     osname: 'almalinux'
     release: '8.8'
-    baseurl: 'http://mirror.aarnet.edu.au/pub/almalinux/8.8/extras/x86_64/os/'
+    mirrorlist: https://mirrors.almalinux.org/mirrorlist/8.8/extras
+    gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux'
+  almalinux_8_9_baseos:
+    repository: 'BaseOS'
+    description: 'AlmaLinux 8.9 - BaseOS'
+    osname: 'almalinux'
+    release: '8.9'
+    mirrorlist: https://mirrors.almalinux.org/mirrorlist/8.9/baseos
+    gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux'
+  almalinux_8_9_appstream:
+    repository: 'AppStream'
+    description: 'AlmaLinux 8.9 - AppStream'
+    osname: 'almalinux'
+    release: '8.9'
+    mirrorlist: https://mirrors.almalinux.org/mirrorlist/8.9/appstream
+    gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux'
+  almalinux_8_9_highavailability:
+    repository: 'HighAvailability'
+    description: 'AlmaLinux 8.9 - HighAvailability'
+    osname: 'almalinux'
+    release: '8.9'
+    mirrorlist: https://mirrors.almalinux.org/mirrorlist/8.9/ha
+    gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux'
+  almalinux_8_9_powertools:
+    repository: 'PowerTools'
+    description: 'AlmaLinux 8.9 - PowerTools'
+    osname: 'almalinux'
+    release: '8.9'
+    mirrorlist: https://mirrors.almalinux.org/mirrorlist/8.9/powertools
+    gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux'
+  almalinux_8_9_extras:
+    repository: 'extras'
+    description: 'AlmaLinux 8.9 - extras'
+    osname: 'almalinux'
+    release: '8.9'
+    mirrorlist: https://mirrors.almalinux.org/mirrorlist/8.9/extras
     gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux'
   epel_8_everything:
     repository: 'Everything'
     description: 'EPEL 8 Everything'
     osname: 'epel'
     release: '8'
-    baseurl: 'https://dl.fedoraproject.org/pub/epel/8/Everything/x86_64/'
+    # baseurl: 'https://dl.fedoraproject.org/pub/epel/8/Everything/x86_64/'
-    gpgkey: 'https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-8'
+    mirrorlist: 'https://mirrors.fedoraproject.org/mirrorlist?repo=epel-8&arch=x86_64'
-  epel_8_modular:
-    repository: 'Modular'
-    description: 'EPEL 8 Modular'
-    osname: 'epel'
-    release: '8'
-    baseurl: 'https://dl.fedoraproject.org/pub/epel/8/Modular/x86_64/'
     gpgkey: 'https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-8'
+  mariadb_11_2_el8:
+    repository: 'el8'
+    description: 'MariaDB 11.2'
+    osname: 'mariadb'
+    release: '11.2'
+    baseurl: 'http://mariadb.mirror.digitalpacific.com.au/yum/11.2/rhel8-amd64/'
+    gpgkey: 'https://mariadb.mirror.digitalpacific.com.au/yum/RPM-GPG-KEY-MariaDB'
+  puppet7_el8:
+    repository: '8'
+    description: 'Puppet 7 EL8'
+    osname: 'puppet7'
+    release: 'el'
+    baseurl: 'https://yum.puppet.com/puppet7/el/8/x86_64/'
+    gpgkey: 'https://yum.puppet.com/RPM-GPG-KEY-puppet'
+  postgresql_rhel8_common:
+    repository: 'common'
+    description: 'PostgreSQL Common RHEL 8'
+    osname: 'postgresql'
+    release: 'rhel8'
+    baseurl: 'https://download.postgresql.org/pub/repos/yum/common/redhat/rhel-8-x86_64/'
+    gpgkey: 'https://download.postgresql.org/pub/repos/yum/RPM-GPG-KEY-PGDG'
+  postgresql_rhel8_16:
+    repository: '16'
+    description: 'PostgreSQL 16 RHEL 8'
+    osname: 'postgresql'
+    release: 'rhel8'
+    baseurl: 'https://download.postgresql.org/pub/repos/yum/16/redhat/rhel-8-x86_64/'
+    gpgkey: 'https://download.postgresql.org/pub/repos/yum/RPM-GPG-KEY-PGDG'

site/profiles/lib/facter/mysql_wsrep.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+# skip if mysql isnt installed or active
+if system('which mysql > /dev/null 2>&1') && system('systemctl is-active --quiet mariadb')
+
+  # export mysql wsrep status
+  wsrep_status = `mysql -e "SHOW STATUS LIKE 'wsrep%';"`
+
+  # loop over the output
+  wsrep_status.each_line do |line|
+    # skip the line unless it starts with 'wsrep_'
+    next unless line.match(/^wsrep_/)
+
+    key, value = line.split("\t")
+    Facter.add("mysql_#{key.strip}") do
+      setcode do
+        value.strip
+      end
+    end
+  end
+end

site/profiles/manifests/base.pp

@@ -16,6 +16,9 @@ class profiles::base (
     }
   }
 
+  # manage the puppet agent
+  include profiles::puppet::agent
+
   # manage puppet clients
   if ! member($puppet_servers, $trusted['certname']) {
     include profiles::puppet::client

site/profiles/manifests/packages/base.pp

@@ -1,21 +1,21 @@
 # This class manages the installation of packages for the base profile
 #
 # Parameters:
-# - $packages: An array of package names to be installed (optional)
+# - $add: An array of package names to be installed
-# - $ensure: Enum of present, absent, latest or installed (optional)
+# - $remove: An array of package names to be removed
-#
-# Example usage:
-# class { 'profiles::base::packages':
-#   packages => ['package1', 'package2', 'package3'],
 #
 class profiles::packages::base (
-  Array     $packages = lookup('profiles::packages::base', Array, 'first', []),
+  Array $add    = [],
-  Enum[
+  Array $remove = [],
-    'present',
+) {
-    'absent',
+
-    'latest',
+  # Ensure packages to add are installed
-    'installed'
+  ensure_packages($add, {'ensure' => 'present'})
-    ]       $ensure = 'installed',
+
-){
+  # Ensure packages to remove are absent
-  ensure_packages($packages, {'ensure' => $ensure})
+  $remove.each |String $package| {
+    package { $package:
+      ensure => 'absent',
+    }
+  }
 }

site/profiles/manifests/puppet/agent.pp

@@ -0,0 +1,35 @@
+# profiles::puppet::agent
+# This class manages Puppet agent package and service.
+class profiles::puppet::agent (
+  String $puppet_version      = 'latest',
+) {
+
+  # Ensure the puppet-agent package is installed and locked to a specific version
+  package { 'puppet-agent':
+    ensure => $puppet_version,
+  }
+
+  # if puppet-version is anything other than latest, set a versionlock
+  $puppet_versionlock_ensure = $puppet_version ? {
+    'latest' => 'absent',
+    default  => 'present',
+  }
+  $puppet_versionlock_version = $puppet_version ? {
+    'latest' => undef,
+    default  => $puppet_version,
+  }
+  yum::versionlock{'puppet-agent':
+    ensure  => $puppet_versionlock_ensure,
+    version => $puppet_versionlock_version,
+  }
+
+  # Ensure the puppet service is running
+  service { 'puppet':
+    ensure     => 'running',
+    enable     => true,
+    hasrestart => true,
+    require    => Package['puppet-agent'],
+  }
+
+}
+

site/profiles/manifests/puppet/client.pp

@@ -1,15 +1,6 @@
 # Class: profiles::puppet::client
 #
-# This class manages Puppet client configuration and service.
+# This class manages Puppet client configuration.
-#
-# Parameters:
-#   vardir - Directory path for variable data.
-#   logdir - Directory path for logs.
-#   rundir - Directory path for run-time data.
-#   pidfile - File path for the PID file.
-#   codedir - Directory path for code data.
-#   dns_alt_names - Array of alternate DNS names for the server.
-#   server - Server's name.
 #
 # site/profile/manifests/puppet/client.pp
 class profiles::puppet::client (
@@ -21,36 +12,8 @@ class profiles::puppet::client (
   Integer $runtimeout         = 3600,
   Boolean $show_diff          = true,
   Boolean $usecacheonfailure  = false,
-  String $puppet_version      = 'latest',
 ) {
 
-  # Ensure the puppet-agent package is installed and locked to a specific version
-  package { 'puppet-agent':
-    ensure => $puppet_version,
-  }
-
-  # if puppet-version is anything other than latest, set a versionlock
-  $puppet_versionlock_ensure = $puppet_version ? {
-    'latest' => 'absent',
-    default  => 'present',
-  }
-  $puppet_versionlock_version = $puppet_version ? {
-    'latest' => undef,
-    default  => $puppet_version,
-  }
-  yum::versionlock{'puppet-agent':
-    ensure  => $puppet_versionlock_ensure,
-    version => $puppet_versionlock_version,
-  }
-
-  # Ensure the puppet service is running
-  service { 'puppet':
-    ensure     => 'running',
-    enable     => true,
-    hasrestart => true,
-    require    => Package['puppet-agent'],
-  }
-
   # Assuming you want to manage puppet.conf with this profile
   file { '/etc/puppetlabs/puppet/puppet.conf':
     ensure  => 'present',

site/profiles/manifests/reposync/autosyncer.pp

@@ -1,5 +1,7 @@
 # setup the autosyncer
-class profiles::reposync::autosyncer {
+class profiles::reposync::autosyncer (
+  Stdlib::Absolutepath $basepath = '/data/repos',
+) {
 
   # Ensure the autosyncer script is present and executable
   file { '/usr/local/bin/autosyncer':

site/profiles/manifests/reposync/repos.pp

@@ -4,14 +4,19 @@ define profiles::reposync::repos (
   String          $description,
   String          $osname,
   String          $release,
-  Stdlib::HTTPUrl $baseurl,
   Stdlib::HTTPUrl $gpgkey,
   String          $arch = 'x86_64',
   String          $repo_owner = 'root',
   String          $repo_group = 'root',
   Stdlib::Absolutepath $basepath = '/data/repos',
+  Optional[Stdlib::HTTPUrl] $baseurl = undef,
+  Optional[Stdlib::HTTPUrl] $mirrorlist = undef,
 ){
 
+  if ($mirrorlist == undef and $baseurl == undef) or ($mirrorlist != undef and $baseurl != undef) {
+    fail('profiles::reposync::repos must have either mirrorlist or baseurl set, but not both')
+  }
+
   $repos_name = downcase("${osname}-${release}-${repository}-${arch}")
   $conf_file = "/etc/reposync/conf.d/${repos_name}.conf"
 
@@ -20,6 +25,7 @@ define profiles::reposync::repos (
     ensure     => 'present',
     descr      => $description,
     baseurl    => $baseurl,
+    mirrorlist => $mirrorlist,
     gpgkey     => $gpgkey,
     target     => '/etc/yum.repos.d/reposync.repo',
     enabled    => 0,

site/profiles/manifests/reposync/webserver.pp

@@ -30,6 +30,15 @@ class profiles::reposync::webserver (
     }
   }
 
+  # export cnames for webserver
+  profiles::dns::record { "${::facts['networking']['fqdn']}_repos.main.unkin.net_CNAME":
+    value  => $::facts['networking']['hostname'],
+    type   => 'CNAME',
+    record => 'repos.main.unkin.net.',
+    zone   => $::facts['networking']['domain'],
+    order  => 10,
+  }
+
   if $selinux {
 
     # include packages that are required

site/profiles/manifests/yum/autoupdater.pp

@@ -0,0 +1,18 @@
+# profiles::yum::autoupdater
+#
+# manage automatic updates for dnf
+#
+class profiles::yum::autoupdater (
+  String  $on_calendar          = '*-*-* 05:00:00',
+  Integer $randomized_delay_sec = 1800,
+  Boolean $enabled              = true,
+) {
+
+  # Ensure the timer is enabled and running
+  systemd::timer { 'dnf-autoupdate.timer':
+    timer_content   => template('profiles/yum/autoupdate_timer.erb'),
+    service_content => template('profiles/yum/autoupdate_service.erb'),
+    active          => true,
+    enable          => true,
+  }
+}

site/profiles/manifests/yum/global.pp

@@ -86,4 +86,8 @@ class profiles::yum::global (
   class { 'profiles::yum::puppet7':
     managed_repos => $managed_repos,
   }
+
+  # setup dnf-autoupdate
+  include profiles::yum::autoupdater
+
 }

site/profiles/templates/reposync/autosyncer.erb

@@ -88,4 +88,7 @@ for conf in /etc/reposync/conf.d/*.conf; do
   # After syncing each repo, fix the repository metadata
   create_repo_metadata "${snap_path}"
 
+  # Update selinux
+  restorecon <%= @basepath %>
+
 done

site/profiles/templates/yum/autoupdate_service.erb

@@ -0,0 +1,6 @@
+[Unit]
+Description=dnf-autoupdater-service
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/dnf update -y

site/profiles/templates/yum/autoupdate_timer.erb

@@ -0,0 +1,10 @@
+[Unit]
+Description=dnf-autoupdater-timer
+
+[Timer]
+OnCalendar=<%= @on_calendar %>
+RandomizedDelaySec=<%= @randomized_delay_sec %>
+Persistent=true
+
+[Install]
+WantedBy=timers.target